diff options
Diffstat (limited to 'chromium/net/third_party/nss/patches/ciphersuiteversion.patch')
-rw-r--r-- | chromium/net/third_party/nss/patches/ciphersuiteversion.patch | 169 |
1 files changed, 0 insertions, 169 deletions
diff --git a/chromium/net/third_party/nss/patches/ciphersuiteversion.patch b/chromium/net/third_party/nss/patches/ciphersuiteversion.patch deleted file mode 100644 index 3967f17dcd6..00000000000 --- a/chromium/net/third_party/nss/patches/ciphersuiteversion.patch +++ /dev/null @@ -1,169 +0,0 @@ -diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c -index bc54c99..1245393 100644 ---- a/nss/lib/ssl/ssl3con.c -+++ b/nss/lib/ssl/ssl3con.c -@@ -631,8 +631,9 @@ void SSL_AtomicIncrementLong(long * x) - } - - static PRBool --ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite, -- SSL3ProtocolVersion version) -+ssl3_CipherSuiteAllowedForVersionRange( -+ ssl3CipherSuite cipherSuite, -+ const SSLVersionRange *vrange) - { - switch (cipherSuite) { - /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or -@@ -649,7 +650,9 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite, - * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented - * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented - */ -- return version <= SSL_LIBRARY_VERSION_TLS_1_0; -+ return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; -+ case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: -+ case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case TLS_RSA_WITH_AES_256_CBC_SHA256: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: -@@ -661,7 +664,7 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite, - case TLS_RSA_WITH_AES_128_CBC_SHA256: - case TLS_RSA_WITH_AES_128_GCM_SHA256: - case TLS_RSA_WITH_NULL_SHA256: -- return version >= SSL_LIBRARY_VERSION_TLS_1_2; -+ return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; - default: - return PR_TRUE; - } -@@ -804,7 +807,8 @@ ssl3_config_match_init(sslSocket *ss) - } - - --/* return PR_TRUE if suite matches policy and enabled state */ -+/* return PR_TRUE if suite matches policy, enabled state and is applicable to -+ * the given version range. */ - /* It would be a REALLY BAD THING (tm) if we ever permitted the use - ** of a cipher that was NOT_ALLOWED. So, if this is ever called with - ** policy == SSL_NOT_ALLOWED, report no match. -@@ -812,7 +816,8 @@ ssl3_config_match_init(sslSocket *ss) - /* adjust suite enabled to the availability of a token that can do the - * cipher suite. */ - static PRBool --config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) -+config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, -+ const SSLVersionRange *vrange) - { - PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); - if (policy == SSL_NOT_ALLOWED || !enabled) -@@ -820,10 +825,13 @@ config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) - return (PRBool)(suite->enabled && - suite->isPresent && - suite->policy != SSL_NOT_ALLOWED && -- suite->policy <= policy); -+ suite->policy <= policy && -+ ssl3_CipherSuiteAllowedForVersionRange( -+ suite->cipher_suite, vrange)); - } - --/* return number of cipher suites that match policy and enabled state */ -+/* return number of cipher suites that match policy, enabled state and are -+ * applicable for the configured protocol version range. */ - /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ - static int - count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) -@@ -834,7 +842,7 @@ count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) - return 0; - } - for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { -- if (config_match(&ss->cipherSuites[i], policy, enabled)) -+ if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange)) - count++; - } - if (count <= 0) { -@@ -5294,7 +5302,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) - } - for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { - ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; -- if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { -+ if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { - actual_count++; - if (actual_count > num_suites) { - /* set error card removal/insertion error */ -@@ -6359,15 +6367,19 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) - for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { - ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; - if (temp == suite->cipher_suite) { -- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) { -+ SSLVersionRange vrange = {ss->version, ss->version}; -+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { -+ /* config_match already checks whether the cipher suite is -+ * acceptable for the version, but the check is repeated here -+ * in order to give a more precise error code. */ -+ if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) { -+ desc = handshake_failure; -+ errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; -+ goto alert_loser; -+ } -+ - break; /* failure */ - } -- if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, -- ss->version)) { -- desc = handshake_failure; -- errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; -- goto alert_loser; -- } - - suite_found = PR_TRUE; - break; /* success */ -@@ -8008,6 +8020,9 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) - */ - if (sid) do { - ssl3CipherSuiteCfg *suite; -+#ifdef PARANOID -+ SSLVersionRange vrange = {ss->version, ss->version}; -+#endif - - /* Check that the cached compression method is still enabled. */ - if (!compressionEnabled(ss, sid->u.ssl3.compression)) -@@ -8036,7 +8051,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) - * The product policy won't change during the process lifetime. - * Implemented ("isPresent") shouldn't change for servers. - */ -- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) -+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) - break; - #else - if (!suite->enabled) -@@ -8084,9 +8099,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) - */ - for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { - ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; -- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || -- !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, -- ss->version)) { -+ SSLVersionRange vrange = {ss->version, ss->version}; -+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { - continue; - } - for (i = 0; i + 1 < suites.len; i += 2) { -@@ -8619,9 +8633,8 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) - */ - for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { - ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; -- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || -- !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, -- ss->version)) { -+ SSLVersionRange vrange = {ss->version, ss->version}; -+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { - continue; - } - for (i = 0; i+2 < suite_length; i += 3) { -@@ -12324,7 +12337,7 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) - /* ssl3_config_match_init was called by the caller of this function. */ - for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { - ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; -- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { -+ if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) { - if (cs != NULL) { - *cs++ = 0x00; - *cs++ = (suite->cipher_suite >> 8) & 0xFF; |