| Index: net/third_party/nss/patches/secret_exporter.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/secret_exporter.patch (revision 127513)
|
| +++ net/third_party/nss/patches/secret_exporter.patch (working copy)
|
| @@ -1,215 +0,0 @@
|
| -diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
|
| ---- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 17:12:15.720044263 -0800
|
| -+++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 17:18:04.824794558 -0800
|
| -@@ -774,6 +774,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteI
|
| - /* Returnes negotiated through SNI host info. */
|
| - SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd);
|
| -
|
| -+/* Export keying material according to RFC 5705.
|
| -+** fd must correspond to a TLS 1.0 or higher socket and out must
|
| -+** already be allocated. If contextLen is zero it uses the no-context
|
| -+** construction from the RFC.
|
| -+*/
|
| -+SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
|
| -+ const char *label,
|
| -+ unsigned int labelLen,
|
| -+ const unsigned char *context,
|
| -+ unsigned int contextLen,
|
| -+ unsigned char *out,
|
| -+ unsigned int outLen);
|
| -+
|
| - /*
|
| - ** Return a new reference to the certificate that was most recently sent
|
| - ** to the peer on this SSL/TLS connection, or NULL if none has been sent.
|
| -diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
|
| ---- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 20:34:50.114663722 -0800
|
| -+++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 17:18:04.824794558 -0800
|
| -@@ -8368,33 +8368,33 @@ done:
|
| - return rv;
|
| - }
|
| -
|
| --static SECStatus
|
| --ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
|
| -- PRBool isServer,
|
| -- const SSL3Finished * hashes,
|
| -- TLSFinished * tlsFinished)
|
| -+/* The calling function must acquire and release the appropriate lock (i.e.,
|
| -+ * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any
|
| -+ * label must already be concatenated onto the beginning of val.
|
| -+ */
|
| -+SECStatus
|
| -+ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
|
| -+ unsigned int labelLen, const unsigned char *val, unsigned int valLen,
|
| -+ unsigned char *out, unsigned int outLen)
|
| - {
|
| -- const char * label;
|
| -- unsigned int len;
|
| -- SECStatus rv;
|
| --
|
| -- label = isServer ? "server finished" : "client finished";
|
| -- len = 15;
|
| -+ SECStatus rv = SECSuccess;
|
| -
|
| - if (spec->master_secret && !spec->bypassCiphers) {
|
| - SECItem param = {siBuffer, NULL, 0};
|
| - PK11Context *prf_context =
|
| - PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN,
|
| - spec->master_secret, ¶m);
|
| -+ unsigned int retLen;
|
| -+
|
| - if (!prf_context)
|
| - return SECFailure;
|
| -
|
| - rv = PK11_DigestBegin(prf_context);
|
| -- rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
|
| -- rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
|
| -- rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data,
|
| -- &len, sizeof tlsFinished->verify_data);
|
| -- PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
|
| -+ rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
|
| -+ rv |= PK11_DigestOp(prf_context, val, valLen);
|
| -+ rv |= PK11_DigestFinal(prf_context, out,
|
| -+ &retLen, outLen);
|
| -+ PORT_Assert(rv != SECSuccess || retLen == outLen);
|
| -
|
| - PK11_DestroyContext(prf_context, PR_TRUE);
|
| - } else {
|
| -@@ -8403,17 +8403,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *
|
| - SECItem outData = { siBuffer, };
|
| - PRBool isFIPS = PR_FALSE;
|
| -
|
| -- inData.data = (unsigned char *)hashes->md5;
|
| -- inData.len = sizeof hashes[0];
|
| -- outData.data = tlsFinished->verify_data;
|
| -- outData.len = sizeof tlsFinished->verify_data;
|
| -+ inData.data = (unsigned char *) val;
|
| -+ inData.len = valLen;
|
| -+ outData.data = out;
|
| -+ outData.len = outLen;
|
| - rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
|
| -- PORT_Assert(rv != SECSuccess || \
|
| -- outData.len == sizeof tlsFinished->verify_data);
|
| -+ PORT_Assert(rv != SECSuccess || outData.len == outLen);
|
| - }
|
| - return rv;
|
| - }
|
| -
|
| -+static SECStatus
|
| -+ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
|
| -+ PRBool isServer,
|
| -+ const SSL3Finished * hashes,
|
| -+ TLSFinished * tlsFinished)
|
| -+{
|
| -+ const char * label;
|
| -+ SECStatus rv;
|
| -+ unsigned int len;
|
| -+
|
| -+ label = isServer ? "server finished" : "client finished";
|
| -+ len = 15;
|
| -+
|
| -+ rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5,
|
| -+ sizeof *hashes, tlsFinished->verify_data,
|
| -+ sizeof tlsFinished->verify_data);
|
| -+
|
| -+ return rv;
|
| -+}
|
| -+
|
| - /* called from ssl3_HandleServerHelloDone
|
| - */
|
| - static SECStatus
|
| -diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
|
| ---- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 17:12:15.720044263 -0800
|
| -+++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 17:16:59.143900589 -0800
|
| -@@ -1709,6 +1709,11 @@ SECStatus SSL_DisableDefaultExportCipher
|
| - SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
|
| - PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
|
| -
|
| -+SECStatus ssl3_TLSPRFWithMasterSecret(
|
| -+ ssl3CipherSpec *spec, const char *label,
|
| -+ unsigned int labelLen, const unsigned char *val,
|
| -+ unsigned int valLen, unsigned char *out,
|
| -+ unsigned int outLen);
|
| -
|
| - #ifdef TRACE
|
| - #define SSL_TRACE(msg) ssl_Trace msg
|
| -diff -up a/src/net/third_party/nss/ssl/sslinfo.c b/src/net/third_party/nss/ssl/sslinfo.c
|
| ---- a/src/net/third_party/nss/ssl/sslinfo.c 2010-09-01 18:12:57.000000000 -0700
|
| -+++ b/src/net/third_party/nss/ssl/sslinfo.c 2012-02-29 17:18:04.824794558 -0800
|
| -@@ -20,6 +20,7 @@
|
| - *
|
| - * Contributor(s):
|
| - * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
|
| -+ * Douglas Stebila <douglas@stebila.ca>
|
| - *
|
| - * Alternatively, the contents of this file may be used under the terms of
|
| - * either the GNU General Public License Version 2 or later (the "GPL"), or
|
| -@@ -316,6 +317,69 @@ SSL_IsExportCipherSuite(PRUint16 cipherS
|
| - return PR_FALSE;
|
| - }
|
| -
|
| -+/* Export keying material according to RFC 5705.
|
| -+** fd must correspond to a TLS 1.0 or higher socket, out must
|
| -+** be already allocated.
|
| -+*/
|
| -+SECStatus
|
| -+SSL_ExportKeyingMaterial(PRFileDesc *fd,
|
| -+ const char *label,
|
| -+ unsigned int labelLen,
|
| -+ const unsigned char *context,
|
| -+ unsigned int contextLen,
|
| -+ unsigned char *out,
|
| -+ unsigned int outLen)
|
| -+{
|
| -+ sslSocket *ss;
|
| -+ unsigned char *val = NULL;
|
| -+ unsigned int valLen, i;
|
| -+ SECStatus rv = SECFailure;
|
| -+
|
| -+ ss = ssl_FindSocket(fd);
|
| -+ if (!ss) {
|
| -+ SSL_DBG(("%d: SSL[%d]: bad socket in ExportKeyingMaterial",
|
| -+ SSL_GETPID(), fd));
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| -+ if (ss->version < SSL_LIBRARY_VERSION_3_1_TLS) {
|
| -+ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| -+ valLen = SSL3_RANDOM_LENGTH * 2;
|
| -+ if (contextLen > 0)
|
| -+ valLen += 2 /* uint16 length */ + contextLen;
|
| -+ val = PORT_Alloc(valLen);
|
| -+ if (val == NULL)
|
| -+ return SECFailure;
|
| -+ i = 0;
|
| -+ PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
|
| -+ i += SSL3_RANDOM_LENGTH;
|
| -+ PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH);
|
| -+ i += SSL3_RANDOM_LENGTH;
|
| -+ if (contextLen > 0) {
|
| -+ val[i++] = contextLen >> 8;
|
| -+ val[i++] = contextLen;
|
| -+ PORT_Memcpy(val + i, context, contextLen);
|
| -+ i += contextLen;
|
| -+ }
|
| -+ PORT_Assert(i == valLen);
|
| -+
|
| -+ ssl_GetSpecReadLock(ss);
|
| -+ if (!ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len) {
|
| -+ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
|
| -+ rv = SECFailure;
|
| -+ } else {
|
| -+ rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val,
|
| -+ valLen, out, outLen);
|
| -+ }
|
| -+ ssl_ReleaseSpecReadLock(ss);
|
| -+
|
| -+ PORT_ZFree(val, valLen);
|
| -+ return rv;
|
| -+}
|
| -+
|
| - SECItem*
|
| - SSL_GetNegotiatedHostInfo(PRFileDesc *fd)
|
| - {
|
|
|