1 diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h | 1 diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h |
2 index cf9f6db..85ced8a 100644 | 2 index 9e57220..aa4a3e5 100644 |
3 --- a/lib/ssl/ssl.h | 3 --- a/lib/ssl/ssl.h |
4 +++ b/lib/ssl/ssl.h | 4 +++ b/lib/ssl/ssl.h |
5 @@ -502,6 +502,11 @@ SSL_IMPORT SECStatus SSL_ForceHandshake(PRFileDesc *fd); | 5 @@ -516,6 +516,11 @@ SSL_IMPORT SECStatus SSL_ForceHandshake(PRFileDesc *fd); |
6 SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd, | 6 SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd, |
7 PRIntervalTime timeout); | 7 PRIntervalTime timeout); |
8 | 8 |
9 +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterCertReq(PRFileDesc *fd, | 9 +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterCertReq(PRFileDesc *fd, |
10 +» » » » » CERTCertificate *cert, | 10 + CERTCertificate *cert, |
11 +» » » » » SECKEYPrivateKey *key, | 11 + SECKEYPrivateKey *key, |
12 +» » » » » CERTCertificateList *certChain); | 12 + CERTCertificateList *cert
Chain); |
13 + | 13 + |
14 /* | 14 /* |
15 ** Query security status of socket. *on is set to one if security is | 15 ** Query security status of socket. *on is set to one if security is |
16 ** enabled. *keySize will contain the stream key size used. *issuer will | 16 ** enabled. *keySize will contain the stream key size used. *issuer will |
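Review bot: The new public prototype for SSL_RestartHandshakeAfterCertReq (new-side lines 9–12) carries no comment, although ssl.h is the only file an API consumer reads and the ownership rules are unusual: the sslsecur.c implementation takes over cert, key and certChain and frees them itself, including on its failure paths. Add a header comment stating that, e.g. `/* Resume a handshake that is blocked waiting for the application to supply a client certificate in response to a CertificateRequest. SSL takes ownership of cert, key and certChain (pass NULL to send no certificate); the caller must not destroy them, even when this call fails. Only supported on the initial handshake of a connection. */`. The surrounding declarations are context only; nothing else in this hunk changes.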
17 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c | 17 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
18 index 27038f3..304e03b 100644 | 18 index 784f59b..2a2e644 100644 |
19 --- a/lib/ssl/ssl3con.c | 19 --- a/lib/ssl/ssl3con.c |
20 +++ b/lib/ssl/ssl3con.c | 20 +++ b/lib/ssl/ssl3con.c |
21 @@ -7482,6 +7482,85 @@ done: | 21 @@ -7803,6 +7803,85 @@ ssl3_CompleteHandleCertificateRequest(sslSocket *ss, SECI
tem *algorithms, |
22 return rv; | 22 return rv; |
23 } | 23 } |
24 | 24 |
25 +/* | 25 +/* |
26 + * attempt to restart the handshake after asynchronously handling | 26 + * attempt to restart the handshake after asynchronously handling |
27 + * a request for the client's certificate. | 27 + * a request for the client's certificate. |
28 + * | 28 + * |
29 + * inputs: | 29 + * inputs: |
30 + * cert Client cert chosen by application. | 30 + * cert Client cert chosen by application. |
31 + * Note: ssl takes this reference, and does not bump the | 31 + * Note: ssl takes this reference, and does not bump the |
43 + * chain. SSL will free the chain when it is done with it. | 43 + * chain. SSL will free the chain when it is done with it. |
44 + * | 44 + * |
45 + * Return value: XXX | 45 + * Return value: XXX |
46 + * | 46 + * |
47 + * XXX This code only works on the initial handshake on a connection, XXX | 47 + * XXX This code only works on the initial handshake on a connection, XXX |
48 + * It does not work on a subsequent handshake (redo). | 48 + * It does not work on a subsequent handshake (redo). |
49 + * | 49 + * |
50 + * Caller holds 1stHandshakeLock. | 50 + * Caller holds 1stHandshakeLock. |
51 + */ | 51 + */ |
52 +SECStatus | 52 +SECStatus |
53 +ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, | 53 +ssl3_RestartHandshakeAfterCertReq(sslSocket *ss, |
54 +» » » » CERTCertificate * cert, | 54 + CERTCertificate *cert, |
55 +» » » » SECKEYPrivateKey * key, | 55 + SECKEYPrivateKey *key, |
56 +» » » » CERTCertificateList *certChain) | 56 + CERTCertificateList *certChain) |
57 +{ | 57 +{ |
58 + SECStatus rv = SECSuccess; | 58 + SECStatus rv = SECSuccess; |
59 + | 59 + |
60 + /* XXX This code only works on the initial handshake on a connection, | 60 + /* XXX This code only works on the initial handshake on a connection, |
61 + ** XXX It does not work on a subsequent handshake (redo). | 61 + ** XXX It does not work on a subsequent handshake (redo). |
62 + */ | 62 + */ |
63 + if (ss->handshake != 0) { | 63 + if (ss->handshake != 0) { |
64 +» ss->handshake = ssl_GatherRecord1stHandshake; | 64 + ss->handshake = ssl_GatherRecord1stHandshake; |
65 +» ss->ssl3.clientCertificate = cert; | 65 + ss->ssl3.clientCertificate = cert; |
66 +» ss->ssl3.clientPrivateKey = key; | 66 + ss->ssl3.clientPrivateKey = key; |
67 +» ss->ssl3.clientCertChain = certChain; | 67 + ss->ssl3.clientCertChain = certChain; |
68 + if (!cert || !key || !certChain) { | 68 + if (!cert || !key || !certChain) { |
69 + /* we are missing the key, cert, or cert chain */ | 69 + /* we are missing the key, cert, or cert chain */ |
70 + if (ss->ssl3.clientCertificate) { | 70 + if (ss->ssl3.clientCertificate) { |
71 + CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 71 + CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
72 + ss->ssl3.clientCertificate = NULL; | 72 + ss->ssl3.clientCertificate = NULL; |
73 + } | 73 + } |
74 + if (ss->ssl3.clientPrivateKey) { | 74 + if (ss->ssl3.clientPrivateKey) { |
75 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 75 + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
76 + ss->ssl3.clientPrivateKey = NULL; | 76 + ss->ssl3.clientPrivateKey = NULL; |
77 + } | 77 + } |
78 + if (ss->ssl3.clientCertChain != NULL) { | 78 + if (ss->ssl3.clientCertChain != NULL) { |
79 + CERT_DestroyCertificateList(ss->ssl3.clientCertChain); | 79 + CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
80 + ss->ssl3.clientCertChain = NULL; | 80 + ss->ssl3.clientCertChain = NULL; |
81 + } | 81 + } |
82 + if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { | 82 + if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { |
83 + ss->ssl3.sendEmptyCert = PR_TRUE; | 83 + ss->ssl3.sendEmptyCert = PR_TRUE; |
84 + } else { | 84 + } else { |
85 + (void)SSL3_SendAlert(ss, alert_warning, no_certificate); | 85 + (void)SSL3_SendAlert(ss, alert_warning, no_certificate); |
86 + } | 86 + } |
87 +» } | 87 + } |
88 + } else { | 88 + } else { |
89 +» if (cert) { | 89 + if (cert) { |
90 +» CERT_DestroyCertificate(cert); | 90 + CERT_DestroyCertificate(cert); |
91 +» } | 91 + } |
92 +» if (key) { | 92 + if (key) { |
93 +» SECKEY_DestroyPrivateKey(key); | 93 + SECKEY_DestroyPrivateKey(key); |
94 +» } | 94 + } |
95 +» if (certChain) { | 95 + if (certChain) { |
96 +» CERT_DestroyCertificateList(certChain); | 96 + CERT_DestroyCertificateList(certChain); |
97 +» } | 97 + } |
98 +» PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 98 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
99 +» rv = SECFailure; | 99 + rv = SECFailure; |
100 + } | 100 + } |
101 + return rv; | 101 + return rv; |
102 +} | 102 +} |
103 + | 103 + |
104 static SECStatus | 104 static SECStatus |
105 ssl3_CheckFalseStart(sslSocket *ss) | 105 ssl3_CheckFalseStart(sslSocket *ss) |
106 { | 106 { |
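Review bot: The guard `if (ss->handshake != 0)` at new-side line 63 only establishes that a first handshake is in progress, not that the handshake is actually suspended waiting for the application's client-certificate choice; a call at any other point silently overwrites `ss->ssl3.clientCertificate`, `ss->ssl3.clientPrivateKey` and `ss->ssl3.clientCertChain` (leaking whatever they held) and resets `ss->handshake` to ssl_GatherRecord1stHandshake. The function should also check the handshake-state flag that ssl3_CompleteHandleCertificateRequest (visible in the hunk header, body not shown) leaves when it returns to the application, and fail with an error such as SSL_ERROR_HANDSHAKE_NOT_COMPLETED rather than SEC_ERROR_LIBRARY_FAILURE when that state does not match — I cannot see the exact state enum from this hunk, so confirm the field name. The header comment still reads `Return value: XXX`; from the code it should say `Returns SECSuccess once the handshake has been resumed (also when cert/key/chain are NULL and an empty Certificate or no_certificate alert is queued instead), SECFailure with SEC_ERROR_LIBRARY_FAILURE if no first handshake is in progress.` Eleven lines of this hunk are elided in this view, so the middle of the comment block was not reviewed.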
107 diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h | 107 diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
108 index c7231a7..c089889 100644 | 108 index 5f0e6c9..dad75b2 100644 |
109 --- a/lib/ssl/sslimpl.h | 109 --- a/lib/ssl/sslimpl.h |
110 +++ b/lib/ssl/sslimpl.h | 110 +++ b/lib/ssl/sslimpl.h |
111 @@ -1629,16 +1629,17 @@ extern SECStatus ssl3_MasterSecretDeriveBypass( ssl3Cip
herSpec * pwSpec, | 111 @@ -1702,16 +1702,16 @@ extern SECStatus ssl3_MasterSecretDeriveBypass(ssl3Ciphe
rSpec *pwSpec, |
112 /* These functions are called from secnav, even though they're "private". */ | 112 /* These functions are called from secnav, even though they're "private". */ |
113 | 113 |
114 extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error); | 114 extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error); |
115 -extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss, | 115 -extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss, |
116 -» » » » » CERTCertificate *cert, | 116 - CERTCertificate *cert, |
117 -» » » » » SECKEYPrivateKey *key, | 117 - SECKEYPrivateKey *key, |
118 -» » » » » CERTCertificateList *certChain); | 118 - CERTCertificateList *certChain); |
119 extern sslSocket *ssl_FindSocket(PRFileDesc *fd); | 119 extern sslSocket *ssl_FindSocket(PRFileDesc *fd); |
120 extern void ssl_FreeSocket(struct sslSocketStr *ssl); | 120 extern void ssl_FreeSocket(struct sslSocketStr *ssl); |
121 extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, | 121 extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, |
122 » » » » SSL3AlertDescription desc); | 122 SSL3AlertDescription desc); |
123 extern SECStatus ssl3_DecodeError(sslSocket *ss); | 123 extern SECStatus ssl3_DecodeError(sslSocket *ss); |
124 | 124 |
125 +extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, | 125 +extern SECStatus ssl3_RestartHandshakeAfterCertReq(struct sslSocketStr *ss, |
126 +» » » » » CERTCertificate * cert, | 126 + CERTCertificate *cert, |
127 +» » » » » SECKEYPrivateKey * key, | 127 + SECKEYPrivateKey *key, |
128 +» » » » » CERTCertificateList *certChain); | 128 + CERTCertificateList *certCha
in); |
129 + | |
130 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
; | 129 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
; |
131 | 130 |
132 /* | 131 /* |
133 diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c | 132 diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c |
134 index 53b4885..f77d6fa 100644 | 133 index 5773748..a087ffc 100644 |
135 --- a/lib/ssl/sslsecur.c | 134 --- a/lib/ssl/sslsecur.c |
136 +++ b/lib/ssl/sslsecur.c | 135 +++ b/lib/ssl/sslsecur.c |
137 @@ -1532,17 +1532,70 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *db
Handle) | 136 @@ -1535,17 +1535,70 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *db
Handle) |
138 return SECSuccess; | 137 return SECSuccess; |
139 } | 138 } |
140 | 139 |
141 -/* DO NOT USE. This function was exported in ssl.def with the wrong signature; | 140 -/* DO NOT USE. This function was exported in ssl.def with the wrong signature; |
142 - * this implementation exists to maintain link-time compatibility. | 141 - * this implementation exists to maintain link-time compatibility. |
| 142 - */ |
| 143 -int |
| 144 -SSL_RestartHandshakeAfterCertReq(sslSocket *ss, |
143 +/* | 145 +/* |
144 + * attempt to restart the handshake after asynchronously handling | 146 + * attempt to restart the handshake after asynchronously handling |
145 + * a request for the client's certificate. | 147 + * a request for the client's certificate. |
146 + * | 148 + * |
147 + * inputs: | 149 + * inputs: |
148 + * cert Client cert chosen by application. | 150 + * cert Client cert chosen by application. |
149 + * Note: ssl takes this reference, and does not bump the | 151 + * Note: ssl takes this reference, and does not bump the |
150 + * reference count. The caller should drop its reference | 152 + * reference count. The caller should drop its reference |
151 + * without calling CERT_DestroyCertificate after calling this | 153 + * without calling CERT_DestroyCertificate after calling this |
152 + * function. | 154 + * function. |
153 + * | 155 + * |
154 + * key Private key associated with cert. This function takes | 156 + * key Private key associated with cert. This function takes |
155 + * ownership of the private key, so the caller should drop its | 157 + * ownership of the private key, so the caller should drop its |
156 + * reference without destroying the private key after this | 158 + * reference without destroying the private key after this |
157 + * function returns. | 159 + * function returns. |
158 + * | 160 + * |
159 + * certChain Chain of signers for cert. | 161 + * certChain Chain of signers for cert. |
160 + * Note: ssl takes this reference, and does not copy the chain. | 162 + * Note: ssl takes this reference, and does not copy the chain. |
161 + * The caller should drop its reference without destroying the | 163 + * The caller should drop its reference without destroying the |
162 + * chain. SSL will free the chain when it is done with it. | 164 + * chain. SSL will free the chain when it is done with it. |
163 + * | 165 + * |
164 + * Return value: XXX | 166 + * Return value: XXX |
165 + * | 167 + * |
166 + * XXX This code only works on the initial handshake on a connection, XXX | 168 + * XXX This code only works on the initial handshake on a connection, XXX |
167 + * It does not work on a subsequent handshake (redo). | 169 + * It does not work on a subsequent handshake (redo). |
168 */ | 170 + */ |
169 -int | |
170 -SSL_RestartHandshakeAfterCertReq(sslSocket * ss, | |
171 +SECStatus | 171 +SECStatus |
172 +SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd, | 172 +SSL_RestartHandshakeAfterCertReq(PRFileDesc *fd, |
173 » » » » CERTCertificate * cert, | 173 CERTCertificate *cert, |
174 » » » » SECKEYPrivateKey * key, | 174 SECKEYPrivateKey *key, |
175 » » » » CERTCertificateList *certChain) | 175 CERTCertificateList *certChain) |
176 { | 176 { |
177 - PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 177 - PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
178 - return -1; | 178 - return -1; |
179 + sslSocket * ss = ssl_FindSocket(fd); | 179 + sslSocket *ss = ssl_FindSocket(fd); |
180 + SECStatus ret; | 180 + SECStatus ret; |
181 + | 181 + |
182 + if (!ss) { | 182 + if (!ss) { |
183 +» SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RestartHandshakeAfterCertReq", | 183 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RestartHandshakeAfterCertReq", |
184 +» » SSL_GETPID(), fd)); | 184 + SSL_GETPID(), fd)); |
185 +» if (cert) { | 185 + if (cert) { |
186 +» CERT_DestroyCertificate(cert); | 186 + CERT_DestroyCertificate(cert); |
187 +» } | 187 + } |
188 +» if (key) { | 188 + if (key) { |
189 +» SECKEY_DestroyPrivateKey(key); | 189 + SECKEY_DestroyPrivateKey(key); |
190 +» } | 190 + } |
191 +» if (certChain) { | 191 + if (certChain) { |
192 +» CERT_DestroyCertificateList(certChain); | 192 + CERT_DestroyCertificateList(certChain); |
193 +» } | 193 + } |
194 +» return SECFailure; | 194 + return SECFailure; |
195 + } | 195 + } |
196 + | 196 + |
197 + ssl_Get1stHandshakeLock(ss); /************************************/ | 197 + ssl_Get1stHandshakeLock(ss); /************************************/ |
198 + | 198 + |
199 + if (ss->version >= SSL_LIBRARY_VERSION_3_0) { | 199 + if (ss->version >= SSL_LIBRARY_VERSION_3_0) { |
200 +» ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain); | 200 + ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain); |
201 + } else { | 201 + } else { |
202 +» if (certChain != NULL) { | 202 + if (certChain != NULL) { |
203 +» CERT_DestroyCertificateList(certChain); | 203 + CERT_DestroyCertificateList(certChain); |
204 +» } | 204 + } |
205 +» PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); | 205 + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
206 +» ret = SECFailure; | 206 + ret = SECFailure; |
207 + } | 207 + } |
208 + | 208 + |
209 + ssl_Release1stHandshakeLock(ss); /************************************/ | 209 + ssl_Release1stHandshakeLock(ss); /************************************/ |
210 + return ret; | 210 + return ret; |
211 } | 211 } |
212 | 212 |
213 /* DO NOT USE. This function was exported in ssl.def with the wrong signature; | 213 /* DO NOT USE. This function was exported in ssl.def with the wrong signature; |
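Review bot: The pre-SSL3 branch at new-side lines 201–207 destroys only certChain and leaks cert and key, even though the function's own header comment says SSL takes ownership of all three and the `!ss` branch just above releases all three; a caller that follows the documented contract therefore leaks a certificate and a private-key handle on every SSL2 socket. Add `if (cert) CERT_DestroyCertificate(cert); if (key) SECKEY_DestroyPrivateKey(key);` next to the existing `CERT_DestroyCertificateList(certChain)` before setting SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2. The `!ss` branch returns SECFailure without calling PORT_SetError; if ssl_FindSocket does not set an error code itself (not visible here), callers will see a stale error, so consider `PORT_SetError(SEC_ERROR_INVALID_ARGS)` there as well.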