Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(7)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 7058049: Added client-side support for the TLS cached info extension. This feature is disabled by default ... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Added Null pointer check Created 9 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/socket/ssl_client_socket_nss.cc ('K') | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ext.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * SSL3 Protocol 2 * SSL3 Protocol
3 * 3 *
4 * ***** BEGIN LICENSE BLOCK ***** 4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 * 6 *
7 * The contents of this file are subject to the Mozilla Public License Version 7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with 8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at 9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/ 10 * http://www.mozilla.org/MPL/
(...skipping 8047 matching lines...) Expand 10 before | Expand all | Expand 10 after
8058 goto loser; 8058 goto loser;
8059 } 8059 }
8060 goto cert_block; 8060 goto cert_block;
8061 } 8061 }
8062 8062
8063 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 8063 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
8064 if ( arena == NULL ) { 8064 if ( arena == NULL ) {
8065 goto loser; /* don't send alerts on memory errors */ 8065 goto loser; /* don't send alerts on memory errors */
8066 } 8066 }
8067 8067
8068 /* First get the peer cert. */ 8068 int i;
8069 remaining -= 3; 8069 PRBool using_cert_chain_digest = PR_FALSE;
8070 if (remaining < 0) 8070 for (i = 0; i < ss->xtnData.numNegotiated; i++) {
8071 » goto decode_loser; 8071 if (ss->xtnData.negotiated[i] == ssl_cached_info_xtn) {
wtc 2011/06/03 22:56:55 There should be a function that does this search i
rkn 2011/06/04 20:50:19 Done.
8072 8072 using_cert_chain_digest = PR_TRUE;
8073 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 8073 break;
8074 if (size <= 0) 8074 }
8075 » goto loser;» /* fatal alert already sent by ConsumeHandshake. */
8076
8077 if (remaining < size)
8078 » goto decode_loser;
8079
8080 certItem.data = b;
8081 certItem.len = size;
8082 b += size;
8083 length -= size;
8084 remaining -= size;
8085
8086 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
8087 PR_FALSE, PR_TRUE);
8088 if (ss->sec.peerCert == NULL) {
8089 » /* We should report an alert if the cert was bad, but not if the
8090 » * problem was just some local problem, like memory error.
8091 » */
8092 » goto ambiguous_err;
8093 } 8075 }
8094 8076
8095 /* Now get all of the CA certs. */ 8077 // if (using_cert_chain_digest) {
8096 while (remaining > 0) { 8078 if (length == 12) {
wtc 2011/06/03 22:56:55 Use the using_cert_chain_digest variable in this t
rkn 2011/06/04 20:50:19 Done.
8097 » remaining -= 3; 8079 /* We are dealing with a certificate_chain digest */
8098 » if (remaining < 0)
8099 » goto decode_loser;
8100 8080
8101 » size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 8081 /* First get the peer cert. */
8102 » if (size <= 0) 8082 if (ss->ssl3.predictedCertChain[0] == NULL) {
8103 » goto loser;»/* fatal alert already sent by ConsumeHandshake. */ 8083 desc = handshake_failure;
8084 goto alert_loser;
8085 » }
8086 ss->sec.peerCert = CERT_DupCertificate(ss->ssl3.predictedCertChain[0]);
8104 8087
8105 » if (remaining < size) 8088 /* Now get all of the CA certs. */
8106 » goto decode_loser; 8089 ssl3CertNode *certNodeCurrent;
8090 ss->ssl3.peerCertChain = certNodeCurrent
8091 = PORT_ArenaNew(arena, ssl3CertNode);
8092 if (certNodeCurrent == NULL) {
8093 goto loser;»/* don't send alerts on memory errors */
8094 }
8095 certNodeCurrent->cert =
8096 CERT_DupCertificate(ss->ssl3.predictedCertChain[0]);
8097 int i = 1;
8098 while (ss->ssl3.predictedCertChain[i] != NULL) {
8099 certNodeCurrent->next = PORT_ArenaNew(arena, ssl3CertNode);
8100 if (certNodeCurrent->next == NULL) {
8101 goto loser; /* don't send alerts on memory errors */
8102 }
8103 certNodeCurrent = certNodeCurrent->next;
8104 certNodeCurrent->cert =
8105 CERT_DupCertificate(ss->ssl3.predictedCertChain[i]);
8106 i++;
8107 }
8108 certNodeCurrent->next = NULL;
8109 }
8110 else {
wtc 2011/06/03 22:56:55 Put } and else on the same line: } else {
rkn 2011/06/04 20:50:19 Done.
8111 /* We are dealing with a regular certificate message */
8112
8113 /* First get the peer cert. */
8114 remaining -= 3;
8115 if (remaining < 0)
8116 goto decode_loser;
8107 8117
8108 » certItem.data = b; 8118 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
8109 » certItem.len = size; 8119 if (size <= 0)
8110 » b += size; 8120 goto loser;»/* fatal alert already sent by ConsumeHandshake. */
8111 » length -= size;
8112 » remaining -= size;
8113 8121
8114 » c = PORT_ArenaNew(arena, ssl3CertNode); 8122 if (remaining < size)
8115 » if (c == NULL) { 8123 goto decode_loser;
8116 » goto loser;»/* don't send alerts on memory errors */
8117 » }
8118 8124
8119 » c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL, 8125 certItem.data = b;
8120 » PR_FALSE, PR_TRUE); 8126 certItem.len = size;
8121 » if (c->cert == NULL) { 8127 b += size;
8122 » goto ambiguous_err; 8128 length -= size;
8123 » } 8129 remaining -= size;
8124 8130
8125 » if (c->cert->trust) 8131 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem,
8126 » trusted = PR_TRUE; 8132 NULL, PR_FALSE, PR_TRUE);
8133 if (ss->sec.peerCert == NULL) {
8134 /* We should report an alert if the cert was bad, but not if the
8135 * problem was just some local problem, like memory error.
8136 */
8137 goto ambiguous_err;
8138 }
8127 8139
8128 » c->next = NULL; 8140 /* Now get all of the CA certs. */
8129 » if (lastCert) { 8141 while (remaining > 0) {
8130 » lastCert->next = c; 8142 remaining -= 3;
8131 » } else { 8143 if (remaining < 0)
8132 » certs = c; 8144 goto decode_loser;
8133 » } 8145
8134 » lastCert = c; 8146 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
8147 if (size <= 0)
8148 goto loser; /* fatal alert already sent by ConsumeHandshake. */
8149
8150 if (remaining < size)
8151 goto decode_loser;
8152
8153 certItem.data = b;
8154 certItem.len = size;
8155 b += size;
8156 length -= size;
8157 remaining -= size;
8158
8159 c = PORT_ArenaNew(arena, ssl3CertNode);
8160 if (c == NULL) {
8161 goto loser;» /* don't send alerts on memory errors */
8162 }
8163
8164 c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
8165 PR_FALSE, PR_TRUE);
8166 if (c->cert == NULL) {
8167 goto ambiguous_err;
8168 }
8169
8170 if (c->cert->trust)
8171 trusted = PR_TRUE;
8172
8173 c->next = NULL;
8174 » if (lastCert) {
8175 lastCert->next = c;
8176 } else {
8177 certs = c;
8178 }
8179 lastCert = c;
8180 }
8181
8182 if (remaining != 0)
8183 goto decode_loser;
8135 } 8184 }
8136 8185
8137 if (remaining != 0)
8138 goto decode_loser;
8139
8140 SECKEY_UpdateCertPQG(ss->sec.peerCert); 8186 SECKEY_UpdateCertPQG(ss->sec.peerCert);
8141 8187
8142 /* 8188 /*
8143 * Ask caller-supplied callback function to validate cert chain. 8189 * Ask caller-supplied callback function to validate cert chain.
8144 */ 8190 */
8145 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, 8191 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
8146 » » » » » PR_TRUE, isServer); 8192 PR_TRUE, isServer);
8147 if (rv) { 8193 if (rv) {
8148 » errCode = PORT_GetError(); 8194 errCode = PORT_GetError();
8149 » if (!ss->handleBadCert) { 8195 if (!ss->handleBadCert) {
8150 » goto bad_cert; 8196 goto bad_cert;
8151 » } 8197 }
8152 » rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd); 8198 rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
8153 » if ( rv ) { 8199 if ( rv ) {
8154 » if ( rv == SECWouldBlock ) { 8200 if ( rv == SECWouldBlock ) {
8155 » » /* someone will handle this connection asynchronously*/ 8201 » /* someone will handle this connection asynchronously*/
8156 » » SSL_DBG(("%d: SSL3[%d]: go to async cert handler", 8202 » SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
8157 » » » SSL_GETPID(), ss->fd)); 8203 » » SSL_GETPID(), ss->fd));
8158 » » ss->ssl3.peerCertChain = certs; 8204 » ss->ssl3.peerCertChain = certs;
8159 » » certs = NULL; 8205 » certs = NULL;
8160 » » ssl_SetAlwaysBlock(ss); 8206 » ssl_SetAlwaysBlock(ss);
8161 » » goto cert_block; 8207 » goto cert_block;
8162 » } 8208 }
8163 » /* cert is bad */ 8209 /* cert is bad */
8164 » goto bad_cert; 8210 goto bad_cert;
8165 » } 8211 }
8166 » /* cert is good */ 8212 /* cert is good */
8167 } 8213 }
8168 8214
8169 /* start SSL Step Up, if appropriate */ 8215 /* start SSL Step Up, if appropriate */
8170 cert = ss->sec.peerCert; 8216 cert = ss->sec.peerCert;
8171 if (!isServer && 8217 if (!isServer &&
8172 ssl3_global_policy_some_restricted && 8218 ssl3_global_policy_some_restricted &&
8173 ss->ssl3.policy == SSL_ALLOWED && 8219 ss->ssl3.policy == SSL_ALLOWED &&
8174 » anyRestrictedEnabled(ss) && 8220 anyRestrictedEnabled(ss) &&
8175 » SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert, 8221 SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
8176 » PR_FALSE, /* checkSig */ 8222 PR_FALSE, /* checkSig */
8177 » » » » certUsageSSLServerWithStepUp, 8223 » » » certUsageSSLServerWithStepUp,
8178 /*XXX*/ ss->authCertificateArg) ) { 8224 /*XXX*/ ss->authCertificateArg) ) {
8179 » ss->ssl3.policy = SSL_RESTRICTED; 8225 ss->ssl3.policy = SSL_RESTRICTED;
8180 » ss->ssl3.hs.rehandshake = PR_TRUE; 8226 ss->ssl3.hs.rehandshake = PR_TRUE;
wtc 2011/06/03 22:56:55 Don't fix the TABs in NSS source code.
rkn 2011/06/04 20:52:31 I tried to undo this by downloading and applying a
8181 } 8227 }
8182 8228
8183 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); 8229 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
8184 ssl3_CopyPeerCertsToSID(certs, ss->sec.ci.sid); 8230 ssl3_CopyPeerCertsToSID(certs, ss->sec.ci.sid);
8185 8231
8186 if (!ss->sec.isServer) { 8232 if (!ss->sec.isServer) {
8187 /* set the server authentication and key exchange types and sizes 8233 /* set the server authentication and key exchange types and sizes
8188 ** from the value in the cert. If the key exchange key is different, 8234 ** from the value in the cert. If the key exchange key is different,
8189 ** it will get fixed when we handle the server key exchange message. 8235 ** it will get fixed when we handle the server key exchange message.
8190 */ 8236 */
(...skipping 1691 matching lines...) Expand 10 before | Expand all | Expand 10 after
9882 9928
9883 ss->ssl3.initialized = PR_FALSE; 9929 ss->ssl3.initialized = PR_FALSE;
9884 9930
9885 if (ss->ssl3.nextProto.data) { 9931 if (ss->ssl3.nextProto.data) {
9886 PORT_Free(ss->ssl3.nextProto.data); 9932 PORT_Free(ss->ssl3.nextProto.data);
9887 ss->ssl3.nextProto.data = NULL; 9933 ss->ssl3.nextProto.data = NULL;
9888 } 9934 }
9889 } 9935 }
9890 9936
9891 /* End of ssl3con.c */ 9937 /* End of ssl3con.c */
OLDNEW
« net/socket/ssl_client_socket_nss.cc ('K') | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ext.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698