Index: net/third_party/nss/patches/tlsunique.patch |
diff --git a/net/third_party/nss/patches/tlsunique.patch b/net/third_party/nss/patches/tlsunique.patch |
index a31049aec757d6bfed8db1913c8bd5db8ee52a69..d004ca735426b61561da7b95fc29acc3b3eb8570 100644 |
--- a/net/third_party/nss/patches/tlsunique.patch |
+++ b/net/third_party/nss/patches/tlsunique.patch |
@@ -1,8 +1,8 @@ |
diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h |
-index 120c257..eb7f7ec 100644 |
+index 870a8cc..3550580 100644 |
--- a/lib/ssl/ssl.h |
+++ b/lib/ssl/ssl.h |
-@@ -385,6 +385,27 @@ SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd, |
+@@ -387,6 +387,27 @@ SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd, |
*/ |
SSL_IMPORT SECStatus SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled); |
@@ -22,31 +22,32 @@ index 120c257..eb7f7ec 100644 |
+ * |
+ * This call will fail if made during a renegotiation. */ |
+SSL_IMPORT SECStatus SSL_GetChannelBinding(PRFileDesc *fd, |
-+ SSLChannelBindingType binding_type, |
-+ unsigned char *out, |
-+ unsigned int *outLen, |
-+ unsigned int outLenMax); |
++ SSLChannelBindingType binding_type, |
++ unsigned char *out, |
++ unsigned int *outLen, |
++ unsigned int outLenMax); |
+ |
/* SSL Version Range API |
** |
** This API should be used to control SSL 3.0 & TLS support instead of the |
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
-index 2ae8ce9..ce92cf1 100644 |
+index a2beec2..1394542 100644 |
--- a/lib/ssl/ssl3con.c |
+++ b/lib/ssl/ssl3con.c |
-@@ -13241,6 +13241,68 @@ ssl3_InitSocketPolicy(sslSocket *ss) |
+@@ -13808,6 +13808,69 @@ ssl3_InitSocketPolicy(sslSocket *ss) |
ss->ssl3.signatureAlgorithmCount = PR_ARRAY_SIZE(defaultSignatureAlgorithms); |
} |
+SECStatus |
+ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, |
-+ unsigned char *out, |
-+ unsigned int *outLen, |
-+ unsigned int outLenMax) { |
-+ PRBool isTLS; |
-+ int index = 0; |
++ unsigned char *out, |
++ unsigned int *outLen, |
++ unsigned int outLenMax) |
++{ |
++ PRBool isTLS; |
++ int index = 0; |
+ unsigned int len; |
-+ SECStatus rv = SECFailure; |
++ SECStatus rv = SECFailure; |
+ |
+ *outLen = 0; |
+ |
@@ -64,33 +65,33 @@ index 2ae8ce9..ce92cf1 100644 |
+ /* Sending or receiving a Finished message will set finishedBytes to a |
+ * non-zero value. */ |
+ if (len == 0) { |
-+ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
-+ goto loser; |
++ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
++ goto loser; |
+ } |
+ |
+ /* If we are in the middle of a renegotiation then the channel binding |
+ * value is poorly defined and depends on the direction that it will be |
+ * used on. Therefore we simply return an error in this case. */ |
+ if (ss->firstHsDone && ss->ssl3.hs.ws != idle_handshake) { |
-+ PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
-+ goto loser; |
++ PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
++ goto loser; |
+ } |
+ |
+ /* If resuming, then we want the second Finished value in the array, which |
+ * is the server's */ |
+ if (ss->ssl3.hs.isResuming) |
-+ index = 1; |
++ index = 1; |
+ |
+ *outLen = len; |
+ if (outLenMax < len) { |
-+ PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
-+ goto loser; |
++ PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
++ goto loser; |
+ } |
+ |
+ if (isTLS) { |
-+ memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len); |
++ memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len); |
+ } else { |
-+ memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len); |
++ memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len); |
+ } |
+ |
+ rv = SECSuccess; |
@@ -104,46 +105,47 @@ index 2ae8ce9..ce92cf1 100644 |
* the caller of this function. |
*/ |
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
-index c286518..976330e 100644 |
+index 4607655..d47eb28 100644 |
--- a/lib/ssl/sslimpl.h |
+++ b/lib/ssl/sslimpl.h |
-@@ -1897,6 +1897,11 @@ extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey, |
- extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, |
- unsigned int length); |
+@@ -1981,6 +1981,11 @@ extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey, |
+ extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char *data, |
+ unsigned int length); |
+extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, |
-+ unsigned char *out, |
-+ unsigned int *outLen, |
-+ unsigned int outLenMax); |
++ unsigned char *out, |
++ unsigned int *outLen, |
++ unsigned int outLenMax); |
+ |
/* Construct a new NSPR socket for the app to use */ |
extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); |
extern void ssl_FreePRSocket(PRFileDesc *fd); |
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c |
-index efba686..c9a4493 100644 |
+index 84c78b3..e312d82 100644 |
--- a/lib/ssl/sslsock.c |
+++ b/lib/ssl/sslsock.c |
-@@ -1540,6 +1540,28 @@ SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled) |
+@@ -1700,6 +1700,29 @@ SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled) |
return SECSuccess; |
} |
+SECStatus |
+SSL_GetChannelBinding(PRFileDesc *fd, |
-+ SSLChannelBindingType binding_type, |
-+ unsigned char *out, |
-+ unsigned int *outLen, |
-+ unsigned int outLenMax) { |
++ SSLChannelBindingType binding_type, |
++ unsigned char *out, |
++ unsigned int *outLen, |
++ unsigned int outLenMax) |
++{ |
+ sslSocket *ss = ssl_FindSocket(fd); |
+ |
+ if (!ss) { |
-+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", |
-+ SSL_GETPID(), fd)); |
-+ return SECFailure; |
++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", |
++ SSL_GETPID(), fd)); |
++ return SECFailure; |
+ } |
+ |
+ if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) { |
-+ PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
-+ return SECFailure; |
++ PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
++ return SECFailure; |
+ } |
+ |
+ return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax); |