Index: net/third_party/nss/ssl/sslsecur.c |
=================================================================== |
--- net/third_party/nss/ssl/sslsecur.c (revision 124804) |
+++ net/third_party/nss/ssl/sslsecur.c (working copy) |
@@ -37,7 +37,7 @@ |
* the terms of any one of the MPL, the GPL or the LGPL. |
* |
* ***** END LICENSE BLOCK ***** */ |
-/* $Id: sslsecur.c,v 1.43.2.2 2010/08/26 18:06:55 wtc%google.com Exp $ */ |
+/* $Id: sslsecur.c,v 1.57 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ |
#include "cert.h" |
#include "secitem.h" |
#include "keyhi.h" |
@@ -84,7 +84,8 @@ |
* |
* 3. SECWouldBlock was returned by one of the callback functions, via |
* one of these paths: |
- * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData() |
+ * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> |
+ * ss->getClientAuthData() |
* |
* - ssl2_HandleServerHelloMessage() -> ss->handleBadCert() |
* |
@@ -117,6 +118,7 @@ |
PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); |
PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss)); |
PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss)); |
+ PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss)); |
if (ss->handshake == 0) { |
/* Previous handshake finished. Switch to next one */ |
@@ -157,6 +159,7 @@ |
PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss)); |
PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss)); |
+ PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss)); |
if (rv == SECWouldBlock) { |
PORT_SetError(PR_WOULD_BLOCK_ERROR); |
@@ -170,7 +173,7 @@ |
* retry on a connection on the next read/write. |
*/ |
static SECStatus |
-AlwaysBlock(sslSocket *ss) |
+ssl3_AlwaysBlock(sslSocket *ss) |
{ |
PORT_SetError(PR_WOULD_BLOCK_ERROR); /* perhaps redundant. */ |
return SECWouldBlock; |
@@ -180,10 +183,10 @@ |
* set the initial handshake state machine to block |
*/ |
void |
-ssl_SetAlwaysBlock(sslSocket *ss) |
+ssl3_SetAlwaysBlock(sslSocket *ss) |
{ |
if (!ss->firstHsDone) { |
- ss->handshake = AlwaysBlock; |
+ ss->handshake = ssl3_AlwaysBlock; |
ss->nextHandshake = 0; |
} |
} |
@@ -235,7 +238,6 @@ |
/* Reset handshake state */ |
ssl_Get1stHandshakeLock(ss); |
- ssl_GetSSL3HandshakeLock(ss); |
ss->firstHsDone = PR_FALSE; |
if ( asServer ) { |
@@ -252,6 +254,8 @@ |
status = ssl_InitGather(&ss->gs); |
ssl_ReleaseRecvBufLock(ss); |
+ ssl_GetSSL3HandshakeLock(ss); |
+ |
/* |
** Blow away old security state and get a fresh setup. |
*/ |
@@ -686,7 +690,7 @@ |
SECStatus |
ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert, |
- CERTCertificateList *certChain, |
+ const CERTCertificateList *certChain, |
ssl3KeyPair *keyPair, SSLKEAType kea) |
{ |
CERTCertificateList *localCertChain = NULL; |
@@ -764,6 +768,15 @@ |
SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert, |
SECKEYPrivateKey *key, SSL3KEAType kea) |
{ |
+ |
+ return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea); |
+} |
+ |
+SECStatus |
+SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert, |
+ const CERTCertificateList *certChainOpt, |
+ SECKEYPrivateKey *key, SSL3KEAType kea) |
+{ |
sslSocket *ss; |
SECKEYPublicKey *pubKey = NULL; |
ssl3KeyPair *keyPair = NULL; |
@@ -834,7 +847,7 @@ |
} |
pubKey = NULL; /* adopted by serverKeyPair */ |
} |
- if (ssl_ConfigSecureServer(ss, cert, NULL, |
+ if (ssl_ConfigSecureServer(ss, cert, certChainOpt, |
keyPair, kea) == SECFailure) { |
goto loser; |
} |
@@ -1212,12 +1225,15 @@ |
if (!ss->firstHsDone) { |
PRBool canFalseStart = PR_FALSE; |
ssl_Get1stHandshakeLock(ss); |
- if (ss->version >= SSL_LIBRARY_VERSION_3_0 && |
- (ss->ssl3.hs.ws == wait_change_cipher || |
- ss->ssl3.hs.ws == wait_finished || |
- ss->ssl3.hs.ws == wait_new_session_ticket) && |
- ssl3_CanFalseStart(ss)) { |
- canFalseStart = PR_TRUE; |
+ if (ss->version >= SSL_LIBRARY_VERSION_3_0) { |
+ ssl_GetSSL3HandshakeLock(ss); |
+ if ((ss->ssl3.hs.ws == wait_change_cipher || |
+ ss->ssl3.hs.ws == wait_finished || |
+ ss->ssl3.hs.ws == wait_new_session_ticket) && |
+ ssl3_CanFalseStart(ss)) { |
+ canFalseStart = PR_TRUE; |
+ } |
+ ssl_ReleaseSSL3HandshakeLock(ss); |
} |
if (!canFalseStart && |
(ss->handshake || ss->nextHandshake || ss->securityHandshake)) { |
@@ -1510,37 +1526,51 @@ |
if (certChain != NULL) { |
CERT_DestroyCertificateList(certChain); |
} |
- ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key); |
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
+ ret = SECFailure; |
} |
ssl_Release1stHandshakeLock(ss); /************************************/ |
return ret; |
} |
- |
-/* restart an SSL connection that we stopped to run certificate dialogs |
-** XXX Need to document here how an application marks a cert to show that |
-** the application has accepted it (overridden CERT_VerifyCert). |
- * |
- * XXX This code only works on the initial handshake on a connection, XXX |
- * It does not work on a subsequent handshake (redo). |
- * |
- * Return value: XXX |
-*/ |
+/* DO NOT USE. This function was exported in ssl.def with the wrong signature; |
+ * this implementation exists to maintain link-time compatibility. |
+ */ |
int |
-SSL_RestartHandshakeAfterServerCert(sslSocket *ss) |
+SSL_RestartHandshakeAfterServerCert(sslSocket * ss) |
{ |
- int rv = SECSuccess; |
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
+ return -1; |
+} |
- ssl_Get1stHandshakeLock(ss); |
+/* See documentation in ssl.h */ |
+SECStatus |
+SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error) |
+{ |
+ SECStatus rv; |
+ sslSocket *ss = ssl_FindSocket(fd); |
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) { |
- rv = ssl3_RestartHandshakeAfterServerCert(ss); |
+ if (!ss) { |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_AuthCertificateComplete", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
+ } |
+ |
+ ssl_Get1stHandshakeLock(ss); |
+ |
+ if (!ss->ssl3.initialized) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
+ } else if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
+ rv = SECFailure; |
} else { |
- rv = ssl2_RestartHandshakeAfterServerCert(ss); |
+ rv = ssl3_AuthCertificateComplete(ss, error); |
} |
ssl_Release1stHandshakeLock(ss); |
+ |
return rv; |
} |