From f6ee0a018e7b1f4ff5e63da7e8c388041acad2c3 Mon Sep 17 00:00:00 2001
From: "wtc@chromium.org"
 <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri, 5 Mar 2010 22:00:24 +0000
Subject: SSLClientSocketNSS::ClientAuthHandler should return SECWouldBlock
 instead of SECFailure when we want to abort the handshake, because
 SECWouldBlock causes NSS to suspend the client authentication, whereas
 SECFailure causes NSS to continue the handshake with an empty certificate (in
 TLS) or no_certificate alert (in SSL 3.0).

R=agl
BUG=16830
TEST=SSL client authentication on Linux should still work.
Review URL: http://codereview.chromium.org/669198

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40785 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/socket/ssl_client_socket_nss.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'net')

diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 52dc09e..994f1f3 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1150,7 +1150,9 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
     CERT_FreeNicknames(names);
   }
 
-  return SECFailure;
+  // Tell NSS to suspend the client authentication.  We will then abort the
+  // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
+  return SECWouldBlock;
 #endif
 }
 
@@ -1286,7 +1288,7 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
   }
 
   completed_handshake_ = true;
-  // TODO(ukai): we may not need this call because it is now harmless to have an
+  // TODO(ukai): we may not need this call because it is now harmless to have a
   // session with a bad cert.
   InvalidateSessionIfBadCertificate();
   // Exit DoHandshakeLoop and return the result to the caller to Connect.
-- 
cgit v1.1