Skip to content
Browse files

Bug 698552: Update to NSS 3.13.2 BETA1 (NSS_3_13_2_BETA1), r=kaie, r=…

…honzab
  • Loading branch information...
1 parent dd40eda commit 050ebaadc01a9df39a2059660cc9a88b4ba71dc2 @briansmith briansmith committed Dec 1, 2011
Showing with 562 additions and 351 deletions.
  1. +1 −0 dbm/src/Makefile.in
  2. +1 −0 security/coreconf/coreconf.dep
  3. +3 −3 security/nss/Makefile
  4. +1 −1 security/nss/TAG-INFO
  5. +1 −1 security/nss/cmd/lib/pppolicy.c
  6. +8 −8 security/nss/cmd/ssltap/ssltap.c
  7. +1 −1 security/nss/lib/certdb/cert.h
  8. +1 −12 security/nss/lib/certdb/certdb.c
  9. +1 −1 security/nss/lib/certdb/certv3.c
  10. +1 −1 security/nss/lib/certdb/polcyxtn.c
  11. +1 −6 security/nss/lib/certhigh/certvfypkix.c
  12. +2 −2 security/nss/lib/ckfw/builtins/certdata.c
  13. +1 −1 security/nss/lib/ckfw/builtins/certdata.txt
  14. +1 −1 security/nss/lib/cryptohi/keyhi.h
  15. +2 −2 security/nss/lib/freebl/blapi.h
  16. +1 −1 security/nss/lib/freebl/jpake.c
  17. +6 −0 security/nss/lib/nss/nss.def
  18. +4 −4 security/nss/lib/nss/nss.h
  19. +28 −1 security/nss/lib/pk11wrap/pk11akey.c
  20. +5 −0 security/nss/lib/pk11wrap/pk11pub.h
  21. +1 −1 security/nss/lib/pkcs7/p7decode.c
  22. +1 −1 security/nss/lib/pkcs7/secpkcs7.h
  23. +1 −5 security/nss/lib/pki/pki3hack.c
  24. +3 −18 security/nss/lib/softoken/jpakesftk.c
  25. +4 −5 security/nss/lib/softoken/legacydb/config.mk
  26. +3 −3 security/nss/lib/softoken/softkver.h
  27. +6 −0 security/nss/lib/ssl/SSLerrs.h
  28. +8 −0 security/nss/lib/ssl/ssl.def
  29. +57 −1 security/nss/lib/ssl/ssl.h
  30. +63 −59 security/nss/lib/ssl/ssl3con.c
  31. +127 −2 security/nss/lib/ssl/ssl3ext.c
  32. +3 −2 security/nss/lib/ssl/ssl3prot.h
  33. +13 −151 security/nss/lib/ssl/sslcon.c
  34. +5 −1 security/nss/lib/ssl/sslerr.h
  35. +17 −10 security/nss/lib/ssl/sslimpl.h
  36. +20 −7 security/nss/lib/ssl/sslsecur.c
  37. +144 −23 security/nss/lib/ssl/sslsock.c
  38. +3 −2 security/nss/lib/ssl/sslt.h
  39. +3 −3 security/nss/lib/util/nssutil.h
  40. +3 −4 security/nss/lib/util/pkcs11n.h
  41. +1 −1 security/nss/lib/util/secder.h
  42. +1 −1 security/nss/lib/util/secoid.h
  43. +5 −5 security/nss/tests/pkits/pkits.sh
View
1 dbm/src/Makefile.in
@@ -79,6 +79,7 @@ endif # WINNT
LOCAL_INCLUDES = -I$(srcdir)/../include
FORCE_STATIC_LIB = 1
+FORCE_USE_PIC = 1
include $(topsrcdir)/config/rules.mk
View
1 security/coreconf/coreconf.dep
@@ -42,3 +42,4 @@
*/
#error "Do not include this header file."
+
View
6 security/nss/Makefile
@@ -147,10 +147,10 @@ clobber_nspr: $(NSPR_CONFIG_STATUS)
cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber
build_dbm:
-ifndef NSS_DISABLE_DBM
- cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
+ifdef NSS_DISABLE_DBM
+ @echo "skipping the build of DBM"
else
- echo "skipping the build of DBM"
+ cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
endif
clobber_dbm:
View
2 security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_13_1_RTM
+NSS_3_13_2_BETA1
View
2 security/nss/cmd/lib/pppolicy.c
@@ -37,7 +37,7 @@
/*
* Support for various policy related extensions
*
- * $Id: pppolicy.c,v 1.3 2005/02/22 20:02:22 wtchang%redhat.com Exp $
+ * $Id: pppolicy.c,v 1.5 2011/11/16 19:12:30 kaie%kuix.de Exp $
*/
#include "seccomon.h"
View
16 security/nss/cmd/ssltap/ssltap.c
@@ -66,7 +66,7 @@
#include "cert.h"
#include "sslproto.h"
-#define VERSIONSTRING "$Revision: 1.19 $ ($Date: 2010/02/16 18:56:47 $) $Author: wtc%google.com $"
+#define VERSIONSTRING "$Revision: 1.20 $ ($Date: 2011/11/05 23:09:28 $) $Author: wtc%google.com $"
struct _DataBufferList;
@@ -1516,11 +1516,11 @@ int main(int argc, char *argv[])
{
char *hostname=NULL;
PRUint16 rendport=DEFPORT,port;
- PRHostEnt hp;
+ PRAddrInfo *ai;
+ void *iter;
PRStatus r;
PRNetAddr na_client,na_server,na_rend;
PRFileDesc *s_server,*s_client,*s_rend; /*rendezvous */
- char netdbbuf[PR_NETDB_BUF_SIZE];
int c_count=0;
PLOptState *optstate;
PLOptStatus status;
@@ -1591,14 +1591,14 @@ int main(int argc, char *argv[])
PR_fprintf(PR_STDOUT,"<BODY><PRE>\n");
}
PR_fprintf(PR_STDERR,"Looking up \"%s\"...\n", hostname);
- r = PR_GetHostByName(hostname,netdbbuf,PR_NETDB_BUF_SIZE,&hp);
- if (r) {
+ ai = PR_GetAddrInfoByName(hostname, PR_AF_UNSPEC, PR_AI_ADDRCONFIG);
+ if (!ai) {
showErr("Host Name lookup failed\n");
exit(5);
}
- PR_EnumerateHostEnt(0,&hp,0,&na_server);
- PR_InitializeNetAddr(PR_IpAddrNull,port,&na_server);
+ iter = NULL;
+ iter = PR_EnumerateAddrInfo(iter, ai, port, &na_server);
/* set up the port which the client will connect to */
r = PR_InitializeNetAddr(PR_IpAddrAny,rendport,&na_rend);
@@ -1641,7 +1641,7 @@ int main(int argc, char *argv[])
exit(7);
}
- s_server = PR_NewTCPSocket();
+ s_server = PR_OpenTCPSocket(na_server.raw.family);
if (s_server == NULL) {
showErr("couldn't open new socket to connect to server \n");
exit(8);
View
2 security/nss/lib/certdb/cert.h
@@ -37,7 +37,7 @@
/*
* cert.h - public data structures and prototypes for the certificate library
*
- * $Id: cert.h,v 1.86 2011/07/24 13:48:09 wtc%google.com Exp $
+ * $Id: cert.h,v 1.88 2011/11/16 19:12:32 kaie%kuix.de Exp $
*/
#ifndef _CERT_H_
View
13 security/nss/lib/certdb/certdb.c
@@ -39,7 +39,7 @@
/*
* Certificate handling code
*
- * $Id: certdb.c,v 1.116 2011/08/05 01:13:14 wtc%google.com Exp $
+ * $Id: certdb.c,v 1.120 2011/11/17 00:20:20 bsmith%mozilla.com Exp $
*/
#include "nssilock.h"
@@ -596,17 +596,6 @@ cert_ComputeCertType(CERTCertificate *cert)
nsCertType |= NS_CERT_TYPE_SSL_SERVER;
}
}
- /* Treat certs with step-up OID as also having SSL server type. */
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
- SECSuccess){
- if (basicConstraintPresent == PR_TRUE &&
- (basicConstraint.isCA)) {
- nsCertType |= NS_CERT_TYPE_SSL_CA;
- } else {
- nsCertType |= NS_CERT_TYPE_SSL_SERVER;
- }
- }
if (findOIDinOIDSeqByTagNum(extKeyUsage,
SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
SECSuccess){
View
2 security/nss/lib/certdb/certv3.c
@@ -37,7 +37,7 @@
/*
* Code for dealing with X509.V3 extensions.
*
- * $Id: certv3.c,v 1.10 2007/10/12 01:44:40 julien.pierre.boogz%sun.com Exp $
+ * $Id: certv3.c,v 1.12 2011/11/16 19:12:32 kaie%kuix.de Exp $
*/
#include "cert.h"
View
2 security/nss/lib/certdb/polcyxtn.c
@@ -37,7 +37,7 @@
/*
* Support for various policy related extensions
*
- * $Id: polcyxtn.c,v 1.11 2008/02/13 04:03:19 julien.pierre.boogz%sun.com Exp $
+ * $Id: polcyxtn.c,v 1.13 2011/11/16 19:12:32 kaie%kuix.de Exp $
*/
#include "seccomon.h"
View
7 security/nss/lib/certhigh/certvfypkix.c
@@ -225,9 +225,6 @@ typedef struct {
const SECCertUsageToEku certUsageEkuStringMap[] = {
{certUsageSSLClient, ekuIndexSSLClient},
{certUsageSSLServer, ekuIndexSSLServer},
- {certUsageSSLServerWithStepUp, ekuIndexSSLServer}, /* need to add oids to
- * the list of eku.
- * see 390381*/
{certUsageSSLCA, ekuIndexSSLServer},
{certUsageEmailSigner, ekuIndexEmail},
{certUsageEmailRecipient, ekuIndexEmail},
@@ -239,8 +236,6 @@ const SECCertUsageToEku certUsageEkuStringMap[] = {
{certUsageAnyCA, ekuIndexUnknown},
};
-#define CERT_USAGE_EKU_STRING_MAPS_TOTAL 12
-
/*
* FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU
* DESCRIPTION:
@@ -292,7 +287,7 @@ cert_NssCertificateUsageToPkixKUAndEKU(
PKIX_List_Create(&ekuOidsList, plContext),
PKIX_LISTCREATEFAILED);
- for (;i < CERT_USAGE_EKU_STRING_MAPS_TOTAL;i++) {
+ for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) {
const SECCertUsageToEku *usageToEkuElem =
&certUsageEkuStringMap[i];
if (usageToEkuElem->certUsage == requiredCertUsage) {
View
4 security/nss/lib/ckfw/builtins/certdata.c
@@ -35,7 +35,7 @@
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.79 $ $Date: 2011/09/02 19:40:56 $""; @(#) $RCSfile: certdata.perl,v $ $Revision: 1.13 $ $Date: 2010/03/26 22:06:47 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $";
#endif /* DEBUG */
#ifndef BUILTINS_H
@@ -1095,7 +1095,7 @@ static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"CVS ID", (PRUint32)7 },
{ (void *)"NSS", (PRUint32)4 },
- { (void *)"@(#) $RCSfile: certdata.txt,v $ $Revision: 1.79 $ $Date: 2011/09/02 19:40:56 $""; @(#) $RCSfile: certdata.perl,v $ $Revision: 1.13 $ $Date: 2010/03/26 22:06:47 $", (PRUint32)160 }
+ { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $", (PRUint32)160 }
};
#endif /* DEBUG */
static const NSSItem nss_builtins_items_1 [] = {
View
2 security/nss/lib/ckfw/builtins/certdata.txt
@@ -34,7 +34,7 @@
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.79 $ $Date: 2011/09/02 19:40:56 $"
+CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $"
#
# certdata.txt
View
2 security/nss/lib/cryptohi/keyhi.h
@@ -35,7 +35,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: keyhi.h,v 1.18 2011/07/24 13:48:12 wtc%google.com Exp $ */
+/* $Id: keyhi.h,v 1.20 2011/11/16 19:12:33 kaie%kuix.de Exp $ */
#ifndef _KEYHI_H_
#define _KEYHI_H_
View
4 security/nss/lib/freebl/blapi.h
@@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: blapi.h,v 1.42 2011/10/04 22:05:53 wtc%google.com Exp $ */
+/* $Id: blapi.h,v 1.43 2011/10/29 23:28:45 wtc%google.com Exp $ */
#ifndef _BLAPI_H_
#define _BLAPI_H_
@@ -273,7 +273,7 @@ JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
* The arena is *not* optional so do not pass NULL for the arena parameter.
*/
SECStatus
-JPAKE_Verify(PRArenaPool * arena, const PQGParams * pqg,
+JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg,
HASH_HashType hashType, const SECItem * signerID,
const SECItem * peerID, const SECItem * gx,
const SECItem * gv, const SECItem * r);
View
2 security/nss/lib/freebl/jpake.c
@@ -222,7 +222,7 @@ JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
/* Verify a Schnorr signature generated by the peer in round 1 or round 2. */
SECStatus
-JPAKE_Verify(PRArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
+JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
const SECItem * signerID, const SECItem * peerID,
const SECItem * gx, const SECItem * gv, const SECItem * r)
{
View
6 security/nss/lib/nss/nss.def
@@ -1028,3 +1028,9 @@ NSS_GetVersion;
;+ local:
;+ *;
;+};
+;+NSS_3.13.2 { # NSS 3.13.2 release
+;+ global:
+PK11_ImportEncryptedPrivateKeyInfoAndReturnKey;
+;+ local:
+;+ *;
+;+};
View
8 security/nss/lib/nss/nss.h
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.86 2011/10/27 19:29:44 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.87 2011/10/27 19:39:00 kaie%kuix.de Exp $ */
#ifndef __nss_h_
#define __nss_h_
@@ -66,12 +66,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.13.1.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION "3.13.2.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 13
-#define NSS_VPATCH 1
+#define NSS_VPATCH 2
#define NSS_VBUILD 0
-#define NSS_BETA PR_FALSE
+#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED
View
29 security/nss/lib/pk11wrap/pk11akey.c
@@ -1574,13 +1574,36 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length)
return pubk;
}
+/*
+ * NOTE: This function doesn't return a SECKEYPrivateKey struct to represent
+ * the new private key object. If it were to create a session object that
+ * could later be looked up by its nickname, it would leak a SECKEYPrivateKey.
+ * So isPerm must be true.
+ */
SECStatus
PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType keyType,
unsigned int keyUsage, void *wincx)
{
+ if (!isPerm) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ return PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(slot, epki,
+ pwitem, nickname, publicValue, isPerm, isPrivate, keyType,
+ keyUsage, NULL, wincx);
+}
+
+SECStatus
+PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+ SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+ SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+ PRBool isPrivate, KeyType keyType,
+ unsigned int keyUsage, SECKEYPrivateKey **privk,
+ void *wincx)
+{
CK_MECHANISM_TYPE pbeMechType;
SECItem *crypto_param = NULL;
PK11SymKey *key = NULL;
@@ -1676,7 +1699,11 @@ PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
nickname, publicValue, isPerm, isPrivate,
key_type, usage, usageCount, wincx);
if(privKey) {
- SECKEY_DestroyPrivateKey(privKey);
+ if (privk) {
+ *privk = privKey;
+ } else {
+ SECKEY_DestroyPrivateKey(privKey);
+ }
privKey = NULL;
rv = SECSuccess;
goto done;
View
5 security/nss/lib/pk11wrap/pk11pub.h
@@ -571,6 +571,11 @@ SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType type,
unsigned int usage, void *wincx);
+SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+ SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+ SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+ PRBool isPrivate, KeyType type,
+ unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
CERTCertificate *cert, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
View
2 security/nss/lib/pkcs7/p7decode.c
@@ -38,7 +38,7 @@
/*
* PKCS7 decoding, verification.
*
- * $Id: p7decode.c,v 1.26 2011/08/21 01:14:17 wtc%google.com Exp $
+ * $Id: p7decode.c,v 1.28 2011/11/16 19:12:34 kaie%kuix.de Exp $
*/
#include "p7local.h"
View
2 security/nss/lib/pkcs7/secpkcs7.h
@@ -37,7 +37,7 @@
/*
* Interface to the PKCS7 implementation.
*
- * $Id: secpkcs7.h,v 1.6 2008/06/14 14:20:25 wtc%google.com Exp $
+ * $Id: secpkcs7.h,v 1.8 2011/11/16 19:12:34 kaie%kuix.de Exp $
*/
#ifndef _SECPKCS7_H_
View
6 security/nss/lib/pki/pki3hack.c
@@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.102 $ $Date: 2011/04/13 00:10:26 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.105 $ $Date: 2011/11/17 00:20:21 $";
#endif /* DEBUG */
/*
@@ -592,10 +592,6 @@ cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
rvTrust->sslFlags |= client;
rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection);
rvTrust->objectSigningFlags = get_nss3trust_from_nss4trust(t->codeSigning);
- /* The cert is a valid step-up cert (in addition to/lieu of trust above */
- if (t->stepUpApproved) {
- rvTrust->sslFlags |= CERTDB_GOVT_APPROVED_CA;
- }
return rvTrust;
}
View
21 security/nss/lib/softoken/jpakesftk.c
@@ -74,9 +74,9 @@ jpake_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
NULL, &gx, &gv, &r),
CKR_MECHANISM_PARAM_INVALID);
if (crv == CKR_OK) {
- if (out->pGX != NULL && out->ulGXLen >= gx.len ||
- out->pGV != NULL && out->ulGVLen >= gv.len ||
- out->pR != NULL && out->ulRLen >= r.len) {
+ if ((out->pGX != NULL && out->ulGXLen >= gx.len) ||
+ (out->pGV != NULL && out->ulGVLen >= gv.len) ||
+ (out->pR != NULL && out->ulRLen >= r.len)) {
PORT_Memcpy(out->pGX, gx.data, gx.len);
PORT_Memcpy(out->pGV, gv.data, gv.len);
PORT_Memcpy(out->pR, r.data, r.len);
@@ -108,21 +108,6 @@ jpake_Verify(PLArenaPool * arena, const PQGParams * pqg,
#define NUM_ELEM(x) (sizeof (x) / sizeof (x)[0])
-/* Ensure that the key is of the given type. */
-static CK_RV
-jpake_ensureKeyType(SFTKObject * key, CK_KEY_TYPE keyType)
-{
- CK_RV crv;
- SFTKAttribute * keyTypeAttr = sftk_FindAttribute(key, CKA_KEY_TYPE);
- crv = keyTypeAttr != NULL &&
- *(CK_KEY_TYPE *)keyTypeAttr->attrib.pValue == keyType
- ? CKR_OK
- : CKR_TEMPLATE_INCONSISTENT;
- if (keyTypeAttr != NULL)
- sftk_FreeAttribute(keyTypeAttr);
- return crv;
-}
-
/* If the template has the key type set, ensure that it was set to the correct
* value. If the template did not have the key type set, set it to the
* correct value.
View
9 security/nss/lib/softoken/legacydb/config.mk
@@ -38,11 +38,10 @@
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-EXTRA_LIBS += $(CRYPTOLIB)
-
-ifndef NSS_DISABLE_DBM
-EXTRA_LIBS += $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX)
-endif
+EXTRA_LIBS += \
+ $(CRYPTOLIB) \
+ $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+ $(NULL)
# can't do this in manifest.mn because OS_TARGET isn't defined there.
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
View
6 security/nss/lib/softoken/softkver.h
@@ -57,11 +57,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.13.1.0" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.13.2.0" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 13
-#define SOFTOKEN_VPATCH 1
+#define SOFTOKEN_VPATCH 2
#define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_FALSE
+#define SOFTOKEN_BETA PR_TRUE
#endif /* _SOFTKVER_H_ */
View
6 security/nss/lib/ssl/SSLerrs.h
@@ -405,3 +405,9 @@ ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114),
ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115),
"SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.")
+
+ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116),
+"SSL received invalid NPN extension data.")
+
+ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2, (SSL_ERROR_BASE + 117),
+"SSL feature not supported for SSL 2.0 connections.")
View
8 security/nss/lib/ssl/ssl.def
@@ -164,3 +164,11 @@ NSSSSL_GetVersion;
;+ local:
;+ *;
;+};
+;+NSS_3.13.2 { # NSS 3.13.2 release
+;+ global:
+SSL_SetNextProtoCallback;
+SSL_SetNextProtoNego;
+SSL_GetNextProto;
+;+ local:
+;+ *;
+;+};
View
58 security/nss/lib/ssl/ssl.h
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: ssl.h,v 1.44 2011/10/06 22:42:33 wtc%google.com Exp $ */
+/* $Id: ssl.h,v 1.45 2011/10/29 00:29:11 bsmith%mozilla.com Exp $ */
#ifndef __ssl_h_
#define __ssl_h_
@@ -181,6 +181,62 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
+/* SSLNextProtoCallback is called during the handshake for the client, when a
+ * Next Protocol Negotiation (NPN) extension has been received from the server.
+ * |protos| and |protosLen| define a buffer which contains the server's
+ * advertisement. This data is guaranteed to be well formed per the NPN spec.
+ * |protoOut| is a buffer provided by the caller, of length 255 (the maximum
+ * allowed by the protocol). On successful return, the protocol to be announced
+ * to the server will be in |protoOut| and its length in |*protoOutLen|.
+ *
+ * The callback must return SECFailure or SECSuccess (not SECWouldBlock).
+ */
+typedef SECStatus (PR_CALLBACK *SSLNextProtoCallback)(
+ void *arg,
+ PRFileDesc *fd,
+ const unsigned char* protos,
+ unsigned int protosLen,
+ unsigned char* protoOut,
+ unsigned int* protoOutLen,
+ unsigned int protoMaxOut);
+
+/* SSL_SetNextProtoCallback sets a callback function to handle Next Protocol
+ * Negotiation. It causes a client to advertise NPN. */
+SSL_IMPORT SECStatus SSL_SetNextProtoCallback(PRFileDesc *fd,
+ SSLNextProtoCallback callback,
+ void *arg);
+
+/* SSL_SetNextProtoNego can be used as an alternative to
+ * SSL_SetNextProtoCallback. It also causes a client to advertise NPN and
+ * installs a default callback function which selects the first supported
+ * protocol in server-preference order. If no matching protocol is found it
+ * selects the first supported protocol.
+ *
+ * The supported protocols are specified in |data| in wire-format (8-bit
+ * length-prefixed). For example: "\010http/1.1\006spdy/2". */
+SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd,
+ const unsigned char *data,
+ unsigned int length);
+
+typedef enum SSLNextProtoState {
+ SSL_NEXT_PROTO_NO_SUPPORT = 0, /* No peer support */
+ SSL_NEXT_PROTO_NEGOTIATED = 1, /* Mutual agreement */
+ SSL_NEXT_PROTO_NO_OVERLAP = 2 /* No protocol overlap found */
+} SSLNextProtoState;
+
+/* SSL_GetNextProto can be used in the HandshakeCallback or any time after
+ * a handshake to retrieve the result of the Next Protocol negotiation.
+ *
+ * The length of the negotiated protocol, if any, is written into *bufLen.
+ * If the negotiated protocol is longer than bufLenMax, then SECFailure is
+ * returned. Otherwise, the negotiated protocol, if any, is written into buf,
+ * and SECSuccess is returned. */
+SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd,
+ SSLNextProtoState *state,
+ unsigned char *buf,
+ unsigned int *bufLen,
+ unsigned int bufLenMax);
+
/*
** Control ciphers that SSL uses. If on is non-zero then the named cipher
** is enabled, otherwise it is disabled.
View
122 security/nss/lib/ssl/ssl3con.c
@@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.152 2011/10/01 03:59:54 bsmith%mozilla.com Exp $ */
+/* $Id: ssl3con.c,v 1.158 2011/11/19 21:58:21 bsmith%mozilla.com Exp $ */
#include "cert.h"
#include "ssl.h"
@@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss);
static SECStatus ssl3_SendCertificate( sslSocket *ss);
static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
+static SECStatus ssl3_SendNextProto( sslSocket *ss);
static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
static SECStatus ssl3_SendServerHello( sslSocket *ss);
static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
@@ -237,9 +238,6 @@ static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
#define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
-/* This is a hack to make sure we don't do double handshakes for US policy */
-PRBool ssl3_global_policy_some_restricted = PR_FALSE;
-
/* This global item is used only in servers. It is is initialized by
** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
*/
@@ -3759,7 +3757,6 @@ ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
**************************************************************************/
/* Called from ssl3_HandleHelloRequest(),
- * ssl3_HandleFinished() (for step-up)
* ssl3_RedoHandshake()
* ssl2_BeginClientHandshake (when resuming ssl3 session)
*/
@@ -5583,7 +5580,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
}
switch (rv) {
case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
- ssl_SetAlwaysBlock(ss);
+ ssl3_SetAlwaysBlock(ss);
break; /* not an error */
case SECSuccess:
@@ -5788,6 +5785,14 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
if (rv != SECSuccess) {
goto loser; /* err code was set. */
}
+
+ if (!ss->firstHsDone) {
+ rv = ssl3_SendNextProto(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* err code was set. */
+ }
+ }
+
rv = ssl3_SendFinished(ss, 0);
if (rv != SECSuccess) {
goto loser; /* err code was set. */
@@ -7811,7 +7816,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
ssl3CertNode * lastCert = NULL;
ssl3CertNode * certs = NULL;
PRArenaPool * arena = NULL;
- CERTCertificate *cert;
PRInt32 remaining = 0;
PRInt32 size;
SECStatus rv;
@@ -7968,7 +7972,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
SSL_GETPID(), ss->fd));
ss->ssl3.peerCertChain = certs;
certs = NULL;
- ssl_SetAlwaysBlock(ss);
+ ssl3_SetAlwaysBlock(ss);
goto cert_block;
}
/* cert is bad */
@@ -7977,23 +7981,11 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
/* cert is good */
}
- /* start SSL Step Up, if appropriate */
- cert = ss->sec.peerCert;
- if (!isServer &&
- ssl3_global_policy_some_restricted &&
- ss->ssl3.policy == SSL_ALLOWED &&
- anyRestrictedEnabled(ss) &&
- SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
- PR_FALSE, /* checkSig */
- certUsageSSLServerWithStepUp,
-/*XXX*/ ss->authCertificateArg) ) {
- ss->ssl3.policy = SSL_RESTRICTED;
- ss->ssl3.hs.rehandshake = PR_TRUE;
- }
-
ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
if (!ss->sec.isServer) {
+ CERTCertificate *cert = ss->sec.peerCert;
+
/* set the server authentication and key exchange types and sizes
** from the value in the cert. If the key exchange key is different,
** it will get fixed when we handle the server key exchange message.
@@ -8133,8 +8125,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
int
ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
{
- CERTCertificate * cert;
- int rv = SECSuccess;
+ int rv = SECSuccess;
if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
SET_ERROR_CODE
@@ -8145,21 +8136,6 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
return SECFailure;
}
- cert = ss->sec.peerCert;
-
- /* Permit step up if user decided to accept the cert */
- if (!ss->sec.isServer &&
- ssl3_global_policy_some_restricted &&
- ss->ssl3.policy == SSL_ALLOWED &&
- anyRestrictedEnabled(ss) &&
- (SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
- PR_FALSE, /* checksig */
- certUsageSSLServerWithStepUp,
-/*XXX*/ ss->authCertificateArg) )) {
- ss->ssl3.policy = SSL_RESTRICTED;
- ss->ssl3.hs.rehandshake = PR_TRUE;
- }
-
if (ss->handshake != NULL) {
ss->handshake = ssl_GatherRecord1stHandshake;
ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
@@ -8221,6 +8197,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
}
/* called from ssl3_HandleServerHelloDone
+ */
+static SECStatus
+ssl3_SendNextProto(sslSocket *ss)
+{
+ SECStatus rv;
+ int padding_len;
+ static const unsigned char padding[32] = {0};
+
+ if (ss->ssl3.nextProto.len == 0)
+ return SECSuccess;
+
+ PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+ padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32);
+
+ rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len +
+ 2 + padding_len);
+ if (rv != SECSuccess) {
+ return rv; /* error code set by AppendHandshakeHeader */
+ }
+ rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data,
+ ss->ssl3.nextProto.len, 1);
+ if (rv != SECSuccess) {
+ return rv; /* error code set by AppendHandshake */
+ }
+ rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
+ if (rv != SECSuccess) {
+ return rv; /* error code set by AppendHandshake */
+ }
+ return rv;
+}
+
+/* called from ssl3_HandleServerHelloDone
* ssl3_HandleClientHello
* ssl3_HandleFinished
*/
@@ -8382,7 +8392,6 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
SECStatus rv = SECSuccess;
PRBool isServer = ss->sec.isServer;
PRBool isTLS;
- PRBool doStepUp;
SSL3KEAType effectiveExchKeyType;
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
@@ -8438,8 +8447,6 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
}
}
- doStepUp = (PRBool)(!isServer && ss->ssl3.hs.rehandshake);
-
ssl_GetXmitBufLock(ss); /*************************************/
if ((isServer && !ss->ssl3.hs.isResuming) ||
@@ -8465,32 +8472,32 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
goto xmit_loser; /* err is set. */
}
/* If this thread is in SSL_SecureSend (trying to write some data)
- ** or if it is going to step up,
** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
** last two handshake messages (change cipher spec and finished)
** will be sent in the same send/write call as the application data.
*/
- if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
+ if (ss->writerThread == PR_GetCurrentThread()) {
flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
}
+
+ if (!isServer && !ss->firstHsDone) {
+ rv = ssl3_SendNextProto(ss);
+ if (rv != SECSuccess) {
+ goto xmit_loser; /* err code was set. */
+ }
+ }
+
rv = ssl3_SendFinished(ss, flags);
if (rv != SECSuccess) {
goto xmit_loser; /* err is set. */
}
}
- /* Optimization: don't cache this connection if we're going to step up. */
- if (doStepUp) {
- ssl_FreeSID(sid);
- ss->sec.ci.sid = sid = NULL;
- ss->ssl3.hs.rehandshake = PR_FALSE;
- rv = ssl3_SendClientHello(ss);
xmit_loser:
- ssl_ReleaseXmitBufLock(ss);
- return rv; /* err code is set if appropriate. */
- }
-
ssl_ReleaseXmitBufLock(ss); /*************************************/
+ if (rv != SECSuccess) {
+ return rv;
+ }
/* The first handshake is now completed. */
ss->handshake = NULL;
@@ -9206,7 +9213,6 @@ ssl3_InitState(sslSocket *ss)
ssl_GetSpecWriteLock(ss);
ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
- ss->ssl3.hs.rehandshake = PR_FALSE;
ss->ssl3.hs.sendingSCSV = PR_FALSE;
ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
@@ -9315,10 +9321,6 @@ ssl3_SetPolicy(ssl3CipherSuite which, int policy)
}
suite->policy = policy;
- if (policy == SSL_RESTRICTED) {
- ssl3_global_policy_some_restricted = PR_TRUE;
- }
-
return SECSuccess;
}
@@ -9540,6 +9542,8 @@ ssl3_DestroySSL3Info(sslSocket *ss)
ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
ss->ssl3.initialized = PR_FALSE;
+
+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
}
/* End of ssl3con.c */
View
129 security/nss/lib/ssl/ssl3ext.c
@@ -41,7 +41,7 @@
* ***** END LICENSE BLOCK ***** */
/* TLS extension code moved here from ssl3ecc.c */
-/* $Id: ssl3ext.c,v 1.16 2011/03/24 01:40:14 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: ssl3ext.c,v 1.20 2011/11/16 19:12:35 kaie%kuix.de Exp $ */
#include "nssrenam.h"
#include "nss.h"
@@ -78,6 +78,12 @@ static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss,
PRBool append, PRUint32 maxBytes);
static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
+static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
+static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
+static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
+ PRUint32 maxBytes);
/*
* Write bytes. Using this function means the SECItem structure
@@ -235,6 +241,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
#endif
{ ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
+ { ssl_next_proto_neg_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
{ -1, NULL }
};
@@ -245,6 +252,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
/* TODO: add a handler for ssl_ec_point_formats_xtn */
{ ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
+ { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
{ -1, NULL }
};
@@ -267,7 +275,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
{ ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
{ ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
#endif
- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }
+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
+ { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }
/* any extra entries will appear as { 0, NULL } */
};
@@ -534,6 +543,122 @@ ssl3_SendSessionTicketXtn(
return -1;
}
+/* handle an incoming Next Protocol Negotiation extension. */
+static SECStatus
+ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
+{
+ if (ss->firstHsDone || data->len != 0) {
+ /* Clients MUST send an empty NPN extension, if any. */
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+/* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
+ * of the lengths may be 0 and the sum of the lengths must equal the length of
+ * the block. */
+SECStatus
+ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length)
+{
+ unsigned int offset = 0;
+
+ while (offset < length) {
+ unsigned int newOffset = offset + 1 + (unsigned int) data[offset];
+ /* Reject embedded nulls to protect against buggy applications that
+ * store protocol identifiers in null-terminated strings.
+ */
+ if (newOffset > length || data[offset] == 0) {
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+ offset = newOffset;
+ }
+
+ if (offset > length) {
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+static SECStatus
+ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data)
+{
+ SECStatus rv;
+ unsigned char resultBuffer[255];
+ SECItem result = { siBuffer, resultBuffer, 0 };
+
+ if (ss->firstHsDone) {
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ rv = ssl3_ValidateNextProtoNego(data->data, data->len);
+ if (rv != SECSuccess)
+ return rv;
+
+ /* ss->nextProtoCallback cannot normally be NULL if we negotiated the
+ * extension. However, It is possible that an application erroneously
+ * cleared the callback between the time we sent the ClientHello and now.
+ */
+ PORT_Assert(ss->nextProtoCallback != NULL);
+ if (!ss->nextProtoCallback) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
+ result.data, &result.len, sizeof resultBuffer);
+ if (rv != SECSuccess)
+ return rv;
+ /* If the callback wrote more than allowed to |result| it has corrupted our
+ * stack. */
+ if (result.len > sizeof result) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
+ return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
+}
+
+static PRInt32
+ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
+ PRUint32 maxBytes)
+{
+ PRInt32 extension_length;
+
+ /* Renegotiations do not send this extension. */
+ if (!ss->nextProtoCallback || ss->firstHsDone) {
+ return 0;
+ }
+
+ extension_length = 4;
+
+ if (append && maxBytes >= extension_length) {
+ SECStatus rv;
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_neg_xtn, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_next_proto_neg_xtn;
+ } else if (maxBytes < extension_length) {
+ return 0;
+ }
+
+ return extension_length;
+
+loser:
+ return -1;
+}
+
/*
* NewSessionTicket
* Called from ssl3_HandleFinished
View
5 security/nss/lib/ssl/ssl3prot.h
@@ -38,7 +38,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3prot.h,v 1.19 2010/06/24 09:24:18 nelson%bolyard.com Exp $ */
+/* $Id: ssl3prot.h,v 1.20 2011/10/29 00:29:11 bsmith%mozilla.com Exp $ */
#ifndef __ssl3proto_h_
#define __ssl3proto_h_
@@ -157,7 +157,8 @@ typedef enum {
server_hello_done = 14,
certificate_verify = 15,
client_key_exchange = 16,
- finished = 20
+ finished = 20,
+ next_proto = 67
} SSL3HandshakeType;
typedef struct {
View
164 security/nss/lib/ssl/sslcon.c
@@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslcon.c,v 1.42 2011/08/01 07:08:09 kaie%kuix.de Exp $ */
+/* $Id: sslcon.c,v 1.45 2011/11/19 21:58:21 bsmith%mozilla.com Exp $ */
#include "nssrenam.h"
#include "cert.h"
@@ -518,7 +518,6 @@ ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
* ssl2_HandleMessage() <- ssl_Do1stHandshake()
* ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
after ssl2_BeginClientHandshake()
- * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
* ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
after ssl2_BeginServerHandshake()
*
@@ -765,7 +764,6 @@ ssl2_SendCertificateRequestMessage(sslSocket *ss)
}
/* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
- * ssl2_RestartHandshakeAfterCertReq() <- (application)
* Acquires and releases the socket's xmitBufLock.
*/
static int
@@ -1177,7 +1175,6 @@ ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
/*
** Called from: ssl2_HandleServerHelloMessage,
** ssl2_HandleClientSessionKeyMessage,
-** ssl2_RestartHandshakeAfterServerCert,
** ssl2_HandleClientHelloMessage,
**
*/
@@ -1237,9 +1234,7 @@ ssl2_UseClearSendFunc(sslSocket *ss)
* ssl2_HandleServerHelloMessage
* ssl2_BeginClientHandshake
* ssl2_HandleClientSessionKeyMessage
- * ssl2_RestartHandshakeAfterCertReq
* ssl3_RestartHandshakeAfterCertReq
- * ssl2_RestartHandshakeAfterServerCert
* ssl3_RestartHandshakeAfterServerCert
* ssl2_HandleClientHelloMessage
* ssl2_BeginServerHandshake
@@ -2232,8 +2227,6 @@ ssl2_TriggerNextMessage(sslSocket *ss)
** ssl2_HandleVerifyMessage
** ssl2_HandleServerHelloMessage
** ssl2_HandleClientSessionKeyMessage
-** ssl2_RestartHandshakeAfterCertReq
-** ssl2_RestartHandshakeAfterServerCert
*/
static SECStatus
ssl2_TryToFinish(sslSocket *ss)
@@ -2267,7 +2260,6 @@ ssl2_TryToFinish(sslSocket *ss)
/*
** Called from ssl2_HandleRequestCertificate
-** ssl2_RestartHandshakeAfterCertReq
*/
static SECStatus
ssl2_SignResponse(sslSocket *ss,
@@ -2354,8 +2346,9 @@ ssl2_HandleRequestCertificate(sslSocket *ss)
ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
NULL, &cert, &key);
if ( ret == SECWouldBlock ) {
- ssl_SetAlwaysBlock(ss);
- goto done;
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ ret = -1;
+ goto loser;
}
if (ret) {
@@ -2715,8 +2708,7 @@ ssl2_HandleMessage(sslSocket *ss)
/************************************************************************/
-/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or
-** ssl2_RestartHandshakeAfterServerCert.
+/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage.
*/
static SECStatus
ssl2_HandleVerifyMessage(sslSocket *ss)
@@ -2936,19 +2928,16 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
if ( rv ) {
if ( rv == SECWouldBlock ) {
- /* someone will handle this connection asynchronously*/
-
- SSL_DBG(("%d: SSL[%d]: go to async cert handler",
- SSL_GETPID(), ss->fd));
- ssl_ReleaseRecvBufLock(ss);
- ssl_SetAlwaysBlock(ss);
- return SECWouldBlock;
+ SSL_DBG(("%d: SSL[%d]: SSL2 bad cert handler returned "
+ "SECWouldBlock", SSL_GETPID(), ss->fd));
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ rv = SECFailure;
+ } else {
+ /* cert is bad */
+ SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
+ SSL_GETPID(), ss->fd, PORT_GetError()));
}
- /* cert is bad */
- SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
goto loser;
-
}
/* cert is good */
} else {
@@ -3331,133 +3320,6 @@ ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
}
/*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:
- * cert Client cert chosen by application.
- * key Private key associated with cert.
- *
- * XXX: need to make ssl2 and ssl3 versions of this function agree on whether
- * they take the reference, or bump the ref count!
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
- */
-int
-ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,
- CERTCertificate * cert,
- SECKEYPrivateKey * key)
-{
- int ret;
- SECStatus rv = SECSuccess;
- SECItem response;
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0)
- return SECFailure;
-
- response.data = NULL;
-
- /* generate error if no cert or key */
- if ( ( cert == NULL ) || ( key == NULL ) ) {
- goto no_cert;
- }
-
- /* generate signed response to the challenge */
- rv = ssl2_SignResponse(ss, key, &response);
- if ( rv != SECSuccess ) {
- goto no_cert;
- }
-
- /* Send response message */
- ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
- if (ret) {
- goto no_cert;
- }
-
- /* try to finish the handshake */
- ret = ssl2_TryToFinish(ss);
- if (ret) {
- goto loser;
- }
-
- /* done with handshake */
- if (ss->handshake == 0) {
- ret = SECSuccess;
- goto done;
- }
-
- /* continue handshake */
- ssl_GetRecvBufLock(ss);
- ss->gs.recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleMessage;
- ret = ssl2_TriggerNextMessage(ss);
- goto done;
-
-no_cert:
- /* no cert - send error */
- ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
- goto done;
-
-loser:
- ret = SECFailure;
-done:
- /* free allocated data */
- if ( response.data ) {
- PORT_Free(response.data);
- }
-
- return ret;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs
-** XXX Need to document here how an application marks a cert to show that
-** the application has accepted it (overridden CERT_VerifyCert).
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
-*/
-int
-ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
- int rv = SECSuccess;
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0)
- return SECFailure;
-
- /* SSL 2
- ** At this point we have a completed session key and our session
- ** cipher is setup and ready to go. Switch to encrypted write routine
- ** as all future message data is to be encrypted.
- */
- ssl2_UseEncryptedSendFunc(ss);
-
- rv = ssl2_TryToFinish(ss);
- if (rv == SECSuccess && ss->handshake != NULL) {
- /* handshake is not yet finished. */
-
- SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
- SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
- ss->sec.ci.elements));
-
- ssl_GetRecvBufLock(ss);
- ss->gs.recordLen = 0; /* mark it all used up. */
- ssl_ReleaseRecvBufLock(ss);
-
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleVerifyMessage;
- }
-
- return rv;
-}
-
-/*
** Handle the initial hello message from the client
**
** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
View
6 security/nss/lib/ssl/sslerr.h
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslerr.h,v 1.14 2011/10/05 18:07:18 emaldona%redhat.com Exp $ */
+/* $Id: sslerr.h,v 1.18 2011/11/19 21:58:21 bsmith%mozilla.com Exp $ */
#ifndef __SSL_ERR_H_
#define __SSL_ERR_H_
@@ -205,6 +205,10 @@ SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114),
SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115),
+SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID = (SSL_ERROR_BASE + 116),
+
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 = (SSL_ERROR_BASE + 117),
+
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
} SSLErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */
View
27 security/nss/lib/ssl/sslimpl.h
@@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.84 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
+/* $Id: sslimpl.h,v 1.90 2011/11/19 21:58:21 bsmith%mozilla.com Exp $ */
#ifndef __sslimpl_h_
#define __sslimpl_h_
@@ -313,6 +313,10 @@ typedef struct {
#endif /* NSS_ENABLE_ECC */
typedef struct sslOptionsStr {
+ /* If SSL_SetNextProtoNego has been called, then this contains the
+ * list of supported protocols. */
+ SECItem nextProtoNego;
+
unsigned int useSecurity : 1; /* 1 */
unsigned int useSocks : 1; /* 2 */
unsigned int requestCertificate : 1; /* 3 */
@@ -771,8 +775,6 @@ const ssl3CipherSuiteDef *suite_def;
unsigned long msg_len;
SECItem ca_list; /* used only by client */
PRBool isResuming; /* are we resuming a session */
- PRBool rehandshake; /* immediately start another handshake
- * when this one finishes */
PRBool usedStepDownKey; /* we did a server key exchange. */
PRBool sendingSCSV; /* instead of empty RI */
sslBuffer msgState; /* current state for handshake messages*/
@@ -828,6 +830,12 @@ struct ssl3StateStr {
PRBool initialized;
SSL3HandshakeState hs;
ssl3CipherSpec specs[2]; /* one is current, one is pending. */
+
+ /* In a client: if the server supports Next Protocol Negotiation, then
+ * this is the protocol that was negotiated.
+ */
+ SECItem nextProto;
+ SSLNextProtoState nextProtoState;
};
typedef struct {
@@ -1059,6 +1067,8 @@ const unsigned char * preferredCipher;
SSLHandshakeCallback handshakeCallback;
void *handshakeCallbackData;
void *pkcs11PinArg;
+ SSLNextProtoCallback nextProtoCallback;
+ void *nextProtoArg;
PRIntervalTime rTimeout; /* timeout for NSPR I/O */
PRIntervalTime wTimeout; /* timeout for NSPR I/O */
@@ -1138,7 +1148,6 @@ extern FILE * ssl_keylog_iob;
extern CERTDistNames * ssl3_server_ca_list;
extern PRUint32 ssl_sid_timeout;
extern PRUint32 ssl3_sid_timeout;
-extern PRBool ssl3_global_policy_some_restricted;
extern const char * const ssl_cipherName[];
extern const char * const ssl3_cipherName[];
@@ -1252,7 +1261,7 @@ extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
-extern void ssl_SetAlwaysBlock(sslSocket *ss);
+extern void ssl3_SetAlwaysBlock(sslSocket *ss);
extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
@@ -1341,16 +1350,11 @@ extern void ssl_FreeSocket(struct sslSocketStr *ssl);
extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
SSL3AlertDescription desc);
-extern int ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,
- CERTCertificate * cert,
- SECKEYPrivateKey * key);
-
extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
CERTCertificate * cert,
SECKEYPrivateKey * key,
CERTCertificateList *certChain);
-extern int ssl2_RestartHandshakeAfterServerCert(sslSocket *ss);
extern int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss);
/*
@@ -1569,6 +1573,9 @@ extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
#define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */
#define TLS_EX_SESS_TICKET_VERSION (0x0100)
+extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
+ unsigned int length);
+
/* Construct a new NSPR socket for the app to use */
extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
extern void ssl_FreePRSocket(PRFileDesc *fd);
View
27 security/nss/lib/ssl/sslsecur.c
@@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslsecur.c,v 1.49 2011/04/08 05:37:44 wtc%google.com Exp $ */
+/* $Id: sslsecur.c,v 1.53 2011/11/19 21:58:21 bsmith%mozilla.com Exp $ */
#include "cert.h"
#include "secitem.h"
#include "keyhi.h"
@@ -173,7 +173,7 @@ ssl_Do1stHandshake(sslSocket *ss)
* retry on a connection on the next read/write.
*/
static SECStatus
-AlwaysBlock(sslSocket *ss)
+ssl3_AlwaysBlock(sslSocket *ss)
{
PORT_SetError(PR_WOULD_BLOCK_ERROR); /* perhaps redundant. */
return SECWouldBlock;
@@ -183,10 +183,10 @@ AlwaysBlock(sslSocket *ss)
* set the initial handshake state machine to block
*/
void
-ssl_SetAlwaysBlock(sslSocket *ss)
+ssl3_SetAlwaysBlock(sslSocket *ss)
{
if (!ss->firstHsDone) {
- ss->handshake = AlwaysBlock;
+ ss->handshake = ssl3_AlwaysBlock;
ss->nextHandshake = 0;
}
}
@@ -392,6 +392,18 @@ SSL_ForceHandshake(PRFileDesc *fd)
if (!ss->opt.useSecurity)
return SECSuccess;
+ if (!ssl_SocketIsBlocking(ss)) {
+ ssl_GetXmitBufLock(ss);
+ if (ss->pendingBuf.len != 0) {
+ rv = ssl_SendSavedWriteData(ss);
+ if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
+ ssl_ReleaseXmitBufLock(ss);
+ return SECFailure;
+ }
+ }
+ ssl_ReleaseXmitBufLock(ss);
+ }
+
ssl_Get1stHandshakeLock(ss);
if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
@@ -1141,7 +1153,6 @@ ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
ssl_ReleaseXmitBufLock(ss);
return SECFailure;
}
- /* XXX short write? */
}
ssl_ReleaseXmitBufLock(ss);
}
@@ -1489,7 +1500,8 @@ SSL_RestartHandshakeAfterCertReq(sslSocket * ss,
if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
} else {
- ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ ret = SECFailure;
}
ssl_Release1stHandshakeLock(ss); /************************************/
@@ -1516,7 +1528,8 @@ SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
rv = ssl3_RestartHandshakeAfterServerCert(ss);
} else {
- rv = ssl2_RestartHandshakeAfterServerCert(ss);
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ rv = SECFailure;
}
ssl_Release1stHandshakeLock(ss);
View
167 security/nss/lib/ssl/sslsock.c
@@ -40,7 +40,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.75 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
+/* $Id: sslsock.c,v 1.80 2011/11/17 00:20:22 bsmith%mozilla.com Exp $ */
#include "seccomon.h"
#include "cert.h"
#include "keyhi.h"
@@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */
** default settings for socket enables
*/
static sslOptions ssl_defaults = {
+ { siBuffer, NULL, 0 }, /* nextProtoNego */
PR_TRUE, /* useSecurity */
PR_FALSE, /* useSocks */
PR_FALSE, /* requestCertificate */
@@ -440,6 +441,7 @@ ssl_DestroySocketContents(sslSocket *ss)
ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
ss->ephemeralECDHKeyPair = NULL;
}
+ SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
PORT_Assert(!ss->xtnData.sniNameArr);
if (ss->xtnData.sniNameArr) {
PORT_Free(ss->xtnData.sniNameArr);
@@ -1212,7 +1214,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
SECStatus
NSS_SetDomesticPolicy(void)
{
-#ifndef EXPORT_VERSION
SECStatus status = SECSuccess;
cipherPolicy * policy;
@@ -1222,37 +1223,18 @@ NSS_SetDomesticPolicy(void)
break;
}
return status;
-#else
- return NSS_SetExportPolicy();
-#endif
}
SECStatus
NSS_SetExportPolicy(void)
{
- SECStatus status = SECSuccess;
- cipherPolicy * policy;
-
- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
- status = SSL_SetPolicy(policy->cipher, policy->export);
- if (status != SECSuccess)
- break;
- }
- return status;
+ return NSS_SetDomesticPolicy();
}
SECStatus
NSS_SetFrancePolicy(void)
{
- SECStatus status = SECSuccess;
- cipherPolicy * policy;
-
- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
- status = SSL_SetPolicy(policy->cipher, policy->france);
- if (status != SECSuccess)
- break;
- }
- return status;
+ return NSS_SetDomesticPolicy();
}
@@ -1301,6 +1283,145 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
return fd;
}
+SECStatus
+SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback,
+ void *arg)
+{
+ sslSocket *ss = ssl_FindSocket(fd);
+
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETPID(),
+ fd));
+ return SECFailure;
+ }
+
+ ssl_GetSSL3HandshakeLock(ss);
+ ss->nextProtoCallback = callback;
+ ss->nextProtoArg = arg;
+ ssl_ReleaseSSL3HandshakeLock(ss);
+
+ return SECSuccess;
+}
+
+/* NextProtoStandardCallback is set as an NPN callback for the case when
+ * SSL_SetNextProtoNego is used.
+ */
+static SECStatus
+ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd,
+ const unsigned char *protos, unsigned int protos_len,
+ unsigned char *protoOut, unsigned int *protoOutLen,
+ unsigned int protoMaxLen)
+{
+ unsigned int i, j;
+ const unsigned char *result;
+ sslSocket *ss = ssl_FindSocket(fd);
+
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ if (protos_len == 0) {
+ /* The server supports the extension, but doesn't have any protocols
+ * configured. In this case we request our favoured protocol. */
+ goto pick_first;
+ }
+
+ /* For each protocol in server preference, see if we support it. */
+ for (i = 0; i < protos_len; ) {
+ for (j = 0; j < ss->opt.nextProtoNego.len; ) {
+ if (protos[i] == ss->opt.nextProtoNego.data[j] &&
+ PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1],
+ protos[i]) == 0) {
+ /* We found a match. */
+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
+ result = &protos[i];
+ goto found;
+ }
+ j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j];
+ }
+ i += 1 + (unsigned int)protos[i];
+ }
+
+pick_first:
+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_OVERLAP;
+ result = ss->opt.nextProtoNego.data;
+
+found:
+ *protoOutLen = result[0];
+ if (protoMaxLen < result[0]) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+ memcpy(protoOut, result + 1, result[0]);
+ return SECSuccess;
+}
+
+SECStatus
+SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
+ unsigned int length)
+{
+ sslSocket *ss;
+ SECStatus rv;
+ SECItem dataItem = { siBuffer, (unsigned char *) data, length };
+
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess)
+ return SECFailure;
+
+ ssl_GetSSL3HandshakeLock(ss);
+ SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
+ rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &dataItem);
+ ssl_ReleaseSSL3HandshakeLock(ss);
+
+ if (rv != SECSuccess)
+ return rv;
+
+ return SSL_SetNextProtoCallback(fd, ssl_NextProtoNegoCallback, NULL);
+}
+
+SECStatus
+SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf,
+ unsigned int *bufLen, unsigned int bufLenMax)
+{
+ sslSocket *ss = ssl_FindSocket(fd);
+
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(),
+ fd));
+ return SECFailure;
+ }
+
+ if (!state || !buf || !bufLen) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ *state = ss->ssl3.nextProtoState;
+
+ if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT &&
+ ss->ssl3.nextProto.data) {
+ *bufLen = ss->ssl3.nextProto.len;
+ if (*bufLen > bufLenMax) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ *bufLen = 0;
+ return SECFailure;
+ }
+ PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
+ } else {
+ *bufLen = 0;
+ }
+
+ return SECSuccess;
+}
+
PRFileDesc *
SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
{
View
5 security/nss/lib/ssl/sslt.h
@@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslt.h,v 1.16 2010/02/04 03:21:11 wtc%google.com Exp $ */
+/* $Id: sslt.h,v 1.17 2011/10/29 00:29:11 bsmith%mozilla.com Exp $ */
#ifndef __sslt_h_
#define __sslt_h_
@@ -203,9 +203,10 @@ typedef enum {
ssl_ec_point_formats_xtn = 11,
#endif
ssl_session_ticket_xtn = 35,
+ ssl_next_proto_neg_xtn = 13172,
ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
} SSLExtensionType;
-#define SSL_MAX_EXTENSIONS 5
+#define SSL_MAX_EXTENSIONS 6
#endif /* __sslt_h_ */
View
6 security/nss/lib/util/nssutil.h
@@ -51,12 +51,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.13.1.0"
+#define NSSUTIL_VERSION "3.13.2.0 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 13
-#define NSSUTIL_VPATCH 1
+#define NSSUTIL_VPATCH 2
#define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_FALSE
+#define NSSUTIL_BETA PR_TRUE
SEC_BEGIN_PROTOS
View
7 security/nss/lib/util/pkcs11n.h
@@ -39,7 +39,7 @@
#define _PKCS11N_H_
#ifdef DEBUG
-static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.23 $ $Date: 2011/09/14 01:21:10 $";
+static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.27 $ $Date: 2011/11/24 12:26:35 $";
#endif /* DEBUG */
/*
@@ -162,7 +162,6 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.23 $
#define CKA_CERT_MD5_HASH (CKA_TRUST + 101)
/* NSS trust stuff */
-/* XXX fgmr new ones here-- step-up, etc. */
/* HISTORICAL: define used to pass in the database key for DSA private keys */
#define CKA_NETSCAPE_DB 0xD5A0DB00L
@@ -346,7 +345,7 @@ typedef CK_ULONG CK_TRUST;
* labels have never been accurate to what was really implemented.
* The new labels correctly reflect what the values effectively mean.
*/
-#if __GNUC__ > 3
+#if defined(__GNUC__) && (__GNUC__ > 3)
/* make GCC warn when we use these #defines */
/*
* This is really painful because GCC doesn't allow us to mark random
@@ -362,7 +361,7 @@ typedef CK_ULONG CK_TRUST;
* cast the resulting value to the deprecated type in the #define, thus
* producting the warning when the #define is used.
*/
-#if (__GNUC__ == 4) && (__GNUC_MINOR < 5)
+#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
/* The mac doesn't like the friendlier deprecate messages. I'm assuming this
* is a gcc version issue rather than mac or ppc specific */
typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated));
View
2 security/nss/lib/util/secder.h
@@ -43,7 +43,7 @@
* secder.h - public data structures and prototypes for the DER encoding and
* decoding utilities library
*
- * $Id: secder.h,v 1.13 2008/06/18 01:04:23 wtc%google.com Exp $
+ * $Id: secder.h,v 1.15 2011/11/16 19:12:36 kaie%kuix.de Exp $
*/
#if defined(_WIN32_WCE)
View
2 security/nss/lib/util/secoid.h
@@ -42,7 +42,7 @@
/*
* secoid.h - public data structures and prototypes for ASN.1 OID functions
*
- * $Id: secoid.h,v 1.14 2009/11/11 23:24:33 alexei.volkov.bugs%sun.com Exp $
+ * $Id: secoid.h,v 1.16 2011/11/16 19:12:36 kaie%kuix.de Exp $
*/
#include "plarena.h"
View
10 security/nss/tests/pkits/pkits.sh
@@ -127,7 +127,7 @@ pkits_init()
${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \
$certs/TrustAnchorRootCertificate.crt -d $PKITSdb
if [ -z "$NSS_NO_PKITS_CRLS" ]; then
- ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb}
+ ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} -f ${PKITSdb}/pw
else
html "<H3>NO CRLs are being used.</H3>"
pkits_log "NO CRLs are being used."
@@ -234,8 +234,8 @@ pkitsn()
crlImport()
{
if [ -z "$NSS_NO_PKITS_CRLS" ]; then
- echo "crlutil -d $PKITSdb -I -i $crls/$*"
- ${BINDIR}/crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
+ echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*"
+ ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
RET=$?
cat ${PKITSDIR}/cmdout.txt
@@ -254,8 +254,8 @@ crlImportn()
{
RET=0
if [ -z "$NSS_NO_PKITS_CRLS" ]; then
- echo "crlutil -d $PKITSdb -I -i $crls/$*"
- ${BINDIR}/crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
+ echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*"
+ ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
RET=$?
cat ${PKITSDIR}/cmdout.txt

0 comments on commit 050ebaa

Please sign in to comment.
Something went wrong with that request. Please try again.