| Index: net/third_party/nss/patches/tlsunique.patch
|
| diff --git a/net/third_party/nss/patches/tlsunique.patch b/net/third_party/nss/patches/tlsunique.patch
|
| index a31049aec757d6bfed8db1913c8bd5db8ee52a69..d004ca735426b61561da7b95fc29acc3b3eb8570 100644
|
| --- a/net/third_party/nss/patches/tlsunique.patch
|
| +++ b/net/third_party/nss/patches/tlsunique.patch
|
| @@ -1,8 +1,8 @@
|
| diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h
|
| -index 120c257..eb7f7ec 100644
|
| +index 870a8cc..3550580 100644
|
| --- a/lib/ssl/ssl.h
|
| +++ b/lib/ssl/ssl.h
|
| -@@ -385,6 +385,27 @@ SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd,
|
| +@@ -387,6 +387,27 @@ SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd,
|
| */
|
| SSL_IMPORT SECStatus SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled);
|
|
|
| @@ -22,31 +22,32 @@ index 120c257..eb7f7ec 100644
|
| + *
|
| + * This call will fail if made during a renegotiation. */
|
| +SSL_IMPORT SECStatus SSL_GetChannelBinding(PRFileDesc *fd,
|
| -+ SSLChannelBindingType binding_type,
|
| -+ unsigned char *out,
|
| -+ unsigned int *outLen,
|
| -+ unsigned int outLenMax);
|
| ++ SSLChannelBindingType binding_type,
|
| ++ unsigned char *out,
|
| ++ unsigned int *outLen,
|
| ++ unsigned int outLenMax);
|
| +
|
| /* SSL Version Range API
|
| **
|
| ** This API should be used to control SSL 3.0 & TLS support instead of the
|
| diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
| -index 2ae8ce9..ce92cf1 100644
|
| +index a2beec2..1394542 100644
|
| --- a/lib/ssl/ssl3con.c
|
| +++ b/lib/ssl/ssl3con.c
|
| -@@ -13241,6 +13241,68 @@ ssl3_InitSocketPolicy(sslSocket *ss)
|
| +@@ -13808,6 +13808,69 @@ ssl3_InitSocketPolicy(sslSocket *ss)
|
| ss->ssl3.signatureAlgorithmCount = PR_ARRAY_SIZE(defaultSignatureAlgorithms);
|
| }
|
|
|
| +SECStatus
|
| +ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
|
| -+ unsigned char *out,
|
| -+ unsigned int *outLen,
|
| -+ unsigned int outLenMax) {
|
| -+ PRBool isTLS;
|
| -+ int index = 0;
|
| ++ unsigned char *out,
|
| ++ unsigned int *outLen,
|
| ++ unsigned int outLenMax)
|
| ++{
|
| ++ PRBool isTLS;
|
| ++ int index = 0;
|
| + unsigned int len;
|
| -+ SECStatus rv = SECFailure;
|
| ++ SECStatus rv = SECFailure;
|
| +
|
| + *outLen = 0;
|
| +
|
| @@ -64,33 +65,33 @@ index 2ae8ce9..ce92cf1 100644
|
| + /* Sending or receiving a Finished message will set finishedBytes to a
|
| + * non-zero value. */
|
| + if (len == 0) {
|
| -+ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
|
| -+ goto loser;
|
| ++ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
|
| ++ goto loser;
|
| + }
|
| +
|
| + /* If we are in the middle of a renegotiation then the channel binding
|
| + * value is poorly defined and depends on the direction that it will be
|
| + * used on. Therefore we simply return an error in this case. */
|
| + if (ss->firstHsDone && ss->ssl3.hs.ws != idle_handshake) {
|
| -+ PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
|
| -+ goto loser;
|
| ++ PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
|
| ++ goto loser;
|
| + }
|
| +
|
| + /* If resuming, then we want the second Finished value in the array, which
|
| + * is the server's */
|
| + if (ss->ssl3.hs.isResuming)
|
| -+ index = 1;
|
| ++ index = 1;
|
| +
|
| + *outLen = len;
|
| + if (outLenMax < len) {
|
| -+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
| -+ goto loser;
|
| ++ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
| ++ goto loser;
|
| + }
|
| +
|
| + if (isTLS) {
|
| -+ memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len);
|
| ++ memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len);
|
| + } else {
|
| -+ memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len);
|
| ++ memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len);
|
| + }
|
| +
|
| + rv = SECSuccess;
|
| @@ -104,46 +105,47 @@ index 2ae8ce9..ce92cf1 100644
|
| * the caller of this function.
|
| */
|
| diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
|
| -index c286518..976330e 100644
|
| +index 4607655..d47eb28 100644
|
| --- a/lib/ssl/sslimpl.h
|
| +++ b/lib/ssl/sslimpl.h
|
| -@@ -1897,6 +1897,11 @@ extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
|
| - extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
|
| - unsigned int length);
|
| +@@ -1981,6 +1981,11 @@ extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
|
| + extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char *data,
|
| + unsigned int length);
|
|
|
| +extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
|
| -+ unsigned char *out,
|
| -+ unsigned int *outLen,
|
| -+ unsigned int outLenMax);
|
| ++ unsigned char *out,
|
| ++ unsigned int *outLen,
|
| ++ unsigned int outLenMax);
|
| +
|
| /* Construct a new NSPR socket for the app to use */
|
| extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
|
| extern void ssl_FreePRSocket(PRFileDesc *fd);
|
| diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
| -index efba686..c9a4493 100644
|
| +index 84c78b3..e312d82 100644
|
| --- a/lib/ssl/sslsock.c
|
| +++ b/lib/ssl/sslsock.c
|
| -@@ -1540,6 +1540,28 @@ SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled)
|
| +@@ -1700,6 +1700,29 @@ SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled)
|
| return SECSuccess;
|
| }
|
|
|
| +SECStatus
|
| +SSL_GetChannelBinding(PRFileDesc *fd,
|
| -+ SSLChannelBindingType binding_type,
|
| -+ unsigned char *out,
|
| -+ unsigned int *outLen,
|
| -+ unsigned int outLenMax) {
|
| ++ SSLChannelBindingType binding_type,
|
| ++ unsigned char *out,
|
| ++ unsigned int *outLen,
|
| ++ unsigned int outLenMax)
|
| ++{
|
| + sslSocket *ss = ssl_FindSocket(fd);
|
| +
|
| + if (!ss) {
|
| -+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding",
|
| -+ SSL_GETPID(), fd));
|
| -+ return SECFailure;
|
| ++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding",
|
| ++ SSL_GETPID(), fd));
|
| ++ return SECFailure;
|
| + }
|
| +
|
| + if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) {
|
| -+ PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
|
| -+ return SECFailure;
|
| ++ PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
|
| ++ return SECFailure;
|
| + }
|
| +
|
| + return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax);
|
|
|
Chromium Code Reviews
Issue 1844813002:
Uprev NSS to 3.23 on iOS (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master