1 diff --git a/ssl/ssl.h b/ssl/ssl.h | 1 diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h |
2 index 91a47a6..4e7d52e 100644 | 2 index 2a52769..48fa018 100644 |
3 --- a/ssl/ssl.h | 3 --- a/lib/ssl/ssl.h |
4 +++ b/ssl/ssl.h | 4 +++ b/lib/ssl/ssl.h |
5 @@ -543,6 +543,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void
*arg, | 5 @@ -636,6 +636,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void
*arg, |
6 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, | 6 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
7 SSLGetClientAuthData f, void *a); | 7 SSLGetClientAuthData f, void *a); |
8 | 8 |
9 +/* | 9 +/* |
10 + * Prototype for SSL callback to get client auth data from the application, | 10 + * Prototype for SSL callback to get client auth data from the application, |
11 + * optionally using the underlying platform's cryptographic primitives. | 11 + * optionally using the underlying platform's cryptographic primitives. |
12 + * To use the platform cryptographic primitives, caNames and pRetCerts | 12 + * To use the platform cryptographic primitives, caNames and pRetCerts |
13 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. | 13 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. |
14 + * Returning SECFailure will cause the socket to send no client certificate. | 14 + * Returning SECFailure will cause the socket to send no client certificate. |
15 + * arg - application passed argument | 15 + * arg - application passed argument |
44 + * fd - the file descriptor for the connection in question | 44 + * fd - the file descriptor for the connection in question |
45 + * f - the application's callback that delivers the key and cert | 45 + * f - the application's callback that delivers the key and cert |
46 + * a - application specific data | 46 + * a - application specific data |
47 + */ | 47 + */ |
48 +SSL_IMPORT SECStatus | 48 +SSL_IMPORT SECStatus |
49 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, | 49 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, |
50 + SSLGetPlatformClientAuthData f, void *a); | 50 + SSLGetPlatformClientAuthData f, void *a); |
51 | 51 |
52 /* | 52 /* |
53 ** SNI extension processing callback function. | 53 ** SNI extension processing callback function. |
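Review bot: The new SSL_GetPlatformClientAuthDataHook declaration at rows 48-50 is not wrapped in `#ifdef NSS_PLATFORM_CLIENT_AUTH`, while its definition in sslauth.c (rows 302-322) is; an application that compiles against this public header on a build without the define will only discover the missing symbol at link time. Either guard the declaration the same way or say so in the comment block, e.g. `This entry point only exists when libssl is built with NSS_PLATFORM_CLIENT_AUTH.`. The visible comment (rows 12-16) also does not state who owns the objects the callback returns, although ssl3con.c releases them itself via ssl_FreePlatformKey and CERT_DestroyCertList (rows 128 and 254 there); the elided rows 16-43 may already cover this. The SSLGetPlatformClientAuthData typedef that the prototype references is in the elided rows, so its guarding could not be checked.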
54 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c | 54 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
55 index 60af5b0..b9014ef 100644 | 55 index 9aaf601..cc193cd 100644 |
56 --- a/ssl/ssl3con.c | 56 --- a/lib/ssl/ssl3con.c |
57 +++ b/ssl/ssl3con.c | 57 +++ b/lib/ssl/ssl3con.c |
58 @@ -2503,6 +2503,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { | 58 @@ -2530,6 +2530,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
59 PRBool isPresent = PR_TRUE; | 59 PRBool isPresent = PR_TRUE; |
60 | 60 |
61 /* we only care if we are doing client auth */ | 61 /* we only care if we are doing client auth */ |
62 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 62 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
63 + * used, u.ssl3.clAuthValid will be false and this function will always | 63 + * used, u.ssl3.clAuthValid will be false and this function will always |
64 + * return PR_TRUE. */ | 64 + * return PR_TRUE. */ |
65 if (!sid || !sid->u.ssl3.clAuthValid) { | 65 if (!sid || !sid->u.ssl3.clAuthValid) { |
66 return PR_TRUE; | 66 return PR_TRUE; |
67 } | 67 } |
68 @@ -6178,25 +6181,36 @@ ssl3_SendCertificateVerify(sslSocket *ss) | 68 @@ -6352,25 +6355,36 @@ ssl3_SendCertificateVerify(sslSocket *ss) |
69 | 69 |
70 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 70 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
71 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 71 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
72 - keyType = ss->ssl3.clientPrivateKey->keyType; | 72 - keyType = ss->ssl3.clientPrivateKey->keyType; |
73 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 73 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
74 - if (rv == SECSuccess) { | 74 - if (rv == SECSuccess) { |
75 - PK11SlotInfo * slot; | 75 - PK11SlotInfo * slot; |
76 - sslSessionID * sid = ss->sec.ci.sid; | 76 - sslSessionID * sid = ss->sec.ci.sid; |
77 + if (ss->ssl3.platformClientKey) { | 77 + if (ss->ssl3.platformClientKey) { |
78 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 78 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
112 + PK11_FreeSlot(slot); | 112 + PK11_FreeSlot(slot); |
113 + } | 113 + } |
114 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 114 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
115 + ss->ssl3.clientPrivateKey = NULL; | 115 + ss->ssl3.clientPrivateKey = NULL; |
116 } | 116 } |
117 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 117 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
118 - ss->ssl3.clientPrivateKey = NULL; | 118 - ss->ssl3.clientPrivateKey = NULL; |
119 if (rv != SECSuccess) { | 119 if (rv != SECSuccess) { |
120 goto done; /* err code was set by ssl3_SignHashes */ | 120 goto done; /* err code was set by ssl3_SignHashes */ |
121 } | 121 } |
122 @@ -6275,6 +6289,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) | 122 @@ -6449,6 +6463,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) |
123 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 123 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
124 ss->ssl3.clientPrivateKey = NULL; | 124 ss->ssl3.clientPrivateKey = NULL; |
125 } | 125 } |
126 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 126 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
127 + if (ss->ssl3.platformClientKey) { | 127 + if (ss->ssl3.platformClientKey) { |
128 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 128 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
129 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 129 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
130 + } | 130 + } |
131 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 131 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
132 | 132 |
133 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 133 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
134 if (temp < 0) { | 134 if (temp < 0) { |
135 @@ -6904,6 +6924,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, | 135 @@ -7109,6 +7129,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, |
136 goto done; | 136 goto done; |
137 } | 137 } |
138 | 138 |
139 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) | 139 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) |
140 + /* If the key is in CAPI, assume conservatively that the CAPI service | 140 + /* If the key is in CAPI, assume conservatively that the CAPI service |
141 + * provider may be unable to sign SHA-256 hashes. | 141 + * provider may be unable to sign SHA-256 hashes. |
142 + */ | 142 + */ |
143 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { | 143 + if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { |
144 + /* CAPI only supports RSA and DSA signatures, so we don't need to | 144 + /* CAPI only supports RSA and DSA signatures, so we don't need to |
145 + * check the key type. */ | 145 + * check the key type. */ |
146 + *preferSha1 = PR_TRUE; | 146 + *preferSha1 = PR_TRUE; |
147 + goto done; | 147 + goto done; |
148 + } | 148 + } |
149 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ | 149 +#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ |
150 + | 150 + |
151 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that | 151 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that |
152 * it may be unable to sign SHA-256 hashes. This is the case for older | 152 * it may be unable to sign SHA-256 hashes. This is the case for older |
153 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and | 153 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and |
154 @@ -7002,6 +7034,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) | 154 @@ -7207,6 +7239,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) |
155 SECItem cert_types = {siBuffer, NULL, 0}; | 155 SECItem cert_types = {siBuffer, NULL, 0}; |
156 SECItem algorithms = {siBuffer, NULL, 0}; | 156 SECItem algorithms = {siBuffer, NULL, 0}; |
157 CERTDistNames ca_list; | 157 CERTDistNames ca_list; |
158 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 158 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
159 + CERTCertList * platform_cert_list = NULL; | 159 + CERTCertList * platform_cert_list = NULL; |
160 + CERTCertListNode * certNode = NULL; | 160 + CERTCertListNode * certNode = NULL; |
161 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 161 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
162 | 162 |
163 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", | 163 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
164 SSL_GETPID(), ss->fd)); | 164 SSL_GETPID(), ss->fd)); |
165 @@ -7017,6 +7053,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b
, PRUint32 length) | 165 @@ -7222,6 +7258,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b
, PRUint32 length) |
166 PORT_Assert(ss->ssl3.clientCertChain == NULL); | 166 PORT_Assert(ss->ssl3.clientCertChain == NULL); |
167 PORT_Assert(ss->ssl3.clientCertificate == NULL); | 167 PORT_Assert(ss->ssl3.clientCertificate == NULL); |
168 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); | 168 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
169 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); | 169 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
170 | 170 |
171 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 171 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
172 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; | 172 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2)
; |
173 @@ -7096,6 +7133,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) | 173 @@ -7301,6 +7338,18 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *
b, PRUint32 length) |
174 desc = no_certificate; | 174 desc = no_certificate; |
175 ss->ssl3.hs.ws = wait_hello_done; | 175 ss->ssl3.hs.ws = wait_hello_done; |
176 | 176 |
177 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 177 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
178 + if (ss->getPlatformClientAuthData != NULL) { | 178 + if (ss->getPlatformClientAuthData != NULL) { |
179 + /* XXX Should pass cert_types and algorithms in this call!! */ | 179 + /* XXX Should pass cert_types and algorithms in this call!! */ |
180 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 180 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
181 + ss->getPlatformClientAuthDataArg, | 181 + ss->getPlatformClientAuthDataArg, |
182 + ss->fd, &ca_list, | 182 + ss->fd, &ca_list, |
183 + &platform_cert_list, | 183 + &platform_cert_list, |
184 + (void**)&ss->ssl3.platformClientKey, | 184 + (void**)&ss->ssl3.platformClientKey, |
185 + &ss->ssl3.clientCertificate, | 185 + &ss->ssl3.clientCertificate, |
186 + &ss->ssl3.clientPrivateKey); | 186 + &ss->ssl3.clientPrivateKey); |
187 + } else | 187 + } else |
188 +#endif | 188 +#endif |
189 if (ss->getClientAuthData != NULL) { | 189 if (ss->getClientAuthData != NULL) { |
190 » /* XXX Should pass cert_types and algorithms in this call!! */ | 190 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
191 » rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, | 191 ssl_preinfo_all); |
192 @@ -7105,12 +7154,55 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque
*b, PRUint32 length) | 192 @@ -7312,12 +7361,55 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque
*b, PRUint32 length) |
193 } else { | 193 } else { |
194 rv = SECFailure; /* force it to send a no_certificate alert */ | 194 rv = SECFailure; /* force it to send a no_certificate alert */ |
195 } | 195 } |
196 + | 196 + |
197 switch (rv) { | 197 switch (rv) { |
198 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ | 198 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
199 ssl3_SetAlwaysBlock(ss); | 199 ssl3_SetAlwaysBlock(ss); |
200 break; /* not an error */ | 200 break; /* not an error */ |
201 | 201 |
202 case SECSuccess: | 202 case SECSuccess: |
238 + } | 238 + } |
239 + if (ss->ssl3.hs.hashType == handshake_hash_single) { | 239 + if (ss->ssl3.hs.hashType == handshake_hash_single) { |
240 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); | 240 + ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); |
241 + } | 241 + } |
242 + break; /* not an error */ | 242 + break; /* not an error */ |
243 + } | 243 + } |
244 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 244 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
245 /* check what the callback function returned */ | 245 /* check what the callback function returned */ |
246 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 246 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
247 /* we are missing either the key or cert */ | 247 /* we are missing either the key or cert */ |
248 @@ -7172,6 +7264,10 @@ loser: | 248 @@ -7379,6 +7471,10 @@ loser: |
249 done: | 249 done: |
250 if (arena != NULL) | 250 if (arena != NULL) |
251 PORT_FreeArena(arena, PR_FALSE); | 251 PORT_FreeArena(arena, PR_FALSE); |
252 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 252 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
253 + if (platform_cert_list) | 253 + if (platform_cert_list) |
254 + CERT_DestroyCertList(platform_cert_list); | 254 + CERT_DestroyCertList(platform_cert_list); |
255 +#endif | 255 +#endif |
256 return rv; | 256 return rv; |
257 } | 257 } |
258 | 258 |
259 @@ -7288,7 +7384,8 @@ ssl3_SendClientSecondRound(sslSocket *ss) | 259 @@ -7497,7 +7593,8 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
260 | 260 |
261 sendClientCert = !ss->ssl3.sendEmptyCert && | 261 sendClientCert = !ss->ssl3.sendEmptyCert && |
262 ss->ssl3.clientCertChain != NULL && | 262 ss->ssl3.clientCertChain != NULL && |
263 - ss->ssl3.clientPrivateKey != NULL; | 263 - ss->ssl3.clientPrivateKey != NULL; |
264 + (ss->ssl3.platformClientKey || | 264 + (ss->ssl3.platformClientKey || |
265 + ss->ssl3.clientPrivateKey != NULL); | 265 + ss->ssl3.clientPrivateKey != NULL); |
266 | 266 |
267 if (!sendClientCert && | 267 if (!sendClientCert && |
268 ss->ssl3.hs.hashType == handshake_hash_single && | 268 ss->ssl3.hs.hashType == handshake_hash_single && |
269 @@ -12148,6 +12245,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 269 @@ -12910,6 +13007,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
270 | 270 |
271 if (ss->ssl3.clientPrivateKey != NULL) | 271 if (ss->ssl3.clientPrivateKey != NULL) |
272 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 272 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
273 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 273 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
274 + if (ss->ssl3.platformClientKey) | 274 + if (ss->ssl3.platformClientKey) |
275 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 275 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
276 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 276 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
277 | 277 |
278 if (ss->ssl3.peerCertArena != NULL) | 278 if (ss->ssl3.peerCertArena != NULL) |
279 ssl3_CleanupPeerCerts(ss); | 279 ssl3_CleanupPeerCerts(ss); |
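Review bot: In the ssl3_ExtractClientKeyInfo hunk (rows 139-149), `ss->ssl3.platformClientKey->dwKeySpec` is read without checking that platformClientKey is non-NULL; sslimpl.h documents that at most one of clientPrivateKey and platformClientKey is set, so a client authenticating with an NSS key on a Windows NSS_PLATFORM_CLIENT_AUTH build reaches this with a NULL pointer unless the caller only enters this function on the platform path, which the hunk does not show. Guard it: `if (ss->ssl3.platformClientKey && ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {`. The same hunk tests `_WIN32` while the PlatformKey typedef in sslimpl.h (rows 359-360) tests `XP_WIN32`; if the two macros ever diverge, the dereference is of a `void *` and fails to compile, so both files should key on the same macro. Separately, the platform branch added to ssl3_HandleCertificateRequest (rows 177-188) does not carry the `PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == ssl_preinfo_all)` that the adjacent getClientAuthData branch has (rows 190-191). The rest of ssl3_ExtractClientKeyInfo lies outside the hunk.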
280 diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c | 280 diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c |
281 index 28d21c4..0a2288a 100644 | 281 index cf04aba..5661a5c 100644 |
282 --- a/ssl/ssl3ext.c | 282 --- a/lib/ssl/ssl3ext.c |
283 +++ b/ssl/ssl3ext.c | 283 +++ b/lib/ssl/ssl3ext.c |
284 @@ -11,8 +11,8 @@ | 284 @@ -11,8 +11,8 @@ |
285 #include "nssrenam.h" | 285 #include "nssrenam.h" |
286 #include "nss.h" | 286 #include "nss.h" |
287 #include "ssl.h" | 287 #include "ssl.h" |
288 -#include "sslproto.h" | 288 -#include "sslproto.h" |
289 #include "sslimpl.h" | 289 #include "sslimpl.h" |
290 +#include "sslproto.h" | 290 +#include "sslproto.h" |
291 #include "pk11pub.h" | 291 #include "pk11pub.h" |
292 #ifdef NO_PKCS11_BYPASS | 292 #ifdef NO_PKCS11_BYPASS |
293 #include "blapit.h" | 293 #include "blapit.h" |
294 diff --git a/ssl/sslauth.c b/ssl/sslauth.c | 294 diff --git a/lib/ssl/sslauth.c b/lib/ssl/sslauth.c |
295 index ed74d94..7f9c43b 100644 | 295 index b144336..e6981f0 100644 |
296 --- a/ssl/sslauth.c | 296 --- a/lib/ssl/sslauth.c |
297 +++ b/ssl/sslauth.c | 297 +++ b/lib/ssl/sslauth.c |
298 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthDa
ta func, | 298 @@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthDa
ta func, |
299 return SECSuccess; | 299 return SECSuccess; |
300 } | 300 } |
301 | 301 |
302 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 302 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
303 +/* NEED LOCKS IN HERE. */ | 303 +/* NEED LOCKS IN HERE. */ |
304 +SECStatus | 304 +SECStatus |
305 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, | 305 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
306 + SSLGetPlatformClientAuthData func, | 306 + SSLGetPlatformClientAuthData func, |
307 + void *arg) | 307 + void *arg) |
308 +{ | 308 +{ |
309 + sslSocket *ss; | 309 + sslSocket *ss; |
310 + | 310 + |
311 + ss = ssl_FindSocket(s); | 311 + ss = ssl_FindSocket(s); |
312 + if (!ss) { | 312 + if (!ss) { |
313 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", | 313 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", |
314 + SSL_GETPID(), s)); | 314 + SSL_GETPID(), s)); |
315 + return SECFailure; | 315 + return SECFailure; |
316 + } | 316 + } |
317 + | 317 + |
318 + ss->getPlatformClientAuthData = func; | 318 + ss->getPlatformClientAuthData = func; |
319 + ss->getPlatformClientAuthDataArg = arg; | 319 + ss->getPlatformClientAuthDataArg = arg; |
320 + return SECSuccess; | 320 + return SECSuccess; |
321 +} | 321 +} |
322 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 322 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
323 + | 323 + |
324 /* NEED LOCKS IN HERE. */ | 324 /* NEED LOCKS IN HERE. */ |
325 SECStatus | 325 SECStatus |
326 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | 326 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
327 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h | 327 diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
328 index 086f6d2..bbc9bd2 100644 | 328 index 9dcc29e..94bb9f4 100644 |
329 --- a/ssl/sslimpl.h | 329 --- a/lib/ssl/sslimpl.h |
330 +++ b/ssl/sslimpl.h | 330 +++ b/lib/ssl/sslimpl.h |
331 @@ -20,6 +20,7 @@ | 331 @@ -21,6 +21,7 @@ |
332 #include "sslerr.h" | 332 #include "sslerr.h" |
333 #include "ssl3prot.h" | 333 #include "ssl3prot.h" |
334 #include "hasht.h" | 334 #include "hasht.h" |
335 +#include "keythi.h" | 335 +#include "keythi.h" |
336 #include "nssilock.h" | 336 #include "nssilock.h" |
337 #include "pkcs11t.h" | 337 #include "pkcs11t.h" |
338 #if defined(XP_UNIX) || defined(XP_BEOS) | 338 #if defined(XP_UNIX) || defined(XP_BEOS) |
339 @@ -31,6 +32,15 @@ | 339 @@ -32,6 +33,15 @@ |
340 | 340 |
341 #include "sslt.h" /* for some formerly private types, now public */ | 341 #include "sslt.h" /* for some formerly private types, now public */ |
342 | 342 |
343 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 343 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
344 +#if defined(XP_WIN32) | 344 +#if defined(XP_WIN32) |
345 +#include <windows.h> | 345 +#include <windows.h> |
346 +#include <wincrypt.h> | 346 +#include <wincrypt.h> |
347 +#elif defined(XP_MACOSX) | 347 +#elif defined(XP_MACOSX) |
348 +#include <Security/Security.h> | 348 +#include <Security/Security.h> |
349 +#endif | 349 +#endif |
350 +#endif | 350 +#endif |
351 + | 351 + |
352 /* to make some of these old enums public without namespace pollution, | 352 /* to make some of these old enums public without namespace pollution, |
353 ** it was necessary to prepend ssl_ to the names. | 353 ** it was necessary to prepend ssl_ to the names. |
354 ** These #defines preserve compatibility with the old code here in libssl. | 354 ** These #defines preserve compatibility with the old code here in libssl. |
355 @@ -443,6 +453,14 @@ struct sslGatherStr { | 355 @@ -453,6 +463,14 @@ struct sslGatherStr { |
356 #define GS_DATA 3 | 356 #define GS_DATA 3 |
357 #define GS_PAD 4 | 357 #define GS_PAD 4 |
358 | 358 |
359 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) | 359 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
360 +typedef PCERT_KEY_CONTEXT PlatformKey; | 360 +typedef PCERT_KEY_CONTEXT PlatformKey; |
361 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) | 361 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
362 +typedef SecKeyRef PlatformKey; | 362 +typedef SecKeyRef PlatformKey; |
363 +#else | 363 +#else |
364 +typedef void *PlatformKey; | 364 +typedef void *PlatformKey; |
365 +#endif | 365 +#endif |
366 + | 366 + |
367 | 367 |
368 | 368 |
369 /* | 369 /* |
370 @@ -961,6 +979,10 @@ struct ssl3StateStr { | 370 @@ -974,6 +992,10 @@ struct ssl3StateStr { |
371 | 371 |
372 CERTCertificate * clientCertificate; /* used by client */ | 372 CERTCertificate * clientCertificate; /* used by client */ |
373 SECKEYPrivateKey * clientPrivateKey; /* used by client */ | 373 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
374 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not | 374 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not |
375 + * defined in order to allow cleaner conditional code. | 375 + * defined in order to allow cleaner conditional code. |
376 + * At most one of clientPrivateKey and platformClientKey may be set. */ | 376 + * At most one of clientPrivateKey and platformClientKey may be set. */ |
377 + PlatformKey platformClientKey; /* used by client */ | 377 + PlatformKey platformClientKey; /* used by client */ |
378 CERTCertificateList *clientCertChain; /* used by client */ | 378 CERTCertificateList *clientCertChain; /* used by client */ |
379 PRBool sendEmptyCert; /* used by client */ | 379 PRBool sendEmptyCert; /* used by client */ |
380 | 380 |
381 @@ -1223,6 +1245,10 @@ const unsigned char * preferredCipher; | 381 @@ -1253,6 +1275,10 @@ const unsigned char * preferredCipher; |
382 void *authCertificateArg; | 382 void *authCertificateArg; |
383 SSLGetClientAuthData getClientAuthData; | 383 SSLGetClientAuthData getClientAuthData; |
384 void *getClientAuthDataArg; | 384 void *getClientAuthDataArg; |
385 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 385 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
386 + SSLGetPlatformClientAuthData getPlatformClientAuthData; | 386 + SSLGetPlatformClientAuthData getPlatformClientAuthData; |
387 + void *getPlatformClientAuthDataArg; | 387 + void *getPlatformClientAuthDataArg; |
388 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 388 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
389 SSLSNISocketConfig sniSocketConfig; | 389 SSLSNISocketConfig sniSocketConfig; |
390 void *sniSocketConfigArg; | 390 void *sniSocketConfigArg; |
391 SSLBadCertHandler handleBadCert; | 391 SSLBadCertHandler handleBadCert; |
392 @@ -1863,6 +1889,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyIni
t); | 392 @@ -1896,6 +1922,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyIni
t); |
393 | 393 |
394 extern SECStatus ssl_FreeSessionCacheLocks(void); | 394 extern SECStatus ssl_FreeSessionCacheLocks(void); |
395 | 395 |
396 +/***************** platform client auth ****************/ | 396 +/***************** platform client auth ****************/ |
397 + | 397 + |
398 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 398 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
399 +// Releases the platform key. | 399 +// Releases the platform key. |
400 +extern void ssl_FreePlatformKey(PlatformKey key); | 400 +extern void ssl_FreePlatformKey(PlatformKey key); |
401 + | 401 + |
402 +// Implement the client CertificateVerify message for SSL3/TLS1.0 | 402 +// Implement the client CertificateVerify message for SSL3/TLS1.0 |
403 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, | 403 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
404 + PlatformKey key, SECItem *buf, | 404 + PlatformKey key, SECItem *buf, |
405 + PRBool isTLS, KeyType keyType); | 405 + PRBool isTLS, KeyType keyType); |
406 + | 406 + |
407 +// Converts a CERTCertList* (A collection of CERTCertificates) into a | 407 +// Converts a CERTCertList* (A collection of CERTCertificates) into a |
408 +// CERTCertificateList* (A collection of SECItems), or returns NULL if | 408 +// CERTCertificateList* (A collection of SECItems), or returns NULL if |
409 +// it cannot be converted. | 409 +// it cannot be converted. |
410 +// This is to allow the platform-supplied chain to be created with purely | 410 +// This is to allow the platform-supplied chain to be created with purely |
411 +// public API functions, using the preferred CERTCertList mutators, rather | 411 +// public API functions, using the preferred CERTCertList mutators, rather |
412 +// pushing this hack to clients. | 412 +// pushing this hack to clients. |
413 +extern CERTCertificateList* hack_NewCertificateListFromCertList( | 413 +extern CERTCertificateList* hack_NewCertificateListFromCertList( |
414 + CERTCertList* list); | 414 + CERTCertList* list); |
415 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 415 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
416 | 416 |
417 /**************** DTLS-specific functions **************/ | 417 /**************** DTLS-specific functions **************/ |
418 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); | 418 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); |
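Review bot: The comment added at rows 374-376 states that at most one of clientPrivateKey and platformClientKey may be set, but nothing visible enforces it: the platform callback in ssl3_HandleCertificateRequest receives both `&ss->ssl3.platformClientKey` and `&ss->ssl3.clientPrivateKey` as out-parameters (rows 184-186 of ssl3con.c), so an application callback can populate both, and as far as the visible rows show the SECKEY_DestroyPrivateKey at rows 114-115 of ssl3_SendCertificateVerify sits only in the NSS branch, which would leave the NSS key unreleased; the elided rows 202-243 of the certificate_request hunk may already check this. Either state in the comment that the callback is responsible for the invariant or assert it once the callback returns, e.g. `PORT_Assert(!(ss->ssl3.platformClientKey && ss->ssl3.clientPrivateKey));`. As a point of style, the new prototypes at rows 398-415 are documented with `//` comments while the rest of this header uses `/* */` block comments (rows 352-354, 369), and the comment at rows 410-412 reads "rather pushing this hack" where "rather than pushing" is meant.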
419 diff --git a/ssl/sslsock.c b/ssl/sslsock.c | 419 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c |
420 index 282bb85..6c09992 100644 | 420 index f735009..21754d6 100644 |
421 --- a/ssl/sslsock.c | 421 --- a/lib/ssl/sslsock.c |
422 +++ b/ssl/sslsock.c | 422 +++ b/lib/ssl/sslsock.c |
423 @@ -275,6 +275,10 @@ ssl_DupSocket(sslSocket *os) | 423 @@ -300,6 +300,10 @@ ssl_DupSocket(sslSocket *os) |
424 ss->authCertificateArg = os->authCertificateArg; | 424 ss->authCertificateArg = os->authCertificateArg; |
425 ss->getClientAuthData = os->getClientAuthData; | 425 ss->getClientAuthData = os->getClientAuthData; |
426 ss->getClientAuthDataArg = os->getClientAuthDataArg; | 426 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
427 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 427 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
428 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 428 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
429 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg
; | 429 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg
; |
430 +#endif | 430 +#endif |
431 ss->sniSocketConfig = os->sniSocketConfig; | 431 ss->sniSocketConfig = os->sniSocketConfig; |
432 ss->sniSocketConfigArg = os->sniSocketConfigArg; | 432 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
433 ss->handleBadCert = os->handleBadCert; | 433 ss->handleBadCert = os->handleBadCert; |
434 @@ -1709,6 +1713,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) | 434 @@ -1963,6 +1967,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
435 ss->getClientAuthData = sm->getClientAuthData; | 435 ss->getClientAuthData = sm->getClientAuthData; |
436 if (sm->getClientAuthDataArg) | 436 if (sm->getClientAuthDataArg) |
437 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 437 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
438 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 438 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
439 + if (sm->getPlatformClientAuthData) | 439 + if (sm->getPlatformClientAuthData) |
440 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; | 440 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
441 + if (sm->getPlatformClientAuthDataArg) | 441 + if (sm->getPlatformClientAuthDataArg) |
442 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; | 442 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
443 +#endif | 443 +#endif |
444 if (sm->sniSocketConfig) | 444 if (sm->sniSocketConfig) |
445 ss->sniSocketConfig = sm->sniSocketConfig; | 445 ss->sniSocketConfig = sm->sniSocketConfig; |
446 if (sm->sniSocketConfigArg) | 446 if (sm->sniSocketConfigArg) |
447 @@ -2974,6 +2984,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoc
olVariant) | 447 @@ -3232,6 +3242,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoc
olVariant) |
448 ss->sniSocketConfig = NULL; | 448 ss->sniSocketConfig = NULL; |
449 ss->sniSocketConfigArg = NULL; | 449 ss->sniSocketConfigArg = NULL; |
450 ss->getClientAuthData = NULL; | 450 ss->getClientAuthData = NULL; |
451 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 451 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
452 + ss->getPlatformClientAuthData = NULL; | 452 + ss->getPlatformClientAuthData = NULL; |
453 + ss->getPlatformClientAuthDataArg = NULL; | 453 + ss->getPlatformClientAuthDataArg = NULL; |
454 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 454 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
455 ss->handleBadCert = NULL; | 455 ss->handleBadCert = NULL; |
456 ss->badCertArg = NULL; | 456 ss->badCertArg = NULL; |
457 ss->pkcs11PinArg = NULL; | 457 ss->pkcs11PinArg = NULL; |