Update NSS libSSL to NSS_3_15_BETA2.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: ssl3con.c,v 1.192 2012/09/28 05:10:25 wtc%google.com Exp $ */
+/* $Id$ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"   /* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
 
@@ skipping 24 matching lines @@
 
 static void      ssl3_CleanupPeerCerts(sslSocket *ss);
 static void      ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
                                        PK11SlotInfo * serverKeySlot);
 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
 static SECStatus ssl3_HandshakeFailure(      sslSocket *ss);
 static SECStatus ssl3_InitState(             sslSocket *ss);
 static SECStatus ssl3_SendCertificate(       sslSocket *ss);
+static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
 static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
 static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
 static SECStatus ssl3_SendServerHello(       sslSocket *ss);
 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
 static SECStatus ssl3_NewHandshakeHashes(    sslSocket *ss);
 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
@@ skipping 4114 matching lines @@
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
     PORT_Assert(IS_DTLS(ss) || !resending);
 
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
-    ss->ssl3.hs.may_get_cert_status = PR_FALSE;
-    if (ss->ssl3.hs.cert_status.data) {
-        SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
-    }
 
     SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
             SSL_GETPID(), ss->fd ));
     rv = ssl3_RestartHandshakeHashes(ss);
     if (rv != SECSuccess) {
         return rv;
     }
 
     /*
      * During a renegotiation, ss->clientHelloVersion will be used again to
@@ skipping 190 matching lines @@
         if (extLen < 0) {
             return SECFailure;
         }
         maxBytes        -= extLen;
         total_exten_len += extLen;
 
         if (total_exten_len > 0)
             total_exten_len += 2;
     }
 
-#if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
+#if defined(NSS_ENABLE_ECC)
     if (!total_exten_len || !isTLS) {
         /* not sending the elliptic_curves and ec_point_formats extensions */
         ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
     if (IS_DTLS(ss)) {
         ssl3_DisableNonDTLSSuites(ss);
     }
 
@@ skipping 947 matching lines @@
     rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
     ssl_ReleaseSpecReadLock(ss);
     if (rv != SECSuccess) {
         goto done;      /* err code was set by ssl3_ComputeHandshakeHashes */
     }
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     if (ss->ssl3.platformClientKey) {
 #ifdef NSS_PLATFORM_CLIENT_AUTH
         rv = ssl3_PlatformSignHashes(
-            &hashes, ss->ssl3.platformClientKey, &buf, isTLS, 
-            CERT_GetCertKeyType(&ss->ssl3.clientCertificate->subjectPublicKeyInfo));
+            &hashes, ss->ssl3.platformClientKey, &buf, isTLS,
+            CERT_GetCertKeyType(
+                &ss->ssl3.clientCertificate->subjectPublicKeyInfo));
         ssl_FreePlatformKey(ss->ssl3.platformClientKey);
         ss->ssl3.platformClientKey = (PlatformKey)NULL;
 #endif /* NSS_PLATFORM_CLIENT_AUTH */
     } else {
         rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
         if (rv == SECSuccess) {
             PK11SlotInfo * slot;
             sslSessionID * sid   = ss->sec.ci.sid;
 
             /* Remember the info about the slot that did the signing.
@@ skipping 353 matching lines @@
             ss->ssl3.hs.ws = wait_change_cipher;
 
         ss->ssl3.hs.isResuming = PR_TRUE;
 
         /* copy the peer cert from the SID */
         if (sid->peerCert != NULL) {
             ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
             ssl3_CopyPeerCertsFromSID(ss, sid);
         }
 
-
         /* NULL value for PMS signifies re-use of the old MS */
         rv = ssl3_InitPendingCipherSpec(ss,  NULL);
         if (rv != SECSuccess) {
             goto alert_loser;   /* err code was set */
         }
         goto winner;
     } while (0);
 
     if (sid_match)
         SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
@@ skipping 424 matching lines @@
         /* XXX Should pass cert_types in this call!! */
         rv = (SECStatus)(*ss->getPlatformClientAuthData)(
                                         ss->getPlatformClientAuthDataArg,
                                         ss->fd, &ca_list,
                                         &platform_cert_list,
                                         (void**)&ss->ssl3.platformClientKey,
                                         &ss->ssl3.clientCertificate,
                                         &ss->ssl3.clientPrivateKey);
     } else
 #endif
-    if (ss->getClientAuthData == NULL) {
-        rv = SECFailure; /* force it to send a no_certificate alert */
-    } else {
+    if (ss->getClientAuthData != NULL) {
         /* XXX Should pass cert_types in this call!! */
         rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
                                                  ss->fd, &ca_list,
                                                  &ss->ssl3.clientCertificate,
                                                  &ss->ssl3.clientPrivateKey);
+    } else {
+        rv = SECFailure; /* force it to send a no_certificate alert */
     }
 
     switch (rv) {
     case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
         ssl3_SetAlwaysBlock(ss);
         break;  /* not an error */
 
     case SECSuccess:
 #ifdef NSS_PLATFORM_CLIENT_AUTH
         if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
@@ skipping 491 matching lines @@
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_SendServerHello(ss);
     if (rv != SECSuccess) {
         return rv;      /* err code is set. */
     }
     rv = ssl3_SendCertificate(ss);
     if (rv != SECSuccess) {
         return rv;      /* error code is set. */
     }
+    rv = ssl3_SendCertificateStatus(ss);
+    if (rv != SECSuccess) {
+        return rv;      /* error code is set. */
+    }
     /* We have to do this after the call to ssl3_SendServerHello,
      * because kea_def is set up by ssl3_SendServerHello().
      */
     kea_def = ss->ssl3.hs.kea_def;
     ss->ssl3.hs.usedStepDownKey = PR_FALSE;
 
     if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
         /* see if we can legally use the key in the cert. */
         int keyLen;  /* bytes */
 
@@ skipping 1923 matching lines @@
 #endif
             if (rv != SECSuccess) {
                 return rv;              /* err set by AppendHandshake. */
             }
         }
     }
 
     return SECSuccess;
 }
 
+/*
+ * Used by server only.
+ * single-stapling, send only a single cert status
+ */
+static SECStatus
+ssl3_SendCertificateStatus(sslSocket *ss)
+{
+    SECStatus            rv;
+    int                  len            = 0;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate status handshake",
+                SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    if (!ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn))
+        return SECSuccess;
+
+    if (!ss->certStatusArray)

[Ryan Sleevi, 2013/05/01 19:06:08]

nit: It seems to me that ss->certStatusArray->len should be checked here for
correctness. Namely, if ss->certStatusArray was freed, ->len will be 0, and
items[0] will read off into the nether.

This is more about correctness though - the existing code does appear to be
NULLing certStatusArray when it's freed, but I absolutely hate when code follows
two different patterns for validity checking, and assumes it can only check one.

[wtc, 2013/05/01 21:52:16]

I can fix this problem in the NSS upstream.

+        return SECSuccess;
+
+    /* Use the array's first item only (single stapling) */
+    len = 1 + ss->certStatusArray->items[0].len + 3;
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len);
+    if (rv != SECSuccess) {
+        return rv;              /* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, 1 /*ocsp*/, 1);
+    if (rv != SECSuccess)
+        return rv;              /* err set by AppendHandshake. */
+
+    rv = ssl3_AppendHandshakeVariable(ss,
+                                      ss->certStatusArray->items[0].data,
+                                      ss->certStatusArray->items[0].len,
+                                      3);
+    if (rv != SECSuccess)
+        return rv;              /* err set by AppendHandshake. */
+
+    return SECSuccess;
+}
+
 /* This is used to delete the CA certificates in the peer certificate chain
  * from the cert database after they've been validated.
  */
 static void
 ssl3_CleanupPeerCerts(sslSocket *ss)
 {
     PRArenaPool * arena = ss->ssl3.peerCertArena;
     ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
 
     for (; certs; certs = certs->next) {
@@ skipping 45 matching lines @@
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 CertificateStatus message.
  * Caller must hold Handshake and RecvBuf locks.
  * This is always called before ssl3_HandleCertificate, even if the Certificate
  * message is sent first.
  */
 static SECStatus
 ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     PRInt32 status, len;
-    int     errCode;
-    SSL3AlertDescription desc;
-
-    if (!ss->ssl3.hs.may_get_cert_status ||
-        ss->ssl3.hs.ws != wait_server_cert ||
-        !ss->ssl3.hs.pending_cert_msg.data ||
-        ss->ssl3.hs.cert_status.data) {
-        errCode = SSL_ERROR_RX_UNEXPECTED_CERT_STATUS;
-        desc = unexpected_message;
-        goto alert_loser;
-    }
+    PORT_Assert(ss->ssl3.hs.ws == wait_certificate_status);
 
     /* Consume the CertificateStatusType enum */
     status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
     if (status != 1 /* ocsp */) {
-        goto format_loser;
+       goto format_loser;
     }
 
     len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
     if (len != length) {
-        goto format_loser;
+       goto format_loser;
     }
 
-    if (SECITEM_AllocItem(NULL, &ss->ssl3.hs.cert_status, length) == NULL) {
+#define MAX_CERTSTATUS_LEN 0x1ffff   /* 128k - 1 */
+    if (length > MAX_CERTSTATUS_LEN)
+       goto format_loser;
+#undef MAX_CERTSTATUS_LEN

[Ryan Sleevi, 2013/05/01 19:06:08]

rant: I have no idea why Kai did this.

The NSS code here (as far as I've seen) follows the spec, which is to allow any
spec-valid form. OCSPResponse is 2^24-1, and this is continued in the
multi-response.

I don't see why this limit is imposed here, given that we already have limits
for other areas (like certificates) that would handle this fine.

I would recommend we fix this upstream, but that we not take this bit in
Chromium.

[wtc, 2013/05/01 21:52:16]

I looked into this. bsmith suggested using a smaller max
size in his code review. See these three comments:
https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c45
https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c63
https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c110

(Search for "sane" and "max" in that NSS bug report to
find the relevant comments.)

I think the 2^24-1 max size in the OCSP stapling and
multi-stapling specs is to allow maximum variable-length
vectors that can be encoded with a three-byte length. It
seems reasonable for NSS to refuse to call PORT_Alloc with
a 16MB length (line 8783).

[Ryan Sleevi, 2013/05/01 23:22:57]

I'm not sure I agree. |b| (SSL3Opaque) already contains the fully decoded
handshake message, and the code on lines 8769 guarantee that length == len,
meaning that |b| contains at least that many bytes.

That's why I think this check is silly/unnecessary/at the wrong layer.

If we're trying to avoid strange allocs, there are plenty of other ways - since
the code assumes spec compliance throughout (that I've seen).

That's why this didn't make sense.

+
+    /* Array size 1, because we currently implement single-stapling only*/
+    SECITEM_AllocArray(NULL, &ss->sec.ci.sid->peerCertStatus, 1);
+    if (!ss->sec.ci.sid->peerCertStatus.items)
+       return SECFailure;
+
+    ss->sec.ci.sid->peerCertStatus.items[0].data = PORT_Alloc(length);
+
+    if (!ss->sec.ci.sid->peerCertStatus.items[0].data) {
+        SECITEM_FreeArray(&ss->sec.ci.sid->peerCertStatus, PR_FALSE);

[Ryan Sleevi, 2013/05/01 19:06:08]

See how this does not zero-out peerCertStatus, but just leaves ->len = 0? This
is why my comments in the server send code apply.

         return SECFailure;
     }
-    ss->ssl3.hs.cert_status.type = siBuffer;
-    PORT_Memcpy(ss->ssl3.hs.cert_status.data, b, length);
 
+    PORT_Memcpy(ss->sec.ci.sid->peerCertStatus.items[0].data, b, length);
+    ss->sec.ci.sid->peerCertStatus.items[0].len = length;
+    ss->sec.ci.sid->peerCertStatus.items[0].type = siBuffer;
     return SECSuccess;
 
 format_loser:
-    errCode = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT;
-    desc = bad_certificate_status_response;
+    return ssl3_DecodeError(ss);
+}
 
-alert_loser:
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-    (void)ssl_MapLowLevelError(errCode);
-    return SECFailure;
-}
+static SECStatus ssl3_AuthCertificate(sslSocket *ss);
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Certificate message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     ssl3CertNode *   c;
     ssl3CertNode *   lastCert   = NULL;
     PRInt32          remaining  = 0;
     PRInt32          size;
     SECStatus        rv;
     PRBool           isServer   = (PRBool)(!!ss->sec.isServer);
-    PRBool           trusted    = PR_FALSE;
     PRBool           isTLS;
     SSL3AlertDescription desc;
     int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
     SECItem          certItem;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
                 SSL_GETPID(), ss->fd));
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
@@ skipping 22 matching lines @@
     */
     if (length) {
         remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
         if (remaining < 0)
             goto loser; /* fatal alert already sent by ConsumeHandshake. */
         if ((PRUint32)remaining > length)
             goto decode_loser;
     }
 
     if (!remaining) {
-        if (!(isTLS && isServer))
+        if (!(isTLS && isServer)) {
+            desc = bad_certificate;
             goto alert_loser;
+        }
         /* This is TLS's version of a no_certificate alert. */
         /* I'm a server. I've requested a client cert. He hasn't got one. */
         rv = ssl3_HandleNoCertificate(ss);
         if (rv != SECSuccess) {
             errCode = PORT_GetError();
             goto loser;
         }
-        goto server_no_cert;
+       ss->ssl3.hs.ws = wait_client_key;
+       return SECSuccess;
     }
 
     ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (ss->ssl3.peerCertArena == NULL) {
         goto loser;     /* don't send alerts on memory errors */
     }
 
     /* First get the peer cert. */
     remaining -= 3;
     if (remaining < 0)
@@ skipping 44 matching lines @@
         if (c == NULL) {
             goto loser; /* don't send alerts on memory errors */
         }
 
         c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
                                           PR_FALSE, PR_TRUE);
         if (c->cert == NULL) {
             goto ambiguous_err;
         }
 
-        if (c->cert->trust)
-            trusted = PR_TRUE;
-
         c->next = NULL;
         if (lastCert) {
             lastCert->next = c;
         } else {
             ss->ssl3.peerCertChain = c;
         }
         lastCert = c;
     }
 
     if (remaining != 0)
         goto decode_loser;
 
     SECKEY_UpdateCertPQG(ss->sec.peerCert);
 
+    if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) {
+       ss->ssl3.hs.ws = wait_certificate_status;
+       rv = SECSuccess;
+    } else {
+       rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
+    }
+
+    return rv;
+
+ambiguous_err:
+    errCode = PORT_GetError();
+    switch (errCode) {
+    case PR_OUT_OF_MEMORY_ERROR:
+    case SEC_ERROR_BAD_DATABASE:
+    case SEC_ERROR_NO_MEMORY:
+       if (isTLS) {
+           desc = internal_error;
+           goto alert_loser;
+       }
+       goto loser;
+    }
+    ssl3_SendAlertForCertError(ss, errCode);
+    goto loser;
+
+decode_loser:
+    desc = isTLS ? decode_error : bad_certificate;
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+
+loser:
+    (void)ssl_MapLowLevelError(errCode);
+    return SECFailure;
+}
+
+static SECStatus
+ssl3_AuthCertificate(sslSocket *ss)
+{
+    SECStatus        rv;
+    PRBool           isServer   = (PRBool)(!!ss->sec.isServer);
+    int              errCode;
+
     ss->ssl3.hs.authCertificatePending = PR_FALSE;
 
     /*
      * Ask caller-supplied callback function to validate cert chain.
      */
     rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
                                            PR_TRUE, isServer);
     if (rv) {
         errCode = PORT_GetError();
         if (rv != SECWouldBlock) {
@@ skipping 77 matching lines @@
         if (ss->ssl3.hs.kea_def->is_limited ||
             /* XXX OR server cert is signing only. */
 #ifdef NSS_ENABLE_ECC
             ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
             ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
 #endif /* NSS_ENABLE_ECC */
             ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
             ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
         }
     } else {
-server_no_cert:
         ss->ssl3.hs.ws = wait_client_key;
     }
 
     PORT_Assert(rv == SECSuccess);
     if (rv != SECSuccess) {
         errCode = SEC_ERROR_LIBRARY_FAILURE;
         rv = SECFailure;
         goto loser;
     }
 
     return rv;
 
-ambiguous_err:
-    errCode = PORT_GetError();
-    switch (errCode) {
-    case PR_OUT_OF_MEMORY_ERROR:
-    case SEC_ERROR_BAD_DATABASE:
-    case SEC_ERROR_NO_MEMORY:
-        if (isTLS) {
-            desc = internal_error;
-            goto alert_loser;
-        }
-        goto loser;
-    }
-    ssl3_SendAlertForCertError(ss, errCode);
-    goto loser;
-
-decode_loser:
-    desc = isTLS ? decode_error : bad_certificate;
-
-alert_loser:
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-
 loser:
-    ssl3_CleanupPeerCerts(ss);
-
-    if (ss->sec.peerCert != NULL) {
-        CERT_DestroyCertificate(ss->sec.peerCert);
-        ss->sec.peerCert = NULL;
-    }
     (void)ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
 
 static SECStatus ssl3_FinishHandshake(sslSocket *ss);
 
 static SECStatus
 ssl3_AlwaysFail(sslSocket * ss)
 {
     PORT_SetError(PR_INVALID_STATE_ERROR);
@@ skipping 742 matching lines @@
     ss->ssl3.hs.ws = idle_handshake;
 
     /* Do the handshake callback for sslv3 here, if we cannot false start. */
     if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
         (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
     }
 
     return SECSuccess;
 }
 
-/* This function handles any pending Certificate messages. Certificate messages
- * can be pending if we expect a possible CertificateStatus message to follow.
- *
- * This function must be called immediately after handling the
- * CertificateStatus message, and before handling any ServerKeyExchange or
- * CertificateRequest messages.
- */
-static SECStatus
-ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss)
-{
-    SECStatus rv = SECSuccess;
-
-    if (ss->ssl3.hs.pending_cert_msg.data) {
-        rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data,
-                                    ss->ssl3.hs.pending_cert_msg.len);
-        SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
-    }
-    return rv;
-}
-
 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
  * hanshake message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 SECStatus
 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECStatus         rv        = SECSuccess;
     SSL3HandshakeType type      = ss->ssl3.hs.msg_type;
     SSL3Hashes        hashes;   /* computed hashes are put here. */
@@ skipping 69 matching lines @@
                                             sizeof(dtlsData));
             if (rv != SECSuccess) return rv;    /* err code already set. */
         }
 
         /* The message body */
         rv = ssl3_UpdateHandshakeHashes(ss, b, length);
         if (rv != SECSuccess) return rv;        /* err code already set. */
     }
 
     PORT_SetError(0);   /* each message starts with no error. */
-    switch (ss->ssl3.hs.msg_type) {
+
+    /* The CertificateStatus message is optional. We process the message if we
+     * get one when it is allowed, but otherwise we just carry on.
+     */
+    if (ss->ssl3.hs.ws == wait_certificate_status) {
+       /* We must process any CertificateStatus message before we call
+        * ssl3_AuthCertificate, as ssl3_AuthCertificate needs any stapled OCSP
+        * response we get.
+        */
+       if (ss->ssl3.hs.msg_type == certificate_status) {
+           rv = ssl3_HandleCertificateStatus(ss, b, length);
+           if (rv != SECSuccess)
+               return rv;
+       }
+
+       /* Regardless of whether we got a CertificateStatus message, we must
+        * authenticate the cert before we handle any more handshake messages.
+        */
+       rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
+    } else switch (ss->ssl3.hs.msg_type) {

[Ryan Sleevi, 2013/05/01 19:06:08]

totally unnecessary rant: I really dislike this style of unbraced-else with
braced-switch.

[wtc, 2013/05/01 21:52:16]

I also hate this. I know why the author did this: to avoid
indenting the big switch statement.

I will figure out a solution upstream.

     case hello_request:
         if (length != 0) {
             (void)ssl3_DecodeError(ss);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
             return SECFailure;
         }
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
             return SECFailure;
@@ skipping 18 matching lines @@
         break;
     case hello_verify_request:
         if (!IS_DTLS(ss) || ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
             return SECFailure;
         }
         rv = dtls_HandleHelloVerifyRequest(ss, b, length);
         break;
     case certificate:
-        if (ss->ssl3.hs.may_get_cert_status) {
-            /* If we might get a CertificateStatus then we want to postpone the
-             * processing of the Certificate message until after we have
-             * processed the CertificateStatus */
-            if (ss->ssl3.hs.pending_cert_msg.data ||
-                ss->ssl3.hs.ws != wait_server_cert) {
-                (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-                (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE);
-                return SECFailure;
-            }
-            if (SECITEM_AllocItem(NULL, &ss->ssl3.hs.pending_cert_msg,
-                                  length) == NULL) {
-                return SECFailure;
-            }
-            ss->ssl3.hs.pending_cert_msg.type = siBuffer;
-            PORT_Memcpy(ss->ssl3.hs.pending_cert_msg.data, b, length);
-            break;
-        }
         rv = ssl3_HandleCertificate(ss, b, length);
         break;
     case certificate_status:
-        rv = ssl3_HandleCertificateStatus(ss, b, length);
-        if (rv != SECSuccess)
-            break;
-        PORT_Assert(ss->ssl3.hs.pending_cert_msg.data);
-        rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-        break;
+       /* The good case is handled above */
+       PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS);
+       rv = SECFailure;
+       break;
     case server_key_exchange:
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
             return SECFailure;
         }
-        rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-        if (rv != SECSuccess)
-            break;
         rv = ssl3_HandleServerKeyExchange(ss, b, length);
         break;
     case certificate_request:
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
             return SECFailure;
         }
-        rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-        if (rv != SECSuccess)
-            break;
         rv = ssl3_HandleCertificateRequest(ss, b, length);
         break;
     case server_hello_done:
         if (length != 0) {
             (void)ssl3_DecodeError(ss);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
             return SECFailure;
         }
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
             return SECFailure;
         }
-        rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-        if (rv != SECSuccess)
-            break;
         rv = ssl3_HandleServerHelloDone(ss);
         break;
     case certificate_verify:
         if (!ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
             return SECFailure;
         }
         rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
         break;
@@ skipping 154 matching lines @@
     return SECSuccess;
 }
 
 /* These macros return the given value with the MSB copied to all the other
  * bits. They use the fact that arithmetic shift shifts-in the sign bit.
  * However, this is not ensured by the C standard so you may need to replace
  * them with something else for odd compilers. */
 #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
 
-/* SECStatusToMask returns, in constant time, a mask value of all ones if rv ==
- * SECSuccess.  Otherwise it returns zero. */
-static unsigned SECStatusToMask(SECStatus rv)
+/* SECStatusToMask returns, in constant time, a mask value of all ones if
+ * rv == SECSuccess.  Otherwise it returns zero. */
+static unsigned int
+SECStatusToMask(SECStatus rv)
 {
     unsigned int good;
-    /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results in
-     * the MSB being set to one iff it was zero before. */
+    /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results
+     * in the MSB being set to one iff it was zero before. */
     good = rv ^ SECSuccess;
     good--;
     return DUPLICATE_MSB_TO_ALL(good);
 }
 
 /* ssl_ConstantTimeGE returns 0xff if a>=b and 0x00 otherwise. */
-static unsigned char ssl_ConstantTimeGE(unsigned a, unsigned b)
+static unsigned char
+ssl_ConstantTimeGE(unsigned int a, unsigned int b)
 {
     a -= b;
     return DUPLICATE_MSB_TO_ALL(~a);
 }
 
 /* ssl_ConstantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */
-static unsigned char ssl_ConstantTimeEQ8(unsigned char a, unsigned char b)
+static unsigned char
+ssl_ConstantTimeEQ8(unsigned char a, unsigned char b)
 {
-    unsigned c = a ^ b;
+    unsigned int c = a ^ b;
     c--;
     return DUPLICATE_MSB_TO_ALL_8(c);
 }
 
-static SECStatus ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
-                                           unsigned blockSize,
-                                           unsigned macSize) {
+static SECStatus
+ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
+                          unsigned int blockSize,
+                          unsigned int macSize)
+{
     unsigned int paddingLength, good, t;
     const unsigned int overhead = 1 /* padding length byte */ + macSize;
 
     /* These lengths are all public so we can test them in non-constant
      * time. */
     if (overhead > plaintext->len) {
         return SECFailure;
     }
 
     paddingLength = plaintext->buf[plaintext->len-1];
     /* SSLv3 padding bytes are random and cannot be checked. */
     t = plaintext->len;
     t -= paddingLength+overhead;
     /* If len >= padding_length+overhead then the MSB of t is zero. */
     good = DUPLICATE_MSB_TO_ALL(~t);
     /* SSLv3 requires that the padding is minimal. */
     t = blockSize - (paddingLength+1);
     good &= DUPLICATE_MSB_TO_ALL(~t);
     plaintext->len -= good & (paddingLength+1);
     return (good & SECSuccess) | (~good & SECFailure);
 }
 
-
-static SECStatus ssl_RemoveTLSCBCPadding(sslBuffer *plaintext,
-                                         unsigned macSize) {
+static SECStatus
+ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize)
+{
     unsigned int paddingLength, good, t, toCheck, i;
     const unsigned int overhead = 1 /* padding length byte */ + macSize;
 
     /* These lengths are all public so we can test them in non-constant
      * time. */
     if (overhead > plaintext->len) {
         return SECFailure;
     }
 
     paddingLength = plaintext->buf[plaintext->len-1];
@@ skipping 39 matching lines @@
 
     plaintext->len -= good & (paddingLength+1);
     return (good & SECSuccess) | (~good & SECFailure);
 }
 
 /* On entry:
  *   originalLength >= macSize
  *   macSize <= MAX_MAC_LENGTH
  *   plaintext->len >= macSize
  */
-static void ssl_CBCExtractMAC(sslBuffer *plaintext,
-                              unsigned int originalLength,
-                              SSL3Opaque* out,
-                              unsigned int macSize) {
+static void
+ssl_CBCExtractMAC(sslBuffer *plaintext,
+                  unsigned int originalLength,
+                  SSL3Opaque* out,
+                  unsigned int macSize)
+{
     unsigned char rotatedMac[MAX_MAC_LENGTH];
-    /* macEnd is the index of |plaintext->buf| just after the end of the MAC. */
+    /* macEnd is the index of |plaintext->buf| just after the end of the
+     * MAC. */
     unsigned macEnd = plaintext->len;
     unsigned macStart = macEnd - macSize;
     /* scanStart contains the number of bytes that we can ignore because
      * the MAC's position can only vary by 255 bytes. */
     unsigned scanStart = 0;
     unsigned i, j, divSpoiler;
     unsigned char rotateOffset;
 
     if (originalLength > macSize + 255 + 1)
         scanStart = originalLength - (macSize + 255 + 1);
@@ skipping 13 matching lines @@
     for (i = scanStart; i < originalLength;) {
         for (j = 0; j < macSize && i < originalLength; i++, j++) {
             unsigned char macStarted = ssl_ConstantTimeGE(i, macStart);
             unsigned char macEnded = ssl_ConstantTimeGE(i, macEnd);
             unsigned char b = 0;
             b = plaintext->buf[i];
             rotatedMac[j] |= b & macStarted & ~macEnded;
         }
     }
 
-    /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line we
-     * could line-align |rotatedMac| and rotate in place. */
+    /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
+     * we could line-align |rotatedMac| and rotate in place. */
     memset(out, 0, macSize);
     for (i = 0; i < macSize; i++) {
-        unsigned char offset = (divSpoiler + macSize - rotateOffset + i) % macSize;
+        unsigned char offset =
+            (divSpoiler + macSize - rotateOffset + i) % macSize;
         for (j = 0; j < macSize; j++) {
             out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset);
         }
     }
 }
 
 /* if cText is non-null, then decipher, check MAC, and decompress the
  * SSL record from cText->buf (typically gs->inbuf)
  * into databuf (typically gs->buf), and any previous contents of databuf
  * is lost.  Then handle databuf according to its SSL record type,
@@ skipping 479 matching lines @@
 
     ssl_GetSpecWriteLock(ss);
     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
     ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
     ss->ssl3.hs.sendingSCSV = PR_FALSE;
     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifdef NSS_ENABLE_ECC
-    ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
+    ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCCurveMask(ss);
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     if (IS_DTLS(ss)) {
         ss->ssl3.hs.sendMessageSeq = 0;
         ss->ssl3.hs.recvMessageSeq = 0;
         ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
         ss->ssl3.hs.rtRetries = 0;
@@ skipping 382 matching lines @@
     }
     if (ss->ssl3.hs.sha) {
         PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
     }
     if (ss->ssl3.hs.messages.buf) {
         PORT_Free(ss->ssl3.hs.messages.buf);
         ss->ssl3.hs.messages.buf = NULL;
         ss->ssl3.hs.messages.len = 0;
         ss->ssl3.hs.messages.space = 0;
     }
-    if (ss->ssl3.hs.pending_cert_msg.data) {
-        SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
-    }
-    if (ss->ssl3.hs.cert_status.data) {
-        SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
-    }
 
     /* free the SSL3Buffer (msg_body) */
     PORT_Free(ss->ssl3.hs.msg_body.buf);
 
     /* free up the CipherSpecs */
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
 
     /* Destroy the DTLS data */
     if (IS_DTLS(ss)) {
         dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
         if (ss->ssl3.hs.recvdFragments.buf) {
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */