Diffstat (limited to 'chromium/net/third_party/nss/patches/clientauth.patch')
-rw-r--r--chromium/net/third_party/nss/patches/clientauth.patch100
1 files changed, 57 insertions, 43 deletions
diff --git a/chromium/net/third_party/nss/patches/clientauth.patch b/chromium/net/third_party/nss/patches/clientauth.patch
index a2c7299c37a..92836763bc5 100644
--- a/chromium/net/third_party/nss/patches/clientauth.patch
+++ b/chromium/net/third_party/nss/patches/clientauth.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2013-07-31 12:31:45.326118409 -0700
-+++ b/nss/lib/ssl/ssl3con.c 2013-07-31 12:35:27.189373289 -0700
-@@ -2284,6 +2284,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:00.295082288 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:19.745405758 -0800
+@@ -2471,6 +2471,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
PRBool isPresent = PR_TRUE;
/* we only care if we are doing client auth */
@@ -11,7 +11,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (!sid || !sid->u.ssl3.clAuthValid) {
return PR_TRUE;
}
-@@ -5768,25 +5771,36 @@ ssl3_SendCertificateVerify(sslSocket *ss
+@@ -6103,25 +6106,36 @@ ssl3_SendCertificateVerify(sslSocket *ss
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
@@ -65,7 +65,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_SignHashes */
}
-@@ -5870,6 +5884,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6200,6 +6214,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
}
@@ -78,7 +78,26 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) {
-@@ -6496,6 +6516,10 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -6827,6 +6847,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss,
+ goto done;
+ }
+
++#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32)
++ /* If the key is in CAPI, assume conservatively that the CAPI service
++ * provider may be unable to sign SHA-256 hashes.
++ */
++ if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
++ /* CAPI only supports RSA and DSA signatures, so we don't need to
++ * check the key type. */
++ *preferSha1 = PR_TRUE;
++ goto done;
++ }
++#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */
++
+ /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
+ * it may be unable to sign SHA-256 hashes. This is the case for older
+ * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
+@@ -6925,6 +6957,10 @@ ssl3_HandleCertificateRequest(sslSocket
SECItem cert_types = {siBuffer, NULL, 0};
SECItem algorithms = {siBuffer, NULL, 0};
CERTDistNames ca_list;
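Review bot: The new `_WIN32` block in ssl3_ExtractClientKeyInfo reads `ss->ssl3.platformClientKey->dwKeySpec` with no NULL check, while the ssl3_SendClientSecondRound hunk in this same patch tests `ss->ssl3.platformClientKey || ss->ssl3.clientPrivateKey != NULL`, which suggests the platform key can be NULL when an NSS private key is in use. If this function can be reached on that path (its callers are outside the hunk), the check dereferences NULL during the client-auth handshake; guarding it as `if (ss->ssl3.platformClientKey && ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {` would let that case fall through to the key-size test below. The block is also conditioned on `_WIN32`, whereas the `PlatformKey` typedef to `PCERT_KEY_CONTEXT` in sslimpl.h is conditioned on `XP_WIN32`; using the same macro in both places would rule out a build where the field access and the type disagree. The function's body starts and ends outside the hunk.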
@@ -89,7 +108,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
SSL_GETPID(), ss->fd));
-@@ -6512,6 +6536,7 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -6941,6 +6977,7 @@ ssl3_HandleCertificateRequest(sslSocket
PORT_Assert(ss->ssl3.clientCertChain == NULL);
PORT_Assert(ss->ssl3.clientCertificate == NULL);
PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
@@ -97,7 +116,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
-@@ -6591,6 +6616,18 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -7020,6 +7057,18 @@ ssl3_HandleCertificateRequest(sslSocket
desc = no_certificate;
ss->ssl3.hs.ws = wait_hello_done;
@@ -116,7 +135,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (ss->getClientAuthData != NULL) {
/* XXX Should pass cert_types and algorithms in this call!! */
rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
-@@ -6600,12 +6637,52 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -7029,12 +7078,55 @@ ssl3_HandleCertificateRequest(sslSocket
} else {
rv = SECFailure; /* force it to send a no_certificate alert */
}
@@ -163,13 +182,16 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
+ }
+ goto send_no_certificate;
+ }
++ if (ss->ssl3.hs.hashType == handshake_hash_single) {
++ ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
++ }
+ break; /* not an error */
+ }
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
/* check what the callback function returned */
if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
/* we are missing either the key or cert */
-@@ -6668,6 +6745,10 @@ loser:
+@@ -7096,6 +7188,10 @@ loser:
done:
if (arena != NULL)
PORT_FreeArena(arena, PR_FALSE);
@@ -180,7 +202,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
return rv;
}
-@@ -6749,7 +6830,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7213,7 +7309,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
sendClientCert = !ss->ssl3.sendEmptyCert &&
ss->ssl3.clientCertChain != NULL &&
@@ -188,9 +210,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
+ (ss->ssl3.platformClientKey ||
+ ss->ssl3.clientPrivateKey != NULL);
- /* We must wait for the server's certificate to be authenticated before
- * sending the client certificate in order to disclosing the client
-@@ -11465,6 +11547,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+ if (!sendClientCert &&
+ ss->ssl3.hs.hashType == handshake_hash_single &&
+@@ -12052,6 +12149,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
if (ss->ssl3.clientPrivateKey != NULL)
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
@@ -202,8 +224,8 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (ss->ssl3.peerCertArena != NULL)
ssl3_CleanupPeerCerts(ss);
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2013-07-31 12:07:10.964699464 -0700
-+++ b/nss/lib/ssl/ssl3ext.c 2013-07-31 12:35:27.189373289 -0700
+--- a/nss/lib/ssl/ssl3ext.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/ssl3ext.c 2014-01-17 17:52:19.745405758 -0800
@@ -10,8 +10,8 @@
#include "nssrenam.h"
#include "nss.h"
@@ -215,9 +237,9 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
#ifdef NO_PKCS11_BYPASS
#include "blapit.h"
diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
---- a/nss/lib/ssl/sslauth.c 2013-07-31 12:32:29.076760372 -0700
-+++ b/nss/lib/ssl/sslauth.c 2013-07-31 12:35:27.189373289 -0700
-@@ -219,6 +219,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
+--- a/nss/lib/ssl/sslauth.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslauth.c 2014-01-17 17:52:19.755405924 -0800
+@@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
return SECSuccess;
}
@@ -247,9 +269,9 @@ diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
SECStatus
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2013-07-31 12:32:29.076760372 -0700
-+++ b/nss/lib/ssl/ssl.h 2013-07-31 12:35:27.199373436 -0700
-@@ -503,6 +503,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
+--- a/nss/lib/ssl/ssl.h 2014-01-17 17:49:26.062517203 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 17:52:19.755405924 -0800
+@@ -533,6 +533,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
SSLGetClientAuthData f, void *a);
@@ -299,8 +321,8 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
/*
** SNI extension processing callback function.
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2013-07-31 12:31:45.326118409 -0700
-+++ b/nss/lib/ssl/sslimpl.h 2013-07-31 12:35:27.199373436 -0700
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:00.295082288 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:19.755405924 -0800
@@ -20,6 +20,7 @@
#include "sslerr.h"
#include "ssl3prot.h"
@@ -325,9 +347,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/* to make some of these old enums public without namespace pollution,
** it was necessary to prepend ssl_ to the names.
** These #defines preserve compatibility with the old code here in libssl.
-@@ -444,6 +454,14 @@ typedef SECStatus (*SSLCompressor)(void
- int inlen);
- typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
+@@ -441,6 +451,14 @@ struct sslGatherStr {
+ #define GS_DATA 3
+ #define GS_PAD 4
+#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
+typedef PCERT_KEY_CONTEXT PlatformKey;
@@ -340,7 +362,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/*
-@@ -896,6 +914,10 @@ struct ssl3StateStr {
+@@ -953,6 +971,10 @@ struct ssl3StateStr {
CERTCertificate * clientCertificate; /* used by client */
SECKEYPrivateKey * clientPrivateKey; /* used by client */
@@ -351,7 +373,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
CERTCertificateList *clientCertChain; /* used by client */
PRBool sendEmptyCert; /* used by client */
-@@ -1153,6 +1175,10 @@ const unsigned char * preferredCipher;
+@@ -1214,6 +1236,10 @@ const unsigned char * preferredCipher;
void *authCertificateArg;
SSLGetClientAuthData getClientAuthData;
void *getClientAuthDataArg;
@@ -362,15 +384,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
SSLSNISocketConfig sniSocketConfig;
void *sniSocketConfigArg;
SSLBadCertHandler handleBadCert;
-@@ -1737,7 +1763,6 @@ extern void ssl_FreePRSocket(PRFileDesc
- * various ciphers */
- extern int ssl3_config_match_init(sslSocket *);
-
--
- /* Create a new ref counted key pair object from two keys. */
- extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
- SECKEYPublicKey * pubKey);
-@@ -1777,6 +1802,26 @@ extern SECStatus ssl_InitSessionCacheLoc
+@@ -1852,6 +1878,26 @@ extern SECStatus ssl_InitSessionCacheLoc
extern SECStatus ssl_FreeSessionCacheLocks(void);
@@ -398,9 +412,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/**************** DTLS-specific functions **************/
extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2013-07-31 12:28:39.283413269 -0700
-+++ b/nss/lib/ssl/sslsock.c 2013-07-31 12:35:27.199373436 -0700
-@@ -343,6 +343,10 @@ ssl_DupSocket(sslSocket *os)
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 17:49:40.942764689 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 17:52:19.755405924 -0800
+@@ -263,6 +263,10 @@ ssl_DupSocket(sslSocket *os)
ss->authCertificateArg = os->authCertificateArg;
ss->getClientAuthData = os->getClientAuthData;
ss->getClientAuthDataArg = os->getClientAuthDataArg;
@@ -411,7 +425,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
ss->sniSocketConfig = os->sniSocketConfig;
ss->sniSocketConfigArg = os->sniSocketConfigArg;
ss->handleBadCert = os->handleBadCert;
-@@ -1730,6 +1734,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+@@ -1667,6 +1671,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
ss->getClientAuthData = sm->getClientAuthData;
if (sm->getClientAuthDataArg)
ss->getClientAuthDataArg = sm->getClientAuthDataArg;
@@ -424,7 +438,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
if (sm->sniSocketConfig)
ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
-@@ -2980,6 +2990,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+@@ -2921,6 +2931,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
ss->sniSocketConfig = NULL;
ss->sniSocketConfigArg = NULL;
ss->getClientAuthData = NULL;