Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(590)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/patches/secret_exporter.patch

Issue 7493056: net: allow SSL secrets to be exported sooner. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 9 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/socket/ssl_server_socket_nss.cc ('k') | net/third_party/nss/ssl/ssl.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/secret_exporter.patch
diff --git a/net/third_party/nss/patches/secret_exporter.patch b/net/third_party/nss/patches/secret_exporter.patch
index 8e042521c4e33d5e2bb11f1d7b948f726e1aea63..7e6eaa05ae79eeec24c015ac30fdfaeb04e6b630 100644
--- a/net/third_party/nss/patches/secret_exporter.patch
+++ b/net/third_party/nss/patches/secret_exporter.patch
@@ -1,4 +1,4 @@
-commit 58913147a052b19246ac946077484d033d309287
+commit c92170f883e6cfdc2c2dc6dbb49d3e6b8e9928f1
Author: Adam Langley <agl@chromium.org>
Date: Thu Jul 21 11:34:32 2011 -0400
@@ -17,32 +17,34 @@ index 7ef15db..1993d3e 100644
SSL_GetStapledOCSPResponse;
SSL_HandshakeResumedSession;
diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
-index 53ca301..1537aae 100644
+index 53ca301..6b364bb 100644
--- a/mozilla/security/nss/lib/ssl/ssl.h
+++ b/mozilla/security/nss/lib/ssl/ssl.h
-@@ -686,6 +686,17 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
+@@ -686,6 +686,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
/* Returnes negotiated through SNI host info. */
SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd);
+/* Export keying material according to RFC 5705.
+** fd must correspond to a TLS 1.0 or higher socket and out must
-+** already be allocated.
++** already be allocated. If contextLen is zero it uses the no-context
++** construction from the RFC.
+*/
+SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
+ const char *label,
++ unsigned int labelLen,
+ const unsigned char *context,
-+ unsigned int contextlen,
++ unsigned int contextLen,
+ unsigned char *out,
-+ unsigned int outlen);
++ unsigned int outLen);
+
/*
** Return a new reference to the certificate that was most recently sent
** to the peer on this SSL/TLS connection, or NULL if none has been sent.
diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index c39b8f8..dee5555 100644
+index 66071d2..3bda2f3 100644
--- a/mozilla/security/nss/lib/ssl/ssl3con.c
+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
-@@ -8442,18 +8442,17 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
+@@ -8443,33 +8443,33 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
return rv;
}
@@ -67,11 +69,15 @@ index c39b8f8..dee5555 100644
- label = isServer ? "server finished" : "client finished";
- len = 15;
+ SECStatus rv = SECSuccess;
-+ unsigned int retLen;
if (spec->master_secret && !spec->bypassCiphers) {
SECItem param = {siBuffer, NULL, 0};
-@@ -8464,11 +8463,11 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
+ PK11Context *prf_context =
+ PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN,
+ spec->master_secret, &param);
++ unsigned int retLen;
++
+ if (!prf_context)
return SECFailure;
rv = PK11_DigestBegin(prf_context);
@@ -88,7 +94,7 @@ index c39b8f8..dee5555 100644
PK11_DestroyContext(prf_context, PR_TRUE);
} else {
-@@ -8477,17 +8476,34 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
+@@ -8478,17 +8478,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
SECItem outData = { siBuffer, };
PRBool isFIPS = PR_FALSE;
@@ -116,10 +122,12 @@ index c39b8f8..dee5555 100644
+{
+ const char * label;
+ SECStatus rv;
++ unsigned int len;
+
+ label = isServer ? "server finished" : "client finished";
++ len = 15;
+
-+ rv = ssl3_TLSPRFWithMasterSecret(spec, label, 15, hashes->md5,
++ rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5,
+ sizeof *hashes, tlsFinished->verify_data,
+ sizeof tlsFinished->verify_data);
+
@@ -147,7 +155,7 @@ index df30029..073616f 100644
void FNV1A64_Init(PRUint64 *digest);
diff --git a/mozilla/security/nss/lib/ssl/sslinfo.c b/mozilla/security/nss/lib/ssl/sslinfo.c
-index 96377b0..9a58b4d 100644
+index 96377b0..cf870c7 100644
--- a/mozilla/security/nss/lib/ssl/sslinfo.c
+++ b/mozilla/security/nss/lib/ssl/sslinfo.c
@@ -20,6 +20,7 @@
@@ -158,24 +166,18 @@ index 96377b0..9a58b4d 100644
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
-@@ -38,6 +39,7 @@
- #include "ssl.h"
- #include "sslimpl.h"
- #include "sslproto.h"
-+#include "pk11func.h"
-
- static const char *
- ssl_GetCompressionMethodName(SSLCompressionMethod compression)
-@@ -316,6 +318,67 @@ SSL_IsExportCipherSuite(PRUint16 cipherSuite)
+@@ -316,6 +317,69 @@ SSL_IsExportCipherSuite(PRUint16 cipherSuite)
return PR_FALSE;
}
-+/* Export keying material according to draft-ietf-tls-extractor-06.
++/* Export keying material according to RFC 5705.
+** fd must correspond to a TLS 1.0 or higher socket, out must
+** be already allocated.
+*/
+SECStatus
-+SSL_ExportKeyingMaterial(PRFileDesc *fd, const char *label,
++SSL_ExportKeyingMaterial(PRFileDesc *fd,
++ const char *label,
++ unsigned int labelLen,
+ const unsigned char *context,
+ unsigned int contextLen,
+ unsigned char *out,
@@ -198,11 +200,6 @@ index 96377b0..9a58b4d 100644
+ return SECFailure;
+ }
+
-+ if (ss->ssl3.hs.ws != idle_handshake) {
-+ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
-+ return SECFailure;
-+ }
-+
+ valLen = SSL3_RANDOM_LENGTH * 2;
+ if (contextLen > 0)
+ valLen += 2 /* uint16 length */ + contextLen;
@@ -223,11 +220,16 @@ index 96377b0..9a58b4d 100644
+ PORT_Assert(i == valLen);
+
+ ssl_GetSpecReadLock(ss);
-+ rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.crSpec, label, strlen(label), val, valLen, out, outLen);
++ if (!ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len) {
++ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
++ rv = SECFailure;
++ } else {
++ rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val,
++ valLen, out, outLen);
++ }
+ ssl_ReleaseSpecReadLock(ss);
+
-+ if (val != NULL)
-+ PORT_ZFree(val, valLen);
++ PORT_ZFree(val, valLen);
+ return rv;
+}
+
« no previous file with comments | « net/socket/ssl_server_socket_nss.cc ('k') | net/third_party/nss/ssl/ssl.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698