| OLD | NEW |
|---|
| 1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | 1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| 2 --- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:46:51.999581198 -0800 | 2 --- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:46:51.999581198 -0800 |
| 3 +++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:47:05.509804656 -0800 | 3 +++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:47:05.509804656 -0800 |
| 4 @@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe | 4 @@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe |
| 5 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT; | 5 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT; |
| 6 break; | 6 break; |
| 7 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break; | 7 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break; |
| 8 + case inappropriate_fallback: | 8 + case inappropriate_fallback: |
| 9 + error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; | 9 + error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; |
| 10 + break; | 10 + break; |
| (...skipping 26 matching lines...) Expand all Loading... |
| 37 + /* make room for SCSV */ | 37 + /* make room for SCSV */ |
| 38 if (ss->ssl3.hs.sendingSCSV) { | 38 if (ss->ssl3.hs.sendingSCSV) { |
| 39 - ++num_suites; /* make room for SCSV */ | 39 - ++num_suites; /* make room for SCSV */ |
| 40 + ++num_suites; | 40 + ++num_suites; |
| 41 + } | 41 + } |
| 42 + if (fallbackSCSV) { | 42 + if (fallbackSCSV) { |
| 43 + ++num_suites; | 43 + ++num_suites; |
| 44 } | 44 } |
| 45 | 45 |
| 46 /* count compression methods */ | 46 /* count compression methods */ |
| 47 @@ -5353,6 +5365,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo | 47 @@ -5389,11 +5389,21 @@ ssl3_SendClientHello(sslSocket *ss, PRBo |
| 48 » } | 48 » if (rv != SECSuccess) { |
| 49 » actual_count++; | 49 » » if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock);
} |
| 50 } | 50 » » return rv;» /* err set by ssl3_AppendHandshake* */ |
| 51 » } |
| 52 » } |
| 53 } |
| 54 |
| 51 + if (fallbackSCSV) { | 55 + if (fallbackSCSV) { |
| 52 + rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, | 56 + rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, |
| 53 + sizeof(ssl3CipherSuite)); | 57 + sizeof(ssl3CipherSuite)); |
| 54 + if (rv != SECSuccess) { | 58 + if (rv != SECSuccess) { |
| 55 + if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } | 59 + if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } |
| 56 + return rv; /* err set by ssl3_AppendHandshake* */ | 60 + return rv; /* err set by ssl3_AppendHandshake* */ |
| 57 + } | 61 + } |
| 58 + actual_count++; | 62 + actual_count++; |
| 59 + } | 63 + } |
| 60 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 64 + |
| 61 » ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 65 /* if cards were removed or inserted between count_cipher_suites and |
| 62 » if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { | 66 * generating our list, detect the error here rather than send it off to |
| 67 * the server.. */ |
| 68 if (actual_count != num_suites) { |
| 63 @@ -8084,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS | 69 @@ -8084,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS |
| 64 goto loser; /* malformed */ | 70 goto loser; /* malformed */ |
| 65 } | 71 } |
| 66 | 72 |
| 67 + /* If the ClientHello version is less than our maximum version, check for a | 73 + /* If the ClientHello version is less than our maximum version, check for a |
| 68 + * TLS_FALLBACK_SCSV and reject the connection if found. */ | 74 + * TLS_FALLBACK_SCSV and reject the connection if found. */ |
| 69 + if (ss->vrange.max > ss->clientHelloVersion) { | 75 + if (ss->vrange.max > ss->clientHelloVersion) { |
| 70 + for (i = 0; i + 1 < suites.len; i += 2) { | 76 + for (i = 0; i + 1 < suites.len; i += 2) { |
| 71 + PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | 77 + PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; |
| 72 + if (suite_i != TLS_FALLBACK_SCSV) | 78 + if (suite_i != TLS_FALLBACK_SCSV) |
| (...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 198 ssl_defaults.enableSignedCertTimestamps = on; | 204 ssl_defaults.enableSignedCertTimestamps = on; |
| 199 break; | 205 break; |
| 200 | 206 |
| 201 + case SSL_ENABLE_FALLBACK_SCSV: | 207 + case SSL_ENABLE_FALLBACK_SCSV: |
| 202 + ssl_defaults.enableFallbackSCSV = on; | 208 + ssl_defaults.enableFallbackSCSV = on; |
| 203 + break; | 209 + break; |
| 204 + | 210 + |
| 205 default: | 211 default: |
| 206 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 212 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 207 return SECFailure; | 213 return SECFailure; |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 683113005:
Update from chromium https://crrev.com/302282 (Closed)
Base URL: git@github.com:domokit/mojo.git@master