summaryrefslogtreecommitdiffstats
path: root/chromium/net/third_party/nss/patches/ciphersuiteversion.patch
diff options
context:
space:
mode:
Diffstat (limited to 'chromium/net/third_party/nss/patches/ciphersuiteversion.patch')
-rw-r--r--chromium/net/third_party/nss/patches/ciphersuiteversion.patch169
1 files changed, 0 insertions, 169 deletions
diff --git a/chromium/net/third_party/nss/patches/ciphersuiteversion.patch b/chromium/net/third_party/nss/patches/ciphersuiteversion.patch
deleted file mode 100644
index 3967f17dcd6..00000000000
--- a/chromium/net/third_party/nss/patches/ciphersuiteversion.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
-index bc54c99..1245393 100644
---- a/nss/lib/ssl/ssl3con.c
-+++ b/nss/lib/ssl/ssl3con.c
-@@ -631,8 +631,9 @@ void SSL_AtomicIncrementLong(long * x)
- }
-
- static PRBool
--ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
-- SSL3ProtocolVersion version)
-+ssl3_CipherSuiteAllowedForVersionRange(
-+ ssl3CipherSuite cipherSuite,
-+ const SSLVersionRange *vrange)
- {
- switch (cipherSuite) {
- /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
-@@ -649,7 +650,9 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
- * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented
- * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented
- */
-- return version <= SSL_LIBRARY_VERSION_TLS_1_0;
-+ return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
-+ case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
-+ case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
- case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
- case TLS_RSA_WITH_AES_256_CBC_SHA256:
- case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
-@@ -661,7 +664,7 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
- case TLS_RSA_WITH_AES_128_CBC_SHA256:
- case TLS_RSA_WITH_AES_128_GCM_SHA256:
- case TLS_RSA_WITH_NULL_SHA256:
-- return version >= SSL_LIBRARY_VERSION_TLS_1_2;
-+ return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
- default:
- return PR_TRUE;
- }
-@@ -804,7 +807,8 @@ ssl3_config_match_init(sslSocket *ss)
- }
-
-
--/* return PR_TRUE if suite matches policy and enabled state */
-+/* return PR_TRUE if suite matches policy, enabled state and is applicable to
-+ * the given version range. */
- /* It would be a REALLY BAD THING (tm) if we ever permitted the use
- ** of a cipher that was NOT_ALLOWED. So, if this is ever called with
- ** policy == SSL_NOT_ALLOWED, report no match.
-@@ -812,7 +816,8 @@ ssl3_config_match_init(sslSocket *ss)
- /* adjust suite enabled to the availability of a token that can do the
- * cipher suite. */
- static PRBool
--config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
-+config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
-+ const SSLVersionRange *vrange)
- {
- PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
- if (policy == SSL_NOT_ALLOWED || !enabled)
-@@ -820,10 +825,13 @@ config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
- return (PRBool)(suite->enabled &&
- suite->isPresent &&
- suite->policy != SSL_NOT_ALLOWED &&
-- suite->policy <= policy);
-+ suite->policy <= policy &&
-+ ssl3_CipherSuiteAllowedForVersionRange(
-+ suite->cipher_suite, vrange));
- }
-
--/* return number of cipher suites that match policy and enabled state */
-+/* return number of cipher suites that match policy, enabled state and are
-+ * applicable for the configured protocol version range. */
- /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
- static int
- count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
-@@ -834,7 +842,7 @@ count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
- return 0;
- }
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-- if (config_match(&ss->cipherSuites[i], policy, enabled))
-+ if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
- count++;
- }
- if (count <= 0) {
-@@ -5294,7 +5302,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
- }
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-- if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
-+ if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
- actual_count++;
- if (actual_count > num_suites) {
- /* set error card removal/insertion error */
-@@ -6359,15 +6367,19 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
- if (temp == suite->cipher_suite) {
-- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
-+ SSLVersionRange vrange = {ss->version, ss->version};
-+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
-+ /* config_match already checks whether the cipher suite is
-+ * acceptable for the version, but the check is repeated here
-+ * in order to give a more precise error code. */
-+ if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) {
-+ desc = handshake_failure;
-+ errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
-+ goto alert_loser;
-+ }
-+
- break; /* failure */
- }
-- if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
-- ss->version)) {
-- desc = handshake_failure;
-- errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
-- goto alert_loser;
-- }
-
- suite_found = PR_TRUE;
- break; /* success */
-@@ -8008,6 +8020,9 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- */
- if (sid) do {
- ssl3CipherSuiteCfg *suite;
-+#ifdef PARANOID
-+ SSLVersionRange vrange = {ss->version, ss->version};
-+#endif
-
- /* Check that the cached compression method is still enabled. */
- if (!compressionEnabled(ss, sid->u.ssl3.compression))
-@@ -8036,7 +8051,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- * The product policy won't change during the process lifetime.
- * Implemented ("isPresent") shouldn't change for servers.
- */
-- if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
-+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange))
- break;
- #else
- if (!suite->enabled)
-@@ -8084,9 +8099,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- */
- for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
-- !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
-- ss->version)) {
-+ SSLVersionRange vrange = {ss->version, ss->version};
-+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
- continue;
- }
- for (i = 0; i + 1 < suites.len; i += 2) {
-@@ -8619,9 +8633,8 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
- */
- for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
-- !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
-- ss->version)) {
-+ SSLVersionRange vrange = {ss->version, ss->version};
-+ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
- continue;
- }
- for (i = 0; i+2 < suite_length; i += 3) {
-@@ -12324,7 +12337,7 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
- /* ssl3_config_match_init was called by the caller of this function. */
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
-+ if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) {
- if (cs != NULL) {
- *cs++ = 0x00;
- *cs++ = (suite->cipher_suite >> 8) & 0xFF;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-07 20:20:36 +0000