Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(273)

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 10777021: Cap the record layer version number of TLS ClientHello to TLS 1.0 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Make the changes rsleevi suggested. Add the patch file. Created 8 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/ssl/dtls1con.c ('k') | net/third_party/nss/ssl/sslimpl.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * ***** BEGIN LICENSE BLOCK ***** 5 * ***** BEGIN LICENSE BLOCK *****
6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
7 * 7 *
8 * The contents of this file are subject to the Mozilla Public License Version 8 * The contents of this file are subject to the Mozilla Public License Version
9 * 1.1 (the "License"); you may not use this file except in compliance with 9 * 1.1 (the "License"); you may not use this file except in compliance with
10 * the License. You may obtain a copy of the License at 10 * the License. You may obtain a copy of the License at
(...skipping 2039 matching lines...) Expand 10 before | Expand all | Expand 10 after
2050 PK11_FreeSlot(slot); 2050 PK11_FreeSlot(slot);
2051 } 2051 }
2052 return isPresent; 2052 return isPresent;
2053 } 2053 }
2054 2054
2055 /* Caller must hold the spec read lock. */ 2055 /* Caller must hold the spec read lock. */
2056 SECStatus 2056 SECStatus
2057 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, 2057 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
2058 PRBool isServer, 2058 PRBool isServer,
2059 PRBool isDTLS, 2059 PRBool isDTLS,
2060 PRBool capRecordVersion,
2060 SSL3ContentType type, 2061 SSL3ContentType type,
2061 const SSL3Opaque * pIn, 2062 const SSL3Opaque * pIn,
2062 PRUint32 contentLen, 2063 PRUint32 contentLen,
2063 sslBuffer * wrBuf) 2064 sslBuffer * wrBuf)
2064 { 2065 {
2065 const ssl3BulkCipherDef * cipher_def; 2066 const ssl3BulkCipherDef * cipher_def;
2066 SECStatus rv; 2067 SECStatus rv;
2067 PRUint32 macLen = 0; 2068 PRUint32 macLen = 0;
2068 PRUint32 fragLen; 2069 PRUint32 fragLen;
2069 PRUint32 p1Len, p2Len, oddLen = 0; 2070 PRUint32 p1Len, p2Len, oddLen = 0;
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after
2209 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16); 2210 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
2210 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8); 2211 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8);
2211 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0); 2212 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0);
2212 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24); 2213 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24);
2213 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16); 2214 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16);
2214 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8); 2215 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8);
2215 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0); 2216 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0);
2216 wrBuf->buf[11] = MSB(cipherBytes); 2217 wrBuf->buf[11] = MSB(cipherBytes);
2217 wrBuf->buf[12] = LSB(cipherBytes); 2218 wrBuf->buf[12] = LSB(cipherBytes);
2218 } else { 2219 } else {
2219 » wrBuf->buf[1] = MSB(cwSpec->version); 2220 » SSL3ProtocolVersion version = cwSpec->version;
2220 » wrBuf->buf[2] = LSB(cwSpec->version); 2221
2222 » if (capRecordVersion) {
2223 » version = PR_MIN(SSL_LIBRARY_VERSION_TLS_1_0, version);
2224 » }
2225 » wrBuf->buf[1] = MSB(version);
2226 » wrBuf->buf[2] = LSB(version);
2221 wrBuf->buf[3] = MSB(cipherBytes); 2227 wrBuf->buf[3] = MSB(cipherBytes);
2222 wrBuf->buf[4] = LSB(cipherBytes); 2228 wrBuf->buf[4] = LSB(cipherBytes);
2223 } 2229 }
2224 2230
2225 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); 2231 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
2226 2232
2227 return SECSuccess; 2233 return SECSuccess;
2228 } 2234 }
2229 2235
2230 /* Process the plain text before sending it. 2236 /* Process the plain text before sending it.
2231 * Returns the number of bytes of plaintext that were successfully sent 2237 * Returns the number of bytes of plaintext that were successfully sent
2232 * plus the number of bytes of plaintext that were copied into the 2238 * plus the number of bytes of plaintext that were copied into the
2233 * output (write) buffer. 2239 * output (write) buffer.
2234 * Returns SECFailure on a hard IO error, memory error, or crypto error. 2240 * Returns SECFailure on a hard IO error, memory error, or crypto error.
2235 * Does NOT return SECWouldBlock. 2241 * Does NOT return SECWouldBlock.
2236 * 2242 *
2237 * Notes on the use of the private ssl flags: 2243 * Notes on the use of the private ssl flags:
2238 * (no private SSL flags) 2244 * (no private SSL flags)
2239 * Attempt to make and send SSL records for all plaintext 2245 * Attempt to make and send SSL records for all plaintext
2240 * If non-blocking and a send gets WOULD_BLOCK, 2246 * If non-blocking and a send gets WOULD_BLOCK,
2241 * or if the pending (ciphertext) buffer is not empty, 2247 * or if the pending (ciphertext) buffer is not empty,
2242 * then buffer remaining bytes of ciphertext into pending buf, 2248 * then buffer remaining bytes of ciphertext into pending buf,
2243 * and continue to do that for all succssive records until all 2249 * and continue to do that for all succssive records until all
2244 * bytes are used. 2250 * bytes are used.
2245 * ssl_SEND_FLAG_FORCE_INTO_BUFFER 2251 * ssl_SEND_FLAG_FORCE_INTO_BUFFER
2246 * As above, except this suppresses all write attempts, and forces 2252 * As above, except this suppresses all write attempts, and forces
2247 * all ciphertext into the pending ciphertext buffer. 2253 * all ciphertext into the pending ciphertext buffer.
2248 * ssl_SEND_FLAG_USE_EPOCH (for DTLS) 2254 * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
2249 * Forces the use of the provided epoch 2255 * Forces the use of the provided epoch
2250 * 2256 * ssl_SEND_FLAG_CAP_RECORD_VERSION
2257 * Caps the record layer version number of TLS ClientHello to { 3, 1 }
2258 * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
2259 * ClientHello.client_version and use the record layer version number
2260 * (TLSPlaintext.version) instead when negotiating protocol versions. In
2261 * addition, if the record layer version number of ClientHello is { 3, 2 }
2262 * (TLS 1.1) or higher, these servers reset the TCP connections. Set this
2263 * flag to work around such servers.
2251 */ 2264 */
2252 PRInt32 2265 PRInt32
2253 ssl3_SendRecord( sslSocket * ss, 2266 ssl3_SendRecord( sslSocket * ss,
2254 DTLSEpoch epoch, /* DTLS only */ 2267 DTLSEpoch epoch, /* DTLS only */
2255 SSL3ContentType type, 2268 SSL3ContentType type,
2256 const SSL3Opaque * pIn, /* input buffer */ 2269 const SSL3Opaque * pIn, /* input buffer */
2257 PRInt32 nIn, /* bytes of input */ 2270 PRInt32 nIn, /* bytes of input */
2258 PRInt32 flags) 2271 PRInt32 flags)
2259 { 2272 {
2260 sslBuffer * wrBuf = &ss->sec.writeBuf; 2273 sslBuffer * wrBuf = &ss->sec.writeBuf;
2261 SECStatus rv; 2274 SECStatus rv;
2262 PRInt32 totalSent = 0; 2275 PRInt32 totalSent = 0;
2276 PRBool capRecordVersion;
2263 2277
2264 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", 2278 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
2265 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type), 2279 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
2266 nIn)); 2280 nIn));
2267 PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn)); 2281 PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
2268 2282
2269 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 2283 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2270 2284
2285 capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
2286
2287 if (capRecordVersion) {
2288 /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with
2289 * TLS ClientHello. */
2290 PORT_Assert(!IS_DTLS(ss));
2291 PORT_Assert(type == content_handshake);
2292 PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
2293 }
2294
2271 if (ss->ssl3.initialized == PR_FALSE) { 2295 if (ss->ssl3.initialized == PR_FALSE) {
2272 /* This can happen on a server if the very first incoming record 2296 /* This can happen on a server if the very first incoming record
2273 ** looks like a defective ssl3 record (e.g. too long), and we're 2297 ** looks like a defective ssl3 record (e.g. too long), and we're
2274 ** trying to send an alert. 2298 ** trying to send an alert.
2275 */ 2299 */
2276 PR_ASSERT(type == content_alert); 2300 PR_ASSERT(type == content_alert);
2277 rv = ssl3_InitState(ss); 2301 rv = ssl3_InitState(ss);
2278 if (rv != SECSuccess) { 2302 if (rv != SECSuccess) {
2279 return SECFailure; /* ssl3_InitState has set the error code. */ 2303 return SECFailure; /* ssl3_InitState has set the error code. */
2280 } 2304 }
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
2317 SSL_GETPID(), ss->fd, spaceNeeded)); 2341 SSL_GETPID(), ss->fd, spaceNeeded));
2318 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ 2342 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
2319 } 2343 }
2320 } 2344 }
2321 2345
2322 if (numRecords == 2) { 2346 if (numRecords == 2) {
2323 sslBuffer secondRecord; 2347 sslBuffer secondRecord;
2324 2348
2325 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, 2349 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2326 ss->sec.isServer, IS_DTLS(ss), 2350 ss->sec.isServer, IS_DTLS(ss),
2327 » » » » » type, pIn, 1, wrBuf); 2351 » » » » » capRecordVersion, type, pIn,
2352 » » » » » 1, wrBuf);
2328 if (rv != SECSuccess) 2353 if (rv != SECSuccess)
2329 goto spec_locked_loser; 2354 goto spec_locked_loser;
2330 2355
2331 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", 2356 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
2332 wrBuf->buf, wrBuf->len)); 2357 wrBuf->buf, wrBuf->len));
2333 2358
2334 secondRecord.buf = wrBuf->buf + wrBuf->len; 2359 secondRecord.buf = wrBuf->buf + wrBuf->len;
2335 secondRecord.len = 0; 2360 secondRecord.len = 0;
2336 secondRecord.space = wrBuf->space - wrBuf->len; 2361 secondRecord.space = wrBuf->space - wrBuf->len;
2337 2362
2338 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, 2363 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2339 ss->sec.isServer, IS_DTLS(ss), 2364 ss->sec.isServer, IS_DTLS(ss),
2340 » » » » » type, pIn + 1, contentLen - 1, 2365 » » » » » capRecordVersion, type,
2366 » » » » » pIn + 1, contentLen - 1,
2341 &secondRecord); 2367 &secondRecord);
2342 if (rv == SECSuccess) { 2368 if (rv == SECSuccess) {
2343 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", 2369 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
2344 secondRecord.buf, secondRecord.len)); 2370 secondRecord.buf, secondRecord.len));
2345 wrBuf->len += secondRecord.len; 2371 wrBuf->len += secondRecord.len;
2346 } 2372 }
2347 } else { 2373 } else {
2348 if (!IS_DTLS(ss)) { 2374 if (!IS_DTLS(ss)) {
2349 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, 2375 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2350 ss->sec.isServer, 2376 ss->sec.isServer,
2351 IS_DTLS(ss), 2377 IS_DTLS(ss),
2378 capRecordVersion,
2352 type, pIn, 2379 type, pIn,
2353 contentLen, wrBuf); 2380 contentLen, wrBuf);
2354 } else { 2381 } else {
2355 rv = dtls_CompressMACEncryptRecord(ss, epoch, 2382 rv = dtls_CompressMACEncryptRecord(ss, epoch,
2356 !!(flags & ssl_SEND_FLAG_USE_ EPOCH), 2383 !!(flags & ssl_SEND_FLAG_USE_ EPOCH),
2357 type, pIn, 2384 type, pIn,
2358 contentLen, wrBuf); 2385 contentLen, wrBuf);
2359 } 2386 }
2360 2387
2361 if (rv == SECSuccess) { 2388 if (rv == SECSuccess) {
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after
2553 2580
2554 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. 2581 /* Attempt to send the content of sendBuf buffer in an SSL handshake record.
2555 * This function returns SECSuccess or SECFailure, never SECWouldBlock. 2582 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
2556 * Always set sendBuf.len to 0, even when returning SECFailure. 2583 * Always set sendBuf.len to 0, even when returning SECFailure.
2557 * 2584 *
2558 * Called from ssl3_FlushHandshake 2585 * Called from ssl3_FlushHandshake
2559 */ 2586 */
2560 static SECStatus 2587 static SECStatus
2561 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) 2588 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
2562 { 2589 {
2590 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER |
2591 ssl_SEND_FLAG_CAP_RECORD_VERSION;
2563 PRInt32 rv = SECSuccess; 2592 PRInt32 rv = SECSuccess;
2564 2593
2565 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2594 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2566 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 2595 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2567 2596
2568 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) 2597 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
2569 return rv; 2598 return rv;
2570 2599
2571 /* only this flag is allowed */ 2600 /* only these flags are allowed */
2572 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); 2601 PORT_Assert(!(flags & ~allowedFlags));
2573 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { 2602 if ((flags & ~allowedFlags) != 0) {
2574 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2603 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2575 rv = SECFailure; 2604 rv = SECFailure;
2576 } else { 2605 } else {
2577 rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf, 2606 rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
2578 ss->sec.ci.sendBuf.len, flags); 2607 ss->sec.ci.sendBuf.len, flags);
2579 } 2608 }
2580 if (rv < 0) { 2609 if (rv < 0) {
2581 int err = PORT_GetError(); 2610 int err = PORT_GetError();
2582 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); 2611 PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
2583 if (err == PR_WOULD_BLOCK_ERROR) { 2612 if (err == PR_WOULD_BLOCK_ERROR) {
(...skipping 1390 matching lines...) Expand 10 before | Expand all | Expand 10 after
3974 ssl3_SendClientHello(sslSocket *ss, PRBool resending) 4003 ssl3_SendClientHello(sslSocket *ss, PRBool resending)
3975 { 4004 {
3976 sslSessionID * sid; 4005 sslSessionID * sid;
3977 ssl3CipherSpec * cwSpec; 4006 ssl3CipherSpec * cwSpec;
3978 SECStatus rv; 4007 SECStatus rv;
3979 int i; 4008 int i;
3980 int length; 4009 int length;
3981 int num_suites; 4010 int num_suites;
3982 int actual_count = 0; 4011 int actual_count = 0;
3983 PRBool isTLS = PR_FALSE; 4012 PRBool isTLS = PR_FALSE;
4013 PRBool serverVersionKnown = PR_FALSE;
3984 PRInt32 total_exten_len = 0; 4014 PRInt32 total_exten_len = 0;
3985 unsigned numCompressionMethods; 4015 unsigned numCompressionMethods;
4016 PRInt32 flags;
3986 4017
3987 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), 4018 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
3988 ss->fd)); 4019 ss->fd));
3989 4020
3990 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4021 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3991 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 4022 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3992 4023
3993 rv = ssl3_InitState(ss); 4024 rv = ssl3_InitState(ss);
3994 if (rv != SECSuccess) { 4025 if (rv != SECSuccess) {
3995 return rv; /* ssl3_InitState has set the error code. */ 4026 return rv; /* ssl3_InitState has set the error code. */
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after
4063 4094
4064 if (!sidOK) { 4095 if (!sidOK) {
4065 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok ); 4096 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
4066 (*ss->sec.uncache)(sid); 4097 (*ss->sec.uncache)(sid);
4067 ssl_FreeSID(sid); 4098 ssl_FreeSID(sid);
4068 sid = NULL; 4099 sid = NULL;
4069 } 4100 }
4070 } 4101 }
4071 4102
4072 if (sid) { 4103 if (sid) {
4104 serverVersionKnown = PR_TRUE;
4073 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); 4105 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
4074 4106
4075 /* Are we attempting a stateless session resume? */ 4107 /* Are we attempting a stateless session resume? */
4076 if (sid->version > SSL_LIBRARY_VERSION_3_0 && 4108 if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
4077 sid->u.ssl3.sessionTicket.ticket.data) 4109 sid->u.ssl3.sessionTicket.ticket.data)
4078 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes ); 4110 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
4079 4111
4080 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, 4112 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
4081 sid->u.ssl3.sessionIDLength)); 4113 sid->u.ssl3.sessionIDLength));
4082 4114
(...skipping 215 matching lines...) Expand 10 before | Expand all | Expand 10 after
4298 maxBytes -= extLen; 4330 maxBytes -= extLen;
4299 PORT_Assert(!maxBytes); 4331 PORT_Assert(!maxBytes);
4300 } 4332 }
4301 if (ss->ssl3.hs.sendingSCSV) { 4333 if (ss->ssl3.hs.sendingSCSV) {
4302 /* Since we sent the SCSV, pretend we sent empty RI extension. */ 4334 /* Since we sent the SCSV, pretend we sent empty RI extension. */
4303 TLSExtensionData *xtnData = &ss->xtnData; 4335 TLSExtensionData *xtnData = &ss->xtnData;
4304 xtnData->advertised[xtnData->numAdvertised++] = 4336 xtnData->advertised[xtnData->numAdvertised++] =
4305 ssl_renegotiation_info_xtn; 4337 ssl_renegotiation_info_xtn;
4306 } 4338 }
4307 4339
4308 rv = ssl3_FlushHandshake(ss, 0); 4340 flags = 0;
4341 if (!serverVersionKnown && !IS_DTLS(ss)) {
4342 » flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
4343 }
4344 rv = ssl3_FlushHandshake(ss, flags);
4309 if (rv != SECSuccess) { 4345 if (rv != SECSuccess) {
4310 return rv; /* error code set by ssl3_FlushHandshake */ 4346 return rv; /* error code set by ssl3_FlushHandshake */
4311 } 4347 }
4312 4348
4313 ss->ssl3.hs.ws = wait_server_hello; 4349 ss->ssl3.hs.ws = wait_server_hello;
4314 return rv; 4350 return rv;
4315 } 4351 }
4316 4352
4317 4353
4318 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 4354 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
(...skipping 6437 matching lines...) Expand 10 before | Expand all | Expand 10 after
10756 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 10792 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
10757 } 10793 }
10758 } 10794 }
10759 10795
10760 ss->ssl3.initialized = PR_FALSE; 10796 ss->ssl3.initialized = PR_FALSE;
10761 10797
10762 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 10798 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
10763 } 10799 }
10764 10800
10765 /* End of ssl3con.c */ 10801 /* End of ssl3con.c */
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/dtls1con.c ('k') | net/third_party/nss/ssl/sslimpl.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698