diff options
| author | ian.mcgreer%sun.com <devnull@localhost> | 2003-01-30 21:31:11 +0000 |
|---|---|---|
| committer | ian.mcgreer%sun.com <devnull@localhost> | 2003-01-30 21:31:11 +0000 |
| commit | 0e94aead0f6d3fbfb7b211323942ac26a77483c5 (patch) | |
| tree | e63cc0afb5fe97e84676cf071070b1e9a9ce55c2 | |
| parent | c3f2ca3cb26747ed16b203f517b0a30367f8e0f5 (diff) | |
| download | nss-hg-0e94aead0f6d3fbfb7b211323942ac26a77483c5.tar.gz | |
get client-side working
| -rw-r--r-- | security/nss/cmd/cmdlib/cmdio.c | 19 | ||||
| -rw-r--r-- | security/nss/cmd/cmdlib/cmdutil.h | 2 | ||||
| -rw-r--r-- | security/nss/cmd/pkiutil/pkiobject.c | 9 | ||||
| -rw-r--r-- | security/nss/cmd/tstclnt/manifest.mn | 4 | ||||
| -rw-r--r-- | security/nss/cmd/tstclnt/tstclnt.c | 160 | ||||
| -rw-r--r-- | security/nss/lib/dev/devmodule.c | 2 | ||||
| -rw-r--r-- | security/nss/lib/dev/devslot.c | 4 | ||||
| -rw-r--r-- | security/nss/lib/pk11wrap/debug_module.c | 3 | ||||
| -rw-r--r-- | security/nss/lib/pki/volatiledomain.c | 8 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssl.def | 2 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssl.h | 7 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssl3con.c | 2 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslauth.c | 1 | ||||
| -rw-r--r-- | security/nss/tests/stan/stan.sh | 119 |
14 files changed, 221 insertions, 121 deletions
diff --git a/security/nss/cmd/cmdlib/cmdio.c b/security/nss/cmd/cmdlib/cmdio.c index 88e1ac5d0..44ec7c5d5 100644 --- a/security/nss/cmd/cmdlib/cmdio.c +++ b/security/nss/cmd/cmdlib/cmdio.c @@ -442,3 +442,22 @@ CMD_SetRSAPE(NSSItem *peIt, PRUint32 pe) return PR_SUCCESS; } +/* XXX move this */ +char * +CMD_DefaultSSLDir(void) +{ + char *dir; + static char sslDir[1000]; + + dir = PR_GetEnv("SSL_DIR"); + if (!dir) + return NULL; + + sprintf(sslDir, "%s", dir); + + if (sslDir[strlen(sslDir)-1] == '/') + sslDir[strlen(sslDir)-1] = 0; + + return sslDir; +} + diff --git a/security/nss/cmd/cmdlib/cmdutil.h b/security/nss/cmd/cmdlib/cmdutil.h index a47b121e2..09a88d290 100644 --- a/security/nss/cmd/cmdlib/cmdutil.h +++ b/security/nss/cmd/cmdlib/cmdutil.h @@ -225,4 +225,6 @@ CMD_PrintError(char *message, ...); PRStatus CMD_SetRSAPE(NSSItem *peIt, PRUint32 pe); +char * CMD_DefaultSSLDir(void); + #endif /* _CMDUTIL_H_ */ diff --git a/security/nss/cmd/pkiutil/pkiobject.c b/security/nss/cmd/pkiutil/pkiobject.c index fdd850b80..b9e8f3016 100644 --- a/security/nss/cmd/pkiutil/pkiobject.c +++ b/security/nss/cmd/pkiutil/pkiobject.c @@ -645,8 +645,7 @@ import_certificate /* get the encoded cert from the input source */ encoding = CMD_GetInput(rtData); /* import into trust domain */ - cert = NSSTrustDomain_ImportEncodedCert(td, encoding, - token, nickname); + cert = NSSTrustDomain_ImportEncodedCert(td, encoding, nickname, token); if (cert) { PR_fprintf(PR_STDOUT, "Import successful.\n"); dump_cert_info(td, cert, rtData); @@ -865,6 +864,12 @@ vkeys = NULL; if (vkeys) { vkey = private_key_chooser(vkeys); } else { + /* XXX I shouldn't have to do this, but softoken can't find public + * keys w/o the private key, which needs login... no other way + * to identify user certs + */ + status = NSSTrustDomain_Login(td, NULL); + if (status == PR_FAILURE) return PR_FAILURE; ucerts = NSSTrustDomain_FindUserCerts(td, NULL, 0, NULL); if (ucerts) { ucert = cert_chooser(ucerts); diff --git a/security/nss/cmd/tstclnt/manifest.mn b/security/nss/cmd/tstclnt/manifest.mn index 00378736a..a38cac8c0 100644 --- a/security/nss/cmd/tstclnt/manifest.mn +++ b/security/nss/cmd/tstclnt/manifest.mn @@ -34,13 +34,13 @@ CORE_DEPTH = ../../.. # MODULE public and private header directories are implicitly REQUIRED. -MODULE = security +MODULE = nss # This next line is used by .mk files # and gets translated into $LINCS in manifest.mnw # The MODULE is always implicitly required. # Listing it here in REQUIRES makes it appear twice in the cc command line. -REQUIRES = seccmd dbm +REQUIRES = seccmd # DIRS = diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index 1dc174f5e..af9c283ab 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -37,8 +37,6 @@ ** */ -#include "secutil.h" - #if defined(XP_UNIX) #include <unistd.h> #else @@ -55,11 +53,16 @@ #include "nspr.h" #include "prio.h" #include "prnetdb.h" +#include "plgetopt.h" + #include "nss.h" +#include "nsspki.h" +#include "nsspkix.h" + #include "ssl.h" #include "sslproto.h" -#include "pk11func.h" -#include "plgetopt.h" + +#include "cmdutil.h" #define PRINTF if (verbose) printf #define FPRINTF if (verbose) fprintf @@ -67,6 +70,8 @@ #define MAX_WAIT_FOR_SERVER 600 #define WAIT_INTERVAL 100 +char *password = NULL; + int ssl2CipherSuites[] = { SSL_EN_RC4_128_WITH_MD5, /* A */ SSL_EN_RC4_128_EXPORT40_WITH_MD5, /* B */ @@ -112,28 +117,23 @@ PRBool verbose; static char *progName; -/* This exists only for the automated test suite. It allows us to - * pass in a password on the command line. +/* XXX here to allow testing of other parts of SSL... cannot verify + * hostname until Stan can decode Names into strings */ - -char *password = NULL; - -char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) +SECStatus +myAuthCertificate(void *arg, PRFileDesc *socket, + PRBool checksig, PRBool isServer) { - char *passwd = NULL; - if ( (!retry) && arg ) { - passwd = PL_strdup((char *)arg); - } - return passwd; + /* XXX yipes! */ return SECSuccess; } void printSecurityInfo(PRFileDesc *fd) { - CERTCertificate * cert; + NSSCert * cert; SSL3Statistics * ssl3stats = SSL_GetStatistics(); - SECStatus result; SSLChannelInfo channel; SSLCipherSuiteInfo suite; + SECStatus result; result = SSL_GetChannelInfo(fd, &channel, sizeof channel); if (result == SECSuccess && @@ -155,17 +155,19 @@ void printSecurityInfo(PRFileDesc *fd) } cert = SSL_RevealCert(fd); if (cert) { - char * ip = CERT_NameToAscii(&cert->issuer); - char * sp = CERT_NameToAscii(&cert->subject); + NSSUTF8 * ip; + NSSUTF8 * sp; + (void)NSSCert_GetIssuerNames(cert, &ip, 1, NULL); + (void)NSSCert_GetNames(cert, &sp, 1, NULL); if (sp) { - fprintf(stderr, "subject DN: %s\n", sp); - PR_Free(sp); + FPRINTF(stderr, "selfserv: subject DN: %s\n", sp); + NSSUTF8_Destroy(sp); } if (ip) { - fprintf(stderr, "issuer DN: %s\n", ip); - PR_Free(ip); + FPRINTF(stderr, "selfserv: issuer DN: %s\n", ip); + NSSUTF8_Destroy(ip); } - CERT_DestroyCertificate(cert); + NSSCert_Destroy(cert); cert = NULL; } fprintf(stderr, @@ -256,9 +258,8 @@ disableAllSSLCiphers(void) PRUint16 suite = cipherSuites[i]; rv = SSL_CipherPrefSetDefault(suite, PR_FALSE); if (rv != SECSuccess) { - PRErrorCode err = PR_GetError(); - printf("SSL_CipherPrefSet didn't like value 0x%04x (i = %d): %s\n", - suite, i, SECU_Strerror(err)); + CMD_PrintError( + "SSL_CipherPrefSet didn't like value 0x%04x (i = %d)", suite, i); exit(2); } } @@ -273,7 +274,7 @@ ownBadCertHandler(void * arg, PRFileDesc * socket) { PRErrorCode err = PR_GetError(); /* can log invalid cert here */ - printf("Bad server certificate: %d, %s\n", err, SECU_Strerror(err)); + CMD_PrintError("Bad server certificate"); return SECSuccess; /* override, say it's OK. */ } @@ -281,7 +282,6 @@ int main(int argc, char **argv) { PRFileDesc * s; PRFileDesc * std_out; - CERTCertDBHandle * handle; char * host = NULL; char * port = "443"; char * certDir = NULL; @@ -310,6 +310,8 @@ int main(int argc, char **argv) PLOptState *optstate; PLOptStatus optstatus; PRStatus prStatus; + NSSCallback *pwcb; + NSSTrustDomain *td = NULL; progName = strrchr(argv[0], '/'); if (!progName) @@ -339,7 +341,6 @@ int main(int argc, char **argv) case 'd': certDir = strdup(optstate->value); - certDir = SECU_ConfigDirectory(certDir); break; case 'm': @@ -359,7 +360,7 @@ int main(int argc, char **argv) case 'v': verbose++; break; case 'w': - password = PORT_Strdup(optstate->value); + password = strdup(optstate->value); useCommandLinePassword = PR_TRUE; break; @@ -372,31 +373,34 @@ int main(int argc, char **argv) if (!host || !port) Usage(progName); if (!certDir) { - certDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */ - certDir = SECU_ConfigDirectory(certDir); /* call even if it's NULL */ + certDir = CMD_DefaultSSLDir(); /* Look in $SSL_DIR */ } PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); - /* set our password function */ - if ( useCommandLinePassword ) { - PK11_SetPasswordFunc(ownPasswd); - } else { - PK11_SetPasswordFunc(SECU_GetModulePassword); - } - - /* open the cert DB, the key DB, and the secmod DB. */ - rv = NSS_Init(certDir); - if (rv != SECSuccess) { - SECU_PrintError(progName, "unable to open cert database"); -#if 0 - rv = CERT_OpenVolatileCertDB(handle); - CERT_SetDefaultCertDB(handle); -#else + /* initialize NSS */ + status = NSS_Init(certDir); + if (status == PR_FAILURE) { + CMD_PrintError("Failed to initialize NSS"); return 1; -#endif } - handle = CERT_GetDefaultCertDB(); + + /* XXX */ + status = NSS_EnablePKIXCertificates(); + if (status == PR_FAILURE) { + CMD_PrintError("Failed to load PKIX module"); + /* goto shutdown; */ + exit(4); + } + td = NSS_GetDefaultTrustDomain(); + pwcb = CMD_GetDefaultPasswordCallback(NULL, NULL); + if (!pwcb) { + exit(4); + } + status = NSSTrustDomain_SetDefaultCallback(td, pwcb, NULL); + if (status != PR_SUCCESS) { + exit(4); + } /* set the policy bits true for all the cipher suites. */ if (useExportPolicy) @@ -413,11 +417,11 @@ int main(int argc, char **argv) /* Lookup host */ status = PR_GetHostByName(host, buf, sizeof(buf), &hp); if (status != PR_SUCCESS) { - SECU_PrintError(progName, "error looking up host"); + CMD_PrintError("error looking up host"); return 1; } if (PR_EnumerateHostEnt(0, &hp, atoi(port), &addr) == -1) { - SECU_PrintError(progName, "error looking up host address"); + CMD_PrintError("error looking up host address"); return 1; } @@ -435,15 +439,14 @@ int main(int argc, char **argv) do { s = PR_NewTCPSocket(); if (s == NULL) { - SECU_PrintError(progName, "Failed to create a TCP socket"); + CMD_PrintError("Failed to create a TCP socket"); } opt.option = PR_SockOpt_Nonblocking; opt.value.non_blocking = PR_FALSE; prStatus = PR_SetSocketOption(s, &opt); if (prStatus != PR_SUCCESS) { PR_Close(s); - SECU_PrintError(progName, - "Failed to set blocking socket option"); + CMD_PrintError("Failed to set blocking socket option"); return 1; } prStatus = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT); @@ -457,13 +460,13 @@ int main(int argc, char **argv) err = PR_GetError(); if ((err != PR_CONNECT_REFUSED_ERROR) && (err != PR_CONNECT_RESET_ERROR)) { - SECU_PrintError(progName, "TCP Connection failed"); + CMD_PrintError("TCP Connection failed"); return 1; } PR_Close(s); PR_Sleep(PR_MillisecondsToInterval(WAIT_INTERVAL)); } while (++iter < MAX_WAIT_FOR_SERVER); - SECU_PrintError(progName, + CMD_PrintError( "Client timed out while waiting for connection to server"); return 1; } @@ -471,7 +474,7 @@ int main(int argc, char **argv) /* Create socket */ s = PR_NewTCPSocket(); if (s == NULL) { - SECU_PrintError(progName, "error creating socket"); + CMD_PrintError("error creating socket"); return 1; } @@ -480,21 +483,21 @@ int main(int argc, char **argv) PR_SetSocketOption(s, &opt); /*PR_SetSocketOption(PR_GetSpecialFD(PR_StandardInput), &opt);*/ - s = SSL_ImportFD(NULL, s); + s = SSL_ImportFD(NULL, td, s); if (s == NULL) { - SECU_PrintError(progName, "error importing socket"); + CMD_PrintError("error importing socket"); return 1; } rv = SSL_OptionSet(s, SSL_SECURITY, 1); if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling socket"); + CMD_PrintError("error enabling socket"); return 1; } rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, 1); if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling client handshake"); + CMD_PrintError("error enabling client handshake"); return 1; } @@ -515,33 +518,33 @@ int main(int argc, char **argv) SECStatus status; status = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED); if (status != SECSuccess) - SECU_PrintError(progName, "SSL_CipherPrefSet()"); + CMD_PrintError("SSL_CipherPrefSet()"); } } } rv = SSL_OptionSet(s, SSL_ENABLE_SSL2, !disableSSL2); if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling SSLv2 "); + CMD_PrintError("error enabling SSLv2 "); return 1; } rv = SSL_OptionSet(s, SSL_ENABLE_SSL3, !disableSSL3); if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling SSLv3 "); + CMD_PrintError("error enabling SSLv3 "); return 1; } rv = SSL_OptionSet(s, SSL_ENABLE_TLS, !disableTLS); if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling TLS "); + CMD_PrintError("error enabling TLS "); return 1; } /* disable ssl2 and ssl2-compatible client hellos. */ rv = SSL_OptionSet(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2); if (rv != SECSuccess) { - SECU_PrintError(progName, "error disabling v2 compatibility"); + CMD_PrintError("error disabling v2 compatibility"); return 1; } @@ -549,11 +552,11 @@ int main(int argc, char **argv) SSL_SetPKCS11PinArg(s, password); } - SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle); + SSL_AuthCertificateHook(s, myAuthCertificate, NULL); if (override) { SSL_BadCertHook(s, ownBadCertHandler, NULL); } - SSL_GetClientAuthDataHook(s, NSS_GetClientAuthData, (void *)nickname); + SSL_GetClientAuthDataHook(s, SSL_GetClientAuthData, (void *)nickname); SSL_HandshakeCallback(s, handshakeCallback, NULL); SSL_SetURL(s, host); @@ -562,7 +565,7 @@ int main(int argc, char **argv) if (status != PR_SUCCESS) { if (PR_GetError() == PR_IN_PROGRESS_ERROR) { if (verbose) - SECU_PrintError(progName, "connect"); + CMD_PrintError("connect"); milliPause(50 * multiplier); pollset[0].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT; pollset[0].out_flags = 0; @@ -571,7 +574,7 @@ int main(int argc, char **argv) PRINTF("%s: about to call PR_Poll for connect completion!\n", progName); filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT); if (filesReady < 0) { - SECU_PrintError(progName, "unable to connect (poll)"); + CMD_PrintError("unable to connect (poll)"); return 1; } PRINTF("%s: PR_Poll returned 0x%02x for socket out_flags.\n", @@ -590,14 +593,14 @@ int main(int argc, char **argv) break; } if (PR_GetError() != PR_IN_PROGRESS_ERROR) { - SECU_PrintError(progName, "unable to connect (poll)"); + CMD_PrintError("unable to connect (poll)"); return 1; } - SECU_PrintError(progName, "poll"); + CMD_PrintError("poll"); milliPause(50 * multiplier); } } else { - SECU_PrintError(progName, "unable to connect"); + CMD_PrintError("unable to connect"); return 1; } } @@ -638,7 +641,7 @@ int main(int argc, char **argv) filesReady = PR_Poll(pollset, npds, PR_INTERVAL_NO_TIMEOUT); } if (filesReady < 0) { - SECU_PrintError(progName, "select failed"); + CMD_PrintError("select failed"); error=1; goto done; } @@ -659,7 +662,7 @@ int main(int argc, char **argv) PRINTF("%s: stdin read %d bytes\n", progName, nb); if (nb < 0) { if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { - SECU_PrintError(progName, "read from stdin failed"); + CMD_PrintError("read from stdin failed"); error=1; break; } @@ -673,8 +676,7 @@ int main(int argc, char **argv) if (cc < 0) { PRErrorCode err = PR_GetError(); if (err != PR_WOULD_BLOCK_ERROR) { - SECU_PrintError(progName, - "write to SSL socket failed"); + CMD_PrintError("write to SSL socket failed"); error=254; goto done; } @@ -709,7 +711,7 @@ int main(int argc, char **argv) PRINTF("%s: Read from server %d bytes\n", progName, nb); if (nb < 0) { if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { - SECU_PrintError(progName, "read from socket failed"); + CMD_PrintError("read from socket failed"); error=1; goto done; } diff --git a/security/nss/lib/dev/devmodule.c b/security/nss/lib/dev/devmodule.c index 28c0b452b..e977e193c 100644 --- a/security/nss/lib/dev/devmodule.c +++ b/security/nss/lib/dev/devmodule.c @@ -266,11 +266,9 @@ nssModule_Load ( #ifdef DEBUG_MODULE if (PR_TRUE) { modToDBG = PR_GetEnv("NSS_DEBUG_PKCS11_MODULE"); - fprintf(stderr, "try loaded %s %s\n", mod->base.name, modToDBG); if (modToDBG && strcmp(mod->base.name, modToDBG) == 0) { mod->epv = (void *)nss_InsertDeviceLog( (CK_FUNCTION_LIST_PTR)mod->epv); - fprintf(stderr, "loaded %s\n", modToDBG); } } #endif /* DEBUG_MODULE */ diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c index 79d9c82b4..8e477d9ae 100644 --- a/security/nss/lib/dev/devslot.c +++ b/security/nss/lib/dev/devslot.c @@ -938,6 +938,7 @@ nssSession_Save ( CK_RV ckrv; CK_ULONG stateLen; void *epv = nssSlot_GetCryptokiEPV(s->slot); + nssSession_EnterMonitor(s); ckrv = CKAPI(epv)->C_GetOperationState(s->handle, NULL, &stateLen); if (ckrv == CKR_OK && stateLen > 0) { state->data = nss_ZAlloc(arenaOpt, stateLen); @@ -954,6 +955,7 @@ nssSession_Save ( state->size = 0; } } + nssSession_ExitMonitor(s); return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE; } @@ -965,6 +967,7 @@ nssSession_Restore ( { CK_RV ckrv; void *epv = nssSlot_GetCryptokiEPV(s->slot); + nssSession_EnterMonitor(s); if (state->size > 0) { ckrv = CKAPI(epv)->C_SetOperationState(s->handle, (CK_BYTE_PTR)state->data, @@ -977,6 +980,7 @@ nssSession_Restore ( state->size = 0; } } + nssSession_ExitMonitor(s); return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE; } diff --git a/security/nss/lib/pk11wrap/debug_module.c b/security/nss/lib/pk11wrap/debug_module.c index f21dc0bda..9f62bab38 100644 --- a/security/nss/lib/pk11wrap/debug_module.c +++ b/security/nss/lib/pk11wrap/debug_module.c @@ -433,7 +433,7 @@ struct nssdbg_prof_str nssdbg_prof_data[] = { #define FUNC_C_WRAPKEY 60 NSSDBG_DEFINE(C_WrapKey), #define FUNC_C_UNWRAPKEY 61 - NSSDBG_DEFINE(C_UnWrapKey), + NSSDBG_DEFINE(C_UnwrapKey), #define FUNC_C_DERIVEKEY 62 NSSDBG_DEFINE(C_DeriveKey), #define FUNC_C_SEEDRANDOM 63 @@ -1461,6 +1461,7 @@ CK_RV NSSDBGC_SignUpdate( PR_LOG(modlog, 3, (" hSession = 0x%x", hSession)); PR_LOG(modlog, 3, (" pPart = 0x%p", pPart)); PR_LOG(modlog, 3, (" ulPartLen = %d", ulPartLen)); + print_hex_data(pPart, ulPartLen); nssdbg_start_time(FUNC_C_SIGNUPDATE,&start); rv = module_functions->C_SignUpdate(hSession, pPart, diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c index 1a7b5a824..6434b1531 100644 --- a/security/nss/lib/pki/volatiledomain.c +++ b/security/nss/lib/pki/volatiledomain.c @@ -1333,8 +1333,12 @@ nssCertChain_Destroy ( NSSCertChain *chain ) { - nssCertArray_Destroy(chain->certs); - return nssArena_Destroy(chain->arena); + if (chain) { + nssCertArray_Destroy(chain->certs); + return nssArena_Destroy(chain->arena); + } else { + return PR_SUCCESS; + } } NSS_IMPLEMENT PRStatus diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def index 55dc55653..e509990e9 100644 --- a/security/nss/lib/ssl/ssl.def +++ b/security/nss/lib/ssl/ssl.def @@ -49,7 +49,7 @@ LIBRARY ssl4 ;- EXPORTS ;- SSL_ImplementedCiphers DATA ; SSL_NumImplementedCiphers DATA ; -;+#NSS_GetClientAuthData; +SSL_GetClientAuthData; NSS_SetDomesticPolicy; NSS_SetExportPolicy; NSS_SetFrancePolicy; diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 375131561..3c3847f0b 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -225,6 +225,13 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg, NSSCert **pRetCert,/*return */ NSSPrivateKey **pRetKey);/* return */ +SSL_IMPORT PRStatus SSL_GetClientAuthData(void * arg, + PRFileDesc * socket, + NSSTrustDomain * td, + NSSDER ** caNames, + NSSCert ** pRetCert, + NSSPrivateKey ** pRetKey); + /* * Set the client side callback for SSL to retrieve user's private key * and certificate. diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 1c410c4d7..548d97dff 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -6771,9 +6771,9 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* cert is good */ } -#ifdef IMPLEMENT_SSL_STEP_UP /* start SSL Step Up, if appropriate */ cert = ss->sec.peerCert; +#ifdef IMPLEMENT_SSL_STEP_UP if (!isServer && ssl3_global_policy_some_restricted && ssl3->policy == SSL_ALLOWED && diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c index 2e16fb1ab..7f14555c7 100644 --- a/security/nss/lib/ssl/sslauth.c +++ b/security/nss/lib/ssl/sslauth.c @@ -249,6 +249,7 @@ SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) /* this may seem backwards, but isn't. */ usage.peer = isServer ? NSSUsage_SSLClient : NSSUsage_SSLServer; + usage.ca = 0; /* XXX checkSig? */ status = NSSCert_Validate(ss->sec.peerCert, NSSTime_Now(), &usage, NULL); diff --git a/security/nss/tests/stan/stan.sh b/security/nss/tests/stan/stan.sh index 0240a61de..8b815e62f 100644 --- a/security/nss/tests/stan/stan.sh +++ b/security/nss/tests/stan/stan.sh @@ -174,110 +174,167 @@ cd ${HOSTDIR} cp ${QADIR}/stan/*.b64 . cp ${QADIR}/stan/*.txt . +CERTDIR="certs" SERVERDIR="server" -PKIU_IMPORT="-I -d ${SERVERDIR} -a" +CLIENTDIR="client" -mkdir -p ${SERVERDIR} +mkdir -p ${CERTDIR} PKIU_ACTION="Creating DBs" -pkiu -N -d ${SERVERDIR} +pkiu -N -d ${CERTDIR} if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi PKIU_ACTION="Set password" -pkiu --change-password -d ${SERVERDIR} -p nss +pkiu --change-password -d ${CERTDIR} -p nss if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi PKIU_ACTION="Import Root" -pkiu ${PKIU_IMPORT} -n stanRoot -i stanRoot.b64 +pkiu -I -d ${CERTDIR} -a -n stanRoot -i stanRoot.b64 if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi PKIU_ACTION="Import Intermediate" -pkiu ${PKIU_IMPORT} -n stanCA1 -i stanCA1.b64 +pkiu -I -d ${CERTDIR} -a -n stanCA1 -i stanCA1.b64 if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi -PKIU_ACTION="Import Server Cert" -pkiu ${PKIU_IMPORT} -n stanCert -i stanCert.b64 +PKIU_ACTION="Import Leaf Cert" +pkiu -I -d ${CERTDIR} -a -n stanCert -i stanCert.b64 if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi -PKIU_ACTION="Import Server Private Key" -pkiu ${PKIU_IMPORT} -n stanCert -i stanCert_key.b64 --type private-key -p nss -w asdf +PKIU_ACTION="Import Private Key" +pkiu -I -d ${CERTDIR} -a -n stanCert -i stanCert_key.b64 --type private-key -p nss -w asdf if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi PKIU_ACTION="List Certs" -pkiu -L -d ${SERVERDIR} +pkiu -L -d ${CERTDIR} PKIU_ACTION="List Keys" -pkiu -L -d ${SERVERDIR} --type private-key -p nss +pkiu -L -d ${CERTDIR} --type private-key -p nss PKIU_ACTION="Attempt Validation of Server Cert (FAIL)" FAILURE_CODE=255 -pkiuf -V -d ${SERVERDIR} -n stanCert -u cv +pkiuf -V -d ${CERTDIR} -n stanCert -u cv PKIU_ACTION="Set Root Cert Trust" -pkiu -M -d ${SERVERDIR} -n stanRoot -u CV +pkiu -M -d ${CERTDIR} -n stanRoot -u CV if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi -PKIU_ACTION="Validate Server Cert" -pkiu -V -d ${SERVERDIR} -n stanCert -u cv +PKIU_ACTION="Validate Leaf Cert" +pkiu -V -d ${CERTDIR} -n stanCert -u cv PKIU_ACTION="Validate Intermediate CA Cert" -pkiu -V -d ${SERVERDIR} -n stanCA1 -u CV +pkiu -V -d ${CERTDIR} -n stanCA1 -u CV -PKIU_ACTION="Export Copy of Server Cert" -pkiu -E -d ${SERVERDIR} -n stanCert --type cert -a -o stanCertCopy.b64 +PKIU_ACTION="Export Copy of Leaf Cert" +pkiu -E -d ${CERTDIR} -n stanCert --type cert -a -o stanCertCopy.b64 -PKIU_ACTION="Export Copy of Server Private Key" -pkiu -E -d ${SERVERDIR} -n stanCert --type private-key -a -o stanKeyCopy.b64 -w asdf +PKIU_ACTION="Export Copy of Private Key" +pkiu -E -d ${CERTDIR} -n stanCert --type private-key -a -o stanKeyCopy.b64 -w asdf -p nss PKIU_ACTION="Import Expired Cert" -pkiu ${PKIU_IMPORT} -n stanExpired -i stanExpired.b64 +pkiu -I -d ${CERTDIR} -a -n stanExpired -i stanExpired.b64 if [ "$RET" -ne 0 ]; then Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" fi PKIU_ACTION="Attempt Validation of Expired Cert (FAIL)" FAILURE_CODE=255 -pkiuf -V -d ${SERVERDIR} -n stanExpired -u cv +pkiuf -V -d ${CERTDIR} -n stanExpired -u cv PKIU_ACTION="Delete Expired Cert" -pkiu -D -d ${SERVERDIR} -n stanExpired +pkiu -D -d ${CERTDIR} -n stanExpired PKIU_ACTION="List Certs" -pkiu -L -d ${SERVERDIR} +pkiu -L -d ${CERTDIR} -PKIU_ACTION="List Server Cert Chain" -pkiu --list-chain -d ${SERVERDIR} -n stanCert +PKIU_ACTION="List Cert Chain" +pkiu --list-chain -d ${CERTDIR} -n stanCert NSSU_ACTION="List Modules" -nssu --list-modules -d ${SERVERDIR} +nssu --list-modules -d ${CERTDIR} NSSU_ACTION="Show Internal Module" DEVNAME="NSS Internal PKCS #11 Module" -nssu --dump-module -d ${SERVERDIR} +nssu --dump-module -d ${CERTDIR} NSSU_ACTION="Show Internal DB Slot" DEVNAME="NSS User Private Key and Certificate Services" -nssu --dump-slot -d ${SERVERDIR} +nssu --dump-slot -d ${CERTDIR} NSSU_ACTION="Show Internal DB Token" DEVNAME="NSS Certificate DB" -nssu --dump-token -d ${SERVERDIR} +nssu --dump-token -d ${CERTDIR} CIPHER_ACTION="Run Symmetric Key Self-Tests" ciph -T +mkdir -p ${SERVERDIR} +PKIU_ACTION="Creating DBs for server" +pkiu -N -d ${SERVERDIR} +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +PKIU_ACTION="Set password for server" +pkiu --change-password -d ${SERVERDIR} -p nss +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +PKIU_ACTION="Import Root For Server" +pkiu -I -d ${SERVERDIR} -a -n serverRoot -i serverRoot.b64 +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +PKIU_ACTION="Import Server Cert" +pkiu -I -d ${SERVERDIR} -a -n localhost -i localhost.b64 +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +PKIU_ACTION="Import Server Private Key" +pkiu -I -d ${SERVERDIR} -a -n localhost -i localhost_key.b64 --type private-key -p nss -w asdf +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +mkdir -p ${CLIENTDIR} +PKIU_ACTION="Creating DBs for client" +pkiu -N -d ${CLIENTDIR} +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +PKIU_ACTION="Set password for client" +pkiu --change-password -d ${CLIENTDIR} -p nss +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +PKIU_ACTION="Import Server CA for client" +pkiu -I -d ${CLIENTDIR} -a -n serverRoot -i serverRoot.b64 +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + +PKIU_ACTION="Set Root Cert Trust for client" +pkiu -M -d ${CLIENTDIR} -n serverRoot -u CV +if [ "$RET" -ne 0 ]; then + Exit 6 "Fatal - failed ${PKIU_ACTION} [$RET]" +fi + cert_cleanup |