| 1 Index: net/third_party/nss/ssl/sslproto.h |
| 2 =================================================================== |
| 3 --- net/third_party/nss/ssl/sslproto.h (revision 203497) |
| 4 +++ net/third_party/nss/ssl/sslproto.h (working copy) |
| 5 @@ -134,6 +134,9 @@ |
| 6 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 |
| 7 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 |
| 8 #define TLS_DH_ANON_WITH_AES_256_CBC_SHA 0x003A |
| 9 +#define TLS_RSA_WITH_NULL_SHA256 0x003B |
| 10 +#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C |
| 11 +#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D |
| 12 |
| 13 #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 |
| 14 #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042 |
| 15 @@ -148,6 +151,8 @@ |
| 16 #define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063 |
| 17 #define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065 |
| 18 #define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066 |
| 19 +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 |
| 20 +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B |
| 21 |
| 22 #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 |
| 23 #define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085 |
| 24 @@ -197,6 +202,9 @@ |
| 25 #define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 |
| 26 #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019 |
| 27 |
| 28 +#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 |
| 29 +#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 |
| 30 + |
| 31 /* Netscape "experimental" cipher suites. */ |
| 32 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 |
| 33 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 |
| 34 Index: net/third_party/nss/ssl/sslt.h |
| 35 =================================================================== |
| 36 --- net/third_party/nss/ssl/sslt.h (revision 203497) |
| 37 +++ net/third_party/nss/ssl/sslt.h (working copy) |
| 38 @@ -102,7 +102,8 @@ |
| 39 ssl_mac_md5 = 1, |
| 40 ssl_mac_sha = 2, |
| 41 ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ |
| 42 - ssl_hmac_sha = 4 /* TLS HMAC version of mac_sha */ |
| 43 + ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ |
| 44 + ssl_hmac_sha256 = 5 |
| 45 } SSLMACAlgorithm; |
| 46 |
| 47 typedef enum { |
| 48 Index: net/third_party/nss/ssl/sslinfo.c |
| 49 =================================================================== |
| 50 --- net/third_party/nss/ssl/sslinfo.c (revision 203497) |
| 51 +++ net/third_party/nss/ssl/sslinfo.c (working copy) |
| 52 @@ -128,6 +128,7 @@ |
| 53 #define B_40 128, 40, 40 |
| 54 #define B_0 0, 0, 0 |
| 55 |
| 56 +#define M_SHA256 "SHA256", ssl_hmac_sha256, 256 |
| 57 #define M_SHA "SHA1", ssl_mac_sha, 160 |
| 58 #define M_MD5 "MD5", ssl_mac_md5, 128 |
| 59 |
| 60 @@ -135,20 +136,24 @@ |
| 61 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC>
<FIPS> */ |
| 62 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, |
| 63 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, |
| 64 +{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA
256, 1, 0, 0, }, |
| 65 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_DHE, C_AES, B_256, M_SHA
, 1, 0, 0, }, |
| 66 {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA
, 1, 0, 0, }, |
| 67 {0,CS(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, |
| 68 +{0,CS(TLS_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_RSA, C_AES, B_256, M_SHA
256, 1, 0, 0, }, |
| 69 {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA
, 1, 0, 0, }, |
| 70 |
| 71 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_128,
M_SHA, 0, 0, 0, }, |
| 72 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128,
M_SHA, 0, 0, 0, }, |
| 73 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA
, 0, 0, 0, }, |
| 74 +{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA
256, 1, 0, 0, }, |
| 75 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, |
| 76 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, |
| 77 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA
, 1, 0, 0, }, |
| 78 {0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_128,
M_SHA, 0, 0, 0, }, |
| 79 {0,CS(SSL_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA
, 0, 0, 0, }, |
| 80 {0,CS(SSL_RSA_WITH_RC4_128_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5
, 0, 0, 0, }, |
| 81 +{0,CS(TLS_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_RSA, C_AES, B_128, M_SHA
256, 1, 0, 0, }, |
| 82 {0,CS(TLS_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_RSA, C_AES, B_128, M_SHA
, 1, 0, 0, }, |
| 83 |
| 84 {0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_DHE, C_3DES,B_3DES,M_SHA
, 1, 0, 0, }, |
| 85 @@ -165,6 +170,7 @@ |
| 86 {0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA
, 0, 1, 0, }, |
| 87 {0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5
, 0, 1, 0, }, |
| 88 {0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5
, 0, 1, 0, }, |
| 89 +{0,CS(TLS_RSA_WITH_NULL_SHA256), S_RSA, K_RSA, C_NULL,B_0, M_SHA
256, 0, 1, 0, }, |
| 90 {0,CS(SSL_RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL,B_0, M_SHA
, 0, 1, 0, }, |
| 91 {0,CS(SSL_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5
, 0, 1, 0, }, |
| 92 |
| 93 @@ -180,6 +186,7 @@ |
| 94 {0,CS(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDHE, C_RC4, B_128, M
_SHA, 0, 0, 0, }, |
| 95 {0,CS(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDHE, C_3DES, B_3DES,
M_SHA, 1, 0, 0, }, |
| 96 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M
_SHA, 1, 0, 0, }, |
| 97 +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128,
M_SHA256, 1, 0, 0, }, |
| 98 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M
_SHA, 1, 0, 0, }, |
| 99 |
| 100 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA
, 0, 0, 0, }, |
| 101 @@ -192,6 +199,7 @@ |
| 102 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_S
HA, 0, 0, 0, }, |
| 103 {0,CS(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDHE, C_3DES, B_3DES, M
_SHA, 1, 0, 0, }, |
| 104 {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_S
HA, 1, 0, 0, }, |
| 105 +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_S
HA256, 1, 0, 0, }, |
| 106 {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_S
HA, 1, 0, 0, }, |
| 107 #endif /* NSS_ENABLE_ECC */ |
| 108 |
| 109 Index: net/third_party/nss/ssl/sslimpl.h |
| 110 =================================================================== |
| 111 --- net/third_party/nss/ssl/sslimpl.h (revision 203497) |
| 112 +++ net/third_party/nss/ssl/sslimpl.h (working copy) |
| 113 @@ -71,6 +71,7 @@ |
| 114 #define mac_sha ssl_mac_sha |
| 115 #define hmac_md5 ssl_hmac_md5 |
| 116 #define hmac_sha ssl_hmac_sha |
| 117 +#define hmac_sha256 ssl_hmac_sha256 |
| 118 |
| 119 #define SET_ERROR_CODE /* reminder */ |
| 120 #define SEND_ALERT /* reminder */ |
| 121 @@ -290,9 +291,9 @@ |
| 122 } ssl3CipherSuiteCfg; |
| 123 |
| 124 #ifdef NSS_ENABLE_ECC |
| 125 -#define ssl_V3_SUITES_IMPLEMENTED 50 |
| 126 +#define ssl_V3_SUITES_IMPLEMENTED 57 |
| 127 #else |
| 128 -#define ssl_V3_SUITES_IMPLEMENTED 30 |
| 129 +#define ssl_V3_SUITES_IMPLEMENTED 35 |
| 130 #endif /* NSS_ENABLE_ECC */ |
| 131 |
| 132 #define MAX_DTLS_SRTP_CIPHER_SUITES 4 |
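Review bot: `ssl_V3_SUITES_IMPLEMENTED` stays a hand-counted number that has to agree with suite tables in other files, and nothing in this patch fails the build when they drift apart; the only safeguard added is the reminder comment in sslenum.c. The new values do match the additions visible in this patch (five suites outside NSS_ENABLE_ECC, two inside). If a table is declared with this macro as its explicit size, a short initializer list is zero-filled silently, so an unsized table plus `PR_STATIC_ASSERT(PR_ARRAY_SIZE(<table>) == ssl_V3_SUITES_IMPLEMENTED);` (with `<table>` standing for whichever array uses the count) would turn the next mismatch into a build error.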
| 133 Index: net/third_party/nss/ssl/ssl3ecc.c |
| 134 =================================================================== |
| 135 --- net/third_party/nss/ssl/ssl3ecc.c (revision 203497) |
| 136 +++ net/third_party/nss/ssl/ssl3ecc.c (working copy) |
| 137 @@ -911,6 +911,7 @@ |
| 138 static const ssl3CipherSuite ecdhe_ecdsa_suites[] = { |
| 139 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
| 140 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
| 141 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
| 142 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
| 143 TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
| 144 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
| 145 @@ -920,6 +921,7 @@ |
| 146 static const ssl3CipherSuite ecdhe_rsa_suites[] = { |
| 147 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
| 148 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
| 149 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
| 150 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
| 151 TLS_ECDHE_RSA_WITH_NULL_SHA, |
| 152 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
| 153 @@ -930,11 +932,13 @@ |
| 154 static const ssl3CipherSuite ecSuites[] = { |
| 155 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
| 156 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
| 157 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
| 158 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
| 159 TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
| 160 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
| 161 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
| 162 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
| 163 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
| 164 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
| 165 TLS_ECDHE_RSA_WITH_NULL_SHA, |
| 166 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
| 167 Index: net/third_party/nss/ssl/sslsock.c |
| 168 =================================================================== |
| 169 --- net/third_party/nss/ssl/sslsock.c (revision 203497) |
| 170 +++ net/third_party/nss/ssl/sslsock.c (working copy) |
| 171 @@ -38,8 +38,8 @@ |
| 172 typedef struct cipherPolicyStr cipherPolicy; |
| 173 |
| 174 /* This table contains two preconfigured policies: Export and France. |
| 175 -** It is used only by the functions SSL_SetDomesticPolicy, |
| 176 -** SSL_SetExportPolicy, and SSL_SetFrancyPolicy. |
| 177 +** It is used only by the functions NSS_SetDomesticPolicy, |
| 178 +** NSS_SetExportPolicy, and NSS_SetFrancePolicy. |
| 179 ** Order of entries is not important. |
| 180 */ |
| 181 static cipherPolicy ssl_ciphers[] = { /* Export France */ |
| 182 @@ -62,14 +62,19 @@ |
| 183 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 184 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 185 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 186 - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 187 { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 188 + { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 189 + { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED }, |
| 190 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 191 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 192 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 193 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 194 + { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 195 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 196 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 197 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 198 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 199 + { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 200 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 201 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 202 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 203 @@ -89,6 +94,7 @@ |
| 204 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 205 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 206 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 207 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 208 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 209 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 210 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 211 @@ -99,6 +105,7 @@ |
| 212 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 213 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 214 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 215 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 216 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 217 #endif /* NSS_ENABLE_ECC */ |
| 218 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
| 219 @@ -789,28 +796,20 @@ |
| 220 rv = SECFailure; |
| 221 } else { |
| 222 if (PR_FALSE != on) { |
| 223 - /* TLS 1.2 isn't supported in bypass mode. */ |
| 224 - if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 225 - /* If the user requested a minimum version of TLS 1.2 then |
| 226 - * we don't silently downgrade. */ |
| 227 - PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 228 - rv = SECFailure; |
| 229 - break; |
| 230 - } |
| 231 - if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 232 - ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 233 - } |
| 234 - if (PR_SUCCESS == SSL_BypassSetup() ) { |
| 235 + /* PKCS#11 bypass is not supported with TLS 1.2. */ |
| 236 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 237 + ss->opt.bypassPKCS11 = PR_FALSE; |
| 238 + } else if (PR_SUCCESS == SSL_BypassSetup() ) { |
| 239 #ifdef NO_PKCS11_BYPASS |
| 240 - ss->opt.bypassPKCS11 = PR_FALSE; |
| 241 + ss->opt.bypassPKCS11 = PR_FALSE; |
| 242 #else |
| 243 - ss->opt.bypassPKCS11 = on; |
| 244 + ss->opt.bypassPKCS11 = on; |
| 245 #endif |
| 246 } else { |
| 247 rv = SECFailure; |
| 248 } |
| 249 } else { |
| 250 - ss->opt.bypassPKCS11 = PR_FALSE; |
| 251 + ss->opt.bypassPKCS11 = PR_FALSE; |
| 252 } |
| 253 } |
| 254 break; |
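Review bot: A request to enable bypass is now silently dropped when `ss->vrange.max` is TLS 1.2 or higher: that branch only sets `bypassPKCS11` to PR_FALSE and raises no error, whereas the removed code failed with SSL_ERROR_INVALID_VERSION_RANGE when the minimum was already TLS 1.2. The check also runs only at the moment the option is set, so if the version range is raised to TLS 1.2 afterwards, bypass stays on unless the range setter clears it, which this hunk does not show. I would at least document the precedence at the branch, e.g. `/* Request ignored, not rejected: a TLS 1.2-capable range takes precedence over bypass. */`, and confirm the version-range path enforces the same rule. The enclosing switch case starts and ends outside the hunk.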
| 255 Index: net/third_party/nss/ssl/ssl3con.c |
| 256 =================================================================== |
| 257 --- net/third_party/nss/ssl/ssl3con.c (revision 203497) |
| 258 +++ net/third_party/nss/ssl/ssl3con.c (working copy) |
| 259 @@ -97,6 +97,7 @@ |
| 260 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 261 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 262 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 263 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 264 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 265 #ifdef NSS_ENABLE_ECC |
| 266 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 267 @@ -104,17 +105,21 @@ |
| 268 #endif /* NSS_ENABLE_ECC */ |
| 269 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_
FALSE}, |
| 270 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 271 + { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 272 |
| 273 #ifdef NSS_ENABLE_ECC |
| 274 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 275 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 276 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 277 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 278 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 279 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 280 #endif /* NSS_ENABLE_ECC */ |
| 281 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 282 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 283 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 284 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 285 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 286 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 287 #ifdef NSS_ENABLE_ECC |
| 288 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 289 @@ -127,6 +132,7 @@ |
| 290 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 291 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 292 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 293 + { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 294 |
| 295 #ifdef NSS_ENABLE_ECC |
| 296 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 297 @@ -159,6 +165,7 @@ |
| 298 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 299 #endif /* NSS_ENABLE_ECC */ |
| 300 { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 301 + { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 302 { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 303 |
| 304 }; |
| 305 @@ -282,6 +289,7 @@ |
| 306 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, |
| 307 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, |
| 308 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, |
| 309 + {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa}, |
| 310 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, |
| 311 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, |
| 312 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, |
| 313 @@ -326,11 +334,15 @@ |
| 314 |
| 315 /* New TLS cipher suites */ |
| 316 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa
}, |
| 317 + {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa}, |
| 318 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe
_dss}, |
| 319 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe
_rsa}, |
| 320 + {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_
rsa}, |
| 321 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa
}, |
| 322 + {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa}, |
| 323 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe
_dss}, |
| 324 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe
_rsa}, |
| 325 + {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_
rsa}, |
| 326 #if 0 |
| 327 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_
dss}, |
| 328 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_
rsa}, |
| 329 @@ -372,6 +384,7 @@ |
| 330 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecds
a}, |
| 331 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecd
sa}, |
| 332 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_e
cdsa}, |
| 333 + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_
ecdhe_ecdsa}, |
| 334 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_e
cdsa}, |
| 335 |
| 336 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa}
, |
| 337 @@ -384,6 +397,7 @@ |
| 338 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rs
a}, |
| 339 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rs
a}, |
| 340 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rs
a}, |
| 341 + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ec
dhe_rsa}, |
| 342 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rs
a}, |
| 343 |
| 344 #if 0 |
| 345 @@ -430,14 +444,17 @@ |
| 346 #define mmech_sha CKM_SSL3_SHA1_MAC |
| 347 #define mmech_md5_hmac CKM_MD5_HMAC |
| 348 #define mmech_sha_hmac CKM_SHA_1_HMAC |
| 349 +#define mmech_sha256_hmac CKM_SHA256_HMAC |
| 350 |
| 351 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ |
| 352 + /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ |
| 353 /* mac mmech pad_size mac_size */ |
| 354 { mac_null, mmech_null, 0, 0 }, |
| 355 { mac_md5, mmech_md5, 48, MD5_LENGTH }, |
| 356 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, |
| 357 - {hmac_md5, mmech_md5_hmac, 48, MD5_LENGTH }, |
| 358 - {hmac_sha, mmech_sha_hmac, 40, SHA1_LENGTH}, |
| 359 + {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, |
| 360 + {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, |
| 361 + {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, |
| 362 }; |
| 363 |
| 364 /* indexed by SSL3BulkCipher */ |
| 365 @@ -580,6 +597,14 @@ |
| 366 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented |
| 367 */ |
| 368 return version <= SSL_LIBRARY_VERSION_TLS_1_0; |
| 369 + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
| 370 + case TLS_RSA_WITH_AES_256_CBC_SHA256: |
| 371 + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
| 372 + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
| 373 + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
| 374 + case TLS_RSA_WITH_AES_128_CBC_SHA256: |
| 375 + case TLS_RSA_WITH_NULL_SHA256: |
| 376 + return version >= SSL_LIBRARY_VERSION_TLS_1_2; |
| 377 default: |
| 378 return PR_TRUE; |
| 379 } |
| 380 @@ -1334,7 +1359,7 @@ |
| 381 cipher = suite_def->bulk_cipher_alg; |
| 382 kea = suite_def->key_exchange_alg; |
| 383 mac = suite_def->mac_alg; |
| 384 - if (isTLS) |
| 385 + if (mac <= ssl_mac_sha && isTLS) |
| 386 mac += 2; |
| 387 |
| 388 ss->ssl3.hs.suite_def = suite_def; |
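Review bot: The guard `mac <= ssl_mac_sha` still lets the null MAC through: mac_defs in this patch lists mac_null first (index 0), so under TLS it would be bumped by 2 onto the mac_sha row; whether a suite with mac_null can reach this line is not visible here. The `+= 2` also depends silently on the enum layout in sslt.h (md5 = 1, sha = 2, hmac_md5 = 3, hmac_sha = 4). Naming the two values makes the intent explicit: `if (isTLS && (mac == ssl_mac_md5 || mac == ssl_mac_sha))` followed by `mac += 2; /* SSL 3.0 MAC -> TLS HMAC counterpart */`. The function body continues outside the hunk.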
| 389 @@ -2060,6 +2085,9 @@ |
| 390 case ssl_hmac_sha: /* used with TLS */ |
| 391 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1); |
| 392 break; |
| 393 + case ssl_hmac_sha256: /* used with TLS */ |
| 394 + hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); |
| 395 + break; |
| 396 default: |
| 397 break; |
| 398 } |
| 399 @@ -3517,6 +3545,13 @@ |
| 400 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB; |
| 401 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB; |
| 402 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB; |
| 403 + if (cipher_def->type == type_block && |
| 404 + pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 405 + /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ |
| 406 + key_material_params.ulIVSizeInBits = 0; |
| 407 + memset(pwSpec->client.write_iv, 0, cipher_def->iv_size); |
| 408 + memset(pwSpec->server.write_iv, 0, cipher_def->iv_size); |
| 409 + } |
| 410 |
| 411 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); |
| 412 /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ |
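Review bot: After this block the spec carries an all-zero `write_iv` in both directions, so the security of CBC records at TLS 1.1 and later rests entirely on an unpredictable explicit IV being produced for every record, and nothing in this hunk shows where that happens. The comment should name that place, along the lines of `/* write_iv is zeroed; the record layer supplies a fresh random IV block per record. */`, worded to match the actual implementation. The bound of `cipher_def->iv_size` against the `write_iv` buffers is also not visible here and is worth an assertion, and `PORT_Memset` would match the PORT_ wrappers used elsewhere in this patch. The function continues outside the hunk.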
| 413 Index: net/third_party/nss/ssl/sslenum.c |
| 414 =================================================================== |
| 415 --- net/third_party/nss/ssl/sslenum.c (revision 203497) |
| 416 +++ net/third_party/nss/ssl/sslenum.c (working copy) |
| 417 @@ -26,6 +26,8 @@ |
| 418 * |
| 419 * If new ECC cipher suites are added, also update the ssl3CipherSuite arrays |
| 420 * in ssl3ecc.c. |
| 421 + * |
| 422 + * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. |
| 423 */ |
| 424 const PRUint16 SSL_ImplementedCiphers[] = { |
| 425 /* 256-bit */ |
| 426 @@ -36,6 +38,7 @@ |
| 427 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, |
| 428 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, |
| 429 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, |
| 430 + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, |
| 431 TLS_DHE_DSS_WITH_AES_256_CBC_SHA, |
| 432 #ifdef NSS_ENABLE_ECC |
| 433 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, |
| 434 @@ -43,18 +46,22 @@ |
| 435 #endif /* NSS_ENABLE_ECC */ |
| 436 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, |
| 437 TLS_RSA_WITH_AES_256_CBC_SHA, |
| 438 + TLS_RSA_WITH_AES_256_CBC_SHA256, |
| 439 |
| 440 /* 128-bit */ |
| 441 #ifdef NSS_ENABLE_ECC |
| 442 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
| 443 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
| 444 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
| 445 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
| 446 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
| 447 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
| 448 #endif /* NSS_ENABLE_ECC */ |
| 449 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, |
| 450 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, |
| 451 TLS_DHE_DSS_WITH_RC4_128_SHA, |
| 452 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, |
| 453 + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, |
| 454 TLS_DHE_DSS_WITH_AES_128_CBC_SHA, |
| 455 #ifdef NSS_ENABLE_ECC |
| 456 TLS_ECDH_RSA_WITH_RC4_128_SHA, |
| 457 @@ -67,6 +74,7 @@ |
| 458 SSL_RSA_WITH_RC4_128_SHA, |
| 459 SSL_RSA_WITH_RC4_128_MD5, |
| 460 TLS_RSA_WITH_AES_128_CBC_SHA, |
| 461 + TLS_RSA_WITH_AES_128_CBC_SHA256, |
| 462 |
| 463 /* 112-bit 3DES */ |
| 464 #ifdef NSS_ENABLE_ECC |
| 465 @@ -104,6 +112,7 @@ |
| 466 TLS_ECDH_ECDSA_WITH_NULL_SHA, |
| 467 #endif /* NSS_ENABLE_ECC */ |
| 468 SSL_RSA_WITH_NULL_SHA, |
| 469 + TLS_RSA_WITH_NULL_SHA256, |
| 470 SSL_RSA_WITH_NULL_MD5, |
| 471 |
| 472 /* SSL2 cipher suites. */ |