dart:io | Support connection renegotiation (rehandshake) on SecureSocket.

runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
@@ skipping 171 matching lines @@
 }
 
 
 void FUNCTION_NAME(SecureSocket_Handshake)(Dart_NativeArguments args) {
   Dart_EnterScope();
   GetFilter(args)->Handshake();
   Dart_ExitScope();
 }
 
 
+void FUNCTION_NAME(SecureSocket_Renegotiate)(Dart_NativeArguments args) {
+  Dart_EnterScope();
+  bool use_session_cache =
+      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 1));
+  bool request_client_certificate =
+      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 2));
+  bool require_client_certificate =
+      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 3));
+  GetFilter(args)->Renegotiate(use_session_cache,
+                               request_client_certificate,
+                               require_client_certificate);
+  Dart_ExitScope();
+}
+
+
 void FUNCTION_NAME(SecureSocket_RegisterHandshakeCompleteCallback)(
     Dart_NativeArguments args) {
   Dart_EnterScope();
   Dart_Handle handshake_complete =
       ThrowIfError(Dart_GetNativeArgument(args, 1));
   if (!Dart_IsClosure(handshake_complete)) {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
         "Illegal argument to RegisterHandshakeCompleteCallback"));
   }
   GetFilter(args)->RegisterHandshakeCompleteCallback(handshake_complete);
@@ skipping 523 matching lines @@
           "Failed SSL_ConfigSecureServer call with certificate %s",
           certificate_name);
     }
 
     if (request_client_certificate) {
       status = SSL_OptionSet(filter_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
       if (status != SECSuccess) {
         ThrowPRException("TlsException",
                          "Failed SSL_OptionSet(REQUEST_CERTIFICATE) call");
       }
-      PRBool require_cert = require_client_certificate ? PR_TRUE : PR_FALSE;
-      status = SSL_OptionSet(filter_, SSL_REQUIRE_CERTIFICATE, require_cert);
+      status = SSL_OptionSet(filter_,
+                             SSL_REQUIRE_CERTIFICATE,
+                             require_client_certificate);
       if (status != SECSuccess) {
         ThrowPRException("TlsException",
                          "Failed SSL_OptionSet(REQUIRE_CERTIFICATE) call");
       }
     }
   } else {  // Client.
     if (SSL_SetURL(filter_, host_name) == -1) {
       ThrowPRException("TlsException",
                        "Failed SetURL call");
     }
@@ skipping 18 matching lines @@
                          "Failed SSL_GetClientAuthDataHook call");
       }
     }
   }
 
   // Install bad certificate callback, and pass 'this' to it if it is called.
   status = SSL_BadCertHook(filter_,
                            BadCertificateCallback,
                            static_cast<void*>(this));
 
-  PRBool as_server = is_server ? PR_TRUE : PR_FALSE;
-  status = SSL_ResetHandshake(filter_, as_server);
+  status = SSL_ResetHandshake(filter_, is_server);
   if (status != SECSuccess) {
     ThrowPRException("TlsException",
                      "Failed SSL_ResetHandshake call");
   }
 
   // Set the peer address from the address passed. The DNS has already
   // been done in Dart code, so just use that address. This relies on
   // following about PRNetAddr: "The raw member of the union is
   // equivalent to struct sockaddr", which is stated in the NSS
   // documentation.
@@ skipping 33 matching lines @@
                          "Handshake error in server");
       } else {
         ThrowPRException("HandshakeException",
                          "Handshake error in client");
       }
     }
   }
 }
 
 
+void SSLFilter::Renegotiate(bool use_session_cache,
+                            bool request_client_certificate,
+                            bool require_client_certificate) {
+  SECStatus status;
+  // The SSL_REQUIRE_CERTIFICATE option only takes effect if the
+  // SSL_REQUEST_CERTIFICATE option is also set, so set it.
+  request_client_certificate =
+      request_client_certificate || require_client_certificate;
+
+  status = SSL_OptionSet(filter_,
+                         SSL_REQUEST_CERTIFICATE,
+                         request_client_certificate);
+  if (status != SECSuccess) {
+    ThrowPRException("TlsException",
+       "Failure in (Raw)SecureSocket.renegotiate request_client_certificate");
+  }
+  status = SSL_OptionSet(filter_,
+                         SSL_REQUIRE_CERTIFICATE,
+                         require_client_certificate);
+  if (status != SECSuccess) {
+    ThrowPRException("TlsException",
+       "Failure in (Raw)SecureSocket.renegotiate require_client_certificate");
+  }
+  bool flush_cache = !use_session_cache;
+  status = SSL_ReHandshake(filter_, flush_cache);
+  if (status != SECSuccess) {
+    if (is_server_) {
+      ThrowPRException("HandshakeException",
+                       "Failure in (Raw)SecureSocket.renegotiate in server");
+    } else {
+      ThrowPRException("HandshakeException",
+                       "Failure in (Raw)SecureSocket.renegotiate in client");
+    }
+  }
+}
+
+
 void SSLFilter::Destroy() {
   for (int i = 0; i < kNumBuffers; ++i) {
     Dart_DeletePersistentHandle(dart_buffer_objects_[i]);
     delete[] buffers_[i];
   }
   Dart_DeletePersistentHandle(string_start_);
   Dart_DeletePersistentHandle(string_length_);
   Dart_DeletePersistentHandle(handshake_complete_);
   Dart_DeletePersistentHandle(bad_certificate_callback_);
   free(client_certificate_name_);
@@ skipping 102 matching lines @@
     // Return a send port for the service port.
     Dart_Handle send_port = Dart_NewSendPort(service_port);
     Dart_SetReturnValue(args, send_port);
   }
   Dart_ExitScope();
 }
 
 
 }  // namespace bin
 }  // namespace dart