OLD | NEW |
---|---|
1 /* | 1 /* |
2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
4 * Various other functions. | 4 * Various other functions. |
5 * | 5 * |
6 * ***** BEGIN LICENSE BLOCK ***** | 6 * ***** BEGIN LICENSE BLOCK ***** |
7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
8 * | 8 * |
9 * The contents of this file are subject to the Mozilla Public License Version | 9 * The contents of this file are subject to the Mozilla Public License Version |
10 * 1.1 (the "License"); you may not use this file except in compliance with | 10 * 1.1 (the "License"); you may not use this file except in compliance with |
(...skipping 176 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
187 PR_FALSE, /* enableFalseStart */ | 187 PR_FALSE, /* enableFalseStart */ |
188 PR_TRUE, /* cbcRandomIV */ | 188 PR_TRUE, /* cbcRandomIV */ |
189 PR_FALSE, /* enableOCSPStapling */ | 189 PR_FALSE, /* enableOCSPStapling */ |
190 PR_FALSE, /* enableOBCerts */ | 190 PR_FALSE, /* enableOBCerts */ |
191 PR_FALSE, /* encryptClientCerts */ | 191 PR_FALSE, /* encryptClientCerts */ |
192 }; | 192 }; |
193 | 193 |
194 /* | 194 /* |
195 * default range of enabled SSL/TLS protocols | 195 * default range of enabled SSL/TLS protocols |
196 */ | 196 */ |
197 static SSLVersionRange versions_defaults = { | 197 static SSLVersionRange versions_defaults_stream = { |
198 SSL_LIBRARY_VERSION_3_0, | 198 SSL_LIBRARY_VERSION_3_0, |
199 SSL_LIBRARY_VERSION_TLS_1_0 | 199 SSL_LIBRARY_VERSION_TLS_1_0 |
200 }; | 200 }; |
201 | 201 |
202 static SSLVersionRange versions_defaults_datagram = { | |
203 SSL_LIBRARY_VERSION_TLS_1_1, | |
204 SSL_LIBRARY_VERSION_TLS_1_1 | |
205 }; | |
206 | |
207 #define VERSIONS_DEFAULTS(variant) (variant == ssl_variant_stream ? &versions_de faults_stream : &versions_defaults_datagram) | |
208 | |
202 sslSessionIDLookupFunc ssl_sid_lookup; | 209 sslSessionIDLookupFunc ssl_sid_lookup; |
203 sslSessionIDCacheFunc ssl_sid_cache; | 210 sslSessionIDCacheFunc ssl_sid_cache; |
204 sslSessionIDUncacheFunc ssl_sid_uncache; | 211 sslSessionIDUncacheFunc ssl_sid_uncache; |
205 | 212 |
206 static PRBool ssl_inited = PR_FALSE; | 213 static PRBool ssl_inited = PR_FALSE; |
207 static PRDescIdentity ssl_layer_id; | 214 static PRDescIdentity ssl_layer_id; |
208 | 215 |
209 PRBool locksEverDisabled; /* implicitly PR_FALSE */ | 216 PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
210 PRBool ssl_force_locks; /* implicitly PR_FALSE */ | 217 PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
211 int ssl_lock_readers = 1; /* default true. */ | 218 int ssl_lock_readers = 1; /* default true. */ |
212 char ssl_debug; | 219 char ssl_debug; |
213 char ssl_trace; | 220 char ssl_trace; |
214 FILE * ssl_trace_iob; | 221 FILE * ssl_trace_iob; |
215 FILE * ssl_keylog_iob; | 222 FILE * ssl_keylog_iob; |
216 char lockStatus[] = "Locks are ENABLED. "; | 223 char lockStatus[] = "Locks are ENABLED. "; |
217 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ | 224 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ |
218 | 225 |
219 /* forward declarations. */ | 226 /* forward declarations. */ |
220 static sslSocket *ssl_NewSocket(PRBool makeLocks); | 227 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); |
221 static SECStatus ssl_MakeLocks(sslSocket *ss); | 228 static SECStatus ssl_MakeLocks(sslSocket *ss); |
222 static void ssl_SetDefaultsFromEnvironment(void); | 229 static void ssl_SetDefaultsFromEnvironment(void); |
223 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, | 230 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, |
224 PRDescIdentity id); | 231 PRDescIdentity id); |
225 | 232 |
226 /************************************************************************/ | 233 /************************************************************************/ |
227 | 234 |
228 /* | 235 /* |
229 ** Lookup a socket structure from a file descriptor. | 236 ** Lookup a socket structure from a file descriptor. |
230 ** Only functions called through the PRIOMethods table should use this. | 237 ** Only functions called through the PRIOMethods table should use this. |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
274 ss->fd = layer; | 281 ss->fd = layer; |
275 return ss; | 282 return ss; |
276 } | 283 } |
277 | 284 |
278 sslSocket * | 285 sslSocket * |
279 ssl_DupSocket(sslSocket *os) | 286 ssl_DupSocket(sslSocket *os) |
280 { | 287 { |
281 sslSocket *ss; | 288 sslSocket *ss; |
282 SECStatus rv; | 289 SECStatus rv; |
283 | 290 |
284 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks)); | 291 /* Not implemented for datagram */ |
292 PORT_Assert(os->protocolVariant == ssl_variant_stream); | |
293 | |
294 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); | |
285 if (ss) { | 295 if (ss) { |
286 ss->opt = os->opt; | 296 ss->opt = os->opt; |
287 ss->opt.useSocks = PR_FALSE; | 297 ss->opt.useSocks = PR_FALSE; |
288 ss->vrange = os->vrange; | 298 ss->vrange = os->vrange; |
289 | 299 |
290 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); | 300 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
291 ss->url = !os->url ? NULL : PORT_Strdup(os->url); | 301 ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
292 | 302 |
293 ss->ops = os->ops; | 303 ss->ops = os->ops; |
294 ss->rTimeout = os->rTimeout; | 304 ss->rTimeout = os->rTimeout; |
(...skipping 396 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
691 case SSL_HANDSHAKE_AS_SERVER: | 701 case SSL_HANDSHAKE_AS_SERVER: |
692 if ( ss->opt.handshakeAsClient && on ) { | 702 if ( ss->opt.handshakeAsClient && on ) { |
693 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 703 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
694 rv = SECFailure; | 704 rv = SECFailure; |
695 break; | 705 break; |
696 } | 706 } |
697 ss->opt.handshakeAsServer = on; | 707 ss->opt.handshakeAsServer = on; |
698 break; | 708 break; |
699 | 709 |
700 case SSL_ENABLE_TLS: | 710 case SSL_ENABLE_TLS: |
711 if (IS_DTLS(ss)) { | |
712 if (on) { | |
713 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
714 rv = SECFailure; /* not allowed */ | |
715 } | |
716 else { | |
717 rv = SECSuccess; /* no-op */ | |
718 } | |
719 break; | |
720 } | |
701 ssl_EnableTLS(&ss->vrange, on); | 721 ssl_EnableTLS(&ss->vrange, on); |
702 ss->preferredCipher = NULL; | 722 ss->preferredCipher = NULL; |
703 if (ss->cipherSpecs) { | 723 if (ss->cipherSpecs) { |
704 PORT_Free(ss->cipherSpecs); | 724 PORT_Free(ss->cipherSpecs); |
705 ss->cipherSpecs = NULL; | 725 ss->cipherSpecs = NULL; |
706 ss->sizeCipherSpecs = 0; | 726 ss->sizeCipherSpecs = 0; |
707 } | 727 } |
708 break; | 728 break; |
709 | 729 |
710 case SSL_ENABLE_SSL3: | 730 case SSL_ENABLE_SSL3: |
731 if (IS_DTLS(ss)) { | |
732 if (on) { | |
733 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
734 rv = SECFailure; /* not allowed */ | |
735 } | |
736 else { | |
737 rv = SECSuccess; /* no-op */ | |
738 } | |
739 break; | |
740 } | |
711 ssl_EnableSSL3(&ss->vrange, on); | 741 ssl_EnableSSL3(&ss->vrange, on); |
712 ss->preferredCipher = NULL; | 742 ss->preferredCipher = NULL; |
713 if (ss->cipherSpecs) { | 743 if (ss->cipherSpecs) { |
714 PORT_Free(ss->cipherSpecs); | 744 PORT_Free(ss->cipherSpecs); |
715 ss->cipherSpecs = NULL; | 745 ss->cipherSpecs = NULL; |
716 ss->sizeCipherSpecs = 0; | 746 ss->sizeCipherSpecs = 0; |
717 } | 747 } |
718 break; | 748 break; |
719 | |
720 case SSL_ENABLE_SSL2: | 749 case SSL_ENABLE_SSL2: |
750 if (IS_DTLS(ss)) { | |
751 if (on) { | |
752 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
753 rv = SECFailure; /* not allowed */ | |
754 } | |
755 else { | |
756 rv = SECSuccess; /* no-op */ | |
757 } | |
758 break; | |
759 } | |
721 ss->opt.enableSSL2 = on; | 760 ss->opt.enableSSL2 = on; |
722 if (on) { | 761 if (on) { |
723 ss->opt.v2CompatibleHello = on; | 762 ss->opt.v2CompatibleHello = on; |
724 } | 763 } |
725 ss->preferredCipher = NULL; | 764 ss->preferredCipher = NULL; |
726 if (ss->cipherSpecs) { | 765 if (ss->cipherSpecs) { |
727 PORT_Free(ss->cipherSpecs); | 766 PORT_Free(ss->cipherSpecs); |
728 ss->cipherSpecs = NULL; | 767 ss->cipherSpecs = NULL; |
729 ss->sizeCipherSpecs = 0; | 768 ss->sizeCipherSpecs = 0; |
730 } | 769 } |
731 break; | 770 break; |
732 | 771 |
733 case SSL_NO_CACHE: | 772 case SSL_NO_CACHE: |
734 ss->opt.noCache = on; | 773 ss->opt.noCache = on; |
735 break; | 774 break; |
736 | 775 |
737 case SSL_ENABLE_FDX: | 776 case SSL_ENABLE_FDX: |
738 if (on && ss->opt.noLocks) { | 777 if (on && ss->opt.noLocks) { |
739 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 778 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
740 rv = SECFailure; | 779 rv = SECFailure; |
741 } | 780 } |
742 ss->opt.fdx = on; | 781 ss->opt.fdx = on; |
743 break; | 782 break; |
744 | 783 |
745 case SSL_V2_COMPATIBLE_HELLO: | 784 case SSL_V2_COMPATIBLE_HELLO: |
785 if (IS_DTLS(ss)) { | |
786 if (on) { | |
787 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
788 rv = SECFailure; /* not allowed */ | |
789 } | |
790 else { | |
791 rv = SECSuccess; /* no-op */ | |
792 } | |
793 break; | |
794 } | |
746 ss->opt.v2CompatibleHello = on; | 795 ss->opt.v2CompatibleHello = on; |
747 if (!on) { | 796 if (!on) { |
748 ss->opt.enableSSL2 = on; | 797 ss->opt.enableSSL2 = on; |
749 } | 798 } |
750 break; | 799 break; |
751 | 800 |
752 case SSL_ROLLBACK_DETECTION: | 801 case SSL_ROLLBACK_DETECTION: |
753 ss->opt.detectRollBack = on; | 802 ss->opt.detectRollBack = on; |
754 break; | 803 break; |
755 | 804 |
(...skipping 175 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
931 ssl_SetDefaultsFromEnvironment(); | 980 ssl_SetDefaultsFromEnvironment(); |
932 | 981 |
933 switch (which) { | 982 switch (which) { |
934 case SSL_SOCKS: on = PR_FALSE; break; | 983 case SSL_SOCKS: on = PR_FALSE; break; |
935 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; | 984 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; |
936 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; | 985 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; |
937 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; | 986 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; |
938 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; | 987 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; |
939 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; | 988 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; |
940 case SSL_ENABLE_TLS: | 989 case SSL_ENABLE_TLS: |
941 » on = versions_defaults.max >= SSL_LIBRARY_VERSION_TLS_1_0; | 990 » on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
942 break; | 991 break; |
943 case SSL_ENABLE_SSL3: | 992 case SSL_ENABLE_SSL3: |
944 » on = versions_defaults.min == SSL_LIBRARY_VERSION_3_0; | 993 » on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; |
945 break; | 994 break; |
946 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; | 995 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; |
947 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; | 996 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; |
948 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; | 997 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; |
949 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; | 998 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; |
950 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; | 999 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; |
951 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; | 1000 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; |
952 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; | 1001 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; |
953 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; | 1002 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; |
954 case SSL_ENABLE_SESSION_TICKETS: | 1003 case SSL_ENABLE_SESSION_TICKETS: |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1027 | 1076 |
1028 case SSL_HANDSHAKE_AS_SERVER: | 1077 case SSL_HANDSHAKE_AS_SERVER: |
1029 if ( ssl_defaults.handshakeAsClient && on ) { | 1078 if ( ssl_defaults.handshakeAsClient && on ) { |
1030 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1079 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1031 return SECFailure; | 1080 return SECFailure; |
1032 } | 1081 } |
1033 ssl_defaults.handshakeAsServer = on; | 1082 ssl_defaults.handshakeAsServer = on; |
1034 break; | 1083 break; |
1035 | 1084 |
1036 case SSL_ENABLE_TLS: | 1085 case SSL_ENABLE_TLS: |
1037 » ssl_EnableTLS(&versions_defaults, on); | 1086 » ssl_EnableTLS(&versions_defaults_stream, on); |
1038 break; | 1087 break; |
1039 | 1088 |
1040 case SSL_ENABLE_SSL3: | 1089 case SSL_ENABLE_SSL3: |
1041 » ssl_EnableSSL3(&versions_defaults, on); | 1090 » ssl_EnableSSL3(&versions_defaults_stream, on); |
1042 break; | 1091 break; |
1043 | 1092 |
1044 case SSL_ENABLE_SSL2: | 1093 case SSL_ENABLE_SSL2: |
1045 ssl_defaults.enableSSL2 = on; | 1094 ssl_defaults.enableSSL2 = on; |
1046 if (on) { | 1095 if (on) { |
1047 ssl_defaults.v2CompatibleHello = on; | 1096 ssl_defaults.v2CompatibleHello = on; |
1048 } | 1097 } |
1049 break; | 1098 break; |
1050 | 1099 |
1051 case SSL_NO_CACHE: | 1100 case SSL_NO_CACHE: |
(...skipping 302 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1354 SECStatus | 1403 SECStatus |
1355 NSS_SetFrancePolicy(void) | 1404 NSS_SetFrancePolicy(void) |
1356 { | 1405 { |
1357 return NSS_SetDomesticPolicy(); | 1406 return NSS_SetDomesticPolicy(); |
1358 } | 1407 } |
1359 | 1408 |
1360 | 1409 |
1361 | 1410 |
1362 /* LOCKS ??? XXX */ | 1411 /* LOCKS ??? XXX */ |
1363 PRFileDesc * | 1412 PRFileDesc * |
1364 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) | 1413 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) |
1365 { | 1414 { |
1366 sslSocket * ns = NULL; | 1415 sslSocket * ns = NULL; |
1367 PRStatus rv; | 1416 PRStatus rv; |
1368 PRNetAddr addr; | 1417 PRNetAddr addr; |
1369 SECStatus status = ssl_Init(); | 1418 SECStatus status = ssl_Init(); |
1370 | 1419 |
1371 if (status != SECSuccess) { | 1420 if (status != SECSuccess) { |
1372 return NULL; | 1421 return NULL; |
1373 } | 1422 } |
1374 | 1423 |
1375 if (model == NULL) { | 1424 if (model == NULL) { |
1376 /* Just create a default socket if we're given NULL for the model */ | 1425 /* Just create a default socket if we're given NULL for the model */ |
1377 » ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks)); | 1426 » ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); |
1378 } else { | 1427 } else { |
1379 sslSocket * ss = ssl_FindSocket(model); | 1428 sslSocket * ss = ssl_FindSocket(model); |
1380 » if (ss == NULL) { | 1429 » if (ss == NULL || ss->protocolVariant != variant) { |
1381 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", | 1430 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", |
1382 SSL_GETPID(), model)); | 1431 SSL_GETPID(), model)); |
1383 return NULL; | 1432 return NULL; |
1384 } | 1433 } |
1385 ns = ssl_DupSocket(ss); | 1434 ns = ssl_DupSocket(ss); |
1386 } | 1435 } |
1387 if (ns == NULL) | 1436 if (ns == NULL) |
1388 return NULL; | 1437 return NULL; |
1389 | 1438 |
1390 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); | 1439 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); |
1391 if (rv != PR_SUCCESS) { | 1440 if (rv != PR_SUCCESS) { |
1392 ssl_FreeSocket(ns); | 1441 ssl_FreeSocket(ns); |
1393 SET_ERROR_CODE | 1442 SET_ERROR_CODE |
1394 return NULL; | 1443 return NULL; |
1395 } | 1444 } |
1396 #ifdef _WIN32 | 1445 #ifdef _WIN32 |
1397 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */ | 1446 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */ |
1398 #endif | 1447 #endif |
1399 ns = ssl_FindSocket(fd); | 1448 ns = ssl_FindSocket(fd); |
1400 PORT_Assert(ns); | 1449 PORT_Assert(ns); |
1401 if (ns) | 1450 if (ns) |
1402 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); | 1451 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); |
1452 | |
1403 return fd; | 1453 return fd; |
1404 } | 1454 } |
1405 | 1455 |
1456 PRFileDesc * | |
1457 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) | |
1458 { | |
1459 return ssl_ImportFD(model, fd, ssl_variant_stream); | |
1460 } | |
1461 | |
1462 PRFileDesc * | |
1463 DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd) | |
1464 { | |
1465 return ssl_ImportFD(model, fd, ssl_variant_datagram); | |
1466 } | |
1467 | |
1406 SECStatus | 1468 SECStatus |
1407 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, | 1469 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, |
1408 void *arg) | 1470 void *arg) |
1409 { | 1471 { |
1410 sslSocket *ss = ssl_FindSocket(fd); | 1472 sslSocket *ss = ssl_FindSocket(fd); |
1411 | 1473 |
1412 if (!ss) { | 1474 if (!ss) { |
1413 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETP ID(), | 1475 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETP ID(), |
1414 fd)); | 1476 fd)); |
1415 return SECFailure; | 1477 return SECFailure; |
(...skipping 244 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1660 return fd; | 1722 return fd; |
1661 loser: | 1723 loser: |
1662 return NULL; | 1724 return NULL; |
1663 #endif | 1725 #endif |
1664 } | 1726 } |
1665 | 1727 |
1666 PRBool | 1728 PRBool |
1667 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, | 1729 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, |
1668 SSL3ProtocolVersion version) | 1730 SSL3ProtocolVersion version) |
1669 { | 1731 { |
1670 return protocolVariant == ssl_variant_stream && | 1732 switch(protocolVariant) { |
1671 » version >= SSL_LIBRARY_VERSION_3_0 && | 1733 case ssl_variant_stream: |
1672 » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED; | 1734 » return(version >= SSL_LIBRARY_VERSION_3_0 && |
1735 » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); | |
1736 » break; /* Belt and suspenders */ | |
ekr
2012/03/26 21:49:18
I guess this is house style, but I've gotten very
| |
1737 case ssl_variant_datagram: | |
1738 » return(version >= SSL_LIBRARY_VERSION_TLS_1_1 && | |
1739 » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); | |
1740 » break; /* Belt and suspenders */ | |
1741 } | |
1742 | |
1743 /* Can't get here */ | |
1744 PORT_Assert(PR_FALSE); | |
1745 return PR_FALSE; | |
1673 } | 1746 } |
1674 | 1747 |
1675 /* Returns PR_TRUE if the given version range is valid and | 1748 /* Returns PR_TRUE if the given version range is valid and |
1676 ** fully supported; otherwise, returns PR_FALSE. | 1749 ** fully supported; otherwise, returns PR_FALSE. |
1677 */ | 1750 */ |
1678 static PRBool | 1751 static PRBool |
1679 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, | 1752 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, |
1680 const SSLVersionRange *vrange) | 1753 const SSLVersionRange *vrange) |
1681 { | 1754 { |
1682 return vrange && | 1755 return vrange && |
1683 vrange->min <= vrange->max && | 1756 vrange->min <= vrange->max && |
1684 ssl3_VersionIsSupported(protocolVariant, vrange->min) && | 1757 ssl3_VersionIsSupported(protocolVariant, vrange->min) && |
1685 ssl3_VersionIsSupported(protocolVariant, vrange->max); | 1758 ssl3_VersionIsSupported(protocolVariant, vrange->max); |
1686 } | 1759 } |
1687 | 1760 |
1688 SECStatus | 1761 SECStatus |
1689 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, | 1762 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, |
1690 SSLVersionRange *vrange) | 1763 SSLVersionRange *vrange) |
1691 { | 1764 { |
1692 if (protocolVariant != ssl_variant_stream || !vrange) { | 1765 switch(protocolVariant) { |
1693 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1766 case ssl_variant_stream: |
1767 » vrange->min = SSL_LIBRARY_VERSION_3_0; | |
1768 » vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | |
1769 » break; | |
1770 case ssl_variant_datagram: | |
1771 » vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; | |
1772 » vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | |
1773 » break; | |
1774 default: | |
1775 » /* Can't get here */ | |
1776 » PORT_Assert(PR_FALSE); | |
1694 return SECFailure; | 1777 return SECFailure; |
1695 } | 1778 } |
1696 | 1779 |
1697 vrange->min = SSL_LIBRARY_VERSION_3_0; | |
1698 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | |
1699 | |
1700 return SECSuccess; | 1780 return SECSuccess; |
1701 } | 1781 } |
1702 | 1782 |
1703 SECStatus | 1783 SECStatus |
1704 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, | 1784 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, |
1705 SSLVersionRange *vrange) | 1785 SSLVersionRange *vrange) |
1706 { | 1786 { |
1707 if (protocolVariant != ssl_variant_stream || !vrange) { | 1787 if ((protocolVariant != ssl_variant_stream |
1788 » && protocolVariant != ssl_variant_datagram) | |
1789 » || !vrange) { | |
1708 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1790 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1709 return SECFailure; | 1791 return SECFailure; |
1710 } | 1792 } |
1711 | 1793 |
1712 *vrange = versions_defaults; | 1794 *vrange = *VERSIONS_DEFAULTS(protocolVariant); |
1713 | 1795 |
1714 return SECSuccess; | 1796 return SECSuccess; |
1715 } | 1797 } |
1716 | 1798 |
1717 SECStatus | 1799 SECStatus |
1718 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, | 1800 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, |
1719 const SSLVersionRange *vrange) | 1801 const SSLVersionRange *vrange) |
1720 { | 1802 { |
1721 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { | 1803 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { |
1722 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1804 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
1723 return SECFailure; | 1805 return SECFailure; |
1724 } | 1806 } |
1725 | 1807 |
1726 versions_defaults = *vrange; | 1808 *VERSIONS_DEFAULTS(protocolVariant) = *vrange; |
1727 | 1809 |
1728 return SECSuccess; | 1810 return SECSuccess; |
1729 } | 1811 } |
1730 | 1812 |
1731 SECStatus | 1813 SECStatus |
1732 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) | 1814 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) |
1733 { | 1815 { |
1734 sslSocket *ss = ssl_FindSocket(fd); | 1816 sslSocket *ss = ssl_FindSocket(fd); |
1735 | 1817 |
1736 if (!ss) { | 1818 if (!ss) { |
(...skipping 1086 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2823 SSL_TRACE(("SSL: cbcRandomIV set to 0")); | 2905 SSL_TRACE(("SSL: cbcRandomIV set to 0")); |
2824 } | 2906 } |
2825 } | 2907 } |
2826 #endif /* NSS_HAVE_GETENV */ | 2908 #endif /* NSS_HAVE_GETENV */ |
2827 } | 2909 } |
2828 | 2910 |
2829 /* | 2911 /* |
2830 ** Create a newsocket structure for a file descriptor. | 2912 ** Create a newsocket structure for a file descriptor. |
2831 */ | 2913 */ |
2832 static sslSocket * | 2914 static sslSocket * |
2833 ssl_NewSocket(PRBool makeLocks) | 2915 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
2834 { | 2916 { |
2835 sslSocket *ss; | 2917 sslSocket *ss; |
2836 | 2918 |
2837 ssl_SetDefaultsFromEnvironment(); | 2919 ssl_SetDefaultsFromEnvironment(); |
2838 | 2920 |
2839 if (ssl_force_locks) | 2921 if (ssl_force_locks) |
2840 makeLocks = PR_TRUE; | 2922 makeLocks = PR_TRUE; |
2841 | 2923 |
2842 /* Make a new socket and get it ready */ | 2924 /* Make a new socket and get it ready */ |
2843 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); | 2925 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); |
2844 if (ss) { | 2926 if (ss) { |
2845 /* This should be of type SSLKEAType, but CC on IRIX | 2927 /* This should be of type SSLKEAType, but CC on IRIX |
2846 * complains during the for loop. | 2928 * complains during the for loop. |
2847 */ | 2929 */ |
2848 int i; | 2930 int i; |
2849 SECStatus status; | 2931 SECStatus status; |
2850 | 2932 |
2851 ss->opt = ssl_defaults; | 2933 ss->opt = ssl_defaults; |
2852 ss->opt.useSocks = PR_FALSE; | 2934 ss->opt.useSocks = PR_FALSE; |
2853 ss->opt.noLocks = !makeLocks; | 2935 ss->opt.noLocks = !makeLocks; |
2854 » ss->vrange = versions_defaults; | 2936 » ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); |
2855 | 2937 |
2856 ss->peerID = NULL; | 2938 ss->peerID = NULL; |
2857 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 2939 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
2858 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 2940 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
2859 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; | 2941 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
2860 ss->cipherSpecs = NULL; | 2942 ss->cipherSpecs = NULL; |
2861 ss->sizeCipherSpecs = 0; /* produced lazily */ | 2943 ss->sizeCipherSpecs = 0; /* produced lazily */ |
2862 ss->preferredCipher = NULL; | 2944 ss->preferredCipher = NULL; |
2863 ss->url = NULL; | 2945 ss->url = NULL; |
2864 | 2946 |
(...skipping 18 matching lines...) Expand all Loading... | |
2883 ss->getPlatformClientAuthData = NULL; | 2965 ss->getPlatformClientAuthData = NULL; |
2884 ss->getPlatformClientAuthDataArg = NULL; | 2966 ss->getPlatformClientAuthDataArg = NULL; |
2885 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 2967 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
2886 ss->handleBadCert = NULL; | 2968 ss->handleBadCert = NULL; |
2887 ss->badCertArg = NULL; | 2969 ss->badCertArg = NULL; |
2888 ss->pkcs11PinArg = NULL; | 2970 ss->pkcs11PinArg = NULL; |
2889 | 2971 |
2890 ssl_ChooseOps(ss); | 2972 ssl_ChooseOps(ss); |
2891 ssl2_InitSocketPolicy(ss); | 2973 ssl2_InitSocketPolicy(ss); |
2892 ssl3_InitSocketPolicy(ss); | 2974 ssl3_InitSocketPolicy(ss); |
2893 | 2975 |
2894 if (makeLocks) { | 2976 if (makeLocks) { |
2895 status = ssl_MakeLocks(ss); | 2977 status = ssl_MakeLocks(ss); |
2896 if (status != SECSuccess) | 2978 if (status != SECSuccess) |
2897 goto loser; | 2979 goto loser; |
2898 } | 2980 } |
2899 status = ssl_CreateSecurityInfo(ss); | 2981 status = ssl_CreateSecurityInfo(ss); |
2900 if (status != SECSuccess) | 2982 if (status != SECSuccess) |
2901 goto loser; | 2983 goto loser; |
2902 status = ssl_InitGather(&ss->gs); | 2984 status = ssl_InitGather(&ss->gs); |
2903 if (status != SECSuccess) { | 2985 if (status != SECSuccess) { |
2904 loser: | 2986 loser: |
2905 ssl_DestroySocketContents(ss); | 2987 ssl_DestroySocketContents(ss); |
2906 ssl_DestroyLocks(ss); | 2988 ssl_DestroyLocks(ss); |
2907 PORT_Free(ss); | 2989 PORT_Free(ss); |
2908 ss = NULL; | 2990 ss = NULL; |
2909 } | 2991 } |
2992 ss->protocolVariant = protocolVariant; | |
2910 } | 2993 } |
2911 return ss; | 2994 return ss; |
2912 } | 2995 } |
2913 | 2996 |
OLD | NEW |