| Index: net/third_party/nss/patches/tls12backuphash.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/tls12backuphash.patch (revision 223078)
|
| +++ net/third_party/nss/patches/tls12backuphash.patch (working copy)
|
| @@ -1,13 +1,12 @@
|
| Index: net/third_party/nss/ssl/ssl3con.c
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/ssl3con.c (revision 219342)
|
| +--- net/third_party/nss/ssl/ssl3con.c (revision 220594)
|
| +++ net/third_party/nss/ssl/ssl3con.c (working copy)
|
| -@@ -3933,6 +3933,22 @@
|
| +@@ -3933,6 +3933,20 @@
|
| ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
|
| return SECFailure;
|
| }
|
| +
|
| -+#ifdef _WIN32
|
| + /* A backup SHA-1 hash for a potential client auth signature. */
|
| + if (!ss->sec.isServer) {
|
| + ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1);
|
| @@ -21,11 +20,10 @@
|
| + return SECFailure;
|
| + }
|
| + }
|
| -+#endif
|
| } else {
|
| /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
|
| * created successfully. */
|
| -@@ -4043,6 +4059,13 @@
|
| +@@ -4043,6 +4057,13 @@
|
| ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
|
| return rv;
|
| }
|
| @@ -39,7 +37,7 @@
|
| } else {
|
| rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
|
| if (rv != SECSuccess) {
|
| -@@ -4791,6 +4814,30 @@
|
| +@@ -4791,6 +4812,30 @@
|
| return rv;
|
| }
|
|
|
| @@ -70,7 +68,7 @@
|
| /*
|
| * SSL 2 based implementations pass in the initial outbound buffer
|
| * so that the handshake hash can contain the included information.
|
| -@@ -6044,7 +6091,17 @@
|
| +@@ -6044,7 +6089,17 @@
|
| SSL_GETPID(), ss->fd));
|
|
|
| ssl_GetSpecReadLock(ss);
|
| @@ -89,7 +87,7 @@
|
| ssl_ReleaseSpecReadLock(ss);
|
| if (rv != SECSuccess) {
|
| goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
|
| -@@ -6098,11 +6155,6 @@
|
| +@@ -6098,11 +6153,6 @@
|
| if (rv != SECSuccess) {
|
| goto done;
|
| }
|
| @@ -101,21 +99,47 @@
|
| sigAndHash.hashAlg = hashes.hashAlg;
|
|
|
| rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
|
| -@@ -6994,6 +7046,31 @@
|
| +@@ -6994,6 +7044,56 @@
|
| }
|
| goto send_no_certificate;
|
| }
|
| +
|
| + if (isTLS12 && ss->ssl3.hs.md5) {
|
| + PRBool need_backup_hash = PR_FALSE;
|
| ++ PRBool prefer_sha1 = PR_FALSE;
|
| +#ifdef _WIN32
|
| + /* If the key is in CAPI, assume conservatively that the CAPI
|
| + * service provider may be unable to sign SHA-256 hashes.
|
| -+ * Use SHA-1 if the server supports it. */
|
| ++ */
|
| + if (ss->ssl3.platformClientKey->dwKeySpec !=
|
| + CERT_NCRYPT_KEY_SPEC) {
|
| ++ /* CAPI only supports RSA and DSA signatures, so we don't
|
| ++ * need to check the key type. */
|
| ++ prefer_sha1 = PR_TRUE;
|
| ++ }
|
| ++#endif /* _WIN32 */
|
| ++ /* If the key is a 1024-bit RSA or DSA key, assume
|
| ++ * conservatively that it may be unable to sign SHA-256
|
| ++ * hashes. This is the case for older Estonian ID cards that
|
| ++ * have 1024-bit RSA keys. In FIPS 186-2 and older, DSA key
|
| ++ * size is at most 1024 bits and the hash function must be
|
| ++ * SHA-1.
|
| ++ */
|
| ++ if (!prefer_sha1) {
|
| ++ SECKEYPublicKey *pubk =
|
| ++ CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
| ++ if (pubk == NULL) {
|
| ++ errCode = SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE;
|
| ++ goto loser;
|
| ++ }
|
| ++ if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
|
| ++ prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
|
| ++ }
|
| ++ SECKEY_DestroyPublicKey(pubk);
|
| ++ }
|
| ++ /* Use SHA-1 if the server supports it. */
|
| ++ if (prefer_sha1) {
|
| + for (i = 0; i < algorithms.len; i += 2) {
|
| -+ /* CAPI only supports RSA and DSA signatures. */
|
| + if (algorithms.data[i] == tls_hash_sha1 &&
|
| + (algorithms.data[i+1] == tls_sig_rsa ||
|
| + algorithms.data[i+1] == tls_sig_dsa)) {
|
| @@ -124,7 +148,6 @@
|
| + }
|
| + }
|
| + }
|
| -+#endif /* _WIN32 */
|
| + if (!need_backup_hash) {
|
| + PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
|
| + ss->ssl3.hs.md5 = NULL;
|
| @@ -133,7 +156,7 @@
|
| break; /* not an error */
|
| }
|
| #endif /* NSS_PLATFORM_CLIENT_AUTH */
|
| -@@ -7227,6 +7304,13 @@
|
| +@@ -7227,6 +7327,13 @@
|
| (ss->ssl3.platformClientKey ||
|
| ss->ssl3.clientPrivateKey != NULL);
|
|
|
| @@ -149,15 +172,15 @@
|
| * certificate to an attacker that does not have a valid cert for the
|
| Index: net/third_party/nss/ssl/sslimpl.h
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/sslimpl.h (revision 219342)
|
| +--- net/third_party/nss/ssl/sslimpl.h (revision 220594)
|
| +++ net/third_party/nss/ssl/sslimpl.h (working copy)
|
| @@ -838,6 +838,9 @@
|
| * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
|
| * |sha| for SHA-1.
|
| * TLS 1.2 and later use only |sha|, for SHA-256. */
|
| -+ /* NOTE: On Windows, TLS 1.2 and later use |md5| as a backup handshake hash
|
| -+ * for generating client auth signatures. Confusingly, the backup hash
|
| -+ * function is SHA-1. */
|
| ++ /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
|
| ++ * handshake hash for generating client auth signatures. Confusingly, the
|
| ++ * backup hash function is SHA-1. */
|
| PK11Context * md5;
|
| PK11Context * sha;
|
|
|
|
|
Chromium Code Reviews
Issue 23889028:
Merge 221609 "Prefer to generate SHA-1 signatures for TLS 1.2 cl..." (Closed)
Base URL: svn://svn.chromium.org/chrome/branches/1599/src/