
Unified Diff: net/third_party/nss/patches/paddingextension.patch

Issue 66553007: net: don't add padding extension for SSLv3. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 7 years, 1 month ago
Index: net/third_party/nss/patches/paddingextension.patch
diff --git a/net/third_party/nss/patches/paddingextension.patch b/net/third_party/nss/patches/paddingextension.patch
index 8ea388cfc5ce365114e1ea3dcf5fe841c085bba3..2b6433a2b685bd7b8520c395f2cdcea99f445f42 100644
--- a/net/third_party/nss/patches/paddingextension.patch
+++ b/net/third_party/nss/patches/paddingextension.patch
@@ -1,142 +1,48 @@
diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
-index 8b8b758..567d481 100644
+index 567d481..8eb3ab5 100644
--- a/nss/lib/ssl/ssl3con.c
+++ b/nss/lib/ssl/ssl3con.c
-@@ -4975,6 +4975,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+@@ -4975,7 +4975,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
PRBool isTLS = PR_FALSE;
PRBool requestingResume = PR_FALSE;
PRInt32 total_exten_len = 0;
-+ unsigned paddingExtensionLen;
+- unsigned paddingExtensionLen;
++ PRInt32 paddingExtensionLen;
unsigned numCompressionMethods;
PRInt32 flags;
-@@ -5241,6 +5242,20 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
- length += 1 + ss->ssl3.hs.cookieLen;
- }
-
-+ /* A padding extension may be included to ensure that the record containing
-+ * the ClientHello doesn't have a length between 256 and 511 bytes
-+ * (inclusive). Initial, ClientHello records with such lengths trigger bugs
-+ * in F5 devices.
-+ *
-+ * This is not done for DTLS nor for renegotiation. */
-+ if (!IS_DTLS(ss) && !ss->firstHsDone) {
-+ paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
-+ total_exten_len += paddingExtensionLen;
-+ length += paddingExtensionLen;
-+ } else {
-+ paddingExtensionLen = 0;
-+ }
-+
- rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
-@@ -5360,6 +5375,13 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
- return SECFailure;
- }
- maxBytes -= extLen;
-+
-+ extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
-+ if (extLen < 0) {
-+ return SECFailure;
-+ }
-+ maxBytes -= extLen;
-+
- PORT_Assert(!maxBytes);
- }
- if (ss->ssl3.hs.sendingSCSV) {
+@@ -5248,7 +5248,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+ * in F5 devices.
+ *
+ * This is not done for DTLS nor for renegotiation. */
+- if (!IS_DTLS(ss) && !ss->firstHsDone) {
++ if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) {
+ paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
+ total_exten_len += paddingExtensionLen;
+ length += paddingExtensionLen;
diff --git a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
-index 0415770..8be042e 100644
+index 8be042e..ea2cf7a 100644
--- a/nss/lib/ssl/ssl3ext.c
+++ b/nss/lib/ssl/ssl3ext.c
-@@ -2297,3 +2297,56 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
- loser:
+@@ -2298,7 +2298,7 @@ loser:
return -1;
}
-+
-+unsigned int
-+ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
-+{
-+ unsigned int recordLength = 1 /* handshake message type */ +
-+ 3 /* handshake message length */ +
-+ clientHelloLength;
-+ unsigned int extensionLength;
-+
-+ if (recordLength < 256 || recordLength >= 512) {
-+ return 0;
-+ }
-+
-+ extensionLength = 512 - recordLength;
-+ /* Extensions take at least four bytes to encode. */
-+ if (extensionLength < 4) {
-+ extensionLength = 4;
-+ }
-+
-+ return extensionLength;
-+}
-+
-+/* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a
-+ * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures
-+ * that we don't trigger bugs in F5 products. */
-+unsigned int
-+ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
-+ PRUint32 maxBytes)
-+{
-+ unsigned int paddingLen = extensionLen - 4;
-+ unsigned char padding[256];
-+
-+ if (extensionLen == 0) {
-+ return 0;
-+ }
-+
-+ if (extensionLen < 4 ||
-+ extensionLen > maxBytes ||
-+ paddingLen > sizeof(padding)) {
-+ PORT_Assert(0);
-+ return 0;
-+ }
-+
-+ if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
-+ return -1;
-+ if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
-+ return -1;
-+ memset(padding, ' ', paddingLen);
-+ if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
-+ return -1;
-+
-+ return extensionLen;
-+}
+
+-unsigned int
++PRInt32
+ ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
+ {
+ unsigned int recordLength = 1 /* handshake message type */ +
diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
-index 614eed1..621f25e 100644
+index 621f25e..fdf5b8f 100644
--- a/nss/lib/ssl/sslimpl.h
+++ b/nss/lib/ssl/sslimpl.h
-@@ -237,6 +237,13 @@ extern PRInt32
+@@ -237,7 +237,7 @@ extern PRInt32
ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
const ssl3HelloExtensionSender *sender);
-+extern unsigned int
-+ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
-+
-+extern unsigned int
-+ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
-+ PRUint32 maxBytes);
-+
- /* Socket ops */
- struct sslSocketOpsStr {
- int (*connect) (sslSocket *, const PRNetAddr *);
-diff --git a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
-index a8007d8..e4d188f 100644
---- a/nss/lib/ssl/sslt.h
-+++ b/nss/lib/ssl/sslt.h
-@@ -205,9 +205,10 @@ typedef enum {
- ssl_session_ticket_xtn = 35,
- ssl_next_proto_nego_xtn = 13172,
- ssl_channel_id_xtn = 30031,
-+ ssl_padding_xtn = 35655,
- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
- } SSLExtensionType;
+-extern unsigned int
++extern PRInt32
+ ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
--#define SSL_MAX_EXTENSIONS 11
-+#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */
-
- #endif /* __sslt_h_ */
+ extern unsigned int
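Review bot: The switch of `ssl3_CalculatePaddingExtensionLength` and the `paddingExtensionLen` local to `PRInt32` (the ssl3con.c, ssl3ext.c and sslimpl.h parts of this hunk) stops at the declaration the hunk ends on, `extern unsigned int`, which on the old side of this patch introduces `ssl3_AppendPaddingExtension` — a function that returns `-1` on an append failure while the caller tests `extLen < 0`. That only works because the caller's `extLen` is signed and the unsigned `-1` wraps back on conversion, so the same treatment is warranted here: `extern PRInt32` / `ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,` / `PRUint32 maxBytes);`, matching `ssl3_CallHelloExtensionSenders` just above it, with the definition in ssl3ext.c changed to match. The now-signed `paddingExtensionLen` is also passed into that function's `unsigned int extensionLen` parameter, so every call site now carries a sign conversion that was absent before. The new `isTLS` guard reads a flag that this hunk only shows initialised to `PR_FALSE` at the top of `ssl3_SendClientHello`; presumably it is assigned from the negotiated version before line 5248, but that assignment is outside the hunk, as is the rest of `ssl3_AppendPaddingExtension`'s definition on the new side.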
