From 363e9f30f1ca4e7c80b666c66050f19001c84ba1 Mon Sep 17 00:00:00 2001 From: "agl@chromium.org" Date: Tue, 21 Jun 2011 15:29:21 +0000 Subject: net: rebase NSS patches. No code change. There's a lot of noise in the patches, but the end result is only that a couple of lines were transposed in ssl.def due to hand merging. BUG=none TEST=no code change. Review URL: http://codereview.chromium.org/7212013 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@89829 0039d316-1c4b-4281-b951-d872f2087c98 --- net/third_party/nss/patches/applypatches.sh | 14 +- net/third_party/nss/patches/cachecerts.patch | 55 +- net/third_party/nss/patches/clientauth.patch | 757 +++++++++++++++--------- net/third_party/nss/patches/nextproto.patch | 56 +- net/third_party/nss/patches/ocspstapling.patch | 177 +++--- net/third_party/nss/patches/peercertchain.patch | 50 +- net/third_party/nss/patches/renegoscsv.patch | 29 +- net/third_party/nss/patches/versionskew.patch | 18 +- net/third_party/nss/ssl/ssl.def | 163 ----- 9 files changed, 660 insertions(+), 659 deletions(-) delete mode 100644 net/third_party/nss/ssl/ssl.def (limited to 'net/third_party') diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh index 0c2a687..b7948ed 100755 --- a/net/third_party/nss/patches/applypatches.sh +++ b/net/third_party/nss/patches/applypatches.sh @@ -5,16 +5,16 @@ # chromium source tree. patches_dir=/Users/wtc/chrome1/src/net/third_party/nss/patches -patch -p5 < $patches_dir/nextproto.patch +patch -p6 < $patches_dir/nextproto.patch -patch -p5 < $patches_dir/versionskew.patch +patch -p6 < $patches_dir/versionskew.patch -patch -p4 < $patches_dir/renegoscsv.patch +patch -p6 < $patches_dir/renegoscsv.patch -patch -p4 < $patches_dir/cachecerts.patch +patch -p6 < $patches_dir/cachecerts.patch -patch -p3 < $patches_dir/peercertchain.patch +patch -p6 < $patches_dir/peercertchain.patch -patch -p4 < $patches_dir/ocspstapling.patch +patch -p6 < $patches_dir/ocspstapling.patch -patch -p4 < $patches_dir/clientauth.patch +patch -p6 < $patches_dir/clientauth.patch diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch index e0720ac..babae67 100644 --- a/net/third_party/nss/patches/cachecerts.patch +++ b/net/third_party/nss/patches/cachecerts.patch @@ -1,10 +1,13 @@ -Index: mozilla/security/nss/lib/ssl/ssl3con.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v -retrieving revision 1.142 -diff -p -u -r1.142 ssl3con.c ---- mozilla/security/nss/lib/ssl/ssl3con.c 24 Jun 2010 19:53:20 -0000 1.142 -+++ mozilla/security/nss/lib/ssl/ssl3con.c 21 Oct 2010 02:24:18 -0000 +commit 107c49e2efd15ef547b2055af14952610e0e7afa +Author: Adam Langley +Date: Mon Jun 20 15:52:55 2011 -0400 + + cachecerts.patch + +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index 455a532..9830e65 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c @@ -72,6 +72,7 @@ #endif @@ -13,7 +16,7 @@ diff -p -u -r1.142 ssl3con.c static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, PK11SlotInfo * serverKeySlot); static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); -@@ -5136,6 +5137,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS +@@ -5141,6 +5142,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* copy the peer cert from the SID */ if (sid->peerCert != NULL) { ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); @@ -21,7 +24,7 @@ diff -p -u -r1.142 ssl3con.c } -@@ -6364,6 +6366,7 @@ compression_found: +@@ -6393,6 +6395,7 @@ compression_found: ss->sec.ci.sid = sid; if (sid->peerCert != NULL) { ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); @@ -29,7 +32,7 @@ diff -p -u -r1.142 ssl3con.c } /* -@@ -7732,6 +7735,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss) +@@ -7761,6 +7764,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss) ss->ssl3.peerCertChain = NULL; } @@ -74,7 +77,7 @@ diff -p -u -r1.142 ssl3con.c /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete * ssl3 Certificate message. * Caller must hold Handshake and RecvBuf locks. -@@ -7740,6 +7781,7 @@ static SECStatus +@@ -7769,6 +7810,7 @@ static SECStatus ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) { ssl3CertNode * c; @@ -82,7 +85,7 @@ diff -p -u -r1.142 ssl3con.c ssl3CertNode * certs = NULL; PRArenaPool * arena = NULL; CERTCertificate *cert; -@@ -7867,8 +7909,13 @@ ssl3_HandleCertificate(sslSocket *ss, SS +@@ -7896,8 +7938,13 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (c->cert->trust) trusted = PR_TRUE; @@ -98,7 +101,7 @@ diff -p -u -r1.142 ssl3con.c } if (remaining != 0) -@@ -7918,6 +7965,7 @@ ssl3_HandleCertificate(sslSocket *ss, SS +@@ -7947,6 +7994,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); @@ -106,7 +109,7 @@ diff -p -u -r1.142 ssl3con.c if (!ss->sec.isServer) { /* set the server authentication and key exchange types and sizes -@@ -8089,6 +8137,8 @@ ssl3_RestartHandshakeAfterServerCert(ssl +@@ -8118,6 +8166,8 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) if (ss->handshake != NULL) { ss->handshake = ssl_GatherRecord1stHandshake; ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); @@ -115,14 +118,11 @@ diff -p -u -r1.142 ssl3con.c ssl_GetRecvBufLock(ss); if (ss->ssl3.hs.msgState.buf != NULL) { -Index: mozilla/security/nss/lib/ssl/sslimpl.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v -retrieving revision 1.77 -diff -p -u -r1.77 sslimpl.h ---- mozilla/security/nss/lib/ssl/sslimpl.h 10 Feb 2010 00:33:50 -0000 1.77 -+++ mozilla/security/nss/lib/ssl/sslimpl.h 21 Oct 2010 02:24:18 -0000 -@@ -563,10 +563,13 @@ typedef enum { never_cached, +diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h +index d1c1181..48d6d83 100644 +--- a/mozilla/security/nss/lib/ssl/sslimpl.h ++++ b/mozilla/security/nss/lib/ssl/sslimpl.h +@@ -569,10 +569,13 @@ typedef enum { never_cached, invalid_cache /* no longer in any cache. */ } Cached; @@ -136,13 +136,10 @@ diff -p -u -r1.77 sslimpl.h const char * peerID; /* client only */ const char * urlSvrName; /* client only */ CERTCertificate * localCert; -Index: mozilla/security/nss/lib/ssl/sslnonce.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslnonce.c,v -retrieving revision 1.25 -diff -p -u -r1.25 sslnonce.c ---- mozilla/security/nss/lib/ssl/sslnonce.c 10 Mar 2008 00:01:28 -0000 1.25 -+++ mozilla/security/nss/lib/ssl/sslnonce.c 21 Oct 2010 02:24:18 -0000 +diff --git a/mozilla/security/nss/lib/ssl/sslnonce.c b/mozilla/security/nss/lib/ssl/sslnonce.c +index 63dc5a2..64adc1f 100644 +--- a/mozilla/security/nss/lib/ssl/sslnonce.c ++++ b/mozilla/security/nss/lib/ssl/sslnonce.c @@ -197,6 +197,7 @@ lock_cache(void) static void ssl_DestroySID(sslSessionID *sid) diff --git a/net/third_party/nss/patches/clientauth.patch b/net/third_party/nss/patches/clientauth.patch index 30bf8cc..76fba67 100644 --- a/net/third_party/nss/patches/clientauth.patch +++ b/net/third_party/nss/patches/clientauth.patch @@ -1,16 +1,14 @@ -Index: mozilla/security/nss/lib/ssl/ssl.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v -retrieving revision 1.38 -diff -p -u -8 -r1.38 ssl.h ---- mozilla/security/nss/lib/ssl/ssl.h 17 Feb 2010 02:29:07 -0000 1.38 -+++ mozilla/security/nss/lib/ssl/ssl.h 16 Feb 2011 23:30:37 -0000 -@@ -275,16 +275,49 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl - * and certificate. - * fd - the file descriptor for the connection in question - * f - the application's callback that delivers the key and cert - * a - application specific data - */ +commit 33952cd5de867c82987e1e9eb9bc8edd56938daa +Author: Adam Langley +Date: Mon Jun 20 16:19:32 2011 -0400 + + clientauth.patch + +diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h +index 221fe2d..563cfd5 100644 +--- a/mozilla/security/nss/lib/ssl/ssl.h ++++ b/mozilla/security/nss/lib/ssl/ssl.h +@@ -332,6 +332,39 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg, SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, SSLGetClientAuthData f, void *a); @@ -50,24 +48,11 @@ diff -p -u -8 -r1.38 ssl.h /* ** SNI extension processing callback function. - ** It is called when SSL socket receives SNI extension in ClientHello message. - ** Upon this callback invocation, application is responsible to reconfigure the - ** socket with the data for a particular server name. - ** There are three potential outcomes of this function invocation: - ** * application does not recognize the name or the type and wants the -Index: mozilla/security/nss/lib/ssl/ssl3con.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v -retrieving revision 1.142 -diff -p -u -8 -r1.142 ssl3con.c ---- mozilla/security/nss/lib/ssl/ssl3con.c 24 Jun 2010 19:53:20 -0000 1.142 -+++ mozilla/security/nss/lib/ssl/ssl3con.c 16 Feb 2011 23:30:37 -0000 -@@ -2007,16 +2007,19 @@ ssl3_ComputeRecordMAC( - rv = SECFailure; - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); - } - return rv; - } +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index ca2793f..0997e18 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c +@@ -2014,6 +2014,9 @@ ssl3_ComputeRecordMAC( static PRBool ssl3_ClientAuthTokenPresent(sslSessionID *sid) { @@ -77,35 +62,15 @@ diff -p -u -8 -r1.142 ssl3con.c PK11SlotInfo *slot = NULL; PRBool isPresent = PR_TRUE; - /* we only care if we are doing client auth */ - if (!sid || !sid->u.ssl3.clAuthValid) { - return PR_TRUE; - } - -@@ -2030,16 +2033,17 @@ ssl3_ClientAuthTokenPresent(sslSessionID - sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) || - (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { - isPresent = PR_FALSE; - } - if (slot) { +@@ -2037,6 +2040,7 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { PK11_FreeSlot(slot); } return isPresent; +#endif /* NSS_PLATFORM_CLIENT_AUTH */ } - SECStatus - ssl3_CompressMACEncryptRecord(sslSocket * ss, - SSL3ContentType type, - const SSL3Opaque * pIn, - PRUint32 contentLen) - { -@@ -4812,40 +4816,41 @@ ssl3_SendCertificateVerify(sslSocket *ss - ssl_GetSpecReadLock(ss); - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); - ssl_ReleaseSpecReadLock(ss); - if (rv != SECSuccess) { - goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ + static SECStatus +@@ -4823,6 +4827,12 @@ ssl3_SendCertificateVerify(sslSocket *ss) } isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); @@ -118,16 +83,7 @@ diff -p -u -8 -r1.142 ssl3con.c rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); if (rv == SECSuccess) { PK11SlotInfo * slot; - sslSessionID * sid = ss->sec.ci.sid; - - /* Remember the info about the slot that did the signing. - ** Later, when doing an SSL restart handshake, verify this. - ** These calls are mere accessors, and can't fail. - */ - slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); - sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); - sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); - sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); +@@ -4839,14 +4849,9 @@ ssl3_SendCertificateVerify(sslSocket *ss) sid->u.ssl3.clAuthValid = PR_TRUE; PK11_FreeSlot(slot); } @@ -145,17 +101,7 @@ diff -p -u -8 -r1.142 ssl3con.c if (rv != SECSuccess) { goto done; /* err code was set by ssl3_SignHashes */ } - - rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); - if (rv != SECSuccess) { - goto done; /* error code set by AppendHandshake */ - } -@@ -4890,16 +4895,36 @@ ssl3_HandleServerHello(sslSocket *ss, SS - goto alert_loser; - } - if (ss->ssl3.hs.ws != wait_server_hello) { - errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO; - desc = unexpected_message; +@@ -4901,6 +4906,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; } @@ -182,17 +128,7 @@ diff -p -u -8 -r1.142 ssl3con.c temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); if (temp < 0) { goto loser; /* alert has been sent */ - } - version = (SSL3ProtocolVersion)temp; - - /* this is appropriate since the negotiation is complete, and we only - ** know SSL 3.x. -@@ -5430,42 +5455,39 @@ ssl3_HandleCertificateRequest(sslSocket - PRBool isTLS = PR_FALSE; - int i; - int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST; - int nnames = 0; - SECStatus rv; +@@ -5444,6 +5469,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) SSL3AlertDescription desc = illegal_parameter; SECItem cert_types = {siBuffer, NULL, 0}; CERTDistNames ca_list; @@ -203,13 +139,7 @@ diff -p -u -8 -r1.142 ssl3con.c SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", SSL_GETPID(), ss->fd)); - PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); - - if (ss->ssl3.hs.ws != wait_cert_request && - ss->ssl3.hs.ws != wait_server_key) { - desc = unexpected_message; - errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST; +@@ -5457,19 +5486,12 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; } @@ -235,17 +165,7 @@ diff -p -u -8 -r1.142 ssl3con.c isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); - if (rv != SECSuccess) - goto loser; /* malformed, alert has been sent */ - - arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) -@@ -5522,31 +5544,82 @@ ssl3_HandleCertificateRequest(sslSocket - } - - if (length != 0) - goto alert_loser; /* malformed */ - +@@ -5536,6 +5558,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) desc = no_certificate; ss->ssl3.hs.ws = wait_hello_done; @@ -264,9 +184,7 @@ diff -p -u -8 -r1.142 ssl3con.c if (ss->getClientAuthData == NULL) { rv = SECFailure; /* force it to send a no_certificate alert */ } else { - /* XXX Should pass cert_types in this call!! */ - rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, - ss->fd, &ca_list, +@@ -5545,12 +5579,51 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) &ss->ssl3.clientCertificate, &ss->ssl3.clientPrivateKey); } @@ -318,17 +236,7 @@ diff -p -u -8 -r1.142 ssl3con.c /* check what the callback function returned */ if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { /* we are missing either the key or cert */ - if (ss->ssl3.clientCertificate) { - /* got a cert, but no key - free it */ - CERT_DestroyCertificate(ss->ssl3.clientCertificate); - ss->ssl3.clientCertificate = NULL; - } -@@ -5569,16 +5642,17 @@ ssl3_HandleCertificateRequest(sslSocket - ss->ssl3.clientCertificate = NULL; - } - if (ss->ssl3.clientPrivateKey != NULL) { - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); - ss->ssl3.clientPrivateKey = NULL; +@@ -5583,6 +5656,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } goto send_no_certificate; } @@ -336,17 +244,7 @@ diff -p -u -8 -r1.142 ssl3con.c break; /* not an error */ case SECFailure: - default: - send_no_certificate: - if (isTLS) { - ss->ssl3.sendEmptyCert = PR_TRUE; - } else { -@@ -5599,16 +5673,20 @@ alert_loser: - desc = decode_error; - (void)SSL3_SendAlert(ss, alert_fatal, desc); - loser: - PORT_SetError(errCode); - rv = SECFailure; +@@ -5613,6 +5687,10 @@ loser: done: if (arena != NULL) PORT_FreeArena(arena, PR_FALSE); @@ -357,17 +255,7 @@ diff -p -u -8 -r1.142 ssl3con.c return rv; } - /* - * attempt to restart the handshake after asynchronously handling - * a request for the client's certificate. - * - * inputs: -@@ -5697,24 +5775,35 @@ ssl3_HandleServerHelloDone(sslSocket *ss - if (ss->ssl3.sendEmptyCert) { - ss->ssl3.sendEmptyCert = PR_FALSE; - rv = ssl3_SendEmptyCertificate(ss); - /* Don't send verify */ - if (rv != SECSuccess) { +@@ -5721,6 +5799,16 @@ ssl3_HandleServerHelloDone(sslSocket *ss) goto loser; /* error code is set. */ } } else @@ -384,8 +272,7 @@ diff -p -u -8 -r1.142 ssl3con.c if (ss->ssl3.clientCertChain != NULL && ss->ssl3.clientPrivateKey != NULL) { send_verify = PR_TRUE; - rv = ssl3_SendCertificate(ss); - if (rv != SECSuccess) { +@@ -5729,6 +5817,7 @@ ssl3_HandleServerHelloDone(sslSocket *ss) goto loser; /* error code is set. */ } } @@ -393,17 +280,7 @@ diff -p -u -8 -r1.142 ssl3con.c rv = ssl3_SendClientKeyExchange(ss); if (rv != SECSuccess) { - goto loser; /* err is set. */ - } - - if (send_verify) { - rv = ssl3_SendCertificateVerify(ss); -@@ -9426,16 +9515,20 @@ void - ssl3_DestroySSL3Info(sslSocket *ss) - { - - if (ss->ssl3.clientCertificate != NULL) - CERT_DestroyCertificate(ss->ssl3.clientCertificate); +@@ -9657,6 +9746,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) if (ss->ssl3.clientPrivateKey != NULL) SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); @@ -414,24 +291,11 @@ diff -p -u -8 -r1.142 ssl3con.c if (ss->ssl3.peerCertArena != NULL) ssl3_CleanupPeerCerts(ss); - - if (ss->ssl3.clientCertChain != NULL) { - CERT_DestroyCertificateList(ss->ssl3.clientCertChain); - ss->ssl3.clientCertChain = NULL; - } -Index: mozilla/security/nss/lib/ssl/ssl3ext.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v -retrieving revision 1.14 -diff -p -u -8 -r1.14 ssl3ext.c ---- mozilla/security/nss/lib/ssl/ssl3ext.c 3 Apr 2010 19:19:07 -0000 1.14 -+++ mozilla/security/nss/lib/ssl/ssl3ext.c 16 Feb 2011 23:30:37 -0000 -@@ -41,18 +41,18 @@ - * ***** END LICENSE BLOCK ***** */ - - /* TLS extension code moved here from ssl3ecc.c */ - /* $Id: ssl3ext.c,v 1.14 2010/04/03 19:19:07 nelson%bolyard.com Exp $ */ - +diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c +index 4e3d9cc..94dab58 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3ext.c ++++ b/mozilla/security/nss/lib/ssl/ssl3ext.c +@@ -46,8 +46,8 @@ #include "nssrenam.h" #include "nss.h" #include "ssl.h" @@ -441,24 +305,11 @@ diff -p -u -8 -r1.14 ssl3ext.c #include "pk11pub.h" #include "blapi.h" #include "prinit.h" - - static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; - static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; - static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; - -Index: mozilla/security/nss/lib/ssl/sslauth.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v -retrieving revision 1.16 -diff -p -u -8 -r1.16 sslauth.c ---- mozilla/security/nss/lib/ssl/sslauth.c 20 Apr 2006 00:20:45 -0000 1.16 -+++ mozilla/security/nss/lib/ssl/sslauth.c 16 Feb 2011 23:30:37 -0000 -@@ -204,16 +204,38 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, - return SECFailure; - } - - ss->getClientAuthData = func; - ss->getClientAuthDataArg = arg; +diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c +index df40f30..447aaf8 100644 +--- a/mozilla/security/nss/lib/ssl/sslauth.c ++++ b/mozilla/security/nss/lib/ssl/sslauth.c +@@ -252,6 +252,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, return SECSuccess; } @@ -487,24 +338,11 @@ diff -p -u -8 -r1.16 sslauth.c /* NEED LOCKS IN HERE. */ SECStatus SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) - { - sslSocket *ss; - - ss = ssl_FindSocket(s); - if (!ss) { -Index: mozilla/security/nss/lib/ssl/sslimpl.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v -retrieving revision 1.77 -diff -p -u -8 -r1.77 sslimpl.h ---- mozilla/security/nss/lib/ssl/sslimpl.h 10 Feb 2010 00:33:50 -0000 1.77 -+++ mozilla/security/nss/lib/ssl/sslimpl.h 16 Feb 2011 23:30:37 -0000 -@@ -60,16 +60,25 @@ - #if defined(XP_UNIX) || defined(XP_BEOS) - #include "unistd.h" - #endif - #include "nssrwlk.h" - #include "prthread.h" +diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h +index 8e2bd14..2e1364e 100644 +--- a/mozilla/security/nss/lib/ssl/sslimpl.h ++++ b/mozilla/security/nss/lib/ssl/sslimpl.h +@@ -65,6 +65,15 @@ #include "sslt.h" /* for some formerly private types, now public */ @@ -520,17 +358,7 @@ diff -p -u -8 -r1.77 sslimpl.h /* to make some of these old enums public without namespace pollution, ** it was necessary to prepend ssl_ to the names. ** These #defines preserve compatibility with the old code here in libssl. - */ - typedef SSLKEAType SSL3KEAType; - typedef SSLMACAlgorithm SSL3MACAlgorithm; - typedef SSLSignType SSL3SignType; - -@@ -450,16 +459,26 @@ typedef SECStatus (*SSLCipher)(void * - typedef SECStatus (*SSLCompressor)(void * context, - unsigned char * out, - int * outlen, - int maxout, - const unsigned char *in, +@@ -462,6 +471,16 @@ typedef SECStatus (*SSLCompressor)(void * context, int inlen); typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); @@ -547,17 +375,7 @@ diff -p -u -8 -r1.77 sslimpl.h /* - ** ssl3State and CipherSpec structs - */ - - /* The SSL bulk cipher definition */ - typedef enum { -@@ -805,16 +824,19 @@ struct ssl3StateStr { - */ - ssl3CipherSpec * crSpec; /* current read spec. */ - ssl3CipherSpec * prSpec; /* pending read spec. */ - ssl3CipherSpec * cwSpec; /* current write spec. */ - ssl3CipherSpec * pwSpec; /* pending write spec. */ +@@ -829,6 +848,9 @@ struct ssl3StateStr { CERTCertificate * clientCertificate; /* used by client */ SECKEYPrivateKey * clientPrivateKey; /* used by client */ @@ -567,17 +385,7 @@ diff -p -u -8 -r1.77 sslimpl.h CERTCertificateList *clientCertChain; /* used by client */ PRBool sendEmptyCert; /* used by client */ - int policy; - /* This says what cipher suites we can do, and should - * be either SSL_ALLOWED or SSL_RESTRICTED - */ - PRArenaPool * peerCertArena; -@@ -1045,16 +1067,20 @@ const unsigned char * preferredCipher; - - ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */ - - /* Callbacks */ - SSLAuthCertificate authCertificate; +@@ -1079,6 +1101,10 @@ const unsigned char * preferredCipher; void *authCertificateArg; SSLGetClientAuthData getClientAuthData; void *getClientAuthDataArg; @@ -588,17 +396,7 @@ diff -p -u -8 -r1.77 sslimpl.h SSLSNISocketConfig sniSocketConfig; void *sniSocketConfigArg; SSLBadCertHandler handleBadCert; - void *badCertArg; - SSLHandshakeCallback handshakeCallback; - void *handshakeCallbackData; - void *pkcs11PinArg; - -@@ -1587,16 +1613,36 @@ extern SECStatus SSL3_ShutdownServerCach - extern SECStatus ssl_InitSymWrapKeysLock(void); - - extern SECStatus ssl_FreeSymWrapKeysLock(void); - - extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); +@@ -1635,6 +1661,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); extern SECStatus ssl_FreeSessionCacheLocks(void); @@ -625,24 +423,416 @@ diff -p -u -8 -r1.77 sslimpl.h /********************** misc calls *********************/ - extern int ssl_MapLowLevelError(int hiLevelError); - - extern PRUint32 ssl_Time(void); - - extern void SSL_AtomicIncrementLong(long * x); -Index: mozilla/security/nss/lib/ssl/sslsock.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v -retrieving revision 1.67 -diff -p -u -8 -r1.67 sslsock.c ---- mozilla/security/nss/lib/ssl/sslsock.c 25 Apr 2010 23:37:38 -0000 1.67 -+++ mozilla/security/nss/lib/ssl/sslsock.c 16 Feb 2011 23:30:37 -0000 -@@ -329,16 +329,20 @@ ssl_DupSocket(sslSocket *os) - /* - * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. - * XXX We should detect this, and not just march on with NULL pointers. - */ - ss->authCertificate = os->authCertificate; +diff --git a/mozilla/security/nss/lib/ssl/sslplatf.c b/mozilla/security/nss/lib/ssl/sslplatf.c +new file mode 100644 +index 0000000..208956f +--- /dev/null ++++ b/mozilla/security/nss/lib/ssl/sslplatf.c +@@ -0,0 +1,399 @@ ++/* ++ * Platform specific crypto wrappers ++ * ++ * ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape security libraries. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1994-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * Ryan Sleevi ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++/* $Id$ */ ++#include "ssl.h" ++#include "certt.h" ++#include "keythi.h" ++#include "sslimpl.h" ++#include "cryptohi.h" ++#include "secitem.h" ++ ++#ifdef NSS_PLATFORM_CLIENT_AUTH ++CERTCertificateList* ++hack_NewCertificateListFromCertList(CERTCertList* list) ++{ ++ CERTCertificateList * chain = NULL; ++ PRArenaPool * arena = NULL; ++ CERTCertListNode * node; ++ int len; ++ ++ if (CERT_LIST_EMPTY(list)) ++ goto loser; ++ ++ arena = PORT_NewArena(4096); ++ if (arena == NULL) ++ goto loser; ++ ++ for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list); ++ len++, node = CERT_LIST_NEXT(node)) { ++ } ++ ++ chain = PORT_ArenaNew(arena, CERTCertificateList); ++ if (chain == NULL) ++ goto loser; ++ ++ chain->certs = PORT_ArenaNewArray(arena, SECItem, len); ++ if (!chain->certs) ++ goto loser; ++ chain->len = len; ++ ++ for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list); ++ len++, node = CERT_LIST_NEXT(node)) { ++ // Check to see if the last cert to be sent is a self-signed cert, ++ // and if so, omit it from the list of certificates. However, if ++ // there is only one cert (len == 0), include the cert, as it means ++ // the EE cert is self-signed. ++ if (len > 0 && (len == chain->len - 1) && node->cert->isRoot) { ++ chain->len = len; ++ break; ++ } ++ SECITEM_CopyItem(arena, &chain->certs[len], &node->cert->derCert); ++ } ++ ++ chain->arena = arena; ++ return chain; ++ ++loser: ++ if (arena) { ++ PORT_FreeArena(arena, PR_FALSE); ++ } ++ return NULL; ++} ++ ++#if defined(XP_WIN32) ++void ++ssl_FreePlatformKey(PlatformKey key) ++{ ++ if (key) { ++ if (key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) ++ CryptReleaseContext(key->hCryptProv, 0); ++ /* FIXME(rsleevi): Close CNG keys. */ ++ PORT_Free(key); ++ } ++} ++ ++SECStatus ++ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, ++ PRBool isTLS) ++{ ++ SECStatus rv = SECFailure; ++ PRBool doDerEncode = PR_FALSE; ++ SECItem hashItem; ++ HCRYPTKEY hKey = 0; ++ DWORD argLen = 0; ++ ALG_ID keyAlg = 0; ++ DWORD signatureLen = 0; ++ ALG_ID hashAlg = 0; ++ HCRYPTHASH hHash = 0; ++ DWORD hashLen = 0; ++ unsigned int i = 0; ++ ++ buf->data = NULL; ++ if (!CryptGetUserKey(key->hCryptProv, key->dwKeySpec, &hKey)) { ++ if (GetLastError() == NTE_NO_KEY) { ++ PORT_SetError(SEC_ERROR_NO_KEY); ++ } else { ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ } ++ goto done; ++ } ++ ++ argLen = sizeof(keyAlg); ++ if (!CryptGetKeyParam(hKey, KP_ALGID, (BYTE*)&keyAlg, &argLen, 0)) { ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ goto done; ++ } ++ ++ switch (keyAlg) { ++ case CALG_RSA_KEYX: ++ case CALG_RSA_SIGN: ++ hashAlg = CALG_SSL3_SHAMD5; ++ hashItem.data = hash->md5; ++ hashItem.len = sizeof(SSL3Hashes); ++ break; ++ case CALG_DSS_SIGN: ++ case CALG_ECDSA: ++ if (keyAlg == CALG_ECDSA) { ++ doDerEncode = PR_TRUE; ++ } else { ++ doDerEncode = isTLS; ++ } ++ hashAlg = CALG_SHA1; ++ hashItem.data = hash->sha; ++ hashItem.len = sizeof(hash->sha); ++ break; ++ default: ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ goto done; ++ } ++ PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); ++ ++ if (!CryptCreateHash(key->hCryptProv, hashAlg, 0, 0, &hHash)) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ argLen = sizeof(hashLen); ++ if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&hashLen, &argLen, 0)) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ if (hashLen != hashItem.len) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ if (!CryptSetHashParam(hHash, HP_HASHVAL, (BYTE*)hashItem.data, 0)) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ if (!CryptSignHash(hHash, key->dwKeySpec, NULL, 0, ++ NULL, &signatureLen) || signatureLen == 0) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ buf->data = (unsigned char *)PORT_Alloc(signatureLen); ++ if (!buf->data) ++ goto done; /* error code was set. */ ++ ++ if (!CryptSignHash(hHash, key->dwKeySpec, NULL, 0, ++ (BYTE*)buf->data, &signatureLen)) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ buf->len = signatureLen; ++ ++ /* CryptoAPI signs in little-endian, so reverse */ ++ for (i = 0; i < buf->len / 2; ++i) { ++ unsigned char tmp = buf->data[i]; ++ buf->data[i] = buf->data[buf->len - 1 - i]; ++ buf->data[buf->len - 1 - i] = tmp; ++ } ++ if (doDerEncode) { ++ SECItem derSig = {siBuffer, NULL, 0}; ++ ++ /* This also works for an ECDSA signature */ ++ rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); ++ if (rv == SECSuccess) { ++ PORT_Free(buf->data); /* discard unencoded signature. */ ++ *buf = derSig; /* give caller encoded signature. */ ++ } else if (derSig.data) { ++ PORT_Free(derSig.data); ++ } ++ } else { ++ rv = SECSuccess; ++ } ++ ++ PRINT_BUF(60, (NULL, "signed hashes", buf->data, buf->len)); ++done: ++ if (hHash) ++ CryptDestroyHash(hHash); ++ if (hKey) ++ CryptDestroyKey(hKey); ++ if (rv != SECSuccess && buf->data) { ++ PORT_Free(buf->data); ++ buf->data = NULL; ++ } ++ return rv; ++} ++ ++#elif defined(XP_MACOSX) ++#include ++ ++void ++ssl_FreePlatformKey(PlatformKey key) ++{ ++ CFRelease(key); ++} ++ ++SECStatus ++ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, ++ PRBool isTLS) ++{ ++ SECStatus rv = SECFailure; ++ PRBool doDerEncode = PR_FALSE; ++ unsigned int signatureLen; ++ OSStatus status = noErr; ++ CSSM_CSP_HANDLE cspHandle = 0; ++ const CSSM_KEY *cssmKey = NULL; ++ CSSM_ALGORITHMS sigAlg; ++ const CSSM_ACCESS_CREDENTIALS * cssmCreds = NULL; ++ CSSM_RETURN cssmRv; ++ CSSM_DATA hashData; ++ CSSM_DATA signatureData; ++ CSSM_CC_HANDLE cssmSignature = 0; ++ ++ buf->data = NULL; ++ ++ status = SecKeyGetCSPHandle(key, &cspHandle); ++ if (status != noErr) { ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ goto done; ++ } ++ ++ status = SecKeyGetCSSMKey(key, &cssmKey); ++ if (status != noErr || !cssmKey) { ++ PORT_SetError(SEC_ERROR_NO_KEY); ++ goto done; ++ } ++ ++ /* SecKeyGetBlockSize wasn't addeded until OS X 10.6 - but the ++ * needed information is readily available on the key itself. ++ */ ++ signatureLen = (cssmKey->KeyHeader.LogicalKeySizeInBits + 7) / 8; ++ ++ if (signatureLen == 0) { ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ goto done; ++ } ++ ++ buf->data = (unsigned char *)PORT_Alloc(signatureLen); ++ if (!buf->data) ++ goto done; /* error code was set. */ ++ ++ sigAlg = cssmKey->KeyHeader.AlgorithmId; ++ switch (sigAlg) { ++ case CSSM_ALGID_RSA: ++ hashData.Data = hash->md5; ++ hashData.Length = sizeof(SSL3Hashes); ++ break; ++ case CSSM_ALGID_ECDSA: ++ case CSSM_ALGID_DSA: ++ if (sigAlg == CSSM_ALGID_ECDSA) { ++ doDerEncode = PR_TRUE; ++ } else { ++ doDerEncode = isTLS; ++ } ++ hashData.Data = hash->sha; ++ hashData.Length = sizeof(hash->sha); ++ break; ++ default: ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ goto done; ++ } ++ PRINT_BUF(60, (NULL, "hash(es) to be signed", hashData.Data, hashData.Length)); ++ ++ /* TODO(rsleevi): Should it be kSecCredentialTypeNoUI? In Win32, at least, ++ * you can prevent the UI by setting the provider handle on the ++ * certificate to be opened with CRYPT_SILENT, but is there an equivalent? ++ */ ++ status = SecKeyGetCredentials(key, CSSM_ACL_AUTHORIZATION_SIGN, ++ kSecCredentialTypeDefault, &cssmCreds); ++ if (status != noErr) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ ++ signatureData.Length = signatureLen; ++ signatureData.Data = (uint8*)buf->data; ++ ++ cssmRv = CSSM_CSP_CreateSignatureContext(cspHandle, sigAlg, cssmCreds, ++ cssmKey, &cssmSignature); ++ if (cssmRv) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ ++ /* See "Apple Cryptographic Service Provider Functional Specification" */ ++ if (cssmKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA) { ++ /* To set RSA blinding for RSA keys */ ++ CSSM_CONTEXT_ATTRIBUTE blindingAttr; ++ blindingAttr.AttributeType = CSSM_ATTRIBUTE_RSA_BLINDING; ++ blindingAttr.AttributeLength = sizeof(uint32); ++ blindingAttr.Attribute.Uint32 = 1; ++ cssmRv = CSSM_UpdateContextAttributes(cssmSignature, 1, &blindingAttr); ++ if (cssmRv) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ } ++ ++ cssmRv = CSSM_SignData(cssmSignature, &hashData, 1, CSSM_ALGID_NONE, ++ &signatureData); ++ if (cssmRv) { ++ PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); ++ goto done; ++ } ++ buf->len = signatureData.Length; ++ ++ if (doDerEncode) { ++ SECItem derSig = {siBuffer, NULL, 0}; ++ ++ /* This also works for an ECDSA signature */ ++ rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); ++ if (rv == SECSuccess) { ++ PORT_Free(buf->data); /* discard unencoded signature. */ ++ *buf = derSig; /* give caller encoded signature. */ ++ } else if (derSig.data) { ++ PORT_Free(derSig.data); ++ } ++ } else { ++ rv = SECSuccess; ++ } ++ ++ PRINT_BUF(60, (NULL, "signed hashes", buf->data, buf->len)); ++done: ++ /* cspHandle, cssmKey, and cssmCreds are owned by the SecKeyRef and ++ * should not be freed. When the PlatformKey is freed, they will be ++ * released. ++ */ ++ if (cssmSignature) ++ CSSM_DeleteContext(cssmSignature); ++ ++ if (rv != SECSuccess && buf->data) { ++ PORT_Free(buf->data); ++ buf->data = NULL; ++ } ++ return rv; ++} ++#else ++void ++ssl_FreePlatformKey(PlatformKey key) ++{ ++} ++ ++SECStatus ++ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, ++ PRBool isTLS) ++{ ++ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); ++ return SECFailure; ++} ++#endif ++ ++#endif /* NSS_PLATFORM_CLIENT_AUTH */ +diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c +index 4c4df3f..1bb211e 100644 +--- a/mozilla/security/nss/lib/ssl/sslsock.c ++++ b/mozilla/security/nss/lib/ssl/sslsock.c +@@ -337,6 +337,10 @@ ssl_DupSocket(sslSocket *os) ss->authCertificateArg = os->authCertificateArg; ss->getClientAuthData = os->getClientAuthData; ss->getClientAuthDataArg = os->getClientAuthDataArg; @@ -653,17 +843,7 @@ diff -p -u -8 -r1.67 sslsock.c ss->sniSocketConfig = os->sniSocketConfig; ss->sniSocketConfigArg = os->sniSocketConfigArg; ss->handleBadCert = os->handleBadCert; - ss->badCertArg = os->badCertArg; - ss->handshakeCallback = os->handshakeCallback; - ss->handshakeCallbackData = os->handshakeCallbackData; - ss->pkcs11PinArg = os->pkcs11PinArg; - -@@ -1338,16 +1342,22 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile - if (sm->authCertificate) - ss->authCertificate = sm->authCertificate; - if (sm->authCertificateArg) - ss->authCertificateArg = sm->authCertificateArg; - if (sm->getClientAuthData) +@@ -1446,6 +1450,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) ss->getClientAuthData = sm->getClientAuthData; if (sm->getClientAuthDataArg) ss->getClientAuthDataArg = sm->getClientAuthDataArg; @@ -676,17 +856,7 @@ diff -p -u -8 -r1.67 sslsock.c if (sm->sniSocketConfig) ss->sniSocketConfig = sm->sniSocketConfig; if (sm->sniSocketConfigArg) - ss->sniSocketConfigArg = sm->sniSocketConfigArg; - if (sm->handleBadCert) - ss->handleBadCert = sm->handleBadCert; - if (sm->badCertArg) - ss->badCertArg = sm->badCertArg; -@@ -2350,16 +2360,20 @@ ssl_NewSocket(PRBool makeLocks) - ss->dbHandle = CERT_GetDefaultCertDB(); - - /* Provide default implementation of hooks */ - ss->authCertificate = SSL_AuthCertificate; - ss->authCertificateArg = (void *)ss->dbHandle; +@@ -2489,6 +2499,10 @@ ssl_NewSocket(PRBool makeLocks) ss->sniSocketConfig = NULL; ss->sniSocketConfigArg = NULL; ss->getClientAuthData = NULL; @@ -697,8 +867,3 @@ diff -p -u -8 -r1.67 sslsock.c ss->handleBadCert = NULL; ss->badCertArg = NULL; ss->pkcs11PinArg = NULL; - - ssl_ChooseOps(ss); - ssl2_InitSocketPolicy(ss); - ssl3_InitSocketPolicy(ss); - diff --git a/net/third_party/nss/patches/nextproto.patch b/net/third_party/nss/patches/nextproto.patch index 837295e..4322fe9 100644 --- a/net/third_party/nss/patches/nextproto.patch +++ b/net/third_party/nss/patches/nextproto.patch @@ -1,22 +1,26 @@ +commit de6d1a65eb146a0887a31ca92e9ca924045e9e69 +Author: Adam Langley +Date: Mon Jun 20 15:49:24 2011 -0400 + + nextproto.patch + diff --git a/mozilla/security/nss/cmd/tstclnt/tstclnt.c b/mozilla/security/nss/cmd/tstclnt/tstclnt.c -index c15a0ad..b6210bf 100644 +index 55684e6..d209a33 100644 --- a/mozilla/security/nss/cmd/tstclnt/tstclnt.c +++ b/mozilla/security/nss/cmd/tstclnt/tstclnt.c -@@ -863,7 +863,13 @@ int main(int argc, char **argv) - SECU_PrintError(progName, "error enabling compression"); +@@ -868,6 +868,12 @@ int main(int argc, char **argv) return 1; } -- -+ + + rv = SSL_SetNextProtoNego(s, "\004flip\004http1.1", 10); + if (rv != SECSuccess) { + SECU_PrintError(progName, "error enabling next protocol negotiation"); + return 1; + } + - SSL_SetPKCS11PinArg(s, &pwdata); - - SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle); + /* enable false start. */ + rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart); + if (rv != SECSuccess) { diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def index d3f455c..a1f4b51 100644 --- a/mozilla/security/nss/lib/ssl/ssl.def @@ -33,10 +37,10 @@ index d3f455c..a1f4b51 100644 +;+*; +;+}; diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h -index d60a73c..00c250b 100644 +index 4a9e89d..ffa973c 100644 --- a/mozilla/security/nss/lib/ssl/ssl.h +++ b/mozilla/security/nss/lib/ssl/ssl.h -@@ -142,6 +142,18 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on); +@@ -153,6 +153,18 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on); SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on); SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle); @@ -56,7 +60,7 @@ index d60a73c..00c250b 100644 ** Control ciphers that SSL uses. If on is non-zero then the named cipher ** is enabled, otherwise it is disabled. diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c -index 083248d..5c14672 100644 +index 8048913..e0cb4e9 100644 --- a/mozilla/security/nss/lib/ssl/ssl3con.c +++ b/mozilla/security/nss/lib/ssl/ssl3con.c @@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss); @@ -67,7 +71,7 @@ index 083248d..5c14672 100644 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); static SECStatus ssl3_SendServerHello( sslSocket *ss); static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); -@@ -5717,6 +5718,12 @@ ssl3_HandleServerHelloDone(sslSocket *ss) +@@ -5742,6 +5743,12 @@ ssl3_HandleServerHelloDone(sslSocket *ss) if (rv != SECSuccess) { goto loser; /* err code was set. */ } @@ -80,7 +84,7 @@ index 083248d..5c14672 100644 rv = ssl3_SendFinished(ss, 0); if (rv != SECSuccess) { goto loser; /* err code was set. */ -@@ -8138,6 +8145,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, +@@ -8169,6 +8176,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, } /* called from ssl3_HandleServerHelloDone @@ -121,7 +125,7 @@ index 083248d..5c14672 100644 * ssl3_HandleClientHello * ssl3_HandleFinished */ -@@ -8390,6 +8431,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, +@@ -8421,6 +8462,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, if (doStepUp || ss->writerThread == PR_GetCurrentThread()) { flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; } @@ -136,7 +140,7 @@ index 083248d..5c14672 100644 rv = ssl3_SendFinished(ss, flags); if (rv != SECSuccess) { goto xmit_loser; /* err is set. */ -@@ -9455,6 +9504,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) +@@ -9488,6 +9537,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); ss->ssl3.initialized = PR_FALSE; @@ -149,7 +153,7 @@ index 083248d..5c14672 100644 /* End of ssl3con.c */ diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c -index ac2b067..04f45a4 100644 +index becbfe9..fbd5a91 100644 --- a/mozilla/security/nss/lib/ssl/ssl3ext.c +++ b/mozilla/security/nss/lib/ssl/ssl3ext.c @@ -235,6 +235,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = { @@ -178,7 +182,7 @@ index ac2b067..04f45a4 100644 /* any extra entries will appear as { 0, NULL } */ }; -@@ -532,6 +535,123 @@ ssl3_SendSessionTicketXtn( +@@ -534,6 +537,123 @@ ssl3_SendSessionTicketXtn( return -1; } @@ -303,7 +307,7 @@ index ac2b067..04f45a4 100644 * NewSessionTicket * Called from ssl3_HandleFinished diff --git a/mozilla/security/nss/lib/ssl/ssl3prot.h b/mozilla/security/nss/lib/ssl/ssl3prot.h -index 0fc1675..c82c891 100644 +index 4702fcc..f3c950e 100644 --- a/mozilla/security/nss/lib/ssl/ssl3prot.h +++ b/mozilla/security/nss/lib/ssl/ssl3prot.h @@ -157,7 +157,8 @@ typedef enum { @@ -317,7 +321,7 @@ index 0fc1675..c82c891 100644 typedef struct { diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h -index 7581b98..0658d2c 100644 +index 9af471d..d1c1181 100644 --- a/mozilla/security/nss/lib/ssl/sslimpl.h +++ b/mozilla/security/nss/lib/ssl/sslimpl.h @@ -313,6 +313,11 @@ typedef struct { @@ -332,7 +336,7 @@ index 7581b98..0658d2c 100644 unsigned int useSecurity : 1; /* 1 */ unsigned int useSocks : 1; /* 2 */ unsigned int requestCertificate : 1; /* 3 */ -@@ -785,6 +790,7 @@ const ssl3CipherSuiteDef *suite_def; +@@ -786,6 +791,7 @@ const ssl3CipherSuiteDef *suite_def; #ifdef NSS_ENABLE_ECC PRUint32 negotiatedECCurves; /* bit mask */ #endif /* NSS_ENABLE_ECC */ @@ -340,7 +344,7 @@ index 7581b98..0658d2c 100644 } SSL3HandshakeState; -@@ -826,6 +832,16 @@ struct ssl3StateStr { +@@ -827,6 +833,16 @@ struct ssl3StateStr { PRBool initialized; SSL3HandshakeState hs; ssl3CipherSpec specs[2]; /* one is current, one is pending. */ @@ -357,7 +361,7 @@ index 7581b98..0658d2c 100644 }; typedef struct { -@@ -1491,8 +1507,12 @@ extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss, +@@ -1494,8 +1510,12 @@ extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data); extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); @@ -370,7 +374,7 @@ index 7581b98..0658d2c 100644 /* ClientHello and ServerHello extension senders. * Note that not all extension senders are exposed here; only those that -@@ -1523,6 +1543,10 @@ extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss, +@@ -1526,6 +1546,10 @@ extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss, extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes); #endif @@ -382,7 +386,7 @@ index 7581b98..0658d2c 100644 /* call the registered extension handlers. */ extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c -index f1d1921..6536354 100644 +index bc770a1..4c8fbfd 100644 --- a/mozilla/security/nss/lib/ssl/sslsock.c +++ b/mozilla/security/nss/lib/ssl/sslsock.c @@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */ @@ -393,7 +397,7 @@ index f1d1921..6536354 100644 PR_TRUE, /* useSecurity */ PR_FALSE, /* useSocks */ PR_FALSE, /* requestCertificate */ -@@ -437,6 +438,10 @@ ssl_DestroySocketContents(sslSocket *ss) +@@ -438,6 +439,10 @@ ssl_DestroySocketContents(sslSocket *ss) ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); ss->ephemeralECDHKeyPair = NULL; } @@ -404,7 +408,7 @@ index f1d1921..6536354 100644 PORT_Assert(!ss->xtnData.sniNameArr); if (ss->xtnData.sniNameArr) { PORT_Free(ss->xtnData.sniNameArr); -@@ -1255,6 +1260,75 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) +@@ -1266,6 +1271,75 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) return fd; } diff --git a/net/third_party/nss/patches/ocspstapling.patch b/net/third_party/nss/patches/ocspstapling.patch index 03b8f0a..4a6dcaf 100644 --- a/net/third_party/nss/patches/ocspstapling.patch +++ b/net/third_party/nss/patches/ocspstapling.patch @@ -1,42 +1,34 @@ -commit aa046eb9a2f5bd6fb027a1a516c01ec2a093d287 +commit 5edecc25e3c8ec46e7708274f37096224c9b8b94 Author: Adam Langley -Date: Mon Nov 22 16:40:05 2010 -0500 +Date: Mon Jun 20 16:12:27 2011 -0400 - nss: add support for OCSP stapling. - - This patch adds support in libssl for requesting and storing OCSP - stapled responses. - - BUG=none - TEST=none (yet) - - http://codereview.chromium.org/5045001 + ocspstapling.patch -diff --git a/net/third_party/nss/ssl/ssl.def b/net/third_party/nss/ssl/ssl.def -index 60ebbb1..76417d0 100644 ---- a/net/third_party/nss/ssl/ssl.def -+++ b/net/third_party/nss/ssl/ssl.def -@@ -163,6 +163,7 @@ SSL_SetNextProtoNego; +diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def +index 0fa8777..35cc1e3 100644 +--- a/mozilla/security/nss/lib/ssl/ssl.def ++++ b/mozilla/security/nss/lib/ssl/ssl.def +@@ -155,6 +155,7 @@ SSL_SNISocketConfigHook; + ;+NSS_CHROMIUM { ;+ global: - SSL_GetPredictedServerHelloData; - SSL_GetSnapStartResult; + SSL_GetNextProto; +SSL_GetStapledOCSPResponse; SSL_PeerCertificateChain; - SSL_SetPredictedPeerCertificates; - SSL_SetPredictedServerHelloData; -diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h -index 9d3da0c..3515007 100644 ---- a/net/third_party/nss/ssl/ssl.h -+++ b/net/third_party/nss/ssl/ssl.h -@@ -148,6 +148,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); - /* previous connection to the same server is required. See */ - /* SSL_GetPredictedServerHelloData, SSL_SetPredictedPeerCertificates and */ - /* SSL_SetSnapStartApplicationData. */ -+#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ + SSL_SetNextProtoNego; + ;+ local: +diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h +index cccb49a..221fe2d 100644 +--- a/mozilla/security/nss/lib/ssl/ssl.h ++++ b/mozilla/security/nss/lib/ssl/ssl.h +@@ -139,6 +139,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); + /* occur on RSA or DH ciphersuites where the cipher's key length is >= 80 */ + /* bits. The advantage of False Start is that it saves a round trip for */ + /* client-speaks-first protocols when performing a full handshake. */ ++#define SSL_ENABLE_OCSP_STAPLING 23 /* Request OCSP stapling (client) */ #ifdef SSL_DEPRECATED_FUNCTION /* Old deprecated function names */ -@@ -283,6 +284,23 @@ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd); +@@ -274,6 +275,23 @@ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd); SSL_IMPORT SECStatus SSL_PeerCertificateChain( PRFileDesc *fd, CERTCertificate **certs, unsigned int *certs_size); @@ -60,11 +52,11 @@ index 9d3da0c..3515007 100644 /* ** Authenticate certificate hook. Called when a certificate comes in ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the -diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c -index c5ea79f..d56bb97 100644 ---- a/net/third_party/nss/ssl/ssl3con.c -+++ b/net/third_party/nss/ssl/ssl3con.c -@@ -7945,6 +7945,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid) +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index 9830e65..ca2793f 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c +@@ -7803,6 +7803,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid) } /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete @@ -122,7 +114,7 @@ index c5ea79f..d56bb97 100644 * ssl3 Certificate message. * Caller must hold Handshake and RecvBuf locks. */ -@@ -8773,6 +8824,26 @@ xmit_loser: +@@ -8605,6 +8656,26 @@ xmit_loser: return SECSuccess; } @@ -149,7 +141,7 @@ index c5ea79f..d56bb97 100644 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 * hanshake message. * Caller must hold Handshake and RecvBuf locks. -@@ -8872,14 +8943,42 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -8699,14 +8770,42 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) rv = ssl3_HandleServerHello(ss, b, length); break; case certificate: @@ -192,7 +184,7 @@ index c5ea79f..d56bb97 100644 rv = ssl3_HandleServerKeyExchange(ss, b, length); break; case certificate_request: -@@ -8888,6 +8987,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -8715,6 +8814,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); return SECFailure; } @@ -202,7 +194,7 @@ index c5ea79f..d56bb97 100644 rv = ssl3_HandleCertificateRequest(ss, b, length); break; case server_hello_done: -@@ -8901,6 +9003,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +@@ -8728,6 +8830,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); return SECFailure; } @@ -212,9 +204,9 @@ index c5ea79f..d56bb97 100644 rv = ssl3_HandleServerHelloDone(ss); break; case certificate_verify: -@@ -9767,6 +9872,12 @@ ssl3_DestroySSL3Info(sslSocket *ss) - if (ss->ssl3.hs.origClientHello.data) { - SECITEM_FreeItem(&ss->ssl3.hs.origClientHello, PR_FALSE); +@@ -9578,6 +9683,12 @@ ssl3_DestroySSL3Info(sslSocket *ss) + ss->ssl3.hs.messages.len = 0; + ss->ssl3.hs.messages.space = 0; } + if (ss->ssl3.hs.pending_cert_msg.data) { + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); @@ -225,27 +217,29 @@ index c5ea79f..d56bb97 100644 /* free the SSL3Buffer (msg_body) */ PORT_Free(ss->ssl3.hs.msg_body.buf); -diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c -index f044e1c..b93671e 100644 ---- a/net/third_party/nss/ssl/ssl3ext.c -+++ b/net/third_party/nss/ssl/ssl3ext.c +diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c +index fbd5a91..4e3d9cc 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3ext.c ++++ b/mozilla/security/nss/lib/ssl/ssl3ext.c @@ -247,6 +247,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, - { ssl_snap_start_xtn, &ssl3_ClientHandleSnapStartXtn }, { -1, NULL } }; -@@ -272,6 +273,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { + +@@ -270,7 +271,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { + { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, #endif { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, - { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }, -+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, - { ssl_snap_start_xtn, &ssl3_SendSnapStartXtn } - /* NOTE: The Snap Start sender MUST be the last extension in the list. */ +- { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn } ++ { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }, ++ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } /* any extra entries will appear as { 0, NULL } */ -@@ -659,6 +661,80 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, + }; + +@@ -654,6 +656,80 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, return -1; } @@ -326,10 +320,10 @@ index f044e1c..b93671e 100644 /* * NewSessionTicket * Called from ssl3_HandleFinished -diff --git a/net/third_party/nss/ssl/ssl3prot.h b/net/third_party/nss/ssl/ssl3prot.h +diff --git a/mozilla/security/nss/lib/ssl/ssl3prot.h b/mozilla/security/nss/lib/ssl/ssl3prot.h index f3c950e..aeaacdd 100644 ---- a/net/third_party/nss/ssl/ssl3prot.h -+++ b/net/third_party/nss/ssl/ssl3prot.h +--- a/mozilla/security/nss/lib/ssl/ssl3prot.h ++++ b/mozilla/security/nss/lib/ssl/ssl3prot.h @@ -158,6 +158,7 @@ typedef enum { certificate_verify = 15, client_key_exchange = 16, @@ -338,10 +332,10 @@ index f3c950e..aeaacdd 100644 next_proto = 67 } SSL3HandshakeType; -diff --git a/net/third_party/nss/ssl/sslerr.h b/net/third_party/nss/ssl/sslerr.h -index bd72f97..eb56ea9 100644 ---- a/net/third_party/nss/ssl/sslerr.h -+++ b/net/third_party/nss/ssl/sslerr.h +diff --git a/mozilla/security/nss/lib/ssl/sslerr.h b/mozilla/security/nss/lib/ssl/sslerr.h +index a2f6524..c940f95 100644 +--- a/mozilla/security/nss/lib/ssl/sslerr.h ++++ b/mozilla/security/nss/lib/ssl/sslerr.h @@ -203,6 +203,8 @@ SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114), SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115), @@ -351,19 +345,19 @@ index bd72f97..eb56ea9 100644 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ } SSLErrorCodes; #endif /* NO_SECURITY_ERROR_ENUM */ -diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h -index b84511b..c656f65 100644 ---- a/net/third_party/nss/ssl/sslimpl.h -+++ b/net/third_party/nss/ssl/sslimpl.h -@@ -350,6 +350,7 @@ typedef struct sslOptionsStr { +diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h +index 48d6d83..8e2bd14 100644 +--- a/mozilla/security/nss/lib/ssl/sslimpl.h ++++ b/mozilla/security/nss/lib/ssl/sslimpl.h +@@ -339,6 +339,7 @@ typedef struct sslOptionsStr { + unsigned int enableRenegotiation : 2; /* 20-21 */ unsigned int requireSafeNegotiation : 1; /* 22 */ unsigned int enableFalseStart : 1; /* 23 */ - unsigned int enableSnapStart : 1; /* 24 */ -+ unsigned int enableOCSPStapling : 1; /* 25 */ ++ unsigned int enableOCSPStapling : 1; /* 24 */ } sslOptions; typedef enum { sslHandshakingUndetermined = 0, -@@ -820,6 +821,14 @@ const ssl3CipherSuiteDef *suite_def; +@@ -782,6 +783,14 @@ const ssl3CipherSuiteDef *suite_def; * when this one finishes */ PRBool usedStepDownKey; /* we did a server key exchange. */ PRBool sendingSCSV; /* instead of empty RI */ @@ -378,7 +372,7 @@ index b84511b..c656f65 100644 sslBuffer msgState; /* current state for handshake messages*/ /* protected by recvBufLock */ sslBuffer messages; /* Accumulated handshake messages */ -@@ -1620,6 +1629,8 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, +@@ -1515,6 +1524,8 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); extern SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); @@ -387,7 +381,7 @@ index b84511b..c656f65 100644 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, -@@ -1631,6 +1642,8 @@ extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, +@@ -1526,6 +1537,8 @@ extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, */ extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes); @@ -396,10 +390,10 @@ index b84511b..c656f65 100644 /* ClientHello and ServerHello extension senders. * The code is in ssl3ext.c. -diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c -index 33e7f3e..b14a935 100644 ---- a/net/third_party/nss/ssl/sslsock.c -+++ b/net/third_party/nss/ssl/sslsock.c +diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c +index b7e32a2..4c4df3f 100644 +--- a/mozilla/security/nss/lib/ssl/sslsock.c ++++ b/mozilla/security/nss/lib/ssl/sslsock.c @@ -185,6 +185,7 @@ static sslOptions ssl_defaults = { 2, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ @@ -408,8 +402,8 @@ index 33e7f3e..b14a935 100644 }; sslSessionIDLookupFunc ssl_sid_lookup; -@@ -746,6 +747,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) - ss->opt.enableSnapStart = on; +@@ -738,6 +739,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) + ss->opt.enableFalseStart = on; break; + case SSL_ENABLE_OCSP_STAPLING: @@ -419,26 +413,26 @@ index 33e7f3e..b14a935 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; -@@ -811,6 +816,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) +@@ -802,6 +807,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) + case SSL_REQUIRE_SAFE_NEGOTIATION: on = ss->opt.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; - case SSL_ENABLE_SNAP_START: on = ss->opt.enableSnapStart; break; + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -863,6 +869,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) +@@ -853,6 +859,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) + on = ssl_defaults.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; - case SSL_ENABLE_SNAP_START: on = ssl_defaults.enableSnapStart; break; + case SSL_ENABLE_OCSP_STAPLING: + on = ssl_defaults.enableOCSPStapling; + break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -1014,6 +1023,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) - ssl_defaults.enableSnapStart = on; +@@ -1000,6 +1009,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) + ssl_defaults.enableFalseStart = on; break; + case SSL_ENABLE_OCSP_STAPLING: @@ -448,7 +442,7 @@ index 33e7f3e..b14a935 100644 default: PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; -@@ -1473,6 +1486,36 @@ loser: +@@ -1453,6 +1466,36 @@ loser: #endif } @@ -485,10 +479,10 @@ index 33e7f3e..b14a935 100644 /************************************************************************/ /* The following functions are the TOP LEVEL SSL functions. ** They all get called through the NSPRIOMethods table below. -diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h -index 68cbf87..3fa3f9b 100644 ---- a/net/third_party/nss/ssl/sslt.h -+++ b/net/third_party/nss/ssl/sslt.h +diff --git a/mozilla/security/nss/lib/ssl/sslt.h b/mozilla/security/nss/lib/ssl/sslt.h +index f6e0b62..917c093 100644 +--- a/mozilla/security/nss/lib/ssl/sslt.h ++++ b/mozilla/security/nss/lib/ssl/sslt.h @@ -198,6 +198,7 @@ typedef enum { /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */ typedef enum { @@ -497,12 +491,11 @@ index 68cbf87..3fa3f9b 100644 #ifdef NSS_ENABLE_ECC ssl_elliptic_curves_xtn = 10, ssl_ec_point_formats_xtn = 11, -@@ -208,7 +209,7 @@ typedef enum { +@@ -207,6 +208,6 @@ typedef enum { ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ } SSLExtensionType; --#define SSL_MAX_EXTENSIONS 7 -+#define SSL_MAX_EXTENSIONS 8 +-#define SSL_MAX_EXTENSIONS 6 ++#define SSL_MAX_EXTENSIONS 7 - typedef enum { - /* No Snap Start handshake was attempted. */ + #endif /* __sslt_h_ */ diff --git a/net/third_party/nss/patches/peercertchain.patch b/net/third_party/nss/patches/peercertchain.patch index 8973c4b..e923901 100644 --- a/net/third_party/nss/patches/peercertchain.patch +++ b/net/third_party/nss/patches/peercertchain.patch @@ -1,8 +1,26 @@ -Index: net/third_party/nss/ssl/ssl.h -=================================================================== ---- net/third_party/nss/ssl/ssl.h (revision 63749) -+++ net/third_party/nss/ssl/ssl.h (revision 63750) -@@ -273,6 +273,17 @@ +commit 3833600af1d2e49f0d3b9381de10d120ddf0a03c +Author: Adam Langley +Date: Mon Jun 20 15:54:45 2011 -0400 + + peercertchain.patch + +diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def +index a1f4b51..0fa8777 100644 +--- a/mozilla/security/nss/lib/ssl/ssl.def ++++ b/mozilla/security/nss/lib/ssl/ssl.def +@@ -155,6 +155,7 @@ SSL_SNISocketConfigHook; + ;+NSS_CHROMIUM { + ;+ global: + SSL_GetNextProto; ++SSL_PeerCertificateChain; + SSL_SetNextProtoNego; + ;+ local: + ;+*; +diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h +index ffa973c..cccb49a 100644 +--- a/mozilla/security/nss/lib/ssl/ssl.h ++++ b/mozilla/security/nss/lib/ssl/ssl.h +@@ -264,6 +264,17 @@ SSL_IMPORT SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher, SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd); /* @@ -20,11 +38,11 @@ Index: net/third_party/nss/ssl/ssl.h ** Authenticate certificate hook. Called when a certificate comes in ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the ** certificate. -Index: net/third_party/nss/ssl/sslauth.c -=================================================================== ---- net/third_party/nss/ssl/sslauth.c (revision 63749) -+++ net/third_party/nss/ssl/sslauth.c (revision 63750) -@@ -60,6 +60,42 @@ +diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c +index 6d1eab0..df40f30 100644 +--- a/mozilla/security/nss/lib/ssl/sslauth.c ++++ b/mozilla/security/nss/lib/ssl/sslauth.c +@@ -60,6 +60,42 @@ SSL_PeerCertificate(PRFileDesc *fd) } /* NEED LOCKS IN HERE. */ @@ -67,15 +85,3 @@ Index: net/third_party/nss/ssl/sslauth.c CERTCertificate * SSL_LocalCertificate(PRFileDesc *fd) { -Index: net/third_party/nss/ssl/ssl.def -=================================================================== ---- net/third_party/nss/ssl/ssl.def (revision 63749) -+++ net/third_party/nss/ssl/ssl.def (revision 63750) -@@ -163,6 +163,7 @@ - ;+ global: - SSL_GetPredictedServerHelloData; - SSL_GetSnapStartResult; -+SSL_PeerCertificateChain; - SSL_SetPredictedPeerCertificates; - SSL_SetPredictedServerHelloData; - SSL_SetSnapStartApplicationData; diff --git a/net/third_party/nss/patches/renegoscsv.patch b/net/third_party/nss/patches/renegoscsv.patch index a9c188c..fd24d43 100644 --- a/net/third_party/nss/patches/renegoscsv.patch +++ b/net/third_party/nss/patches/renegoscsv.patch @@ -1,16 +1,14 @@ -Index: mozilla/security/nss/lib/ssl/ssl3con.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v -retrieving revision 1.136 -diff -u -p -u -8 -r1.136 ssl3con.c ---- mozilla/security/nss/lib/ssl/ssl3con.c 17 Feb 2010 02:29:07 -0000 1.136 -+++ mozilla/security/nss/lib/ssl/ssl3con.c 27 Feb 2010 02:55:21 -0000 -@@ -3863,19 +3863,19 @@ ssl3_SendClientHello(sslSocket *ss) - } - - /* how many suites does our PKCS11 support (regardless of policy)? */ - num_suites = ssl3_config_match_init(ss); - if (!num_suites) +commit f11613336a772057cd102a02759a6e4d111503d1 +Author: Adam Langley +Date: Mon Jun 20 15:52:10 2011 -0400 + + renegoscsv.patch + +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index e0cb4e9..455a532 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c +@@ -3874,9 +3874,9 @@ ssl3_SendClientHello(sslSocket *ss) return SECFailure; /* ssl3_config_match_init has set error code. */ /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, @@ -22,8 +20,3 @@ diff -u -p -u -8 -r1.136 ssl3con.c /* Must set this before calling Hello Extension Senders, * to suppress sending of empty RI extension. */ - ss->ssl3.hs.sendingSCSV = PR_TRUE; - } - - if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) { - PRUint32 maxBytes = 65535; /* 2^16 - 1 */ diff --git a/net/third_party/nss/patches/versionskew.patch b/net/third_party/nss/patches/versionskew.patch index 1b96983..0df63ea 100644 --- a/net/third_party/nss/patches/versionskew.patch +++ b/net/third_party/nss/patches/versionskew.patch @@ -1,8 +1,14 @@ +commit 47ee639fe155c26aed5ef6edba34be6d359a92c7 +Author: Adam Langley +Date: Mon Jun 20 15:50:01 2011 -0400 + + versionskew.patch + diff --git a/mozilla/security/nss/lib/ssl/sslsecur.c b/mozilla/security/nss/lib/ssl/sslsecur.c -index 8f79135..80c2ba6 100644 +index a0cae54..816b8f6 100644 --- a/mozilla/security/nss/lib/ssl/sslsecur.c +++ b/mozilla/security/nss/lib/ssl/sslsecur.c -@@ -1307,6 +1307,10 @@ SSL_SetURL(PRFileDesc *fd, const char *url) +@@ -1316,6 +1316,10 @@ SSL_SetURL(PRFileDesc *fd, const char *url) SECStatus SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *certList) { @@ -13,7 +19,7 @@ index 8f79135..80c2ba6 100644 sslSocket * ss = ssl_FindSocket(fd); CERTDistNames *names = NULL; -@@ -1334,6 +1338,7 @@ SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *certList) +@@ -1343,6 +1347,7 @@ SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *certList) ssl_Release1stHandshakeLock(ss); return SECSuccess; @@ -22,10 +28,10 @@ index 8f79135..80c2ba6 100644 /* diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c -index aab48d6..01ef3bd 100644 +index 4c8fbfd..b7e32a2 100644 --- a/mozilla/security/nss/lib/ssl/sslsock.c +++ b/mozilla/security/nss/lib/ssl/sslsock.c -@@ -1258,6 +1258,11 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) +@@ -1343,6 +1343,11 @@ SSL_GetNextProto(PRFileDesc *fd, int *state, unsigned char *buf, PRFileDesc * SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) { @@ -37,7 +43,7 @@ index aab48d6..01ef3bd 100644 sslSocket * sm = NULL, *ss = NULL; int i; sslServerCerts * mc = sm->serverCerts; -@@ -1360,6 +1365,7 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) +@@ -1445,6 +1450,7 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) return fd; loser: return NULL; diff --git a/net/third_party/nss/ssl/ssl.def b/net/third_party/nss/ssl/ssl.def deleted file mode 100644 index 35cc1e3..0000000 --- a/net/third_party/nss/ssl/ssl.def +++ /dev/null @@ -1,163 +0,0 @@ -;+# -;+# ***** BEGIN LICENSE BLOCK ***** -;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -;+# -;+# The contents of this file are subject to the Mozilla Public License Version -;+# 1.1 (the "License"); you may not use this file except in compliance with -;+# the License. You may obtain a copy of the License at -;+# http://www.mozilla.org/MPL/ -;+# -;+# Software distributed under the License is distributed on an "AS IS" basis, -;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -;+# for the specific language governing rights and limitations under the -;+# License. -;+# -;+# The Original Code is the Netscape security libraries. -;+# -;+# The Initial Developer of the Original Code is -;+# Netscape Communications Corporation. -;+# Portions created by the Initial Developer are Copyright (C) 2000 -;+# the Initial Developer. All Rights Reserved. -;+# -;+# Contributor(s): -;+# -;+# Alternatively, the contents of this file may be used under the terms of -;+# either the GNU General Public License Version 2 or later (the "GPL"), or -;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -;+# in which case the provisions of the GPL or the LGPL are applicable instead -;+# of those above. If you wish to allow use of your version of this file only -;+# under the terms of either the GPL or the LGPL, and not to allow others to -;+# use your version of this file under the terms of the MPL, indicate your -;+# decision by deleting the provisions above and replace them with the notice -;+# and other provisions required by the GPL or the LGPL. If you do not delete -;+# the provisions above, a recipient may use your version of this file under -;+# the terms of any one of the MPL, the GPL or the LGPL. -;+# -;+# ***** END LICENSE BLOCK ***** -;+# -;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS -;+# 1. For all unix platforms, the string ";-" means "remove this line" -;+# 2. For all unix platforms, the string " DATA " will be removed from any -;+# line on which it occurs. -;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX. -;+# On AIX, lines containing ";+" will be removed. -;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed. -;+# 5. For all unix platforms, after the above processing has taken place, -;+# all characters after the first ";" on the line will be removed. -;+# And for AIX, the first ";" will also be removed. -;+# This file is passed directly to windows. Since ';' is a comment, all UNIX -;+# directives are hidden behind ";", ";+", and ";-" -;+ -;+NSS_3.2 { # NSS 3.2 release -;+ global: -LIBRARY ssl3 ;- -EXPORTS ;- -SSL_ImplementedCiphers DATA ; -SSL_NumImplementedCiphers DATA ; -NSS_CmpCertChainWCANames; -NSS_FindCertKEAType; -NSS_GetClientAuthData; -NSS_SetDomesticPolicy; -NSS_SetExportPolicy; -NSS_SetFrancePolicy; -SSL_AuthCertificate; -SSL_AuthCertificateHook; -SSL_BadCertHook; -SSL_CertDBHandleSet; -SSL_CipherPolicyGet; -SSL_CipherPolicySet; -SSL_CipherPrefGet; -SSL_CipherPrefGetDefault; -SSL_CipherPrefSet; -SSL_CipherPrefSetDefault; -SSL_ClearSessionCache; -SSL_ConfigMPServerSIDCache; -SSL_ConfigSecureServer; -SSL_ConfigServerSessionIDCache; -SSL_DataPending; -SSL_ForceHandshake; -SSL_GetClientAuthDataHook; -SSL_GetSessionID; -SSL_GetStatistics; -SSL_HandshakeCallback; -SSL_ImportFD; -SSL_InheritMPServerSIDCache; -SSL_InvalidateSession; -SSL_OptionGet; -SSL_OptionGetDefault; -SSL_OptionSet; -SSL_OptionSetDefault; -SSL_PeerCertificate; -SSL_PreencryptedFileToStream; -SSL_PreencryptedStreamToFile; -SSL_ReHandshake; -SSL_ResetHandshake; -SSL_RestartHandshakeAfterCertReq; -SSL_RestartHandshakeAfterServerCert; -SSL_RevealCert; -SSL_RevealPinArg; -SSL_RevealURL; -SSL_SecurityStatus; -SSL_SetPKCS11PinArg; -SSL_SetSockPeerID; -SSL_SetURL; -;+ local: -;+*; -;+}; -;+NSS_3.2.1 { # NSS 3.2.1 release -;+ global: -NSSSSL_VersionCheck; -;+ local: -;+*; -;+}; -;+NSS_3.4 { # NSS 3.4 release -;+ global: -SSL_GetChannelInfo; -SSL_GetCipherSuiteInfo; -SSL_GetMaxServerCacheLocks; -SSL_LocalCertificate; -SSL_SetMaxServerCacheLocks; -;+ local: -;+*; -;+}; -;+NSS_3.7.4 { # NSS 3.7.4 release -;+ global: -SSL_ShutdownServerSessionIDCache; -;+ local: -;+*; -;+}; -;+NSS_3.11.4 { # NSS 3.11.4 release -;+ global: -SSL_ForceHandshakeWithTimeout; -SSL_ReHandshakeWithTimeout; -;+ local: -;+*; -;+}; -;+NSS_3.11.8 { # NSS 3.11.8 release -;+ global: -SSL_CanBypass; -;+ local: -;+*; -;+}; -;+NSS_3.12.6 { # NSS 3.12.6 release -;+ global: -SSL_ConfigServerSessionIDCacheWithOpt; -SSL_GetImplementedCiphers; -SSL_GetNegotiatedHostInfo; -SSL_GetNumImplementedCiphers; -SSL_HandshakeNegotiatedExtension; -SSL_ReconfigFD; -SSL_SetTrustAnchors; -SSL_SNISocketConfigHook; -;+ local: -;+*; -;+}; -;+NSS_CHROMIUM { -;+ global: -SSL_GetNextProto; -SSL_GetStapledOCSPResponse; -SSL_PeerCertificateChain; -SSL_SetNextProtoNego; -;+ local: -;+*; -;+}; -- cgit v1.1