Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(453)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/patches/renegoclientversion.patch

Issue 11275240: Update net/third_party/nss/ssl to NSS 3.14. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Upload before commit Created 8 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/third_party/nss/patches/recordlayerversion.patch ('k') | net/third_party/nss/patches/renegoscsv.patch » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/renegoclientversion.patch
===================================================================
--- net/third_party/nss/patches/renegoclientversion.patch (revision 166942)
+++ net/third_party/nss/patches/renegoclientversion.patch (working copy)
@@ -1,114 +0,0 @@
-Index: mozilla/security/nss/lib/ssl/ssl3con.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
-retrieving revision 1.186
-diff -u -p -r1.186 ssl3con.c
---- mozilla/security/nss/lib/ssl/ssl3con.c 30 Jul 2012 00:47:36 -0000 1.186
-+++ mozilla/security/nss/lib/ssl/ssl3con.c 17 Aug 2012 02:23:29 -0000
-@@ -4028,6 +4028,23 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
- return rv;
- }
-
-+ /*
-+ * During a renegotiation, ss->clientHelloVersion will be used again to
-+ * work around a Windows SChannel bug. Ensure that it is still enabled.
-+ */
-+ if (ss->firstHsDone) {
-+ if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
-+ PORT_SetError(SSL_ERROR_SSL_DISABLED);
-+ return SECFailure;
-+ }
-+
-+ if (ss->clientHelloVersion < ss->vrange.min ||
-+ ss->clientHelloVersion > ss->vrange.max) {
-+ PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-+ return SECFailure;
-+ }
-+ }
-+
- /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
- * handles expired entries and other details.
- * XXX If we've been called from ssl2_BeginClientHandshake, then
-@@ -4075,9 +4092,41 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
- sidOK = PR_FALSE;
- }
-
-- if (sidOK && ssl3_NegotiateVersion(ss, sid->version,
-- PR_FALSE) != SECSuccess) {
-- sidOK = PR_FALSE;
-+ /* TLS 1.0 (RFC 2246) Appendix E says:
-+ * Whenever a client already knows the highest protocol known to
-+ * a server (for example, when resuming a session), it should
-+ * initiate the connection in that native protocol.
-+ * So we pass sid->version to ssl3_NegotiateVersion() here, except
-+ * when renegotiating.
-+ *
-+ * Windows SChannel compares the client_version inside the RSA
-+ * EncryptedPreMasterSecret of a renegotiation with the
-+ * client_version of the initial ClientHello rather than the
-+ * ClientHello in the renegotiation. To work around this bug, we
-+ * continue to use the client_version used in the initial
-+ * ClientHello when renegotiating.
-+ */
-+ if (sidOK) {
-+ if (ss->firstHsDone) {
-+ /*
-+ * The client_version of the initial ClientHello is still
-+ * available in ss->clientHelloVersion. Ensure that
-+ * sid->version is bounded within
-+ * [ss->vrange.min, ss->clientHelloVersion], otherwise we
-+ * can't use sid.
-+ */
-+ if (sid->version >= ss->vrange.min &&
-+ sid->version <= ss->clientHelloVersion) {
-+ ss->version = ss->clientHelloVersion;
-+ } else {
-+ sidOK = PR_FALSE;
-+ }
-+ } else {
-+ if (ssl3_NegotiateVersion(ss, sid->version,
-+ PR_FALSE) != SECSuccess) {
-+ sidOK = PR_FALSE;
-+ }
-+ }
- }
-
- if (!sidOK) {
-@@ -4104,10 +4153,22 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
- } else {
- SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
-
-- rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
-- PR_TRUE);
-- if (rv != SECSuccess)
-- return rv; /* error code was set */
-+ /*
-+ * Windows SChannel compares the client_version inside the RSA
-+ * EncryptedPreMasterSecret of a renegotiation with the
-+ * client_version of the initial ClientHello rather than the
-+ * ClientHello in the renegotiation. To work around this bug, we
-+ * continue to use the client_version used in the initial
-+ * ClientHello when renegotiating.
-+ */
-+ if (ss->firstHsDone) {
-+ ss->version = ss->clientHelloVersion;
-+ } else {
-+ rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
-+ PR_TRUE);
-+ if (rv != SECSuccess)
-+ return rv; /* error code was set */
-+ }
-
- sid = ssl3_NewSessionID(ss, PR_FALSE);
- if (!sid) {
-@@ -4207,6 +4268,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
- return rv; /* err set by ssl3_AppendHandshake* */
- }
-
-+ if (ss->firstHsDone) {
-+ /* Work around the Windows SChannel bug described above. */
-+ PORT_Assert(ss->version == ss->clientHelloVersion);
-+ }
- ss->clientHelloVersion = ss->version;
- if (IS_DTLS(ss)) {
- PRUint16 version;
« no previous file with comments | « net/third_party/nss/patches/recordlayerversion.patch ('k') | net/third_party/nss/patches/renegoscsv.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698