summaryrefslogtreecommitdiffstats
path: root/net/third_party/nss/patches
diff options
context:
space:
mode:
Diffstat (limited to 'net/third_party/nss/patches')
-rwxr-xr-xnet/third_party/nss/patches/applypatches.sh2
-rw-r--r--net/third_party/nss/patches/secret_exporter2.patch228
2 files changed, 230 insertions, 0 deletions
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index 48cbe52..1356eab 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -38,3 +38,5 @@ patch -p6 < $patches_dir/restartclientauth.patch
patch -p6 < $patches_dir/encryptedclientcerts.patch
patch -p5 < $patches_dir/nextprotocleanup.patch
+
+patch -p4 < $patches_dir/secret_exporter2.patch
diff --git a/net/third_party/nss/patches/secret_exporter2.patch b/net/third_party/nss/patches/secret_exporter2.patch
new file mode 100644
index 0000000..695754d
--- /dev/null
+++ b/net/third_party/nss/patches/secret_exporter2.patch
@@ -0,0 +1,228 @@
+Index: net/third_party/nss/ssl/ssl.h
+===================================================================
+--- net/third_party/nss/ssl/ssl.h (revision 125777)
++++ net/third_party/nss/ssl/ssl.h (working copy)
+@@ -792,12 +792,14 @@
+
+ /* Export keying material according to RFC 5705.
+ ** fd must correspond to a TLS 1.0 or higher socket and out must
+-** already be allocated. If contextLen is zero it uses the no-context
+-** construction from the RFC.
++** already be allocated. If hasContext is false, it uses the no-context
++** construction from the RFC and ignores the context and contextLen
++** arguments.
+ */
+ SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
+ const char *label,
+ unsigned int labelLen,
++ PRBool hasContext,
+ const unsigned char *context,
+ unsigned int contextLen,
+ unsigned char *out,
+Index: net/third_party/nss/ssl/sslinfo.c
+===================================================================
+--- net/third_party/nss/ssl/sslinfo.c (revision 125777)
++++ net/third_party/nss/ssl/sslinfo.c (working copy)
+@@ -317,18 +317,12 @@
+ return PR_FALSE;
+ }
+
+-/* Export keying material according to RFC 5705.
+-** fd must correspond to a TLS 1.0 or higher socket, out must
+-** be already allocated.
+-*/
+ SECStatus
+ SSL_ExportKeyingMaterial(PRFileDesc *fd,
+- const char *label,
+- unsigned int labelLen,
+- const unsigned char *context,
+- unsigned int contextLen,
+- unsigned char *out,
+- unsigned int outLen)
++ const char *label, unsigned int labelLen,
++ PRBool hasContext,
++ const unsigned char *context, unsigned int contextLen,
++ unsigned char *out, unsigned int outLen)
+ {
+ sslSocket *ss;
+ unsigned char *val = NULL;
+@@ -347,18 +341,21 @@
+ return SECFailure;
+ }
+
++ /* construct PRF arguments */
+ valLen = SSL3_RANDOM_LENGTH * 2;
+- if (contextLen > 0)
++ if (hasContext) {
+ valLen += 2 /* uint16 length */ + contextLen;
++ }
+ val = PORT_Alloc(valLen);
+- if (val == NULL)
++ if (!val) {
+ return SECFailure;
++ }
+ i = 0;
+ PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
+ i += SSL3_RANDOM_LENGTH;
+ PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH);
+ i += SSL3_RANDOM_LENGTH;
+- if (contextLen > 0) {
++ if (hasContext) {
+ val[i++] = contextLen >> 8;
+ val[i++] = contextLen;
+ PORT_Memcpy(val + i, context, contextLen);
+@@ -366,6 +363,9 @@
+ }
+ PORT_Assert(i == valLen);
+
++ /* Allow TLS keying material to be exported sooner, when the master
++ * secret is available and we have sent ChangeCipherSpec.
++ */
+ ssl_GetSpecReadLock(ss);
+ if (!ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len) {
+ PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
+Index: net/third_party/nss/ssl/sslimpl.h
+===================================================================
+--- net/third_party/nss/ssl/sslimpl.h (revision 125777)
++++ net/third_party/nss/ssl/sslimpl.h (working copy)
+@@ -1715,11 +1715,11 @@
+ SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
+ PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
+
+-SECStatus ssl3_TLSPRFWithMasterSecret(
+- ssl3CipherSpec *spec, const char *label,
+- unsigned int labelLen, const unsigned char *val,
+- unsigned int valLen, unsigned char *out,
+- unsigned int outLen);
++extern SECStatus
++ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
++ const char *label, unsigned int labelLen,
++ const unsigned char *val, unsigned int valLen,
++ unsigned char *out, unsigned int outLen);
+
+ #ifdef TRACE
+ #define SSL_TRACE(msg) ssl_Trace msg
+Index: net/third_party/nss/ssl/ssl3ext.c
+===================================================================
+--- net/third_party/nss/ssl/ssl3ext.c (revision 125777)
++++ net/third_party/nss/ssl/ssl3ext.c (working copy)
+@@ -606,10 +606,7 @@
+ unsigned char resultBuffer[255];
+ SECItem result = { siBuffer, resultBuffer, 0 };
+
+- if (ss->firstHsDone) {
+- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+- return SECFailure;
+- }
++ PORT_Assert(!ss->firstHsDone);
+
+ rv = ssl3_ValidateNextProtoNego(data->data, data->len);
+ if (rv != SECSuccess)
+@@ -621,6 +618,8 @@
+ */
+ PORT_Assert(ss->nextProtoCallback != NULL);
+ if (!ss->nextProtoCallback) {
++ /* XXX Use a better error code. This is an application error, not an
++ * NSS bug. */
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+@@ -631,7 +630,7 @@
+ return rv;
+ /* If the callback wrote more than allowed to |result| it has corrupted our
+ * stack. */
+- if (result.len > sizeof result) {
++ if (result.len > sizeof resultBuffer) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+Index: net/third_party/nss/ssl/sslsock.c
+===================================================================
+--- net/third_party/nss/ssl/sslsock.c (revision 125777)
++++ net/third_party/nss/ssl/sslsock.c (working copy)
+@@ -1344,7 +1344,7 @@
+ return SECSuccess;
+ }
+
+-/* NextProtoStandardCallback is set as an NPN callback for the case when
++/* ssl_NextProtoNegoCallback is set as an NPN callback for the case when
+ * SSL_SetNextProtoNego is used.
+ */
+ static SECStatus
+@@ -1390,12 +1390,12 @@
+ result = ss->opt.nextProtoNego.data;
+
+ found:
+- *protoOutLen = result[0];
+ if (protoMaxLen < result[0]) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+ memcpy(protoOut, result + 1, result[0]);
++ *protoOutLen = result[0];
+ return SECSuccess;
+ }
+
+@@ -1449,13 +1449,12 @@
+
+ if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT &&
+ ss->ssl3.nextProto.data) {
+- *bufLen = ss->ssl3.nextProto.len;
+- if (*bufLen > bufLenMax) {
++ if (ss->ssl3.nextProto.len > bufLenMax) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+- *bufLen = 0;
+ return SECFailure;
+ }
+ PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
++ *bufLen = ss->ssl3.nextProto.len;
+ } else {
+ *bufLen = 0;
+ }
+Index: net/third_party/nss/ssl/ssl3con.c
+===================================================================
+--- net/third_party/nss/ssl/ssl3con.c (revision 125777)
++++ net/third_party/nss/ssl/ssl3con.c (working copy)
+@@ -8484,9 +8484,9 @@
+ return rv;
+ }
+
+-/* The calling function must acquire and release the appropriate lock (i.e.,
+- * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any
+- * label must already be concatenated onto the beginning of val.
++/* The calling function must acquire and release the appropriate
++ * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
++ * ss->ssl3.crSpec).
+ */
+ SECStatus
+ ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
+@@ -8508,8 +8508,7 @@
+ rv = PK11_DigestBegin(prf_context);
+ rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
+ rv |= PK11_DigestOp(prf_context, val, valLen);
+- rv |= PK11_DigestFinal(prf_context, out,
+- &retLen, outLen);
++ rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
+ PORT_Assert(rv != SECSuccess || retLen == outLen);
+
+ PK11_DestroyContext(prf_context, PR_TRUE);
+@@ -8532,15 +8531,15 @@
+ static SECStatus
+ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
+ PRBool isServer,
+- const SSL3Finished * hashes,
+- TLSFinished * tlsFinished)
++ const SSL3Finished * hashes,
++ TLSFinished * tlsFinished)
+ {
+ const char * label;
+- SECStatus rv;
+ unsigned int len;
++ SECStatus rv;
+
+ label = isServer ? "server finished" : "client finished";
+- len = 15;
++ len = 15;
+
+ rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5,
+ sizeof *hashes, tlsFinished->verify_data,
generated by cgit v1.1 at 2024-12-27 07:57:13 +0000