| Index: net/third_party/nss/ssl/ssl3ecc.c |
| =================================================================== |
| --- net/third_party/nss/ssl/ssl3ecc.c (revision 196870) |
| +++ net/third_party/nss/ssl/ssl3ecc.c (working copy) |
| @@ -6,7 +6,7 @@ |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| /* ECC code moved here from ssl3con.c */ |
| -/* $Id: ssl3ecc.c,v 1.29 2012/06/11 02:38:30 emaldona%redhat.com Exp $ */ |
| +/* $Id$ */ |
| #include "nss.h" |
| #include "cert.h" |
| @@ -969,7 +969,16 @@ |
| ssl3_IsECCEnabled(sslSocket * ss) |
| { |
| const ssl3CipherSuite * suite; |
| + PK11SlotInfo *slot; |
| + /* make sure we can do ECC */ |
| + slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss->pkcs11PinArg); |
| + if (!slot) { |
| + return PR_FALSE; |
| + } |
| + PK11_FreeSlot(slot); |
| + |
| + /* make sure an ECC cipher is enabled */ |
| for (suite = ecSuites; *suite; ++suite) { |
| PRBool enabled = PR_FALSE; |
| SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled); |
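Review bot: The new capability probe reads `ss->pkcs11PinArg` without checking `ss`, while the disabled path in ssl3_SuiteBOnly in this same patch uses `ss ? ss->pkcs11PinArg : NULL`. The one caller visible on this page tests `!ss` before calling, but other callers are not shown, so either state the non-NULL precondition in the function comment or use the guarded form, `slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss ? ss->pkcs11PinArg : NULL);`. The comment `/* make sure we can do ECC */` could also say that a missing ECDH-capable token makes the function return PR_FALSE, which in the visible caller suppresses the Supported Curves extension. The function body continues outside the hunk.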
| @@ -983,21 +992,20 @@ |
| #define BE(n) 0, n |
| -#ifndef NSS_ECC_MORE_THAN_SUITE_B |
| /* Prefabricated TLS client hello extension, Elliptic Curves List, |
| * offers only 3 curves, the Suite B curves, 23-25 |
| */ |
| -static const PRUint8 EClist[12] = { |
| +static const PRUint8 suiteBECList[12] = { |
| BE(10), /* Extension type */ |
| BE( 8), /* octets that follow ( 3 pairs + 1 length pair) */ |
| BE( 6), /* octets that follow ( 3 pairs) */ |
| BE(23), BE(24), BE(25) |
| }; |
| -#else |
| + |
| /* Prefabricated TLS client hello extension, Elliptic Curves List, |
| * offers curves 1-25. |
| */ |
| -static const PRUint8 EClist[56] = { |
| +static const PRUint8 tlsECList[56] = { |
| BE(10), /* Extension type */ |
| BE(52), /* octets that follow (25 pairs + 1 length pair) */ |
| BE(50), /* octets that follow (25 pairs) */ |
| @@ -1006,7 +1014,6 @@ |
| BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23), |
| BE(24), BE(25) |
| }; |
| -#endif |
| static const PRUint8 ECPtFmt[6] = { |
| BE(11), /* Extension type */ |
| @@ -1015,6 +1022,33 @@ |
| 0 /* uncompressed type only */ |
| }; |
| +/* This function already presumes we can do ECC, ssl_IsECCEnabled must be |
| + * called before this function. It looks to see if we have a token which |
| + * is capable of doing smaller than SuiteB curves. If the token can, we |
| + * presume the token can do the whole SSL suite of curves. If it can't we |
| + * presume the token that allowed ECC to be enabled can only do suite B |
| + * curves. */ |
| +static PRBool |
| +ssl3_SuiteBOnly(sslSocket *ss) |
| +{ |
| +#if 0 |
| + /* look to see if we can handle certs less than 163 bits */ |
| + PK11SlotInfo *slot = |
| + PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163, |
| + ss ? ss->pkcs11PinArg : NULL); |
| + |
| + if (!slot) { |
| + /* nope, presume we can only do suite B */ |
| + return PR_TRUE; |
| + } |
| + /* we can, presume we can do all curves */ |
| + PK11_FreeSlot(slot); |
| + return PR_FALSE; |
| +#else |
| + return PR_TRUE; |
| +#endif |
| +} |
| + |
| /* Send our "canned" (precompiled) Supported Elliptic Curves extension, |
| * which says that we support all TLS-defined named curves. |
| */ |
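Review bot: The comment above ssl3_SuiteBOnly describes a token probe, but the probe sits under `#if 0` and the function as written always returns PR_TRUE, so the comment should say that the probe is disabled and why. It also names `ssl_IsECCEnabled`, whereas the function in this file is `ssl3_IsECCEnabled`, and `/* look to see if we can handle certs less than 163 bits */` appears to mean key sizes rather than certificates. The context comment at the end of the hunk still says the extension advertises "all TLS-defined named curves", which no longer holds when only suiteBECList is sent. A wording such as `/* ... which advertises either the Suite B curves or all TLS-defined named curves, depending on ssl3_SuiteBOnly(). */` would keep it accurate.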
| @@ -1024,10 +1058,22 @@ |
| PRBool append, |
| PRUint32 maxBytes) |
| { |
| + int ECListSize = 0; |
|
agl
2013/05/02 14:43:57
nit: starting with a capital letter is odd for a l
wtc
2013/05/02 22:32:00
Done.
|
| + const PRUint8 *ECList = NULL; |
| + |
| if (!ss || !ssl3_IsECCEnabled(ss)) |
| return 0; |
| - if (append && maxBytes >= (sizeof EClist)) { |
| - SECStatus rv = ssl3_AppendHandshake(ss, EClist, (sizeof EClist)); |
| + |
| + if (ssl3_SuiteBOnly(ss)) { |
| + ECListSize = sizeof (suiteBECList); |
| + ECList = suiteBECList; |
| + } else { |
| + ECListSize = sizeof (tlsECList); |
| + ECList = tlsECList; |
| + } |
| + |
| + if (append && maxBytes >= ECListSize) { |
| + SECStatus rv = ssl3_AppendHandshake(ss, ECList, ECListSize); |
| if (rv != SECSuccess) |
| return -1; |
| if (!ss->sec.isServer) { |
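Review bot: `maxBytes >= ECListSize` now compares a `PRUint32` with a signed `int`, where the old code compared against `sizeof EClist`. The length is always one of the two array sizes, so the result is correct today, but the bound check then relies on the signed value never being negative and will trip -Wsign-compare. Writing `if (append && maxBytes >= (PRUint32)ECListSize) {` keeps both sides of the check unsigned without touching the return statements. The function's signature and tail lie outside this hunk.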
| @@ -1036,9 +1082,18 @@ |
| ssl_elliptic_curves_xtn; |
| } |
| } |
| - return (sizeof EClist); |
| + return ECListSize; |
| } |
| +PRInt32 |
| +ssl3_GetSupportedECCCurveMask(sslSocket *ss) |
| +{ |
| + if (ssl3_SuiteBOnly(ss)) { |
| + return SSL3_SUITE_B_SUPPORTED_CURVES_MASK; |
| + } |
| + return SSL3_ALL_SUPPORTED_CURVES_MASK; |
| +} |
| + |
| /* Send our "canned" (precompiled) Supported Point Formats extension, |
| * which says that we only support uncompressed points. |
| */ |
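Review bot: ssl3_GetSupportedECCCurveMask is added without `static` and without a comment, and nothing here records that its result has to agree with the curve list chosen for the Supported Curves extension. Both depend on ssl3_SuiteBOnly, and that coupling is worth writing down so one is not changed without the other; otherwise the advertised curves and the curves actually accepted could diverge. A header such as `/* Returns the mask of named curves this socket will negotiate; must stay consistent with the list sent in the supported-curves extension (suiteBECList or tlsECList). */` would do, with the meaning of the mask bits confirmed against where the two mask macros are defined, which is not visible on this page.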