Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(123)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/patches/secret_exporter2.patch

Issue 9663043: Add a boolean |had_context| argument to the TLS ExportKeyingMaterial (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Make suggested changes, add patch file Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl.h » ('j') | remoting/protocol/auth_util.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 Index: net/third_party/nss/ssl/ssl.h
2 ===================================================================
3 --- net/third_party/nss/ssl/ssl.h (revision 125777)
4 +++ net/third_party/nss/ssl/ssl.h (working copy)
5 @@ -792,12 +792,14 @@
6
7 /* Export keying material according to RFC 5705.
8 ** fd must correspond to a TLS 1.0 or higher socket and out must
9 -** already be allocated. If contextLen is zero it uses the no-context
10 -** construction from the RFC.
11 +** already be allocated. If hasContext is false, it uses the no-context
12 +** construction from the RFC and ignores the context and contextLen
13 +** arguments.
14 */
15 SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
16 const char *label,
17 unsigned int labelLen,
18 + PRBool hasContext,
19 const unsigned char *context,
20 unsigned int contextLen,
21 unsigned char *out,
22 Index: net/third_party/nss/ssl/sslinfo.c
23 ===================================================================
24 --- net/third_party/nss/ssl/sslinfo.c (revision 125777)
25 +++ net/third_party/nss/ssl/sslinfo.c (working copy)
26 @@ -317,18 +317,12 @@
27 return PR_FALSE;
28 }
29
30 -/* Export keying material according to RFC 5705.
31 -** fd must correspond to a TLS 1.0 or higher socket, out must
32 -** be already allocated.
33 -*/
34 SECStatus
35 SSL_ExportKeyingMaterial(PRFileDesc *fd,
36 - const char *label,
37 - unsigned int labelLen,
38 - const unsigned char *context,
39 - unsigned int contextLen,
40 - unsigned char *out,
41 - unsigned int outLen)
42 + const char *label, unsigned int labelLen,
43 + PRBool hasContext,
44 + const unsigned char *context, unsigned int contextLen,
45 + unsigned char *out, unsigned int outLen)
46 {
47 sslSocket *ss;
48 unsigned char *val = NULL;
49 @@ -347,18 +341,21 @@
50 return SECFailure;
51 }
52
53 + /* construct PRF arguments */
54 valLen = SSL3_RANDOM_LENGTH * 2;
55 - if (contextLen > 0)
56 + if (hasContext) {
57 valLen += 2 /* uint16 length */ + contextLen;
58 + }
59 val = PORT_Alloc(valLen);
60 - if (val == NULL)
61 + if (!val) {
62 return SECFailure;
63 + }
64 i = 0;
65 PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
66 i += SSL3_RANDOM_LENGTH;
67 PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH);
68 i += SSL3_RANDOM_LENGTH;
69 - if (contextLen > 0) {
70 + if (hasContext) {
71 val[i++] = contextLen >> 8;
72 val[i++] = contextLen;
73 PORT_Memcpy(val + i, context, contextLen);
74 @@ -366,6 +363,9 @@
75 }
76 PORT_Assert(i == valLen);
77
78 + /* Allow TLS keying material to be exported sooner, when the master
79 + * secret is available and we have sent ChangeCipherSpec.
80 + */
81 ssl_GetSpecReadLock(ss);
82 if (!ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len) {
83 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
84 Index: net/third_party/nss/ssl/sslimpl.h
85 ===================================================================
86 --- net/third_party/nss/ssl/sslimpl.h (revision 125777)
87 +++ net/third_party/nss/ssl/sslimpl.h (working copy)
88 @@ -1715,11 +1715,11 @@
89 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
90 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
91
92 -SECStatus ssl3_TLSPRFWithMasterSecret(
93 - ssl3CipherSpec *spec, const char *label,
94 - unsigned int labelLen, const unsigned char *val,
95 - unsigned int valLen, unsigned char *out,
96 - unsigned int outLen);
97 +extern SECStatus
98 +ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
99 + const char *label, unsigned int labelLen,
100 + const unsigned char *val, unsigned int valLen,
101 + unsigned char *out, unsigned int outLen);
102
103 #ifdef TRACE
104 #define SSL_TRACE(msg) ssl_Trace msg
105 Index: net/third_party/nss/ssl/ssl3ext.c
106 ===================================================================
107 --- net/third_party/nss/ssl/ssl3ext.c (revision 125777)
108 +++ net/third_party/nss/ssl/ssl3ext.c (working copy)
109 @@ -606,10 +606,7 @@
110 unsigned char resultBuffer[255];
111 SECItem result = { siBuffer, resultBuffer, 0 };
112
113 - if (ss->firstHsDone) {
114 - PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
115 - return SECFailure;
116 - }
117 + PORT_Assert(!ss->firstHsDone);
118
119 rv = ssl3_ValidateNextProtoNego(data->data, data->len);
120 if (rv != SECSuccess)
121 @@ -621,6 +618,8 @@
122 */
123 PORT_Assert(ss->nextProtoCallback != NULL);
124 if (!ss->nextProtoCallback) {
125 + /* XXX Use a better error code. This is an application error, not an
126 + * NSS bug. */
127 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
128 return SECFailure;
129 }
130 @@ -631,7 +630,7 @@
131 return rv;
132 /* If the callback wrote more than allowed to |result| it has corrupted our
133 * stack. */
134 - if (result.len > sizeof result) {
135 + if (result.len > sizeof resultBuffer) {
136 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
137 return SECFailure;
138 }
139 Index: net/third_party/nss/ssl/sslsock.c
140 ===================================================================
141 --- net/third_party/nss/ssl/sslsock.c (revision 125777)
142 +++ net/third_party/nss/ssl/sslsock.c (working copy)
143 @@ -1344,7 +1344,7 @@
144 return SECSuccess;
145 }
146
147 -/* NextProtoStandardCallback is set as an NPN callback for the case when
148 +/* ssl_NextProtoNegoCallback is set as an NPN callback for the case when
149 * SSL_SetNextProtoNego is used.
150 */
151 static SECStatus
152 @@ -1390,12 +1390,12 @@
153 result = ss->opt.nextProtoNego.data;
154
155 found:
156 - *protoOutLen = result[0];
157 if (protoMaxLen < result[0]) {
158 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
159 return SECFailure;
160 }
161 memcpy(protoOut, result + 1, result[0]);
162 + *protoOutLen = result[0];
163 return SECSuccess;
164 }
165
166 @@ -1449,13 +1449,12 @@
167
168 if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT &&
169 ss->ssl3.nextProto.data) {
170 - *bufLen = ss->ssl3.nextProto.len;
171 - if (*bufLen > bufLenMax) {
172 + if (ss->ssl3.nextProto.len > bufLenMax) {
173 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
174 - *bufLen = 0;
175 return SECFailure;
176 }
177 PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
178 + *bufLen = ss->ssl3.nextProto.len;
179 } else {
180 *bufLen = 0;
181 }
182 Index: net/third_party/nss/ssl/ssl3con.c
183 ===================================================================
184 --- net/third_party/nss/ssl/ssl3con.c (revision 125777)
185 +++ net/third_party/nss/ssl/ssl3con.c (working copy)
186 @@ -8484,9 +8484,9 @@
187 return rv;
188 }
189
190 -/* The calling function must acquire and release the appropriate lock (i.e.,
191 - * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any
192 - * label must already be concatenated onto the beginning of val.
193 +/* The calling function must acquire and release the appropriate
194 + * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
195 + * ss->ssl3.crSpec).
196 */
197 SECStatus
198 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
199 @@ -8508,8 +8508,7 @@
200 rv = PK11_DigestBegin(prf_context);
201 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
202 rv |= PK11_DigestOp(prf_context, val, valLen);
203 - rv |= PK11_DigestFinal(prf_context, out,
204 - &retLen, outLen);
205 + rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
206 PORT_Assert(rv != SECSuccess || retLen == outLen);
207
208 PK11_DestroyContext(prf_context, PR_TRUE);
209 @@ -8532,15 +8531,15 @@
210 static SECStatus
211 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
212 PRBool isServer,
213 - const SSL3Finished * hashes,
214 - TLSFinished * tlsFinished)
215 + const SSL3Finished * hashes,
216 + TLSFinished * tlsFinished)
217 {
218 const char * label;
219 - SECStatus rv;
220 unsigned int len;
221 + SECStatus rv;
222
223 label = isServer ? "server finished" : "client finished";
224 - len = 15;
225 + len = 15;
226
227 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5,
228 sizeof *hashes, tlsFinished->verify_data,
OLDNEW
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl.h » ('j') | remoting/protocol/auth_util.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698