Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(441)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/ssl/ssl3con.c

Issue 7058049: Added client-side support for the TLS cached info extension. This feature is disabled by default ... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Added Null pointer check Created 9 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/socket/ssl_client_socket_nss.cc ('K') | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ext.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/ssl/ssl3con.c
===================================================================
--- net/third_party/nss/ssl/ssl3con.c (revision 86360)
+++ net/third_party/nss/ssl/ssl3con.c (working copy)
@@ -8065,105 +8065,151 @@
goto loser; /* don't send alerts on memory errors */
}
- /* First get the peer cert. */
- remaining -= 3;
- if (remaining < 0)
- goto decode_loser;
+ int i;
+ PRBool using_cert_chain_digest = PR_FALSE;
+ for (i = 0; i < ss->xtnData.numNegotiated; i++) {
+ if (ss->xtnData.negotiated[i] == ssl_cached_info_xtn) {
wtc 2011/06/03 22:56:55 There should be a function that does this search i
rkn 2011/06/04 20:50:19 Done.
+ using_cert_chain_digest = PR_TRUE;
+ break;
+ }
+ }
- size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
- if (size <= 0)
- goto loser; /* fatal alert already sent by ConsumeHandshake. */
+ // if (using_cert_chain_digest) {
+ if (length == 12) {
wtc 2011/06/03 22:56:55 Use the using_cert_chain_digest variable in this t
rkn 2011/06/04 20:50:19 Done.
+ /* We are dealing with a certificate_chain digest */
- if (remaining < size)
- goto decode_loser;
+ /* First get the peer cert. */
+ if (ss->ssl3.predictedCertChain[0] == NULL) {
+ desc = handshake_failure;
+ goto alert_loser;
+ }
+ ss->sec.peerCert = CERT_DupCertificate(ss->ssl3.predictedCertChain[0]);
- certItem.data = b;
- certItem.len = size;
- b += size;
- length -= size;
- remaining -= size;
-
- ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
- PR_FALSE, PR_TRUE);
- if (ss->sec.peerCert == NULL) {
- /* We should report an alert if the cert was bad, but not if the
- * problem was just some local problem, like memory error.
- */
- goto ambiguous_err;
+ /* Now get all of the CA certs. */
+ ssl3CertNode *certNodeCurrent;
+ ss->ssl3.peerCertChain = certNodeCurrent
+ = PORT_ArenaNew(arena, ssl3CertNode);
+ if (certNodeCurrent == NULL) {
+ goto loser; /* don't send alerts on memory errors */
+ }
+ certNodeCurrent->cert =
+ CERT_DupCertificate(ss->ssl3.predictedCertChain[0]);
+ int i = 1;
+ while (ss->ssl3.predictedCertChain[i] != NULL) {
+ certNodeCurrent->next = PORT_ArenaNew(arena, ssl3CertNode);
+ if (certNodeCurrent->next == NULL) {
+ goto loser; /* don't send alerts on memory errors */
+ }
+ certNodeCurrent = certNodeCurrent->next;
+ certNodeCurrent->cert =
+ CERT_DupCertificate(ss->ssl3.predictedCertChain[i]);
+ i++;
+ }
+ certNodeCurrent->next = NULL;
}
+ else {
wtc 2011/06/03 22:56:55 Put } and else on the same line: } else {
rkn 2011/06/04 20:50:19 Done.
+ /* We are dealing with a regular certificate message */
+
+ /* First get the peer cert. */
+ remaining -= 3;
+ if (remaining < 0)
+ goto decode_loser;
- /* Now get all of the CA certs. */
- while (remaining > 0) {
- remaining -= 3;
- if (remaining < 0)
- goto decode_loser;
+ size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+ if (size <= 0)
+ goto loser; /* fatal alert already sent by ConsumeHandshake. */
- size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
- if (size <= 0)
- goto loser; /* fatal alert already sent by ConsumeHandshake. */
+ if (remaining < size)
+ goto decode_loser;
- if (remaining < size)
- goto decode_loser;
+ certItem.data = b;
+ certItem.len = size;
+ b += size;
+ length -= size;
+ remaining -= size;
- certItem.data = b;
- certItem.len = size;
- b += size;
- length -= size;
- remaining -= size;
+ ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem,
+ NULL, PR_FALSE, PR_TRUE);
+ if (ss->sec.peerCert == NULL) {
+ /* We should report an alert if the cert was bad, but not if the
+ * problem was just some local problem, like memory error.
+ */
+ goto ambiguous_err;
+ }
- c = PORT_ArenaNew(arena, ssl3CertNode);
- if (c == NULL) {
- goto loser; /* don't send alerts on memory errors */
- }
+ /* Now get all of the CA certs. */
+ while (remaining > 0) {
+ remaining -= 3;
+ if (remaining < 0)
+ goto decode_loser;
- c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
- PR_FALSE, PR_TRUE);
- if (c->cert == NULL) {
- goto ambiguous_err;
- }
+ size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+ if (size <= 0)
+ goto loser; /* fatal alert already sent by ConsumeHandshake. */
- if (c->cert->trust)
- trusted = PR_TRUE;
+ if (remaining < size)
+ goto decode_loser;
- c->next = NULL;
- if (lastCert) {
- lastCert->next = c;
- } else {
- certs = c;
- }
- lastCert = c;
+ certItem.data = b;
+ certItem.len = size;
+ b += size;
+ length -= size;
+ remaining -= size;
+
+ c = PORT_ArenaNew(arena, ssl3CertNode);
+ if (c == NULL) {
+ goto loser; /* don't send alerts on memory errors */
+ }
+
+ c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+ PR_FALSE, PR_TRUE);
+ if (c->cert == NULL) {
+ goto ambiguous_err;
+ }
+
+ if (c->cert->trust)
+ trusted = PR_TRUE;
+
+ c->next = NULL;
+ if (lastCert) {
+ lastCert->next = c;
+ } else {
+ certs = c;
+ }
+ lastCert = c;
+ }
+
+ if (remaining != 0)
+ goto decode_loser;
}
- if (remaining != 0)
- goto decode_loser;
-
SECKEY_UpdateCertPQG(ss->sec.peerCert);
/*
* Ask caller-supplied callback function to validate cert chain.
*/
rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
- PR_TRUE, isServer);
+ PR_TRUE, isServer);
if (rv) {
- errCode = PORT_GetError();
- if (!ss->handleBadCert) {
- goto bad_cert;
- }
- rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
- if ( rv ) {
- if ( rv == SECWouldBlock ) {
- /* someone will handle this connection asynchronously*/
- SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
- SSL_GETPID(), ss->fd));
- ss->ssl3.peerCertChain = certs;
- certs = NULL;
- ssl_SetAlwaysBlock(ss);
- goto cert_block;
- }
- /* cert is bad */
- goto bad_cert;
- }
- /* cert is good */
+ errCode = PORT_GetError();
+ if (!ss->handleBadCert) {
+ goto bad_cert;
+ }
+ rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
+ if ( rv ) {
+ if ( rv == SECWouldBlock ) {
+ /* someone will handle this connection asynchronously*/
+ SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
+ SSL_GETPID(), ss->fd));
+ ss->ssl3.peerCertChain = certs;
+ certs = NULL;
+ ssl_SetAlwaysBlock(ss);
+ goto cert_block;
+ }
+ /* cert is bad */
+ goto bad_cert;
+ }
+ /* cert is good */
}
/* start SSL Step Up, if appropriate */
@@ -8171,13 +8217,13 @@
if (!isServer &&
ssl3_global_policy_some_restricted &&
ss->ssl3.policy == SSL_ALLOWED &&
- anyRestrictedEnabled(ss) &&
- SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
- PR_FALSE, /* checkSig */
- certUsageSSLServerWithStepUp,
+ anyRestrictedEnabled(ss) &&
+ SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
+ PR_FALSE, /* checkSig */
+ certUsageSSLServerWithStepUp,
/*XXX*/ ss->authCertificateArg) ) {
- ss->ssl3.policy = SSL_RESTRICTED;
- ss->ssl3.hs.rehandshake = PR_TRUE;
+ ss->ssl3.policy = SSL_RESTRICTED;
+ ss->ssl3.hs.rehandshake = PR_TRUE;
wtc 2011/06/03 22:56:55 Don't fix the TABs in NSS source code.
rkn 2011/06/04 20:52:31 I tried to undo this by downloading and applying a
}
ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
« net/socket/ssl_client_socket_nss.cc ('K') | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ext.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698