| 1 diff -upN a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.
h | 1 diff -puN -r a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3c
on.c |
| 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-02-28 19:26:04.047351199 -0800 | 2 --- a/net/third_party/nss/ssl/ssl3con.c»2012-11-09 15:34:12.258133766 -0800 |
| 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-02-28 20:04:24.039351965 -0800 | 3 +++ b/net/third_party/nss/ssl/ssl3con.c»2012-11-09 15:35:08.488958561 -0800 |
| 4 @@ -421,6 +421,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl | 4 @@ -2033,6 +2033,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID |
| 5 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, | |
| 6 » » » SSLGetClientAuthData f, void *a); | |
| 7 | |
| 8 +/* | |
| 9 + * Prototype for SSL callback to get client auth data from the application, | |
| 10 + * optionally using the underlying platform's cryptographic primitives. | |
| 11 + * To use the platform cryptographic primitives, caNames and pRetCerts | |
| 12 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. | |
| 13 + * Returning SECFailure will cause the socket to send no client certificate. | |
| 14 + *» arg - application passed argument | |
| 15 + *» caNames - pointer to distinguished names of CAs that the server likes | |
| 16 + *» pRetCerts - pointer to pointer to list of certs, with the first being | |
| 17 + *» » the client cert, and any following being used for chain | |
| 18 + *» » building | |
| 19 + *» pRetKey - pointer to native key pointer, for return of key | |
| 20 + * - Windows: A pointer to a PCERT_KEY_CONTEXT that was allocated | |
| 21 + * via PORT_Alloc(). Ownership of the PCERT_KEY_CONTEXT | |
| 22 + * is transferred to NSS, which will free via | |
| 23 + * PORT_Free(). | |
| 24 + * - Mac OS X: A pointer to a SecKeyRef. Ownership is | |
| 25 + * transferred to NSS, which will free via CFRelease(). | |
| 26 + *» pRetNSSCert - pointer to pointer to NSS cert, for return of cert. | |
| 27 + *» pRetNSSKey - pointer to NSS key pointer, for return of key. | |
| 28 + */ | |
| 29 +typedef SECStatus (PR_CALLBACK *SSLGetPlatformClientAuthData)(void *arg, | |
| 30 + PRFileDesc *fd, | |
| 31 + CERTDistNames *caNames, | |
| 32 + CERTCertList **pRetCerts,/*return */ | |
| 33 + void **pRetKey,/* return */ | |
| 34 + CERTCertificate **pRetNSSCert,/*return */ | |
| 35 + SECKEYPrivateKey **pRetNSSKey);/* return */ | |
| 36 + | |
| 37 +/* | |
| 38 + * Set the client side callback for SSL to retrieve user's private key | |
| 39 + * and certificate. | |
| 40 + *» fd - the file descriptor for the connection in question | |
| 41 + *» f - the application's callback that delivers the key and cert | |
| 42 + *» a - application specific data | |
| 43 + */ | |
| 44 +SSL_IMPORT SECStatus | |
| 45 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, | |
| 46 + SSLGetPlatformClientAuthData f, void *a); | |
| 47 | |
| 48 /* | |
| 49 ** SNI extension processing callback function. | |
| 50 diff -upN a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/
ssl3con.c | |
| 51 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-28 19:26:04.047351199 -0
800 | |
| 52 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-28 20:07:04.101579541 -0
800 | |
| 53 @@ -2015,6 +2015,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID | |
| 54 PRBool isPresent = PR_TRUE; | 5 PRBool isPresent = PR_TRUE; |
| 55 | 6 |
| 56 /* we only care if we are doing client auth */ | 7 /* we only care if we are doing client auth */ |
| 57 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 8 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
| 58 + * used, u.ssl3.clAuthValid will be false and this function will always | 9 + * used, u.ssl3.clAuthValid will be false and this function will always |
| 59 + * return PR_TRUE. */ | 10 + * return PR_TRUE. */ |
| 60 if (!sid || !sid->u.ssl3.clAuthValid) { | 11 if (!sid || !sid->u.ssl3.clAuthValid) { |
| 61 return PR_TRUE; | 12 return PR_TRUE; |
| 62 } | 13 } |
| 63 @@ -4893,24 +4896,33 @@ ssl3_SendCertificateVerify(sslSocket *ss | 14 @@ -5226,24 +5229,33 @@ ssl3_SendCertificateVerify(sslSocket *ss |
| 64 } | 15 } |
| 65 | 16 |
| 66 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 17 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 67 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 18 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
| 68 - if (rv == SECSuccess) { | 19 - if (rv == SECSuccess) { |
| 69 - PK11SlotInfo * slot; | 20 - PK11SlotInfo * slot; |
| 70 - sslSessionID * sid = ss->sec.ci.sid; | 21 - sslSessionID * sid = ss->sec.ci.sid; |
| 71 + if (ss->ssl3.platformClientKey) { | 22 + if (ss->ssl3.platformClientKey) { |
| 72 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 23 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 73 + rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, | 24 + rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, |
| (...skipping 29 matching lines...) Expand all Loading... |
| 103 + PK11_FreeSlot(slot); | 54 + PK11_FreeSlot(slot); |
| 104 + } | 55 + } |
| 105 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 56 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 106 + ss->ssl3.clientPrivateKey = NULL; | 57 + ss->ssl3.clientPrivateKey = NULL; |
| 107 } | 58 } |
| 108 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 59 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 109 - ss->ssl3.clientPrivateKey = NULL; | 60 - ss->ssl3.clientPrivateKey = NULL; |
| 110 if (rv != SECSuccess) { | 61 if (rv != SECSuccess) { |
| 111 goto done; /* err code was set by ssl3_SignHashes */ | 62 goto done; /* err code was set by ssl3_SignHashes */ |
| 112 } | 63 } |
| 113 @@ -4978,6 +4990,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 64 @@ -5311,6 +5323,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
| 114 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 65 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 115 ss->ssl3.clientPrivateKey = NULL; | 66 ss->ssl3.clientPrivateKey = NULL; |
| 116 } | 67 } |
| 117 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 68 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 118 + if (ss->ssl3.platformClientKey) { | 69 + if (ss->ssl3.platformClientKey) { |
| 119 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 70 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 120 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 71 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 121 + } | 72 + } |
| 122 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 73 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 123 | 74 |
| 124 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 75 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 125 if (temp < 0) { | 76 if (temp < 0) { |
| 126 @@ -5522,6 +5540,10 @@ ssl3_HandleCertificateRequest(sslSocket | 77 @@ -5901,6 +5919,10 @@ ssl3_HandleCertificateRequest(sslSocket |
| 127 SSL3AlertDescription desc = illegal_parameter; | 78 SSL3AlertDescription desc = illegal_parameter; |
| 128 SECItem cert_types = {siBuffer, NULL, 0}; | 79 SECItem cert_types = {siBuffer, NULL, 0}; |
| 129 CERTDistNames ca_list; | 80 CERTDistNames ca_list; |
| 130 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 81 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 131 + CERTCertList * platform_cert_list = NULL; | 82 + CERTCertList * platform_cert_list = NULL; |
| 132 + CERTCertListNode * certNode = NULL; | 83 + CERTCertListNode * certNode = NULL; |
| 133 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 84 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 134 | 85 |
| 135 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", | 86 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
| 136 SSL_GETPID(), ss->fd)); | 87 SSL_GETPID(), ss->fd)); |
| 137 @@ -5538,6 +5560,7 @@ ssl3_HandleCertificateRequest(sslSocket | 88 @@ -5917,6 +5939,7 @@ ssl3_HandleCertificateRequest(sslSocket |
| 138 PORT_Assert(ss->ssl3.clientCertChain == NULL); | 89 PORT_Assert(ss->ssl3.clientCertChain == NULL); |
| 139 PORT_Assert(ss->ssl3.clientCertificate == NULL); | 90 PORT_Assert(ss->ssl3.clientCertificate == NULL); |
| 140 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); | 91 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
| 141 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); | 92 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
| 142 | 93 |
| 143 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 94 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 144 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); | 95 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); |
| 145 @@ -5604,6 +5627,20 @@ ssl3_HandleCertificateRequest(sslSocket | 96 @@ -5983,6 +6006,20 @@ ssl3_HandleCertificateRequest(sslSocket |
| 146 desc = no_certificate; | 97 desc = no_certificate; |
| 147 ss->ssl3.hs.ws = wait_hello_done; | 98 ss->ssl3.hs.ws = wait_hello_done; |
| 148 | 99 |
| 149 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 100 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 150 + if (ss->getPlatformClientAuthData == NULL) { | 101 + if (ss->getPlatformClientAuthData == NULL) { |
| 151 + rv = SECFailure; /* force it to send a no_certificate alert */ | 102 + rv = SECFailure; /* force it to send a no_certificate alert */ |
| 152 + } else { | 103 + } else { |
| 153 + /* XXX Should pass cert_types in this call!! */ | 104 + /* XXX Should pass cert_types in this call!! */ |
| 154 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 105 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
| 155 + ss->getPlatformClientAuthDataArg, | 106 + ss->getPlatformClientAuthDataArg, |
| 156 + ss->fd, &ca_list, | 107 + ss->fd, &ca_list, |
| 157 + &platform_cert_list, | 108 + &platform_cert_list, |
| 158 + (void**)&ss->ssl3.platformClientKey, | 109 + (void**)&ss->ssl3.platformClientKey, |
| 159 + &ss->ssl3.clientCertificate, | 110 + &ss->ssl3.clientCertificate, |
| 160 + &ss->ssl3.clientPrivateKey); | 111 + &ss->ssl3.clientPrivateKey); |
| 161 + } | 112 + } |
| 162 +#else | 113 +#else |
| 163 if (ss->getClientAuthData == NULL) { | 114 if (ss->getClientAuthData == NULL) { |
| 164 rv = SECFailure; /* force it to send a no_certificate alert */ | 115 rv = SECFailure; /* force it to send a no_certificate alert */ |
| 165 } else { | 116 } else { |
| 166 @@ -5613,12 +5650,52 @@ ssl3_HandleCertificateRequest(sslSocket | 117 @@ -5992,12 +6029,52 @@ ssl3_HandleCertificateRequest(sslSocket |
| 167 &ss->ssl3.clientCertificate, | 118 &ss->ssl3.clientCertificate, |
| 168 &ss->ssl3.clientPrivateKey); | 119 &ss->ssl3.clientPrivateKey); |
| 169 } | 120 } |
| 170 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 121 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 171 switch (rv) { | 122 switch (rv) { |
| 172 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ | 123 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
| 173 ssl3_SetAlwaysBlock(ss); | 124 ssl3_SetAlwaysBlock(ss); |
| 174 break; /* not an error */ | 125 break; /* not an error */ |
| 175 | 126 |
| 176 case SECSuccess: | 127 case SECSuccess: |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 209 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 160 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 210 + } | 161 + } |
| 211 + goto send_no_certificate; | 162 + goto send_no_certificate; |
| 212 + } | 163 + } |
| 213 + break; /* not an error */ | 164 + break; /* not an error */ |
| 214 + } | 165 + } |
| 215 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 166 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 216 /* check what the callback function returned */ | 167 /* check what the callback function returned */ |
| 217 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 168 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
| 218 /* we are missing either the key or cert */ | 169 /* we are missing either the key or cert */ |
| 219 @@ -5681,6 +5758,10 @@ loser: | 170 @@ -6060,6 +6137,10 @@ loser: |
| 220 done: | 171 done: |
| 221 if (arena != NULL) | 172 if (arena != NULL) |
| 222 PORT_FreeArena(arena, PR_FALSE); | 173 PORT_FreeArena(arena, PR_FALSE); |
| 223 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 174 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 224 + if (platform_cert_list) | 175 + if (platform_cert_list) |
| 225 + CERT_DestroyCertList(platform_cert_list); | 176 + CERT_DestroyCertList(platform_cert_list); |
| 226 +#endif | 177 +#endif |
| 227 return rv; | 178 return rv; |
| 228 } | 179 } |
| 229 | 180 |
| 230 @@ -5755,7 +5836,8 @@ ssl3_SendClientSecondRound(sslSocket *ss | 181 @@ -6134,7 +6215,8 @@ ssl3_SendClientSecondRound(sslSocket *ss |
| 231 | 182 |
| 232 sendClientCert = !ss->ssl3.sendEmptyCert && | 183 sendClientCert = !ss->ssl3.sendEmptyCert && |
| 233 ss->ssl3.clientCertChain != NULL && | 184 ss->ssl3.clientCertChain != NULL && |
| 234 - ss->ssl3.clientPrivateKey != NULL; | 185 - ss->ssl3.clientPrivateKey != NULL; |
| 235 + (ss->ssl3.platformClientKey || | 186 + (ss->ssl3.platformClientKey || |
| 236 + ss->ssl3.clientPrivateKey != NULL); | 187 + ss->ssl3.clientPrivateKey != NULL); |
| 237 | 188 |
| 238 /* We must wait for the server's certificate to be authenticated before | 189 /* We must wait for the server's certificate to be authenticated before |
| 239 * sending the client certificate in order to disclosing the client | 190 * sending the client certificate in order to disclosing the client |
| 240 @@ -9725,6 +9807,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 191 @@ -10446,6 +10528,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| 241 | 192 |
| 242 if (ss->ssl3.clientPrivateKey != NULL) | 193 if (ss->ssl3.clientPrivateKey != NULL) |
| 243 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 194 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 244 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 195 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 245 + if (ss->ssl3.platformClientKey) | 196 + if (ss->ssl3.platformClientKey) |
| 246 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 197 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 247 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 198 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 248 | 199 |
| 249 if (ss->ssl3.peerCertArena != NULL) | 200 if (ss->ssl3.peerCertArena != NULL) |
| 250 ssl3_CleanupPeerCerts(ss); | 201 ssl3_CleanupPeerCerts(ss); |
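Review bot: In the ssl3_HandleCertificateRequest hunk, `(void**)&ss->ssl3.platformClientKey` lets the callback store a `void *` through an lvalue whose declared type is PCERT_KEY_CONTEXT or SecKeyRef (per the sslimpl.h typedefs in this patch); distinct pointer types are not required to share a representation and the access is not alias-compatible, so route it through a local instead: declare `void *platformKey = NULL;` next to `platform_cert_list`, pass `&platformKey` to the callback, and after the call set `ss->ssl3.platformClientKey = (PlatformKey)platformKey;`. Because the new `#ifdef NSS_PLATFORM_CLIENT_AUTH … #else` makes the platform hook the only one consulted, a client that installed a hook through SSL_GetClientAuthDataHook on such a build silently sends no_certificate; if that is intended, say so in the ssl.h typedef comment, otherwise fall back to `ss->getClientAuthData` when `ss->getPlatformClientAuthData == NULL`. The `goto done; /* err code was set by ssl3_SignHashes */` line in ssl3_SendCertificateVerify is now also reached after ssl3_PlatformSignHashes fails, so that comment should name both. Parts of both functions are elided on this page (the "skipping" markers), so the SECSuccess handling of the platform certificate list was not reviewed here.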
| 251 diff -upN a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/
ssl3ext.c | 202 diff -puN -r a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3e
xt.c |
| 252 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-28 19:26:04.047351199 -0
800 | 203 --- a/net/third_party/nss/ssl/ssl3ext.c»2012-11-09 15:34:12.258133766 -0800 |
| 253 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-28 20:20:35.392842118 -0
800 | 204 +++ b/net/third_party/nss/ssl/ssl3ext.c»2012-11-09 15:35:08.488958561 -0800 |
| 254 @@ -46,8 +46,8 @@ | 205 @@ -11,8 +11,8 @@ |
| 255 #include "nssrenam.h" | 206 #include "nssrenam.h" |
| 256 #include "nss.h" | 207 #include "nss.h" |
| 257 #include "ssl.h" | 208 #include "ssl.h" |
| 258 -#include "sslproto.h" | 209 -#include "sslproto.h" |
| 259 #include "sslimpl.h" | 210 #include "sslimpl.h" |
| 260 +#include "sslproto.h" | 211 +#include "sslproto.h" |
| 261 #include "pk11pub.h" | 212 #include "pk11pub.h" |
| 262 #include "blapi.h" | 213 #ifdef NO_PKCS11_BYPASS |
| 263 #include "prinit.h" | 214 #include "blapit.h" |
| 264 diff -upN a/src/net/third_party/nss/ssl/sslauth.c b/src/net/third_party/nss/ssl/
sslauth.c | 215 diff -puN -r a/net/third_party/nss/ssl/sslauth.c b/net/third_party/nss/ssl/sslau
th.c |
| 265 --- a/src/net/third_party/nss/ssl/sslauth.c» 2012-02-28 18:34:23.263186340 -0
800 | 216 --- a/net/third_party/nss/ssl/sslauth.c»2012-11-09 15:27:15.952019947 -0800 |
| 266 +++ b/src/net/third_party/nss/ssl/sslauth.c» 2012-02-28 20:04:24.039351965 -0
800 | 217 +++ b/net/third_party/nss/ssl/sslauth.c»2012-11-09 15:35:08.488958561 -0800 |
| 267 @@ -251,6 +251,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, | 218 @@ -219,6 +219,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
| 268 return SECSuccess; | 219 return SECSuccess; |
| 269 } | 220 } |
| 270 | 221 |
| 271 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 222 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 272 +/* NEED LOCKS IN HERE. */ | 223 +/* NEED LOCKS IN HERE. */ |
| 273 +SECStatus | 224 +SECStatus |
| 274 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, | 225 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
| 275 + SSLGetPlatformClientAuthData func, | 226 + SSLGetPlatformClientAuthData func, |
| 276 + void *arg) | 227 + void *arg) |
| 277 +{ | 228 +{ |
| 278 + sslSocket *ss; | 229 + sslSocket *ss; |
| 279 + | 230 + |
| 280 + ss = ssl_FindSocket(s); | 231 + ss = ssl_FindSocket(s); |
| 281 + if (!ss) { | 232 + if (!ss) { |
| 282 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", | 233 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", |
| 283 + SSL_GETPID(), s)); | 234 + SSL_GETPID(), s)); |
| 284 + return SECFailure; | 235 + return SECFailure; |
| 285 + } | 236 + } |
| 286 + | 237 + |
| 287 + ss->getPlatformClientAuthData = func; | 238 + ss->getPlatformClientAuthData = func; |
| 288 + ss->getPlatformClientAuthDataArg = arg; | 239 + ss->getPlatformClientAuthDataArg = arg; |
| 289 + return SECSuccess; | 240 + return SECSuccess; |
| 290 +} | 241 +} |
| 291 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 242 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 292 + | 243 + |
| 293 /* NEED LOCKS IN HERE. */ | 244 /* NEED LOCKS IN HERE. */ |
| 294 SECStatus | 245 SECStatus |
| 295 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | 246 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
| 296 diff -upN a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/
sslimpl.h | 247 diff -puN -r a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h |
| 297 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-28 19:26:04.047351199 -0
800 | 248 --- a/net/third_party/nss/ssl/ssl.h» 2012-11-09 15:34:12.258133766 -0800 |
| 298 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-28 20:04:24.039351965 -0
800 | 249 +++ b/net/third_party/nss/ssl/ssl.h» 2012-11-09 15:35:08.488958561 -0800 |
| 299 @@ -65,6 +65,15 @@ | 250 @@ -483,6 +483,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl |
| 251 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
| 252 » » » SSLGetClientAuthData f, void *a); |
| 253 |
| 254 +/* |
| 255 + * Prototype for SSL callback to get client auth data from the application, |
| 256 + * optionally using the underlying platform's cryptographic primitives. |
| 257 + * To use the platform cryptographic primitives, caNames and pRetCerts |
| 258 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. |
| 259 + * Returning SECFailure will cause the socket to send no client certificate. |
| 260 + *» arg - application passed argument |
| 261 + *» caNames - pointer to distinguished names of CAs that the server likes |
| 262 + *» pRetCerts - pointer to pointer to list of certs, with the first being |
| 263 + *» » the client cert, and any following being used for chain |
| 264 + *» » building |
| 265 + *» pRetKey - pointer to native key pointer, for return of key |
| 266 + * - Windows: A pointer to a PCERT_KEY_CONTEXT that was allocated |
| 267 + * via PORT_Alloc(). Ownership of the PCERT_KEY_CONTEXT |
| 268 + * is transferred to NSS, which will free via |
| 269 + * PORT_Free(). |
| 270 + * - Mac OS X: A pointer to a SecKeyRef. Ownership is |
| 271 + * transferred to NSS, which will free via CFRelease(). |
| 272 + *» pRetNSSCert - pointer to pointer to NSS cert, for return of cert. |
| 273 + *» pRetNSSKey - pointer to NSS key pointer, for return of key. |
| 274 + */ |
| 275 +typedef SECStatus (PR_CALLBACK *SSLGetPlatformClientAuthData)(void *arg, |
| 276 + PRFileDesc *fd, |
| 277 + CERTDistNames *caNames, |
| 278 + CERTCertList **pRetCerts,/*return */ |
| 279 + void **pRetKey,/* return */ |
| 280 + CERTCertificate **pRetNSSCert,/*return */ |
| 281 + SECKEYPrivateKey **pRetNSSKey);/* return */ |
| 282 + |
| 283 +/* |
| 284 + * Set the client side callback for SSL to retrieve user's private key |
| 285 + * and certificate. |
| 286 + *» fd - the file descriptor for the connection in question |
| 287 + *» f - the application's callback that delivers the key and cert |
| 288 + *» a - application specific data |
| 289 + */ |
| 290 +SSL_IMPORT SECStatus |
| 291 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, |
| 292 + SSLGetPlatformClientAuthData f, void *a); |
| 293 |
| 294 /* |
| 295 ** SNI extension processing callback function. |
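Review bot: The SSLGetPlatformClientAuthData typedef comment says `To use the platform cryptographic primitives, caNames and pRetCerts should be set`, but caNames is documented two lines later as an input ("distinguished names of CAs that the server likes"); the out-parameters for the platform path are pRetCerts and pRetKey, so the sentence should read `To use the platform cryptographic primitives, pRetCerts and pRetKey should be set.` The pRetCerts entry also lacks the ownership statement that pRetKey has; since ssl3_HandleCertificateRequest destroys the list at its `done:` label in this patch, add `Ownership of the list is transferred to NSS, which will free via CERT_DestroyCertList().` after the chain-building sentence. It would further help callers to state that only one pair (platform or NSS) may be returned per call, matching the sslimpl.h note that at most one of clientPrivateKey and platformClientKey may be set.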
| 296 diff -puN -r a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslim
pl.h |
| 297 --- a/net/third_party/nss/ssl/sslimpl.h»2012-11-09 15:34:12.258133766 -0800 |
| 298 +++ b/net/third_party/nss/ssl/sslimpl.h»2012-11-09 15:36:42.600338478 -0800 |
| 299 @@ -32,6 +32,15 @@ |
| 300 | 300 |
| 301 #include "sslt.h" /* for some formerly private types, now public */ | 301 #include "sslt.h" /* for some formerly private types, now public */ |
| 302 | 302 |
| 303 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 303 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 304 +#if defined(XP_WIN32) | 304 +#if defined(XP_WIN32) |
| 305 +#include <windows.h> | 305 +#include <windows.h> |
| 306 +#include <wincrypt.h> | 306 +#include <wincrypt.h> |
| 307 +#elif defined(XP_MACOSX) | 307 +#elif defined(XP_MACOSX) |
| 308 +#include <Security/Security.h> | 308 +#include <Security/Security.h> |
| 309 +#endif | 309 +#endif |
| 310 +#endif | 310 +#endif |
| 311 + | 311 + |
| 312 /* to make some of these old enums public without namespace pollution, | 312 /* to make some of these old enums public without namespace pollution, |
| 313 ** it was necessary to prepend ssl_ to the names. | 313 ** it was necessary to prepend ssl_ to the names. |
| 314 ** These #defines preserve compatibility with the old code here in libssl. | 314 ** These #defines preserve compatibility with the old code here in libssl. |
| 315 @@ -462,6 +471,14 @@ typedef SECStatus (*SSLCompressor)(void | 315 @@ -446,6 +455,14 @@ typedef SECStatus (*SSLCompressor)(void |
| 316 int inlen); | 316 int inlen); |
| 317 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); | 317 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); |
| 318 | 318 |
| 319 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) | 319 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
| 320 +typedef PCERT_KEY_CONTEXT PlatformKey; | 320 +typedef PCERT_KEY_CONTEXT PlatformKey; |
| 321 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) | 321 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
| 322 +typedef SecKeyRef PlatformKey; | 322 +typedef SecKeyRef PlatformKey; |
| 323 +#else | 323 +#else |
| 324 +typedef void *PlatformKey; | 324 +typedef void *PlatformKey; |
| 325 +#endif | 325 +#endif |
| 326 + | 326 + |
| 327 | 327 |
| 328 | 328 |
| 329 /* | 329 /* |
| 330 @@ -836,6 +853,10 @@ struct ssl3StateStr { | 330 @@ -870,6 +887,10 @@ struct ssl3StateStr { |
| 331 | 331 |
| 332 CERTCertificate * clientCertificate; /* used by client */ | 332 CERTCertificate * clientCertificate; /* used by client */ |
| 333 SECKEYPrivateKey * clientPrivateKey; /* used by client */ | 333 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
| 334 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not | 334 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not |
| 335 + * defined in order to allow cleaner conditional code. | 335 + * defined in order to allow cleaner conditional code. |
| 336 + * At most one of clientPrivateKey and platformClientKey may be set. */ | 336 + * At most one of clientPrivateKey and platformClientKey may be set. */ |
| 337 + PlatformKey platformClientKey; /* used by client */ | 337 + PlatformKey platformClientKey; /* used by client */ |
| 338 CERTCertificateList *clientCertChain; /* used by client */ | 338 CERTCertificateList *clientCertChain; /* used by client */ |
| 339 PRBool sendEmptyCert; /* used by client */ | 339 PRBool sendEmptyCert; /* used by client */ |
| 340 | 340 |
| 341 @@ -1082,6 +1103,10 @@ const unsigned char * preferredCipher; | 341 @@ -1127,6 +1148,10 @@ const unsigned char * preferredCipher; |
| 342 void *authCertificateArg; | 342 void *authCertificateArg; |
| 343 SSLGetClientAuthData getClientAuthData; | 343 SSLGetClientAuthData getClientAuthData; |
| 344 void *getClientAuthDataArg; | 344 void *getClientAuthDataArg; |
| 345 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 345 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 346 + SSLGetPlatformClientAuthData getPlatformClientAuthData; | 346 + SSLGetPlatformClientAuthData getPlatformClientAuthData; |
| 347 + void *getPlatformClientAuthDataArg; | 347 + void *getPlatformClientAuthDataArg; |
| 348 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 348 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 349 SSLSNISocketConfig sniSocketConfig; | 349 SSLSNISocketConfig sniSocketConfig; |
| 350 void *sniSocketConfigArg; | 350 void *sniSocketConfigArg; |
| 351 SSLBadCertHandler handleBadCert; | 351 SSLBadCertHandler handleBadCert; |
| 352 @@ -1644,6 +1669,26 @@ extern SECStatus ssl_InitSessionCacheLoc | 352 @@ -1700,7 +1725,6 @@ extern void ssl_FreePRSocket(PRFileDesc |
| 353 * various ciphers */ |
| 354 extern int ssl3_config_match_init(sslSocket *); |
| 355 |
| 356 - |
| 357 /* Create a new ref counted key pair object from two keys. */ |
| 358 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, |
| 359 SECKEYPublicKey * pubKey); |
| 360 @@ -1740,6 +1764,26 @@ extern SECStatus ssl_InitSessionCacheLoc |
| 353 | 361 |
| 354 extern SECStatus ssl_FreeSessionCacheLocks(void); | 362 extern SECStatus ssl_FreeSessionCacheLocks(void); |
| 355 | 363 |
| 356 +/***************** platform client auth ****************/ | 364 +/***************** platform client auth ****************/ |
| 357 + | 365 + |
| 358 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 366 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 359 +// Releases the platform key. | 367 +// Releases the platform key. |
| 360 +extern void ssl_FreePlatformKey(PlatformKey key); | 368 +extern void ssl_FreePlatformKey(PlatformKey key); |
| 361 + | 369 + |
| 362 +// Implement the client CertificateVerify message for SSL3/TLS1.0 | 370 +// Implement the client CertificateVerify message for SSL3/TLS1.0 |
| 363 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, | 371 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
| 364 + PlatformKey key, SECItem *buf, | 372 + PlatformKey key, SECItem *buf, |
| 365 + PRBool isTLS); | 373 + PRBool isTLS); |
| 366 + | 374 + |
| 367 +// Converts a CERTCertList* (A collection of CERTCertificates) into a | 375 +// Converts a CERTCertList* (A collection of CERTCertificates) into a |
| 368 +// CERTCertificateList* (A collection of SECItems), or returns NULL if | 376 +// CERTCertificateList* (A collection of SECItems), or returns NULL if |
| 369 +// it cannot be converted. | 377 +// it cannot be converted. |
| 370 +// This is to allow the platform-supplied chain to be created with purely | 378 +// This is to allow the platform-supplied chain to be created with purely |
| 371 +// public API functions, using the preferred CERTCertList mutators, rather | 379 +// public API functions, using the preferred CERTCertList mutators, rather |
| 372 +// pushing this hack to clients. | 380 +// pushing this hack to clients. |
| 373 +extern CERTCertificateList* hack_NewCertificateListFromCertList( | 381 +extern CERTCertificateList* hack_NewCertificateListFromCertList( |
| 374 + CERTCertList* list); | 382 + CERTCertList* list); |
| 375 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 383 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 376 | 384 |
| 377 /********************** misc calls *********************/ | 385 /**************** DTLS-specific functions **************/ |
| 378 | 386 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); |
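Review bot: The new declarations in the "platform client auth" block use `//` line comments (`// Releases the platform key.`, `// Implement the client CertificateVerify message for SSL3/TLS1.0`, and the hack_NewCertificateListFromCertList description) while the rest of this header, including the neighbouring `/* Create a new ref counted key pair object from two keys. */`, uses `/* */` block comments; converting them keeps the header uniform and safe for any C89-mode translation unit that includes it. The ssl3_PlatformSignHashes comment would be more useful if it stated the contract visible in sslplatf.c: on platforms without an implementation it sets PR_NOT_IMPLEMENTED_ERROR and returns SECFailure. Neither ssl_FreePlatformKey nor hack_NewCertificateListFromCertList says who owns `key` afterwards or who frees the returned CERTCertificateList, which the public ssl.h comment for pRetKey does spell out; a one-line ownership note on each declaration would close that gap.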
| 379 diff -upN a/src/net/third_party/nss/ssl/sslplatf.c b/src/net/third_party/nss/ssl
/sslplatf.c | 387 diff -puN -r a/net/third_party/nss/ssl/sslplatf.c b/net/third_party/nss/ssl/sslp
latf.c |
| 380 --- a/src/net/third_party/nss/ssl/sslplatf.c» 1969-12-31 16:00:00.000000000 -0
800 | 388 --- a/net/third_party/nss/ssl/sslplatf.c» 1969-12-31 16:00:00.000000000 -0
800 |
| 381 +++ b/src/net/third_party/nss/ssl/sslplatf.c» 2012-02-28 20:04:24.039351965 -0
800 | 389 +++ b/net/third_party/nss/ssl/sslplatf.c» 2012-11-09 15:35:08.498958708 -0
800 |
| 382 @@ -0,0 +1,399 @@ | 390 @@ -0,0 +1,399 @@ |
| 383 +/* | 391 +/* |
| 384 + * Platform specific crypto wrappers | 392 + * Platform specific crypto wrappers |
| 385 + * | 393 + * |
| 386 + * ***** BEGIN LICENSE BLOCK ***** | 394 + * ***** BEGIN LICENSE BLOCK ***** |
| 387 + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 395 + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 388 + * | 396 + * |
| 389 + * The contents of this file are subject to the Mozilla Public License Version | 397 + * The contents of this file are subject to the Mozilla Public License Version |
| 390 + * 1.1 (the "License"); you may not use this file except in compliance with | 398 + * 1.1 (the "License"); you may not use this file except in compliance with |
| 391 + * the License. You may obtain a copy of the License at | 399 + * the License. You may obtain a copy of the License at |
| (...skipping 380 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 772 +SECStatus | 780 +SECStatus |
| 773 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, | 781 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, |
| 774 + PRBool isTLS) | 782 + PRBool isTLS) |
| 775 +{ | 783 +{ |
| 776 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 784 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 777 + return SECFailure; | 785 + return SECFailure; |
| 778 +} | 786 +} |
| 779 +#endif | 787 +#endif |
| 780 + | 788 + |
| 781 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 789 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 782 diff -upN a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/
sslsock.c | 790 diff -puN -r a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslso
ck.c |
| 783 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-02-28 19:26:04.057351342 -0
800 | 791 --- a/net/third_party/nss/ssl/sslsock.c»2012-11-09 15:34:12.268133912 -0800 |
| 784 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-02-28 20:04:24.049352104 -0
800 | 792 +++ b/net/third_party/nss/ssl/sslsock.c»2012-11-09 15:35:08.498958708 -0800 |
| 785 @@ -339,6 +339,10 @@ ssl_DupSocket(sslSocket *os) | 793 @@ -335,6 +335,10 @@ ssl_DupSocket(sslSocket *os) |
| 786 ss->authCertificateArg = os->authCertificateArg; | 794 ss->authCertificateArg = os->authCertificateArg; |
| 787 ss->getClientAuthData = os->getClientAuthData; | 795 ss->getClientAuthData = os->getClientAuthData; |
| 788 ss->getClientAuthDataArg = os->getClientAuthDataArg; | 796 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
| 789 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 797 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 790 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 798 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
| 791 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; | 799 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; |
| 792 +#endif | 800 +#endif |
| 793 ss->sniSocketConfig = os->sniSocketConfig; | 801 ss->sniSocketConfig = os->sniSocketConfig; |
| 794 ss->sniSocketConfigArg = os->sniSocketConfigArg; | 802 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
| 795 ss->handleBadCert = os->handleBadCert; | 803 ss->handleBadCert = os->handleBadCert; |
| 796 @@ -1530,6 +1534,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile | 804 @@ -1712,6 +1716,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
| 797 ss->getClientAuthData = sm->getClientAuthData; | 805 ss->getClientAuthData = sm->getClientAuthData; |
| 798 if (sm->getClientAuthDataArg) | 806 if (sm->getClientAuthDataArg) |
| 799 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 807 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
| 800 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 808 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 801 + if (sm->getPlatformClientAuthData) | 809 + if (sm->getPlatformClientAuthData) |
| 802 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; | 810 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
| 803 + if (sm->getPlatformClientAuthDataArg) | 811 + if (sm->getPlatformClientAuthDataArg) |
| 804 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; | 812 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
| 805 +#endif | 813 +#endif |
| 806 if (sm->sniSocketConfig) | 814 if (sm->sniSocketConfig) |
| 807 ss->sniSocketConfig = sm->sniSocketConfig; | 815 ss->sniSocketConfig = sm->sniSocketConfig; |
| 808 if (sm->sniSocketConfigArg) | 816 if (sm->sniSocketConfigArg) |
| 809 @@ -2617,6 +2627,10 @@ ssl_NewSocket(PRBool makeLocks) | 817 @@ -2942,6 +2952,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto |
| 810 ss->sniSocketConfig = NULL; | 818 ss->sniSocketConfig = NULL; |
| 811 ss->sniSocketConfigArg = NULL; | 819 ss->sniSocketConfigArg = NULL; |
| 812 ss->getClientAuthData = NULL; | 820 ss->getClientAuthData = NULL; |
| 813 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 821 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 814 + ss->getPlatformClientAuthData = NULL; | 822 + ss->getPlatformClientAuthData = NULL; |
| 815 + ss->getPlatformClientAuthDataArg = NULL; | 823 + ss->getPlatformClientAuthDataArg = NULL; |
| 816 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 824 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 817 ss->handleBadCert = NULL; | 825 ss->handleBadCert = NULL; |
| 818 ss->badCertArg = NULL; | 826 ss->badCertArg = NULL; |
| 819 ss->pkcs11PinArg = NULL; | 827 ss->pkcs11PinArg = NULL; |