diff options
Diffstat (limited to 'chromium/net/third_party/nss/patches/clientauth.patch')
-rw-r--r-- | chromium/net/third_party/nss/patches/clientauth.patch | 100 |
1 files changed, 57 insertions, 43 deletions
diff --git a/chromium/net/third_party/nss/patches/clientauth.patch b/chromium/net/third_party/nss/patches/clientauth.patch index a2c7299c37a..92836763bc5 100644 --- a/chromium/net/third_party/nss/patches/clientauth.patch +++ b/chromium/net/third_party/nss/patches/clientauth.patch @@ -1,7 +1,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c ---- a/nss/lib/ssl/ssl3con.c 2013-07-31 12:31:45.326118409 -0700 -+++ b/nss/lib/ssl/ssl3con.c 2013-07-31 12:35:27.189373289 -0700 -@@ -2284,6 +2284,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID +--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:00.295082288 -0800 ++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:19.745405758 -0800 +@@ -2471,6 +2471,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID PRBool isPresent = PR_TRUE; /* we only care if we are doing client auth */ @@ -11,7 +11,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c if (!sid || !sid->u.ssl3.clAuthValid) { return PR_TRUE; } -@@ -5768,25 +5771,36 @@ ssl3_SendCertificateVerify(sslSocket *ss +@@ -6103,25 +6106,36 @@ ssl3_SendCertificateVerify(sslSocket *ss isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); @@ -65,7 +65,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c if (rv != SECSuccess) { goto done; /* err code was set by ssl3_SignHashes */ } -@@ -5870,6 +5884,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS +@@ -6200,6 +6214,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); ss->ssl3.clientPrivateKey = NULL; } @@ -78,7 +78,26 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); if (temp < 0) { -@@ -6496,6 +6516,10 @@ ssl3_HandleCertificateRequest(sslSocket +@@ -6827,6 +6847,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, + goto done; + } + ++#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) ++ /* If the key is in CAPI, assume conservatively that the CAPI service ++ * provider may be unable to sign SHA-256 hashes. ++ */ ++ if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { ++ /* CAPI only supports RSA and DSA signatures, so we don't need to ++ * check the key type. */ ++ *preferSha1 = PR_TRUE; ++ goto done; ++ } ++#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ ++ + /* If the key is a 1024-bit RSA or DSA key, assume conservatively that + * it may be unable to sign SHA-256 hashes. This is the case for older + * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and +@@ -6925,6 +6957,10 @@ ssl3_HandleCertificateRequest(sslSocket SECItem cert_types = {siBuffer, NULL, 0}; SECItem algorithms = {siBuffer, NULL, 0}; CERTDistNames ca_list; @@ -89,7 +108,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", SSL_GETPID(), ss->fd)); -@@ -6512,6 +6536,7 @@ ssl3_HandleCertificateRequest(sslSocket +@@ -6941,6 +6977,7 @@ ssl3_HandleCertificateRequest(sslSocket PORT_Assert(ss->ssl3.clientCertChain == NULL); PORT_Assert(ss->ssl3.clientCertificate == NULL); PORT_Assert(ss->ssl3.clientPrivateKey == NULL); @@ -97,7 +116,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); -@@ -6591,6 +6616,18 @@ ssl3_HandleCertificateRequest(sslSocket +@@ -7020,6 +7057,18 @@ ssl3_HandleCertificateRequest(sslSocket desc = no_certificate; ss->ssl3.hs.ws = wait_hello_done; @@ -116,7 +135,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c if (ss->getClientAuthData != NULL) { /* XXX Should pass cert_types and algorithms in this call!! */ rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, -@@ -6600,12 +6637,52 @@ ssl3_HandleCertificateRequest(sslSocket +@@ -7029,12 +7078,55 @@ ssl3_HandleCertificateRequest(sslSocket } else { rv = SECFailure; /* force it to send a no_certificate alert */ } @@ -163,13 +182,16 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c + } + goto send_no_certificate; + } ++ if (ss->ssl3.hs.hashType == handshake_hash_single) { ++ ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); ++ } + break; /* not an error */ + } +#endif /* NSS_PLATFORM_CLIENT_AUTH */ /* check what the callback function returned */ if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { /* we are missing either the key or cert */ -@@ -6668,6 +6745,10 @@ loser: +@@ -7096,6 +7188,10 @@ loser: done: if (arena != NULL) PORT_FreeArena(arena, PR_FALSE); @@ -180,7 +202,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c return rv; } -@@ -6749,7 +6830,8 @@ ssl3_SendClientSecondRound(sslSocket *ss +@@ -7213,7 +7309,8 @@ ssl3_SendClientSecondRound(sslSocket *ss sendClientCert = !ss->ssl3.sendEmptyCert && ss->ssl3.clientCertChain != NULL && @@ -188,9 +210,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c + (ss->ssl3.platformClientKey || + ss->ssl3.clientPrivateKey != NULL); - /* We must wait for the server's certificate to be authenticated before - * sending the client certificate in order to disclosing the client -@@ -11465,6 +11547,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) + if (!sendClientCert && + ss->ssl3.hs.hashType == handshake_hash_single && +@@ -12052,6 +12149,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) if (ss->ssl3.clientPrivateKey != NULL) SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); @@ -202,8 +224,8 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c if (ss->ssl3.peerCertArena != NULL) ssl3_CleanupPeerCerts(ss); diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c ---- a/nss/lib/ssl/ssl3ext.c 2013-07-31 12:07:10.964699464 -0700 -+++ b/nss/lib/ssl/ssl3ext.c 2013-07-31 12:35:27.189373289 -0700 +--- a/nss/lib/ssl/ssl3ext.c 2014-01-17 17:49:26.072517368 -0800 ++++ b/nss/lib/ssl/ssl3ext.c 2014-01-17 17:52:19.745405758 -0800 @@ -10,8 +10,8 @@ #include "nssrenam.h" #include "nss.h" @@ -215,9 +237,9 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c #ifdef NO_PKCS11_BYPASS #include "blapit.h" diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c ---- a/nss/lib/ssl/sslauth.c 2013-07-31 12:32:29.076760372 -0700 -+++ b/nss/lib/ssl/sslauth.c 2013-07-31 12:35:27.189373289 -0700 -@@ -219,6 +219,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, +--- a/nss/lib/ssl/sslauth.c 2014-01-17 17:49:26.072517368 -0800 ++++ b/nss/lib/ssl/sslauth.c 2014-01-17 17:52:19.755405924 -0800 +@@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, return SECSuccess; } @@ -247,9 +269,9 @@ diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c SECStatus SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h ---- a/nss/lib/ssl/ssl.h 2013-07-31 12:32:29.076760372 -0700 -+++ b/nss/lib/ssl/ssl.h 2013-07-31 12:35:27.199373436 -0700 -@@ -503,6 +503,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl +--- a/nss/lib/ssl/ssl.h 2014-01-17 17:49:26.062517203 -0800 ++++ b/nss/lib/ssl/ssl.h 2014-01-17 17:52:19.755405924 -0800 +@@ -533,6 +533,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, SSLGetClientAuthData f, void *a); @@ -299,8 +321,8 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h /* ** SNI extension processing callback function. diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h ---- a/nss/lib/ssl/sslimpl.h 2013-07-31 12:31:45.326118409 -0700 -+++ b/nss/lib/ssl/sslimpl.h 2013-07-31 12:35:27.199373436 -0700 +--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:00.295082288 -0800 ++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:19.755405924 -0800 @@ -20,6 +20,7 @@ #include "sslerr.h" #include "ssl3prot.h" @@ -325,9 +347,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h /* to make some of these old enums public without namespace pollution, ** it was necessary to prepend ssl_ to the names. ** These #defines preserve compatibility with the old code here in libssl. -@@ -444,6 +454,14 @@ typedef SECStatus (*SSLCompressor)(void - int inlen); - typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); +@@ -441,6 +451,14 @@ struct sslGatherStr { + #define GS_DATA 3 + #define GS_PAD 4 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) +typedef PCERT_KEY_CONTEXT PlatformKey; @@ -340,7 +362,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h /* -@@ -896,6 +914,10 @@ struct ssl3StateStr { +@@ -953,6 +971,10 @@ struct ssl3StateStr { CERTCertificate * clientCertificate; /* used by client */ SECKEYPrivateKey * clientPrivateKey; /* used by client */ @@ -351,7 +373,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h CERTCertificateList *clientCertChain; /* used by client */ PRBool sendEmptyCert; /* used by client */ -@@ -1153,6 +1175,10 @@ const unsigned char * preferredCipher; +@@ -1214,6 +1236,10 @@ const unsigned char * preferredCipher; void *authCertificateArg; SSLGetClientAuthData getClientAuthData; void *getClientAuthDataArg; @@ -362,15 +384,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h SSLSNISocketConfig sniSocketConfig; void *sniSocketConfigArg; SSLBadCertHandler handleBadCert; -@@ -1737,7 +1763,6 @@ extern void ssl_FreePRSocket(PRFileDesc - * various ciphers */ - extern int ssl3_config_match_init(sslSocket *); - -- - /* Create a new ref counted key pair object from two keys. */ - extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, - SECKEYPublicKey * pubKey); -@@ -1777,6 +1802,26 @@ extern SECStatus ssl_InitSessionCacheLoc +@@ -1852,6 +1878,26 @@ extern SECStatus ssl_InitSessionCacheLoc extern SECStatus ssl_FreeSessionCacheLocks(void); @@ -398,9 +412,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h /**************** DTLS-specific functions **************/ extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c ---- a/nss/lib/ssl/sslsock.c 2013-07-31 12:28:39.283413269 -0700 -+++ b/nss/lib/ssl/sslsock.c 2013-07-31 12:35:27.199373436 -0700 -@@ -343,6 +343,10 @@ ssl_DupSocket(sslSocket *os) +--- a/nss/lib/ssl/sslsock.c 2014-01-17 17:49:40.942764689 -0800 ++++ b/nss/lib/ssl/sslsock.c 2014-01-17 17:52:19.755405924 -0800 +@@ -263,6 +263,10 @@ ssl_DupSocket(sslSocket *os) ss->authCertificateArg = os->authCertificateArg; ss->getClientAuthData = os->getClientAuthData; ss->getClientAuthDataArg = os->getClientAuthDataArg; @@ -411,7 +425,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c ss->sniSocketConfig = os->sniSocketConfig; ss->sniSocketConfigArg = os->sniSocketConfigArg; ss->handleBadCert = os->handleBadCert; -@@ -1730,6 +1734,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile +@@ -1667,6 +1671,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile ss->getClientAuthData = sm->getClientAuthData; if (sm->getClientAuthDataArg) ss->getClientAuthDataArg = sm->getClientAuthDataArg; @@ -424,7 +438,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c if (sm->sniSocketConfig) ss->sniSocketConfig = sm->sniSocketConfig; if (sm->sniSocketConfigArg) -@@ -2980,6 +2990,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto +@@ -2921,6 +2931,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto ss->sniSocketConfig = NULL; ss->sniSocketConfigArg = NULL; ss->getClientAuthData = NULL; |