diff options
Diffstat (limited to 'chromium/net/third_party/nss/patches/cipherorder.patch')
-rw-r--r-- | chromium/net/third_party/nss/patches/cipherorder.patch | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/chromium/net/third_party/nss/patches/cipherorder.patch b/chromium/net/third_party/nss/patches/cipherorder.patch new file mode 100644 index 00000000000..16d4745dcd8 --- /dev/null +++ b/chromium/net/third_party/nss/patches/cipherorder.patch @@ -0,0 +1,106 @@ +diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h +index 4cf02aa..24627ed 100644 +--- a/nss/lib/ssl/ssl.h ++++ b/nss/lib/ssl/ssl.h +@@ -265,6 +265,13 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); + SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); + SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); + ++/* SSL_CipherOrderSet sets the cipher suite preference order from |ciphers|, ++ * which must be an array of cipher suite ids of length |len|. All the given ++ * cipher suite ids must appear in the array that is returned by ++ * |SSL_GetImplementedCiphers| and may only appear once, at most. */ ++SSL_IMPORT SECStatus SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, ++ unsigned int len); ++ + /* SSLChannelBindingType enumerates the types of supported channel binding + * values. See RFC 5929. */ + typedef enum SSLChannelBindingType { +diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c +index c2d9eeb..350d09c 100644 +--- a/nss/lib/ssl/ssl3con.c ++++ b/nss/lib/ssl/ssl3con.c +@@ -12423,6 +12423,46 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled) + return rv; + } + ++SECStatus ++ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int len) ++{ ++ /* |i| iterates over |ciphers| while |done| and |j| iterate over ++ * |ss->cipherSuites|. */ ++ unsigned int i, done; ++ ++ for (i = done = 0; i < len; i++) { ++ PRUint16 id = ciphers[i]; ++ unsigned int existingIndex, j; ++ PRBool found = PR_FALSE; ++ ++ for (j = done; j < ssl_V3_SUITES_IMPLEMENTED; j++) { ++ if (ss->cipherSuites[j].cipher_suite == id) { ++ existingIndex = j; ++ found = PR_TRUE; ++ break; ++ } ++ } ++ ++ if (!found) { ++ continue; ++ } ++ ++ if (existingIndex != done) { ++ const ssl3CipherSuiteCfg temp = ss->cipherSuites[done]; ++ ss->cipherSuites[done] = ss->cipherSuites[existingIndex]; ++ ss->cipherSuites[existingIndex] = temp; ++ } ++ done++; ++ } ++ ++ /* Disable all cipher suites that weren't included. */ ++ for (; done < ssl_V3_SUITES_IMPLEMENTED; done++) { ++ ss->cipherSuites[done].enabled = 0; ++ } ++ ++ return SECSuccess; ++} ++ + /* copy global default policy into socket. */ + void + ssl3_InitSocketPolicy(sslSocket *ss) +diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h +index 1e4655f..7521dba 100644 +--- a/nss/lib/ssl/sslimpl.h ++++ b/nss/lib/ssl/sslimpl.h +@@ -1711,6 +1711,8 @@ extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool + extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on); + extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled); + extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled); ++extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *cipher, ++ unsigned int len); + + extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); + extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); +diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c +index 965215d..9f8286c 100644 +--- a/nss/lib/ssl/sslsock.c ++++ b/nss/lib/ssl/sslsock.c +@@ -1344,6 +1344,19 @@ SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled) + return rv; + } + ++SECStatus ++SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) ++{ ++ sslSocket *ss = ssl_FindSocket(fd); ++ ++ if (!ss) { ++ SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), ++ fd)); ++ return SECFailure; ++ } ++ return ssl3_CipherOrderSet(ss, ciphers, len); ++} ++ + SECStatus + SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) + { |