OLD | NEW |
1 /* | 1 /* |
2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
4 * Various other functions. | 4 * Various other functions. |
5 * | 5 * |
6 * ***** BEGIN LICENSE BLOCK ***** | 6 * ***** BEGIN LICENSE BLOCK ***** |
7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
8 * | 8 * |
9 * The contents of this file are subject to the Mozilla Public License Version | 9 * The contents of this file are subject to the Mozilla Public License Version |
10 * 1.1 (the "License"); you may not use this file except in compliance with | 10 * 1.1 (the "License"); you may not use this file except in compliance with |
(...skipping 176 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
187 PR_FALSE, /* enableFalseStart */ | 187 PR_FALSE, /* enableFalseStart */ |
188 PR_TRUE, /* cbcRandomIV */ | 188 PR_TRUE, /* cbcRandomIV */ |
189 PR_FALSE, /* enableOCSPStapling */ | 189 PR_FALSE, /* enableOCSPStapling */ |
190 PR_FALSE, /* enableOBCerts */ | 190 PR_FALSE, /* enableOBCerts */ |
191 PR_FALSE, /* encryptClientCerts */ | 191 PR_FALSE, /* encryptClientCerts */ |
192 }; | 192 }; |
193 | 193 |
194 /* | 194 /* |
195 * default range of enabled SSL/TLS protocols | 195 * default range of enabled SSL/TLS protocols |
196 */ | 196 */ |
197 static SSLVersionRange versions_defaults = { | 197 static SSLVersionRange versions_defaults_stream = { |
198 SSL_LIBRARY_VERSION_3_0, | 198 SSL_LIBRARY_VERSION_3_0, |
199 SSL_LIBRARY_VERSION_TLS_1_0 | 199 SSL_LIBRARY_VERSION_TLS_1_0 |
200 }; | 200 }; |
201 | 201 |
| 202 static SSLVersionRange versions_defaults_datagram = { |
| 203 SSL_LIBRARY_VERSION_TLS_1_1, |
| 204 SSL_LIBRARY_VERSION_TLS_1_1 |
| 205 }; |
| 206 |
| 207 #define VERSIONS_DEFAULTS(variant) \ |
| 208 (variant == ssl_variant_stream ? &versions_defaults_stream : \ |
| 209 &versions_defaults_datagram) |
| 210 |
202 sslSessionIDLookupFunc ssl_sid_lookup; | 211 sslSessionIDLookupFunc ssl_sid_lookup; |
203 sslSessionIDCacheFunc ssl_sid_cache; | 212 sslSessionIDCacheFunc ssl_sid_cache; |
204 sslSessionIDUncacheFunc ssl_sid_uncache; | 213 sslSessionIDUncacheFunc ssl_sid_uncache; |
205 | 214 |
206 static PRBool ssl_inited = PR_FALSE; | 215 static PRBool ssl_inited = PR_FALSE; |
207 static PRDescIdentity ssl_layer_id; | 216 static PRDescIdentity ssl_layer_id; |
208 | 217 |
209 PRBool locksEverDisabled; /* implicitly PR_FALSE */ | 218 PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
210 PRBool ssl_force_locks; /* implicitly PR_FALSE */ | 219 PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
211 int ssl_lock_readers = 1; /* default true. */ | 220 int ssl_lock_readers = 1; /* default true. */ |
212 char ssl_debug; | 221 char ssl_debug; |
213 char ssl_trace; | 222 char ssl_trace; |
214 FILE * ssl_trace_iob; | 223 FILE * ssl_trace_iob; |
215 FILE * ssl_keylog_iob; | 224 FILE * ssl_keylog_iob; |
216 char lockStatus[] = "Locks are ENABLED. "; | 225 char lockStatus[] = "Locks are ENABLED. "; |
217 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ | 226 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ |
218 | 227 |
219 /* forward declarations. */ | 228 /* forward declarations. */ |
220 static sslSocket *ssl_NewSocket(PRBool makeLocks); | 229 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); |
221 static SECStatus ssl_MakeLocks(sslSocket *ss); | 230 static SECStatus ssl_MakeLocks(sslSocket *ss); |
222 static void ssl_SetDefaultsFromEnvironment(void); | 231 static void ssl_SetDefaultsFromEnvironment(void); |
223 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, | 232 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, |
224 PRDescIdentity id); | 233 PRDescIdentity id); |
225 | 234 |
226 /************************************************************************/ | 235 /************************************************************************/ |
227 | 236 |
228 /* | 237 /* |
229 ** Lookup a socket structure from a file descriptor. | 238 ** Lookup a socket structure from a file descriptor. |
230 ** Only functions called through the PRIOMethods table should use this. | 239 ** Only functions called through the PRIOMethods table should use this. |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
274 ss->fd = layer; | 283 ss->fd = layer; |
275 return ss; | 284 return ss; |
276 } | 285 } |
277 | 286 |
278 sslSocket * | 287 sslSocket * |
279 ssl_DupSocket(sslSocket *os) | 288 ssl_DupSocket(sslSocket *os) |
280 { | 289 { |
281 sslSocket *ss; | 290 sslSocket *ss; |
282 SECStatus rv; | 291 SECStatus rv; |
283 | 292 |
284 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks)); | 293 /* Not implemented for datagram */ |
| 294 if (IS_DTLS(os)) { |
| 295 » PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 296 » return NULL; |
| 297 } |
| 298 |
| 299 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); |
285 if (ss) { | 300 if (ss) { |
286 ss->opt = os->opt; | 301 ss->opt = os->opt; |
287 ss->opt.useSocks = PR_FALSE; | 302 ss->opt.useSocks = PR_FALSE; |
288 ss->vrange = os->vrange; | 303 ss->vrange = os->vrange; |
289 | 304 |
290 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); | 305 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
291 ss->url = !os->url ? NULL : PORT_Strdup(os->url); | 306 ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
292 | 307 |
293 ss->ops = os->ops; | 308 ss->ops = os->ops; |
294 ss->rTimeout = os->rTimeout; | 309 ss->rTimeout = os->rTimeout; |
(...skipping 396 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
691 case SSL_HANDSHAKE_AS_SERVER: | 706 case SSL_HANDSHAKE_AS_SERVER: |
692 if ( ss->opt.handshakeAsClient && on ) { | 707 if ( ss->opt.handshakeAsClient && on ) { |
693 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 708 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
694 rv = SECFailure; | 709 rv = SECFailure; |
695 break; | 710 break; |
696 } | 711 } |
697 ss->opt.handshakeAsServer = on; | 712 ss->opt.handshakeAsServer = on; |
698 break; | 713 break; |
699 | 714 |
700 case SSL_ENABLE_TLS: | 715 case SSL_ENABLE_TLS: |
| 716 if (IS_DTLS(ss)) { |
| 717 if (on) { |
| 718 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 719 rv = SECFailure; /* not allowed */ |
| 720 } |
| 721 break; |
| 722 } |
701 ssl_EnableTLS(&ss->vrange, on); | 723 ssl_EnableTLS(&ss->vrange, on); |
702 ss->preferredCipher = NULL; | 724 ss->preferredCipher = NULL; |
703 if (ss->cipherSpecs) { | 725 if (ss->cipherSpecs) { |
704 PORT_Free(ss->cipherSpecs); | 726 PORT_Free(ss->cipherSpecs); |
705 ss->cipherSpecs = NULL; | 727 ss->cipherSpecs = NULL; |
706 ss->sizeCipherSpecs = 0; | 728 ss->sizeCipherSpecs = 0; |
707 } | 729 } |
708 break; | 730 break; |
709 | 731 |
710 case SSL_ENABLE_SSL3: | 732 case SSL_ENABLE_SSL3: |
| 733 if (IS_DTLS(ss)) { |
| 734 if (on) { |
| 735 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 736 rv = SECFailure; /* not allowed */ |
| 737 } |
| 738 break; |
| 739 } |
711 ssl_EnableSSL3(&ss->vrange, on); | 740 ssl_EnableSSL3(&ss->vrange, on); |
712 ss->preferredCipher = NULL; | 741 ss->preferredCipher = NULL; |
713 if (ss->cipherSpecs) { | 742 if (ss->cipherSpecs) { |
714 PORT_Free(ss->cipherSpecs); | 743 PORT_Free(ss->cipherSpecs); |
715 ss->cipherSpecs = NULL; | 744 ss->cipherSpecs = NULL; |
716 ss->sizeCipherSpecs = 0; | 745 ss->sizeCipherSpecs = 0; |
717 } | 746 } |
718 break; | 747 break; |
719 | 748 |
720 case SSL_ENABLE_SSL2: | 749 case SSL_ENABLE_SSL2: |
| 750 if (IS_DTLS(ss)) { |
| 751 if (on) { |
| 752 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 753 rv = SECFailure; /* not allowed */ |
| 754 } |
| 755 break; |
| 756 } |
721 ss->opt.enableSSL2 = on; | 757 ss->opt.enableSSL2 = on; |
722 if (on) { | 758 if (on) { |
723 ss->opt.v2CompatibleHello = on; | 759 ss->opt.v2CompatibleHello = on; |
724 } | 760 } |
725 ss->preferredCipher = NULL; | 761 ss->preferredCipher = NULL; |
726 if (ss->cipherSpecs) { | 762 if (ss->cipherSpecs) { |
727 PORT_Free(ss->cipherSpecs); | 763 PORT_Free(ss->cipherSpecs); |
728 ss->cipherSpecs = NULL; | 764 ss->cipherSpecs = NULL; |
729 ss->sizeCipherSpecs = 0; | 765 ss->sizeCipherSpecs = 0; |
730 } | 766 } |
731 break; | 767 break; |
732 | 768 |
733 case SSL_NO_CACHE: | 769 case SSL_NO_CACHE: |
734 ss->opt.noCache = on; | 770 ss->opt.noCache = on; |
735 break; | 771 break; |
736 | 772 |
737 case SSL_ENABLE_FDX: | 773 case SSL_ENABLE_FDX: |
738 if (on && ss->opt.noLocks) { | 774 if (on && ss->opt.noLocks) { |
739 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 775 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
740 rv = SECFailure; | 776 rv = SECFailure; |
741 } | 777 } |
742 ss->opt.fdx = on; | 778 ss->opt.fdx = on; |
743 break; | 779 break; |
744 | 780 |
745 case SSL_V2_COMPATIBLE_HELLO: | 781 case SSL_V2_COMPATIBLE_HELLO: |
| 782 if (IS_DTLS(ss)) { |
| 783 if (on) { |
| 784 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 785 rv = SECFailure; /* not allowed */ |
| 786 } |
| 787 break; |
| 788 } |
746 ss->opt.v2CompatibleHello = on; | 789 ss->opt.v2CompatibleHello = on; |
747 if (!on) { | 790 if (!on) { |
748 ss->opt.enableSSL2 = on; | 791 ss->opt.enableSSL2 = on; |
749 } | 792 } |
750 break; | 793 break; |
751 | 794 |
752 case SSL_ROLLBACK_DETECTION: | 795 case SSL_ROLLBACK_DETECTION: |
753 ss->opt.detectRollBack = on; | 796 ss->opt.detectRollBack = on; |
754 break; | 797 break; |
755 | 798 |
(...skipping 175 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
931 ssl_SetDefaultsFromEnvironment(); | 974 ssl_SetDefaultsFromEnvironment(); |
932 | 975 |
933 switch (which) { | 976 switch (which) { |
934 case SSL_SOCKS: on = PR_FALSE; break; | 977 case SSL_SOCKS: on = PR_FALSE; break; |
935 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; | 978 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; |
936 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; | 979 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; |
937 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; | 980 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; |
938 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; | 981 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; |
939 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; | 982 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; |
940 case SSL_ENABLE_TLS: | 983 case SSL_ENABLE_TLS: |
941 » on = versions_defaults.max >= SSL_LIBRARY_VERSION_TLS_1_0; | 984 » on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
942 break; | 985 break; |
943 case SSL_ENABLE_SSL3: | 986 case SSL_ENABLE_SSL3: |
944 » on = versions_defaults.min == SSL_LIBRARY_VERSION_3_0; | 987 » on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; |
945 break; | 988 break; |
946 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; | 989 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; |
947 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; | 990 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; |
948 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; | 991 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; |
949 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; | 992 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; |
950 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; | 993 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; |
951 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; | 994 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; |
952 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; | 995 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; |
953 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; | 996 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; |
954 case SSL_ENABLE_SESSION_TICKETS: | 997 case SSL_ENABLE_SESSION_TICKETS: |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1027 | 1070 |
1028 case SSL_HANDSHAKE_AS_SERVER: | 1071 case SSL_HANDSHAKE_AS_SERVER: |
1029 if ( ssl_defaults.handshakeAsClient && on ) { | 1072 if ( ssl_defaults.handshakeAsClient && on ) { |
1030 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1073 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1031 return SECFailure; | 1074 return SECFailure; |
1032 } | 1075 } |
1033 ssl_defaults.handshakeAsServer = on; | 1076 ssl_defaults.handshakeAsServer = on; |
1034 break; | 1077 break; |
1035 | 1078 |
1036 case SSL_ENABLE_TLS: | 1079 case SSL_ENABLE_TLS: |
1037 » ssl_EnableTLS(&versions_defaults, on); | 1080 » ssl_EnableTLS(&versions_defaults_stream, on); |
1038 break; | 1081 break; |
1039 | 1082 |
1040 case SSL_ENABLE_SSL3: | 1083 case SSL_ENABLE_SSL3: |
1041 » ssl_EnableSSL3(&versions_defaults, on); | 1084 » ssl_EnableSSL3(&versions_defaults_stream, on); |
1042 break; | 1085 break; |
1043 | 1086 |
1044 case SSL_ENABLE_SSL2: | 1087 case SSL_ENABLE_SSL2: |
1045 ssl_defaults.enableSSL2 = on; | 1088 ssl_defaults.enableSSL2 = on; |
1046 if (on) { | 1089 if (on) { |
1047 ssl_defaults.v2CompatibleHello = on; | 1090 ssl_defaults.v2CompatibleHello = on; |
1048 } | 1091 } |
1049 break; | 1092 break; |
1050 | 1093 |
1051 case SSL_NO_CACHE: | 1094 case SSL_NO_CACHE: |
(...skipping 301 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1353 | 1396 |
1354 SECStatus | 1397 SECStatus |
1355 NSS_SetFrancePolicy(void) | 1398 NSS_SetFrancePolicy(void) |
1356 { | 1399 { |
1357 return NSS_SetDomesticPolicy(); | 1400 return NSS_SetDomesticPolicy(); |
1358 } | 1401 } |
1359 | 1402 |
1360 | 1403 |
1361 | 1404 |
1362 /* LOCKS ??? XXX */ | 1405 /* LOCKS ??? XXX */ |
1363 PRFileDesc * | 1406 static PRFileDesc * |
1364 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) | 1407 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) |
1365 { | 1408 { |
1366 sslSocket * ns = NULL; | 1409 sslSocket * ns = NULL; |
1367 PRStatus rv; | 1410 PRStatus rv; |
1368 PRNetAddr addr; | 1411 PRNetAddr addr; |
1369 SECStatus status = ssl_Init(); | 1412 SECStatus status = ssl_Init(); |
1370 | 1413 |
1371 if (status != SECSuccess) { | 1414 if (status != SECSuccess) { |
1372 return NULL; | 1415 return NULL; |
1373 } | 1416 } |
1374 | 1417 |
1375 if (model == NULL) { | 1418 if (model == NULL) { |
1376 /* Just create a default socket if we're given NULL for the model */ | 1419 /* Just create a default socket if we're given NULL for the model */ |
1377 » ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks)); | 1420 » ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); |
1378 } else { | 1421 } else { |
1379 sslSocket * ss = ssl_FindSocket(model); | 1422 sslSocket * ss = ssl_FindSocket(model); |
1380 » if (ss == NULL) { | 1423 » if (ss == NULL || ss->protocolVariant != variant) { |
1381 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", | 1424 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", |
1382 SSL_GETPID(), model)); | 1425 SSL_GETPID(), model)); |
1383 return NULL; | 1426 return NULL; |
1384 } | 1427 } |
1385 ns = ssl_DupSocket(ss); | 1428 ns = ssl_DupSocket(ss); |
1386 } | 1429 } |
1387 if (ns == NULL) | 1430 if (ns == NULL) |
1388 return NULL; | 1431 return NULL; |
1389 | 1432 |
1390 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); | 1433 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); |
1391 if (rv != PR_SUCCESS) { | 1434 if (rv != PR_SUCCESS) { |
1392 ssl_FreeSocket(ns); | 1435 ssl_FreeSocket(ns); |
1393 SET_ERROR_CODE | 1436 SET_ERROR_CODE |
1394 return NULL; | 1437 return NULL; |
1395 } | 1438 } |
1396 #ifdef _WIN32 | 1439 #ifdef _WIN32 |
1397 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */ | 1440 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */ |
1398 #endif | 1441 #endif |
1399 ns = ssl_FindSocket(fd); | 1442 ns = ssl_FindSocket(fd); |
1400 PORT_Assert(ns); | 1443 PORT_Assert(ns); |
1401 if (ns) | 1444 if (ns) |
1402 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); | 1445 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); |
1403 return fd; | 1446 return fd; |
1404 } | 1447 } |
1405 | 1448 |
| 1449 PRFileDesc * |
| 1450 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
| 1451 { |
| 1452 return ssl_ImportFD(model, fd, ssl_variant_stream); |
| 1453 } |
| 1454 |
| 1455 PRFileDesc * |
| 1456 DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
| 1457 { |
| 1458 return ssl_ImportFD(model, fd, ssl_variant_datagram); |
| 1459 } |
| 1460 |
1406 SECStatus | 1461 SECStatus |
1407 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, | 1462 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, |
1408 void *arg) | 1463 void *arg) |
1409 { | 1464 { |
1410 sslSocket *ss = ssl_FindSocket(fd); | 1465 sslSocket *ss = ssl_FindSocket(fd); |
1411 | 1466 |
1412 if (!ss) { | 1467 if (!ss) { |
1413 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETP
ID(), | 1468 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETP
ID(), |
1414 fd)); | 1469 fd)); |
1415 return SECFailure; | 1470 return SECFailure; |
(...skipping 244 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1660 return fd; | 1715 return fd; |
1661 loser: | 1716 loser: |
1662 return NULL; | 1717 return NULL; |
1663 #endif | 1718 #endif |
1664 } | 1719 } |
1665 | 1720 |
1666 PRBool | 1721 PRBool |
1667 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, | 1722 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, |
1668 SSL3ProtocolVersion version) | 1723 SSL3ProtocolVersion version) |
1669 { | 1724 { |
1670 return protocolVariant == ssl_variant_stream && | 1725 switch (protocolVariant) { |
1671 » version >= SSL_LIBRARY_VERSION_3_0 && | 1726 case ssl_variant_stream: |
1672 » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED; | 1727 » return (version >= SSL_LIBRARY_VERSION_3_0 && |
| 1728 » » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
| 1729 case ssl_variant_datagram: |
| 1730 » return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && |
| 1731 » » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
| 1732 default: |
| 1733 » /* Can't get here */ |
| 1734 » PORT_Assert(PR_FALSE); |
| 1735 » return PR_FALSE; |
| 1736 } |
1673 } | 1737 } |
1674 | 1738 |
1675 /* Returns PR_TRUE if the given version range is valid and | 1739 /* Returns PR_TRUE if the given version range is valid and |
1676 ** fully supported; otherwise, returns PR_FALSE. | 1740 ** fully supported; otherwise, returns PR_FALSE. |
1677 */ | 1741 */ |
1678 static PRBool | 1742 static PRBool |
1679 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, | 1743 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, |
1680 const SSLVersionRange *vrange) | 1744 const SSLVersionRange *vrange) |
1681 { | 1745 { |
1682 return vrange && | 1746 return vrange && |
1683 vrange->min <= vrange->max && | 1747 vrange->min <= vrange->max && |
1684 ssl3_VersionIsSupported(protocolVariant, vrange->min) && | 1748 ssl3_VersionIsSupported(protocolVariant, vrange->min) && |
1685 ssl3_VersionIsSupported(protocolVariant, vrange->max); | 1749 ssl3_VersionIsSupported(protocolVariant, vrange->max); |
1686 } | 1750 } |
1687 | 1751 |
1688 SECStatus | 1752 SECStatus |
1689 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, | 1753 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, |
1690 SSLVersionRange *vrange) | 1754 SSLVersionRange *vrange) |
1691 { | 1755 { |
1692 if (protocolVariant != ssl_variant_stream || !vrange) { | 1756 if (!vrange) { |
1693 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1757 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1694 return SECFailure; | 1758 return SECFailure; |
1695 } | 1759 } |
1696 | 1760 |
1697 vrange->min = SSL_LIBRARY_VERSION_3_0; | 1761 switch (protocolVariant) { |
1698 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | 1762 case ssl_variant_stream: |
| 1763 » vrange->min = SSL_LIBRARY_VERSION_3_0; |
| 1764 » vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
| 1765 » break; |
| 1766 case ssl_variant_datagram: |
| 1767 » vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; |
| 1768 » vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
| 1769 » break; |
| 1770 default: |
| 1771 » PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1772 » return SECFailure; |
| 1773 } |
1699 | 1774 |
1700 return SECSuccess; | 1775 return SECSuccess; |
1701 } | 1776 } |
1702 | 1777 |
1703 SECStatus | 1778 SECStatus |
1704 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, | 1779 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, |
1705 SSLVersionRange *vrange) | 1780 SSLVersionRange *vrange) |
1706 { | 1781 { |
1707 if (protocolVariant != ssl_variant_stream || !vrange) { | 1782 if ((protocolVariant != ssl_variant_stream && |
| 1783 » protocolVariant != ssl_variant_datagram) || !vrange) { |
1708 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1784 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1709 return SECFailure; | 1785 return SECFailure; |
1710 } | 1786 } |
1711 | 1787 |
1712 *vrange = versions_defaults; | 1788 *vrange = *VERSIONS_DEFAULTS(protocolVariant); |
1713 | 1789 |
1714 return SECSuccess; | 1790 return SECSuccess; |
1715 } | 1791 } |
1716 | 1792 |
1717 SECStatus | 1793 SECStatus |
1718 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, | 1794 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, |
1719 const SSLVersionRange *vrange) | 1795 const SSLVersionRange *vrange) |
1720 { | 1796 { |
1721 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { | 1797 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { |
1722 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1798 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
1723 return SECFailure; | 1799 return SECFailure; |
1724 } | 1800 } |
1725 | 1801 |
1726 versions_defaults = *vrange; | 1802 *VERSIONS_DEFAULTS(protocolVariant) = *vrange; |
1727 | 1803 |
1728 return SECSuccess; | 1804 return SECSuccess; |
1729 } | 1805 } |
1730 | 1806 |
1731 SECStatus | 1807 SECStatus |
1732 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) | 1808 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) |
1733 { | 1809 { |
1734 sslSocket *ss = ssl_FindSocket(fd); | 1810 sslSocket *ss = ssl_FindSocket(fd); |
1735 | 1811 |
1736 if (!ss) { | 1812 if (!ss) { |
(...skipping 1086 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2823 SSL_TRACE(("SSL: cbcRandomIV set to 0")); | 2899 SSL_TRACE(("SSL: cbcRandomIV set to 0")); |
2824 } | 2900 } |
2825 } | 2901 } |
2826 #endif /* NSS_HAVE_GETENV */ | 2902 #endif /* NSS_HAVE_GETENV */ |
2827 } | 2903 } |
2828 | 2904 |
2829 /* | 2905 /* |
2830 ** Create a newsocket structure for a file descriptor. | 2906 ** Create a newsocket structure for a file descriptor. |
2831 */ | 2907 */ |
2832 static sslSocket * | 2908 static sslSocket * |
2833 ssl_NewSocket(PRBool makeLocks) | 2909 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
2834 { | 2910 { |
2835 sslSocket *ss; | 2911 sslSocket *ss; |
2836 | 2912 |
2837 ssl_SetDefaultsFromEnvironment(); | 2913 ssl_SetDefaultsFromEnvironment(); |
2838 | 2914 |
2839 if (ssl_force_locks) | 2915 if (ssl_force_locks) |
2840 makeLocks = PR_TRUE; | 2916 makeLocks = PR_TRUE; |
2841 | 2917 |
2842 /* Make a new socket and get it ready */ | 2918 /* Make a new socket and get it ready */ |
2843 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); | 2919 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); |
2844 if (ss) { | 2920 if (ss) { |
2845 /* This should be of type SSLKEAType, but CC on IRIX | 2921 /* This should be of type SSLKEAType, but CC on IRIX |
2846 * complains during the for loop. | 2922 * complains during the for loop. |
2847 */ | 2923 */ |
2848 int i; | 2924 int i; |
2849 SECStatus status; | 2925 SECStatus status; |
2850 | 2926 |
2851 ss->opt = ssl_defaults; | 2927 ss->opt = ssl_defaults; |
2852 ss->opt.useSocks = PR_FALSE; | 2928 ss->opt.useSocks = PR_FALSE; |
2853 ss->opt.noLocks = !makeLocks; | 2929 ss->opt.noLocks = !makeLocks; |
2854 » ss->vrange = versions_defaults; | 2930 » ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); |
2855 | 2931 |
2856 ss->peerID = NULL; | 2932 ss->peerID = NULL; |
2857 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 2933 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
2858 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 2934 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
2859 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; | 2935 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
2860 ss->cipherSpecs = NULL; | 2936 ss->cipherSpecs = NULL; |
2861 ss->sizeCipherSpecs = 0; /* produced lazily */ | 2937 ss->sizeCipherSpecs = 0; /* produced lazily */ |
2862 ss->preferredCipher = NULL; | 2938 ss->preferredCipher = NULL; |
2863 ss->url = NULL; | 2939 ss->url = NULL; |
2864 | 2940 |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2900 if (status != SECSuccess) | 2976 if (status != SECSuccess) |
2901 goto loser; | 2977 goto loser; |
2902 status = ssl_InitGather(&ss->gs); | 2978 status = ssl_InitGather(&ss->gs); |
2903 if (status != SECSuccess) { | 2979 if (status != SECSuccess) { |
2904 loser: | 2980 loser: |
2905 ssl_DestroySocketContents(ss); | 2981 ssl_DestroySocketContents(ss); |
2906 ssl_DestroyLocks(ss); | 2982 ssl_DestroyLocks(ss); |
2907 PORT_Free(ss); | 2983 PORT_Free(ss); |
2908 ss = NULL; | 2984 ss = NULL; |
2909 } | 2985 } |
| 2986 ss->protocolVariant = protocolVariant; |
2910 } | 2987 } |
2911 return ss; | 2988 return ss; |
2912 } | 2989 } |
2913 | 2990 |
OLD | NEW |