Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2755)

Unified Diff: net/third_party/nss/patches/clientauth.patch

Issue 6528039: Add the NSS patch for SSL client auth with native crypto APIs on Mac... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Remove the question mark line from the patch Created 9 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/third_party/nss/README.chromium ('k') | net/third_party/nss/patches/dheclientauth.patch » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/clientauth.patch
===================================================================
--- net/third_party/nss/patches/clientauth.patch (revision 0)
+++ net/third_party/nss/patches/clientauth.patch (revision 0)
@@ -0,0 +1,703 @@
+Index: mozilla/security/nss/lib/ssl/ssl.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v
+retrieving revision 1.38
+diff -p -u -8 -r1.38 ssl.h
+--- mozilla/security/nss/lib/ssl/ssl.h 17 Feb 2010 02:29:07 -0000 1.38
++++ mozilla/security/nss/lib/ssl/ssl.h 16 Feb 2011 02:40:21 -0000
+@@ -275,16 +275,49 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
+ * and certificate.
+ * fd - the file descriptor for the connection in question
+ * f - the application's callback that delivers the key and cert
+ * a - application specific data
+ */
+ SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
+ SSLGetClientAuthData f, void *a);
+
++/*
++ * Prototype for SSL callback to get client auth data from the application,
++ * when using the underlying platform's cryptographic primitives. Returning
++ * SECFailure will cause the socket to send no client certificate.
++ * arg - application passed argument
++ * caNames - pointer to distinguished names of CAs that the server likes
++ * pRetCerts - pointer to pointer to list of certs, with the first being
++ * the client cert, and any following being used for chain
++ * building
++ * pRetKey - pointer to native key pointer, for return of key
++ * - Windows: A pointer to a PCERT_KEY_CONTEXT that was allocated
++ * via PORT_Alloc(). Ownership of the PCERT_KEY_CONTEXT
++ * is transferred to NSS, which will free via
++ * PORT_Free().
++ * - Mac OS X: A pointer to a SecKeyRef. Ownership is
++ * transferred to NSS, which will free via CFRelease().
++ */
++typedef SECStatus (PR_CALLBACK *SSLGetPlatformClientAuthData)(void *arg,
++ PRFileDesc *fd,
++ CERTDistNames *caNames,
++ CERTCertList **pRetCerts,/*return */
++ void **pRetKey);/* return */
++
++/*
++ * Set the client side callback for SSL to retrieve user's private key
++ * and certificate.
++ * fd - the file descriptor for the connection in question
++ * f - the application's callback that delivers the key and cert
++ * a - application specific data
++ */
++SSL_IMPORT SECStatus
++SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd,
++ SSLGetPlatformClientAuthData f, void *a);
+
+ /*
+ ** SNI extension processing callback function.
+ ** It is called when SSL socket receives SNI extension in ClientHello message.
+ ** Upon this callback invocation, application is responsible to reconfigure the
+ ** socket with the data for a particular server name.
+ ** There are three potential outcomes of this function invocation:
+ ** * application does not recognize the name or the type and wants the
+Index: mozilla/security/nss/lib/ssl/ssl3con.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
+retrieving revision 1.142
+diff -p -u -8 -r1.142 ssl3con.c
+--- mozilla/security/nss/lib/ssl/ssl3con.c 24 Jun 2010 19:53:20 -0000 1.142
++++ mozilla/security/nss/lib/ssl/ssl3con.c 16 Feb 2011 02:40:21 -0000
+@@ -2007,16 +2007,19 @@ ssl3_ComputeRecordMAC(
+ rv = SECFailure;
+ ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+ }
+ return rv;
+ }
+
+ static PRBool
+ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ return PR_TRUE;
++#else
+ PK11SlotInfo *slot = NULL;
+ PRBool isPresent = PR_TRUE;
+
+ /* we only care if we are doing client auth */
+ if (!sid || !sid->u.ssl3.clAuthValid) {
+ return PR_TRUE;
+ }
+
+@@ -2030,16 +2033,17 @@ ssl3_ClientAuthTokenPresent(sslSessionID
+ sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ||
+ (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
+ isPresent = PR_FALSE;
+ }
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
+ return isPresent;
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+ }
+
+ static SECStatus
+ ssl3_CompressMACEncryptRecord(sslSocket * ss,
+ SSL3ContentType type,
+ const SSL3Opaque * pIn,
+ PRUint32 contentLen)
+ {
+@@ -4812,40 +4816,41 @@ ssl3_SendCertificateVerify(sslSocket *ss
+ ssl_GetSpecReadLock(ss);
+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
+ ssl_ReleaseSpecReadLock(ss);
+ if (rv != SECSuccess) {
+ goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
+ }
+
+ isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
++ &buf, isTLS);
++ ssl_FreePlatformKey(ss->ssl3.platformClientKey);
++ ss->ssl3.platformClientKey = (PlatformKey)NULL;
++#else /* NSS_PLATFORM_CLIENT_AUTH */
+ rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
+ if (rv == SECSuccess) {
+ PK11SlotInfo * slot;
+ sslSessionID * sid = ss->sec.ci.sid;
+
+ /* Remember the info about the slot that did the signing.
+ ** Later, when doing an SSL restart handshake, verify this.
+ ** These calls are mere accessors, and can't fail.
+ */
+ slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
+ sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
+ sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
+ sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
+ sid->u.ssl3.clAuthValid = PR_TRUE;
+ PK11_FreeSlot(slot);
+ }
+- /* If we're doing RSA key exchange, we're all done with the private key
+- * here. Diffie-Hellman key exchanges need the client's
+- * private key for the key exchange.
+- */
+- if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
+- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+- ss->ssl3.clientPrivateKey = NULL;
+- }
++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++ ss->ssl3.clientPrivateKey = NULL;
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+ if (rv != SECSuccess) {
+ goto done; /* err code was set by ssl3_SignHashes */
+ }
+
+ rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
+ if (rv != SECSuccess) {
+ goto done; /* error code set by AppendHandshake */
+ }
+@@ -4890,16 +4895,36 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+ goto alert_loser;
+ }
+ if (ss->ssl3.hs.ws != wait_server_hello) {
+ errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
+ desc = unexpected_message;
+ goto alert_loser;
+ }
+
++ /* clean up anything left from previous handshake. */
++ if (ss->ssl3.clientCertChain != NULL) {
++ CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
++ ss->ssl3.clientCertChain = NULL;
++ }
++ if (ss->ssl3.clientCertificate != NULL) {
++ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
++ ss->ssl3.clientCertificate = NULL;
++ }
++ if (ss->ssl3.clientPrivateKey != NULL) {
++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++ ss->ssl3.clientPrivateKey = NULL;
++ }
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ if (ss->ssl3.platformClientKey) {
++ ssl_FreePlatformKey(ss->ssl3.platformClientKey);
++ ss->ssl3.platformClientKey = (PlatformKey)NULL;
++ }
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
++
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+ if (temp < 0) {
+ goto loser; /* alert has been sent */
+ }
+ version = (SSL3ProtocolVersion)temp;
+
+ /* this is appropriate since the negotiation is complete, and we only
+ ** know SSL 3.x.
+@@ -5430,42 +5455,39 @@ ssl3_HandleCertificateRequest(sslSocket
+ PRBool isTLS = PR_FALSE;
+ int i;
+ int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
+ int nnames = 0;
+ SECStatus rv;
+ SSL3AlertDescription desc = illegal_parameter;
+ SECItem cert_types = {siBuffer, NULL, 0};
+ CERTDistNames ca_list;
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ CERTCertList * platform_cert_list = NULL;
++ CERTCertListNode * certNode = NULL;
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+
+ SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
+ SSL_GETPID(), ss->fd));
+ PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+ if (ss->ssl3.hs.ws != wait_cert_request &&
+ ss->ssl3.hs.ws != wait_server_key) {
+ desc = unexpected_message;
+ errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
+ goto alert_loser;
+ }
+
+- /* clean up anything left from previous handshake. */
+- if (ss->ssl3.clientCertChain != NULL) {
+- CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
+- ss->ssl3.clientCertChain = NULL;
+- }
+- if (ss->ssl3.clientCertificate != NULL) {
+- CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+- ss->ssl3.clientCertificate = NULL;
+- }
+- if (ss->ssl3.clientPrivateKey != NULL) {
+- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+- ss->ssl3.clientPrivateKey = NULL;
+- }
++ PORT_Assert(ss->ssl3.clientCertChain == NULL);
++ PORT_Assert(ss->ssl3.clientCertificate == NULL);
++ PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+
+ isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+ rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
+ if (rv != SECSuccess)
+ goto loser; /* malformed, alert has been sent */
+
+ arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+@@ -5522,31 +5544,82 @@ ssl3_HandleCertificateRequest(sslSocket
+ }
+
+ if (length != 0)
+ goto alert_loser; /* malformed */
+
+ desc = no_certificate;
+ ss->ssl3.hs.ws = wait_hello_done;
+
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ if (ss->getPlatformClientAuthData == NULL) {
++ rv = SECFailure; /* force it to send a no_certificate alert */
++ } else {
++ /* XXX Should pass cert_types in this call!! */
++ rv = (SECStatus)(*ss->getPlatformClientAuthData)(
++ ss->getPlatformClientAuthDataArg,
++ ss->fd, &ca_list,
++ &platform_cert_list,
++ (void**)&ss->ssl3.platformClientKey);
++ }
++#else
+ if (ss->getClientAuthData == NULL) {
+ rv = SECFailure; /* force it to send a no_certificate alert */
+ } else {
+ /* XXX Should pass cert_types in this call!! */
+ rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
+ ss->fd, &ca_list,
+ &ss->ssl3.clientCertificate,
+ &ss->ssl3.clientPrivateKey);
+ }
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+ switch (rv) {
+ case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
+ ssl_SetAlwaysBlock(ss);
+ break; /* not an error */
+
+ case SECSuccess:
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
++ !ss->ssl3.platformClientKey) {
++ if (platform_cert_list) {
++ CERT_DestroyCertList(platform_cert_list);
++ platform_cert_list = NULL;
++ }
++ if (ss->ssl3.platformClientKey) {
++ ssl_FreePlatformKey(ss->ssl3.platformClientKey);
++ ss->ssl3.platformClientKey = (PlatformKey)NULL;
++ }
++ goto send_no_certificate;
++ }
++
++ certNode = CERT_LIST_HEAD(platform_cert_list);
++ ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert);
++
++ /* Setting ssl3.clientCertChain non-NULL will cause
++ * ssl3_HandleServerHelloDone to call SendCertificate.
++ * Note: clientCertChain should include the EE cert as
++ * clientCertificate is ignored during the actual sending
++ */
++ ss->ssl3.clientCertChain =
++ hack_NewCertificateListFromCertList(platform_cert_list);
++ CERT_DestroyCertList(platform_cert_list);
++ platform_cert_list = NULL;
++ if (ss->ssl3.clientCertChain == NULL) {
++ if (ss->ssl3.clientCertificate != NULL) {
++ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
++ ss->ssl3.clientCertificate = NULL;
++ }
++ if (ss->ssl3.platformClientKey) {
++ ssl_FreePlatformKey(ss->ssl3.platformClientKey);
++ ss->ssl3.platformClientKey = (PlatformKey)NULL;
++ }
++ goto send_no_certificate;
++ }
++#else
+ /* check what the callback function returned */
+ if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
+ /* we are missing either the key or cert */
+ if (ss->ssl3.clientCertificate) {
+ /* got a cert, but no key - free it */
+ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+ ss->ssl3.clientCertificate = NULL;
+ }
+@@ -5569,16 +5642,17 @@ ssl3_HandleCertificateRequest(sslSocket
+ ss->ssl3.clientCertificate = NULL;
+ }
+ if (ss->ssl3.clientPrivateKey != NULL) {
+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+ ss->ssl3.clientPrivateKey = NULL;
+ }
+ goto send_no_certificate;
+ }
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+ break; /* not an error */
+
+ case SECFailure:
+ default:
+ send_no_certificate:
+ if (isTLS) {
+ ss->ssl3.sendEmptyCert = PR_TRUE;
+ } else {
+@@ -5599,16 +5673,20 @@ alert_loser:
+ desc = decode_error;
+ (void)SSL3_SendAlert(ss, alert_fatal, desc);
+ loser:
+ PORT_SetError(errCode);
+ rv = SECFailure;
+ done:
+ if (arena != NULL)
+ PORT_FreeArena(arena, PR_FALSE);
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ if (platform_cert_list)
++ CERT_DestroyCertList(platform_cert_list);
++#endif
+ return rv;
+ }
+
+ /*
+ * attempt to restart the handshake after asynchronously handling
+ * a request for the client's certificate.
+ *
+ * inputs:
+@@ -5697,24 +5775,35 @@ ssl3_HandleServerHelloDone(sslSocket *ss
+ if (ss->ssl3.sendEmptyCert) {
+ ss->ssl3.sendEmptyCert = PR_FALSE;
+ rv = ssl3_SendEmptyCertificate(ss);
+ /* Don't send verify */
+ if (rv != SECSuccess) {
+ goto loser; /* error code is set. */
+ }
+ } else
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ if (ss->ssl3.clientCertChain != NULL &&
++ ss->ssl3.platformClientKey) {
++ send_verify = PR_TRUE;
++ rv = ssl3_SendCertificate(ss);
++ if (rv != SECSuccess) {
++ goto loser; /* error code is set. */
++ }
++ }
++#else
+ if (ss->ssl3.clientCertChain != NULL &&
+ ss->ssl3.clientPrivateKey != NULL) {
+ send_verify = PR_TRUE;
+ rv = ssl3_SendCertificate(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* error code is set. */
+ }
+ }
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+
+ rv = ssl3_SendClientKeyExchange(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* err is set. */
+ }
+
+ if (send_verify) {
+ rv = ssl3_SendCertificateVerify(ss);
+@@ -9426,16 +9515,20 @@ void
+ ssl3_DestroySSL3Info(sslSocket *ss)
+ {
+
+ if (ss->ssl3.clientCertificate != NULL)
+ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+
+ if (ss->ssl3.clientPrivateKey != NULL)
+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ if (ss->ssl3.platformClientKey)
++ ssl_FreePlatformKey(ss->ssl3.platformClientKey);
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+
+ if (ss->ssl3.peerCertArena != NULL)
+ ssl3_CleanupPeerCerts(ss);
+
+ if (ss->ssl3.clientCertChain != NULL) {
+ CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
+ ss->ssl3.clientCertChain = NULL;
+ }
+Index: mozilla/security/nss/lib/ssl/ssl3ext.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v
+retrieving revision 1.14
+diff -p -u -8 -r1.14 ssl3ext.c
+--- mozilla/security/nss/lib/ssl/ssl3ext.c 3 Apr 2010 19:19:07 -0000 1.14
++++ mozilla/security/nss/lib/ssl/ssl3ext.c 16 Feb 2011 02:40:21 -0000
+@@ -41,18 +41,18 @@
+ * ***** END LICENSE BLOCK ***** */
+
+ /* TLS extension code moved here from ssl3ecc.c */
+ /* $Id: ssl3ext.c,v 1.14 2010/04/03 19:19:07 nelson%bolyard.com Exp $ */
+
+ #include "nssrenam.h"
+ #include "nss.h"
+ #include "ssl.h"
+-#include "sslproto.h"
+ #include "sslimpl.h"
++#include "sslproto.h"
+ #include "pk11pub.h"
+ #include "blapi.h"
+ #include "prinit.h"
+
+ static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN];
+ static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL;
+ static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL;
+
+Index: mozilla/security/nss/lib/ssl/sslauth.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v
+retrieving revision 1.16
+diff -p -u -8 -r1.16 sslauth.c
+--- mozilla/security/nss/lib/ssl/sslauth.c 20 Apr 2006 00:20:45 -0000 1.16
++++ mozilla/security/nss/lib/ssl/sslauth.c 16 Feb 2011 02:40:21 -0000
+@@ -204,16 +204,38 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
+ return SECFailure;
+ }
+
+ ss->getClientAuthData = func;
+ ss->getClientAuthDataArg = arg;
+ return SECSuccess;
+ }
+
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++/* NEED LOCKS IN HERE. */
++SECStatus
++SSL_GetPlatformClientAuthDataHook(PRFileDesc *s,
++ SSLGetPlatformClientAuthData func,
++ void *arg)
++{
++ sslSocket *ss;
++
++ ss = ssl_FindSocket(s);
++ if (!ss) {
++ SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook",
++ SSL_GETPID(), s));
++ return SECFailure;
++ }
++
++ ss->getPlatformClientAuthData = func;
++ ss->getPlatformClientAuthDataArg = arg;
++ return SECSuccess;
++}
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
++
+ /* NEED LOCKS IN HERE. */
+ SECStatus
+ SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
+ {
+ sslSocket *ss;
+
+ ss = ssl_FindSocket(s);
+ if (!ss) {
+Index: mozilla/security/nss/lib/ssl/sslimpl.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v
+retrieving revision 1.77
+diff -p -u -8 -r1.77 sslimpl.h
+--- mozilla/security/nss/lib/ssl/sslimpl.h 10 Feb 2010 00:33:50 -0000 1.77
++++ mozilla/security/nss/lib/ssl/sslimpl.h 16 Feb 2011 02:40:21 -0000
+@@ -60,16 +60,25 @@
+ #if defined(XP_UNIX) || defined(XP_BEOS)
+ #include "unistd.h"
+ #endif
+ #include "nssrwlk.h"
+ #include "prthread.h"
+
+ #include "sslt.h" /* for some formerly private types, now public */
+
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++#if defined(XP_WIN32)
++#include <windows.h>
++#include <wincrypt.h>
++#elif defined(XP_MACOSX)
++#include <Security/Security.h>
++#endif
++#endif
++
+ /* to make some of these old enums public without namespace pollution,
+ ** it was necessary to prepend ssl_ to the names.
+ ** These #defines preserve compatibility with the old code here in libssl.
+ */
+ typedef SSLKEAType SSL3KEAType;
+ typedef SSLMACAlgorithm SSL3MACAlgorithm;
+ typedef SSLSignType SSL3SignType;
+
+@@ -782,16 +791,25 @@ const ssl3CipherSuiteDef *suite_def;
+ SSL3Hashes sFinished[2];
+ SSL3Opaque data[72];
+ } finishedMsgs;
+ #ifdef NSS_ENABLE_ECC
+ PRUint32 negotiatedECCurves; /* bit mask */
+ #endif /* NSS_ENABLE_ECC */
+ } SSL3HandshakeState;
+
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++#if defined(XP_WIN32)
++typedef PCERT_KEY_CONTEXT PlatformKey;
++#elif defined(XP_MACOSX)
++typedef SecKeyRef PlatformKey;
++#else
++typedef void *PlatformKey;
++#endif
++#endif
+
+
+ /*
+ ** This is the "ssl3" struct, as in "ss->ssl3".
+ ** note:
+ ** usually, crSpec == cwSpec and prSpec == pwSpec.
+ ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
+ ** But there are never more than 2 actual specs.
+@@ -805,16 +823,19 @@ struct ssl3StateStr {
+ */
+ ssl3CipherSpec * crSpec; /* current read spec. */
+ ssl3CipherSpec * prSpec; /* pending read spec. */
+ ssl3CipherSpec * cwSpec; /* current write spec. */
+ ssl3CipherSpec * pwSpec; /* pending write spec. */
+
+ CERTCertificate * clientCertificate; /* used by client */
+ SECKEYPrivateKey * clientPrivateKey; /* used by client */
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ PlatformKey platformClientKey; /* used by client */
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+ CERTCertificateList *clientCertChain; /* used by client */
+ PRBool sendEmptyCert; /* used by client */
+
+ int policy;
+ /* This says what cipher suites we can do, and should
+ * be either SSL_ALLOWED or SSL_RESTRICTED
+ */
+ PRArenaPool * peerCertArena;
+@@ -1045,16 +1066,20 @@ const unsigned char * preferredCipher;
+
+ ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
+
+ /* Callbacks */
+ SSLAuthCertificate authCertificate;
+ void *authCertificateArg;
+ SSLGetClientAuthData getClientAuthData;
+ void *getClientAuthDataArg;
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ SSLGetPlatformClientAuthData getPlatformClientAuthData;
++ void *getPlatformClientAuthDataArg;
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+ SSLSNISocketConfig sniSocketConfig;
+ void *sniSocketConfigArg;
+ SSLBadCertHandler handleBadCert;
+ void *badCertArg;
+ SSLHandshakeCallback handshakeCallback;
+ void *handshakeCallbackData;
+ void *pkcs11PinArg;
+
+@@ -1587,16 +1612,36 @@ extern SECStatus SSL3_ShutdownServerCach
+ extern SECStatus ssl_InitSymWrapKeysLock(void);
+
+ extern SECStatus ssl_FreeSymWrapKeysLock(void);
+
+ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
+
+ extern SECStatus ssl_FreeSessionCacheLocks(void);
+
++/***************** platform client auth ****************/
++
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++// Releases the platform key.
++extern void ssl_FreePlatformKey(PlatformKey key);
++
++// Implement the client CertificateVerify message for SSL3/TLS1.0
++extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
++ PlatformKey key, SECItem *buf,
++ PRBool isTLS);
++
++// Converts a CERTCertList* (A collection of CERTCertificates) into a
++// CERTCertificateList* (A collection of SECItems), or returns NULL if
++// it cannot be converted.
++// This is to allow the platform-supplied chain to be created with purely
++// public API functions, using the preferred CERTCertList mutators, rather
++// pushing this hack to clients.
++extern CERTCertificateList* hack_NewCertificateListFromCertList(
++ CERTCertList* list);
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+
+ /********************** misc calls *********************/
+
+ extern int ssl_MapLowLevelError(int hiLevelError);
+
+ extern PRUint32 ssl_Time(void);
+
+ extern void SSL_AtomicIncrementLong(long * x);
+Index: mozilla/security/nss/lib/ssl/sslsock.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
+retrieving revision 1.67
+diff -p -u -8 -r1.67 sslsock.c
+--- mozilla/security/nss/lib/ssl/sslsock.c 25 Apr 2010 23:37:38 -0000 1.67
++++ mozilla/security/nss/lib/ssl/sslsock.c 16 Feb 2011 02:40:21 -0000
+@@ -329,16 +329,20 @@ ssl_DupSocket(sslSocket *os)
+ /*
+ * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
+ * XXX We should detect this, and not just march on with NULL pointers.
+ */
+ ss->authCertificate = os->authCertificate;
+ ss->authCertificateArg = os->authCertificateArg;
+ ss->getClientAuthData = os->getClientAuthData;
+ ss->getClientAuthDataArg = os->getClientAuthDataArg;
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ ss->getPlatformClientAuthData = os->getPlatformClientAuthData;
++ ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg;
++#endif
+ ss->sniSocketConfig = os->sniSocketConfig;
+ ss->sniSocketConfigArg = os->sniSocketConfigArg;
+ ss->handleBadCert = os->handleBadCert;
+ ss->badCertArg = os->badCertArg;
+ ss->handshakeCallback = os->handshakeCallback;
+ ss->handshakeCallbackData = os->handshakeCallbackData;
+ ss->pkcs11PinArg = os->pkcs11PinArg;
+
+@@ -1338,16 +1342,22 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+ if (sm->authCertificate)
+ ss->authCertificate = sm->authCertificate;
+ if (sm->authCertificateArg)
+ ss->authCertificateArg = sm->authCertificateArg;
+ if (sm->getClientAuthData)
+ ss->getClientAuthData = sm->getClientAuthData;
+ if (sm->getClientAuthDataArg)
+ ss->getClientAuthDataArg = sm->getClientAuthDataArg;
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ if (sm->getPlatformClientAuthData)
++ ss->getPlatformClientAuthData = sm->getPlatformClientAuthData;
++ if (sm->getPlatformClientAuthDataArg)
++ ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg;
++#endif
+ if (sm->sniSocketConfig)
+ ss->sniSocketConfig = sm->sniSocketConfig;
+ if (sm->sniSocketConfigArg)
+ ss->sniSocketConfigArg = sm->sniSocketConfigArg;
+ if (sm->handleBadCert)
+ ss->handleBadCert = sm->handleBadCert;
+ if (sm->badCertArg)
+ ss->badCertArg = sm->badCertArg;
+@@ -2350,16 +2360,20 @@ ssl_NewSocket(PRBool makeLocks)
+ ss->dbHandle = CERT_GetDefaultCertDB();
+
+ /* Provide default implementation of hooks */
+ ss->authCertificate = SSL_AuthCertificate;
+ ss->authCertificateArg = (void *)ss->dbHandle;
+ ss->sniSocketConfig = NULL;
+ ss->sniSocketConfigArg = NULL;
+ ss->getClientAuthData = NULL;
++#ifdef NSS_PLATFORM_CLIENT_AUTH
++ ss->getPlatformClientAuthData = NULL;
++ ss->getPlatformClientAuthDataArg = NULL;
++#endif /* NSS_PLATFORM_CLIENT_AUTH */
+ ss->handleBadCert = NULL;
+ ss->badCertArg = NULL;
+ ss->pkcs11PinArg = NULL;
+
+ ssl_ChooseOps(ss);
+ ssl2_InitSocketPolicy(ss);
+ ssl3_InitSocketPolicy(ss);
+
« no previous file with comments | « net/third_party/nss/README.chromium ('k') | net/third_party/nss/patches/dheclientauth.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698