Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(424)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/patches/clientauth.patch

Issue 1511123006: Uprev NSS (in libssl) to NSS 3.21 (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Updated deps Created 5 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/third_party/nss/patches/cipherorder.patch ('k') | net/third_party/nss/patches/dh1024.patch » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/clientauth.patch
diff --git a/net/third_party/nss/patches/clientauth.patch b/net/third_party/nss/patches/clientauth.patch
index 83206b064e0179c896bfaa0ccd53c42c7d9f82eb..17539d16322037a175aa9a1679da2bd15519a3b0 100644
--- a/net/third_party/nss/patches/clientauth.patch
+++ b/net/third_party/nss/patches/clientauth.patch
@@ -1,8 +1,8 @@
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index 91a47a6..4e7d52e 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -543,6 +543,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
+diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h
+index 2a52769..48fa018 100644
+--- a/lib/ssl/ssl.h
++++ b/lib/ssl/ssl.h
+@@ -636,6 +636,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
SSLGetClientAuthData f, void *a);
@@ -51,11 +51,11 @@ index 91a47a6..4e7d52e 100644
/*
** SNI extension processing callback function.
-diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
-index 60af5b0..b9014ef 100644
---- a/ssl/ssl3con.c
-+++ b/ssl/ssl3con.c
-@@ -2503,6 +2503,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+index 9aaf601..cc193cd 100644
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -2530,6 +2530,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
PRBool isPresent = PR_TRUE;
/* we only care if we are doing client auth */
@@ -65,7 +65,7 @@ index 60af5b0..b9014ef 100644
if (!sid || !sid->u.ssl3.clAuthValid) {
return PR_TRUE;
}
-@@ -6178,25 +6181,36 @@ ssl3_SendCertificateVerify(sslSocket *ss)
+@@ -6352,25 +6355,36 @@ ssl3_SendCertificateVerify(sslSocket *ss)
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
@@ -119,7 +119,7 @@ index 60af5b0..b9014ef 100644
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_SignHashes */
}
-@@ -6275,6 +6289,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -6449,6 +6463,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
}
@@ -132,7 +132,7 @@ index 60af5b0..b9014ef 100644
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) {
-@@ -6904,6 +6924,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss,
+@@ -7109,6 +7129,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss,
goto done;
}
@@ -151,7 +151,7 @@ index 60af5b0..b9014ef 100644
/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
* it may be unable to sign SHA-256 hashes. This is the case for older
* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
-@@ -7002,6 +7034,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -7207,6 +7239,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
SECItem cert_types = {siBuffer, NULL, 0};
SECItem algorithms = {siBuffer, NULL, 0};
CERTDistNames ca_list;
@@ -162,7 +162,7 @@ index 60af5b0..b9014ef 100644
SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
SSL_GETPID(), ss->fd));
-@@ -7017,6 +7053,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -7222,6 +7258,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
PORT_Assert(ss->ssl3.clientCertChain == NULL);
PORT_Assert(ss->ssl3.clientCertificate == NULL);
PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
@@ -170,7 +170,7 @@ index 60af5b0..b9014ef 100644
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
-@@ -7096,6 +7133,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -7301,6 +7338,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
desc = no_certificate;
ss->ssl3.hs.ws = wait_hello_done;
@@ -187,9 +187,9 @@ index 60af5b0..b9014ef 100644
+ } else
+#endif
if (ss->getClientAuthData != NULL) {
- /* XXX Should pass cert_types and algorithms in this call!! */
- rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
-@@ -7105,12 +7154,55 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) ==
+ ssl_preinfo_all);
+@@ -7312,12 +7361,55 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
} else {
rv = SECFailure; /* force it to send a no_certificate alert */
}
@@ -245,7 +245,7 @@ index 60af5b0..b9014ef 100644
/* check what the callback function returned */
if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
/* we are missing either the key or cert */
-@@ -7172,6 +7264,10 @@ loser:
+@@ -7379,6 +7471,10 @@ loser:
done:
if (arena != NULL)
PORT_FreeArena(arena, PR_FALSE);
@@ -256,7 +256,7 @@ index 60af5b0..b9014ef 100644
return rv;
}
-@@ -7288,7 +7384,8 @@ ssl3_SendClientSecondRound(sslSocket *ss)
+@@ -7497,7 +7593,8 @@ ssl3_SendClientSecondRound(sslSocket *ss)
sendClientCert = !ss->ssl3.sendEmptyCert &&
ss->ssl3.clientCertChain != NULL &&
@@ -266,7 +266,7 @@ index 60af5b0..b9014ef 100644
if (!sendClientCert &&
ss->ssl3.hs.hashType == handshake_hash_single &&
-@@ -12148,6 +12245,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -12910,6 +13007,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
if (ss->ssl3.clientPrivateKey != NULL)
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
@@ -277,10 +277,10 @@ index 60af5b0..b9014ef 100644
if (ss->ssl3.peerCertArena != NULL)
ssl3_CleanupPeerCerts(ss);
-diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c
-index 28d21c4..0a2288a 100644
---- a/ssl/ssl3ext.c
-+++ b/ssl/ssl3ext.c
+diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c
+index cf04aba..5661a5c 100644
+--- a/lib/ssl/ssl3ext.c
++++ b/lib/ssl/ssl3ext.c
@@ -11,8 +11,8 @@
#include "nssrenam.h"
#include "nss.h"
@@ -291,10 +291,10 @@ index 28d21c4..0a2288a 100644
#include "pk11pub.h"
#ifdef NO_PKCS11_BYPASS
#include "blapit.h"
-diff --git a/ssl/sslauth.c b/ssl/sslauth.c
-index ed74d94..7f9c43b 100644
---- a/ssl/sslauth.c
-+++ b/ssl/sslauth.c
+diff --git a/lib/ssl/sslauth.c b/lib/ssl/sslauth.c
+index b144336..e6981f0 100644
+--- a/lib/ssl/sslauth.c
++++ b/lib/ssl/sslauth.c
@@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
return SECSuccess;
}
@@ -324,11 +324,11 @@ index ed74d94..7f9c43b 100644
/* NEED LOCKS IN HERE. */
SECStatus
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
-diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h
-index 086f6d2..bbc9bd2 100644
---- a/ssl/sslimpl.h
-+++ b/ssl/sslimpl.h
-@@ -20,6 +20,7 @@
+diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
+index 9dcc29e..94bb9f4 100644
+--- a/lib/ssl/sslimpl.h
++++ b/lib/ssl/sslimpl.h
+@@ -21,6 +21,7 @@
#include "sslerr.h"
#include "ssl3prot.h"
#include "hasht.h"
@@ -336,7 +336,7 @@ index 086f6d2..bbc9bd2 100644
#include "nssilock.h"
#include "pkcs11t.h"
#if defined(XP_UNIX) || defined(XP_BEOS)
-@@ -31,6 +32,15 @@
+@@ -32,6 +33,15 @@
#include "sslt.h" /* for some formerly private types, now public */
@@ -352,7 +352,7 @@ index 086f6d2..bbc9bd2 100644
/* to make some of these old enums public without namespace pollution,
** it was necessary to prepend ssl_ to the names.
** These #defines preserve compatibility with the old code here in libssl.
-@@ -443,6 +453,14 @@ struct sslGatherStr {
+@@ -453,6 +463,14 @@ struct sslGatherStr {
#define GS_DATA 3
#define GS_PAD 4
@@ -367,7 +367,7 @@ index 086f6d2..bbc9bd2 100644
/*
-@@ -961,6 +979,10 @@ struct ssl3StateStr {
+@@ -974,6 +992,10 @@ struct ssl3StateStr {
CERTCertificate * clientCertificate; /* used by client */
SECKEYPrivateKey * clientPrivateKey; /* used by client */
@@ -378,7 +378,7 @@ index 086f6d2..bbc9bd2 100644
CERTCertificateList *clientCertChain; /* used by client */
PRBool sendEmptyCert; /* used by client */
-@@ -1223,6 +1245,10 @@ const unsigned char * preferredCipher;
+@@ -1253,6 +1275,10 @@ const unsigned char * preferredCipher;
void *authCertificateArg;
SSLGetClientAuthData getClientAuthData;
void *getClientAuthDataArg;
@@ -389,7 +389,7 @@ index 086f6d2..bbc9bd2 100644
SSLSNISocketConfig sniSocketConfig;
void *sniSocketConfigArg;
SSLBadCertHandler handleBadCert;
-@@ -1863,6 +1889,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
+@@ -1896,6 +1922,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
extern SECStatus ssl_FreeSessionCacheLocks(void);
@@ -416,11 +416,11 @@ index 086f6d2..bbc9bd2 100644
/**************** DTLS-specific functions **************/
extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
-diff --git a/ssl/sslsock.c b/ssl/sslsock.c
-index 282bb85..6c09992 100644
---- a/ssl/sslsock.c
-+++ b/ssl/sslsock.c
-@@ -275,6 +275,10 @@ ssl_DupSocket(sslSocket *os)
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+index f735009..21754d6 100644
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -300,6 +300,10 @@ ssl_DupSocket(sslSocket *os)
ss->authCertificateArg = os->authCertificateArg;
ss->getClientAuthData = os->getClientAuthData;
ss->getClientAuthDataArg = os->getClientAuthDataArg;
@@ -431,7 +431,7 @@ index 282bb85..6c09992 100644
ss->sniSocketConfig = os->sniSocketConfig;
ss->sniSocketConfigArg = os->sniSocketConfigArg;
ss->handleBadCert = os->handleBadCert;
-@@ -1709,6 +1713,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
+@@ -1963,6 +1967,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
ss->getClientAuthData = sm->getClientAuthData;
if (sm->getClientAuthDataArg)
ss->getClientAuthDataArg = sm->getClientAuthDataArg;
@@ -444,7 +444,7 @@ index 282bb85..6c09992 100644
if (sm->sniSocketConfig)
ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
-@@ -2974,6 +2984,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
+@@ -3232,6 +3242,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
ss->sniSocketConfig = NULL;
ss->sniSocketConfigArg = NULL;
ss->getClientAuthData = NULL;
« no previous file with comments | « net/third_party/nss/patches/cipherorder.patch ('k') | net/third_party/nss/patches/dh1024.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698