OLD | NEW |
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | 1 diff --git a/ssl/ssl.h b/ssl/ssl.h |
2 --- a/nss/lib/ssl/ssl3con.c» 2014-01-17 17:52:00.295082288 -0800 | 2 index 91a47a6..4e7d52e 100644 |
3 +++ b/nss/lib/ssl/ssl3con.c» 2014-01-17 17:52:19.745405758 -0800 | 3 --- a/ssl/ssl.h |
4 @@ -2471,6 +2471,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID | 4 +++ b/ssl/ssl.h |
| 5 @@ -543,6 +543,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void
*arg, |
| 6 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
| 7 » » » SSLGetClientAuthData f, void *a); |
| 8 |
| 9 +/* |
| 10 + * Prototype for SSL callback to get client auth data from the application, |
| 11 + * optionally using the underlying platform's cryptographic primitives. |
| 12 + * To use the platform cryptographic primitives, caNames and pRetCerts |
| 13 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. |
| 14 + * Returning SECFailure will cause the socket to send no client certificate. |
| 15 + *» arg - application passed argument |
| 16 + *» caNames - pointer to distinguished names of CAs that the server likes |
| 17 + *» pRetCerts - pointer to pointer to list of certs, with the first being |
| 18 + *» » the client cert, and any following being used for chain |
| 19 + *» » building |
| 20 + *» pRetKey - pointer to native key pointer, for return of key |
| 21 + * - Windows: A pointer to a PCERT_KEY_CONTEXT that was allocated |
| 22 + * via PORT_Alloc(). Ownership of the PCERT_KEY_CONTEXT |
| 23 + * is transferred to NSS, which will free via |
| 24 + * PORT_Free(). |
| 25 + * - Mac OS X: A pointer to a SecKeyRef. Ownership is |
| 26 + * transferred to NSS, which will free via CFRelease(). |
| 27 + *» pRetNSSCert - pointer to pointer to NSS cert, for return of cert. |
| 28 + *» pRetNSSKey - pointer to NSS key pointer, for return of key. |
| 29 + */ |
| 30 +typedef SECStatus (PR_CALLBACK *SSLGetPlatformClientAuthData)(void *arg, |
| 31 + PRFileDesc *fd, |
| 32 + CERTDistNames *caNames, |
| 33 + CERTCertList **pRetCerts,/*return */ |
| 34 + void **pRetKey,/* return */ |
| 35 + CERTCertificate **pRetNSSCert,/*return */ |
| 36 + SECKEYPrivateKey **pRetNSSKey);/* return */ |
| 37 + |
| 38 +/* |
| 39 + * Set the client side callback for SSL to retrieve user's private key |
| 40 + * and certificate. |
| 41 + * Note: If a platform client auth callback is set, the callback configured by |
| 42 + * SSL_GetClientAuthDataHook, if any, will not be called. |
| 43 + * |
| 44 + *» fd - the file descriptor for the connection in question |
| 45 + *» f - the application's callback that delivers the key and cert |
| 46 + *» a - application specific data |
| 47 + */ |
| 48 +SSL_IMPORT SECStatus |
| 49 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, |
| 50 + SSLGetPlatformClientAuthData f, void *a); |
| 51 |
| 52 /* |
| 53 ** SNI extension processing callback function. |
| 54 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c |
| 55 index ebaee61..40ae885 100644 |
| 56 --- a/ssl/ssl3con.c |
| 57 +++ b/ssl/ssl3con.c |
| 58 @@ -2503,6 +2503,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
5 PRBool isPresent = PR_TRUE; | 59 PRBool isPresent = PR_TRUE; |
6 | 60 |
7 /* we only care if we are doing client auth */ | 61 /* we only care if we are doing client auth */ |
8 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 62 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
9 + * used, u.ssl3.clAuthValid will be false and this function will always | 63 + * used, u.ssl3.clAuthValid will be false and this function will always |
10 + * return PR_TRUE. */ | 64 + * return PR_TRUE. */ |
11 if (!sid || !sid->u.ssl3.clAuthValid) { | 65 if (!sid || !sid->u.ssl3.clAuthValid) { |
12 return PR_TRUE; | 66 return PR_TRUE; |
13 } | 67 } |
14 @@ -6103,25 +6106,36 @@ ssl3_SendCertificateVerify(sslSocket *ss | 68 @@ -6163,25 +6166,36 @@ ssl3_SendCertificateVerify(sslSocket *ss) |
15 | 69 |
16 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 70 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
17 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 71 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
18 - keyType = ss->ssl3.clientPrivateKey->keyType; | 72 - keyType = ss->ssl3.clientPrivateKey->keyType; |
19 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 73 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
20 - if (rv == SECSuccess) { | 74 - if (rv == SECSuccess) { |
21 - PK11SlotInfo * slot; | 75 - PK11SlotInfo * slot; |
22 - sslSessionID * sid = ss->sec.ci.sid; | 76 - sslSessionID * sid = ss->sec.ci.sid; |
23 + if (ss->ssl3.platformClientKey) { | 77 + if (ss->ssl3.platformClientKey) { |
24 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 78 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
58 + PK11_FreeSlot(slot); | 112 + PK11_FreeSlot(slot); |
59 + } | 113 + } |
60 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 114 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
61 + ss->ssl3.clientPrivateKey = NULL; | 115 + ss->ssl3.clientPrivateKey = NULL; |
62 } | 116 } |
63 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 117 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
64 - ss->ssl3.clientPrivateKey = NULL; | 118 - ss->ssl3.clientPrivateKey = NULL; |
65 if (rv != SECSuccess) { | 119 if (rv != SECSuccess) { |
66 goto done; /* err code was set by ssl3_SignHashes */ | 120 goto done; /* err code was set by ssl3_SignHashes */ |
67 } | 121 } |
68 @@ -6200,6 +6214,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 122 @@ -6260,6 +6274,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) |
69 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 123 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
70 ss->ssl3.clientPrivateKey = NULL; | 124 ss->ssl3.clientPrivateKey = NULL; |
71 } | 125 } |
72 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 126 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
73 + if (ss->ssl3.platformClientKey) { | 127 + if (ss->ssl3.platformClientKey) { |
74 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 128 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
75 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 129 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
76 + } | 130 + } |
77 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 131 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
78 | 132 |
79 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 133 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
80 if (temp < 0) { | 134 if (temp < 0) { |
81 @@ -6827,6 +6847,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, | 135 @@ -6887,6 +6907,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, |
82 goto done; | 136 goto done; |
83 } | 137 } |
84 | 138 |
85 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) | 139 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) |
86 + /* If the key is in CAPI, assume conservatively that the CAPI service | 140 + /* If the key is in CAPI, assume conservatively that the CAPI service |
87 + * provider may be unable to sign SHA-256 hashes. | 141 + * provider may be unable to sign SHA-256 hashes. |
88 + */ | 142 + */ |
89 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { | 143 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { |
90 + /* CAPI only supports RSA and DSA signatures, so we don't need to | 144 + /* CAPI only supports RSA and DSA signatures, so we don't need to |
91 + * check the key type. */ | 145 + * check the key type. */ |
92 + *preferSha1 = PR_TRUE; | 146 + *preferSha1 = PR_TRUE; |
93 + goto done; | 147 + goto done; |
94 + } | 148 + } |
95 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ | 149 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ |
96 + | 150 + |
97 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that | 151 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that |
98 * it may be unable to sign SHA-256 hashes. This is the case for older | 152 * it may be unable to sign SHA-256 hashes. This is the case for older |
99 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and | 153 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and |
100 @@ -6925,6 +6957,10 @@ ssl3_HandleCertificateRequest(sslSocket | 154 @@ -6985,6 +7017,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) |
101 SECItem cert_types = {siBuffer, NULL, 0}; | 155 SECItem cert_types = {siBuffer, NULL, 0}; |
102 SECItem algorithms = {siBuffer, NULL, 0}; | 156 SECItem algorithms = {siBuffer, NULL, 0}; |
103 CERTDistNames ca_list; | 157 CERTDistNames ca_list; |
104 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 158 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
105 + CERTCertList * platform_cert_list = NULL; | 159 + CERTCertList * platform_cert_list = NULL; |
106 + CERTCertListNode * certNode = NULL; | 160 + CERTCertListNode * certNode = NULL; |
107 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 161 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
108 | 162 |
109 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", | 163 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
110 SSL_GETPID(), ss->fd)); | 164 SSL_GETPID(), ss->fd)); |
111 @@ -6941,6 +6977,7 @@ ssl3_HandleCertificateRequest(sslSocket | 165 @@ -7001,6 +7037,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b
, PRUint32 length) |
112 PORT_Assert(ss->ssl3.clientCertChain == NULL); | 166 PORT_Assert(ss->ssl3.clientCertChain == NULL); |
113 PORT_Assert(ss->ssl3.clientCertificate == NULL); | 167 PORT_Assert(ss->ssl3.clientCertificate == NULL); |
114 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); | 168 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
115 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); | 169 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
116 | 170 |
117 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 171 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
118 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 172 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
119 @@ -7020,6 +7057,18 @@ ssl3_HandleCertificateRequest(sslSocket | 173 @@ -7080,6 +7117,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) |
120 desc = no_certificate; | 174 desc = no_certificate; |
121 ss->ssl3.hs.ws = wait_hello_done; | 175 ss->ssl3.hs.ws = wait_hello_done; |
122 | 176 |
123 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 177 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
124 + if (ss->getPlatformClientAuthData != NULL) { | 178 + if (ss->getPlatformClientAuthData != NULL) { |
125 + /* XXX Should pass cert_types and algorithms in this call!! */ | 179 + /* XXX Should pass cert_types and algorithms in this call!! */ |
126 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 180 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
127 + ss->getPlatformClientAuthDataArg, | 181 + ss->getPlatformClientAuthDataArg, |
128 + ss->fd, &ca_list, | 182 + ss->fd, &ca_list, |
129 + &platform_cert_list, | 183 + &platform_cert_list, |
130 + (void**)&ss->ssl3.platformClientKey, | 184 + (void**)&ss->ssl3.platformClientKey, |
131 + &ss->ssl3.clientCertificate, | 185 + &ss->ssl3.clientCertificate, |
132 + &ss->ssl3.clientPrivateKey); | 186 + &ss->ssl3.clientPrivateKey); |
133 + } else | 187 + } else |
134 +#endif | 188 +#endif |
135 if (ss->getClientAuthData != NULL) { | 189 if (ss->getClientAuthData != NULL) { |
136 /* XXX Should pass cert_types and algorithms in this call!! */ | 190 /* XXX Should pass cert_types and algorithms in this call!! */ |
137 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, | 191 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, |
138 @@ -7029,12 +7078,55 @@ ssl3_HandleCertificateRequest(sslSocket | 192 @@ -7089,12 +7138,55 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque
*b, PRUint32 length) |
139 } else { | 193 } else { |
140 rv = SECFailure; /* force it to send a no_certificate alert */ | 194 rv = SECFailure; /* force it to send a no_certificate alert */ |
141 } | 195 } |
142 + | 196 + |
143 switch (rv) { | 197 switch (rv) { |
144 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ | 198 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
145 ssl3_SetAlwaysBlock(ss); | 199 ssl3_SetAlwaysBlock(ss); |
146 break; /* not an error */ | 200 break; /* not an error */ |
147 | 201 |
148 case SECSuccess: | 202 case SECSuccess: |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
184 + } | 238 + } |
185 + if (ss->ssl3.hs.hashType == handshake_hash_single) { | 239 + if (ss->ssl3.hs.hashType == handshake_hash_single) { |
186 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); | 240 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); |
187 + } | 241 + } |
188 + break; /* not an error */ | 242 + break; /* not an error */ |
189 + } | 243 + } |
190 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 244 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
191 /* check what the callback function returned */ | 245 /* check what the callback function returned */ |
192 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 246 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
193 /* we are missing either the key or cert */ | 247 /* we are missing either the key or cert */ |
194 @@ -7096,6 +7188,10 @@ loser: | 248 @@ -7156,6 +7248,10 @@ loser: |
195 done: | 249 done: |
196 if (arena != NULL) | 250 if (arena != NULL) |
197 PORT_FreeArena(arena, PR_FALSE); | 251 PORT_FreeArena(arena, PR_FALSE); |
198 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 252 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
199 + if (platform_cert_list) | 253 + if (platform_cert_list) |
200 + CERT_DestroyCertList(platform_cert_list); | 254 + CERT_DestroyCertList(platform_cert_list); |
201 +#endif | 255 +#endif |
202 return rv; | 256 return rv; |
203 } | 257 } |
204 | 258 |
205 @@ -7213,7 +7309,8 @@ ssl3_SendClientSecondRound(sslSocket *ss | 259 @@ -7273,7 +7369,8 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
206 | 260 |
207 sendClientCert = !ss->ssl3.sendEmptyCert && | 261 sendClientCert = !ss->ssl3.sendEmptyCert && |
208 ss->ssl3.clientCertChain != NULL && | 262 ss->ssl3.clientCertChain != NULL && |
209 - ss->ssl3.clientPrivateKey != NULL; | 263 - ss->ssl3.clientPrivateKey != NULL; |
210 + (ss->ssl3.platformClientKey || | 264 + (ss->ssl3.platformClientKey || |
211 + ss->ssl3.clientPrivateKey != NULL); | 265 + ss->ssl3.clientPrivateKey != NULL); |
212 | 266 |
213 if (!sendClientCert && | 267 if (!sendClientCert && |
214 ss->ssl3.hs.hashType == handshake_hash_single && | 268 ss->ssl3.hs.hashType == handshake_hash_single && |
215 @@ -12052,6 +12149,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 269 @@ -12140,6 +12237,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
216 | 270 |
217 if (ss->ssl3.clientPrivateKey != NULL) | 271 if (ss->ssl3.clientPrivateKey != NULL) |
218 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 272 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
219 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 273 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
220 + if (ss->ssl3.platformClientKey) | 274 + if (ss->ssl3.platformClientKey) |
221 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 275 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
222 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 276 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
223 | 277 |
224 if (ss->ssl3.peerCertArena != NULL) | 278 if (ss->ssl3.peerCertArena != NULL) |
225 ssl3_CleanupPeerCerts(ss); | 279 ssl3_CleanupPeerCerts(ss); |
226 diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c | 280 diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c |
227 --- a/nss/lib/ssl/ssl3ext.c» 2014-01-17 17:49:26.072517368 -0800 | 281 index 3660866..9345be8 100644 |
228 +++ b/nss/lib/ssl/ssl3ext.c» 2014-01-17 17:52:19.745405758 -0800 | 282 --- a/ssl/ssl3ext.c |
| 283 +++ b/ssl/ssl3ext.c |
229 @@ -10,8 +10,8 @@ | 284 @@ -10,8 +10,8 @@ |
230 #include "nssrenam.h" | 285 #include "nssrenam.h" |
231 #include "nss.h" | 286 #include "nss.h" |
232 #include "ssl.h" | 287 #include "ssl.h" |
233 -#include "sslproto.h" | 288 -#include "sslproto.h" |
234 #include "sslimpl.h" | 289 #include "sslimpl.h" |
235 +#include "sslproto.h" | 290 +#include "sslproto.h" |
236 #include "pk11pub.h" | 291 #include "pk11pub.h" |
237 #ifdef NO_PKCS11_BYPASS | 292 #ifdef NO_PKCS11_BYPASS |
238 #include "blapit.h" | 293 #include "blapit.h" |
239 diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c | 294 diff --git a/ssl/sslauth.c b/ssl/sslauth.c |
240 --- a/nss/lib/ssl/sslauth.c» 2014-01-17 17:49:26.072517368 -0800 | 295 index ed74d94..7f9c43b 100644 |
241 +++ b/nss/lib/ssl/sslauth.c» 2014-01-17 17:52:19.755405924 -0800 | 296 --- a/ssl/sslauth.c |
242 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, | 297 +++ b/ssl/sslauth.c |
| 298 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthDa
ta func, |
243 return SECSuccess; | 299 return SECSuccess; |
244 } | 300 } |
245 | 301 |
246 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 302 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
247 +/* NEED LOCKS IN HERE. */ | 303 +/* NEED LOCKS IN HERE. */ |
248 +SECStatus | 304 +SECStatus |
249 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, | 305 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
250 + SSLGetPlatformClientAuthData func, | 306 + SSLGetPlatformClientAuthData func, |
251 + void *arg) | 307 + void *arg) |
252 +{ | 308 +{ |
253 + sslSocket *ss; | 309 + sslSocket *ss; |
254 + | 310 + |
255 + ss = ssl_FindSocket(s); | 311 + ss = ssl_FindSocket(s); |
256 + if (!ss) { | 312 + if (!ss) { |
257 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", | 313 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", |
258 + SSL_GETPID(), s)); | 314 + SSL_GETPID(), s)); |
259 + return SECFailure; | 315 + return SECFailure; |
260 + } | 316 + } |
261 + | 317 + |
262 + ss->getPlatformClientAuthData = func; | 318 + ss->getPlatformClientAuthData = func; |
263 + ss->getPlatformClientAuthDataArg = arg; | 319 + ss->getPlatformClientAuthDataArg = arg; |
264 + return SECSuccess; | 320 + return SECSuccess; |
265 +} | 321 +} |
266 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 322 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
267 + | 323 + |
268 /* NEED LOCKS IN HERE. */ | 324 /* NEED LOCKS IN HERE. */ |
269 SECStatus | 325 SECStatus |
270 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | 326 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
271 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h | 327 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h |
272 --- a/nss/lib/ssl/ssl.h»2014-01-17 17:49:26.062517203 -0800 | 328 index 88a7039..cda1869 100644 |
273 +++ b/nss/lib/ssl/ssl.h»2014-01-17 17:52:19.755405924 -0800 | 329 --- a/ssl/sslimpl.h |
274 @@ -533,6 +533,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl | 330 +++ b/ssl/sslimpl.h |
275 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, | |
276 » » » SSLGetClientAuthData f, void *a); | |
277 | |
278 +/* | |
279 + * Prototype for SSL callback to get client auth data from the application, | |
280 + * optionally using the underlying platform's cryptographic primitives. | |
281 + * To use the platform cryptographic primitives, caNames and pRetCerts | |
282 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. | |
283 + * Returning SECFailure will cause the socket to send no client certificate. | |
284 + *» arg - application passed argument | |
285 + *» caNames - pointer to distinguished names of CAs that the server likes | |
286 + *» pRetCerts - pointer to pointer to list of certs, with the first being | |
287 + *» » the client cert, and any following being used for chain | |
288 + *» » building | |
289 + *» pRetKey - pointer to native key pointer, for return of key | |
290 + * - Windows: A pointer to a PCERT_KEY_CONTEXT that was allocated | |
291 + * via PORT_Alloc(). Ownership of the PCERT_KEY_CONTEXT | |
292 + * is transferred to NSS, which will free via | |
293 + * PORT_Free(). | |
294 + * - Mac OS X: A pointer to a SecKeyRef. Ownership is | |
295 + * transferred to NSS, which will free via CFRelease(). | |
296 + *» pRetNSSCert - pointer to pointer to NSS cert, for return of cert. | |
297 + *» pRetNSSKey - pointer to NSS key pointer, for return of key. | |
298 + */ | |
299 +typedef SECStatus (PR_CALLBACK *SSLGetPlatformClientAuthData)(void *arg, | |
300 + PRFileDesc *fd, | |
301 + CERTDistNames *caNames, | |
302 + CERTCertList **pRetCerts,/*return */ | |
303 + void **pRetKey,/* return */ | |
304 + CERTCertificate **pRetNSSCert,/*return */ | |
305 + SECKEYPrivateKey **pRetNSSKey);/* return */ | |
306 + | |
307 +/* | |
308 + * Set the client side callback for SSL to retrieve user's private key | |
309 + * and certificate. | |
310 + * Note: If a platform client auth callback is set, the callback configured by | |
311 + * SSL_GetClientAuthDataHook, if any, will not be called. | |
312 + * | |
313 + *» fd - the file descriptor for the connection in question | |
314 + *» f - the application's callback that delivers the key and cert | |
315 + *» a - application specific data | |
316 + */ | |
317 +SSL_IMPORT SECStatus | |
318 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, | |
319 + SSLGetPlatformClientAuthData f, void *a); | |
320 | |
321 /* | |
322 ** SNI extension processing callback function. | |
323 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h | |
324 --- a/nss/lib/ssl/sslimpl.h» 2014-01-17 17:52:00.295082288 -0800 | |
325 +++ b/nss/lib/ssl/sslimpl.h» 2014-01-17 17:52:19.755405924 -0800 | |
326 @@ -20,6 +20,7 @@ | 331 @@ -20,6 +20,7 @@ |
327 #include "sslerr.h" | 332 #include "sslerr.h" |
328 #include "ssl3prot.h" | 333 #include "ssl3prot.h" |
329 #include "hasht.h" | 334 #include "hasht.h" |
330 +#include "keythi.h" | 335 +#include "keythi.h" |
331 #include "nssilock.h" | 336 #include "nssilock.h" |
332 #include "pkcs11t.h" | 337 #include "pkcs11t.h" |
333 #if defined(XP_UNIX) || defined(XP_BEOS) | 338 #if defined(XP_UNIX) || defined(XP_BEOS) |
334 @@ -31,6 +32,15 @@ | 339 @@ -31,6 +32,15 @@ |
335 | 340 |
336 #include "sslt.h" /* for some formerly private types, now public */ | 341 #include "sslt.h" /* for some formerly private types, now public */ |
337 | 342 |
338 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 343 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
339 +#if defined(XP_WIN32) | 344 +#if defined(XP_WIN32) |
340 +#include <windows.h> | 345 +#include <windows.h> |
341 +#include <wincrypt.h> | 346 +#include <wincrypt.h> |
342 +#elif defined(XP_MACOSX) | 347 +#elif defined(XP_MACOSX) |
343 +#include <Security/Security.h> | 348 +#include <Security/Security.h> |
344 +#endif | 349 +#endif |
345 +#endif | 350 +#endif |
346 + | 351 + |
347 /* to make some of these old enums public without namespace pollution, | 352 /* to make some of these old enums public without namespace pollution, |
348 ** it was necessary to prepend ssl_ to the names. | 353 ** it was necessary to prepend ssl_ to the names. |
349 ** These #defines preserve compatibility with the old code here in libssl. | 354 ** These #defines preserve compatibility with the old code here in libssl. |
350 @@ -441,6 +451,14 @@ struct sslGatherStr { | 355 @@ -443,6 +453,14 @@ struct sslGatherStr { |
351 #define GS_DATA 3 | 356 #define GS_DATA 3 |
352 #define GS_PAD 4 | 357 #define GS_PAD 4 |
353 | 358 |
354 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) | 359 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
355 +typedef PCERT_KEY_CONTEXT PlatformKey; | 360 +typedef PCERT_KEY_CONTEXT PlatformKey; |
356 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) | 361 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
357 +typedef SecKeyRef PlatformKey; | 362 +typedef SecKeyRef PlatformKey; |
358 +#else | 363 +#else |
359 +typedef void *PlatformKey; | 364 +typedef void *PlatformKey; |
360 +#endif | 365 +#endif |
361 + | 366 + |
362 | 367 |
363 | 368 |
364 /* | 369 /* |
365 @@ -953,6 +971,10 @@ struct ssl3StateStr { | 370 @@ -955,6 +973,10 @@ struct ssl3StateStr { |
366 | 371 |
367 CERTCertificate * clientCertificate; /* used by client */ | 372 CERTCertificate * clientCertificate; /* used by client */ |
368 SECKEYPrivateKey * clientPrivateKey; /* used by client */ | 373 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
369 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not | 374 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not |
370 + * defined in order to allow cleaner conditional code. | 375 + * defined in order to allow cleaner conditional code. |
371 + * At most one of clientPrivateKey and platformClientKey may be set. */ | 376 + * At most one of clientPrivateKey and platformClientKey may be set. */ |
372 + PlatformKey platformClientKey; /* used by client */ | 377 + PlatformKey platformClientKey; /* used by client */ |
373 CERTCertificateList *clientCertChain; /* used by client */ | 378 CERTCertificateList *clientCertChain; /* used by client */ |
374 PRBool sendEmptyCert; /* used by client */ | 379 PRBool sendEmptyCert; /* used by client */ |
375 | 380 |
376 @@ -1214,6 +1236,10 @@ const unsigned char * preferredCipher; | 381 @@ -1216,6 +1238,10 @@ const unsigned char * preferredCipher; |
377 void *authCertificateArg; | 382 void *authCertificateArg; |
378 SSLGetClientAuthData getClientAuthData; | 383 SSLGetClientAuthData getClientAuthData; |
379 void *getClientAuthDataArg; | 384 void *getClientAuthDataArg; |
380 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 385 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
381 + SSLGetPlatformClientAuthData getPlatformClientAuthData; | 386 + SSLGetPlatformClientAuthData getPlatformClientAuthData; |
382 + void *getPlatformClientAuthDataArg; | 387 + void *getPlatformClientAuthDataArg; |
383 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 388 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
384 SSLSNISocketConfig sniSocketConfig; | 389 SSLSNISocketConfig sniSocketConfig; |
385 void *sniSocketConfigArg; | 390 void *sniSocketConfigArg; |
386 SSLBadCertHandler handleBadCert; | 391 SSLBadCertHandler handleBadCert; |
387 @@ -1852,6 +1878,26 @@ extern SECStatus ssl_InitSessionCacheLoc | 392 @@ -1856,6 +1882,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyIni
t); |
388 | 393 |
389 extern SECStatus ssl_FreeSessionCacheLocks(void); | 394 extern SECStatus ssl_FreeSessionCacheLocks(void); |
390 | 395 |
391 +/***************** platform client auth ****************/ | 396 +/***************** platform client auth ****************/ |
392 + | 397 + |
393 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 398 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
394 +// Releases the platform key. | 399 +// Releases the platform key. |
395 +extern void ssl_FreePlatformKey(PlatformKey key); | 400 +extern void ssl_FreePlatformKey(PlatformKey key); |
396 + | 401 + |
397 +// Implement the client CertificateVerify message for SSL3/TLS1.0 | 402 +// Implement the client CertificateVerify message for SSL3/TLS1.0 |
398 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, | 403 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
399 + PlatformKey key, SECItem *buf, | 404 + PlatformKey key, SECItem *buf, |
400 + PRBool isTLS, KeyType keyType); | 405 + PRBool isTLS, KeyType keyType); |
401 + | 406 + |
402 +// Converts a CERTCertList* (A collection of CERTCertificates) into a | 407 +// Converts a CERTCertList* (A collection of CERTCertificates) into a |
403 +// CERTCertificateList* (A collection of SECItems), or returns NULL if | 408 +// CERTCertificateList* (A collection of SECItems), or returns NULL if |
404 +// it cannot be converted. | 409 +// it cannot be converted. |
405 +// This is to allow the platform-supplied chain to be created with purely | 410 +// This is to allow the platform-supplied chain to be created with purely |
406 +// public API functions, using the preferred CERTCertList mutators, rather | 411 +// public API functions, using the preferred CERTCertList mutators, rather |
407 +// pushing this hack to clients. | 412 +// pushing this hack to clients. |
408 +extern CERTCertificateList* hack_NewCertificateListFromCertList( | 413 +extern CERTCertificateList* hack_NewCertificateListFromCertList( |
409 + CERTCertList* list); | 414 + CERTCertList* list); |
410 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 415 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
411 | 416 |
412 /**************** DTLS-specific functions **************/ | 417 /**************** DTLS-specific functions **************/ |
413 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); | 418 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); |
414 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c | 419 diff --git a/ssl/sslsock.c b/ssl/sslsock.c |
415 --- a/nss/lib/ssl/sslsock.c» 2014-01-17 17:49:40.942764689 -0800 | 420 index 90bc457..fccc664 100644 |
416 +++ b/nss/lib/ssl/sslsock.c» 2014-01-17 17:52:19.755405924 -0800 | 421 --- a/ssl/sslsock.c |
417 @@ -263,6 +263,10 @@ ssl_DupSocket(sslSocket *os) | 422 +++ b/ssl/sslsock.c |
418 » ss->authCertificateArg = os->authCertificateArg; | 423 @@ -275,6 +275,10 @@ ssl_DupSocket(sslSocket *os) |
419 » ss->getClientAuthData = os->getClientAuthData; | 424 ss->authCertificateArg = os->authCertificateArg; |
420 » ss->getClientAuthDataArg = os->getClientAuthDataArg; | 425 ss->getClientAuthData = os->getClientAuthData; |
| 426 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
421 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 427 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
422 +» ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 428 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
423 +» ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; | 429 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg
; |
424 +#endif | 430 +#endif |
425 ss->sniSocketConfig = os->sniSocketConfig; | 431 ss->sniSocketConfig = os->sniSocketConfig; |
426 ss->sniSocketConfigArg = os->sniSocketConfigArg; | 432 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
427 » ss->handleBadCert = os->handleBadCert; | 433 ss->handleBadCert = os->handleBadCert; |
428 @@ -1667,6 +1671,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile | 434 @@ -1709,6 +1713,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
429 ss->getClientAuthData = sm->getClientAuthData; | 435 ss->getClientAuthData = sm->getClientAuthData; |
430 if (sm->getClientAuthDataArg) | 436 if (sm->getClientAuthDataArg) |
431 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 437 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
432 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 438 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
433 + if (sm->getPlatformClientAuthData) | 439 + if (sm->getPlatformClientAuthData) |
434 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; | 440 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
435 + if (sm->getPlatformClientAuthDataArg) | 441 + if (sm->getPlatformClientAuthDataArg) |
436 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; | 442 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
437 +#endif | 443 +#endif |
438 if (sm->sniSocketConfig) | 444 if (sm->sniSocketConfig) |
439 ss->sniSocketConfig = sm->sniSocketConfig; | 445 ss->sniSocketConfig = sm->sniSocketConfig; |
440 if (sm->sniSocketConfigArg) | 446 if (sm->sniSocketConfigArg) |
441 @@ -2921,6 +2931,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto | 447 @@ -2974,6 +2984,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoc
olVariant) |
442 ss->sniSocketConfig = NULL; | 448 ss->sniSocketConfig = NULL; |
443 ss->sniSocketConfigArg = NULL; | 449 ss->sniSocketConfigArg = NULL; |
444 » ss->getClientAuthData = NULL; | 450 ss->getClientAuthData = NULL; |
445 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 451 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
446 +» ss->getPlatformClientAuthData = NULL; | 452 + ss->getPlatformClientAuthData = NULL; |
447 +» ss->getPlatformClientAuthDataArg = NULL; | 453 + ss->getPlatformClientAuthDataArg = NULL; |
448 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 454 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
449 » ss->handleBadCert = NULL; | 455 ss->handleBadCert = NULL; |
450 » ss->badCertArg = NULL; | 456 ss->badCertArg = NULL; |
451 » ss->pkcs11PinArg = NULL; | 457 ss->pkcs11PinArg = NULL; |
OLD | NEW |