Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(767)

Unified Diff: net/third_party/nss/patches/clientauth.patch

Issue 9558017: Update net/third_party/nss to NSS 3.13.3. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Upload before checkin Created 8 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/third_party/nss/patches/cbcrandomiv.patch ('k') | net/third_party/nss/patches/didhandshakeresume.patch » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/clientauth.patch
===================================================================
--- net/third_party/nss/patches/clientauth.patch (revision 124804)
+++ net/third_party/nss/patches/clientauth.patch (working copy)
@@ -1,24 +1,7 @@
-From 1ebf459243cea430614e1958ecab1ad10457ccc2 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Mon, 3 Oct 2011 12:44:48 -0400
-Subject: [PATCH] clientauth.patch
-
----
- mozilla/security/nss/lib/ssl/ssl.h | 39 +++
- mozilla/security/nss/lib/ssl/ssl3con.c | 163 ++++++++++---
- mozilla/security/nss/lib/ssl/ssl3ext.c | 2 +-
- mozilla/security/nss/lib/ssl/sslauth.c | 22 ++
- mozilla/security/nss/lib/ssl/sslimpl.h | 45 ++++
- mozilla/security/nss/lib/ssl/sslplatf.c | 399 +++++++++++++++++++++++++++++++
- mozilla/security/nss/lib/ssl/sslsock.c | 14 +
- 7 files changed, 647 insertions(+), 37 deletions(-)
- create mode 100644 mozilla/security/nss/lib/ssl/sslplatf.c
-
-diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
-index 7e748bd..03535f3 100644
---- a/mozilla/security/nss/lib/ssl/ssl.h
-+++ b/mozilla/security/nss/lib/ssl/ssl.h
-@@ -353,6 +353,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
+diff -upN a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-28 20:04:24.039351965 -0800
+@@ -421,6 +421,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
SSLGetClientAuthData f, void *a);
@@ -64,11 +47,10 @@
/*
** SNI extension processing callback function.
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index d372ee2..ad8f4cd 100644
---- a/mozilla/security/nss/lib/ssl/ssl3con.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
-@@ -2018,6 +2018,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
+diff -upN a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
+--- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 20:07:04.101579541 -0800
+@@ -2015,6 +2015,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
PRBool isPresent = PR_TRUE;
/* we only care if we are doing client auth */
@@ -78,7 +60,7 @@
if (!sid || !sid->u.ssl3.clAuthValid) {
return PR_TRUE;
}
-@@ -4865,27 +4868,30 @@ ssl3_SendCertificateVerify(sslSocket *ss)
+@@ -4893,24 +4896,33 @@ ssl3_SendCertificateVerify(sslSocket *ss
}
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
@@ -109,12 +91,6 @@
- sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
- sid->u.ssl3.clAuthValid = PR_TRUE;
- PK11_FreeSlot(slot);
-- }
-- /* If we're doing RSA key exchange, we're all done with the private key
-- * here. Diffie-Hellman key exchanges need the client's
-- * private key for the key exchange.
-- */
-- if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
+ /* Remember the info about the slot that did the signing.
+ ** Later, when doing an SSL restart handshake, verify this.
+ ** These calls are mere accessors, and can't fail.
@@ -126,37 +102,28 @@
+ sid->u.ssl3.clAuthValid = PR_TRUE;
+ PK11_FreeSlot(slot);
+ }
- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
- ss->ssl3.clientPrivateKey = NULL;
++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++ ss->ssl3.clientPrivateKey = NULL;
}
-@@ -4943,6 +4949,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- goto alert_loser;
+- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+- ss->ssl3.clientPrivateKey = NULL;
+ if (rv != SECSuccess) {
+ goto done; /* err code was set by ssl3_SignHashes */
}
-
-+ /* clean up anything left from previous handshake. */
-+ if (ss->ssl3.clientCertChain != NULL) {
-+ CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
-+ ss->ssl3.clientCertChain = NULL;
-+ }
-+ if (ss->ssl3.clientCertificate != NULL) {
-+ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
-+ ss->ssl3.clientCertificate = NULL;
-+ }
-+ if (ss->ssl3.clientPrivateKey != NULL) {
-+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-+ ss->ssl3.clientPrivateKey = NULL;
-+ }
+@@ -4978,6 +4990,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+ ss->ssl3.clientPrivateKey = NULL;
+ }
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+ if (ss->ssl3.platformClientKey) {
+ ssl_FreePlatformKey(ss->ssl3.platformClientKey);
+ ss->ssl3.platformClientKey = (PlatformKey)NULL;
+ }
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
-+
+
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) {
- goto loser; /* alert has been sent */
-@@ -5485,6 +5511,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -5522,6 +5540,10 @@ ssl3_HandleCertificateRequest(sslSocket
SSL3AlertDescription desc = illegal_parameter;
SECItem cert_types = {siBuffer, NULL, 0};
CERTDistNames ca_list;
@@ -167,31 +134,15 @@
SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
SSL_GETPID(), ss->fd));
-@@ -5498,19 +5528,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- goto alert_loser;
- }
-
-- /* clean up anything left from previous handshake. */
-- if (ss->ssl3.clientCertChain != NULL) {
-- CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
-- ss->ssl3.clientCertChain = NULL;
-- }
-- if (ss->ssl3.clientCertificate != NULL) {
-- CERT_DestroyCertificate(ss->ssl3.clientCertificate);
-- ss->ssl3.clientCertificate = NULL;
-- }
-- if (ss->ssl3.clientPrivateKey != NULL) {
-- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-- ss->ssl3.clientPrivateKey = NULL;
-- }
-+ PORT_Assert(ss->ssl3.clientCertChain == NULL);
-+ PORT_Assert(ss->ssl3.clientCertificate == NULL);
-+ PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
+@@ -5538,6 +5560,7 @@ ssl3_HandleCertificateRequest(sslSocket
+ PORT_Assert(ss->ssl3.clientCertChain == NULL);
+ PORT_Assert(ss->ssl3.clientCertificate == NULL);
+ PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
+ PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
-@@ -5577,6 +5598,20 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -5604,6 +5627,20 @@ ssl3_HandleCertificateRequest(sslSocket
desc = no_certificate;
ss->ssl3.hs.ws = wait_hello_done;
@@ -212,14 +163,14 @@
if (ss->getClientAuthData == NULL) {
rv = SECFailure; /* force it to send a no_certificate alert */
} else {
-@@ -5586,12 +5621,52 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -5613,12 +5650,52 @@ ssl3_HandleCertificateRequest(sslSocket
&ss->ssl3.clientCertificate,
&ss->ssl3.clientPrivateKey);
}
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
switch (rv) {
case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
- ssl_SetAlwaysBlock(ss);
+ ssl3_SetAlwaysBlock(ss);
break; /* not an error */
case SECSuccess:
@@ -265,7 +216,7 @@
/* check what the callback function returned */
if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
/* we are missing either the key or cert */
-@@ -5654,6 +5729,10 @@ loser:
+@@ -5681,6 +5758,10 @@ loser:
done:
if (arena != NULL)
PORT_FreeArena(arena, PR_FALSE);
@@ -276,29 +227,18 @@
return rv;
}
-@@ -5785,9 +5864,17 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
- if (rv != SECSuccess) {
- goto loser; /* error code is set. */
- }
-- } else
-- if (ss->ssl3.clientCertChain != NULL &&
-- ss->ssl3.clientPrivateKey != NULL) {
-+ } else if (ss->ssl3.clientCertChain != NULL &&
-+ ss->ssl3.platformClientKey) {
-+#ifdef NSS_PLATFORM_CLIENT_AUTH
-+ send_verify = PR_TRUE;
-+ rv = ssl3_SendCertificate(ss);
-+ if (rv != SECSuccess) {
-+ goto loser; /* error code is set. */
-+ }
-+#endif /* NSS_PLATFORM_CLIENT_AUTH */
-+ } else if (ss->ssl3.clientCertChain != NULL &&
-+ ss->ssl3.clientPrivateKey != NULL) {
- send_verify = PR_TRUE;
- rv = ssl3_SendCertificate(ss);
- if (rv != SECSuccess) {
-@@ -9856,6 +9943,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -5755,7 +5836,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
+ sendClientCert = !ss->ssl3.sendEmptyCert &&
+ ss->ssl3.clientCertChain != NULL &&
+- ss->ssl3.clientPrivateKey != NULL;
++ (ss->ssl3.platformClientKey ||
++ ss->ssl3.clientPrivateKey != NULL);
+
+ /* We must wait for the server's certificate to be authenticated before
+ * sending the client certificate in order to disclosing the client
+@@ -9725,6 +9807,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+
if (ss->ssl3.clientPrivateKey != NULL)
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+#ifdef NSS_PLATFORM_CLIENT_AUTH
@@ -308,10 +248,9 @@
if (ss->ssl3.peerCertArena != NULL)
ssl3_CleanupPeerCerts(ss);
-diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
-index 887344b..e54b4fd 100644
---- a/mozilla/security/nss/lib/ssl/ssl3ext.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
+diff -upN a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
+--- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:20:35.392842118 -0800
@@ -46,8 +46,8 @@
#include "nssrenam.h"
#include "nss.h"
@@ -322,11 +261,10 @@
#include "pk11pub.h"
#include "blapi.h"
#include "prinit.h"
-diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c
-index fcd15ca..8da5c66 100644
---- a/mozilla/security/nss/lib/ssl/sslauth.c
-+++ b/mozilla/security/nss/lib/ssl/sslauth.c
-@@ -292,6 +292,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
+diff -upN a/src/net/third_party/nss/ssl/sslauth.c b/src/net/third_party/nss/ssl/sslauth.c
+--- a/src/net/third_party/nss/ssl/sslauth.c 2012-02-28 18:34:23.263186340 -0800
++++ b/src/net/third_party/nss/ssl/sslauth.c 2012-02-28 20:04:24.039351965 -0800
+@@ -251,6 +251,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
return SECSuccess;
}
@@ -355,10 +293,9 @@
/* NEED LOCKS IN HERE. */
SECStatus
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
-diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
-index 70ff4c3..d73a0e3 100644
---- a/mozilla/security/nss/lib/ssl/sslimpl.h
-+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+diff -upN a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
+--- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:04:24.039351965 -0800
@@ -65,6 +65,15 @@
#include "sslt.h" /* for some formerly private types, now public */
@@ -375,7 +312,7 @@
/* to make some of these old enums public without namespace pollution,
** it was necessary to prepend ssl_ to the names.
** These #defines preserve compatibility with the old code here in libssl.
-@@ -464,6 +473,14 @@ typedef SECStatus (*SSLCompressor)(void * context,
+@@ -462,6 +471,14 @@ typedef SECStatus (*SSLCompressor)(void
int inlen);
typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
@@ -401,7 +338,7 @@
CERTCertificateList *clientCertChain; /* used by client */
PRBool sendEmptyCert; /* used by client */
-@@ -1097,6 +1118,10 @@ const unsigned char * preferredCipher;
+@@ -1082,6 +1103,10 @@ const unsigned char * preferredCipher;
void *authCertificateArg;
SSLGetClientAuthData getClientAuthData;
void *getClientAuthDataArg;
@@ -412,7 +349,7 @@
SSLSNISocketConfig sniSocketConfig;
void *sniSocketConfigArg;
SSLBadCertHandler handleBadCert;
-@@ -1663,6 +1688,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
+@@ -1644,6 +1669,26 @@ extern SECStatus ssl_InitSessionCacheLoc
extern SECStatus ssl_FreeSessionCacheLocks(void);
@@ -439,11 +376,9 @@
/********************** misc calls *********************/
-diff --git a/mozilla/security/nss/lib/ssl/sslplatf.c b/mozilla/security/nss/lib/ssl/sslplatf.c
-new file mode 100644
-index 0000000..208956f
---- /dev/null
-+++ b/mozilla/security/nss/lib/ssl/sslplatf.c
+diff -upN a/src/net/third_party/nss/ssl/sslplatf.c b/src/net/third_party/nss/ssl/sslplatf.c
+--- a/src/net/third_party/nss/ssl/sslplatf.c 1969-12-31 16:00:00.000000000 -0800
++++ b/src/net/third_party/nss/ssl/sslplatf.c 2012-02-28 20:04:24.039351965 -0800
@@ -0,0 +1,399 @@
+/*
+ * Platform specific crypto wrappers
@@ -844,10 +779,9 @@
+#endif
+
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index 7d12bfe..68fd3cb 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
+diff -upN a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
+--- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 19:26:04.057351342 -0800
++++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 20:04:24.049352104 -0800
@@ -339,6 +339,10 @@ ssl_DupSocket(sslSocket *os)
ss->authCertificateArg = os->authCertificateArg;
ss->getClientAuthData = os->getClientAuthData;
@@ -859,7 +793,7 @@
ss->sniSocketConfig = os->sniSocketConfig;
ss->sniSocketConfigArg = os->sniSocketConfigArg;
ss->handleBadCert = os->handleBadCert;
-@@ -1468,6 +1472,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
+@@ -1530,6 +1534,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
ss->getClientAuthData = sm->getClientAuthData;
if (sm->getClientAuthDataArg)
ss->getClientAuthDataArg = sm->getClientAuthDataArg;
@@ -872,7 +806,7 @@
if (sm->sniSocketConfig)
ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
-@@ -2525,6 +2535,10 @@ ssl_NewSocket(PRBool makeLocks)
+@@ -2617,6 +2627,10 @@ ssl_NewSocket(PRBool makeLocks)
ss->sniSocketConfig = NULL;
ss->sniSocketConfigArg = NULL;
ss->getClientAuthData = NULL;
« no previous file with comments | « net/third_party/nss/patches/cbcrandomiv.patch ('k') | net/third_party/nss/patches/didhandshakeresume.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698