| Index: net/third_party/nss/patches/chacha20poly1305.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/chacha20poly1305.patch (revision 242942)
|
| +++ net/third_party/nss/patches/chacha20poly1305.patch (working copy)
|
| @@ -1,7 +1,6 @@
|
| -diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
|
| -index 8be517c..53c29f0 100644
|
| ---- a/nss/lib/ssl/ssl3con.c
|
| -+++ b/nss/lib/ssl/ssl3con.c
|
| +diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
|
| +--- a/nss/lib/ssl/ssl3con.c 2014-01-06 14:58:15.904992214 -0800
|
| ++++ b/nss/lib/ssl/ssl3con.c 2014-01-06 14:58:25.635150408 -0800
|
| @@ -40,6 +40,21 @@
|
| #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
|
| #endif
|
| @@ -24,16 +23,16 @@
|
| #include <stdio.h>
|
| #ifdef NSS_ENABLE_ZLIB
|
| #include "zlib.h"
|
| -@@ -100,6 +115,8 @@ static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
|
| - static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
|
| - /* cipher_suite policy enabled is_present*/
|
| +@@ -104,6 +119,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
|
| + /* cipher_suite policy enabled isPresent */
|
| +
|
| #ifdef NSS_ENABLE_ECC
|
| -+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| -+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - #endif /* NSS_ENABLE_ECC */
|
| -@@ -273,6 +290,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = {
|
| ++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
| + /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
|
| +@@ -292,6 +309,7 @@ static const ssl3BulkCipherDef bulk_ciph
|
| {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
|
| {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
|
| {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
|
| @@ -41,7 +40,7 @@
|
| {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
|
| };
|
|
|
| -@@ -399,6 +417,8 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
|
| +@@ -418,6 +436,8 @@ static const ssl3CipherSuiteDef cipher_s
|
| {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
|
| {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
|
| {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
|
| @@ -50,7 +49,7 @@
|
|
|
| #ifdef NSS_ENABLE_ECC
|
| {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
|
| -@@ -464,6 +484,7 @@ static const SSLCipher2Mech alg2Mech[] = {
|
| +@@ -483,6 +503,7 @@ static const SSLCipher2Mech alg2Mech[] =
|
| { calg_camellia , CKM_CAMELLIA_CBC },
|
| { calg_seed , CKM_SEED_CBC },
|
| { calg_aes_gcm , CKM_AES_GCM },
|
| @@ -58,7 +57,16 @@
|
| /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
|
| };
|
|
|
| -@@ -2020,6 +2041,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
|
| +@@ -647,6 +668,8 @@ ssl3_CipherSuiteAllowedForVersionRange(
|
| + * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented
|
| + */
|
| + return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
|
| ++ case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
|
| ++ case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
|
| + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
|
| + case TLS_RSA_WITH_AES_256_CBC_SHA256:
|
| + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
|
| +@@ -2043,6 +2066,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
|
| }
|
| #endif
|
|
|
| @@ -105,7 +113,7 @@
|
| /* Initialize encryption and MAC contexts for pending spec.
|
| * Master Secret already is derived.
|
| * Caller holds Spec write lock.
|
| -@@ -2053,13 +2114,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
|
| +@@ -2076,13 +2139,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket
|
| pwSpec->client.write_mac_context = NULL;
|
| pwSpec->server.write_mac_context = NULL;
|
|
|
| @@ -125,11 +133,10 @@
|
| return SECSuccess;
|
| }
|
|
|
| -diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
|
| -index a3638e7..21a5e05 100644
|
| ---- a/nss/lib/ssl/ssl3ecc.c
|
| -+++ b/nss/lib/ssl/ssl3ecc.c
|
| -@@ -913,6 +913,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
|
| +diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
|
| +--- a/nss/lib/ssl/ssl3ecc.c 2014-01-06 14:57:50.984587086 -0800
|
| ++++ b/nss/lib/ssl/ssl3ecc.c 2014-01-06 14:58:25.635150408 -0800
|
| +@@ -904,6 +904,7 @@ static const ssl3CipherSuite ecdhe_ecdsa
|
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
| @@ -137,7 +144,7 @@
|
| TLS_ECDHE_ECDSA_WITH_NULL_SHA,
|
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
| 0 /* end of list marker */
|
| -@@ -924,6 +925,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
|
| +@@ -915,6 +916,7 @@ static const ssl3CipherSuite ecdhe_rsa_s
|
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
| @@ -145,7 +152,7 @@
|
| TLS_ECDHE_RSA_WITH_NULL_SHA,
|
| TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
| 0 /* end of list marker */
|
| -@@ -936,6 +938,7 @@ static const ssl3CipherSuite ecSuites[] = {
|
| +@@ -927,6 +929,7 @@ static const ssl3CipherSuite ecSuites[]
|
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
| @@ -153,7 +160,7 @@
|
| TLS_ECDHE_ECDSA_WITH_NULL_SHA,
|
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
| -@@ -943,6 +946,7 @@ static const ssl3CipherSuite ecSuites[] = {
|
| +@@ -934,6 +937,7 @@ static const ssl3CipherSuite ecSuites[]
|
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
| @@ -161,23 +168,37 @@
|
| TLS_ECDHE_RSA_WITH_NULL_SHA,
|
| TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
| TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
| -diff --git a/nss/lib/ssl/sslenum.c b/nss/lib/ssl/sslenum.c
|
| -index 597ec07..fc6b854 100644
|
| ---- a/nss/lib/ssl/sslenum.c
|
| -+++ b/nss/lib/ssl/sslenum.c
|
| -@@ -31,6 +31,8 @@
|
| +diff -pu a/nss/lib/ssl/sslenum.c b/nss/lib/ssl/sslenum.c
|
| +--- a/nss/lib/ssl/sslenum.c 2014-01-06 14:53:43.540566574 -0800
|
| ++++ b/nss/lib/ssl/sslenum.c 2014-01-06 15:11:13.167642594 -0800
|
| +@@ -37,17 +37,21 @@
|
| + *
|
| + * Exception: Because some servers ignore the high-order byte of the cipher
|
| + * suite ID, we must be careful about adding cipher suites with IDs larger
|
| +- * than 0x00ff; see bug 946147. For these broken servers, the first four cipher
|
| ++ * than 0x00ff; see bug 946147. For these broken servers, the first six cipher
|
| + * suites, with the MSB zeroed, look like:
|
| ++ * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 }
|
| ++ * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
|
| + * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 {0x00,0x2B }
|
| + * TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
|
| + * TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
|
| + * TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
|
| +- * The broken server only supports the third and fourth ones and will select
|
| +- * the third one.
|
| ++ * The broken server only supports the fifth and sixth ones and will select
|
| ++ * the fifth one.
|
| + */
|
| const PRUint16 SSL_ImplementedCiphers[] = {
|
| - /* AES-GCM */
|
| #ifdef NSS_ENABLE_ECC
|
| + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
| + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
| - #endif /* NSS_ENABLE_ECC */
|
| -diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
|
| -index 0fe12d0..e3ae9ce 100644
|
| ---- a/nss/lib/ssl/sslimpl.h
|
| -+++ b/nss/lib/ssl/sslimpl.h
|
| + /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
|
| +diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
|
| +--- a/nss/lib/ssl/sslimpl.h 2014-01-06 14:57:46.654516696 -0800
|
| ++++ b/nss/lib/ssl/sslimpl.h 2014-01-06 14:58:25.635150408 -0800
|
| @@ -65,6 +65,7 @@ typedef SSLSignType SSL3SignType;
|
| #define calg_camellia ssl_calg_camellia
|
| #define calg_seed ssl_calg_seed
|
| @@ -203,11 +224,10 @@
|
| cipher_missing /* reserved for no such supported cipher */
|
| /* This enum must match ssl3_cipherName[] in ssl3con.c. */
|
| } SSL3BulkCipher;
|
| -diff --git a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
|
| -index 9597209..bfc1676 100644
|
| ---- a/nss/lib/ssl/sslinfo.c
|
| -+++ b/nss/lib/ssl/sslinfo.c
|
| -@@ -118,6 +118,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
|
| +diff -pu a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
|
| +--- a/nss/lib/ssl/sslinfo.c 2014-01-06 14:57:21.444106895 -0800
|
| ++++ b/nss/lib/ssl/sslinfo.c 2014-01-06 14:58:25.635150408 -0800
|
| +@@ -110,6 +110,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
|
| #define C_NULL "NULL", calg_null
|
| #define C_SJ "SKIPJACK", calg_sj
|
| #define C_AESGCM "AES-GCM", calg_aes_gcm
|
| @@ -215,7 +235,7 @@
|
|
|
| #define B_256 256, 256, 256
|
| #define B_128 128, 128, 128
|
| -@@ -196,12 +197,14 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
|
| +@@ -188,12 +189,14 @@ static const SSLCipherSuiteInfo suiteInf
|
| {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
|
| {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
|
| {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
|
| @@ -230,10 +250,9 @@
|
|
|
| {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
|
| {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
|
| -diff --git a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
|
| -index 53bba01..6b60a28 100644
|
| ---- a/nss/lib/ssl/sslproto.h
|
| -+++ b/nss/lib/ssl/sslproto.h
|
| +diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
|
| +--- a/nss/lib/ssl/sslproto.h 2014-01-06 14:53:43.540566574 -0800
|
| ++++ b/nss/lib/ssl/sslproto.h 2014-01-06 14:58:25.635150408 -0800
|
| @@ -213,6 +213,9 @@
|
| #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
|
| #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
|
| @@ -244,30 +263,9 @@
|
| /* Netscape "experimental" cipher suites. */
|
| #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
|
| #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
|
| -diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
|
| -index c17c7a3..ffbccc6 100644
|
| ---- a/nss/lib/ssl/sslsock.c
|
| -+++ b/nss/lib/ssl/sslsock.c
|
| -@@ -98,6 +98,7 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
|
| - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| -+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| -@@ -110,6 +111,7 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
|
| - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| -+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - #endif /* NSS_ENABLE_ECC */
|
| - { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
|
| - };
|
| -diff --git a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
|
| -index b03422e..a8007d8 100644
|
| ---- a/nss/lib/ssl/sslt.h
|
| -+++ b/nss/lib/ssl/sslt.h
|
| +diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
|
| +--- a/nss/lib/ssl/sslt.h 2014-01-06 14:58:13.034945554 -0800
|
| ++++ b/nss/lib/ssl/sslt.h 2014-01-06 14:58:25.635150408 -0800
|
| @@ -94,7 +94,8 @@ typedef enum {
|
| ssl_calg_aes = 7,
|
| ssl_calg_camellia = 8,
|
|
|
Chromium Code Reviews
Issue 111853013:
Update net/third_party/nss to NSS 3.15.4. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/