Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(297)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/patches/ciphersuiteversion.patch

Issue 23928007: NSS: don't advertise TLS 1.2-only ciphersuites in a TLS 1.1 ClientHello. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/third_party/nss/README.chromium ('K') | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl3con.c » ('j') | net/third_party/nss/ssl/ssl3con.c » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2 index bc54c99..6f12efb 100644
3 --- a/nss/lib/ssl/ssl3con.c
4 +++ b/nss/lib/ssl/ssl3con.c
5 @@ -804,7 +804,8 @@ ssl3_config_match_init(sslSocket *ss)
6 }
7
8
9 -/* return PR_TRUE if suite matches policy and enabled state */
10 +/* return PR_TRUE if suite matches policy, enabled state and is applicable to
11 + * the given version. */
12 /* It would be a REALLY BAD THING (tm) if we ever permitted the use
13 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with
14 ** policy == SSL_NOT_ALLOWED, report no match.
15 @@ -812,7 +813,8 @@ ssl3_config_match_init(sslSocket *ss)
16 /* adjust suite enabled to the availability of a token that can do the
17 * cipher suite. */
18 static PRBool
19 -config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
20 +config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
21 + PRUint16 version)
22 {
23 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
24 if (policy == SSL_NOT_ALLOWED || !enabled)
25 @@ -820,13 +822,17 @@ config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
26 return (PRBool)(suite->enabled &&
27 suite->isPresent &&
28 suite->policy != SSL_NOT_ALLOWED &&
29 - suite->policy <= policy);
30 + suite->policy <= policy &&
31 + ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
32 + version));
33 }
34
35 -/* return number of cipher suites that match policy and enabled state */
36 +/* return number of cipher suites that match policy, enabled state and are
37 + * applicable for the given protocol version. */
38 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
39 static int
40 -count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
41 +count_cipher_suites(sslSocket *ss, int policy, PRBool enabled,
42 + PRUint16 version)
43 {
44 int i, count = 0;
45
46 @@ -834,7 +840,7 @@ count_cipher_suites(sslSocket *ss, int policy, PRBool enable d)
47 return 0;
48 }
49 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
50 - if (config_match(&ss->cipherSuites[i], policy, enabled))
51 + if (config_match(&ss->cipherSuites[i], policy, enabled, version))
52 count++;
53 }
54 if (count <= 0) {
55 @@ -5204,7 +5210,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
56 }
57
58 /* how many suites are permitted by policy and user preference? */
59 - num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
60 + num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE,
61 + ss->version);
62 if (!num_suites)
63 return SECFailure; /* count_cipher_suites has set error code. */
64 if (ss->ssl3.hs.sendingSCSV) {
65 @@ -5294,7 +5301,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
66 }
67 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
68 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
69 - if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
70 + if (config_match(suite, ss->ssl3.policy, PR_TRUE, ss->version)) {
71 actual_count++;
72 if (actual_count > num_suites) {
73 /* set error card removal/insertion error */
74 @@ -6359,15 +6366,9 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi nt32 length)
75 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
76 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
77 if (temp == suite->cipher_suite) {
78 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
79 + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, ss->version)) {
80 break; /* failure */
81 }
82 - if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
83 - ss->version)) {
84 - desc = handshake_failure;
85 - errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
86 - goto alert_loser;
87 - }
88
89 suite_found = PR_TRUE;
90 break; /* success */
91 @@ -8036,7 +8037,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin t32 length)
92 * The product policy won't change during the process lifetime.
93 * Implemented ("isPresent") shouldn't change for servers.
94 */
95 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
96 + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, ss->version))
97 break;
98 #else
99 if (!suite->enabled)
100 @@ -8084,9 +8085,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin t32 length)
101 */
102 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
103 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
104 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
105 - !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
106 - ss->version)) {
107 + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, ss->version)) {
108 continue;
109 }
110 for (i = 0; i + 1 < suites.len; i += 2) {
111 @@ -8619,9 +8618,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buf fer, int length)
112 */
113 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
114 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
115 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
116 - !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
117 - ss->version)) {
118 + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, ss->version)) {
119 continue;
120 }
121 for (i = 0; i+2 < suite_length; i += 3) {
122 @@ -12317,14 +12314,14 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigne d char *cs, int *size)
123 return SECSuccess;
124 }
125 if (cs == NULL) {
126 - *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
127 + *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE, ss->vrange.max);
128 return SECSuccess;
129 }
130
131 /* ssl3_config_match_init was called by the caller of this function. */
132 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
133 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
134 - if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
135 + if (config_match(suite, SSL_ALLOWED, PR_TRUE, ss->vrange.max)) {
136 if (cs != NULL) {
137 *cs++ = 0x00;
138 *cs++ = (suite->cipher_suite >> 8) & 0xFF;
OLDNEW
« net/third_party/nss/README.chromium ('K') | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl3con.c » ('j') | net/third_party/nss/ssl/ssl3con.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698