OLD | NEW |
1 diff --git a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h | 1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
2 index c0d26cc..4ff0b7d 100644 | 2 --- a/nss/lib/ssl/ssl3con.c» 2014-01-03 19:44:44.807185186 -0800 |
3 --- a/nss/lib/ssl/SSLerrs.h | 3 +++ b/nss/lib/ssl/ssl3con.c» 2014-01-03 19:44:54.857349534 -0800 |
4 +++ b/nss/lib/ssl/SSLerrs.h | 4 @@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe |
5 @@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130)
, | |
6 | |
7 ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131), | |
8 "The application could not get a TLS Channel ID.") | |
9 + | |
10 +ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 132), | |
11 +"The connection was using a lesser TLS version as a result of a previous" | |
12 +" handshake failure, but the server indicated that it should not have been" | |
13 +" needed.") | |
14 diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h | |
15 index 24627ed..067938c 100644 | |
16 --- a/nss/lib/ssl/ssl.h | |
17 +++ b/nss/lib/ssl/ssl.h | |
18 @@ -163,6 +163,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFi
leDesc *fd); | |
19 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ | |
20 /* Request Signed Certificate Timestamps via TLS extension (client) */ | |
21 #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25 | |
22 +#define SSL_ENABLE_FALLBACK_SCSV 26 /* Send fallback SCSV in | |
23 + * handshakes. */ | |
24 | |
25 #ifdef SSL_DEPRECATED_FUNCTION | |
26 /* Old deprecated function names */ | |
27 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | |
28 index cf7ef32..946f780 100644 | |
29 --- a/nss/lib/ssl/ssl3con.c | |
30 +++ b/nss/lib/ssl/ssl3con.c | |
31 @@ -3469,6 +3469,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf) | |
32 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT; | 5 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT; |
33 break; | 6 break; |
34 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break; | 7 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break; |
35 + case inappropriate_fallback: | 8 + case inappropriate_fallback: |
36 + error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; | 9 + error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; |
37 + break; | 10 + break; |
38 | 11 |
39 /* All alerts below are TLS only. */ | 12 /* All alerts below are TLS only. */ |
40 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break; | 13 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break; |
41 @@ -4973,7 +4976,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) | 14 @@ -4986,6 +4989,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo |
42 int num_suites; | 15 int num_suites; |
43 int actual_count = 0; | 16 int actual_count = 0; |
44 PRBool isTLS = PR_FALSE; | 17 PRBool isTLS = PR_FALSE; |
45 - PRBool requestingResume = PR_FALSE; | |
46 + PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE; | 18 + PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE; |
47 PRInt32 total_exten_len = 0; | 19 PRInt32 total_exten_len = 0; |
48 unsigned paddingExtensionLen; | 20 unsigned paddingExtensionLen; |
49 unsigned numCompressionMethods; | 21 unsigned numCompressionMethods; |
50 @@ -5223,8 +5226,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) | 22 @@ -5128,6 +5132,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo |
51 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); | 23 } |
52 if (!num_suites) | 24 |
| 25 if (sid) { |
| 26 +» requestingResume = PR_TRUE; |
| 27 » SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); |
| 28 |
| 29 » PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
| 30 @@ -5246,8 +5251,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo |
| 31 » if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } |
53 return SECFailure; /* count_cipher_suites has set error code. */ | 32 return SECFailure; /* count_cipher_suites has set error code. */ |
| 33 } |
54 + | 34 + |
55 + fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume || | 35 + fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume || |
56 + ss->version < sid->version); | 36 + ss->version < sid->version); |
57 + /* make room for SCSV */ | 37 + /* make room for SCSV */ |
58 if (ss->ssl3.hs.sendingSCSV) { | 38 if (ss->ssl3.hs.sendingSCSV) { |
59 - ++num_suites; /* make room for SCSV */ | 39 - ++num_suites; /* make room for SCSV */ |
60 + ++num_suites; | 40 + ++num_suites; |
61 + } | 41 + } |
62 + if (fallbackSCSV) { | 42 + if (fallbackSCSV) { |
63 + ++num_suites; | 43 + ++num_suites; |
64 } | 44 } |
65 | 45 |
66 /* count compression methods */ | 46 /* count compression methods */ |
67 @@ -5322,6 +5332,14 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) | 47 @@ -5353,6 +5365,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo |
68 } | 48 } |
69 actual_count++; | 49 actual_count++; |
70 } | 50 } |
71 + if (fallbackSCSV) { | 51 + if (fallbackSCSV) { |
72 + rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, | 52 + rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, |
73 + sizeof(ssl3CipherSuite)); | 53 + sizeof(ssl3CipherSuite)); |
74 + if (rv != SECSuccess) { | 54 + if (rv != SECSuccess) { |
| 55 + if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } |
75 + return rv; /* err set by ssl3_AppendHandshake* */ | 56 + return rv; /* err set by ssl3_AppendHandshake* */ |
76 + } | 57 + } |
77 + actual_count++; | 58 + actual_count++; |
78 + } | 59 + } |
79 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 60 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
80 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 61 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
81 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { | 62 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { |
82 @@ -8037,6 +8055,19 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) | 63 @@ -5416,6 +5437,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo |
| 64 |
| 65 » extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes); |
| 66 » if (extLen < 0) { |
| 67 +» if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } |
| 68 » return SECFailure; |
| 69 » } |
| 70 » maxBytes -= extLen; |
| 71 @@ -8083,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS |
83 goto loser; /* malformed */ | 72 goto loser; /* malformed */ |
84 } | 73 } |
85 | 74 |
86 + /* If the ClientHello version is less than our maximum version, check for a | 75 + /* If the ClientHello version is less than our maximum version, check for a |
87 + * TLS_FALLBACK_SCSV and reject the connection if found. */ | 76 + * TLS_FALLBACK_SCSV and reject the connection if found. */ |
88 + if (ss->vrange.max > ss->clientHelloVersion) { | 77 + if (ss->vrange.max > ss->clientHelloVersion) { |
89 + for (i = 0; i + 1 < suites.len; i += 2) { | 78 + for (i = 0; i + 1 < suites.len; i += 2) { |
90 + PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | 79 + PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; |
91 + if (suite_i != TLS_FALLBACK_SCSV) | 80 + if (suite_i != TLS_FALLBACK_SCSV) |
92 + continue; | 81 + continue; |
93 + desc = inappropriate_fallback; | 82 + desc = inappropriate_fallback; |
94 + errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; | 83 + errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; |
95 + goto alert_loser; | 84 + goto alert_loser; |
96 + } | 85 + } |
97 + } | 86 + } |
98 + | 87 + |
99 /* grab the list of compression methods. */ | 88 /* grab the list of compression methods. */ |
100 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); | 89 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); |
101 if (rv != SECSuccess) { | 90 if (rv != SECSuccess) { |
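Review bot: In the ssl3_HandleClientHello hunk the server sets `errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT` when it is the side rejecting the ClientHello, but the text registered for that code in SSLerrs.h is written from the client's view ("the server indicated that it should not have been needed"). The same code is what the ssl3_HandleAlert hunk assigns for a received `inappropriate_fallback` alert. A server operator reading that error gets a description of the wrong peer, which makes rejected downgrade attempts harder to recognise in logs. Consider a distinct error code for the sending side, or at least a comment above the assignment such as `/* set locally when we send the alert; the SSLerrs.h text describes the client's view */`. Both function bodies continue outside the hunks shown, so the `alert_loser` handling could not be checked here.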
102 diff --git a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h | 91 diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h |
103 index 0eab970..4c19ade 100644 | 92 --- a/nss/lib/ssl/ssl3prot.h» 2014-01-03 19:39:28.442012014 -0800 |
104 --- a/nss/lib/ssl/ssl3prot.h | 93 +++ b/nss/lib/ssl/ssl3prot.h» 2014-01-03 19:44:54.857349534 -0800 |
105 +++ b/nss/lib/ssl/ssl3prot.h | |
106 @@ -98,6 +98,7 @@ typedef enum { | 94 @@ -98,6 +98,7 @@ typedef enum { |
107 protocol_version = 70, | 95 protocol_version = 70, |
108 insufficient_security = 71, | 96 insufficient_security = 71, |
109 internal_error = 80, | 97 internal_error = 80, |
110 + inappropriate_fallback = 86, /* could also be sent for SSLv3 */ | 98 + inappropriate_fallback = 86, /* could also be sent for SSLv3 */ |
111 user_canceled = 90, | 99 user_canceled = 90, |
112 no_renegotiation = 100, | 100 no_renegotiation = 100, |
113 | 101 |
114 diff --git a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h | 102 diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h |
115 index 5a949c9..82ae7df 100644 | 103 --- a/nss/lib/ssl/sslerr.h» 2014-01-03 19:39:28.442012014 -0800 |
116 --- a/nss/lib/ssl/sslerr.h | 104 +++ b/nss/lib/ssl/sslerr.h» 2014-01-03 19:44:54.877349862 -0800 |
117 +++ b/nss/lib/ssl/sslerr.h | 105 @@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM |
118 @@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE +
128), | |
119 SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129), | 106 SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129), |
120 SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130), | 107 SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130), |
121 SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131), | 108 SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131), |
122 +SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 132), | 109 +SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 132), |
123 | 110 |
124 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ | 111 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ |
125 } SSLErrorCodes; | 112 } SSLErrorCodes; |
126 diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h | 113 diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h |
127 index 7521dba..6d0bc15 100644 | 114 --- a/nss/lib/ssl/SSLerrs.h» 2014-01-03 19:39:28.442012014 -0800 |
128 --- a/nss/lib/ssl/sslimpl.h | 115 +++ b/nss/lib/ssl/SSLerrs.h» 2014-01-03 19:44:54.907350351 -0800 |
129 +++ b/nss/lib/ssl/sslimpl.h | 116 @@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (S |
| 117 |
| 118 ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131), |
| 119 "The application could not get a TLS Channel ID.") |
| 120 + |
| 121 +ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 132), |
| 122 +"The connection was using a lesser TLS version as a result of a previous" |
| 123 +" handshake failure, but the server indicated that it should not have been" |
| 124 +" needed.") |
| 125 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
| 126 --- a/nss/lib/ssl/ssl.h»2014-01-03 19:44:44.807185186 -0800 |
| 127 +++ b/nss/lib/ssl/ssl.h»2014-01-03 19:44:54.907350351 -0800 |
| 128 @@ -163,6 +163,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF |
| 129 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
| 130 /* Request Signed Certificate Timestamps via TLS extension (client) */ |
| 131 #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25 |
| 132 +#define SSL_ENABLE_FALLBACK_SCSV 26 /* Send fallback SCSV in |
| 133 + * handshakes. */ |
| 134 |
| 135 #ifdef SSL_DEPRECATED_FUNCTION |
| 136 /* Old deprecated function names */ |
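Review bot: The comment on `SSL_ENABLE_FALLBACK_SCSV` ("Send fallback SCSV in handshakes.") does not say when the option is safe to set. Judging from the ssl3_SendClientHello hunk, the library does not detect a fallback itself: it appends the SCSV whenever the option is on and `!requestingResume || ss->version < sid->version` holds. An application that enables it on an ordinary first attempt could therefore be rejected by any server running the new ssl3_HandleClientHello check whose maximum version is higher than the one offered. I would expand the comment to something like `/* Send TLS_FALLBACK_SCSV in the ClientHello; set only on a retry made at a lower version after a failed handshake (client) */`.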
| 137 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
| 138 --- a/nss/lib/ssl/sslimpl.h» 2014-01-03 19:44:44.807185186 -0800 |
| 139 +++ b/nss/lib/ssl/sslimpl.h» 2014-01-03 19:44:54.907350351 -0800 |
130 @@ -336,6 +336,7 @@ typedef struct sslOptionsStr { | 140 @@ -336,6 +336,7 @@ typedef struct sslOptionsStr { |
131 unsigned int cbcRandomIV : 1; /* 24 */ | 141 unsigned int cbcRandomIV : 1; /* 24 */ |
132 unsigned int enableOCSPStapling : 1; /* 25 */ | 142 unsigned int enableOCSPStapling : 1; /* 25 */ |
133 unsigned int enableSignedCertTimestamps : 1; /* 26 */ | 143 unsigned int enableSignedCertTimestamps : 1; /* 26 */ |
134 + unsigned int enableFallbackSCSV : 1; /* 27 */ | 144 + unsigned int enableFallbackSCSV : 1; /* 27 */ |
135 } sslOptions; | 145 } sslOptions; |
136 | 146 |
137 typedef enum { sslHandshakingUndetermined = 0, | 147 typedef enum { sslHandshakingUndetermined = 0, |
138 diff --git a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h | 148 diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h |
139 index 6b60a28..621ef37 100644 | 149 --- a/nss/lib/ssl/sslproto.h» 2014-01-03 19:43:07.025586219 -0800 |
140 --- a/nss/lib/ssl/sslproto.h | 150 +++ b/nss/lib/ssl/sslproto.h» 2014-01-03 19:44:54.907350351 -0800 |
141 +++ b/nss/lib/ssl/sslproto.h | |
142 @@ -172,6 +172,11 @@ | 151 @@ -172,6 +172,11 @@ |
143 */ | 152 */ |
144 #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF | 153 #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF |
145 | 154 |
146 +/* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a | 155 +/* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a |
147 + * handshake is the result of TLS version fallback. This value is not IANA | 156 + * handshake is the result of TLS version fallback. This value is not IANA |
148 + * assigned. */ | 157 + * assigned. */ |
149 +#define TLS_FALLBACK_SCSV 0x5600 | 158 +#define TLS_FALLBACK_SCSV 0x5600 |
150 + | 159 + |
151 /* Cipher Suite Values starting with 0xC000 are defined in informational | 160 /* Cipher Suite Values starting with 0xC000 are defined in informational |
152 * RFCs. | 161 * RFCs. |
153 */ | 162 */ |
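Review bot: The new comment says 0x5600 is "not IANA assigned" but gives no reference for where the value comes from, so a reader cannot check it against the specification or tell whether it is still provisional. Add the source of the codepoint to the comment, e.g. `/* ... value taken from <draft/RFC reference> */`, and do the same for `inappropriate_fallback = 86` in ssl3prot.h, whose comment gives no source for the alert number either. TLS_FALLBACK_SCSV was later standardised in RFC 7507, so if this patch is still carried, the "not IANA assigned" wording should be rechecked against that document.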
154 diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c | 163 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
155 index 9f8286c..f7d44d4 100644 | 164 --- a/nss/lib/ssl/sslsock.c» 2014-01-03 19:44:44.807185186 -0800 |
156 --- a/nss/lib/ssl/sslsock.c | 165 +++ b/nss/lib/ssl/sslsock.c» 2014-01-03 19:44:54.907350351 -0800 |
157 +++ b/nss/lib/ssl/sslsock.c | 166 @@ -86,7 +86,8 @@ static sslOptions ssl_defaults = { |
158 @@ -174,7 +174,8 @@ static sslOptions ssl_defaults = { | |
159 PR_FALSE, /* enableFalseStart */ | 167 PR_FALSE, /* enableFalseStart */ |
160 PR_TRUE, /* cbcRandomIV */ | 168 PR_TRUE, /* cbcRandomIV */ |
161 PR_FALSE, /* enableOCSPStapling */ | 169 PR_FALSE, /* enableOCSPStapling */ |
162 - PR_FALSE /* enableSignedCertTimestamps */ | 170 - PR_FALSE /* enableSignedCertTimestamps */ |
163 + PR_FALSE, /* enableSignedCertTimestamps */ | 171 + PR_FALSE, /* enableSignedCertTimestamps */ |
164 + PR_FALSE /* enableFallbackSCSV */ | 172 + PR_FALSE /* enableFallbackSCSV */ |
165 }; | 173 }; |
166 | 174 |
167 /* | 175 /* |
168 @@ -870,6 +871,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) | 176 @@ -782,6 +783,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh |
169 ss->opt.enableSignedCertTimestamps = on; | 177 ss->opt.enableSignedCertTimestamps = on; |
170 break; | 178 break; |
171 | 179 |
172 + case SSL_ENABLE_FALLBACK_SCSV: | 180 + case SSL_ENABLE_FALLBACK_SCSV: |
173 + ss->opt.enableFallbackSCSV = on; | 181 + ss->opt.enableFallbackSCSV = on; |
174 + break; | 182 + break; |
175 + | 183 + |
176 default: | 184 default: |
177 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 185 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
178 rv = SECFailure; | 186 rv = SECFailure; |
179 @@ -943,6 +948,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) | 187 @@ -855,6 +860,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh |
180 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 188 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
181 on = ss->opt.enableSignedCertTimestamps; | 189 on = ss->opt.enableSignedCertTimestamps; |
182 break; | 190 break; |
183 + case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; | 191 + case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; |
184 | 192 |
185 default: | 193 default: |
186 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 194 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
187 @@ -1007,6 +1013,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) | 195 @@ -919,6 +925,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo |
188 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 196 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
189 on = ssl_defaults.enableSignedCertTimestamps; | 197 on = ssl_defaults.enableSignedCertTimestamps; |
190 break; | 198 break; |
191 + case SSL_ENABLE_FALLBACK_SCSV: | 199 + case SSL_ENABLE_FALLBACK_SCSV: |
192 + on = ssl_defaults.enableFallbackSCSV; | 200 + on = ssl_defaults.enableFallbackSCSV; |
193 + break; | 201 + break; |
194 | 202 |
195 default: | 203 default: |
196 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 204 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
197 @@ -1178,6 +1187,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) | 205 @@ -1090,6 +1099,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
198 ssl_defaults.enableSignedCertTimestamps = on; | 206 ssl_defaults.enableSignedCertTimestamps = on; |
199 break; | 207 break; |
200 | 208 |
201 + case SSL_ENABLE_FALLBACK_SCSV: | 209 + case SSL_ENABLE_FALLBACK_SCSV: |
202 + ssl_defaults.enableFallbackSCSV = on; | 210 + ssl_defaults.enableFallbackSCSV = on; |
203 + break; | 211 + break; |
204 + | 212 + |
205 default: | 213 default: |
206 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 214 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
207 return SECFailure; | 215 return SECFailure; |