Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(337)

Side by Side Diff: net/third_party/nss/patches/secret_exporter.patch

Issue 9733012: Update NSS to NSS 3.13.4 pre-release snapshot 20120319. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Forgot to update the sslerr.h and SSLerrs.h files Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
(Empty)
1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
2 --- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 17:12:15.720044263 -0800
3 +++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 17:18:04.824794558 -0800
4 @@ -774,6 +774,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteI
5 /* Returnes negotiated through SNI host info. */
6 SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd);
7
8 +/* Export keying material according to RFC 5705.
9 +** fd must correspond to a TLS 1.0 or higher socket and out must
10 +** already be allocated. If contextLen is zero it uses the no-context
11 +** construction from the RFC.
12 +*/
13 +SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
14 + const char *label,
15 + unsigned int labelLen,
16 + const unsigned char *context,
17 + unsigned int contextLen,
18 + unsigned char *out,
19 + unsigned int outLen);
20 +
21 /*
22 ** Return a new reference to the certificate that was most recently sent
23 ** to the peer on this SSL/TLS connection, or NULL if none has been sent.
24 diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/s sl3con.c
25 --- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 20:34:50.114663722 -0 800
26 +++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 17:18:04.824794558 -0 800
27 @@ -8368,33 +8368,33 @@ done:
28 return rv;
29 }
30
31 -static SECStatus
32 -ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
33 - PRBool isServer,
34 - const SSL3Finished * hashes,
35 - TLSFinished * tlsFinished)
36 +/* The calling function must acquire and release the appropriate lock (i.e.,
37 + * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any
38 + * label must already be concatenated onto the beginning of val.
39 + */
40 +SECStatus
41 +ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
42 + unsigned int labelLen, const unsigned char *val, unsigned int valLen,
43 + unsigned char *out, unsigned int outLen)
44 {
45 - const char * label;
46 - unsigned int len;
47 - SECStatus rv;
48 -
49 - label = isServer ? "server finished" : "client finished";
50 - len = 15;
51 + SECStatus rv = SECSuccess;
52
53 if (spec->master_secret && !spec->bypassCiphers) {
54 SECItem param = {siBuffer, NULL, 0};
55 PK11Context *prf_context =
56 PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN,
57 spec->master_secret, &param);
58 + unsigned int retLen;
59 +
60 if (!prf_context)
61 return SECFailure;
62
63 rv = PK11_DigestBegin(prf_context);
64 - rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
65 - rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
66 - rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data,
67 - &len, sizeof tlsFinished->verify_data);
68 - PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
69 + rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
70 + rv |= PK11_DigestOp(prf_context, val, valLen);
71 + rv |= PK11_DigestFinal(prf_context, out,
72 + &retLen, outLen);
73 + PORT_Assert(rv != SECSuccess || retLen == outLen);
74
75 PK11_DestroyContext(prf_context, PR_TRUE);
76 } else {
77 @@ -8403,17 +8403,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *
78 SECItem outData = { siBuffer, };
79 PRBool isFIPS = PR_FALSE;
80
81 - inData.data = (unsigned char *)hashes->md5;
82 - inData.len = sizeof hashes[0];
83 - outData.data = tlsFinished->verify_data;
84 - outData.len = sizeof tlsFinished->verify_data;
85 + inData.data = (unsigned char *) val;
86 + inData.len = valLen;
87 + outData.data = out;
88 + outData.len = outLen;
89 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
90 - PORT_Assert(rv != SECSuccess || \
91 - outData.len == sizeof tlsFinished->verify_data);
92 + PORT_Assert(rv != SECSuccess || outData.len == outLen);
93 }
94 return rv;
95 }
96
97 +static SECStatus
98 +ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
99 + PRBool isServer,
100 + const SSL3Finished * hashes,
101 + TLSFinished * tlsFinished)
102 +{
103 + const char * label;
104 + SECStatus rv;
105 + unsigned int len;
106 +
107 + label = isServer ? "server finished" : "client finished";
108 + len = 15;
109 +
110 + rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5,
111 + sizeof *hashes, tlsFinished->verify_data,
112 + sizeof tlsFinished->verify_data);
113 +
114 + return rv;
115 +}
116 +
117 /* called from ssl3_HandleServerHelloDone
118 */
119 static SECStatus
120 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s slimpl.h
121 --- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 17:12:15.720044263 -0 800
122 +++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 17:16:59.143900589 -0 800
123 @@ -1709,6 +1709,11 @@ SECStatus SSL_DisableDefaultExportCipher
124 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
125 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
126
127 +SECStatus ssl3_TLSPRFWithMasterSecret(
128 + ssl3CipherSpec *spec, const char *label,
129 + unsigned int labelLen, const unsigned char *val,
130 + unsigned int valLen, unsigned char *out,
131 + unsigned int outLen);
132
133 #ifdef TRACE
134 #define SSL_TRACE(msg) ssl_Trace msg
135 diff -up a/src/net/third_party/nss/ssl/sslinfo.c b/src/net/third_party/nss/ssl/s slinfo.c
136 --- a/src/net/third_party/nss/ssl/sslinfo.c 2010-09-01 18:12:57.000000000 -0 700
137 +++ b/src/net/third_party/nss/ssl/sslinfo.c 2012-02-29 17:18:04.824794558 -0 800
138 @@ -20,6 +20,7 @@
139 *
140 * Contributor(s):
141 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
142 + * Douglas Stebila <douglas@stebila.ca>
143 *
144 * Alternatively, the contents of this file may be used under the terms of
145 * either the GNU General Public License Version 2 or later (the "GPL"), or
146 @@ -316,6 +317,69 @@ SSL_IsExportCipherSuite(PRUint16 cipherS
147 return PR_FALSE;
148 }
149
150 +/* Export keying material according to RFC 5705.
151 +** fd must correspond to a TLS 1.0 or higher socket, out must
152 +** be already allocated.
153 +*/
154 +SECStatus
155 +SSL_ExportKeyingMaterial(PRFileDesc *fd,
156 + const char *label,
157 + unsigned int labelLen,
158 + const unsigned char *context,
159 + unsigned int contextLen,
160 + unsigned char *out,
161 + unsigned int outLen)
162 +{
163 + sslSocket *ss;
164 + unsigned char *val = NULL;
165 + unsigned int valLen, i;
166 + SECStatus rv = SECFailure;
167 +
168 + ss = ssl_FindSocket(fd);
169 + if (!ss) {
170 + SSL_DBG(("%d: SSL[%d]: bad socket in ExportKeyingMaterial",
171 + SSL_GETPID(), fd));
172 + return SECFailure;
173 + }
174 +
175 + if (ss->version < SSL_LIBRARY_VERSION_3_1_TLS) {
176 + PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
177 + return SECFailure;
178 + }
179 +
180 + valLen = SSL3_RANDOM_LENGTH * 2;
181 + if (contextLen > 0)
182 + valLen += 2 /* uint16 length */ + contextLen;
183 + val = PORT_Alloc(valLen);
184 + if (val == NULL)
185 + return SECFailure;
186 + i = 0;
187 + PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
188 + i += SSL3_RANDOM_LENGTH;
189 + PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH);
190 + i += SSL3_RANDOM_LENGTH;
191 + if (contextLen > 0) {
192 + val[i++] = contextLen >> 8;
193 + val[i++] = contextLen;
194 + PORT_Memcpy(val + i, context, contextLen);
195 + i += contextLen;
196 + }
197 + PORT_Assert(i == valLen);
198 +
199 + ssl_GetSpecReadLock(ss);
200 + if (!ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len) {
201 + PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
202 + rv = SECFailure;
203 + } else {
204 + rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val,
205 + valLen, out, outLen);
206 + }
207 + ssl_ReleaseSpecReadLock(ss);
208 +
209 + PORT_ZFree(val, valLen);
210 + return rv;
211 +}
212 +
213 SECItem*
214 SSL_GetNegotiatedHostInfo(PRFileDesc *fd)
215 {
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698