| OLD | NEW |
|---|
| (Empty) |
| 1 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con
.c | |
| 2 index 6780a84..4cf011b 100644 | |
| 3 --- a/net/third_party/nss/ssl/ssl3con.c | |
| 4 +++ b/net/third_party/nss/ssl/ssl3con.c | |
| 5 @@ -4793,6 +4793,17 @@ done: | |
| 6 return unwrappedWrappingKey; | |
| 7 } | |
| 8 | |
| 9 +/* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2| | |
| 10 + * bytes to |out|. */ | |
| 11 +static void hexEncode(char *out, const unsigned char *in, size_t length) { | |
| 12 + static const char hextable[] = "0123456789abcdef"; | |
| 13 + size_t i; | |
| 14 + | |
| 15 + for (i = 0; i < length; i++) { | |
| 16 + *(out++) = hextable[in[i] >> 4]; | |
| 17 + *(out++) = hextable[in[i] & 15]; | |
| 18 + } | |
| 19 +} | |
| 20 | |
| 21 /* Called from ssl3_SendClientKeyExchange(). */ | |
| 22 /* Presently, this always uses PKCS11. There is no bypass for this. */ | |
| 23 @@ -4832,16 +4843,17 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey
* svrPubKey) | |
| 24 goto loser; | |
| 25 } | |
| 26 | |
| 27 -#if defined(TRACE) | |
| 28 - if (ssl_trace >= 100 || ssl_keylog_iob) { | |
| 29 + if (ssl_keylog_iob) { | |
| 30 SECStatus extractRV = PK11_ExtractKeyValue(pms); | |
| 31 if (extractRV == SECSuccess) { | |
| 32 SECItem * keyData = PK11_GetKeyData(pms); | |
| 33 if (keyData && keyData->data && keyData->len) { | |
| 34 +#ifdef TRACE | |
| 35 if (ssl_trace >= 100) { | |
| 36 ssl_PrintBuf(ss, "Pre-Master Secret", | |
| 37 keyData->data, keyData->len); | |
| 38 } | |
| 39 +#endif | |
| 40 if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) { | |
| 41 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */ | |
| 42 | |
| 43 @@ -4849,21 +4861,11 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey
* svrPubKey) | |
| 44 * keylog, so we have to do everything in a single call to | |
| 45 * fwrite. */ | |
| 46 char buf[4 + 8*2 + 1 + 48*2 + 1]; | |
| 47 - static const char hextable[16] = "0123456789abcdef"; | |
| 48 - unsigned int i; | |
| 49 | |
| 50 strcpy(buf, "RSA "); | |
| 51 - | |
| 52 - for (i = 0; i < 8; i++) { | |
| 53 - buf[4 + i*2] = hextable[enc_pms.data[i] >> 4]; | |
| 54 - buf[4 + i*2 + 1] = hextable[enc_pms.data[i] & 15]; | |
| 55 - } | |
| 56 + hexEncode(buf + 4, enc_pms.data, 8); | |
| 57 buf[20] = ' '; | |
| 58 - | |
| 59 - for (i = 0; i < 48; i++) { | |
| 60 - buf[21 + i*2] = hextable[keyData->data[i] >> 4]; | |
| 61 - buf[21 + i*2 + 1] = hextable[keyData->data[i] & 15]; | |
| 62 - } | |
| 63 + hexEncode(buf + 21, keyData->data, 48); | |
| 64 buf[sizeof(buf) - 1] = '\n'; | |
| 65 | |
| 66 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob); | |
| 67 @@ -4872,7 +4874,6 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey *
svrPubKey) | |
| 68 } | |
| 69 } | |
| 70 } | |
| 71 -#endif | |
| 72 | |
| 73 rv = ssl3_InitPendingCipherSpec(ss, pms); | |
| 74 PK11_FreeSymKey(pms); pms = NULL; | |
| 75 @@ -9046,6 +9047,69 @@ ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss, | |
| 76 return SECSuccess; | |
| 77 } | |
| 78 | |
| 79 +/* called from ssl3_SendFinished | |
| 80 + * | |
| 81 + * Caller must already hold the SpecReadLock. (wish we could assert that!). | |
| 82 + * This function is simply a debugging aid and therefore does not return a | |
| 83 + * SECStatus. */ | |
| 84 +static void | |
| 85 +ssl3_RecordKeyLog(sslSocket *ss) | |
| 86 +{ | |
| 87 + sslSessionID *sid; | |
| 88 + SECStatus rv; | |
| 89 + SECItem *keyData; | |
| 90 + char buf[14 /* "CLIENT_RANDOM " */ + | |
| 91 + SSL3_RANDOM_LENGTH*2 /* client_random */ + | |
| 92 + 1 /* " " */ + | |
| 93 + 48*2 /* master secret */ + | |
| 94 + 1 /* new line */]; | |
| 95 + unsigned int j; | |
| 96 + | |
| 97 + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
| 98 + | |
| 99 + sid = ss->sec.ci.sid; | |
| 100 + | |
| 101 + if (!ssl_keylog_iob) | |
| 102 + return; | |
| 103 + | |
| 104 + rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); | |
| 105 + if (rv != SECSuccess) | |
| 106 + return; | |
| 107 + | |
| 108 + ssl_GetSpecReadLock(ss); | |
| 109 + | |
| 110 + /* keyData does not need to be freed. */ | |
| 111 + keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret); | |
| 112 + if (!keyData || !keyData->data || keyData->len != 48) { | |
| 113 + ssl_ReleaseSpecReadLock(ss); | |
| 114 + return; | |
| 115 + } | |
| 116 + | |
| 117 + /* https://developer.mozilla.org/en/NSS_Key_Log_Format */ | |
| 118 + | |
| 119 + /* There could be multiple, concurrent writers to the | |
| 120 + * keylog, so we have to do everything in a single call to | |
| 121 + * fwrite. */ | |
| 122 + | |
| 123 + memcpy(buf, "CLIENT_RANDOM ", 14); | |
| 124 + j = 14; | |
| 125 + hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH); | |
| 126 + j += SSL3_RANDOM_LENGTH*2; | |
| 127 + buf[j++] = ' '; | |
| 128 + hexEncode(buf + j, keyData->data, 48); | |
| 129 + j += 48*2; | |
| 130 + buf[j++] = '\n'; | |
| 131 + | |
| 132 + PORT_Assert(j == sizeof(buf)); | |
| 133 + | |
| 134 + ssl_ReleaseSpecReadLock(ss); | |
| 135 + | |
| 136 + if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1) | |
| 137 + return; | |
| 138 + fflush(ssl_keylog_iob); | |
| 139 + return; | |
| 140 +} | |
| 141 + | |
| 142 /* called from ssl3_HandleServerHelloDone | |
| 143 * ssl3_HandleClientHello | |
| 144 * ssl3_HandleFinished | |
| 145 @@ -9107,6 +9171,9 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags) | |
| 146 if (rv != SECSuccess) { | |
| 147 goto fail; /* error code set by ssl3_FlushHandshake */ | |
| 148 } | |
| 149 + | |
| 150 + ssl3_RecordKeyLog(ss); | |
| 151 + | |
| 152 return SECSuccess; | |
| 153 | |
| 154 fail: | |
| 155 diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock
.c | |
| 156 index c61ab44..9387a21 100644 | |
| 157 --- a/net/third_party/nss/ssl/sslsock.c | |
| 158 +++ b/net/third_party/nss/ssl/sslsock.c | |
| 159 @@ -2903,22 +2903,22 @@ ssl_SetDefaultsFromEnvironment(void) | |
| 160 ssl_trace = atoi(ev); | |
| 161 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); | |
| 162 } | |
| 163 +#endif /* TRACE */ | |
| 164 + ev = getenv("SSLDEBUG"); | |
| 165 + if (ev && ev[0]) { | |
| 166 + ssl_debug = atoi(ev); | |
| 167 + SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); | |
| 168 + } | |
| 169 +#endif /* DEBUG */ | |
| 170 ev = getenv("SSLKEYLOGFILE"); | |
| 171 if (ev && ev[0]) { | |
| 172 ssl_keylog_iob = fopen(ev, "a"); | |
| 173 if (ftell(ssl_keylog_iob) == 0) { | |
| 174 - fputs("# pre-master secret log file, generated by NSS\n", | |
| 175 + fputs("# SSL/TLS secrets log file, generated by NSS\n", | |
| 176 ssl_keylog_iob); | |
| 177 } | |
| 178 SSL_TRACE(("SSL: logging pre-master secrets to %s", ev)); | |
| 179 } | |
| 180 -#endif /* TRACE */ | |
| 181 - ev = getenv("SSLDEBUG"); | |
| 182 - if (ev && ev[0]) { | |
| 183 - ssl_debug = atoi(ev); | |
| 184 - SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); | |
| 185 - } | |
| 186 -#endif /* DEBUG */ | |
| 187 ev = getenv("SSLBYPASS"); | |
| 188 if (ev && ev[0]) { | |
| 189 ssl_defaults.bypassPKCS11 = (ev[0] == '1'); | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 11275240:
Update net/third_party/nss/ssl to NSS 3.14. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/