Diffstat (limited to 'net')
-rw-r--r-- | net/third_party/nss/README.chromium (renamed from net/third_party/nss/README.google) | 5 | ||||
-rw-r--r-- | net/third_party/nss/patches/renegoscsv.patch | 29 | ||||
-rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 4 |
3 files changed, 36 insertions, 2 deletions
diff --git a/net/third_party/nss/README.google b/net/third_party/nss/README.chromium
index ce46e1a..d319060 100644
--- a/net/third_party/nss/README.google
+++ b/net/third_party/nss/README.chromium
@@ -13,5 +13,10 @@ Patches: which may not exist in the system NSS library. patches/versionskew.patch + * Send empty renegotiation info extension instead of SCSV unless TLS is + disabled. + patches/renegoscsv.patch + https://bugzilla.mozilla.org/show_bug.cgi?id=549042 + The ssl/bodge directory contains files taken from the NSS repo that we required for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/renegoscsv.patch b/net/third_party/nss/patches/renegoscsv.patch
new file mode 100644
index 0000000..a9c188c
--- /dev/null
+++ b/net/third_party/nss/patches/renegoscsv.patch
@@ -0,0 +1,29 @@
+Index: mozilla/security/nss/lib/ssl/ssl3con.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
+retrieving revision 1.136
+diff -u -p -u -8 -r1.136 ssl3con.c
+--- mozilla/security/nss/lib/ssl/ssl3con.c 17 Feb 2010 02:29:07 -0000 1.136
++++ mozilla/security/nss/lib/ssl/ssl3con.c 27 Feb 2010 02:55:21 -0000
+@@ -3863,19 +3863,19 @@ ssl3_SendClientHello(sslSocket *ss)
+ }
+ 
+ /* how many suites does our PKCS11 support (regardless of policy)? */
+ num_suites = ssl3_config_match_init(ss);
+ if (!num_suites)
+ return SECFailure; /* ssl3_config_match_init has set error code. */
+ 
+ /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
+- * only if we're willing to complete an SSL 3.0 handshake.
++ * only if TLS is disabled.
+ */
+- if (!ss->firstHsDone && ss->opt.enableSSL3) {
++ if (!ss->firstHsDone && !isTLS) {
+ /* Must set this before calling Hello Extension Senders,
+ * to suppress sending of empty RI extension.
+ */
+ ss->ssl3.hs.sendingSCSV = PR_TRUE;
+ }
+ 
+ if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
+ PRUint32 maxBytes = 65535; /* 2^16 - 1 */
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 545e51e..9a56a91 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -3869,9 +3869,9 @@ ssl3_SendClientHello(sslSocket *ss)
 return SECFailure; /* ssl3_config_match_init has set error code. */
 
 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
- * only if we're willing to complete an SSL 3.0 handshake.
+ * only if TLS is disabled.
 */
- if (!ss->firstHsDone && ss->opt.enableSSL3) {
+ if (!ss->firstHsDone && !isTLS) {
 /* Must set this before calling Hello Extension Senders,
 * to suppress sending of empty RI extension.
 */ |
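Review bot: The rewritten comment `* only if TLS is disabled.` describes a configuration setting while the code tests `!isTLS`, a flag assigned earlier in ssl3_SendClientHello outside this hunk; if isTLS tracks the version this particular ClientHello offers rather than the socket's TLS option, an SSL 3.0 hello sent while TLS is still enabled also takes the SCSV path, and the comment would then misstate when SCSV is chosen. Tying the comment to the mechanism rather than the option would be more durable, e.g. `* only for an SSL 3.0 hello: hello extensions (and so the empty RI extension) are only sent when isTLS is set below.`, which matches the `if (isTLS || ...)` guard visible in the patch context. The same two changed lines are duplicated in the new patches/renegoscsv.patch, so any comment fix should land in both files to keep the patch in sync with the vendored ssl3con.c. ssl3_SendClientHello starts and ends outside the hunk.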