| OLD | NEW |
| 1 /* | 1 /* |
| 2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
| 3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
| 4 * Various other functions. | 4 * Various other functions. |
| 5 * | 5 * |
| 6 * ***** BEGIN LICENSE BLOCK ***** | 6 * ***** BEGIN LICENSE BLOCK ***** |
| 7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 8 * | 8 * |
| 9 * The contents of this file are subject to the Mozilla Public License Version | 9 * The contents of this file are subject to the Mozilla Public License Version |
| 10 * 1.1 (the "License"); you may not use this file except in compliance with | 10 * 1.1 (the "License"); you may not use this file except in compliance with |
| (...skipping 22 matching lines...) Expand all Loading... |
| 33 * in which case the provisions of the GPL or the LGPL are applicable instead | 33 * in which case the provisions of the GPL or the LGPL are applicable instead |
| 34 * of those above. If you wish to allow use of your version of this file only | 34 * of those above. If you wish to allow use of your version of this file only |
| 35 * under the terms of either the GPL or the LGPL, and not to allow others to | 35 * under the terms of either the GPL or the LGPL, and not to allow others to |
| 36 * use your version of this file under the terms of the MPL, indicate your | 36 * use your version of this file under the terms of the MPL, indicate your |
| 37 * decision by deleting the provisions above and replace them with the notice | 37 * decision by deleting the provisions above and replace them with the notice |
| 38 * and other provisions required by the GPL or the LGPL. If you do not delete | 38 * and other provisions required by the GPL or the LGPL. If you do not delete |
| 39 * the provisions above, a recipient may use your version of this file under | 39 * the provisions above, a recipient may use your version of this file under |
| 40 * the terms of any one of the MPL, the GPL or the LGPL. | 40 * the terms of any one of the MPL, the GPL or the LGPL. |
| 41 * | 41 * |
| 42 * ***** END LICENSE BLOCK ***** */ | 42 * ***** END LICENSE BLOCK ***** */ |
| 43 /* $Id: sslsock.c,v 1.82 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ | 43 /* $Id: sslsock.c,v 1.86 2012/03/18 00:31:20 wtc%google.com Exp $ */ |
| 44 #include "seccomon.h" | 44 #include "seccomon.h" |
| 45 #include "cert.h" | 45 #include "cert.h" |
| 46 #include "keyhi.h" | 46 #include "keyhi.h" |
| 47 #include "ssl.h" | 47 #include "ssl.h" |
| 48 #include "sslimpl.h" | 48 #include "sslimpl.h" |
| 49 #include "sslproto.h" | 49 #include "sslproto.h" |
| 50 #include "nspr.h" | 50 #include "nspr.h" |
| 51 #include "private/pprio.h" | 51 #include "private/pprio.h" |
| 52 #include "blapi.h" | 52 #include "blapi.h" |
| 53 #include "nss.h" | 53 #include "nss.h" |
| (...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 164 */ | 164 */ |
| 165 static sslOptions ssl_defaults = { | 165 static sslOptions ssl_defaults = { |
| 166 { siBuffer, NULL, 0 }, /* nextProtoNego */ | 166 { siBuffer, NULL, 0 }, /* nextProtoNego */ |
| 167 PR_TRUE, /* useSecurity */ | 167 PR_TRUE, /* useSecurity */ |
| 168 PR_FALSE, /* useSocks */ | 168 PR_FALSE, /* useSocks */ |
| 169 PR_FALSE, /* requestCertificate */ | 169 PR_FALSE, /* requestCertificate */ |
| 170 2, /* requireCertificate */ | 170 2, /* requireCertificate */ |
| 171 PR_FALSE, /* handshakeAsClient */ | 171 PR_FALSE, /* handshakeAsClient */ |
| 172 PR_FALSE, /* handshakeAsServer */ | 172 PR_FALSE, /* handshakeAsServer */ |
| 173 PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ | 173 PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ |
| 174 PR_TRUE,» /* enableSSL3 */ | 174 PR_FALSE,» /* unusedBit9 */ |
| 175 PR_TRUE, » /* enableTLS */ /* now defaults to on in NSS 3.0 */ | 175 PR_FALSE, » /* unusedBit10 */ |
| 176 PR_FALSE, /* noCache */ | 176 PR_FALSE, /* noCache */ |
| 177 PR_FALSE, /* fdx */ | 177 PR_FALSE, /* fdx */ |
| 178 PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ | 178 PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ |
| 179 PR_TRUE, /* detectRollBack */ | 179 PR_TRUE, /* detectRollBack */ |
| 180 PR_FALSE, /* noStepDown */ | 180 PR_FALSE, /* noStepDown */ |
| 181 PR_FALSE, /* bypassPKCS11 */ | 181 PR_FALSE, /* bypassPKCS11 */ |
| 182 PR_FALSE, /* noLocks */ | 182 PR_FALSE, /* noLocks */ |
| 183 PR_FALSE, /* enableSessionTickets */ | 183 PR_FALSE, /* enableSessionTickets */ |
| 184 PR_FALSE, /* enableDeflate */ | 184 PR_FALSE, /* enableDeflate */ |
| 185 2, /* enableRenegotiation (default: requires extension) */ | 185 2, /* enableRenegotiation (default: requires extension) */ |
| 186 PR_FALSE, /* requireSafeNegotiation */ | 186 PR_FALSE, /* requireSafeNegotiation */ |
| 187 PR_FALSE, /* enableFalseStart */ | 187 PR_FALSE, /* enableFalseStart */ |
| 188 PR_TRUE, /* cbcRandomIV */ | 188 PR_TRUE, /* cbcRandomIV */ |
| 189 PR_FALSE, /* enableOCSPStapling */ | 189 PR_FALSE, /* enableOCSPStapling */ |
| 190 PR_FALSE, /* enableOBCerts */ | 190 PR_FALSE, /* enableOBCerts */ |
| 191 PR_FALSE, /* encryptClientCerts */ | 191 PR_FALSE, /* encryptClientCerts */ |
| 192 }; | 192 }; |
| 193 | 193 |
| 194 /* |
| 195 * default range of enabled SSL/TLS protocols |
| 196 */ |
| 197 static SSLVersionRange versions_defaults = { |
| 198 SSL_LIBRARY_VERSION_3_0, |
| 199 SSL_LIBRARY_VERSION_TLS_1_0 |
| 200 }; |
| 201 |
| 194 sslSessionIDLookupFunc ssl_sid_lookup; | 202 sslSessionIDLookupFunc ssl_sid_lookup; |
| 195 sslSessionIDCacheFunc ssl_sid_cache; | 203 sslSessionIDCacheFunc ssl_sid_cache; |
| 196 sslSessionIDUncacheFunc ssl_sid_uncache; | 204 sslSessionIDUncacheFunc ssl_sid_uncache; |
| 197 | 205 |
| 198 static PRBool ssl_inited = PR_FALSE; | 206 static PRBool ssl_inited = PR_FALSE; |
| 199 static PRDescIdentity ssl_layer_id; | 207 static PRDescIdentity ssl_layer_id; |
| 200 | 208 |
| 201 PRBool locksEverDisabled; /* implicitly PR_FALSE */ | 209 PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
| 202 PRBool ssl_force_locks; /* implicitly PR_FALSE */ | 210 PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
| 203 int ssl_lock_readers = 1; /* default true. */ | 211 int ssl_lock_readers = 1; /* default true. */ |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 270 sslSocket * | 278 sslSocket * |
| 271 ssl_DupSocket(sslSocket *os) | 279 ssl_DupSocket(sslSocket *os) |
| 272 { | 280 { |
| 273 sslSocket *ss; | 281 sslSocket *ss; |
| 274 SECStatus rv; | 282 SECStatus rv; |
| 275 | 283 |
| 276 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks)); | 284 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks)); |
| 277 if (ss) { | 285 if (ss) { |
| 278 ss->opt = os->opt; | 286 ss->opt = os->opt; |
| 279 ss->opt.useSocks = PR_FALSE; | 287 ss->opt.useSocks = PR_FALSE; |
| 288 ss->vrange = os->vrange; |
| 280 | 289 |
| 281 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); | 290 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
| 282 ss->url = !os->url ? NULL : PORT_Strdup(os->url); | 291 ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
| 283 | 292 |
| 284 ss->ops = os->ops; | 293 ss->ops = os->ops; |
| 285 ss->rTimeout = os->rTimeout; | 294 ss->rTimeout = os->rTimeout; |
| 286 ss->wTimeout = os->wTimeout; | 295 ss->wTimeout = os->wTimeout; |
| 287 ss->cTimeout = os->cTimeout; | 296 ss->cTimeout = os->cTimeout; |
| 288 ss->dbHandle = os->dbHandle; | 297 ss->dbHandle = os->dbHandle; |
| 289 | 298 |
| (...skipping 272 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 562 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); | 571 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); |
| 563 PORT_Assert(SECSuccess == rv); | 572 PORT_Assert(SECSuccess == rv); |
| 564 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE; | 573 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE; |
| 565 } | 574 } |
| 566 | 575 |
| 567 static PRStatus SSL_BypassSetup(void) | 576 static PRStatus SSL_BypassSetup(void) |
| 568 { | 577 { |
| 569 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); | 578 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); |
| 570 } | 579 } |
| 571 | 580 |
| 581 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in |
| 582 * ssl.h in the section "SSL version range setting API". |
| 583 */ |
| 584 static void |
| 585 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) |
| 586 { |
| 587 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
| 588 if (on) { |
| 589 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; |
| 590 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; |
| 591 } /* else don't change anything */ |
| 592 return; |
| 593 } |
| 594 |
| 595 if (on) { |
| 596 /* Expand the range of enabled version to include TLS 1.0 */ |
| 597 vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); |
| 598 vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0); |
| 599 } else { |
| 600 /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */ |
| 601 if (vrange->min == SSL_LIBRARY_VERSION_3_0) { |
| 602 vrange->max = SSL_LIBRARY_VERSION_3_0; |
| 603 } else { |
| 604 /* Only TLS was enabled, so now no versions are. */ |
| 605 vrange->min = SSL_LIBRARY_VERSION_NONE; |
| 606 vrange->max = SSL_LIBRARY_VERSION_NONE; |
| 607 } |
| 608 } |
| 609 } |
| 610 |
| 611 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in |
| 612 * ssl.h in the section "SSL version range setting API". |
| 613 */ |
| 614 static void |
| 615 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) |
| 616 { |
| 617 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
| 618 if (on) { |
| 619 vrange->min = SSL_LIBRARY_VERSION_3_0; |
| 620 vrange->max = SSL_LIBRARY_VERSION_3_0; |
| 621 } /* else don't change anything */ |
| 622 return; |
| 623 } |
| 624 |
| 625 if (on) { |
| 626 /* Expand the range of enabled versions to include SSL 3.0. We know |
| 627 * SSL 3.0 or some version of TLS is already enabled at this point, so |
| 628 * we don't need to change vrange->max. |
| 629 */ |
| 630 vrange->min = SSL_LIBRARY_VERSION_3_0; |
| 631 } else { |
| 632 /* Disable SSL 3.0, leaving TLS unaffected. */ |
| 633 if (vrange->max > SSL_LIBRARY_VERSION_3_0) { |
| 634 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); |
| 635 } else { |
| 636 /* Only SSL 3.0 was enabled, so now no versions are. */ |
| 637 vrange->min = SSL_LIBRARY_VERSION_NONE; |
| 638 vrange->max = SSL_LIBRARY_VERSION_NONE; |
| 639 } |
| 640 } |
| 641 } |
| 642 |
| 572 SECStatus | 643 SECStatus |
| 573 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) | 644 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
| 574 { | 645 { |
| 575 sslSocket *ss = ssl_FindSocket(fd); | 646 sslSocket *ss = ssl_FindSocket(fd); |
| 576 SECStatus rv = SECSuccess; | 647 SECStatus rv = SECSuccess; |
| 577 PRBool holdingLocks; | 648 PRBool holdingLocks; |
| 578 | 649 |
| 579 if (!ss) { | 650 if (!ss) { |
| 580 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); | 651 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
| 581 return SECFailure; | 652 return SECFailure; |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 620 case SSL_HANDSHAKE_AS_SERVER: | 691 case SSL_HANDSHAKE_AS_SERVER: |
| 621 if ( ss->opt.handshakeAsClient && on ) { | 692 if ( ss->opt.handshakeAsClient && on ) { |
| 622 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 693 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 623 rv = SECFailure; | 694 rv = SECFailure; |
| 624 break; | 695 break; |
| 625 } | 696 } |
| 626 ss->opt.handshakeAsServer = on; | 697 ss->opt.handshakeAsServer = on; |
| 627 break; | 698 break; |
| 628 | 699 |
| 629 case SSL_ENABLE_TLS: | 700 case SSL_ENABLE_TLS: |
| 630 » ss->opt.enableTLS = on; | 701 » ssl_EnableTLS(&ss->vrange, on); |
| 631 ss->preferredCipher = NULL; | 702 ss->preferredCipher = NULL; |
| 632 if (ss->cipherSpecs) { | 703 if (ss->cipherSpecs) { |
| 633 PORT_Free(ss->cipherSpecs); | 704 PORT_Free(ss->cipherSpecs); |
| 634 ss->cipherSpecs = NULL; | 705 ss->cipherSpecs = NULL; |
| 635 ss->sizeCipherSpecs = 0; | 706 ss->sizeCipherSpecs = 0; |
| 636 } | 707 } |
| 637 break; | 708 break; |
| 638 | 709 |
| 639 case SSL_ENABLE_SSL3: | 710 case SSL_ENABLE_SSL3: |
| 640 » ss->opt.enableSSL3 = on; | 711 » ssl_EnableSSL3(&ss->vrange, on); |
| 641 ss->preferredCipher = NULL; | 712 ss->preferredCipher = NULL; |
| 642 if (ss->cipherSpecs) { | 713 if (ss->cipherSpecs) { |
| 643 PORT_Free(ss->cipherSpecs); | 714 PORT_Free(ss->cipherSpecs); |
| 644 ss->cipherSpecs = NULL; | 715 ss->cipherSpecs = NULL; |
| 645 ss->sizeCipherSpecs = 0; | 716 ss->sizeCipherSpecs = 0; |
| 646 } | 717 } |
| 647 break; | 718 break; |
| 648 | 719 |
| 649 case SSL_ENABLE_SSL2: | 720 case SSL_ENABLE_SSL2: |
| 650 ss->opt.enableSSL2 = on; | 721 ss->opt.enableSSL2 = on; |
| (...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 798 ssl_Get1stHandshakeLock(ss); | 869 ssl_Get1stHandshakeLock(ss); |
| 799 ssl_GetSSL3HandshakeLock(ss); | 870 ssl_GetSSL3HandshakeLock(ss); |
| 800 | 871 |
| 801 switch (which) { | 872 switch (which) { |
| 802 case SSL_SOCKS: on = PR_FALSE; break; | 873 case SSL_SOCKS: on = PR_FALSE; break; |
| 803 case SSL_SECURITY: on = ss->opt.useSecurity; break; | 874 case SSL_SECURITY: on = ss->opt.useSecurity; break; |
| 804 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; | 875 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; |
| 805 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; | 876 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; |
| 806 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; | 877 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; |
| 807 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; | 878 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; |
| 808 case SSL_ENABLE_TLS: on = ss->opt.enableTLS; break; | 879 case SSL_ENABLE_TLS: |
| 809 case SSL_ENABLE_SSL3: on = ss->opt.enableSSL3; break; | 880 » on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
| 881 » break; |
| 882 case SSL_ENABLE_SSL3: |
| 883 » on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; |
| 884 » break; |
| 810 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; | 885 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; |
| 811 case SSL_NO_CACHE: on = ss->opt.noCache; break; | 886 case SSL_NO_CACHE: on = ss->opt.noCache; break; |
| 812 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; | 887 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; |
| 813 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; | 888 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; |
| 814 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; | 889 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; |
| 815 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; | 890 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; |
| 816 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; | 891 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; |
| 817 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; | 892 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; |
| 818 case SSL_ENABLE_SESSION_TICKETS: | 893 case SSL_ENABLE_SESSION_TICKETS: |
| 819 on = ss->opt.enableSessionTickets; | 894 on = ss->opt.enableSessionTickets; |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 855 | 930 |
| 856 ssl_SetDefaultsFromEnvironment(); | 931 ssl_SetDefaultsFromEnvironment(); |
| 857 | 932 |
| 858 switch (which) { | 933 switch (which) { |
| 859 case SSL_SOCKS: on = PR_FALSE; break; | 934 case SSL_SOCKS: on = PR_FALSE; break; |
| 860 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; | 935 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; |
| 861 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; | 936 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; |
| 862 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; | 937 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; |
| 863 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; | 938 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; |
| 864 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; | 939 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; |
| 865 case SSL_ENABLE_TLS: on = ssl_defaults.enableTLS; break; | 940 case SSL_ENABLE_TLS: |
| 866 case SSL_ENABLE_SSL3: on = ssl_defaults.enableSSL3; break; | 941 » on = versions_defaults.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
| 942 » break; |
| 943 case SSL_ENABLE_SSL3: |
| 944 » on = versions_defaults.min == SSL_LIBRARY_VERSION_3_0; |
| 945 » break; |
| 867 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; | 946 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; |
| 868 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; | 947 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; |
| 869 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; | 948 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; |
| 870 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; | 949 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; |
| 871 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; | 950 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; |
| 872 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; | 951 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; |
| 873 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; | 952 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; |
| 874 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; | 953 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; |
| 875 case SSL_ENABLE_SESSION_TICKETS: | 954 case SSL_ENABLE_SESSION_TICKETS: |
| 876 on = ssl_defaults.enableSessionTickets; | 955 on = ssl_defaults.enableSessionTickets; |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 948 | 1027 |
| 949 case SSL_HANDSHAKE_AS_SERVER: | 1028 case SSL_HANDSHAKE_AS_SERVER: |
| 950 if ( ssl_defaults.handshakeAsClient && on ) { | 1029 if ( ssl_defaults.handshakeAsClient && on ) { |
| 951 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1030 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 952 return SECFailure; | 1031 return SECFailure; |
| 953 } | 1032 } |
| 954 ssl_defaults.handshakeAsServer = on; | 1033 ssl_defaults.handshakeAsServer = on; |
| 955 break; | 1034 break; |
| 956 | 1035 |
| 957 case SSL_ENABLE_TLS: | 1036 case SSL_ENABLE_TLS: |
| 958 » ssl_defaults.enableTLS = on; | 1037 » ssl_EnableTLS(&versions_defaults, on); |
| 959 break; | 1038 break; |
| 960 | 1039 |
| 961 case SSL_ENABLE_SSL3: | 1040 case SSL_ENABLE_SSL3: |
| 962 » ssl_defaults.enableSSL3 = on; | 1041 » ssl_EnableSSL3(&versions_defaults, on); |
| 963 break; | 1042 break; |
| 964 | 1043 |
| 965 case SSL_ENABLE_SSL2: | 1044 case SSL_ENABLE_SSL2: |
| 966 ssl_defaults.enableSSL2 = on; | 1045 ssl_defaults.enableSSL2 = on; |
| 967 if (on) { | 1046 if (on) { |
| 968 ssl_defaults.v2CompatibleHello = on; | 1047 ssl_defaults.v2CompatibleHello = on; |
| 969 } | 1048 } |
| 970 break; | 1049 break; |
| 971 | 1050 |
| 972 case SSL_NO_CACHE: | 1051 case SSL_NO_CACHE: |
| (...skipping 513 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1486 return NULL; | 1565 return NULL; |
| 1487 } | 1566 } |
| 1488 ss = ssl_FindSocket(fd); | 1567 ss = ssl_FindSocket(fd); |
| 1489 PORT_Assert(ss); | 1568 PORT_Assert(ss); |
| 1490 if (ss == NULL) { | 1569 if (ss == NULL) { |
| 1491 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1570 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1492 return NULL; | 1571 return NULL; |
| 1493 } | 1572 } |
| 1494 | 1573 |
| 1495 ss->opt = sm->opt; | 1574 ss->opt = sm->opt; |
| 1575 ss->vrange = sm->vrange; |
| 1496 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); | 1576 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); |
| 1497 | 1577 |
| 1498 if (!ss->opt.useSecurity) { | 1578 if (!ss->opt.useSecurity) { |
| 1499 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1579 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1500 return NULL; | 1580 return NULL; |
| 1501 } | 1581 } |
| 1502 /* This int should be SSLKEAType, but CC on Irix complains, | 1582 /* This int should be SSLKEAType, but CC on Irix complains, |
| 1503 * during the for loop. | 1583 * during the for loop. |
| 1504 */ | 1584 */ |
| 1505 for (i=kt_null; i < kt_kea_size; i++) { | 1585 for (i=kt_null; i < kt_kea_size; i++) { |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1576 if (sm->handshakeCallbackData) | 1656 if (sm->handshakeCallbackData) |
| 1577 ss->handshakeCallbackData = sm->handshakeCallbackData; | 1657 ss->handshakeCallbackData = sm->handshakeCallbackData; |
| 1578 if (sm->pkcs11PinArg) | 1658 if (sm->pkcs11PinArg) |
| 1579 ss->pkcs11PinArg = sm->pkcs11PinArg; | 1659 ss->pkcs11PinArg = sm->pkcs11PinArg; |
| 1580 return fd; | 1660 return fd; |
| 1581 loser: | 1661 loser: |
| 1582 return NULL; | 1662 return NULL; |
| 1583 #endif | 1663 #endif |
| 1584 } | 1664 } |
| 1585 | 1665 |
| 1666 PRBool |
| 1667 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, |
| 1668 SSL3ProtocolVersion version) |
| 1669 { |
| 1670 return protocolVariant == ssl_variant_stream && |
| 1671 version >= SSL_LIBRARY_VERSION_3_0 && |
| 1672 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
| 1673 } |
| 1674 |
| 1675 /* Returns PR_TRUE if the given version range is valid and |
| 1676 ** fully supported; otherwise, returns PR_FALSE. |
| 1677 */ |
| 1678 static PRBool |
| 1679 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, |
| 1680 const SSLVersionRange *vrange) |
| 1681 { |
| 1682 return vrange && |
| 1683 vrange->min <= vrange->max && |
| 1684 ssl3_VersionIsSupported(protocolVariant, vrange->min) && |
| 1685 ssl3_VersionIsSupported(protocolVariant, vrange->max); |
| 1686 } |
| 1687 |
| 1688 SECStatus |
| 1689 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, |
| 1690 SSLVersionRange *vrange) |
| 1691 { |
| 1692 if (protocolVariant != ssl_variant_stream || !vrange) { |
| 1693 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1694 return SECFailure; |
| 1695 } |
| 1696 |
| 1697 vrange->min = SSL_LIBRARY_VERSION_3_0; |
| 1698 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
| 1699 |
| 1700 return SECSuccess; |
| 1701 } |
| 1702 |
| 1703 SECStatus |
| 1704 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, |
| 1705 SSLVersionRange *vrange) |
| 1706 { |
| 1707 if (protocolVariant != ssl_variant_stream || !vrange) { |
| 1708 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1709 return SECFailure; |
| 1710 } |
| 1711 |
| 1712 *vrange = versions_defaults; |
| 1713 |
| 1714 return SECSuccess; |
| 1715 } |
| 1716 |
| 1717 SECStatus |
| 1718 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, |
| 1719 const SSLVersionRange *vrange) |
| 1720 { |
| 1721 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { |
| 1722 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1723 return SECFailure; |
| 1724 } |
| 1725 |
| 1726 versions_defaults = *vrange; |
| 1727 |
| 1728 return SECSuccess; |
| 1729 } |
| 1730 |
| 1731 SECStatus |
| 1732 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) |
| 1733 { |
| 1734 sslSocket *ss = ssl_FindSocket(fd); |
| 1735 |
| 1736 if (!ss) { |
| 1737 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet", |
| 1738 SSL_GETPID(), fd)); |
| 1739 return SECFailure; |
| 1740 } |
| 1741 |
| 1742 if (!vrange) { |
| 1743 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1744 return SECFailure; |
| 1745 } |
| 1746 |
| 1747 ssl_Get1stHandshakeLock(ss); |
| 1748 ssl_GetSSL3HandshakeLock(ss); |
| 1749 |
| 1750 *vrange = ss->vrange; |
| 1751 |
| 1752 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1753 ssl_Release1stHandshakeLock(ss); |
| 1754 |
| 1755 return SECSuccess; |
| 1756 } |
| 1757 |
| 1758 SECStatus |
| 1759 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
| 1760 { |
| 1761 sslSocket *ss = ssl_FindSocket(fd); |
| 1762 |
| 1763 if (!ss) { |
| 1764 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", |
| 1765 SSL_GETPID(), fd)); |
| 1766 return SECFailure; |
| 1767 } |
| 1768 |
| 1769 if (!ssl3_VersionRangeIsValid(ssl_variant_stream, vrange)) { |
| 1770 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1771 return SECFailure; |
| 1772 } |
| 1773 |
| 1774 ssl_Get1stHandshakeLock(ss); |
| 1775 ssl_GetSSL3HandshakeLock(ss); |
| 1776 |
| 1777 ss->vrange = *vrange; |
| 1778 |
| 1779 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1780 ssl_Release1stHandshakeLock(ss); |
| 1781 |
| 1782 return SECSuccess; |
| 1783 } |
| 1784 |
| 1586 SECStatus | 1785 SECStatus |
| 1587 SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, | 1786 SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, |
| 1588 unsigned int *len) { | 1787 unsigned int *len) { |
| 1589 sslSocket *ss = ssl_FindSocket(fd); | 1788 sslSocket *ss = ssl_FindSocket(fd); |
| 1590 | 1789 |
| 1591 if (!ss) { | 1790 if (!ss) { |
| 1592 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", | 1791 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", |
| 1593 SSL_GETPID(), fd)); | 1792 SSL_GETPID(), fd)); |
| 1594 return SECFailure; | 1793 return SECFailure; |
| 1595 } | 1794 } |
| (...skipping 1049 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2645 if (ss) { | 2844 if (ss) { |
| 2646 /* This should be of type SSLKEAType, but CC on IRIX | 2845 /* This should be of type SSLKEAType, but CC on IRIX |
| 2647 * complains during the for loop. | 2846 * complains during the for loop. |
| 2648 */ | 2847 */ |
| 2649 int i; | 2848 int i; |
| 2650 SECStatus status; | 2849 SECStatus status; |
| 2651 | 2850 |
| 2652 ss->opt = ssl_defaults; | 2851 ss->opt = ssl_defaults; |
| 2653 ss->opt.useSocks = PR_FALSE; | 2852 ss->opt.useSocks = PR_FALSE; |
| 2654 ss->opt.noLocks = !makeLocks; | 2853 ss->opt.noLocks = !makeLocks; |
| 2854 ss->vrange = versions_defaults; |
| 2655 | 2855 |
| 2656 ss->peerID = NULL; | 2856 ss->peerID = NULL; |
| 2657 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 2857 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 2658 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 2858 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 2659 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; | 2859 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 2660 ss->cipherSpecs = NULL; | 2860 ss->cipherSpecs = NULL; |
| 2661 ss->sizeCipherSpecs = 0; /* produced lazily */ | 2861 ss->sizeCipherSpecs = 0; /* produced lazily */ |
| 2662 ss->preferredCipher = NULL; | 2862 ss->preferredCipher = NULL; |
| 2663 ss->url = NULL; | 2863 ss->url = NULL; |
| 2664 | 2864 |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2704 loser: | 2904 loser: |
| 2705 ssl_DestroySocketContents(ss); | 2905 ssl_DestroySocketContents(ss); |
| 2706 ssl_DestroyLocks(ss); | 2906 ssl_DestroyLocks(ss); |
| 2707 PORT_Free(ss); | 2907 PORT_Free(ss); |
| 2708 ss = NULL; | 2908 ss = NULL; |
| 2709 } | 2909 } |
| 2710 } | 2910 } |
| 2711 return ss; | 2911 return ss; |
| 2712 } | 2912 } |
| 2713 | 2913 |
| OLD | NEW |