OLD | NEW |
1 /* | 1 /* |
2 * This file is PRIVATE to SSL and should be the first thing included by | 2 * This file is PRIVATE to SSL and should be the first thing included by |
3 * any SSL implementation file. | 3 * any SSL implementation file. |
4 * | 4 * |
5 * ***** BEGIN LICENSE BLOCK ***** | 5 * ***** BEGIN LICENSE BLOCK ***** |
6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
7 * | 7 * |
8 * The contents of this file are subject to the Mozilla Public License Version | 8 * The contents of this file are subject to the Mozilla Public License Version |
9 * 1.1 (the "License"); you may not use this file except in compliance with | 9 * 1.1 (the "License"); you may not use this file except in compliance with |
10 * the License. You may obtain a copy of the License at | 10 * the License. You may obtain a copy of the License at |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
58 #include "nssilock.h" | 58 #include "nssilock.h" |
59 #include "pkcs11t.h" | 59 #include "pkcs11t.h" |
60 #if defined(XP_UNIX) || defined(XP_BEOS) | 60 #if defined(XP_UNIX) || defined(XP_BEOS) |
61 #include "unistd.h" | 61 #include "unistd.h" |
62 #endif | 62 #endif |
63 #include "nssrwlk.h" | 63 #include "nssrwlk.h" |
64 #include "prthread.h" | 64 #include "prthread.h" |
65 | 65 |
66 #include "sslt.h" /* for some formerly private types, now public */ | 66 #include "sslt.h" /* for some formerly private types, now public */ |
67 | 67 |
| 68 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 69 #if defined(XP_WIN32) |
| 70 #include <windows.h> |
| 71 #include <wincrypt.h> |
| 72 #elif defined(XP_MACOSX) |
| 73 #include <Security/Security.h> |
| 74 #endif |
| 75 #endif |
| 76 |
68 /* to make some of these old enums public without namespace pollution, | 77 /* to make some of these old enums public without namespace pollution, |
69 ** it was necessary to prepend ssl_ to the names. | 78 ** it was necessary to prepend ssl_ to the names. |
70 ** These #defines preserve compatibility with the old code here in libssl. | 79 ** These #defines preserve compatibility with the old code here in libssl. |
71 */ | 80 */ |
72 typedef SSLKEAType SSL3KEAType; | 81 typedef SSLKEAType SSL3KEAType; |
73 typedef SSLMACAlgorithm SSL3MACAlgorithm; | 82 typedef SSLMACAlgorithm SSL3MACAlgorithm; |
74 typedef SSLSignType SSL3SignType; | 83 typedef SSLSignType SSL3SignType; |
75 | 84 |
76 #define sign_null ssl_sign_null | 85 #define sign_null ssl_sign_null |
77 #define sign_rsa ssl_sign_rsa | 86 #define sign_rsa ssl_sign_rsa |
(...skipping 488 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
566 } ssl3CipherSpec; | 575 } ssl3CipherSpec; |
567 | 576 |
568 typedef enum { never_cached, | 577 typedef enum { never_cached, |
569 in_client_cache, | 578 in_client_cache, |
570 in_server_cache, | 579 in_server_cache, |
571 invalid_cache /* no longer in any cache. */ | 580 invalid_cache /* no longer in any cache. */ |
572 } Cached; | 581 } Cached; |
573 | 582 |
574 #define MAX_PEER_CERT_CHAIN_SIZE 8 | 583 #define MAX_PEER_CERT_CHAIN_SIZE 8 |
575 | 584 |
| 585 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 586 typedef struct { |
| 587 #if defined(XP_WIN32) |
| 588 char * provider; |
| 589 char * container; |
| 590 DWORD provType; |
| 591 PRBool removable; |
| 592 #elif defined(XP_MACOSX) |
| 593 SecKeychainRef keychain; |
| 594 CFDataRef persistentKey; |
| 595 #endif |
| 596 } PlatformAuthInfo; |
| 597 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 598 |
576 struct sslSessionIDStr { | 599 struct sslSessionIDStr { |
577 sslSessionID * next; /* chain used for client sockets, only */ | 600 sslSessionID * next; /* chain used for client sockets, only */ |
578 | 601 |
579 CERTCertificate * peerCert; | 602 CERTCertificate * peerCert; |
580 CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; | 603 CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; |
581 const char * peerID; /* client only */ | 604 const char * peerID; /* client only */ |
582 const char * urlSvrName; /* client only */ | 605 const char * urlSvrName; /* client only */ |
583 CERTCertificate * localCert; | 606 CERTCertificate * localCert; |
584 | 607 |
585 PRIPv6Addr addr; | 608 PRIPv6Addr addr; |
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
650 /* The following values pertain to the slot that did the signature | 673 /* The following values pertain to the slot that did the signature |
651 ** for client auth. (used only in client) | 674 ** for client auth. (used only in client) |
652 */ | 675 */ |
653 SECMODModuleID clAuthModuleID; | 676 SECMODModuleID clAuthModuleID; |
654 CK_SLOT_ID clAuthSlotID; | 677 CK_SLOT_ID clAuthSlotID; |
655 PRUint16 clAuthSeries; | 678 PRUint16 clAuthSeries; |
656 | 679 |
657 char masterValid; | 680 char masterValid; |
658 char clAuthValid; | 681 char clAuthValid; |
659 | 682 |
| 683 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 684 PlatformAuthInfo clPlatformAuthInfo; |
| 685 char clPlatformAuthValid; |
| 686 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 687 |
660 /* Session ticket if we have one, is sent as an extension in the | 688 /* Session ticket if we have one, is sent as an extension in the |
661 * ClientHello message. This field is used by clients. | 689 * ClientHello message. This field is used by clients. |
662 */ | 690 */ |
663 NewSessionTicket sessionTicket; | 691 NewSessionTicket sessionTicket; |
664 SECItem srvName; | 692 SECItem srvName; |
665 } ssl3; | 693 } ssl3; |
666 } u; | 694 } u; |
667 }; | 695 }; |
668 | 696 |
669 | 697 |
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
809 * our Snap Start attempt, then it will hash the whole ClientHello. Thus we | 837 * our Snap Start attempt, then it will hash the whole ClientHello. Thus we |
810 * store the original ClientHello that we sent in case we need to reset our | 838 * store the original ClientHello that we sent in case we need to reset our |
811 * Finished hash to cover it. */ | 839 * Finished hash to cover it. */ |
812 SECItem origClientHello; | 840 SECItem origClientHello; |
813 #ifdef NSS_ENABLE_ECC | 841 #ifdef NSS_ENABLE_ECC |
814 PRUint32 negotiatedECCurves; /* bit mask */ | 842 PRUint32 negotiatedECCurves; /* bit mask */ |
815 #endif /* NSS_ENABLE_ECC */ | 843 #endif /* NSS_ENABLE_ECC */ |
816 PRBool nextProtoNego;/* Our peer has sent this extension */ | 844 PRBool nextProtoNego;/* Our peer has sent this extension */ |
817 } SSL3HandshakeState; | 845 } SSL3HandshakeState; |
818 | 846 |
| 847 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 848 #if defined(XP_WIN32) |
| 849 typedef HCRYPTPROV PlatformKey; |
| 850 #elif defined(XP_MACOSX) |
| 851 typedef SecKeyRef PlatformKey; |
| 852 #else |
| 853 typedef void *PlatformKey; |
| 854 #endif |
| 855 #endif |
819 | 856 |
820 | 857 |
821 /* | 858 /* |
822 ** This is the "ssl3" struct, as in "ss->ssl3". | 859 ** This is the "ssl3" struct, as in "ss->ssl3". |
823 ** note: | 860 ** note: |
824 ** usually, crSpec == cwSpec and prSpec == pwSpec. | 861 ** usually, crSpec == cwSpec and prSpec == pwSpec. |
825 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec. | 862 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec. |
826 ** But there are never more than 2 actual specs. | 863 ** But there are never more than 2 actual specs. |
827 ** No spec must ever be modified if either "current" pointer points to it. | 864 ** No spec must ever be modified if either "current" pointer points to it. |
828 */ | 865 */ |
829 struct ssl3StateStr { | 866 struct ssl3StateStr { |
830 | 867 |
831 /* | 868 /* |
832 ** The following Specs and Spec pointers must be protected using the | 869 ** The following Specs and Spec pointers must be protected using the |
833 ** Spec Lock. | 870 ** Spec Lock. |
834 */ | 871 */ |
835 ssl3CipherSpec * crSpec; /* current read spec. */ | 872 ssl3CipherSpec * crSpec; /* current read spec. */ |
836 ssl3CipherSpec * prSpec; /* pending read spec. */ | 873 ssl3CipherSpec * prSpec; /* pending read spec. */ |
837 ssl3CipherSpec * cwSpec; /* current write spec. */ | 874 ssl3CipherSpec * cwSpec; /* current write spec. */ |
838 ssl3CipherSpec * pwSpec; /* pending write spec. */ | 875 ssl3CipherSpec * pwSpec; /* pending write spec. */ |
839 | 876 |
840 CERTCertificate * clientCertificate; /* used by client */ | 877 CERTCertificate * clientCertificate; /* used by client */ |
841 SECKEYPrivateKey * clientPrivateKey; /* used by client */ | 878 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
| 879 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 880 PlatformKey platformClientKey; /* used by client */ |
| 881 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
842 CERTCertificateList *clientCertChain; /* used by client */ | 882 CERTCertificateList *clientCertChain; /* used by client */ |
843 PRBool sendEmptyCert; /* used by client */ | 883 PRBool sendEmptyCert; /* used by client */ |
844 | 884 |
845 /* TLS Snap Start: */ | 885 /* TLS Snap Start: */ |
846 CERTCertificate ** predictedCertChain; | 886 CERTCertificate ** predictedCertChain; |
847 /* An array terminated with a NULL. */ | 887 /* An array terminated with a NULL. */ |
848 SECItem serverHelloPredictionData; | 888 SECItem serverHelloPredictionData; |
849 PRBool serverHelloPredictionDataValid; | 889 PRBool serverHelloPredictionDataValid; |
850 /* data needed to predict the ServerHello from | 890 /* data needed to predict the ServerHello from |
851 * this server. */ | 891 * this server. */ |
(...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1093 unsigned int sizeCipherSpecs; | 1133 unsigned int sizeCipherSpecs; |
1094 const unsigned char * preferredCipher; | 1134 const unsigned char * preferredCipher; |
1095 | 1135 |
1096 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */ | 1136 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */ |
1097 | 1137 |
1098 /* Callbacks */ | 1138 /* Callbacks */ |
1099 SSLAuthCertificate authCertificate; | 1139 SSLAuthCertificate authCertificate; |
1100 void *authCertificateArg; | 1140 void *authCertificateArg; |
1101 SSLGetClientAuthData getClientAuthData; | 1141 SSLGetClientAuthData getClientAuthData; |
1102 void *getClientAuthDataArg; | 1142 void *getClientAuthDataArg; |
| 1143 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 1144 SSLGetPlatformClientAuthData getPlatformClientAuthData; |
| 1145 void *getPlatformClientAuthDataArg; |
| 1146 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
1103 SSLSNISocketConfig sniSocketConfig; | 1147 SSLSNISocketConfig sniSocketConfig; |
1104 void *sniSocketConfigArg; | 1148 void *sniSocketConfigArg; |
1105 SSLBadCertHandler handleBadCert; | 1149 SSLBadCertHandler handleBadCert; |
1106 void *badCertArg; | 1150 void *badCertArg; |
1107 SSLHandshakeCallback handshakeCallback; | 1151 SSLHandshakeCallback handshakeCallback; |
1108 void *handshakeCallbackData; | 1152 void *handshakeCallbackData; |
1109 void *pkcs11PinArg; | 1153 void *pkcs11PinArg; |
1110 | 1154 |
1111 PRIntervalTime rTimeout; /* timeout for NSPR I/O */ | 1155 PRIntervalTime rTimeout; /* timeout for NSPR I/O */ |
1112 PRIntervalTime wTimeout; /* timeout for NSPR I/O */ | 1156 PRIntervalTime wTimeout; /* timeout for NSPR I/O */ |
(...skipping 571 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1684 extern SECStatus SSL3_ShutdownServerCache(void); | 1728 extern SECStatus SSL3_ShutdownServerCache(void); |
1685 | 1729 |
1686 extern SECStatus ssl_InitSymWrapKeysLock(void); | 1730 extern SECStatus ssl_InitSymWrapKeysLock(void); |
1687 | 1731 |
1688 extern SECStatus ssl_FreeSymWrapKeysLock(void); | 1732 extern SECStatus ssl_FreeSymWrapKeysLock(void); |
1689 | 1733 |
1690 extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); | 1734 extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); |
1691 | 1735 |
1692 extern SECStatus ssl_FreeSessionCacheLocks(void); | 1736 extern SECStatus ssl_FreeSessionCacheLocks(void); |
1693 | 1737 |
| 1738 /***************** platform client auth ****************/ |
| 1739 |
| 1740 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 1741 // Releases the platform key. |
| 1742 extern void ssl_FreePlatformKey(PlatformKey key); |
| 1743 |
| 1744 // Frees any memory allocated to store a persistent reference to the |
| 1745 // platform key. |
| 1746 extern void ssl_FreePlatformAuthInfo(PlatformAuthInfo* info); |
| 1747 |
| 1748 // Initializes the PlatformAuthInfo to empty/invalid values. |
| 1749 extern void ssl_InitPlatformAuthInfo(PlatformAuthInfo* info); |
| 1750 |
| 1751 // Determine if the given key is still present in the system. This is used |
| 1752 // to check for things like smart cards being ejected after handshaking, |
| 1753 // since no further operations on the key will happen which would detect this. |
| 1754 extern PRBool ssl_PlatformAuthTokenPresent(PlatformAuthInfo* info); |
| 1755 |
| 1756 // Obtain a persistent reference to a key, sufficient for |
| 1757 // ssl_PlatformAuthTokenPresent to determine if the key is still present. |
| 1758 extern void ssl_GetPlatformAuthInfoForKey(PlatformKey key, |
| 1759 PlatformAuthInfo* info); |
| 1760 |
| 1761 // Implement the client CertificateVerify message for SSL3/TLS1.0 |
| 1762 extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
| 1763 PlatformKey key, SECItem *buf, |
| 1764 PRBool isTLS); |
| 1765 |
| 1766 // Converts a CERTCertList* (A collection of CERTCertificates) into a |
| 1767 // CERTCertificateList* (A collection of SECItems), or returns NULL if |
| 1768 // it cannot be converted. |
| 1769 // This is to allow the platform-supplied chain to be created with purely |
| 1770 // public API functions, using the preferred CERTCertList mutators, rather |
| 1771 // pushing this hack to clients. |
| 1772 extern CERTCertificateList* hack_NewCertificateListFromCertList( |
| 1773 CERTCertList* list); |
| 1774 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
1694 | 1775 |
1695 /********************** misc calls *********************/ | 1776 /********************** misc calls *********************/ |
1696 | 1777 |
1697 extern int ssl_MapLowLevelError(int hiLevelError); | 1778 extern int ssl_MapLowLevelError(int hiLevelError); |
1698 | 1779 |
1699 extern PRUint32 ssl_Time(void); | 1780 extern PRUint32 ssl_Time(void); |
1700 | 1781 |
1701 extern void SSL_AtomicIncrementLong(long * x); | 1782 extern void SSL_AtomicIncrementLong(long * x); |
1702 | 1783 |
1703 SECStatus SSL_DisableDefaultExportCipherSuites(void); | 1784 SECStatus SSL_DisableDefaultExportCipherSuites(void); |
(...skipping 22 matching lines...) Expand all Loading... |
1726 #elif defined(_WIN32_WCE) | 1807 #elif defined(_WIN32_WCE) |
1727 #define SSL_GETPID GetCurrentProcessId | 1808 #define SSL_GETPID GetCurrentProcessId |
1728 #elif defined(WIN32) | 1809 #elif defined(WIN32) |
1729 extern int __cdecl _getpid(void); | 1810 extern int __cdecl _getpid(void); |
1730 #define SSL_GETPID _getpid | 1811 #define SSL_GETPID _getpid |
1731 #else | 1812 #else |
1732 #define SSL_GETPID() 0 | 1813 #define SSL_GETPID() 0 |
1733 #endif | 1814 #endif |
1734 | 1815 |
1735 #endif /* __sslimpl_h_ */ | 1816 #endif /* __sslimpl_h_ */ |
OLD | NEW |