Bug 646460 - Don't allow to override after treating certificates as revoked, r=bsmith, a=dveditz
authorKai Engert <kaie@kuix.de>
Tue, 10 May 2011 22:11:14 +0200
changeset 27408 ce0dd43871e2f8e1868ecc39f48b701a2a597a2a
parent 27407 2acbfab37f69ff5afd758cb5c06e39a4c752cc16
child 27409 b5e3b71282de22ab2c4c2d4041d8bd1d3f1eb21b
push id2722
push userkaie@kuix.de
push dateTue, 10 May 2011 20:11:58 +0000
reviewersbsmith, dveditz
bugs646460
milestone1.9.1.20pre
Bug 646460 - Don't allow to override after treating certificates as revoked, r=bsmith, a=dveditz
security/manager/ssl/src/nsNSSIOLayer.cpp
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -3165,16 +3165,23 @@ cancel_and_failure(nsNSSSocketInfo* info
 {
   infoObject->SetCanceled(PR_TRUE);
   return SECFailure;
 }
 
 static SECStatus
 nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)
 {
+  // cert was revoked, don't do anything else
+  // Calling cancel_and_failure is not necessary, and would be wrong,
+  // [for errors other than the ones explicitly handled below,] 
+  // because it suppresses error reporting.
+  if (PR_GetError() == SEC_ERROR_REVOKED_CERTIFICATE)
+    return SECFailure;
+
   nsNSSShutDownPreventionLock locker;
   nsNSSSocketInfo* infoObject = (nsNSSSocketInfo *)arg;
   if (!infoObject)
     return SECFailure;
 
   if (nsSSLThread::exitRequested())
     return cancel_and_failure(infoObject);