| OLD | NEW |
|---|
| 1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | 1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| 2 --- a/nss/lib/ssl/ssl3con.c» 2014-01-03 19:30:40.073373382 -0800 | 2 --- a/nss/lib/ssl/ssl3con.c» 2014-01-17 17:52:00.295082288 -0800 |
| 3 +++ b/nss/lib/ssl/ssl3con.c» 2014-01-03 19:30:52.653579045 -0800 | 3 +++ b/nss/lib/ssl/ssl3con.c» 2014-01-17 17:52:19.745405758 -0800 |
| 4 @@ -2471,6 +2471,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID | 4 @@ -2471,6 +2471,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID |
| 5 PRBool isPresent = PR_TRUE; | 5 PRBool isPresent = PR_TRUE; |
| 6 | 6 |
| 7 /* we only care if we are doing client auth */ | 7 /* we only care if we are doing client auth */ |
| 8 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 8 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
| 9 + * used, u.ssl3.clAuthValid will be false and this function will always | 9 + * used, u.ssl3.clAuthValid will be false and this function will always |
| 10 + * return PR_TRUE. */ | 10 + * return PR_TRUE. */ |
| 11 if (!sid || !sid->u.ssl3.clAuthValid) { | 11 if (!sid || !sid->u.ssl3.clAuthValid) { |
| 12 return PR_TRUE; | 12 return PR_TRUE; |
| 13 } | 13 } |
| 14 @@ -6080,25 +6083,36 @@ ssl3_SendCertificateVerify(sslSocket *ss | 14 @@ -6103,25 +6106,36 @@ ssl3_SendCertificateVerify(sslSocket *ss |
| 15 | 15 |
| 16 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 16 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 17 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 17 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
| 18 - keyType = ss->ssl3.clientPrivateKey->keyType; | 18 - keyType = ss->ssl3.clientPrivateKey->keyType; |
| 19 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 19 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
| 20 - if (rv == SECSuccess) { | 20 - if (rv == SECSuccess) { |
| 21 - PK11SlotInfo * slot; | 21 - PK11SlotInfo * slot; |
| 22 - sslSessionID * sid = ss->sec.ci.sid; | 22 - sslSessionID * sid = ss->sec.ci.sid; |
| 23 + if (ss->ssl3.platformClientKey) { | 23 + if (ss->ssl3.platformClientKey) { |
| 24 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 24 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 58 + PK11_FreeSlot(slot); | 58 + PK11_FreeSlot(slot); |
| 59 + } | 59 + } |
| 60 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 60 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 61 + ss->ssl3.clientPrivateKey = NULL; | 61 + ss->ssl3.clientPrivateKey = NULL; |
| 62 } | 62 } |
| 63 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 63 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 64 - ss->ssl3.clientPrivateKey = NULL; | 64 - ss->ssl3.clientPrivateKey = NULL; |
| 65 if (rv != SECSuccess) { | 65 if (rv != SECSuccess) { |
| 66 goto done; /* err code was set by ssl3_SignHashes */ | 66 goto done; /* err code was set by ssl3_SignHashes */ |
| 67 } | 67 } |
| 68 @@ -6177,6 +6191,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 68 @@ -6200,6 +6214,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
| 69 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 69 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 70 ss->ssl3.clientPrivateKey = NULL; | 70 ss->ssl3.clientPrivateKey = NULL; |
| 71 } | 71 } |
| 72 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 72 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 73 + if (ss->ssl3.platformClientKey) { | 73 + if (ss->ssl3.platformClientKey) { |
| 74 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 74 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 75 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 75 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 76 + } | 76 + } |
| 77 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 77 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 78 | 78 |
| 79 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 79 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 80 if (temp < 0) { | 80 if (temp < 0) { |
| 81 @@ -6804,6 +6824,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, | 81 @@ -6827,6 +6847,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, |
| 82 goto done; | 82 goto done; |
| 83 } | 83 } |
| 84 | 84 |
| 85 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) | 85 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) |
| 86 + /* If the key is in CAPI, assume conservatively that the CAPI service | 86 + /* If the key is in CAPI, assume conservatively that the CAPI service |
| 87 + * provider may be unable to sign SHA-256 hashes. | 87 + * provider may be unable to sign SHA-256 hashes. |
| 88 + */ | 88 + */ |
| 89 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { | 89 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { |
| 90 + /* CAPI only supports RSA and DSA signatures, so we don't need to | 90 + /* CAPI only supports RSA and DSA signatures, so we don't need to |
| 91 + * check the key type. */ | 91 + * check the key type. */ |
| 92 + *preferSha1 = PR_TRUE; | 92 + *preferSha1 = PR_TRUE; |
| 93 + goto done; | 93 + goto done; |
| 94 + } | 94 + } |
| 95 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ | 95 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ |
| 96 + | 96 + |
| 97 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that | 97 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that |
| 98 * it may be unable to sign SHA-256 hashes. This is the case for older | 98 * it may be unable to sign SHA-256 hashes. This is the case for older |
| 99 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and | 99 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and |
| 100 @@ -6902,6 +6934,10 @@ ssl3_HandleCertificateRequest(sslSocket | 100 @@ -6925,6 +6957,10 @@ ssl3_HandleCertificateRequest(sslSocket |
| 101 SECItem cert_types = {siBuffer, NULL, 0}; | 101 SECItem cert_types = {siBuffer, NULL, 0}; |
| 102 SECItem algorithms = {siBuffer, NULL, 0}; | 102 SECItem algorithms = {siBuffer, NULL, 0}; |
| 103 CERTDistNames ca_list; | 103 CERTDistNames ca_list; |
| 104 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 104 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 105 + CERTCertList * platform_cert_list = NULL; | 105 + CERTCertList * platform_cert_list = NULL; |
| 106 + CERTCertListNode * certNode = NULL; | 106 + CERTCertListNode * certNode = NULL; |
| 107 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 107 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 108 | 108 |
| 109 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", | 109 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
| 110 SSL_GETPID(), ss->fd)); | 110 SSL_GETPID(), ss->fd)); |
| 111 @@ -6918,6 +6954,7 @@ ssl3_HandleCertificateRequest(sslSocket | 111 @@ -6941,6 +6977,7 @@ ssl3_HandleCertificateRequest(sslSocket |
| 112 PORT_Assert(ss->ssl3.clientCertChain == NULL); | 112 PORT_Assert(ss->ssl3.clientCertChain == NULL); |
| 113 PORT_Assert(ss->ssl3.clientCertificate == NULL); | 113 PORT_Assert(ss->ssl3.clientCertificate == NULL); |
| 114 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); | 114 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
| 115 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); | 115 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
| 116 | 116 |
| 117 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 117 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 118 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 118 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
| 119 @@ -6997,6 +7034,18 @@ ssl3_HandleCertificateRequest(sslSocket | 119 @@ -7020,6 +7057,18 @@ ssl3_HandleCertificateRequest(sslSocket |
| 120 desc = no_certificate; | 120 desc = no_certificate; |
| 121 ss->ssl3.hs.ws = wait_hello_done; | 121 ss->ssl3.hs.ws = wait_hello_done; |
| 122 | 122 |
| 123 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 123 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 124 + if (ss->getPlatformClientAuthData != NULL) { | 124 + if (ss->getPlatformClientAuthData != NULL) { |
| 125 + /* XXX Should pass cert_types and algorithms in this call!! */ | 125 + /* XXX Should pass cert_types and algorithms in this call!! */ |
| 126 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 126 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
| 127 + ss->getPlatformClientAuthDataArg, | 127 + ss->getPlatformClientAuthDataArg, |
| 128 + ss->fd, &ca_list, | 128 + ss->fd, &ca_list, |
| 129 + &platform_cert_list, | 129 + &platform_cert_list, |
| 130 + (void**)&ss->ssl3.platformClientKey, | 130 + (void**)&ss->ssl3.platformClientKey, |
| 131 + &ss->ssl3.clientCertificate, | 131 + &ss->ssl3.clientCertificate, |
| 132 + &ss->ssl3.clientPrivateKey); | 132 + &ss->ssl3.clientPrivateKey); |
| 133 + } else | 133 + } else |
| 134 +#endif | 134 +#endif |
| 135 if (ss->getClientAuthData != NULL) { | 135 if (ss->getClientAuthData != NULL) { |
| 136 /* XXX Should pass cert_types and algorithms in this call!! */ | 136 /* XXX Should pass cert_types and algorithms in this call!! */ |
| 137 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, | 137 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, |
| 138 @@ -7006,12 +7055,55 @@ ssl3_HandleCertificateRequest(sslSocket | 138 @@ -7029,12 +7078,55 @@ ssl3_HandleCertificateRequest(sslSocket |
| 139 } else { | 139 } else { |
| 140 rv = SECFailure; /* force it to send a no_certificate alert */ | 140 rv = SECFailure; /* force it to send a no_certificate alert */ |
| 141 } | 141 } |
| 142 + | 142 + |
| 143 switch (rv) { | 143 switch (rv) { |
| 144 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ | 144 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
| 145 ssl3_SetAlwaysBlock(ss); | 145 ssl3_SetAlwaysBlock(ss); |
| 146 break; /* not an error */ | 146 break; /* not an error */ |
| 147 | 147 |
| 148 case SECSuccess: | 148 case SECSuccess: |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 184 + } | 184 + } |
| 185 + if (ss->ssl3.hs.hashType == handshake_hash_single) { | 185 + if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 186 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); | 186 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); |
| 187 + } | 187 + } |
| 188 + break; /* not an error */ | 188 + break; /* not an error */ |
| 189 + } | 189 + } |
| 190 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 190 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 191 /* check what the callback function returned */ | 191 /* check what the callback function returned */ |
| 192 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 192 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
| 193 /* we are missing either the key or cert */ | 193 /* we are missing either the key or cert */ |
| 194 @@ -7073,6 +7165,10 @@ loser: | 194 @@ -7096,6 +7188,10 @@ loser: |
| 195 done: | 195 done: |
| 196 if (arena != NULL) | 196 if (arena != NULL) |
| 197 PORT_FreeArena(arena, PR_FALSE); | 197 PORT_FreeArena(arena, PR_FALSE); |
| 198 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 198 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 199 + if (platform_cert_list) | 199 + if (platform_cert_list) |
| 200 + CERT_DestroyCertList(platform_cert_list); | 200 + CERT_DestroyCertList(platform_cert_list); |
| 201 +#endif | 201 +#endif |
| 202 return rv; | 202 return rv; |
| 203 } | 203 } |
| 204 | 204 |
| 205 @@ -7190,7 +7286,8 @@ ssl3_SendClientSecondRound(sslSocket *ss | 205 @@ -7213,7 +7309,8 @@ ssl3_SendClientSecondRound(sslSocket *ss |
| 206 | 206 |
| 207 sendClientCert = !ss->ssl3.sendEmptyCert && | 207 sendClientCert = !ss->ssl3.sendEmptyCert && |
| 208 ss->ssl3.clientCertChain != NULL && | 208 ss->ssl3.clientCertChain != NULL && |
| 209 - ss->ssl3.clientPrivateKey != NULL; | 209 - ss->ssl3.clientPrivateKey != NULL; |
| 210 + (ss->ssl3.platformClientKey || | 210 + (ss->ssl3.platformClientKey || |
| 211 + ss->ssl3.clientPrivateKey != NULL); | 211 + ss->ssl3.clientPrivateKey != NULL); |
| 212 | 212 |
| 213 if (!sendClientCert && | 213 if (!sendClientCert && |
| 214 ss->ssl3.hs.hashType == handshake_hash_single && | 214 ss->ssl3.hs.hashType == handshake_hash_single && |
| 215 @@ -12027,6 +12124,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 215 @@ -12052,6 +12149,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| 216 | 216 |
| 217 if (ss->ssl3.clientPrivateKey != NULL) | 217 if (ss->ssl3.clientPrivateKey != NULL) |
| 218 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 218 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 219 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 219 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 220 + if (ss->ssl3.platformClientKey) | 220 + if (ss->ssl3.platformClientKey) |
| 221 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 221 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 222 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 222 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 223 | 223 |
| 224 if (ss->ssl3.peerCertArena != NULL) | 224 if (ss->ssl3.peerCertArena != NULL) |
| 225 ssl3_CleanupPeerCerts(ss); | 225 ssl3_CleanupPeerCerts(ss); |
| 226 diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c | 226 diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
| 227 --- a/nss/lib/ssl/ssl3ext.c» 2014-01-03 19:28:03.550814608 -0800 | 227 --- a/nss/lib/ssl/ssl3ext.c» 2014-01-17 17:49:26.072517368 -0800 |
| 228 +++ b/nss/lib/ssl/ssl3ext.c» 2014-01-03 19:30:52.653579045 -0800 | 228 +++ b/nss/lib/ssl/ssl3ext.c» 2014-01-17 17:52:19.745405758 -0800 |
| 229 @@ -10,8 +10,8 @@ | 229 @@ -10,8 +10,8 @@ |
| 230 #include "nssrenam.h" | 230 #include "nssrenam.h" |
| 231 #include "nss.h" | 231 #include "nss.h" |
| 232 #include "ssl.h" | 232 #include "ssl.h" |
| 233 -#include "sslproto.h" | 233 -#include "sslproto.h" |
| 234 #include "sslimpl.h" | 234 #include "sslimpl.h" |
| 235 +#include "sslproto.h" | 235 +#include "sslproto.h" |
| 236 #include "pk11pub.h" | 236 #include "pk11pub.h" |
| 237 #ifdef NO_PKCS11_BYPASS | 237 #ifdef NO_PKCS11_BYPASS |
| 238 #include "blapit.h" | 238 #include "blapit.h" |
| 239 diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c | 239 diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c |
| 240 --- a/nss/lib/ssl/sslauth.c» 2014-01-03 19:28:03.550814608 -0800 | 240 --- a/nss/lib/ssl/sslauth.c» 2014-01-17 17:49:26.072517368 -0800 |
| 241 +++ b/nss/lib/ssl/sslauth.c» 2014-01-03 19:30:52.653579045 -0800 | 241 +++ b/nss/lib/ssl/sslauth.c» 2014-01-17 17:52:19.755405924 -0800 |
| 242 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, | 242 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
| 243 return SECSuccess; | 243 return SECSuccess; |
| 244 } | 244 } |
| 245 | 245 |
| 246 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 246 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 247 +/* NEED LOCKS IN HERE. */ | 247 +/* NEED LOCKS IN HERE. */ |
| 248 +SECStatus | 248 +SECStatus |
| 249 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, | 249 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
| 250 + SSLGetPlatformClientAuthData func, | 250 + SSLGetPlatformClientAuthData func, |
| 251 + void *arg) | 251 + void *arg) |
| (...skipping 10 matching lines...) Expand all Loading... |
| 262 + ss->getPlatformClientAuthData = func; | 262 + ss->getPlatformClientAuthData = func; |
| 263 + ss->getPlatformClientAuthDataArg = arg; | 263 + ss->getPlatformClientAuthDataArg = arg; |
| 264 + return SECSuccess; | 264 + return SECSuccess; |
| 265 +} | 265 +} |
| 266 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 266 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 267 + | 267 + |
| 268 /* NEED LOCKS IN HERE. */ | 268 /* NEED LOCKS IN HERE. */ |
| 269 SECStatus | 269 SECStatus |
| 270 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | 270 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
| 271 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h | 271 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
| 272 --- a/nss/lib/ssl/ssl.h»2014-01-03 19:28:03.540814444 -0800 | 272 --- a/nss/lib/ssl/ssl.h»2014-01-17 17:49:26.062517203 -0800 |
| 273 +++ b/nss/lib/ssl/ssl.h»2014-01-03 19:30:52.653579045 -0800 | 273 +++ b/nss/lib/ssl/ssl.h»2014-01-17 17:52:19.755405924 -0800 |
| 274 @@ -503,6 +503,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl | 274 @@ -533,6 +533,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl |
| 275 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, | 275 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
| 276 SSLGetClientAuthData f, void *a); | 276 SSLGetClientAuthData f, void *a); |
| 277 | 277 |
| 278 +/* | 278 +/* |
| 279 + * Prototype for SSL callback to get client auth data from the application, | 279 + * Prototype for SSL callback to get client auth data from the application, |
| 280 + * optionally using the underlying platform's cryptographic primitives. | 280 + * optionally using the underlying platform's cryptographic primitives. |
| 281 + * To use the platform cryptographic primitives, caNames and pRetCerts | 281 + * To use the platform cryptographic primitives, caNames and pRetCerts |
| 282 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. | 282 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. |
| 283 + * Returning SECFailure will cause the socket to send no client certificate. | 283 + * Returning SECFailure will cause the socket to send no client certificate. |
| 284 + * arg - application passed argument | 284 + * arg - application passed argument |
| (...skipping 29 matching lines...) Expand all Loading... |
| 314 + * f - the application's callback that delivers the key and cert | 314 + * f - the application's callback that delivers the key and cert |
| 315 + * a - application specific data | 315 + * a - application specific data |
| 316 + */ | 316 + */ |
| 317 +SSL_IMPORT SECStatus | 317 +SSL_IMPORT SECStatus |
| 318 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, | 318 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, |
| 319 + SSLGetPlatformClientAuthData f, void *a); | 319 + SSLGetPlatformClientAuthData f, void *a); |
| 320 | 320 |
| 321 /* | 321 /* |
| 322 ** SNI extension processing callback function. | 322 ** SNI extension processing callback function. |
| 323 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h | 323 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
| 324 --- a/nss/lib/ssl/sslimpl.h» 2014-01-03 19:30:40.073373382 -0800 | 324 --- a/nss/lib/ssl/sslimpl.h» 2014-01-17 17:52:00.295082288 -0800 |
| 325 +++ b/nss/lib/ssl/sslimpl.h» 2014-01-03 19:30:52.653579045 -0800 | 325 +++ b/nss/lib/ssl/sslimpl.h» 2014-01-17 17:52:19.755405924 -0800 |
| 326 @@ -20,6 +20,7 @@ | 326 @@ -20,6 +20,7 @@ |
| 327 #include "sslerr.h" | 327 #include "sslerr.h" |
| 328 #include "ssl3prot.h" | 328 #include "ssl3prot.h" |
| 329 #include "hasht.h" | 329 #include "hasht.h" |
| 330 +#include "keythi.h" | 330 +#include "keythi.h" |
| 331 #include "nssilock.h" | 331 #include "nssilock.h" |
| 332 #include "pkcs11t.h" | 332 #include "pkcs11t.h" |
| 333 #if defined(XP_UNIX) || defined(XP_BEOS) | 333 #if defined(XP_UNIX) || defined(XP_BEOS) |
| 334 @@ -31,6 +32,15 @@ | 334 @@ -31,6 +32,15 @@ |
| 335 | 335 |
| 336 #include "sslt.h" /* for some formerly private types, now public */ | 336 #include "sslt.h" /* for some formerly private types, now public */ |
| 337 | 337 |
| 338 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 338 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 339 +#if defined(XP_WIN32) | 339 +#if defined(XP_WIN32) |
| 340 +#include <windows.h> | 340 +#include <windows.h> |
| 341 +#include <wincrypt.h> | 341 +#include <wincrypt.h> |
| 342 +#elif defined(XP_MACOSX) | 342 +#elif defined(XP_MACOSX) |
| 343 +#include <Security/Security.h> | 343 +#include <Security/Security.h> |
| 344 +#endif | 344 +#endif |
| 345 +#endif | 345 +#endif |
| 346 + | 346 + |
| 347 /* to make some of these old enums public without namespace pollution, | 347 /* to make some of these old enums public without namespace pollution, |
| 348 ** it was necessary to prepend ssl_ to the names. | 348 ** it was necessary to prepend ssl_ to the names. |
| 349 ** These #defines preserve compatibility with the old code here in libssl. | 349 ** These #defines preserve compatibility with the old code here in libssl. |
| 350 @@ -432,6 +442,14 @@ struct sslGatherStr { | 350 @@ -441,6 +451,14 @@ struct sslGatherStr { |
| 351 #define GS_DATA 3 | 351 #define GS_DATA 3 |
| 352 #define GS_PAD 4 | 352 #define GS_PAD 4 |
| 353 | 353 |
| 354 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) | 354 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
| 355 +typedef PCERT_KEY_CONTEXT PlatformKey; | 355 +typedef PCERT_KEY_CONTEXT PlatformKey; |
| 356 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) | 356 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
| 357 +typedef SecKeyRef PlatformKey; | 357 +typedef SecKeyRef PlatformKey; |
| 358 +#else | 358 +#else |
| 359 +typedef void *PlatformKey; | 359 +typedef void *PlatformKey; |
| 360 +#endif | 360 +#endif |
| 361 + | 361 + |
| 362 | 362 |
| 363 | 363 |
| 364 /* | 364 /* |
| 365 @@ -944,6 +962,10 @@ struct ssl3StateStr { | 365 @@ -953,6 +971,10 @@ struct ssl3StateStr { |
| 366 | 366 |
| 367 CERTCertificate * clientCertificate; /* used by client */ | 367 CERTCertificate * clientCertificate; /* used by client */ |
| 368 SECKEYPrivateKey * clientPrivateKey; /* used by client */ | 368 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
| 369 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not | 369 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not |
| 370 + * defined in order to allow cleaner conditional code. | 370 + * defined in order to allow cleaner conditional code. |
| 371 + * At most one of clientPrivateKey and platformClientKey may be set. */ | 371 + * At most one of clientPrivateKey and platformClientKey may be set. */ |
| 372 + PlatformKey platformClientKey; /* used by client */ | 372 + PlatformKey platformClientKey; /* used by client */ |
| 373 CERTCertificateList *clientCertChain; /* used by client */ | 373 CERTCertificateList *clientCertChain; /* used by client */ |
| 374 PRBool sendEmptyCert; /* used by client */ | 374 PRBool sendEmptyCert; /* used by client */ |
| 375 | 375 |
| 376 @@ -1205,6 +1227,10 @@ const unsigned char * preferredCipher; | 376 @@ -1214,6 +1236,10 @@ const unsigned char * preferredCipher; |
| 377 void *authCertificateArg; | 377 void *authCertificateArg; |
| 378 SSLGetClientAuthData getClientAuthData; | 378 SSLGetClientAuthData getClientAuthData; |
| 379 void *getClientAuthDataArg; | 379 void *getClientAuthDataArg; |
| 380 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 380 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 381 + SSLGetPlatformClientAuthData getPlatformClientAuthData; | 381 + SSLGetPlatformClientAuthData getPlatformClientAuthData; |
| 382 + void *getPlatformClientAuthDataArg; | 382 + void *getPlatformClientAuthDataArg; |
| 383 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 383 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 384 SSLSNISocketConfig sniSocketConfig; | 384 SSLSNISocketConfig sniSocketConfig; |
| 385 void *sniSocketConfigArg; | 385 void *sniSocketConfigArg; |
| 386 SSLBadCertHandler handleBadCert; | 386 SSLBadCertHandler handleBadCert; |
| 387 @@ -1843,6 +1869,26 @@ extern SECStatus ssl_InitSessionCacheLoc | 387 @@ -1852,6 +1878,26 @@ extern SECStatus ssl_InitSessionCacheLoc |
| 388 | 388 |
| 389 extern SECStatus ssl_FreeSessionCacheLocks(void); | 389 extern SECStatus ssl_FreeSessionCacheLocks(void); |
| 390 | 390 |
| 391 +/***************** platform client auth ****************/ | 391 +/***************** platform client auth ****************/ |
| 392 + | 392 + |
| 393 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 393 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 394 +// Releases the platform key. | 394 +// Releases the platform key. |
| 395 +extern void ssl_FreePlatformKey(PlatformKey key); | 395 +extern void ssl_FreePlatformKey(PlatformKey key); |
| 396 + | 396 + |
| 397 +// Implement the client CertificateVerify message for SSL3/TLS1.0 | 397 +// Implement the client CertificateVerify message for SSL3/TLS1.0 |
| 398 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, | 398 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
| 399 + PlatformKey key, SECItem *buf, | 399 + PlatformKey key, SECItem *buf, |
| 400 + PRBool isTLS, KeyType keyType); | 400 + PRBool isTLS, KeyType keyType); |
| 401 + | 401 + |
| 402 +// Converts a CERTCertList* (A collection of CERTCertificates) into a | 402 +// Converts a CERTCertList* (A collection of CERTCertificates) into a |
| 403 +// CERTCertificateList* (A collection of SECItems), or returns NULL if | 403 +// CERTCertificateList* (A collection of SECItems), or returns NULL if |
| 404 +// it cannot be converted. | 404 +// it cannot be converted. |
| 405 +// This is to allow the platform-supplied chain to be created with purely | 405 +// This is to allow the platform-supplied chain to be created with purely |
| 406 +// public API functions, using the preferred CERTCertList mutators, rather | 406 +// public API functions, using the preferred CERTCertList mutators, rather |
| 407 +// pushing this hack to clients. | 407 +// pushing this hack to clients. |
| 408 +extern CERTCertificateList* hack_NewCertificateListFromCertList( | 408 +extern CERTCertificateList* hack_NewCertificateListFromCertList( |
| 409 + CERTCertList* list); | 409 + CERTCertList* list); |
| 410 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 410 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 411 | 411 |
| 412 /**************** DTLS-specific functions **************/ | 412 /**************** DTLS-specific functions **************/ |
| 413 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); | 413 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); |
| 414 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c | 414 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
| 415 --- a/nss/lib/ssl/sslsock.c» 2014-01-03 19:28:03.560814773 -0800 | 415 --- a/nss/lib/ssl/sslsock.c» 2014-01-17 17:49:40.942764689 -0800 |
| 416 +++ b/nss/lib/ssl/sslsock.c» 2014-01-03 19:30:52.653579045 -0800 | 416 +++ b/nss/lib/ssl/sslsock.c» 2014-01-17 17:52:19.755405924 -0800 |
| 417 @@ -261,6 +261,10 @@ ssl_DupSocket(sslSocket *os) | 417 @@ -263,6 +263,10 @@ ssl_DupSocket(sslSocket *os) |
| 418 ss->authCertificateArg = os->authCertificateArg; | 418 ss->authCertificateArg = os->authCertificateArg; |
| 419 ss->getClientAuthData = os->getClientAuthData; | 419 ss->getClientAuthData = os->getClientAuthData; |
| 420 ss->getClientAuthDataArg = os->getClientAuthDataArg; | 420 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
| 421 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 421 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 422 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 422 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
| 423 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; | 423 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; |
| 424 +#endif | 424 +#endif |
| 425 ss->sniSocketConfig = os->sniSocketConfig; | 425 ss->sniSocketConfig = os->sniSocketConfig; |
| 426 ss->sniSocketConfigArg = os->sniSocketConfigArg; | 426 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
| 427 ss->handleBadCert = os->handleBadCert; | 427 ss->handleBadCert = os->handleBadCert; |
| 428 @@ -1645,6 +1649,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile | 428 @@ -1667,6 +1671,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
| 429 ss->getClientAuthData = sm->getClientAuthData; | 429 ss->getClientAuthData = sm->getClientAuthData; |
| 430 if (sm->getClientAuthDataArg) | 430 if (sm->getClientAuthDataArg) |
| 431 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 431 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
| 432 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 432 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 433 + if (sm->getPlatformClientAuthData) | 433 + if (sm->getPlatformClientAuthData) |
| 434 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; | 434 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
| 435 + if (sm->getPlatformClientAuthDataArg) | 435 + if (sm->getPlatformClientAuthDataArg) |
| 436 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; | 436 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
| 437 +#endif | 437 +#endif |
| 438 if (sm->sniSocketConfig) | 438 if (sm->sniSocketConfig) |
| 439 ss->sniSocketConfig = sm->sniSocketConfig; | 439 ss->sniSocketConfig = sm->sniSocketConfig; |
| 440 if (sm->sniSocketConfigArg) | 440 if (sm->sniSocketConfigArg) |
| 441 @@ -2899,6 +2909,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto | 441 @@ -2921,6 +2931,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto |
| 442 ss->sniSocketConfig = NULL; | 442 ss->sniSocketConfig = NULL; |
| 443 ss->sniSocketConfigArg = NULL; | 443 ss->sniSocketConfigArg = NULL; |
| 444 ss->getClientAuthData = NULL; | 444 ss->getClientAuthData = NULL; |
| 445 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 445 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 446 + ss->getPlatformClientAuthData = NULL; | 446 + ss->getPlatformClientAuthData = NULL; |
| 447 + ss->getPlatformClientAuthDataArg = NULL; | 447 + ss->getPlatformClientAuthDataArg = NULL; |
| 448 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 448 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 449 ss->handleBadCert = NULL; | 449 ss->handleBadCert = NULL; |
| 450 ss->badCertArg = NULL; | 450 ss->badCertArg = NULL; |
| 451 ss->pkcs11PinArg = NULL; | 451 ss->pkcs11PinArg = NULL; |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 142283002:
Update net/third_party/nss to NSS_3_15_5_BETA2. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/