author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-02 01:08:00 +0000 |
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-02 01:08:00 +0000 |
commit | 1cb31cf66284777dc5526773eebaadf24c48080a (patch) | |
tree | 5136310ef244bb4974be718efaf1903e8025bdda | |
parent | 5f02bacd8661cfe359882412b56eba313593aa50 (diff) | |
Send an empty renegotiation info extension instead of SCSV
unless TLS is disabled. This allows implementers of server
side secure renegotiation to use Linux Chrome as a test
client that sends empty renegotiation info extensions in
initial handshakes.
Rename README.google to README.chromium.
R=agl
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/660233
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40337 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | net/third_party/nss/README.chromium (renamed from net/third_party/nss/README.google) | 5 | ||||
-rw-r--r-- | net/third_party/nss/patches/renegoscsv.patch | 29 | ||||
-rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 4 |
3 files changed, 36 insertions, 2 deletions
diff --git a/net/third_party/nss/README.google b/net/third_party/nss/README.chromium
index ce46e1a..d319060 100644
--- a/net/third_party/nss/README.google
+++ b/net/third_party/nss/README.chromium
@@ -13,5 +13,10 @@ Patches: which may not exist in the system NSS library. patches/versionskew.patch + * Send empty renegotiation info extension instead of SCSV unless TLS is + disabled. + patches/renegoscsv.patch + https://bugzilla.mozilla.org/show_bug.cgi?id=549042 + The ssl/bodge directory contains files taken from the NSS repo that we required for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/renegoscsv.patch b/net/third_party/nss/patches/renegoscsv.patch
new file mode 100644
index 0000000..a9c188c
--- /dev/null
+++ b/net/third_party/nss/patches/renegoscsv.patch
@@ -0,0 +1,29 @@
+Index: mozilla/security/nss/lib/ssl/ssl3con.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
+retrieving revision 1.136
+diff -u -p -u -8 -r1.136 ssl3con.c
+--- mozilla/security/nss/lib/ssl/ssl3con.c 17 Feb 2010 02:29:07 -0000 1.136
++++ mozilla/security/nss/lib/ssl/ssl3con.c 27 Feb 2010 02:55:21 -0000
+@@ -3863,19 +3863,19 @@ ssl3_SendClientHello(sslSocket *ss)
+ }
+
+ /* how many suites does our PKCS11 support (regardless of policy)? */
+ num_suites = ssl3_config_match_init(ss);
+ if (!num_suites)
+ return SECFailure; /* ssl3_config_match_init has set error code. */
+
+ /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
+- * only if we're willing to complete an SSL 3.0 handshake.
++ * only if TLS is disabled.
+ */
+- if (!ss->firstHsDone && ss->opt.enableSSL3) {
++ if (!ss->firstHsDone && !isTLS) {
+ /* Must set this before calling Hello Extension Senders,
+ * to suppress sending of empty RI extension.
+ */
+ ss->ssl3.hs.sendingSCSV = PR_TRUE;
+ }
+
+ if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
+ PRUint32 maxBytes = 65535; /* 2^16 - 1 */
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 545e51e..9a56a91 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -3869,9 +3869,9 @@ ssl3_SendClientHello(sslSocket *ss)
 return SECFailure; /* ssl3_config_match_init has set error code. */

 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
- * only if we're willing to complete an SSL 3.0 handshake.
+ * only if TLS is disabled.
 */
- if (!ss->firstHsDone && ss->opt.enableSSL3) {
+ if (!ss->firstHsDone && !isTLS) {
 /* Must set this before calling Hello Extension Senders,
 * to suppress sending of empty RI extension.
 */ |
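Review bot: The new condition `if (!ss->firstHsDone && !isTLS)` in the ssl3con.c hunk drops the SCSV whenever TLS is offered, so an initial hello sent to a server that only completes SSL 3.0 handshakes (and, being SSL 3.0, ignores extensions) now carries only the empty RI extension and gives that server no secure-renegotiation signal at all; the old `ss->opt.enableSSL3` test covered exactly that case. The commit message says this is a deliberate trade-off to make the client useful for testing RI-extension handling, but the comment left in the code, `* only if TLS is disabled.`, records neither the trade-off nor the consequence, so the next reader will see a regression rather than a choice; I would extend the HACK comment with one sentence stating that when TLS is enabled the empty RI extension is relied on instead and an SSL 3.0-only server will therefore not learn that this client supports secure renegotiation. `isTLS` and the enclosing `ssl3_SendClientHello` body are both outside the hunk, so whether `isTLS` reflects the configured TLS options or the version actually placed in this hello is not visible here and should be confirmed before the comment asserts "TLS is disabled". The same two-line change is recorded verbatim in patches/renegoscsv.patch above, which should carry whatever comment wording is chosen here so the vendored patch and the tree stay in sync.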