void
ssl_FinishHandshake(sslSocket *ss)
{
PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));
ss->firstHsDone = PR_TRUE;
ss->enoughFirstHsDone = PR_TRUE;
ss->gs.writeOffset = 0;
ss->gs.readOffset = 0;
if (ss->handshakeCallback) {
PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) ==
ssl_preinfo_all);
(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
}
}
/* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock.
*
* Currently, the list of functions called through ss->handshake is:
*
* In sslsocks.c:
* SocksGatherRecord
* SocksHandleReply
* SocksStartGather
*
* In sslcon.c:
* ssl_GatherRecord1stHandshake
* ssl_BeginClientHandshake
* ssl_BeginServerHandshake
*
* The ss->handshake function returns SECWouldBlock if it was returned by
* one of the callback functions, via one of these paths:
*
* - ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() ->
* ssl3_HandleRecord() -> ssl3_HandleHandshake() ->
* ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() ->
* ss->handleBadCert()
*
* - ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() ->
* ssl3_HandleRecord() -> ssl3_HandleHandshake() ->
* ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() ->
* ss->getClientAuthData()
*
* Called from: SSL_ForceHandshake (below),
* ssl_SecureRecv (below) and
* ssl_SecureSend (below)
* from: WaitForResponse in sslsocks.c
* ssl_SocksRecv in sslsocks.c
* ssl_SocksSend in sslsocks.c
*
* Caller must hold the (write) handshakeLock.
*/
int
ssl_Do1stHandshake(sslSocket *ss)
{
int rv = SECSuccess;
while (ss->handshake && rv == SECSuccess) {
PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
rv = (*ss->handshake)(ss);
};
PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
if (rv == SECWouldBlock) {
PORT_SetError(PR_WOULD_BLOCK_ERROR);
rv = SECFailure;
}
return rv;
}
/* Gather in a record and when complete, Handle that record.
* Repeat this until the handshake is complete,
* or until application data is available.
*
* Returns 1 when the handshake is completed without error, or
* application data is available.
* Returns 0 if ssl3_GatherData hits EOF.
* Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
* Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
*
* Called from ssl_GatherRecord1stHandshake in sslcon.c,
* and from SSL_ForceHandshake in sslsecur.c
* and from ssl3_GatherAppDataRecord below (<- DoRecv in sslsecur.c).
*
* Caller must hold the recv buf lock.
*/
int
ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
{
SSL3Ciphertext cText;
int rv;
PRBool keepGoing = PR_TRUE;
SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
/* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake,
* which requires the 1stHandshakeLock, which must be acquired before the
* RecvBufLock.
*/
PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
do {
PRBool handleRecordNow = PR_FALSE;
ssl_GetSSL3HandshakeLock(ss);
/* Without this, we may end up wrongly reporting
* SSL_ERROR_RX_UNEXPECTED_* errors if we receive any records from the
* peer while we are waiting to be restarted.
*/
if (ss->ssl3.hs.restartTarget) {
ssl_ReleaseSSL3HandshakeLock(ss);
PORT_SetError(PR_WOULD_BLOCK_ERROR);
return (int)SECFailure;
}
/* Treat an empty msgState like a NULL msgState. (Most of the time
* when ssl3_HandleHandshake returns SECWouldBlock, it leaves
* behind a non-NULL but zero-length msgState).
* Test: async_cert_restart_server_sends_hello_request_first_in_separate_record
*/
if (ss->ssl3.hs.msgState.buf) {
if (ss->ssl3.hs.msgState.len == 0) {
ss->ssl3.hs.msgState.buf = NULL;
} else {
handleRecordNow = PR_TRUE;
}
}
ssl_ReleaseSSL3HandshakeLock(ss);
if (handleRecordNow) {
/* ssl3_HandleHandshake previously returned SECWouldBlock and the
* as-yet-unprocessed plaintext of that previous handshake record.
* We need to process it now before we overwrite it with the next
* handshake record.
*/
rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
} else {
/* bring in the next sslv3 record. */
if (ss->recvdCloseNotify) {
/* RFC 5246 Section 7.2.1:
* Any data received after a closure alert is ignored.
*/
return 0;
}
if (!IS_DTLS(ss)) {
rv = ssl3_GatherData(ss, &ss->gs, flags);
} else {
rv = dtls_GatherData(ss, &ss->gs, flags);
/* If we got a would block error, that means that no data was
* available, so we check the timer to see if it's time to
* retransmit */
if (rv == SECFailure &&
(PORT_GetError() == PR_WOULD_BLOCK_ERROR)) {
ssl_GetSSL3HandshakeLock(ss);
dtls_CheckTimer(ss);
ssl_ReleaseSSL3HandshakeLock(ss);
/* Restore the error in case something succeeded */
PORT_SetError(PR_WOULD_BLOCK_ERROR);
}
}
if (rv <= 0) {
return rv;
}
/* decipher it, and handle it if it's a handshake.
* If it's application data, ss->gs.buf will not be empty upon return.
* If it's a change cipher spec, alert, or handshake message,
* ss->gs.buf.len will be 0 when ssl3_HandleRecord returns SECSuccess.
*/
cText.type = (SSL3ContentType)ss->gs.hdr[0];
cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
if (IS_DTLS(ss)) {
int i;
cText.version = dtls_DTLSVersionToTLSVersion(cText.version);
/* DTLS sequence number */
cText.seq_num.high = 0;
cText.seq_num.low = 0;
for (i = 0; i < 4; i++) {
cText.seq_num.high <<= 8;
cText.seq_num.low <<= 8;
cText.seq_num.high |= ss->gs.hdr[3 + i];
cText.seq_num.low |= ss->gs.hdr[7 + i];
}
}
cText.buf = &ss->gs.inbuf;
rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
}
if (rv < 0) {
return ss->recvdCloseNotify ? 0 : rv;
}
if (ss->gs.buf.len > 0) {
/* We have application data to return to the application. This
* prioritizes returning application data to the application over
* completing any renegotiation handshake we may be doing.
*/
PORT_Assert(ss->firstHsDone);
PORT_Assert(cText.type == content_application_data);
break;
}
PORT_Assert(keepGoing);
ssl_GetSSL3HandshakeLock(ss);
if (ss->ssl3.hs.ws == idle_handshake) {
/* We are done with the current handshake so stop trying to
* handshake. Note that it would be safe to test ss->firstHsDone
* instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead,
* we prioritize completing a renegotiation handshake over sending
* application data.
*/
PORT_Assert(ss->firstHsDone);
PORT_Assert(!ss->ssl3.hs.canFalseStart);
keepGoing = PR_FALSE;
} else if (ss->ssl3.hs.canFalseStart) {
/* Prioritize sending application data over trying to complete
* the handshake if we're false starting.
*
* If we were to do this check at the beginning of the loop instead
* of here, then this function would become be a no-op after
* receiving the ServerHelloDone in the false start case, and we
* would never complete the handshake.
*/
PORT_Assert(!ss->firstHsDone);
if (ssl3_WaitingForServerSecondRound(ss)) {
keepGoing = PR_FALSE;
} else {
ss->ssl3.hs.canFalseStart = PR_FALSE;
}
}
ssl_ReleaseSSL3HandshakeLock(ss);
} while (keepGoing);
ss->gs.readOffset = 0;
ss->gs.writeOffset = ss->gs.buf.len;
return 1;
}
int
ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
{
SSL3Ciphertext cText;
int rv;
PRBool keepGoing = PR_TRUE;
SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
do {
PRBool handleRecordNow = PR_FALSE;
ssl_GetSSL3HandshakeLock(ss);
if (ss->ssl3.hs.restartTarget) {
ssl_ReleaseSSL3HandshakeLock(ss);
PORT_SetError(PR_WOULD_BLOCK_ERROR);
return (int) SECFailure;
}
if (ss->ssl3.hs.msgState.buf) {
if (ss->ssl3.hs.msgState.len == 0) {
ss->ssl3.hs.msgState.buf = NULL;
} else {
handleRecordNow = PR_TRUE;
}
}
ssl_ReleaseSSL3HandshakeLock(ss);
if (handleRecordNow) {
rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
} else {
if (!IS_DTLS(ss)) {
rv = ssl3_GatherData(ss, &ss->gs, flags);
} else {
rv = dtls_GatherData(ss, &ss->gs, flags);
if (rv == SECFailure &&
(PORT_GetError() == PR_WOULD_BLOCK_ERROR)) {
ssl_GetSSL3HandshakeLock(ss);
dtls_CheckTimer(ss);
ssl_ReleaseSSL3HandshakeLock(ss);
PORT_SetError(PR_WOULD_BLOCK_ERROR);
}
}
if (rv <= 0) {
return rv;
}
cText.type = (SSL3ContentType)ss->gs.hdr[0];
cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
if (IS_DTLS(ss)) {
int i;
cText.version = dtls_DTLSVersionToTLSVersion(cText.version);
cText.seq_num.high = 0;
cText.seq_num.low = 0;
for (i = 0; i < 4; i++) {
cText.seq_num.high <<= 8;
cText.seq_num.low <<= 8;
cText.seq_num.high |= ss->gs.hdr[3 + i];
cText.seq_num.low |= ss->gs.hdr[7 + i];
}
}
cText.buf = &ss->gs.inbuf;
rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
if (rv == (int) SECSuccess && ss->gs.buf.len > 0) {
PORT_Assert(ss->firstHsDone);
PORT_Assert(cText.type == content_application_data);
break;
}
}
if (rv < 0) {
return ss->recvdCloseNotify ? 0 : rv;
}
PORT_Assert(keepGoing);
ssl_GetSSL3HandshakeLock(ss);
if (ss->ssl3.hs.ws == idle_handshake) {
PORT_Assert(ss->firstHsDone);
PORT_Assert(!ss->ssl3.hs.canFalseStart);
keepGoing = PR_FALSE;
} else if (ss->ssl3.hs.canFalseStart) {
PORT_Assert(!ss->firstHsDone);
if (ssl3_WaitingForStartOfServerSecondRound(ss)) {
keepGoing = PR_FALSE;
} else {
ss->ssl3.hs.canFalseStart = PR_FALSE;
}
}
ssl_ReleaseSSL3HandshakeLock(ss);
} while (keepGoing);
ss->gs.readOffset = 0;
ss->gs.writeOffset = ss->gs.buf.len;
return 1;
}
/* Sends out the initial client Hello message on the connection.
* Acquires and releases the socket's xmitBufLock.
*/
SECStatus
ssl_BeginClientHandshake(sslSocket *ss)
{
sslSessionID *sid;
SECStatus rv;
PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
ss->sec.isServer = PR_FALSE;
ssl_ChooseSessionIDProcs(&ss->sec);
rv = ssl_CheckConfigSanity(ss);
if (rv != SECSuccess)
goto loser;
/* Get peer name of server */
rv = ssl_GetPeerInfo(ss);
if (rv < 0) {
#ifdef HPUX11
/*
* On some HP-UX B.11.00 systems, getpeername() occasionally
* fails with ENOTCONN after a successful completion of
* non-blocking connect. I found that if we do a write()
* and then retry getpeername(), it will work.
*/
if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
char dummy;
(void)PR_Write(ss->fd->lower, &dummy, 0);
rv = ssl_GetPeerInfo(ss);
if (rv < 0) {
goto loser;
}
}
#else
goto loser;
#endif
}
SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
/* Try to find server in our session-id cache */
if (ss->opt.noCache) {
sid = NULL;
} else {
sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID,
ss->url);
}
if (sid) {
if (sid->version >= ss->vrange.min && sid->version <= ss->vrange.max) {
PORT_Assert(!ss->sec.localCert);
ss->sec.localCert = CERT_DupCertificate(sid->localCert);
} else {
ss->sec.uncache(sid);
ssl_FreeSID(sid);
sid = NULL;
}
}
if (!sid) {
sid = PORT_ZNew(sslSessionID);
if (!sid) {
goto loser;
}
sid->references = 1;
sid->cached = never_cached;
sid->addr = ss->sec.ci.peer;
sid->port = ss->sec.ci.port;
if (ss->peerID != NULL) {
sid->peerID = PORT_Strdup(ss->peerID);
}
if (ss->url != NULL) {
sid->urlSvrName = PORT_Strdup(ss->url);
}
}
ss->sec.ci.sid = sid;
PORT_Assert(sid != NULL);
ss->gs.state = GS_INIT;
ss->handshake = ssl_GatherRecord1stHandshake;
/* ssl3_SendClientHello will override this if it succeeds. */
ss->version = SSL_LIBRARY_VERSION_3_0;
ssl_GetSSL3HandshakeLock(ss);
ssl_GetXmitBufLock(ss);
rv = ssl3_SendClientHello(ss, client_hello_initial);
ssl_ReleaseXmitBufLock(ss);
ssl_ReleaseSSL3HandshakeLock(ss);
return rv;
loser:
return SECFailure;
}
