| OLD | NEW |
|---|
| 1 diff -puN -r a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3c
on.c | 1 diff -puN a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| 2 --- a/net/third_party/nss/ssl/ssl3con.c»2012-11-09 15:34:12.258133766 -0800 | 2 --- a/nss/lib/ssl/ssl3con.c» 2013-04-27 09:20:13.658889025 -0700 |
| 3 +++ b/net/third_party/nss/ssl/ssl3con.c»2012-11-09 15:35:08.488958561 -0800 | 3 +++ b/nss/lib/ssl/ssl3con.c» 2013-04-27 09:20:50.169405985 -0700 |
| 4 @@ -2033,6 +2033,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID | 4 @@ -2155,6 +2155,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID |
| 5 PRBool isPresent = PR_TRUE; | 5 PRBool isPresent = PR_TRUE; |
| 6 | 6 |
| 7 /* we only care if we are doing client auth */ | 7 /* we only care if we are doing client auth */ |
| 8 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 8 + /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
| 9 + * used, u.ssl3.clAuthValid will be false and this function will always | 9 + * used, u.ssl3.clAuthValid will be false and this function will always |
| 10 + * return PR_TRUE. */ | 10 + * return PR_TRUE. */ |
| 11 if (!sid || !sid->u.ssl3.clAuthValid) { | 11 if (!sid || !sid->u.ssl3.clAuthValid) { |
| 12 return PR_TRUE; | 12 return PR_TRUE; |
| 13 } | 13 } |
| 14 @@ -5226,24 +5229,33 @@ ssl3_SendCertificateVerify(sslSocket *ss | 14 @@ -5348,24 +5351,35 @@ ssl3_SendCertificateVerify(sslSocket *ss |
| 15 } | 15 } |
| 16 | 16 |
| 17 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 17 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 18 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 18 - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
| 19 - if (rv == SECSuccess) { | 19 - if (rv == SECSuccess) { |
| 20 - PK11SlotInfo * slot; | 20 - PK11SlotInfo * slot; |
| 21 - sslSessionID * sid = ss->sec.ci.sid; | 21 - sslSessionID * sid = ss->sec.ci.sid; |
| 22 + if (ss->ssl3.platformClientKey) { | 22 + if (ss->ssl3.platformClientKey) { |
| 23 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 23 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 24 +» rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, | 24 +» rv = ssl3_PlatformSignHashes( |
| 25 +» » » » &buf, isTLS); | 25 +» &hashes, ss->ssl3.platformClientKey, &buf, isTLS, |
| 26 +» CERT_GetCertKeyType( |
| 27 +» » &ss->ssl3.clientCertificate->subjectPublicKeyInfo)); |
| 26 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 28 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 27 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 29 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 28 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 30 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 29 + } else { | 31 + } else { |
| 30 + rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 32 + rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
| 31 + if (rv == SECSuccess) { | 33 + if (rv == SECSuccess) { |
| 32 + PK11SlotInfo * slot; | 34 + PK11SlotInfo * slot; |
| 33 + sslSessionID * sid = ss->sec.ci.sid; | 35 + sslSessionID * sid = ss->sec.ci.sid; |
| 34 | 36 |
| 35 - /* Remember the info about the slot that did the signing. | 37 - /* Remember the info about the slot that did the signing. |
| (...skipping 18 matching lines...) Expand all Loading... |
| 54 + PK11_FreeSlot(slot); | 56 + PK11_FreeSlot(slot); |
| 55 + } | 57 + } |
| 56 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 58 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 57 + ss->ssl3.clientPrivateKey = NULL; | 59 + ss->ssl3.clientPrivateKey = NULL; |
| 58 } | 60 } |
| 59 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 61 - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 60 - ss->ssl3.clientPrivateKey = NULL; | 62 - ss->ssl3.clientPrivateKey = NULL; |
| 61 if (rv != SECSuccess) { | 63 if (rv != SECSuccess) { |
| 62 goto done; /* err code was set by ssl3_SignHashes */ | 64 goto done; /* err code was set by ssl3_SignHashes */ |
| 63 } | 65 } |
| 64 @@ -5311,6 +5323,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 66 @@ -5433,6 +5447,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
| 65 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 67 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 66 ss->ssl3.clientPrivateKey = NULL; | 68 ss->ssl3.clientPrivateKey = NULL; |
| 67 } | 69 } |
| 68 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 70 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 69 + if (ss->ssl3.platformClientKey) { | 71 + if (ss->ssl3.platformClientKey) { |
| 70 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 72 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 71 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 73 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 72 + } | 74 + } |
| 73 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 75 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 74 | 76 |
| 75 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 77 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 76 if (temp < 0) { | 78 if (temp < 0) { |
| 77 @@ -5901,6 +5919,10 @@ ssl3_HandleCertificateRequest(sslSocket | 79 @@ -6022,6 +6042,10 @@ ssl3_HandleCertificateRequest(sslSocket |
| 78 SSL3AlertDescription desc = illegal_parameter; | 80 SSL3AlertDescription desc = illegal_parameter; |
| 79 SECItem cert_types = {siBuffer, NULL, 0}; | 81 SECItem cert_types = {siBuffer, NULL, 0}; |
| 80 CERTDistNames ca_list; | 82 CERTDistNames ca_list; |
| 81 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 83 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 82 + CERTCertList * platform_cert_list = NULL; | 84 + CERTCertList * platform_cert_list = NULL; |
| 83 + CERTCertListNode * certNode = NULL; | 85 + CERTCertListNode * certNode = NULL; |
| 84 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 86 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 85 | 87 |
| 86 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", | 88 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", |
| 87 SSL_GETPID(), ss->fd)); | 89 SSL_GETPID(), ss->fd)); |
| 88 @@ -5917,6 +5939,7 @@ ssl3_HandleCertificateRequest(sslSocket | 90 @@ -6038,6 +6062,7 @@ ssl3_HandleCertificateRequest(sslSocket |
| 89 PORT_Assert(ss->ssl3.clientCertChain == NULL); | 91 PORT_Assert(ss->ssl3.clientCertChain == NULL); |
| 90 PORT_Assert(ss->ssl3.clientCertificate == NULL); | 92 PORT_Assert(ss->ssl3.clientCertificate == NULL); |
| 91 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); | 93 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
| 92 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); | 94 + PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); |
| 93 | 95 |
| 94 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 96 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 95 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); | 97 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); |
| 96 @@ -5983,6 +6006,18 @@ ssl3_HandleCertificateRequest(sslSocket | 98 @@ -6104,6 +6129,18 @@ ssl3_HandleCertificateRequest(sslSocket |
| 97 desc = no_certificate; | 99 desc = no_certificate; |
| 98 ss->ssl3.hs.ws = wait_hello_done; | 100 ss->ssl3.hs.ws = wait_hello_done; |
| 99 | 101 |
| 100 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 102 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 101 + if (ss->getPlatformClientAuthData != NULL) { | 103 + if (ss->getPlatformClientAuthData != NULL) { |
| 102 + /* XXX Should pass cert_types in this call!! */ | 104 + /* XXX Should pass cert_types in this call!! */ |
| 103 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 105 + rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
| 104 + ss->getPlatformClientAuthDataArg, | 106 + ss->getPlatformClientAuthDataArg, |
| 105 + ss->fd, &ca_list, | 107 + ss->fd, &ca_list, |
| 106 + &platform_cert_list, | 108 + &platform_cert_list, |
| 107 + (void**)&ss->ssl3.platformClientKey, | 109 + (void**)&ss->ssl3.platformClientKey, |
| 108 + &ss->ssl3.clientCertificate, | 110 + &ss->ssl3.clientCertificate, |
| 109 + &ss->ssl3.clientPrivateKey); | 111 + &ss->ssl3.clientPrivateKey); |
| 110 + } else | 112 + } else |
| 111 +#endif | 113 +#endif |
| 112 if (ss->getClientAuthData == NULL) { | 114 if (ss->getClientAuthData != NULL) { |
| 115 » /* XXX Should pass cert_types in this call!! */ |
| 116 » rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, |
| 117 @@ -6113,12 +6150,52 @@ ssl3_HandleCertificateRequest(sslSocket |
| 118 } else { |
| 113 rv = SECFailure; /* force it to send a no_certificate alert */ | 119 rv = SECFailure; /* force it to send a no_certificate alert */ |
| 114 } else { | |
| 115 @@ -5992,12 +6029,52 @@ ssl3_HandleCertificateRequest(sslSocket | |
| 116 &ss->ssl3.clientCertificate, | |
| 117 &ss->ssl3.clientPrivateKey); | |
| 118 } | 120 } |
| 119 + | 121 + |
| 120 switch (rv) { | 122 switch (rv) { |
| 121 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ | 123 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ |
| 122 ssl3_SetAlwaysBlock(ss); | 124 ssl3_SetAlwaysBlock(ss); |
| 123 break; /* not an error */ | 125 break; /* not an error */ |
| 124 | 126 |
| 125 case SECSuccess: | 127 case SECSuccess: |
| 126 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 128 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 127 + if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) || | 129 + if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) || |
| (...skipping 30 matching lines...) Expand all Loading... |
| 158 + ss->ssl3.platformClientKey = (PlatformKey)NULL; | 160 + ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 159 + } | 161 + } |
| 160 + goto send_no_certificate; | 162 + goto send_no_certificate; |
| 161 + } | 163 + } |
| 162 + break; /* not an error */ | 164 + break; /* not an error */ |
| 163 + } | 165 + } |
| 164 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 166 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 165 /* check what the callback function returned */ | 167 /* check what the callback function returned */ |
| 166 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 168 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
| 167 /* we are missing either the key or cert */ | 169 /* we are missing either the key or cert */ |
| 168 @@ -6060,6 +6137,10 @@ loser: | 170 @@ -6181,6 +6258,10 @@ loser: |
| 169 done: | 171 done: |
| 170 if (arena != NULL) | 172 if (arena != NULL) |
| 171 PORT_FreeArena(arena, PR_FALSE); | 173 PORT_FreeArena(arena, PR_FALSE); |
| 172 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 174 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 173 + if (platform_cert_list) | 175 + if (platform_cert_list) |
| 174 + CERT_DestroyCertList(platform_cert_list); | 176 + CERT_DestroyCertList(platform_cert_list); |
| 175 +#endif | 177 +#endif |
| 176 return rv; | 178 return rv; |
| 177 } | 179 } |
| 178 | 180 |
| 179 @@ -6134,7 +6215,8 @@ ssl3_SendClientSecondRound(sslSocket *ss | 181 @@ -6262,7 +6343,8 @@ ssl3_SendClientSecondRound(sslSocket *ss |
| 180 | 182 |
| 181 sendClientCert = !ss->ssl3.sendEmptyCert && | 183 sendClientCert = !ss->ssl3.sendEmptyCert && |
| 182 ss->ssl3.clientCertChain != NULL && | 184 ss->ssl3.clientCertChain != NULL && |
| 183 - ss->ssl3.clientPrivateKey != NULL; | 185 - ss->ssl3.clientPrivateKey != NULL; |
| 184 + (ss->ssl3.platformClientKey || | 186 + (ss->ssl3.platformClientKey || |
| 185 + ss->ssl3.clientPrivateKey != NULL); | 187 + ss->ssl3.clientPrivateKey != NULL); |
| 186 | 188 |
| 187 /* We must wait for the server's certificate to be authenticated before | 189 /* We must wait for the server's certificate to be authenticated before |
| 188 * sending the client certificate in order to disclosing the client | 190 * sending the client certificate in order to disclosing the client |
| 189 @@ -10446,6 +10528,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 191 @@ -10815,6 +10897,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| 190 | 192 |
| 191 if (ss->ssl3.clientPrivateKey != NULL) | 193 if (ss->ssl3.clientPrivateKey != NULL) |
| 192 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 194 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 193 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 195 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 194 + if (ss->ssl3.platformClientKey) | 196 + if (ss->ssl3.platformClientKey) |
| 195 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 197 + ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 196 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 198 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 197 | 199 |
| 198 if (ss->ssl3.peerCertArena != NULL) | 200 if (ss->ssl3.peerCertArena != NULL) |
| 199 ssl3_CleanupPeerCerts(ss); | 201 ssl3_CleanupPeerCerts(ss); |
| 200 diff -puN -r a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3e
xt.c | 202 diff -puN a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
| 201 --- a/net/third_party/nss/ssl/ssl3ext.c»2012-11-09 15:34:12.258133766 -0800 | 203 --- a/nss/lib/ssl/ssl3ext.c» 2013-04-27 09:17:17.216390477 -0700 |
| 202 +++ b/net/third_party/nss/ssl/ssl3ext.c»2012-11-09 15:35:08.488958561 -0800 | 204 +++ b/nss/lib/ssl/ssl3ext.c» 2013-04-27 09:20:50.169405985 -0700 |
| 203 @@ -11,8 +11,8 @@ | 205 @@ -11,8 +11,8 @@ |
| 204 #include "nssrenam.h" | 206 #include "nssrenam.h" |
| 205 #include "nss.h" | 207 #include "nss.h" |
| 206 #include "ssl.h" | 208 #include "ssl.h" |
| 207 -#include "sslproto.h" | 209 -#include "sslproto.h" |
| 208 #include "sslimpl.h" | 210 #include "sslimpl.h" |
| 209 +#include "sslproto.h" | 211 +#include "sslproto.h" |
| 210 #include "pk11pub.h" | 212 #include "pk11pub.h" |
| 211 #ifdef NO_PKCS11_BYPASS | 213 #ifdef NO_PKCS11_BYPASS |
| 212 #include "blapit.h" | 214 #include "blapit.h" |
| 213 diff -puN -r a/net/third_party/nss/ssl/sslauth.c b/net/third_party/nss/ssl/sslau
th.c | 215 diff -puN a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c |
| 214 --- a/net/third_party/nss/ssl/sslauth.c»2012-11-09 15:27:15.952019947 -0800 | 216 --- a/nss/lib/ssl/sslauth.c» 2013-04-27 09:20:36.319209880 -0700 |
| 215 +++ b/net/third_party/nss/ssl/sslauth.c»2012-11-09 15:35:08.488958561 -0800 | 217 +++ b/nss/lib/ssl/sslauth.c» 2013-04-27 09:20:50.359408673 -0700 |
| 216 @@ -219,6 +219,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, | 218 @@ -220,6 +220,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
| 217 return SECSuccess; | 219 return SECSuccess; |
| 218 } | 220 } |
| 219 | 221 |
| 220 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 222 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 221 +/* NEED LOCKS IN HERE. */ | 223 +/* NEED LOCKS IN HERE. */ |
| 222 +SECStatus | 224 +SECStatus |
| 223 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, | 225 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
| 224 + SSLGetPlatformClientAuthData func, | 226 + SSLGetPlatformClientAuthData func, |
| 225 + void *arg) | 227 + void *arg) |
| 226 +{ | 228 +{ |
| 227 + sslSocket *ss; | 229 + sslSocket *ss; |
| 228 + | 230 + |
| 229 + ss = ssl_FindSocket(s); | 231 + ss = ssl_FindSocket(s); |
| 230 + if (!ss) { | 232 + if (!ss) { |
| 231 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", | 233 + SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", |
| 232 + SSL_GETPID(), s)); | 234 + SSL_GETPID(), s)); |
| 233 + return SECFailure; | 235 + return SECFailure; |
| 234 + } | 236 + } |
| 235 + | 237 + |
| 236 + ss->getPlatformClientAuthData = func; | 238 + ss->getPlatformClientAuthData = func; |
| 237 + ss->getPlatformClientAuthDataArg = arg; | 239 + ss->getPlatformClientAuthDataArg = arg; |
| 238 + return SECSuccess; | 240 + return SECSuccess; |
| 239 +} | 241 +} |
| 240 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 242 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 241 + | 243 + |
| 242 /* NEED LOCKS IN HERE. */ | 244 /* NEED LOCKS IN HERE. */ |
| 243 SECStatus | 245 SECStatus |
| 244 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | 246 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
| 245 diff -puN -r a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h | 247 diff -puN a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
| 246 --- a/net/third_party/nss/ssl/ssl.h» 2012-11-09 15:34:12.258133766 -0800 | 248 --- a/nss/lib/ssl/ssl.h»2013-04-27 09:20:36.319209880 -0700 |
| 247 +++ b/net/third_party/nss/ssl/ssl.h» 2012-11-09 15:35:08.488958561 -0800 | 249 +++ b/nss/lib/ssl/ssl.h»2013-04-27 09:20:50.409409383 -0700 |
| 248 @@ -483,6 +483,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl | 250 @@ -505,6 +505,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl |
| 249 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, | 251 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, |
| 250 SSLGetClientAuthData f, void *a); | 252 SSLGetClientAuthData f, void *a); |
| 251 | 253 |
| 252 +/* | 254 +/* |
| 253 + * Prototype for SSL callback to get client auth data from the application, | 255 + * Prototype for SSL callback to get client auth data from the application, |
| 254 + * optionally using the underlying platform's cryptographic primitives. | 256 + * optionally using the underlying platform's cryptographic primitives. |
| 255 + * To use the platform cryptographic primitives, caNames and pRetCerts | 257 + * To use the platform cryptographic primitives, caNames and pRetCerts |
| 256 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. | 258 + * should be set. To use NSS, pRetNSSCert and pRetNSSKey should be set. |
| 257 + * Returning SECFailure will cause the socket to send no client certificate. | 259 + * Returning SECFailure will cause the socket to send no client certificate. |
| 258 + * arg - application passed argument | 260 + * arg - application passed argument |
| (...skipping 28 matching lines...) Expand all Loading... |
| 287 + * fd - the file descriptor for the connection in question | 289 + * fd - the file descriptor for the connection in question |
| 288 + * f - the application's callback that delivers the key and cert | 290 + * f - the application's callback that delivers the key and cert |
| 289 + * a - application specific data | 291 + * a - application specific data |
| 290 + */ | 292 + */ |
| 291 +SSL_IMPORT SECStatus | 293 +SSL_IMPORT SECStatus |
| 292 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, | 294 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd, |
| 293 + SSLGetPlatformClientAuthData f, void *a); | 295 + SSLGetPlatformClientAuthData f, void *a); |
| 294 | 296 |
| 295 /* | 297 /* |
| 296 ** SNI extension processing callback function. | 298 ** SNI extension processing callback function. |
| 297 diff -puN -r a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslim
pl.h | 299 diff -puN a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
| 298 --- a/net/third_party/nss/ssl/sslimpl.h»2012-11-09 15:34:12.258133766 -0800 | 300 --- a/nss/lib/ssl/sslimpl.h» 2013-04-27 09:20:13.658889025 -0700 |
| 299 +++ b/net/third_party/nss/ssl/sslimpl.h»2012-11-09 15:36:42.600338478 -0800 | 301 +++ b/nss/lib/ssl/sslimpl.h» 2013-04-27 09:20:50.409409383 -0700 |
| 300 @@ -32,6 +32,15 @@ | 302 @@ -21,6 +21,7 @@ |
| 303 #include "sslerr.h" |
| 304 #include "ssl3prot.h" |
| 305 #include "hasht.h" |
| 306 +#include "keythi.h" |
| 307 #include "nssilock.h" |
| 308 #include "pkcs11t.h" |
| 309 #if defined(XP_UNIX) || defined(XP_BEOS) |
| 310 @@ -32,6 +33,15 @@ |
| 301 | 311 |
| 302 #include "sslt.h" /* for some formerly private types, now public */ | 312 #include "sslt.h" /* for some formerly private types, now public */ |
| 303 | 313 |
| 304 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 314 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 305 +#if defined(XP_WIN32) | 315 +#if defined(XP_WIN32) |
| 306 +#include <windows.h> | 316 +#include <windows.h> |
| 307 +#include <wincrypt.h> | 317 +#include <wincrypt.h> |
| 308 +#elif defined(XP_MACOSX) | 318 +#elif defined(XP_MACOSX) |
| 309 +#include <Security/Security.h> | 319 +#include <Security/Security.h> |
| 310 +#endif | 320 +#endif |
| 311 +#endif | 321 +#endif |
| 312 + | 322 + |
| 313 /* to make some of these old enums public without namespace pollution, | 323 /* to make some of these old enums public without namespace pollution, |
| 314 ** it was necessary to prepend ssl_ to the names. | 324 ** it was necessary to prepend ssl_ to the names. |
| 315 ** These #defines preserve compatibility with the old code here in libssl. | 325 ** These #defines preserve compatibility with the old code here in libssl. |
| 316 @@ -446,6 +455,14 @@ typedef SECStatus (*SSLCompressor)(void | 326 @@ -444,6 +454,14 @@ typedef SECStatus (*SSLCompressor)(void |
| 317 int inlen); | 327 int inlen); |
| 318 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); | 328 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); |
| 319 | 329 |
| 320 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) | 330 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
| 321 +typedef PCERT_KEY_CONTEXT PlatformKey; | 331 +typedef PCERT_KEY_CONTEXT PlatformKey; |
| 322 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) | 332 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
| 323 +typedef SecKeyRef PlatformKey; | 333 +typedef SecKeyRef PlatformKey; |
| 324 +#else | 334 +#else |
| 325 +typedef void *PlatformKey; | 335 +typedef void *PlatformKey; |
| 326 +#endif | 336 +#endif |
| 327 + | 337 + |
| 328 | 338 |
| 329 | 339 |
| 330 /* | 340 /* |
| 331 @@ -870,6 +887,10 @@ struct ssl3StateStr { | 341 @@ -862,6 +880,10 @@ struct ssl3StateStr { |
| 332 | 342 |
| 333 CERTCertificate * clientCertificate; /* used by client */ | 343 CERTCertificate * clientCertificate; /* used by client */ |
| 334 SECKEYPrivateKey * clientPrivateKey; /* used by client */ | 344 SECKEYPrivateKey * clientPrivateKey; /* used by client */ |
| 335 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not | 345 + /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not |
| 336 + * defined in order to allow cleaner conditional code. | 346 + * defined in order to allow cleaner conditional code. |
| 337 + * At most one of clientPrivateKey and platformClientKey may be set. */ | 347 + * At most one of clientPrivateKey and platformClientKey may be set. */ |
| 338 + PlatformKey platformClientKey; /* used by client */ | 348 + PlatformKey platformClientKey; /* used by client */ |
| 339 CERTCertificateList *clientCertChain; /* used by client */ | 349 CERTCertificateList *clientCertChain; /* used by client */ |
| 340 PRBool sendEmptyCert; /* used by client */ | 350 PRBool sendEmptyCert; /* used by client */ |
| 341 | 351 |
| 342 @@ -1127,6 +1148,10 @@ const unsigned char * preferredCipher; | 352 @@ -1119,6 +1141,10 @@ const unsigned char * preferredCipher; |
| 343 void *authCertificateArg; | 353 void *authCertificateArg; |
| 344 SSLGetClientAuthData getClientAuthData; | 354 SSLGetClientAuthData getClientAuthData; |
| 345 void *getClientAuthDataArg; | 355 void *getClientAuthDataArg; |
| 346 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 356 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 347 + SSLGetPlatformClientAuthData getPlatformClientAuthData; | 357 + SSLGetPlatformClientAuthData getPlatformClientAuthData; |
| 348 + void *getPlatformClientAuthDataArg; | 358 + void *getPlatformClientAuthDataArg; |
| 349 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 359 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 350 SSLSNISocketConfig sniSocketConfig; | 360 SSLSNISocketConfig sniSocketConfig; |
| 351 void *sniSocketConfigArg; | 361 void *sniSocketConfigArg; |
| 352 SSLBadCertHandler handleBadCert; | 362 SSLBadCertHandler handleBadCert; |
| 353 @@ -1700,7 +1725,6 @@ extern void ssl_FreePRSocket(PRFileDesc | 363 @@ -1691,7 +1717,6 @@ extern void ssl_FreePRSocket(PRFileDesc |
| 354 * various ciphers */ | 364 * various ciphers */ |
| 355 extern int ssl3_config_match_init(sslSocket *); | 365 extern int ssl3_config_match_init(sslSocket *); |
| 356 | 366 |
| 357 - | 367 - |
| 358 /* Create a new ref counted key pair object from two keys. */ | 368 /* Create a new ref counted key pair object from two keys. */ |
| 359 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, | 369 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, |
| 360 SECKEYPublicKey * pubKey); | 370 SECKEYPublicKey * pubKey); |
| 361 @@ -1740,6 +1764,26 @@ extern SECStatus ssl_InitSessionCacheLoc | 371 @@ -1731,6 +1756,26 @@ extern SECStatus ssl_InitSessionCacheLoc |
| 362 | 372 |
| 363 extern SECStatus ssl_FreeSessionCacheLocks(void); | 373 extern SECStatus ssl_FreeSessionCacheLocks(void); |
| 364 | 374 |
| 365 +/***************** platform client auth ****************/ | 375 +/***************** platform client auth ****************/ |
| 366 + | 376 + |
| 367 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 377 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 368 +// Releases the platform key. | 378 +// Releases the platform key. |
| 369 +extern void ssl_FreePlatformKey(PlatformKey key); | 379 +extern void ssl_FreePlatformKey(PlatformKey key); |
| 370 + | 380 + |
| 371 +// Implement the client CertificateVerify message for SSL3/TLS1.0 | 381 +// Implement the client CertificateVerify message for SSL3/TLS1.0 |
| 372 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, | 382 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash, |
| 373 + PlatformKey key, SECItem *buf, | 383 + PlatformKey key, SECItem *buf, |
| 374 + PRBool isTLS); | 384 + PRBool isTLS, KeyType keyType); |
| 375 + | 385 + |
| 376 +// Converts a CERTCertList* (A collection of CERTCertificates) into a | 386 +// Converts a CERTCertList* (A collection of CERTCertificates) into a |
| 377 +// CERTCertificateList* (A collection of SECItems), or returns NULL if | 387 +// CERTCertificateList* (A collection of SECItems), or returns NULL if |
| 378 +// it cannot be converted. | 388 +// it cannot be converted. |
| 379 +// This is to allow the platform-supplied chain to be created with purely | 389 +// This is to allow the platform-supplied chain to be created with purely |
| 380 +// public API functions, using the preferred CERTCertList mutators, rather | 390 +// public API functions, using the preferred CERTCertList mutators, rather |
| 381 +// pushing this hack to clients. | 391 +// pushing this hack to clients. |
| 382 +extern CERTCertificateList* hack_NewCertificateListFromCertList( | 392 +extern CERTCertificateList* hack_NewCertificateListFromCertList( |
| 383 + CERTCertList* list); | 393 + CERTCertList* list); |
| 384 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 394 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 385 | 395 |
| 386 /**************** DTLS-specific functions **************/ | 396 /**************** DTLS-specific functions **************/ |
| 387 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); | 397 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); |
| 388 diff -puN -r a/net/third_party/nss/ssl/sslplatf.c b/net/third_party/nss/ssl/sslp
latf.c | 398 diff -puN a/nss/lib/ssl/sslplatf.c b/nss/lib/ssl/sslplatf.c |
| 389 --- a/net/third_party/nss/ssl/sslplatf.c» 1969-12-31 16:00:00.000000000 -0
800 | 399 --- a/nss/lib/ssl/sslplatf.c» 1969-12-31 16:00:00.000000000 -0800 |
| 390 +++ b/net/third_party/nss/ssl/sslplatf.c» 2012-11-09 15:35:08.498958708 -0
800 | 400 +++ b/nss/lib/ssl/sslplatf.c» 2013-04-27 09:20:50.409409383 -0700 |
| 391 @@ -0,0 +1,399 @@ | 401 @@ -0,0 +1,383 @@ |
| 392 +/* | 402 +/* |
| 393 + * Platform specific crypto wrappers | 403 + * Platform specific crypto wrappers |
| 394 + * | 404 + * |
| 395 + * ***** BEGIN LICENSE BLOCK ***** | 405 + * ***** BEGIN LICENSE BLOCK ***** |
| 396 + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 406 + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 397 + * | 407 + * |
| 398 + * The contents of this file are subject to the Mozilla Public License Version | 408 + * The contents of this file are subject to the Mozilla Public License Version |
| 399 + * 1.1 (the "License"); you may not use this file except in compliance with | 409 + * 1.1 (the "License"); you may not use this file except in compliance with |
| 400 + * the License. You may obtain a copy of the License at | 410 + * the License. You may obtain a copy of the License at |
| 401 + * http://www.mozilla.org/MPL/ | 411 + * http://www.mozilla.org/MPL/ |
| (...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 494 +{ | 504 +{ |
| 495 + if (key) { | 505 + if (key) { |
| 496 + if (key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) | 506 + if (key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) |
| 497 + CryptReleaseContext(key->hCryptProv, 0); | 507 + CryptReleaseContext(key->hCryptProv, 0); |
| 498 + /* FIXME(rsleevi): Close CNG keys. */ | 508 + /* FIXME(rsleevi): Close CNG keys. */ |
| 499 + PORT_Free(key); | 509 + PORT_Free(key); |
| 500 + } | 510 + } |
| 501 +} | 511 +} |
| 502 + | 512 + |
| 503 +SECStatus | 513 +SECStatus |
| 504 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, | 514 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, |
| 505 + PRBool isTLS) | 515 + PRBool isTLS, KeyType keyType) |
| 506 +{ | 516 +{ |
| 507 + SECStatus rv = SECFailure; | 517 + SECStatus rv = SECFailure; |
| 508 + PRBool doDerEncode = PR_FALSE; | 518 + PRBool doDerEncode = PR_FALSE; |
| 509 + SECItem hashItem; | 519 + SECItem hashItem; |
| 510 + HCRYPTKEY hKey = 0; | |
| 511 + DWORD argLen = 0; | 520 + DWORD argLen = 0; |
| 512 + ALG_ID keyAlg = 0; | |
| 513 + DWORD signatureLen = 0; | 521 + DWORD signatureLen = 0; |
| 514 + ALG_ID hashAlg = 0; | 522 + ALG_ID hashAlg = 0; |
| 515 + HCRYPTHASH hHash = 0; | 523 + HCRYPTHASH hHash = 0; |
| 516 + DWORD hashLen = 0; | 524 + DWORD hashLen = 0; |
| 517 + unsigned int i = 0; | 525 + unsigned int i = 0; |
| 518 + | 526 + |
| 519 + buf->data = NULL; | 527 + buf->data = NULL; |
| 520 + if (!CryptGetUserKey(key->hCryptProv, key->dwKeySpec, &hKey)) { | |
| 521 + if (GetLastError() == NTE_NO_KEY) { | |
| 522 + PORT_SetError(SEC_ERROR_NO_KEY); | |
| 523 + } else { | |
| 524 + PORT_SetError(SEC_ERROR_INVALID_KEY); | |
| 525 + } | |
| 526 + goto done; | |
| 527 + } | |
| 528 + | 528 + |
| 529 + argLen = sizeof(keyAlg); | 529 + switch (keyType) { |
| 530 + if (!CryptGetKeyParam(hKey, KP_ALGID, (BYTE*)&keyAlg, &argLen, 0)) { | 530 + case rsaKey: |
| 531 + PORT_SetError(SEC_ERROR_INVALID_KEY); | |
| 532 + goto done; | |
| 533 + } | |
| 534 + | |
| 535 + switch (keyAlg) { | |
| 536 + case CALG_RSA_KEYX: | |
| 537 + case CALG_RSA_SIGN: | |
| 538 + hashAlg = CALG_SSL3_SHAMD5; | 531 + hashAlg = CALG_SSL3_SHAMD5; |
| 539 + hashItem.data = hash->md5; | 532 + hashItem.data = hash->md5; |
| 540 + hashItem.len = sizeof(SSL3Hashes); | 533 + hashItem.len = sizeof(SSL3Hashes); |
| 541 + break; | 534 + break; |
| 542 + case CALG_DSS_SIGN: | 535 + case dsaKey: |
| 543 + case CALG_ECDSA: | 536 + case ecKey: |
| 544 + if (keyAlg == CALG_ECDSA) { | 537 + if (keyType == ecKey) { |
| 545 + doDerEncode = PR_TRUE; | 538 + doDerEncode = PR_TRUE; |
| 546 + } else { | 539 + } else { |
| 547 + doDerEncode = isTLS; | 540 + doDerEncode = isTLS; |
| 548 + } | 541 + } |
| 549 + hashAlg = CALG_SHA1; | 542 + hashAlg = CALG_SHA1; |
| 550 + hashItem.data = hash->sha; | 543 + hashItem.data = hash->sha; |
| 551 + hashItem.len = sizeof(hash->sha); | 544 + hashItem.len = sizeof(hash->sha); |
| 552 + break; | 545 + break; |
| 553 + default: | 546 + default: |
| 554 + PORT_SetError(SEC_ERROR_INVALID_KEY); | 547 + PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 555 + goto done; | 548 + goto done; |
| 556 + } | 549 + } |
| 557 + PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len))
; | 550 + PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len))
; |
| 558 + | 551 + |
| 559 + if (!CryptCreateHash(key->hCryptProv, hashAlg, 0, 0, &hHash)) { | 552 + if (!CryptCreateHash(key->hCryptProv, hashAlg, 0, 0, &hHash)) { |
| 560 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); | 553 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 561 + goto done; | 554 + goto done; |
| 562 + } | 555 + } |
| 563 + argLen = sizeof(hashLen); | 556 + argLen = sizeof(hashLen); |
| 564 + if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&hashLen, &argLen, 0)) { | 557 + if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&hashLen, &argLen, 0)) { |
| 565 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); | 558 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 566 + goto done; | 559 + goto done; |
| 567 + } | 560 + } |
| 568 + if (hashLen != hashItem.len) { | 561 + if (hashLen != hashItem.len) { |
| 569 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); | 562 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 570 + goto done; | 563 + goto done; |
| 571 + } | 564 + } |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 607 + PORT_Free(derSig.data); | 600 + PORT_Free(derSig.data); |
| 608 + } | 601 + } |
| 609 + } else { | 602 + } else { |
| 610 + rv = SECSuccess; | 603 + rv = SECSuccess; |
| 611 + } | 604 + } |
| 612 + | 605 + |
| 613 + PRINT_BUF(60, (NULL, "signed hashes", buf->data, buf->len)); | 606 + PRINT_BUF(60, (NULL, "signed hashes", buf->data, buf->len)); |
| 614 +done: | 607 +done: |
| 615 + if (hHash) | 608 + if (hHash) |
| 616 + CryptDestroyHash(hHash); | 609 + CryptDestroyHash(hHash); |
| 617 + if (hKey) | |
| 618 + CryptDestroyKey(hKey); | |
| 619 + if (rv != SECSuccess && buf->data) { | 610 + if (rv != SECSuccess && buf->data) { |
| 620 + PORT_Free(buf->data); | 611 + PORT_Free(buf->data); |
| 621 + buf->data = NULL; | 612 + buf->data = NULL; |
| 622 + } | 613 + } |
| 623 + return rv; | 614 + return rv; |
| 624 +} | 615 +} |
| 625 + | 616 + |
| 626 +#elif defined(XP_MACOSX) | 617 +#elif defined(XP_MACOSX) |
| 627 +#include <Security/cssm.h> | 618 +#include <Security/cssm.h> |
| 628 + | 619 + |
| 629 +void | 620 +void |
| 630 +ssl_FreePlatformKey(PlatformKey key) | 621 +ssl_FreePlatformKey(PlatformKey key) |
| 631 +{ | 622 +{ |
| 632 + CFRelease(key); | 623 + CFRelease(key); |
| 633 +} | 624 +} |
| 634 + | 625 + |
| 635 +SECStatus | 626 +SECStatus |
| 636 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, | 627 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, |
| 637 + PRBool isTLS) | 628 + PRBool isTLS, KeyType keyType) |
| 638 +{ | 629 +{ |
| 639 + SECStatus rv = SECFailure; | 630 + SECStatus rv = SECFailure; |
| 640 + PRBool doDerEncode = PR_FALSE; | 631 + PRBool doDerEncode = PR_FALSE; |
| 641 + unsigned int signatureLen; | 632 + unsigned int signatureLen; |
| 642 + OSStatus status = noErr; | 633 + OSStatus status = noErr; |
| 643 + CSSM_CSP_HANDLE cspHandle = 0; | 634 + CSSM_CSP_HANDLE cspHandle = 0; |
| 644 + const CSSM_KEY *cssmKey = NULL; | 635 + const CSSM_KEY *cssmKey = NULL; |
| 645 + CSSM_ALGORITHMS sigAlg; | 636 + CSSM_ALGORITHMS sigAlg; |
| 646 + const CSSM_ACCESS_CREDENTIALS * cssmCreds = NULL; | 637 + const CSSM_ACCESS_CREDENTIALS * cssmCreds = NULL; |
| 647 + CSSM_RETURN cssmRv; | 638 + CSSM_RETURN cssmRv; |
| (...skipping 12 matching lines...) Expand all Loading... |
| 660 + status = SecKeyGetCSSMKey(key, &cssmKey); | 651 + status = SecKeyGetCSSMKey(key, &cssmKey); |
| 661 + if (status != noErr || !cssmKey) { | 652 + if (status != noErr || !cssmKey) { |
| 662 + PORT_SetError(SEC_ERROR_NO_KEY); | 653 + PORT_SetError(SEC_ERROR_NO_KEY); |
| 663 + goto done; | 654 + goto done; |
| 664 + } | 655 + } |
| 665 + | 656 + |
| 666 + /* SecKeyGetBlockSize wasn't addeded until OS X 10.6 - but the | 657 + /* SecKeyGetBlockSize wasn't addeded until OS X 10.6 - but the |
| 667 + * needed information is readily available on the key itself. | 658 + * needed information is readily available on the key itself. |
| 668 + */ | 659 + */ |
| 669 + signatureLen = (cssmKey->KeyHeader.LogicalKeySizeInBits + 7) / 8; | 660 + signatureLen = (cssmKey->KeyHeader.LogicalKeySizeInBits + 7) / 8; |
| 670 + | 661 + |
| 671 + if (signatureLen == 0) { | 662 + if (signatureLen == 0) { |
| 672 + PORT_SetError(SEC_ERROR_INVALID_KEY); | 663 + PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 673 + goto done; | 664 + goto done; |
| 674 + } | 665 + } |
| 675 + | 666 + |
| 676 + buf->data = (unsigned char *)PORT_Alloc(signatureLen); | 667 + buf->data = (unsigned char *)PORT_Alloc(signatureLen); |
| 677 + if (!buf->data) | 668 + if (!buf->data) |
| 678 + goto done; /* error code was set. */ | 669 + goto done; /* error code was set. */ |
| 679 + | 670 + |
| 680 + sigAlg = cssmKey->KeyHeader.AlgorithmId; | 671 + sigAlg = cssmKey->KeyHeader.AlgorithmId; |
| 681 + switch (sigAlg) { | 672 + switch (keyType) { |
| 682 + case CSSM_ALGID_RSA: | 673 + case rsaKey: |
| 674 + PORT_Assert(sigAlg == CSSM_ALGID_RSA); |
| 683 + hashData.Data = hash->md5; | 675 + hashData.Data = hash->md5; |
| 684 + hashData.Length = sizeof(SSL3Hashes); | 676 + hashData.Length = sizeof(SSL3Hashes); |
| 685 + break; | 677 + break; |
| 686 + case CSSM_ALGID_ECDSA: | 678 + case dsaKey: |
| 687 + case CSSM_ALGID_DSA: | 679 + case ecKey: |
| 688 + if (sigAlg == CSSM_ALGID_ECDSA) { | 680 + if (keyType == ecKey) { |
| 681 + PORT_Assert(sigAlg == CSSM_ALGID_ECDSA); |
| 689 + doDerEncode = PR_TRUE; | 682 + doDerEncode = PR_TRUE; |
| 690 + } else { | 683 + } else { |
| 684 + PORT_Assert(sigAlg == CSSM_ALGID_DSA); |
| 691 + doDerEncode = isTLS; | 685 + doDerEncode = isTLS; |
| 692 + } | 686 + } |
| 693 + hashData.Data = hash->sha; | 687 + hashData.Data = hash->sha; |
| 694 + hashData.Length = sizeof(hash->sha); | 688 + hashData.Length = sizeof(hash->sha); |
| 695 + break; | 689 + break; |
| 696 + default: | 690 + default: |
| 697 + PORT_SetError(SEC_ERROR_INVALID_KEY); | 691 + PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 698 + goto done; | 692 + goto done; |
| 699 + } | 693 + } |
| 700 + PRINT_BUF(60, (NULL, "hash(es) to be signed", hashData.Data, hashData.Lengt
h)); | 694 + PRINT_BUF(60, (NULL, "hash(es) to be signed", hashData.Data, hashData.Lengt
h)); |
| 701 + | 695 + |
| 702 + /* TODO(rsleevi): Should it be kSecCredentialTypeNoUI? In Win32, at least, | 696 + /* TODO(rsleevi): Should it be kSecCredentialTypeNoUI? In Win32, at least, |
| 703 + * you can prevent the UI by setting the provider handle on the | 697 + * you can prevent the UI by setting the provider handle on the |
| 704 + * certificate to be opened with CRYPT_SILENT, but is there an equivalent? | 698 + * certificate to be opened with CRYPT_SILENT, but is there an equivalent? |
| 705 + */ | 699 + */ |
| 706 + status = SecKeyGetCredentials(key, CSSM_ACL_AUTHORIZATION_SIGN, | 700 + status = SecKeyGetCredentials(key, CSSM_ACL_AUTHORIZATION_SIGN, |
| 707 + kSecCredentialTypeDefault, &cssmCreds); | 701 + kSecCredentialTypeDefault, &cssmCreds); |
| 708 + if (status != noErr) { | 702 + if (status != noErr) { |
| 709 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); | 703 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 710 + goto done; | 704 + goto done; |
| 711 + } | 705 + } |
| 712 + | 706 + |
| 713 + signatureData.Length = signatureLen; | 707 + signatureData.Length = signatureLen; |
| 714 + signatureData.Data = (uint8*)buf->data; | 708 + signatureData.Data = (uint8*)buf->data; |
| 715 + | 709 + |
| 716 + cssmRv = CSSM_CSP_CreateSignatureContext(cspHandle, sigAlg, cssmCreds, | 710 + cssmRv = CSSM_CSP_CreateSignatureContext(cspHandle, sigAlg, cssmCreds, |
| 717 + cssmKey, &cssmSignature); | 711 + cssmKey, &cssmSignature); |
| 718 + if (cssmRv) { | 712 + if (cssmRv) { |
| 719 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); | 713 + PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 720 + goto done; | 714 + goto done; |
| 721 + } | 715 + } |
| 722 + | 716 + |
| 723 + /* See "Apple Cryptographic Service Provider Functional Specification" */ | 717 + /* See "Apple Cryptographic Service Provider Functional Specification" */ |
| 724 + if (cssmKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA) { | 718 + if (cssmKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA) { |
| 725 + /* To set RSA blinding for RSA keys */ | 719 + /* To set RSA blinding for RSA keys */ |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 773 + return rv; | 767 + return rv; |
| 774 +} | 768 +} |
| 775 +#else | 769 +#else |
| 776 +void | 770 +void |
| 777 +ssl_FreePlatformKey(PlatformKey key) | 771 +ssl_FreePlatformKey(PlatformKey key) |
| 778 +{ | 772 +{ |
| 779 +} | 773 +} |
| 780 + | 774 + |
| 781 +SECStatus | 775 +SECStatus |
| 782 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, | 776 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, |
| 783 + PRBool isTLS) | 777 + PRBool isTLS, KeyType keyType) |
| 784 +{ | 778 +{ |
| 785 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 779 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 786 + return SECFailure; | 780 + return SECFailure; |
| 787 +} | 781 +} |
| 788 +#endif | 782 +#endif |
| 789 + | 783 + |
| 790 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 784 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 791 diff -puN -r a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslso
ck.c | 785 diff -puN a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
| 792 --- a/net/third_party/nss/ssl/sslsock.c»2012-11-09 15:34:12.268133912 -0800 | 786 --- a/nss/lib/ssl/sslsock.c» 2013-04-27 09:19:05.777927838 -0700 |
| 793 +++ b/net/third_party/nss/ssl/sslsock.c»2012-11-09 15:35:08.498958708 -0800 | 787 +++ b/nss/lib/ssl/sslsock.c» 2013-04-27 09:20:50.419409524 -0700 |
| 794 @@ -335,6 +335,10 @@ ssl_DupSocket(sslSocket *os) | 788 @@ -337,6 +337,10 @@ ssl_DupSocket(sslSocket *os) |
| 795 ss->authCertificateArg = os->authCertificateArg; | 789 ss->authCertificateArg = os->authCertificateArg; |
| 796 ss->getClientAuthData = os->getClientAuthData; | 790 ss->getClientAuthData = os->getClientAuthData; |
| 797 ss->getClientAuthDataArg = os->getClientAuthDataArg; | 791 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
| 798 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 792 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 799 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 793 + ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
| 800 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; | 794 + ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; |
| 801 +#endif | 795 +#endif |
| 802 ss->sniSocketConfig = os->sniSocketConfig; | 796 ss->sniSocketConfig = os->sniSocketConfig; |
| 803 ss->sniSocketConfigArg = os->sniSocketConfigArg; | 797 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
| 804 ss->handleBadCert = os->handleBadCert; | 798 ss->handleBadCert = os->handleBadCert; |
| 805 @@ -1712,6 +1716,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile | 799 @@ -1725,6 +1729,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
| 806 ss->getClientAuthData = sm->getClientAuthData; | 800 ss->getClientAuthData = sm->getClientAuthData; |
| 807 if (sm->getClientAuthDataArg) | 801 if (sm->getClientAuthDataArg) |
| 808 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 802 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
| 809 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 803 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 810 + if (sm->getPlatformClientAuthData) | 804 + if (sm->getPlatformClientAuthData) |
| 811 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; | 805 + ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
| 812 + if (sm->getPlatformClientAuthDataArg) | 806 + if (sm->getPlatformClientAuthDataArg) |
| 813 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; | 807 + ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
| 814 +#endif | 808 +#endif |
| 815 if (sm->sniSocketConfig) | 809 if (sm->sniSocketConfig) |
| 816 ss->sniSocketConfig = sm->sniSocketConfig; | 810 ss->sniSocketConfig = sm->sniSocketConfig; |
| 817 if (sm->sniSocketConfigArg) | 811 if (sm->sniSocketConfigArg) |
| 818 @@ -2942,6 +2952,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto | 812 @@ -2977,6 +2987,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto |
| 819 ss->sniSocketConfig = NULL; | 813 ss->sniSocketConfig = NULL; |
| 820 ss->sniSocketConfigArg = NULL; | 814 ss->sniSocketConfigArg = NULL; |
| 821 ss->getClientAuthData = NULL; | 815 ss->getClientAuthData = NULL; |
| 822 +#ifdef NSS_PLATFORM_CLIENT_AUTH | 816 +#ifdef NSS_PLATFORM_CLIENT_AUTH |
| 823 + ss->getPlatformClientAuthData = NULL; | 817 + ss->getPlatformClientAuthData = NULL; |
| 824 + ss->getPlatformClientAuthDataArg = NULL; | 818 + ss->getPlatformClientAuthDataArg = NULL; |
| 825 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ | 819 +#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 826 ss->handleBadCert = NULL; | 820 ss->handleBadCert = NULL; |
| 827 ss->badCertArg = NULL; | 821 ss->badCertArg = NULL; |
| 828 ss->pkcs11PinArg = NULL; | 822 ss->pkcs11PinArg = NULL; |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 14522022:
Update NSS libSSL to NSS_3_15_BETA2. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/