Attachment #26588 for bug #56924

Attachment #26588: proposed patch, see comments below. for bug #56924

View | Details | Raw Unified | Return to bug 56924
Collapse All | Expand All






	    if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {

		ss->handshakeBegun = 1;
		count = ssl_SendSavedWriteData(ss, &ss->pendingBuf,
		                               &ssl_DefSend);
		if (count < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {

		}
	    }
	} else if (write->len > 0) {
	    ss->handshakeBegun = 1;
	    count = ssl_DefSend(ss, write->buf, write->len,
				flags & ~ssl_SEND_FLAG_MASK);
	    if (count < 0) {

    /* If the server has required client-auth blindly but doesn't
     * actually look at the certificate it won't know that no
     * certificate was presented so we shutdown the socket to ensure
     * an error.  We only do this if we haven't already completed the
     * first handshake because if we're redoing the handshake we 
     * know the server is paying attention to the certificate.
     */
    if ((ss->requireCertificate == 1) ||
	(!ss->firstHsDone && (ss->requireCertificate > 1))) {
	PRFileDesc * lower;

	ss->sec->uncache(ss->sec->ci.sid);

	 */
	if ((sid->peerCert == NULL) && ss->requestCertificate &&
	    ((ss->requireCertificate == 1) ||
	     ((ss->requireCertificate == 2) && !ss->firstHsDone))) {

	    ++ssl3stats.hch_sid_cache_not_ok;
	    ss->sec->uncache(sid);


    ssl_ReleaseXmitBufLock(ss);	/*************************************/

    /* The first handshake is now completed. */
    ss->handshake           = NULL;
    ss->firstHsDone         = PR_TRUE;
    ss->gather->writeOffset = 0;
    ss->gather->readOffset  = 0;


}

/*
** If ssl3 socket has completed the first handshake, and is in idle state, 
** then start a new handshake.
** If flushCache is true, the SID cache will be flushed first, forcing a
** "Full" handshake (not a session restart handshake), to be done.
**


    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );

    if (!ss->firstHsDone ||
        ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
	 ss->ssl3 && (ss->ssl3->hs.ws != idle_handshake))) {
	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);

(-)sslauth.c (-1 / +1 lines)

Line	Link Here

Lines 84-90	Link Here

	*op = SSL_SECURITY_STATUS_OFF;

	*op = SSL_SECURITY_STATUS_OFF;

    if (ss->useSecurity && ss->connected) {

    if (ss->useSecurity && ss->firstHsDone) {

	PORT_Assert(ss->sec != 0);

	PORT_Assert(ss->sec != 0);

	sec = ss->sec;

	sec = ss->sec;

(-)sslcon.c (+3 lines)

Line	Link Here

Lines 546-551	Link Here

546

547

    SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));

547

    SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));

548

549

    ss->handshakeBegun = 1;

549

    rv = (*sec->send)(ss, msg, sizeof(msg), 0);

550

    rv = (*sec->send)(ss, msg, sizeof(msg), 0);

550

    if (rv >= 0) {

551

    if (rv >= 0) {

551

	rv = SECSuccess;

552

	rv = SECSuccess;

Lines 3102-3107	Link Here

3102

3103

    /* Send it to the server */

3104

    /* Send it to the server */

3104

    DUMP_MSG(29, (ss, msg, sendLen));

3105

    DUMP_MSG(29, (ss, msg, sendLen));

3106

    ss->handshakeBegun = 1;

3105

    rv = (*sec->send)(ss, msg, sendLen, 0);

3107

    rv = (*sec->send)(ss, msg, sendLen, 0);

3106

3108

3107

    ssl_ReleaseXmitBufLock(ss);    /***************************************/

3109

    ssl_ReleaseXmitBufLock(ss);    /***************************************/

Lines 3595-3600	Link Here

3595

3597

3596

    DUMP_MSG(29, (ss, msg, sendLen));

3598

    DUMP_MSG(29, (ss, msg, sendLen));

3597

3599

3600

    ss->handshakeBegun = 1;

3598

    sent = (*sec->send)(ss, msg, sendLen, 0);

3601

    sent = (*sec->send)(ss, msg, sendLen, 0);

3599

    if (sent < 0) {

3602

    if (sent < 0) {

3600

	goto loser;

3603

	goto loser;





 * may use your version of this file under either the MPL or the
 * GPL.
 *
 * $Id: ssldef.c,v 1.1 2001/02/09 19:40:18 nelsonb Exp nelsonb $
 */

#include "cert.h"

	if (rv < 0) {
	    PRErrorCode err = PR_GetError();
	    if (err == PR_WOULD_BLOCK_ERROR) {
		ss->lastWriteBlocked = 1;
		return count ? count : rv;
	    }
	    ss->lastWriteBlocked = 0;
	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
	    /* Loser */
	    return rv;

	}
	break;
    }
    ss->lastWriteBlocked = 0;
    return count;
}


	if (rv < 0) {
	    PRErrorCode err = PR_GetError();
	    if (err == PR_WOULD_BLOCK_ERROR) {
		ss->lastWriteBlocked = 1;
		return count ? count : rv;
	    }
	    ss->lastWriteBlocked = 0;
	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
	    /* Loser */
	    return rv;

	}
	break;
    }
    ss->lastWriteBlocked = 0;
    return count;
}


(-)sslgathr.c (-2 / +2 lines)

Line	Link Here

Lines 139-145	Link Here

139

	/* Probably finished this piece */

139

	/* Probably finished this piece */

140

	switch (gs->state) {

140

	switch (gs->state) {

141

	case GS_HEADER:

141

	case GS_HEADER:

142

	    if ((ss->enableSSL3 || ss->enableTLS) && !ss->connected) {

142

	    if ((ss->enableSSL3 || ss->enableTLS) && !ss->firstHsDone) {

143

144

		PORT_Assert( ssl_Have1stHandshakeLock(ss) );

144

		PORT_Assert( ssl_Have1stHandshakeLock(ss) );

145

Lines 183-189	Link Here

183

			return SECFailure;

183

			return SECFailure;

184

185

186

	    }	/* ((ss->enableSSL3 || ss->enableTLS) && !ss->connected) */

186

	    }	/* ((ss->enableSSL3 || ss->enableTLS) && !ss->firstHsDone) */

187

188

	    /* we've got the first 3 bytes.  The header may be two or three. */

188

	    /* we've got the first 3 bytes.  The header may be two or three. */

189

	    if (gs->hdr[0] & 0x80) {

189

	    if (gs->hdr[0] & 0x80) {

(-)sslimpl.h (-4 / +14 lines)

Line	Link Here

Lines 33-39	Link Here

 * may use your version of this file under either the MPL or the

 * may use your version of this file under either the MPL or the

 * GPL.

 * GPL.

 * $Id: sslimpl.h,v 1.10 2001/02/07 17:50:43 wtc%netscape.com Exp $

 * $Id: sslimpl.h,v 1.3 2001/02/09 19:40:18 nelsonb Exp nelsonb $

*/

*/

#ifndef __sslimpl_h_

#ifndef __sslimpl_h_

Lines 238-243	Link Here

238

    unsigned int detectRollBack  	: 1;  /* 14 */

238

    unsigned int detectRollBack  	: 1;  /* 14 */

239

} sslOptions;

239

} sslOptions;

240

241

typedef enum { sslHandshakingUndetermined = 0,

242

	       sslHandshakingAsClient,

243

	       sslHandshakingAsServer

244

} sslHandshakingType;

245

241

/*

246

/*

242

** SSL Socket struct

247

** SSL Socket struct

243

**

248

**

Lines 254-273	Link Here

254

    unsigned int     useSecurity	: 1;

259

    unsigned int     useSecurity	: 1;

255

    unsigned int     requestCertificate	: 1;

260

    unsigned int     requestCertificate	: 1;

256

    unsigned int     requireCertificate	: 2;

261

    unsigned int     requireCertificate	: 2;

257

258

    unsigned int     handshakeAsClient	: 1;

262

    unsigned int     handshakeAsClient	: 1;

259

    unsigned int     handshakeAsServer	: 1;

263

    unsigned int     handshakeAsServer	: 1;

260

    unsigned int     enableSSL2		: 1;

264

    unsigned int     enableSSL2		: 1;

265

261

    unsigned int     enableSSL3		: 1;

266

    unsigned int     enableSSL3		: 1;

262

    unsigned int     enableTLS		: 1;

267

    unsigned int     enableTLS		: 1;

263

264

    unsigned int     clientAuthRequested: 1;

268

    unsigned int     clientAuthRequested: 1;

265

    unsigned int     noCache		: 1;

269

    unsigned int     noCache		: 1;

266

    unsigned int     fdx		: 1; /* simultaneous read/write threads */

270

    unsigned int     fdx		: 1; /* simultaneous read/write threads */

267

    unsigned int     v2CompatibleHello	: 1; /* Send v3+ client hello in v2 format */

271

    unsigned int     v2CompatibleHello	: 1; /* Send v3+ client hello in v2 format */

268

    unsigned int     detectRollBack   	: 1; /* Detect rollback to SSL v3 */

272

    unsigned int     detectRollBack   	: 1; /* Detect rollback to SSL v3 */

269

    unsigned int     connected		: 1; /* initial handshake is complete. */

273

    unsigned int     firstHsDone	: 1; /* first handshake is complete. */

274

270

    unsigned int     recvdCloseNotify	: 1; /* received SSL EOF. */

275

    unsigned int     recvdCloseNotify	: 1; /* received SSL EOF. */

276

    unsigned int     lastWriteBlocked   : 1;

277

    unsigned int     TCPconnected       : 1;

278

    unsigned int     handshakeBegun     : 1;

271

279

272

    /* version of the protocol to use */

280

    /* version of the protocol to use */

273

    SSL3ProtocolVersion version;

281

    SSL3ProtocolVersion version;

Lines 352-357	Link Here

352

    PRUint16	allowedByPolicy;          /* copy of global policy bits. */

360

    PRUint16	allowedByPolicy;          /* copy of global policy bits. */

353

    PRUint16	maybeAllowedByPolicy;     /* copy of global policy bits. */

361

    PRUint16	maybeAllowedByPolicy;     /* copy of global policy bits. */

354

    PRUint16	chosenPreference;         /* SSL2 cipher preferences. */

362

    PRUint16	chosenPreference;         /* SSL2 cipher preferences. */

363

364

    sslHandshakingType handshaking;

355

365

356

    ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];

366

    ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];

357

367





	    /* for v3 this is done in ssl3_HandleFinished() */
	    if ((ss->sec != NULL) &&               /* used SSL */
	        (ss->handshakeCallback != NULL) && /* has callback */
		(!ss->firstHsDone) &&              /* only first time */
		(ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
		ss->firstHsDone     = PR_TRUE;
		(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
	    }
	    ss->firstHsDone         = PR_TRUE;
	    ss->gather->writeOffset = 0;
	    ss->gather->readOffset  = 0;
	    break;

void
ssl_SetAlwaysBlock(sslSocket *ss)
{
    if (!ss->firstHsDone) {
	ss->handshake = AlwaysBlock;
	ss->nextHandshake = 0;
    }

{
    sslSocket *ss;
    SECStatus rv;
    PRNetAddr addr;

    ss = ssl_FindSocket(s);
    if (!ss) {

    ssl_Get1stHandshakeLock(ss);
    ssl_GetSSL3HandshakeLock(ss);

    ss->firstHsDone = PR_FALSE;
    if ( asServer ) {
	ss->securityHandshake = ssl2_BeginServerHandshake;
	ss->handshaking = sslHandshakingAsServer;
    } else {
	ss->securityHandshake = ssl2_BeginClientHandshake;
	ss->handshaking = sslHandshakingAsClient;
    }
    ss->nextHandshake       = 0;
    ss->securityHandshake   = 0;


    ssl_ReleaseSSL3HandshakeLock(ss);
    ssl_Release1stHandshakeLock(ss);

    if (!ss->TCPconnected)
	ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));

    SSL_UNLOCK_WRITER(ss);
    SSL_UNLOCK_READER(ss);


	} else if (gatherResult == SECWouldBlock) {
	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
	}
    } else if (!ss->firstHsDone) {
	rv = ssl_Do1stHandshake(ss);
    } else {
	/* tried to force handshake on an SSL 2 socket that has 
	** already completed the handshake. */
    	rv = SECSuccess;	/* just pretend we did it. */
    }



    PORT_Assert(ss->sec != 0);

    /* First connect to server */
    rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
    if (rv < 0) {
	int olderrno = PR_GetError();
	SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
		 SSL_GETPID(), ss->fd, olderrno));
	if ((olderrno == PR_IS_CONNECTED_ERROR) ||
	    (olderrno == PR_IN_PROGRESS_ERROR)) {
	    /*
	    ** Connected or trying to connect.  Caller is Using a non-blocking
	    ** connect. Go ahead and set things up.
	    */
	} else {
	    return rv;
	}
    }

    SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, setting up handshake",
		SSL_GETPID(), ss->fd));

    if ( ss->handshakeAsServer ) {
	ss->securityHandshake = ssl2_BeginServerHandshake;
	ss->handshaking = sslHandshakingAsServer;
    } else {
	ss->securityHandshake = ssl2_BeginClientHandshake;
	ss->handshaking = sslHandshakingAsClient;
    }

    /* connect to server */
    rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
    if (rv == PR_SUCCESS) {
	ss->TCPconnected = 1;
    } else {
	int err = PR_GetError();
	SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
		 SSL_GETPID(), ss->fd, err));
	if (err == PR_IS_CONNECTED_ERROR) {
	    ss->TCPconnected = 1;
	} 
    }

    SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, rv == %d",
		SSL_GETPID(), ss->fd, rv));
    return rv;
}


    int rv;

    if (ss->version >= SSL_LIBRARY_VERSION_3_0 	&&
    	ss->firstHsDone 			&& 
	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)	&&
	!ss->recvdCloseNotify                   &&
	(ss->ssl3 != NULL)) {

	(void) SSL3_SendAlert(ss, alert_warning, close_notify);

    if ((sslHow & ssl_SHUTDOWN_SEND) != 0 		&&
	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)		&&
    	(ss->version >= SSL_LIBRARY_VERSION_3_0)	&&
	ss->firstHsDone 				&& 
	!ss->recvdCloseNotify                   	&&
	(ss->ssl3 != NULL)) {

	(void) SSL3_SendAlert(ss, alert_warning, close_notify);

    
    rv = 0;
    /* If any of these is non-zero, the initial handshake is not done. */
    if (!ss->firstHsDone) {
	ssl_Get1stHandshakeLock(ss);
	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
	    rv = ssl_Do1stHandshake(ss);

    if (len > 0) 
    	ss->writerThread = PR_GetCurrentThread();
    /* If any of these is non-zero, the initial handshake is not done. */
    if (!ss->firstHsDone) {
	ssl_Get1stHandshakeLock(ss);
	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
	    rv = ssl_Do1stHandshake(ss);

	ssl_Get1stHandshakeLock(ss);
	ssl_GetSSL3HandshakeLock(ss);

	if (ss->useSecurity && ss->firstHsDone && ss->sec && ss->sec->ci.sid) {
	    sid = ss->sec->ci.sid;
	    item = (SECItem *)PORT_Alloc(sizeof(SECItem));
	    if (sid->version < SSL_LIBRARY_VERSION_3_0) {

(-)sslsock.c (-17 / +57 lines)

Line	Link Here

Lines 34-40	Link Here

 * may use your version of this file under either the MPL or the

 * may use your version of this file under either the MPL or the

 * GPL.

 * GPL.

 * $Id: sslsock.c,v 1.13 2001/02/09 02:11:31 nelsonb%netscape.com Exp $

 * $Id: sslsock.c,v 1.3 2001/02/09 19:40:18 nelsonb Exp nelsonb $

*/

*/

#include "seccomon.h"

#include "seccomon.h"

#include "cert.h"

#include "cert.h"

Lines 897-902	Link Here

897

898

    sslSocket * ns = NULL;

898

    sslSocket * ns = NULL;

899

    PRStatus    rv;

899

    PRStatus    rv;

900

    PRNetAddr   addr;

900

901

    if (model == NULL) {

902

    if (model == NULL) {

902

	/* Just create a default socket if we're given NULL for the model */

903

	/* Just create a default socket if we're given NULL for the model */

Lines 922-927	Link Here

922

#ifdef _WIN32

923

#ifdef _WIN32

923

    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */

924

    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */

924

#endif

925

#endif

926

    ns = ssl_FindSocket(fd);

927

    PORT_Assert(ns);

928

    if (ns)

929

	ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));

925

    return fd;

930

    return fd;

926

931

927

932

Lines 984-993	Link Here

984

    if ( ns->useSecurity ) {

989

    if ( ns->useSecurity ) {

985

	if ( ns->handshakeAsClient ) {

990

	if ( ns->handshakeAsClient ) {

986

	    ns->handshake = ssl2_BeginClientHandshake;

991

	    ns->handshake = ssl2_BeginClientHandshake;

992

	    ss->handshaking = sslHandshakingAsClient;

987

	} else {

993

	} else {

988

	    ns->handshake = ssl2_BeginServerHandshake;

994

	    ns->handshake = ssl2_BeginServerHandshake;

995

	    ss->handshaking = sslHandshakingAsServer;

989

996

990

997

998

    ns->TCPconnected = 1;

991

    return newfd;

999

    return newfd;

992

1000

993

loser:

1001

loser:

Lines 1236-1241	Link Here

1236

    if (rv < 0) {

1244

    if (rv < 0) {

1237

	return SECFailure;

1245

	return SECFailure;

1238

1246

1247

    ss->TCPconnected = 1;

1239

    /* we have to mask off the high byte because AIX is lame */

1248

    /* we have to mask off the high byte because AIX is lame */

1240

    if ((sin.inet.family & 0xff) == PR_AF_INET) {

1249

    if ((sin.inet.family & 0xff) == PR_AF_INET) {

1241

        PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ci->peer);

1250

        PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ci->peer);

Lines 1282-1287	Link Here

1282

1291

1283

    sslSocket *ss;

1292

    sslSocket *ss;

1284

    PRInt16    ret_flags = how_flags;	/* should select on these flags. */

1293

    PRInt16    ret_flags = how_flags;	/* should select on these flags. */

1294

    PRNetAddr  addr;

1285

1295

1286

    *out_flags = 0;

1296

    *out_flags = 0;

1287

    ss = ssl_GetPrivate(fd);

1297

    ss = ssl_GetPrivate(fd);

Lines 1291-1313	Link Here

1291

	return 0;	/* don't poll on this socket */

1301

	return 0;	/* don't poll on this socket */

1292

1302

1293

1303

1294

    if ((ret_flags & PR_POLL_WRITE) &&

1304

    if (ss->useSecurity &&

1295

        ss->useSecurity &&

1305

	ss->handshaking != sslHandshakingUndetermined &&

1296

	!ss->connected &&

1306

        !ss->firstHsDone) {

1297

	   /* XXX There needs to be a better test than the following. */

1307

	if (!ss->TCPconnected) {

1298

	   /* Don't check ss->securityHandshake. */

1308

	    ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));

1299

	(ss->handshake || ss->nextHandshake)) {

1309

1300

    	/* The user is trying to write, but the handshake is blocked waiting

1310

	/* If it's not connected, then presumably the application is polling

1301

	 * to read, so tell NSPR NOT to poll on write.

1311

	** on read or write approrpiately, so don't change it.

1302

*/

1312

*/

1303

	ret_flags ^=  PR_POLL_WRITE;	/* don't select on write. */

1313

	if (ss->TCPconnected) {

1304

	ret_flags |=  PR_POLL_READ;	/* do    select on read. */

1314

	    if (!ss->handshakeBegun) {

1305

1315

		/* If the handshake has not begun, poll on read or write

1306

1316

		** based on the local application's role in the handshake,

1307

    if ((ret_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {

1317

		** not based on what the application requested.

1318

*/

1319

		ret_flags &= ~(PR_POLL_WRITE | PR_POLL_READ);

1320

		if (ss->handshaking == sslHandshakingAsClient) {

1321

		    ret_flags |= PR_POLL_WRITE;

1322

		} else { /* handshaking as server */

1323

		    ret_flags |= PR_POLL_READ;

1324

1325

	    } else

1326

	    /* First handshake is in progress */

1327

	    if (ss->lastWriteBlocked) {

1328

		if (ret_flags & PR_POLL_READ) {

1329

		    /* The caller is waiting for data to be received,

1330

		    ** but the initial handshake is blocked on write, or the

1331

		    ** client's first handshake record has not been written.

1332

		    ** The code should select on write, not read.

1333

*/

1334

		    ret_flags ^=  PR_POLL_READ;	   /* don't select on read. */

1335

		    ret_flags |=  PR_POLL_WRITE;   /* do    select on write. */

1336

1337

	    } else if (ret_flags & PR_POLL_WRITE) {

1338

		    /* The caller is trying to write, but the handshake is

1339

		    ** blocked waiting for data to read, and the first

1340

		    ** handshake has been sent.  so do NOT to poll on write.

1341

*/

1342

		    ret_flags ^=  PR_POLL_WRITE;   /* don't select on write. */

1343

		    ret_flags |=  PR_POLL_READ;	   /* do    select on read. */

1344

1345

1346

    } else if ((ret_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {

1308

	*out_flags = PR_POLL_READ;	/* it's ready already. */

1347

	*out_flags = PR_POLL_READ;	/* it's ready already. */

1309

1348

	return ret_flags;

1310

    } else if (ret_flags && (fd->lower->methods->poll != NULL)) {

1349

1350

    if (ret_flags && (fd->lower->methods->poll != NULL)) {

1311

        ret_flags = fd->lower->methods->poll(fd->lower, ret_flags, out_flags);

1351

        ret_flags = fd->lower->methods->poll(fd->lower, ret_flags, out_flags);

1312

1352

1313

1353

Return to bug 56924