| Index: net/third_party/nss/patches/clientauth.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/clientauth.patch (revision 124804)
|
| +++ net/third_party/nss/patches/clientauth.patch (working copy)
|
| @@ -1,24 +1,7 @@
|
| -From 1ebf459243cea430614e1958ecab1ad10457ccc2 Mon Sep 17 00:00:00 2001
|
| -From: Adam Langley <agl@chromium.org>
|
| -Date: Mon, 3 Oct 2011 12:44:48 -0400
|
| -Subject: [PATCH] clientauth.patch
|
| -
|
| ----
|
| - mozilla/security/nss/lib/ssl/ssl.h | 39 +++
|
| - mozilla/security/nss/lib/ssl/ssl3con.c | 163 ++++++++++---
|
| - mozilla/security/nss/lib/ssl/ssl3ext.c | 2 +-
|
| - mozilla/security/nss/lib/ssl/sslauth.c | 22 ++
|
| - mozilla/security/nss/lib/ssl/sslimpl.h | 45 ++++
|
| - mozilla/security/nss/lib/ssl/sslplatf.c | 399 +++++++++++++++++++++++++++++++
|
| - mozilla/security/nss/lib/ssl/sslsock.c | 14 +
|
| - 7 files changed, 647 insertions(+), 37 deletions(-)
|
| - create mode 100644 mozilla/security/nss/lib/ssl/sslplatf.c
|
| -
|
| -diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
|
| -index 7e748bd..03535f3 100644
|
| ---- a/mozilla/security/nss/lib/ssl/ssl.h
|
| -+++ b/mozilla/security/nss/lib/ssl/ssl.h
|
| -@@ -353,6 +353,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
|
| +diff -upN a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
|
| +--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-28 19:26:04.047351199 -0800
|
| ++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-28 20:04:24.039351965 -0800
|
| +@@ -421,6 +421,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
|
| SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
|
| SSLGetClientAuthData f, void *a);
|
|
|
| @@ -64,11 +47,10 @@
|
|
|
| /*
|
| ** SNI extension processing callback function.
|
| -diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
|
| -index d372ee2..ad8f4cd 100644
|
| ---- a/mozilla/security/nss/lib/ssl/ssl3con.c
|
| -+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
|
| -@@ -2018,6 +2018,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
|
| +diff -upN a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
|
| +--- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 19:26:04.047351199 -0800
|
| ++++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 20:07:04.101579541 -0800
|
| +@@ -2015,6 +2015,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
|
| PRBool isPresent = PR_TRUE;
|
|
|
| /* we only care if we are doing client auth */
|
| @@ -78,7 +60,7 @@
|
| if (!sid || !sid->u.ssl3.clAuthValid) {
|
| return PR_TRUE;
|
| }
|
| -@@ -4865,27 +4868,30 @@ ssl3_SendCertificateVerify(sslSocket *ss)
|
| +@@ -4893,24 +4896,33 @@ ssl3_SendCertificateVerify(sslSocket *ss
|
| }
|
|
|
| isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
|
| @@ -109,12 +91,6 @@
|
| - sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
|
| - sid->u.ssl3.clAuthValid = PR_TRUE;
|
| - PK11_FreeSlot(slot);
|
| -- }
|
| -- /* If we're doing RSA key exchange, we're all done with the private key
|
| -- * here. Diffie-Hellman key exchanges need the client's
|
| -- * private key for the key exchange.
|
| -- */
|
| -- if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
|
| + /* Remember the info about the slot that did the signing.
|
| + ** Later, when doing an SSL restart handshake, verify this.
|
| + ** These calls are mere accessors, and can't fail.
|
| @@ -126,37 +102,28 @@
|
| + sid->u.ssl3.clAuthValid = PR_TRUE;
|
| + PK11_FreeSlot(slot);
|
| + }
|
| - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| - ss->ssl3.clientPrivateKey = NULL;
|
| ++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| ++ ss->ssl3.clientPrivateKey = NULL;
|
| }
|
| -@@ -4943,6 +4949,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| - goto alert_loser;
|
| +- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| +- ss->ssl3.clientPrivateKey = NULL;
|
| + if (rv != SECSuccess) {
|
| + goto done; /* err code was set by ssl3_SignHashes */
|
| }
|
| -
|
| -+ /* clean up anything left from previous handshake. */
|
| -+ if (ss->ssl3.clientCertChain != NULL) {
|
| -+ CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
|
| -+ ss->ssl3.clientCertChain = NULL;
|
| -+ }
|
| -+ if (ss->ssl3.clientCertificate != NULL) {
|
| -+ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
|
| -+ ss->ssl3.clientCertificate = NULL;
|
| -+ }
|
| -+ if (ss->ssl3.clientPrivateKey != NULL) {
|
| -+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| -+ ss->ssl3.clientPrivateKey = NULL;
|
| -+ }
|
| +@@ -4978,6 +4990,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
|
| + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| + ss->ssl3.clientPrivateKey = NULL;
|
| + }
|
| +#ifdef NSS_PLATFORM_CLIENT_AUTH
|
| + if (ss->ssl3.platformClientKey) {
|
| + ssl_FreePlatformKey(ss->ssl3.platformClientKey);
|
| + ss->ssl3.platformClientKey = (PlatformKey)NULL;
|
| + }
|
| +#endif /* NSS_PLATFORM_CLIENT_AUTH */
|
| -+
|
| +
|
| temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
|
| if (temp < 0) {
|
| - goto loser; /* alert has been sent */
|
| -@@ -5485,6 +5511,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| +@@ -5522,6 +5540,10 @@ ssl3_HandleCertificateRequest(sslSocket
|
| SSL3AlertDescription desc = illegal_parameter;
|
| SECItem cert_types = {siBuffer, NULL, 0};
|
| CERTDistNames ca_list;
|
| @@ -167,31 +134,15 @@
|
|
|
| SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
|
| SSL_GETPID(), ss->fd));
|
| -@@ -5498,19 +5528,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| - goto alert_loser;
|
| - }
|
| -
|
| -- /* clean up anything left from previous handshake. */
|
| -- if (ss->ssl3.clientCertChain != NULL) {
|
| -- CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
|
| -- ss->ssl3.clientCertChain = NULL;
|
| -- }
|
| -- if (ss->ssl3.clientCertificate != NULL) {
|
| -- CERT_DestroyCertificate(ss->ssl3.clientCertificate);
|
| -- ss->ssl3.clientCertificate = NULL;
|
| -- }
|
| -- if (ss->ssl3.clientPrivateKey != NULL) {
|
| -- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| -- ss->ssl3.clientPrivateKey = NULL;
|
| -- }
|
| -+ PORT_Assert(ss->ssl3.clientCertChain == NULL);
|
| -+ PORT_Assert(ss->ssl3.clientCertificate == NULL);
|
| -+ PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
|
| +@@ -5538,6 +5560,7 @@ ssl3_HandleCertificateRequest(sslSocket
|
| + PORT_Assert(ss->ssl3.clientCertChain == NULL);
|
| + PORT_Assert(ss->ssl3.clientCertificate == NULL);
|
| + PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
|
| + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
|
|
|
| isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
|
| rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
|
| -@@ -5577,6 +5598,20 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| +@@ -5604,6 +5627,20 @@ ssl3_HandleCertificateRequest(sslSocket
|
| desc = no_certificate;
|
| ss->ssl3.hs.ws = wait_hello_done;
|
|
|
| @@ -212,14 +163,14 @@
|
| if (ss->getClientAuthData == NULL) {
|
| rv = SECFailure; /* force it to send a no_certificate alert */
|
| } else {
|
| -@@ -5586,12 +5621,52 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| +@@ -5613,12 +5650,52 @@ ssl3_HandleCertificateRequest(sslSocket
|
| &ss->ssl3.clientCertificate,
|
| &ss->ssl3.clientPrivateKey);
|
| }
|
| +#endif /* NSS_PLATFORM_CLIENT_AUTH */
|
| switch (rv) {
|
| case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
|
| - ssl_SetAlwaysBlock(ss);
|
| + ssl3_SetAlwaysBlock(ss);
|
| break; /* not an error */
|
|
|
| case SECSuccess:
|
| @@ -265,7 +216,7 @@
|
| /* check what the callback function returned */
|
| if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
|
| /* we are missing either the key or cert */
|
| -@@ -5654,6 +5729,10 @@ loser:
|
| +@@ -5681,6 +5758,10 @@ loser:
|
| done:
|
| if (arena != NULL)
|
| PORT_FreeArena(arena, PR_FALSE);
|
| @@ -276,29 +227,18 @@
|
| return rv;
|
| }
|
|
|
| -@@ -5785,9 +5864,17 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
|
| - if (rv != SECSuccess) {
|
| - goto loser; /* error code is set. */
|
| - }
|
| -- } else
|
| -- if (ss->ssl3.clientCertChain != NULL &&
|
| -- ss->ssl3.clientPrivateKey != NULL) {
|
| -+ } else if (ss->ssl3.clientCertChain != NULL &&
|
| -+ ss->ssl3.platformClientKey) {
|
| -+#ifdef NSS_PLATFORM_CLIENT_AUTH
|
| -+ send_verify = PR_TRUE;
|
| -+ rv = ssl3_SendCertificate(ss);
|
| -+ if (rv != SECSuccess) {
|
| -+ goto loser; /* error code is set. */
|
| -+ }
|
| -+#endif /* NSS_PLATFORM_CLIENT_AUTH */
|
| -+ } else if (ss->ssl3.clientCertChain != NULL &&
|
| -+ ss->ssl3.clientPrivateKey != NULL) {
|
| - send_verify = PR_TRUE;
|
| - rv = ssl3_SendCertificate(ss);
|
| - if (rv != SECSuccess) {
|
| -@@ -9856,6 +9943,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
|
| +@@ -5755,7 +5836,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
|
|
|
| + sendClientCert = !ss->ssl3.sendEmptyCert &&
|
| + ss->ssl3.clientCertChain != NULL &&
|
| +- ss->ssl3.clientPrivateKey != NULL;
|
| ++ (ss->ssl3.platformClientKey ||
|
| ++ ss->ssl3.clientPrivateKey != NULL);
|
| +
|
| + /* We must wait for the server's certificate to be authenticated before
|
| + * sending the client certificate in order to disclosing the client
|
| +@@ -9725,6 +9807,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
|
| +
|
| if (ss->ssl3.clientPrivateKey != NULL)
|
| SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
|
| +#ifdef NSS_PLATFORM_CLIENT_AUTH
|
| @@ -308,10 +248,9 @@
|
|
|
| if (ss->ssl3.peerCertArena != NULL)
|
| ssl3_CleanupPeerCerts(ss);
|
| -diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
|
| -index 887344b..e54b4fd 100644
|
| ---- a/mozilla/security/nss/lib/ssl/ssl3ext.c
|
| -+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
|
| +diff -upN a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
|
| +--- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 19:26:04.047351199 -0800
|
| ++++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:20:35.392842118 -0800
|
| @@ -46,8 +46,8 @@
|
| #include "nssrenam.h"
|
| #include "nss.h"
|
| @@ -322,11 +261,10 @@
|
| #include "pk11pub.h"
|
| #include "blapi.h"
|
| #include "prinit.h"
|
| -diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c
|
| -index fcd15ca..8da5c66 100644
|
| ---- a/mozilla/security/nss/lib/ssl/sslauth.c
|
| -+++ b/mozilla/security/nss/lib/ssl/sslauth.c
|
| -@@ -292,6 +292,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
|
| +diff -upN a/src/net/third_party/nss/ssl/sslauth.c b/src/net/third_party/nss/ssl/sslauth.c
|
| +--- a/src/net/third_party/nss/ssl/sslauth.c 2012-02-28 18:34:23.263186340 -0800
|
| ++++ b/src/net/third_party/nss/ssl/sslauth.c 2012-02-28 20:04:24.039351965 -0800
|
| +@@ -251,6 +251,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
|
| return SECSuccess;
|
| }
|
|
|
| @@ -355,10 +293,9 @@
|
| /* NEED LOCKS IN HERE. */
|
| SECStatus
|
| SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
|
| -diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
|
| -index 70ff4c3..d73a0e3 100644
|
| ---- a/mozilla/security/nss/lib/ssl/sslimpl.h
|
| -+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
|
| +diff -upN a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
|
| +--- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 19:26:04.047351199 -0800
|
| ++++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:04:24.039351965 -0800
|
| @@ -65,6 +65,15 @@
|
|
|
| #include "sslt.h" /* for some formerly private types, now public */
|
| @@ -375,7 +312,7 @@
|
| /* to make some of these old enums public without namespace pollution,
|
| ** it was necessary to prepend ssl_ to the names.
|
| ** These #defines preserve compatibility with the old code here in libssl.
|
| -@@ -464,6 +473,14 @@ typedef SECStatus (*SSLCompressor)(void * context,
|
| +@@ -462,6 +471,14 @@ typedef SECStatus (*SSLCompressor)(void
|
| int inlen);
|
| typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
|
|
|
| @@ -401,7 +338,7 @@
|
| CERTCertificateList *clientCertChain; /* used by client */
|
| PRBool sendEmptyCert; /* used by client */
|
|
|
| -@@ -1097,6 +1118,10 @@ const unsigned char * preferredCipher;
|
| +@@ -1082,6 +1103,10 @@ const unsigned char * preferredCipher;
|
| void *authCertificateArg;
|
| SSLGetClientAuthData getClientAuthData;
|
| void *getClientAuthDataArg;
|
| @@ -412,7 +349,7 @@
|
| SSLSNISocketConfig sniSocketConfig;
|
| void *sniSocketConfigArg;
|
| SSLBadCertHandler handleBadCert;
|
| -@@ -1663,6 +1688,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
|
| +@@ -1644,6 +1669,26 @@ extern SECStatus ssl_InitSessionCacheLoc
|
|
|
| extern SECStatus ssl_FreeSessionCacheLocks(void);
|
|
|
| @@ -439,11 +376,9 @@
|
|
|
| /********************** misc calls *********************/
|
|
|
| -diff --git a/mozilla/security/nss/lib/ssl/sslplatf.c b/mozilla/security/nss/lib/ssl/sslplatf.c
|
| -new file mode 100644
|
| -index 0000000..208956f
|
| ---- /dev/null
|
| -+++ b/mozilla/security/nss/lib/ssl/sslplatf.c
|
| +diff -upN a/src/net/third_party/nss/ssl/sslplatf.c b/src/net/third_party/nss/ssl/sslplatf.c
|
| +--- a/src/net/third_party/nss/ssl/sslplatf.c 1969-12-31 16:00:00.000000000 -0800
|
| ++++ b/src/net/third_party/nss/ssl/sslplatf.c 2012-02-28 20:04:24.039351965 -0800
|
| @@ -0,0 +1,399 @@
|
| +/*
|
| + * Platform specific crypto wrappers
|
| @@ -844,10 +779,9 @@
|
| +#endif
|
| +
|
| +#endif /* NSS_PLATFORM_CLIENT_AUTH */
|
| -diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
|
| -index 7d12bfe..68fd3cb 100644
|
| ---- a/mozilla/security/nss/lib/ssl/sslsock.c
|
| -+++ b/mozilla/security/nss/lib/ssl/sslsock.c
|
| +diff -upN a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
|
| +--- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 19:26:04.057351342 -0800
|
| ++++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 20:04:24.049352104 -0800
|
| @@ -339,6 +339,10 @@ ssl_DupSocket(sslSocket *os)
|
| ss->authCertificateArg = os->authCertificateArg;
|
| ss->getClientAuthData = os->getClientAuthData;
|
| @@ -859,7 +793,7 @@
|
| ss->sniSocketConfig = os->sniSocketConfig;
|
| ss->sniSocketConfigArg = os->sniSocketConfigArg;
|
| ss->handleBadCert = os->handleBadCert;
|
| -@@ -1468,6 +1472,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
|
| +@@ -1530,6 +1534,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
|
| ss->getClientAuthData = sm->getClientAuthData;
|
| if (sm->getClientAuthDataArg)
|
| ss->getClientAuthDataArg = sm->getClientAuthDataArg;
|
| @@ -872,7 +806,7 @@
|
| if (sm->sniSocketConfig)
|
| ss->sniSocketConfig = sm->sniSocketConfig;
|
| if (sm->sniSocketConfigArg)
|
| -@@ -2525,6 +2535,10 @@ ssl_NewSocket(PRBool makeLocks)
|
| +@@ -2617,6 +2627,10 @@ ssl_NewSocket(PRBool makeLocks)
|
| ss->sniSocketConfig = NULL;
|
| ss->sniSocketConfigArg = NULL;
|
| ss->getClientAuthData = NULL;
|
|
|
Chromium Code Reviews
Issue 9558017:
Update net/third_party/nss to NSS 3.13.3. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/