summaryrefslogtreecommitdiffstats
path: root/net/third_party/nss/ssl/ssl3con.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/third_party/nss/ssl/ssl3con.c')
-rw-r--r--net/third_party/nss/ssl/ssl3con.c108
1 files changed, 36 insertions, 72 deletions
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 55e4901..db9fad3 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -2991,14 +2991,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
ss->ssl3.prSpec = ss->ssl3.crSpec;
ss->ssl3.crSpec = prSpec;
-
- if (ss->sec.isServer &&
- ss->opt.requestCertificate &&
- ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_client_cert;
- } else {
- ss->ssl3.hs.ws = wait_finished;
- }
+ ss->ssl3.hs.ws = wait_finished;
SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
SSL_GETPID(), ss->fd ));
@@ -5087,11 +5080,10 @@ loser:
static SECStatus
ssl3_SendCertificateVerify(sslSocket *ss)
{
- SECStatus rv = SECFailure;
- PRBool isTLS;
- SECItem buf = {siBuffer, NULL, 0};
- SSL3Hashes hashes;
- ssl3CipherSpec *spec;
+ SECStatus rv = SECFailure;
+ PRBool isTLS;
+ SECItem buf = {siBuffer, NULL, 0};
+ SSL3Hashes hashes;
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -5100,17 +5092,13 @@ ssl3_SendCertificateVerify(sslSocket *ss)
SSL_GETPID(), ss->fd));
ssl_GetSpecReadLock(ss);
- spec = ss->ssl3.pwSpec;
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- spec = ss->ssl3.cwSpec;
- }
- rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
ssl_ReleaseSpecReadLock(ss);
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
}
- isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
+ isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
if (ss->ssl3.platformClientKey) {
#ifdef NSS_PLATFORM_CLIENT_AUTH
rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
@@ -6165,10 +6153,6 @@ ssl3_SendClientSecondRound(sslSocket *ss)
{
SECStatus rv;
PRBool sendClientCert;
- PRBool sendEmptyCert;
- int n = 0, i;
- typedef SECStatus (*SendFunction)(sslSocket*);
- SendFunction send_funcs[5];
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
@@ -6215,40 +6199,35 @@ ssl3_SendClientSecondRound(sslSocket *ss)
ssl_GetXmitBufLock(ss); /*******************************/
- sendEmptyCert = ss->ssl3.sendEmptyCert;
- ss->ssl3.sendEmptyCert = PR_FALSE;
-
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- send_funcs[n++] = ssl3_SendClientKeyExchange;
- send_funcs[n++] = ssl3_SendChangeCipherSpecs;
- if (sendEmptyCert) {
- send_funcs[n++] = ssl3_SendEmptyCertificate;
- }
- if (sendClientCert) {
- send_funcs[n++] = ssl3_SendCertificate;
- send_funcs[n++] = ssl3_SendCertificateVerify;
- }
- } else {
- if (sendEmptyCert) {
- send_funcs[n++] = ssl3_SendEmptyCertificate;
- }
- if (sendClientCert) {
- send_funcs[n++] = ssl3_SendCertificate;
- }
- send_funcs[n++] = ssl3_SendClientKeyExchange;
- if (sendClientCert) {
- send_funcs[n++] = ssl3_SendCertificateVerify;
- }
- send_funcs[n++] = ssl3_SendChangeCipherSpecs;
+ if (ss->ssl3.sendEmptyCert) {
+ ss->ssl3.sendEmptyCert = PR_FALSE;
+ rv = ssl3_SendEmptyCertificate(ss);
+ /* Don't send verify */
+ if (rv != SECSuccess) {
+ goto loser; /* error code is set. */
+ }
+ } else if (sendClientCert) {
+ rv = ssl3_SendCertificate(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* error code is set. */
+ }
}
- PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]));
+ rv = ssl3_SendClientKeyExchange(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* err is set. */
+ }
- for (i = 0; i < n; i++) {
- rv = send_funcs[i](ss);
+ if (sendClientCert) {
+ rv = ssl3_SendCertificateVerify(ss);
if (rv != SECSuccess) {
- goto loser; /* err code was set. */
- }
+ goto loser; /* err is set. */
+ }
+ }
+
+ rv = ssl3_SendChangeCipherSpecs(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* err code was set. */
}
/* XXX: If the server's certificate hasn't been authenticated by this
@@ -6463,13 +6442,8 @@ ssl3_SendServerHelloSequence(sslSocket *ss)
return rv; /* err code is set. */
}
- if (ss->opt.requestCertificate &&
- !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_client_cert;
- } else {
- ss->ssl3.hs.ws = wait_client_key;
- }
-
+ ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
+ : wait_client_key;
return SECSuccess;
}
@@ -7766,11 +7740,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
desc = isTLS ? decode_error : illegal_parameter;
goto alert_loser; /* malformed */
}
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_finished;
- } else {
- ss->ssl3.hs.ws = wait_change_cipher;
- }
+ ss->ssl3.hs.ws = wait_change_cipher;
return SECSuccess;
alert_loser:
@@ -8683,11 +8653,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
}
} else {
server_no_cert:
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_cert_verify;
- } else {
- ss->ssl3.hs.ws = wait_client_key;
- }
+ ss->ssl3.hs.ws = wait_client_key;
}
PORT_Assert(rv == SECSuccess);
@@ -9302,8 +9268,6 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
if (type == finished) {
sender = ss->sec.isServer ? sender_client : sender_server;
rSpec = ss->ssl3.crSpec;
- } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- rSpec = ss->ssl3.crSpec;
}
rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
}
generated by cgit v1.1 at 2025-02-13 12:22:01 +0000