Update net/third_party/nss to NSS 3.13.3.

net/third_party/nss/ssl/sslsecur.c

 /*
  * Various SSL functions.
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
@@ skipping 19 matching lines @@
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsecur.c,v 1.43.2.2 2010/08/26 18:06:55 wtc%google.com Exp $ */
+/* $Id: sslsecur.c,v 1.57 2012/02/15 21:52:08 kaie%kuix.de Exp $ */
 #include "cert.h"
 #include "secitem.h"
 #include "keyhi.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "secoid.h"     /* for SECOID_GetALgorithmTag */
 #include "pk11func.h"   /* for PK11_GenerateRandom */
 #include "nss.h"        /* for NSS_RegisterShutdown */
 #include "prinit.h"     /* for PR_CallOnceWithArg */
@@ skipping 26 matching lines @@
  * 1.   ssl_GatherRecord1stHandshake called ssl2_GatherData which read in 
  *      the beginning of an SSL v3 hello message and returned SECWouldBlock 
  *      to switch to SSL v3 handshake processing.
  *
  * 2.   ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming
  *      v2 client hello msg, and called ssl3_HandleV2ClientHello which 
  *      returned SECWouldBlock.
  *
  * 3.   SECWouldBlock was returned by one of the callback functions, via
  *      one of these paths:
- * -    ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
+ * -    ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() ->
+ *      ss->getClientAuthData()
  *
  * -    ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
  *
  * -    ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
  *      ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
  *      ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() -> 
  *      ss->handleBadCert()
  *
  * -    ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
  *      ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
@@ skipping 12 matching lines @@
 int 
 ssl_Do1stHandshake(sslSocket *ss)
 {
     int rv        = SECSuccess;
     int loopCount = 0;
 
     do {
         PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );
         PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
         PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+        PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
 
         if (ss->handshake == 0) {
             /* Previous handshake finished. Switch to next one */
             ss->handshake = ss->nextHandshake;
             ss->nextHandshake = 0;
         }
         if (ss->handshake == 0) {
             /* Previous handshake finished. Switch to security handshake */
             ss->handshake = ss->securityHandshake;
             ss->securityHandshake = 0;
@@ skipping 20 matching lines @@
         }
         rv = (*ss->handshake)(ss);
         ++loopCount;
     /* This code must continue to loop on SECWouldBlock, 
      * or any positive value.   See XXX_1 comments.
      */
     } while (rv != SECFailure);         /* was (rv >= 0); XXX_1 */
 
     PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
     PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+    PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
 
     if (rv == SECWouldBlock) {
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         rv = SECFailure;
     }
     return rv;
 }
 
 /*
  * Handshake function that blocks.  Used to force a
  * retry on a connection on the next read/write.
  */
 static SECStatus
-AlwaysBlock(sslSocket *ss)
+ssl3_AlwaysBlock(sslSocket *ss)
 {
     PORT_SetError(PR_WOULD_BLOCK_ERROR);        /* perhaps redundant. */
     return SECWouldBlock;
 }
 
 /*
  * set the initial handshake state machine to block
  */
 void
-ssl_SetAlwaysBlock(sslSocket *ss)
+ssl3_SetAlwaysBlock(sslSocket *ss)
 {
     if (!ss->firstHsDone) {
-        ss->handshake = AlwaysBlock;
+        ss->handshake = ssl3_AlwaysBlock;
         ss->nextHandshake = 0;
     }
 }
 
 static SECStatus 
 ssl_SetTimeout(PRFileDesc *fd, PRIntervalTime timeout)
 {
     sslSocket *ss;
 
     ss = ssl_FindSocket(fd);
@@ skipping 31 matching lines @@
 
     /* Don't waste my time */
     if (!ss->opt.useSecurity)
         return SECSuccess;
 
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
     /* Reset handshake state */
     ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
 
     ss->firstHsDone = PR_FALSE;
     if ( asServer ) {
         ss->handshake = ssl2_BeginServerHandshake;
         ss->handshaking = sslHandshakingAsServer;
     } else {
         ss->handshake = ssl2_BeginClientHandshake;
         ss->handshaking = sslHandshakingAsClient;
     }
     ss->nextHandshake       = 0;
     ss->securityHandshake   = 0;
 
     ssl_GetRecvBufLock(ss);
     status = ssl_InitGather(&ss->gs);
     ssl_ReleaseRecvBufLock(ss);
 
+    ssl_GetSSL3HandshakeLock(ss);
+
     /*
     ** Blow away old security state and get a fresh setup.
     */
     ssl_GetXmitBufLock(ss); 
     ssl_ResetSecurityInfo(&ss->sec, PR_TRUE);
     status = ssl_CreateSecurityInfo(ss);
     ssl_ReleaseXmitBufLock(ss); 
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
@@ skipping 414 matching lines @@
     PORT_Assert(SECSuccess == rv);
     if (SECSuccess == rv) {
         ssl3_server_ca_list = CERT_GetSSLCACerts(dbHandle);
         return PR_SUCCESS;
     }
     return PR_FAILURE;
 }
 
 SECStatus
 ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
-                       CERTCertificateList *certChain,
+                       const CERTCertificateList *certChain,
                        ssl3KeyPair *keyPair, SSLKEAType kea)
 {
     CERTCertificateList *localCertChain = NULL;
     sslServerCerts  *sc = ss->serverCerts + kea;
 
     /* load the server certificate */
     if (sc->serverCert != NULL) {
         CERT_DestroyCertificate(sc->serverCert);
         sc->serverCert = NULL;
         sc->serverKeyBits = 0;
@@ skipping 57 matching lines @@
     }
     return SECFailure;
 }
 
 /* XXX need to protect the data that gets changed here.!! */
 
 SECStatus
 SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
                        SECKEYPrivateKey *key, SSL3KEAType kea)
 {
+
+    return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea);
+}
+
+SECStatus
+SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert,
+                                    const CERTCertificateList *certChainOpt,
+                                    SECKEYPrivateKey *key, SSL3KEAType kea)
+{
     sslSocket *ss;
     SECKEYPublicKey *pubKey = NULL;
     ssl3KeyPair *keyPair = NULL;
     SECStatus rv = SECFailure;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
         return SECFailure;
     }
 
@@ skipping 50 matching lines @@
             keyCopy = SECKEY_CopyPrivateKey(key);
         if (keyCopy == NULL)
             goto loser;
         keyPair = ssl3_NewKeyPair(keyCopy, pubKey);
         if (keyPair == NULL) {
             SECKEY_DestroyPrivateKey(keyCopy);
             goto loser;
         }
         pubKey = NULL; /* adopted by serverKeyPair */
     }
-    if (ssl_ConfigSecureServer(ss, cert, NULL,
+    if (ssl_ConfigSecureServer(ss, cert, certChainOpt,
                                keyPair, kea) == SECFailure) {
         goto loser;
     }
 
     /* Only do this once because it's global. */
     if (PR_SUCCESS == PR_CallOnceWithArg(&setupServerCAListOnce, 
                                          &serverCAListSetup,
                                          (void *)(ss->dbHandle))) {
         rv = SECSuccess;
     }
@@ skipping 357 matching lines @@
     if (rv < 0) {
         goto done;
     }
 
     if (len > 0) 
         ss->writerThread = PR_GetCurrentThread();
     /* If any of these is non-zero, the initial handshake is not done. */
     if (!ss->firstHsDone) {
         PRBool canFalseStart = PR_FALSE;
         ssl_Get1stHandshakeLock(ss);
-        if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-            (ss->ssl3.hs.ws == wait_change_cipher ||
-             ss->ssl3.hs.ws == wait_finished ||
-             ss->ssl3.hs.ws == wait_new_session_ticket) &&
-            ssl3_CanFalseStart(ss)) {
-            canFalseStart = PR_TRUE;
+        if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+            ssl_GetSSL3HandshakeLock(ss);
+            if ((ss->ssl3.hs.ws == wait_change_cipher ||
+                ss->ssl3.hs.ws == wait_finished ||
+                ss->ssl3.hs.ws == wait_new_session_ticket) &&
+                ssl3_CanFalseStart(ss)) {
+                canFalseStart = PR_TRUE;
+            }
+            ssl_ReleaseSSL3HandshakeLock(ss);
         }
         if (!canFalseStart &&
             (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
             rv = ssl_Do1stHandshake(ss);
         }
         ssl_Release1stHandshakeLock(ss);
     }
     if (rv < 0) {
         ss->writerThread = NULL;
         goto done;
@@ skipping 272 matching lines @@
     }
 
     ssl_Get1stHandshakeLock(ss);   /************************************/
 
     if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
         ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
     } else {
         if (certChain != NULL) {
             CERT_DestroyCertificateList(certChain);
         }
-        ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
+        PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+        ret = SECFailure;
     }
 
     ssl_Release1stHandshakeLock(ss);  /************************************/
     return ret;
 }
 
+/* DO NOT USE. This function was exported in ssl.def with the wrong signature;
+ * this implementation exists to maintain link-time compatibility.
+ */
+int
+SSL_RestartHandshakeAfterServerCert(sslSocket * ss)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return -1;
+}
 
-/* restart an SSL connection that we stopped to run certificate dialogs 
-** XXX  Need to document here how an application marks a cert to show that
-**      the application has accepted it (overridden CERT_VerifyCert).
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- *     It does not work on a subsequent handshake (redo).
- *
- * Return value: XXX
-*/
-int
-SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
+/* See documentation in ssl.h */
+SECStatus
+SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error)
 {
-    int rv      = SECSuccess;
+    SECStatus rv;
+    sslSocket *ss = ssl_FindSocket(fd);
 
-    ssl_Get1stHandshakeLock(ss); 
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_AuthCertificateComplete",
+                 SSL_GETPID(), fd));
+        return SECFailure;
+    }
 
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-        rv = ssl3_RestartHandshakeAfterServerCert(ss);
+    ssl_Get1stHandshakeLock(ss);
+
+    if (!ss->ssl3.initialized) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
+    } else if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+        PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+        rv = SECFailure;
     } else {
-        rv = ssl2_RestartHandshakeAfterServerCert(ss);
+        rv = ssl3_AuthCertificateComplete(ss, error);
     }
 
     ssl_Release1stHandshakeLock(ss);
+
     return rv;
 }
 
 /* For more info see ssl.h */
 SECStatus 
 SSL_SNISocketConfigHook(PRFileDesc *fd, SSLSNISocketConfig func,
                         void *arg)
 {
     sslSocket *ss;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in SNISocketConfigHook",
                  SSL_GETPID(), fd));
         return SECFailure;
     }
 
     ss->sniSocketConfig = func;
     ss->sniSocketConfigArg = arg;
     return SECSuccess;
 }