Diffstat (limited to 'net/third_party/nss/patches/restartclientauth.patch')
-rw-r--r-- | net/third_party/nss/patches/restartclientauth.patch | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/net/third_party/nss/patches/restartclientauth.patch b/net/third_party/nss/patches/restartclientauth.patch
new file mode 100644
index 0000000..736428d
--- /dev/null
+++ b/net/third_party/nss/patches/restartclientauth.patch
@@ -0,0 +1,149 @@
+Index: mozilla/security/nss/lib/ssl/ssl.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v
+retrieving revision 1.38.2.4
+diff -u -p -r1.38.2.4 ssl.h
+--- mozilla/security/nss/lib/ssl/ssl.h 8 Apr 2011 05:44:32 -0000 1.38.2.4
++++ mozilla/security/nss/lib/ssl/ssl.h 17 Aug 2011 18:13:58 -0000
+@@ -220,6 +220,11 @@ SSL_IMPORT SECStatus SSL_ForceHandshake(
+ SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
+ PRIntervalTime timeout);
+ 
++SSL_IMPORT SECStatus SSL_RestartHandshakeAfterCertReq(PRFileDesc *fd,
++ CERTCertificate *cert,
++ SECKEYPrivateKey *key,
++ CERTCertificateList *certChain);
++
+ /*
+ ** Query security status of socket. *on is set to one if security is
+ ** enabled. *keySize will contain the stream key size used. *issuer will
+Index: mozilla/security/nss/lib/ssl/ssl3con.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
+retrieving revision 1.142.2.5
+diff -u -p -r1.142.2.5 ssl3con.c
+--- mozilla/security/nss/lib/ssl/ssl3con.c 25 Jan 2011 01:49:22 -0000 1.142.2.5
++++ mozilla/security/nss/lib/ssl/ssl3con.c 17 Aug 2011 18:13:58 -0000
+@@ -5621,9 +5621,10 @@ done:
+ * reference count. The caller should drop its reference
+ * without calling CERT_DestroyCert after calling this function.
+ *
+- * key Private key associated with cert. This function makes a
+- * copy of the private key, so the caller remains responsible
+- * for destroying its copy after this function returns.
++ * key Private key associated with cert. This function takes
++ * ownership of the private key, so the caller should drop its
++ * reference without destroying the private key after this
++ * function returns.
+ *
+ * certChain DER-encoded certs, client cert and its signers.
+ * Note: ssl takes this reference, and does not copy the chain.
+@@ -5652,12 +5653,27 @@ ssl3_RestartHandshakeAfterCertReq(sslSoc
+ if (ss->handshake != 0) {
+ ss->handshake = ssl_GatherRecord1stHandshake;
+ ss->ssl3.clientCertificate = cert;
++ ss->ssl3.clientPrivateKey = key;
+ ss->ssl3.clientCertChain = certChain;
+- if (key == NULL) {
+- (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
+- ss->ssl3.clientPrivateKey = NULL;
+- } else {
+- ss->ssl3.clientPrivateKey = SECKEY_CopyPrivateKey(key);
++ if (!cert || !key || !certChain) {
++ /* we are missing the key, cert, or cert chain */
++ if (ss->ssl3.clientCertificate) {
++ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
++ ss->ssl3.clientCertificate = NULL;
++ }
++ if (ss->ssl3.clientPrivateKey) {
++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++ ss->ssl3.clientPrivateKey = NULL;
++ }
++ if (ss->ssl3.clientCertChain != NULL) {
++ CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
++ ss->ssl3.clientCertChain = NULL;
++ }
++ if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) {
++ ss->ssl3.sendEmptyCert = PR_TRUE;
++ } else {
++ (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
++ }
+ }
+ ssl_GetRecvBufLock(ss);
+ if (ss->ssl3.hs.msgState.buf != NULL) {
+Index: mozilla/security/nss/lib/ssl/sslimpl.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v
+retrieving revision 1.77.2.2
+diff -u -p -r1.77.2.2 sslimpl.h
+--- mozilla/security/nss/lib/ssl/sslimpl.h 16 Mar 2011 18:55:38 -0000 1.77.2.2
++++ mozilla/security/nss/lib/ssl/sslimpl.h 17 Aug 2011 18:13:58 -0000
+@@ -1310,10 +1310,6 @@ extern SECStatus ssl3_MasterKeyDeriveBy
+ 
+ extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
+ extern int SSL_RestartHandshakeAfterServerCert(struct sslSocketStr *ss);
+-extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
+- CERTCertificate *cert,
+- SECKEYPrivateKey *key,
+- CERTCertificateList *certChain);
+ extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
+ extern void ssl_FreeSocket(struct sslSocketStr *ssl);
+ extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
+Index: mozilla/security/nss/lib/ssl/sslsecur.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsecur.c,v
+retrieving revision 1.43.2.4
+diff -u -p -r1.43.2.4 sslsecur.c
+--- mozilla/security/nss/lib/ssl/sslsecur.c 8 Apr 2011 05:25:21 -0000 1.43.2.4
++++ mozilla/security/nss/lib/ssl/sslsecur.c 17 Aug 2011 18:13:58 -0000
+@@ -1453,11 +1453,13 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERT
+ * cert Client cert chosen by application.
+ * Note: ssl takes this reference, and does not bump the
+ * reference count. The caller should drop its reference
+- * without calling CERT_DestroyCert after calling this function.
++ * without calling CERT_DestroyCertificate after calling this
++ * function.
+ *
+- * key Private key associated with cert. This function makes a
+- * copy of the private key, so the caller remains responsible
+- * for destroying its copy after this function returns.
++ * key Private key associated with cert. This function takes
++ * ownership of the private key, so the caller should drop its
++ * reference without destroying the private key after this
++ * function returns.
+ *
+ * certChain Chain of signers for cert.
+ * Note: ssl takes this reference, and does not copy the chain.
+@@ -1469,19 +1471,29 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERT
+ * XXX This code only works on the initial handshake on a connection, XXX
+ * It does not work on a subsequent handshake (redo).
+ */
+-int
+-SSL_RestartHandshakeAfterCertReq(sslSocket * ss,
++SECStatus
++SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd,
+ CERTCertificate * cert,
+ SECKEYPrivateKey * key,
+ CERTCertificateList *certChain)
+ {
+- int ret;
++ sslSocket * ss = ssl_FindSocket(fd);
++ SECStatus ret;
++
++ if (!ss) {
++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RestartHandshakeAfterCertReq",
++ SSL_GETPID(), fd));
++ return SECFailure;
++ }
+ 
+ ssl_Get1stHandshakeLock(ss); /************************************/
+ 
+ if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+ ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
+ } else {
++ if (certChain != NULL) {
++ CERT_DestroyCertificateList(certChain);
++ }
+ ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
+ }
+ 
|
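Review bot: The new bad-socket early return in SSL_RestartHandshakeAfterCertReq (the `if (!ss)` block in the sslsecur.c hunk) leaks cert, key and certChain: the same patch rewrites the header comment to say the function now takes ownership of all three and that the caller must not destroy them, so on this path nothing releases them. The SSL2 branch frees certChain but hands cert and key to ssl2_RestartHandshakeAfterCertReq, and the `ss->handshake == 0` branch of ssl3_RestartHandshakeAfterCertReq lies outside the hunk, so whether those paths honour the new ownership contract cannot be confirmed from here and is worth checking for the same leak. Releasing the three objects before `return SECFailure`, NULL-guarded the way the ssl3con.c hunk does it, closes the visible case. Both functions continue outside the hunk.
```c
    if (!ss) {
        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RestartHandshakeAfterCertReq",
                 SSL_GETPID(), fd));
        /* We own cert, key and certChain per the header comment; the caller
         * will not destroy them, so release them on this error path too. */
        if (cert) {
            CERT_DestroyCertificate(cert);
        }
        if (key) {
            SECKEY_DestroyPrivateKey(key);
        }
        if (certChain) {
            CERT_DestroyCertificateList(certChain);
        }
        return SECFailure;
    }
    /* … unchanged: handshake lock, SSL3/SSL2 dispatch … */
```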