Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(664)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/patches/clientauth.patch

Issue 111853013: Update net/third_party/nss to NSS 3.15.4. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Add CT TLS extension bug number Created 6 years, 12 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/third_party/nss/patches/ciphersuiteversion.patch ('k') | net/third_party/nss/patches/didhandshakeresume.patch » ('j') | net/third_party/nss/ssl/ssl3con.c » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/clientauth.patch
===================================================================
--- net/third_party/nss/patches/clientauth.patch (revision 242942)
+++ net/third_party/nss/patches/clientauth.patch (working copy)
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2013-07-31 12:31:45.326118409 -0700
-+++ b/nss/lib/ssl/ssl3con.c 2013-07-31 12:35:27.189373289 -0700
-@@ -2284,6 +2284,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
+--- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:30:40.073373382 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:30:52.653579045 -0800
+@@ -2471,6 +2471,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
PRBool isPresent = PR_TRUE;
/* we only care if we are doing client auth */
@@ -11,7 +11,7 @@
if (!sid || !sid->u.ssl3.clAuthValid) {
return PR_TRUE;
}
-@@ -5768,25 +5771,36 @@ ssl3_SendCertificateVerify(sslSocket *ss
+@@ -6080,25 +6083,36 @@ ssl3_SendCertificateVerify(sslSocket *ss
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
@@ -65,7 +65,7 @@
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_SignHashes */
}
-@@ -5870,6 +5884,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6177,6 +6191,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
}
@@ -78,7 +78,26 @@
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) {
-@@ -6496,6 +6516,10 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -6804,6 +6824,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss,
+ goto done;
+ }
+
++#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32)
++ /* If the key is in CAPI, assume conservatively that the CAPI service
++ * provider may be unable to sign SHA-256 hashes.
++ */
++ if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
++ /* CAPI only supports RSA and DSA signatures, so we don't need to
++ * check the key type. */
++ *preferSha1 = PR_TRUE;
++ goto done;
++ }
++#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */
++
+ /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
+ * it may be unable to sign SHA-256 hashes. This is the case for older
+ * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
+@@ -6902,6 +6934,10 @@ ssl3_HandleCertificateRequest(sslSocket
SECItem cert_types = {siBuffer, NULL, 0};
SECItem algorithms = {siBuffer, NULL, 0};
CERTDistNames ca_list;
@@ -89,7 +108,7 @@
SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
SSL_GETPID(), ss->fd));
-@@ -6512,6 +6536,7 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -6918,6 +6954,7 @@ ssl3_HandleCertificateRequest(sslSocket
PORT_Assert(ss->ssl3.clientCertChain == NULL);
PORT_Assert(ss->ssl3.clientCertificate == NULL);
PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
@@ -97,7 +116,7 @@
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
-@@ -6591,6 +6616,18 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -6997,6 +7034,18 @@ ssl3_HandleCertificateRequest(sslSocket
desc = no_certificate;
ss->ssl3.hs.ws = wait_hello_done;
@@ -116,7 +135,7 @@
if (ss->getClientAuthData != NULL) {
/* XXX Should pass cert_types and algorithms in this call!! */
rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
-@@ -6600,12 +6637,52 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -7006,12 +7055,55 @@ ssl3_HandleCertificateRequest(sslSocket
} else {
rv = SECFailure; /* force it to send a no_certificate alert */
}
@@ -163,13 +182,16 @@
+ }
+ goto send_no_certificate;
+ }
++ if (ss->ssl3.hs.hashType == handshake_hash_single) {
++ ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
++ }
+ break; /* not an error */
+ }
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
/* check what the callback function returned */
if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
/* we are missing either the key or cert */
-@@ -6668,6 +6745,10 @@ loser:
+@@ -7073,6 +7165,10 @@ loser:
done:
if (arena != NULL)
PORT_FreeArena(arena, PR_FALSE);
@@ -180,7 +202,7 @@
return rv;
}
-@@ -6749,7 +6830,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7190,7 +7286,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
sendClientCert = !ss->ssl3.sendEmptyCert &&
ss->ssl3.clientCertChain != NULL &&
@@ -188,9 +210,9 @@
+ (ss->ssl3.platformClientKey ||
+ ss->ssl3.clientPrivateKey != NULL);
- /* We must wait for the server's certificate to be authenticated before
- * sending the client certificate in order to disclosing the client
-@@ -11465,6 +11547,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+ if (!sendClientCert &&
+ ss->ssl3.hs.hashType == handshake_hash_single &&
+@@ -12027,6 +12124,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
if (ss->ssl3.clientPrivateKey != NULL)
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
@@ -202,8 +224,8 @@
if (ss->ssl3.peerCertArena != NULL)
ssl3_CleanupPeerCerts(ss);
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2013-07-31 12:07:10.964699464 -0700
-+++ b/nss/lib/ssl/ssl3ext.c 2013-07-31 12:35:27.189373289 -0700
+--- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:28:03.550814608 -0800
++++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:30:52.653579045 -0800
@@ -10,8 +10,8 @@
#include "nssrenam.h"
#include "nss.h"
@@ -215,9 +237,9 @@
#ifdef NO_PKCS11_BYPASS
#include "blapit.h"
diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
---- a/nss/lib/ssl/sslauth.c 2013-07-31 12:32:29.076760372 -0700
-+++ b/nss/lib/ssl/sslauth.c 2013-07-31 12:35:27.189373289 -0700
-@@ -219,6 +219,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
+--- a/nss/lib/ssl/sslauth.c 2014-01-03 19:28:03.550814608 -0800
++++ b/nss/lib/ssl/sslauth.c 2014-01-03 19:30:52.653579045 -0800
+@@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
return SECSuccess;
}
@@ -247,8 +269,8 @@
SECStatus
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2013-07-31 12:32:29.076760372 -0700
-+++ b/nss/lib/ssl/ssl.h 2013-07-31 12:35:27.199373436 -0700
+--- a/nss/lib/ssl/ssl.h 2014-01-03 19:28:03.540814444 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-03 19:30:52.653579045 -0800
@@ -503,6 +503,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
SSLGetClientAuthData f, void *a);
@@ -299,8 +321,8 @@
/*
** SNI extension processing callback function.
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2013-07-31 12:31:45.326118409 -0700
-+++ b/nss/lib/ssl/sslimpl.h 2013-07-31 12:35:27.199373436 -0700
+--- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:30:40.073373382 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:30:52.653579045 -0800
@@ -20,6 +20,7 @@
#include "sslerr.h"
#include "ssl3prot.h"
@@ -325,9 +347,9 @@
/* to make some of these old enums public without namespace pollution,
** it was necessary to prepend ssl_ to the names.
** These #defines preserve compatibility with the old code here in libssl.
-@@ -444,6 +454,14 @@ typedef SECStatus (*SSLCompressor)(void
- int inlen);
- typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
+@@ -432,6 +442,14 @@ struct sslGatherStr {
+ #define GS_DATA 3
+ #define GS_PAD 4
+#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
+typedef PCERT_KEY_CONTEXT PlatformKey;
@@ -340,7 +362,7 @@
/*
-@@ -896,6 +914,10 @@ struct ssl3StateStr {
+@@ -944,6 +962,10 @@ struct ssl3StateStr {
CERTCertificate * clientCertificate; /* used by client */
SECKEYPrivateKey * clientPrivateKey; /* used by client */
@@ -351,7 +373,7 @@
CERTCertificateList *clientCertChain; /* used by client */
PRBool sendEmptyCert; /* used by client */
-@@ -1153,6 +1175,10 @@ const unsigned char * preferredCipher;
+@@ -1205,6 +1227,10 @@ const unsigned char * preferredCipher;
void *authCertificateArg;
SSLGetClientAuthData getClientAuthData;
void *getClientAuthDataArg;
@@ -362,16 +384,8 @@
SSLSNISocketConfig sniSocketConfig;
void *sniSocketConfigArg;
SSLBadCertHandler handleBadCert;
-@@ -1737,7 +1763,6 @@ extern void ssl_FreePRSocket(PRFileDesc
- * various ciphers */
- extern int ssl3_config_match_init(sslSocket *);
+@@ -1843,6 +1869,26 @@ extern SECStatus ssl_InitSessionCacheLoc
--
- /* Create a new ref counted key pair object from two keys. */
- extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
- SECKEYPublicKey * pubKey);
-@@ -1777,6 +1802,26 @@ extern SECStatus ssl_InitSessionCacheLoc
-
extern SECStatus ssl_FreeSessionCacheLocks(void);
+/***************** platform client auth ****************/
@@ -398,9 +412,9 @@
/**************** DTLS-specific functions **************/
extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2013-07-31 12:28:39.283413269 -0700
-+++ b/nss/lib/ssl/sslsock.c 2013-07-31 12:35:27.199373436 -0700
-@@ -343,6 +343,10 @@ ssl_DupSocket(sslSocket *os)
+--- a/nss/lib/ssl/sslsock.c 2014-01-03 19:28:03.560814773 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:30:52.653579045 -0800
+@@ -261,6 +261,10 @@ ssl_DupSocket(sslSocket *os)
ss->authCertificateArg = os->authCertificateArg;
ss->getClientAuthData = os->getClientAuthData;
ss->getClientAuthDataArg = os->getClientAuthDataArg;
@@ -411,7 +425,7 @@
ss->sniSocketConfig = os->sniSocketConfig;
ss->sniSocketConfigArg = os->sniSocketConfigArg;
ss->handleBadCert = os->handleBadCert;
-@@ -1730,6 +1734,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+@@ -1645,6 +1649,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
ss->getClientAuthData = sm->getClientAuthData;
if (sm->getClientAuthDataArg)
ss->getClientAuthDataArg = sm->getClientAuthDataArg;
@@ -424,7 +438,7 @@
if (sm->sniSocketConfig)
ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
-@@ -2980,6 +2990,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+@@ -2899,6 +2909,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
ss->sniSocketConfig = NULL;
ss->sniSocketConfigArg = NULL;
ss->getClientAuthData = NULL;
« no previous file with comments | « net/third_party/nss/patches/ciphersuiteversion.patch ('k') | net/third_party/nss/patches/didhandshakeresume.patch » ('j') | net/third_party/nss/ssl/ssl3con.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698