Home | History | Annotate | Download | only in ssl
      1 /*
      2  * Various SSL functions.
      3  *
      4  * This Source Code Form is subject to the terms of the Mozilla Public
      5  * License, v. 2.0. If a copy of the MPL was not distributed with this
      6  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      7 #include "cert.h"
      8 #include "secitem.h"
      9 #include "keyhi.h"
     10 #include "ssl.h"
     11 #include "sslimpl.h"
     12 #include "sslproto.h"
     13 #include "secoid.h"	/* for SECOID_GetALgorithmTag */
     14 #include "pk11func.h"	/* for PK11_GenerateRandom */
     15 #include "nss.h"        /* for NSS_RegisterShutdown */
     16 #include "prinit.h"     /* for PR_CallOnceWithArg */
     17 
     18 #define MAX_BLOCK_CYPHER_SIZE	32
     19 
     20 #define TEST_FOR_FAILURE	/* reminder */
     21 #define SET_ERROR_CODE		/* reminder */
     22 
     23 /* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock.
     24  *
     25  * Currently, the list of functions called through ss->handshake is:
     26  *
     27  * In sslsocks.c:
     28  *  SocksGatherRecord
     29  *  SocksHandleReply
     30  *  SocksStartGather
     31  *
     32  * In sslcon.c:
     33  *  ssl_GatherRecord1stHandshake
     34  *  ssl2_HandleClientSessionKeyMessage
     35  *  ssl2_HandleMessage
     36  *  ssl2_HandleVerifyMessage
     37  *  ssl2_BeginClientHandshake
     38  *  ssl2_BeginServerHandshake
     39  *  ssl2_HandleClientHelloMessage
     40  *  ssl2_HandleServerHelloMessage
     41  *
     42  * The ss->handshake function returns SECWouldBlock under these conditions:
     43  * 1.	ssl_GatherRecord1stHandshake called ssl2_GatherData which read in
     44  *	the beginning of an SSL v3 hello message and returned SECWouldBlock
     45  *	to switch to SSL v3 handshake processing.
     46  *
     47  * 2.	ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming
     48  *	v2 client hello msg, and called ssl3_HandleV2ClientHello which
     49  *	returned SECWouldBlock.
     50  *
     51  * 3.   SECWouldBlock was returned by one of the callback functions, via
     52  *	one of these paths:
     53  * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() ->
     54  *	ss->getClientAuthData()
     55  *
     56  * -	ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
     57  *
     58  * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() ->
     59  *	ssl3_HandleRecord() -> ssl3_HandleHandshake() ->
     60  *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() ->
     61  *	ss->handleBadCert()
     62  *
     63  * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() ->
     64  *	ssl3_HandleRecord() -> ssl3_HandleHandshake() ->
     65  *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() ->
     66  *	ss->getClientAuthData()
     67  *
     68  * Called from: SSL_ForceHandshake	(below),
     69  *              ssl_SecureRecv 		(below) and
     70  *              ssl_SecureSend		(below)
     71  *	  from: WaitForResponse 	in sslsocks.c
     72  *	        ssl_SocksRecv   	in sslsocks.c
     73  *              ssl_SocksSend   	in sslsocks.c
     74  *
     75  * Caller must hold the (write) handshakeLock.
     76  */
     77 int
     78 ssl_Do1stHandshake(sslSocket *ss)
     79 {
     80     int rv        = SECSuccess;
     81     int loopCount = 0;
     82 
     83     do {
     84 	PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );
     85 	PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
     86 	PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
     87 	PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
     88 
     89 	if (ss->handshake == 0) {
     90 	    /* Previous handshake finished. Switch to next one */
     91 	    ss->handshake = ss->nextHandshake;
     92 	    ss->nextHandshake = 0;
     93 	}
     94 	if (ss->handshake == 0) {
     95 	    /* Previous handshake finished. Switch to security handshake */
     96 	    ss->handshake = ss->securityHandshake;
     97 	    ss->securityHandshake = 0;
     98 	}
     99 	if (ss->handshake == 0) {
    100 	    ssl_GetRecvBufLock(ss);
    101 	    ss->gs.recordLen = 0;
    102 	    ssl_ReleaseRecvBufLock(ss);
    103 
    104 	    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
    105 			SSL_GETPID(), ss->fd));
    106             /* call handshake callback for ssl v2 */
    107 	    /* for v3 this is done in ssl3_HandleFinished() */
    108 	    if ((ss->handshakeCallback != NULL) && /* has callback */
    109 		(!ss->firstHsDone) &&              /* only first time */
    110 		(ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
    111 		ss->firstHsDone     = PR_TRUE;
    112 		(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
    113 	    }
    114 	    ss->firstHsDone         = PR_TRUE;
    115 	    ss->gs.writeOffset = 0;
    116 	    ss->gs.readOffset  = 0;
    117 	    break;
    118 	}
    119 	rv = (*ss->handshake)(ss);
    120 	++loopCount;
    121     /* This code must continue to loop on SECWouldBlock,
    122      * or any positive value.	See XXX_1 comments.
    123      */
    124     } while (rv != SECFailure);  	/* was (rv >= 0); XXX_1 */
    125 
    126     PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
    127     PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
    128     PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
    129 
    130     if (rv == SECWouldBlock) {
    131 	PORT_SetError(PR_WOULD_BLOCK_ERROR);
    132 	rv = SECFailure;
    133     }
    134     return rv;
    135 }
    136 
    137 /*
    138  * Handshake function that blocks.  Used to force a
    139  * retry on a connection on the next read/write.
    140  */
    141 static SECStatus
    142 ssl3_AlwaysBlock(sslSocket *ss)
    143 {
    144     PORT_SetError(PR_WOULD_BLOCK_ERROR);	/* perhaps redundant. */
    145     return SECWouldBlock;
    146 }
    147 
    148 /*
    149  * set the initial handshake state machine to block
    150  */
    151 void
    152 ssl3_SetAlwaysBlock(sslSocket *ss)
    153 {
    154     if (!ss->firstHsDone) {
    155 	ss->handshake = ssl3_AlwaysBlock;
    156 	ss->nextHandshake = 0;
    157     }
    158 }
    159 
    160 static SECStatus
    161 ssl_SetTimeout(PRFileDesc *fd, PRIntervalTime timeout)
    162 {
    163     sslSocket *ss;
    164 
    165     ss = ssl_FindSocket(fd);
    166     if (!ss) {
    167 	SSL_DBG(("%d: SSL[%d]: bad socket in SetTimeout", SSL_GETPID(), fd));
    168 	return SECFailure;
    169     }
    170     SSL_LOCK_READER(ss);
    171     ss->rTimeout = timeout;
    172     if (ss->opt.fdx) {
    173         SSL_LOCK_WRITER(ss);
    174     }
    175     ss->wTimeout = timeout;
    176     if (ss->opt.fdx) {
    177         SSL_UNLOCK_WRITER(ss);
    178     }
    179     SSL_UNLOCK_READER(ss);
    180     return SECSuccess;
    181 }
    182 
    183 /* Acquires and releases HandshakeLock.
    184 */
    185 SECStatus
    186 SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
    187 {
    188     sslSocket *ss;
    189     SECStatus status;
    190     PRNetAddr addr;
    191 
    192     ss = ssl_FindSocket(s);
    193     if (!ss) {
    194 	SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s));
    195 	return SECFailure;
    196     }
    197 
    198     /* Don't waste my time */
    199     if (!ss->opt.useSecurity)
    200 	return SECSuccess;
    201 
    202     SSL_LOCK_READER(ss);
    203     SSL_LOCK_WRITER(ss);
    204 
    205     /* Reset handshake state */
    206     ssl_Get1stHandshakeLock(ss);
    207 
    208     ss->firstHsDone = PR_FALSE;
    209     if ( asServer ) {
    210 	ss->handshake = ssl2_BeginServerHandshake;
    211 	ss->handshaking = sslHandshakingAsServer;
    212     } else {
    213 	ss->handshake = ssl2_BeginClientHandshake;
    214 	ss->handshaking = sslHandshakingAsClient;
    215     }
    216     ss->nextHandshake       = 0;
    217     ss->securityHandshake   = 0;
    218 
    219     ssl_GetRecvBufLock(ss);
    220     status = ssl_InitGather(&ss->gs);
    221     ssl_ReleaseRecvBufLock(ss);
    222 
    223     ssl_GetSSL3HandshakeLock(ss);
    224 
    225     /*
    226     ** Blow away old security state and get a fresh setup.
    227     */
    228     ssl_GetXmitBufLock(ss);
    229     ssl_ResetSecurityInfo(&ss->sec, PR_TRUE);
    230     status = ssl_CreateSecurityInfo(ss);
    231     ssl_ReleaseXmitBufLock(ss);
    232 
    233     ssl_ReleaseSSL3HandshakeLock(ss);
    234     ssl_Release1stHandshakeLock(ss);
    235 
    236     if (!ss->TCPconnected)
    237 	ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
    238 
    239     SSL_UNLOCK_WRITER(ss);
    240     SSL_UNLOCK_READER(ss);
    241 
    242     return status;
    243 }
    244 
    245 /* For SSLv2, does nothing but return an error.
    246 ** For SSLv3, flushes SID cache entry (if requested),
    247 ** and then starts new client hello or hello request.
    248 ** Acquires and releases HandshakeLock.
    249 */
    250 SECStatus
    251 SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)
    252 {
    253     sslSocket *ss;
    254     SECStatus  rv;
    255 
    256     ss = ssl_FindSocket(fd);
    257     if (!ss) {
    258 	SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd));
    259 	return SECFailure;
    260     }
    261 
    262     if (!ss->opt.useSecurity)
    263 	return SECSuccess;
    264 
    265     ssl_Get1stHandshakeLock(ss);
    266 
    267     /* SSL v2 protocol does not support subsequent handshakes. */
    268     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
    269 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
    270 	rv = SECFailure;
    271     } else {
    272 	ssl_GetSSL3HandshakeLock(ss);
    273 	rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
    274 	ssl_ReleaseSSL3HandshakeLock(ss);
    275     }
    276 
    277     ssl_Release1stHandshakeLock(ss);
    278 
    279     return rv;
    280 }
    281 
    282 /*
    283 ** Same as above, but with an I/O timeout.
    284  */
    285 SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
    286                                                 PRBool flushCache,
    287                                                 PRIntervalTime timeout)
    288 {
    289     if (SECSuccess != ssl_SetTimeout(fd, timeout)) {
    290         return SECFailure;
    291     }
    292     return SSL_ReHandshake(fd, flushCache);
    293 }
    294 
    295 SECStatus
    296 SSL_RedoHandshake(PRFileDesc *fd)
    297 {
    298     return SSL_ReHandshake(fd, PR_TRUE);
    299 }
    300 
    301 /* Register an application callback to be called when SSL handshake completes.
    302 ** Acquires and releases HandshakeLock.
    303 */
    304 SECStatus
    305 SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
    306 		      void *client_data)
    307 {
    308     sslSocket *ss;
    309 
    310     ss = ssl_FindSocket(fd);
    311     if (!ss) {
    312 	SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback",
    313 		 SSL_GETPID(), fd));
    314 	return SECFailure;
    315     }
    316 
    317     if (!ss->opt.useSecurity) {
    318 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
    319 	return SECFailure;
    320     }
    321 
    322     ssl_Get1stHandshakeLock(ss);
    323     ssl_GetSSL3HandshakeLock(ss);
    324 
    325     ss->handshakeCallback     = cb;
    326     ss->handshakeCallbackData = client_data;
    327 
    328     ssl_ReleaseSSL3HandshakeLock(ss);
    329     ssl_Release1stHandshakeLock(ss);
    330 
    331     return SECSuccess;
    332 }
    333 
    334 /* Try to make progress on an SSL handshake by attempting to read the
    335 ** next handshake from the peer, and sending any responses.
    336 ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot
    337 ** read the next handshake from the underlying socket.
    338 ** For SSLv2, returns when handshake is complete or fatal error occurs.
    339 ** For SSLv3, returns when handshake is complete, or application data has
    340 ** arrived that must be taken by application before handshake can continue,
    341 ** or a fatal error occurs.
    342 ** Application should use handshake completion callback to tell which.
    343 */
    344 SECStatus
    345 SSL_ForceHandshake(PRFileDesc *fd)
    346 {
    347     sslSocket *ss;
    348     SECStatus  rv = SECFailure;
    349 
    350     ss = ssl_FindSocket(fd);
    351     if (!ss) {
    352 	SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake",
    353 		 SSL_GETPID(), fd));
    354 	return rv;
    355     }
    356 
    357     /* Don't waste my time */
    358     if (!ss->opt.useSecurity)
    359     	return SECSuccess;
    360 
    361     if (!ssl_SocketIsBlocking(ss)) {
    362 	ssl_GetXmitBufLock(ss);
    363 	if (ss->pendingBuf.len != 0) {
    364 	    int sent = ssl_SendSavedWriteData(ss);
    365 	    if ((sent < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
    366 		ssl_ReleaseXmitBufLock(ss);
    367 		return SECFailure;
    368 	    }
    369 	}
    370 	ssl_ReleaseXmitBufLock(ss);
    371     }
    372 
    373     ssl_Get1stHandshakeLock(ss);
    374 
    375     if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
    376 	int gatherResult;
    377 
    378     	ssl_GetRecvBufLock(ss);
    379 	gatherResult = ssl3_GatherCompleteHandshake(ss, 0);
    380 	ssl_ReleaseRecvBufLock(ss);
    381 	if (gatherResult > 0) {
    382 	    rv = SECSuccess;
    383 	} else if (gatherResult == 0) {
    384 	    PORT_SetError(PR_END_OF_FILE_ERROR);
    385 	} else if (gatherResult == SECWouldBlock) {
    386 	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
    387 	}
    388     } else if (!ss->firstHsDone) {
    389 	rv = ssl_Do1stHandshake(ss);
    390     } else {
    391 	/* tried to force handshake on an SSL 2 socket that has
    392 	** already completed the handshake. */
    393     	rv = SECSuccess;	/* just pretend we did it. */
    394     }
    395 
    396     ssl_Release1stHandshakeLock(ss);
    397 
    398     return rv;
    399 }
    400 
    401 /*
    402  ** Same as above, but with an I/O timeout.
    403  */
    404 SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
    405                                                    PRIntervalTime timeout)
    406 {
    407     if (SECSuccess != ssl_SetTimeout(fd, timeout)) {
    408         return SECFailure;
    409     }
    410     return SSL_ForceHandshake(fd);
    411 }
    412 
    413 
    414 /************************************************************************/
    415 
    416 /*
    417 ** Grow a buffer to hold newLen bytes of data.
    418 ** Called for both recv buffers and xmit buffers.
    419 ** Caller must hold xmitBufLock or recvBufLock, as appropriate.
    420 */
    421 SECStatus
    422 sslBuffer_Grow(sslBuffer *b, unsigned int newLen)
    423 {
    424     newLen = PR_MAX(newLen, MAX_FRAGMENT_LENGTH + 2048);
    425     if (newLen > b->space) {
    426 	unsigned char *newBuf;
    427 	if (b->buf) {
    428 	    newBuf = (unsigned char *) PORT_Realloc(b->buf, newLen);
    429 	} else {
    430 	    newBuf = (unsigned char *) PORT_Alloc(newLen);
    431 	}
    432 	if (!newBuf) {
    433 	    return SECFailure;
    434 	}
    435 	SSL_TRC(10, ("%d: SSL: grow buffer from %d to %d",
    436 		     SSL_GETPID(), b->space, newLen));
    437 	b->buf = newBuf;
    438 	b->space = newLen;
    439     }
    440     return SECSuccess;
    441 }
    442 
    443 SECStatus
    444 sslBuffer_Append(sslBuffer *b, const void * data, unsigned int len)
    445 {
    446     unsigned int newLen = b->len + len;
    447     SECStatus rv;
    448 
    449     rv = sslBuffer_Grow(b, newLen);
    450     if (rv != SECSuccess)
    451     	return rv;
    452     PORT_Memcpy(b->buf + b->len, data, len);
    453     b->len += len;
    454     return SECSuccess;
    455 }
    456 
    457 /*
    458 ** Save away write data that is trying to be written before the security
    459 ** handshake has been completed. When the handshake is completed, we will
    460 ** flush this data out.
    461 ** Caller must hold xmitBufLock
    462 */
    463 SECStatus
    464 ssl_SaveWriteData(sslSocket *ss, const void *data, unsigned int len)
    465 {
    466     SECStatus    rv;
    467 
    468     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
    469     rv = sslBuffer_Append(&ss->pendingBuf, data, len);
    470     SSL_TRC(5, ("%d: SSL[%d]: saving %u bytes of data (%u total saved so far)",
    471 		 SSL_GETPID(), ss->fd, len, ss->pendingBuf.len));
    472     return rv;
    473 }
    474 
    475 /*
    476 ** Send saved write data. This will flush out data sent prior to a
    477 ** complete security handshake. Hopefully there won't be too much of it.
    478 ** Returns count of the bytes sent, NOT a SECStatus.
    479 ** Caller must hold xmitBufLock
    480 */
    481 int
    482 ssl_SendSavedWriteData(sslSocket *ss)
    483 {
    484     int rv	= 0;
    485 
    486     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
    487     if (ss->pendingBuf.len != 0) {
    488 	SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",
    489 		     SSL_GETPID(), ss->fd, ss->pendingBuf.len));
    490 	rv = ssl_DefSend(ss, ss->pendingBuf.buf, ss->pendingBuf.len, 0);
    491 	if (rv < 0) {
    492 	    return rv;
    493 	}
    494 	ss->pendingBuf.len -= rv;
    495 	if (ss->pendingBuf.len > 0 && rv > 0) {
    496 	    /* UGH !! This shifts the whole buffer down by copying it */
    497 	    PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv,
    498 	                 ss->pendingBuf.len);
    499     	}
    500     }
    501     return rv;
    502 }
    503 
    504 /************************************************************************/
    505 
    506 /*
    507 ** Receive some application data on a socket.  Reads SSL records from the input
    508 ** stream, decrypts them and then copies them to the output buffer.
    509 ** Called from ssl_SecureRecv() below.
    510 **
    511 ** Caller does NOT hold 1stHandshakeLock because that handshake is over.
    512 ** Caller doesn't call this until initial handshake is complete.
    513 ** For SSLv2, there is no subsequent handshake.
    514 ** For SSLv3, the call to ssl3_GatherAppDataRecord may encounter handshake
    515 ** messages from a subsequent handshake.
    516 **
    517 ** This code is similar to, and easily confused with,
    518 **   ssl_GatherRecord1stHandshake() in sslcon.c
    519 */
    520 static int
    521 DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
    522 {
    523     int              rv;
    524     int              amount;
    525     int              available;
    526 
    527     ssl_GetRecvBufLock(ss);
    528 
    529     available = ss->gs.writeOffset - ss->gs.readOffset;
    530     if (available == 0) {
    531 	/* Get some more data */
    532 	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
    533 	    /* Wait for application data to arrive.  */
    534 	    rv = ssl3_GatherAppDataRecord(ss, 0);
    535 	} else {
    536 	    /* See if we have a complete record */
    537 	    rv = ssl2_GatherRecord(ss, 0);
    538 	}
    539 	if (rv <= 0) {
    540 	    if (rv == 0) {
    541 		/* EOF */
    542 		SSL_TRC(10, ("%d: SSL[%d]: ssl_recv EOF",
    543 			     SSL_GETPID(), ss->fd));
    544 		goto done;
    545 	    }
    546 	    if ((rv != SECWouldBlock) &&
    547 	        (PR_GetError() != PR_WOULD_BLOCK_ERROR)) {
    548 		/* Some random error */
    549 		goto done;
    550 	    }
    551 
    552 	    /*
    553 	    ** Gather record is blocked waiting for more record data to
    554 	    ** arrive. Try to process what we have already received
    555 	    */
    556 	} else {
    557 	    /* Gather record has finished getting a complete record */
    558 	}
    559 
    560 	/* See if any clear data is now available */
    561 	available = ss->gs.writeOffset - ss->gs.readOffset;
    562 	if (available == 0) {
    563 	    /*
    564 	    ** No partial data is available. Force error code to
    565 	    ** EWOULDBLOCK so that caller will try again later. Note
    566 	    ** that the error code is probably EWOULDBLOCK already,
    567 	    ** but if it isn't (for example, if we received a zero
    568 	    ** length record) then this will force it to be correct.
    569 	    */
    570 	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
    571 	    rv = SECFailure;
    572 	    goto done;
    573 	}
    574 	SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d",
    575 		     SSL_GETPID(), ss->fd, available));
    576     }
    577 
    578     /* Dole out clear data to reader */
    579     amount = PR_MIN(len, available);
    580     PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount);
    581     if (!(flags & PR_MSG_PEEK)) {
    582 	ss->gs.readOffset += amount;
    583     }
    584     PORT_Assert(ss->gs.readOffset <= ss->gs.writeOffset);
    585     rv = amount;
    586 
    587     SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d",
    588 		 SSL_GETPID(), ss->fd, amount, available));
    589     PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount));
    590 
    591 done:
    592     ssl_ReleaseRecvBufLock(ss);
    593     return rv;
    594 }
    595 
    596 /************************************************************************/
    597 
    598 /*
    599 ** Return SSLKEAType derived from cert's Public Key algorithm info.
    600 */
    601 SSLKEAType
    602 NSS_FindCertKEAType(CERTCertificate * cert)
    603 {
    604   SSLKEAType keaType = kt_null;
    605   int tag;
    606 
    607   if (!cert) goto loser;
    608 
    609   tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
    610 
    611   switch (tag) {
    612   case SEC_OID_X500_RSA_ENCRYPTION:
    613   case SEC_OID_PKCS1_RSA_ENCRYPTION:
    614     keaType = kt_rsa;
    615     break;
    616   case SEC_OID_X942_DIFFIE_HELMAN_KEY:
    617     keaType = kt_dh;
    618     break;
    619 #ifdef NSS_ENABLE_ECC
    620   case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
    621     keaType = kt_ecdh;
    622     break;
    623 #endif /* NSS_ENABLE_ECC */
    624   default:
    625     keaType = kt_null;
    626   }
    627 
    628  loser:
    629 
    630   return keaType;
    631 }
    632 
    633 static const PRCallOnceType pristineCallOnce;
    634 static       PRCallOnceType setupServerCAListOnce;
    635 
    636 static SECStatus serverCAListShutdown(void* appData, void* nssData)
    637 {
    638     PORT_Assert(ssl3_server_ca_list);
    639     if (ssl3_server_ca_list) {
    640 	CERT_FreeDistNames(ssl3_server_ca_list);
    641 	ssl3_server_ca_list = NULL;
    642     }
    643     setupServerCAListOnce = pristineCallOnce;
    644     return SECSuccess;
    645 }
    646 
    647 static PRStatus serverCAListSetup(void *arg)
    648 {
    649     CERTCertDBHandle *dbHandle = (CERTCertDBHandle *)arg;
    650     SECStatus rv = NSS_RegisterShutdown(serverCAListShutdown, NULL);
    651     PORT_Assert(SECSuccess == rv);
    652     if (SECSuccess == rv) {
    653 	ssl3_server_ca_list = CERT_GetSSLCACerts(dbHandle);
    654 	return PR_SUCCESS;
    655     }
    656     return PR_FAILURE;
    657 }
    658 
    659 SECStatus
    660 ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
    661                        const CERTCertificateList *certChain,
    662                        ssl3KeyPair *keyPair, SSLKEAType kea)
    663 {
    664     CERTCertificateList *localCertChain = NULL;
    665     sslServerCerts  *sc = ss->serverCerts + kea;
    666 
    667     /* load the server certificate */
    668     if (sc->serverCert != NULL) {
    669 	CERT_DestroyCertificate(sc->serverCert);
    670     	sc->serverCert = NULL;
    671         sc->serverKeyBits = 0;
    672     }
    673     /* load the server cert chain */
    674     if (sc->serverCertChain != NULL) {
    675 	CERT_DestroyCertificateList(sc->serverCertChain);
    676     	sc->serverCertChain = NULL;
    677     }
    678     if (cert) {
    679         sc->serverCert = CERT_DupCertificate(cert);
    680         /* get the size of the cert's public key, and remember it */
    681         sc->serverKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->pubKey);
    682         if (!certChain) {
    683             localCertChain =
    684                 CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer,
    685                                        PR_TRUE);
    686             if (!localCertChain)
    687                 goto loser;
    688         }
    689         sc->serverCertChain = (certChain) ? CERT_DupCertList(certChain) :
    690                                             localCertChain;
    691         if (!sc->serverCertChain) {
    692             goto loser;
    693         }
    694         localCertChain = NULL;      /* consumed */
    695     }
    696 
    697     /* get keyPair */
    698     if (sc->serverKeyPair != NULL) {
    699         ssl3_FreeKeyPair(sc->serverKeyPair);
    700         sc->serverKeyPair = NULL;
    701     }
    702     if (keyPair) {
    703         SECKEY_CacheStaticFlags(keyPair->privKey);
    704         sc->serverKeyPair = ssl3_GetKeyPairRef(keyPair);
    705     }
    706     if (kea == kt_rsa && cert && sc->serverKeyBits > 512 &&
    707         !ss->opt.noStepDown && !ss->stepDownKeyPair) {
    708         if (ssl3_CreateRSAStepDownKeys(ss) != SECSuccess) {
    709             goto loser;
    710         }
    711     }
    712     return SECSuccess;
    713 
    714 loser:
    715     if (localCertChain) {
    716         CERT_DestroyCertificateList(localCertChain);
    717     }
    718     if (sc->serverCert != NULL) {
    719 	CERT_DestroyCertificate(sc->serverCert);
    720 	sc->serverCert = NULL;
    721     }
    722     if (sc->serverCertChain != NULL) {
    723 	CERT_DestroyCertificateList(sc->serverCertChain);
    724 	sc->serverCertChain = NULL;
    725     }
    726     if (sc->serverKeyPair != NULL) {
    727 	ssl3_FreeKeyPair(sc->serverKeyPair);
    728 	sc->serverKeyPair = NULL;
    729     }
    730     return SECFailure;
    731 }
    732 
    733 /* XXX need to protect the data that gets changed here.!! */
    734 
    735 SECStatus
    736 SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
    737 		       SECKEYPrivateKey *key, SSL3KEAType kea)
    738 {
    739 
    740     return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea);
    741 }
    742 
    743 SECStatus
    744 SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert,
    745                                     const CERTCertificateList *certChainOpt,
    746                                     SECKEYPrivateKey *key, SSL3KEAType kea)
    747 {
    748     sslSocket *ss;
    749     SECKEYPublicKey *pubKey = NULL;
    750     ssl3KeyPair *keyPair = NULL;
    751     SECStatus rv = SECFailure;
    752 
    753     ss = ssl_FindSocket(fd);
    754     if (!ss) {
    755 	return SECFailure;
    756     }
    757 
    758     /* Both key and cert must have a value or be NULL */
    759     /* Passing a value of NULL will turn off key exchange algorithms that were
    760      * previously turned on */
    761     if (!cert != !key) {
    762 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
    763 	return SECFailure;
    764     }
    765 
    766     /* make sure the key exchange is recognized */
    767     if ((kea >= kt_kea_size) || (kea < kt_null)) {
    768 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
    769 	return SECFailure;
    770     }
    771 
    772     if (kea != NSS_FindCertKEAType(cert)) {
    773     	PORT_SetError(SSL_ERROR_CERT_KEA_MISMATCH);
    774 	return SECFailure;
    775     }
    776 
    777     if (cert) {
    778     	/* get the size of the cert's public key, and remember it */
    779 	pubKey = CERT_ExtractPublicKey(cert);
    780 	if (!pubKey)
    781             return SECFailure;
    782     }
    783 
    784     if (key) {
    785 	SECKEYPrivateKey * keyCopy	= NULL;
    786 	CK_MECHANISM_TYPE  keyMech	= CKM_INVALID_MECHANISM;
    787 
    788 	if (key->pkcs11Slot) {
    789 	    PK11SlotInfo * bestSlot;
    790 	    bestSlot = PK11_ReferenceSlot(key->pkcs11Slot);
    791 	    if (bestSlot) {
    792 		keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key);
    793 		PK11_FreeSlot(bestSlot);
    794 	    }
    795 	}
    796 	if (keyCopy == NULL)
    797 	    keyMech = PK11_MapSignKeyType(key->keyType);
    798 	if (keyMech != CKM_INVALID_MECHANISM) {
    799 	    PK11SlotInfo * bestSlot;
    800 	    /* XXX Maybe should be bestSlotMultiple? */
    801 	    bestSlot = PK11_GetBestSlot(keyMech, NULL /* wincx */);
    802 	    if (bestSlot) {
    803 		keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key);
    804 		PK11_FreeSlot(bestSlot);
    805 	    }
    806 	}
    807 	if (keyCopy == NULL)
    808 	    keyCopy = SECKEY_CopyPrivateKey(key);
    809 	if (keyCopy == NULL)
    810 	    goto loser;
    811         keyPair = ssl3_NewKeyPair(keyCopy, pubKey);
    812         if (keyPair == NULL) {
    813             SECKEY_DestroyPrivateKey(keyCopy);
    814             goto loser;
    815         }
    816 	pubKey = NULL; /* adopted by serverKeyPair */
    817     }
    818     if (ssl_ConfigSecureServer(ss, cert, certChainOpt,
    819                                keyPair, kea) == SECFailure) {
    820         goto loser;
    821     }
    822 
    823     /* Only do this once because it's global. */
    824     if (PR_SUCCESS == PR_CallOnceWithArg(&setupServerCAListOnce,
    825                                          &serverCAListSetup,
    826                                          (void *)(ss->dbHandle))) {
    827         rv = SECSuccess;
    828     }
    829 
    830 loser:
    831     if (keyPair) {
    832         ssl3_FreeKeyPair(keyPair);
    833     }
    834     if (pubKey) {
    835 	SECKEY_DestroyPublicKey(pubKey);
    836 	pubKey = NULL;
    837     }
    838     return rv;
    839 }
    840 
    841 /************************************************************************/
    842 
    843 SECStatus
    844 ssl_CreateSecurityInfo(sslSocket *ss)
    845 {
    846     SECStatus status;
    847 
    848     /* initialize sslv2 socket to send data in the clear. */
    849     ssl2_UseClearSendFunc(ss);
    850 
    851     ss->sec.blockSize  = 1;
    852     ss->sec.blockShift = 0;
    853 
    854     ssl_GetXmitBufLock(ss);
    855     status = sslBuffer_Grow(&ss->sec.writeBuf, 4096);
    856     ssl_ReleaseXmitBufLock(ss);
    857 
    858     return status;
    859 }
    860 
    861 SECStatus
    862 ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os)
    863 {
    864     ss->sec.send 		= os->sec.send;
    865     ss->sec.isServer 		= os->sec.isServer;
    866     ss->sec.keyBits    		= os->sec.keyBits;
    867     ss->sec.secretKeyBits 	= os->sec.secretKeyBits;
    868 
    869     ss->sec.peerCert   		= CERT_DupCertificate(os->sec.peerCert);
    870     if (os->sec.peerCert && !ss->sec.peerCert)
    871     	goto loser;
    872 
    873     ss->sec.cache      		= os->sec.cache;
    874     ss->sec.uncache    		= os->sec.uncache;
    875 
    876     /* we don't dup the connection info. */
    877 
    878     ss->sec.sendSequence 	= os->sec.sendSequence;
    879     ss->sec.rcvSequence 	= os->sec.rcvSequence;
    880 
    881     if (os->sec.hash && os->sec.hashcx) {
    882 	ss->sec.hash 		= os->sec.hash;
    883 	ss->sec.hashcx 		= os->sec.hash->clone(os->sec.hashcx);
    884 	if (os->sec.hashcx && !ss->sec.hashcx)
    885 	    goto loser;
    886     } else {
    887 	ss->sec.hash 		= NULL;
    888 	ss->sec.hashcx 		= NULL;
    889     }
    890 
    891     SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret);
    892     if (os->sec.sendSecret.data && !ss->sec.sendSecret.data)
    893     	goto loser;
    894     SECITEM_CopyItem(0, &ss->sec.rcvSecret,  &os->sec.rcvSecret);
    895     if (os->sec.rcvSecret.data && !ss->sec.rcvSecret.data)
    896     	goto loser;
    897 
    898     /* XXX following code is wrong if either cx != 0 */
    899     PORT_Assert(os->sec.readcx  == 0);
    900     PORT_Assert(os->sec.writecx == 0);
    901     ss->sec.readcx     		= os->sec.readcx;
    902     ss->sec.writecx    		= os->sec.writecx;
    903     ss->sec.destroy    		= 0;
    904 
    905     ss->sec.enc        		= os->sec.enc;
    906     ss->sec.dec        		= os->sec.dec;
    907 
    908     ss->sec.blockShift 		= os->sec.blockShift;
    909     ss->sec.blockSize  		= os->sec.blockSize;
    910 
    911     return SECSuccess;
    912 
    913 loser:
    914     return SECFailure;
    915 }
    916 
    917 /* Reset sec back to its initial state.
    918 ** Caller holds any relevant locks.
    919 */
    920 void
    921 ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
    922 {
    923     /* Destroy MAC */
    924     if (sec->hash && sec->hashcx) {
    925 	(*sec->hash->destroy)(sec->hashcx, PR_TRUE);
    926 	sec->hashcx = NULL;
    927 	sec->hash = NULL;
    928     }
    929     SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);
    930     SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);
    931 
    932     /* Destroy ciphers */
    933     if (sec->destroy) {
    934 	(*sec->destroy)(sec->readcx, PR_TRUE);
    935 	(*sec->destroy)(sec->writecx, PR_TRUE);
    936 	sec->readcx = NULL;
    937 	sec->writecx = NULL;
    938     } else {
    939 	PORT_Assert(sec->readcx == 0);
    940 	PORT_Assert(sec->writecx == 0);
    941     }
    942     sec->readcx = 0;
    943     sec->writecx = 0;
    944 
    945     if (sec->localCert) {
    946 	CERT_DestroyCertificate(sec->localCert);
    947 	sec->localCert = NULL;
    948     }
    949     if (sec->peerCert) {
    950 	CERT_DestroyCertificate(sec->peerCert);
    951 	sec->peerCert = NULL;
    952     }
    953     if (sec->peerKey) {
    954 	SECKEY_DestroyPublicKey(sec->peerKey);
    955 	sec->peerKey = NULL;
    956     }
    957 
    958     /* cleanup the ci */
    959     if (sec->ci.sid != NULL) {
    960 	ssl_FreeSID(sec->ci.sid);
    961     }
    962     PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
    963     if (doMemset) {
    964         memset(&sec->ci, 0, sizeof sec->ci);
    965     }
    966 
    967 }
    968 
    969 /*
    970 ** Called from SSL_ResetHandshake (above), and
    971 **        from ssl_FreeSocket     in sslsock.c
    972 ** Caller should hold relevant locks (e.g. XmitBufLock)
    973 */
    974 void
    975 ssl_DestroySecurityInfo(sslSecurityInfo *sec)
    976 {
    977     ssl_ResetSecurityInfo(sec, PR_FALSE);
    978 
    979     PORT_ZFree(sec->writeBuf.buf, sec->writeBuf.space);
    980     sec->writeBuf.buf = 0;
    981 
    982     memset(sec, 0, sizeof *sec);
    983 }
    984 
    985 /************************************************************************/
    986 
    987 int
    988 ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
    989 {
    990     PRFileDesc *osfd = ss->fd->lower;
    991     int rv;
    992 
    993     if ( ss->opt.handshakeAsServer ) {
    994 	ss->securityHandshake = ssl2_BeginServerHandshake;
    995 	ss->handshaking = sslHandshakingAsServer;
    996     } else {
    997 	ss->securityHandshake = ssl2_BeginClientHandshake;
    998 	ss->handshaking = sslHandshakingAsClient;
    999     }
   1000 
   1001     /* connect to server */
   1002     rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
   1003     if (rv == PR_SUCCESS) {
   1004 	ss->TCPconnected = 1;
   1005     } else {
   1006 	int err = PR_GetError();
   1007 	SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
   1008 		 SSL_GETPID(), ss->fd, err));
   1009 	if (err == PR_IS_CONNECTED_ERROR) {
   1010 	    ss->TCPconnected = 1;
   1011 	}
   1012     }
   1013 
   1014     SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, rv == %d",
   1015 		SSL_GETPID(), ss->fd, rv));
   1016     return rv;
   1017 }
   1018 
   1019 /*
   1020  * The TLS 1.2 RFC 5246, Section 7.2.1 says:
   1021  *
   1022  *     Unless some other fatal alert has been transmitted, each party is
   1023  *     required to send a close_notify alert before closing the write side
   1024  *     of the connection.  The other party MUST respond with a close_notify
   1025  *     alert of its own and close down the connection immediately,
   1026  *     discarding any pending writes.  It is not required for the initiator
   1027  *     of the close to wait for the responding close_notify alert before
   1028  *     closing the read side of the connection.
   1029  *
   1030  * The second sentence requires that we send a close_notify alert when we
   1031  * have received a close_notify alert.  In practice, all SSL implementations
   1032  * close the socket immediately after sending a close_notify alert (which is
   1033  * allowed by the third sentence), so responding with a close_notify alert
   1034  * would result in a write failure with the ECONNRESET error.  This is why
   1035  * we don't respond with a close_notify alert.
   1036  *
   1037  * Also, in the unlikely event that the TCP pipe is full and the peer stops
   1038  * reading, the SSL3_SendAlert call in ssl_SecureClose and ssl_SecureShutdown
   1039  * may block indefinitely in blocking mode, and may fail (without retrying)
   1040  * in non-blocking mode.
   1041  */
   1042 
   1043 int
   1044 ssl_SecureClose(sslSocket *ss)
   1045 {
   1046     int rv;
   1047 
   1048     if (ss->version >= SSL_LIBRARY_VERSION_3_0 	&&
   1049 	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)	&&
   1050     	ss->firstHsDone 			&&
   1051 	!ss->recvdCloseNotify                   &&
   1052 	ss->ssl3.initialized) {
   1053 
   1054 	/* We don't want the final alert to be Nagle delayed. */
   1055 	if (!ss->delayDisabled) {
   1056 	    ssl_EnableNagleDelay(ss, PR_FALSE);
   1057 	    ss->delayDisabled = 1;
   1058 	}
   1059 
   1060 	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
   1061     }
   1062     rv = ssl_DefClose(ss);
   1063     return rv;
   1064 }
   1065 
   1066 /* Caller handles all locking */
   1067 int
   1068 ssl_SecureShutdown(sslSocket *ss, int nsprHow)
   1069 {
   1070     PRFileDesc *osfd = ss->fd->lower;
   1071     int 	rv;
   1072     PRIntn	sslHow	= nsprHow + 1;
   1073 
   1074     if ((unsigned)nsprHow > PR_SHUTDOWN_BOTH) {
   1075 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   1076     	return PR_FAILURE;
   1077     }
   1078 
   1079     if ((sslHow & ssl_SHUTDOWN_SEND) != 0 		&&
   1080     	ss->version >= SSL_LIBRARY_VERSION_3_0		&&
   1081 	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)		&&
   1082 	ss->firstHsDone 				&&
   1083 	!ss->recvdCloseNotify                   	&&
   1084 	ss->ssl3.initialized) {
   1085 
   1086 	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
   1087     }
   1088 
   1089     rv = osfd->methods->shutdown(osfd, nsprHow);
   1090 
   1091     ss->shutdownHow |= sslHow;
   1092 
   1093     return rv;
   1094 }
   1095 
   1096 /************************************************************************/
   1097 
   1098 
   1099 int
   1100 ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
   1101 {
   1102     sslSecurityInfo *sec;
   1103     int              rv   = 0;
   1104 
   1105     sec = &ss->sec;
   1106 
   1107     if (ss->shutdownHow & ssl_SHUTDOWN_RCV) {
   1108 	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
   1109     	return PR_FAILURE;
   1110     }
   1111     if (flags & ~PR_MSG_PEEK) {
   1112 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   1113     	return PR_FAILURE;
   1114     }
   1115 
   1116     if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) {
   1117 	ssl_GetXmitBufLock(ss);
   1118 	if (ss->pendingBuf.len != 0) {
   1119 	    rv = ssl_SendSavedWriteData(ss);
   1120 	    if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
   1121 		ssl_ReleaseXmitBufLock(ss);
   1122 		return SECFailure;
   1123 	    }
   1124 	}
   1125 	ssl_ReleaseXmitBufLock(ss);
   1126     }
   1127 
   1128     rv = 0;
   1129     /* If any of these is non-zero, the initial handshake is not done. */
   1130     if (!ss->firstHsDone) {
   1131 	ssl_Get1stHandshakeLock(ss);
   1132 	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
   1133 	    rv = ssl_Do1stHandshake(ss);
   1134 	}
   1135 	ssl_Release1stHandshakeLock(ss);
   1136     }
   1137     if (rv < 0) {
   1138 	return rv;
   1139     }
   1140 
   1141     if (len == 0) return 0;
   1142 
   1143     rv = DoRecv(ss, (unsigned char*) buf, len, flags);
   1144     SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)",
   1145 		SSL_GETPID(), ss->fd, rv, PORT_GetError()));
   1146     return rv;
   1147 }
   1148 
   1149 int
   1150 ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
   1151 {
   1152     return ssl_SecureRecv(ss, buf, len, 0);
   1153 }
   1154 
   1155 /* Caller holds the SSL Socket's write lock. SSL_LOCK_WRITER(ss) */
   1156 int
   1157 ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
   1158 {
   1159     int              rv		= 0;
   1160 
   1161     SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
   1162 		SSL_GETPID(), ss->fd, len));
   1163 
   1164     if (ss->shutdownHow & ssl_SHUTDOWN_SEND) {
   1165 	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
   1166     	rv = PR_FAILURE;
   1167 	goto done;
   1168     }
   1169     if (flags) {
   1170 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   1171     	rv = PR_FAILURE;
   1172 	goto done;
   1173     }
   1174 
   1175     ssl_GetXmitBufLock(ss);
   1176     if (ss->pendingBuf.len != 0) {
   1177 	PORT_Assert(ss->pendingBuf.len > 0);
   1178 	rv = ssl_SendSavedWriteData(ss);
   1179 	if (rv >= 0 && ss->pendingBuf.len != 0) {
   1180 	    PORT_Assert(ss->pendingBuf.len > 0);
   1181 	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
   1182 	    rv = SECFailure;
   1183 	}
   1184     }
   1185     ssl_ReleaseXmitBufLock(ss);
   1186     if (rv < 0) {
   1187 	goto done;
   1188     }
   1189 
   1190     if (len > 0)
   1191     	ss->writerThread = PR_GetCurrentThread();
   1192     /* If any of these is non-zero, the initial handshake is not done. */
   1193     if (!ss->firstHsDone) {
   1194 	PRBool canFalseStart = PR_FALSE;
   1195 	ssl_Get1stHandshakeLock(ss);
   1196 	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
   1197 	    ssl_GetSSL3HandshakeLock(ss);
   1198 	    if ((ss->ssl3.hs.ws == wait_change_cipher ||
   1199 		ss->ssl3.hs.ws == wait_finished ||
   1200 		ss->ssl3.hs.ws == wait_new_session_ticket) &&
   1201 		ssl3_CanFalseStart(ss)) {
   1202 		canFalseStart = PR_TRUE;
   1203 	    }
   1204 	    ssl_ReleaseSSL3HandshakeLock(ss);
   1205 	}
   1206 	if (!canFalseStart &&
   1207 	    (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
   1208 	    rv = ssl_Do1stHandshake(ss);
   1209 	}
   1210 	ssl_Release1stHandshakeLock(ss);
   1211     }
   1212     if (rv < 0) {
   1213     	ss->writerThread = NULL;
   1214 	goto done;
   1215     }
   1216 
   1217     /* Check for zero length writes after we do housekeeping so we make forward
   1218      * progress.
   1219      */
   1220     if (len == 0) {
   1221     	rv = 0;
   1222 	goto done;
   1223     }
   1224     PORT_Assert(buf != NULL);
   1225     if (!buf) {
   1226 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   1227     	rv = PR_FAILURE;
   1228 	goto done;
   1229     }
   1230 
   1231     /* Send out the data using one of these functions:
   1232      *	ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock,
   1233      *  ssl3_SendApplicationData
   1234      */
   1235     ssl_GetXmitBufLock(ss);
   1236     rv = (*ss->sec.send)(ss, buf, len, flags);
   1237     ssl_ReleaseXmitBufLock(ss);
   1238     ss->writerThread = NULL;
   1239 done:
   1240     if (rv < 0) {
   1241 	SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count, error %d",
   1242 		    SSL_GETPID(), ss->fd, rv, PORT_GetError()));
   1243     } else {
   1244 	SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count",
   1245 		    SSL_GETPID(), ss->fd, rv));
   1246     }
   1247     return rv;
   1248 }
   1249 
   1250 int
   1251 ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len)
   1252 {
   1253     return ssl_SecureSend(ss, buf, len, 0);
   1254 }
   1255 
   1256 SECStatus
   1257 SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
   1258 {
   1259     sslSocket *ss;
   1260 
   1261     ss = ssl_FindSocket(fd);
   1262     if (!ss) {
   1263 	SSL_DBG(("%d: SSL[%d]: bad socket in SSLBadCertHook",
   1264 		 SSL_GETPID(), fd));
   1265 	return SECFailure;
   1266     }
   1267 
   1268     ss->handleBadCert = f;
   1269     ss->badCertArg = arg;
   1270 
   1271     return SECSuccess;
   1272 }
   1273 
   1274 /*
   1275  * Allow the application to pass the url or hostname into the SSL library
   1276  * so that we can do some checking on it. It will be used for the value in
   1277  * SNI extension of client hello message.
   1278  */
   1279 SECStatus
   1280 SSL_SetURL(PRFileDesc *fd, const char *url)
   1281 {
   1282     sslSocket *   ss = ssl_FindSocket(fd);
   1283     SECStatus     rv = SECSuccess;
   1284 
   1285     if (!ss) {
   1286 	SSL_DBG(("%d: SSL[%d]: bad socket in SSLSetURL",
   1287 		 SSL_GETPID(), fd));
   1288 	return SECFailure;
   1289     }
   1290     ssl_Get1stHandshakeLock(ss);
   1291     ssl_GetSSL3HandshakeLock(ss);
   1292 
   1293     if ( ss->url ) {
   1294 	PORT_Free((void *)ss->url);	/* CONST */
   1295     }
   1296 
   1297     ss->url = (const char *)PORT_Strdup(url);
   1298     if ( ss->url == NULL ) {
   1299 	rv = SECFailure;
   1300     }
   1301 
   1302     ssl_ReleaseSSL3HandshakeLock(ss);
   1303     ssl_Release1stHandshakeLock(ss);
   1304 
   1305     return rv;
   1306 }
   1307 
   1308 /*
   1309  * Allow the application to pass the set of trust anchors
   1310  */
   1311 SECStatus
   1312 SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *certList)
   1313 {
   1314     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
   1315     PR_NOT_REACHED("not implemented");
   1316     return SECFailure;
   1317 #if 0
   1318     sslSocket *   ss = ssl_FindSocket(fd);
   1319     CERTDistNames *names = NULL;
   1320 
   1321     if (!certList) {
   1322         PORT_SetError(SEC_ERROR_INVALID_ARGS);
   1323         return SECFailure;
   1324     }
   1325     if (!ss) {
   1326 	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetTrustAnchors",
   1327 		 SSL_GETPID(), fd));
   1328 	return SECFailure;
   1329     }
   1330 
   1331     names = CERT_DistNamesFromCertList(certList);
   1332     if (names == NULL) {
   1333         return SECFailure;
   1334     }
   1335     ssl_Get1stHandshakeLock(ss);
   1336     ssl_GetSSL3HandshakeLock(ss);
   1337     if (ss->ssl3.ca_list) {
   1338         CERT_FreeDistNames(ss->ssl3.ca_list);
   1339     }
   1340     ss->ssl3.ca_list = names;
   1341     ssl_ReleaseSSL3HandshakeLock(ss);
   1342     ssl_Release1stHandshakeLock(ss);
   1343 
   1344     return SECSuccess;
   1345 #endif
   1346 }
   1347 
   1348 /*
   1349 ** Returns Negative number on error, zero or greater on success.
   1350 ** Returns the amount of data immediately available to be read.
   1351 */
   1352 int
   1353 SSL_DataPending(PRFileDesc *fd)
   1354 {
   1355     sslSocket *ss;
   1356     int        rv  = 0;
   1357 
   1358     ss = ssl_FindSocket(fd);
   1359 
   1360     if (ss && ss->opt.useSecurity) {
   1361 	ssl_GetRecvBufLock(ss);
   1362 	rv = ss->gs.writeOffset - ss->gs.readOffset;
   1363 	ssl_ReleaseRecvBufLock(ss);
   1364     }
   1365 
   1366     return rv;
   1367 }
   1368 
   1369 SECStatus
   1370 SSL_InvalidateSession(PRFileDesc *fd)
   1371 {
   1372     sslSocket *   ss = ssl_FindSocket(fd);
   1373     SECStatus     rv = SECFailure;
   1374 
   1375     if (ss) {
   1376 	ssl_Get1stHandshakeLock(ss);
   1377 	ssl_GetSSL3HandshakeLock(ss);
   1378 
   1379 	if (ss->sec.ci.sid && ss->sec.uncache) {
   1380 	    ss->sec.uncache(ss->sec.ci.sid);
   1381 	    rv = SECSuccess;
   1382 	}
   1383 
   1384 	ssl_ReleaseSSL3HandshakeLock(ss);
   1385 	ssl_Release1stHandshakeLock(ss);
   1386     }
   1387     return rv;
   1388 }
   1389 
   1390 SECItem *
   1391 SSL_GetSessionID(PRFileDesc *fd)
   1392 {
   1393     sslSocket *    ss;
   1394     SECItem *      item = NULL;
   1395 
   1396     ss = ssl_FindSocket(fd);
   1397     if (ss) {
   1398 	ssl_Get1stHandshakeLock(ss);
   1399 	ssl_GetSSL3HandshakeLock(ss);
   1400 
   1401 	if (ss->opt.useSecurity && ss->firstHsDone && ss->sec.ci.sid) {
   1402 	    item = (SECItem *)PORT_Alloc(sizeof(SECItem));
   1403 	    if (item) {
   1404 		sslSessionID * sid = ss->sec.ci.sid;
   1405 		if (sid->version < SSL_LIBRARY_VERSION_3_0) {
   1406 		    item->len = SSL2_SESSIONID_BYTES;
   1407 		    item->data = (unsigned char*)PORT_Alloc(item->len);
   1408 		    PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
   1409 		} else {
   1410 		    item->len = sid->u.ssl3.sessionIDLength;
   1411 		    item->data = (unsigned char*)PORT_Alloc(item->len);
   1412 		    PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len);
   1413 		}
   1414 	    }
   1415 	}
   1416 
   1417 	ssl_ReleaseSSL3HandshakeLock(ss);
   1418 	ssl_Release1stHandshakeLock(ss);
   1419     }
   1420     return item;
   1421 }
   1422 
   1423 SECStatus
   1424 SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle)
   1425 {
   1426     sslSocket *    ss;
   1427 
   1428     ss = ssl_FindSocket(fd);
   1429     if (!ss)
   1430     	return SECFailure;
   1431     if (!dbHandle) {
   1432     	PORT_SetError(SEC_ERROR_INVALID_ARGS);
   1433 	return SECFailure;
   1434     }
   1435     ss->dbHandle = dbHandle;
   1436     return SECSuccess;
   1437 }
   1438 
   1439 /*
   1440  * attempt to restart the handshake after asynchronously handling
   1441  * a request for the client's certificate.
   1442  *
   1443  * inputs:
   1444  *	cert	Client cert chosen by application.
   1445  *		Note: ssl takes this reference, and does not bump the
   1446  *		reference count.  The caller should drop its reference
   1447  *		without calling CERT_DestroyCertificate after calling this
   1448  *		function.
   1449  *
   1450  *	key	Private key associated with cert.  This function takes
   1451  *		ownership of the private key, so the caller should drop its
   1452  *		reference without destroying the private key after this
   1453  *		function returns.
   1454  *
   1455  *	certChain  Chain of signers for cert.
   1456  *		Note: ssl takes this reference, and does not copy the chain.
   1457  *		The caller should drop its reference without destroying the
   1458  *		chain.  SSL will free the chain when it is done with it.
   1459  *
   1460  * Return value: XXX
   1461  *
   1462  * XXX This code only works on the initial handshake on a connection, XXX
   1463  *     It does not work on a subsequent handshake (redo).
   1464  */
   1465 SECStatus
   1466 SSL_RestartHandshakeAfterCertReq(PRFileDesc *        fd,
   1467 				CERTCertificate *    cert,
   1468 				SECKEYPrivateKey *   key,
   1469 				CERTCertificateList *certChain)
   1470 {
   1471     sslSocket *   ss = ssl_FindSocket(fd);
   1472     SECStatus     ret;
   1473 
   1474     if (!ss) {
   1475 	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RestartHandshakeAfterCertReq",
   1476 		 SSL_GETPID(), fd));
   1477 	if (cert) {
   1478 	    CERT_DestroyCertificate(cert);
   1479 	}
   1480 	if (key) {
   1481 	    SECKEY_DestroyPrivateKey(key);
   1482 	}
   1483 	if (certChain) {
   1484 	    CERT_DestroyCertificateList(certChain);
   1485 	}
   1486 	return SECFailure;
   1487     }
   1488 
   1489     ssl_Get1stHandshakeLock(ss);   /************************************/
   1490 
   1491     if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
   1492 	ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
   1493     } else {
   1494 	if (certChain != NULL) {
   1495 	    CERT_DestroyCertificateList(certChain);
   1496 	}
   1497 	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
   1498 	ret = SECFailure;
   1499     }
   1500 
   1501     ssl_Release1stHandshakeLock(ss);  /************************************/
   1502     return ret;
   1503 }
   1504 
   1505 SECStatus
   1506 SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc *      fd,
   1507 				      SECKEYPublicKey * channelIDPub,
   1508 				      SECKEYPrivateKey *channelID)
   1509 {
   1510     sslSocket *   ss = ssl_FindSocket(fd);
   1511     SECStatus     ret;
   1512 
   1513     if (!ss) {
   1514 	SSL_DBG(("%d: SSL[%d]: bad socket in"
   1515 		 " SSL_RestartHandshakeAfterChannelIDReq",
   1516 		 SSL_GETPID(), fd));
   1517 	goto loser;
   1518     }
   1519 
   1520 
   1521     ssl_Get1stHandshakeLock(ss);
   1522 
   1523     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
   1524 	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
   1525 	ssl_Release1stHandshakeLock(ss);
   1526 	goto loser;
   1527     }
   1528 
   1529     ret = ssl3_RestartHandshakeAfterChannelIDReq(ss, channelIDPub,
   1530 						 channelID);
   1531     ssl_Release1stHandshakeLock(ss);
   1532 
   1533     return ret;
   1534 
   1535 loser:
   1536     SECKEY_DestroyPublicKey(channelIDPub);
   1537     SECKEY_DestroyPrivateKey(channelID);
   1538     return SECFailure;
   1539 }
   1540 
   1541 /* DO NOT USE. This function was exported in ssl.def with the wrong signature;
   1542  * this implementation exists to maintain link-time compatibility.
   1543  */
   1544 int
   1545 SSL_RestartHandshakeAfterServerCert(sslSocket * ss)
   1546 {
   1547     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
   1548     return -1;
   1549 }
   1550 
   1551 /* See documentation in ssl.h */
   1552 SECStatus
   1553 SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error)
   1554 {
   1555     SECStatus rv;
   1556     sslSocket *ss = ssl_FindSocket(fd);
   1557 
   1558     if (!ss) {
   1559 	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_AuthCertificateComplete",
   1560 		 SSL_GETPID(), fd));
   1561 	return SECFailure;
   1562     }
   1563 
   1564     ssl_Get1stHandshakeLock(ss);
   1565 
   1566     if (!ss->ssl3.initialized) {
   1567 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
   1568 	rv = SECFailure;
   1569     } else if (ss->version < SSL_LIBRARY_VERSION_3_0) {
   1570 	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
   1571 	rv = SECFailure;
   1572     } else {
   1573 	rv = ssl3_AuthCertificateComplete(ss, error);
   1574     }
   1575 
   1576     ssl_Release1stHandshakeLock(ss);
   1577 
   1578     return rv;
   1579 }
   1580 
   1581 /* For more info see ssl.h */
   1582 SECStatus
   1583 SSL_SNISocketConfigHook(PRFileDesc *fd, SSLSNISocketConfig func,
   1584                         void *arg)
   1585 {
   1586     sslSocket *ss;
   1587 
   1588     ss = ssl_FindSocket(fd);
   1589     if (!ss) {
   1590 	SSL_DBG(("%d: SSL[%d]: bad socket in SNISocketConfigHook",
   1591 		 SSL_GETPID(), fd));
   1592 	return SECFailure;
   1593     }
   1594 
   1595     ss->sniSocketConfig = func;
   1596     ss->sniSocketConfigArg = arg;
   1597     return SECSuccess;
   1598 }
   1599