OLD | NEW |
(Empty) | |
| 1 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con
.c |
| 2 index e8a7f01..b6f4313 100644 |
| 3 --- a/net/third_party/nss/ssl/ssl3con.c |
| 4 +++ b/net/third_party/nss/ssl/ssl3con.c |
| 5 @@ -6087,10 +6087,17 @@ ssl3_CanFalseStart(sslSocket *ss) { |
| 6 !ss->sec.isServer && |
| 7 !ss->ssl3.hs.isResuming && |
| 8 ss->ssl3.cwSpec && |
| 9 + |
| 10 + /* An attacker can control the selected ciphersuite so we only wish to |
| 11 + * do False Start in the case that the selected ciphersuite is |
| 12 + * sufficiently strong that the attack can gain no advantage. |
| 13 + * Therefore we require an 80-bit cipher and a forward-secret key |
| 14 + * exchange. */ |
| 15 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 && |
| 16 - (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa || |
| 17 - ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh || |
| 18 - ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh); |
| 19 + (ss->ssl3.hs.kea_def->kea == kea_dhe_dss || |
| 20 + ss->ssl3.hs.kea_def->kea == kea_dhe_rsa || |
| 21 + ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa || |
| 22 + ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa); |
| 23 ssl_ReleaseSpecReadLock(ss); |
| 24 return rv; |
| 25 } |
| 26 diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext
.c |
| 27 index 80c1f7f..6d5866b 100644 |
| 28 --- a/net/third_party/nss/ssl/ssl3ext.c |
| 29 +++ b/net/third_party/nss/ssl/ssl3ext.c |
| 30 @@ -567,6 +567,12 @@ ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16
ex_type, SECItem *dat |
| 31 return SECFailure; |
| 32 } |
| 33 |
| 34 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| 35 + |
| 36 + /* TODO: server side NPN support would require calling |
| 37 + * ssl3_RegisterServerHelloExtensionSender here in order to echo the |
| 38 + * extension back to the client. */ |
| 39 + |
| 40 return SECSuccess; |
| 41 } |
| 42 |
| 43 @@ -635,6 +641,8 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex
_type, |
| 44 return SECFailure; |
| 45 } |
| 46 |
| 47 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| 48 + |
| 49 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
| 50 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); |
| 51 } |
OLD | NEW |