Update net/third_party/nss to NSS 3.13.3.

net/third_party/nss/ssl/sslcon.c

 /* 
  * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
@@ skipping 19 matching lines @@
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslcon.c,v 1.40 2010/04/25 23:37:38 nelson%bolyard.com Exp $ */
+/* $Id: sslcon.c,v 1.45 2011/11/19 21:58:21 bsmith%mozilla.com Exp $ */
 
 #include "nssrenam.h"
 #include "cert.h"
 #include "secitem.h"
 #include "sechash.h"
 #include "cryptohi.h"           /* for SGN_ funcs */
 #include "keyhi.h"              /* for SECKEY_ high level functions. */
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
@@ skipping 460 matching lines @@
     return rv;
 }
 
 /* Called from:
  * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
  * ssl2_HandleRequestCertificate()     <- ssl2_HandleMessage() <- 
                                         ssl_Do1stHandshake()
  * ssl2_HandleMessage()                <- ssl_Do1stHandshake()
  * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
                                      after ssl2_BeginClientHandshake()
- * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
  * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake() 
                                      after ssl2_BeginServerHandshake()
  * 
  * Acquires and releases the socket's xmitBufLock.
  */     
 int
 ssl2_SendErrorMessage(sslSocket *ss, int error)
 {
     int rv;
     PRUint8 msg[SSL_HL_ERROR_HBYTES];
@@ skipping 226 matching lines @@
 
     DUMP_MSG(29, (ss, msg, sendLen));
     sent = (*ss->sec.send)(ss, msg, sendLen, 0);
     rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
 done:
     ssl_ReleaseXmitBufLock(ss);    /***************************************/
     return rv;
 }
 
 /* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
- *             ssl2_RestartHandshakeAfterCertReq() <- (application)
  * Acquires and releases the socket's xmitBufLock.
  */
 static int
 ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert, 
                                     SECItem *encCode)
 {
     PRUint8 *msg;
     int rv, sendLen;
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
@@ skipping 391 matching lines @@
     return count;
 
 loser:
     ssl_ReleaseSpecReadLock(ss);
     return SECFailure;
 }
 
 /*
 ** Called from: ssl2_HandleServerHelloMessage,
 **              ssl2_HandleClientSessionKeyMessage,
-**              ssl2_RestartHandshakeAfterServerCert,
 **              ssl2_HandleClientHelloMessage,
 **              
 */
 static void
 ssl2_UseEncryptedSendFunc(sslSocket *ss)
 {
     ssl_GetXmitBufLock(ss);
     PORT_Assert(ss->sec.hashcx != 0);
 
     ss->gs.encrypted = 1;
@@ skipping 39 matching lines @@
  *
  * This code is similar to, and easily confused with, DoRecv() in sslsecur.c
  *
  * This function is called from ssl_Do1stHandshake().  
  * The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
  *      ssl2_HandleMessage
  *      ssl2_HandleVerifyMessage
  *      ssl2_HandleServerHelloMessage
  *      ssl2_BeginClientHandshake       
  *      ssl2_HandleClientSessionKeyMessage
- *      ssl2_RestartHandshakeAfterCertReq 
  *      ssl3_RestartHandshakeAfterCertReq 
- *      ssl2_RestartHandshakeAfterServerCert 
  *      ssl3_RestartHandshakeAfterServerCert 
  *      ssl2_HandleClientHelloMessage
  *      ssl2_BeginServerHandshake
  */
 SECStatus
 ssl_GatherRecord1stHandshake(sslSocket *ss)
 {
     int rv;
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
@@ skipping 972 matching lines @@
 }
 
 /* See if it's time to send our finished message, or if the handshakes are
 ** complete.  Send finished message if appropriate.
 ** Returns SECSuccess unless anything goes wrong.
 **
 ** Called from ssl2_HandleMessage,
 **             ssl2_HandleVerifyMessage 
 **             ssl2_HandleServerHelloMessage
 **             ssl2_HandleClientSessionKeyMessage
-**             ssl2_RestartHandshakeAfterCertReq
-**             ssl2_RestartHandshakeAfterServerCert
 */
 static SECStatus
 ssl2_TryToFinish(sslSocket *ss)
 {
     SECStatus        rv;
     char             e, ef;
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     e = ss->sec.ci.elements;
@@ skipping 13 matching lines @@
             /* Totally finished */
             ss->handshake = 0;
             return SECSuccess;
         }
     }
     return SECSuccess;
 }
 
 /*
 ** Called from ssl2_HandleRequestCertificate
-**             ssl2_RestartHandshakeAfterCertReq
 */
 static SECStatus
 ssl2_SignResponse(sslSocket *ss,
              SECKEYPrivateKey *key,
              SECItem *response)
 {
     SGNContext *     sgn = NULL;
     PRUint8 *        challenge;
     unsigned int     len;
     SECStatus        rv         = SECFailure;
@@ skipping 66 matching lines @@
 
     /* Get certificate and private-key from client */
     if (!ss->getClientAuthData) {
         SSL_TRC(7, ("%d: SSL[%d]: client doesn't support client-auth",
                     SSL_GETPID(), ss->fd));
         goto no_cert_error;
     }
     ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
                                    NULL, &cert, &key);
     if ( ret == SECWouldBlock ) {
-        ssl_SetAlwaysBlock(ss);
-        goto done;
+        PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+        ret = -1;
+        goto loser;
     }
 
     if (ret) {
         goto no_cert_error;
     }
 
     /* check what the callback function returned */
     if ((!cert) || (!key)) {
         /* we are missing either the key or cert */
         if (cert) {
@@ skipping 339 matching lines @@
     PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER);
     /* FALL THROUGH */
 
   loser:
     ssl_ReleaseRecvBufLock(ss);
     return SECFailure;
 }
 
 /************************************************************************/
 
-/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or 
-** ssl2_RestartHandshakeAfterServerCert.
+/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage.
 */
 static SECStatus
 ssl2_HandleVerifyMessage(sslSocket *ss)
 {
     PRUint8 *        data;
     SECStatus        rv;
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
     ssl_GetRecvBufLock(ss);
 
@@ skipping 199 matching lines @@
 
   if (!sidHit) {
     /* verify the server's certificate. if sidHit, don't check signatures */
     rv = (* ss->authCertificate)(ss->authCertificateArg, ss->fd, 
                                  (PRBool)(!sidHit), PR_FALSE);
     if (rv) {
         if (ss->handleBadCert) {
             rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
             if ( rv ) {
                 if ( rv == SECWouldBlock ) {
-                    /* someone will handle this connection asynchronously*/
-
-                    SSL_DBG(("%d: SSL[%d]: go to async cert handler",
-                             SSL_GETPID(), ss->fd));
-                    ssl_ReleaseRecvBufLock(ss);
-                    ssl_SetAlwaysBlock(ss);
-                    return SECWouldBlock;
+                    SSL_DBG(("%d: SSL[%d]: SSL2 bad cert handler returned "
+                             "SECWouldBlock", SSL_GETPID(), ss->fd));
+                    PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+                    rv = SECFailure;
+                } else {
+                    /* cert is bad */
+                    SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
+                             SSL_GETPID(), ss->fd, PORT_GetError()));
                 }
-                /* cert is bad */
-                SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
-                         SSL_GETPID(), ss->fd, PORT_GetError()));
                 goto loser;
-
             }
             /* cert is good */
         } else {
             SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
                      SSL_GETPID(), ss->fd, PORT_GetError()));
             goto loser;
         }
     }
   }
     /*
@@ skipping 156 matching lines @@
 
     if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) &&
         (ss->opt.enableSSL3 || ss->opt.enableTLS)) {
 
         ss->gs.state      = GS_INIT;
         ss->handshake     = ssl_GatherRecord1stHandshake;
 
         /* ssl3_SendClientHello will override this if it succeeds. */
         ss->version       = SSL_LIBRARY_VERSION_3_0;
 
-        ssl_GetXmitBufLock(ss);    /***************************************/
         ssl_GetSSL3HandshakeLock(ss);
+        ssl_GetXmitBufLock(ss);
         rv =  ssl3_SendClientHello(ss);
+        ssl_ReleaseXmitBufLock(ss);
         ssl_ReleaseSSL3HandshakeLock(ss);
-        ssl_ReleaseXmitBufLock(ss); /***************************************/
 
         return rv;
     }
 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
     /* ensure we don't neogtiate ECC cipher suites with SSL2 hello */
     ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     if (ss->cipherSpecs != NULL) {
         PORT_Free(ss->cipherSpecs);
         ss->cipherSpecs     = NULL;
         ss->sizeCipherSpecs = 0;
@@ skipping 181 matching lines @@
 bad_client:
     ssl_ReleaseRecvBufLock(ss);
     PORT_SetError(SSL_ERROR_BAD_CLIENT);
     /* FALLTHROUGH */
 
 loser:
     return SECFailure;
 }
 
 /*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:  
- *      cert    Client cert chosen by application.
- *      key     Private key associated with cert.  
- *
- * XXX: need to make ssl2 and ssl3 versions of this function agree on whether
- *      they take the reference, or bump the ref count!
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
- */
-int
-ssl2_RestartHandshakeAfterCertReq(sslSocket *          ss,
-                                  CERTCertificate *    cert, 
-                                  SECKEYPrivateKey *   key)
-{
-    int              ret;
-    SECStatus        rv          = SECSuccess;
-    SECItem          response;
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
-        return SECFailure;
-
-    response.data = NULL;
-
-    /* generate error if no cert or key */
-    if ( ( cert == NULL ) || ( key == NULL ) ) {
-        goto no_cert;
-    }
-    
-    /* generate signed response to the challenge */
-    rv = ssl2_SignResponse(ss, key, &response);
-    if ( rv != SECSuccess ) {
-        goto no_cert;
-    }
-    
-    /* Send response message */
-    ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
-    if (ret) {
-        goto no_cert;
-    }
-
-    /* try to finish the handshake */
-    ret = ssl2_TryToFinish(ss);
-    if (ret) {
-        goto loser;
-    }
-    
-    /* done with handshake */
-    if (ss->handshake == 0) {
-        ret = SECSuccess;
-        goto done;
-    }
-
-    /* continue handshake */
-    ssl_GetRecvBufLock(ss);
-    ss->gs.recordLen = 0;
-    ssl_ReleaseRecvBufLock(ss);
-
-    ss->handshake     = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake = ssl2_HandleMessage;
-    ret = ssl2_TriggerNextMessage(ss);
-    goto done;
-    
-no_cert:
-    /* no cert - send error */
-    ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
-    goto done;
-    
-loser:
-    ret = SECFailure;
-done:
-    /* free allocated data */
-    if ( response.data ) {
-        PORT_Free(response.data);
-    }
-    
-    return ret;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs 
-** XXX  Need to document here how an application marks a cert to show that
-**      the application has accepted it (overridden CERT_VerifyCert).
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
-*/
-int
-ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
-    int rv      = SECSuccess;
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
-        return SECFailure;
-
-    /* SSL 2
-    ** At this point we have a completed session key and our session
-    ** cipher is setup and ready to go. Switch to encrypted write routine
-    ** as all future message data is to be encrypted.
-    */
-    ssl2_UseEncryptedSendFunc(ss);
-
-    rv = ssl2_TryToFinish(ss);
-    if (rv == SECSuccess && ss->handshake != NULL) {    
-        /* handshake is not yet finished. */
-
-        SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
-                SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
-                ss->sec.ci.elements));
-
-        ssl_GetRecvBufLock(ss);
-        ss->gs.recordLen = 0;   /* mark it all used up. */
-        ssl_ReleaseRecvBufLock(ss);
-
-        ss->handshake     = ssl_GatherRecord1stHandshake;
-        ss->nextHandshake = ssl2_HandleVerifyMessage;
-    }
-
-    return rv;
-}
-
-/*
 ** Handle the initial hello message from the client
 **
 ** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
 */
 SECStatus
 ssl2_HandleClientHelloMessage(sslSocket *ss)
 {
     sslSessionID    *sid;
     sslServerCerts * sc;
     CERTCertificate *serverCert;
@@ skipping 374 matching lines @@
      * check algorithm.  This release is not backward
      * compatible with previous major releases.  It is
      * not compatible with future major, minor, or
      * patch releases.
      */
     volatile char c; /* force a reference that won't get optimized away */
 
     c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; 
     return NSS_VersionCheck(importedVersion);
 }
+
+const char *
+NSSSSL_GetVersion(void)
+{
+    return NSS_VERSION;
+}