Merge Chromium at r65505: Initial merge by git.

Change-Id: I31d8f1d8cd33caaf7f47ffa7350aef42d5fbdb45
author: Ben Murdoch <benm@google.com> 2010-11-18 18:32:45 +0000
committer: Ben Murdoch <benm@google.com> 2010-11-18 18:38:07 +0000
commit: 513209b27ff55e2841eac0e4120199c23acce758 (patch)
tree: aeba30bb08c5f47c57003544e378a377c297eee6 /net/third_party/nss/ssl/ssl3con.c
parent: 164f7496de0fbee436b385a79ead9e3cb81a50c1 (diff)
download: external_chromium-513209b27ff55e2841eac0e4120199c23acce758.zip
external_chromium-513209b27ff55e2841eac0e4120199c23acce758.tar.gz
external_chromium-513209b27ff55e2841eac0e4120199c23acce758.tar.bz2
1 files changed, 103 insertions, 14 deletions
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 1a6612f..d3d2727 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -2011,6 +2011,12 @@ ssl3_ComputeRecordMAC(
 
 static PRBool
 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    if (!sid || !sid->u.ssl3.clPlatformAuthValid) {
+	return PR_TRUE;
+    }
+    return ssl_PlatformAuthTokenPresent(&sid->u.ssl3.clPlatformAuthInfo);
+#else
     PK11SlotInfo *slot = NULL;
     PRBool isPresent = PR_TRUE;
 
@@ -2034,6 +2040,7 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
 	PK11_FreeSlot(slot);
     }
     return isPresent;
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
 }
 
 SECStatus
@@ -4827,6 +4834,20 @@ ssl3_SendCertificateVerify(sslSocket *ss)
     }
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
+                                 &buf, isTLS);
+    if (rv == SECSuccess) {
+        sslSessionID * sid = ss->sec.ci.sid;
+        ssl_GetPlatformAuthInfoForKey(ss->ssl3.platformClientKey,
+                                      &sid->u.ssl3.clPlatformAuthInfo);
+        sid->u.ssl3.clPlatformAuthValid = PR_TRUE;
+    }
+    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
+        ssl_FreePlatformKey(ss->ssl3.platformClientKey);
+        ss->ssl3.platformClientKey = (PlatformKey)NULL;
+    }
+#else /* NSS_PLATFORM_CLIENT_AUTH */
     rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
     if (rv == SECSuccess) {
 	PK11SlotInfo * slot;
@@ -4851,6 +4872,7 @@ ssl3_SendCertificateVerify(sslSocket *ss)
 	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
 	ss->ssl3.clientPrivateKey = NULL;
     }
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
     if (rv != SECSuccess) {
 	goto done;	/* err code was set by ssl3_SignHashes */
     }
@@ -5481,6 +5503,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     SSL3AlertDescription desc        = illegal_parameter;
     SECItem              cert_types  = {siBuffer, NULL, 0};
     CERTDistNames        ca_list;
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    CERTCertList *       platform_cert_list = NULL;
+    CERTCertListNode *   certNode = NULL;
+#endif  /* NSS_PLATFORM_CLIENT_AUTH */
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
 		SSL_GETPID(), ss->fd));
@@ -5507,6 +5533,12 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
        SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
        ss->ssl3.clientPrivateKey = NULL;
     }
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    if (ss->ssl3.platformClientKey) {
+       ssl_FreePlatformKey(ss->ssl3.platformClientKey);
+       ss->ssl3.platformClientKey = (PlatformKey)NULL;
+    }
+#endif  /* NSS_PLATFORM_CLIENT_AUTH */
 
     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
     rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
@@ -5573,6 +5605,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     desc = no_certificate;
     ss->ssl3.hs.ws = wait_hello_done;
 
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    if (ss->getPlatformClientAuthData == NULL) {
+	rv = SECFailure; /* force it to send a no_certificate alert */
+    } else {
+	/* XXX Should pass cert_types in this call!! */
+        rv = (SECStatus)(*ss->getPlatformClientAuthData)(
+                                        ss->getPlatformClientAuthDataArg,
+                                        ss->fd, &ca_list,
+                                        &platform_cert_list,
+                                        (void**)&ss->ssl3.platformClientKey);
+    }
+#else
     if (ss->getClientAuthData == NULL) {
 	rv = SECFailure; /* force it to send a no_certificate alert */
     } else {
@@ -5582,12 +5626,51 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 						 &ss->ssl3.clientCertificate,
 						 &ss->ssl3.clientPrivateKey);
     }
+#endif   /* NSS_PLATFORM_CLIENT_AUTH */
     switch (rv) {
     case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
 	ssl_SetAlwaysBlock(ss);
 	break;	/* not an error */
 
     case SECSuccess:
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+        if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
+            !ss->ssl3.platformClientKey) {
+            if (platform_cert_list) {
+                CERT_DestroyCertList(platform_cert_list);
+                platform_cert_list = NULL;
+            }
+            if (ss->ssl3.platformClientKey) {
+                ssl_FreePlatformKey(ss->ssl3.platformClientKey);
+                ss->ssl3.platformClientKey = (PlatformKey)NULL;
+            }
+            goto send_no_certificate;
+        }
+
+        certNode = CERT_LIST_HEAD(platform_cert_list);
+        ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert);
+
+        /* Setting ssl3.clientCertChain non-NULL will cause
+         * ssl3_HandleServerHelloDone to call SendCertificate.
+         * Note: clientCertChain should include the EE cert as
+         * clientCertificate is ignored during the actual sending
+         */
+        ss->ssl3.clientCertChain =
+            hack_NewCertificateListFromCertList(platform_cert_list);
+        CERT_DestroyCertList(platform_cert_list);
+        platform_cert_list = NULL;
+        if (ss->ssl3.clientCertChain == NULL) {
+            if (ss->ssl3.clientCertificate != NULL) {
+                CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+                ss->ssl3.clientCertificate = NULL;
+            }
+            if (ss->ssl3.platformClientKey) {
+                ssl_FreePlatformKey(ss->ssl3.platformClientKey);
+                ss->ssl3.platformClientKey = (PlatformKey)NULL;
+            }
+            goto send_no_certificate;
+        } 
+#else
         /* check what the callback function returned */
         if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
             /* we are missing either the key or cert */
@@ -5620,6 +5703,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	    }
 	    goto send_no_certificate;
 	}
+#endif   /* NSS_PLATFORM_CLIENT_AUTH */
 	break;	/* not an error */
 
     case SECFailure:
@@ -5650,6 +5734,10 @@ loser:
 done:
     if (arena != NULL)
     	PORT_FreeArena(arena, PR_FALSE);
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    if (platform_cert_list)
+        CERT_DestroyCertList(platform_cert_list);
+#endif
     return rv;
 }
 
@@ -5758,6 +5846,16 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
 	    goto loser;	/* error code is set. */
     	}
     } else
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    if (ss->ssl3.clientCertChain != NULL &&
+        ss->ssl3.platformClientKey) {
+        send_verify = PR_TRUE;
+        rv = ssl3_SendCertificate(ss);
+        if (rv != SECSuccess) {
+            goto loser; /* error code is set. */
+        }
+    }
+#else
     if (ss->ssl3.clientCertChain  != NULL &&
 	ss->ssl3.clientPrivateKey != NULL) {
 	send_verify = PR_TRUE;
@@ -5766,6 +5864,7 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
 	    goto loser;	/* error code is set. */
     	}
     }
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
 
     rv = ssl3_SendClientKeyExchange(ss);
     if (rv != SECSuccess) {
@@ -8366,20 +8465,6 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
 	}
     }
 
-    if ((ss->ssl3.hs.snapStartType == snap_start_recovery ||
-         ss->ssl3.hs.snapStartType == snap_start_resume_recovery) &&
-	ss->ssl3.snapStartApplicationData.data) {
-	/* In the event that the server ignored the application data in our
-	 * snap start extension, we need to retransmit it now. */
-	PRInt32 sent = ssl3_SendRecord(ss, content_application_data,
-                                       ss->ssl3.snapStartApplicationData.data,
-                                       ss->ssl3.snapStartApplicationData.len,
-                                       flags);
-	SECITEM_FreeItem(&ss->ssl3.snapStartApplicationData, PR_FALSE);
-	if (sent < 0)
-	    return (SECStatus)sent;	/* error code set by ssl3_SendRecord */
-    }
-
     return SECSuccess;
 
 fail:
@@ -9640,6 +9725,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
 
     if (ss->ssl3.clientPrivateKey != NULL)
 	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    if (ss->ssl3.platformClientKey)
+	ssl_FreePlatformKey(ss->ssl3.platformClientKey);    
+#endif /* NSS_PLATFORM_CLIENT_AUTH */
 
     if (ss->ssl3.peerCertArena != NULL)
 	ssl3_CleanupPeerCerts(ss);
author	Ben Murdoch <benm@google.com>	2010-11-18 18:32:45 +0000
committer	Ben Murdoch <benm@google.com>	2010-11-18 18:38:07 +0000
commit	513209b27ff55e2841eac0e4120199c23acce758 (patch)
tree	aeba30bb08c5f47c57003544e378a377c297eee6 /net/third_party/nss/ssl/ssl3con.c
parent	164f7496de0fbee436b385a79ead9e3cb81a50c1 (diff)
download	external_chromium-513209b27ff55e2841eac0e4120199c23acce758.zip external_chromium-513209b27ff55e2841eac0e4120199c23acce758.tar.gz external_chromium-513209b27ff55e2841eac0e4120199c23acce758.tar.bz2