| Index: net/third_party/nss/patches/cbcrandomiv.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/cbcrandomiv.patch (revision 123842)
|
| +++ net/third_party/nss/patches/cbcrandomiv.patch (working copy)
|
| @@ -1,181 +0,0 @@
|
| -From fb2d182ed92f38bd9c1134bb929f095ea6d3e752 Mon Sep 17 00:00:00 2001
|
| -From: Adam Langley <agl@chromium.org>
|
| -Date: Mon, 3 Oct 2011 12:23:29 -0400
|
| -Subject: [PATCH] cbcrandomiv.patch
|
| -
|
| ----
|
| - mozilla/security/nss/lib/ssl/ssl3con.c | 97 +++++++++++++++++++++++---------
|
| - 1 files changed, 70 insertions(+), 27 deletions(-)
|
| -
|
| -diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
|
| -index dd99962..d561307 100644
|
| ---- a/mozilla/security/nss/lib/ssl/ssl3con.c
|
| -+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
|
| -@@ -2039,24 +2039,24 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
|
| - return isPresent;
|
| - }
|
| -
|
| -+/* Caller must hold the spec read lock. wrBuf is sometimes, but not always,
|
| -+ * ss->sec.writeBuf.
|
| -+ */
|
| - static SECStatus
|
| --ssl3_CompressMACEncryptRecord(sslSocket * ss,
|
| -+ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
|
| -+ PRBool isServer,
|
| - SSL3ContentType type,
|
| - const SSL3Opaque * pIn,
|
| -- PRUint32 contentLen)
|
| -+ PRUint32 contentLen,
|
| -+ sslBuffer * wrBuf)
|
| - {
|
| -- ssl3CipherSpec * cwSpec;
|
| - const ssl3BulkCipherDef * cipher_def;
|
| -- sslBuffer * wrBuf = &ss->sec.writeBuf;
|
| - SECStatus rv;
|
| - PRUint32 macLen = 0;
|
| - PRUint32 fragLen;
|
| - PRUint32 p1Len, p2Len, oddLen = 0;
|
| - PRInt32 cipherBytes = 0;
|
| -
|
| -- ssl_GetSpecReadLock(ss); /********************************/
|
| --
|
| -- cwSpec = ss->ssl3.cwSpec;
|
| - cipher_def = cwSpec->cipher_def;
|
| -
|
| - if (cwSpec->compressor) {
|
| -@@ -2073,12 +2073,12 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss,
|
| - /*
|
| - * Add the MAC
|
| - */
|
| -- rv = ssl3_ComputeRecordMAC( cwSpec, (PRBool)(ss->sec.isServer),
|
| -+ rv = ssl3_ComputeRecordMAC( cwSpec, isServer,
|
| - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
|
| - wrBuf->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen);
|
| - if (rv != SECSuccess) {
|
| - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
|
| -- goto spec_locked_loser;
|
| -+ return SECFailure;
|
| - }
|
| - p1Len = contentLen;
|
| - p2Len = macLen;
|
| -@@ -2131,7 +2131,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss,
|
| - PORT_Assert(rv == SECSuccess && cipherBytes == p1Len);
|
| - if (rv != SECSuccess || cipherBytes != p1Len) {
|
| - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
|
| -- goto spec_locked_loser;
|
| -+ return SECFailure;
|
| - }
|
| - }
|
| - if (p2Len > 0) {
|
| -@@ -2145,7 +2145,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss,
|
| - PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len);
|
| - if (rv != SECSuccess || cipherBytesPart2 != p2Len) {
|
| - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
|
| -- goto spec_locked_loser;
|
| -+ return SECFailure;
|
| - }
|
| - cipherBytes += cipherBytesPart2;
|
| - }
|
| -@@ -2160,13 +2160,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss,
|
| - wrBuf->buf[3] = MSB(cipherBytes);
|
| - wrBuf->buf[4] = LSB(cipherBytes);
|
| -
|
| -- ssl_ReleaseSpecReadLock(ss); /************************************/
|
| --
|
| - return SECSuccess;
|
| --
|
| --spec_locked_loser:
|
| -- ssl_ReleaseSpecReadLock(ss);
|
| -- return SECFailure;
|
| - }
|
| -
|
| - /* Process the plain text before sending it.
|
| -@@ -2227,20 +2221,71 @@ ssl3_SendRecord( sslSocket * ss,
|
| -
|
| - while (nIn > 0) {
|
| - PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
|
| -+ unsigned int spaceNeeded;
|
| -+ unsigned int numRecords;
|
| -+
|
| -+ ssl_GetSpecReadLock(ss); /********************************/
|
| -+
|
| -+ if (nIn > 1 &&
|
| -+ ss->opt.enableFalseStart &&
|
| -+ ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS &&
|
| -+ type == content_application_data &&
|
| -+ ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {
|
| -+ /* We will split the first byte of the record into its own record,
|
| -+ * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h
|
| -+ */
|
| -+ numRecords = 2;
|
| -+ } else {
|
| -+ numRecords = 1;
|
| -+ }
|
| -
|
| -- if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) {
|
| -- PRInt32 newSpace = PR_MAX(wrBuf->space * 2, contentLen);
|
| -- newSpace = PR_MIN(newSpace, MAX_FRAGMENT_LENGTH);
|
| -- newSpace += SSL3_BUFFER_FUDGE;
|
| -- rv = sslBuffer_Grow(wrBuf, newSpace);
|
| -+ spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE);
|
| -+ if (spaceNeeded > wrBuf->space) {
|
| -+ rv = sslBuffer_Grow(wrBuf, spaceNeeded);
|
| - if (rv != SECSuccess) {
|
| - SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
|
| -- SSL_GETPID(), ss->fd, newSpace));
|
| -- return SECFailure; /* sslBuffer_Grow set a memory error code. */
|
| -+ SSL_GETPID(), ss->fd, spaceNeeded));
|
| -+ goto spec_locked_loser; /* sslBuffer_Grow set a memory error code. */
|
| -+ }
|
| -+ }
|
| -+
|
| -+ if (numRecords == 2) {
|
| -+ sslBuffer secondRecord;
|
| -+
|
| -+ rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
|
| -+ ss->sec.isServer, type, pIn, 1,
|
| -+ wrBuf);
|
| -+ if (rv != SECSuccess)
|
| -+ goto spec_locked_loser;
|
| -+
|
| -+ PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
|
| -+ wrBuf->buf, wrBuf->len));
|
| -+
|
| -+ secondRecord.buf = wrBuf->buf + wrBuf->len;
|
| -+ secondRecord.len = 0;
|
| -+ secondRecord.space = wrBuf->space - wrBuf->len;
|
| -+
|
| -+ rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
|
| -+ ss->sec.isServer, type, pIn + 1,
|
| -+ contentLen - 1, &secondRecord);
|
| -+ if (rv == SECSuccess) {
|
| -+ PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
|
| -+ secondRecord.buf, secondRecord.len));
|
| -+ wrBuf->len += secondRecord.len;
|
| -+ }
|
| -+ } else {
|
| -+ rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
|
| -+ ss->sec.isServer, type, pIn,
|
| -+ contentLen, wrBuf);
|
| -+ if (rv == SECSuccess) {
|
| -+ PRINT_BUF(50, (ss, "send (encrypted) record data [1/1]:",
|
| -+ wrBuf->buf, wrBuf->len));
|
| - }
|
| - }
|
| -
|
| -- rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen);
|
| -+spec_locked_loser:
|
| -+ ssl_ReleaseSpecReadLock(ss); /************************************/
|
| -+
|
| - if (rv != SECSuccess)
|
| - return SECFailure;
|
| -
|
| -@@ -2248,8 +2293,6 @@ ssl3_SendRecord( sslSocket * ss,
|
| - nIn -= contentLen;
|
| - PORT_Assert( nIn >= 0 );
|
| -
|
| -- PRINT_BUF(50, (ss, "send (encrypted) record data:", wrBuf->buf, wrBuf->len));
|
| --
|
| - /* If there's still some previously saved ciphertext,
|
| - * or the caller doesn't want us to send the data yet,
|
| - * then add all our new ciphertext to the amount previously saved.
|
|
|
Chromium Code Reviews
Issue 9558017:
Update net/third_party/nss to NSS 3.13.3. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/