Index: net/third_party/nss/patches/cbcrandomiv.patch |
=================================================================== |
--- net/third_party/nss/patches/cbcrandomiv.patch (revision 124804) |
+++ net/third_party/nss/patches/cbcrandomiv.patch (working copy) |
@@ -1,181 +0,0 @@ |
-From fb2d182ed92f38bd9c1134bb929f095ea6d3e752 Mon Sep 17 00:00:00 2001 |
-From: Adam Langley <agl@chromium.org> |
-Date: Mon, 3 Oct 2011 12:23:29 -0400 |
-Subject: [PATCH] cbcrandomiv.patch |
- |
---- |
- mozilla/security/nss/lib/ssl/ssl3con.c | 97 +++++++++++++++++++++++--------- |
- 1 files changed, 70 insertions(+), 27 deletions(-) |
- |
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c |
-index dd99962..d561307 100644 |
---- a/mozilla/security/nss/lib/ssl/ssl3con.c |
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c |
-@@ -2039,24 +2039,24 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
- return isPresent; |
- } |
- |
-+/* Caller must hold the spec read lock. wrBuf is sometimes, but not always, |
-+ * ss->sec.writeBuf. |
-+ */ |
- static SECStatus |
--ssl3_CompressMACEncryptRecord(sslSocket * ss, |
-+ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, |
-+ PRBool isServer, |
- SSL3ContentType type, |
- const SSL3Opaque * pIn, |
-- PRUint32 contentLen) |
-+ PRUint32 contentLen, |
-+ sslBuffer * wrBuf) |
- { |
-- ssl3CipherSpec * cwSpec; |
- const ssl3BulkCipherDef * cipher_def; |
-- sslBuffer * wrBuf = &ss->sec.writeBuf; |
- SECStatus rv; |
- PRUint32 macLen = 0; |
- PRUint32 fragLen; |
- PRUint32 p1Len, p2Len, oddLen = 0; |
- PRInt32 cipherBytes = 0; |
- |
-- ssl_GetSpecReadLock(ss); /********************************/ |
-- |
-- cwSpec = ss->ssl3.cwSpec; |
- cipher_def = cwSpec->cipher_def; |
- |
- if (cwSpec->compressor) { |
-@@ -2073,12 +2073,12 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, |
- /* |
- * Add the MAC |
- */ |
-- rv = ssl3_ComputeRecordMAC( cwSpec, (PRBool)(ss->sec.isServer), |
-+ rv = ssl3_ComputeRecordMAC( cwSpec, isServer, |
- type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
- wrBuf->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen); |
- if (rv != SECSuccess) { |
- ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
-- goto spec_locked_loser; |
-+ return SECFailure; |
- } |
- p1Len = contentLen; |
- p2Len = macLen; |
-@@ -2131,7 +2131,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, |
- PORT_Assert(rv == SECSuccess && cipherBytes == p1Len); |
- if (rv != SECSuccess || cipherBytes != p1Len) { |
- PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
-- goto spec_locked_loser; |
-+ return SECFailure; |
- } |
- } |
- if (p2Len > 0) { |
-@@ -2145,7 +2145,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, |
- PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len); |
- if (rv != SECSuccess || cipherBytesPart2 != p2Len) { |
- PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
-- goto spec_locked_loser; |
-+ return SECFailure; |
- } |
- cipherBytes += cipherBytesPart2; |
- } |
-@@ -2160,13 +2160,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, |
- wrBuf->buf[3] = MSB(cipherBytes); |
- wrBuf->buf[4] = LSB(cipherBytes); |
- |
-- ssl_ReleaseSpecReadLock(ss); /************************************/ |
-- |
- return SECSuccess; |
-- |
--spec_locked_loser: |
-- ssl_ReleaseSpecReadLock(ss); |
-- return SECFailure; |
- } |
- |
- /* Process the plain text before sending it. |
-@@ -2227,20 +2221,71 @@ ssl3_SendRecord( sslSocket * ss, |
- |
- while (nIn > 0) { |
- PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH); |
-+ unsigned int spaceNeeded; |
-+ unsigned int numRecords; |
-+ |
-+ ssl_GetSpecReadLock(ss); /********************************/ |
-+ |
-+ if (nIn > 1 && |
-+ ss->opt.enableFalseStart && |
-+ ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS && |
-+ type == content_application_data && |
-+ ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) { |
-+ /* We will split the first byte of the record into its own record, |
-+ * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h |
-+ */ |
-+ numRecords = 2; |
-+ } else { |
-+ numRecords = 1; |
-+ } |
- |
-- if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) { |
-- PRInt32 newSpace = PR_MAX(wrBuf->space * 2, contentLen); |
-- newSpace = PR_MIN(newSpace, MAX_FRAGMENT_LENGTH); |
-- newSpace += SSL3_BUFFER_FUDGE; |
-- rv = sslBuffer_Grow(wrBuf, newSpace); |
-+ spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE); |
-+ if (spaceNeeded > wrBuf->space) { |
-+ rv = sslBuffer_Grow(wrBuf, spaceNeeded); |
- if (rv != SECSuccess) { |
- SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", |
-- SSL_GETPID(), ss->fd, newSpace)); |
-- return SECFailure; /* sslBuffer_Grow set a memory error code. */ |
-+ SSL_GETPID(), ss->fd, spaceNeeded)); |
-+ goto spec_locked_loser; /* sslBuffer_Grow set a memory error code. */ |
-+ } |
-+ } |
-+ |
-+ if (numRecords == 2) { |
-+ sslBuffer secondRecord; |
-+ |
-+ rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
-+ ss->sec.isServer, type, pIn, 1, |
-+ wrBuf); |
-+ if (rv != SECSuccess) |
-+ goto spec_locked_loser; |
-+ |
-+ PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", |
-+ wrBuf->buf, wrBuf->len)); |
-+ |
-+ secondRecord.buf = wrBuf->buf + wrBuf->len; |
-+ secondRecord.len = 0; |
-+ secondRecord.space = wrBuf->space - wrBuf->len; |
-+ |
-+ rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
-+ ss->sec.isServer, type, pIn + 1, |
-+ contentLen - 1, &secondRecord); |
-+ if (rv == SECSuccess) { |
-+ PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", |
-+ secondRecord.buf, secondRecord.len)); |
-+ wrBuf->len += secondRecord.len; |
-+ } |
-+ } else { |
-+ rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
-+ ss->sec.isServer, type, pIn, |
-+ contentLen, wrBuf); |
-+ if (rv == SECSuccess) { |
-+ PRINT_BUF(50, (ss, "send (encrypted) record data [1/1]:", |
-+ wrBuf->buf, wrBuf->len)); |
- } |
- } |
- |
-- rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen); |
-+spec_locked_loser: |
-+ ssl_ReleaseSpecReadLock(ss); /************************************/ |
-+ |
- if (rv != SECSuccess) |
- return SECFailure; |
- |
-@@ -2248,8 +2293,6 @@ ssl3_SendRecord( sslSocket * ss, |
- nIn -= contentLen; |
- PORT_Assert( nIn >= 0 ); |
- |
-- PRINT_BUF(50, (ss, "send (encrypted) record data:", wrBuf->buf, wrBuf->len)); |
-- |
- /* If there's still some previously saved ciphertext, |
- * or the caller doesn't want us to send the data yet, |
- * then add all our new ciphertext to the amount previously saved. |