Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(220)

Side by Side Diff: net/third_party/nss/ssl/sslsock.c

Issue 9733012: Update NSS to NSS 3.13.4 pre-release snapshot 20120319. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Forgot to update the sslerr.h and SSLerrs.h files Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 /* 1 /*
2 * vtables (and methods that call through them) for the 4 types of 2 * vtables (and methods that call through them) for the 4 types of
3 * SSLSockets supported. Only one type is still supported. 3 * SSLSockets supported. Only one type is still supported.
4 * Various other functions. 4 * Various other functions.
5 * 5 *
6 * ***** BEGIN LICENSE BLOCK ***** 6 * ***** BEGIN LICENSE BLOCK *****
7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
8 * 8 *
9 * The contents of this file are subject to the Mozilla Public License Version 9 * The contents of this file are subject to the Mozilla Public License Version
10 * 1.1 (the "License"); you may not use this file except in compliance with 10 * 1.1 (the "License"); you may not use this file except in compliance with
(...skipping 22 matching lines...) Expand all
33 * in which case the provisions of the GPL or the LGPL are applicable instead 33 * in which case the provisions of the GPL or the LGPL are applicable instead
34 * of those above. If you wish to allow use of your version of this file only 34 * of those above. If you wish to allow use of your version of this file only
35 * under the terms of either the GPL or the LGPL, and not to allow others to 35 * under the terms of either the GPL or the LGPL, and not to allow others to
36 * use your version of this file under the terms of the MPL, indicate your 36 * use your version of this file under the terms of the MPL, indicate your
37 * decision by deleting the provisions above and replace them with the notice 37 * decision by deleting the provisions above and replace them with the notice
38 * and other provisions required by the GPL or the LGPL. If you do not delete 38 * and other provisions required by the GPL or the LGPL. If you do not delete
39 * the provisions above, a recipient may use your version of this file under 39 * the provisions above, a recipient may use your version of this file under
40 * the terms of any one of the MPL, the GPL or the LGPL. 40 * the terms of any one of the MPL, the GPL or the LGPL.
41 * 41 *
42 * ***** END LICENSE BLOCK ***** */ 42 * ***** END LICENSE BLOCK ***** */
43 /* $Id: sslsock.c,v 1.82 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ 43 /* $Id: sslsock.c,v 1.86 2012/03/18 00:31:20 wtc%google.com Exp $ */
44 #include "seccomon.h" 44 #include "seccomon.h"
45 #include "cert.h" 45 #include "cert.h"
46 #include "keyhi.h" 46 #include "keyhi.h"
47 #include "ssl.h" 47 #include "ssl.h"
48 #include "sslimpl.h" 48 #include "sslimpl.h"
49 #include "sslproto.h" 49 #include "sslproto.h"
50 #include "nspr.h" 50 #include "nspr.h"
51 #include "private/pprio.h" 51 #include "private/pprio.h"
52 #include "blapi.h" 52 #include "blapi.h"
53 #include "nss.h" 53 #include "nss.h"
(...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after
164 */ 164 */
165 static sslOptions ssl_defaults = { 165 static sslOptions ssl_defaults = {
166 { siBuffer, NULL, 0 }, /* nextProtoNego */ 166 { siBuffer, NULL, 0 }, /* nextProtoNego */
167 PR_TRUE, /* useSecurity */ 167 PR_TRUE, /* useSecurity */
168 PR_FALSE, /* useSocks */ 168 PR_FALSE, /* useSocks */
169 PR_FALSE, /* requestCertificate */ 169 PR_FALSE, /* requestCertificate */
170 2, /* requireCertificate */ 170 2, /* requireCertificate */
171 PR_FALSE, /* handshakeAsClient */ 171 PR_FALSE, /* handshakeAsClient */
172 PR_FALSE, /* handshakeAsServer */ 172 PR_FALSE, /* handshakeAsServer */
173 PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ 173 PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */
174 PR_TRUE,» /* enableSSL3 */ 174 PR_FALSE,» /* unusedBit9 */
175 PR_TRUE, » /* enableTLS */ /* now defaults to on in NSS 3.0 */ 175 PR_FALSE, » /* unusedBit10 */
176 PR_FALSE, /* noCache */ 176 PR_FALSE, /* noCache */
177 PR_FALSE, /* fdx */ 177 PR_FALSE, /* fdx */
178 PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ 178 PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */
179 PR_TRUE, /* detectRollBack */ 179 PR_TRUE, /* detectRollBack */
180 PR_FALSE, /* noStepDown */ 180 PR_FALSE, /* noStepDown */
181 PR_FALSE, /* bypassPKCS11 */ 181 PR_FALSE, /* bypassPKCS11 */
182 PR_FALSE, /* noLocks */ 182 PR_FALSE, /* noLocks */
183 PR_FALSE, /* enableSessionTickets */ 183 PR_FALSE, /* enableSessionTickets */
184 PR_FALSE, /* enableDeflate */ 184 PR_FALSE, /* enableDeflate */
185 2, /* enableRenegotiation (default: requires extension) */ 185 2, /* enableRenegotiation (default: requires extension) */
186 PR_FALSE, /* requireSafeNegotiation */ 186 PR_FALSE, /* requireSafeNegotiation */
187 PR_FALSE, /* enableFalseStart */ 187 PR_FALSE, /* enableFalseStart */
188 PR_TRUE, /* cbcRandomIV */ 188 PR_TRUE, /* cbcRandomIV */
189 PR_FALSE, /* enableOCSPStapling */ 189 PR_FALSE, /* enableOCSPStapling */
190 PR_FALSE, /* enableOBCerts */ 190 PR_FALSE, /* enableOBCerts */
191 PR_FALSE, /* encryptClientCerts */ 191 PR_FALSE, /* encryptClientCerts */
192 }; 192 };
193 193
194 /*
195 * default range of enabled SSL/TLS protocols
196 */
197 static SSLVersionRange versions_defaults = {
198 SSL_LIBRARY_VERSION_3_0,
199 SSL_LIBRARY_VERSION_TLS_1_0
200 };
201
194 sslSessionIDLookupFunc ssl_sid_lookup; 202 sslSessionIDLookupFunc ssl_sid_lookup;
195 sslSessionIDCacheFunc ssl_sid_cache; 203 sslSessionIDCacheFunc ssl_sid_cache;
196 sslSessionIDUncacheFunc ssl_sid_uncache; 204 sslSessionIDUncacheFunc ssl_sid_uncache;
197 205
198 static PRBool ssl_inited = PR_FALSE; 206 static PRBool ssl_inited = PR_FALSE;
199 static PRDescIdentity ssl_layer_id; 207 static PRDescIdentity ssl_layer_id;
200 208
201 PRBool locksEverDisabled; /* implicitly PR_FALSE */ 209 PRBool locksEverDisabled; /* implicitly PR_FALSE */
202 PRBool ssl_force_locks; /* implicitly PR_FALSE */ 210 PRBool ssl_force_locks; /* implicitly PR_FALSE */
203 int ssl_lock_readers = 1; /* default true. */ 211 int ssl_lock_readers = 1; /* default true. */
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after
270 sslSocket * 278 sslSocket *
271 ssl_DupSocket(sslSocket *os) 279 ssl_DupSocket(sslSocket *os)
272 { 280 {
273 sslSocket *ss; 281 sslSocket *ss;
274 SECStatus rv; 282 SECStatus rv;
275 283
276 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks)); 284 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks));
277 if (ss) { 285 if (ss) {
278 ss->opt = os->opt; 286 ss->opt = os->opt;
279 ss->opt.useSocks = PR_FALSE; 287 ss->opt.useSocks = PR_FALSE;
288 ss->vrange = os->vrange;
280 289
281 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); 290 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID);
282 ss->url = !os->url ? NULL : PORT_Strdup(os->url); 291 ss->url = !os->url ? NULL : PORT_Strdup(os->url);
283 292
284 ss->ops = os->ops; 293 ss->ops = os->ops;
285 ss->rTimeout = os->rTimeout; 294 ss->rTimeout = os->rTimeout;
286 ss->wTimeout = os->wTimeout; 295 ss->wTimeout = os->wTimeout;
287 ss->cTimeout = os->cTimeout; 296 ss->cTimeout = os->cTimeout;
288 ss->dbHandle = os->dbHandle; 297 ss->dbHandle = os->dbHandle;
289 298
(...skipping 272 matching lines...) Expand 10 before | Expand all | Expand 10 after
562 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); 571 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
563 PORT_Assert(SECSuccess == rv); 572 PORT_Assert(SECSuccess == rv);
564 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE; 573 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE;
565 } 574 }
566 575
567 static PRStatus SSL_BypassSetup(void) 576 static PRStatus SSL_BypassSetup(void)
568 { 577 {
569 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); 578 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
570 } 579 }
571 580
581 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in
582 * ssl.h in the section "SSL version range setting API".
583 */
584 static void
585 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on)
586 {
587 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
588 if (on) {
589 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
590 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0;
591 } /* else don't change anything */
592 return;
593 }
594
595 if (on) {
596 /* Expand the range of enabled version to include TLS 1.0 */
597 vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
598 vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0);
599 } else {
600 /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */
601 if (vrange->min == SSL_LIBRARY_VERSION_3_0) {
602 vrange->max = SSL_LIBRARY_VERSION_3_0;
603 } else {
604 /* Only TLS was enabled, so now no versions are. */
605 vrange->min = SSL_LIBRARY_VERSION_NONE;
606 vrange->max = SSL_LIBRARY_VERSION_NONE;
607 }
608 }
609 }
610
611 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in
612 * ssl.h in the section "SSL version range setting API".
613 */
614 static void
615 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
616 {
617 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
618 if (on) {
619 vrange->min = SSL_LIBRARY_VERSION_3_0;
620 vrange->max = SSL_LIBRARY_VERSION_3_0;
621 } /* else don't change anything */
622 return;
623 }
624
625 if (on) {
626 /* Expand the range of enabled versions to include SSL 3.0. We know
627 * SSL 3.0 or some version of TLS is already enabled at this point, so
628 * we don't need to change vrange->max.
629 */
630 vrange->min = SSL_LIBRARY_VERSION_3_0;
631 } else {
632 /* Disable SSL 3.0, leaving TLS unaffected. */
633 if (vrange->max > SSL_LIBRARY_VERSION_3_0) {
634 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
635 } else {
636 /* Only SSL 3.0 was enabled, so now no versions are. */
637 vrange->min = SSL_LIBRARY_VERSION_NONE;
638 vrange->max = SSL_LIBRARY_VERSION_NONE;
639 }
640 }
641 }
642
572 SECStatus 643 SECStatus
573 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) 644 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
574 { 645 {
575 sslSocket *ss = ssl_FindSocket(fd); 646 sslSocket *ss = ssl_FindSocket(fd);
576 SECStatus rv = SECSuccess; 647 SECStatus rv = SECSuccess;
577 PRBool holdingLocks; 648 PRBool holdingLocks;
578 649
579 if (!ss) { 650 if (!ss) {
580 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); 651 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
581 return SECFailure; 652 return SECFailure;
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
620 case SSL_HANDSHAKE_AS_SERVER: 691 case SSL_HANDSHAKE_AS_SERVER:
621 if ( ss->opt.handshakeAsClient && on ) { 692 if ( ss->opt.handshakeAsClient && on ) {
622 PORT_SetError(SEC_ERROR_INVALID_ARGS); 693 PORT_SetError(SEC_ERROR_INVALID_ARGS);
623 rv = SECFailure; 694 rv = SECFailure;
624 break; 695 break;
625 } 696 }
626 ss->opt.handshakeAsServer = on; 697 ss->opt.handshakeAsServer = on;
627 break; 698 break;
628 699
629 case SSL_ENABLE_TLS: 700 case SSL_ENABLE_TLS:
630 » ss->opt.enableTLS = on; 701 » ssl_EnableTLS(&ss->vrange, on);
631 ss->preferredCipher = NULL; 702 ss->preferredCipher = NULL;
632 if (ss->cipherSpecs) { 703 if (ss->cipherSpecs) {
633 PORT_Free(ss->cipherSpecs); 704 PORT_Free(ss->cipherSpecs);
634 ss->cipherSpecs = NULL; 705 ss->cipherSpecs = NULL;
635 ss->sizeCipherSpecs = 0; 706 ss->sizeCipherSpecs = 0;
636 } 707 }
637 break; 708 break;
638 709
639 case SSL_ENABLE_SSL3: 710 case SSL_ENABLE_SSL3:
640 » ss->opt.enableSSL3 = on; 711 » ssl_EnableSSL3(&ss->vrange, on);
641 ss->preferredCipher = NULL; 712 ss->preferredCipher = NULL;
642 if (ss->cipherSpecs) { 713 if (ss->cipherSpecs) {
643 PORT_Free(ss->cipherSpecs); 714 PORT_Free(ss->cipherSpecs);
644 ss->cipherSpecs = NULL; 715 ss->cipherSpecs = NULL;
645 ss->sizeCipherSpecs = 0; 716 ss->sizeCipherSpecs = 0;
646 } 717 }
647 break; 718 break;
648 719
649 case SSL_ENABLE_SSL2: 720 case SSL_ENABLE_SSL2:
650 ss->opt.enableSSL2 = on; 721 ss->opt.enableSSL2 = on;
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after
798 ssl_Get1stHandshakeLock(ss); 869 ssl_Get1stHandshakeLock(ss);
799 ssl_GetSSL3HandshakeLock(ss); 870 ssl_GetSSL3HandshakeLock(ss);
800 871
801 switch (which) { 872 switch (which) {
802 case SSL_SOCKS: on = PR_FALSE; break; 873 case SSL_SOCKS: on = PR_FALSE; break;
803 case SSL_SECURITY: on = ss->opt.useSecurity; break; 874 case SSL_SECURITY: on = ss->opt.useSecurity; break;
804 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; 875 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
805 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; 876 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
806 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; 877 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break;
807 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; 878 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break;
808 case SSL_ENABLE_TLS: on = ss->opt.enableTLS; break; 879 case SSL_ENABLE_TLS:
809 case SSL_ENABLE_SSL3: on = ss->opt.enableSSL3; break; 880 » on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
881 » break;
882 case SSL_ENABLE_SSL3:
883 » on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
884 » break;
810 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; 885 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break;
811 case SSL_NO_CACHE: on = ss->opt.noCache; break; 886 case SSL_NO_CACHE: on = ss->opt.noCache; break;
812 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; 887 case SSL_ENABLE_FDX: on = ss->opt.fdx; break;
813 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; 888 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break;
814 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; 889 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break;
815 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; 890 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break;
816 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; 891 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break;
817 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; 892 case SSL_NO_LOCKS: on = ss->opt.noLocks; break;
818 case SSL_ENABLE_SESSION_TICKETS: 893 case SSL_ENABLE_SESSION_TICKETS:
819 on = ss->opt.enableSessionTickets; 894 on = ss->opt.enableSessionTickets;
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after
855 930
856 ssl_SetDefaultsFromEnvironment(); 931 ssl_SetDefaultsFromEnvironment();
857 932
858 switch (which) { 933 switch (which) {
859 case SSL_SOCKS: on = PR_FALSE; break; 934 case SSL_SOCKS: on = PR_FALSE; break;
860 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; 935 case SSL_SECURITY: on = ssl_defaults.useSecurity; break;
861 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; 936 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
862 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; 937 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
863 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; 938 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break;
864 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; 939 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break;
865 case SSL_ENABLE_TLS: on = ssl_defaults.enableTLS; break; 940 case SSL_ENABLE_TLS:
866 case SSL_ENABLE_SSL3: on = ssl_defaults.enableSSL3; break; 941 » on = versions_defaults.max >= SSL_LIBRARY_VERSION_TLS_1_0;
942 » break;
943 case SSL_ENABLE_SSL3:
944 » on = versions_defaults.min == SSL_LIBRARY_VERSION_3_0;
945 » break;
867 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; 946 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break;
868 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; 947 case SSL_NO_CACHE: on = ssl_defaults.noCache; break;
869 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; 948 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break;
870 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; 949 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break;
871 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; 950 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break;
872 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; 951 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break;
873 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; 952 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break;
874 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; 953 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break;
875 case SSL_ENABLE_SESSION_TICKETS: 954 case SSL_ENABLE_SESSION_TICKETS:
876 on = ssl_defaults.enableSessionTickets; 955 on = ssl_defaults.enableSessionTickets;
(...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after
948 1027
949 case SSL_HANDSHAKE_AS_SERVER: 1028 case SSL_HANDSHAKE_AS_SERVER:
950 if ( ssl_defaults.handshakeAsClient && on ) { 1029 if ( ssl_defaults.handshakeAsClient && on ) {
951 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1030 PORT_SetError(SEC_ERROR_INVALID_ARGS);
952 return SECFailure; 1031 return SECFailure;
953 } 1032 }
954 ssl_defaults.handshakeAsServer = on; 1033 ssl_defaults.handshakeAsServer = on;
955 break; 1034 break;
956 1035
957 case SSL_ENABLE_TLS: 1036 case SSL_ENABLE_TLS:
958 » ssl_defaults.enableTLS = on; 1037 » ssl_EnableTLS(&versions_defaults, on);
959 break; 1038 break;
960 1039
961 case SSL_ENABLE_SSL3: 1040 case SSL_ENABLE_SSL3:
962 » ssl_defaults.enableSSL3 = on; 1041 » ssl_EnableSSL3(&versions_defaults, on);
963 break; 1042 break;
964 1043
965 case SSL_ENABLE_SSL2: 1044 case SSL_ENABLE_SSL2:
966 ssl_defaults.enableSSL2 = on; 1045 ssl_defaults.enableSSL2 = on;
967 if (on) { 1046 if (on) {
968 ssl_defaults.v2CompatibleHello = on; 1047 ssl_defaults.v2CompatibleHello = on;
969 } 1048 }
970 break; 1049 break;
971 1050
972 case SSL_NO_CACHE: 1051 case SSL_NO_CACHE:
(...skipping 513 matching lines...) Expand 10 before | Expand all | Expand 10 after
1486 return NULL; 1565 return NULL;
1487 } 1566 }
1488 ss = ssl_FindSocket(fd); 1567 ss = ssl_FindSocket(fd);
1489 PORT_Assert(ss); 1568 PORT_Assert(ss);
1490 if (ss == NULL) { 1569 if (ss == NULL) {
1491 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1570 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1492 return NULL; 1571 return NULL;
1493 } 1572 }
1494 1573
1495 ss->opt = sm->opt; 1574 ss->opt = sm->opt;
1575 ss->vrange = sm->vrange;
1496 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); 1576 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites);
1497 1577
1498 if (!ss->opt.useSecurity) { 1578 if (!ss->opt.useSecurity) {
1499 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1579 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1500 return NULL; 1580 return NULL;
1501 } 1581 }
1502 /* This int should be SSLKEAType, but CC on Irix complains, 1582 /* This int should be SSLKEAType, but CC on Irix complains,
1503 * during the for loop. 1583 * during the for loop.
1504 */ 1584 */
1505 for (i=kt_null; i < kt_kea_size; i++) { 1585 for (i=kt_null; i < kt_kea_size; i++) {
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after
1576 if (sm->handshakeCallbackData) 1656 if (sm->handshakeCallbackData)
1577 ss->handshakeCallbackData = sm->handshakeCallbackData; 1657 ss->handshakeCallbackData = sm->handshakeCallbackData;
1578 if (sm->pkcs11PinArg) 1658 if (sm->pkcs11PinArg)
1579 ss->pkcs11PinArg = sm->pkcs11PinArg; 1659 ss->pkcs11PinArg = sm->pkcs11PinArg;
1580 return fd; 1660 return fd;
1581 loser: 1661 loser:
1582 return NULL; 1662 return NULL;
1583 #endif 1663 #endif
1584 } 1664 }
1585 1665
1666 PRBool
1667 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
1668 SSL3ProtocolVersion version)
1669 {
1670 return protocolVariant == ssl_variant_stream &&
1671 version >= SSL_LIBRARY_VERSION_3_0 &&
1672 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED;
1673 }
1674
1675 /* Returns PR_TRUE if the given version range is valid and
1676 ** fully supported; otherwise, returns PR_FALSE.
1677 */
1678 static PRBool
1679 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
1680 const SSLVersionRange *vrange)
1681 {
1682 return vrange &&
1683 vrange->min <= vrange->max &&
1684 ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
1685 ssl3_VersionIsSupported(protocolVariant, vrange->max);
1686 }
1687
1688 SECStatus
1689 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
1690 SSLVersionRange *vrange)
1691 {
1692 if (protocolVariant != ssl_variant_stream || !vrange) {
1693 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1694 return SECFailure;
1695 }
1696
1697 vrange->min = SSL_LIBRARY_VERSION_3_0;
1698 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
1699
1700 return SECSuccess;
1701 }
1702
1703 SECStatus
1704 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
1705 SSLVersionRange *vrange)
1706 {
1707 if (protocolVariant != ssl_variant_stream || !vrange) {
1708 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1709 return SECFailure;
1710 }
1711
1712 *vrange = versions_defaults;
1713
1714 return SECSuccess;
1715 }
1716
1717 SECStatus
1718 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
1719 const SSLVersionRange *vrange)
1720 {
1721 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) {
1722 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
1723 return SECFailure;
1724 }
1725
1726 versions_defaults = *vrange;
1727
1728 return SECSuccess;
1729 }
1730
1731 SECStatus
1732 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
1733 {
1734 sslSocket *ss = ssl_FindSocket(fd);
1735
1736 if (!ss) {
1737 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet",
1738 SSL_GETPID(), fd));
1739 return SECFailure;
1740 }
1741
1742 if (!vrange) {
1743 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1744 return SECFailure;
1745 }
1746
1747 ssl_Get1stHandshakeLock(ss);
1748 ssl_GetSSL3HandshakeLock(ss);
1749
1750 *vrange = ss->vrange;
1751
1752 ssl_ReleaseSSL3HandshakeLock(ss);
1753 ssl_Release1stHandshakeLock(ss);
1754
1755 return SECSuccess;
1756 }
1757
1758 SECStatus
1759 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
1760 {
1761 sslSocket *ss = ssl_FindSocket(fd);
1762
1763 if (!ss) {
1764 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet",
1765 SSL_GETPID(), fd));
1766 return SECFailure;
1767 }
1768
1769 if (!ssl3_VersionRangeIsValid(ssl_variant_stream, vrange)) {
1770 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
1771 return SECFailure;
1772 }
1773
1774 ssl_Get1stHandshakeLock(ss);
1775 ssl_GetSSL3HandshakeLock(ss);
1776
1777 ss->vrange = *vrange;
1778
1779 ssl_ReleaseSSL3HandshakeLock(ss);
1780 ssl_Release1stHandshakeLock(ss);
1781
1782 return SECSuccess;
1783 }
1784
1586 SECStatus 1785 SECStatus
1587 SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, 1786 SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data,
1588 unsigned int *len) { 1787 unsigned int *len) {
1589 sslSocket *ss = ssl_FindSocket(fd); 1788 sslSocket *ss = ssl_FindSocket(fd);
1590 1789
1591 if (!ss) { 1790 if (!ss) {
1592 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", 1791 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse",
1593 SSL_GETPID(), fd)); 1792 SSL_GETPID(), fd));
1594 return SECFailure; 1793 return SECFailure;
1595 } 1794 }
(...skipping 1049 matching lines...) Expand 10 before | Expand all | Expand 10 after
2645 if (ss) { 2844 if (ss) {
2646 /* This should be of type SSLKEAType, but CC on IRIX 2845 /* This should be of type SSLKEAType, but CC on IRIX
2647 * complains during the for loop. 2846 * complains during the for loop.
2648 */ 2847 */
2649 int i; 2848 int i;
2650 SECStatus status; 2849 SECStatus status;
2651 2850
2652 ss->opt = ssl_defaults; 2851 ss->opt = ssl_defaults;
2653 ss->opt.useSocks = PR_FALSE; 2852 ss->opt.useSocks = PR_FALSE;
2654 ss->opt.noLocks = !makeLocks; 2853 ss->opt.noLocks = !makeLocks;
2854 ss->vrange = versions_defaults;
2655 2855
2656 ss->peerID = NULL; 2856 ss->peerID = NULL;
2657 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; 2857 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
2658 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; 2858 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
2659 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; 2859 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT;
2660 ss->cipherSpecs = NULL; 2860 ss->cipherSpecs = NULL;
2661 ss->sizeCipherSpecs = 0; /* produced lazily */ 2861 ss->sizeCipherSpecs = 0; /* produced lazily */
2662 ss->preferredCipher = NULL; 2862 ss->preferredCipher = NULL;
2663 ss->url = NULL; 2863 ss->url = NULL;
2664 2864
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after
2704 loser: 2904 loser:
2705 ssl_DestroySocketContents(ss); 2905 ssl_DestroySocketContents(ss);
2706 ssl_DestroyLocks(ss); 2906 ssl_DestroyLocks(ss);
2707 PORT_Free(ss); 2907 PORT_Free(ss);
2708 ss = NULL; 2908 ss = NULL;
2709 } 2909 }
2710 } 2910 }
2711 return ss; 2911 return ss;
2712 } 2912 }
2713 2913
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698