author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-17 22:00:52 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-17 22:00:52 +0000 |
commit | a7a95be44281bbc0ffae6ad29133c57ccf2e4fc8 (patch) | |
tree | 59366576fe7c60745d0faa398298261a0fa8f824 /net/third_party | |
parent | 4a930eec2958cdf91c5577e98fd183fb2efbcc21 (diff) | |
Update the NSS patches. Add snapstart2.patch and peercertchain.patch.
Tweak sslimpl.h to eliminate one conflict when applying clientauth.patch.
Unfortunately one conflict in sslimpl.h and one conflict in ssl3con.c still
remain in clientauth.patch.
Add the applypatches.sh script to make it easier to apply the patches.
R=agl
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/6538005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@75311 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r-- | net/third_party/nss/README.chromium | 7 | ||||
-rwxr-xr-x | net/third_party/nss/patches/applypatches.sh | 28 | ||||
-rw-r--r-- | net/third_party/nss/patches/clientauth.patch | 47 | ||||
-rw-r--r-- | net/third_party/nss/patches/peercertchain.patch | 81 | ||||
-rw-r--r-- | net/third_party/nss/patches/snapstart2.patch | 93 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslimpl.h | 19 |
6 files changed, 243 insertions, 32 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index d1fa694..22df661 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -40,8 +40,12 @@ Patches: * Add Snap Start support patches/snapstart.patch + patches/snapstart2.patch http://tools.ietf.org/html/draft-agl-tls-snapstart-00 + * Add the SSL_PeerCertificateChain function + patches/peercertchain.patch + * Add OCSP stapling support patches/ocspstapling.patch
@@ -55,5 +59,8 @@ Patches: patches/clientauth.patch https://bugzilla.mozilla.org/show_bug.cgi?id=616757 +Apply the patches to NSS by running the patches/applypatches.sh script. Read +the comments at the top of patches/applypatches.sh for instructions. + The ssl/bodge directory contains files taken from the NSS repo that we required for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
new file mode 100755
index 0000000..7bba438
--- /dev/null
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -0,0 +1,28 @@
+# Run this script in the mozilla/security/nss/lib directory in a NSS source
+# tree.
+#
+# Point patches_dir to the src/net/third_party/nss/patches directory in a
+# chromium source tree.
+patches_dir=/Users/wtc/chrome1/src/net/third_party/nss/patches
+
+patch -p5 < $patches_dir/nextproto.patch
+
+patch -p4 < $patches_dir/falsestart.patch
+patch -p4 < $patches_dir/falsestart2.patch
+
+patch -p5 < $patches_dir/versionskew.patch
+
+patch -p4 < $patches_dir/renegoscsv.patch
+
+patch -p4 < $patches_dir/cachecerts.patch
+
+patch -p4 < $patches_dir/weakserverkey.patch
+
+patch -p5 < $patches_dir/snapstart.patch
+patch -p3 < $patches_dir/snapstart2.patch
+
+patch -p3 < $patches_dir/peercertchain.patch
+
+patch -p4 < $patches_dir/ocspstapling.patch
+
+patch -p4 < $patches_dir/clientauth.patch
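Review bot: applypatches.sh keeps going after a `patch` invocation fails, because none of the `patch -pN < ...` lines checks its exit status and the script has no `set -e`, so the two conflicts the commit message says still remain in clientauth.patch will leave rejected hunks behind without stopping the run. Adding `set -e` after the header comment (and a `#!/bin/sh` first line, since the file is created with mode 100755) makes the first failure abort. The `patches_dir=/Users/wtc/chrome1/src/net/third_party/nss/patches` default is one developer's checkout; deriving it from the script's own location, `patches_dir=$(cd "$(dirname "$0")" && pwd)`, works for every checkout, and the `$patches_dir` expansions should be quoted so a path containing spaces does not word-split.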
diff --git a/net/third_party/nss/patches/clientauth.patch b/net/third_party/nss/patches/clientauth.patch index 5128566..30bf8cc 100644 --- a/net/third_party/nss/patches/clientauth.patch +++ b/net/third_party/nss/patches/clientauth.patch @@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v retrieving revision 1.38 diff -p -u -8 -r1.38 ssl.h --- mozilla/security/nss/lib/ssl/ssl.h 17 Feb 2010 02:29:07 -0000 1.38 -+++ mozilla/security/nss/lib/ssl/ssl.h 16 Feb 2011 02:40:21 -0000 ++++ mozilla/security/nss/lib/ssl/ssl.h 16 Feb 2011 23:30:37 -0000 @@ -275,16 +275,49 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl * and certificate. * fd - the file descriptor for the connection in question @@ -61,7 +61,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v retrieving revision 1.142 diff -p -u -8 -r1.142 ssl3con.c --- mozilla/security/nss/lib/ssl/ssl3con.c 24 Jun 2010 19:53:20 -0000 1.142 -+++ mozilla/security/nss/lib/ssl/ssl3con.c 16 Feb 2011 02:40:21 -0000 ++++ mozilla/security/nss/lib/ssl/ssl3con.c 16 Feb 2011 23:30:37 -0000 @@ -2007,16 +2007,19 @@ ssl3_ComputeRecordMAC( rv = SECFailure; ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); @@ -94,7 +94,7 @@ diff -p -u -8 -r1.142 ssl3con.c +#endif /* NSS_PLATFORM_CLIENT_AUTH */ } - static SECStatus + SECStatus ssl3_CompressMACEncryptRecord(sslSocket * ss, SSL3ContentType type, const SSL3Opaque * pIn, @@ -425,7 +425,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v retrieving revision 1.14 diff -p -u -8 -r1.14 ssl3ext.c --- mozilla/security/nss/lib/ssl/ssl3ext.c 3 Apr 2010 19:19:07 -0000 1.14 -+++ mozilla/security/nss/lib/ssl/ssl3ext.c 16 Feb 2011 02:40:21 -0000 ++++ mozilla/security/nss/lib/ssl/ssl3ext.c 16 Feb 2011 23:30:37 -0000 @@ -41,18 +41,18 @@ * ***** END LICENSE BLOCK ***** */ 
@@ -452,7 +452,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v retrieving revision 1.16 diff -p -u -8 -r1.16 sslauth.c --- mozilla/security/nss/lib/ssl/sslauth.c 20 Apr 2006 00:20:45 -0000 1.16 -+++ mozilla/security/nss/lib/ssl/sslauth.c 16 Feb 2011 02:40:21 -0000 ++++ mozilla/security/nss/lib/ssl/sslauth.c 16 Feb 2011 23:30:37 -0000 @@ -204,16 +204,38 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, return SECFailure; } @@ -498,7 +498,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v retrieving revision 1.77 diff -p -u -8 -r1.77 sslimpl.h --- mozilla/security/nss/lib/ssl/sslimpl.h 10 Feb 2010 00:33:50 -0000 1.77 -+++ mozilla/security/nss/lib/ssl/sslimpl.h 16 Feb 2011 02:40:21 -0000 ++++ mozilla/security/nss/lib/ssl/sslimpl.h 16 Feb 2011 23:30:37 -0000 @@ -60,16 +60,25 @@ #if defined(XP_UNIX) || defined(XP_BEOS) #include "unistd.h" @@ -525,14 +525,14 @@ diff -p -u -8 -r1.77 sslimpl.h typedef SSLMACAlgorithm SSL3MACAlgorithm; typedef SSLSignType SSL3SignType; -@@ -782,16 +791,25 @@ const ssl3CipherSuiteDef *suite_def; - SSL3Hashes sFinished[2]; - SSL3Opaque data[72]; - } finishedMsgs; - #ifdef NSS_ENABLE_ECC - PRUint32 negotiatedECCurves; /* bit mask */ - #endif /* NSS_ENABLE_ECC */ - } SSL3HandshakeState; +@@ -450,16 +459,26 @@ typedef SECStatus (*SSLCipher)(void * + typedef SECStatus (*SSLCompressor)(void * context, + unsigned char * out, + int * outlen, + int maxout, + const unsigned char *in, + int inlen); + typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); +#ifdef NSS_PLATFORM_CLIENT_AUTH +#if defined(XP_WIN32) 
@@ -543,15 +543,16 @@ diff -p -u -8 -r1.77 sslimpl.h +typedef void *PlatformKey; +#endif +#endif ++ /* - ** This is the "ssl3" struct, as in "ss->ssl3". - ** note: - ** usually, crSpec == cwSpec and prSpec == pwSpec. - ** Sometimes, crSpec == pwSpec and prSpec == cwSpec. - ** But there are never more than 2 actual specs. -@@ -805,16 +823,19 @@ struct ssl3StateStr { + ** ssl3State and CipherSpec structs + */ + + /* The SSL bulk cipher definition */ + typedef enum { +@@ -805,16 +824,19 @@ struct ssl3StateStr { */ ssl3CipherSpec * crSpec; /* current read spec. */ ssl3CipherSpec * prSpec; /* pending read spec. */ @@ -571,7 +572,7 @@ diff -p -u -8 -r1.77 sslimpl.h * be either SSL_ALLOWED or SSL_RESTRICTED */ PRArenaPool * peerCertArena; -@@ -1045,16 +1066,20 @@ const unsigned char * preferredCipher; +@@ -1045,16 +1067,20 @@ const unsigned char * preferredCipher; ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */ @@ -592,7 +593,7 @@ diff -p -u -8 -r1.77 sslimpl.h void *handshakeCallbackData; void *pkcs11PinArg; -@@ -1587,16 +1612,36 @@ extern SECStatus SSL3_ShutdownServerCach +@@ -1587,16 +1613,36 @@ extern SECStatus SSL3_ShutdownServerCach extern SECStatus ssl_InitSymWrapKeysLock(void); extern SECStatus ssl_FreeSymWrapKeysLock(void); @@ -635,7 +636,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v retrieving revision 1.67 diff -p -u -8 -r1.67 sslsock.c --- mozilla/security/nss/lib/ssl/sslsock.c 25 Apr 2010 23:37:38 -0000 1.67 -+++ mozilla/security/nss/lib/ssl/sslsock.c 16 Feb 2011 02:40:21 -0000 ++++ mozilla/security/nss/lib/ssl/sslsock.c 16 Feb 2011 23:30:37 -0000 @@ -329,16 +329,20 @@ ssl_DupSocket(sslSocket *os) /* * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. diff --git a/net/third_party/nss/patches/peercertchain.patch b/net/third_party/nss/patches/peercertchain.patch new file mode 100644 index 0000000..8973c4b --- /dev/null +++ b/net/third_party/nss/patches/peercertchain.patch 
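Review bot: The `PlatformKey` typedef block that the `@@ -525,14` and `@@ -543,15` hunks relocate ahead of the ssl3State/CipherSpec section still carries no comment saying what a PlatformKey is or why each platform maps it to a different type, and the `typedef void *PlatformKey;` fallback means an NSS_PLATFORM_CLIENT_AUTH build on any platform other than Windows or Mac OS X compiles with an opaque handle that nothing on this page shows being backed by a native key type. A short comment above the block would close that gap, e.g. `/* PlatformKey: the platform-native private-key handle used when NSS_PLATFORM_CLIENT_AUTH is defined (PCERT_KEY_CONTEXT on Windows, SecKeyRef on Mac OS X); other platforms get only an opaque void *. */`. The two platform types presumably come from headers added higher in sslimpl.h by the `@@ -60,16` hunk of this patch, which is not quoted here, so that cannot be confirmed from this page. The same block is moved by the `@@ -473,6 +473,16` hunk of net/third_party/nss/ssl/sslimpl.h and the comment belongs there as well.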
@@ -0,0 +1,81 @@
+Index: net/third_party/nss/ssl/ssl.h
+===================================================================
+--- net/third_party/nss/ssl/ssl.h (revision 63749)
++++ net/third_party/nss/ssl/ssl.h (revision 63750)
+@@ -273,6 +273,17 @@
+ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+ 
+ /*
++** Return references to the certificates presented by the SSL peer. On entry,
++** |*certs_size| must contain the size of the |certs| array. On successful
++** return, |*certs_size| contains the number of certificates available and
++** |certs| will contain references to as many certificates as would fit.
++** Therefore if, on exit, |*certs_size| contains a value less than, or equal to,
++** the entry value then all certificates were returned.
++*/
++SSL_IMPORT SECStatus SSL_PeerCertificateChain(
++ PRFileDesc *fd, CERTCertificate **certs, unsigned int *certs_size);
++
++/*
+ ** Authenticate certificate hook. Called when a certificate comes in
+ ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
+ ** certificate.
+Index: net/third_party/nss/ssl/sslauth.c
+===================================================================
+--- net/third_party/nss/ssl/sslauth.c (revision 63749)
++++ net/third_party/nss/ssl/sslauth.c (revision 63750)
+@@ -60,6 +60,42 @@
+ }
+ 
+ /* NEED LOCKS IN HERE. */
++SECStatus
++SSL_PeerCertificateChain(PRFileDesc *fd, CERTCertificate **certs,
++ unsigned int *certsSize)
++{
++ sslSocket *ss;
++ unsigned int inSize = *certsSize;
++ ssl3CertNode* cur;
++
++ ss = ssl_FindSocket(fd);
++ if (!ss) {
++ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
++ SSL_GETPID(), fd));
++ return SECFailure;
++ }
++ if (!ss->opt.useSecurity)
++ return SECFailure;
++
++ if (ss->sec.peerCert == NULL) {
++ *certsSize = 0;
++ return SECSuccess;
++ }
++
++ *certsSize = 1; /* for the leaf certificate */
++ if (inSize > 0)
++ certs[0] = CERT_DupCertificate(ss->sec.peerCert);
++
++ for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
++ if (*certsSize < inSize)
++ certs[*certsSize] = CERT_DupCertificate(cur->cert);
++ (*certsSize)++;
++ }
++
++ return SECSuccess;
++}
++
++/* NEED LOCKS IN HERE. */
+ CERTCertificate *
+ SSL_LocalCertificate(PRFileDesc *fd)
+ {
+Index: net/third_party/nss/ssl/ssl.def
+===================================================================
+--- net/third_party/nss/ssl/ssl.def (revision 63749)
++++ net/third_party/nss/ssl/ssl.def (revision 63750)
+@@ -163,6 +163,7 @@
+ ;+ global:
+ SSL_GetPredictedServerHelloData;
+ SSL_GetSnapStartResult;
++SSL_PeerCertificateChain;
+ SSL_SetPredictedPeerCertificates;
+ SSL_SetPredictedServerHelloData;
+ SSL_SetSnapStartApplicationData;
diff --git a/net/third_party/nss/patches/snapstart2.patch b/net/third_party/nss/patches/snapstart2.patch
new file mode 100644
index 0000000..34ec562
--- /dev/null
+++ b/net/third_party/nss/patches/snapstart2.patch
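Review bot: The ssl.h comment on SSL_PeerCertificateChain says the entries are "references" but not that ownership passes to the caller; every slot is filled with CERT_DupCertificate(), so each returned pointer must be released with CERT_DestroyCertificate() or it leaks, and the comment should say so, e.g. `** The caller owns every returned reference and must release each one with CERT_DestroyCertificate().`. The body writes through |certs| whenever the entry value of |*certs_size| is non-zero, so the comment should also require |certs| to point at at least that many slots; a NULL |certs| with a non-zero size is dereferenced. Like SSL_PeerCertificate, the function reads ss->sec.peerCert and ss->ssl3.peerCertChain without taking the socket locks, which the inherited `NEED LOCKS IN HERE` comment already records, and the `!ss->opt.useSecurity` path returns SECFailure without setting an error code, which presumably mirrors the neighbouring functions but is worth confirming. The whole function lies inside this hunk.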
@@ -0,0 +1,93 @@
+Index: net/third_party/nss/ssl/snapstart.c
+===================================================================
+--- net/third_party/nss/ssl/snapstart.c (revision 64952)
++++ net/third_party/nss/ssl/snapstart.c (revision 64953)
+@@ -48,10 +48,6 @@
+ 
+ /* TODO(agl): Add support for snap starting with compression. */
+ 
+-/* TODO(agl): Free snapStartApplicationData as soon as the handshake has
+-** completed.
+-*/
+-
+ #include "pk11pub.h"
+ #include "ssl.h"
+ #include "sslimpl.h"
+@@ -821,6 +817,7 @@
+ rv = ssl3_AppendSnapStartApplicationData(
+ ss, ss->ssl3.snapStartApplicationData.data,
+ ss->ssl3.snapStartApplicationData.len);
++ SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE);
+ if (rv != SECSuccess)
+ goto loser;
+ }
+@@ -1053,6 +1053,8 @@
+ ss->ssl3.hs.snapStartType = snap_start_resume_recovery;
+ }
+ 
++ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT;
++
+ ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_TRUE/*freeSrvName*/);
+ 
+ return SECSuccess;
+Index: net/third_party/nss/ssl/ssl3con.c
+===================================================================
+--- net/third_party/nss/ssl/ssl3con.c (revision 65946)
++++ net/third_party/nss/ssl/ssl3con.c (revision 65947)
+@@ -5023,21 +5023,21 @@
+ goto alert_loser;
+ }
+ 
+- if (!ss->ssl3.serverHelloPredictionData.data) {
+- /* If this allocation fails it will only stop the application from
+- * recording the ServerHello information and performing future Snap
+- * Starts. */
+- if (SECITEM_AllocItem(NULL, &ss->ssl3.serverHelloPredictionData,
+- length))
+- memcpy(ss->ssl3.serverHelloPredictionData.data, b, length);
+- /* ss->ssl3.serverHelloPredictionDataValid is still false at this
+- * point. We have to record the contents of the ServerHello here
+- * because we don't have a pointer to the whole message when handling
+- * the extensions. However, we wait until the Snap Start extenion
+- * handler to recognise that the server supports Snap Start and to set
+- * serverHelloPredictionDataValid. */
+- }
++ if (ss->ssl3.serverHelloPredictionData.data)
++ SECITEM_FreeItem(&ss->ssl3.serverHelloPredictionData, PR_FALSE);
+ 
++ /* If this allocation fails it will only stop the application from
++ * recording the ServerHello information and performing future Snap
++ * Starts. */
++ if (SECITEM_AllocItem(NULL, &ss->ssl3.serverHelloPredictionData, length))
++ memcpy(ss->ssl3.serverHelloPredictionData.data, b, length);
++ /* ss->ssl3.serverHelloPredictionDataValid is still false at this
++ * point. We have to record the contents of the ServerHello here
++ * because we don't have a pointer to the whole message when handling
++ * the extensions. However, we wait until the Snap Start extension
++ * handler to recognise that the server supports Snap Start and to set
++ * serverHelloPredictionDataValid. */
++
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+ if (temp < 0) {
+ goto loser; /* alert has been sent */
+@@ -8366,20 +8366,6 @@
+ }
+ }
+ 
+- if ((ss->ssl3.hs.snapStartType == snap_start_recovery ||
+- ss->ssl3.hs.snapStartType == snap_start_resume_recovery) &&
+- ss->ssl3.snapStartApplicationData.data) {
+- /* In the event that the server ignored the application data in our
+- * snap start extension, we need to retransmit it now. */
+- PRInt32 sent = ssl3_SendRecord(ss, content_application_data,
+- ss->ssl3.snapStartApplicationData.data,
+- ss->ssl3.snapStartApplicationData.len,
+- flags);
+- SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE);
+- if (sent < 0)
+- return (SECStatus)sent; /* error code set by ssl3_SendRecord */
+- }
+-
+ return SECSuccess;
+ 
+ fail:
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 6c52d72..98847f0 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
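Review bot: Data handed in through SSL_SetSnapStartApplicationData can no longer reach the server after a recovery handshake, because the block removed by the `@@ -8366,20` hunk was the only path that resent it and the `@@ -821,6 +817,7` hunk now frees the buffer immediately after it is appended to the extension, so neither the new side nor this page shows who is responsible for that data when the server does not accept the Snap Start. If dropping it is the intended contract (the caller resends after observing a recovery), that should be stated next to SSL_SetSnapStartApplicationData in place of the TODO this patch deletes from the top of snapstart.c; if not, the item has to survive until the handshake outcome is known. The `ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT;` added in the `@@ -1053,6` hunk also deserves a one-line why-comment, e.g. `/* Any NPN result taken from the predicted ServerHello is void once we fall back to a full handshake. */`, since nothing nearby explains the reset. The enclosing functions in snapstart.c and ssl3con.c begin and end outside the quoted hunks.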
@@ -473,6 +473,16 @@ typedef SECStatus (*SSLCompressor)(void * context, int inlen); typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); +#ifdef NSS_PLATFORM_CLIENT_AUTH +#if defined(XP_WIN32) +typedef PCERT_KEY_CONTEXT PlatformKey; +#elif defined(XP_MACOSX) +typedef SecKeyRef PlatformKey; +#else +typedef void *PlatformKey; +#endif +#endif + /* @@ -834,15 +844,6 @@ const ssl3CipherSuiteDef *suite_def; PRBool nextProtoNego;/* Our peer has sent this extension */ } SSL3HandshakeState; -#ifdef NSS_PLATFORM_CLIENT_AUTH -#if defined(XP_WIN32) -typedef PCERT_KEY_CONTEXT PlatformKey; -#elif defined(XP_MACOSX) -typedef SecKeyRef PlatformKey; -#else -typedef void *PlatformKey; -#endif -#endif /* |