| Index: net/third_party/nss/ssl/sslsecur.c
|
| ===================================================================
|
| --- net/third_party/nss/ssl/sslsecur.c (revision 124359)
|
| +++ net/third_party/nss/ssl/sslsecur.c (working copy)
|
| @@ -37,7 +37,7 @@
|
| * the terms of any one of the MPL, the GPL or the LGPL.
|
| *
|
| * ***** END LICENSE BLOCK ***** */
|
| -/* $Id: sslsecur.c,v 1.43.2.2 2010/08/26 18:06:55 wtc%google.com Exp $ */
|
| +/* $Id: sslsecur.c,v 1.57 2012/02/15 21:52:08 kaie%kuix.de Exp $ */
|
| #include "cert.h"
|
| #include "secitem.h"
|
| #include "keyhi.h"
|
| @@ -84,7 +84,8 @@
|
| *
|
| * 3. SECWouldBlock was returned by one of the callback functions, via
|
| * one of these paths:
|
| - * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
|
| + * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() ->
|
| + * ss->getClientAuthData()
|
| *
|
| * - ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
|
| *
|
| @@ -117,6 +118,7 @@
|
| PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
|
| PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
|
| PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
|
| + PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
|
|
|
| if (ss->handshake == 0) {
|
| /* Previous handshake finished. Switch to next one */
|
| @@ -157,6 +159,7 @@
|
|
|
| PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
|
| PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
|
| + PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
|
|
|
| if (rv == SECWouldBlock) {
|
| PORT_SetError(PR_WOULD_BLOCK_ERROR);
|
| @@ -170,7 +173,7 @@
|
| * retry on a connection on the next read/write.
|
| */
|
| static SECStatus
|
| -AlwaysBlock(sslSocket *ss)
|
| +ssl3_AlwaysBlock(sslSocket *ss)
|
| {
|
| PORT_SetError(PR_WOULD_BLOCK_ERROR); /* perhaps redundant. */
|
| return SECWouldBlock;
|
| @@ -180,10 +183,10 @@
|
| * set the initial handshake state machine to block
|
| */
|
| void
|
| -ssl_SetAlwaysBlock(sslSocket *ss)
|
| +ssl3_SetAlwaysBlock(sslSocket *ss)
|
| {
|
| if (!ss->firstHsDone) {
|
| - ss->handshake = AlwaysBlock;
|
| + ss->handshake = ssl3_AlwaysBlock;
|
| ss->nextHandshake = 0;
|
| }
|
| }
|
| @@ -235,7 +238,6 @@
|
|
|
| /* Reset handshake state */
|
| ssl_Get1stHandshakeLock(ss);
|
| - ssl_GetSSL3HandshakeLock(ss);
|
|
|
| ss->firstHsDone = PR_FALSE;
|
| if ( asServer ) {
|
| @@ -252,6 +254,8 @@
|
| status = ssl_InitGather(&ss->gs);
|
| ssl_ReleaseRecvBufLock(ss);
|
|
|
| + ssl_GetSSL3HandshakeLock(ss);
|
| +
|
| /*
|
| ** Blow away old security state and get a fresh setup.
|
| */
|
| @@ -686,7 +690,7 @@
|
|
|
| SECStatus
|
| ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
|
| - CERTCertificateList *certChain,
|
| + const CERTCertificateList *certChain,
|
| ssl3KeyPair *keyPair, SSLKEAType kea)
|
| {
|
| CERTCertificateList *localCertChain = NULL;
|
| @@ -764,6 +768,15 @@
|
| SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
|
| SECKEYPrivateKey *key, SSL3KEAType kea)
|
| {
|
| +
|
| + return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea);
|
| +}
|
| +
|
| +SECStatus
|
| +SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert,
|
| + const CERTCertificateList *certChainOpt,
|
| + SECKEYPrivateKey *key, SSL3KEAType kea)
|
| +{
|
| sslSocket *ss;
|
| SECKEYPublicKey *pubKey = NULL;
|
| ssl3KeyPair *keyPair = NULL;
|
| @@ -834,7 +847,7 @@
|
| }
|
| pubKey = NULL; /* adopted by serverKeyPair */
|
| }
|
| - if (ssl_ConfigSecureServer(ss, cert, NULL,
|
| + if (ssl_ConfigSecureServer(ss, cert, certChainOpt,
|
| keyPair, kea) == SECFailure) {
|
| goto loser;
|
| }
|
| @@ -1212,12 +1225,15 @@
|
| if (!ss->firstHsDone) {
|
| PRBool canFalseStart = PR_FALSE;
|
| ssl_Get1stHandshakeLock(ss);
|
| - if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
|
| - (ss->ssl3.hs.ws == wait_change_cipher ||
|
| - ss->ssl3.hs.ws == wait_finished ||
|
| - ss->ssl3.hs.ws == wait_new_session_ticket) &&
|
| - ssl3_CanFalseStart(ss)) {
|
| - canFalseStart = PR_TRUE;
|
| + if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
|
| + ssl_GetSSL3HandshakeLock(ss);
|
| + if ((ss->ssl3.hs.ws == wait_change_cipher ||
|
| + ss->ssl3.hs.ws == wait_finished ||
|
| + ss->ssl3.hs.ws == wait_new_session_ticket) &&
|
| + ssl3_CanFalseStart(ss)) {
|
| + canFalseStart = PR_TRUE;
|
| + }
|
| + ssl_ReleaseSSL3HandshakeLock(ss);
|
| }
|
| if (!canFalseStart &&
|
| (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
|
| @@ -1510,37 +1526,51 @@
|
| if (certChain != NULL) {
|
| CERT_DestroyCertificateList(certChain);
|
| }
|
| - ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
|
| + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
|
| + ret = SECFailure;
|
| }
|
|
|
| ssl_Release1stHandshakeLock(ss); /************************************/
|
| return ret;
|
| }
|
|
|
| -
|
| -/* restart an SSL connection that we stopped to run certificate dialogs
|
| -** XXX Need to document here how an application marks a cert to show that
|
| -** the application has accepted it (overridden CERT_VerifyCert).
|
| - *
|
| - * XXX This code only works on the initial handshake on a connection, XXX
|
| - * It does not work on a subsequent handshake (redo).
|
| - *
|
| - * Return value: XXX
|
| -*/
|
| +/* DO NOT USE. This function was exported in ssl.def with the wrong signature;
|
| + * this implementation exists to maintain link-time compatibility.
|
| + */
|
| int
|
| -SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
|
| +SSL_RestartHandshakeAfterServerCert(sslSocket * ss)
|
| {
|
| - int rv = SECSuccess;
|
| + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
| + return -1;
|
| +}
|
|
|
| - ssl_Get1stHandshakeLock(ss);
|
| +/* See documentation in ssl.h */
|
| +SECStatus
|
| +SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error)
|
| +{
|
| + SECStatus rv;
|
| + sslSocket *ss = ssl_FindSocket(fd);
|
|
|
| - if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
|
| - rv = ssl3_RestartHandshakeAfterServerCert(ss);
|
| + if (!ss) {
|
| + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_AuthCertificateComplete",
|
| + SSL_GETPID(), fd));
|
| + return SECFailure;
|
| + }
|
| +
|
| + ssl_Get1stHandshakeLock(ss);
|
| +
|
| + if (!ss->ssl3.initialized) {
|
| + PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| + rv = SECFailure;
|
| + } else if (ss->version < SSL_LIBRARY_VERSION_3_0) {
|
| + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
|
| + rv = SECFailure;
|
| } else {
|
| - rv = ssl2_RestartHandshakeAfterServerCert(ss);
|
| + rv = ssl3_AuthCertificateComplete(ss, error);
|
| }
|
|
|
| ssl_Release1stHandshakeLock(ss);
|
| +
|
| return rv;
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 9558017:
Update net/third_party/nss to NSS 3.13.3. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/