Update the NSS patches. Add snapstart2.patch and peercertchain.patch.

Tweak sslimpl.h to eliminate one conflict when applying clientauth.patch.
Unfortunately one conflict in sslimpl.h and one conflict in ssl3con.c still
remain in clientauth.patch.

Add the applypatches.sh script to make it easier to apply the patches.

R=agl
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/6538005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@75311 0039d316-1c4b-4281-b951-d872f2087c98

6 files changed, 243 insertions, 32 deletions

diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index d1fa694..22df661 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -40,8 +40,12 @@ Patches:
 
   * Add Snap Start support
     patches/snapstart.patch
+    patches/snapstart2.patch
     http://tools.ietf.org/html/draft-agl-tls-snapstart-00
 
+  * Add the SSL_PeerCertificateChain function
+    patches/peercertchain.patch
+
   * Add OCSP stapling support
     patches/ocspstapling.patch
 
@@ -55,5 +59,8 @@ Patches:
     patches/clientauth.patch
     https://bugzilla.mozilla.org/show_bug.cgi?id=616757
 
+Apply the patches to NSS by running the patches/applypatches.sh script.  Read
+the comments at the top of patches/applypatches.sh for instructions.
+
 The ssl/bodge directory contains files taken from the NSS repo that we required
 for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
new file mode 100755
index 0000000..7bba438
--- /dev/null
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -0,0 +1,28 @@
+# Run this script in the mozilla/security/nss/lib directory in a NSS source
+# tree.
+#
+# Point patches_dir to the src/net/third_party/nss/patches directory in a
+# chromium source tree.
+patches_dir=/Users/wtc/chrome1/src/net/third_party/nss/patches
+
+patch -p5 < $patches_dir/nextproto.patch
+
+patch -p4 < $patches_dir/falsestart.patch
+patch -p4 < $patches_dir/falsestart2.patch
+
+patch -p5 < $patches_dir/versionskew.patch
+
+patch -p4 < $patches_dir/renegoscsv.patch
+
+patch -p4 < $patches_dir/cachecerts.patch
+
+patch -p4 < $patches_dir/weakserverkey.patch
+
+patch -p5 < $patches_dir/snapstart.patch
+patch -p3 < $patches_dir/snapstart2.patch
+
+patch -p3 < $patches_dir/peercertchain.patch
+
+patch -p4 < $patches_dir/ocspstapling.patch
+
+patch -p4 < $patches_dir/clientauth.patch
diff --git a/net/third_party/nss/patches/clientauth.patch b/net/third_party/nss/patches/clientauth.patch
index 5128566..30bf8cc 100644
--- a/net/third_party/nss/patches/clientauth.patch
+++ b/net/third_party/nss/patches/clientauth.patch
@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v
 retrieving revision 1.38
 diff -p -u -8 -r1.38 ssl.h
 --- mozilla/security/nss/lib/ssl/ssl.h	17 Feb 2010 02:29:07 -0000	1.38
-+++ mozilla/security/nss/lib/ssl/ssl.h	16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl.h	16 Feb 2011 23:30:37 -0000
 @@ -275,16 +275,49 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
   * and certificate.
   *	fd - the file descriptor for the connection in question
@@ -61,7 +61,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
 retrieving revision 1.142
 diff -p -u -8 -r1.142 ssl3con.c
 --- mozilla/security/nss/lib/ssl/ssl3con.c	24 Jun 2010 19:53:20 -0000	1.142
-+++ mozilla/security/nss/lib/ssl/ssl3con.c	16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl3con.c	16 Feb 2011 23:30:37 -0000
 @@ -2007,16 +2007,19 @@ ssl3_ComputeRecordMAC(
      	rv = SECFailure;
  	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
@@ -94,7 +94,7 @@ diff -p -u -8 -r1.142 ssl3con.c
 +#endif /* NSS_PLATFORM_CLIENT_AUTH */
  }
  
- static SECStatus
+ SECStatus
  ssl3_CompressMACEncryptRecord(sslSocket *        ss,
                                SSL3ContentType    type,
  		              const SSL3Opaque * pIn,
@@ -425,7 +425,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v
 retrieving revision 1.14
 diff -p -u -8 -r1.14 ssl3ext.c
 --- mozilla/security/nss/lib/ssl/ssl3ext.c	3 Apr 2010 19:19:07 -0000	1.14
-+++ mozilla/security/nss/lib/ssl/ssl3ext.c	16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl3ext.c	16 Feb 2011 23:30:37 -0000
 @@ -41,18 +41,18 @@
   * ***** END LICENSE BLOCK ***** */
  
@@ -452,7 +452,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v
 retrieving revision 1.16
 diff -p -u -8 -r1.16 sslauth.c
 --- mozilla/security/nss/lib/ssl/sslauth.c	20 Apr 2006 00:20:45 -0000	1.16
-+++ mozilla/security/nss/lib/ssl/sslauth.c	16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslauth.c	16 Feb 2011 23:30:37 -0000
 @@ -204,16 +204,38 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
  	return SECFailure;
      }
@@ -498,7 +498,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v
 retrieving revision 1.77
 diff -p -u -8 -r1.77 sslimpl.h
 --- mozilla/security/nss/lib/ssl/sslimpl.h	10 Feb 2010 00:33:50 -0000	1.77
-+++ mozilla/security/nss/lib/ssl/sslimpl.h	16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslimpl.h	16 Feb 2011 23:30:37 -0000
 @@ -60,16 +60,25 @@
  #if defined(XP_UNIX) || defined(XP_BEOS)
  #include "unistd.h"
@@ -525,14 +525,14 @@ diff -p -u -8 -r1.77 sslimpl.h
  typedef SSLMACAlgorithm SSL3MACAlgorithm;
  typedef SSLSignType     SSL3SignType;
  
-@@ -782,16 +791,25 @@ const ssl3CipherSuiteDef *suite_def;
- 	SSL3Hashes        sFinished[2];
- 	SSL3Opaque        data[72];
-     }                     finishedMsgs;
- #ifdef NSS_ENABLE_ECC
-     PRUint32              negotiatedECCurves; /* bit mask */
- #endif /* NSS_ENABLE_ECC */
- } SSL3HandshakeState;
+@@ -450,16 +459,26 @@ typedef SECStatus (*SSLCipher)(void *   
+ typedef SECStatus (*SSLCompressor)(void *               context,
+                                    unsigned char *      out,
+                                    int *                outlen,
+                                    int                  maxout,
+                                    const unsigned char *in,
+                                    int                  inlen);
+ typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +#if defined(XP_WIN32)
@@ -543,15 +543,16 @@ diff -p -u -8 -r1.77 sslimpl.h
 +typedef void *PlatformKey;
 +#endif
 +#endif
++
  
  
  /*
- ** This is the "ssl3" struct, as in "ss->ssl3".
- ** note:
- ** usually,   crSpec == cwSpec and prSpec == pwSpec.  
- ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
- ** But there are never more than 2 actual specs.  
-@@ -805,16 +823,19 @@ struct ssl3StateStr {
+ ** ssl3State and CipherSpec structs
+ */
+ 
+ /* The SSL bulk cipher definition */
+ typedef enum {
+@@ -805,16 +824,19 @@ struct ssl3StateStr {
      */
      ssl3CipherSpec *     crSpec; 	/* current read spec. */
      ssl3CipherSpec *     prSpec; 	/* pending read spec. */
@@ -571,7 +572,7 @@ diff -p -u -8 -r1.77 sslimpl.h
  			 * be either SSL_ALLOWED or SSL_RESTRICTED 
  			 */
      PRArenaPool *        peerCertArena;  
-@@ -1045,16 +1066,20 @@ const unsigned char *  preferredCipher;
+@@ -1045,16 +1067,20 @@ const unsigned char *  preferredCipher;
  
      ssl3KeyPair *         stepDownKeyPair;	/* RSA step down keys */
  
@@ -592,7 +593,7 @@ diff -p -u -8 -r1.77 sslimpl.h
      void                     *handshakeCallbackData;
      void                     *pkcs11PinArg;
  
-@@ -1587,16 +1612,36 @@ extern SECStatus SSL3_ShutdownServerCach
+@@ -1587,16 +1613,36 @@ extern SECStatus SSL3_ShutdownServerCach
  extern SECStatus ssl_InitSymWrapKeysLock(void);
  
  extern SECStatus ssl_FreeSymWrapKeysLock(void);
@@ -635,7 +636,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
 retrieving revision 1.67
 diff -p -u -8 -r1.67 sslsock.c
 --- mozilla/security/nss/lib/ssl/sslsock.c	25 Apr 2010 23:37:38 -0000	1.67
-+++ mozilla/security/nss/lib/ssl/sslsock.c	16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslsock.c	16 Feb 2011 23:30:37 -0000
 @@ -329,16 +329,20 @@ ssl_DupSocket(sslSocket *os)
  /*
   * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
diff --git a/net/third_party/nss/patches/peercertchain.patch b/net/third_party/nss/patches/peercertchain.patch
new file mode 100644
index 0000000..8973c4b
--- /dev/null
+++ b/net/third_party/nss/patches/peercertchain.patch
@@ -0,0 +1,81 @@
+Index: net/third_party/nss/ssl/ssl.h
+===================================================================
+--- net/third_party/nss/ssl/ssl.h	(revision 63749)
++++ net/third_party/nss/ssl/ssl.h	(revision 63750)
+@@ -273,6 +273,17 @@
+ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+ 
+ /*
++** Return references to the certificates presented by the SSL peer. On entry,
++** |*certs_size| must contain the size of the |certs| array. On successful
++** return, |*certs_size| contains the number of certificates available and
++** |certs| will contain references to as many certificates as would fit.
++** Therefore if, on exit, |*certs_size| contains a value less than, or equal to,
++** the entry value then all certificates were returned.
++*/
++SSL_IMPORT SECStatus SSL_PeerCertificateChain(
++	PRFileDesc *fd, CERTCertificate **certs, unsigned int *certs_size);
++
++/*
+ ** Authenticate certificate hook. Called when a certificate comes in
+ ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
+ ** certificate.
+Index: net/third_party/nss/ssl/sslauth.c
+===================================================================
+--- net/third_party/nss/ssl/sslauth.c	(revision 63749)
++++ net/third_party/nss/ssl/sslauth.c	(revision 63750)
+@@ -60,6 +60,42 @@
+ }
+ 
+ /* NEED LOCKS IN HERE.  */
++SECStatus
++SSL_PeerCertificateChain(PRFileDesc *fd, CERTCertificate **certs,
++			 unsigned int *certsSize)
++{
++    sslSocket *ss;
++    unsigned int inSize = *certsSize;
++    ssl3CertNode* cur;
++
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
++		 SSL_GETPID(), fd));
++	return SECFailure;
++    }
++    if (!ss->opt.useSecurity)
++	return SECFailure;
++
++    if (ss->sec.peerCert == NULL) {
++      *certsSize = 0;
++      return SECSuccess;
++    }
++
++    *certsSize = 1;  /* for the leaf certificate */
++    if (inSize > 0)
++	certs[0] = CERT_DupCertificate(ss->sec.peerCert);
++
++    for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
++	if (*certsSize < inSize)
++	    certs[*certsSize] = CERT_DupCertificate(cur->cert);
++	(*certsSize)++;
++    }
++
++    return SECSuccess;
++}
++
++/* NEED LOCKS IN HERE.  */
+ CERTCertificate *
+ SSL_LocalCertificate(PRFileDesc *fd)
+ {
+Index: net/third_party/nss/ssl/ssl.def
+===================================================================
+--- net/third_party/nss/ssl/ssl.def	(revision 63749)
++++ net/third_party/nss/ssl/ssl.def	(revision 63750)
+@@ -163,6 +163,7 @@
+ ;+    global:
+ SSL_GetPredictedServerHelloData;
+ SSL_GetSnapStartResult;
++SSL_PeerCertificateChain;
+ SSL_SetPredictedPeerCertificates;
+ SSL_SetPredictedServerHelloData;
+ SSL_SetSnapStartApplicationData;
diff --git a/net/third_party/nss/patches/snapstart2.patch b/net/third_party/nss/patches/snapstart2.patch
new file mode 100644
index 0000000..34ec562
--- /dev/null
+++ b/net/third_party/nss/patches/snapstart2.patch
@@ -0,0 +1,93 @@
+Index: net/third_party/nss/ssl/snapstart.c
+===================================================================
+--- net/third_party/nss/ssl/snapstart.c	(revision 64952)
++++ net/third_party/nss/ssl/snapstart.c	(revision 64953)
+@@ -48,10 +48,6 @@
+ 
+ /* TODO(agl): Add support for snap starting with compression. */
+ 
+-/* TODO(agl): Free snapStartApplicationData as soon as the handshake has
+-** completed.
+-*/
+-
+ #include "pk11pub.h"
+ #include "ssl.h"
+ #include "sslimpl.h"
+@@ -821,6 +817,7 @@
+         rv = ssl3_AppendSnapStartApplicationData(
+                  ss, ss->ssl3.snapStartApplicationData.data,
+                  ss->ssl3.snapStartApplicationData.len);
++        SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE);
+         if (rv != SECSuccess)
+             goto loser;
+     }
+@@ -1053,6 +1053,8 @@
+         ss->ssl3.hs.snapStartType = snap_start_resume_recovery;
+     }
+ 
++    ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT;
++
+     ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_TRUE/*freeSrvName*/);
+ 
+     return SECSuccess;
+Index: net/third_party/nss/ssl/ssl3con.c
+===================================================================
+--- net/third_party/nss/ssl/ssl3con.c	(revision 65946)
++++ net/third_party/nss/ssl/ssl3con.c	(revision 65947)
+@@ -5023,21 +5023,21 @@
+ 	goto alert_loser;
+     }
+ 
+-    if (!ss->ssl3.serverHelloPredictionData.data) {
+-        /* If this allocation fails it will only stop the application from
+-	 * recording the ServerHello information and performing future Snap
+-	 * Starts. */
+-	if (SECITEM_AllocItem(NULL, &ss->ssl3.serverHelloPredictionData,
+-			      length))
+-	    memcpy(ss->ssl3.serverHelloPredictionData.data, b, length);
+-	/* ss->ssl3.serverHelloPredictionDataValid is still false at this
+-	 * point. We have to record the contents of the ServerHello here
+-	 * because we don't have a pointer to the whole message when handling
+-	 * the extensions. However, we wait until the Snap Start extenion
+-	 * handler to recognise that the server supports Snap Start and to set
+-	 * serverHelloPredictionDataValid. */
+-    }
++    if (ss->ssl3.serverHelloPredictionData.data)
++	SECITEM_FreeItem(&ss->ssl3.serverHelloPredictionData, PR_FALSE);
+ 
++    /* If this allocation fails it will only stop the application from
++     * recording the ServerHello information and performing future Snap
++     * Starts. */
++    if (SECITEM_AllocItem(NULL, &ss->ssl3.serverHelloPredictionData, length))
++	memcpy(ss->ssl3.serverHelloPredictionData.data, b, length);
++    /* ss->ssl3.serverHelloPredictionDataValid is still false at this
++     * point. We have to record the contents of the ServerHello here
++     * because we don't have a pointer to the whole message when handling
++     * the extensions. However, we wait until the Snap Start extension
++     * handler to recognise that the server supports Snap Start and to set
++     * serverHelloPredictionDataValid. */
++
+     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+     if (temp < 0) {
+     	goto loser; 	/* alert has been sent */
+@@ -8366,20 +8366,6 @@
+ 	}
+     }
+ 
+-    if ((ss->ssl3.hs.snapStartType == snap_start_recovery ||
+-         ss->ssl3.hs.snapStartType == snap_start_resume_recovery) &&
+-	ss->ssl3.snapStartApplicationData.data) {
+-	/* In the event that the server ignored the application data in our
+-	 * snap start extension, we need to retransmit it now. */
+-	PRInt32 sent = ssl3_SendRecord(ss, content_application_data,
+-                                       ss->ssl3.snapStartApplicationData.data,
+-                                       ss->ssl3.snapStartApplicationData.len,
+-                                       flags);
+-	SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE);
+-	if (sent < 0)
+-	    return (SECStatus)sent;	/* error code set by ssl3_SendRecord */
+-    }
+-
+     return SECSuccess;
+ 
+ fail:
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 6c52d72..98847f0 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -473,6 +473,16 @@ typedef SECStatus (*SSLCompressor)(void *               context,
                                    int                  inlen);
 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
 
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+#if defined(XP_WIN32)
+typedef PCERT_KEY_CONTEXT PlatformKey;
+#elif defined(XP_MACOSX)
+typedef SecKeyRef PlatformKey;
+#else
+typedef void *PlatformKey;
+#endif
+#endif
+
 
 
 /*
@@ -834,15 +844,6 @@ const ssl3CipherSuiteDef *suite_def;
     PRBool                nextProtoNego;/* Our peer has sent this extension */
 } SSL3HandshakeState;
 
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-#if defined(XP_WIN32)
-typedef PCERT_KEY_CONTEXT PlatformKey;
-#elif defined(XP_MACOSX)
-typedef SecKeyRef PlatformKey;
-#else
-typedef void *PlatformKey;
-#endif
-#endif
 
 
 /*