dart:io | Support connection renegotiation (rehandshake) on SecureSocket.

sdk/lib/io/secure_socket.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 /**
  * A high-level class for communicating securely over a TCP socket, using
  * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an
  * [IOSink] interface, making it ideal for using together with
@@ skipping 132 matching lines @@
   /**
    * Get the peer certificate for a connected SecureSocket.  If this
    * SecureSocket is the server end of a secure socket connection,
    * [peerCertificate] will return the client certificate, or null, if no
    * client certificate was received.  If it is the client end,
    * [peerCertificate] will return the server's certificate.
    */
   X509Certificate get peerCertificate;
 
   /**
+   * Renegotiate an existing secure connection, renewing the session keys
+   * and possibly changing the connection properties.
+   *
+   * This repeats the SSL or TLS handshake, with options that allow clearing
+   * the session cache and requesting a client certificate.
+   */
+  void renegotiate({bool useSessionCache: true,
+                    bool requestClientCertificate: false,
+                    bool requireClientCertificate: false});
+
+  /**
    * Initializes the NSS library. If [initialize] is not called, the library
    * is automatically initialized as if [initialize] were called with no
    * arguments. If [initialize] is called more than once, or called after
    * automatic initialization has happened (when a secure connection is made),
    * then a TlsException is thrown.
    *
    * The optional argument [database] is the path to a certificate database
    * directory containing root certificates for verifying certificate paths on
    * client connections, and server certificates to provide on server
    * connections. The argument [password] should be used when creating
@@ skipping 164 matching lines @@
         certificateName,
         is_server: true,
         socket: socket,
         subscription: subscription,
         bufferedData: bufferedData,
         requestClientCertificate: requestClientCertificate,
         requireClientCertificate: requireClientCertificate);
   }
 
   /**
+   * Renegotiate an existing secure connection, renewing the session keys
+   * and possibly changing the connection properties.
+   *
+   * This repeats the SSL or TLS handshake, with options that allow clearing
+   * the session cache and requesting a client certificate.
+   */
+  void renegotiate({bool useSessionCache: true,
+                    bool requestClientCertificate: false,
+                    bool requireClientCertificate: false});
+
+  /**
    * Get the peer certificate for a connected RawSecureSocket.  If this
    * RawSecureSocket is the server end of a secure socket connection,
    * [peerCertificate] will return the client certificate, or null, if no
    * client certificate was received.  If it is the client end,
    * [peerCertificate] will return the server's certificate.
    */
   X509Certificate get peerCertificate;
 }
 
 
@@ skipping 431 matching lines @@
       _secureFilter.handshake();
       _filterStatus.writeEmpty = false;
       _readSocket();
       _writeSocket();
       _scheduleFilter();
     } catch (e) {
       _reportError(e);
     }
   }
 
+  void renegotiate({bool useSessionCache: true,
+                    bool requestClientCertificate: false,
+                    bool requireClientCertificate: false}) {
+    try {
+      if (_status != CONNECTED) {

[Anders Johnsen, 2013/07/11 11:20:32]

I would expect this to be a StateError thrown directly, not something that'll
modify the filter.

[Bill Hesse, 2013/07/11 15:25:42]

Done.

+        throw new HandshakeException(
+            "Called renegotiate on a non-connected socket");
+      }
+      _secureFilter.renegotiate(useSessionCache,
+                                requestClientCertificate,
+                                requireClientCertificate);
+      _status = HANDSHAKE;
+      _filterStatus.writeEmpty = false;
+      _scheduleFilter();
+    } catch (e) {
+      _reportError(e);
+    }
+  }
+
   void _secureHandshakeCompleteHandler() {
     _status = CONNECTED;
     if (_connectPending) {
       _connectPending = false;
       // We don't want user code to run synchronously in this callback.
       Timer.run(() => _handshakeComplete.complete(this));
     }
   }
 
   void _onPauseStateChange() {
@@ skipping 353 matching lines @@
   void connect(String hostName,
                Uint8List addr,
                int port,
                bool is_server,
                String certificateName,
                bool requestClientCertificate,
                bool requireClientCertificate,
                bool sendClientCertificate);
   void destroy();
   void handshake();
+  void rehandshake();
+  void renegotiate(bool useSessionCache,
+                   bool requestClientCertificate,
+                   bool requireClientCertificate);
   void init();
   X509Certificate get peerCertificate;
   int processBuffer(int bufferIndex);
   void registerBadCertificateCallback(Function callback);
   void registerHandshakeCompleteCallback(Function handshakeCompleteHandler);
   int _pointer();
 
   List<_ExternalBuffer> get buffers;
 }
 
@@ skipping 43 matching lines @@
 /**
  * An exception that happens in the handshake phase of establishing
  * a secure network connection, when looking up or verifying a
  * certificate.
  */
 class CertificateException extends TlsException {
   const CertificateException([String message = "",
                             OSError osError = null])
      : super._("CertificateException", message, osError);
 }