| Index: net/third_party/nss/patches/fallbackscsv.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/fallbackscsv.patch (revision 242942)
|
| +++ net/third_party/nss/patches/fallbackscsv.patch (working copy)
|
| @@ -1,34 +1,7 @@
|
| -diff --git a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
|
| -index c0d26cc..4ff0b7d 100644
|
| ---- a/nss/lib/ssl/SSLerrs.h
|
| -+++ b/nss/lib/ssl/SSLerrs.h
|
| -@@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130),
|
| -
|
| - ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
|
| - "The application could not get a TLS Channel ID.")
|
| -+
|
| -+ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 132),
|
| -+"The connection was using a lesser TLS version as a result of a previous"
|
| -+" handshake failure, but the server indicated that it should not have been"
|
| -+" needed.")
|
| -diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
|
| -index 24627ed..067938c 100644
|
| ---- a/nss/lib/ssl/ssl.h
|
| -+++ b/nss/lib/ssl/ssl.h
|
| -@@ -163,6 +163,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
|
| - #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
|
| - /* Request Signed Certificate Timestamps via TLS extension (client) */
|
| - #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
|
| -+#define SSL_ENABLE_FALLBACK_SCSV 26 /* Send fallback SCSV in
|
| -+ * handshakes. */
|
| -
|
| - #ifdef SSL_DEPRECATED_FUNCTION
|
| - /* Old deprecated function names */
|
| -diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
|
| -index cf7ef32..946f780 100644
|
| ---- a/nss/lib/ssl/ssl3con.c
|
| -+++ b/nss/lib/ssl/ssl3con.c
|
| -@@ -3469,6 +3469,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
|
| +diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
|
| +--- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:44:44.807185186 -0800
|
| ++++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:44:54.857349534 -0800
|
| +@@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
|
| case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
|
| break;
|
| case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
|
| @@ -38,19 +11,26 @@
|
|
|
| /* All alerts below are TLS only. */
|
| case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break;
|
| -@@ -4973,7 +4976,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| +@@ -4986,6 +4989,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
|
| int num_suites;
|
| int actual_count = 0;
|
| PRBool isTLS = PR_FALSE;
|
| -- PRBool requestingResume = PR_FALSE;
|
| + PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE;
|
| PRInt32 total_exten_len = 0;
|
| unsigned paddingExtensionLen;
|
| unsigned numCompressionMethods;
|
| -@@ -5223,8 +5226,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| - num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
|
| - if (!num_suites)
|
| +@@ -5128,6 +5132,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
|
| + }
|
| +
|
| + if (sid) {
|
| ++ requestingResume = PR_TRUE;
|
| + SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
|
| +
|
| + PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
|
| +@@ -5246,8 +5251,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
|
| + if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
|
| return SECFailure; /* count_cipher_suites has set error code. */
|
| + }
|
| +
|
| + fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume ||
|
| + ss->version < sid->version);
|
| @@ -64,7 +44,7 @@
|
| }
|
|
|
| /* count compression methods */
|
| -@@ -5322,6 +5332,14 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| +@@ -5353,6 +5365,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
|
| }
|
| actual_count++;
|
| }
|
| @@ -72,6 +52,7 @@
|
| + rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
|
| + sizeof(ssl3CipherSuite));
|
| + if (rv != SECSuccess) {
|
| ++ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
|
| + return rv; /* err set by ssl3_AppendHandshake* */
|
| + }
|
| + actual_count++;
|
| @@ -79,7 +60,15 @@
|
| for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
|
| if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
|
| -@@ -8037,6 +8055,19 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| +@@ -5416,6 +5437,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
|
| +
|
| + extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
|
| + if (extLen < 0) {
|
| ++ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
|
| + return SECFailure;
|
| + }
|
| + maxBytes -= extLen;
|
| +@@ -8083,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS
|
| goto loser; /* malformed */
|
| }
|
|
|
| @@ -99,10 +88,9 @@
|
| /* grab the list of compression methods. */
|
| rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
|
| if (rv != SECSuccess) {
|
| -diff --git a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
|
| -index 0eab970..4c19ade 100644
|
| ---- a/nss/lib/ssl/ssl3prot.h
|
| -+++ b/nss/lib/ssl/ssl3prot.h
|
| +diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
|
| +--- a/nss/lib/ssl/ssl3prot.h 2014-01-03 19:39:28.442012014 -0800
|
| ++++ b/nss/lib/ssl/ssl3prot.h 2014-01-03 19:44:54.857349534 -0800
|
| @@ -98,6 +98,7 @@ typedef enum {
|
| protocol_version = 70,
|
| insufficient_security = 71,
|
| @@ -111,11 +99,10 @@
|
| user_canceled = 90,
|
| no_renegotiation = 100,
|
|
|
| -diff --git a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
|
| -index 5a949c9..82ae7df 100644
|
| ---- a/nss/lib/ssl/sslerr.h
|
| -+++ b/nss/lib/ssl/sslerr.h
|
| -@@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
|
| +diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
|
| +--- a/nss/lib/ssl/sslerr.h 2014-01-03 19:39:28.442012014 -0800
|
| ++++ b/nss/lib/ssl/sslerr.h 2014-01-03 19:44:54.877349862 -0800
|
| +@@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM
|
| SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129),
|
| SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130),
|
| SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131),
|
| @@ -123,10 +110,33 @@
|
|
|
| SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
|
| } SSLErrorCodes;
|
| -diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
|
| -index 7521dba..6d0bc15 100644
|
| ---- a/nss/lib/ssl/sslimpl.h
|
| -+++ b/nss/lib/ssl/sslimpl.h
|
| +diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
|
| +--- a/nss/lib/ssl/SSLerrs.h 2014-01-03 19:39:28.442012014 -0800
|
| ++++ b/nss/lib/ssl/SSLerrs.h 2014-01-03 19:44:54.907350351 -0800
|
| +@@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (S
|
| +
|
| + ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
|
| + "The application could not get a TLS Channel ID.")
|
| ++
|
| ++ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 132),
|
| ++"The connection was using a lesser TLS version as a result of a previous"
|
| ++" handshake failure, but the server indicated that it should not have been"
|
| ++" needed.")
|
| +diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
|
| +--- a/nss/lib/ssl/ssl.h 2014-01-03 19:44:44.807185186 -0800
|
| ++++ b/nss/lib/ssl/ssl.h 2014-01-03 19:44:54.907350351 -0800
|
| +@@ -163,6 +163,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
|
| + #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
|
| + /* Request Signed Certificate Timestamps via TLS extension (client) */
|
| + #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
|
| ++#define SSL_ENABLE_FALLBACK_SCSV 26 /* Send fallback SCSV in
|
| ++ * handshakes. */
|
| +
|
| + #ifdef SSL_DEPRECATED_FUNCTION
|
| + /* Old deprecated function names */
|
| +diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
|
| +--- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:44:44.807185186 -0800
|
| ++++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:44:54.907350351 -0800
|
| @@ -336,6 +336,7 @@ typedef struct sslOptionsStr {
|
| unsigned int cbcRandomIV : 1; /* 24 */
|
| unsigned int enableOCSPStapling : 1; /* 25 */
|
| @@ -135,10 +145,9 @@
|
| } sslOptions;
|
|
|
| typedef enum { sslHandshakingUndetermined = 0,
|
| -diff --git a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
|
| -index 6b60a28..621ef37 100644
|
| ---- a/nss/lib/ssl/sslproto.h
|
| -+++ b/nss/lib/ssl/sslproto.h
|
| +diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
|
| +--- a/nss/lib/ssl/sslproto.h 2014-01-03 19:43:07.025586219 -0800
|
| ++++ b/nss/lib/ssl/sslproto.h 2014-01-03 19:44:54.907350351 -0800
|
| @@ -172,6 +172,11 @@
|
| */
|
| #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF
|
| @@ -151,11 +160,10 @@
|
| /* Cipher Suite Values starting with 0xC000 are defined in informational
|
| * RFCs.
|
| */
|
| -diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
|
| -index 9f8286c..f7d44d4 100644
|
| ---- a/nss/lib/ssl/sslsock.c
|
| -+++ b/nss/lib/ssl/sslsock.c
|
| -@@ -174,7 +174,8 @@ static sslOptions ssl_defaults = {
|
| +diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
|
| +--- a/nss/lib/ssl/sslsock.c 2014-01-03 19:44:44.807185186 -0800
|
| ++++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:44:54.907350351 -0800
|
| +@@ -86,7 +86,8 @@ static sslOptions ssl_defaults = {
|
| PR_FALSE, /* enableFalseStart */
|
| PR_TRUE, /* cbcRandomIV */
|
| PR_FALSE, /* enableOCSPStapling */
|
| @@ -165,7 +173,7 @@
|
| };
|
|
|
| /*
|
| -@@ -870,6 +871,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
|
| +@@ -782,6 +783,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
| ss->opt.enableSignedCertTimestamps = on;
|
| break;
|
|
|
| @@ -176,7 +184,7 @@
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| rv = SECFailure;
|
| -@@ -943,6 +948,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
|
| +@@ -855,6 +860,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
|
| case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
|
| on = ss->opt.enableSignedCertTimestamps;
|
| break;
|
| @@ -184,7 +192,7 @@
|
|
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -1007,6 +1013,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
|
| +@@ -919,6 +925,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
|
| case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
|
| on = ssl_defaults.enableSignedCertTimestamps;
|
| break;
|
| @@ -194,7 +202,7 @@
|
|
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -1178,6 +1187,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
|
| +@@ -1090,6 +1099,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
|
| ssl_defaults.enableSignedCertTimestamps = on;
|
| break;
|
|
|
|
|
Chromium Code Reviews
Issue 111853013:
Update net/third_party/nss to NSS 3.15.4. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/