diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-13 16:48:59 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-13 16:48:59 +0000 |
| commit | a65b40124becc4fa82224f40012a8deb29ded66a (patch) | |
| tree | cf5e6ff5b2bf2416d25ed8f03347edbe3cb64821 /net | |
| parent | 33e9215cf129c9ede3bc373119bda7c3093262aa (diff) | |
| download | chromium_src-a65b40124becc4fa82224f40012a8deb29ded66a.zip chromium_src-a65b40124becc4fa82224f40012a8deb29ded66a.tar.gz chromium_src-a65b40124becc4fa82224f40012a8deb29ded66a.tar.bz2 | |
Update to NSS 3.12.7.
R=agl
BUG=51694
TEST=No build errors or test failures.
Review URL: http://codereview.chromium.org/3177012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56042 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
| -rw-r--r-- | net/third_party/nss/README.chromium | 2 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/Makefile | 5 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl.h | 10 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 85 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3ecc.c | 4 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3ext.c | 10 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3prot.h | 4 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslcon.c | 4 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslerr.h | 4 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslgathr.c | 32 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslmutex.c | 6 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslproto.h | 6 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslsnce.c | 11 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslsock.c | 12 |
14 files changed, 100 insertions, 95 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium index 0159106..a16796e 100644 --- a/net/third_party/nss/README.chromium +++ b/net/third_party/nss/README.chromium @@ -4,7 +4,7 @@ URL: http://www.mozilla.org/projects/security/pki/nss/ This directory includes a copy of NSS's libssl from the CVS repo at: :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot -The snapshot was updated to the CVS tag: NSS_3_12_6_RC0 +The snapshot was updated to the CVS tag: NSS_3_12_7_RTM Patches: diff --git a/net/third_party/nss/ssl/Makefile b/net/third_party/nss/ssl/Makefile index 3949fb4..a777569 100644 --- a/net/third_party/nss/ssl/Makefile +++ b/net/third_party/nss/ssl/Makefile @@ -71,11 +71,6 @@ CSRCS += unix_err.c endif endif -ifdef USE_SYSTEM_ZLIB -DEFINES += -DNSS_ENABLE_ZLIB -EXTRA_LIBS += $(ZLIB_LIBS) -endif - ####################################################################### # (5) Execute "global" rules. (OPTIONAL) # ####################################################################### diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h index a2e3984..d87ae56 100644 --- a/net/third_party/nss/ssl/ssl.h +++ b/net/third_party/nss/ssl/ssl.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl.h,v 1.36 2010/02/10 18:07:21 wtc%google.com Exp $ */ +/* $Id: ssl.h,v 1.38 2010/02/17 02:29:07 wtc%google.com Exp $ */ #ifndef __ssl_h_ #define __ssl_h_ @@ -123,7 +123,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); #define SSL_ENABLE_DEFLATE 19 /* Enable TLS compression with */ /* DEFLATE (off by default) */ #define SSL_ENABLE_RENEGOTIATION 20 /* Values below (default: never) */ -#define SSL_REQUIRE_SAFE_NEGOTIATION 21 /* Peer must send Signalling */ +#define SSL_REQUIRE_SAFE_NEGOTIATION 21 /* Peer must send Signaling */ /* Cipher Suite Value (SCSV) or */ /* Renegotiation Info (RI) */ /* extension in ALL handshakes. */ @@ -207,9 +207,11 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); /* Only renegotiate if the peer's hello bears the TLS renegotiation_info */ /* extension. This is safe renegotiation. */ #define SSL_RENEGOTIATE_REQUIRES_XTN ((PRBool)2) -/* Disallow all renegotiation in server sockets only, but allow clients */ +/* Disallow unsafe renegotiation in server sockets only, but allow clients */ /* to continue to renegotiate with vulnerable servers. */ -#define SSL_RENEGOTIATE_CLIENT_ONLY ((PRBool)3) +/* This value should only be used during the transition period when few */ +/* servers have been upgraded. */ +#define SSL_RENEGOTIATE_TRANSITIONAL ((PRBool)3) /* ** Reset the handshake state for fd. This will make the complete SSL diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c index 5b194a6..0a138d7 100644 --- a/net/third_party/nss/ssl/ssl3con.c +++ b/net/third_party/nss/ssl/ssl3con.c @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3con.c,v 1.134 2010/02/03 03:44:29 wtc%google.com Exp $ */ +/* $Id: ssl3con.c,v 1.142 2010/06/24 19:53:20 wtc%google.com Exp $ */ #include "cert.h" #include "ssl.h" @@ -570,11 +570,11 @@ typedef struct tooLongStr { void SSL_AtomicIncrementLong(long * x) { if ((sizeof *x) == sizeof(PRInt32)) { - PR_AtomicIncrement((PRInt32 *)x); + PR_ATOMIC_INCREMENT((PRInt32 *)x); } else { tooLong * tl = (tooLong *)x; - if (PR_AtomicIncrement(&tl->low) == 0) - PR_AtomicIncrement(&tl->high); + if (PR_ATOMIC_INCREMENT(&tl->low) == 0) + PR_ATOMIC_INCREMENT(&tl->high); } } @@ -2614,7 +2614,8 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf) case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT; break; case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break; - case decryption_failed: error = SSL_ERROR_DECRYPTION_FAILED_ALERT; + case decryption_failed_RESERVED: + error = SSL_ERROR_DECRYPTION_FAILED_ALERT; break; case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break; case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT; @@ -3954,7 +3955,7 @@ ssl3_SendClientHello(sslSocket *ss) if (ss->ssl3.hs.sendingSCSV) { /* Add the actual SCSV */ - rv = ssl3_AppendHandshakeNumber(ss, TLS_RENEGO_PROTECTION_REQUEST, + rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, sizeof(ssl3CipherSuite)); if (rv != SECSuccess) { return rv; /* err set by ssl3_AppendHandshake* */ @@ -5311,14 +5312,22 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (rv != SECSuccess) { goto loser; /* malformed. */ } + if (dh_p.len < 512/8) + goto alert_loser; rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); if (rv != SECSuccess) { goto loser; /* malformed. */ } + if (dh_g.len == 0 || dh_g.len > dh_p.len + 1 || + (dh_g.len == 1 && dh_g.data[0] == 0)) + goto alert_loser; rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); if (rv != SECSuccess) { goto loser; /* malformed. */ } + if (dh_Ys.len == 0 || dh_Ys.len > dh_p.len + 1 || + (dh_Ys.len == 1 && dh_Ys.data[0] == 0)) + goto alert_loser; rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); if (rv != SECSuccess) { goto loser; /* malformed. */ @@ -6005,8 +6014,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; } if (ss->ssl3.hs.ws == idle_handshake && - (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER || - ss->opt.enableRenegotiation == SSL_RENEGOTIATE_CLIENT_ONLY)) { + ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { desc = no_renegotiation; level = alert_warning; errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; @@ -6082,7 +6090,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) */ for (i = 0; i + 1 < suites.len; i += 2) { PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; - if (suite_i == TLS_RENEGO_PROTECTION_REQUEST) { + if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) { SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext; PRUint32 L2 = sizeof emptyRIext; (void)ssl3_HandleHelloExtensions(ss, &b2, &L2); @@ -6091,7 +6099,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } } if (ss->firstHsDone && - ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN && + (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN || + ss->opt.enableRenegotiation == SSL_RENEGOTIATE_TRANSITIONAL) && !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) { desc = no_renegotiation; level = alert_warning; @@ -6797,7 +6806,7 @@ suite_found: */ for (i = 0; i+2 < suite_length; i += 3) { PRUint32 suite_i = (suites[i] << 16) | (suites[i+1] << 8) | suites[i+2]; - if (suite_i == TLS_RENEGO_PROTECTION_REQUEST) { + if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) { SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext; PRUint32 L2 = sizeof emptyRIext; (void)ssl3_HandleHelloExtensions(ss, &b2, &L2); @@ -7598,7 +7607,7 @@ get_fake_cert(SECItem *pCertItem, int *pIndex) } *pIndex = (NULL != strstr(testdir, "root")); extension = (strstr(testdir, "simple") ? "" : ".der"); - fileNum = PR_AtomicIncrement(&connNum) - 1; + fileNum = PR_ATOMIC_INCREMENT(&connNum) - 1; if ((startat = PR_GetEnv("START_AT")) != NULL) { fileNum += atoi(startat); } @@ -8982,27 +8991,29 @@ const ssl3BulkCipherDef *cipher_def; PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); if (rv != SECSuccess) { - int err = ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE); - ssl_ReleaseSpecReadLock(ss); - SSL3_SendAlert(ss, alert_fatal, - isTLS ? decryption_failed : bad_record_mac); - PORT_SetError(err); - return SECFailure; + /* All decryption failures must be treated like a bad record + * MAC; see RFC 5246 (TLS 1.2). + */ + padIsBad = PR_TRUE; } /* If it's a block cipher, check and strip the padding. */ - if (cipher_def->type == type_block) { - padding_length = *(plaintext->buf + plaintext->len - 1); + if (cipher_def->type == type_block && !padIsBad) { + PRUint8 * pPaddingLen = plaintext->buf + plaintext->len - 1; + padding_length = *pPaddingLen; /* TLS permits padding to exceed the block size, up to 255 bytes. */ if (padding_length + 1 + crSpec->mac_size > plaintext->len) padIsBad = PR_TRUE; - /* if TLS, check value of first padding byte. */ - else if (padding_length && isTLS && - padding_length != *(plaintext->buf + - plaintext->len - (padding_length + 1))) - padIsBad = PR_TRUE; - else - plaintext->len -= padding_length + 1; + else { + plaintext->len -= padding_length + 1; + /* In TLS all padding bytes must be equal to the padding length. */ + if (isTLS) { + PRUint8 *p; + for (p = pPaddingLen - padding_length; p < pPaddingLen; ++p) { + padIsBad |= *p ^ padding_length; + } + } + } } /* Remove the MAC. */ @@ -9017,11 +9028,7 @@ const ssl3BulkCipherDef *cipher_def; rType, cText->version, crSpec->read_seq_num, plaintext->buf, plaintext->len, hash, &hashBytes); if (rv != SECSuccess) { - int err = ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); - ssl_ReleaseSpecReadLock(ss); - SSL3_SendAlert(ss, alert_fatal, bad_record_mac); - PORT_SetError(err); - return rv; + padIsBad = PR_TRUE; /* really macIsBad */ } /* Check the MAC */ @@ -9120,7 +9127,11 @@ const ssl3BulkCipherDef *cipher_def; ** function, not by this function. */ if (rType == content_application_data) { - return SECSuccess; + if (ss->firstHsDone) + return SECSuccess; + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA); + return SECFailure; } /* It's a record that must be handled by ssl itself, not the application. @@ -9279,14 +9290,14 @@ ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey) ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair) { - PR_AtomicIncrement(&keyPair->refCount); + PR_ATOMIC_INCREMENT(&keyPair->refCount); return keyPair; } void ssl3_FreeKeyPair(ssl3KeyPair * keyPair) { - PRInt32 newCount = PR_AtomicDecrement(&keyPair->refCount); + PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); if (!newCount) { if (keyPair->privKey) SECKEY_DestroyPrivateKey(keyPair->privKey); @@ -9502,9 +9513,7 @@ ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache) PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); return SECFailure; } - if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER || - (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_CLIENT_ONLY && - ss->sec.isServer)) { + if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); return SECFailure; } diff --git a/net/third_party/nss/ssl/ssl3ecc.c b/net/third_party/nss/ssl/ssl3ecc.c index 42720e5..778c7ab 100644 --- a/net/third_party/nss/ssl/ssl3ecc.c +++ b/net/third_party/nss/ssl/ssl3ecc.c @@ -40,7 +40,7 @@ * ***** END LICENSE BLOCK ***** */ /* ECC code moved here from ssl3con.c */ -/* $Id: ssl3ecc.c,v 1.23 2010/01/28 16:14:25 kaie%kuix.de Exp $ */ +/* $Id: ssl3ecc.c,v 1.24 2010/03/15 08:03:14 nelson%bolyard.com Exp $ */ #include "nss.h" #include "cert.h" @@ -288,7 +288,7 @@ ssl3_ComputeECDHKeyHash(SECItem ec_params, SECItem server_ecpoint, PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", hashes->md5, MD5_LENGTH)); PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); - if (hashBuf != buf && hashBuf != NULL) + if (hashBuf != buf) PORT_Free(hashBuf); return rv; } diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c index b6d52fd..d291be6 100644 --- a/net/third_party/nss/ssl/ssl3ext.c +++ b/net/third_party/nss/ssl/ssl3ext.c @@ -41,7 +41,7 @@ * ***** END LICENSE BLOCK ***** */ /* TLS extension code moved here from ssl3ecc.c */ -/* $Id: ssl3ext.c,v 1.11 2010/02/03 02:38:20 wtc%google.com Exp $ */ +/* $Id: ssl3ext.c,v 1.14 2010/04/03 19:19:07 nelson%bolyard.com Exp $ */ #include "nssrenam.h" #include "nss.h" @@ -314,12 +314,14 @@ ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) { SECStatus rv; + if (!ss) + return 0; if (!ss->sec.isServer) { PRUint32 len; PRNetAddr netAddr; /* must have a hostname */ - if (!ss || !ss->url || !ss->url[0]) + if (!ss->url || !ss->url[0]) return 0; /* must not be an IPv4 or IPv6 address */ if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { @@ -1623,8 +1625,8 @@ ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) data->data[0] != len || (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, data->data + 1, len))) { - /* Can we do this here? Or, must we arrange for the caller to do it? */ - (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); + /* Can we do this here? Or, must we arrange for the caller to do it? */ + (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); return SECFailure; } diff --git a/net/third_party/nss/ssl/ssl3prot.h b/net/third_party/nss/ssl/ssl3prot.h index c82c891..f3c950e 100644 --- a/net/third_party/nss/ssl/ssl3prot.h +++ b/net/third_party/nss/ssl/ssl3prot.h @@ -38,7 +38,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3prot.h,v 1.18 2010/02/03 02:25:35 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: ssl3prot.h,v 1.19 2010/06/24 09:24:18 nelson%bolyard.com Exp $ */ #ifndef __ssl3proto_h_ #define __ssl3proto_h_ @@ -108,7 +108,7 @@ typedef enum { close_notify = 0, unexpected_message = 10, bad_record_mac = 20, - decryption_failed = 21, /* TLS only */ + decryption_failed_RESERVED = 21, /* do not send; see RFC 5246 */ record_overflow = 22, /* TLS only */ decompression_failure = 30, handshake_failure = 40, diff --git a/net/third_party/nss/ssl/sslcon.c b/net/third_party/nss/ssl/sslcon.c index c02b315..4e34554 100644 --- a/net/third_party/nss/ssl/sslcon.c +++ b/net/third_party/nss/ssl/sslcon.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslcon.c,v 1.39 2010/02/04 03:08:44 wtc%google.com Exp $ */ +/* $Id: sslcon.c,v 1.40 2010/04/25 23:37:38 nelson%bolyard.com Exp $ */ #include "nssrenam.h" #include "cert.h" @@ -1861,7 +1861,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss, } preferred = ss->preferredCipher ? ss->preferredCipher : noneSuch; /* - ** Scan list of ciphers recieved from peer and look for a match in + ** Scan list of ciphers received from peer and look for a match in ** our list. * Note: Our list may contain SSL v3 ciphers. * We MUST NOT match on any of those. diff --git a/net/third_party/nss/ssl/sslerr.h b/net/third_party/nss/ssl/sslerr.h index 61b721c..2f021e7 100644 --- a/net/third_party/nss/ssl/sslerr.h +++ b/net/third_party/nss/ssl/sslerr.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslerr.h,v 1.10 2010/02/03 03:44:29 wtc%google.com Exp $ */ +/* $Id: sslerr.h,v 1.11 2010/06/24 09:24:18 nelson%bolyard.com Exp $ */ #ifndef __SSL_ERR_H_ #define __SSL_ERR_H_ @@ -149,7 +149,7 @@ SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 68), SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 69), SSL_ERROR_ENCRYPTION_FAILURE = (SSL_ERROR_BASE + 70), -SSL_ERROR_DECRYPTION_FAILURE = (SSL_ERROR_BASE + 71), +SSL_ERROR_DECRYPTION_FAILURE = (SSL_ERROR_BASE + 71), /* don't use */ SSL_ERROR_SOCKET_WRITE_FAILURE = (SSL_ERROR_BASE + 72), SSL_ERROR_MD5_DIGEST_FAILURE = (SSL_ERROR_BASE + 73), diff --git a/net/third_party/nss/ssl/sslgathr.c b/net/third_party/nss/ssl/sslgathr.c index 23f52a2..92c0e8a 100644 --- a/net/third_party/nss/ssl/sslgathr.c +++ b/net/third_party/nss/ssl/sslgathr.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslgathr.c,v 1.10 2009/10/16 17:45:35 wtc%google.com Exp $ */ +/* $Id: sslgathr.c,v 1.12 2010/04/25 23:37:38 nelson%bolyard.com Exp $ */ #include "cert.h" #include "ssl.h" #include "sslimpl.h" @@ -272,7 +272,7 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags) goto spec_locked_done; } - /* Decrypt the portion of data that we just recieved. + /* Decrypt the portion of data that we just received. ** Decrypt it in place. */ rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset, @@ -303,25 +303,25 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags) gs->offset - macLen); (*ss->sec.hash->update)(ss->sec.hashcx, seq, 4); (*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen); - } - PORT_Assert(macLen == ss->sec.hash->length); + PORT_Assert(macLen == ss->sec.hash->length); - ssl_ReleaseSpecReadLock(ss); /******************************/ + ssl_ReleaseSpecReadLock(ss); /******************************/ - if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) { - /* MAC's didn't match... */ - SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d", - SSL_GETPID(), ss->fd, ss->sec.rcvSequence)); - PRINT_BUF(1, (ss, "computed mac:", mac, macLen)); - PRINT_BUF(1, (ss, "received mac:", pBuf, macLen)); - PORT_SetError(SSL_ERROR_BAD_MAC_READ); - rv = SECFailure; - goto cleanup; + if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) { + /* MAC's didn't match... */ + SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d", + SSL_GETPID(), ss->fd, ss->sec.rcvSequence)); + PRINT_BUF(1, (ss, "computed mac:", mac, macLen)); + PRINT_BUF(1, (ss, "received mac:", pBuf, macLen)); + PORT_SetError(SSL_ERROR_BAD_MAC_READ); + rv = SECFailure; + goto cleanup; + } + } else { + ssl_ReleaseSpecReadLock(ss); /******************************/ } - - PORT_Assert(gs->recordPadding + macLen <= gs->offset); if (gs->recordPadding + macLen <= gs->offset) { gs->recordOffset = macLen; gs->readOffset = macLen; diff --git a/net/third_party/nss/ssl/sslmutex.c b/net/third_party/nss/ssl/sslmutex.c index 6b5dbd16..8403365 100644 --- a/net/third_party/nss/ssl/sslmutex.c +++ b/net/third_party/nss/ssl/sslmutex.c @@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslmutex.c,v 1.24 2009/06/05 02:34:14 nelson%bolyard.com Exp $ */ +/* $Id: sslmutex.c,v 1.25 2010/04/03 18:27:33 nelson%bolyard.com Exp $ */ #include "seccomon.h" /* This ifdef should match the one in sslsnce.c */ @@ -211,7 +211,7 @@ sslMutex_Unlock(sslMutex *pMutex) return SECFailure; } /* Do Memory Barrier here. */ - newValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters); + newValue = PR_ATOMIC_DECREMENT(&pMutex->u.pipeStr.nWaiters); if (newValue > 0) { int cc; char c = 1; @@ -241,7 +241,7 @@ sslMutex_Lock(sslMutex *pMutex) PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } - newValue = PR_AtomicIncrement(&pMutex->u.pipeStr.nWaiters); + newValue = PR_ATOMIC_INCREMENT(&pMutex->u.pipeStr.nWaiters); /* Do Memory Barrier here. */ if (newValue > 1) { int cc; diff --git a/net/third_party/nss/ssl/sslproto.h b/net/third_party/nss/ssl/sslproto.h index bf7b71b..b534d0b 100644 --- a/net/third_party/nss/ssl/sslproto.h +++ b/net/third_party/nss/ssl/sslproto.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslproto.h,v 1.14 2010/01/28 06:19:12 nelson%bolyard.com Exp $ */ +/* $Id: sslproto.h,v 1.15 2010/02/16 18:56:48 wtc%google.com Exp $ */ #ifndef __sslproto_h_ #define __sslproto_h_ @@ -181,11 +181,11 @@ #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 -/* TLS "Signalling Cipher Suite Value" (SCSV). May be requested by client. +/* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending * back an empty Renegotiation Info (RI) server hello extension. */ -#define TLS_RENEGO_PROTECTION_REQUEST 0x00FF +#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF /* Cipher Suite Values starting with 0xC000 are defined in informational * RFCs. diff --git a/net/third_party/nss/ssl/sslsnce.c b/net/third_party/nss/ssl/sslsnce.c index 5658dc2..6c73f25 100644 --- a/net/third_party/nss/ssl/sslsnce.c +++ b/net/third_party/nss/ssl/sslsnce.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsnce.c,v 1.52 2010/01/14 22:15:25 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: sslsnce.c,v 1.54 2010/07/05 19:31:56 alexei.volkov.bugs%sun.com Exp $ */ /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server * cache sids! @@ -820,7 +820,7 @@ ServerSessionIDLookup(const PRIPv6Addr *addr, pcce = 0; } } - if ((cndx = psce->u.ssl3.srvNameIndex) != -1) { + if (psce && ((cndx = psce->u.ssl3.srvNameIndex) != -1)) { PRUint32 gotLock = LockSidCacheLock(cache->srvNameCacheLock, now); if (gotLock) { @@ -1104,8 +1104,8 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries, cache->numCertCacheEntries = (maxCertCacheEntries > 0) ? maxCertCacheEntries : 0; - cache->numSrvNameCacheEntries = (maxSrvNameCacheEntries > 0) ? - maxSrvNameCacheEntries : 0; + cache->numSrvNameCacheEntries = (maxSrvNameCacheEntries >= 0) ? + maxSrvNameCacheEntries : DEF_NAME_CACHE_ENTRIES; /* compute size of shared memory, and offsets of all pointers */ ptr = 0; @@ -1168,9 +1168,6 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries, ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); cache->srvNameCacheData = (srvNameCacheEntry *)ptr; - if (cache->numSrvNameCacheEntries < 0) { - cache->numSrvNameCacheEntries = DEF_NAME_CACHE_ENTRIES; - } cache->srvNameCacheSize = cache->numSrvNameCacheEntries * sizeof(srvNameCacheEntry); ptr = (ptrdiff_t)(cache->srvNameCacheData + cache->numSrvNameCacheEntries); diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c index c4611a0..ca0d714 100644 --- a/net/third_party/nss/ssl/sslsock.c +++ b/net/third_party/nss/ssl/sslsock.c @@ -40,7 +40,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsock.c,v 1.64 2010/01/28 06:19:13 nelson%bolyard.com Exp $ */ +/* $Id: sslsock.c,v 1.67 2010/04/25 23:37:38 nelson%bolyard.com Exp $ */ #include "seccomon.h" #include "cert.h" #include "keyhi.h" @@ -329,7 +329,7 @@ ssl_DupSocket(sslSocket *os) ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); /* - * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL. + * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. * XXX We should detect this, and not just march on with NULL pointers. */ ss->authCertificate = os->authCertificate; @@ -2390,10 +2390,10 @@ ssl_NewSocket(PRBool makeLocks) ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; else if (ev[0] == '0' || LOWER(ev[0]) == 'n') ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; - else if (ev[0] == '3' || LOWER(ev[0]) == 'c') - ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_CLIENT_ONLY; - else - ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; + else if (ev[0] == '2' || LOWER(ev[0]) == 'r') + ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; + else if (ev[0] == '3' || LOWER(ev[0]) == 't') + ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; SSL_TRACE(("SSL: enableRenegotiation set to %d", ssl_defaults.enableRenegotiation)); } |