| OLD | NEW |
|---|
| 1 diff --git a/ssl/ssl.h b/ssl/ssl.h | 1 diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h |
| 2 index 91a47a6..4e7d52e 100644 | 2 index 2a52769..48fa018 100644 |
| 3 --- a/ssl/ssl.h | 3 --- a/lib/ssl/ssl.h |
| 4 +++ b/ssl/ssl.h | 4 +++ b/lib/ssl/ssl.h |
| 5 @@ -543,6 +543,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void
*arg, | 5 @@ -636,6 +636,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void
*arg, |
| 6 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, | 6 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
| 7 SSLGetClientAuthData f, void *a); | 7 SSLGetClientAuthData f, void *a); |
| 8 | 8 |
| 9 +/* | 9 +/* |
| 10 + * Prototype for SSL callback to get client auth data from the application, | 10 + * Prototype for SSL callback to get client auth data from the application, |
| 11 + * optionally using the underlying platform's cryptographic primitives. | 11 + * optionally using the underlying platform's cryptographic primitives. |
| 12 + * To use the platform cryptographic primitives, caNames and pRetCerts | 12 + * To use the platform cryptographic primitives, caNames and pRetCerts |
| 13 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. | 13 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. |
| 14 + * Returning SECFailure will cause the socket to send no client certificate. | 14 + * Returning SECFailure will cause the socket to send no client certificate. |
| 15 + * arg - application passed argument | 15 + * arg - application passed argument |
| (...skipping 28 matching lines...) Expand all Loading... |
| 44 + * fd - the file descriptor for the connection in question | 44 + * fd - the file descriptor for the connection in question |
| 45 + * f - the application's callback that delivers the key and cert | 45 + * f - the application's callback that delivers the key and cert |
| 46 + * a - application specific data | 46 + * a - application specific data |
| 47 + */ | 47 + */ |
| 48 +SSL_IMPORT SECStatus | 48 +SSL_IMPORT SECStatus |
| 49 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, | 49 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, |
| 50 + SSLGetPlatformClientAuthData f, void *a); | 50 + SSLGetPlatformClientAuthData f, void *a); |
| 51 | 51 |
| 52 /* | 52 /* |
| 53 ** SNI extension processing callback function. | 53 ** SNI extension processing callback function. |
| 54 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c | 54 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
| 55 index 60af5b0..b9014ef 100644 | 55 index 9aaf601..cc193cd 100644 |
| 56 --- a/ssl/ssl3con.c | 56 --- a/lib/ssl/ssl3con.c |
| 57 +++ b/ssl/ssl3con.c | 57 +++ b/lib/ssl/ssl3con.c |
| 58 @@ -2503,6 +2503,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { | 58 @@ -2530,6 +2530,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
| 59 PRBool isPresent = PR_TRUE; | 59 PRBool isPresent = PR_TRUE; |
| 60 | 60 |
| 61 /* we only care if we are doing client auth */ | 61 /* we only care if we are doing client auth */ |
| 62 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 62 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
| 63 + * used, u.ssl3.clAuthValid will be false and this function will always | 63 + * used, u.ssl3.clAuthValid will be false and this function will always |
| 64 + * return PR_TRUE. */ | 64 + * return PR_TRUE. */ |
| 65 if (!sid || !sid->u.ssl3.clAuthValid) { | 65 if (!sid || !sid->u.ssl3.clAuthValid) { |
| 66 return PR_TRUE; | 66 return PR_TRUE; |
| 67 } | 67 } |
| 68 @@ -6178,25 +6181,36 @@ ssl3_SendCertificateVerify(sslSocket *ss) | 68 @@ -6352,25 +6355,36 @@ ssl3_SendCertificateVerify(sslSocket *ss) |
| 69 | 69 |
| 70 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 70 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 71 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 71 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
| 72 - keyType = ss->ssl3.clientPrivateKey->keyType; | 72 - keyType = ss->ssl3.clientPrivateKey->keyType; |
| 73 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 73 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
| 74 - if (rv == SECSuccess) { | 74 - if (rv == SECSuccess) { |
| 75 - PK11SlotInfo * slot; | 75 - PK11SlotInfo * slot; |
| 76 - sslSessionID * sid = ss->sec.ci.sid; | 76 - sslSessionID * sid = ss->sec.ci.sid; |
| 77 + if (ss->ssl3.platformClientKey) { | 77 + if (ss->ssl3.platformClientKey) { |
| 78 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 78 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 112 + PK11_FreeSlot(slot); | 112 + PK11_FreeSlot(slot); |
| 113 + } | 113 + } |
| 114 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 114 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 115 + ss->ssl3.clientPrivateKey = NULL; | 115 + ss->ssl3.clientPrivateKey = NULL; |
| 116 } | 116 } |
| 117 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 117 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 118 - ss->ssl3.clientPrivateKey = NULL; | 118 - ss->ssl3.clientPrivateKey = NULL; |
| 119 if (rv != SECSuccess) { | 119 if (rv != SECSuccess) { |
| 120 goto done; /* err code was set by ssl3_SignHashes */ | 120 goto done; /* err code was set by ssl3_SignHashes */ |
| 121 } | 121 } |
| 122 @@ -6275,6 +6289,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) | 122 @@ -6449,6 +6463,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) |
| 123 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 123 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 124 ss->ssl3.clientPrivateKey = NULL; | 124 ss->ssl3.clientPrivateKey = NULL; |
| 125 } | 125 } |
| 126 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 126 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 127 + if (ss->ssl3.platformClientKey) { | 127 + if (ss->ssl3.platformClientKey) { |
| 128 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 128 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 129 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 129 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 130 + } | 130 + } |
| 131 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 131 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 132 | 132 |
| 133 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 133 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 134 if (temp < 0) { | 134 if (temp < 0) { |
| 135 @@ -6904,6 +6924,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, | 135 @@ -7109,6 +7129,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, |
| 136 goto done; | 136 goto done; |
| 137 } | 137 } |
| 138 | 138 |
| 139 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) | 139 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) |
| 140 + /* If the key is in CAPI, assume conservatively that the CAPI service | 140 + /* If the key is in CAPI, assume conservatively that the CAPI service |
| 141 + * provider may be unable to sign SHA-256 hashes. | 141 + * provider may be unable to sign SHA-256 hashes. |
| 142 + */ | 142 + */ |
| 143 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { | 143 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { |
| 144 + /* CAPI only supports RSA and DSA signatures, so we don't need to | 144 + /* CAPI only supports RSA and DSA signatures, so we don't need to |
| 145 + * check the key type. */ | 145 + * check the key type. */ |
| 146 + *preferSha1 = PR_TRUE; | 146 + *preferSha1 = PR_TRUE; |
| 147 + goto done; | 147 + goto done; |
| 148 + } | 148 + } |
| 149 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ | 149 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ |
| 150 + | 150 + |
| 151 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that | 151 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that |
| 152 * it may be unable to sign SHA-256 hashes. This is the case for older | 152 * it may be unable to sign SHA-256 hashes. This is the case for older |
| 153 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and | 153 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and |
| 154 @@ -7002,6 +7034,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) | 154 @@ -7207,6 +7239,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) |
| 155 SECItem cert_types = {siBuffer, NULL, 0}; | 155 SECItem cert_types = {siBuffer, NULL, 0}; |
| 156 SECItem algorithms = {siBuffer, NULL, 0}; | 156 SECItem algorithms = {siBuffer, NULL, 0}; |
| 157 CERTDistNames ca_list; | 157 CERTDistNames ca_list; |
| 158 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 158 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 159 + CERTCertList * platform_cert_list = NULL; | 159 + CERTCertList * platform_cert_list = NULL; |
| 160 + CERTCertListNode * certNode = NULL; | 160 + CERTCertListNode * certNode = NULL; |
| 161 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 161 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 162 | 162 |
| 163 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", | 163 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
| 164 SSL_GETPID(), ss->fd)); | 164 SSL_GETPID(), ss->fd)); |
| 165 @@ -7017,6 +7053,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b
, PRUint32 length) | 165 @@ -7222,6 +7258,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b
, PRUint32 length) |
| 166 PORT_Assert(ss->ssl3.clientCertChain == NULL); | 166 PORT_Assert(ss->ssl3.clientCertChain == NULL); |
| 167 PORT_Assert(ss->ssl3.clientCertificate == NULL); | 167 PORT_Assert(ss->ssl3.clientCertificate == NULL); |
| 168 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); | 168 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
| 169 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); | 169 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
| 170 | 170 |
| 171 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 171 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 172 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 172 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
| 173 @@ -7096,6 +7133,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) | 173 @@ -7301,6 +7338,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) |
| 174 desc = no_certificate; | 174 desc = no_certificate; |
| 175 ss->ssl3.hs.ws = wait_hello_done; | 175 ss->ssl3.hs.ws = wait_hello_done; |
| 176 | 176 |
| 177 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 177 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 178 + if (ss->getPlatformClientAuthData != NULL) { | 178 + if (ss->getPlatformClientAuthData != NULL) { |
| 179 + /* XXX Should pass cert_types and algorithms in this call!! */ | 179 + /* XXX Should pass cert_types and algorithms in this call!! */ |
| 180 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 180 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
| 181 + ss->getPlatformClientAuthDataArg, | 181 + ss->getPlatformClientAuthDataArg, |
| 182 + ss->fd, &ca_list, | 182 + ss->fd, &ca_list, |
| 183 + &platform_cert_list, | 183 + &platform_cert_list, |
| 184 + (void**)&ss->ssl3.platformClientKey, | 184 + (void**)&ss->ssl3.platformClientKey, |
| 185 + &ss->ssl3.clientCertificate, | 185 + &ss->ssl3.clientCertificate, |
| 186 + &ss->ssl3.clientPrivateKey); | 186 + &ss->ssl3.clientPrivateKey); |
| 187 + } else | 187 + } else |
| 188 +#endif | 188 +#endif |
| 189 if (ss->getClientAuthData != NULL) { | 189 if (ss->getClientAuthData != NULL) { |
| 190 » /* XXX Should pass cert_types and algorithms in this call!! */ | 190 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 191 » rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, | 191 ssl_preinfo_all); |
| 192 @@ -7105,12 +7154,55 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque
*b, PRUint32 length) | 192 @@ -7312,12 +7361,55 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque
*b, PRUint32 length) |
| 193 } else { | 193 } else { |
| 194 rv = SECFailure; /* force it to send a no_certificate alert */ | 194 rv = SECFailure; /* force it to send a no_certificate alert */ |
| 195 } | 195 } |
| 196 + | 196 + |
| 197 switch (rv) { | 197 switch (rv) { |
| 198 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ | 198 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
| 199 ssl3_SetAlwaysBlock(ss); | 199 ssl3_SetAlwaysBlock(ss); |
| 200 break; /* not an error */ | 200 break; /* not an error */ |
| 201 | 201 |
| 202 case SECSuccess: | 202 case SECSuccess: |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 238 + } | 238 + } |
| 239 + if (ss->ssl3.hs.hashType == handshake_hash_single) { | 239 + if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 240 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); | 240 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); |
| 241 + } | 241 + } |
| 242 + break; /* not an error */ | 242 + break; /* not an error */ |
| 243 + } | 243 + } |
| 244 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 244 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 245 /* check what the callback function returned */ | 245 /* check what the callback function returned */ |
| 246 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 246 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
| 247 /* we are missing either the key or cert */ | 247 /* we are missing either the key or cert */ |
| 248 @@ -7172,6 +7264,10 @@ loser: | 248 @@ -7379,6 +7471,10 @@ loser: |
| 249 done: | 249 done: |
| 250 if (arena != NULL) | 250 if (arena != NULL) |
| 251 PORT_FreeArena(arena, PR_FALSE); | 251 PORT_FreeArena(arena, PR_FALSE); |
| 252 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 252 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 253 + if (platform_cert_list) | 253 + if (platform_cert_list) |
| 254 + CERT_DestroyCertList(platform_cert_list); | 254 + CERT_DestroyCertList(platform_cert_list); |
| 255 +#endif | 255 +#endif |
| 256 return rv; | 256 return rv; |
| 257 } | 257 } |
| 258 | 258 |
| 259 @@ -7288,7 +7384,8 @@ ssl3_SendClientSecondRound(sslSocket *ss) | 259 @@ -7497,7 +7593,8 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
| 260 | 260 |
| 261 sendClientCert = !ss->ssl3.sendEmptyCert && | 261 sendClientCert = !ss->ssl3.sendEmptyCert && |
| 262 ss->ssl3.clientCertChain != NULL && | 262 ss->ssl3.clientCertChain != NULL && |
| 263 - ss->ssl3.clientPrivateKey != NULL; | 263 - ss->ssl3.clientPrivateKey != NULL; |
| 264 + (ss->ssl3.platformClientKey || | 264 + (ss->ssl3.platformClientKey || |
| 265 + ss->ssl3.clientPrivateKey != NULL); | 265 + ss->ssl3.clientPrivateKey != NULL); |
| 266 | 266 |
| 267 if (!sendClientCert && | 267 if (!sendClientCert && |
| 268 ss->ssl3.hs.hashType == handshake_hash_single && | 268 ss->ssl3.hs.hashType == handshake_hash_single && |
| 269 @@ -12148,6 +12245,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 269 @@ -12910,6 +13007,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| 270 | 270 |
| 271 if (ss->ssl3.clientPrivateKey != NULL) | 271 if (ss->ssl3.clientPrivateKey != NULL) |
| 272 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 272 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 273 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 273 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 274 + if (ss->ssl3.platformClientKey) | 274 + if (ss->ssl3.platformClientKey) |
| 275 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 275 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 276 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 276 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 277 | 277 |
| 278 if (ss->ssl3.peerCertArena != NULL) | 278 if (ss->ssl3.peerCertArena != NULL) |
| 279 ssl3_CleanupPeerCerts(ss); | 279 ssl3_CleanupPeerCerts(ss); |
| 280 diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c | 280 diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c |
| 281 index 28d21c4..0a2288a 100644 | 281 index cf04aba..5661a5c 100644 |
| 282 --- a/ssl/ssl3ext.c | 282 --- a/lib/ssl/ssl3ext.c |
| 283 +++ b/ssl/ssl3ext.c | 283 +++ b/lib/ssl/ssl3ext.c |
| 284 @@ -11,8 +11,8 @@ | 284 @@ -11,8 +11,8 @@ |
| 285 #include "nssrenam.h" | 285 #include "nssrenam.h" |
| 286 #include "nss.h" | 286 #include "nss.h" |
| 287 #include "ssl.h" | 287 #include "ssl.h" |
| 288 -#include "sslproto.h" | 288 -#include "sslproto.h" |
| 289 #include "sslimpl.h" | 289 #include "sslimpl.h" |
| 290 +#include "sslproto.h" | 290 +#include "sslproto.h" |
| 291 #include "pk11pub.h" | 291 #include "pk11pub.h" |
| 292 #ifdef NO_PKCS11_BYPASS | 292 #ifdef NO_PKCS11_BYPASS |
| 293 #include "blapit.h" | 293 #include "blapit.h" |
| 294 diff --git a/ssl/sslauth.c b/ssl/sslauth.c | 294 diff --git a/lib/ssl/sslauth.c b/lib/ssl/sslauth.c |
| 295 index ed74d94..7f9c43b 100644 | 295 index b144336..e6981f0 100644 |
| 296 --- a/ssl/sslauth.c | 296 --- a/lib/ssl/sslauth.c |
| 297 +++ b/ssl/sslauth.c | 297 +++ b/lib/ssl/sslauth.c |
| 298 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthDa
ta func, | 298 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthDa
ta func, |
| 299 return SECSuccess; | 299 return SECSuccess; |
| 300 } | 300 } |
| 301 | 301 |
| 302 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 302 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 303 +/* NEED LOCKS IN HERE. */ | 303 +/* NEED LOCKS IN HERE. */ |
| 304 +SECStatus | 304 +SECStatus |
| 305 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, | 305 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
| 306 + SSLGetPlatformClientAuthData func, | 306 + SSLGetPlatformClientAuthData func, |
| 307 + void *arg) | 307 + void *arg) |
| 308 +{ | 308 +{ |
| 309 + sslSocket *ss; | 309 + sslSocket *ss; |
| 310 + | 310 + |
| 311 + ss = ssl_FindSocket(s); | 311 + ss = ssl_FindSocket(s); |
| 312 + if (!ss) { | 312 + if (!ss) { |
| 313 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", | 313 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", |
| 314 + SSL_GETPID(), s)); | 314 + SSL_GETPID(), s)); |
| 315 + return SECFailure; | 315 + return SECFailure; |
| 316 + } | 316 + } |
| 317 + | 317 + |
| 318 + ss->getPlatformClientAuthData = func; | 318 + ss->getPlatformClientAuthData = func; |
| 319 + ss->getPlatformClientAuthDataArg = arg; | 319 + ss->getPlatformClientAuthDataArg = arg; |
| 320 + return SECSuccess; | 320 + return SECSuccess; |
| 321 +} | 321 +} |
| 322 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 322 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 323 + | 323 + |
| 324 /* NEED LOCKS IN HERE. */ | 324 /* NEED LOCKS IN HERE. */ |
| 325 SECStatus | 325 SECStatus |
| 326 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | 326 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
| 327 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h | 327 diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
| 328 index 086f6d2..bbc9bd2 100644 | 328 index 9dcc29e..94bb9f4 100644 |
| 329 --- a/ssl/sslimpl.h | 329 --- a/lib/ssl/sslimpl.h |
| 330 +++ b/ssl/sslimpl.h | 330 +++ b/lib/ssl/sslimpl.h |
| 331 @@ -20,6 +20,7 @@ | 331 @@ -21,6 +21,7 @@ |
| 332 #include "sslerr.h" | 332 #include "sslerr.h" |
| 333 #include "ssl3prot.h" | 333 #include "ssl3prot.h" |
| 334 #include "hasht.h" | 334 #include "hasht.h" |
| 335 +#include "keythi.h" | 335 +#include "keythi.h" |
| 336 #include "nssilock.h" | 336 #include "nssilock.h" |
| 337 #include "pkcs11t.h" | 337 #include "pkcs11t.h" |
| 338 #if defined(XP_UNIX) || defined(XP_BEOS) | 338 #if defined(XP_UNIX) || defined(XP_BEOS) |
| 339 @@ -31,6 +32,15 @@ | 339 @@ -32,6 +33,15 @@ |
| 340 | 340 |
| 341 #include "sslt.h" /* for some formerly private types, now public */ | 341 #include "sslt.h" /* for some formerly private types, now public */ |
| 342 | 342 |
| 343 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 343 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 344 +#if defined(XP_WIN32) | 344 +#if defined(XP_WIN32) |
| 345 +#include <windows.h> | 345 +#include <windows.h> |
| 346 +#include <wincrypt.h> | 346 +#include <wincrypt.h> |
| 347 +#elif defined(XP_MACOSX) | 347 +#elif defined(XP_MACOSX) |
| 348 +#include <Security/Security.h> | 348 +#include <Security/Security.h> |
| 349 +#endif | 349 +#endif |
| 350 +#endif | 350 +#endif |
| 351 + | 351 + |
| 352 /* to make some of these old enums public without namespace pollution, | 352 /* to make some of these old enums public without namespace pollution, |
| 353 ** it was necessary to prepend ssl_ to the names. | 353 ** it was necessary to prepend ssl_ to the names. |
| 354 ** These #defines preserve compatibility with the old code here in libssl. | 354 ** These #defines preserve compatibility with the old code here in libssl. |
| 355 @@ -443,6 +453,14 @@ struct sslGatherStr { | 355 @@ -453,6 +463,14 @@ struct sslGatherStr { |
| 356 #define GS_DATA 3 | 356 #define GS_DATA 3 |
| 357 #define GS_PAD 4 | 357 #define GS_PAD 4 |
| 358 | 358 |
| 359 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) | 359 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
| 360 +typedef PCERT_KEY_CONTEXT PlatformKey; | 360 +typedef PCERT_KEY_CONTEXT PlatformKey; |
| 361 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) | 361 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
| 362 +typedef SecKeyRef PlatformKey; | 362 +typedef SecKeyRef PlatformKey; |
| 363 +#else | 363 +#else |
| 364 +typedef void *PlatformKey; | 364 +typedef void *PlatformKey; |
| 365 +#endif | 365 +#endif |
| 366 + | 366 + |
| 367 | 367 |
| 368 | 368 |
| 369 /* | 369 /* |
| 370 @@ -961,6 +979,10 @@ struct ssl3StateStr { | 370 @@ -974,6 +992,10 @@ struct ssl3StateStr { |
| 371 | 371 |
| 372 CERTCertificate * clientCertificate; /* used by client */ | 372 CERTCertificate * clientCertificate; /* used by client */ |
| 373 SECKEYPrivateKey * clientPrivateKey; /* used by client */ | 373 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
| 374 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not | 374 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not |
| 375 + * defined in order to allow cleaner conditional code. | 375 + * defined in order to allow cleaner conditional code. |
| 376 + * At most one of clientPrivateKey and platformClientKey may be set. */ | 376 + * At most one of clientPrivateKey and platformClientKey may be set. */ |
| 377 + PlatformKey platformClientKey; /* used by client */ | 377 + PlatformKey platformClientKey; /* used by client */ |
| 378 CERTCertificateList *clientCertChain; /* used by client */ | 378 CERTCertificateList *clientCertChain; /* used by client */ |
| 379 PRBool sendEmptyCert; /* used by client */ | 379 PRBool sendEmptyCert; /* used by client */ |
| 380 | 380 |
| 381 @@ -1223,6 +1245,10 @@ const unsigned char * preferredCipher; | 381 @@ -1253,6 +1275,10 @@ const unsigned char * preferredCipher; |
| 382 void *authCertificateArg; | 382 void *authCertificateArg; |
| 383 SSLGetClientAuthData getClientAuthData; | 383 SSLGetClientAuthData getClientAuthData; |
| 384 void *getClientAuthDataArg; | 384 void *getClientAuthDataArg; |
| 385 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 385 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 386 + SSLGetPlatformClientAuthData getPlatformClientAuthData; | 386 + SSLGetPlatformClientAuthData getPlatformClientAuthData; |
| 387 + void *getPlatformClientAuthDataArg; | 387 + void *getPlatformClientAuthDataArg; |
| 388 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 388 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 389 SSLSNISocketConfig sniSocketConfig; | 389 SSLSNISocketConfig sniSocketConfig; |
| 390 void *sniSocketConfigArg; | 390 void *sniSocketConfigArg; |
| 391 SSLBadCertHandler handleBadCert; | 391 SSLBadCertHandler handleBadCert; |
| 392 @@ -1863,6 +1889,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyIni
t); | 392 @@ -1896,6 +1922,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyIni
t); |
| 393 | 393 |
| 394 extern SECStatus ssl_FreeSessionCacheLocks(void); | 394 extern SECStatus ssl_FreeSessionCacheLocks(void); |
| 395 | 395 |
| 396 +/***************** platform client auth ****************/ | 396 +/***************** platform client auth ****************/ |
| 397 + | 397 + |
| 398 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 398 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 399 +// Releases the platform key. | 399 +// Releases the platform key. |
| 400 +extern void ssl_FreePlatformKey(PlatformKey key); | 400 +extern void ssl_FreePlatformKey(PlatformKey key); |
| 401 + | 401 + |
| 402 +// Implement the client CertificateVerify message for SSL3/TLS1.0 | 402 +// Implement the client CertificateVerify message for SSL3/TLS1.0 |
| 403 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, | 403 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
| 404 + PlatformKey key, SECItem *buf, | 404 + PlatformKey key, SECItem *buf, |
| 405 + PRBool isTLS, KeyType keyType); | 405 + PRBool isTLS, KeyType keyType); |
| 406 + | 406 + |
| 407 +// Converts a CERTCertList* (A collection of CERTCertificates) into a | 407 +// Converts a CERTCertList* (A collection of CERTCertificates) into a |
| 408 +// CERTCertificateList* (A collection of SECItems), or returns NULL if | 408 +// CERTCertificateList* (A collection of SECItems), or returns NULL if |
| 409 +// it cannot be converted. | 409 +// it cannot be converted. |
| 410 +// This is to allow the platform-supplied chain to be created with purely | 410 +// This is to allow the platform-supplied chain to be created with purely |
| 411 +// public API functions, using the preferred CERTCertList mutators, rather | 411 +// public API functions, using the preferred CERTCertList mutators, rather |
| 412 +// pushing this hack to clients. | 412 +// pushing this hack to clients. |
| 413 +extern CERTCertificateList* hack_NewCertificateListFromCertList( | 413 +extern CERTCertificateList* hack_NewCertificateListFromCertList( |
| 414 + CERTCertList* list); | 414 + CERTCertList* list); |
| 415 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 415 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 416 | 416 |
| 417 /**************** DTLS-specific functions **************/ | 417 /**************** DTLS-specific functions **************/ |
| 418 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); | 418 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); |
| 419 diff --git a/ssl/sslsock.c b/ssl/sslsock.c | 419 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c |
| 420 index 282bb85..6c09992 100644 | 420 index f735009..21754d6 100644 |
| 421 --- a/ssl/sslsock.c | 421 --- a/lib/ssl/sslsock.c |
| 422 +++ b/ssl/sslsock.c | 422 +++ b/lib/ssl/sslsock.c |
| 423 @@ -275,6 +275,10 @@ ssl_DupSocket(sslSocket *os) | 423 @@ -300,6 +300,10 @@ ssl_DupSocket(sslSocket *os) |
| 424 ss->authCertificateArg = os->authCertificateArg; | 424 ss->authCertificateArg = os->authCertificateArg; |
| 425 ss->getClientAuthData = os->getClientAuthData; | 425 ss->getClientAuthData = os->getClientAuthData; |
| 426 ss->getClientAuthDataArg = os->getClientAuthDataArg; | 426 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
| 427 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 427 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 428 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 428 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
| 429 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg
; | 429 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg
; |
| 430 +#endif | 430 +#endif |
| 431 ss->sniSocketConfig = os->sniSocketConfig; | 431 ss->sniSocketConfig = os->sniSocketConfig; |
| 432 ss->sniSocketConfigArg = os->sniSocketConfigArg; | 432 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
| 433 ss->handleBadCert = os->handleBadCert; | 433 ss->handleBadCert = os->handleBadCert; |
| 434 @@ -1709,6 +1713,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) | 434 @@ -1963,6 +1967,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
| 435 ss->getClientAuthData = sm->getClientAuthData; | 435 ss->getClientAuthData = sm->getClientAuthData; |
| 436 if (sm->getClientAuthDataArg) | 436 if (sm->getClientAuthDataArg) |
| 437 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 437 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
| 438 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 438 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 439 + if (sm->getPlatformClientAuthData) | 439 + if (sm->getPlatformClientAuthData) |
| 440 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; | 440 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
| 441 + if (sm->getPlatformClientAuthDataArg) | 441 + if (sm->getPlatformClientAuthDataArg) |
| 442 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; | 442 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
| 443 +#endif | 443 +#endif |
| 444 if (sm->sniSocketConfig) | 444 if (sm->sniSocketConfig) |
| 445 ss->sniSocketConfig = sm->sniSocketConfig; | 445 ss->sniSocketConfig = sm->sniSocketConfig; |
| 446 if (sm->sniSocketConfigArg) | 446 if (sm->sniSocketConfigArg) |
| 447 @@ -2974,6 +2984,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoc
olVariant) | 447 @@ -3232,6 +3242,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoc
olVariant) |
| 448 ss->sniSocketConfig = NULL; | 448 ss->sniSocketConfig = NULL; |
| 449 ss->sniSocketConfigArg = NULL; | 449 ss->sniSocketConfigArg = NULL; |
| 450 ss->getClientAuthData = NULL; | 450 ss->getClientAuthData = NULL; |
| 451 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 451 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 452 + ss->getPlatformClientAuthData = NULL; | 452 + ss->getPlatformClientAuthData = NULL; |
| 453 + ss->getPlatformClientAuthDataArg = NULL; | 453 + ss->getPlatformClientAuthDataArg = NULL; |
| 454 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 454 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 455 ss->handleBadCert = NULL; | 455 ss->handleBadCert = NULL; |
| 456 ss->badCertArg = NULL; | 456 ss->badCertArg = NULL; |
| 457 ss->pkcs11PinArg = NULL; | 457 ss->pkcs11PinArg = NULL; |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1511123006:
Uprev NSS (in libssl) to NSS 3.21 (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master