| Index: net/third_party/nss/ssl/ssl3con.c
|
| diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
|
| index d56bb97b802b4b5fd094480bd33b37d44ab831cf..f5c08800547f672f719672a433d8d04229b3d17a 100644
|
| --- a/net/third_party/nss/ssl/ssl3con.c
|
| +++ b/net/third_party/nss/ssl/ssl3con.c
|
| @@ -4843,10 +4843,8 @@ ssl3_SendCertificateVerify(sslSocket *ss)
|
| &sid->u.ssl3.clPlatformAuthInfo);
|
| sid->u.ssl3.clPlatformAuthValid = PR_TRUE;
|
| }
|
| - if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
|
| - ssl_FreePlatformKey(ss->ssl3.platformClientKey);
|
| - ss->ssl3.platformClientKey = (PlatformKey)NULL;
|
| - }
|
| + ssl_FreePlatformKey(ss->ssl3.platformClientKey);
|
| + ss->ssl3.platformClientKey = (PlatformKey)NULL;
|
| #else /* NSS_PLATFORM_CLIENT_AUTH */
|
| rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
|
| if (rv == SECSuccess) {
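Review bot: The now-unconditional `ssl_FreePlatformKey(ss->ssl3.platformClientKey)` here and the matching `SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey)` in the next hunk carry no comment, while the commit deletes the one that explained why non-RSA key exchanges kept the key. The new code appears to assume that no key exchange type needs the client's private key once CertificateVerify has been signed. That assumption should be written down where the key is released, for example `/* The private key is not used after CertificateVerify is signed; release it for every key exchange type. */`. Releasing the key handle as early as possible is the safer direction, and recording the reason keeps a later change from reintroducing the conditional. ssl3_SendCertificateVerify begins and ends outside both hunks.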
|
| @@ -4864,14 +4862,8 @@ ssl3_SendCertificateVerify(sslSocket *ss)
|
| sid->u.ssl3.clAuthValid = PR_TRUE;
|
| PK11_FreeSlot(slot);
|
| }
|
| - /* If we're doing RSA key exchange, we're all done with the private key
|
| - * here. Diffie-Hellman key exchanges need the client's
|
| - * private key for the key exchange.
|
| - */
|
| - if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
|
| - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| - ss->ssl3.clientPrivateKey = NULL;
|
| - }
|
| + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| + ss->ssl3.clientPrivateKey = NULL;
|
| #endif /* NSS_PLATFORM_CLIENT_AUTH */
|
| if (rv != SECSuccess) {
|
| goto done; /* err code was set by ssl3_SignHashes */
|
| @@ -5022,6 +5014,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| desc = unexpected_message;
|
| goto alert_loser;
|
| }
|
| +
|
| + /* clean up anything left from previous handshake. */
|
| + if (ss->ssl3.clientCertChain != NULL) {
|
| + CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
|
| + ss->ssl3.clientCertChain = NULL;
|
| + }
|
| + if (ss->ssl3.clientCertificate != NULL) {
|
| + CERT_DestroyCertificate(ss->ssl3.clientCertificate);
|
| + ss->ssl3.clientCertificate = NULL;
|
| + }
|
| + if (ss->ssl3.clientPrivateKey != NULL) {
|
| + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| + ss->ssl3.clientPrivateKey = NULL;
|
| + }
|
| +#ifdef NSS_PLATFORM_CLIENT_AUTH
|
| + if (ss->ssl3.platformClientKey) {
|
| + ssl_FreePlatformKey(ss->ssl3.platformClientKey);
|
| + ss->ssl3.platformClientKey = (PlatformKey)NULL;
|
| + }
|
| +#endif /* NSS_PLATFORM_CLIENT_AUTH */
|
|
|
| if (ss->ssl3.serverHelloPredictionData.data)
|
| SECITEM_FreeItem(&ss->ssl3.serverHelloPredictionData, PR_FALSE);
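Review bot: The comment `/* clean up anything left from previous handshake. */` was moved here unchanged, but in ssl3_HandleServerHello the block has a second role that the comment does not mention. ssl3_HandleCertificateRequest (last hunk) now only asserts that these four fields are NULL, so this block looks like what establishes that invariant on renegotiation. I would state the coupling, for example `/* Release client-auth state from a previous handshake; ssl3_HandleCertificateRequest asserts these are NULL. */`. The block also sits after the `unexpected_message` state check, so a ServerHello rejected there leaves the old certificate and key in place. That is presumably released at socket teardown, which is not visible in this hunk and is worth confirming.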
|
| @@ -5519,26 +5531,13 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
|
| goto alert_loser;
|
| }
|
| -
|
| - /* clean up anything left from previous handshake. */
|
| - if (ss->ssl3.clientCertChain != NULL) {
|
| - CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
|
| - ss->ssl3.clientCertChain = NULL;
|
| - }
|
| - if (ss->ssl3.clientCertificate != NULL) {
|
| - CERT_DestroyCertificate(ss->ssl3.clientCertificate);
|
| - ss->ssl3.clientCertificate = NULL;
|
| - }
|
| - if (ss->ssl3.clientPrivateKey != NULL) {
|
| - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| - ss->ssl3.clientPrivateKey = NULL;
|
| - }
|
| +
|
| + PORT_Assert(ss->ssl3.clientCertChain == NULL);
|
| + PORT_Assert(ss->ssl3.clientCertificate == NULL);
|
| + PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
|
| #ifdef NSS_PLATFORM_CLIENT_AUTH
|
| - if (ss->ssl3.platformClientKey) {
|
| - ssl_FreePlatformKey(ss->ssl3.platformClientKey);
|
| - ss->ssl3.platformClientKey = (PlatformKey)NULL;
|
| - }
|
| -#endif /* NSS_PLATFORM_CLIENT_AUTH */
|
| + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
|
| +#endif /* NSS_PLATFORM_CLIENT_AUTH */
|
|
|
| isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
|
| rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
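Review bot: The four `PORT_Assert(... == NULL)` lines replace real cleanup with a check that, as a debug assertion, is normally compiled out of optimized builds. If any path reaches ssl3_HandleCertificateRequest with `ss->ssl3.clientPrivateKey` or `ss->ssl3.platformClientKey` still set, a release build would go on to overwrite the field, leaking the old key object and leaving it live longer than intended. The code that sets these fields is outside this hunk, so I cannot tell whether that is reachable. Keeping the asserts for debug builds and retaining the conditional destroy-and-NULL after each one would cost nothing and make the release build fail safe. At minimum, add a comment naming where the invariant is established, such as `/* Cleared in ssl3_HandleServerHello. */`.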
|
|
|