OLD | NEW |
1 /* | 1 /* |
2 * SSL3 Protocol | 2 * SSL3 Protocol |
3 * | 3 * |
4 * ***** BEGIN LICENSE BLOCK ***** | 4 * ***** BEGIN LICENSE BLOCK ***** |
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
6 * | 6 * |
7 * The contents of this file are subject to the Mozilla Public License Version | 7 * The contents of this file are subject to the Mozilla Public License Version |
8 * 1.1 (the "License"); you may not use this file except in compliance with | 8 * 1.1 (the "License"); you may not use this file except in compliance with |
9 * the License. You may obtain a copy of the License at | 9 * the License. You may obtain a copy of the License at |
10 * http://www.mozilla.org/MPL/ | 10 * http://www.mozilla.org/MPL/ |
(...skipping 1993 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2004 | 2004 |
2005 if (rv != SECSuccess) { | 2005 if (rv != SECSuccess) { |
2006 rv = SECFailure; | 2006 rv = SECFailure; |
2007 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2007 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2008 } | 2008 } |
2009 return rv; | 2009 return rv; |
2010 } | 2010 } |
2011 | 2011 |
2012 static PRBool | 2012 static PRBool |
2013 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { | 2013 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
| 2014 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 2015 if (!sid || !sid->u.ssl3.clPlatformAuthValid) { |
| 2016 return PR_TRUE; |
| 2017 } |
| 2018 return ssl_PlatformAuthTokenPresent(&sid->u.ssl3.clPlatformAuthInfo); |
| 2019 #else |
2014 PK11SlotInfo *slot = NULL; | 2020 PK11SlotInfo *slot = NULL; |
2015 PRBool isPresent = PR_TRUE; | 2021 PRBool isPresent = PR_TRUE; |
2016 | 2022 |
2017 /* we only care if we are doing client auth */ | 2023 /* we only care if we are doing client auth */ |
2018 if (!sid || !sid->u.ssl3.clAuthValid) { | 2024 if (!sid || !sid->u.ssl3.clAuthValid) { |
2019 return PR_TRUE; | 2025 return PR_TRUE; |
2020 } | 2026 } |
2021 | 2027 |
2022 /* get the slot */ | 2028 /* get the slot */ |
2023 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID, | 2029 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID, |
2024 sid->u.ssl3.clAuthSlotID); | 2030 sid->u.ssl3.clAuthSlotID); |
2025 if (slot == NULL || | 2031 if (slot == NULL || |
2026 !PK11_IsPresent(slot) || | 2032 !PK11_IsPresent(slot) || |
2027 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) || | 2033 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) || |
2028 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) || | 2034 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) || |
2029 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) || | 2035 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) || |
2030 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { | 2036 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { |
2031 isPresent = PR_FALSE; | 2037 isPresent = PR_FALSE; |
2032 } | 2038 } |
2033 if (slot) { | 2039 if (slot) { |
2034 PK11_FreeSlot(slot); | 2040 PK11_FreeSlot(slot); |
2035 } | 2041 } |
2036 return isPresent; | 2042 return isPresent; |
| 2043 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
2037 } | 2044 } |
2038 | 2045 |
2039 SECStatus | 2046 SECStatus |
2040 ssl3_CompressMACEncryptRecord(sslSocket * ss, | 2047 ssl3_CompressMACEncryptRecord(sslSocket * ss, |
2041 SSL3ContentType type, | 2048 SSL3ContentType type, |
2042 const SSL3Opaque * pIn, | 2049 const SSL3Opaque * pIn, |
2043 PRUint32 contentLen) | 2050 PRUint32 contentLen) |
2044 { | 2051 { |
2045 ssl3CipherSpec * cwSpec; | 2052 ssl3CipherSpec * cwSpec; |
2046 const ssl3BulkCipherDef * cipher_def; | 2053 const ssl3BulkCipherDef * cipher_def; |
(...skipping 2773 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4820 SSL_GETPID(), ss->fd)); | 4827 SSL_GETPID(), ss->fd)); |
4821 | 4828 |
4822 ssl_GetSpecReadLock(ss); | 4829 ssl_GetSpecReadLock(ss); |
4823 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | 4830 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
4824 ssl_ReleaseSpecReadLock(ss); | 4831 ssl_ReleaseSpecReadLock(ss); |
4825 if (rv != SECSuccess) { | 4832 if (rv != SECSuccess) { |
4826 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ | 4833 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
4827 } | 4834 } |
4828 | 4835 |
4829 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 4836 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 4837 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 4838 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, |
| 4839 &buf, isTLS); |
| 4840 if (rv == SECSuccess) { |
| 4841 sslSessionID * sid = ss->sec.ci.sid; |
| 4842 ssl_GetPlatformAuthInfoForKey(ss->ssl3.platformClientKey, |
| 4843 &sid->u.ssl3.clPlatformAuthInfo); |
| 4844 sid->u.ssl3.clPlatformAuthValid = PR_TRUE; |
| 4845 } |
| 4846 if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) { |
| 4847 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 4848 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 4849 } |
| 4850 #else /* NSS_PLATFORM_CLIENT_AUTH */ |
4830 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 4851 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
4831 if (rv == SECSuccess) { | 4852 if (rv == SECSuccess) { |
4832 PK11SlotInfo * slot; | 4853 PK11SlotInfo * slot; |
4833 sslSessionID * sid = ss->sec.ci.sid; | 4854 sslSessionID * sid = ss->sec.ci.sid; |
4834 | 4855 |
4835 /* Remember the info about the slot that did the signing. | 4856 /* Remember the info about the slot that did the signing. |
4836 ** Later, when doing an SSL restart handshake, verify this. | 4857 ** Later, when doing an SSL restart handshake, verify this. |
4837 ** These calls are mere accessors, and can't fail. | 4858 ** These calls are mere accessors, and can't fail. |
4838 */ | 4859 */ |
4839 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); | 4860 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); |
4840 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); | 4861 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); |
4841 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); | 4862 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); |
4842 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); | 4863 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); |
4843 sid->u.ssl3.clAuthValid = PR_TRUE; | 4864 sid->u.ssl3.clAuthValid = PR_TRUE; |
4844 PK11_FreeSlot(slot); | 4865 PK11_FreeSlot(slot); |
4845 } | 4866 } |
4846 /* If we're doing RSA key exchange, we're all done with the private key | 4867 /* If we're doing RSA key exchange, we're all done with the private key |
4847 * here. Diffie-Hellman key exchanges need the client's | 4868 * here. Diffie-Hellman key exchanges need the client's |
4848 * private key for the key exchange. | 4869 * private key for the key exchange. |
4849 */ | 4870 */ |
4850 if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) { | 4871 if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) { |
4851 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 4872 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
4852 ss->ssl3.clientPrivateKey = NULL; | 4873 ss->ssl3.clientPrivateKey = NULL; |
4853 } | 4874 } |
| 4875 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
4854 if (rv != SECSuccess) { | 4876 if (rv != SECSuccess) { |
4855 goto done; /* err code was set by ssl3_SignHashes */ | 4877 goto done; /* err code was set by ssl3_SignHashes */ |
4856 } | 4878 } |
4857 | 4879 |
4858 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); | 4880 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); |
4859 if (rv != SECSuccess) { | 4881 if (rv != SECSuccess) { |
4860 goto done; /* error code set by AppendHandshake */ | 4882 goto done; /* error code set by AppendHandshake */ |
4861 } | 4883 } |
4862 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | 4884 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
4863 if (rv != SECSuccess) { | 4885 if (rv != SECSuccess) { |
(...skipping 610 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5474 dnameNode * node; | 5496 dnameNode * node; |
5475 PRInt32 remaining; | 5497 PRInt32 remaining; |
5476 PRBool isTLS = PR_FALSE; | 5498 PRBool isTLS = PR_FALSE; |
5477 int i; | 5499 int i; |
5478 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST; | 5500 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST; |
5479 int nnames = 0; | 5501 int nnames = 0; |
5480 SECStatus rv; | 5502 SECStatus rv; |
5481 SSL3AlertDescription desc = illegal_parameter; | 5503 SSL3AlertDescription desc = illegal_parameter; |
5482 SECItem cert_types = {siBuffer, NULL, 0}; | 5504 SECItem cert_types = {siBuffer, NULL, 0}; |
5483 CERTDistNames ca_list; | 5505 CERTDistNames ca_list; |
| 5506 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5507 CERTCertList * platform_cert_list = NULL; |
| 5508 CERTCertListNode * certNode = NULL; |
| 5509 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5484 | 5510 |
5485 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", | 5511 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
5486 SSL_GETPID(), ss->fd)); | 5512 SSL_GETPID(), ss->fd)); |
5487 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 5513 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
5488 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 5514 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
5489 | 5515 |
5490 if (ss->ssl3.hs.ws != wait_cert_request && | 5516 if (ss->ssl3.hs.ws != wait_cert_request && |
5491 ss->ssl3.hs.ws != wait_server_key) { | 5517 ss->ssl3.hs.ws != wait_server_key) { |
5492 desc = unexpected_message; | 5518 desc = unexpected_message; |
5493 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST; | 5519 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST; |
5494 goto alert_loser; | 5520 goto alert_loser; |
5495 } | 5521 } |
5496 | 5522 |
5497 /* clean up anything left from previous handshake. */ | 5523 /* clean up anything left from previous handshake. */ |
5498 if (ss->ssl3.clientCertChain != NULL) { | 5524 if (ss->ssl3.clientCertChain != NULL) { |
5499 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); | 5525 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
5500 ss->ssl3.clientCertChain = NULL; | 5526 ss->ssl3.clientCertChain = NULL; |
5501 } | 5527 } |
5502 if (ss->ssl3.clientCertificate != NULL) { | 5528 if (ss->ssl3.clientCertificate != NULL) { |
5503 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 5529 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
5504 ss->ssl3.clientCertificate = NULL; | 5530 ss->ssl3.clientCertificate = NULL; |
5505 } | 5531 } |
5506 if (ss->ssl3.clientPrivateKey != NULL) { | 5532 if (ss->ssl3.clientPrivateKey != NULL) { |
5507 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 5533 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
5508 ss->ssl3.clientPrivateKey = NULL; | 5534 ss->ssl3.clientPrivateKey = NULL; |
5509 } | 5535 } |
| 5536 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5537 if (ss->ssl3.platformClientKey) { |
| 5538 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 5539 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 5540 } |
| 5541 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5510 | 5542 |
5511 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 5543 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
5512 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); | 5544 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); |
5513 if (rv != SECSuccess) | 5545 if (rv != SECSuccess) |
5514 goto loser; /* malformed, alert has been sent */ | 5546 goto loser; /* malformed, alert has been sent */ |
5515 | 5547 |
5516 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 5548 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
5517 if (arena == NULL) | 5549 if (arena == NULL) |
5518 goto no_mem; | 5550 goto no_mem; |
5519 | 5551 |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5566 i++, node = node->next) { | 5598 i++, node = node->next) { |
5567 ca_list.names[i] = node->name; | 5599 ca_list.names[i] = node->name; |
5568 } | 5600 } |
5569 | 5601 |
5570 if (length != 0) | 5602 if (length != 0) |
5571 goto alert_loser; /* malformed */ | 5603 goto alert_loser; /* malformed */ |
5572 | 5604 |
5573 desc = no_certificate; | 5605 desc = no_certificate; |
5574 ss->ssl3.hs.ws = wait_hello_done; | 5606 ss->ssl3.hs.ws = wait_hello_done; |
5575 | 5607 |
| 5608 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5609 if (ss->getPlatformClientAuthData == NULL) { |
| 5610 rv = SECFailure; /* force it to send a no_certificate alert */ |
| 5611 } else { |
| 5612 /* XXX Should pass cert_types in this call!! */ |
| 5613 rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
| 5614 ss->getPlatformClientAuthDataArg, |
| 5615 ss->fd, &ca_list, |
| 5616 &platform_cert_list, |
| 5617 (void**)&ss->ssl3.platformClientKey); |
| 5618 } |
| 5619 #else |
5576 if (ss->getClientAuthData == NULL) { | 5620 if (ss->getClientAuthData == NULL) { |
5577 rv = SECFailure; /* force it to send a no_certificate alert */ | 5621 rv = SECFailure; /* force it to send a no_certificate alert */ |
5578 } else { | 5622 } else { |
5579 /* XXX Should pass cert_types in this call!! */ | 5623 /* XXX Should pass cert_types in this call!! */ |
5580 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, | 5624 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, |
5581 ss->fd, &ca_list, | 5625 ss->fd, &ca_list, |
5582 &ss->ssl3.clientCertificate, | 5626 &ss->ssl3.clientCertificate, |
5583 &ss->ssl3.clientPrivateKey); | 5627 &ss->ssl3.clientPrivateKey); |
5584 } | 5628 } |
| 5629 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5585 switch (rv) { | 5630 switch (rv) { |
5586 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ | 5631 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
5587 ssl_SetAlwaysBlock(ss); | 5632 ssl_SetAlwaysBlock(ss); |
5588 break; /* not an error */ | 5633 break; /* not an error */ |
5589 | 5634 |
5590 case SECSuccess: | 5635 case SECSuccess: |
| 5636 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5637 if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) || |
| 5638 !ss->ssl3.platformClientKey) { |
| 5639 if (platform_cert_list) { |
| 5640 CERT_DestroyCertList(platform_cert_list); |
| 5641 platform_cert_list = NULL; |
| 5642 } |
| 5643 if (ss->ssl3.platformClientKey) { |
| 5644 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 5645 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 5646 } |
| 5647 goto send_no_certificate; |
| 5648 } |
| 5649 |
| 5650 certNode = CERT_LIST_HEAD(platform_cert_list); |
| 5651 ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert); |
| 5652 |
| 5653 /* Setting ssl3.clientCertChain non-NULL will cause |
| 5654 * ssl3_HandleServerHelloDone to call SendCertificate. |
| 5655 * Note: clientCertChain should include the EE cert as |
| 5656 * clientCertificate is ignored during the actual sending |
| 5657 */ |
| 5658 ss->ssl3.clientCertChain = |
| 5659 hack_NewCertificateListFromCertList(platform_cert_list); |
| 5660 CERT_DestroyCertList(platform_cert_list); |
| 5661 platform_cert_list = NULL; |
| 5662 if (ss->ssl3.clientCertChain == NULL) { |
| 5663 if (ss->ssl3.clientCertificate != NULL) { |
| 5664 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 5665 ss->ssl3.clientCertificate = NULL; |
| 5666 } |
| 5667 if (ss->ssl3.platformClientKey) { |
| 5668 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 5669 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 5670 } |
| 5671 goto send_no_certificate; |
| 5672 } |
| 5673 #else |
5591 /* check what the callback function returned */ | 5674 /* check what the callback function returned */ |
5592 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 5675 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
5593 /* we are missing either the key or cert */ | 5676 /* we are missing either the key or cert */ |
5594 if (ss->ssl3.clientCertificate) { | 5677 if (ss->ssl3.clientCertificate) { |
5595 /* got a cert, but no key - free it */ | 5678 /* got a cert, but no key - free it */ |
5596 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 5679 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
5597 ss->ssl3.clientCertificate = NULL; | 5680 ss->ssl3.clientCertificate = NULL; |
5598 } | 5681 } |
5599 if (ss->ssl3.clientPrivateKey) { | 5682 if (ss->ssl3.clientPrivateKey) { |
5600 /* got a key, but no cert - free it */ | 5683 /* got a key, but no cert - free it */ |
(...skipping 12 matching lines...) Expand all Loading... |
5613 if (ss->ssl3.clientCertificate != NULL) { | 5696 if (ss->ssl3.clientCertificate != NULL) { |
5614 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 5697 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
5615 ss->ssl3.clientCertificate = NULL; | 5698 ss->ssl3.clientCertificate = NULL; |
5616 } | 5699 } |
5617 if (ss->ssl3.clientPrivateKey != NULL) { | 5700 if (ss->ssl3.clientPrivateKey != NULL) { |
5618 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 5701 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
5619 ss->ssl3.clientPrivateKey = NULL; | 5702 ss->ssl3.clientPrivateKey = NULL; |
5620 } | 5703 } |
5621 goto send_no_certificate; | 5704 goto send_no_certificate; |
5622 } | 5705 } |
| 5706 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5623 break; /* not an error */ | 5707 break; /* not an error */ |
5624 | 5708 |
5625 case SECFailure: | 5709 case SECFailure: |
5626 default: | 5710 default: |
5627 send_no_certificate: | 5711 send_no_certificate: |
5628 if (isTLS) { | 5712 if (isTLS) { |
5629 ss->ssl3.sendEmptyCert = PR_TRUE; | 5713 ss->ssl3.sendEmptyCert = PR_TRUE; |
5630 } else { | 5714 } else { |
5631 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); | 5715 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); |
5632 } | 5716 } |
(...skipping 10 matching lines...) Expand all Loading... |
5643 alert_loser: | 5727 alert_loser: |
5644 if (isTLS && desc == illegal_parameter) | 5728 if (isTLS && desc == illegal_parameter) |
5645 desc = decode_error; | 5729 desc = decode_error; |
5646 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 5730 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
5647 loser: | 5731 loser: |
5648 PORT_SetError(errCode); | 5732 PORT_SetError(errCode); |
5649 rv = SECFailure; | 5733 rv = SECFailure; |
5650 done: | 5734 done: |
5651 if (arena != NULL) | 5735 if (arena != NULL) |
5652 PORT_FreeArena(arena, PR_FALSE); | 5736 PORT_FreeArena(arena, PR_FALSE); |
| 5737 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5738 if (platform_cert_list) |
| 5739 CERT_DestroyCertList(platform_cert_list); |
| 5740 #endif |
5653 return rv; | 5741 return rv; |
5654 } | 5742 } |
5655 | 5743 |
5656 /* | 5744 /* |
5657 * attempt to restart the handshake after asynchronously handling | 5745 * attempt to restart the handshake after asynchronously handling |
5658 * a request for the client's certificate. | 5746 * a request for the client's certificate. |
5659 * | 5747 * |
5660 * inputs: | 5748 * inputs: |
5661 * cert Client cert chosen by application. | 5749 * cert Client cert chosen by application. |
5662 * Note: ssl takes this reference, and does not bump the | 5750 * Note: ssl takes this reference, and does not bump the |
(...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5751 ssl_GetXmitBufLock(ss); /*******************************/ | 5839 ssl_GetXmitBufLock(ss); /*******************************/ |
5752 | 5840 |
5753 if (ss->ssl3.sendEmptyCert) { | 5841 if (ss->ssl3.sendEmptyCert) { |
5754 ss->ssl3.sendEmptyCert = PR_FALSE; | 5842 ss->ssl3.sendEmptyCert = PR_FALSE; |
5755 rv = ssl3_SendEmptyCertificate(ss); | 5843 rv = ssl3_SendEmptyCertificate(ss); |
5756 /* Don't send verify */ | 5844 /* Don't send verify */ |
5757 if (rv != SECSuccess) { | 5845 if (rv != SECSuccess) { |
5758 goto loser; /* error code is set. */ | 5846 goto loser; /* error code is set. */ |
5759 } | 5847 } |
5760 } else | 5848 } else |
| 5849 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5850 if (ss->ssl3.clientCertChain != NULL && |
| 5851 ss->ssl3.platformClientKey) { |
| 5852 send_verify = PR_TRUE; |
| 5853 rv = ssl3_SendCertificate(ss); |
| 5854 if (rv != SECSuccess) { |
| 5855 goto loser; /* error code is set. */ |
| 5856 } |
| 5857 } |
| 5858 #else |
5761 if (ss->ssl3.clientCertChain != NULL && | 5859 if (ss->ssl3.clientCertChain != NULL && |
5762 ss->ssl3.clientPrivateKey != NULL) { | 5860 ss->ssl3.clientPrivateKey != NULL) { |
5763 send_verify = PR_TRUE; | 5861 send_verify = PR_TRUE; |
5764 rv = ssl3_SendCertificate(ss); | 5862 rv = ssl3_SendCertificate(ss); |
5765 if (rv != SECSuccess) { | 5863 if (rv != SECSuccess) { |
5766 goto loser; /* error code is set. */ | 5864 goto loser; /* error code is set. */ |
5767 } | 5865 } |
5768 } | 5866 } |
| 5867 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5769 | 5868 |
5770 rv = ssl3_SendClientKeyExchange(ss); | 5869 rv = ssl3_SendClientKeyExchange(ss); |
5771 if (rv != SECSuccess) { | 5870 if (rv != SECSuccess) { |
5772 goto loser; /* err is set. */ | 5871 goto loser; /* err is set. */ |
5773 } | 5872 } |
5774 | 5873 |
5775 if (send_verify) { | 5874 if (send_verify) { |
5776 rv = ssl3_SendCertificateVerify(ss); | 5875 rv = ssl3_SendCertificateVerify(ss); |
5777 if (rv != SECSuccess) { | 5876 if (rv != SECSuccess) { |
5778 goto loser; /* err is set. */ | 5877 goto loser; /* err is set. */ |
(...skipping 3840 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9619 /* Called from ssl_DestroySocketContents() in sslsock.c */ | 9718 /* Called from ssl_DestroySocketContents() in sslsock.c */ |
9620 void | 9719 void |
9621 ssl3_DestroySSL3Info(sslSocket *ss) | 9720 ssl3_DestroySSL3Info(sslSocket *ss) |
9622 { | 9721 { |
9623 | 9722 |
9624 if (ss->ssl3.clientCertificate != NULL) | 9723 if (ss->ssl3.clientCertificate != NULL) |
9625 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 9724 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
9626 | 9725 |
9627 if (ss->ssl3.clientPrivateKey != NULL) | 9726 if (ss->ssl3.clientPrivateKey != NULL) |
9628 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 9727 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 9728 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 9729 if (ss->ssl3.platformClientKey) |
| 9730 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 9731 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
9629 | 9732 |
9630 if (ss->ssl3.peerCertArena != NULL) | 9733 if (ss->ssl3.peerCertArena != NULL) |
9631 ssl3_CleanupPeerCerts(ss); | 9734 ssl3_CleanupPeerCerts(ss); |
9632 | 9735 |
9633 if (ss->ssl3.clientCertChain != NULL) { | 9736 if (ss->ssl3.clientCertChain != NULL) { |
9634 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); | 9737 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
9635 ss->ssl3.clientCertChain = NULL; | 9738 ss->ssl3.clientCertChain = NULL; |
9636 } | 9739 } |
9637 | 9740 |
9638 if (ss->ssl3.predictedCertChain != NULL) | 9741 if (ss->ssl3.predictedCertChain != NULL) |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9674 | 9777 |
9675 ss->ssl3.initialized = PR_FALSE; | 9778 ss->ssl3.initialized = PR_FALSE; |
9676 | 9779 |
9677 if (ss->ssl3.nextProto.data) { | 9780 if (ss->ssl3.nextProto.data) { |
9678 PORT_Free(ss->ssl3.nextProto.data); | 9781 PORT_Free(ss->ssl3.nextProto.data); |
9679 ss->ssl3.nextProto.data = NULL; | 9782 ss->ssl3.nextProto.data = NULL; |
9680 } | 9783 } |
9681 } | 9784 } |
9682 | 9785 |
9683 /* End of ssl3con.c */ | 9786 /* End of ssl3con.c */ |
OLD | NEW |