Fix bug 135261. Create symbolic names for the values 2 and 3 for the

SSL_REQUIRE_CERTIFICATE option. Value 2 has always been the default. New Value 3 is appropriate for servers that want to re-request, but still not require, client-auth from a client with whom an SSL session is already established.
2002-06-22 01:40:32 +00:00 · 2002-06-22 01:40:32 +00:00 · 071fe9ae9c
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@ -32,7 +32,7 @@
 * may use your version of this file under either the MPL or the
 * GPL.
 *
- * $Id: ssl.h,v 1.13 2002/06/21 18:25:46 wtc%netscape.com Exp $
+ * $Id: ssl.h,v 1.14 2002/06/22 01:40:31 nelsonb%netscape.com Exp $
 */

 #ifndef __ssl_h_
@ -138,6 +138,12 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
 #define SSL_ALLOWED		 1
 #define SSL_RESTRICTED		 2	      /* only with "Step-Up" certs. */

+/* Values for "on" with SSL_REQUIRE_CERTIFICATE. */
+#define SSL_REQUIRE_NEVER           ((PRBool)0)
+#define SSL_REQUIRE_ALWAYS          ((PRBool)1)
+#define SSL_REQUIRE_FIRST_HANDSHAKE ((PRBool)2)
+#define SSL_REQUIRE_NO_ERROR        ((PRBool)3)
+
 /*
 ** Reset the handshake state for fd. This will make the complete SSL
 ** handshake protocol execute from the ground up on the next i/o
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@ -33,7 +33,7 @@
 * may use your version of this file under either the MPL or the
 * GPL.
 *
- * $Id: ssl3con.c,v 1.36 2002/06/19 15:21:37 ian.mcgreer%sun.com Exp $
+ * $Id: ssl3con.c,v 1.37 2002/06/22 01:40:32 nelsonb%netscape.com Exp $
 */

 #include "nssrenam.h"
@ -1615,8 +1615,9 @@ ssl3_HandleNoCertificate(sslSocket *ss)
     * first handshake because if we're redoing the handshake we 
     * know the server is paying attention to the certificate.
     */
-    if ((ss->requireCertificate == 1) ||
-	(!ss->firstHsDone && (ss->requireCertificate > 1))) {
+    if ((ss->requireCertificate == SSL_REQUIRE_ALWAYS) ||
+	(!ss->firstHsDone && 
+	 (ss->requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
 	PRFileDesc * lower;

 	ss->sec.uncache(ss->sec.ci.sid);
@ -5009,8 +5010,10 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	 * then drop this old cache entry and start a new session.
 	 */
 	if ((sid->peerCert == NULL) && ss->requestCertificate &&
-	    ((ss->requireCertificate == 1) ||
-	     ((ss->requireCertificate == 2) && !ss->firstHsDone))) {
+	    ((ss->requireCertificate == SSL_REQUIRE_ALWAYS) ||
+	     (ss->requireCertificate == SSL_REQUIRE_NO_ERROR) ||
+	     ((ss->requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE) 
+	      && !ss->firstHsDone))) {

 	    ++ssl3stats.hch_sid_cache_not_ok;
 	    ss->sec.uncache(sid);