Bug 700516: Remove SSL2 support for SSL_RestartHandshakeAfterServerCert and SSL_RestartHandshakeAfterCertReq, r=rrelyea

git-svn-id: svn://10.0.0.236/trunk@263067 18797224-902f-48f8-a5cc-f745e15eee43
bsmith%mozilla.com 2011-11-11 19:06:52 +00:00
parent 7a0edbfd6a
commit 4778bbc800
7 changed files with 33 additions and 169 deletions


@ -408,3 +408,6 @@ ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115),
ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116),
"SSL received invalid NPN extension data.")
ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2, (SSL_ERROR_BASE + 117),
"SSL feature not supported for SSL 2.0 connections.")


@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: ssl3con.c,v 1.154 2011-11-11 18:47:20 bsmith%mozilla.com Exp $ */
/* $Id: ssl3con.c,v 1.155 2011-11-11 19:06:52 bsmith%mozilla.com Exp $ */
#include "cert.h"
#include "ssl.h"
@ -5580,7 +5580,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
}
switch (rv) {
case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
ssl_SetAlwaysBlock(ss);
ssl3_SetAlwaysBlock(ss);
break; /* not an error */
case SECSuccess:
@ -7972,7 +7972,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
SSL_GETPID(), ss->fd));
ss->ssl3.peerCertChain = certs;
certs = NULL;
ssl_SetAlwaysBlock(ss);
ssl3_SetAlwaysBlock(ss);
goto cert_block;
}
/* cert is bad */


@ -41,7 +41,7 @@
* ***** END LICENSE BLOCK ***** */
/* TLS extension code moved here from ssl3ecc.c */
/* $Id: ssl3ext.c,v 1.18 2011-11-08 22:12:05 bsmith%mozilla.com Exp $ */
/* $Id: ssl3ext.c,v 1.19 2011-11-11 19:06:52 bsmith%mozilla.com Exp $ */
#include "nssrenam.h"
#include "nss.h"


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslcon.c,v 1.42 2011-08-01 07:08:09 kaie%kuix.de Exp $ */
/* $Id: sslcon.c,v 1.43 2011-11-11 19:06:52 bsmith%mozilla.com Exp $ */
#include "nssrenam.h"
#include "cert.h"
@ -518,7 +518,6 @@ ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
* ssl2_HandleMessage() <- ssl_Do1stHandshake()
* ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
after ssl2_BeginClientHandshake()
* ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
* ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
after ssl2_BeginServerHandshake()
*
@ -765,7 +764,6 @@ done:
}
/* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
* ssl2_RestartHandshakeAfterCertReq() <- (application)
* Acquires and releases the socket's xmitBufLock.
*/
static int
@ -1177,7 +1175,6 @@ loser:
/*
** Called from: ssl2_HandleServerHelloMessage,
** ssl2_HandleClientSessionKeyMessage,
** ssl2_RestartHandshakeAfterServerCert,
** ssl2_HandleClientHelloMessage,
**
*/
@ -1237,9 +1234,7 @@ ssl2_UseClearSendFunc(sslSocket *ss)
* ssl2_HandleServerHelloMessage
* ssl2_BeginClientHandshake
* ssl2_HandleClientSessionKeyMessage
* ssl2_RestartHandshakeAfterCertReq
* ssl3_RestartHandshakeAfterCertReq
* ssl2_RestartHandshakeAfterServerCert
* ssl3_RestartHandshakeAfterServerCert
* ssl2_HandleClientHelloMessage
* ssl2_BeginServerHandshake
@ -2232,8 +2227,6 @@ ssl2_TriggerNextMessage(sslSocket *ss)
** ssl2_HandleVerifyMessage
** ssl2_HandleServerHelloMessage
** ssl2_HandleClientSessionKeyMessage
** ssl2_RestartHandshakeAfterCertReq
** ssl2_RestartHandshakeAfterServerCert
*/
static SECStatus
ssl2_TryToFinish(sslSocket *ss)
@ -2267,7 +2260,6 @@ ssl2_TryToFinish(sslSocket *ss)
/*
** Called from ssl2_HandleRequestCertificate
** ssl2_RestartHandshakeAfterCertReq
*/
static SECStatus
ssl2_SignResponse(sslSocket *ss,
@ -2354,8 +2346,9 @@ ssl2_HandleRequestCertificate(sslSocket *ss)
ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
NULL, &cert, &key);
if ( ret == SECWouldBlock ) {
ssl_SetAlwaysBlock(ss);
goto done;
PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
ret = -1;
goto loser;
}
if (ret) {
@ -2715,8 +2708,7 @@ ssl2_HandleMessage(sslSocket *ss)
/************************************************************************/
/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or
** ssl2_RestartHandshakeAfterServerCert.
/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage.
*/
static SECStatus
ssl2_HandleVerifyMessage(sslSocket *ss)
@ -2936,19 +2928,16 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
if ( rv ) {
if ( rv == SECWouldBlock ) {
/* someone will handle this connection asynchronously*/
SSL_DBG(("%d: SSL[%d]: go to async cert handler",
SSL_GETPID(), ss->fd));
ssl_ReleaseRecvBufLock(ss);
ssl_SetAlwaysBlock(ss);
return SECWouldBlock;
SSL_DBG(("%d: SSL[%d]: SSL2 bad cert handler returned "
"SECWouldBlock", SSL_GETPID(), ss->fd));
PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
rv = SECFailure;
} else {
/* cert is bad */
SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
SSL_GETPID(), ss->fd, PORT_GetError()));
}
/* cert is bad */
SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
SSL_GETPID(), ss->fd, PORT_GetError()));
goto loser;
}
/* cert is good */
} else {
@ -3330,133 +3319,6 @@ loser:
return SECFailure;
}
/*
* attempt to restart the handshake after asynchronously handling
* a request for the client's certificate.
*
* inputs:
* cert Client cert chosen by application.
* key Private key associated with cert.
*
* XXX: need to make ssl2 and ssl3 versions of this function agree on whether
* they take the reference, or bump the ref count!
*
* Return value: XXX
*
* Caller holds 1stHandshakeLock.
*/
int
ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,
CERTCertificate * cert,
SECKEYPrivateKey * key)
{
int ret;
SECStatus rv = SECSuccess;
SECItem response;
if (ss->version >= SSL_LIBRARY_VERSION_3_0)
return SECFailure;
response.data = NULL;
/* generate error if no cert or key */
if ( ( cert == NULL ) || ( key == NULL ) ) {
goto no_cert;
}
/* generate signed response to the challenge */
rv = ssl2_SignResponse(ss, key, &response);
if ( rv != SECSuccess ) {
goto no_cert;
}
/* Send response message */
ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
if (ret) {
goto no_cert;
}
/* try to finish the handshake */
ret = ssl2_TryToFinish(ss);
if (ret) {
goto loser;
}
/* done with handshake */
if (ss->handshake == 0) {
ret = SECSuccess;
goto done;
}
/* continue handshake */
ssl_GetRecvBufLock(ss);
ss->gs.recordLen = 0;
ssl_ReleaseRecvBufLock(ss);
ss->handshake = ssl_GatherRecord1stHandshake;
ss->nextHandshake = ssl2_HandleMessage;
ret = ssl2_TriggerNextMessage(ss);
goto done;
no_cert:
/* no cert - send error */
ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
goto done;
loser:
ret = SECFailure;
done:
/* free allocated data */
if ( response.data ) {
PORT_Free(response.data);
}
return ret;
}
/* restart an SSL connection that we stopped to run certificate dialogs
** XXX Need to document here how an application marks a cert to show that
** the application has accepted it (overridden CERT_VerifyCert).
*
* Return value: XXX
*
* Caller holds 1stHandshakeLock.
*/
int
ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
{
int rv = SECSuccess;
if (ss->version >= SSL_LIBRARY_VERSION_3_0)
return SECFailure;
/* SSL 2
** At this point we have a completed session key and our session
** cipher is setup and ready to go. Switch to encrypted write routine
** as all future message data is to be encrypted.
*/
ssl2_UseEncryptedSendFunc(ss);
rv = ssl2_TryToFinish(ss);
if (rv == SECSuccess && ss->handshake != NULL) {
/* handshake is not yet finished. */
SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
ss->sec.ci.elements));
ssl_GetRecvBufLock(ss);
ss->gs.recordLen = 0; /* mark it all used up. */
ssl_ReleaseRecvBufLock(ss);
ss->handshake = ssl_GatherRecord1stHandshake;
ss->nextHandshake = ssl2_HandleVerifyMessage;
}
return rv;
}
/*
** Handle the initial hello message from the client
**
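Review bot: In ssl2_HandleRequestCertificate the new SECWouldBlock branch writes `ret = -1`, while the matching branch in ssl2_HandleServerHelloMessage writes `rv = SECFailure`, and neither says why a deferred answer from the application is now fatal. I would write `ret = SECFailure;` there (assuming the two values are the same, as the old code's mixed use suggests) and add `/* SSL2 cannot resume after an async callback; fail closed. */` above each PORT_SetError call. Failing the handshake is the safe direction, because a pending bad-cert or client-auth decision can no longer leave an SSL2 connection parked on a restart path that this commit removes. Both function bodies extend beyond their hunks, so what `loser` cleans up is not visible here.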


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslerr.h,v 1.15 2011-10-29 00:29:11 bsmith%mozilla.com Exp $ */
/* $Id: sslerr.h,v 1.16 2011-11-11 19:06:52 bsmith%mozilla.com Exp $ */
#ifndef __SSL_ERR_H_
#define __SSL_ERR_H_
@ -207,6 +207,8 @@ SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115),
SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID = (SSL_ERROR_BASE + 116),
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 = (SSL_ERROR_BASE + 117),
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
} SSLErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */


@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslimpl.h,v 1.86 2011-11-11 18:47:20 bsmith%mozilla.com Exp $ */
/* $Id: sslimpl.h,v 1.87 2011-11-11 19:06:52 bsmith%mozilla.com Exp $ */
#ifndef __sslimpl_h_
#define __sslimpl_h_
@ -1261,7 +1261,7 @@ extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
extern void ssl_SetAlwaysBlock(sslSocket *ss);
extern void ssl3_SetAlwaysBlock(sslSocket *ss);
extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
@ -1350,16 +1350,11 @@ extern void ssl_FreeSocket(struct sslSocketStr *ssl);
extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
SSL3AlertDescription desc);
extern int ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,
CERTCertificate * cert,
SECKEYPrivateKey * key);
extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
CERTCertificate * cert,
SECKEYPrivateKey * key,
CERTCertificateList *certChain);
extern int ssl2_RestartHandshakeAfterServerCert(sslSocket *ss);
extern int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss);
/*


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslsecur.c,v 1.50 2011-10-30 00:08:59 wtc%google.com Exp $ */
/* $Id: sslsecur.c,v 1.51 2011-11-11 19:06:52 bsmith%mozilla.com Exp $ */
#include "cert.h"
#include "secitem.h"
#include "keyhi.h"
@ -173,7 +173,7 @@ ssl_Do1stHandshake(sslSocket *ss)
* retry on a connection on the next read/write.
*/
static SECStatus
AlwaysBlock(sslSocket *ss)
ssl3_AlwaysBlock(sslSocket *ss)
{
PORT_SetError(PR_WOULD_BLOCK_ERROR); /* perhaps redundant. */
return SECWouldBlock;
@ -183,10 +183,10 @@ AlwaysBlock(sslSocket *ss)
* set the initial handshake state machine to block
*/
void
ssl_SetAlwaysBlock(sslSocket *ss)
ssl3_SetAlwaysBlock(sslSocket *ss)
{
if (!ss->firstHsDone) {
ss->handshake = AlwaysBlock;
ss->handshake = ssl3_AlwaysBlock;
ss->nextHandshake = 0;
}
}
@ -1500,7 +1500,8 @@ SSL_RestartHandshakeAfterCertReq(sslSocket * ss,
if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
} else {
ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
ret = SECFailure;
}
ssl_Release1stHandshakeLock(ss); /************************************/
@ -1527,7 +1528,8 @@ SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
rv = ssl3_RestartHandshakeAfterServerCert(ss);
} else {
rv = ssl2_RestartHandshakeAfterServerCert(ss);
PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
rv = SECFailure;
}
ssl_Release1stHandshakeLock(ss);
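Review bot: The new SSL2 branch of SSL_RestartHandshakeAfterCertReq returns SECFailure without saying what becomes of `cert`, `key` and `certChain`. The ssl2 function deleted by this commit carried an XXX note that the SSL2 and SSL3 versions did not agree on whether they take the reference, so a caller handing over a private key cannot tell whether it must still destroy it after this failure. If the SSL3 path consumes its arguments, the else branch should release them as well; otherwise a header comment such as `/* On SSL2 sockets this fails with SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 and the caller keeps cert, key and certChain. */` would settle it. The function starts and ends outside the hunk, so the ownership rule is inferred rather than visible.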