authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-22 17:29:30 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-22 17:29:30 +0000
commitdcdcbbbd6d066cbba6074546a740125c7163bffc (patch)
treef5f12ab7ed4ab76367c6a5a659b0ae3b2cc12102 /net/third_party
parente02f4bf475f03ac9a1dff9763cea55f484cafe3b (diff)
NSS: send a fatal alert if the ChannelID callback fails.
By the time that NSS makes a ChannelID callback, we have already committed to sending a ChannelID on the current connection. Therefore, if we cannot supply one, it's fatal to the connection. The only time that we should fail to generate a keypair is if we've been compiled without ECC support. In that case, we need to ensure that we don't advertise ChannelID support in the first place.
BUG=127506
TEST=none
Review URL: https://chromiumcodereview.appspot.com/10640007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@143629 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r--net/third_party/nss/patches/channelid.patch15
-rw-r--r--net/third_party/nss/ssl/ssl3con.c3
2 files changed, 10 insertions, 8 deletions
diff --git a/net/third_party/nss/patches/channelid.patch b/net/third_party/nss/patches/channelid.patch
index 0484daa..bdac018 100644
--- a/net/third_party/nss/patches/channelid.patch
+++ b/net/third_party/nss/patches/channelid.patch
@@ -55,7 +55,7 @@ index 1368e2f..9b3a199 100644
** How long should we wait before retransmitting the next flight of
** the DTLS handshake? Returns SECFailure if not DTLS or not in a
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
-index db9fad3..6780a84 100644
+index db9fad3..cb2906f 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -86,6 +86,7 @@ static SECStatus ssl3_SendCertificate( sslSocket *ss);
@@ -97,7 +97,7 @@ index db9fad3..6780a84 100644
} while (0);
if (sid_match)
-@@ -5483,6 +5492,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -5483,6 +5492,27 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
ss->ssl3.hs.isResuming = PR_FALSE;
ss->ssl3.hs.ws = wait_server_cert;
@@ -117,14 +117,15 @@ index db9fad3..6780a84 100644
+ ss->ssl3.channelIDPub == NULL ||
+ ss->ssl3.channelID == NULL) {
+ PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
-+ goto loser;
++ desc = internal_error;
++ goto alert_loser;
+ }
+ }
+
return SECSuccess;
alert_loser:
-@@ -6239,6 +6268,10 @@ ssl3_SendClientSecondRound(sslSocket *ss)
+@@ -6239,6 +6269,10 @@ ssl3_SendClientSecondRound(sslSocket *ss)
goto loser; /* err code was set. */
}
}
@@ -135,7 +136,7 @@ index db9fad3..6780a84 100644
rv = ssl3_SendFinished(ss, 0);
if (rv != SECSuccess) {
-@@ -8855,6 +8888,164 @@ ssl3_SendNextProto(sslSocket *ss)
+@@ -8855,6 +8889,164 @@ ssl3_SendNextProto(sslSocket *ss)
return rv;
}
@@ -300,7 +301,7 @@ index db9fad3..6780a84 100644
/* called from ssl3_HandleServerHelloDone
* ssl3_HandleClientHello
* ssl3_HandleFinished
-@@ -9105,11 +9296,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
+@@ -9105,11 +9297,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
}
@@ -321,7 +322,7 @@ index db9fad3..6780a84 100644
}
if (IS_DTLS(ss)) {
-@@ -10376,6 +10572,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -10376,6 +10573,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
ssl_FreePlatformKey(ss->ssl3.platformClientKey);
#endif /* NSS_PLATFORM_CLIENT_AUTH */
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 4cf011b..0f1cdc6 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -5509,7 +5509,8 @@ winner:
ss->ssl3.channelIDPub == NULL ||
ss->ssl3.channelID == NULL) {
PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
- goto loser;
+ desc = internal_error;
+ goto alert_loser;
}
}
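Review bot: The error code set by `PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED)` on the line before the new `goto alert_loser` can be lost on the new path, because the alert_loser label (outside this hunk) presumably sends the fatal alert after that call, and a failed alert write would set its own error; if the function's loser epilogue then re-sets the error from a local such as errCode, as the other alert_loser paths in ssl3_HandleServerHello appear to do, the ChannelID-specific reason is overwritten entirely. If that local exists, the two changed lines are better written as `errCode = SSL_ERROR_GET_CHANNEL_ID_FAILED; desc = internal_error; goto alert_loser;` in place of the PORT_SetError call, so the caller still sees why the handshake was aborted — worth confirming against the epilogue. Tearing the connection down here rather than continuing without a bound ChannelID is the right outcome; the point is only that the reported failure reason should survive the alert. The enclosing function ssl3_HandleServerHello starts and ends outside the hunk. The same change is mirrored in net/third_party/nss/patches/channelid.patch above and should be kept in step with whatever is decided here.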