Diffstat (limited to 'net/third_party')
-rw-r--r--net/third_party/nss/README.chromium7
-rwxr-xr-xnet/third_party/nss/patches/applypatches.sh28
-rw-r--r--net/third_party/nss/patches/clientauth.patch47
-rw-r--r--net/third_party/nss/patches/peercertchain.patch81
-rw-r--r--net/third_party/nss/patches/snapstart2.patch93
-rw-r--r--net/third_party/nss/ssl/sslimpl.h19
6 files changed, 243 insertions, 32 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index d1fa694..22df661 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -40,8 +40,12 @@ Patches:
* Add Snap Start support
patches/snapstart.patch
+ patches/snapstart2.patch
http://tools.ietf.org/html/draft-agl-tls-snapstart-00
+ * Add the SSL_PeerCertificateChain function
+ patches/peercertchain.patch
+
* Add OCSP stapling support
patches/ocspstapling.patch
@@ -55,5 +59,8 @@ Patches:
patches/clientauth.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=616757
+Apply the patches to NSS by running the patches/applypatches.sh script. Read
+the comments at the top of patches/applypatches.sh for instructions.
+
The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
new file mode 100755
index 0000000..7bba438
--- /dev/null
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -0,0 +1,28 @@
+# Run this script in the mozilla/security/nss/lib directory in a NSS source
+# tree.
+#
+# Point patches_dir to the src/net/third_party/nss/patches directory in a
+# chromium source tree.
+patches_dir=/Users/wtc/chrome1/src/net/third_party/nss/patches
+
+patch -p5 < $patches_dir/nextproto.patch
+
+patch -p4 < $patches_dir/falsestart.patch
+patch -p4 < $patches_dir/falsestart2.patch
+
+patch -p5 < $patches_dir/versionskew.patch
+
+patch -p4 < $patches_dir/renegoscsv.patch
+
+patch -p4 < $patches_dir/cachecerts.patch
+
+patch -p4 < $patches_dir/weakserverkey.patch
+
+patch -p5 < $patches_dir/snapstart.patch
+patch -p3 < $patches_dir/snapstart2.patch
+
+patch -p3 < $patches_dir/peercertchain.patch
+
+patch -p4 < $patches_dir/ocspstapling.patch
+
+patch -p4 < $patches_dir/clientauth.patch
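Review bot: None of the `patch` invocations check their exit status and the script has no `set -e`, so a rejected hunk (the kind of offset skew this same commit is fixing in clientauth.patch) only prints an error while every later patch still applies, leaving an NSS tree that silently lacks one of the security patches listed here. The hard-coded `/Users/wtc/chrome1/...` path on the `patches_dir` line means anyone else running this must edit the script, and the unquoted `$patches_dir` breaks on paths containing spaces. I would start the file with `#!/bin/sh`, `set -e` and `patches_dir="${1:?usage: applypatches.sh /path/to/src/net/third_party/nss/patches}"`, and quote `"$patches_dir"` at each use, so that the first failing patch stops the run.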
diff --git a/net/third_party/nss/patches/clientauth.patch b/net/third_party/nss/patches/clientauth.patch
index 5128566..30bf8cc 100644
--- a/net/third_party/nss/patches/clientauth.patch
+++ b/net/third_party/nss/patches/clientauth.patch
@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v
retrieving revision 1.38
diff -p -u -8 -r1.38 ssl.h
--- mozilla/security/nss/lib/ssl/ssl.h 17 Feb 2010 02:29:07 -0000 1.38
-+++ mozilla/security/nss/lib/ssl/ssl.h 16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl.h 16 Feb 2011 23:30:37 -0000
@@ -275,16 +275,49 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
* and certificate.
* fd - the file descriptor for the connection in question
@@ -61,7 +61,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
retrieving revision 1.142
diff -p -u -8 -r1.142 ssl3con.c
--- mozilla/security/nss/lib/ssl/ssl3con.c 24 Jun 2010 19:53:20 -0000 1.142
-+++ mozilla/security/nss/lib/ssl/ssl3con.c 16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl3con.c 16 Feb 2011 23:30:37 -0000
@@ -2007,16 +2007,19 @@ ssl3_ComputeRecordMAC(
rv = SECFailure;
ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
@@ -94,7 +94,7 @@ diff -p -u -8 -r1.142 ssl3con.c
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
}
- static SECStatus
+ SECStatus
ssl3_CompressMACEncryptRecord(sslSocket * ss,
SSL3ContentType type,
const SSL3Opaque * pIn,
@@ -425,7 +425,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v
retrieving revision 1.14
diff -p -u -8 -r1.14 ssl3ext.c
--- mozilla/security/nss/lib/ssl/ssl3ext.c 3 Apr 2010 19:19:07 -0000 1.14
-+++ mozilla/security/nss/lib/ssl/ssl3ext.c 16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl3ext.c 16 Feb 2011 23:30:37 -0000
@@ -41,18 +41,18 @@
* ***** END LICENSE BLOCK ***** */
@@ -452,7 +452,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v
retrieving revision 1.16
diff -p -u -8 -r1.16 sslauth.c
--- mozilla/security/nss/lib/ssl/sslauth.c 20 Apr 2006 00:20:45 -0000 1.16
-+++ mozilla/security/nss/lib/ssl/sslauth.c 16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslauth.c 16 Feb 2011 23:30:37 -0000
@@ -204,16 +204,38 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
return SECFailure;
}
@@ -498,7 +498,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v
retrieving revision 1.77
diff -p -u -8 -r1.77 sslimpl.h
--- mozilla/security/nss/lib/ssl/sslimpl.h 10 Feb 2010 00:33:50 -0000 1.77
-+++ mozilla/security/nss/lib/ssl/sslimpl.h 16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslimpl.h 16 Feb 2011 23:30:37 -0000
@@ -60,16 +60,25 @@
#if defined(XP_UNIX) || defined(XP_BEOS)
#include "unistd.h"
@@ -525,14 +525,14 @@ diff -p -u -8 -r1.77 sslimpl.h
typedef SSLMACAlgorithm SSL3MACAlgorithm;
typedef SSLSignType SSL3SignType;
-@@ -782,16 +791,25 @@ const ssl3CipherSuiteDef *suite_def;
- SSL3Hashes sFinished[2];
- SSL3Opaque data[72];
- } finishedMsgs;
- #ifdef NSS_ENABLE_ECC
- PRUint32 negotiatedECCurves; /* bit mask */
- #endif /* NSS_ENABLE_ECC */
- } SSL3HandshakeState;
+@@ -450,16 +459,26 @@ typedef SECStatus (*SSLCipher)(void *
+ typedef SECStatus (*SSLCompressor)(void * context,
+ unsigned char * out,
+ int * outlen,
+ int maxout,
+ const unsigned char *in,
+ int inlen);
+ typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+#if defined(XP_WIN32)
@@ -543,15 +543,16 @@ diff -p -u -8 -r1.77 sslimpl.h
+typedef void *PlatformKey;
+#endif
+#endif
++
/*
- ** This is the "ssl3" struct, as in "ss->ssl3".
- ** note:
- ** usually, crSpec == cwSpec and prSpec == pwSpec.
- ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
- ** But there are never more than 2 actual specs.
-@@ -805,16 +823,19 @@ struct ssl3StateStr {
+ ** ssl3State and CipherSpec structs
+ */
+
+ /* The SSL bulk cipher definition */
+ typedef enum {
+@@ -805,16 +824,19 @@ struct ssl3StateStr {
*/
ssl3CipherSpec * crSpec; /* current read spec. */
ssl3CipherSpec * prSpec; /* pending read spec. */
@@ -571,7 +572,7 @@ diff -p -u -8 -r1.77 sslimpl.h
* be either SSL_ALLOWED or SSL_RESTRICTED
*/
PRArenaPool * peerCertArena;
-@@ -1045,16 +1066,20 @@ const unsigned char * preferredCipher;
+@@ -1045,16 +1067,20 @@ const unsigned char * preferredCipher;
ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
@@ -592,7 +593,7 @@ diff -p -u -8 -r1.77 sslimpl.h
void *handshakeCallbackData;
void *pkcs11PinArg;
-@@ -1587,16 +1612,36 @@ extern SECStatus SSL3_ShutdownServerCach
+@@ -1587,16 +1613,36 @@ extern SECStatus SSL3_ShutdownServerCach
extern SECStatus ssl_InitSymWrapKeysLock(void);
extern SECStatus ssl_FreeSymWrapKeysLock(void);
@@ -635,7 +636,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
retrieving revision 1.67
diff -p -u -8 -r1.67 sslsock.c
--- mozilla/security/nss/lib/ssl/sslsock.c 25 Apr 2010 23:37:38 -0000 1.67
-+++ mozilla/security/nss/lib/ssl/sslsock.c 16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslsock.c 16 Feb 2011 23:30:37 -0000
@@ -329,16 +329,20 @@ ssl_DupSocket(sslSocket *os)
/*
* XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
diff --git a/net/third_party/nss/patches/peercertchain.patch b/net/third_party/nss/patches/peercertchain.patch
new file mode 100644
index 0000000..8973c4b
--- /dev/null
+++ b/net/third_party/nss/patches/peercertchain.patch
@@ -0,0 +1,81 @@
+Index: net/third_party/nss/ssl/ssl.h
+===================================================================
+--- net/third_party/nss/ssl/ssl.h (revision 63749)
++++ net/third_party/nss/ssl/ssl.h (revision 63750)
+@@ -273,6 +273,17 @@
+ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+
+ /*
++** Return references to the certificates presented by the SSL peer. On entry,
++** |*certs_size| must contain the size of the |certs| array. On successful
++** return, |*certs_size| contains the number of certificates available and
++** |certs| will contain references to as many certificates as would fit.
++** Therefore if, on exit, |*certs_size| contains a value less than, or equal to,
++** the entry value then all certificates were returned.
++*/
++SSL_IMPORT SECStatus SSL_PeerCertificateChain(
++ PRFileDesc *fd, CERTCertificate **certs, unsigned int *certs_size);
++
++/*
+ ** Authenticate certificate hook. Called when a certificate comes in
+ ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
+ ** certificate.
+Index: net/third_party/nss/ssl/sslauth.c
+===================================================================
+--- net/third_party/nss/ssl/sslauth.c (revision 63749)
++++ net/third_party/nss/ssl/sslauth.c (revision 63750)
+@@ -60,6 +60,42 @@
+ }
+
+ /* NEED LOCKS IN HERE. */
++SECStatus
++SSL_PeerCertificateChain(PRFileDesc *fd, CERTCertificate **certs,
++ unsigned int *certsSize)
++{
++ sslSocket *ss;
++ unsigned int inSize = *certsSize;
++ ssl3CertNode* cur;
++
++ ss = ssl_FindSocket(fd);
++ if (!ss) {
++ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
++ SSL_GETPID(), fd));
++ return SECFailure;
++ }
++ if (!ss->opt.useSecurity)
++ return SECFailure;
++
++ if (ss->sec.peerCert == NULL) {
++ *certsSize = 0;
++ return SECSuccess;
++ }
++
++ *certsSize = 1; /* for the leaf certificate */
++ if (inSize > 0)
++ certs[0] = CERT_DupCertificate(ss->sec.peerCert);
++
++ for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
++ if (*certsSize < inSize)
++ certs[*certsSize] = CERT_DupCertificate(cur->cert);
++ (*certsSize)++;
++ }
++
++ return SECSuccess;
++}
++
++/* NEED LOCKS IN HERE. */
+ CERTCertificate *
+ SSL_LocalCertificate(PRFileDesc *fd)
+ {
+Index: net/third_party/nss/ssl/ssl.def
+===================================================================
+--- net/third_party/nss/ssl/ssl.def (revision 63749)
++++ net/third_party/nss/ssl/ssl.def (revision 63750)
+@@ -163,6 +163,7 @@
+ ;+ global:
+ SSL_GetPredictedServerHelloData;
+ SSL_GetSnapStartResult;
++SSL_PeerCertificateChain;
+ SSL_SetPredictedPeerCertificates;
+ SSL_SetPredictedServerHelloData;
+ SSL_SetSnapStartApplicationData;
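Review bot: The ssl.h comment for SSL_PeerCertificateChain does not say who owns the returned entries, and the truncated case is a footgun: every stored entry is a `CERT_DupCertificate` reference, but on exit `*certs_size` is the total chain length, not the number written, so a caller that releases `*certs_size` entries with CERT_DestroyCertificate walks off the end of its array. I would add to the header comment: `** The caller owns the returned references and must release each with CERT_DestroyCertificate(). When the chain is truncated only the first min(entry *certs_size, exit *certs_size) entries are valid.` The `/* NEED LOCKS IN HERE. */` marker inherited from its neighbours also applies literally here — peerCert and peerCertChain are read with no lock held — so the comment should presumably also say the function is only safe once the handshake has completed or from within the auth certificate hook. The `!ss->opt.useSecurity` path returns SECFailure without setting an error code, unlike the bad-socket path just above it.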
diff --git a/net/third_party/nss/patches/snapstart2.patch b/net/third_party/nss/patches/snapstart2.patch
new file mode 100644
index 0000000..34ec562
--- /dev/null
+++ b/net/third_party/nss/patches/snapstart2.patch
@@ -0,0 +1,93 @@
+Index: net/third_party/nss/ssl/snapstart.c
+===================================================================
+--- net/third_party/nss/ssl/snapstart.c (revision 64952)
++++ net/third_party/nss/ssl/snapstart.c (revision 64953)
+@@ -48,10 +48,6 @@
+
+ /* TODO(agl): Add support for snap starting with compression. */
+
+-/* TODO(agl): Free snapStartApplicationData as soon as the handshake has
+-** completed.
+-*/
+-
+ #include "pk11pub.h"
+ #include "ssl.h"
+ #include "sslimpl.h"
+@@ -821,6 +817,7 @@
+ rv = ssl3_AppendSnapStartApplicationData(
+ ss, ss->ssl3.snapStartApplicationData.data,
+ ss->ssl3.snapStartApplicationData.len);
++ SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE);
+ if (rv != SECSuccess)
+ goto loser;
+ }
+@@ -1053,6 +1053,8 @@
+ ss->ssl3.hs.snapStartType = snap_start_resume_recovery;
+ }
+
++ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT;
++
+ ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_TRUE/*freeSrvName*/);
+
+ return SECSuccess;
+Index: net/third_party/nss/ssl/ssl3con.c
+===================================================================
+--- net/third_party/nss/ssl/ssl3con.c (revision 65946)
++++ net/third_party/nss/ssl/ssl3con.c (revision 65947)
+@@ -5023,21 +5023,21 @@
+ goto alert_loser;
+ }
+
+- if (!ss->ssl3.serverHelloPredictionData.data) {
+- /* If this allocation fails it will only stop the application from
+- * recording the ServerHello information and performing future Snap
+- * Starts. */
+- if (SECITEM_AllocItem(NULL, &ss->ssl3.serverHelloPredictionData,
+- length))
+- memcpy(ss->ssl3.serverHelloPredictionData.data, b, length);
+- /* ss->ssl3.serverHelloPredictionDataValid is still false at this
+- * point. We have to record the contents of the ServerHello here
+- * because we don't have a pointer to the whole message when handling
+- * the extensions. However, we wait until the Snap Start extenion
+- * handler to recognise that the server supports Snap Start and to set
+- * serverHelloPredictionDataValid. */
+- }
++ if (ss->ssl3.serverHelloPredictionData.data)
++ SECITEM_FreeItem(&ss->ssl3.serverHelloPredictionData, PR_FALSE);
+
++ /* If this allocation fails it will only stop the application from
++ * recording the ServerHello information and performing future Snap
++ * Starts. */
++ if (SECITEM_AllocItem(NULL, &ss->ssl3.serverHelloPredictionData, length))
++ memcpy(ss->ssl3.serverHelloPredictionData.data, b, length);
++ /* ss->ssl3.serverHelloPredictionDataValid is still false at this
++ * point. We have to record the contents of the ServerHello here
++ * because we don't have a pointer to the whole message when handling
++ * the extensions. However, we wait until the Snap Start extension
++ * handler to recognise that the server supports Snap Start and to set
++ * serverHelloPredictionDataValid. */
++
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+ if (temp < 0) {
+ goto loser; /* alert has been sent */
+@@ -8366,20 +8366,6 @@
+ }
+ }
+
+- if ((ss->ssl3.hs.snapStartType == snap_start_recovery ||
+- ss->ssl3.hs.snapStartType == snap_start_resume_recovery) &&
+- ss->ssl3.snapStartApplicationData.data) {
+- /* In the event that the server ignored the application data in our
+- * snap start extension, we need to retransmit it now. */
+- PRInt32 sent = ssl3_SendRecord(ss, content_application_data,
+- ss->ssl3.snapStartApplicationData.data,
+- ss->ssl3.snapStartApplicationData.len,
+- flags);
+- SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE);
+- if (sent < 0)
+- return (SECStatus)sent; /* error code set by ssl3_SendRecord */
+- }
+-
+ return SECSuccess;
+
+ fail:
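Review bot: With the retransmit block at the end of the hunk deleted and `SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE)` now issued right after ssl3_AppendSnapStartApplicationData, libssl keeps no copy of the application data once it is placed in the Snap Start extension, so in the `snap_start_recovery` / `snap_start_resume_recovery` cases the removed code handled that data is no longer resent by anyone inside libssl. If the intent is that the application re-sends it after a fallback — which removing the "Free snapStartApplicationData as soon as the handshake has completed" TODO suggests — that contract is not stated anywhere in this patch; SSL_SetSnapStartApplicationData (outside this hunk) should presumably say that the data is only ever sent inside the extension and that on recovery the caller must write it again after the handshake completes. If that is not the intent, the old retransmit path is still needed. Both enclosing functions start and end outside the hunk.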
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 6c52d72..98847f0 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -473,6 +473,16 @@ typedef SECStatus (*SSLCompressor)(void * context,
int inlen);
typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+#if defined(XP_WIN32)
+typedef PCERT_KEY_CONTEXT PlatformKey;
+#elif defined(XP_MACOSX)
+typedef SecKeyRef PlatformKey;
+#else
+typedef void *PlatformKey;
+#endif
+#endif
+
/*
@@ -834,15 +844,6 @@ const ssl3CipherSuiteDef *suite_def;
PRBool nextProtoNego;/* Our peer has sent this extension */
} SSL3HandshakeState;
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-#if defined(XP_WIN32)
-typedef PCERT_KEY_CONTEXT PlatformKey;
-#elif defined(XP_MACOSX)
-typedef SecKeyRef PlatformKey;
-#else
-typedef void *PlatformKey;
-#endif
-#endif
/*