| Index: net/third_party/nss/ssl/ssl3ecc.c
|
| diff --git a/net/third_party/nss/ssl/ssl3ecc.c b/net/third_party/nss/ssl/ssl3ecc.c
|
| index 31e07744bb9541feafa4d435e5ed2ba8d008b1e0..ab5ab14d41d5cbdc7dba049032a0f9eac42100be 100644
|
| --- a/net/third_party/nss/ssl/ssl3ecc.c
|
| +++ b/net/third_party/nss/ssl/ssl3ecc.c
|
| @@ -214,7 +214,7 @@ params2ecName(SECKEYECParams * params)
|
|
|
| /* Caller must set hiLevel error code. */
|
| static SECStatus
|
| -ssl3_ComputeECDHKeyHash(SECOidTag hashAlg,
|
| +ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
|
| SECItem ec_params, SECItem server_ecpoint,
|
| SSL3Random *client_rand, SSL3Random *server_rand,
|
| SSL3Hashes *hashes, PRBool bypassPKCS11)
|
| @@ -303,7 +303,7 @@ ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
|
| pubKey->u.ec.publicValue.len));
|
|
|
| if (isTLS12) {
|
| - target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
|
| + target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
| } else if (isTLS) {
|
| target = CKM_TLS_MASTER_KEY_DERIVE_DH;
|
| } else {
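Review bot: The `isTLS12` branch now selects `CKM_TLS12_MASTER_KEY_DERIVE_DH`, which no longer names SHA-256 the way the old vendor constant did, so the PRF hash is no longer implied by `target` itself. Whatever later derives the master secret from this key presumably has to supply the hash explicitly; that code is outside the hunk, so this is something to confirm rather than a defect visible here. A one-line comment at the assignment would help, e.g. `/* PRF hash is not implied by this mechanism; it is chosen where the master secret is derived */`. The same applies to the identical change in ssl3_HandleECDHClientKeyExchange (the `@@ -394` hunk).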
|
| @@ -325,14 +325,6 @@ ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
|
| SECKEY_DestroyPrivateKey(privKey);
|
| privKey = NULL;
|
|
|
| - rv = ssl3_InitPendingCipherSpec(ss, pms);
|
| - PK11_FreeSymKey(pms); pms = NULL;
|
| -
|
| - if (rv != SECSuccess) {
|
| - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
|
| - goto loser;
|
| - }
|
| -
|
| rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
|
| pubKey->u.ec.publicValue.len + 1);
|
| if (rv != SECSuccess) {
|
| @@ -349,6 +341,14 @@ ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
|
| goto loser; /* err set by ssl3_AppendHandshake* */
|
| }
|
|
|
| + rv = ssl3_InitPendingCipherSpec(ss, pms);
|
| + PK11_FreeSymKey(pms); pms = NULL;
|
| +
|
| + if (rv != SECSuccess) {
|
| + ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
|
| + goto loser;
|
| + }
|
| +
|
| rv = SECSuccess;
|
|
|
| loser:
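Review bot: With `ssl3_InitPendingCipherSpec` moved below the handshake appends, `pms` is still live at the `goto loser` exits that sit between the old and new call sites (one is visible at the top of this hunk). The `loser:` block therefore has to release it. That block begins on the last line of this hunk and continues outside it, so please confirm it contains `if (pms) PK11_FreeSymKey(pms);`, otherwise the pre-master secret leaks on an append failure. A short comment above the moved call saying why it must follow the handshake message would also keep the ordering from being reverted later.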
|
| @@ -394,7 +394,7 @@ ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
|
| isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
|
|
|
| if (isTLS12) {
|
| - target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
|
| + target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
| } else if (isTLS) {
|
| target = CKM_TLS_MASTER_KEY_DERIVE_DH;
|
| } else {
|
| @@ -615,9 +615,9 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| SECItem ec_params = {siBuffer, NULL, 0};
|
| SECItem ec_point = {siBuffer, NULL, 0};
|
| unsigned char paramBuf[3]; /* only for curve_type == named_curve */
|
| - SSL3SignatureAndHashAlgorithm sigAndHash;
|
| + SSLSignatureAndHashAlg sigAndHash;
|
|
|
| - sigAndHash.hashAlg = SEC_OID_UNKNOWN;
|
| + sigAndHash.hashAlg = ssl_hash_none;
|
|
|
| isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
|
| isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
|
| @@ -659,7 +659,7 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| goto loser; /* malformed or unsupported. */
|
| }
|
| rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
|
| - &sigAndHash, ss->sec.peerCert);
|
| + ss, &sigAndHash, ss->sec.peerCert);
|
| if (rv != SECSuccess) {
|
| goto loser;
|
| }
|
| @@ -710,7 +710,7 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| goto no_memory;
|
| }
|
|
|
| - ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
|
| + peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
|
| if (peerKey == NULL) {
|
| goto no_memory;
|
| }
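Review bot: Dropping the early store means `ss->sec.peerKey` must now be assigned only after `peerKey` is fully built and no later `goto` can free the arena; that assignment is not in this hunk and should be checked. The old form published an arena-backed pointer into the socket before the key was populated, and the copy-failure path in this function freed the arena afterwards, leaving the socket with a stale pointer. A comment at the allocation would record the rule, e.g. `/* do not store in ss->sec.peerKey until the key is complete; error paths free the arena */`. The function body extends beyond the hunk on both sides.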
|
| @@ -731,7 +731,6 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| /* copy publicValue in peerKey */
|
| if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point))
|
| {
|
| - PORT_FreeArena(arena, PR_FALSE);
|
| goto no_memory;
|
| }
|
| peerKey->pkcs11Slot = NULL;
|
| @@ -745,10 +744,16 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| alert_loser:
|
| (void)SSL3_SendAlert(ss, alert_fatal, desc);
|
| loser:
|
| + if (arena) {
|
| + PORT_FreeArena(arena, PR_FALSE);
|
| + }
|
| PORT_SetError( errCode );
|
| return SECFailure;
|
|
|
| no_memory: /* no-memory error has already been set. */
|
| + if (arena) {
|
| + PORT_FreeArena(arena, PR_FALSE);
|
| + }
|
| ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
|
| return SECFailure;
|
| }
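Review bot: The new `if (arena)` guards at `loser:` and `no_memory:` are only safe if `arena` is initialised to NULL where it is declared, which is outside this hunk. Other hunks of this function show `goto loser` on the malformed-input and consistency-check paths, which by their line numbers come before the arena is created, so an uninitialised `arena` would be passed to `PORT_FreeArena`. The success path also has to leave the function before these labels with ownership handed to the socket. Setting `arena = NULL;` right after that hand-off would make the labels safe against a double free if a later edit adds a failure exit after it.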
|
| @@ -756,7 +761,7 @@ no_memory: /* no-memory error has already been set. */
|
| SECStatus
|
| ssl3_SendECDHServerKeyExchange(
|
| sslSocket *ss,
|
| - const SSL3SignatureAndHashAlgorithm *sigAndHash)
|
| + const SSLSignatureAndHashAlg *sigAndHash)
|
| {
|
| const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
|
| SECStatus rv = SECFailure;
|
| @@ -977,9 +982,7 @@ ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite)
|
| if (!suite)
|
| suite = ecSuites;
|
| for (; *suite; ++suite) {
|
| - SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
|
| -
|
| - PORT_Assert(rv == SECSuccess); /* else is coding error */
|
| + PORT_CheckSuccess(ssl3_CipherPrefSet(ss, *suite, PR_FALSE));
|
| }
|
| return SECSuccess;
|
| }
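Review bot: If `PORT_CheckSuccess` is an assert-style macro, as the removed `PORT_Assert` suggests, a failing `ssl3_CipherPrefSet` is ignored in non-debug builds and the function still returns `SECSuccess`. For a routine whose job is to switch cipher suites off, that leaves a suite enabled while the caller is told it was disabled. Consider propagating the failure, e.g. `if (ssl3_CipherPrefSet(ss, *suite, PR_FALSE) != SECSuccess) rv = SECFailure;` with `return rv;` at the end, provided callers tolerate a failure return. Otherwise keep the dropped `/* else is coding error */` comment so the intent stays documented.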
|
| @@ -1142,7 +1145,10 @@ ssl3_SendSupportedCurvesXtn(
|
| ecList = tlsECList;
|
| }
|
|
|
| - if (append && maxBytes >= ecListSize) {
|
| + if (maxBytes < (PRUint32)ecListSize) {
|
| + return 0;
|
| + }
|
| + if (append) {
|
| SECStatus rv = ssl3_AppendHandshake(ss, ecList, ecListSize);
|
| if (rv != SECSuccess)
|
| return -1;
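Review bot: The new early `return 0` changes the result for the sizing call (`append` false): when the list does not fit, the function now reports 0 bytes instead of falling through, and the three outcomes (0, -1, and a length) are not documented at this point. A comment on the check would make the contract explicit, e.g. `/* not enough room: omit the extension (0), distinct from an append failure (-1) */`. The `(PRUint32)ecListSize` cast suggests `ecListSize` is signed; its declaration is outside the hunk, and a one-line note that it is never negative here would justify the cast. The function body continues beyond this hunk.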
|
|
|