The current implementation of client authentication for Windows and Mac matches the NSS implementation, in that it continously checks that the private key is still accessible. The intent is that once the user removes the private key (such as by ejecting a smart card, if it's stored on one), then the existing SSL sessions will become invalidated. However, depending on the smart card middleware, this may involve non-trivial work being done every SSL record, and may be causing a performance regression for authentication.

The new behaviour is that any negotiated SSL connections remain valid, even after the smart card is ejected, and any established SSL sessions are not invalidated and may be reused. This matches the observed behaviours of IE and Safari. Smart card client auth on Linux is unaffected and will continue polling the smart card to determine if it's been ejected / the key has been deleted.

BUG=71928
TEST=none

Review URL: http://codereview.chromium.org/6413010

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@74716 0039d316-1c4b-4281-b951-d872f2087c98

5 files changed, 1 insertions, 214 deletions

diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index f5c0880..6aaa88c 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -2012,10 +2012,7 @@ ssl3_ComputeRecordMAC(
 static PRBool
 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
 #ifdef NSS_PLATFORM_CLIENT_AUTH
-    if (!sid || !sid->u.ssl3.clPlatformAuthValid) {
-	return PR_TRUE;
-    }
-    return ssl_PlatformAuthTokenPresent(&sid->u.ssl3.clPlatformAuthInfo);
+    return PR_TRUE;
 #else
     PK11SlotInfo *slot = NULL;
     PRBool isPresent = PR_TRUE;
@@ -4837,12 +4834,6 @@ ssl3_SendCertificateVerify(sslSocket *ss)
 #ifdef NSS_PLATFORM_CLIENT_AUTH
     rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
                                  &buf, isTLS);
-    if (rv == SECSuccess) {
-        sslSessionID * sid = ss->sec.ci.sid;
-        ssl_GetPlatformAuthInfoForKey(ss->ssl3.platformClientKey,
-                                      &sid->u.ssl3.clPlatformAuthInfo);
-        sid->u.ssl3.clPlatformAuthValid = PR_TRUE;
-    }
     ssl_FreePlatformKey(ss->ssl3.platformClientKey);
     ss->ssl3.platformClientKey = (PlatformKey)NULL;
 #else /* NSS_PLATFORM_CLIENT_AUTH */
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 1ea82da..357c1b9 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -680,11 +680,6 @@ struct sslSessionIDStr {
             char              masterValid;
 	    char              clAuthValid;
 
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-	    PlatformAuthInfo  clPlatformAuthInfo;
-	    char              clPlatformAuthValid;
-#endif  /* NSS_PLATFORM_CLIENT_AUTH */
-
 	    /* Session ticket if we have one, is sent as an extension in the
 	     * ClientHello message.  This field is used by clients.
 	     */
@@ -1753,23 +1748,6 @@ extern SECStatus ssl_FreeSessionCacheLocks(void);
 // Releases the platform key.
 extern void ssl_FreePlatformKey(PlatformKey key);
 
-// Frees any memory allocated to store a persistent reference to the
-// platform key.
-extern void ssl_FreePlatformAuthInfo(PlatformAuthInfo* info);
-
-// Initializes the PlatformAuthInfo to empty/invalid values.
-extern void ssl_InitPlatformAuthInfo(PlatformAuthInfo* info);
-
-// Determine if the given key is still present in the system. This is used
-// to check for things like smart cards being ejected after handshaking,
-// since no further operations on the key will happen which would detect this.
-extern PRBool ssl_PlatformAuthTokenPresent(PlatformAuthInfo* info);
-
-// Obtain a persistent reference to a key, sufficient for
-// ssl_PlatformAuthTokenPresent to determine if the key is still present.
-extern void ssl_GetPlatformAuthInfoForKey(PlatformKey key,
-                                          PlatformAuthInfo* info);
-
 // Implement the client CertificateVerify message for SSL3/TLS1.0
 extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
                                          PlatformKey key, SECItem *buf,
diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c
index 345f041..64adc1f 100644
--- a/net/third_party/nss/ssl/sslnonce.c
+++ b/net/third_party/nss/ssl/sslnonce.c
@@ -226,11 +226,6 @@ ssl_DestroySID(sslSessionID *sid)
     if (sid->u.ssl3.sessionTicket.ticket.data) {
 	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
     }
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-    if (sid->u.ssl3.clPlatformAuthValid) {
-	ssl_FreePlatformAuthInfo(&sid->u.ssl3.clPlatformAuthInfo);
-    }
-#endif   /* NSS_PLATFORM_CLIENT_AUTH */
     
     PORT_ZFree(sid, sizeof(sslSessionID));
 }
diff --git a/net/third_party/nss/ssl/sslplatf.c b/net/third_party/nss/ssl/sslplatf.c
index 9ab6172..208956f8 100644
--- a/net/third_party/nss/ssl/sslplatf.c
+++ b/net/third_party/nss/ssl/sslplatf.c
@@ -109,87 +109,6 @@ ssl_FreePlatformKey(PlatformKey key)
     }
 }
 
-void
-ssl_FreePlatformAuthInfo(PlatformAuthInfo* info)
-{
-    if (info->provider != NULL) {
-        PORT_Free(info->provider);
-        info->provider = NULL;
-    }
-    if (info->container != NULL) {
-        PORT_Free(info->container);
-        info->container = NULL;
-    }
-    info->provType = 0;
-}
-
-void
-ssl_InitPlatformAuthInfo(PlatformAuthInfo* info)
-{
-    info->provider  = NULL;
-    info->container = NULL;
-    info->provType  = 0;
-}
-
-PRBool
-ssl_PlatformAuthTokenPresent(PlatformAuthInfo *info)
-{
-    HCRYPTPROV prov = 0;
-
-    if (!info || !info->provider || !info->container)
-        return PR_FALSE;
-
-    if (!CryptAcquireContextA(&prov, info->container, info->provider,
-                              info->provType, 0))
-        return PR_FALSE;
-
-    CryptReleaseContext(prov, 0);
-    return PR_TRUE;
-}
-
-void
-ssl_GetPlatformAuthInfoForKey(PlatformKey key,
-                              PlatformAuthInfo *info)
-{
-    DWORD bytesNeeded = 0;
-    ssl_InitPlatformAuthInfo(info);
-    if (!key || key->dwKeySpec == CERT_NCRYPT_KEY_SPEC)
-        goto error;
-
-    bytesNeeded = sizeof(info->provType);
-    if (!CryptGetProvParam(key->hCryptProv, PP_PROVTYPE,
-                           (BYTE*)&info->provType, &bytesNeeded, 0))
-        goto error;
-
-    bytesNeeded = 0;
-    if (!CryptGetProvParam(key->hCryptProv, PP_CONTAINER, NULL, &bytesNeeded,
-                           0))
-        goto error;
-    info->container = (char*)PORT_Alloc(bytesNeeded);
-    if (info->container == NULL)
-        goto error;
-    if (!CryptGetProvParam(key->hCryptProv, PP_CONTAINER,
-                           (BYTE*)info->container, &bytesNeeded, 0))
-        goto error;
-
-    bytesNeeded = 0;
-    if (!CryptGetProvParam(key->hCryptProv, PP_NAME, NULL, &bytesNeeded, 0))
-        goto error;
-    info->provider = (char*)PORT_Alloc(bytesNeeded);
-    if (info->provider == NULL)
-        goto error;
-    if (!CryptGetProvParam(key->hCryptProv, PP_NAME, (BYTE*)info->provider,
-                           &bytesNeeded, 0))
-        goto error;
-
-    goto done;
-error:
-    ssl_FreePlatformAuthInfo(info);
-
-done:
-    return;
-}
-
 SECStatus
 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, 
                         PRBool isTLS)
@@ -316,82 +235,12 @@ done:
 #elif defined(XP_MACOSX)
 #include <Security/cssm.h>
 
-/*
- * In Mac OS X 10.5, these two functions are private but implemented, and
- * in Mac OS X 10.6, these are exposed publicly.  To compile with the 10.5
- * SDK, we declare them here.
- */
-OSStatus SecKeychainItemCreatePersistentReference(SecKeychainItemRef itemRef, CFDataRef *persistentItemRef);
-OSStatus SecKeychainItemCopyFromPersistentReference(CFDataRef persistentItemRef, SecKeychainItemRef *itemRef);
-
 void
 ssl_FreePlatformKey(PlatformKey key)
 {
     CFRelease(key);
 }
 
-void
-ssl_FreePlatformAuthInfo(PlatformAuthInfo* info)
-{
-    if (info->keychain != NULL) {
-        CFRelease(info->keychain);
-        info->keychain = NULL;
-    }
-    if (info->persistentKey != NULL) {
-        CFRelease(info->persistentKey);
-        info->persistentKey = NULL;
-    }
-}
-
-void
-ssl_InitPlatformAuthInfo(PlatformAuthInfo* info)
-{
-    info->keychain = NULL;
-    info->persistentKey = NULL;
-}
-
-PRBool
-ssl_PlatformAuthTokenPresent(PlatformAuthInfo* info)
-{
-    if (!info || !info->keychain || !info->persistentKey)
-        return PR_FALSE;
-
-    // Not actually interested in the status, but it can be used to make sure
-    // that the keychain still exists (as smart card ejection will remove
-    // the keychain)
-    SecKeychainStatus keychainStatus;
-    OSStatus rv = SecKeychainGetStatus(info->keychain, &keychainStatus);
-    if (rv != noErr)
-        return PR_FALSE;
-
-    // Make sure the individual key still exists within the keychain, if
-    // the keychain is present
-    SecKeychainItemRef keychainItem;
-    rv = SecKeychainItemCopyFromPersistentReference(info->persistentKey,
-                                                    &keychainItem);
-    if (rv != noErr)
-        return PR_FALSE;
-
-    CFRelease(keychainItem);
-    return PR_TRUE;
-}
-
-void
-ssl_GetPlatformAuthInfoForKey(PlatformKey key,
-                              PlatformAuthInfo *info)
-{
-    SecKeychainItemRef keychainItem = (SecKeychainItemRef)key;
-    OSStatus rv = SecKeychainItemCopyKeychain(keychainItem, &info->keychain);
-    if (rv == noErr) {
-        rv = SecKeychainItemCreatePersistentReference(keychainItem,
-                                                      &info->persistentKey);
-    }
-    if (rv != noErr) {
-        ssl_FreePlatformAuthInfo(info);
-    }
-    return;
-}
-
 SECStatus
 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, 
                         PRBool isTLS)
@@ -538,27 +387,6 @@ ssl_FreePlatformKey(PlatformKey key)
 {
 }
 
-void
-ssl_FreePlatformAuthInfo(PlatformAuthInfo *info)
-{
-}
-
-void
-ssl_InitPlatformAuthInfo(PlatformAuthInfo *info)
-{
-}
-
-PRBool
-ssl_PlatformAuthTokenPresent(PlatformAuthInfo *info)
-{
-    return PR_FALSE;
-}
-
-void
-ssl_GetPlatformAuthInfoForKey(PlatformKey key, PlatformAuthInfo *info)
-{
-}
-
 SECStatus
 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf,
                         PRBool isTLS)
diff --git a/net/third_party/nss/ssl/sslsnce.c b/net/third_party/nss/ssl/sslsnce.c
index 4176ac8..6c73f25 100644
--- a/net/third_party/nss/ssl/sslsnce.c
+++ b/net/third_party/nss/ssl/sslsnce.c
@@ -638,11 +638,6 @@ ConvertToSID(sidCacheEntry *    from,
 	to->u.ssl3.clAuthSeries     = 0;
 	to->u.ssl3.clAuthValid      = PR_FALSE;
 
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-	ssl_InitPlatformAuthInfo(&to->u.ssl3.clPlatformAuthInfo);
-	to->u.ssl3.clPlatformAuthValid = PR_FALSE;
-#endif   /* NSS_PLATFORM_CLIENT_AUTH */
-
 	if (from->u.ssl3.certIndex != -1 && pcce) {
 	    SECItem          derCert;