| Index: net/third_party/nss/ssl/ssl3con.c
|
| diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
|
| index 55e490142cbe70f5eb600d7a9008322ed99363e1..db9fad3dde5c2d84d4c14d7b0292f77a9ac743d2 100644
|
| --- a/net/third_party/nss/ssl/ssl3con.c
|
| +++ b/net/third_party/nss/ssl/ssl3con.c
|
| @@ -2991,14 +2991,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
|
|
|
| ss->ssl3.prSpec = ss->ssl3.crSpec;
|
| ss->ssl3.crSpec = prSpec;
|
| -
|
| - if (ss->sec.isServer &&
|
| - ss->opt.requestCertificate &&
|
| - ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
|
| - ss->ssl3.hs.ws = wait_client_cert;
|
| - } else {
|
| - ss->ssl3.hs.ws = wait_finished;
|
| - }
|
| + ss->ssl3.hs.ws = wait_finished;
|
|
|
| SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
|
| SSL_GETPID(), ss->fd ));
|
| @@ -5087,11 +5080,10 @@ loser:
|
| static SECStatus
|
| ssl3_SendCertificateVerify(sslSocket *ss)
|
| {
|
| - SECStatus rv = SECFailure;
|
| - PRBool isTLS;
|
| - SECItem buf = {siBuffer, NULL, 0};
|
| - SSL3Hashes hashes;
|
| - ssl3CipherSpec *spec;
|
| + SECStatus rv = SECFailure;
|
| + PRBool isTLS;
|
| + SECItem buf = {siBuffer, NULL, 0};
|
| + SSL3Hashes hashes;
|
|
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
| @@ -5100,17 +5092,13 @@ ssl3_SendCertificateVerify(sslSocket *ss)
|
| SSL_GETPID(), ss->fd));
|
|
|
| ssl_GetSpecReadLock(ss);
|
| - spec = ss->ssl3.pwSpec;
|
| - if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
|
| - spec = ss->ssl3.cwSpec;
|
| - }
|
| - rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
|
| + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
|
| ssl_ReleaseSpecReadLock(ss);
|
| if (rv != SECSuccess) {
|
| goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
|
| }
|
|
|
| - isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
|
| + isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
|
| if (ss->ssl3.platformClientKey) {
|
| #ifdef NSS_PLATFORM_CLIENT_AUTH
|
| rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
|
| @@ -6165,10 +6153,6 @@ ssl3_SendClientSecondRound(sslSocket *ss)
|
| {
|
| SECStatus rv;
|
| PRBool sendClientCert;
|
| - PRBool sendEmptyCert;
|
| - int n = 0, i;
|
| - typedef SECStatus (*SendFunction)(sslSocket*);
|
| - SendFunction send_funcs[5];
|
|
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
|
| @@ -6215,40 +6199,35 @@ ssl3_SendClientSecondRound(sslSocket *ss)
|
|
|
| ssl_GetXmitBufLock(ss); /*******************************/
|
|
|
| - sendEmptyCert = ss->ssl3.sendEmptyCert;
|
| - ss->ssl3.sendEmptyCert = PR_FALSE;
|
| -
|
| - if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
|
| - send_funcs[n++] = ssl3_SendClientKeyExchange;
|
| - send_funcs[n++] = ssl3_SendChangeCipherSpecs;
|
| - if (sendEmptyCert) {
|
| - send_funcs[n++] = ssl3_SendEmptyCertificate;
|
| - }
|
| - if (sendClientCert) {
|
| - send_funcs[n++] = ssl3_SendCertificate;
|
| - send_funcs[n++] = ssl3_SendCertificateVerify;
|
| - }
|
| - } else {
|
| - if (sendEmptyCert) {
|
| - send_funcs[n++] = ssl3_SendEmptyCertificate;
|
| - }
|
| - if (sendClientCert) {
|
| - send_funcs[n++] = ssl3_SendCertificate;
|
| - }
|
| - send_funcs[n++] = ssl3_SendClientKeyExchange;
|
| - if (sendClientCert) {
|
| - send_funcs[n++] = ssl3_SendCertificateVerify;
|
| - }
|
| - send_funcs[n++] = ssl3_SendChangeCipherSpecs;
|
| + if (ss->ssl3.sendEmptyCert) {
|
| + ss->ssl3.sendEmptyCert = PR_FALSE;
|
| + rv = ssl3_SendEmptyCertificate(ss);
|
| + /* Don't send verify */
|
| + if (rv != SECSuccess) {
|
| + goto loser; /* error code is set. */
|
| + }
|
| + } else if (sendClientCert) {
|
| + rv = ssl3_SendCertificate(ss);
|
| + if (rv != SECSuccess) {
|
| + goto loser; /* error code is set. */
|
| + }
|
| }
|
|
|
| - PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]));
|
| + rv = ssl3_SendClientKeyExchange(ss);
|
| + if (rv != SECSuccess) {
|
| + goto loser; /* err is set. */
|
| + }
|
|
|
| - for (i = 0; i < n; i++) {
|
| - rv = send_funcs[i](ss);
|
| + if (sendClientCert) {
|
| + rv = ssl3_SendCertificateVerify(ss);
|
| if (rv != SECSuccess) {
|
| - goto loser; /* err code was set. */
|
| - }
|
| + goto loser; /* err is set. */
|
| + }
|
| + }
|
| +
|
| + rv = ssl3_SendChangeCipherSpecs(ss);
|
| + if (rv != SECSuccess) {
|
| + goto loser; /* err code was set. */
|
| }
|
|
|
| /* XXX: If the server's certificate hasn't been authenticated by this
|
| @@ -6463,13 +6442,8 @@ ssl3_SendServerHelloSequence(sslSocket *ss)
|
| return rv; /* err code is set. */
|
| }
|
|
|
| - if (ss->opt.requestCertificate &&
|
| - !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
|
| - ss->ssl3.hs.ws = wait_client_cert;
|
| - } else {
|
| - ss->ssl3.hs.ws = wait_client_key;
|
| - }
|
| -
|
| + ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
|
| + : wait_client_key;
|
| return SECSuccess;
|
| }
|
|
|
| @@ -7766,11 +7740,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
|
| desc = isTLS ? decode_error : illegal_parameter;
|
| goto alert_loser; /* malformed */
|
| }
|
| - if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
|
| - ss->ssl3.hs.ws = wait_finished;
|
| - } else {
|
| - ss->ssl3.hs.ws = wait_change_cipher;
|
| - }
|
| + ss->ssl3.hs.ws = wait_change_cipher;
|
| return SECSuccess;
|
|
|
| alert_loser:
|
| @@ -8683,11 +8653,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| }
|
| } else {
|
| server_no_cert:
|
| - if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
|
| - ss->ssl3.hs.ws = wait_cert_verify;
|
| - } else {
|
| - ss->ssl3.hs.ws = wait_client_key;
|
| - }
|
| + ss->ssl3.hs.ws = wait_client_key;
|
| }
|
|
|
| PORT_Assert(rv == SECSuccess);
|
| @@ -9302,8 +9268,6 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| if (type == finished) {
|
| sender = ss->sec.isServer ? sender_client : sender_server;
|
| rSpec = ss->ssl3.crSpec;
|
| - } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
|
| - rSpec = ss->ssl3.crSpec;
|
| }
|
| rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
|
| }
|
|
|
Chromium Code Reviews
Issue 10387222:
nss: revert encrypted and origin bound certificates support. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src