Bug 716636, Part 2: Fix cert authentication lock reentrence, r=honzab

2024-09-13 09:24:08 -07:00 · 2012-01-31 05:19:52 -08:00 · 2012-01-31 05:19:52 -08:00 · 9afea7b820
commit 9afea7b820
parent 63e61f7ddf
2 changed files with 12 additions and 5 deletions
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@ -599,12 +599,9 @@ SSLServerCertVerificationJob::Dispatch(const void * fdForLogging,
                                       CERTCertificate * serverCert)
 {
  // Runs on the socket transport thread
-
  if (!socketInfo || !serverCert) {
    NS_ERROR("Invalid parameters for SSL server cert validation");
-    socketInfo->SetCertVerificationResult(PR_INVALID_STATE_ERROR,
-                                          PlainErrorMessage);
-    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
    return SECFailure;
  }
  
@ -619,10 +616,16 @@ SSLServerCertVerificationJob::Dispatch(const void * fdForLogging,
    nrv = gCertVerificationThreadPool->Dispatch(job, NS_DISPATCH_NORMAL);
  }
  if (NS_FAILED(nrv)) {
+    // We can't call SetCertVerificationResult here to change
+    // mCertVerificationState because SetCertVerificationResult will call
+    // libssl functions that acquire SSL locks that are already being held at
+    // this point. socketInfo->mCertVerificationState will be stuck at
+    // waiting_for_cert_verification here, but that is OK because we already
+    // have to be able to handle cases where we encounter non-cert errors while
+    // in that state.
    PRErrorCode error = nrv == NS_ERROR_OUT_OF_MEMORY
                      ? SEC_ERROR_NO_MEMORY
                      : PR_INVALID_STATE_ERROR;
-    socketInfo->SetCertVerificationResult(error, PlainErrorMessage);
    PORT_SetError(error);
    return SECFailure;
  }
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -967,6 +967,10 @@ nsNSSSocketInfo::SetCertVerificationWaiting()
  mCertVerificationStarted = PR_IntervalNow();
 }

+// Be careful that SetCertVerificationResult does NOT get called while we are
+// processing a SSL callback function, because SSL_AuthCertificateComplete will
+// attempt to acquire locks that are already held by libssl when it calls
+// callbacks.
 void
 nsNSSSocketInfo::SetCertVerificationResult(PRErrorCode errorCode,
                                           SSLErrorMessageType errorMessageType)