OLD | NEW |
(Empty) | |
| 1 Index: mozilla/security/nss/lib/ssl/ssl.h |
| 2 =================================================================== |
| 3 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v |
| 4 retrieving revision 1.38 |
| 5 diff -p -u -8 -r1.38 ssl.h |
| 6 --- mozilla/security/nss/lib/ssl/ssl.h 17 Feb 2010 02:29:07 -0000 1.38 |
| 7 +++ mozilla/security/nss/lib/ssl/ssl.h 16 Feb 2011 02:40:21 -0000 |
| 8 @@ -275,16 +275,49 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl |
| 9 * and certificate. |
| 10 * fd - the file descriptor for the connection in question |
| 11 * f - the application's callback that delivers the key and cert |
| 12 * a - application specific data |
| 13 */ |
| 14 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
| 15 SSLGetClientAuthData f, void *a); |
| 16 |
| 17 +/* |
| 18 + * Prototype for SSL callback to get client auth data from the application, |
| 19 + * when using the underlying platform's cryptographic primitives. Returning |
| 20 + * SECFailure will cause the socket to send no client certificate. |
| 21 + * arg - application passed argument |
| 22 + * caNames - pointer to distinguished names of CAs that the server likes |
| 23 + * pRetCerts - pointer to pointer to list of certs, with the first being |
| 24 + * the client cert, and any following being used for chain |
| 25 + * building |
| 26 + * pRetKey - pointer to native key pointer, for return of key |
| 27 + * - Windows: A pointer to a PCERT_KEY_CONTEXT that was allocated |
| 28 + * via PORT_Alloc(). Ownership of the PCERT_KEY_CONTEXT |
| 29 + * is transferred to NSS, which will free via |
| 30 + * PORT_Free(). |
| 31 + * - Mac OS X: A pointer to a SecKeyRef. Ownership is |
| 32 + * transferred to NSS, which will free via CFRelease(). |
| 33 + */ |
| 34 +typedef SECStatus (PR_CALLBACK *SSLGetPlatformClientAuthData)(void *arg, |
| 35 + PRFileDesc *fd, |
| 36 + CERTDistNames *caNames, |
| 37 + CERTCertList **pRetCerts,/*return */ |
| 38 + void **pRetKey);/* return */ |
| 39 + |
| 40 +/* |
| 41 + * Set the client side callback for SSL to retrieve user's private key |
| 42 + * and certificate. |
| 43 + * fd - the file descriptor for the connection in question |
| 44 + * f - the application's callback that delivers the key and cert |
| 45 + * a - application specific data |
| 46 + */ |
| 47 +SSL_IMPORT SECStatus |
| 48 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, |
| 49 + SSLGetPlatformClientAuthData f, void *a); |
| 50 |
| 51 /* |
| 52 ** SNI extension processing callback function. |
| 53 ** It is called when SSL socket receives SNI extension in ClientHello message. |
| 54 ** Upon this callback invocation, application is responsible to reconfigure the |
| 55 ** socket with the data for a particular server name. |
| 56 ** There are three potential outcomes of this function invocation: |
| 57 ** * application does not recognize the name or the type and wants the |
| 58 Index: mozilla/security/nss/lib/ssl/ssl3con.c |
| 59 =================================================================== |
| 60 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v |
| 61 retrieving revision 1.142 |
| 62 diff -p -u -8 -r1.142 ssl3con.c |
| 63 --- mozilla/security/nss/lib/ssl/ssl3con.c 24 Jun 2010 19:53:20 -0000
1.142 |
| 64 +++ mozilla/security/nss/lib/ssl/ssl3con.c 16 Feb 2011 02:40:21 -0000 |
| 65 @@ -2007,16 +2007,19 @@ ssl3_ComputeRecordMAC( |
| 66 rv = SECFailure; |
| 67 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
| 68 } |
| 69 return rv; |
| 70 } |
| 71 |
| 72 static PRBool |
| 73 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
| 74 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 75 + return PR_TRUE; |
| 76 +#else |
| 77 PK11SlotInfo *slot = NULL; |
| 78 PRBool isPresent = PR_TRUE; |
| 79 |
| 80 /* we only care if we are doing client auth */ |
| 81 if (!sid || !sid->u.ssl3.clAuthValid) { |
| 82 return PR_TRUE; |
| 83 } |
| 84 |
| 85 @@ -2030,16 +2033,17 @@ ssl3_ClientAuthTokenPresent(sslSessionID |
| 86 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) || |
| 87 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { |
| 88 isPresent = PR_FALSE; |
| 89 } |
| 90 if (slot) { |
| 91 PK11_FreeSlot(slot); |
| 92 } |
| 93 return isPresent; |
| 94 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 95 } |
| 96 |
| 97 static SECStatus |
| 98 ssl3_CompressMACEncryptRecord(sslSocket * ss, |
| 99 SSL3ContentType type, |
| 100 const SSL3Opaque * pIn, |
| 101 PRUint32 contentLen) |
| 102 { |
| 103 @@ -4812,40 +4816,41 @@ ssl3_SendCertificateVerify(sslSocket *ss |
| 104 ssl_GetSpecReadLock(ss); |
| 105 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
| 106 ssl_ReleaseSpecReadLock(ss); |
| 107 if (rv != SECSuccess) { |
| 108 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
| 109 } |
| 110 |
| 111 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 112 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 113 + rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, |
| 114 + &buf, isTLS); |
| 115 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 116 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 117 +#else /* NSS_PLATFORM_CLIENT_AUTH */ |
| 118 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
| 119 if (rv == SECSuccess) { |
| 120 PK11SlotInfo * slot; |
| 121 sslSessionID * sid = ss->sec.ci.sid; |
| 122 |
| 123 /* Remember the info about the slot that did the signing. |
| 124 ** Later, when doing an SSL restart handshake, verify this. |
| 125 ** These calls are mere accessors, and can't fail. |
| 126 */ |
| 127 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); |
| 128 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); |
| 129 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); |
| 130 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); |
| 131 sid->u.ssl3.clAuthValid = PR_TRUE; |
| 132 PK11_FreeSlot(slot); |
| 133 } |
| 134 - /* If we're doing RSA key exchange, we're all done with the private key |
| 135 - * here. Diffie-Hellman key exchanges need the client's |
| 136 - * private key for the key exchange. |
| 137 - */ |
| 138 - if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) { |
| 139 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 140 - ss->ssl3.clientPrivateKey = NULL; |
| 141 - } |
| 142 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 143 + ss->ssl3.clientPrivateKey = NULL; |
| 144 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 145 if (rv != SECSuccess) { |
| 146 goto done; /* err code was set by ssl3_SignHashes */ |
| 147 } |
| 148 |
| 149 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); |
| 150 if (rv != SECSuccess) { |
| 151 goto done; /* error code set by AppendHandshake */ |
| 152 } |
| 153 @@ -4890,16 +4895,36 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
| 154 goto alert_loser; |
| 155 } |
| 156 if (ss->ssl3.hs.ws != wait_server_hello) { |
| 157 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO; |
| 158 desc = unexpected_message; |
| 159 goto alert_loser; |
| 160 } |
| 161 |
| 162 + /* clean up anything left from previous handshake. */ |
| 163 + if (ss->ssl3.clientCertChain != NULL) { |
| 164 + CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
| 165 + ss->ssl3.clientCertChain = NULL; |
| 166 + } |
| 167 + if (ss->ssl3.clientCertificate != NULL) { |
| 168 + CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 169 + ss->ssl3.clientCertificate = NULL; |
| 170 + } |
| 171 + if (ss->ssl3.clientPrivateKey != NULL) { |
| 172 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 173 + ss->ssl3.clientPrivateKey = NULL; |
| 174 + } |
| 175 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 176 + if (ss->ssl3.platformClientKey) { |
| 177 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 178 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 179 + } |
| 180 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 181 + |
| 182 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 183 if (temp < 0) { |
| 184 goto loser; /* alert has been sent */ |
| 185 } |
| 186 version = (SSL3ProtocolVersion)temp; |
| 187 |
| 188 /* this is appropriate since the negotiation is complete, and we only |
| 189 ** know SSL 3.x. |
| 190 @@ -5430,42 +5455,39 @@ ssl3_HandleCertificateRequest(sslSocket |
| 191 PRBool isTLS = PR_FALSE; |
| 192 int i; |
| 193 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST; |
| 194 int nnames = 0; |
| 195 SECStatus rv; |
| 196 SSL3AlertDescription desc = illegal_parameter; |
| 197 SECItem cert_types = {siBuffer, NULL, 0}; |
| 198 CERTDistNames ca_list; |
| 199 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 200 + CERTCertList * platform_cert_list = NULL; |
| 201 + CERTCertListNode * certNode = NULL; |
| 202 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 203 |
| 204 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
| 205 SSL_GETPID(), ss->fd)); |
| 206 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 207 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 208 |
| 209 if (ss->ssl3.hs.ws != wait_cert_request && |
| 210 ss->ssl3.hs.ws != wait_server_key) { |
| 211 desc = unexpected_message; |
| 212 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST; |
| 213 goto alert_loser; |
| 214 } |
| 215 |
| 216 - /* clean up anything left from previous handshake. */ |
| 217 - if (ss->ssl3.clientCertChain != NULL) { |
| 218 - CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
| 219 - ss->ssl3.clientCertChain = NULL; |
| 220 - } |
| 221 - if (ss->ssl3.clientCertificate != NULL) { |
| 222 - CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 223 - ss->ssl3.clientCertificate = NULL; |
| 224 - } |
| 225 - if (ss->ssl3.clientPrivateKey != NULL) { |
| 226 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 227 - ss->ssl3.clientPrivateKey = NULL; |
| 228 - } |
| 229 + PORT_Assert(ss->ssl3.clientCertChain == NULL); |
| 230 + PORT_Assert(ss->ssl3.clientCertificate == NULL); |
| 231 + PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
| 232 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 233 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
| 234 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 235 |
| 236 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 237 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); |
| 238 if (rv != SECSuccess) |
| 239 goto loser; /* malformed, alert has been sent */ |
| 240 |
| 241 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 242 if (arena == NULL) |
| 243 @@ -5522,31 +5544,82 @@ ssl3_HandleCertificateRequest(sslSocket |
| 244 } |
| 245 |
| 246 if (length != 0) |
| 247 goto alert_loser; /* malformed */ |
| 248 |
| 249 desc = no_certificate; |
| 250 ss->ssl3.hs.ws = wait_hello_done; |
| 251 |
| 252 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 253 + if (ss->getPlatformClientAuthData == NULL) { |
| 254 + rv = SECFailure; /* force it to send a no_certificate alert */ |
| 255 + } else { |
| 256 + /* XXX Should pass cert_types in this call!! */ |
| 257 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
| 258 + ss->getPlatformClientAuthDataArg, |
| 259 + ss->fd, &ca_list, |
| 260 + &platform_cert_list, |
| 261 + (void**)&ss->ssl3.platformClientKey); |
| 262 + } |
| 263 +#else |
| 264 if (ss->getClientAuthData == NULL) { |
| 265 rv = SECFailure; /* force it to send a no_certificate alert */ |
| 266 } else { |
| 267 /* XXX Should pass cert_types in this call!! */ |
| 268 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, |
| 269 ss->fd, &ca_list, |
| 270 &ss->ssl3.clientCertificate, |
| 271 &ss->ssl3.clientPrivateKey); |
| 272 } |
| 273 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 274 switch (rv) { |
| 275 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
| 276 ssl_SetAlwaysBlock(ss); |
| 277 break; /* not an error */ |
| 278 |
| 279 case SECSuccess: |
| 280 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 281 + if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) || |
| 282 + !ss->ssl3.platformClientKey) { |
| 283 + if (platform_cert_list) { |
| 284 + CERT_DestroyCertList(platform_cert_list); |
| 285 + platform_cert_list = NULL; |
| 286 + } |
| 287 + if (ss->ssl3.platformClientKey) { |
| 288 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 289 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 290 + } |
| 291 + goto send_no_certificate; |
| 292 + } |
| 293 + |
| 294 + certNode = CERT_LIST_HEAD(platform_cert_list); |
| 295 + ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert); |
| 296 + |
| 297 + /* Setting ssl3.clientCertChain non-NULL will cause |
| 298 + * ssl3_HandleServerHelloDone to call SendCertificate. |
| 299 + * Note: clientCertChain should include the EE cert as |
| 300 + * clientCertificate is ignored during the actual sending |
| 301 + */ |
| 302 + ss->ssl3.clientCertChain = |
| 303 + hack_NewCertificateListFromCertList(platform_cert_list); |
| 304 + CERT_DestroyCertList(platform_cert_list); |
| 305 + platform_cert_list = NULL; |
| 306 + if (ss->ssl3.clientCertChain == NULL) { |
| 307 + if (ss->ssl3.clientCertificate != NULL) { |
| 308 + CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 309 + ss->ssl3.clientCertificate = NULL; |
| 310 + } |
| 311 + if (ss->ssl3.platformClientKey) { |
| 312 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 313 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 314 + } |
| 315 + goto send_no_certificate; |
| 316 + } |
| 317 +#else |
| 318 /* check what the callback function returned */ |
| 319 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
| 320 /* we are missing either the key or cert */ |
| 321 if (ss->ssl3.clientCertificate) { |
| 322 /* got a cert, but no key - free it */ |
| 323 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 324 ss->ssl3.clientCertificate = NULL; |
| 325 } |
| 326 @@ -5569,16 +5642,17 @@ ssl3_HandleCertificateRequest(sslSocket |
| 327 ss->ssl3.clientCertificate = NULL; |
| 328 } |
| 329 if (ss->ssl3.clientPrivateKey != NULL) { |
| 330 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 331 ss->ssl3.clientPrivateKey = NULL; |
| 332 } |
| 333 goto send_no_certificate; |
| 334 } |
| 335 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 336 break; /* not an error */ |
| 337 |
| 338 case SECFailure: |
| 339 default: |
| 340 send_no_certificate: |
| 341 if (isTLS) { |
| 342 ss->ssl3.sendEmptyCert = PR_TRUE; |
| 343 } else { |
| 344 @@ -5599,16 +5673,20 @@ alert_loser: |
| 345 desc = decode_error; |
| 346 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| 347 loser: |
| 348 PORT_SetError(errCode); |
| 349 rv = SECFailure; |
| 350 done: |
| 351 if (arena != NULL) |
| 352 PORT_FreeArena(arena, PR_FALSE); |
| 353 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 354 + if (platform_cert_list) |
| 355 + CERT_DestroyCertList(platform_cert_list); |
| 356 +#endif |
| 357 return rv; |
| 358 } |
| 359 |
| 360 /* |
| 361 * attempt to restart the handshake after asynchronously handling |
| 362 * a request for the client's certificate. |
| 363 * |
| 364 * inputs: |
| 365 @@ -5697,24 +5775,35 @@ ssl3_HandleServerHelloDone(sslSocket *ss |
| 366 if (ss->ssl3.sendEmptyCert) { |
| 367 ss->ssl3.sendEmptyCert = PR_FALSE; |
| 368 rv = ssl3_SendEmptyCertificate(ss); |
| 369 /* Don't send verify */ |
| 370 if (rv != SECSuccess) { |
| 371 goto loser; /* error code is set. */ |
| 372 } |
| 373 } else |
| 374 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 375 + if (ss->ssl3.clientCertChain != NULL && |
| 376 + ss->ssl3.platformClientKey) { |
| 377 + send_verify = PR_TRUE; |
| 378 + rv = ssl3_SendCertificate(ss); |
| 379 + if (rv != SECSuccess) { |
| 380 + goto loser; /* error code is set. */ |
| 381 + } |
| 382 + } |
| 383 +#else |
| 384 if (ss->ssl3.clientCertChain != NULL && |
| 385 ss->ssl3.clientPrivateKey != NULL) { |
| 386 send_verify = PR_TRUE; |
| 387 rv = ssl3_SendCertificate(ss); |
| 388 if (rv != SECSuccess) { |
| 389 goto loser; /* error code is set. */ |
| 390 } |
| 391 } |
| 392 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 393 |
| 394 rv = ssl3_SendClientKeyExchange(ss); |
| 395 if (rv != SECSuccess) { |
| 396 goto loser; /* err is set. */ |
| 397 } |
| 398 |
| 399 if (send_verify) { |
| 400 rv = ssl3_SendCertificateVerify(ss); |
| 401 @@ -9426,16 +9515,20 @@ void |
| 402 ssl3_DestroySSL3Info(sslSocket *ss) |
| 403 { |
| 404 |
| 405 if (ss->ssl3.clientCertificate != NULL) |
| 406 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 407 |
| 408 if (ss->ssl3.clientPrivateKey != NULL) |
| 409 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 410 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 411 + if (ss->ssl3.platformClientKey) |
| 412 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 413 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 414 |
| 415 if (ss->ssl3.peerCertArena != NULL) |
| 416 ssl3_CleanupPeerCerts(ss); |
| 417 |
| 418 if (ss->ssl3.clientCertChain != NULL) { |
| 419 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
| 420 ss->ssl3.clientCertChain = NULL; |
| 421 } |
| 422 Index: mozilla/security/nss/lib/ssl/ssl3ext.c |
| 423 =================================================================== |
| 424 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v |
| 425 retrieving revision 1.14 |
| 426 diff -p -u -8 -r1.14 ssl3ext.c |
| 427 --- mozilla/security/nss/lib/ssl/ssl3ext.c 3 Apr 2010 19:19:07 -0000
1.14 |
| 428 +++ mozilla/security/nss/lib/ssl/ssl3ext.c 16 Feb 2011 02:40:21 -0000 |
| 429 @@ -41,18 +41,18 @@ |
| 430 * ***** END LICENSE BLOCK ***** */ |
| 431 |
| 432 /* TLS extension code moved here from ssl3ecc.c */ |
| 433 /* $Id: ssl3ext.c,v 1.14 2010/04/03 19:19:07 nelson%bolyard.com Exp $ */ |
| 434 |
| 435 #include "nssrenam.h" |
| 436 #include "nss.h" |
| 437 #include "ssl.h" |
| 438 -#include "sslproto.h" |
| 439 #include "sslimpl.h" |
| 440 +#include "sslproto.h" |
| 441 #include "pk11pub.h" |
| 442 #include "blapi.h" |
| 443 #include "prinit.h" |
| 444 |
| 445 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; |
| 446 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; |
| 447 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; |
| 448 |
| 449 Index: mozilla/security/nss/lib/ssl/sslauth.c |
| 450 =================================================================== |
| 451 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v |
| 452 retrieving revision 1.16 |
| 453 diff -p -u -8 -r1.16 sslauth.c |
| 454 --- mozilla/security/nss/lib/ssl/sslauth.c 20 Apr 2006 00:20:45 -0000
1.16 |
| 455 +++ mozilla/security/nss/lib/ssl/sslauth.c 16 Feb 2011 02:40:21 -0000 |
| 456 @@ -204,16 +204,38 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
| 457 return SECFailure; |
| 458 } |
| 459 |
| 460 ss->getClientAuthData = func; |
| 461 ss->getClientAuthDataArg = arg; |
| 462 return SECSuccess; |
| 463 } |
| 464 |
| 465 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 466 +/* NEED LOCKS IN HERE. */ |
| 467 +SECStatus |
| 468 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
| 469 + SSLGetPlatformClientAuthData func, |
| 470 + void *arg) |
| 471 +{ |
| 472 + sslSocket *ss; |
| 473 + |
| 474 + ss = ssl_FindSocket(s); |
| 475 + if (!ss) { |
| 476 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", |
| 477 + SSL_GETPID(), s)); |
| 478 + return SECFailure; |
| 479 + } |
| 480 + |
| 481 + ss->getPlatformClientAuthData = func; |
| 482 + ss->getPlatformClientAuthDataArg = arg; |
| 483 + return SECSuccess; |
| 484 +} |
| 485 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 486 + |
| 487 /* NEED LOCKS IN HERE. */ |
| 488 SECStatus |
| 489 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
| 490 { |
| 491 sslSocket *ss; |
| 492 |
| 493 ss = ssl_FindSocket(s); |
| 494 if (!ss) { |
| 495 Index: mozilla/security/nss/lib/ssl/sslimpl.h |
| 496 =================================================================== |
| 497 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v |
| 498 retrieving revision 1.77 |
| 499 diff -p -u -8 -r1.77 sslimpl.h |
| 500 --- mozilla/security/nss/lib/ssl/sslimpl.h 10 Feb 2010 00:33:50 -0000
1.77 |
| 501 +++ mozilla/security/nss/lib/ssl/sslimpl.h 16 Feb 2011 02:40:21 -0000 |
| 502 @@ -60,16 +60,25 @@ |
| 503 #if defined(XP_UNIX) || defined(XP_BEOS) |
| 504 #include "unistd.h" |
| 505 #endif |
| 506 #include "nssrwlk.h" |
| 507 #include "prthread.h" |
| 508 |
| 509 #include "sslt.h" /* for some formerly private types, now public */ |
| 510 |
| 511 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 512 +#if defined(XP_WIN32) |
| 513 +#include <windows.h> |
| 514 +#include <wincrypt.h> |
| 515 +#elif defined(XP_MACOSX) |
| 516 +#include <Security/Security.h> |
| 517 +#endif |
| 518 +#endif |
| 519 + |
| 520 /* to make some of these old enums public without namespace pollution, |
| 521 ** it was necessary to prepend ssl_ to the names. |
| 522 ** These #defines preserve compatibility with the old code here in libssl. |
| 523 */ |
| 524 typedef SSLKEAType SSL3KEAType; |
| 525 typedef SSLMACAlgorithm SSL3MACAlgorithm; |
| 526 typedef SSLSignType SSL3SignType; |
| 527 |
| 528 @@ -782,16 +791,25 @@ const ssl3CipherSuiteDef *suite_def; |
| 529 SSL3Hashes sFinished[2]; |
| 530 SSL3Opaque data[72]; |
| 531 } finishedMsgs; |
| 532 #ifdef NSS_ENABLE_ECC |
| 533 PRUint32 negotiatedECCurves; /* bit mask */ |
| 534 #endif /* NSS_ENABLE_ECC */ |
| 535 } SSL3HandshakeState; |
| 536 |
| 537 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 538 +#if defined(XP_WIN32) |
| 539 +typedef PCERT_KEY_CONTEXT PlatformKey; |
| 540 +#elif defined(XP_MACOSX) |
| 541 +typedef SecKeyRef PlatformKey; |
| 542 +#else |
| 543 +typedef void *PlatformKey; |
| 544 +#endif |
| 545 +#endif |
| 546 |
| 547 |
| 548 /* |
| 549 ** This is the "ssl3" struct, as in "ss->ssl3". |
| 550 ** note: |
| 551 ** usually, crSpec == cwSpec and prSpec == pwSpec. |
| 552 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec. |
| 553 ** But there are never more than 2 actual specs. |
| 554 @@ -805,16 +823,19 @@ struct ssl3StateStr { |
| 555 */ |
| 556 ssl3CipherSpec * crSpec; /* current read spec. */ |
| 557 ssl3CipherSpec * prSpec; /* pending read spec. */ |
| 558 ssl3CipherSpec * cwSpec; /* current write spec. */ |
| 559 ssl3CipherSpec * pwSpec; /* pending write spec. */ |
| 560 |
| 561 CERTCertificate * clientCertificate; /* used by client */ |
| 562 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
| 563 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 564 + PlatformKey platformClientKey; /* used by client */ |
| 565 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 566 CERTCertificateList *clientCertChain; /* used by client */ |
| 567 PRBool sendEmptyCert; /* used by client */ |
| 568 |
| 569 int policy; |
| 570 /* This says what cipher suites we can do, and should |
| 571 * be either SSL_ALLOWED or SSL_RESTRICTED |
| 572 */ |
| 573 PRArenaPool * peerCertArena; |
| 574 @@ -1045,16 +1066,20 @@ const unsigned char * preferredCipher; |
| 575 |
| 576 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */ |
| 577 |
| 578 /* Callbacks */ |
| 579 SSLAuthCertificate authCertificate; |
| 580 void *authCertificateArg; |
| 581 SSLGetClientAuthData getClientAuthData; |
| 582 void *getClientAuthDataArg; |
| 583 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 584 + SSLGetPlatformClientAuthData getPlatformClientAuthData; |
| 585 + void *getPlatformClientAuthDataArg; |
| 586 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 587 SSLSNISocketConfig sniSocketConfig; |
| 588 void *sniSocketConfigArg; |
| 589 SSLBadCertHandler handleBadCert; |
| 590 void *badCertArg; |
| 591 SSLHandshakeCallback handshakeCallback; |
| 592 void *handshakeCallbackData; |
| 593 void *pkcs11PinArg; |
| 594 |
| 595 @@ -1587,16 +1612,36 @@ extern SECStatus SSL3_ShutdownServerCach |
| 596 extern SECStatus ssl_InitSymWrapKeysLock(void); |
| 597 |
| 598 extern SECStatus ssl_FreeSymWrapKeysLock(void); |
| 599 |
| 600 extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); |
| 601 |
| 602 extern SECStatus ssl_FreeSessionCacheLocks(void); |
| 603 |
| 604 +/***************** platform client auth ****************/ |
| 605 + |
| 606 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 607 +// Releases the platform key. |
| 608 +extern void ssl_FreePlatformKey(PlatformKey key); |
| 609 + |
| 610 +// Implement the client CertificateVerify message for SSL3/TLS1.0 |
| 611 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
| 612 + PlatformKey key, SECItem *buf, |
| 613 + PRBool isTLS); |
| 614 + |
| 615 +// Converts a CERTCertList* (A collection of CERTCertificates) into a |
| 616 +// CERTCertificateList* (A collection of SECItems), or returns NULL if |
| 617 +// it cannot be converted. |
| 618 +// This is to allow the platform-supplied chain to be created with purely |
| 619 +// public API functions, using the preferred CERTCertList mutators, rather |
| 620 +// pushing this hack to clients. |
| 621 +extern CERTCertificateList* hack_NewCertificateListFromCertList( |
| 622 + CERTCertList* list); |
| 623 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 624 |
| 625 /********************** misc calls *********************/ |
| 626 |
| 627 extern int ssl_MapLowLevelError(int hiLevelError); |
| 628 |
| 629 extern PRUint32 ssl_Time(void); |
| 630 |
| 631 extern void SSL_AtomicIncrementLong(long * x); |
| 632 Index: mozilla/security/nss/lib/ssl/sslsock.c |
| 633 =================================================================== |
| 634 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v |
| 635 retrieving revision 1.67 |
| 636 diff -p -u -8 -r1.67 sslsock.c |
| 637 --- mozilla/security/nss/lib/ssl/sslsock.c 25 Apr 2010 23:37:38 -0000
1.67 |
| 638 +++ mozilla/security/nss/lib/ssl/sslsock.c 16 Feb 2011 02:40:21 -0000 |
| 639 @@ -329,16 +329,20 @@ ssl_DupSocket(sslSocket *os) |
| 640 /* |
| 641 * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. |
| 642 * XXX We should detect this, and not just march on with NULL pointers. |
| 643 */ |
| 644 ss->authCertificate = os->authCertificate; |
| 645 ss->authCertificateArg = os->authCertificateArg; |
| 646 ss->getClientAuthData = os->getClientAuthData; |
| 647 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
| 648 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 649 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
| 650 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; |
| 651 +#endif |
| 652 ss->sniSocketConfig = os->sniSocketConfig; |
| 653 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
| 654 ss->handleBadCert = os->handleBadCert; |
| 655 ss->badCertArg = os->badCertArg; |
| 656 ss->handshakeCallback = os->handshakeCallback; |
| 657 ss->handshakeCallbackData = os->handshakeCallbackData; |
| 658 ss->pkcs11PinArg = os->pkcs11PinArg; |
| 659 |
| 660 @@ -1338,16 +1342,22 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
| 661 if (sm->authCertificate) |
| 662 ss->authCertificate = sm->authCertificate; |
| 663 if (sm->authCertificateArg) |
| 664 ss->authCertificateArg = sm->authCertificateArg; |
| 665 if (sm->getClientAuthData) |
| 666 ss->getClientAuthData = sm->getClientAuthData; |
| 667 if (sm->getClientAuthDataArg) |
| 668 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
| 669 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 670 + if (sm->getPlatformClientAuthData) |
| 671 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
| 672 + if (sm->getPlatformClientAuthDataArg) |
| 673 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
| 674 +#endif |
| 675 if (sm->sniSocketConfig) |
| 676 ss->sniSocketConfig = sm->sniSocketConfig; |
| 677 if (sm->sniSocketConfigArg) |
| 678 ss->sniSocketConfigArg = sm->sniSocketConfigArg; |
| 679 if (sm->handleBadCert) |
| 680 ss->handleBadCert = sm->handleBadCert; |
| 681 if (sm->badCertArg) |
| 682 ss->badCertArg = sm->badCertArg; |
| 683 @@ -2350,16 +2360,20 @@ ssl_NewSocket(PRBool makeLocks) |
| 684 ss->dbHandle = CERT_GetDefaultCertDB(); |
| 685 |
| 686 /* Provide default implementation of hooks */ |
| 687 ss->authCertificate = SSL_AuthCertificate; |
| 688 ss->authCertificateArg = (void *)ss->dbHandle; |
| 689 ss->sniSocketConfig = NULL; |
| 690 ss->sniSocketConfigArg = NULL; |
| 691 ss->getClientAuthData = NULL; |
| 692 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 693 + ss->getPlatformClientAuthData = NULL; |
| 694 + ss->getPlatformClientAuthDataArg = NULL; |
| 695 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 696 ss->handleBadCert = NULL; |
| 697 ss->badCertArg = NULL; |
| 698 ss->pkcs11PinArg = NULL; |
| 699 |
| 700 ssl_ChooseOps(ss); |
| 701 ssl2_InitSocketPolicy(ss); |
| 702 ssl3_InitSocketPolicy(ss); |
| 703 |
OLD | NEW |