1 files changed, 61 insertions, 31 deletions

diff --git a/net/third_party/nss/ssl/sslsecur.c b/net/third_party/nss/ssl/sslsecur.c
index 7105125..16fd203 100644
--- a/net/third_party/nss/ssl/sslsecur.c
+++ b/net/third_party/nss/ssl/sslsecur.c
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsecur.c,v 1.43.2.2 2010/08/26 18:06:55 wtc%google.com Exp $ */
+/* $Id: sslsecur.c,v 1.57 2012/02/15 21:52:08 kaie%kuix.de Exp $ */
 #include "cert.h"
 #include "secitem.h"
 #include "keyhi.h"
@@ -84,7 +84,8 @@
  *
  * 3.   SECWouldBlock was returned by one of the callback functions, via
  *	one of these paths:
- * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
+ * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() ->
+ *	ss->getClientAuthData()
  *
  * -	ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
  *
@@ -117,6 +118,7 @@ ssl_Do1stHandshake(sslSocket *ss)
 	PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );
 	PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
 	PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+	PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
 
 	if (ss->handshake == 0) {
 	    /* Previous handshake finished. Switch to next one */
@@ -157,6 +159,7 @@ ssl_Do1stHandshake(sslSocket *ss)
 
     PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
     PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+    PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
 
     if (rv == SECWouldBlock) {
 	PORT_SetError(PR_WOULD_BLOCK_ERROR);
@@ -170,7 +173,7 @@ ssl_Do1stHandshake(sslSocket *ss)
  * retry on a connection on the next read/write.
  */
 static SECStatus
-AlwaysBlock(sslSocket *ss)
+ssl3_AlwaysBlock(sslSocket *ss)
 {
     PORT_SetError(PR_WOULD_BLOCK_ERROR);	/* perhaps redundant. */
     return SECWouldBlock;
@@ -180,10 +183,10 @@ AlwaysBlock(sslSocket *ss)
  * set the initial handshake state machine to block
  */
 void
-ssl_SetAlwaysBlock(sslSocket *ss)
+ssl3_SetAlwaysBlock(sslSocket *ss)
 {
     if (!ss->firstHsDone) {
-	ss->handshake = AlwaysBlock;
+	ss->handshake = ssl3_AlwaysBlock;
 	ss->nextHandshake = 0;
     }
 }
@@ -235,7 +238,6 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
 
     /* Reset handshake state */
     ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
 
     ss->firstHsDone = PR_FALSE;
     if ( asServer ) {
@@ -252,6 +254,8 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
     status = ssl_InitGather(&ss->gs);
     ssl_ReleaseRecvBufLock(ss);
 
+    ssl_GetSSL3HandshakeLock(ss);
+
     /*
     ** Blow away old security state and get a fresh setup.
     */
@@ -686,7 +690,7 @@ static PRStatus serverCAListSetup(void *arg)
 
 SECStatus
 ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
-                       CERTCertificateList *certChain,
+                       const CERTCertificateList *certChain,
                        ssl3KeyPair *keyPair, SSLKEAType kea)
 {
     CERTCertificateList *localCertChain = NULL;
@@ -764,6 +768,15 @@ SECStatus
 SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
 		       SECKEYPrivateKey *key, SSL3KEAType kea)
 {
+
+    return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea);
+}
+
+SECStatus
+SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert,
+                                    const CERTCertificateList *certChainOpt,
+                                    SECKEYPrivateKey *key, SSL3KEAType kea)
+{
     sslSocket *ss;
     SECKEYPublicKey *pubKey = NULL;
     ssl3KeyPair *keyPair = NULL;
@@ -834,7 +847,7 @@ SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
         }
 	pubKey = NULL; /* adopted by serverKeyPair */
     }
-    if (ssl_ConfigSecureServer(ss, cert, NULL,
+    if (ssl_ConfigSecureServer(ss, cert, certChainOpt,
                                keyPair, kea) == SECFailure) {
         goto loser;
     }
@@ -1212,12 +1225,15 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
     if (!ss->firstHsDone) {
 	PRBool canFalseStart = PR_FALSE;
 	ssl_Get1stHandshakeLock(ss);
-	if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-	    (ss->ssl3.hs.ws == wait_change_cipher ||
-	     ss->ssl3.hs.ws == wait_finished ||
-	     ss->ssl3.hs.ws == wait_new_session_ticket) &&
-	    ssl3_CanFalseStart(ss)) {
-	    canFalseStart = PR_TRUE;
+	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	    ssl_GetSSL3HandshakeLock(ss);
+	    if ((ss->ssl3.hs.ws == wait_change_cipher ||
+		ss->ssl3.hs.ws == wait_finished ||
+		ss->ssl3.hs.ws == wait_new_session_ticket) &&
+		ssl3_CanFalseStart(ss)) {
+		canFalseStart = PR_TRUE;
+	    }
+	    ssl_ReleaseSSL3HandshakeLock(ss);
 	}
 	if (!canFalseStart &&
 	    (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
@@ -1510,37 +1526,51 @@ SSL_RestartHandshakeAfterCertReq(PRFileDesc *        fd,
 	if (certChain != NULL) {
 	    CERT_DestroyCertificateList(certChain);
 	}
-    	ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
+	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+	ret = SECFailure;
     }
 
     ssl_Release1stHandshakeLock(ss);  /************************************/
     return ret;
 }
 
-
-/* restart an SSL connection that we stopped to run certificate dialogs 
-** XXX	Need to document here how an application marks a cert to show that
-**	the application has accepted it (overridden CERT_VerifyCert).
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- *     It does not work on a subsequent handshake (redo).
- *
- * Return value: XXX
-*/
+/* DO NOT USE. This function was exported in ssl.def with the wrong signature;
+ * this implementation exists to maintain link-time compatibility.
+ */
 int
-SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
+SSL_RestartHandshakeAfterServerCert(sslSocket * ss)
 {
-    int rv	= SECSuccess;
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return -1;
+}
 
-    ssl_Get1stHandshakeLock(ss); 
+/* See documentation in ssl.h */
+SECStatus
+SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error)
+{
+    SECStatus rv;
+    sslSocket *ss = ssl_FindSocket(fd);
 
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-	rv = ssl3_RestartHandshakeAfterServerCert(ss);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_AuthCertificateComplete",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+
+    if (!ss->ssl3.initialized) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    } else if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+	rv = SECFailure;
     } else {
-	rv = ssl2_RestartHandshakeAfterServerCert(ss);
+	rv = ssl3_AuthCertificateComplete(ss, error);
     }
 
     ssl_Release1stHandshakeLock(ss);
+
     return rv;
 }