Index: net/third_party/nss/patches/clientauth.patch |
=================================================================== |
--- net/third_party/nss/patches/clientauth.patch (revision 124804) |
+++ net/third_party/nss/patches/clientauth.patch (working copy) |
@@ -1,24 +1,7 @@ |
-From 1ebf459243cea430614e1958ecab1ad10457ccc2 Mon Sep 17 00:00:00 2001 |
-From: Adam Langley <agl@chromium.org> |
-Date: Mon, 3 Oct 2011 12:44:48 -0400 |
-Subject: [PATCH] clientauth.patch |
- |
---- |
- mozilla/security/nss/lib/ssl/ssl.h | 39 +++ |
- mozilla/security/nss/lib/ssl/ssl3con.c | 163 ++++++++++--- |
- mozilla/security/nss/lib/ssl/ssl3ext.c | 2 +- |
- mozilla/security/nss/lib/ssl/sslauth.c | 22 ++ |
- mozilla/security/nss/lib/ssl/sslimpl.h | 45 ++++ |
- mozilla/security/nss/lib/ssl/sslplatf.c | 399 +++++++++++++++++++++++++++++++ |
- mozilla/security/nss/lib/ssl/sslsock.c | 14 + |
- 7 files changed, 647 insertions(+), 37 deletions(-) |
- create mode 100644 mozilla/security/nss/lib/ssl/sslplatf.c |
- |
-diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h |
-index 7e748bd..03535f3 100644 |
---- a/mozilla/security/nss/lib/ssl/ssl.h |
-+++ b/mozilla/security/nss/lib/ssl/ssl.h |
-@@ -353,6 +353,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg, |
+diff -upN a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h |
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-28 19:26:04.047351199 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-28 20:04:24.039351965 -0800 |
+@@ -421,6 +421,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl |
SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
SSLGetClientAuthData f, void *a); |
@@ -64,11 +47,10 @@ |
/* |
** SNI extension processing callback function. |
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c |
-index d372ee2..ad8f4cd 100644 |
---- a/mozilla/security/nss/lib/ssl/ssl3con.c |
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c |
-@@ -2018,6 +2018,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
+diff -upN a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c |
+--- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 19:26:04.047351199 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 20:07:04.101579541 -0800 |
+@@ -2015,6 +2015,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID |
PRBool isPresent = PR_TRUE; |
/* we only care if we are doing client auth */ |
@@ -78,7 +60,7 @@ |
if (!sid || !sid->u.ssl3.clAuthValid) { |
return PR_TRUE; |
} |
-@@ -4865,27 +4868,30 @@ ssl3_SendCertificateVerify(sslSocket *ss) |
+@@ -4893,24 +4896,33 @@ ssl3_SendCertificateVerify(sslSocket *ss |
} |
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
@@ -109,12 +91,6 @@ |
- sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); |
- sid->u.ssl3.clAuthValid = PR_TRUE; |
- PK11_FreeSlot(slot); |
-- } |
-- /* If we're doing RSA key exchange, we're all done with the private key |
-- * here. Diffie-Hellman key exchanges need the client's |
-- * private key for the key exchange. |
-- */ |
-- if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) { |
+ /* Remember the info about the slot that did the signing. |
+ ** Later, when doing an SSL restart handshake, verify this. |
+ ** These calls are mere accessors, and can't fail. |
@@ -126,37 +102,28 @@ |
+ sid->u.ssl3.clAuthValid = PR_TRUE; |
+ PK11_FreeSlot(slot); |
+ } |
- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
- ss->ssl3.clientPrivateKey = NULL; |
++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
++ ss->ssl3.clientPrivateKey = NULL; |
} |
-@@ -4943,6 +4949,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
- goto alert_loser; |
+- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
+- ss->ssl3.clientPrivateKey = NULL; |
+ if (rv != SECSuccess) { |
+ goto done; /* err code was set by ssl3_SignHashes */ |
} |
- |
-+ /* clean up anything left from previous handshake. */ |
-+ if (ss->ssl3.clientCertChain != NULL) { |
-+ CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
-+ ss->ssl3.clientCertChain = NULL; |
-+ } |
-+ if (ss->ssl3.clientCertificate != NULL) { |
-+ CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
-+ ss->ssl3.clientCertificate = NULL; |
-+ } |
-+ if (ss->ssl3.clientPrivateKey != NULL) { |
-+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
-+ ss->ssl3.clientPrivateKey = NULL; |
-+ } |
+@@ -4978,6 +4990,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
+ ss->ssl3.clientPrivateKey = NULL; |
+ } |
+#ifdef NSS_PLATFORM_CLIENT_AUTH |
+ if (ss->ssl3.platformClientKey) { |
+ ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
+ ss->ssl3.platformClientKey = (PlatformKey)NULL; |
+ } |
+#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
-+ |
+ |
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
if (temp < 0) { |
- goto loser; /* alert has been sent */ |
-@@ -5485,6 +5511,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+@@ -5522,6 +5540,10 @@ ssl3_HandleCertificateRequest(sslSocket |
SSL3AlertDescription desc = illegal_parameter; |
SECItem cert_types = {siBuffer, NULL, 0}; |
CERTDistNames ca_list; |
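Review bot: In the ssl3_SendCertificateVerify section, the re-added `SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);` / `ss->ssl3.clientPrivateKey = NULL;` pair now sits before the closing brace rather than after it, so the software key is released only on the path that runs through that block. The other path is not visible in this hunk. If it is the platform-key signing path, it needs its own `ssl_FreePlatformKey(...)` and `(PlatformKey)NULL` reset immediately after signing, as the ssl3_HandleServerHello section does, so that no key handle outlives CertificateVerify; this should be confirmed against the full patch. Once confirmed, a short comment above the pair would record the split, for example `/* Software key is finished here; the platform key is released on its own path. */`. The function body starts and ends outside the hunk.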
@@ -167,31 +134,15 @@ |
SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
SSL_GETPID(), ss->fd)); |
-@@ -5498,19 +5528,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
- goto alert_loser; |
- } |
- |
-- /* clean up anything left from previous handshake. */ |
-- if (ss->ssl3.clientCertChain != NULL) { |
-- CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
-- ss->ssl3.clientCertChain = NULL; |
-- } |
-- if (ss->ssl3.clientCertificate != NULL) { |
-- CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
-- ss->ssl3.clientCertificate = NULL; |
-- } |
-- if (ss->ssl3.clientPrivateKey != NULL) { |
-- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
-- ss->ssl3.clientPrivateKey = NULL; |
-- } |
-+ PORT_Assert(ss->ssl3.clientCertChain == NULL); |
-+ PORT_Assert(ss->ssl3.clientCertificate == NULL); |
-+ PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
+@@ -5538,6 +5560,7 @@ ssl3_HandleCertificateRequest(sslSocket |
+ PORT_Assert(ss->ssl3.clientCertChain == NULL); |
+ PORT_Assert(ss->ssl3.clientCertificate == NULL); |
+ PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
+ PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); |
-@@ -5577,6 +5598,20 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+@@ -5604,6 +5627,20 @@ ssl3_HandleCertificateRequest(sslSocket |
desc = no_certificate; |
ss->ssl3.hs.ws = wait_hello_done; |
@@ -212,14 +163,14 @@ |
if (ss->getClientAuthData == NULL) { |
rv = SECFailure; /* force it to send a no_certificate alert */ |
} else { |
-@@ -5586,12 +5621,52 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+@@ -5613,12 +5650,52 @@ ssl3_HandleCertificateRequest(sslSocket |
&ss->ssl3.clientCertificate, |
&ss->ssl3.clientPrivateKey); |
} |
+#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
switch (rv) { |
case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
- ssl_SetAlwaysBlock(ss); |
+ ssl3_SetAlwaysBlock(ss); |
break; /* not an error */ |
case SECSuccess: |
@@ -265,7 +216,7 @@ |
/* check what the callback function returned */ |
if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
/* we are missing either the key or cert */ |
-@@ -5654,6 +5729,10 @@ loser: |
+@@ -5681,6 +5758,10 @@ loser: |
done: |
if (arena != NULL) |
PORT_FreeArena(arena, PR_FALSE); |
@@ -276,29 +227,18 @@ |
return rv; |
} |
-@@ -5785,9 +5864,17 @@ ssl3_HandleServerHelloDone(sslSocket *ss) |
- if (rv != SECSuccess) { |
- goto loser; /* error code is set. */ |
- } |
-- } else |
-- if (ss->ssl3.clientCertChain != NULL && |
-- ss->ssl3.clientPrivateKey != NULL) { |
-+ } else if (ss->ssl3.clientCertChain != NULL && |
-+ ss->ssl3.platformClientKey) { |
-+#ifdef NSS_PLATFORM_CLIENT_AUTH |
-+ send_verify = PR_TRUE; |
-+ rv = ssl3_SendCertificate(ss); |
-+ if (rv != SECSuccess) { |
-+ goto loser; /* error code is set. */ |
-+ } |
-+#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
-+ } else if (ss->ssl3.clientCertChain != NULL && |
-+ ss->ssl3.clientPrivateKey != NULL) { |
- send_verify = PR_TRUE; |
- rv = ssl3_SendCertificate(ss); |
- if (rv != SECSuccess) { |
-@@ -9856,6 +9943,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
+@@ -5755,7 +5836,8 @@ ssl3_SendClientSecondRound(sslSocket *ss |
+ sendClientCert = !ss->ssl3.sendEmptyCert && |
+ ss->ssl3.clientCertChain != NULL && |
+- ss->ssl3.clientPrivateKey != NULL; |
++ (ss->ssl3.platformClientKey || |
++ ss->ssl3.clientPrivateKey != NULL); |
+ |
+ /* We must wait for the server's certificate to be authenticated before |
+ * sending the client certificate in order to disclosing the client |
+@@ -9725,6 +9807,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
+ |
if (ss->ssl3.clientPrivateKey != NULL) |
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
+#ifdef NSS_PLATFORM_CLIENT_AUTH |
@@ -308,10 +248,9 @@ |
if (ss->ssl3.peerCertArena != NULL) |
ssl3_CleanupPeerCerts(ss); |
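Review bot: The new `sendClientCert` term in ssl3_SendClientSecondRound tests `ss->ssl3.platformClientKey` as a bare truth value, outside any `#ifdef NSS_PLATFORM_CLIENT_AUTH`. The free sites in ssl3_HandleServerHello and ssl3_DestroySSL3Info are guarded, and the assert in ssl3_HandleCertificateRequest compares against `(PlatformKey)NULL`. Whether the member exists when the macro is undefined depends on the sslimpl.h declaration, which is not shown in this hunk. Since this expression decides whether a client certificate is sent, I would spell the test out the same way as the assert: `(ss->ssl3.platformClientKey != (PlatformKey)NULL ||`. The rest of the function lies outside the hunk.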
-diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c |
-index 887344b..e54b4fd 100644 |
---- a/mozilla/security/nss/lib/ssl/ssl3ext.c |
-+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c |
+diff -upN a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c |
+--- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 19:26:04.047351199 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:20:35.392842118 -0800 |
@@ -46,8 +46,8 @@ |
#include "nssrenam.h" |
#include "nss.h" |
@@ -322,11 +261,10 @@ |
#include "pk11pub.h" |
#include "blapi.h" |
#include "prinit.h" |
-diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c |
-index fcd15ca..8da5c66 100644 |
---- a/mozilla/security/nss/lib/ssl/sslauth.c |
-+++ b/mozilla/security/nss/lib/ssl/sslauth.c |
-@@ -292,6 +292,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, |
+diff -upN a/src/net/third_party/nss/ssl/sslauth.c b/src/net/third_party/nss/ssl/sslauth.c |
+--- a/src/net/third_party/nss/ssl/sslauth.c 2012-02-28 18:34:23.263186340 -0800 |
++++ b/src/net/third_party/nss/ssl/sslauth.c 2012-02-28 20:04:24.039351965 -0800 |
+@@ -251,6 +251,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
return SECSuccess; |
} |
@@ -355,10 +293,9 @@ |
/* NEED LOCKS IN HERE. */ |
SECStatus |
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
-diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h |
-index 70ff4c3..d73a0e3 100644 |
---- a/mozilla/security/nss/lib/ssl/sslimpl.h |
-+++ b/mozilla/security/nss/lib/ssl/sslimpl.h |
+diff -upN a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h |
+--- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 19:26:04.047351199 -0800 |
++++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:04:24.039351965 -0800 |
@@ -65,6 +65,15 @@ |
#include "sslt.h" /* for some formerly private types, now public */ |
@@ -375,7 +312,7 @@ |
/* to make some of these old enums public without namespace pollution, |
** it was necessary to prepend ssl_ to the names. |
** These #defines preserve compatibility with the old code here in libssl. |
-@@ -464,6 +473,14 @@ typedef SECStatus (*SSLCompressor)(void * context, |
+@@ -462,6 +471,14 @@ typedef SECStatus (*SSLCompressor)(void |
int inlen); |
typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); |
@@ -401,7 +338,7 @@ |
CERTCertificateList *clientCertChain; /* used by client */ |
PRBool sendEmptyCert; /* used by client */ |
-@@ -1097,6 +1118,10 @@ const unsigned char * preferredCipher; |
+@@ -1082,6 +1103,10 @@ const unsigned char * preferredCipher; |
void *authCertificateArg; |
SSLGetClientAuthData getClientAuthData; |
void *getClientAuthDataArg; |
@@ -412,7 +349,7 @@ |
SSLSNISocketConfig sniSocketConfig; |
void *sniSocketConfigArg; |
SSLBadCertHandler handleBadCert; |
-@@ -1663,6 +1688,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); |
+@@ -1644,6 +1669,26 @@ extern SECStatus ssl_InitSessionCacheLoc |
extern SECStatus ssl_FreeSessionCacheLocks(void); |
@@ -439,11 +376,9 @@ |
/********************** misc calls *********************/ |
-diff --git a/mozilla/security/nss/lib/ssl/sslplatf.c b/mozilla/security/nss/lib/ssl/sslplatf.c |
-new file mode 100644 |
-index 0000000..208956f |
---- /dev/null |
-+++ b/mozilla/security/nss/lib/ssl/sslplatf.c |
+diff -upN a/src/net/third_party/nss/ssl/sslplatf.c b/src/net/third_party/nss/ssl/sslplatf.c |
+--- a/src/net/third_party/nss/ssl/sslplatf.c 1969-12-31 16:00:00.000000000 -0800 |
++++ b/src/net/third_party/nss/ssl/sslplatf.c 2012-02-28 20:04:24.039351965 -0800 |
@@ -0,0 +1,399 @@ |
+/* |
+ * Platform specific crypto wrappers |
@@ -844,10 +779,9 @@ |
+#endif |
+ |
+#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c |
-index 7d12bfe..68fd3cb 100644 |
---- a/mozilla/security/nss/lib/ssl/sslsock.c |
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c |
+diff -upN a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c |
+--- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 19:26:04.057351342 -0800 |
++++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 20:04:24.049352104 -0800 |
@@ -339,6 +339,10 @@ ssl_DupSocket(sslSocket *os) |
ss->authCertificateArg = os->authCertificateArg; |
ss->getClientAuthData = os->getClientAuthData; |
@@ -859,7 +793,7 @@ |
ss->sniSocketConfig = os->sniSocketConfig; |
ss->sniSocketConfigArg = os->sniSocketConfigArg; |
ss->handleBadCert = os->handleBadCert; |
-@@ -1468,6 +1472,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
+@@ -1530,6 +1534,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
ss->getClientAuthData = sm->getClientAuthData; |
if (sm->getClientAuthDataArg) |
ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
@@ -872,7 +806,7 @@ |
if (sm->sniSocketConfig) |
ss->sniSocketConfig = sm->sniSocketConfig; |
if (sm->sniSocketConfigArg) |
-@@ -2525,6 +2535,10 @@ ssl_NewSocket(PRBool makeLocks) |
+@@ -2617,6 +2627,10 @@ ssl_NewSocket(PRBool makeLocks) |
ss->sniSocketConfig = NULL; |
ss->sniSocketConfigArg = NULL; |
ss->getClientAuthData = NULL; |