Expose more functions for webrtc.

Expose more functions for webrtc.

[Ronghua Wu (Left Chromium), 2013-01-14 18:46:46]

For the build errors we got when trying to enable dtls.

https://codereview.chromium.org/11828060/
http://build.chromium.org/p/tryserver.chromium/builders/win/builds/44169/step...

[Ryan Sleevi, 2013-01-14 18:48:39]

Can you point to the webrtc CLs using these? I am concerned about whether
these are the right functions to be calling in Chrome. Certainly, they will
not work as you may think on Win (since they are tied to client certs)
On Jan 14, 2013 10:46 AM, <ronghuawu@chromium.org> wrote:

> Reviewers: wtc, juberti, Ryan Sleevi,
>
> Message:
> For the build errors we got when trying to enable dtls.
>
>
https://codereview.chromium.**org/11828060/<https://codereview.chromium.org/1...
> http://build.chromium.org/p/**tryserver.chromium/builders/**
>
win/builds/44169/steps/**compile/logs/stdio<http://build.chromium.org/p/tryserver.chromium/builders/win/builds/44169/steps/compile/logs/stdio>
>
> Description:
> Expose more functions for webrtc.
>
> Please review this at
https://codereview.chromium.**org/11884022/<https://codereview.chromium.org/1...
>
> SVN Base:
http://src.chromium.org/svn/**trunk/deps/third_party/nss/<http://src.chromium...
>
> Affected files:
>   M     mozilla/security/nss/exports_**win.def
>
>
> Index: mozilla/security/nss/exports_**win.def
> ==============================**==============================**=======
> --- mozilla/security/nss/exports_**win.def        (revision 176679)
> +++ mozilla/security/nss/exports_**win.def        (working copy)
> @@ -22,6 +22,7 @@
>  CERT_AsciiToName
>  CERT_CertChainFromCert
>  CERT_CertTimesValid
> +CERT_CheckCertValidTimes
>  CERT_CreateCertificate
>  CERT_CreateCertificateRequest
>  CERT_CreateValidity
> @@ -34,9 +35,13 @@
>  CERT_DupCertificate
>  CERT_DupCertList
>  CERT_ExtractPublicKey
> +CERT_FindCertByName
>  CERT_FindCertExtension
>  CERT_FinishExtensions
>  CERT_FreeDistNames
> +CERT_FreeNicknames
> +CERT_FindUserCertByUsage
> +CERT_GetCertNicknames
>  CERT_GetCommonName
>  CERT_GetDefaultCertDB
>  CERT_GetSSLCACerts
> @@ -46,6 +51,7 @@
>  CERT_StartCertExtensions
>  CERT_VerifyCertName
>  CERT_VerifyCertNow
> +DER_Lengths_Util
>  DES_Decrypt
>  DES_DestroyContext
>  DES_Encrypt
> @@ -104,6 +110,7 @@
>  PK11_**ExportEncryptedPrivKeyInfo
>  PK11_ExtractKeyValue
>  PK11_Finalize
> +PK11_FindKeyByAnyCert
>  PK11_FreeSlot
>  PK11_FreeSymKey
>  PK11_GenerateKeyPair
>
>
>

[Ronghua Wu (Left Chromium), 2013-01-14 18:57:10]

The libjingle turned this on is here:
https://code.google.com/p/libjingle/source/detail?r=261

Add support for NSS-based SSL/TLS/DTLS implementation.
https://code.google.com/p/libjingle/source/detail?spec=svn261&r=211

On Mon, Jan 14, 2013 at 10:48 AM, Ryan Sleevi <rsleevi@chromium.org> wrote:

> Can you point to the webrtc CLs using these? I am concerned about whether
> these are the right functions to be calling in Chrome. Certainly, they will
> not work as you may think on Win (since they are tied to client certs)
>  On Jan 14, 2013 10:46 AM, <ronghuawu@chromium.org> wrote:
>
>> Reviewers: wtc, juberti, Ryan Sleevi,
>>
>> Message:
>> For the build errors we got when trying to enable dtls.
>>
>>
https://codereview.chromium.**org/11828060/<https://codereview.chromium.org/1...
>> http://build.chromium.org/p/**tryserver.chromium/builders/**
>>
win/builds/44169/steps/**compile/logs/stdio<http://build.chromium.org/p/tryserver.chromium/builders/win/builds/44169/steps/compile/logs/stdio>
>>
>> Description:
>> Expose more functions for webrtc.
>>
>> Please review this at
https://codereview.chromium.**org/11884022/<https://codereview.chromium.org/1...
>>
>> SVN Base:
http://src.chromium.org/svn/**trunk/deps/third_party/nss/<http://src.chromium...
>>
>> Affected files:
>>   M     mozilla/security/nss/exports_**win.def
>>
>>
>> Index: mozilla/security/nss/exports_**win.def
>> ==============================**==============================**=======
>> --- mozilla/security/nss/exports_**win.def        (revision 176679)
>> +++ mozilla/security/nss/exports_**win.def        (working copy)
>> @@ -22,6 +22,7 @@
>>  CERT_AsciiToName
>>  CERT_CertChainFromCert
>>  CERT_CertTimesValid
>> +CERT_CheckCertValidTimes
>>  CERT_CreateCertificate
>>  CERT_CreateCertificateRequest
>>  CERT_CreateValidity
>> @@ -34,9 +35,13 @@
>>  CERT_DupCertificate
>>  CERT_DupCertList
>>  CERT_ExtractPublicKey
>> +CERT_FindCertByName
>>  CERT_FindCertExtension
>>  CERT_FinishExtensions
>>  CERT_FreeDistNames
>> +CERT_FreeNicknames
>> +CERT_FindUserCertByUsage
>> +CERT_GetCertNicknames
>>  CERT_GetCommonName
>>  CERT_GetDefaultCertDB
>>  CERT_GetSSLCACerts
>> @@ -46,6 +51,7 @@
>>  CERT_StartCertExtensions
>>  CERT_VerifyCertName
>>  CERT_VerifyCertNow
>> +DER_Lengths_Util
>>  DES_Decrypt
>>  DES_DestroyContext
>>  DES_Encrypt
>> @@ -104,6 +110,7 @@
>>  PK11_**ExportEncryptedPrivKeyInfo
>>  PK11_ExtractKeyValue
>>  PK11_Finalize
>> +PK11_FindKeyByAnyCert
>>  PK11_FreeSlot
>>  PK11_FreeSymKey
>>  PK11_GenerateKeyPair
>>
>>
>>

[ekr, 2013-01-14 19:36:05]

On 2013/01/14 18:57:10, Ronghua Wu wrote:
> The libjingle turned this on is here:
> https://code.google.com/p/libjingle/source/detail?r=261
> 
> Add support for NSS-based SSL/TLS/DTLS implementation.
> https://code.google.com/p/libjingle/source/detail?spec=svn261&r=211
> 
> On Mon, Jan 14, 2013 at 10:48 AM, Ryan Sleevi <mailto:rsleevi@chromium.org>
wrote:
> 
> > Can you point to the webrtc CLs using these? I am concerned about whether
> > these are the right functions to be calling in Chrome. Certainly, they will
> > not work as you may think on Win (since they are tied to client certs)
> >  On Jan 14, 2013 10:46 AM, <mailto:ronghuawu@chromium.org> wrote:
> >
> >> Reviewers: wtc, juberti, Ryan Sleevi,
> >>
> >> Message:
> >> For the build errors we got when trying to enable dtls.
> >>
> >>
>
https://codereview.chromium.**org/11828060/%3Chttps://codereview.chromium.org...>
> >> http://build.chromium.org/p/**tryserver.chromium/builders/**
> >>
>
win/builds/44169/steps/**compile/logs/stdio<http://build.chromium.org/p/tryserver.chromium/builders/win/builds/44169/steps/compile/logs/stdio>
> >>
> >> Description:
> >> Expose more functions for webrtc.
> >>
> >> Please review this at
>
https://codereview.chromium.**org/11884022/%3Chttps://codereview.chromium.org...>
> >>
> >> SVN Base:
>
http://src.chromium.org/svn/**trunk/deps/third_party/nss/%3Chttp://src.chromi...>
> >>
> >> Affected files:
> >>   M     mozilla/security/nss/exports_**win.def
> >>
> >>
> >> Index: mozilla/security/nss/exports_**win.def
> >> ==============================**==============================**=======
> >> --- mozilla/security/nss/exports_**win.def        (revision 176679)
> >> +++ mozilla/security/nss/exports_**win.def        (working copy)
> >> @@ -22,6 +22,7 @@
> >>  CERT_AsciiToName
> >>  CERT_CertChainFromCert
> >>  CERT_CertTimesValid
> >> +CERT_CheckCertValidTimes
> >>  CERT_CreateCertificate
> >>  CERT_CreateCertificateRequest
> >>  CERT_CreateValidity
> >> @@ -34,9 +35,13 @@
> >>  CERT_DupCertificate
> >>  CERT_DupCertList
> >>  CERT_ExtractPublicKey
> >> +CERT_FindCertByName
> >>  CERT_FindCertExtension
> >>  CERT_FinishExtensions
> >>  CERT_FreeDistNames
> >> +CERT_FreeNicknames
> >> +CERT_FindUserCertByUsage
> >> +CERT_GetCertNicknames
> >>  CERT_GetCommonName
> >>  CERT_GetDefaultCertDB
> >>  CERT_GetSSLCACerts
> >> @@ -46,6 +51,7 @@
> >>  CERT_StartCertExtensions
> >>  CERT_VerifyCertName
> >>  CERT_VerifyCertNow
> >> +DER_Lengths_Util
> >>  DES_Decrypt
> >>  DES_DestroyContext
> >>  DES_Encrypt
> >> @@ -104,6 +110,7 @@
> >>  PK11_**ExportEncryptedPrivKeyInfo
> >>  PK11_ExtractKeyValue
> >>  PK11_Finalize
> >> +PK11_FindKeyByAnyCert
> >>  PK11_FreeSlot
> >>  PK11_FreeSymKey
> >>  PK11_GenerateKeyPair
> >>
> >>
> >>

Hmm.....

So we aren't explicitly calling these functions. I suspect that they are getting
pulled in by our use of certificate-based client-auth, which is just based on
ephemeral certificates, so need not be ited into the Windows cert store.

[wtc, 2013-01-14 19:40:50]

Patch set 1 LGTM. Please wait for rsleevi's OK.

I verified that all of these functions are exported from
NSS upstream in nss.def or nssutil.def.

[Ryan Sleevi, 2013-01-14 19:58:56]

I am concerned that these link failures may be the result of some sort of
transitive GYP failure.

The errors indicate a link failure when linking libssl (a static_library), which
has a dependency on crnss (which, in a component build such as the bots
indicated, is built as a shared library)

The symbols are all part of NSS's default client auth hook (
NSS_GetClientAuthData ), which should not be used. On existing Chromium builds,
this is handled by virtue of it being optimized out when compiling, but in this
case, with WebRTC, it is not, and that is odd.

These changes LGTM in terms of correctness and matching upstream, but can you
investigate why NSS_GetClientAuthData is not being optimized out when content
depends on webrtc?

[Ronghua Wu (Left Chromium), 2013-01-14 21:37:36]

Ok, looks like we agree there's no harm to commit this change.

Ryan,
But I probably didn't fully get your comments regarding to
NSS_GetClientAuthData. Any more information where can I start with?

[commit-bot: I haz the power, 2013-01-14 22:26:06]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/ronghuawu@chromium.org/11884022/1

[commit-bot: I haz the power, 2013-01-14 22:26:13]

Change committed as 176741