Index: net/third_party/nss/ssl/ssl3con.c |
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c |
index 55e490142cbe70f5eb600d7a9008322ed99363e1..db9fad3dde5c2d84d4c14d7b0292f77a9ac743d2 100644 |
--- a/net/third_party/nss/ssl/ssl3con.c |
+++ b/net/third_party/nss/ssl/ssl3con.c |
@@ -2991,14 +2991,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf) |
ss->ssl3.prSpec = ss->ssl3.crSpec; |
ss->ssl3.crSpec = prSpec; |
- |
- if (ss->sec.isServer && |
- ss->opt.requestCertificate && |
- ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
- ss->ssl3.hs.ws = wait_client_cert; |
- } else { |
- ss->ssl3.hs.ws = wait_finished; |
- } |
+ ss->ssl3.hs.ws = wait_finished; |
SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", |
SSL_GETPID(), ss->fd )); |
@@ -5087,11 +5080,10 @@ loser: |
static SECStatus |
ssl3_SendCertificateVerify(sslSocket *ss) |
{ |
- SECStatus rv = SECFailure; |
- PRBool isTLS; |
- SECItem buf = {siBuffer, NULL, 0}; |
- SSL3Hashes hashes; |
- ssl3CipherSpec *spec; |
+ SECStatus rv = SECFailure; |
+ PRBool isTLS; |
+ SECItem buf = {siBuffer, NULL, 0}; |
+ SSL3Hashes hashes; |
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
@@ -5100,17 +5092,13 @@ ssl3_SendCertificateVerify(sslSocket *ss) |
SSL_GETPID(), ss->fd)); |
ssl_GetSpecReadLock(ss); |
- spec = ss->ssl3.pwSpec; |
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
- spec = ss->ssl3.cwSpec; |
- } |
- rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0); |
+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
ssl_ReleaseSpecReadLock(ss); |
if (rv != SECSuccess) { |
goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
} |
- isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); |
+ isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
if (ss->ssl3.platformClientKey) { |
#ifdef NSS_PLATFORM_CLIENT_AUTH |
rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, |
@@ -6165,10 +6153,6 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
{ |
SECStatus rv; |
PRBool sendClientCert; |
- PRBool sendEmptyCert; |
- int n = 0, i; |
- typedef SECStatus (*SendFunction)(sslSocket*); |
- SendFunction send_funcs[5]; |
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
@@ -6215,40 +6199,35 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
ssl_GetXmitBufLock(ss); /*******************************/ |
- sendEmptyCert = ss->ssl3.sendEmptyCert; |
- ss->ssl3.sendEmptyCert = PR_FALSE; |
- |
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
- send_funcs[n++] = ssl3_SendClientKeyExchange; |
- send_funcs[n++] = ssl3_SendChangeCipherSpecs; |
- if (sendEmptyCert) { |
- send_funcs[n++] = ssl3_SendEmptyCertificate; |
- } |
- if (sendClientCert) { |
- send_funcs[n++] = ssl3_SendCertificate; |
- send_funcs[n++] = ssl3_SendCertificateVerify; |
- } |
- } else { |
- if (sendEmptyCert) { |
- send_funcs[n++] = ssl3_SendEmptyCertificate; |
- } |
- if (sendClientCert) { |
- send_funcs[n++] = ssl3_SendCertificate; |
- } |
- send_funcs[n++] = ssl3_SendClientKeyExchange; |
- if (sendClientCert) { |
- send_funcs[n++] = ssl3_SendCertificateVerify; |
- } |
- send_funcs[n++] = ssl3_SendChangeCipherSpecs; |
+ if (ss->ssl3.sendEmptyCert) { |
+ ss->ssl3.sendEmptyCert = PR_FALSE; |
+ rv = ssl3_SendEmptyCertificate(ss); |
+ /* Don't send verify */ |
+ if (rv != SECSuccess) { |
+ goto loser; /* error code is set. */ |
+ } |
+ } else if (sendClientCert) { |
+ rv = ssl3_SendCertificate(ss); |
+ if (rv != SECSuccess) { |
+ goto loser; /* error code is set. */ |
+ } |
} |
- PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0])); |
+ rv = ssl3_SendClientKeyExchange(ss); |
+ if (rv != SECSuccess) { |
+ goto loser; /* err is set. */ |
+ } |
- for (i = 0; i < n; i++) { |
- rv = send_funcs[i](ss); |
+ if (sendClientCert) { |
+ rv = ssl3_SendCertificateVerify(ss); |
if (rv != SECSuccess) { |
- goto loser; /* err code was set. */ |
- } |
+ goto loser; /* err is set. */ |
+ } |
+ } |
+ |
+ rv = ssl3_SendChangeCipherSpecs(ss); |
+ if (rv != SECSuccess) { |
+ goto loser; /* err code was set. */ |
} |
/* XXX: If the server's certificate hasn't been authenticated by this |
@@ -6463,13 +6442,8 @@ ssl3_SendServerHelloSequence(sslSocket *ss) |
return rv; /* err code is set. */ |
} |
- if (ss->opt.requestCertificate && |
- !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
- ss->ssl3.hs.ws = wait_client_cert; |
- } else { |
- ss->ssl3.hs.ws = wait_client_key; |
- } |
- |
+ ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert |
+ : wait_client_key; |
return SECSuccess; |
} |
@@ -7766,11 +7740,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
desc = isTLS ? decode_error : illegal_parameter; |
goto alert_loser; /* malformed */ |
} |
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
- ss->ssl3.hs.ws = wait_finished; |
- } else { |
- ss->ssl3.hs.ws = wait_change_cipher; |
- } |
+ ss->ssl3.hs.ws = wait_change_cipher; |
return SECSuccess; |
alert_loser: |
@@ -8683,11 +8653,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
} |
} else { |
server_no_cert: |
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
- ss->ssl3.hs.ws = wait_cert_verify; |
- } else { |
- ss->ssl3.hs.ws = wait_client_key; |
- } |
+ ss->ssl3.hs.ws = wait_client_key; |
} |
PORT_Assert(rv == SECSuccess); |
@@ -9302,8 +9268,6 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
if (type == finished) { |
sender = ss->sec.isServer ? sender_client : sender_server; |
rSpec = ss->ssl3.crSpec; |
- } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
- rSpec = ss->ssl3.crSpec; |
} |
rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); |
} |