Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(548)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/patches/tls12hmacsha256.patch

Issue 16394004: Support the new TLS 1.2 HMAC-SHA256 cipher suites specified in (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Add a patch Created 7 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl3con.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 Index: net/third_party/nss/ssl/sslproto.h
2 ===================================================================
3 --- net/third_party/nss/ssl/sslproto.h (revision 203497)
4 +++ net/third_party/nss/ssl/sslproto.h (working copy)
5 @@ -134,6 +134,9 @@
6 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
7 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
8 #define TLS_DH_ANON_WITH_AES_256_CBC_SHA 0x003A
9 +#define TLS_RSA_WITH_NULL_SHA256 0x003B
10 +#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
11 +#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
12
13 #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041
14 #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042
15 @@ -148,6 +151,8 @@
16 #define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
17 #define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065
18 #define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066
19 +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
20 +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
21
22 #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084
23 #define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085
24 @@ -197,6 +202,9 @@
25 #define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
26 #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
27
28 +#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
29 +#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
30 +
31 /* Netscape "experimental" cipher suites. */
32 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
33 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
34 Index: net/third_party/nss/ssl/sslt.h
35 ===================================================================
36 --- net/third_party/nss/ssl/sslt.h (revision 203497)
37 +++ net/third_party/nss/ssl/sslt.h (working copy)
38 @@ -102,7 +102,8 @@
39 ssl_mac_md5 = 1,
40 ssl_mac_sha = 2,
41 ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
42 - ssl_hmac_sha = 4 /* TLS HMAC version of mac_sha */
43 + ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
44 + ssl_hmac_sha256 = 5
45 } SSLMACAlgorithm;
46
47 typedef enum {
48 Index: net/third_party/nss/ssl/sslinfo.c
49 ===================================================================
50 --- net/third_party/nss/ssl/sslinfo.c (revision 203497)
51 +++ net/third_party/nss/ssl/sslinfo.c (working copy)
52 @@ -128,6 +128,7 @@
53 #define B_40 128, 40, 40
54 #define B_0 0, 0, 0
55
56 +#define M_SHA256 "SHA256", ssl_hmac_sha256, 256
57 #define M_SHA "SHA1", ssl_mac_sha, 160
58 #define M_MD5 "MD5", ssl_mac_md5, 128
59
60 @@ -135,20 +136,24 @@
61 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */
62 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
63 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
64 +{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA 256, 1, 0, 0, },
65 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_DHE, C_AES, B_256, M_SHA , 1, 0, 0, },
66 {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA , 1, 0, 0, },
67 {0,CS(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
68 +{0,CS(TLS_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_RSA, C_AES, B_256, M_SHA 256, 1, 0, 0, },
69 {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA , 1, 0, 0, },
70
71 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
72 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
73 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA , 0, 0, 0, },
74 +{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA 256, 1, 0, 0, },
75 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA , 1, 0, 0, },
76 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA , 1, 0, 0, },
77 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA , 1, 0, 0, },
78 {0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
79 {0,CS(SSL_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA , 0, 0, 0, },
80 {0,CS(SSL_RSA_WITH_RC4_128_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5 , 0, 0, 0, },
81 +{0,CS(TLS_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_RSA, C_AES, B_128, M_SHA 256, 1, 0, 0, },
82 {0,CS(TLS_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_RSA, C_AES, B_128, M_SHA , 1, 0, 0, },
83
84 {0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_DHE, C_3DES,B_3DES,M_SHA , 1, 0, 0, },
85 @@ -165,6 +170,7 @@
86 {0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA , 0, 1, 0, },
87 {0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5 , 0, 1, 0, },
88 {0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5 , 0, 1, 0, },
89 +{0,CS(TLS_RSA_WITH_NULL_SHA256), S_RSA, K_RSA, C_NULL,B_0, M_SHA 256, 0, 1, 0, },
90 {0,CS(SSL_RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL,B_0, M_SHA , 0, 1, 0, },
91 {0,CS(SSL_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5 , 0, 1, 0, },
92
93 @@ -180,6 +186,7 @@
94 {0,CS(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDHE, C_RC4, B_128, M _SHA, 0, 0, 0, },
95 {0,CS(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDHE, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
96 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M _SHA, 1, 0, 0, },
97 +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
98 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M _SHA, 1, 0, 0, },
99
100 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA , 0, 0, 0, },
101 @@ -192,6 +199,7 @@
102 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_S HA, 0, 0, 0, },
103 {0,CS(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDHE, C_3DES, B_3DES, M _SHA, 1, 0, 0, },
104 {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_S HA, 1, 0, 0, },
105 +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_S HA256, 1, 0, 0, },
106 {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_S HA, 1, 0, 0, },
107 #endif /* NSS_ENABLE_ECC */
108
109 Index: net/third_party/nss/ssl/sslimpl.h
110 ===================================================================
111 --- net/third_party/nss/ssl/sslimpl.h (revision 203497)
112 +++ net/third_party/nss/ssl/sslimpl.h (working copy)
113 @@ -71,6 +71,7 @@
114 #define mac_sha ssl_mac_sha
115 #define hmac_md5 ssl_hmac_md5
116 #define hmac_sha ssl_hmac_sha
117 +#define hmac_sha256 ssl_hmac_sha256
118
119 #define SET_ERROR_CODE /* reminder */
120 #define SEND_ALERT /* reminder */
121 @@ -290,9 +291,9 @@
122 } ssl3CipherSuiteCfg;
123
124 #ifdef NSS_ENABLE_ECC
125 -#define ssl_V3_SUITES_IMPLEMENTED 50
126 +#define ssl_V3_SUITES_IMPLEMENTED 57
127 #else
128 -#define ssl_V3_SUITES_IMPLEMENTED 30
129 +#define ssl_V3_SUITES_IMPLEMENTED 35
130 #endif /* NSS_ENABLE_ECC */
131
132 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
133 Index: net/third_party/nss/ssl/ssl3ecc.c
134 ===================================================================
135 --- net/third_party/nss/ssl/ssl3ecc.c (revision 203497)
136 +++ net/third_party/nss/ssl/ssl3ecc.c (working copy)
137 @@ -911,6 +911,7 @@
138 static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
139 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
140 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
141 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
142 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
143 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
144 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
145 @@ -920,6 +921,7 @@
146 static const ssl3CipherSuite ecdhe_rsa_suites[] = {
147 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
148 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
149 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
150 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
151 TLS_ECDHE_RSA_WITH_NULL_SHA,
152 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
153 @@ -930,11 +932,13 @@
154 static const ssl3CipherSuite ecSuites[] = {
155 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
156 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
157 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
158 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
159 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
160 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
161 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
162 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
163 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
164 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
165 TLS_ECDHE_RSA_WITH_NULL_SHA,
166 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
167 Index: net/third_party/nss/ssl/sslsock.c
168 ===================================================================
169 --- net/third_party/nss/ssl/sslsock.c (revision 203497)
170 +++ net/third_party/nss/ssl/sslsock.c (working copy)
171 @@ -38,8 +38,8 @@
172 typedef struct cipherPolicyStr cipherPolicy;
173
174 /* This table contains two preconfigured policies: Export and France.
175 -** It is used only by the functions SSL_SetDomesticPolicy,
176 -** SSL_SetExportPolicy, and SSL_SetFrancyPolicy.
177 +** It is used only by the functions NSS_SetDomesticPolicy,
178 +** NSS_SetExportPolicy, and NSS_SetFrancePolicy.
179 ** Order of entries is not important.
180 */
181 static cipherPolicy ssl_ciphers[] = { /* Export France */
182 @@ -62,14 +62,19 @@
183 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
184 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
185 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
186 - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
187 { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
188 + { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
189 + { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED },
190 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
191 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
192 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
193 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
194 + { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
195 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
196 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
197 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
198 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
199 + { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
200 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
201 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
202 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL OWED },
203 @@ -89,6 +94,7 @@
204 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
205 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
206 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
207 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
208 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
209 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
210 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
211 @@ -99,6 +105,7 @@
212 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
213 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
214 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
215 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
216 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
217 #endif /* NSS_ENABLE_ECC */
218 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
219 @@ -789,28 +796,20 @@
220 rv = SECFailure;
221 } else {
222 if (PR_FALSE != on) {
223 - /* TLS 1.2 isn't supported in bypass mode. */
224 - if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
225 - /* If the user requested a minimum version of TLS 1.2 then
226 - * we don't silently downgrade. */
227 - PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
228 - rv = SECFailure;
229 - break;
230 - }
231 - if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
232 - ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
233 - }
234 - if (PR_SUCCESS == SSL_BypassSetup() ) {
235 + /* PKCS#11 bypass is not supported with TLS 1.2. */
236 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
237 + ss->opt.bypassPKCS11 = PR_FALSE;
238 + } else if (PR_SUCCESS == SSL_BypassSetup() ) {
239 #ifdef NO_PKCS11_BYPASS
240 - ss->opt.bypassPKCS11 = PR_FALSE;
241 + ss->opt.bypassPKCS11 = PR_FALSE;
242 #else
243 - ss->opt.bypassPKCS11 = on;
244 + ss->opt.bypassPKCS11 = on;
245 #endif
246 } else {
247 rv = SECFailure;
248 }
249 } else {
250 - ss->opt.bypassPKCS11 = PR_FALSE;
251 + ss->opt.bypassPKCS11 = PR_FALSE;
252 }
253 }
254 break;
255 Index: net/third_party/nss/ssl/ssl3con.c
256 ===================================================================
257 --- net/third_party/nss/ssl/ssl3con.c (revision 203497)
258 +++ net/third_party/nss/ssl/ssl3con.c (working copy)
259 @@ -97,6 +97,7 @@
260 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
261 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
262 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
263 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
264 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
265 #ifdef NSS_ENABLE_ECC
266 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
267 @@ -104,17 +105,21 @@
268 #endif /* NSS_ENABLE_ECC */
269 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_ FALSE},
270 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
271 + { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
272
273 #ifdef NSS_ENABLE_ECC
274 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
275 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
276 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
277 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
278 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
279 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
280 #endif /* NSS_ENABLE_ECC */
281 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
282 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
283 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
284 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
285 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
286 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
287 #ifdef NSS_ENABLE_ECC
288 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
289 @@ -127,6 +132,7 @@
290 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
291 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
292 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
293 + { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
294
295 #ifdef NSS_ENABLE_ECC
296 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
297 @@ -159,6 +165,7 @@
298 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE} ,
299 #endif /* NSS_ENABLE_ECC */
300 { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
301 + { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
302 { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
303
304 };
305 @@ -282,6 +289,7 @@
306 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
307 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
308 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
309 + {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa},
310 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
311 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
312 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
313 @@ -326,11 +334,15 @@
314
315 /* New TLS cipher suites */
316 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa },
317 + {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa},
318 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe _dss},
319 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe _rsa},
320 + {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_ rsa},
321 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa },
322 + {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa},
323 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe _dss},
324 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe _rsa},
325 + {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_ rsa},
326 #if 0
327 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_ dss},
328 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_ rsa},
329 @@ -372,6 +384,7 @@
330 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecds a},
331 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecd sa},
332 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_e cdsa},
333 + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ ecdhe_ecdsa},
334 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_e cdsa},
335
336 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa} ,
337 @@ -384,6 +397,7 @@
338 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rs a},
339 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rs a},
340 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rs a},
341 + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ec dhe_rsa},
342 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rs a},
343
344 #if 0
345 @@ -430,14 +444,17 @@
346 #define mmech_sha CKM_SSL3_SHA1_MAC
347 #define mmech_md5_hmac CKM_MD5_HMAC
348 #define mmech_sha_hmac CKM_SHA_1_HMAC
349 +#define mmech_sha256_hmac CKM_SHA256_HMAC
350
351 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
352 + /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
353 /* mac mmech pad_size mac_size */
354 { mac_null, mmech_null, 0, 0 },
355 { mac_md5, mmech_md5, 48, MD5_LENGTH },
356 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
357 - {hmac_md5, mmech_md5_hmac, 48, MD5_LENGTH },
358 - {hmac_sha, mmech_sha_hmac, 40, SHA1_LENGTH},
359 + {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
360 + {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
361 + {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
362 };
363
364 /* indexed by SSL3BulkCipher */
365 @@ -580,6 +597,14 @@
366 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented
367 */
368 return version <= SSL_LIBRARY_VERSION_TLS_1_0;
369 + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
370 + case TLS_RSA_WITH_AES_256_CBC_SHA256:
371 + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
372 + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
373 + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
374 + case TLS_RSA_WITH_AES_128_CBC_SHA256:
375 + case TLS_RSA_WITH_NULL_SHA256:
376 + return version >= SSL_LIBRARY_VERSION_TLS_1_2;
377 default:
378 return PR_TRUE;
379 }
380 @@ -1334,7 +1359,7 @@
381 cipher = suite_def->bulk_cipher_alg;
382 kea = suite_def->key_exchange_alg;
383 mac = suite_def->mac_alg;
384 - if (isTLS)
385 + if (mac <= ssl_mac_sha && isTLS)
386 mac += 2;
387
388 ss->ssl3.hs.suite_def = suite_def;
389 @@ -2060,6 +2085,9 @@
390 case ssl_hmac_sha: /* used with TLS */
391 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
392 break;
393 + case ssl_hmac_sha256: /* used with TLS */
394 + hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
395 + break;
396 default:
397 break;
398 }
399 @@ -3517,6 +3545,13 @@
400 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB;
401 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
402 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB;
403 + if (cipher_def->type == type_block &&
404 + pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
405 + /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
406 + key_material_params.ulIVSizeInBits = 0;
407 + memset(pwSpec->client.write_iv, 0, cipher_def->iv_size);
408 + memset(pwSpec->server.write_iv, 0, cipher_def->iv_size);
409 + }
410
411 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
412 /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
413 Index: net/third_party/nss/ssl/sslenum.c
414 ===================================================================
415 --- net/third_party/nss/ssl/sslenum.c (revision 203497)
416 +++ net/third_party/nss/ssl/sslenum.c (working copy)
417 @@ -26,6 +26,8 @@
418 *
419 * If new ECC cipher suites are added, also update the ssl3CipherSuite arrays
420 * in ssl3ecc.c.
421 + *
422 + * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
423 */
424 const PRUint16 SSL_ImplementedCiphers[] = {
425 /* 256-bit */
426 @@ -36,6 +38,7 @@
427 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
428 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
429 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
430 + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
431 TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
432 #ifdef NSS_ENABLE_ECC
433 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
434 @@ -43,18 +46,22 @@
435 #endif /* NSS_ENABLE_ECC */
436 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
437 TLS_RSA_WITH_AES_256_CBC_SHA,
438 + TLS_RSA_WITH_AES_256_CBC_SHA256,
439
440 /* 128-bit */
441 #ifdef NSS_ENABLE_ECC
442 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
443 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
444 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
445 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
446 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
447 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
448 #endif /* NSS_ENABLE_ECC */
449 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
450 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
451 TLS_DHE_DSS_WITH_RC4_128_SHA,
452 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
453 + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
454 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
455 #ifdef NSS_ENABLE_ECC
456 TLS_ECDH_RSA_WITH_RC4_128_SHA,
457 @@ -67,6 +74,7 @@
458 SSL_RSA_WITH_RC4_128_SHA,
459 SSL_RSA_WITH_RC4_128_MD5,
460 TLS_RSA_WITH_AES_128_CBC_SHA,
461 + TLS_RSA_WITH_AES_128_CBC_SHA256,
462
463 /* 112-bit 3DES */
464 #ifdef NSS_ENABLE_ECC
465 @@ -104,6 +112,7 @@
466 TLS_ECDH_ECDSA_WITH_NULL_SHA,
467 #endif /* NSS_ENABLE_ECC */
468 SSL_RSA_WITH_NULL_SHA,
469 + TLS_RSA_WITH_NULL_SHA256,
470 SSL_RSA_WITH_NULL_MD5,
471
472 /* SSL2 cipher suites. */
OLDNEW
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl3con.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698