diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-03 16:50:48 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-03 16:50:48 +0000 |
| commit | ebd6e59c205e1df76d95968f4f78601f24280c5b (patch) | |
| tree | daea563c2baecdbd8e3c10db5b6c39be2bf08ffa /net/third_party | |
| parent | 1cf25d9e567a65d65ce8253057cc51183c1fff62 (diff) | |
| download | chromium_src-ebd6e59c205e1df76d95968f4f78601f24280c5b.zip chromium_src-ebd6e59c205e1df76d95968f4f78601f24280c5b.tar.gz chromium_src-ebd6e59c205e1df76d95968f4f78601f24280c5b.tar.bz2 | |
net: update NSS patches.
This change doesn't alter anything about the patches, it just makes them apply
cleanly on top of one another in preparation for altering the NPN patch.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@103728 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
| -rwxr-xr-x | net/third_party/nss/patches/applypatches.sh | 10 | ||||
| -rw-r--r-- | net/third_party/nss/patches/cachecerts.patch | 13 | ||||
| -rw-r--r-- | net/third_party/nss/patches/cachedinfo.patch | 78 | ||||
| -rw-r--r-- | net/third_party/nss/patches/cbcrandomiv.patch | 100 | ||||
| -rw-r--r-- | net/third_party/nss/patches/clientauth.patch | 131 | ||||
| -rw-r--r-- | net/third_party/nss/patches/didhandshakeresume.patch | 21 | ||||
| -rw-r--r-- | net/third_party/nss/patches/handshakeshortwrite.patch | 44 | ||||
| -rw-r--r-- | net/third_party/nss/patches/negotiatedextension.patch | 38 | ||||
| -rw-r--r-- | net/third_party/nss/patches/nextproto.patch | 19 | ||||
| -rw-r--r-- | net/third_party/nss/patches/ocspstapling.patch | 19 | ||||
| -rw-r--r-- | net/third_party/nss/patches/origin_bound_certs.patch | 57 | ||||
| -rw-r--r-- | net/third_party/nss/patches/peercertchain.patch | 13 | ||||
| -rw-r--r-- | net/third_party/nss/patches/renegoscsv.patch | 11 | ||||
| -rw-r--r-- | net/third_party/nss/patches/restartclientauth.patch | 68 | ||||
| -rw-r--r-- | net/third_party/nss/patches/secret_exporter.patch | 29 | ||||
| -rw-r--r-- | net/third_party/nss/patches/versionskew.patch | 12 |
16 files changed, 322 insertions, 341 deletions
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh index ecf526f..207e396 100755 --- a/net/third_party/nss/patches/applypatches.sh +++ b/net/third_party/nss/patches/applypatches.sh @@ -21,20 +21,20 @@ patch -p6 < $patches_dir/peercertchain.patch patch -p6 < $patches_dir/ocspstapling.patch -patch -p4 < $patches_dir/clientauth.patch +patch -p6 < $patches_dir/clientauth.patch patch -p6 < $patches_dir/cachedinfo.patch patch -p6 < $patches_dir/didhandshakeresume.patch -patch -p5 < $patches_dir/cbcrandomiv.patch +patch -p6 < $patches_dir/cbcrandomiv.patch patch -p6 < $patches_dir/origin_bound_certs.patch patch -p6 < $patches_dir/secret_exporter.patch -patch -p5 < $patches_dir/handshakeshortwrite.patch +patch -p6 < $patches_dir/handshakeshortwrite.patch -patch -p5 < $patches_dir/restartclientauth.patch +patch -p6 < $patches_dir/restartclientauth.patch -patch -p5 < $patches_dir/negotiatedextension.patch +patch -p6 < $patches_dir/negotiatedextension.patch diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch index babae67..9fe07ca 100644 --- a/net/third_party/nss/patches/cachecerts.patch +++ b/net/third_party/nss/patches/cachecerts.patch @@ -1,8 +1,13 @@ -commit 107c49e2efd15ef547b2055af14952610e0e7afa -Author: Adam Langley <agl@chromium.org> -Date: Mon Jun 20 15:52:55 2011 -0400 +From 4c2b4b3992f81f062248f03296f7eb59b5fc0868 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:20:29 -0400 +Subject: [PATCH] cachecerts.patch - cachecerts.patch +--- + mozilla/security/nss/lib/ssl/ssl3con.c | 54 +++++++++++++++++++++++++++++- + mozilla/security/nss/lib/ssl/sslimpl.h | 3 ++ + mozilla/security/nss/lib/ssl/sslnonce.c | 4 ++ + 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c index 455a532..9830e65 100644 diff --git a/net/third_party/nss/patches/cachedinfo.patch b/net/third_party/nss/patches/cachedinfo.patch index 14fa9ff..97ffb84 100644 --- a/net/third_party/nss/patches/cachedinfo.patch +++ b/net/third_party/nss/patches/cachedinfo.patch @@ -1,8 +1,20 @@ -commit b84efe75d31ad7e16bf8e97845d264a0f5994a3f -Author: Adam Langley <agl@chromium.org> -Date: Fri Jun 24 13:10:38 2011 -0400 +From 1c425d479c495d266c23876887198a54e82e7078 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:22:24 -0400 +Subject: [PATCH] cachedinfo.patch - cachedinfo.patch +--- + mozilla/security/nss/lib/ssl/fnv1a64.c | 72 +++++++++ + mozilla/security/nss/lib/ssl/manifest.mn | 1 + + mozilla/security/nss/lib/ssl/ssl.h | 26 +++ + mozilla/security/nss/lib/ssl/ssl3con.c | 221 +++++++++++++++++++------ + mozilla/security/nss/lib/ssl/ssl3ext.c | 258 ++++++++++++++++++++++++++++++ + mozilla/security/nss/lib/ssl/sslauth.c | 40 +++++ + mozilla/security/nss/lib/ssl/sslimpl.h | 33 ++++- + mozilla/security/nss/lib/ssl/sslsock.c | 11 ++ + mozilla/security/nss/lib/ssl/sslt.h | 3 +- + 9 files changed, 611 insertions(+), 54 deletions(-) + create mode 100644 mozilla/security/nss/lib/ssl/fnv1a64.c diff --git a/mozilla/security/nss/lib/ssl/fnv1a64.c b/mozilla/security/nss/lib/ssl/fnv1a64.c new file mode 100644 @@ -95,7 +107,7 @@ index 8451229..f09d770 100644 ssl3con.c \ ssl3gthr.c \ diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h -index 563cfd5..e7d6c54 100644 +index 221fe2d..3a22b45 100644 --- a/mozilla/security/nss/lib/ssl/ssl.h +++ b/mozilla/security/nss/lib/ssl/ssl.h @@ -140,6 +140,8 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); @@ -134,7 +146,7 @@ index 563cfd5..e7d6c54 100644 /* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by * the TLS server. The resulting data is copied to |out_data|. On entry, |*len| * must contain the size of |out_data|. On exit, |*len| will contain the size -@@ -438,6 +453,17 @@ SSL_IMPORT SECStatus SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, +@@ -405,6 +420,17 @@ SSL_IMPORT SECStatus SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg); /* @@ -153,10 +165,10 @@ index 563cfd5..e7d6c54 100644 ** certificate for the server and the servers private key. The arguments ** are copied. diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c -index 0997e18..068f021 100644 +index ca2793f..dd99962 100644 --- a/mozilla/security/nss/lib/ssl/ssl3con.c +++ b/mozilla/security/nss/lib/ssl/ssl3con.c -@@ -5170,7 +5170,6 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -5145,7 +5145,6 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ssl3_CopyPeerCertsFromSID(ss, sid); } @@ -164,7 +176,7 @@ index 0997e18..068f021 100644 /* NULL value for PMS signifies re-use of the old MS */ rv = ssl3_InitPendingCipherSpec(ss, NULL); if (rv != SECSuccess) { -@@ -7804,6 +7803,69 @@ ssl3_SendCertificate(sslSocket *ss) +@@ -7715,6 +7714,69 @@ ssl3_SendCertificate(sslSocket *ss) } } @@ -234,7 +246,7 @@ index 0997e18..068f021 100644 rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3); if (rv != SECSuccess) { return rv; /* err set by AppendHandshake. */ -@@ -7958,7 +8020,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -7869,7 +7931,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) PRInt32 size; SECStatus rv; PRBool isServer = (PRBool)(!!ss->sec.isServer); @@ -242,7 +254,7 @@ index 0997e18..068f021 100644 PRBool isTLS; SSL3AlertDescription desc = bad_certificate; int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE; -@@ -8018,35 +8079,46 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -7929,35 +7990,46 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto loser; /* don't send alerts on memory errors */ } @@ -313,7 +325,7 @@ index 0997e18..068f021 100644 remaining -= 3; if (remaining < 0) goto decode_loser; -@@ -8060,35 +8132,63 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -7971,35 +8043,63 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) certItem.data = b; certItem.len = size; @@ -397,7 +409,7 @@ index 0997e18..068f021 100644 SECKEY_UpdateCertPQG(ss->sec.peerCert); -@@ -8108,8 +8208,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -8019,8 +8119,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* someone will handle this connection asynchronously*/ SSL_DBG(("%d: SSL3[%d]: go to async cert handler", SSL_GETPID(), ss->fd)); @@ -406,7 +418,7 @@ index 0997e18..068f021 100644 ssl_SetAlwaysBlock(ss); goto cert_block; } -@@ -8134,7 +8232,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -8045,7 +8143,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); @@ -415,7 +427,7 @@ index 0997e18..068f021 100644 if (!ss->sec.isServer) { /* set the server authentication and key exchange types and sizes -@@ -8179,8 +8277,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -8090,8 +8188,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } } @@ -424,7 +436,7 @@ index 0997e18..068f021 100644 cert_block: if (ss->sec.isServer) { ss->ssl3.hs.ws = wait_client_key; -@@ -8250,7 +8346,10 @@ alert_loser: +@@ -8161,7 +8257,10 @@ alert_loser: (void)SSL3_SendAlert(ss, alert_fatal, desc); loser: @@ -436,7 +448,7 @@ index 0997e18..068f021 100644 ssl3_CleanupPeerCerts(ss); if (ss->sec.peerCert != NULL) { -@@ -9736,6 +9835,21 @@ ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache) +@@ -9647,6 +9746,21 @@ ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache) return rv; } @@ -458,7 +470,7 @@ index 0997e18..068f021 100644 /* Called from ssl_DestroySocketContents() in sslsock.c */ void ssl3_DestroySSL3Info(sslSocket *ss) -@@ -9759,6 +9873,9 @@ ssl3_DestroySSL3Info(sslSocket *ss) +@@ -9666,6 +9780,9 @@ ssl3_DestroySSL3Info(sslSocket *ss) ss->ssl3.clientCertChain = NULL; } @@ -469,7 +481,7 @@ index 0997e18..068f021 100644 if (ss->opt.bypassPKCS11) { SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c -index 94dab58..79ed9e3 100644 +index 4e3d9cc..17898fb 100644 --- a/mozilla/security/nss/lib/ssl/ssl3ext.c +++ b/mozilla/security/nss/lib/ssl/ssl3ext.c @@ -236,6 +236,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = { @@ -759,7 +771,7 @@ index 94dab58..79ed9e3 100644 * client side. See RFC 4366 section 3.6. */ PRInt32 diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c -index 447aaf8..8da5c66 100644 +index df40f30..fcd15ca 100644 --- a/mozilla/security/nss/lib/ssl/sslauth.c +++ b/mozilla/security/nss/lib/ssl/sslauth.c @@ -95,6 +95,46 @@ SSL_PeerCertificateChain(PRFileDesc *fd, CERTCertificate **certs, @@ -810,10 +822,10 @@ index 447aaf8..8da5c66 100644 CERTCertificate * SSL_LocalCertificate(PRFileDesc *fd) diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h -index 2e1364e..95a1eee 100644 +index 8e2bd14..f1e9a3e 100644 --- a/mozilla/security/nss/lib/ssl/sslimpl.h +++ b/mozilla/security/nss/lib/ssl/sslimpl.h -@@ -349,6 +349,7 @@ typedef struct sslOptionsStr { +@@ -340,6 +340,7 @@ typedef struct sslOptionsStr { unsigned int requireSafeNegotiation : 1; /* 22 */ unsigned int enableFalseStart : 1; /* 23 */ unsigned int enableOCSPStapling : 1; /* 24 */ @@ -821,7 +833,7 @@ index 2e1364e..95a1eee 100644 } sslOptions; typedef enum { sslHandshakingUndetermined = 0, -@@ -773,6 +774,11 @@ struct TLSExtensionDataStr { +@@ -754,6 +755,11 @@ struct TLSExtensionDataStr { PRUint32 sniNameArrSize; }; @@ -833,7 +845,7 @@ index 2e1364e..95a1eee 100644 /* ** This is the "hs" member of the "ssl3" struct. ** This entire struct is protected by ssl3HandshakeLock -@@ -854,6 +860,14 @@ struct ssl3StateStr { +@@ -832,6 +838,14 @@ struct ssl3StateStr { CERTCertificateList *clientCertChain; /* used by client */ PRBool sendEmptyCert; /* used by client */ @@ -848,7 +860,7 @@ index 2e1364e..95a1eee 100644 int policy; /* This says what cipher suites we can do, and should * be either SSL_ALLOWED or SSL_RESTRICTED -@@ -861,7 +875,10 @@ struct ssl3StateStr { +@@ -839,7 +853,10 @@ struct ssl3StateStr { PRArenaPool * peerCertArena; /* These are used to keep track of the peer CA */ void * peerCertChain; @@ -860,7 +872,7 @@ index 2e1364e..95a1eee 100644 CERTDistNames * ca_list; /* used by server. trusted CAs for this socket. */ PRBool initialized; -@@ -1550,6 +1567,10 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, +@@ -1524,6 +1541,10 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); extern SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); @@ -871,7 +883,7 @@ index 2e1364e..95a1eee 100644 extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, -@@ -1571,6 +1592,10 @@ extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, +@@ -1545,6 +1566,10 @@ extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, */ extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes); @@ -882,7 +894,7 @@ index 2e1364e..95a1eee 100644 /* Assigns new cert, cert chain and keys to ss->serverCerts * struct. If certChain is NULL, tries to find one. Aborts if -@@ -1694,6 +1719,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void); +@@ -1648,6 +1673,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void); SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd); PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite); @@ -896,7 +908,7 @@ index 2e1364e..95a1eee 100644 #ifdef TRACE #define SSL_TRACE(msg) ssl_Trace msg diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c -index 1bb211e..f00f8f4 100644 +index 4c4df3f..3d89d86 100644 --- a/mozilla/security/nss/lib/ssl/sslsock.c +++ b/mozilla/security/nss/lib/ssl/sslsock.c @@ -186,6 +186,7 @@ static sslOptions ssl_defaults = { @@ -907,7 +919,7 @@ index 1bb211e..f00f8f4 100644 }; sslSessionIDLookupFunc ssl_sid_lookup; -@@ -747,6 +748,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) +@@ -743,6 +744,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) ss->opt.enableOCSPStapling = on; break; @@ -918,7 +930,7 @@ index 1bb211e..f00f8f4 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; -@@ -812,6 +817,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) +@@ -808,6 +813,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) on = ss->opt.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; @@ -926,7 +938,7 @@ index 1bb211e..f00f8f4 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -866,6 +872,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) +@@ -862,6 +868,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) case SSL_ENABLE_OCSP_STAPLING: on = ssl_defaults.enableOCSPStapling; break; @@ -934,7 +946,7 @@ index 1bb211e..f00f8f4 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -1017,6 +1024,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) +@@ -1013,6 +1020,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) ssl_defaults.enableOCSPStapling = on; break; diff --git a/net/third_party/nss/patches/cbcrandomiv.patch b/net/third_party/nss/patches/cbcrandomiv.patch index 445b2f9..806e0b2 100644 --- a/net/third_party/nss/patches/cbcrandomiv.patch +++ b/net/third_party/nss/patches/cbcrandomiv.patch @@ -1,16 +1,17 @@ -Index: mozilla/security/nss/lib/ssl/ssl3con.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v -retrieving revision 1.151 -diff -u -p -8 -r1.151 ssl3con.c ---- mozilla/security/nss/lib/ssl/ssl3con.c 26 Jul 2011 02:13:37 -0000 1.151 -+++ mozilla/security/nss/lib/ssl/ssl3con.c 29 Sep 2011 17:39:16 -0000 -@@ -2032,56 +2032,56 @@ ssl3_ClientAuthTokenPresent(sslSessionID - isPresent = PR_FALSE; - } - if (slot) { - PK11_FreeSlot(slot); - } +From 03c5c660f3668ed1e9c9b6277d64c96d2ab3d890 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:23:29 -0400 +Subject: [PATCH] cbcrandomiv.patch + +--- + mozilla/security/nss/lib/ssl/ssl3con.c | 96 +++++++++++++++++++++++--------- + 1 files changed, 69 insertions(+), 27 deletions(-) + +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index dd99962..2648cbe 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c +@@ -2039,24 +2039,24 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { return isPresent; } @@ -42,16 +43,7 @@ diff -u -p -8 -r1.151 ssl3con.c cipher_def = cwSpec->cipher_def; if (cwSpec->compressor) { - int outlen; - rv = cwSpec->compressor( - cwSpec->compressContext, wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, - &outlen, wrBuf->space - SSL3_RECORD_HEADER_LENGTH, pIn, contentLen); - if (rv != SECSuccess) - return rv; - pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH; - contentLen = outlen; - } - +@@ -2073,12 +2073,12 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, /* * Add the MAC */ @@ -66,17 +58,7 @@ diff -u -p -8 -r1.151 ssl3con.c } p1Len = contentLen; p2Len = macLen; - fragLen = contentLen + macLen; /* needs to be encrypted */ - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); - - /* - * Pad the text (if we're doing a block cipher) -@@ -2124,52 +2124,46 @@ ssl3_CompressMACEncryptRecord(sslSocket - rv = cwSpec->encode( cwSpec->encodeContext, - wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, /* output */ - &cipherBytes, /* actual outlen */ - p1Len, /* max outlen */ - pIn, p1Len); /* input, and inputlen */ +@@ -2131,7 +2131,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, PORT_Assert(rv == SECSuccess && cipherBytes == p1Len); if (rv != SECSuccess || cipherBytes != p1Len) { PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); @@ -85,13 +67,7 @@ diff -u -p -8 -r1.151 ssl3con.c } } if (p2Len > 0) { - PRInt32 cipherBytesPart2 = -1; - rv = cwSpec->encode( cwSpec->encodeContext, - wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, - &cipherBytesPart2, /* output and actual outLen */ - p2Len, /* max outlen */ - wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, - p2Len); /* input and inputLen*/ +@@ -2145,7 +2145,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len); if (rv != SECSuccess || cipherBytesPart2 != p2Len) { PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); @@ -100,14 +76,7 @@ diff -u -p -8 -r1.151 ssl3con.c } cipherBytes += cipherBytesPart2; } - PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); - - ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); - - wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH; - wrBuf->buf[0] = type; - wrBuf->buf[1] = MSB(cwSpec->version); - wrBuf->buf[2] = LSB(cwSpec->version); +@@ -2160,13 +2160,7 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss, wrBuf->buf[3] = MSB(cipherBytes); wrBuf->buf[4] = LSB(cipherBytes); @@ -121,17 +90,7 @@ diff -u -p -8 -r1.151 ssl3con.c } /* Process the plain text before sending it. - * Returns the number of bytes of plaintext that were successfully sent - * plus the number of bytes of plaintext that were copied into the - * output (write) buffer. - * Returns SECFailure on a hard IO error, memory error, or crypto error. - * Does NOT return SECWouldBlock. -@@ -2220,39 +2214,87 @@ ssl3_SendRecord( sslSocket * ss - /* check for Token Presence */ - if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) { - PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); - return SECFailure; - } +@@ -2227,20 +2221,70 @@ ssl3_SendRecord( sslSocket * ss, while (nIn > 0) { PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH); @@ -166,9 +125,10 @@ diff -u -p -8 -r1.151 ssl3con.c - return SECFailure; /* sslBuffer_Grow set a memory error code. */ + SSL_GETPID(), ss->fd, spaceNeeded)); + goto spec_locked_loser; /* sslBuffer_Grow set a memory error code. */ -+ } -+ } -+ + } + } + +- rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen); + if (numRecords == 2) { + sslBuffer secondRecord; + @@ -200,17 +160,16 @@ diff -u -p -8 -r1.151 ssl3con.c + if (rv == SECSuccess) { + PRINT_BUF(50, (ss, "send (encrypted) record data [1/1]:", + wrBuf->buf, wrBuf->len)); - } - } - -- rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen); ++ } ++ } ++ +spec_locked_loser: + ssl_ReleaseSpecReadLock(ss); /************************************/ + if (rv != SECSuccess) return SECFailure; - pIn += contentLen; +@@ -2248,8 +2292,6 @@ ssl3_SendRecord( sslSocket * ss, nIn -= contentLen; PORT_Assert( nIn >= 0 ); @@ -219,8 +178,3 @@ diff -u -p -8 -r1.151 ssl3con.c /* If there's still some previously saved ciphertext, * or the caller doesn't want us to send the data yet, * then add all our new ciphertext to the amount previously saved. - */ - if ((ss->pendingBuf.len > 0) || - (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) { - - rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len); diff --git a/net/third_party/nss/patches/clientauth.patch b/net/third_party/nss/patches/clientauth.patch index 97d549f..371c640 100644 --- a/net/third_party/nss/patches/clientauth.patch +++ b/net/third_party/nss/patches/clientauth.patch @@ -1,11 +1,24 @@ -Index: security/nss/lib/ssl/ssl.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v -retrieving revision 1.38.2.1 -diff -u -r1.38.2.1 ssl.h ---- security/nss/lib/ssl/ssl.h 31 Jul 2010 04:33:52 -0000 1.38.2.1 -+++ security/nss/lib/ssl/ssl.h 22 Sep 2011 00:21:33 -0000 -@@ -291,6 +291,45 @@ +From 1ebf459243cea430614e1958ecab1ad10457ccc2 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:44:48 -0400 +Subject: [PATCH] clientauth.patch + +--- + mozilla/security/nss/lib/ssl/ssl.h | 39 +++ + mozilla/security/nss/lib/ssl/ssl3con.c | 163 ++++++++++--- + mozilla/security/nss/lib/ssl/ssl3ext.c | 2 +- + mozilla/security/nss/lib/ssl/sslauth.c | 22 ++ + mozilla/security/nss/lib/ssl/sslimpl.h | 45 ++++ + mozilla/security/nss/lib/ssl/sslplatf.c | 399 +++++++++++++++++++++++++++++++ + mozilla/security/nss/lib/ssl/sslsock.c | 14 + + 7 files changed, 647 insertions(+), 37 deletions(-) + create mode 100644 mozilla/security/nss/lib/ssl/sslplatf.c + +diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h +index 7e748bd..03535f3 100644 +--- a/mozilla/security/nss/lib/ssl/ssl.h ++++ b/mozilla/security/nss/lib/ssl/ssl.h +@@ -353,6 +353,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg, SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, SSLGetClientAuthData f, void *a); @@ -51,14 +64,11 @@ diff -u -r1.38.2.1 ssl.h /* ** SNI extension processing callback function. -Index: security/nss/lib/ssl/ssl3con.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v -retrieving revision 1.142.2.4 -diff -u -r1.142.2.4 ssl3con.c ---- security/nss/lib/ssl/ssl3con.c 1 Sep 2010 19:47:11 -0000 1.142.2.4 -+++ security/nss/lib/ssl/ssl3con.c 22 Sep 2011 00:21:33 -0000 -@@ -2016,6 +2016,9 @@ +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index d372ee2..ad8f4cd 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c +@@ -2018,6 +2018,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { PRBool isPresent = PR_TRUE; /* we only care if we are doing client auth */ @@ -68,7 +78,7 @@ diff -u -r1.142.2.4 ssl3con.c if (!sid || !sid->u.ssl3.clAuthValid) { return PR_TRUE; } -@@ -4821,27 +4824,30 @@ +@@ -4865,27 +4868,30 @@ ssl3_SendCertificateVerify(sslSocket *ss) } isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); @@ -119,7 +129,7 @@ diff -u -r1.142.2.4 ssl3con.c SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); ss->ssl3.clientPrivateKey = NULL; } -@@ -4899,6 +4905,26 @@ +@@ -4943,6 +4949,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; } @@ -146,7 +156,7 @@ diff -u -r1.142.2.4 ssl3con.c temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); if (temp < 0) { goto loser; /* alert has been sent */ -@@ -5441,6 +5467,10 @@ +@@ -5485,6 +5511,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) SSL3AlertDescription desc = illegal_parameter; SECItem cert_types = {siBuffer, NULL, 0}; CERTDistNames ca_list; @@ -157,7 +167,7 @@ diff -u -r1.142.2.4 ssl3con.c SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", SSL_GETPID(), ss->fd)); -@@ -5454,19 +5484,10 @@ +@@ -5498,19 +5528,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; } @@ -181,7 +191,7 @@ diff -u -r1.142.2.4 ssl3con.c isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); -@@ -5533,6 +5554,20 @@ +@@ -5577,6 +5598,20 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) desc = no_certificate; ss->ssl3.hs.ws = wait_hello_done; @@ -202,7 +212,7 @@ diff -u -r1.142.2.4 ssl3con.c if (ss->getClientAuthData == NULL) { rv = SECFailure; /* force it to send a no_certificate alert */ } else { -@@ -5542,12 +5577,52 @@ +@@ -5586,12 +5621,52 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) &ss->ssl3.clientCertificate, &ss->ssl3.clientPrivateKey); } @@ -255,7 +265,7 @@ diff -u -r1.142.2.4 ssl3con.c /* check what the callback function returned */ if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { /* we are missing either the key or cert */ -@@ -5610,6 +5685,10 @@ +@@ -5654,6 +5729,10 @@ loser: done: if (arena != NULL) PORT_FreeArena(arena, PR_FALSE); @@ -266,7 +276,7 @@ diff -u -r1.142.2.4 ssl3con.c return rv; } -@@ -5717,9 +5796,17 @@ +@@ -5785,9 +5864,17 @@ ssl3_HandleServerHelloDone(sslSocket *ss) if (rv != SECSuccess) { goto loser; /* error code is set. */ } @@ -287,7 +297,7 @@ diff -u -r1.142.2.4 ssl3con.c send_verify = PR_TRUE; rv = ssl3_SendCertificate(ss); if (rv != SECSuccess) { -@@ -9453,6 +9540,10 @@ +@@ -9856,6 +9943,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) if (ss->ssl3.clientPrivateKey != NULL) SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); @@ -298,13 +308,10 @@ diff -u -r1.142.2.4 ssl3con.c if (ss->ssl3.peerCertArena != NULL) ssl3_CleanupPeerCerts(ss); -Index: security/nss/lib/ssl/ssl3ext.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v -retrieving revision 1.14 -diff -u -r1.14 ssl3ext.c ---- security/nss/lib/ssl/ssl3ext.c 3 Apr 2010 19:19:07 -0000 1.14 -+++ security/nss/lib/ssl/ssl3ext.c 22 Sep 2011 00:21:33 -0000 +diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c +index 887344b..e54b4fd 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3ext.c ++++ b/mozilla/security/nss/lib/ssl/ssl3ext.c @@ -46,8 +46,8 @@ #include "nssrenam.h" #include "nss.h" @@ -315,14 +322,11 @@ diff -u -r1.14 ssl3ext.c #include "pk11pub.h" #include "blapi.h" #include "prinit.h" -Index: security/nss/lib/ssl/sslauth.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v -retrieving revision 1.16.66.1 -diff -u -r1.16.66.1 sslauth.c ---- security/nss/lib/ssl/sslauth.c 3 Aug 2010 18:52:13 -0000 1.16.66.1 -+++ security/nss/lib/ssl/sslauth.c 22 Sep 2011 00:21:33 -0000 -@@ -216,6 +216,28 @@ +diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c +index fcd15ca..8da5c66 100644 +--- a/mozilla/security/nss/lib/ssl/sslauth.c ++++ b/mozilla/security/nss/lib/ssl/sslauth.c +@@ -292,6 +292,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, return SECSuccess; } @@ -351,13 +355,10 @@ diff -u -r1.16.66.1 sslauth.c /* NEED LOCKS IN HERE. */ SECStatus SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) -Index: security/nss/lib/ssl/sslimpl.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v -retrieving revision 1.77.2.1 -diff -u -r1.77.2.1 sslimpl.h ---- security/nss/lib/ssl/sslimpl.h 31 Jul 2010 04:33:52 -0000 1.77.2.1 -+++ security/nss/lib/ssl/sslimpl.h 22 Sep 2011 00:21:33 -0000 +diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h +index 70ff4c3..d73a0e3 100644 +--- a/mozilla/security/nss/lib/ssl/sslimpl.h ++++ b/mozilla/security/nss/lib/ssl/sslimpl.h @@ -65,6 +65,15 @@ #include "sslt.h" /* for some formerly private types, now public */ @@ -374,7 +375,7 @@ diff -u -r1.77.2.1 sslimpl.h /* to make some of these old enums public without namespace pollution, ** it was necessary to prepend ssl_ to the names. ** These #defines preserve compatibility with the old code here in libssl. -@@ -456,6 +465,14 @@ +@@ -464,6 +473,14 @@ typedef SECStatus (*SSLCompressor)(void * context, int inlen); typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); @@ -389,7 +390,7 @@ diff -u -r1.77.2.1 sslimpl.h /* -@@ -811,6 +828,10 @@ +@@ -836,6 +853,10 @@ struct ssl3StateStr { CERTCertificate * clientCertificate; /* used by client */ SECKEYPrivateKey * clientPrivateKey; /* used by client */ @@ -400,7 +401,7 @@ diff -u -r1.77.2.1 sslimpl.h CERTCertificateList *clientCertChain; /* used by client */ PRBool sendEmptyCert; /* used by client */ -@@ -1051,6 +1072,10 @@ +@@ -1097,6 +1118,10 @@ const unsigned char * preferredCipher; void *authCertificateArg; SSLGetClientAuthData getClientAuthData; void *getClientAuthDataArg; @@ -411,7 +412,7 @@ diff -u -r1.77.2.1 sslimpl.h SSLSNISocketConfig sniSocketConfig; void *sniSocketConfigArg; SSLBadCertHandler handleBadCert; -@@ -1595,6 +1620,26 @@ +@@ -1663,6 +1688,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); extern SECStatus ssl_FreeSessionCacheLocks(void); @@ -438,12 +439,11 @@ diff -u -r1.77.2.1 sslimpl.h /********************** misc calls *********************/ -Index: security/nss/lib/ssl/sslplatf.c -=================================================================== -RCS file: security/nss/lib/ssl/sslplatf.c -diff -N security/nss/lib/ssl/sslplatf.c ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ security/nss/lib/ssl/sslplatf.c 22 Sep 2011 00:21:33 -0000 +diff --git a/mozilla/security/nss/lib/ssl/sslplatf.c b/mozilla/security/nss/lib/ssl/sslplatf.c +new file mode 100644 +index 0000000..208956f +--- /dev/null ++++ b/mozilla/security/nss/lib/ssl/sslplatf.c @@ -0,0 +1,399 @@ +/* + * Platform specific crypto wrappers @@ -844,14 +844,11 @@ diff -N security/nss/lib/ssl/sslplatf.c +#endif + +#endif /* NSS_PLATFORM_CLIENT_AUTH */ -Index: security/nss/lib/ssl/sslsock.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v -retrieving revision 1.67.2.1 -diff -u -r1.67.2.1 sslsock.c ---- security/nss/lib/ssl/sslsock.c 31 Jul 2010 04:33:52 -0000 1.67.2.1 -+++ security/nss/lib/ssl/sslsock.c 22 Sep 2011 00:21:33 -0000 -@@ -335,6 +335,10 @@ +diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c +index 7d12bfe..68fd3cb 100644 +--- a/mozilla/security/nss/lib/ssl/sslsock.c ++++ b/mozilla/security/nss/lib/ssl/sslsock.c +@@ -339,6 +339,10 @@ ssl_DupSocket(sslSocket *os) ss->authCertificateArg = os->authCertificateArg; ss->getClientAuthData = os->getClientAuthData; ss->getClientAuthDataArg = os->getClientAuthDataArg; @@ -862,7 +859,7 @@ diff -u -r1.67.2.1 sslsock.c ss->sniSocketConfig = os->sniSocketConfig; ss->sniSocketConfigArg = os->sniSocketConfigArg; ss->handleBadCert = os->handleBadCert; -@@ -1354,6 +1358,12 @@ +@@ -1468,6 +1472,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) ss->getClientAuthData = sm->getClientAuthData; if (sm->getClientAuthDataArg) ss->getClientAuthDataArg = sm->getClientAuthDataArg; @@ -875,7 +872,7 @@ diff -u -r1.67.2.1 sslsock.c if (sm->sniSocketConfig) ss->sniSocketConfig = sm->sniSocketConfig; if (sm->sniSocketConfigArg) -@@ -2366,6 +2376,10 @@ +@@ -2525,6 +2535,10 @@ ssl_NewSocket(PRBool makeLocks) ss->sniSocketConfig = NULL; ss->sniSocketConfigArg = NULL; ss->getClientAuthData = NULL; diff --git a/net/third_party/nss/patches/didhandshakeresume.patch b/net/third_party/nss/patches/didhandshakeresume.patch index 8c2a5a5..95890e9 100644 --- a/net/third_party/nss/patches/didhandshakeresume.patch +++ b/net/third_party/nss/patches/didhandshakeresume.patch @@ -1,8 +1,13 @@ -commit c1b34e0cdaed8eef92aa268a442965eb60828c7b -Author: Adam Langley <agl@chromium.org> -Date: Tue Jun 21 11:41:12 2011 -0400 +From 56e625df4d443b939c39fa75f907518bf66f6584 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:23:01 -0400 +Subject: [PATCH] didhandshakeresume.patch - didhandshakeresume.patch +--- + mozilla/security/nss/lib/ssl/ssl.def | 1 + + mozilla/security/nss/lib/ssl/ssl.h | 4 ++++ + mozilla/security/nss/lib/ssl/sslsock.c | 14 ++++++++++++++ + 3 files changed, 19 insertions(+), 0 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def index 35cc1e3..7ef15db 100644 @@ -17,10 +22,10 @@ index 35cc1e3..7ef15db 100644 SSL_SetNextProtoNego; ;+ local: diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h -index e7d6c54..5682d0a 100644 +index 3a22b45..c32438d 100644 --- a/mozilla/security/nss/lib/ssl/ssl.h +++ b/mozilla/security/nss/lib/ssl/ssl.h -@@ -730,6 +730,10 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, +@@ -697,6 +697,10 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, SSLExtensionType extId, PRBool *yes); @@ -32,10 +37,10 @@ index e7d6c54..5682d0a 100644 #endif /* __ssl_h_ */ diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c -index f00f8f4..340d17c 100644 +index 3d89d86..11b53da 100644 --- a/mozilla/security/nss/lib/ssl/sslsock.c +++ b/mozilla/security/nss/lib/ssl/sslsock.c -@@ -1517,6 +1517,20 @@ SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, +@@ -1507,6 +1507,20 @@ SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, return SECSuccess; } diff --git a/net/third_party/nss/patches/handshakeshortwrite.patch b/net/third_party/nss/patches/handshakeshortwrite.patch index 036a045..68e4330 100644 --- a/net/third_party/nss/patches/handshakeshortwrite.patch +++ b/net/third_party/nss/patches/handshakeshortwrite.patch @@ -1,16 +1,17 @@ -Index: mozilla/security/nss/lib/ssl/sslsecur.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsecur.c,v -retrieving revision 1.43.2.4 -diff -p -u -8 -r1.43.2.4 sslsecur.c ---- mozilla/security/nss/lib/ssl/sslsecur.c 8 Apr 2011 05:25:21 -0000 1.43.2.4 -+++ mozilla/security/nss/lib/ssl/sslsecur.c 4 Aug 2011 23:33:46 -0000 -@@ -383,16 +383,28 @@ SSL_ForceHandshake(PRFileDesc *fd) - SSL_GETPID(), fd)); - return rv; - } - - /* Don't waste my time */ +From eb24998651cb972c60453b5d5fb1e13dfd8107ce Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:26:44 -0400 +Subject: [PATCH] handshakeshortwrite.patch + +--- + mozilla/security/nss/lib/ssl/sslsecur.c | 13 ++++++++++++- + 1 files changed, 12 insertions(+), 1 deletions(-) + +diff --git a/mozilla/security/nss/lib/ssl/sslsecur.c b/mozilla/security/nss/lib/ssl/sslsecur.c +index 816b8f6..dc374e0 100644 +--- a/mozilla/security/nss/lib/ssl/sslsecur.c ++++ b/mozilla/security/nss/lib/ssl/sslsecur.c +@@ -388,6 +388,18 @@ SSL_ForceHandshake(PRFileDesc *fd) if (!ss->opt.useSecurity) return SECSuccess; @@ -29,17 +30,7 @@ diff -p -u -8 -r1.43.2.4 sslsecur.c ssl_Get1stHandshakeLock(ss); if (ss->version >= SSL_LIBRARY_VERSION_3_0) { - int gatherResult; - - ssl_GetRecvBufLock(ss); - gatherResult = ssl3_GatherCompleteHandshake(ss, 0); - ssl_ReleaseRecvBufLock(ss); -@@ -1132,17 +1144,16 @@ ssl_SecureRecv(sslSocket *ss, unsigned c - if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) { - ssl_GetXmitBufLock(ss); - if (ss->pendingBuf.len != 0) { - rv = ssl_SendSavedWriteData(ss); - if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) { +@@ -1128,7 +1140,6 @@ ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags) ssl_ReleaseXmitBufLock(ss); return SECFailure; } @@ -47,8 +38,3 @@ diff -p -u -8 -r1.43.2.4 sslsecur.c } ssl_ReleaseXmitBufLock(ss); } - - rv = 0; - /* If any of these is non-zero, the initial handshake is not done. */ - if (!ss->firstHsDone) { - ssl_Get1stHandshakeLock(ss); diff --git a/net/third_party/nss/patches/negotiatedextension.patch b/net/third_party/nss/patches/negotiatedextension.patch index cba4baa..98fbc07 100644 --- a/net/third_party/nss/patches/negotiatedextension.patch +++ b/net/third_party/nss/patches/negotiatedextension.patch @@ -1,16 +1,17 @@ -Index: mozilla/security/nss/lib/ssl/sslreveal.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslreveal.c,v -retrieving revision 1.8 -diff -u -p -u -8 -r1.8 sslreveal.c ---- mozilla/security/nss/lib/ssl/sslreveal.c 3 Aug 2010 18:48:45 -0000 1.8 -+++ mozilla/security/nss/lib/ssl/sslreveal.c 25 Aug 2011 00:48:18 -0000 -@@ -106,36 +106,29 @@ SSL_RevealURL(PRFileDesc * fd) - SECStatus - SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, - SSLExtensionType extId, - PRBool *pYes) - { +From 577e6655d4edc789eb4c572b303daf888676a454 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:27:21 -0400 +Subject: [PATCH] negotiatedextension.patch + +--- + mozilla/security/nss/lib/ssl/sslreveal.c | 9 +-------- + 1 files changed, 1 insertions(+), 8 deletions(-) + +diff --git a/mozilla/security/nss/lib/ssl/sslreveal.c b/mozilla/security/nss/lib/ssl/sslreveal.c +index 94b2c2f..0b9bb82 100644 +--- a/mozilla/security/nss/lib/ssl/sslreveal.c ++++ b/mozilla/security/nss/lib/ssl/sslreveal.c +@@ -111,7 +111,6 @@ SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, /* some decisions derived from SSL_GetChannelInfo */ sslSocket * sslsocket = NULL; SECStatus rv = SECFailure; @@ -18,11 +19,7 @@ diff -u -p -u -8 -r1.8 sslreveal.c if (!pYes) return rv; - - sslsocket = ssl_FindSocket(socket); - if (!sslsocket) { - SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeNegotiatedExtension", - SSL_GETPID(), socket)); +@@ -123,14 +122,8 @@ SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, return rv; } @@ -38,8 +35,3 @@ diff -u -p -u -8 -r1.8 sslreveal.c if (sslsocket->ssl3.initialized) { /* SSL3 and TLS */ /* now we know this socket went through ssl3_InitState() and * ss->xtnData got initialized, which is the only member accessed by - * ssl3_ExtensionNegotiated(); - * Member xtnData appears to get accessed in functions that handle - * the handshake (hello messages and extension sending), - * therefore the handshake lock should be sufficient. - */ diff --git a/net/third_party/nss/patches/nextproto.patch b/net/third_party/nss/patches/nextproto.patch index 4322fe9..a01f240 100644 --- a/net/third_party/nss/patches/nextproto.patch +++ b/net/third_party/nss/patches/nextproto.patch @@ -1,8 +1,19 @@ -commit de6d1a65eb146a0887a31ca92e9ca924045e9e69 -Author: Adam Langley <agl@chromium.org> -Date: Mon Jun 20 15:49:24 2011 -0400 +From 6b594dc531e7a1d1d5bca2f0f78e7bc0ac3ff937 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:19:28 -0400 +Subject: [PATCH] nextproto.patch - nextproto.patch +--- + mozilla/security/nss/cmd/tstclnt/tstclnt.c | 6 ++ + mozilla/security/nss/lib/ssl/ssl.def | 7 ++ + mozilla/security/nss/lib/ssl/ssl.h | 12 +++ + mozilla/security/nss/lib/ssl/ssl3con.c | 54 ++++++++++++ + mozilla/security/nss/lib/ssl/ssl3ext.c | 122 +++++++++++++++++++++++++++- + mozilla/security/nss/lib/ssl/ssl3prot.h | 3 +- + mozilla/security/nss/lib/ssl/sslimpl.h | 24 ++++++ + mozilla/security/nss/lib/ssl/sslsock.c | 74 +++++++++++++++++ + mozilla/security/nss/lib/ssl/sslt.h | 3 +- + 9 files changed, 302 insertions(+), 3 deletions(-) diff --git a/mozilla/security/nss/cmd/tstclnt/tstclnt.c b/mozilla/security/nss/cmd/tstclnt/tstclnt.c index 55684e6..d209a33 100644 diff --git a/net/third_party/nss/patches/ocspstapling.patch b/net/third_party/nss/patches/ocspstapling.patch index 4a6dcaf..4b342b9 100644 --- a/net/third_party/nss/patches/ocspstapling.patch +++ b/net/third_party/nss/patches/ocspstapling.patch @@ -1,8 +1,19 @@ -commit 5edecc25e3c8ec46e7708274f37096224c9b8b94 -Author: Adam Langley <agl@chromium.org> -Date: Mon Jun 20 16:12:27 2011 -0400 +From 5d8c33901f2b1be41afd1b0211bee5d5236a868d Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:21:00 -0400 +Subject: [PATCH] ocspstapling.patch - ocspstapling.patch +--- + mozilla/security/nss/lib/ssl/ssl.def | 1 + + mozilla/security/nss/lib/ssl/ssl.h | 18 +++++ + mozilla/security/nss/lib/ssl/ssl3con.c | 111 +++++++++++++++++++++++++++++++ + mozilla/security/nss/lib/ssl/ssl3ext.c | 78 +++++++++++++++++++++- + mozilla/security/nss/lib/ssl/ssl3prot.h | 1 + + mozilla/security/nss/lib/ssl/sslerr.h | 2 + + mozilla/security/nss/lib/ssl/sslimpl.h | 13 ++++ + mozilla/security/nss/lib/ssl/sslsock.c | 43 ++++++++++++ + mozilla/security/nss/lib/ssl/sslt.h | 3 +- + 9 files changed, 268 insertions(+), 2 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def index 0fa8777..35cc1e3 100644 diff --git a/net/third_party/nss/patches/origin_bound_certs.patch b/net/third_party/nss/patches/origin_bound_certs.patch index 99b0105..1f34654 100644 --- a/net/third_party/nss/patches/origin_bound_certs.patch +++ b/net/third_party/nss/patches/origin_bound_certs.patch @@ -1,11 +1,18 @@ -commit b5f89535668edebf59ac8186457d117572c05f2b -Author: Adam Langley <agl@chromium.org> -Date: Thu Jul 21 10:26:36 2011 -0400 +From 68d651bb679cd9da8f162774c5dcf40aad5ae3f1 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:25:10 -0400 +Subject: [PATCH] origin_bound_certs.patch - obcerts +--- + mozilla/security/nss/lib/ssl/ssl.h | 1 + + mozilla/security/nss/lib/ssl/ssl3ext.c | 82 +++++++++++++++++++++++++++++++- + mozilla/security/nss/lib/ssl/sslimpl.h | 7 +++ + mozilla/security/nss/lib/ssl/sslsock.c | 13 +++++- + mozilla/security/nss/lib/ssl/sslt.h | 5 +- + 5 files changed, 104 insertions(+), 4 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h -index 5682d0a..53ca301 100644 +index c32438d..1115fa9 100644 --- a/mozilla/security/nss/lib/ssl/ssl.h +++ b/mozilla/security/nss/lib/ssl/ssl.h @@ -142,6 +142,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); @@ -16,26 +23,8 @@ index 5682d0a..53ca301 100644 #ifdef SSL_DEPRECATED_FUNCTION /* Old deprecated function names */ -diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c -index c39b8f8..66071d2 100644 ---- a/mozilla/security/nss/lib/ssl/ssl3con.c -+++ b/mozilla/security/nss/lib/ssl/ssl3con.c -@@ -2352,9 +2352,10 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, - ssl_ReleaseSpecReadLock(ss); - - if (isBlockCipher && len > 0) { -- // We assume that block ciphers are used in CBC mode and prepend an -- // empty record. This effectively randomizes the IV in a backwards -- // compatible way. -+ /* We assume that block ciphers are used in CBC mode and prepend an -+ * empty record. This effectively randomizes the IV in a backwards -+ * compatible way. -+ */ - PRInt32 sent = ssl3_SendRecord(ss, content_application_data, - in, 0 /* no payload */, flags); - if (sent < 0) { diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c -index 79ed9e3..e54b4fd 100644 +index 17898fb..887344b 100644 --- a/mozilla/security/nss/lib/ssl/ssl3ext.c +++ b/mozilla/security/nss/lib/ssl/ssl3ext.c @@ -237,6 +237,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = { @@ -146,10 +135,10 @@ index 79ed9e3..e54b4fd 100644 + return SECSuccess; +} diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h -index 95a1eee..df30029 100644 +index f1e9a3e..973a3c9 100644 --- a/mozilla/security/nss/lib/ssl/sslimpl.h +++ b/mozilla/security/nss/lib/ssl/sslimpl.h -@@ -350,6 +350,7 @@ typedef struct sslOptionsStr { +@@ -341,6 +341,7 @@ typedef struct sslOptionsStr { unsigned int enableFalseStart : 1; /* 23 */ unsigned int enableOCSPStapling : 1; /* 24 */ unsigned int enableCachedInfo : 1; /* 25 */ @@ -157,7 +146,7 @@ index 95a1eee..df30029 100644 } sslOptions; typedef enum { sslHandshakingUndetermined = 0, -@@ -1573,10 +1574,14 @@ extern SECStatus ssl3_ClientHandleCachedInfoXtn(sslSocket *ss, +@@ -1547,10 +1548,14 @@ extern SECStatus ssl3_ClientHandleCachedInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); @@ -172,7 +161,7 @@ index 95a1eee..df30029 100644 /* ClientHello and ServerHello extension senders. * Note that not all extension senders are exposed here; only those that -@@ -1596,6 +1601,8 @@ extern PRInt32 ssl3_ClientSendCachedInfoXtn(sslSocket *ss, PRBool append, +@@ -1570,6 +1575,8 @@ extern PRInt32 ssl3_ClientSendCachedInfoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes); extern PRInt32 ssl3_ServerSendCachedInfoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes); @@ -182,7 +171,7 @@ index 95a1eee..df30029 100644 /* Assigns new cert, cert chain and keys to ss->serverCerts * struct. If certChain is NULL, tries to find one. Aborts if diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c -index 340d17c..68fd3cb 100644 +index 11b53da..7d12bfe 100644 --- a/mozilla/security/nss/lib/ssl/sslsock.c +++ b/mozilla/security/nss/lib/ssl/sslsock.c @@ -187,6 +187,7 @@ static sslOptions ssl_defaults = { @@ -193,7 +182,7 @@ index 340d17c..68fd3cb 100644 }; sslSessionIDLookupFunc ssl_sid_lookup; -@@ -752,6 +753,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) +@@ -748,6 +749,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) ss->opt.enableCachedInfo = on; break; @@ -204,7 +193,7 @@ index 340d17c..68fd3cb 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; -@@ -817,7 +822,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) +@@ -813,7 +818,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) on = ss->opt.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; @@ -214,7 +203,7 @@ index 340d17c..68fd3cb 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) +@@ -869,6 +875,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) on = ssl_defaults.enableOCSPStapling; break; case SSL_ENABLE_CACHED_INFO: on = ssl_defaults.enableCachedInfo; break; @@ -222,7 +211,7 @@ index 340d17c..68fd3cb 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -1028,6 +1035,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) +@@ -1024,6 +1031,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) ssl_defaults.enableCachedInfo = on; break; @@ -234,7 +223,7 @@ index 340d17c..68fd3cb 100644 PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; diff --git a/mozilla/security/nss/lib/ssl/sslt.h b/mozilla/security/nss/lib/ssl/sslt.h -index bca7496..907c1dc 100644 +index bca7496..5f852fe 100644 --- a/mozilla/security/nss/lib/ssl/sslt.h +++ b/mozilla/security/nss/lib/ssl/sslt.h @@ -206,9 +206,10 @@ typedef enum { diff --git a/net/third_party/nss/patches/peercertchain.patch b/net/third_party/nss/patches/peercertchain.patch index e923901..4615ba7 100644 --- a/net/third_party/nss/patches/peercertchain.patch +++ b/net/third_party/nss/patches/peercertchain.patch @@ -1,8 +1,13 @@ -commit 3833600af1d2e49f0d3b9381de10d120ddf0a03c -Author: Adam Langley <agl@chromium.org> -Date: Mon Jun 20 15:54:45 2011 -0400 +From 40714671513378227413d1542c2911c2f62e3840 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:20:43 -0400 +Subject: [PATCH] peercertchain.patch - peercertchain.patch +--- + mozilla/security/nss/lib/ssl/ssl.def | 1 + + mozilla/security/nss/lib/ssl/ssl.h | 11 +++++++++ + mozilla/security/nss/lib/ssl/sslauth.c | 36 ++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 0 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def index a1f4b51..0fa8777 100644 diff --git a/net/third_party/nss/patches/renegoscsv.patch b/net/third_party/nss/patches/renegoscsv.patch index fd24d43..8ed9dfc 100644 --- a/net/third_party/nss/patches/renegoscsv.patch +++ b/net/third_party/nss/patches/renegoscsv.patch @@ -1,8 +1,11 @@ -commit f11613336a772057cd102a02759a6e4d111503d1 -Author: Adam Langley <agl@chromium.org> -Date: Mon Jun 20 15:52:10 2011 -0400 +From 552c8d41b9ac9d55c8f1a861d81fc070a2a72aba Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:20:10 -0400 +Subject: [PATCH] renegoscsv.patch - renegoscsv.patch +--- + mozilla/security/nss/lib/ssl/ssl3con.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c index e0cb4e9..455a532 100644 diff --git a/net/third_party/nss/patches/restartclientauth.patch b/net/third_party/nss/patches/restartclientauth.patch index e95c263..f90825c 100644 --- a/net/third_party/nss/patches/restartclientauth.patch +++ b/net/third_party/nss/patches/restartclientauth.patch @@ -1,11 +1,20 @@ -Index: mozilla/security/nss/lib/ssl/ssl.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v -retrieving revision 1.38.2.4 -diff -u -p -r1.38.2.4 ssl.h ---- mozilla/security/nss/lib/ssl/ssl.h 8 Apr 2011 05:44:32 -0000 1.38.2.4 -+++ mozilla/security/nss/lib/ssl/ssl.h 18 Aug 2011 22:52:10 -0000 -@@ -220,6 +220,11 @@ SSL_IMPORT SECStatus SSL_ForceHandshake( +From 3c9aa423a3e721fc2223dc5f64d21cc5b4898d4e Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:27:03 -0400 +Subject: [PATCH] restartclientauth.patch + +--- + mozilla/security/nss/lib/ssl/ssl.h | 5 ++ + mozilla/security/nss/lib/ssl/ssl3con.c | 70 +++++++++++++++++++++---------- + mozilla/security/nss/lib/ssl/sslimpl.h | 4 -- + mozilla/security/nss/lib/ssl/sslsecur.c | 35 ++++++++++++--- + 4 files changed, 80 insertions(+), 34 deletions(-) + +diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h +index 835d3cf..7e748bd 100644 +--- a/mozilla/security/nss/lib/ssl/ssl.h ++++ b/mozilla/security/nss/lib/ssl/ssl.h +@@ -236,6 +236,11 @@ SSL_IMPORT SECStatus SSL_ForceHandshake(PRFileDesc *fd); SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd, PRIntervalTime timeout); @@ -17,14 +26,11 @@ diff -u -p -r1.38.2.4 ssl.h /* ** Query security status of socket. *on is set to one if security is ** enabled. *keySize will contain the stream key size used. *issuer will -Index: mozilla/security/nss/lib/ssl/ssl3con.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v -retrieving revision 1.142.2.5 -diff -u -p -r1.142.2.5 ssl3con.c ---- mozilla/security/nss/lib/ssl/ssl3con.c 25 Jan 2011 01:49:22 -0000 1.142.2.5 -+++ mozilla/security/nss/lib/ssl/ssl3con.c 18 Aug 2011 22:52:10 -0000 -@@ -5621,9 +5621,10 @@ done: +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index f8838d6..d372ee2 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c +@@ -5667,9 +5667,10 @@ done: * reference count. The caller should drop its reference * without calling CERT_DestroyCert after calling this function. * @@ -38,7 +44,7 @@ diff -u -p -r1.142.2.5 ssl3con.c * * certChain DER-encoded certs, client cert and its signers. * Note: ssl takes this reference, and does not copy the chain. -@@ -5643,27 +5644,50 @@ ssl3_RestartHandshakeAfterCertReq(sslSoc +@@ -5689,27 +5690,50 @@ ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, SECKEYPrivateKey * key, CERTCertificateList *certChain) { @@ -109,14 +115,11 @@ diff -u -p -r1.142.2.5 ssl3con.c } } return rv; -Index: mozilla/security/nss/lib/ssl/sslimpl.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v -retrieving revision 1.77.2.2 -diff -u -p -r1.77.2.2 sslimpl.h ---- mozilla/security/nss/lib/ssl/sslimpl.h 16 Mar 2011 18:55:38 -0000 1.77.2.2 -+++ mozilla/security/nss/lib/ssl/sslimpl.h 18 Aug 2011 22:52:10 -0000 -@@ -1310,10 +1310,6 @@ extern SECStatus ssl3_MasterKeyDeriveBy +diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h +index 906874a..70ff4c3 100644 +--- a/mozilla/security/nss/lib/ssl/sslimpl.h ++++ b/mozilla/security/nss/lib/ssl/sslimpl.h +@@ -1356,10 +1356,6 @@ extern SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec, extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error); extern int SSL_RestartHandshakeAfterServerCert(struct sslSocketStr *ss); @@ -127,14 +130,11 @@ diff -u -p -r1.77.2.2 sslimpl.h extern sslSocket *ssl_FindSocket(PRFileDesc *fd); extern void ssl_FreeSocket(struct sslSocketStr *ssl); extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, -Index: mozilla/security/nss/lib/ssl/sslsecur.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsecur.c,v -retrieving revision 1.43.2.4 -diff -u -p -r1.43.2.4 sslsecur.c ---- mozilla/security/nss/lib/ssl/sslsecur.c 8 Apr 2011 05:25:21 -0000 1.43.2.4 -+++ mozilla/security/nss/lib/ssl/sslsecur.c 18 Aug 2011 22:52:10 -0000 -@@ -1453,11 +1453,13 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERT +diff --git a/mozilla/security/nss/lib/ssl/sslsecur.c b/mozilla/security/nss/lib/ssl/sslsecur.c +index dc374e0..bb5f0eb 100644 +--- a/mozilla/security/nss/lib/ssl/sslsecur.c ++++ b/mozilla/security/nss/lib/ssl/sslsecur.c +@@ -1460,11 +1460,13 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle) * cert Client cert chosen by application. * Note: ssl takes this reference, and does not bump the * reference count. The caller should drop its reference @@ -152,7 +152,7 @@ diff -u -p -r1.43.2.4 sslsecur.c * * certChain Chain of signers for cert. * Note: ssl takes this reference, and does not copy the chain. -@@ -1469,19 +1471,38 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERT +@@ -1476,19 +1478,38 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle) * XXX This code only works on the initial handshake on a connection, XXX * It does not work on a subsequent handshake (redo). */ diff --git a/net/third_party/nss/patches/secret_exporter.patch b/net/third_party/nss/patches/secret_exporter.patch index 7e6eaa0..c6dc0e4 100644 --- a/net/third_party/nss/patches/secret_exporter.patch +++ b/net/third_party/nss/patches/secret_exporter.patch @@ -1,8 +1,15 @@ -commit c92170f883e6cfdc2c2dc6dbb49d3e6b8e9928f1 -Author: Adam Langley <agl@chromium.org> -Date: Thu Jul 21 11:34:32 2011 -0400 +From a30a1a87579d0a0d2950ee685a41bae428f38284 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:25:44 -0400 +Subject: [PATCH] secret_exporter.patch - secret_extractor.patch +--- + mozilla/security/nss/lib/ssl/ssl.def | 1 + + mozilla/security/nss/lib/ssl/ssl.h | 13 ++++++ + mozilla/security/nss/lib/ssl/ssl3con.c | 63 ++++++++++++++++++++----------- + mozilla/security/nss/lib/ssl/sslimpl.h | 6 +++ + mozilla/security/nss/lib/ssl/sslinfo.c | 64 ++++++++++++++++++++++++++++++++ + 5 files changed, 125 insertions(+), 22 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def index 7ef15db..1993d3e 100644 @@ -17,10 +24,10 @@ index 7ef15db..1993d3e 100644 SSL_GetStapledOCSPResponse; SSL_HandshakeResumedSession; diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h -index 53ca301..6b364bb 100644 +index 1115fa9..835d3cf 100644 --- a/mozilla/security/nss/lib/ssl/ssl.h +++ b/mozilla/security/nss/lib/ssl/ssl.h -@@ -686,6 +686,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, +@@ -653,6 +653,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, /* Returnes negotiated through SNI host info. */ SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd); @@ -41,10 +48,10 @@ index 53ca301..6b364bb 100644 ** Return a new reference to the certificate that was most recently sent ** to the peer on this SSL/TLS connection, or NULL if none has been sent. diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c -index 66071d2..3bda2f3 100644 +index 2648cbe..f8838d6 100644 --- a/mozilla/security/nss/lib/ssl/ssl3con.c +++ b/mozilla/security/nss/lib/ssl/ssl3con.c -@@ -8443,33 +8443,33 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) +@@ -8371,33 +8371,33 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) return rv; } @@ -94,7 +101,7 @@ index 66071d2..3bda2f3 100644 PK11_DestroyContext(prf_context, PR_TRUE); } else { -@@ -8478,17 +8478,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, +@@ -8406,17 +8406,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, SECItem outData = { siBuffer, }; PRBool isFIPS = PR_FALSE; @@ -138,10 +145,10 @@ index 66071d2..3bda2f3 100644 */ static SECStatus diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h -index df30029..073616f 100644 +index 973a3c9..906874a 100644 --- a/mozilla/security/nss/lib/ssl/sslimpl.h +++ b/mozilla/security/nss/lib/ssl/sslimpl.h -@@ -1726,6 +1726,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void); +@@ -1680,6 +1680,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void); SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd); PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite); diff --git a/net/third_party/nss/patches/versionskew.patch b/net/third_party/nss/patches/versionskew.patch index 0df63ea..c55df5a 100644 --- a/net/third_party/nss/patches/versionskew.patch +++ b/net/third_party/nss/patches/versionskew.patch @@ -1,8 +1,12 @@ -commit 47ee639fe155c26aed5ef6edba34be6d359a92c7 -Author: Adam Langley <agl@chromium.org> -Date: Mon Jun 20 15:50:01 2011 -0400 +From 9a71b466147bcd334243d62996558a609657c07c Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@chromium.org> +Date: Mon, 3 Oct 2011 12:19:48 -0400 +Subject: [PATCH] versionskew.patch - versionskew.patch +--- + mozilla/security/nss/lib/ssl/sslsecur.c | 5 +++++ + mozilla/security/nss/lib/ssl/sslsock.c | 6 ++++++ + 2 files changed, 11 insertions(+), 0 deletions(-) diff --git a/mozilla/security/nss/lib/ssl/sslsecur.c b/mozilla/security/nss/lib/ssl/sslsecur.c index a0cae54..816b8f6 100644 |