Workaround a bug in NSS when using DHE+client authentication.

net/third_party/nss/ssl/ssl3con.c

Index: net/third_party/nss/ssl/ssl3con.c
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index d56bb97b802b4b5fd094480bd33b37d44ab831cf..7d4d7a16030111ac21b6c162326220728bfd93fd 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -4843,10 +4843,8 @@ ssl3_SendCertificateVerify(sslSocket *ss)
                                       &sid->u.ssl3.clPlatformAuthInfo);
         sid->u.ssl3.clPlatformAuthValid = PR_TRUE;
     }
-    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
-        ssl_FreePlatformKey(ss->ssl3.platformClientKey);
-        ss->ssl3.platformClientKey = (PlatformKey)NULL;
-    }
+    ssl_FreePlatformKey(ss->ssl3.platformClientKey);
+    ss->ssl3.platformClientKey = (PlatformKey)NULL;
 #else /* NSS_PLATFORM_CLIENT_AUTH */
     rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
     if (rv == SECSuccess) {
@@ -4864,14 +4862,9 @@ ssl3_SendCertificateVerify(sslSocket *ss)
 	sid->u.ssl3.clAuthValid      = PR_TRUE;
 	PK11_FreeSlot(slot);
     }
-    /* If we're doing RSA key exchange, we're all done with the private key

[wtc, 2010/12/08 03:04:14]

I think we should still do something here.

It seems that even for fixed DH, we would be done with
the client private key (and client certificate and client
cert chain) here.  We would do the DH key derivation in
ssl3_SendCertificate, when we send the client's fixed DH
certificate. Agreed?

[Ryan Sleevi, 2010/12/08 07:19:35]

Er, yes, agreed. I'm assuming you meant ssl3_SendClientKeyExchange, rather than
ssl3_SendCertificate, since an empty client key exchange is still sent for fixed
DH. But yes, by the time this code is reached, the premaster secret should
already have been derived (whether from a fixed key or ephemeral), so there's no
point in holding onto the key.

[wtc, 2010/12/08 19:24:42]

I didn't know that.  Yes, in that case, we can derive the
premaster secret for fixed DH in ssl3_SendClientKeyExchange.

-     * here.  Diffie-Hellman key exchanges need the client's
-     * private key for the key exchange.
-     */
-    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
+    /* Fixed DH is not supported, so the private key is no longer needed. */

[wtc, 2010/12/07 02:47:13]

This comment should explain the consequences of not destroying
the client private key here.

Please fix the indentation of the next two lines (lines
4866-4867).

 	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
 	ss->ssl3.clientPrivateKey = NULL;
-    }
 #endif /* NSS_PLATFORM_CLIENT_AUTH */
     if (rv != SECSuccess) {
 	goto done;	/* err code was set by ssl3_SignHashes */