Workaround a bug in NSS when using DHE+client authentication.

net/third_party/nss/ssl/ssl3con.c

 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
@@ skipping 4825 matching lines @@
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
 #ifdef NSS_PLATFORM_CLIENT_AUTH
     rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
                                  &buf, isTLS);
     if (rv == SECSuccess) {
         sslSessionID * sid = ss->sec.ci.sid;
         ssl_GetPlatformAuthInfoForKey(ss->ssl3.platformClientKey,
                                       &sid->u.ssl3.clPlatformAuthInfo);
         sid->u.ssl3.clPlatformAuthValid = PR_TRUE;
     }
-    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
-        ssl_FreePlatformKey(ss->ssl3.platformClientKey);
-        ss->ssl3.platformClientKey = (PlatformKey)NULL;
-    }
+    ssl_FreePlatformKey(ss->ssl3.platformClientKey);
+    ss->ssl3.platformClientKey = (PlatformKey)NULL;
 #else /* NSS_PLATFORM_CLIENT_AUTH */
     rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
     if (rv == SECSuccess) {
         PK11SlotInfo * slot;
         sslSessionID * sid   = ss->sec.ci.sid;
 
         /* Remember the info about the slot that did the signing.
         ** Later, when doing an SSL restart handshake, verify this.
         ** These calls are mere accessors, and can't fail.
         */
         slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
         sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
         sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
         sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
         sid->u.ssl3.clAuthValid      = PR_TRUE;
         PK11_FreeSlot(slot);
     }
-    /* If we're doing RSA key exchange, we're all done with the private key

[wtc, 2010/12/08 03:04:14]

I think we should still do something here.

It seems that even for fixed DH, we would be done with
the client private key (and client certificate and client
cert chain) here.  We would do the DH key derivation in
ssl3_SendCertificate, when we send the client's fixed DH
certificate. Agreed?

[Ryan Sleevi, 2010/12/08 07:19:35]

Er, yes, agreed. I'm assuming you meant ssl3_SendClientKeyExchange, rather than
ssl3_SendCertificate, since an empty client key exchange is still sent for fixed
DH. But yes, by the time this code is reached, the premaster secret should
already have been derived (whether from a fixed key or ephemeral), so there's no
point in holding onto the key.

[wtc, 2010/12/08 19:24:42]

I didn't know that.  Yes, in that case, we can derive the
premaster secret for fixed DH in ssl3_SendClientKeyExchange.

-     * here.  Diffie-Hellman key exchanges need the client's
-     * private key for the key exchange.
-     */
-    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
+    /* Fixed DH is not supported, so the private key is no longer needed. */

[wtc, 2010/12/07 02:47:13]

This comment should explain the consequences of not destroying
the client private key here.

Please fix the indentation of the next two lines (lines
4866-4867).

         SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
         ss->ssl3.clientPrivateKey = NULL;
-    }
 #endif /* NSS_PLATFORM_CLIENT_AUTH */
     if (rv != SECSuccess) {
         goto done;      /* err code was set by ssl3_SignHashes */
     }
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
     if (rv != SECSuccess) {
         goto done;      /* error code set by AppendHandshake */
     }
     rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
@@ skipping 5003 matching lines @@
 
     ss->ssl3.initialized = PR_FALSE;
 
     if (ss->ssl3.nextProto.data) {
         PORT_Free(ss->ssl3.nextProto.data);
         ss->ssl3.nextProto.data = NULL;
     }
 }
 
 /* End of ssl3con.c */