OLD | NEW |
1 /* | 1 /* |
2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
4 * Various other functions. | 4 * Various other functions. |
5 * | 5 * |
6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
9 #include "seccomon.h" | 9 #include "seccomon.h" |
10 #include "cert.h" | 10 #include "cert.h" |
11 #include "keyhi.h" | 11 #include "keyhi.h" |
12 #include "ssl.h" | 12 #include "ssl.h" |
13 #include "sslimpl.h" | 13 #include "sslimpl.h" |
14 #include "sslproto.h" | 14 #include "sslproto.h" |
15 #include "nspr.h" | 15 #include "nspr.h" |
16 #include "private/pprio.h" | 16 #include "private/pprio.h" |
17 #ifndef NO_PKCS11_BYPASS | 17 #ifndef NO_PKCS11_BYPASS |
18 #include "blapi.h" | 18 #include "blapi.h" |
19 #endif | 19 #endif |
20 #include "pk11pub.h" | 20 #include "pk11pub.h" |
21 #include "nss.h" | 21 #include "nss.h" |
22 | 22 |
23 /* This is a bodge to allow this code to be compiled against older NSS headers | 23 /* This is a bodge to allow this code to be compiled against older NSS headers |
24 * that don't contain the TLS 1.2 changes. */ | 24 * that don't contain the TLS 1.2 changes. */ |
25 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | 25 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
26 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 26 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
27 #endif | 27 #endif |
28 | 28 |
29 #define SET_ERROR_CODE /* reminder */ | 29 #define SET_ERROR_CODE /* reminder */ |
30 | 30 |
31 static const sslSocketOps ssl_default_ops = {» /* No SSL. */ | 31 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
32 ssl_DefConnect, | 32 ssl_DefConnect, |
33 NULL, | 33 NULL, |
34 ssl_DefBind, | 34 ssl_DefBind, |
35 ssl_DefListen, | 35 ssl_DefListen, |
36 ssl_DefShutdown, | 36 ssl_DefShutdown, |
37 ssl_DefClose, | 37 ssl_DefClose, |
38 ssl_DefRecv, | 38 ssl_DefRecv, |
39 ssl_DefSend, | 39 ssl_DefSend, |
40 ssl_DefRead, | 40 ssl_DefRead, |
41 ssl_DefWrite, | 41 ssl_DefWrite, |
42 ssl_DefGetpeername, | 42 ssl_DefGetpeername, |
43 ssl_DefGetsockname | 43 ssl_DefGetsockname |
44 }; | 44 }; |
45 | 45 |
46 static const sslSocketOps ssl_secure_ops = {» /* SSL. */ | 46 static const sslSocketOps ssl_secure_ops = { /* SSL. */ |
47 ssl_SecureConnect, | 47 ssl_SecureConnect, |
48 NULL, | 48 NULL, |
49 ssl_DefBind, | 49 ssl_DefBind, |
50 ssl_DefListen, | 50 ssl_DefListen, |
51 ssl_SecureShutdown, | 51 ssl_SecureShutdown, |
52 ssl_SecureClose, | 52 ssl_SecureClose, |
53 ssl_SecureRecv, | 53 ssl_SecureRecv, |
54 ssl_SecureSend, | 54 ssl_SecureSend, |
55 ssl_SecureRead, | 55 ssl_SecureRead, |
56 ssl_SecureWrite, | 56 ssl_SecureWrite, |
57 ssl_DefGetpeername, | 57 ssl_DefGetpeername, |
58 ssl_DefGetsockname | 58 ssl_DefGetsockname |
59 }; | 59 }; |
60 | 60 |
61 /* | 61 /* |
62 ** default settings for socket enables | 62 ** default settings for socket enables |
63 */ | 63 */ |
64 static sslOptions ssl_defaults = { | 64 static sslOptions ssl_defaults = { |
65 { siBuffer, NULL, 0 }, /* nextProtoNego */ | 65 { siBuffer, NULL, 0 }, /* nextProtoNego */ |
66 PR_TRUE, » /* useSecurity */ | 66 PR_TRUE, /* useSecurity */ |
67 PR_FALSE,» /* useSocks */ | 67 PR_FALSE, /* useSocks */ |
68 PR_FALSE,» /* requestCertificate */ | 68 PR_FALSE, /* requestCertificate */ |
69 2,» /* requireCertificate */ | 69 2, /* requireCertificate */ |
70 PR_FALSE,» /* handshakeAsClient */ | 70 PR_FALSE, /* handshakeAsClient */ |
71 PR_FALSE,» /* handshakeAsServer */ | 71 PR_FALSE, /* handshakeAsServer */ |
72 PR_FALSE,» /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ | 72 PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ |
73 PR_FALSE,» /* unusedBit9 */ | 73 PR_FALSE, /* unusedBit9 */ |
74 PR_FALSE, » /* unusedBit10 */ | 74 PR_FALSE, /* unusedBit10 */ |
75 PR_FALSE,» /* noCache */ | 75 PR_FALSE, /* noCache */ |
76 PR_FALSE,» /* fdx */ | 76 PR_FALSE, /* fdx */ |
77 PR_FALSE,» /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ | 77 PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ |
78 PR_TRUE,» /* detectRollBack */ | 78 PR_TRUE, /* detectRollBack */ |
79 PR_FALSE, /* noStepDown */ | 79 PR_FALSE, /* noStepDown */ |
80 PR_FALSE, /* bypassPKCS11 */ | 80 PR_FALSE, /* bypassPKCS11 */ |
81 PR_FALSE, /* noLocks */ | 81 PR_FALSE, /* noLocks */ |
82 PR_FALSE, /* enableSessionTickets */ | 82 PR_FALSE, /* enableSessionTickets */ |
83 PR_FALSE, /* enableDeflate */ | 83 PR_FALSE, /* enableDeflate */ |
84 2, /* enableRenegotiation (default: requires extension) */ | 84 2, /* enableRenegotiation (default: requires extension) */ |
85 PR_FALSE, /* requireSafeNegotiation */ | 85 PR_FALSE, /* requireSafeNegotiation */ |
86 PR_FALSE, /* enableFalseStart */ | 86 PR_FALSE, /* enableFalseStart */ |
87 PR_TRUE, /* cbcRandomIV */ | 87 PR_TRUE, /* cbcRandomIV */ |
88 PR_FALSE, /* enableOCSPStapling */ | 88 PR_FALSE, /* enableOCSPStapling */ |
89 PR_TRUE, /* enableNPN */ | 89 PR_TRUE, /* enableNPN */ |
90 PR_FALSE, /* enableALPN */ | 90 PR_FALSE, /* enableALPN */ |
| 91 PR_TRUE, /* reuseServerECDHEKey */ |
| 92 PR_FALSE, /* enableFallbackSCSV */ |
91 PR_FALSE, /* enableSignedCertTimestamps */ | 93 PR_FALSE, /* enableSignedCertTimestamps */ |
92 PR_FALSE /* enableFallbackSCSV */ | |
93 }; | 94 }; |
94 | 95 |
95 /* | 96 /* |
96 * default range of enabled SSL/TLS protocols | 97 * default range of enabled SSL/TLS protocols |
97 */ | 98 */ |
98 static SSLVersionRange versions_defaults_stream = { | 99 static SSLVersionRange versions_defaults_stream = { |
99 SSL_LIBRARY_VERSION_3_0, | 100 SSL_LIBRARY_VERSION_3_0, |
100 SSL_LIBRARY_VERSION_TLS_1_0 | 101 SSL_LIBRARY_VERSION_TLS_1_2 |
101 }; | 102 }; |
102 | 103 |
103 static SSLVersionRange versions_defaults_datagram = { | 104 static SSLVersionRange versions_defaults_datagram = { |
104 SSL_LIBRARY_VERSION_TLS_1_1, | 105 SSL_LIBRARY_VERSION_TLS_1_1, |
105 SSL_LIBRARY_VERSION_TLS_1_1 | 106 SSL_LIBRARY_VERSION_TLS_1_2 |
106 }; | 107 }; |
107 | 108 |
108 #define VERSIONS_DEFAULTS(variant) \ | 109 #define VERSIONS_DEFAULTS(variant) \ |
109 (variant == ssl_variant_stream ? &versions_defaults_stream : \ | 110 (variant == ssl_variant_stream ? &versions_defaults_stream : \ |
110 &versions_defaults_datagram) | 111 &versions_defaults_datagram) |
111 | 112 |
112 sslSessionIDLookupFunc ssl_sid_lookup; | 113 sslSessionIDLookupFunc ssl_sid_lookup; |
113 sslSessionIDCacheFunc ssl_sid_cache; | 114 sslSessionIDCacheFunc ssl_sid_cache; |
114 sslSessionIDUncacheFunc ssl_sid_uncache; | 115 sslSessionIDUncacheFunc ssl_sid_uncache; |
115 | 116 |
116 static PRBool ssl_inited = PR_FALSE; | 117 static PRBool ssl_inited = PR_FALSE; |
117 static PRDescIdentity ssl_layer_id; | 118 static PRDescIdentity ssl_layer_id; |
118 | 119 |
119 PRBool locksEverDisabled; » /* implicitly PR_FALSE */ | 120 PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
120 PRBool» » » ssl_force_locks; » /* implicitly PR_FALSE */ | 121 PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
121 int ssl_lock_readers» = 1;» /* default true. */ | 122 int ssl_lock_readers = 1; /* default true. */ |
122 char ssl_debug; | 123 char ssl_debug; |
123 char ssl_trace; | 124 char ssl_trace; |
124 FILE * ssl_trace_iob; | 125 FILE * ssl_trace_iob; |
125 FILE * ssl_keylog_iob; | 126 FILE * ssl_keylog_iob; |
126 char lockStatus[] = "Locks are ENABLED. "; | 127 char lockStatus[] = "Locks are ENABLED. "; |
127 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ | 128 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ |
128 | 129 |
129 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ | 130 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ |
130 static const PRUint16 srtpCiphers[] = { | 131 static const PRUint16 srtpCiphers[] = { |
131 SRTP_AES128_CM_HMAC_SHA1_80, | 132 SRTP_AES128_CM_HMAC_SHA1_80, |
132 SRTP_AES128_CM_HMAC_SHA1_32, | 133 SRTP_AES128_CM_HMAC_SHA1_32, |
133 0 | 134 0 |
134 }; | 135 }; |
135 | 136 |
136 /* forward declarations. */ | 137 /* forward declarations. */ |
137 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); | 138 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); |
138 static SECStatus ssl_MakeLocks(sslSocket *ss); | 139 static SECStatus ssl_MakeLocks(sslSocket *ss); |
139 static void ssl_SetDefaultsFromEnvironment(void); | 140 static void ssl_SetDefaultsFromEnvironment(void); |
140 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, | 141 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, |
141 PRDescIdentity id); | 142 PRDescIdentity id); |
142 | 143 |
143 /************************************************************************/ | 144 /************************************************************************/ |
144 | 145 |
145 /* | 146 /* |
146 ** Lookup a socket structure from a file descriptor. | 147 ** Lookup a socket structure from a file descriptor. |
147 ** Only functions called through the PRIOMethods table should use this. | 148 ** Only functions called through the PRIOMethods table should use this. |
148 ** Other app-callable functions should use ssl_FindSocket. | 149 ** Other app-callable functions should use ssl_FindSocket. |
149 */ | 150 */ |
150 static sslSocket * | 151 static sslSocket * |
151 ssl_GetPrivate(PRFileDesc *fd) | 152 ssl_GetPrivate(PRFileDesc *fd) |
152 { | 153 { |
153 sslSocket *ss; | 154 sslSocket *ss; |
154 | 155 |
155 PORT_Assert(fd != NULL); | 156 PORT_Assert(fd != NULL); |
156 PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED); | 157 PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED); |
157 PORT_Assert(fd->identity == ssl_layer_id); | 158 PORT_Assert(fd->identity == ssl_layer_id); |
158 | 159 |
159 if (fd->methods->file_type != PR_DESC_LAYERED || | 160 if (fd->methods->file_type != PR_DESC_LAYERED || |
160 fd->identity != ssl_layer_id) { | 161 fd->identity != ssl_layer_id) { |
161 » PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); | 162 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); |
162 » return NULL; | 163 return NULL; |
163 } | 164 } |
164 | 165 |
165 ss = (sslSocket *)fd->secret; | 166 ss = (sslSocket *)fd->secret; |
| 167 /* Set ss->fd lazily. We can't rely on the value of ss->fd set by |
| 168 * ssl_PushIOLayer because another PR_PushIOLayer call will switch the |
| 169 * contents of the PRFileDesc pointed by ss->fd and the new layer. |
| 170 * See bug 807250. |
| 171 */ |
166 ss->fd = fd; | 172 ss->fd = fd; |
167 return ss; | 173 return ss; |
168 } | 174 } |
169 | 175 |
170 /* This function tries to find the SSL layer in the stack. | 176 /* This function tries to find the SSL layer in the stack. |
171 * It searches for the first SSL layer at or below the argument fd, | 177 * It searches for the first SSL layer at or below the argument fd, |
172 * and failing that, it searches for the nearest SSL layer above the | 178 * and failing that, it searches for the nearest SSL layer above the |
173 * argument fd. It returns the private sslSocket from the found layer. | 179 * argument fd. It returns the private sslSocket from the found layer. |
174 */ | 180 */ |
175 sslSocket * | 181 sslSocket * |
176 ssl_FindSocket(PRFileDesc *fd) | 182 ssl_FindSocket(PRFileDesc *fd) |
177 { | 183 { |
178 PRFileDesc *layer; | 184 PRFileDesc *layer; |
179 sslSocket *ss; | 185 sslSocket *ss; |
180 | 186 |
181 PORT_Assert(fd != NULL); | 187 PORT_Assert(fd != NULL); |
182 PORT_Assert(ssl_layer_id != 0); | 188 PORT_Assert(ssl_layer_id != 0); |
183 | 189 |
184 layer = PR_GetIdentitiesLayer(fd, ssl_layer_id); | 190 layer = PR_GetIdentitiesLayer(fd, ssl_layer_id); |
185 if (layer == NULL) { | 191 if (layer == NULL) { |
186 » PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); | 192 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); |
187 » return NULL; | 193 return NULL; |
188 } | 194 } |
189 | 195 |
190 ss = (sslSocket *)layer->secret; | 196 ss = (sslSocket *)layer->secret; |
| 197 /* Set ss->fd lazily. We can't rely on the value of ss->fd set by |
| 198 * ssl_PushIOLayer because another PR_PushIOLayer call will switch the |
| 199 * contents of the PRFileDesc pointed by ss->fd and the new layer. |
| 200 * See bug 807250. |
| 201 */ |
191 ss->fd = layer; | 202 ss->fd = layer; |
192 return ss; | 203 return ss; |
193 } | 204 } |
194 | 205 |
195 static sslSocket * | 206 static sslSocket * |
196 ssl_DupSocket(sslSocket *os) | 207 ssl_DupSocket(sslSocket *os) |
197 { | 208 { |
198 sslSocket *ss; | 209 sslSocket *ss; |
199 SECStatus rv; | 210 SECStatus rv; |
200 | 211 |
201 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); | 212 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); |
202 if (ss) { | 213 if (ss) { |
203 » ss->opt = os->opt; | 214 ss->opt = os->opt; |
204 » ss->opt.useSocks = PR_FALSE; | 215 ss->opt.useSocks = PR_FALSE; |
205 » ss->vrange = os->vrange; | 216 ss->vrange = os->vrange; |
206 | 217 |
207 » ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); | 218 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
208 » ss->url = !os->url ? NULL : PORT_Strdup(os->url); | 219 ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
209 | 220 |
210 » ss->ops = os->ops; | 221 ss->ops = os->ops; |
211 » ss->rTimeout = os->rTimeout; | 222 ss->rTimeout = os->rTimeout; |
212 » ss->wTimeout = os->wTimeout; | 223 ss->wTimeout = os->wTimeout; |
213 » ss->cTimeout = os->cTimeout; | 224 ss->cTimeout = os->cTimeout; |
214 » ss->dbHandle = os->dbHandle; | 225 ss->dbHandle = os->dbHandle; |
215 | 226 |
216 » /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ | 227 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
217 » ss->allowedByPolicy» = os->allowedByPolicy; | 228 ss->allowedByPolicy = os->allowedByPolicy; |
218 » ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; | 229 ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; |
219 » ss->chosenPreference » = os->chosenPreference; | 230 ss->chosenPreference = os->chosenPreference; |
220 » PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; | 231 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; |
221 » PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, | 232 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, |
222 » » sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); | 233 sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); |
223 » ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; | 234 ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; |
224 | 235 |
225 » if (os->cipherSpecs) { | 236 if (os->cipherSpecs) { |
226 » ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); | 237 ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); |
227 » if (ss->cipherSpecs) | 238 if (ss->cipherSpecs) |
228 » » PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, | 239 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, |
229 » » os->sizeCipherSpecs); | 240 os->sizeCipherSpecs); |
230 » ss->sizeCipherSpecs = os->sizeCipherSpecs; | 241 ss->sizeCipherSpecs = os->sizeCipherSpecs; |
231 » ss->preferredCipher = os->preferredCipher; | 242 ss->preferredCipher = os->preferredCipher; |
232 » } else { | 243 } else { |
233 » ss->cipherSpecs = NULL; /* produced lazily */ | 244 ss->cipherSpecs = NULL; /* produced lazily */ |
234 » ss->sizeCipherSpecs = 0; | 245 ss->sizeCipherSpecs = 0; |
235 » ss->preferredCipher = NULL; | 246 ss->preferredCipher = NULL; |
236 » } | 247 } |
237 » if (ss->opt.useSecurity) { | 248 if (ss->opt.useSecurity) { |
238 » /* This int should be SSLKEAType, but CC on Irix complains, | 249 /* This int should be SSLKEAType, but CC on Irix complains, |
239 » * during the for loop. | 250 * during the for loop. |
240 » */ | 251 */ |
241 » int i; | 252 int i; |
242 » sslServerCerts * oc = os->serverCerts; | 253 sslServerCerts * oc = os->serverCerts; |
243 » sslServerCerts * sc = ss->serverCerts; | 254 sslServerCerts * sc = ss->serverCerts; |
244 | 255 |
245 » for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) { | 256 for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) { |
246 » » if (oc->serverCert && oc->serverCertChain) { | 257 if (oc->serverCert && oc->serverCertChain) { |
247 » » sc->serverCert = CERT_DupCertificate(oc->serverCert); | 258 sc->serverCert = CERT_DupCertificate(oc->serverCert); |
248 » » sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); | 259 sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); |
249 » » if (!sc->serverCertChain) | 260 if (!sc->serverCertChain) |
250 » » » goto loser; | 261 goto loser; |
251 » » } else { | 262 } else { |
252 » » sc->serverCert = NULL; | 263 sc->serverCert = NULL; |
253 » » sc->serverCertChain = NULL; | 264 sc->serverCertChain = NULL; |
254 » » } | 265 } |
255 » » sc->serverKeyPair = oc->serverKeyPair ? | 266 sc->serverKeyPair = oc->serverKeyPair ? |
256 » » » » ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL; | 267 ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL; |
257 » » if (oc->serverKeyPair && !sc->serverKeyPair) | 268 if (oc->serverKeyPair && !sc->serverKeyPair) |
258 » » goto loser; | 269 goto loser; |
259 » sc->serverKeyBits = oc->serverKeyBits; | 270 sc->serverKeyBits = oc->serverKeyBits; |
260 » » ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : | 271 ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : |
261 » » » » SECITEM_DupArray(NULL, os->certStatusArray[i]); | 272 SECITEM_DupArray(NULL, os->certStatusArray[i]); |
262 » } | 273 } |
263 » ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : | 274 ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : |
264 » » ssl3_GetKeyPairRef(os->stepDownKeyPair); | 275 ssl3_GetKeyPairRef(os->stepDownKeyPair); |
265 » ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : | 276 ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : |
266 » » ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); | 277 ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); |
267 /* | 278 /* |
268 * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. | 279 * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. |
269 * XXX We should detect this, and not just march on with NULL pointers. | 280 * XXX We should detect this, and not just march on with NULL pointers. |
270 */ | 281 */ |
271 » ss->authCertificate = os->authCertificate; | 282 ss->authCertificate = os->authCertificate; |
272 » ss->authCertificateArg = os->authCertificateArg; | 283 ss->authCertificateArg = os->authCertificateArg; |
273 » ss->getClientAuthData = os->getClientAuthData; | 284 ss->getClientAuthData = os->getClientAuthData; |
274 » ss->getClientAuthDataArg = os->getClientAuthDataArg; | 285 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
275 #ifdef NSS_PLATFORM_CLIENT_AUTH | 286 #ifdef NSS_PLATFORM_CLIENT_AUTH |
276 » ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 287 ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
277 » ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; | 288 ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; |
278 #endif | 289 #endif |
279 ss->sniSocketConfig = os->sniSocketConfig; | 290 ss->sniSocketConfig = os->sniSocketConfig; |
280 ss->sniSocketConfigArg = os->sniSocketConfigArg; | 291 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
281 » ss->handleBadCert = os->handleBadCert; | 292 ss->handleBadCert = os->handleBadCert; |
282 » ss->badCertArg = os->badCertArg; | 293 ss->badCertArg = os->badCertArg; |
283 » ss->handshakeCallback = os->handshakeCallback; | 294 ss->handshakeCallback = os->handshakeCallback; |
284 » ss->handshakeCallbackData = os->handshakeCallbackData; | 295 ss->handshakeCallbackData = os->handshakeCallbackData; |
285 » ss->canFalseStartCallback = os->canFalseStartCallback; | 296 ss->canFalseStartCallback = os->canFalseStartCallback; |
286 » ss->canFalseStartCallbackData = os->canFalseStartCallbackData; | 297 ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
287 » ss->pkcs11PinArg = os->pkcs11PinArg; | 298 ss->pkcs11PinArg = os->pkcs11PinArg; |
288 » ss->getChannelID = os->getChannelID; | 299 ss->getChannelID = os->getChannelID; |
289 » ss->getChannelIDArg = os->getChannelIDArg; | 300 ss->getChannelIDArg = os->getChannelIDArg; |
290 | 301 |
291 » /* Create security data */ | 302 /* Create security data */ |
292 » rv = ssl_CopySecurityInfo(ss, os); | 303 rv = ssl_CopySecurityInfo(ss, os); |
293 » if (rv != SECSuccess) { | 304 if (rv != SECSuccess) { |
294 » » goto loser; | 305 goto loser; |
295 » } | 306 } |
296 » } | 307 } |
297 } | 308 } |
298 return ss; | 309 return ss; |
299 | 310 |
300 loser: | 311 loser: |
301 ssl_FreeSocket(ss); | 312 ssl_FreeSocket(ss); |
302 return NULL; | 313 return NULL; |
303 } | 314 } |
304 | 315 |
305 static void | 316 static void |
306 ssl_DestroyLocks(sslSocket *ss) | 317 ssl_DestroyLocks(sslSocket *ss) |
307 { | 318 { |
308 /* Destroy locks. */ | 319 /* Destroy locks. */ |
309 if (ss->firstHandshakeLock) { | 320 if (ss->firstHandshakeLock) { |
310 » PZ_DestroyMonitor(ss->firstHandshakeLock); | 321 PZ_DestroyMonitor(ss->firstHandshakeLock); |
311 » ss->firstHandshakeLock = NULL; | 322 ss->firstHandshakeLock = NULL; |
312 } | 323 } |
313 if (ss->ssl3HandshakeLock) { | 324 if (ss->ssl3HandshakeLock) { |
314 » PZ_DestroyMonitor(ss->ssl3HandshakeLock); | 325 PZ_DestroyMonitor(ss->ssl3HandshakeLock); |
315 » ss->ssl3HandshakeLock = NULL; | 326 ss->ssl3HandshakeLock = NULL; |
316 } | 327 } |
317 if (ss->specLock) { | 328 if (ss->specLock) { |
318 » NSSRWLock_Destroy(ss->specLock); | 329 NSSRWLock_Destroy(ss->specLock); |
319 » ss->specLock = NULL; | 330 ss->specLock = NULL; |
320 } | 331 } |
321 | 332 |
322 if (ss->recvLock) { | 333 if (ss->recvLock) { |
323 » PZ_DestroyLock(ss->recvLock); | 334 PZ_DestroyLock(ss->recvLock); |
324 » ss->recvLock = NULL; | 335 ss->recvLock = NULL; |
325 } | 336 } |
326 if (ss->sendLock) { | 337 if (ss->sendLock) { |
327 » PZ_DestroyLock(ss->sendLock); | 338 PZ_DestroyLock(ss->sendLock); |
328 » ss->sendLock = NULL; | 339 ss->sendLock = NULL; |
329 } | 340 } |
330 if (ss->xmitBufLock) { | 341 if (ss->xmitBufLock) { |
331 » PZ_DestroyMonitor(ss->xmitBufLock); | 342 PZ_DestroyMonitor(ss->xmitBufLock); |
332 » ss->xmitBufLock = NULL; | 343 ss->xmitBufLock = NULL; |
333 } | 344 } |
334 if (ss->recvBufLock) { | 345 if (ss->recvBufLock) { |
335 » PZ_DestroyMonitor(ss->recvBufLock); | 346 PZ_DestroyMonitor(ss->recvBufLock); |
336 » ss->recvBufLock = NULL; | 347 ss->recvBufLock = NULL; |
337 } | 348 } |
338 } | 349 } |
339 | 350 |
340 /* Caller holds any relevant locks */ | 351 /* Caller holds any relevant locks */ |
341 static void | 352 static void |
342 ssl_DestroySocketContents(sslSocket *ss) | 353 ssl_DestroySocketContents(sslSocket *ss) |
343 { | 354 { |
344 /* "i" should be of type SSLKEAType, but CC on IRIX complains during | 355 /* "i" should be of type SSLKEAType, but CC on IRIX complains during |
345 * the for loop. | 356 * the for loop. |
346 */ | 357 */ |
347 int i; | 358 int i; |
348 | 359 |
349 /* Free up socket */ | 360 /* Free up socket */ |
350 ssl_DestroySecurityInfo(&ss->sec); | 361 ssl_DestroySecurityInfo(&ss->sec); |
351 | 362 |
352 ssl3_DestroySSL3Info(ss); | 363 ssl3_DestroySSL3Info(ss); |
353 | 364 |
354 PORT_Free(ss->saveBuf.buf); | 365 PORT_Free(ss->saveBuf.buf); |
355 PORT_Free(ss->pendingBuf.buf); | 366 PORT_Free(ss->pendingBuf.buf); |
356 ssl_DestroyGather(&ss->gs); | 367 ssl_DestroyGather(&ss->gs); |
357 | 368 |
358 if (ss->peerID != NULL) | 369 if (ss->peerID != NULL) |
359 » PORT_Free(ss->peerID); | 370 PORT_Free(ss->peerID); |
360 if (ss->url != NULL) | 371 if (ss->url != NULL) |
361 » PORT_Free((void *)ss->url);» /* CONST */ | 372 PORT_Free((void *)ss->url); /* CONST */ |
362 if (ss->cipherSpecs) { | 373 if (ss->cipherSpecs) { |
363 » PORT_Free(ss->cipherSpecs); | 374 PORT_Free(ss->cipherSpecs); |
364 » ss->cipherSpecs = NULL; | 375 ss->cipherSpecs = NULL; |
365 » ss->sizeCipherSpecs = 0; | 376 ss->sizeCipherSpecs = 0; |
366 } | 377 } |
367 | 378 |
368 /* Clean up server configuration */ | 379 /* Clean up server configuration */ |
369 for (i=kt_null; i < kt_kea_size; i++) { | 380 for (i=kt_null; i < kt_kea_size; i++) { |
370 » sslServerCerts * sc = ss->serverCerts + i; | 381 sslServerCerts * sc = ss->serverCerts + i; |
371 » if (sc->serverCert != NULL) | 382 if (sc->serverCert != NULL) |
372 » CERT_DestroyCertificate(sc->serverCert); | 383 CERT_DestroyCertificate(sc->serverCert); |
373 » if (sc->serverCertChain != NULL) | 384 if (sc->serverCertChain != NULL) |
374 » CERT_DestroyCertificateList(sc->serverCertChain); | 385 CERT_DestroyCertificateList(sc->serverCertChain); |
375 » if (sc->serverKeyPair != NULL) | 386 if (sc->serverKeyPair != NULL) |
376 » ssl3_FreeKeyPair(sc->serverKeyPair); | 387 ssl3_FreeKeyPair(sc->serverKeyPair); |
377 » if (ss->certStatusArray[i] != NULL) { | 388 if (ss->certStatusArray[i] != NULL) { |
378 » SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); | 389 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); |
379 » ss->certStatusArray[i] = NULL; | 390 ss->certStatusArray[i] = NULL; |
380 » } | 391 } |
381 } | 392 } |
382 if (ss->stepDownKeyPair) { | 393 if (ss->stepDownKeyPair) { |
383 » ssl3_FreeKeyPair(ss->stepDownKeyPair); | 394 ssl3_FreeKeyPair(ss->stepDownKeyPair); |
384 » ss->stepDownKeyPair = NULL; | 395 ss->stepDownKeyPair = NULL; |
385 } | 396 } |
386 if (ss->ephemeralECDHKeyPair) { | 397 if (ss->ephemeralECDHKeyPair) { |
387 » ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); | 398 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); |
388 » ss->ephemeralECDHKeyPair = NULL; | 399 ss->ephemeralECDHKeyPair = NULL; |
389 } | 400 } |
390 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); | 401 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); |
391 PORT_Assert(!ss->xtnData.sniNameArr); | 402 PORT_Assert(!ss->xtnData.sniNameArr); |
392 if (ss->xtnData.sniNameArr) { | 403 if (ss->xtnData.sniNameArr) { |
393 PORT_Free(ss->xtnData.sniNameArr); | 404 PORT_Free(ss->xtnData.sniNameArr); |
394 ss->xtnData.sniNameArr = NULL; | 405 ss->xtnData.sniNameArr = NULL; |
395 } | 406 } |
396 } | 407 } |
397 | 408 |
398 /* | 409 /* |
(...skipping 27 matching lines...) Expand all Loading... |
426 ssl_DestroyLocks(ss); | 437 ssl_DestroyLocks(ss); |
427 | 438 |
428 #ifdef DEBUG | 439 #ifdef DEBUG |
429 PORT_Memset(ss, 0x1f, sizeof *ss); | 440 PORT_Memset(ss, 0x1f, sizeof *ss); |
430 #endif | 441 #endif |
431 PORT_Free(ss); | 442 PORT_Free(ss); |
432 return; | 443 return; |
433 } | 444 } |
434 | 445 |
435 /************************************************************************/ | 446 /************************************************************************/ |
436 SECStatus | 447 SECStatus |
437 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) | 448 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) |
438 { | 449 { |
439 PRFileDesc * osfd = ss->fd->lower; | 450 PRFileDesc * osfd = ss->fd->lower; |
440 SECStatus rv = SECFailure; | 451 SECStatus rv = SECFailure; |
441 PRSocketOptionData opt; | 452 PRSocketOptionData opt; |
442 | 453 |
443 opt.option = PR_SockOpt_NoDelay; | 454 opt.option = PR_SockOpt_NoDelay; |
444 opt.value.no_delay = (PRBool)!enabled; | 455 opt.value.no_delay = (PRBool)!enabled; |
445 | 456 |
446 if (osfd->methods->setsocketoption) { | 457 if (osfd->methods->setsocketoption) { |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
504 #endif | 515 #endif |
505 } | 516 } |
506 | 517 |
507 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in | 518 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in |
508 * ssl.h in the section "SSL version range setting API". | 519 * ssl.h in the section "SSL version range setting API". |
509 */ | 520 */ |
510 static void | 521 static void |
511 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) | 522 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) |
512 { | 523 { |
513 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { | 524 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
514 » if (on) { | 525 if (on) { |
515 » vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; | 526 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; |
516 » vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; | 527 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; |
517 » } /* else don't change anything */ | 528 } /* else don't change anything */ |
518 » return; | 529 return; |
519 } | 530 } |
520 | 531 |
521 if (on) { | 532 if (on) { |
522 » /* Expand the range of enabled version to include TLS 1.0 */ | 533 /* Expand the range of enabled version to include TLS 1.0 */ |
523 » vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); | 534 vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); |
524 » vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0); | 535 vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0); |
525 } else { | 536 } else { |
526 » /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */ | 537 /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */ |
527 » if (vrange->min == SSL_LIBRARY_VERSION_3_0) { | 538 if (vrange->min == SSL_LIBRARY_VERSION_3_0) { |
528 » vrange->max = SSL_LIBRARY_VERSION_3_0; | 539 vrange->max = SSL_LIBRARY_VERSION_3_0; |
529 » } else { | 540 } else { |
530 » /* Only TLS was enabled, so now no versions are. */ | 541 /* Only TLS was enabled, so now no versions are. */ |
531 » vrange->min = SSL_LIBRARY_VERSION_NONE; | 542 vrange->min = SSL_LIBRARY_VERSION_NONE; |
532 » vrange->max = SSL_LIBRARY_VERSION_NONE; | 543 vrange->max = SSL_LIBRARY_VERSION_NONE; |
533 » } | 544 } |
534 } | 545 } |
535 } | 546 } |
536 | 547 |
537 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in | 548 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in |
538 * ssl.h in the section "SSL version range setting API". | 549 * ssl.h in the section "SSL version range setting API". |
539 */ | 550 */ |
540 static void | 551 static void |
541 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) | 552 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) |
542 { | 553 { |
543 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { | 554 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
544 » if (on) { | 555 if (on) { |
545 » vrange->min = SSL_LIBRARY_VERSION_3_0; | 556 vrange->min = SSL_LIBRARY_VERSION_3_0; |
546 » vrange->max = SSL_LIBRARY_VERSION_3_0; | 557 vrange->max = SSL_LIBRARY_VERSION_3_0; |
547 » } /* else don't change anything */ | 558 } /* else don't change anything */ |
548 » return; | 559 return; |
549 } | 560 } |
550 | 561 |
551 if (on) { | 562 if (on) { |
552 » /* Expand the range of enabled versions to include SSL 3.0. We know | 563 /* Expand the range of enabled versions to include SSL 3.0. We know |
553 » * SSL 3.0 or some version of TLS is already enabled at this point, so | 564 * SSL 3.0 or some version of TLS is already enabled at this point, so |
554 » * we don't need to change vrange->max. | 565 * we don't need to change vrange->max. |
555 » */ | 566 */ |
556 » vrange->min = SSL_LIBRARY_VERSION_3_0; | 567 vrange->min = SSL_LIBRARY_VERSION_3_0; |
557 } else { | 568 } else { |
558 » /* Disable SSL 3.0, leaving TLS unaffected. */ | 569 /* Disable SSL 3.0, leaving TLS unaffected. */ |
559 » if (vrange->max > SSL_LIBRARY_VERSION_3_0) { | 570 if (vrange->max > SSL_LIBRARY_VERSION_3_0) { |
560 » vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); | 571 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); |
561 » } else { | 572 } else { |
562 » /* Only SSL 3.0 was enabled, so now no versions are. */ | 573 /* Only SSL 3.0 was enabled, so now no versions are. */ |
563 » vrange->min = SSL_LIBRARY_VERSION_NONE; | 574 vrange->min = SSL_LIBRARY_VERSION_NONE; |
564 » vrange->max = SSL_LIBRARY_VERSION_NONE; | 575 vrange->max = SSL_LIBRARY_VERSION_NONE; |
565 » } | 576 } |
566 } | 577 } |
567 } | 578 } |
568 | 579 |
569 SECStatus | 580 SECStatus |
570 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) | 581 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
571 { | 582 { |
572 sslSocket *ss = ssl_FindSocket(fd); | 583 sslSocket *ss = ssl_FindSocket(fd); |
573 SECStatus rv = SECSuccess; | 584 SECStatus rv = SECSuccess; |
574 PRBool holdingLocks; | 585 PRBool holdingLocks; |
575 | 586 |
576 if (!ss) { | 587 if (!ss) { |
577 » SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); | 588 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
578 » return SECFailure; | 589 return SECFailure; |
579 } | 590 } |
580 | 591 |
581 holdingLocks = (!ss->opt.noLocks); | 592 holdingLocks = (!ss->opt.noLocks); |
582 ssl_Get1stHandshakeLock(ss); | 593 ssl_Get1stHandshakeLock(ss); |
583 ssl_GetSSL3HandshakeLock(ss); | 594 ssl_GetSSL3HandshakeLock(ss); |
584 | 595 |
585 switch (which) { | 596 switch (which) { |
586 case SSL_SOCKS: | 597 case SSL_SOCKS: |
587 » ss->opt.useSocks = PR_FALSE; | 598 ss->opt.useSocks = PR_FALSE; |
588 » rv = PrepareSocket(ss); | 599 rv = PrepareSocket(ss); |
589 » if (on) { | 600 if (on) { |
590 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 601 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
591 » rv = SECFailure; | 602 rv = SECFailure; |
592 » } | 603 } |
593 » break; | 604 break; |
594 | 605 |
595 case SSL_SECURITY: | 606 case SSL_SECURITY: |
596 » ss->opt.useSecurity = on; | 607 ss->opt.useSecurity = on; |
597 » rv = PrepareSocket(ss); | 608 rv = PrepareSocket(ss); |
598 » break; | 609 break; |
599 | 610 |
600 case SSL_REQUEST_CERTIFICATE: | 611 case SSL_REQUEST_CERTIFICATE: |
601 » ss->opt.requestCertificate = on; | 612 ss->opt.requestCertificate = on; |
602 » break; | 613 break; |
603 | 614 |
604 case SSL_REQUIRE_CERTIFICATE: | 615 case SSL_REQUIRE_CERTIFICATE: |
605 » ss->opt.requireCertificate = on; | 616 ss->opt.requireCertificate = on; |
606 » break; | 617 break; |
607 | 618 |
608 case SSL_HANDSHAKE_AS_CLIENT: | 619 case SSL_HANDSHAKE_AS_CLIENT: |
609 » if ( ss->opt.handshakeAsServer && on ) { | 620 if ( ss->opt.handshakeAsServer && on ) { |
610 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 621 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
611 » rv = SECFailure; | 622 rv = SECFailure; |
612 » break; | 623 break; |
613 » } | 624 } |
614 » ss->opt.handshakeAsClient = on; | 625 ss->opt.handshakeAsClient = on; |
615 » break; | 626 break; |
616 | 627 |
617 case SSL_HANDSHAKE_AS_SERVER: | 628 case SSL_HANDSHAKE_AS_SERVER: |
618 » if ( ss->opt.handshakeAsClient && on ) { | 629 if ( ss->opt.handshakeAsClient && on ) { |
619 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 630 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
620 » rv = SECFailure; | 631 rv = SECFailure; |
621 » break; | 632 break; |
622 » } | 633 } |
623 » ss->opt.handshakeAsServer = on; | 634 ss->opt.handshakeAsServer = on; |
624 » break; | 635 break; |
625 | 636 |
626 case SSL_ENABLE_TLS: | 637 case SSL_ENABLE_TLS: |
627 if (IS_DTLS(ss)) { | 638 if (IS_DTLS(ss)) { |
628 » if (on) { | 639 if (on) { |
629 » » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 640 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
630 » » rv = SECFailure; /* not allowed */ | 641 rv = SECFailure; /* not allowed */ |
631 » } | 642 } |
632 » break; | 643 break; |
633 » } | 644 } |
634 » ssl_EnableTLS(&ss->vrange, on); | 645 ssl_EnableTLS(&ss->vrange, on); |
635 » ss->preferredCipher = NULL; | 646 ss->preferredCipher = NULL; |
636 » if (ss->cipherSpecs) { | 647 if (ss->cipherSpecs) { |
637 » PORT_Free(ss->cipherSpecs); | 648 PORT_Free(ss->cipherSpecs); |
638 » ss->cipherSpecs = NULL; | 649 ss->cipherSpecs = NULL; |
639 » ss->sizeCipherSpecs = 0; | 650 ss->sizeCipherSpecs = 0; |
640 » } | 651 } |
641 » break; | 652 break; |
642 | 653 |
643 case SSL_ENABLE_SSL3: | 654 case SSL_ENABLE_SSL3: |
644 if (IS_DTLS(ss)) { | 655 if (IS_DTLS(ss)) { |
645 » if (on) { | 656 if (on) { |
646 » » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 657 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
647 » » rv = SECFailure; /* not allowed */ | 658 rv = SECFailure; /* not allowed */ |
648 » } | 659 } |
649 » break; | 660 break; |
650 » } | 661 } |
651 » ssl_EnableSSL3(&ss->vrange, on); | 662 ssl_EnableSSL3(&ss->vrange, on); |
652 » ss->preferredCipher = NULL; | 663 ss->preferredCipher = NULL; |
653 » if (ss->cipherSpecs) { | 664 if (ss->cipherSpecs) { |
654 » PORT_Free(ss->cipherSpecs); | 665 PORT_Free(ss->cipherSpecs); |
655 » ss->cipherSpecs = NULL; | 666 ss->cipherSpecs = NULL; |
656 » ss->sizeCipherSpecs = 0; | 667 ss->sizeCipherSpecs = 0; |
657 » } | 668 } |
658 » break; | 669 break; |
659 | 670 |
660 case SSL_ENABLE_SSL2: | 671 case SSL_ENABLE_SSL2: |
661 if (IS_DTLS(ss)) { | 672 if (IS_DTLS(ss)) { |
662 » if (on) { | 673 if (on) { |
663 » » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 674 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
664 » » rv = SECFailure; /* not allowed */ | 675 rv = SECFailure; /* not allowed */ |
665 » } | 676 } |
666 » break; | 677 break; |
667 » } | 678 } |
668 » ss->opt.enableSSL2 = on; | 679 ss->opt.enableSSL2 = on; |
669 » if (on) { | 680 if (on) { |
670 » ss->opt.v2CompatibleHello = on; | 681 ss->opt.v2CompatibleHello = on; |
671 » } | 682 } |
672 » ss->preferredCipher = NULL; | 683 ss->preferredCipher = NULL; |
673 » if (ss->cipherSpecs) { | 684 if (ss->cipherSpecs) { |
674 » PORT_Free(ss->cipherSpecs); | 685 PORT_Free(ss->cipherSpecs); |
675 » ss->cipherSpecs = NULL; | 686 ss->cipherSpecs = NULL; |
676 » ss->sizeCipherSpecs = 0; | 687 ss->sizeCipherSpecs = 0; |
677 » } | 688 } |
678 » break; | 689 break; |
679 | 690 |
680 case SSL_NO_CACHE: | 691 case SSL_NO_CACHE: |
681 » ss->opt.noCache = on; | 692 ss->opt.noCache = on; |
682 » break; | 693 break; |
683 | 694 |
684 case SSL_ENABLE_FDX: | 695 case SSL_ENABLE_FDX: |
685 » if (on && ss->opt.noLocks) { | 696 if (on && ss->opt.noLocks) { |
686 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 697 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
687 » rv = SECFailure; | 698 rv = SECFailure; |
688 » } | 699 } |
689 » ss->opt.fdx = on; | 700 ss->opt.fdx = on; |
690 » break; | 701 break; |
691 | 702 |
692 case SSL_V2_COMPATIBLE_HELLO: | 703 case SSL_V2_COMPATIBLE_HELLO: |
693 if (IS_DTLS(ss)) { | 704 if (IS_DTLS(ss)) { |
694 » if (on) { | 705 if (on) { |
695 » » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 706 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
696 » » rv = SECFailure; /* not allowed */ | 707 rv = SECFailure; /* not allowed */ |
697 » } | 708 } |
698 » break; | 709 break; |
699 » } | 710 } |
700 » ss->opt.v2CompatibleHello = on; | 711 ss->opt.v2CompatibleHello = on; |
701 » if (!on) { | 712 if (!on) { |
702 » ss->opt.enableSSL2 = on; | 713 ss->opt.enableSSL2 = on; |
703 » } | 714 } |
704 » break; | |
705 | |
706 case SSL_ROLLBACK_DETECTION: | |
707 » ss->opt.detectRollBack = on; | |
708 break; | 715 break; |
709 | 716 |
710 case SSL_NO_STEP_DOWN: | 717 case SSL_ROLLBACK_DETECTION: |
711 » ss->opt.noStepDown = on; | 718 ss->opt.detectRollBack = on; |
712 » if (on) | 719 break; |
713 » SSL_DisableExportCipherSuites(fd); | 720 |
714 » break; | 721 case SSL_NO_STEP_DOWN: |
| 722 ss->opt.noStepDown = on; |
| 723 if (on) |
| 724 SSL_DisableExportCipherSuites(fd); |
| 725 break; |
715 | 726 |
716 case SSL_BYPASS_PKCS11: | 727 case SSL_BYPASS_PKCS11: |
717 » if (ss->handshakeBegun) { | 728 if (ss->handshakeBegun) { |
718 » PORT_SetError(PR_INVALID_STATE_ERROR); | 729 PORT_SetError(PR_INVALID_STATE_ERROR); |
719 » rv = SECFailure; | 730 rv = SECFailure; |
720 » } else { | 731 } else { |
721 if (PR_FALSE != on) { | 732 if (PR_FALSE != on) { |
722 if (PR_SUCCESS == SSL_BypassSetup() ) { | 733 if (PR_SUCCESS == SSL_BypassSetup() ) { |
723 #ifdef NO_PKCS11_BYPASS | 734 #ifdef NO_PKCS11_BYPASS |
724 ss->opt.bypassPKCS11 = PR_FALSE; | 735 ss->opt.bypassPKCS11 = PR_FALSE; |
725 #else | 736 #else |
726 ss->opt.bypassPKCS11 = on; | 737 ss->opt.bypassPKCS11 = on; |
727 #endif | 738 #endif |
728 } else { | 739 } else { |
729 rv = SECFailure; | 740 rv = SECFailure; |
730 } | 741 } |
731 } else { | 742 } else { |
732 ss->opt.bypassPKCS11 = PR_FALSE; | 743 ss->opt.bypassPKCS11 = PR_FALSE; |
733 } | 744 } |
734 » } | 745 } |
735 » break; | 746 break; |
736 | 747 |
737 case SSL_NO_LOCKS: | 748 case SSL_NO_LOCKS: |
738 » if (on && ss->opt.fdx) { | 749 if (on && ss->opt.fdx) { |
739 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 750 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
740 » rv = SECFailure; | 751 rv = SECFailure; |
741 » } | 752 } |
742 » if (on && ssl_force_locks) | 753 if (on && ssl_force_locks) |
743 » on = PR_FALSE;» /* silent override */ | 754 on = PR_FALSE; /* silent override */ |
744 » ss->opt.noLocks = on; | 755 ss->opt.noLocks = on; |
745 » if (on) { | 756 if (on) { |
746 » locksEverDisabled = PR_TRUE; | 757 locksEverDisabled = PR_TRUE; |
747 » strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); | 758 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
748 » } else if (!holdingLocks) { | 759 } else if (!holdingLocks) { |
749 » rv = ssl_MakeLocks(ss); | 760 rv = ssl_MakeLocks(ss); |
750 » if (rv != SECSuccess) { | 761 if (rv != SECSuccess) { |
751 » » ss->opt.noLocks = PR_TRUE; | 762 ss->opt.noLocks = PR_TRUE; |
752 » } | 763 } |
753 » } | 764 } |
754 » break; | 765 break; |
755 | 766 |
756 case SSL_ENABLE_SESSION_TICKETS: | 767 case SSL_ENABLE_SESSION_TICKETS: |
757 » ss->opt.enableSessionTickets = on; | 768 ss->opt.enableSessionTickets = on; |
758 » break; | 769 break; |
759 | 770 |
760 case SSL_ENABLE_DEFLATE: | 771 case SSL_ENABLE_DEFLATE: |
761 » ss->opt.enableDeflate = on; | 772 ss->opt.enableDeflate = on; |
762 » break; | 773 break; |
763 | 774 |
764 case SSL_ENABLE_RENEGOTIATION: | 775 case SSL_ENABLE_RENEGOTIATION: |
765 » ss->opt.enableRenegotiation = on; | 776 ss->opt.enableRenegotiation = on; |
766 » break; | 777 break; |
767 | 778 |
768 case SSL_REQUIRE_SAFE_NEGOTIATION: | 779 case SSL_REQUIRE_SAFE_NEGOTIATION: |
769 » ss->opt.requireSafeNegotiation = on; | 780 ss->opt.requireSafeNegotiation = on; |
770 » break; | 781 break; |
771 | 782 |
772 case SSL_ENABLE_FALSE_START: | 783 case SSL_ENABLE_FALSE_START: |
773 » ss->opt.enableFalseStart = on; | 784 ss->opt.enableFalseStart = on; |
774 » break; | 785 break; |
775 | 786 |
776 case SSL_CBC_RANDOM_IV: | 787 case SSL_CBC_RANDOM_IV: |
777 » ss->opt.cbcRandomIV = on; | 788 ss->opt.cbcRandomIV = on; |
778 » break; | 789 break; |
779 | 790 |
780 case SSL_ENABLE_OCSP_STAPLING: | 791 case SSL_ENABLE_OCSP_STAPLING: |
781 ss->opt.enableOCSPStapling = on; | 792 ss->opt.enableOCSPStapling = on; |
782 break; | 793 break; |
783 | 794 |
784 case SSL_ENABLE_NPN: | 795 case SSL_ENABLE_NPN: |
785 » ss->opt.enableNPN = on; | 796 ss->opt.enableNPN = on; |
786 » break; | 797 break; |
787 | 798 |
788 case SSL_ENABLE_ALPN: | 799 case SSL_ENABLE_ALPN: |
789 » ss->opt.enableALPN = on; | 800 ss->opt.enableALPN = on; |
790 » break; | 801 break; |
| 802 |
| 803 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 804 ss->opt.reuseServerECDHEKey = on; |
| 805 break; |
| 806 |
| 807 case SSL_ENABLE_FALLBACK_SCSV: |
| 808 ss->opt.enableFallbackSCSV = on; |
| 809 break; |
791 | 810 |
792 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 811 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
793 » ss->opt.enableSignedCertTimestamps = on; | 812 ss->opt.enableSignedCertTimestamps = on; |
794 » break; | 813 break; |
795 | |
796 case SSL_ENABLE_FALLBACK_SCSV: | |
797 ss->opt.enableFallbackSCSV = on; | |
798 break; | |
799 | 814 |
800 default: | 815 default: |
801 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 816 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
802 » rv = SECFailure; | 817 rv = SECFailure; |
803 } | 818 } |
804 | 819 |
805 /* We can't use the macros for releasing the locks here, | 820 /* We can't use the macros for releasing the locks here, |
806 * because ss->opt.noLocks might have changed just above. | 821 * because ss->opt.noLocks might have changed just above. |
807 * We must release these locks (monitors) here, if we aquired them above, | 822 * We must release these locks (monitors) here, if we aquired them above, |
808 * regardless of the current value of ss->opt.noLocks. | 823 * regardless of the current value of ss->opt.noLocks. |
809 */ | 824 */ |
810 if (holdingLocks) { | 825 if (holdingLocks) { |
811 » PZ_ExitMonitor((ss)->ssl3HandshakeLock); | 826 PZ_ExitMonitor((ss)->ssl3HandshakeLock); |
812 » PZ_ExitMonitor((ss)->firstHandshakeLock); | 827 PZ_ExitMonitor((ss)->firstHandshakeLock); |
813 } | 828 } |
814 | 829 |
815 return rv; | 830 return rv; |
816 } | 831 } |
817 | 832 |
818 SECStatus | 833 SECStatus |
819 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) | 834 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
820 { | 835 { |
821 sslSocket *ss = ssl_FindSocket(fd); | 836 sslSocket *ss = ssl_FindSocket(fd); |
822 SECStatus rv = SECSuccess; | 837 SECStatus rv = SECSuccess; |
823 PRBool on = PR_FALSE; | 838 PRBool on = PR_FALSE; |
824 | 839 |
825 if (!pOn) { | 840 if (!pOn) { |
826 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 841 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
827 » return SECFailure; | 842 return SECFailure; |
828 } | 843 } |
829 if (!ss) { | 844 if (!ss) { |
830 » SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); | 845 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
831 » *pOn = PR_FALSE; | 846 *pOn = PR_FALSE; |
832 » return SECFailure; | 847 return SECFailure; |
833 } | 848 } |
834 | 849 |
835 ssl_Get1stHandshakeLock(ss); | 850 ssl_Get1stHandshakeLock(ss); |
836 ssl_GetSSL3HandshakeLock(ss); | 851 ssl_GetSSL3HandshakeLock(ss); |
837 | 852 |
838 switch (which) { | 853 switch (which) { |
839 case SSL_SOCKS: on = PR_FALSE; break; | 854 case SSL_SOCKS: on = PR_FALSE; break; |
840 case SSL_SECURITY: on = ss->opt.useSecurity; break; | 855 case SSL_SECURITY: on = ss->opt.useSecurity; break; |
841 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; | 856 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; |
842 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; | 857 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; |
843 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; | 858 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; |
844 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; | 859 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; |
845 case SSL_ENABLE_TLS: | 860 case SSL_ENABLE_TLS: |
846 » on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; | 861 on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
847 » break; | 862 break; |
848 case SSL_ENABLE_SSL3: | 863 case SSL_ENABLE_SSL3: |
849 » on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; | 864 on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; |
850 » break; | 865 break; |
851 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; | 866 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; |
852 case SSL_NO_CACHE: on = ss->opt.noCache; break; | 867 case SSL_NO_CACHE: on = ss->opt.noCache; break; |
853 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; | 868 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; |
854 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; | 869 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; |
855 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; | 870 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; |
856 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; | 871 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; |
857 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; | 872 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; |
858 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; | 873 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; |
859 case SSL_ENABLE_SESSION_TICKETS: | 874 case SSL_ENABLE_SESSION_TICKETS: |
860 » on = ss->opt.enableSessionTickets; | 875 on = ss->opt.enableSessionTickets; |
861 » break; | 876 break; |
862 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; | 877 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; |
863 case SSL_ENABLE_RENEGOTIATION: | 878 case SSL_ENABLE_RENEGOTIATION: |
864 on = ss->opt.enableRenegotiation; break; | 879 on = ss->opt.enableRenegotiation; break; |
865 case SSL_REQUIRE_SAFE_NEGOTIATION: | 880 case SSL_REQUIRE_SAFE_NEGOTIATION: |
866 on = ss->opt.requireSafeNegotiation; break; | 881 on = ss->opt.requireSafeNegotiation; break; |
867 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 882 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
868 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 883 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
869 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 884 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
870 case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break; | 885 case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break; |
871 case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break; | 886 case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break; |
| 887 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 888 on = ss->opt.reuseServerECDHEKey; break; |
| 889 case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; |
872 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 890 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
873 » on = ss->opt.enableSignedCertTimestamps; | 891 on = ss->opt.enableSignedCertTimestamps; |
874 » break; | 892 break; |
875 case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; | |
876 | 893 |
877 default: | 894 default: |
878 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 895 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
879 » rv = SECFailure; | 896 rv = SECFailure; |
880 } | 897 } |
881 | 898 |
882 ssl_ReleaseSSL3HandshakeLock(ss); | 899 ssl_ReleaseSSL3HandshakeLock(ss); |
883 ssl_Release1stHandshakeLock(ss); | 900 ssl_Release1stHandshakeLock(ss); |
884 | 901 |
885 *pOn = on; | 902 *pOn = on; |
886 return rv; | 903 return rv; |
887 } | 904 } |
888 | 905 |
889 SECStatus | 906 SECStatus |
890 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) | 907 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
891 { | 908 { |
892 SECStatus rv = SECSuccess; | 909 SECStatus rv = SECSuccess; |
893 PRBool on = PR_FALSE; | 910 PRBool on = PR_FALSE; |
894 | 911 |
895 if (!pOn) { | 912 if (!pOn) { |
896 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 913 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
897 » return SECFailure; | 914 return SECFailure; |
898 } | 915 } |
899 | 916 |
900 ssl_SetDefaultsFromEnvironment(); | 917 ssl_SetDefaultsFromEnvironment(); |
901 | 918 |
902 switch (which) { | 919 switch (which) { |
903 case SSL_SOCKS: on = PR_FALSE; break; | 920 case SSL_SOCKS: on = PR_FALSE; break; |
904 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; | 921 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; |
905 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; | 922 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; |
906 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; | 923 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; |
907 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; | 924 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; |
908 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; | 925 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; |
909 case SSL_ENABLE_TLS: | 926 case SSL_ENABLE_TLS: |
910 » on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; | 927 on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
911 » break; | 928 break; |
912 case SSL_ENABLE_SSL3: | 929 case SSL_ENABLE_SSL3: |
913 » on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; | 930 on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; |
914 » break; | 931 break; |
915 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; | 932 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; |
916 case SSL_NO_CACHE: on = ssl_defaults.noCache;» » break; | 933 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; |
917 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; | 934 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; |
918 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; | 935 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; |
919 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; | 936 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; |
920 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; | 937 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; |
921 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; | 938 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; |
922 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; | 939 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; |
923 case SSL_ENABLE_SESSION_TICKETS: | 940 case SSL_ENABLE_SESSION_TICKETS: |
924 » on = ssl_defaults.enableSessionTickets; | 941 on = ssl_defaults.enableSessionTickets; |
925 » break; | 942 break; |
926 case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break; | 943 case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break; |
927 case SSL_ENABLE_RENEGOTIATION: | 944 case SSL_ENABLE_RENEGOTIATION: |
928 on = ssl_defaults.enableRenegotiation; break; | 945 on = ssl_defaults.enableRenegotiation; break; |
929 case SSL_REQUIRE_SAFE_NEGOTIATION: | 946 case SSL_REQUIRE_SAFE_NEGOTIATION: |
930 on = ssl_defaults.requireSafeNegotiation; | 947 on = ssl_defaults.requireSafeNegotiation; |
931 » » » » break; | 948 break; |
932 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 949 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; |
933 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 950 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; |
934 case SSL_ENABLE_OCSP_STAPLING: | 951 case SSL_ENABLE_OCSP_STAPLING: |
935 on = ssl_defaults.enableOCSPStapling; | 952 on = ssl_defaults.enableOCSPStapling; |
936 break; | 953 break; |
937 case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break; | 954 case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break; |
938 case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break; | 955 case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break; |
| 956 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 957 on = ssl_defaults.reuseServerECDHEKey; |
| 958 break; |
| 959 case SSL_ENABLE_FALLBACK_SCSV: |
| 960 on = ssl_defaults.enableFallbackSCSV; |
| 961 break; |
939 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 962 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
940 » on = ssl_defaults.enableSignedCertTimestamps; | 963 on = ssl_defaults.enableSignedCertTimestamps; |
941 » break; | 964 break; |
942 case SSL_ENABLE_FALLBACK_SCSV: | |
943 » on = ssl_defaults.enableFallbackSCSV; | |
944 » break; | |
945 | 965 |
946 default: | 966 default: |
947 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 967 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
948 » rv = SECFailure; | 968 rv = SECFailure; |
949 } | 969 } |
950 | 970 |
951 *pOn = on; | 971 *pOn = on; |
952 return rv; | 972 return rv; |
953 } | 973 } |
954 | 974 |
955 /* XXX Use Global Lock to protect this stuff. */ | 975 /* XXX Use Global Lock to protect this stuff. */ |
956 SECStatus | 976 SECStatus |
957 SSL_EnableDefault(int which, PRBool on) | 977 SSL_EnableDefault(int which, PRBool on) |
958 { | 978 { |
959 return SSL_OptionSetDefault(which, on); | 979 return SSL_OptionSetDefault(which, on); |
960 } | 980 } |
961 | 981 |
962 SECStatus | 982 SECStatus |
963 SSL_OptionSetDefault(PRInt32 which, PRBool on) | 983 SSL_OptionSetDefault(PRInt32 which, PRBool on) |
964 { | 984 { |
965 SECStatus status = ssl_Init(); | 985 SECStatus status = ssl_Init(); |
966 | 986 |
967 if (status != SECSuccess) { | 987 if (status != SECSuccess) { |
968 » return status; | 988 return status; |
969 } | 989 } |
970 | 990 |
971 ssl_SetDefaultsFromEnvironment(); | 991 ssl_SetDefaultsFromEnvironment(); |
972 | 992 |
973 switch (which) { | 993 switch (which) { |
974 case SSL_SOCKS: | 994 case SSL_SOCKS: |
975 » ssl_defaults.useSocks = PR_FALSE; | 995 ssl_defaults.useSocks = PR_FALSE; |
976 » if (on) { | 996 if (on) { |
977 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 997 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
978 » return SECFailure; | 998 return SECFailure; |
979 » } | 999 } |
980 » break; | 1000 break; |
981 | 1001 |
982 case SSL_SECURITY: | 1002 case SSL_SECURITY: |
983 » ssl_defaults.useSecurity = on; | 1003 ssl_defaults.useSecurity = on; |
984 » break; | 1004 break; |
985 | 1005 |
986 case SSL_REQUEST_CERTIFICATE: | 1006 case SSL_REQUEST_CERTIFICATE: |
987 » ssl_defaults.requestCertificate = on; | 1007 ssl_defaults.requestCertificate = on; |
988 » break; | 1008 break; |
989 | 1009 |
990 case SSL_REQUIRE_CERTIFICATE: | 1010 case SSL_REQUIRE_CERTIFICATE: |
991 » ssl_defaults.requireCertificate = on; | 1011 ssl_defaults.requireCertificate = on; |
992 » break; | 1012 break; |
993 | 1013 |
994 case SSL_HANDSHAKE_AS_CLIENT: | 1014 case SSL_HANDSHAKE_AS_CLIENT: |
995 » if ( ssl_defaults.handshakeAsServer && on ) { | 1015 if ( ssl_defaults.handshakeAsServer && on ) { |
996 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1016 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
997 » return SECFailure; | 1017 return SECFailure; |
998 » } | 1018 } |
999 » ssl_defaults.handshakeAsClient = on; | 1019 ssl_defaults.handshakeAsClient = on; |
1000 » break; | 1020 break; |
1001 | 1021 |
1002 case SSL_HANDSHAKE_AS_SERVER: | 1022 case SSL_HANDSHAKE_AS_SERVER: |
1003 » if ( ssl_defaults.handshakeAsClient && on ) { | 1023 if ( ssl_defaults.handshakeAsClient && on ) { |
1004 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1024 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1005 » return SECFailure; | 1025 return SECFailure; |
1006 » } | 1026 } |
1007 » ssl_defaults.handshakeAsServer = on; | 1027 ssl_defaults.handshakeAsServer = on; |
1008 » break; | 1028 break; |
1009 | 1029 |
1010 case SSL_ENABLE_TLS: | 1030 case SSL_ENABLE_TLS: |
1011 » ssl_EnableTLS(&versions_defaults_stream, on); | 1031 ssl_EnableTLS(&versions_defaults_stream, on); |
1012 » break; | 1032 break; |
1013 | 1033 |
1014 case SSL_ENABLE_SSL3: | 1034 case SSL_ENABLE_SSL3: |
1015 » ssl_EnableSSL3(&versions_defaults_stream, on); | 1035 ssl_EnableSSL3(&versions_defaults_stream, on); |
1016 » break; | 1036 break; |
1017 | 1037 |
1018 case SSL_ENABLE_SSL2: | 1038 case SSL_ENABLE_SSL2: |
1019 » ssl_defaults.enableSSL2 = on; | 1039 ssl_defaults.enableSSL2 = on; |
1020 » if (on) { | 1040 if (on) { |
1021 » ssl_defaults.v2CompatibleHello = on; | 1041 ssl_defaults.v2CompatibleHello = on; |
1022 » } | 1042 } |
1023 » break; | 1043 break; |
1024 | 1044 |
1025 case SSL_NO_CACHE: | 1045 case SSL_NO_CACHE: |
1026 » ssl_defaults.noCache = on; | 1046 ssl_defaults.noCache = on; |
1027 » break; | 1047 break; |
1028 | 1048 |
1029 case SSL_ENABLE_FDX: | 1049 case SSL_ENABLE_FDX: |
1030 » if (on && ssl_defaults.noLocks) { | 1050 if (on && ssl_defaults.noLocks) { |
1031 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1051 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1032 » return SECFailure; | 1052 return SECFailure; |
1033 » } | 1053 } |
1034 » ssl_defaults.fdx = on; | 1054 ssl_defaults.fdx = on; |
1035 » break; | 1055 break; |
1036 | 1056 |
1037 case SSL_V2_COMPATIBLE_HELLO: | 1057 case SSL_V2_COMPATIBLE_HELLO: |
1038 » ssl_defaults.v2CompatibleHello = on; | 1058 ssl_defaults.v2CompatibleHello = on; |
1039 » if (!on) { | 1059 if (!on) { |
1040 » ssl_defaults.enableSSL2 = on; | 1060 ssl_defaults.enableSSL2 = on; |
1041 » } | 1061 } |
1042 » break; | 1062 break; |
1043 | 1063 |
1044 case SSL_ROLLBACK_DETECTION: | 1064 case SSL_ROLLBACK_DETECTION: |
1045 » ssl_defaults.detectRollBack = on; | 1065 ssl_defaults.detectRollBack = on; |
1046 » break; | 1066 break; |
1047 | 1067 |
1048 case SSL_NO_STEP_DOWN: | 1068 case SSL_NO_STEP_DOWN: |
1049 » ssl_defaults.noStepDown = on; | 1069 ssl_defaults.noStepDown = on; |
1050 » if (on) | 1070 if (on) |
1051 » SSL_DisableDefaultExportCipherSuites(); | 1071 SSL_DisableDefaultExportCipherSuites(); |
1052 » break; | 1072 break; |
1053 | 1073 |
1054 case SSL_BYPASS_PKCS11: | 1074 case SSL_BYPASS_PKCS11: |
1055 if (PR_FALSE != on) { | 1075 if (PR_FALSE != on) { |
1056 if (PR_SUCCESS == SSL_BypassSetup()) { | 1076 if (PR_SUCCESS == SSL_BypassSetup()) { |
1057 #ifdef NO_PKCS11_BYPASS | 1077 #ifdef NO_PKCS11_BYPASS |
1058 ssl_defaults.bypassPKCS11 = PR_FALSE; | 1078 ssl_defaults.bypassPKCS11 = PR_FALSE; |
1059 #else | 1079 #else |
1060 ssl_defaults.bypassPKCS11 = on; | 1080 ssl_defaults.bypassPKCS11 = on; |
1061 #endif | 1081 #endif |
1062 } else { | 1082 } else { |
1063 return SECFailure; | 1083 return SECFailure; |
1064 } | 1084 } |
1065 } else { | 1085 } else { |
1066 ssl_defaults.bypassPKCS11 = PR_FALSE; | 1086 ssl_defaults.bypassPKCS11 = PR_FALSE; |
1067 } | 1087 } |
1068 » break; | 1088 break; |
1069 | 1089 |
1070 case SSL_NO_LOCKS: | 1090 case SSL_NO_LOCKS: |
1071 » if (on && ssl_defaults.fdx) { | 1091 if (on && ssl_defaults.fdx) { |
1072 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1092 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1073 » return SECFailure; | 1093 return SECFailure; |
1074 » } | 1094 } |
1075 » if (on && ssl_force_locks) | 1095 if (on && ssl_force_locks) |
1076 » on = PR_FALSE;» » /* silent override */ | 1096 on = PR_FALSE; /* silent override */ |
1077 » ssl_defaults.noLocks = on; | 1097 ssl_defaults.noLocks = on; |
1078 » if (on) { | 1098 if (on) { |
1079 » locksEverDisabled = PR_TRUE; | 1099 locksEverDisabled = PR_TRUE; |
1080 » strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); | 1100 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
1081 » } | 1101 } |
1082 » break; | 1102 break; |
1083 | 1103 |
1084 case SSL_ENABLE_SESSION_TICKETS: | 1104 case SSL_ENABLE_SESSION_TICKETS: |
1085 » ssl_defaults.enableSessionTickets = on; | 1105 ssl_defaults.enableSessionTickets = on; |
1086 » break; | 1106 break; |
1087 | 1107 |
1088 case SSL_ENABLE_DEFLATE: | 1108 case SSL_ENABLE_DEFLATE: |
1089 » ssl_defaults.enableDeflate = on; | 1109 ssl_defaults.enableDeflate = on; |
1090 » break; | 1110 break; |
1091 | 1111 |
1092 case SSL_ENABLE_RENEGOTIATION: | 1112 case SSL_ENABLE_RENEGOTIATION: |
1093 » ssl_defaults.enableRenegotiation = on; | 1113 ssl_defaults.enableRenegotiation = on; |
1094 » break; | 1114 break; |
1095 | 1115 |
1096 case SSL_REQUIRE_SAFE_NEGOTIATION: | 1116 case SSL_REQUIRE_SAFE_NEGOTIATION: |
1097 » ssl_defaults.requireSafeNegotiation = on; | 1117 ssl_defaults.requireSafeNegotiation = on; |
1098 » break; | 1118 break; |
1099 | 1119 |
1100 case SSL_ENABLE_FALSE_START: | 1120 case SSL_ENABLE_FALSE_START: |
1101 » ssl_defaults.enableFalseStart = on; | 1121 ssl_defaults.enableFalseStart = on; |
1102 » break; | 1122 break; |
1103 | 1123 |
1104 case SSL_CBC_RANDOM_IV: | 1124 case SSL_CBC_RANDOM_IV: |
1105 » ssl_defaults.cbcRandomIV = on; | 1125 ssl_defaults.cbcRandomIV = on; |
1106 » break; | 1126 break; |
1107 | 1127 |
1108 case SSL_ENABLE_OCSP_STAPLING: | 1128 case SSL_ENABLE_OCSP_STAPLING: |
1109 ssl_defaults.enableOCSPStapling = on; | 1129 ssl_defaults.enableOCSPStapling = on; |
1110 break; | 1130 break; |
1111 | 1131 |
1112 case SSL_ENABLE_NPN: | 1132 case SSL_ENABLE_NPN: |
1113 » ssl_defaults.enableNPN = on; | 1133 ssl_defaults.enableNPN = on; |
1114 » break; | 1134 break; |
1115 | 1135 |
1116 case SSL_ENABLE_ALPN: | 1136 case SSL_ENABLE_ALPN: |
1117 » ssl_defaults.enableALPN = on; | 1137 ssl_defaults.enableALPN = on; |
1118 » break; | 1138 break; |
| 1139 |
| 1140 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 1141 ssl_defaults.reuseServerECDHEKey = on; |
| 1142 break; |
| 1143 |
| 1144 case SSL_ENABLE_FALLBACK_SCSV: |
| 1145 ssl_defaults.enableFallbackSCSV = on; |
| 1146 break; |
1119 | 1147 |
1120 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 1148 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
1121 » ssl_defaults.enableSignedCertTimestamps = on; | 1149 ssl_defaults.enableSignedCertTimestamps = on; |
1122 » break; | 1150 break; |
1123 | |
1124 case SSL_ENABLE_FALLBACK_SCSV: | |
1125 ssl_defaults.enableFallbackSCSV = on; | |
1126 break; | |
1127 | 1151 |
1128 default: | 1152 default: |
1129 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1153 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1130 » return SECFailure; | 1154 return SECFailure; |
1131 } | 1155 } |
1132 return SECSuccess; | 1156 return SECSuccess; |
1133 } | 1157 } |
1134 | 1158 |
1135 /* function tells us if the cipher suite is one that we no longer support. */ | 1159 /* function tells us if the cipher suite is one that we no longer support. */ |
1136 static PRBool | 1160 static PRBool |
1137 ssl_IsRemovedCipherSuite(PRInt32 suite) | 1161 ssl_IsRemovedCipherSuite(PRInt32 suite) |
1138 { | 1162 { |
1139 switch (suite) { | 1163 switch (suite) { |
1140 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: | 1164 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: |
1141 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: | 1165 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: |
1142 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: | 1166 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: |
1143 » return PR_TRUE; | 1167 return PR_TRUE; |
1144 default: | 1168 default: |
1145 » return PR_FALSE; | 1169 return PR_FALSE; |
1146 } | 1170 } |
1147 } | 1171 } |
1148 | 1172 |
1149 /* Part of the public NSS API. | 1173 /* Part of the public NSS API. |
1150 * Since this is a global (not per-socket) setting, we cannot use the | 1174 * Since this is a global (not per-socket) setting, we cannot use the |
1151 * HandshakeLock to protect this. Probably want a global lock. | 1175 * HandshakeLock to protect this. Probably want a global lock. |
1152 */ | 1176 */ |
1153 SECStatus | 1177 SECStatus |
1154 SSL_SetPolicy(long which, int policy) | 1178 SSL_SetPolicy(long which, int policy) |
1155 { | 1179 { |
1156 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { | 1180 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
1157 » /* one of the two old FIPS ciphers */ | 1181 /* one of the two old FIPS ciphers */ |
1158 » if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) | 1182 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
1159 » which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; | 1183 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
1160 » else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) | 1184 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
1161 » which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; | 1185 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
1162 } | 1186 } |
1163 if (ssl_IsRemovedCipherSuite(which)) | 1187 if (ssl_IsRemovedCipherSuite(which)) |
1164 » return SECSuccess; | 1188 return SECSuccess; |
1165 return SSL_CipherPolicySet(which, policy); | 1189 return SSL_CipherPolicySet(which, policy); |
1166 } | 1190 } |
1167 | 1191 |
1168 SECStatus | 1192 SECStatus |
1169 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) | 1193 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
1170 { | 1194 { |
1171 SECStatus rv = ssl_Init(); | 1195 SECStatus rv = ssl_Init(); |
1172 | 1196 |
1173 if (rv != SECSuccess) { | 1197 if (rv != SECSuccess) { |
1174 » return rv; | 1198 return rv; |
1175 } | 1199 } |
1176 | 1200 |
1177 if (ssl_IsRemovedCipherSuite(which)) { | 1201 if (ssl_IsRemovedCipherSuite(which)) { |
1178 » rv = SECSuccess; | 1202 rv = SECSuccess; |
1179 } else if (SSL_IS_SSL2_CIPHER(which)) { | 1203 } else if (SSL_IS_SSL2_CIPHER(which)) { |
1180 » rv = ssl2_SetPolicy(which, policy); | 1204 rv = ssl2_SetPolicy(which, policy); |
1181 } else { | 1205 } else { |
1182 » rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); | 1206 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); |
1183 } | 1207 } |
1184 return rv; | 1208 return rv; |
1185 } | 1209 } |
1186 | 1210 |
1187 SECStatus | 1211 SECStatus |
1188 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) | 1212 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
1189 { | 1213 { |
1190 SECStatus rv; | 1214 SECStatus rv; |
1191 | 1215 |
1192 if (!oPolicy) { | 1216 if (!oPolicy) { |
1193 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1217 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1194 » return SECFailure; | 1218 return SECFailure; |
1195 } | 1219 } |
1196 if (ssl_IsRemovedCipherSuite(which)) { | 1220 if (ssl_IsRemovedCipherSuite(which)) { |
1197 » *oPolicy = SSL_NOT_ALLOWED; | 1221 *oPolicy = SSL_NOT_ALLOWED; |
1198 » rv = SECSuccess; | 1222 rv = SECSuccess; |
1199 } else if (SSL_IS_SSL2_CIPHER(which)) { | 1223 } else if (SSL_IS_SSL2_CIPHER(which)) { |
1200 » rv = ssl2_GetPolicy(which, oPolicy); | 1224 rv = ssl2_GetPolicy(which, oPolicy); |
1201 } else { | 1225 } else { |
1202 » rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); | 1226 rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); |
1203 } | 1227 } |
1204 return rv; | 1228 return rv; |
1205 } | 1229 } |
1206 | 1230 |
1207 /* Part of the public NSS API. | 1231 /* Part of the public NSS API. |
1208 * Since this is a global (not per-socket) setting, we cannot use the | 1232 * Since this is a global (not per-socket) setting, we cannot use the |
1209 * HandshakeLock to protect this. Probably want a global lock. | 1233 * HandshakeLock to protect this. Probably want a global lock. |
1210 * These changes have no effect on any sslSockets already created. | 1234 * These changes have no effect on any sslSockets already created. |
1211 */ | 1235 */ |
1212 SECStatus | 1236 SECStatus |
1213 SSL_EnableCipher(long which, PRBool enabled) | 1237 SSL_EnableCipher(long which, PRBool enabled) |
1214 { | 1238 { |
1215 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { | 1239 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
1216 » /* one of the two old FIPS ciphers */ | 1240 /* one of the two old FIPS ciphers */ |
1217 » if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) | 1241 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
1218 » which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; | 1242 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
1219 » else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) | 1243 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
1220 » which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; | 1244 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
1221 } | 1245 } |
1222 if (ssl_IsRemovedCipherSuite(which)) | 1246 if (ssl_IsRemovedCipherSuite(which)) |
1223 » return SECSuccess; | 1247 return SECSuccess; |
1224 return SSL_CipherPrefSetDefault(which, enabled); | 1248 return SSL_CipherPrefSetDefault(which, enabled); |
1225 } | 1249 } |
1226 | 1250 |
1227 SECStatus | 1251 SECStatus |
1228 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) | 1252 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
1229 { | 1253 { |
1230 SECStatus rv = ssl_Init(); | 1254 SECStatus rv = ssl_Init(); |
1231 | 1255 |
1232 if (rv != SECSuccess) { | 1256 if (rv != SECSuccess) { |
1233 » return rv; | 1257 return rv; |
1234 } | 1258 } |
1235 | 1259 |
1236 if (ssl_IsRemovedCipherSuite(which)) | 1260 if (ssl_IsRemovedCipherSuite(which)) |
1237 » return SECSuccess; | 1261 return SECSuccess; |
1238 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) { | 1262 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) { |
1239 » PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); | 1263 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
1240 » return SECFailure; | 1264 return SECFailure; |
1241 } | 1265 } |
1242 if (SSL_IS_SSL2_CIPHER(which)) { | 1266 if (SSL_IS_SSL2_CIPHER(which)) { |
1243 » rv = ssl2_CipherPrefSetDefault(which, enabled); | 1267 rv = ssl2_CipherPrefSetDefault(which, enabled); |
1244 } else { | 1268 } else { |
1245 » rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); | 1269 rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); |
1246 } | 1270 } |
1247 return rv; | 1271 return rv; |
1248 } | 1272 } |
1249 | 1273 |
1250 SECStatus | 1274 SECStatus |
1251 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) | 1275 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) |
1252 { | 1276 { |
1253 SECStatus rv; | 1277 SECStatus rv; |
1254 | 1278 |
1255 if (!enabled) { | 1279 if (!enabled) { |
1256 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1280 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1257 » return SECFailure; | 1281 return SECFailure; |
1258 } | 1282 } |
1259 if (ssl_IsRemovedCipherSuite(which)) { | 1283 if (ssl_IsRemovedCipherSuite(which)) { |
1260 » *enabled = PR_FALSE; | 1284 *enabled = PR_FALSE; |
1261 » rv = SECSuccess; | 1285 rv = SECSuccess; |
1262 } else if (SSL_IS_SSL2_CIPHER(which)) { | 1286 } else if (SSL_IS_SSL2_CIPHER(which)) { |
1263 » rv = ssl2_CipherPrefGetDefault(which, enabled); | 1287 rv = ssl2_CipherPrefGetDefault(which, enabled); |
1264 } else { | 1288 } else { |
1265 » rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled); | 1289 rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled); |
1266 } | 1290 } |
1267 return rv; | 1291 return rv; |
1268 } | 1292 } |
1269 | 1293 |
1270 SECStatus | 1294 SECStatus |
1271 SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled) | 1295 SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled) |
1272 { | 1296 { |
1273 SECStatus rv; | 1297 SECStatus rv; |
1274 sslSocket *ss = ssl_FindSocket(fd); | 1298 sslSocket *ss = ssl_FindSocket(fd); |
1275 | 1299 |
1276 if (!ss) { | 1300 if (!ss) { |
1277 » SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd)); | 1301 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd)); |
1278 » return SECFailure; | 1302 return SECFailure; |
1279 } | 1303 } |
1280 if (ssl_IsRemovedCipherSuite(which)) | 1304 if (ssl_IsRemovedCipherSuite(which)) |
1281 » return SECSuccess; | 1305 return SECSuccess; |
1282 if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) { | 1306 if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) { |
1283 » PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); | 1307 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
1284 » return SECFailure; | 1308 return SECFailure; |
1285 } | 1309 } |
1286 if (SSL_IS_SSL2_CIPHER(which)) { | 1310 if (SSL_IS_SSL2_CIPHER(which)) { |
1287 » rv = ssl2_CipherPrefSet(ss, which, enabled); | 1311 rv = ssl2_CipherPrefSet(ss, which, enabled); |
1288 } else { | 1312 } else { |
1289 » rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled); | 1313 rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled); |
1290 } | 1314 } |
1291 return rv; | 1315 return rv; |
1292 } | 1316 } |
1293 | 1317 |
1294 SECStatus | 1318 SECStatus |
1295 SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) | 1319 SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) |
1296 { | 1320 { |
1297 sslSocket *ss = ssl_FindSocket(fd); | 1321 sslSocket *ss = ssl_FindSocket(fd); |
1298 | 1322 |
1299 if (!ss) { | 1323 if (!ss) { |
1300 SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), | 1324 SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), |
1301 fd)); | 1325 fd)); |
1302 return SECFailure; | 1326 return SECFailure; |
1303 } | 1327 } |
1304 return ssl3_CipherOrderSet(ss, ciphers, len); | 1328 return ssl3_CipherOrderSet(ss, ciphers, len); |
1305 } | 1329 } |
1306 | 1330 |
1307 SECStatus | 1331 SECStatus |
1308 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) | 1332 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) |
1309 { | 1333 { |
1310 SECStatus rv; | 1334 SECStatus rv; |
1311 sslSocket *ss = ssl_FindSocket(fd); | 1335 sslSocket *ss = ssl_FindSocket(fd); |
1312 | 1336 |
1313 if (!enabled) { | 1337 if (!enabled) { |
1314 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1338 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1315 » return SECFailure; | 1339 return SECFailure; |
1316 } | 1340 } |
1317 if (!ss) { | 1341 if (!ss) { |
1318 » SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); | 1342 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); |
1319 » *enabled = PR_FALSE; | 1343 *enabled = PR_FALSE; |
1320 » return SECFailure; | 1344 return SECFailure; |
1321 } | 1345 } |
1322 if (ssl_IsRemovedCipherSuite(which)) { | 1346 if (ssl_IsRemovedCipherSuite(which)) { |
1323 » *enabled = PR_FALSE; | 1347 *enabled = PR_FALSE; |
1324 » rv = SECSuccess; | 1348 rv = SECSuccess; |
1325 } else if (SSL_IS_SSL2_CIPHER(which)) { | 1349 } else if (SSL_IS_SSL2_CIPHER(which)) { |
1326 » rv = ssl2_CipherPrefGet(ss, which, enabled); | 1350 rv = ssl2_CipherPrefGet(ss, which, enabled); |
1327 } else { | 1351 } else { |
1328 » rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); | 1352 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); |
1329 } | 1353 } |
1330 return rv; | 1354 return rv; |
1331 } | 1355 } |
1332 | 1356 |
1333 SECStatus | 1357 SECStatus |
1334 NSS_SetDomesticPolicy(void) | 1358 NSS_SetDomesticPolicy(void) |
1335 { | 1359 { |
1336 SECStatus status = SECSuccess; | 1360 SECStatus status = SECSuccess; |
1337 const PRUint16 *cipher; | 1361 const PRUint16 *cipher; |
1338 | 1362 |
1339 for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { | 1363 for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { |
1340 » status = SSL_SetPolicy(*cipher, SSL_ALLOWED); | 1364 status = SSL_SetPolicy(*cipher, SSL_ALLOWED); |
1341 » if (status != SECSuccess) | 1365 if (status != SECSuccess) |
1342 » break; | 1366 break; |
1343 } | 1367 } |
1344 return status; | 1368 return status; |
1345 } | 1369 } |
1346 | 1370 |
1347 SECStatus | 1371 SECStatus |
1348 NSS_SetExportPolicy(void) | 1372 NSS_SetExportPolicy(void) |
1349 { | 1373 { |
1350 return NSS_SetDomesticPolicy(); | 1374 return NSS_SetDomesticPolicy(); |
1351 } | 1375 } |
1352 | 1376 |
(...skipping 26 matching lines...) Expand all Loading... |
1379 } | 1403 } |
1380 | 1404 |
1381 | 1405 |
1382 /* LOCKS ??? XXX */ | 1406 /* LOCKS ??? XXX */ |
1383 static PRFileDesc * | 1407 static PRFileDesc * |
1384 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) | 1408 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) |
1385 { | 1409 { |
1386 sslSocket * ns = NULL; | 1410 sslSocket * ns = NULL; |
1387 PRStatus rv; | 1411 PRStatus rv; |
1388 PRNetAddr addr; | 1412 PRNetAddr addr; |
1389 SECStatus» status = ssl_Init(); | 1413 SECStatus status = ssl_Init(); |
1390 | 1414 |
1391 if (status != SECSuccess) { | 1415 if (status != SECSuccess) { |
1392 » return NULL; | 1416 return NULL; |
1393 } | 1417 } |
1394 | 1418 |
1395 if (model == NULL) { | 1419 if (model == NULL) { |
1396 » /* Just create a default socket if we're given NULL for the model */ | 1420 /* Just create a default socket if we're given NULL for the model */ |
1397 » ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); | 1421 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); |
1398 } else { | 1422 } else { |
1399 » sslSocket * ss = ssl_FindSocket(model); | 1423 sslSocket * ss = ssl_FindSocket(model); |
1400 » if (ss == NULL || ss->protocolVariant != variant) { | 1424 if (ss == NULL || ss->protocolVariant != variant) { |
1401 » SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", | 1425 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", |
1402 » » SSL_GETPID(), model)); | 1426 SSL_GETPID(), model)); |
1403 » return NULL; | 1427 return NULL; |
1404 » } | 1428 } |
1405 » ns = ssl_DupSocket(ss); | 1429 ns = ssl_DupSocket(ss); |
1406 } | 1430 } |
1407 if (ns == NULL) | 1431 if (ns == NULL) |
1408 » return NULL; | 1432 return NULL; |
1409 | 1433 |
1410 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); | 1434 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); |
1411 if (rv != PR_SUCCESS) { | 1435 if (rv != PR_SUCCESS) { |
1412 » ssl_FreeSocket(ns); | 1436 ssl_FreeSocket(ns); |
1413 » SET_ERROR_CODE | 1437 SET_ERROR_CODE |
1414 » return NULL; | 1438 return NULL; |
1415 } | 1439 } |
1416 ns = ssl_FindSocket(fd); | 1440 #if defined(DEBUG) || defined(FORCE_PR_ASSERT) |
1417 PORT_Assert(ns); | 1441 { |
1418 if (ns) | 1442 sslSocket * ss = ssl_FindSocket(fd); |
1419 » ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); | 1443 PORT_Assert(ss == ns); |
| 1444 } |
| 1445 #endif |
| 1446 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); |
1420 return fd; | 1447 return fd; |
1421 } | 1448 } |
1422 | 1449 |
1423 PRFileDesc * | 1450 PRFileDesc * |
1424 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) | 1451 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
1425 { | 1452 { |
1426 return ssl_ImportFD(model, fd, ssl_variant_stream); | 1453 return ssl_ImportFD(model, fd, ssl_variant_stream); |
1427 } | 1454 } |
1428 | 1455 |
1429 PRFileDesc * | 1456 PRFileDesc * |
1430 DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd) | 1457 DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
1431 { | 1458 { |
1432 return ssl_ImportFD(model, fd, ssl_variant_datagram); | 1459 return ssl_ImportFD(model, fd, ssl_variant_datagram); |
1433 } | 1460 } |
1434 | 1461 |
1435 /* SSL_SetNextProtoCallback is used to select an application protocol | 1462 /* SSL_SetNextProtoCallback is used to select an application protocol |
1436 * for ALPN and NPN. For ALPN, this runs on the server; for NPN it | 1463 * for ALPN and NPN. For ALPN, this runs on the server; for NPN it |
1437 * runs on the client. */ | 1464 * runs on the client. */ |
1438 /* Note: The ALPN version doesn't allow for the use of a default, setting a | 1465 /* Note: The ALPN version doesn't allow for the use of a default, setting a |
1439 * status of SSL_NEXT_PROTO_NO_OVERLAP is treated as a failure. */ | 1466 * status of SSL_NEXT_PROTO_NO_OVERLAP is treated as a failure. */ |
1440 SECStatus | 1467 SECStatus |
1441 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, | 1468 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, |
1442 » » » void *arg) | 1469 void *arg) |
1443 { | 1470 { |
1444 sslSocket *ss = ssl_FindSocket(fd); | 1471 sslSocket *ss = ssl_FindSocket(fd); |
1445 | 1472 |
1446 if (!ss) { | 1473 if (!ss) { |
1447 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETP
ID(), | 1474 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETP
ID(), |
1448 » » fd)); | 1475 fd)); |
1449 » return SECFailure; | 1476 return SECFailure; |
1450 } | 1477 } |
1451 | 1478 |
1452 ssl_GetSSL3HandshakeLock(ss); | 1479 ssl_GetSSL3HandshakeLock(ss); |
1453 ss->nextProtoCallback = callback; | 1480 ss->nextProtoCallback = callback; |
1454 ss->nextProtoArg = arg; | 1481 ss->nextProtoArg = arg; |
1455 ssl_ReleaseSSL3HandshakeLock(ss); | 1482 ssl_ReleaseSSL3HandshakeLock(ss); |
1456 | 1483 |
1457 return SECSuccess; | 1484 return SECSuccess; |
1458 } | 1485 } |
1459 | 1486 |
1460 /* ssl_NextProtoNegoCallback is set as an ALPN/NPN callback when | 1487 /* ssl_NextProtoNegoCallback is set as an ALPN/NPN callback when |
1461 * SSL_SetNextProtoNego is used. | 1488 * SSL_SetNextProtoNego is used. |
1462 */ | 1489 */ |
1463 static SECStatus | 1490 static SECStatus |
1464 ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd, | 1491 ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd, |
1465 » » » const unsigned char *protos, unsigned int protos_len, | 1492 const unsigned char *protos, unsigned int protos_len, |
1466 » » » unsigned char *protoOut, unsigned int *protoOutLen, | 1493 unsigned char *protoOut, unsigned int *protoOutLen, |
1467 » » » unsigned int protoMaxLen) | 1494 unsigned int protoMaxLen) |
1468 { | 1495 { |
1469 unsigned int i, j; | 1496 unsigned int i, j; |
1470 const unsigned char *result; | 1497 const unsigned char *result; |
1471 sslSocket *ss = ssl_FindSocket(fd); | 1498 sslSocket *ss = ssl_FindSocket(fd); |
1472 | 1499 |
1473 if (!ss) { | 1500 if (!ss) { |
1474 » SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback", | 1501 SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback", |
1475 » » SSL_GETPID(), fd)); | 1502 SSL_GETPID(), fd)); |
1476 » return SECFailure; | 1503 return SECFailure; |
1477 } | 1504 } |
1478 | 1505 |
1479 /* For each protocol in server preference, see if we support it. */ | 1506 /* For each protocol in server preference, see if we support it. */ |
1480 for (i = 0; i < protos_len; ) { | 1507 for (i = 0; i < protos_len; ) { |
1481 » for (j = 0; j < ss->opt.nextProtoNego.len; ) { | 1508 for (j = 0; j < ss->opt.nextProtoNego.len; ) { |
1482 » if (protos[i] == ss->opt.nextProtoNego.data[j] && | 1509 if (protos[i] == ss->opt.nextProtoNego.data[j] && |
1483 » » PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1], | 1510 PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1], |
1484 » » » protos[i]) == 0) { | 1511 protos[i]) == 0) { |
1485 » » /* We found a match. */ | 1512 /* We found a match. */ |
1486 » » ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; | 1513 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; |
1487 » » result = &protos[i]; | 1514 result = &protos[i]; |
1488 » » goto found; | 1515 goto found; |
1489 » } | 1516 } |
1490 » j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j]; | 1517 j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j]; |
1491 » } | 1518 } |
1492 » i += 1 + (unsigned int)protos[i]; | 1519 i += 1 + (unsigned int)protos[i]; |
1493 } | 1520 } |
1494 | 1521 |
1495 /* The other side supports the extension, and either doesn't have any | 1522 /* The other side supports the extension, and either doesn't have any |
1496 * protocols configured, or none of its options match ours. In this case we | 1523 * protocols configured, or none of its options match ours. In this case we |
1497 * request our favoured protocol. */ | 1524 * request our favoured protocol. */ |
1498 /* This will be treated as a failure for ALPN. */ | 1525 /* This will be treated as a failure for ALPN. */ |
1499 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_OVERLAP; | 1526 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_OVERLAP; |
1500 result = ss->opt.nextProtoNego.data; | 1527 result = ss->opt.nextProtoNego.data; |
1501 | 1528 |
1502 found: | 1529 found: |
1503 if (protoMaxLen < result[0]) { | 1530 if (protoMaxLen < result[0]) { |
1504 » PORT_SetError(SEC_ERROR_OUTPUT_LEN); | 1531 PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
1505 » return SECFailure; | 1532 return SECFailure; |
1506 } | 1533 } |
1507 memcpy(protoOut, result + 1, result[0]); | 1534 memcpy(protoOut, result + 1, result[0]); |
1508 *protoOutLen = result[0]; | 1535 *protoOutLen = result[0]; |
1509 return SECSuccess; | 1536 return SECSuccess; |
1510 } | 1537 } |
1511 | 1538 |
1512 SECStatus | 1539 SECStatus |
1513 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, | 1540 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, |
1514 » » unsigned int length) | 1541 unsigned int length) |
1515 { | 1542 { |
1516 sslSocket *ss; | 1543 sslSocket *ss; |
1517 SECStatus rv; | 1544 SECStatus rv; |
1518 SECItem dataItem = { siBuffer, (unsigned char *) data, length }; | 1545 SECItem dataItem = { siBuffer, (unsigned char *) data, length }; |
1519 | 1546 |
1520 ss = ssl_FindSocket(fd); | 1547 ss = ssl_FindSocket(fd); |
1521 if (!ss) { | 1548 if (!ss) { |
1522 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", | 1549 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", |
1523 » » SSL_GETPID(), fd)); | 1550 SSL_GETPID(), fd)); |
1524 » return SECFailure; | 1551 return SECFailure; |
1525 } | 1552 } |
1526 | 1553 |
1527 if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) | 1554 if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) |
1528 » return SECFailure; | 1555 return SECFailure; |
1529 | 1556 |
1530 ssl_GetSSL3HandshakeLock(ss); | 1557 ssl_GetSSL3HandshakeLock(ss); |
1531 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); | 1558 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); |
1532 rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &dataItem); | 1559 rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &dataItem); |
1533 ssl_ReleaseSSL3HandshakeLock(ss); | 1560 ssl_ReleaseSSL3HandshakeLock(ss); |
1534 | 1561 |
1535 if (rv != SECSuccess) | 1562 if (rv != SECSuccess) |
1536 » return rv; | 1563 return rv; |
1537 | 1564 |
1538 return SSL_SetNextProtoCallback(fd, ssl_NextProtoNegoCallback, NULL); | 1565 return SSL_SetNextProtoCallback(fd, ssl_NextProtoNegoCallback, NULL); |
1539 } | 1566 } |
1540 | 1567 |
1541 SECStatus | 1568 SECStatus |
1542 SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf, | 1569 SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf, |
1543 » » unsigned int *bufLen, unsigned int bufLenMax) | 1570 unsigned int *bufLen, unsigned int bufLenMax) |
1544 { | 1571 { |
1545 sslSocket *ss = ssl_FindSocket(fd); | 1572 sslSocket *ss = ssl_FindSocket(fd); |
1546 | 1573 |
1547 if (!ss) { | 1574 if (!ss) { |
1548 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(), | 1575 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(), |
1549 » » fd)); | 1576 fd)); |
1550 » return SECFailure; | 1577 return SECFailure; |
1551 } | 1578 } |
1552 | 1579 |
1553 if (!state || !buf || !bufLen) { | 1580 if (!state || !buf || !bufLen) { |
1554 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1581 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1555 » return SECFailure; | 1582 return SECFailure; |
1556 } | 1583 } |
1557 | 1584 |
1558 *state = ss->ssl3.nextProtoState; | 1585 *state = ss->ssl3.nextProtoState; |
1559 | 1586 |
1560 if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT && | 1587 if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT && |
1561 » ss->ssl3.nextProto.data) { | 1588 ss->ssl3.nextProto.data) { |
1562 » if (ss->ssl3.nextProto.len > bufLenMax) { | 1589 if (ss->ssl3.nextProto.len > bufLenMax) { |
1563 » PORT_SetError(SEC_ERROR_OUTPUT_LEN); | 1590 PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
1564 » return SECFailure; | 1591 return SECFailure; |
1565 » } | 1592 } |
1566 » PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len); | 1593 PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len); |
1567 » *bufLen = ss->ssl3.nextProto.len; | 1594 *bufLen = ss->ssl3.nextProto.len; |
1568 } else { | 1595 } else { |
1569 » *bufLen = 0; | 1596 *bufLen = 0; |
1570 } | 1597 } |
1571 | 1598 |
1572 return SECSuccess; | 1599 return SECSuccess; |
1573 } | 1600 } |
1574 | 1601 |
1575 SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, | 1602 SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, |
1576 » » » const PRUint16 *ciphers, | 1603 const PRUint16 *ciphers, |
1577 » » » unsigned int numCiphers) | 1604 unsigned int numCiphers) |
1578 { | 1605 { |
1579 sslSocket *ss; | 1606 sslSocket *ss; |
1580 unsigned int i; | 1607 unsigned int i; |
1581 | 1608 |
1582 ss = ssl_FindSocket(fd); | 1609 ss = ssl_FindSocket(fd); |
1583 if (!ss || !IS_DTLS(ss)) { | 1610 if (!ss || !IS_DTLS(ss)) { |
1584 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers", | 1611 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers", |
1585 » » SSL_GETPID(), fd)); | 1612 SSL_GETPID(), fd)); |
1586 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1613 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1587 » return SECFailure; | 1614 return SECFailure; |
1588 } | 1615 } |
1589 | 1616 |
1590 if (numCiphers > MAX_DTLS_SRTP_CIPHER_SUITES) { | 1617 if (numCiphers > MAX_DTLS_SRTP_CIPHER_SUITES) { |
1591 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1618 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1592 » return SECFailure; | 1619 return SECFailure; |
1593 } | 1620 } |
1594 | 1621 |
1595 ss->ssl3.dtlsSRTPCipherCount = 0; | 1622 ss->ssl3.dtlsSRTPCipherCount = 0; |
1596 for (i = 0; i < numCiphers; i++) { | 1623 for (i = 0; i < numCiphers; i++) { |
1597 » const PRUint16 *srtpCipher = srtpCiphers; | 1624 const PRUint16 *srtpCipher = srtpCiphers; |
1598 | 1625 |
1599 » while (*srtpCipher) { | 1626 while (*srtpCipher) { |
1600 » if (ciphers[i] == *srtpCipher) | 1627 if (ciphers[i] == *srtpCipher) |
1601 » » break; | 1628 break; |
1602 » srtpCipher++; | 1629 srtpCipher++; |
1603 » } | 1630 } |
1604 » if (*srtpCipher) { | 1631 if (*srtpCipher) { |
1605 » ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] = | 1632 ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] = |
1606 » » ciphers[i]; | 1633 ciphers[i]; |
1607 » } else { | 1634 } else { |
1608 » SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " | 1635 SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " |
1609 » » "suite specified: 0x%04hx", SSL_GETPID(), fd, | 1636 "suite specified: 0x%04hx", SSL_GETPID(), fd, |
1610 » » ciphers[i])); | 1637 ciphers[i])); |
1611 » } | 1638 } |
1612 } | 1639 } |
1613 | 1640 |
1614 if (ss->ssl3.dtlsSRTPCipherCount == 0) { | 1641 if (ss->ssl3.dtlsSRTPCipherCount == 0) { |
1615 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1642 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1616 » return SECFailure; | 1643 return SECFailure; |
1617 } | 1644 } |
1618 | 1645 |
1619 return SECSuccess; | 1646 return SECSuccess; |
1620 } | 1647 } |
1621 | 1648 |
1622 SECStatus | 1649 SECStatus |
1623 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) | 1650 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) |
1624 { | 1651 { |
1625 sslSocket * ss; | 1652 sslSocket * ss; |
1626 | 1653 |
1627 ss = ssl_FindSocket(fd); | 1654 ss = ssl_FindSocket(fd); |
1628 if (!ss) { | 1655 if (!ss) { |
1629 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher", | 1656 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher", |
1630 » » SSL_GETPID(), fd)); | 1657 SSL_GETPID(), fd)); |
1631 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1658 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1632 » return SECFailure; | 1659 return SECFailure; |
1633 } | 1660 } |
1634 | 1661 |
1635 if (!ss->ssl3.dtlsSRTPCipherSuite) { | 1662 if (!ss->ssl3.dtlsSRTPCipherSuite) { |
1636 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1663 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1637 » return SECFailure; | 1664 return SECFailure; |
1638 } | 1665 } |
1639 | 1666 |
1640 *cipher = ss->ssl3.dtlsSRTPCipherSuite; | 1667 *cipher = ss->ssl3.dtlsSRTPCipherSuite; |
1641 return SECSuccess; | 1668 return SECSuccess; |
1642 } | 1669 } |
1643 | 1670 |
1644 PRFileDesc * | 1671 PRFileDesc * |
1645 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) | 1672 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
1646 { | 1673 { |
1647 sslSocket * sm = NULL, *ss = NULL; | 1674 sslSocket * sm = NULL, *ss = NULL; |
1648 int i; | 1675 int i; |
1649 sslServerCerts * mc = NULL; | 1676 sslServerCerts * mc = NULL; |
1650 sslServerCerts * sc = NULL; | 1677 sslServerCerts * sc = NULL; |
1651 | 1678 |
1652 if (model == NULL) { | 1679 if (model == NULL) { |
1653 PR_SetError(SEC_ERROR_INVALID_ARGS, 0); | 1680 PR_SetError(SEC_ERROR_INVALID_ARGS, 0); |
1654 return NULL; | 1681 return NULL; |
1655 } | 1682 } |
1656 sm = ssl_FindSocket(model); | 1683 sm = ssl_FindSocket(model); |
1657 if (sm == NULL) { | 1684 if (sm == NULL) { |
1658 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", | 1685 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", |
1659 SSL_GETPID(), model)); | 1686 SSL_GETPID(), model)); |
1660 return NULL; | 1687 return NULL; |
1661 } | 1688 } |
1662 ss = ssl_FindSocket(fd); | 1689 ss = ssl_FindSocket(fd); |
1663 PORT_Assert(ss); | 1690 PORT_Assert(ss); |
1664 if (ss == NULL) { | 1691 if (ss == NULL) { |
1665 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1692 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1666 return NULL; | 1693 return NULL; |
1667 } | 1694 } |
1668 | 1695 |
1669 ss->opt = sm->opt; | 1696 ss->opt = sm->opt; |
1670 ss->vrange = sm->vrange; | 1697 ss->vrange = sm->vrange; |
1671 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); | 1698 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); |
1672 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, | 1699 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, |
1673 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount); | 1700 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount); |
1674 ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; | 1701 ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; |
1675 | 1702 |
1676 if (!ss->opt.useSecurity) { | 1703 if (!ss->opt.useSecurity) { |
1677 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1704 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1678 return NULL; | 1705 return NULL; |
1679 } | 1706 } |
1680 /* This int should be SSLKEAType, but CC on Irix complains, | 1707 /* This int should be SSLKEAType, but CC on Irix complains, |
1681 * during the for loop. | 1708 * during the for loop. |
1682 */ | 1709 */ |
1683 for (i=kt_null; i < kt_kea_size; i++) { | 1710 for (i=kt_null; i < kt_kea_size; i++) { |
1684 mc = &(sm->serverCerts[i]); | 1711 mc = &(sm->serverCerts[i]); |
1685 sc = &(ss->serverCerts[i]); | 1712 sc = &(ss->serverCerts[i]); |
1686 if (mc->serverCert && mc->serverCertChain) { | 1713 if (mc->serverCert && mc->serverCertChain) { |
1687 if (sc->serverCert) { | 1714 if (sc->serverCert) { |
1688 CERT_DestroyCertificate(sc->serverCert); | 1715 CERT_DestroyCertificate(sc->serverCert); |
1689 } | 1716 } |
1690 sc->serverCert = CERT_DupCertificate(mc->serverCert); | 1717 sc->serverCert = CERT_DupCertificate(mc->serverCert); |
1691 if (sc->serverCertChain) { | 1718 if (sc->serverCertChain) { |
1692 CERT_DestroyCertificateList(sc->serverCertChain); | 1719 CERT_DestroyCertificateList(sc->serverCertChain); |
1693 } | 1720 } |
1694 sc->serverCertChain = CERT_DupCertList(mc->serverCertChain); | 1721 sc->serverCertChain = CERT_DupCertList(mc->serverCertChain); |
1695 if (!sc->serverCertChain) | 1722 if (!sc->serverCertChain) |
1696 goto loser; | 1723 goto loser; |
1697 » if (sm->certStatusArray[i]) { | 1724 if (sm->certStatusArray[i]) { |
1698 » » if (ss->certStatusArray[i]) { | 1725 if (ss->certStatusArray[i]) { |
1699 » » SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); | 1726 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); |
1700 » » ss->certStatusArray[i] = NULL; | 1727 ss->certStatusArray[i] = NULL; |
1701 » » } | 1728 } |
1702 » » ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusAr
ray[i]); | 1729 ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusAr
ray[i]); |
1703 » » if (!ss->certStatusArray[i]) | 1730 if (!ss->certStatusArray[i]) |
1704 » » goto loser; | 1731 goto loser; |
1705 » } | 1732 } |
1706 } | 1733 } |
1707 if (mc->serverKeyPair) { | 1734 if (mc->serverKeyPair) { |
1708 if (sc->serverKeyPair) { | 1735 if (sc->serverKeyPair) { |
1709 ssl3_FreeKeyPair(sc->serverKeyPair); | 1736 ssl3_FreeKeyPair(sc->serverKeyPair); |
1710 } | 1737 } |
1711 sc->serverKeyPair = ssl3_GetKeyPairRef(mc->serverKeyPair); | 1738 sc->serverKeyPair = ssl3_GetKeyPairRef(mc->serverKeyPair); |
1712 sc->serverKeyBits = mc->serverKeyBits; | 1739 sc->serverKeyBits = mc->serverKeyBits; |
1713 } | 1740 } |
1714 } | 1741 } |
1715 if (sm->stepDownKeyPair) { | 1742 if (sm->stepDownKeyPair) { |
(...skipping 12 matching lines...) Expand all Loading... |
1728 /* copy trust anchor names */ | 1755 /* copy trust anchor names */ |
1729 if (sm->ssl3.ca_list) { | 1756 if (sm->ssl3.ca_list) { |
1730 if (ss->ssl3.ca_list) { | 1757 if (ss->ssl3.ca_list) { |
1731 CERT_FreeDistNames(ss->ssl3.ca_list); | 1758 CERT_FreeDistNames(ss->ssl3.ca_list); |
1732 } | 1759 } |
1733 ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list); | 1760 ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list); |
1734 if (!ss->ssl3.ca_list) { | 1761 if (!ss->ssl3.ca_list) { |
1735 goto loser; | 1762 goto loser; |
1736 } | 1763 } |
1737 } | 1764 } |
1738 | 1765 |
1739 if (sm->authCertificate) | 1766 if (sm->authCertificate) |
1740 ss->authCertificate = sm->authCertificate; | 1767 ss->authCertificate = sm->authCertificate; |
1741 if (sm->authCertificateArg) | 1768 if (sm->authCertificateArg) |
1742 ss->authCertificateArg = sm->authCertificateArg; | 1769 ss->authCertificateArg = sm->authCertificateArg; |
1743 if (sm->getClientAuthData) | 1770 if (sm->getClientAuthData) |
1744 ss->getClientAuthData = sm->getClientAuthData; | 1771 ss->getClientAuthData = sm->getClientAuthData; |
1745 if (sm->getClientAuthDataArg) | 1772 if (sm->getClientAuthDataArg) |
1746 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 1773 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
1747 #ifdef NSS_PLATFORM_CLIENT_AUTH | 1774 #ifdef NSS_PLATFORM_CLIENT_AUTH |
1748 if (sm->getPlatformClientAuthData) | 1775 if (sm->getPlatformClientAuthData) |
(...skipping 19 matching lines...) Expand all Loading... |
1768 ss->getChannelID = sm->getChannelID; | 1795 ss->getChannelID = sm->getChannelID; |
1769 if (sm->getChannelIDArg) | 1796 if (sm->getChannelIDArg) |
1770 ss->getChannelIDArg = sm->getChannelIDArg; | 1797 ss->getChannelIDArg = sm->getChannelIDArg; |
1771 return fd; | 1798 return fd; |
1772 loser: | 1799 loser: |
1773 return NULL; | 1800 return NULL; |
1774 } | 1801 } |
1775 | 1802 |
1776 PRBool | 1803 PRBool |
1777 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, | 1804 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, |
1778 » » » SSL3ProtocolVersion version) | 1805 SSL3ProtocolVersion version) |
1779 { | 1806 { |
1780 switch (protocolVariant) { | 1807 switch (protocolVariant) { |
1781 case ssl_variant_stream: | 1808 case ssl_variant_stream: |
1782 » return (version >= SSL_LIBRARY_VERSION_3_0 && | 1809 return (version >= SSL_LIBRARY_VERSION_3_0 && |
1783 » » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); | 1810 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
1784 case ssl_variant_datagram: | 1811 case ssl_variant_datagram: |
1785 » return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && | 1812 return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && |
1786 » » version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); | 1813 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
1787 default: | 1814 default: |
1788 » /* Can't get here */ | 1815 /* Can't get here */ |
1789 » PORT_Assert(PR_FALSE); | 1816 PORT_Assert(PR_FALSE); |
1790 » return PR_FALSE; | 1817 return PR_FALSE; |
1791 } | 1818 } |
1792 } | 1819 } |
1793 | 1820 |
1794 /* Returns PR_TRUE if the given version range is valid and | 1821 /* Returns PR_TRUE if the given version range is valid and |
1795 ** fully supported; otherwise, returns PR_FALSE. | 1822 ** fully supported; otherwise, returns PR_FALSE. |
1796 */ | 1823 */ |
1797 static PRBool | 1824 static PRBool |
1798 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, | 1825 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, |
1799 » » » const SSLVersionRange *vrange) | 1826 const SSLVersionRange *vrange) |
1800 { | 1827 { |
1801 return vrange && | 1828 return vrange && |
1802 » vrange->min <= vrange->max && | 1829 vrange->min <= vrange->max && |
1803 » ssl3_VersionIsSupported(protocolVariant, vrange->min) && | 1830 ssl3_VersionIsSupported(protocolVariant, vrange->min) && |
1804 » ssl3_VersionIsSupported(protocolVariant, vrange->max); | 1831 ssl3_VersionIsSupported(protocolVariant, vrange->max); |
1805 } | 1832 } |
1806 | 1833 |
1807 SECStatus | 1834 SECStatus |
1808 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, | 1835 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, |
1809 » » » SSLVersionRange *vrange) | 1836 SSLVersionRange *vrange) |
1810 { | 1837 { |
1811 if (!vrange) { | 1838 if (!vrange) { |
1812 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1839 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1813 » return SECFailure; | 1840 return SECFailure; |
1814 } | 1841 } |
1815 | 1842 |
1816 switch (protocolVariant) { | 1843 switch (protocolVariant) { |
1817 case ssl_variant_stream: | 1844 case ssl_variant_stream: |
1818 » vrange->min = SSL_LIBRARY_VERSION_3_0; | 1845 vrange->min = SSL_LIBRARY_VERSION_3_0; |
1819 » vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | 1846 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
1820 » break; | 1847 break; |
1821 case ssl_variant_datagram: | 1848 case ssl_variant_datagram: |
1822 » vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; | 1849 vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; |
1823 » vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | 1850 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
1824 » break; | 1851 break; |
1825 default: | 1852 default: |
1826 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1853 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1827 » return SECFailure; | 1854 return SECFailure; |
1828 } | 1855 } |
1829 | 1856 |
1830 return SECSuccess; | 1857 return SECSuccess; |
1831 } | 1858 } |
1832 | 1859 |
1833 SECStatus | 1860 SECStatus |
1834 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, | 1861 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, |
1835 » » » SSLVersionRange *vrange) | 1862 SSLVersionRange *vrange) |
1836 { | 1863 { |
1837 if ((protocolVariant != ssl_variant_stream && | 1864 if ((protocolVariant != ssl_variant_stream && |
1838 » protocolVariant != ssl_variant_datagram) || !vrange) { | 1865 protocolVariant != ssl_variant_datagram) || !vrange) { |
1839 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1866 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1840 » return SECFailure; | 1867 return SECFailure; |
1841 } | 1868 } |
1842 | 1869 |
1843 *vrange = *VERSIONS_DEFAULTS(protocolVariant); | 1870 *vrange = *VERSIONS_DEFAULTS(protocolVariant); |
1844 | 1871 |
1845 return SECSuccess; | 1872 return SECSuccess; |
1846 } | 1873 } |
1847 | 1874 |
1848 SECStatus | 1875 SECStatus |
1849 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, | 1876 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, |
1850 » » » const SSLVersionRange *vrange) | 1877 const SSLVersionRange *vrange) |
1851 { | 1878 { |
1852 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { | 1879 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { |
1853 » PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1880 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
1854 » return SECFailure; | 1881 return SECFailure; |
1855 } | 1882 } |
1856 | 1883 |
1857 *VERSIONS_DEFAULTS(protocolVariant) = *vrange; | 1884 *VERSIONS_DEFAULTS(protocolVariant) = *vrange; |
1858 | 1885 |
1859 return SECSuccess; | 1886 return SECSuccess; |
1860 } | 1887 } |
1861 | 1888 |
1862 SECStatus | 1889 SECStatus |
1863 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) | 1890 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) |
1864 { | 1891 { |
1865 sslSocket *ss = ssl_FindSocket(fd); | 1892 sslSocket *ss = ssl_FindSocket(fd); |
1866 | 1893 |
1867 if (!ss) { | 1894 if (!ss) { |
1868 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet", | 1895 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet", |
1869 » » SSL_GETPID(), fd)); | 1896 SSL_GETPID(), fd)); |
1870 » return SECFailure; | 1897 return SECFailure; |
1871 } | 1898 } |
1872 | 1899 |
1873 if (!vrange) { | 1900 if (!vrange) { |
1874 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1901 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1875 » return SECFailure; | 1902 return SECFailure; |
1876 } | 1903 } |
1877 | 1904 |
1878 ssl_Get1stHandshakeLock(ss); | 1905 ssl_Get1stHandshakeLock(ss); |
1879 ssl_GetSSL3HandshakeLock(ss); | 1906 ssl_GetSSL3HandshakeLock(ss); |
1880 | 1907 |
1881 *vrange = ss->vrange; | 1908 *vrange = ss->vrange; |
1882 | 1909 |
1883 ssl_ReleaseSSL3HandshakeLock(ss); | 1910 ssl_ReleaseSSL3HandshakeLock(ss); |
1884 ssl_Release1stHandshakeLock(ss); | 1911 ssl_Release1stHandshakeLock(ss); |
1885 | 1912 |
(...skipping 17 matching lines...) Expand all Loading... |
1903 (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); | 1930 (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); |
1904 return tls12TokenExists; | 1931 return tls12TokenExists; |
1905 } | 1932 } |
1906 | 1933 |
1907 SECStatus | 1934 SECStatus |
1908 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) | 1935 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
1909 { | 1936 { |
1910 sslSocket *ss = ssl_FindSocket(fd); | 1937 sslSocket *ss = ssl_FindSocket(fd); |
1911 | 1938 |
1912 if (!ss) { | 1939 if (!ss) { |
1913 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", | 1940 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", |
1914 » » SSL_GETPID(), fd)); | 1941 SSL_GETPID(), fd)); |
1915 » return SECFailure; | 1942 return SECFailure; |
1916 } | 1943 } |
1917 | 1944 |
1918 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { | 1945 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { |
1919 » PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1946 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
1920 » return SECFailure; | 1947 return SECFailure; |
1921 } | 1948 } |
1922 | 1949 |
1923 ssl_Get1stHandshakeLock(ss); | 1950 ssl_Get1stHandshakeLock(ss); |
1924 ssl_GetSSL3HandshakeLock(ss); | 1951 ssl_GetSSL3HandshakeLock(ss); |
1925 | 1952 |
1926 ss->vrange = *vrange; | 1953 ss->vrange = *vrange; |
1927 /* If we don't have a sufficiently up-to-date softoken then we cannot do | 1954 /* If we don't have a sufficiently up-to-date softoken then we cannot do |
1928 * TLS 1.2. */ | 1955 * TLS 1.2. */ |
1929 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && | 1956 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
1930 !ssl_TLS12TokenExists()) { | 1957 !ssl_TLS12TokenExists()) { |
(...skipping 22 matching lines...) Expand all Loading... |
1953 if (!ss) { | 1980 if (!ss) { |
1954 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", | 1981 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", |
1955 SSL_GETPID(), fd)); | 1982 SSL_GETPID(), fd)); |
1956 return NULL; | 1983 return NULL; |
1957 } | 1984 } |
1958 | 1985 |
1959 if (!ss->sec.ci.sid) { | 1986 if (!ss->sec.ci.sid) { |
1960 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 1987 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
1961 return NULL; | 1988 return NULL; |
1962 } | 1989 } |
1963 | 1990 |
1964 return &ss->sec.ci.sid->peerCertStatus; | 1991 return &ss->sec.ci.sid->peerCertStatus; |
1965 } | 1992 } |
1966 | 1993 |
1967 const SECItem * | 1994 const SECItem * |
1968 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) | 1995 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
1969 { | 1996 { |
1970 sslSocket *ss = ssl_FindSocket(fd); | 1997 sslSocket *ss = ssl_FindSocket(fd); |
1971 | 1998 |
1972 if (!ss) { | 1999 if (!ss) { |
1973 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", | 2000 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2017 | 2044 |
2018 /************************************************************************/ | 2045 /************************************************************************/ |
2019 /* The following functions are the TOP LEVEL SSL functions. | 2046 /* The following functions are the TOP LEVEL SSL functions. |
2020 ** They all get called through the NSPRIOMethods table below. | 2047 ** They all get called through the NSPRIOMethods table below. |
2021 */ | 2048 */ |
2022 | 2049 |
2023 static PRFileDesc * PR_CALLBACK | 2050 static PRFileDesc * PR_CALLBACK |
2024 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) | 2051 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) |
2025 { | 2052 { |
2026 sslSocket *ss; | 2053 sslSocket *ss; |
2027 sslSocket *ns » = NULL; | 2054 sslSocket *ns = NULL; |
2028 PRFileDesc *newfd » = NULL; | 2055 PRFileDesc *newfd = NULL; |
2029 PRFileDesc *osfd; | 2056 PRFileDesc *osfd; |
2030 PRStatus status; | 2057 PRStatus status; |
2031 | 2058 |
2032 ss = ssl_GetPrivate(fd); | 2059 ss = ssl_GetPrivate(fd); |
2033 if (!ss) { | 2060 if (!ss) { |
2034 » SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); | 2061 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); |
2035 » return NULL; | 2062 return NULL; |
2036 } | 2063 } |
2037 | 2064 |
2038 /* IF this is a listen socket, there shouldn't be any I/O going on */ | 2065 /* IF this is a listen socket, there shouldn't be any I/O going on */ |
2039 SSL_LOCK_READER(ss); | 2066 SSL_LOCK_READER(ss); |
2040 SSL_LOCK_WRITER(ss); | 2067 SSL_LOCK_WRITER(ss); |
2041 ssl_Get1stHandshakeLock(ss); | 2068 ssl_Get1stHandshakeLock(ss); |
2042 ssl_GetSSL3HandshakeLock(ss); | 2069 ssl_GetSSL3HandshakeLock(ss); |
2043 | 2070 |
2044 ss->cTimeout = timeout; | 2071 ss->cTimeout = timeout; |
2045 | 2072 |
2046 osfd = ss->fd->lower; | 2073 osfd = ss->fd->lower; |
2047 | 2074 |
2048 /* First accept connection */ | 2075 /* First accept connection */ |
2049 newfd = osfd->methods->accept(osfd, sockaddr, timeout); | 2076 newfd = osfd->methods->accept(osfd, sockaddr, timeout); |
2050 if (newfd == NULL) { | 2077 if (newfd == NULL) { |
2051 » SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", | 2078 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", |
2052 » » SSL_GETPID(), ss->fd, PORT_GetError())); | 2079 SSL_GETPID(), ss->fd, PORT_GetError())); |
2053 } else { | 2080 } else { |
2054 » /* Create ssl module */ | 2081 /* Create ssl module */ |
2055 » ns = ssl_DupSocket(ss); | 2082 ns = ssl_DupSocket(ss); |
2056 } | 2083 } |
2057 | 2084 |
2058 ssl_ReleaseSSL3HandshakeLock(ss); | 2085 ssl_ReleaseSSL3HandshakeLock(ss); |
2059 ssl_Release1stHandshakeLock(ss); | 2086 ssl_Release1stHandshakeLock(ss); |
2060 SSL_UNLOCK_WRITER(ss); | 2087 SSL_UNLOCK_WRITER(ss); |
2061 SSL_UNLOCK_READER(ss);» » » /* ss isn't used below here. */ | 2088 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ |
2062 | 2089 |
2063 if (ns == NULL) | 2090 if (ns == NULL) |
2064 » goto loser; | 2091 goto loser; |
2065 | 2092 |
2066 /* push ssl module onto the new socket */ | 2093 /* push ssl module onto the new socket */ |
2067 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); | 2094 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); |
2068 if (status != PR_SUCCESS) | 2095 if (status != PR_SUCCESS) |
2069 » goto loser; | 2096 goto loser; |
2070 | 2097 |
2071 /* Now start server connection handshake with client. | 2098 /* Now start server connection handshake with client. |
2072 ** Don't need locks here because nobody else has a reference to ns yet. | 2099 ** Don't need locks here because nobody else has a reference to ns yet. |
2073 */ | 2100 */ |
2074 if ( ns->opt.useSecurity ) { | 2101 if ( ns->opt.useSecurity ) { |
2075 » if ( ns->opt.handshakeAsClient ) { | 2102 if ( ns->opt.handshakeAsClient ) { |
2076 » ns->handshake = ssl2_BeginClientHandshake; | 2103 ns->handshake = ssl2_BeginClientHandshake; |
2077 » ss->handshaking = sslHandshakingAsClient; | 2104 ss->handshaking = sslHandshakingAsClient; |
2078 » } else { | 2105 } else { |
2079 » ns->handshake = ssl2_BeginServerHandshake; | 2106 ns->handshake = ssl2_BeginServerHandshake; |
2080 » ss->handshaking = sslHandshakingAsServer; | 2107 ss->handshaking = sslHandshakingAsServer; |
2081 » } | 2108 } |
2082 } | 2109 } |
2083 ns->TCPconnected = 1; | 2110 ns->TCPconnected = 1; |
2084 return newfd; | 2111 return newfd; |
2085 | 2112 |
2086 loser: | 2113 loser: |
2087 if (ns != NULL) | 2114 if (ns != NULL) |
2088 » ssl_FreeSocket(ns); | 2115 ssl_FreeSocket(ns); |
2089 if (newfd != NULL) | 2116 if (newfd != NULL) |
2090 » PR_Close(newfd); | 2117 PR_Close(newfd); |
2091 return NULL; | 2118 return NULL; |
2092 } | 2119 } |
2093 | 2120 |
2094 static PRStatus PR_CALLBACK | 2121 static PRStatus PR_CALLBACK |
2095 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) | 2122 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) |
2096 { | 2123 { |
2097 sslSocket *ss; | 2124 sslSocket *ss; |
2098 PRStatus rv; | 2125 PRStatus rv; |
2099 | 2126 |
2100 ss = ssl_GetPrivate(fd); | 2127 ss = ssl_GetPrivate(fd); |
2101 if (!ss) { | 2128 if (!ss) { |
2102 » SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); | 2129 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); |
2103 » return PR_FAILURE; | 2130 return PR_FAILURE; |
2104 } | 2131 } |
2105 | 2132 |
2106 /* IF this is a listen socket, there shouldn't be any I/O going on */ | 2133 /* IF this is a listen socket, there shouldn't be any I/O going on */ |
2107 SSL_LOCK_READER(ss); | 2134 SSL_LOCK_READER(ss); |
2108 SSL_LOCK_WRITER(ss); | 2135 SSL_LOCK_WRITER(ss); |
2109 | 2136 |
2110 ss->cTimeout = timeout; | 2137 ss->cTimeout = timeout; |
2111 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); | 2138 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); |
2112 | 2139 |
2113 SSL_UNLOCK_WRITER(ss); | 2140 SSL_UNLOCK_WRITER(ss); |
2114 SSL_UNLOCK_READER(ss); | 2141 SSL_UNLOCK_READER(ss); |
2115 | 2142 |
2116 return rv; | 2143 return rv; |
2117 } | 2144 } |
2118 | 2145 |
2119 static PRStatus PR_CALLBACK | 2146 static PRStatus PR_CALLBACK |
2120 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) | 2147 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) |
2121 { | 2148 { |
2122 sslSocket * ss = ssl_GetPrivate(fd); | 2149 sslSocket * ss = ssl_GetPrivate(fd); |
2123 PRStatus rv; | 2150 PRStatus rv; |
2124 | 2151 |
2125 if (!ss) { | 2152 if (!ss) { |
2126 » SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); | 2153 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); |
2127 » return PR_FAILURE; | 2154 return PR_FAILURE; |
2128 } | 2155 } |
2129 SSL_LOCK_READER(ss); | 2156 SSL_LOCK_READER(ss); |
2130 SSL_LOCK_WRITER(ss); | 2157 SSL_LOCK_WRITER(ss); |
2131 | 2158 |
2132 rv = (PRStatus)(*ss->ops->bind)(ss, addr); | 2159 rv = (PRStatus)(*ss->ops->bind)(ss, addr); |
2133 | 2160 |
2134 SSL_UNLOCK_WRITER(ss); | 2161 SSL_UNLOCK_WRITER(ss); |
2135 SSL_UNLOCK_READER(ss); | 2162 SSL_UNLOCK_READER(ss); |
2136 return rv; | 2163 return rv; |
2137 } | 2164 } |
2138 | 2165 |
2139 static PRStatus PR_CALLBACK | 2166 static PRStatus PR_CALLBACK |
2140 ssl_Listen(PRFileDesc *fd, PRIntn backlog) | 2167 ssl_Listen(PRFileDesc *fd, PRIntn backlog) |
2141 { | 2168 { |
2142 sslSocket * ss = ssl_GetPrivate(fd); | 2169 sslSocket * ss = ssl_GetPrivate(fd); |
2143 PRStatus rv; | 2170 PRStatus rv; |
2144 | 2171 |
2145 if (!ss) { | 2172 if (!ss) { |
2146 » SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); | 2173 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); |
2147 » return PR_FAILURE; | 2174 return PR_FAILURE; |
2148 } | 2175 } |
2149 SSL_LOCK_READER(ss); | 2176 SSL_LOCK_READER(ss); |
2150 SSL_LOCK_WRITER(ss); | 2177 SSL_LOCK_WRITER(ss); |
2151 | 2178 |
2152 rv = (PRStatus)(*ss->ops->listen)(ss, backlog); | 2179 rv = (PRStatus)(*ss->ops->listen)(ss, backlog); |
2153 | 2180 |
2154 SSL_UNLOCK_WRITER(ss); | 2181 SSL_UNLOCK_WRITER(ss); |
2155 SSL_UNLOCK_READER(ss); | 2182 SSL_UNLOCK_READER(ss); |
2156 return rv; | 2183 return rv; |
2157 } | 2184 } |
2158 | 2185 |
2159 static PRStatus PR_CALLBACK | 2186 static PRStatus PR_CALLBACK |
2160 ssl_Shutdown(PRFileDesc *fd, PRIntn how) | 2187 ssl_Shutdown(PRFileDesc *fd, PRIntn how) |
2161 { | 2188 { |
2162 sslSocket * ss = ssl_GetPrivate(fd); | 2189 sslSocket * ss = ssl_GetPrivate(fd); |
2163 PRStatus rv; | 2190 PRStatus rv; |
2164 | 2191 |
2165 if (!ss) { | 2192 if (!ss) { |
2166 » SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); | 2193 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); |
2167 » return PR_FAILURE; | 2194 return PR_FAILURE; |
2168 } | 2195 } |
2169 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { | 2196 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { |
2170 » SSL_LOCK_READER(ss); | 2197 SSL_LOCK_READER(ss); |
2171 } | 2198 } |
2172 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { | 2199 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { |
2173 » SSL_LOCK_WRITER(ss); | 2200 SSL_LOCK_WRITER(ss); |
2174 } | 2201 } |
2175 | 2202 |
2176 rv = (PRStatus)(*ss->ops->shutdown)(ss, how); | 2203 rv = (PRStatus)(*ss->ops->shutdown)(ss, how); |
2177 | 2204 |
2178 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { | 2205 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { |
2179 » SSL_UNLOCK_WRITER(ss); | 2206 SSL_UNLOCK_WRITER(ss); |
2180 } | 2207 } |
2181 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { | 2208 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { |
2182 » SSL_UNLOCK_READER(ss); | 2209 SSL_UNLOCK_READER(ss); |
2183 } | 2210 } |
2184 return rv; | 2211 return rv; |
2185 } | 2212 } |
2186 | 2213 |
2187 static PRStatus PR_CALLBACK | 2214 static PRStatus PR_CALLBACK |
2188 ssl_Close(PRFileDesc *fd) | 2215 ssl_Close(PRFileDesc *fd) |
2189 { | 2216 { |
2190 sslSocket *ss; | 2217 sslSocket *ss; |
2191 PRStatus rv; | 2218 PRStatus rv; |
2192 | 2219 |
2193 ss = ssl_GetPrivate(fd); | 2220 ss = ssl_GetPrivate(fd); |
2194 if (!ss) { | 2221 if (!ss) { |
2195 » SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); | 2222 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); |
2196 » return PR_FAILURE; | 2223 return PR_FAILURE; |
2197 } | 2224 } |
2198 | 2225 |
2199 /* There must not be any I/O going on */ | 2226 /* There must not be any I/O going on */ |
2200 SSL_LOCK_READER(ss); | 2227 SSL_LOCK_READER(ss); |
2201 SSL_LOCK_WRITER(ss); | 2228 SSL_LOCK_WRITER(ss); |
2202 | 2229 |
2203 /* By the time this function returns, | 2230 /* By the time this function returns, |
2204 ** ss is an invalid pointer, and the locks to which it points have | 2231 ** ss is an invalid pointer, and the locks to which it points have |
2205 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL | 2232 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL |
2206 ** where the LOCK calls and the corresponding UNLOCK calls are not in | 2233 ** where the LOCK calls and the corresponding UNLOCK calls are not in |
2207 ** the same function scope. The unlock calls are in ssl_FreeSocket(). | 2234 ** the same function scope. The unlock calls are in ssl_FreeSocket(). |
2208 */ | 2235 */ |
2209 rv = (PRStatus)(*ss->ops->close)(ss); | 2236 rv = (PRStatus)(*ss->ops->close)(ss); |
2210 | 2237 |
2211 return rv; | 2238 return rv; |
2212 } | 2239 } |
2213 | 2240 |
2214 static int PR_CALLBACK | 2241 static int PR_CALLBACK |
2215 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, | 2242 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, |
2216 » PRIntervalTime timeout) | 2243 PRIntervalTime timeout) |
2217 { | 2244 { |
2218 sslSocket *ss; | 2245 sslSocket *ss; |
2219 int rv; | 2246 int rv; |
2220 | 2247 |
2221 ss = ssl_GetPrivate(fd); | 2248 ss = ssl_GetPrivate(fd); |
2222 if (!ss) { | 2249 if (!ss) { |
2223 » SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); | 2250 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); |
2224 » return SECFailure; | 2251 return SECFailure; |
2225 } | 2252 } |
2226 SSL_LOCK_READER(ss); | 2253 SSL_LOCK_READER(ss); |
2227 ss->rTimeout = timeout; | 2254 ss->rTimeout = timeout; |
2228 if (!ss->opt.fdx) | 2255 if (!ss->opt.fdx) |
2229 » ss->wTimeout = timeout; | 2256 ss->wTimeout = timeout; |
2230 rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags); | 2257 rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags); |
2231 SSL_UNLOCK_READER(ss); | 2258 SSL_UNLOCK_READER(ss); |
2232 return rv; | 2259 return rv; |
2233 } | 2260 } |
2234 | 2261 |
2235 static int PR_CALLBACK | 2262 static int PR_CALLBACK |
2236 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, | 2263 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, |
2237 » PRIntervalTime timeout) | 2264 PRIntervalTime timeout) |
2238 { | 2265 { |
2239 sslSocket *ss; | 2266 sslSocket *ss; |
2240 int rv; | 2267 int rv; |
2241 | 2268 |
2242 ss = ssl_GetPrivate(fd); | 2269 ss = ssl_GetPrivate(fd); |
2243 if (!ss) { | 2270 if (!ss) { |
2244 » SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); | 2271 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); |
2245 » return SECFailure; | 2272 return SECFailure; |
2246 } | 2273 } |
2247 SSL_LOCK_WRITER(ss); | 2274 SSL_LOCK_WRITER(ss); |
2248 ss->wTimeout = timeout; | 2275 ss->wTimeout = timeout; |
2249 if (!ss->opt.fdx) | 2276 if (!ss->opt.fdx) |
2250 » ss->rTimeout = timeout; | 2277 ss->rTimeout = timeout; |
2251 rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags); | 2278 rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags); |
2252 SSL_UNLOCK_WRITER(ss); | 2279 SSL_UNLOCK_WRITER(ss); |
2253 return rv; | 2280 return rv; |
2254 } | 2281 } |
2255 | 2282 |
2256 static int PR_CALLBACK | 2283 static int PR_CALLBACK |
2257 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) | 2284 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) |
2258 { | 2285 { |
2259 sslSocket *ss; | 2286 sslSocket *ss; |
2260 int rv; | 2287 int rv; |
2261 | 2288 |
2262 ss = ssl_GetPrivate(fd); | 2289 ss = ssl_GetPrivate(fd); |
2263 if (!ss) { | 2290 if (!ss) { |
2264 » SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); | 2291 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); |
2265 » return SECFailure; | 2292 return SECFailure; |
2266 } | 2293 } |
2267 SSL_LOCK_READER(ss); | 2294 SSL_LOCK_READER(ss); |
2268 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 2295 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
2269 if (!ss->opt.fdx) | 2296 if (!ss->opt.fdx) |
2270 » ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 2297 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
2271 rv = (*ss->ops->read)(ss, (unsigned char*)buf, len); | 2298 rv = (*ss->ops->read)(ss, (unsigned char*)buf, len); |
2272 SSL_UNLOCK_READER(ss); | 2299 SSL_UNLOCK_READER(ss); |
2273 return rv; | 2300 return rv; |
2274 } | 2301 } |
2275 | 2302 |
2276 static int PR_CALLBACK | 2303 static int PR_CALLBACK |
2277 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) | 2304 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) |
2278 { | 2305 { |
2279 sslSocket *ss; | 2306 sslSocket *ss; |
2280 int rv; | 2307 int rv; |
2281 | 2308 |
2282 ss = ssl_GetPrivate(fd); | 2309 ss = ssl_GetPrivate(fd); |
2283 if (!ss) { | 2310 if (!ss) { |
2284 » SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); | 2311 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); |
2285 » return SECFailure; | 2312 return SECFailure; |
2286 } | 2313 } |
2287 SSL_LOCK_WRITER(ss); | 2314 SSL_LOCK_WRITER(ss); |
2288 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 2315 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
2289 if (!ss->opt.fdx) | 2316 if (!ss->opt.fdx) |
2290 » ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 2317 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
2291 rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len); | 2318 rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len); |
2292 SSL_UNLOCK_WRITER(ss); | 2319 SSL_UNLOCK_WRITER(ss); |
2293 return rv; | 2320 return rv; |
2294 } | 2321 } |
2295 | 2322 |
2296 static PRStatus PR_CALLBACK | 2323 static PRStatus PR_CALLBACK |
2297 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) | 2324 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) |
2298 { | 2325 { |
2299 sslSocket *ss; | 2326 sslSocket *ss; |
2300 | 2327 |
2301 ss = ssl_GetPrivate(fd); | 2328 ss = ssl_GetPrivate(fd); |
2302 if (!ss) { | 2329 if (!ss) { |
2303 » SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); | 2330 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); |
2304 » return PR_FAILURE; | 2331 return PR_FAILURE; |
2305 } | 2332 } |
2306 return (PRStatus)(*ss->ops->getpeername)(ss, addr); | 2333 return (PRStatus)(*ss->ops->getpeername)(ss, addr); |
2307 } | 2334 } |
2308 | 2335 |
2309 /* | 2336 /* |
2310 */ | 2337 */ |
2311 SECStatus | 2338 SECStatus |
2312 ssl_GetPeerInfo(sslSocket *ss) | 2339 ssl_GetPeerInfo(sslSocket *ss) |
2313 { | 2340 { |
2314 PRFileDesc * osfd; | 2341 PRFileDesc * osfd; |
2315 int rv; | 2342 int rv; |
2316 PRNetAddr sin; | 2343 PRNetAddr sin; |
2317 | 2344 |
2318 osfd = ss->fd->lower; | 2345 osfd = ss->fd->lower; |
2319 | 2346 |
2320 PORT_Memset(&sin, 0, sizeof(sin)); | 2347 PORT_Memset(&sin, 0, sizeof(sin)); |
2321 rv = osfd->methods->getpeername(osfd, &sin); | 2348 rv = osfd->methods->getpeername(osfd, &sin); |
2322 if (rv < 0) { | 2349 if (rv < 0) { |
2323 » return SECFailure; | 2350 return SECFailure; |
2324 } | 2351 } |
2325 ss->TCPconnected = 1; | 2352 ss->TCPconnected = 1; |
2326 if (sin.inet.family == PR_AF_INET) { | 2353 if (sin.inet.family == PR_AF_INET) { |
2327 PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer); | 2354 PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer); |
2328 » ss->sec.ci.port = sin.inet.port; | 2355 ss->sec.ci.port = sin.inet.port; |
2329 } else if (sin.ipv6.family == PR_AF_INET6) { | 2356 } else if (sin.ipv6.family == PR_AF_INET6) { |
2330 » ss->sec.ci.peer = sin.ipv6.ip; | 2357 ss->sec.ci.peer = sin.ipv6.ip; |
2331 » ss->sec.ci.port = sin.ipv6.port; | 2358 ss->sec.ci.port = sin.ipv6.port; |
2332 } else { | 2359 } else { |
2333 » PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR); | 2360 PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR); |
2334 » return SECFailure; | 2361 return SECFailure; |
2335 } | 2362 } |
2336 return SECSuccess; | 2363 return SECSuccess; |
2337 } | 2364 } |
2338 | 2365 |
2339 static PRStatus PR_CALLBACK | 2366 static PRStatus PR_CALLBACK |
2340 ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name) | 2367 ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name) |
2341 { | 2368 { |
2342 sslSocket *ss; | 2369 sslSocket *ss; |
2343 | 2370 |
2344 ss = ssl_GetPrivate(fd); | 2371 ss = ssl_GetPrivate(fd); |
2345 if (!ss) { | 2372 if (!ss) { |
2346 » SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd)); | 2373 SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd)); |
2347 » return PR_FAILURE; | 2374 return PR_FAILURE; |
2348 } | 2375 } |
2349 return (PRStatus)(*ss->ops->getsockname)(ss, name); | 2376 return (PRStatus)(*ss->ops->getsockname)(ss, name); |
2350 } | 2377 } |
2351 | 2378 |
2352 SECStatus | 2379 SECStatus |
2353 SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses, | 2380 SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses, |
2354 » » » SSLKEAType kea) | 2381 SSLKEAType kea) |
2355 { | 2382 { |
2356 sslSocket *ss; | 2383 sslSocket *ss; |
2357 | 2384 |
2358 ss = ssl_FindSocket(fd); | 2385 ss = ssl_FindSocket(fd); |
2359 if (!ss) { | 2386 if (!ss) { |
2360 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses", | 2387 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses", |
2361 » » SSL_GETPID(), fd)); | 2388 SSL_GETPID(), fd)); |
2362 » return SECFailure; | 2389 return SECFailure; |
2363 } | 2390 } |
2364 | 2391 |
2365 if ( kea <= 0 || kea >= kt_kea_size) { | 2392 if ( kea <= 0 || kea >= kt_kea_size) { |
2366 » SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses", | 2393 SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses", |
2367 » » SSL_GETPID(), fd)); | 2394 SSL_GETPID(), fd)); |
2368 » return SECFailure; | 2395 return SECFailure; |
2369 } | 2396 } |
2370 | 2397 |
2371 if (ss->certStatusArray[kea]) { | 2398 if (ss->certStatusArray[kea]) { |
2372 SECITEM_FreeArray(ss->certStatusArray[kea], PR_TRUE); | 2399 SECITEM_FreeArray(ss->certStatusArray[kea], PR_TRUE); |
2373 ss->certStatusArray[kea] = NULL; | 2400 ss->certStatusArray[kea] = NULL; |
2374 } | 2401 } |
2375 if (responses) { | 2402 if (responses) { |
2376 » ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses); | 2403 ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses); |
2377 } | 2404 } |
2378 return (ss->certStatusArray[kea] || !responses) ? SECSuccess : SECFailure; | 2405 return (ss->certStatusArray[kea] || !responses) ? SECSuccess : SECFailure; |
2379 } | 2406 } |
2380 | 2407 |
2381 SECStatus | 2408 SECStatus |
2382 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) | 2409 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) |
2383 { | 2410 { |
2384 sslSocket *ss; | 2411 sslSocket *ss; |
2385 | 2412 |
2386 ss = ssl_FindSocket(fd); | 2413 ss = ssl_FindSocket(fd); |
2387 if (!ss) { | 2414 if (!ss) { |
2388 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID", | 2415 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID", |
2389 » » SSL_GETPID(), fd)); | 2416 SSL_GETPID(), fd)); |
2390 » return SECFailure; | 2417 return SECFailure; |
2391 } | 2418 } |
2392 | 2419 |
2393 if (ss->peerID) { | 2420 if (ss->peerID) { |
2394 » PORT_Free(ss->peerID); | 2421 PORT_Free(ss->peerID); |
2395 » ss->peerID = NULL; | 2422 ss->peerID = NULL; |
2396 } | 2423 } |
2397 if (peerID) | 2424 if (peerID) |
2398 » ss->peerID = PORT_Strdup(peerID); | 2425 ss->peerID = PORT_Strdup(peerID); |
2399 return (ss->peerID || !peerID) ? SECSuccess : SECFailure; | 2426 return (ss->peerID || !peerID) ? SECSuccess : SECFailure; |
2400 } | 2427 } |
2401 | 2428 |
2402 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) | 2429 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) |
2403 | 2430 |
2404 static PRInt16 PR_CALLBACK | 2431 static PRInt16 PR_CALLBACK |
2405 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) | 2432 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) |
2406 { | 2433 { |
2407 sslSocket *ss; | 2434 sslSocket *ss; |
2408 PRInt16 new_flags = how_flags;» /* should select on these flags. */ | 2435 PRInt16 new_flags = how_flags; /* should select on these flags. */ |
2409 PRNetAddr addr; | 2436 PRNetAddr addr; |
2410 | 2437 |
2411 *p_out_flags = 0; | 2438 *p_out_flags = 0; |
2412 ss = ssl_GetPrivate(fd); | 2439 ss = ssl_GetPrivate(fd); |
2413 if (!ss) { | 2440 if (!ss) { |
2414 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", | 2441 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", |
2415 » » SSL_GETPID(), fd)); | 2442 SSL_GETPID(), fd)); |
2416 » return 0;» /* don't poll on this socket */ | 2443 return 0; /* don't poll on this socket */ |
2417 } | 2444 } |
2418 | 2445 |
2419 if (ss->opt.useSecurity && | 2446 if (ss->opt.useSecurity && |
2420 » ss->handshaking != sslHandshakingUndetermined && | 2447 ss->handshaking != sslHandshakingUndetermined && |
2421 !ss->firstHsDone && | 2448 !ss->firstHsDone && |
2422 » (how_flags & PR_POLL_RW)) { | 2449 (how_flags & PR_POLL_RW)) { |
2423 » if (!ss->TCPconnected) { | 2450 if (!ss->TCPconnected) { |
2424 » ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); | 2451 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); |
2425 » } | 2452 } |
2426 » /* If it's not connected, then presumably the application is polling | 2453 /* If it's not connected, then presumably the application is polling |
2427 » ** on read or write appropriately, so don't change it. | 2454 ** on read or write appropriately, so don't change it. |
2428 » */ | 2455 */ |
2429 » if (ss->TCPconnected) { | 2456 if (ss->TCPconnected) { |
2430 » if (!ss->handshakeBegun) { | 2457 if (!ss->handshakeBegun) { |
2431 » » /* If the handshake has not begun, poll on read or write | 2458 /* If the handshake has not begun, poll on read or write |
2432 » » ** based on the local application's role in the handshake, | 2459 ** based on the local application's role in the handshake, |
2433 » » ** not based on what the application requested. | 2460 ** not based on what the application requested. |
2434 » » */ | 2461 */ |
2435 » » new_flags &= ~PR_POLL_RW; | 2462 new_flags &= ~PR_POLL_RW; |
2436 » » if (ss->handshaking == sslHandshakingAsClient) { | 2463 if (ss->handshaking == sslHandshakingAsClient) { |
2437 » » new_flags |= PR_POLL_WRITE; | 2464 new_flags |= PR_POLL_WRITE; |
2438 » » } else { /* handshaking as server */ | 2465 } else { /* handshaking as server */ |
2439 » » new_flags |= PR_POLL_READ; | 2466 new_flags |= PR_POLL_READ; |
2440 » » } | 2467 } |
2441 » } else | 2468 } else |
2442 » /* First handshake is in progress */ | 2469 /* First handshake is in progress */ |
2443 » if (ss->lastWriteBlocked) { | 2470 if (ss->lastWriteBlocked) { |
2444 » » if (new_flags & PR_POLL_READ) { | 2471 if (new_flags & PR_POLL_READ) { |
2445 » » /* The caller is waiting for data to be received, | 2472 /* The caller is waiting for data to be received, |
2446 » » ** but the initial handshake is blocked on write, or the | 2473 ** but the initial handshake is blocked on write, or the |
2447 » » ** client's first handshake record has not been written. | 2474 ** client's first handshake record has not been written. |
2448 » » ** The code should select on write, not read. | 2475 ** The code should select on write, not read. |
2449 » » */ | 2476 */ |
2450 » » new_flags ^= PR_POLL_READ;» /* don't select on read. */ | 2477 new_flags ^= PR_POLL_READ; /* don't select on read. */ |
2451 » » new_flags |= PR_POLL_WRITE; /* do select on write. */ | 2478 new_flags |= PR_POLL_WRITE; /* do select on write. */ |
2452 » » } | 2479 } |
2453 » } else if (new_flags & PR_POLL_WRITE) { | 2480 } else if (new_flags & PR_POLL_WRITE) { |
2454 » » /* The caller is trying to write, but the handshake is | 2481 /* The caller is trying to write, but the handshake is |
2455 » » ** blocked waiting for data to read, and the first | 2482 ** blocked waiting for data to read, and the first |
2456 » » ** handshake has been sent. So do NOT to poll on write | 2483 ** handshake has been sent. So do NOT to poll on write |
2457 » » ** unless we did false start. | 2484 ** unless we did false start. |
2458 » » */ | 2485 */ |
2459 » » if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 && | 2486 if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 && |
2460 » » » ss->ssl3.hs.canFalseStart)) { | 2487 ss->ssl3.hs.canFalseStart)) { |
2461 » » » new_flags ^= PR_POLL_WRITE; /* don't select on write. */ | 2488 new_flags ^= PR_POLL_WRITE; /* don't select on write. */ |
2462 » » } | 2489 } |
2463 » » new_flags |= PR_POLL_READ; /* do select on read. */ | 2490 new_flags |= PR_POLL_READ; /* do select on read. */ |
2464 » } | 2491 } |
2465 » } | 2492 } |
2466 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { | 2493 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { |
2467 » *p_out_flags = PR_POLL_READ;» /* it's ready already. */ | 2494 *p_out_flags = PR_POLL_READ; /* it's ready already. */ |
2468 » return new_flags; | 2495 return new_flags; |
2469 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && | 2496 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && |
2470 » (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ | 2497 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ |
2471 » new_flags |= PR_POLL_WRITE; /* also select on write. */ | 2498 new_flags |= PR_POLL_WRITE; /* also select on write. */ |
2472 } | 2499 } |
2473 | 2500 |
2474 if (ss->version >= SSL_LIBRARY_VERSION_3_0 && | 2501 if (ss->version >= SSL_LIBRARY_VERSION_3_0 && |
2475 » ss->ssl3.hs.restartTarget != NULL) { | 2502 ss->ssl3.hs.restartTarget != NULL) { |
2476 » /* Read and write will block until the asynchronous callback completes | 2503 /* Read and write will block until the asynchronous callback completes |
2477 » * (e.g. until SSL_AuthCertificateComplete is called), so don't tell | 2504 * (e.g. until SSL_AuthCertificateComplete is called), so don't tell |
2478 » * the caller to poll the socket unless there is pending write data. | 2505 * the caller to poll the socket unless there is pending write data. |
2479 » */ | 2506 */ |
2480 » if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { | 2507 if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { |
2481 » /* Ignore any newly-received data on the socket, but do wait for | 2508 /* Ignore any newly-received data on the socket, but do wait for |
2482 » * the socket to become writable again. Here, it is OK for an error | 2509 * the socket to become writable again. Here, it is OK for an error |
2483 » * to be detected, because our logic for sending pending write data | 2510 * to be detected, because our logic for sending pending write data |
2484 » * will allow us to report the error to the caller without the risk | 2511 * will allow us to report the error to the caller without the risk |
2485 » * of the application spinning. | 2512 * of the application spinning. |
2486 » */ | 2513 */ |
2487 » new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT); | 2514 new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT); |
2488 » } else { | 2515 } else { |
2489 » /* Unfortunately, clearing new_flags will make it impossible for | 2516 /* Unfortunately, clearing new_flags will make it impossible for |
2490 » * the application to detect errors that it would otherwise be | 2517 * the application to detect errors that it would otherwise be |
2491 » * able to detect with PR_POLL_EXCEPT, until the asynchronous | 2518 * able to detect with PR_POLL_EXCEPT, until the asynchronous |
2492 » * callback completes. However, we must clear all the flags to | 2519 * callback completes. However, we must clear all the flags to |
2493 » * prevent the application from spinning (alternating between | 2520 * prevent the application from spinning (alternating between |
2494 » * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv | 2521 * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv |
2495 » * which won't actually report the I/O error while we are waiting | 2522 * which won't actually report the I/O error while we are waiting |
2496 » * for the asynchronous callback to complete). | 2523 * for the asynchronous callback to complete). |
2497 » */ | 2524 */ |
2498 » new_flags = 0; | 2525 new_flags = 0; |
2499 » } | 2526 } |
2500 } | 2527 } |
2501 | 2528 |
2502 if (new_flags && (fd->lower->methods->poll != NULL)) { | 2529 if (new_flags && (fd->lower->methods->poll != NULL)) { |
2503 » PRInt16 lower_out_flags = 0; | 2530 PRInt16 lower_out_flags = 0; |
2504 » PRInt16 lower_new_flags; | 2531 PRInt16 lower_new_flags; |
2505 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, | 2532 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, |
2506 » » » » » &lower_out_flags); | 2533 &lower_out_flags); |
2507 » if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { | 2534 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { |
2508 » PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; | 2535 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; |
2509 » if (lower_out_flags & PR_POLL_READ) | 2536 if (lower_out_flags & PR_POLL_READ) |
2510 » » out_flags |= PR_POLL_WRITE; | 2537 out_flags |= PR_POLL_WRITE; |
2511 » if (lower_out_flags & PR_POLL_WRITE) | 2538 if (lower_out_flags & PR_POLL_WRITE) |
2512 » » out_flags |= PR_POLL_READ; | 2539 out_flags |= PR_POLL_READ; |
2513 » *p_out_flags = out_flags; | 2540 *p_out_flags = out_flags; |
2514 » new_flags = how_flags; | 2541 new_flags = how_flags; |
2515 » } else { | 2542 } else { |
2516 » *p_out_flags = lower_out_flags; | 2543 *p_out_flags = lower_out_flags; |
2517 » new_flags = lower_new_flags; | 2544 new_flags = lower_new_flags; |
2518 » } | 2545 } |
2519 } | 2546 } |
2520 | 2547 |
2521 return new_flags; | 2548 return new_flags; |
2522 } | 2549 } |
2523 | 2550 |
2524 static PRInt32 PR_CALLBACK | 2551 static PRInt32 PR_CALLBACK |
2525 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, | 2552 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, |
2526 » » const void *headers, PRInt32 hlen, | 2553 const void *headers, PRInt32 hlen, |
2527 » » PRTransmitFileFlags flags, PRIntervalTime timeout) | 2554 PRTransmitFileFlags flags, PRIntervalTime timeout) |
2528 { | 2555 { |
2529 PRSendFileData sfd; | 2556 PRSendFileData sfd; |
2530 | 2557 |
2531 sfd.fd = fd; | 2558 sfd.fd = fd; |
2532 sfd.file_offset = 0; | 2559 sfd.file_offset = 0; |
2533 sfd.file_nbytes = 0; | 2560 sfd.file_nbytes = 0; |
2534 sfd.header = headers; | 2561 sfd.header = headers; |
2535 sfd.hlen = hlen; | 2562 sfd.hlen = hlen; |
2536 sfd.trailer = NULL; | 2563 sfd.trailer = NULL; |
2537 sfd.tlen = 0; | 2564 sfd.tlen = 0; |
2538 | 2565 |
2539 return sd->methods->sendfile(sd, &sfd, flags, timeout); | 2566 return sd->methods->sendfile(sd, &sfd, flags, timeout); |
2540 } | 2567 } |
2541 | 2568 |
2542 | 2569 |
2543 PRBool | 2570 PRBool |
2544 ssl_FdIsBlocking(PRFileDesc *fd) | 2571 ssl_FdIsBlocking(PRFileDesc *fd) |
2545 { | 2572 { |
2546 PRSocketOptionData opt; | 2573 PRSocketOptionData opt; |
2547 PRStatus status; | 2574 PRStatus status; |
2548 | 2575 |
2549 opt.option = PR_SockOpt_Nonblocking; | 2576 opt.option = PR_SockOpt_Nonblocking; |
2550 opt.value.non_blocking = PR_FALSE; | 2577 opt.value.non_blocking = PR_FALSE; |
2551 status = PR_GetSocketOption(fd, &opt); | 2578 status = PR_GetSocketOption(fd, &opt); |
2552 if (status != PR_SUCCESS) | 2579 if (status != PR_SUCCESS) |
2553 » return PR_FALSE; | 2580 return PR_FALSE; |
2554 return (PRBool)!opt.value.non_blocking; | 2581 return (PRBool)!opt.value.non_blocking; |
2555 } | 2582 } |
2556 | 2583 |
2557 PRBool | 2584 PRBool |
2558 ssl_SocketIsBlocking(sslSocket *ss) | 2585 ssl_SocketIsBlocking(sslSocket *ss) |
2559 { | 2586 { |
2560 return ssl_FdIsBlocking(ss->fd); | 2587 return ssl_FdIsBlocking(ss->fd); |
2561 } | 2588 } |
2562 | 2589 |
2563 PRInt32 sslFirstBufSize = 8 * 1024; | 2590 PRInt32 sslFirstBufSize = 8 * 1024; |
2564 PRInt32 sslCopyLimit = 1024; | 2591 PRInt32 sslCopyLimit = 1024; |
2565 | 2592 |
2566 static PRInt32 PR_CALLBACK | 2593 static PRInt32 PR_CALLBACK |
2567 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, | 2594 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
2568 PRIntervalTime timeout) | 2595 PRIntervalTime timeout) |
2569 { | 2596 { |
| 2597 PRInt32 i; |
2570 PRInt32 bufLen; | 2598 PRInt32 bufLen; |
2571 PRInt32 left; | 2599 PRInt32 left; |
2572 PRInt32 rv; | 2600 PRInt32 rv; |
2573 PRInt32 sent = 0; | 2601 PRInt32 sent = 0; |
2574 const PRInt32 first_len = sslFirstBufSize; | 2602 const PRInt32 first_len = sslFirstBufSize; |
2575 const PRInt32 limit = sslCopyLimit; | 2603 const PRInt32 limit = sslCopyLimit; |
2576 PRBool blocking; | 2604 PRBool blocking; |
2577 PRIOVec myIov» = { 0, 0 }; | 2605 PRIOVec myIov = { 0, 0 }; |
2578 char buf[MAX_FRAGMENT_LENGTH]; | 2606 char buf[MAX_FRAGMENT_LENGTH]; |
2579 | 2607 |
| 2608 if (vectors < 0) { |
| 2609 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
| 2610 return -1; |
| 2611 } |
2580 if (vectors > PR_MAX_IOVECTOR_SIZE) { | 2612 if (vectors > PR_MAX_IOVECTOR_SIZE) { |
2581 » PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); | 2613 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); |
2582 » return -1; | 2614 return -1; |
| 2615 } |
| 2616 for (i = 0; i < vectors; i++) { |
| 2617 if (iov[i].iov_len < 0) { |
| 2618 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
| 2619 return -1; |
| 2620 } |
2583 } | 2621 } |
2584 blocking = ssl_FdIsBlocking(fd); | 2622 blocking = ssl_FdIsBlocking(fd); |
2585 | 2623 |
2586 #define K16 sizeof(buf) | 2624 #define K16 sizeof(buf) |
2587 #define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; } | 2625 #define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; } |
2588 #define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0) | 2626 #define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0) |
2589 #define HANDLE_ERR(rv, len) \ | 2627 #define HANDLE_ERR(rv, len) \ |
2590 if (rv != len) { \ | 2628 if (rv != len) { \ |
2591 » if (rv < 0) { \ | 2629 if (rv < 0) { \ |
2592 » if (!blocking \ | 2630 if (!blocking \ |
2593 » » && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \ | 2631 && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \ |
2594 » » && (sent > 0)) { \ | 2632 && (sent > 0)) { \ |
2595 » » return sent; \ | 2633 return sent; \ |
2596 » } else { \ | 2634 } else { \ |
2597 » » return -1; \ | 2635 return -1; \ |
2598 » } \ | 2636 } \ |
2599 » } \ | 2637 } \ |
2600 » /* Only a nonblocking socket can have partial sends */ \ | 2638 /* Only a nonblocking socket can have partial sends */ \ |
2601 » PR_ASSERT(!blocking); \ | 2639 PR_ASSERT(!blocking); \ |
2602 » return sent + rv; \ | 2640 return sent + rv; \ |
2603 } | 2641 } |
2604 #define SEND(bfr, len) \ | 2642 #define SEND(bfr, len) \ |
2605 do { \ | 2643 do { \ |
2606 » rv = ssl_Send(fd, bfr, len, 0, timeout); \ | 2644 rv = ssl_Send(fd, bfr, len, 0, timeout); \ |
2607 » HANDLE_ERR(rv, len) \ | 2645 HANDLE_ERR(rv, len) \ |
2608 » sent += len; \ | 2646 sent += len; \ |
2609 } while (0) | 2647 } while (0) |
2610 | 2648 |
2611 /* Make sure the first write is at least 8 KB, if possible. */ | 2649 /* Make sure the first write is at least 8 KB, if possible. */ |
2612 KILL_VECTORS | 2650 KILL_VECTORS |
2613 if (!vectors) | 2651 if (!vectors) |
2614 » return ssl_Send(fd, 0, 0, 0, timeout); | 2652 return ssl_Send(fd, 0, 0, 0, timeout); |
2615 GET_VECTOR; | 2653 GET_VECTOR; |
2616 if (!vectors) { | 2654 if (!vectors) { |
2617 » return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); | 2655 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); |
2618 } | 2656 } |
2619 if (myIov.iov_len < first_len) { | 2657 if (myIov.iov_len < first_len) { |
2620 » PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); | 2658 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); |
2621 » bufLen = myIov.iov_len; | 2659 bufLen = myIov.iov_len; |
2622 » left = first_len - bufLen; | 2660 left = first_len - bufLen; |
2623 » while (vectors && left) { | 2661 while (vectors && left) { |
2624 » int toCopy; | 2662 int toCopy; |
2625 » GET_VECTOR; | 2663 GET_VECTOR; |
2626 » toCopy = PR_MIN(left, myIov.iov_len); | 2664 toCopy = PR_MIN(left, myIov.iov_len); |
2627 » PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); | 2665 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); |
2628 » bufLen += toCopy; | 2666 bufLen += toCopy; |
2629 » left -= toCopy; | 2667 left -= toCopy; |
2630 » myIov.iov_base += toCopy; | 2668 myIov.iov_base += toCopy; |
2631 » myIov.iov_len -= toCopy; | 2669 myIov.iov_len -= toCopy; |
2632 » } | 2670 } |
2633 » SEND( buf, bufLen ); | 2671 SEND( buf, bufLen ); |
2634 } | 2672 } |
2635 | 2673 |
2636 while (vectors || myIov.iov_len) { | 2674 while (vectors || myIov.iov_len) { |
2637 » PRInt32 addLen; | 2675 PRInt32 addLen; |
2638 » if (!myIov.iov_len) { | 2676 if (!myIov.iov_len) { |
2639 » GET_VECTOR; | 2677 GET_VECTOR; |
2640 » } | 2678 } |
2641 » while (myIov.iov_len >= K16) { | 2679 while (myIov.iov_len >= K16) { |
2642 » SEND(myIov.iov_base, K16); | 2680 SEND(myIov.iov_base, K16); |
2643 » myIov.iov_base += K16; | 2681 myIov.iov_base += K16; |
2644 » myIov.iov_len -= K16; | 2682 myIov.iov_len -= K16; |
2645 » } | 2683 } |
2646 » if (!myIov.iov_len) | 2684 if (!myIov.iov_len) |
2647 » continue; | 2685 continue; |
2648 | 2686 |
2649 » if (!vectors || myIov.iov_len > limit) { | 2687 if (!vectors || myIov.iov_len > limit) { |
2650 » addLen = 0; | 2688 addLen = 0; |
2651 » } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { | 2689 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { |
2652 » /* Addlen is already computed. */; | 2690 /* Addlen is already computed. */; |
2653 » } else if (vectors > 1 && | 2691 } else if (vectors > 1 && |
2654 » iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { | 2692 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { |
2655 » addLen = limit - myIov.iov_len; | 2693 addLen = limit - myIov.iov_len; |
2656 » } else | 2694 } else |
2657 » addLen = 0; | 2695 addLen = 0; |
2658 | 2696 |
2659 » if (!addLen) { | 2697 if (!addLen) { |
2660 » SEND( myIov.iov_base, myIov.iov_len ); | 2698 SEND( myIov.iov_base, myIov.iov_len ); |
2661 » myIov.iov_len = 0; | 2699 myIov.iov_len = 0; |
2662 » continue; | 2700 continue; |
2663 » } | 2701 } |
2664 » PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); | 2702 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); |
2665 » bufLen = myIov.iov_len; | 2703 bufLen = myIov.iov_len; |
2666 » do { | 2704 do { |
2667 » GET_VECTOR; | 2705 GET_VECTOR; |
2668 » PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); | 2706 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); |
2669 » myIov.iov_base += addLen; | 2707 myIov.iov_base += addLen; |
2670 » myIov.iov_len -= addLen; | 2708 myIov.iov_len -= addLen; |
2671 » bufLen += addLen; | 2709 bufLen += addLen; |
2672 | 2710 |
2673 » left = PR_MIN( limit, K16 - bufLen); | 2711 left = PR_MIN( limit, K16 - bufLen); |
2674 » if (!vectors » » /* no more left */ | 2712 if (!vectors /* no more left */ |
2675 » || myIov.iov_len > 0» /* we didn't use that one all up */ | 2713 || myIov.iov_len > 0 /* we didn't use that one all up */ |
2676 » || bufLen >= K16» » /* it's full. */ | 2714 || bufLen >= K16 /* it's full. */ |
2677 » ) { | 2715 ) { |
2678 » » addLen = 0; | 2716 addLen = 0; |
2679 » } else if ((addLen = iov->iov_len % K16) <= left) { | 2717 } else if ((addLen = iov->iov_len % K16) <= left) { |
2680 » » /* Addlen is already computed. */; | 2718 /* Addlen is already computed. */; |
2681 » } else if (vectors > 1 && | 2719 } else if (vectors > 1 && |
2682 » » iov[1].iov_len % K16 + addLen <= left + limit) { | 2720 iov[1].iov_len % K16 + addLen <= left + limit) { |
2683 » » addLen = left; | 2721 addLen = left; |
2684 » } else | 2722 } else |
2685 » » addLen = 0; | 2723 addLen = 0; |
2686 | 2724 |
2687 » } while (addLen); | 2725 } while (addLen); |
2688 » SEND( buf, bufLen ); | 2726 SEND( buf, bufLen ); |
2689 } | 2727 } |
2690 return sent; | 2728 return sent; |
2691 } | 2729 } |
2692 | 2730 |
2693 /* | 2731 /* |
2694 * These functions aren't implemented. | 2732 * These functions aren't implemented. |
2695 */ | 2733 */ |
2696 | 2734 |
2697 static PRInt32 PR_CALLBACK | 2735 static PRInt32 PR_CALLBACK |
2698 ssl_Available(PRFileDesc *fd) | 2736 ssl_Available(PRFileDesc *fd) |
2699 { | 2737 { |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2749 static PRStatus PR_CALLBACK | 2787 static PRStatus PR_CALLBACK |
2750 ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info) | 2788 ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info) |
2751 { | 2789 { |
2752 PORT_Assert(0); | 2790 PORT_Assert(0); |
2753 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 2791 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
2754 return PR_FAILURE; | 2792 return PR_FAILURE; |
2755 } | 2793 } |
2756 | 2794 |
2757 static PRInt32 PR_CALLBACK | 2795 static PRInt32 PR_CALLBACK |
2758 ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags, | 2796 ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags, |
2759 » PRNetAddr *addr, PRIntervalTime timeout) | 2797 PRNetAddr *addr, PRIntervalTime timeout) |
2760 { | 2798 { |
2761 PORT_Assert(0); | 2799 PORT_Assert(0); |
2762 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 2800 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
2763 return SECFailure; | 2801 return SECFailure; |
2764 } | 2802 } |
2765 | 2803 |
2766 static PRInt32 PR_CALLBACK | 2804 static PRInt32 PR_CALLBACK |
2767 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, | 2805 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, |
2768 » const PRNetAddr *addr, PRIntervalTime timeout) | 2806 const PRNetAddr *addr, PRIntervalTime timeout) |
2769 { | 2807 { |
2770 PORT_Assert(0); | 2808 PORT_Assert(0); |
2771 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 2809 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
2772 return SECFailure; | 2810 return SECFailure; |
2773 } | 2811 } |
2774 | 2812 |
2775 static const PRIOMethods ssl_methods = { | 2813 static const PRIOMethods ssl_methods = { |
2776 PR_DESC_LAYERED, | 2814 PR_DESC_LAYERED, |
2777 ssl_Close, » /* close */ | 2815 ssl_Close, /* close */ |
2778 ssl_Read, » /* read */ | 2816 ssl_Read, /* read */ |
2779 ssl_Write, » /* write */ | 2817 ssl_Write, /* write */ |
2780 ssl_Available, » /* available */ | 2818 ssl_Available, /* available */ |
2781 ssl_Available64, » /* available64 */ | 2819 ssl_Available64, /* available64 */ |
2782 ssl_FSync, » /* fsync */ | 2820 ssl_FSync, /* fsync */ |
2783 ssl_Seek, » /* seek */ | 2821 ssl_Seek, /* seek */ |
2784 ssl_Seek64, » /* seek64 */ | 2822 ssl_Seek64, /* seek64 */ |
2785 ssl_FileInfo, » /* fileInfo */ | 2823 ssl_FileInfo, /* fileInfo */ |
2786 ssl_FileInfo64, » /* fileInfo64 */ | 2824 ssl_FileInfo64, /* fileInfo64 */ |
2787 ssl_WriteV, » /* writev */ | 2825 ssl_WriteV, /* writev */ |
2788 ssl_Connect, » /* connect */ | 2826 ssl_Connect, /* connect */ |
2789 ssl_Accept, » /* accept */ | 2827 ssl_Accept, /* accept */ |
2790 ssl_Bind, » /* bind */ | 2828 ssl_Bind, /* bind */ |
2791 ssl_Listen, » /* listen */ | 2829 ssl_Listen, /* listen */ |
2792 ssl_Shutdown, » /* shutdown */ | 2830 ssl_Shutdown, /* shutdown */ |
2793 ssl_Recv, » /* recv */ | 2831 ssl_Recv, /* recv */ |
2794 ssl_Send, » /* send */ | 2832 ssl_Send, /* send */ |
2795 ssl_RecvFrom, » /* recvfrom */ | 2833 ssl_RecvFrom, /* recvfrom */ |
2796 ssl_SendTo, » /* sendto */ | 2834 ssl_SendTo, /* sendto */ |
2797 ssl_Poll, » /* poll */ | 2835 ssl_Poll, /* poll */ |
2798 PR_EmulateAcceptRead, /* acceptread */ | 2836 PR_EmulateAcceptRead, /* acceptread */ |
2799 ssl_TransmitFile, /* transmitfile */ | 2837 ssl_TransmitFile, /* transmitfile */ |
2800 ssl_GetSockName, » /* getsockname */ | 2838 ssl_GetSockName, /* getsockname */ |
2801 ssl_GetPeerName, » /* getpeername */ | 2839 ssl_GetPeerName, /* getpeername */ |
2802 NULL, » /* getsockopt OBSOLETE */ | 2840 NULL, /* getsockopt OBSOLETE */ |
2803 NULL, » /* setsockopt OBSOLETE */ | 2841 NULL, /* setsockopt OBSOLETE */ |
2804 NULL, » /* getsocketoption */ | 2842 NULL, /* getsocketoption */ |
2805 NULL, » /* setsocketoption */ | 2843 NULL, /* setsocketoption */ |
2806 PR_EmulateSendFile, » /* Send a (partial) file with header/trailer*/ | 2844 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ |
2807 NULL, » /* reserved for future use */ | 2845 NULL, /* reserved for future use */ |
2808 NULL, » /* reserved for future use */ | 2846 NULL, /* reserved for future use */ |
2809 NULL, » /* reserved for future use */ | 2847 NULL, /* reserved for future use */ |
2810 NULL, » /* reserved for future use */ | 2848 NULL, /* reserved for future use */ |
2811 NULL » /* reserved for future use */ | 2849 NULL /* reserved for future use */ |
2812 }; | 2850 }; |
2813 | 2851 |
2814 | 2852 |
2815 static PRIOMethods combined_methods; | 2853 static PRIOMethods combined_methods; |
2816 | 2854 |
2817 static void | 2855 static void |
2818 ssl_SetupIOMethods(void) | 2856 ssl_SetupIOMethods(void) |
2819 { | 2857 { |
2820 PRIOMethods *new_methods = &combined_methods; | 2858 PRIOMethods *new_methods = &combined_methods; |
2821 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); | 2859 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); |
(...skipping 20 matching lines...) Expand all Loading... |
2842 new_methods->shutdown = my_methods->shutdown; | 2880 new_methods->shutdown = my_methods->shutdown; |
2843 new_methods->recv = my_methods->recv; | 2881 new_methods->recv = my_methods->recv; |
2844 new_methods->send = my_methods->send; | 2882 new_methods->send = my_methods->send; |
2845 new_methods->recvfrom = my_methods->recvfrom; | 2883 new_methods->recvfrom = my_methods->recvfrom; |
2846 new_methods->sendto = my_methods->sendto; | 2884 new_methods->sendto = my_methods->sendto; |
2847 new_methods->poll = my_methods->poll; | 2885 new_methods->poll = my_methods->poll; |
2848 new_methods->acceptread = my_methods->acceptread; | 2886 new_methods->acceptread = my_methods->acceptread; |
2849 new_methods->transmitfile = my_methods->transmitfile; | 2887 new_methods->transmitfile = my_methods->transmitfile; |
2850 new_methods->getsockname = my_methods->getsockname; | 2888 new_methods->getsockname = my_methods->getsockname; |
2851 new_methods->getpeername = my_methods->getpeername; | 2889 new_methods->getpeername = my_methods->getpeername; |
2852 /* new_methods->getsocketoption = my_methods->getsocketoption;» */ | 2890 /* new_methods->getsocketoption = my_methods->getsocketoption; */ |
2853 /* new_methods->setsocketoption = my_methods->setsocketoption;» */ | 2891 /* new_methods->setsocketoption = my_methods->setsocketoption; */ |
2854 new_methods->sendfile = my_methods->sendfile; | 2892 new_methods->sendfile = my_methods->sendfile; |
2855 | 2893 |
2856 } | 2894 } |
2857 | 2895 |
2858 static PRCallOnceType initIoLayerOnce; | 2896 static PRCallOnceType initIoLayerOnce; |
2859 | 2897 |
2860 static PRStatus | 2898 static PRStatus |
2861 ssl_InitIOLayer(void) | 2899 ssl_InitIOLayer(void) |
2862 { | 2900 { |
2863 ssl_layer_id = PR_GetUniqueIdentity("SSL"); | 2901 ssl_layer_id = PR_GetUniqueIdentity("SSL"); |
2864 ssl_SetupIOMethods(); | 2902 ssl_SetupIOMethods(); |
2865 ssl_inited = PR_TRUE; | 2903 ssl_inited = PR_TRUE; |
2866 return PR_SUCCESS; | 2904 return PR_SUCCESS; |
2867 } | 2905 } |
2868 | 2906 |
2869 static PRStatus | 2907 static PRStatus |
2870 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) | 2908 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) |
2871 { | 2909 { |
2872 PRFileDesc *layer» = NULL; | 2910 PRFileDesc *layer = NULL; |
2873 PRStatus status; | 2911 PRStatus status; |
2874 | 2912 |
2875 if (!ssl_inited) { | 2913 if (!ssl_inited) { |
2876 » status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); | 2914 status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); |
2877 » if (status != PR_SUCCESS) | 2915 if (status != PR_SUCCESS) |
2878 » goto loser; | 2916 goto loser; |
2879 } | 2917 } |
2880 | 2918 |
2881 if (ns == NULL) | 2919 if (ns == NULL) |
2882 » goto loser; | 2920 goto loser; |
2883 | 2921 |
2884 layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods); | 2922 layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods); |
2885 if (layer == NULL) | 2923 if (layer == NULL) |
2886 » goto loser; | 2924 goto loser; |
2887 layer->secret = (PRFilePrivate *)ns; | 2925 layer->secret = (PRFilePrivate *)ns; |
2888 | 2926 |
2889 /* Here, "stack" points to the PRFileDesc on the top of the stack. | 2927 /* Here, "stack" points to the PRFileDesc on the top of the stack. |
2890 ** "layer" points to a new FD that is to be inserted into the stack. | 2928 ** "layer" points to a new FD that is to be inserted into the stack. |
2891 ** If layer is being pushed onto the top of the stack, then | 2929 ** If layer is being pushed onto the top of the stack, then |
2892 ** PR_PushIOLayer switches the contents of stack and layer, and then | 2930 ** PR_PushIOLayer switches the contents of stack and layer, and then |
2893 ** puts stack on top of layer, so that after it is done, the top of | 2931 ** puts stack on top of layer, so that after it is done, the top of |
2894 ** stack is the same "stack" as it was before, and layer is now the | 2932 ** stack is the same "stack" as it was before, and layer is now the |
2895 ** FD for the former top of stack. | 2933 ** FD for the former top of stack. |
2896 ** After this call, stack always points to the top PRFD on the stack. | 2934 ** After this call, stack always points to the top PRFD on the stack. |
2897 ** If this function fails, the contents of stack and layer are as | 2935 ** If this function fails, the contents of stack and layer are as |
2898 ** they were before the call. | 2936 ** they were before the call. |
2899 */ | 2937 */ |
2900 status = PR_PushIOLayer(stack, id, layer); | 2938 status = PR_PushIOLayer(stack, id, layer); |
2901 if (status != PR_SUCCESS) | 2939 if (status != PR_SUCCESS) |
2902 » goto loser; | 2940 goto loser; |
2903 | 2941 |
2904 ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer; | 2942 ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer; |
2905 return PR_SUCCESS; | 2943 return PR_SUCCESS; |
2906 | 2944 |
2907 loser: | 2945 loser: |
2908 if (layer) { | 2946 if (layer) { |
2909 » layer->dtor(layer); /* free layer */ | 2947 layer->dtor(layer); /* free layer */ |
2910 } | 2948 } |
2911 return PR_FAILURE; | 2949 return PR_FAILURE; |
2912 } | 2950 } |
2913 | 2951 |
2914 /* if this fails, caller must destroy socket. */ | 2952 /* if this fails, caller must destroy socket. */ |
2915 static SECStatus | 2953 static SECStatus |
2916 ssl_MakeLocks(sslSocket *ss) | 2954 ssl_MakeLocks(sslSocket *ss) |
2917 { | 2955 { |
2918 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); | 2956 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); |
2919 if (!ss->firstHandshakeLock) | 2957 if (!ss->firstHandshakeLock) |
2920 » goto loser; | 2958 goto loser; |
2921 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); | 2959 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); |
2922 if (!ss->ssl3HandshakeLock) | 2960 if (!ss->ssl3HandshakeLock) |
2923 » goto loser; | 2961 goto loser; |
2924 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); | 2962 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); |
2925 if (!ss->specLock) | 2963 if (!ss->specLock) |
2926 » goto loser; | 2964 goto loser; |
2927 ss->recvBufLock = PZ_NewMonitor(nssILockSSL); | 2965 ss->recvBufLock = PZ_NewMonitor(nssILockSSL); |
2928 if (!ss->recvBufLock) | 2966 if (!ss->recvBufLock) |
2929 » goto loser; | 2967 goto loser; |
2930 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); | 2968 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); |
2931 if (!ss->xmitBufLock) | 2969 if (!ss->xmitBufLock) |
2932 » goto loser; | 2970 goto loser; |
2933 ss->writerThread = NULL; | 2971 ss->writerThread = NULL; |
2934 if (ssl_lock_readers) { | 2972 if (ssl_lock_readers) { |
2935 » ss->recvLock = PZ_NewLock(nssILockSSL); | 2973 ss->recvLock = PZ_NewLock(nssILockSSL); |
2936 » if (!ss->recvLock) | 2974 if (!ss->recvLock) |
2937 » goto loser; | 2975 goto loser; |
2938 » ss->sendLock = PZ_NewLock(nssILockSSL); | 2976 ss->sendLock = PZ_NewLock(nssILockSSL); |
2939 » if (!ss->sendLock) | 2977 if (!ss->sendLock) |
2940 » goto loser; | 2978 goto loser; |
2941 } | 2979 } |
2942 return SECSuccess; | 2980 return SECSuccess; |
2943 loser: | 2981 loser: |
2944 ssl_DestroyLocks(ss); | 2982 ssl_DestroyLocks(ss); |
2945 return SECFailure; | 2983 return SECFailure; |
2946 } | 2984 } |
2947 | 2985 |
2948 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) | 2986 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) |
2949 #define NSS_HAVE_GETENV 1 | 2987 #define NSS_HAVE_GETENV 1 |
2950 #endif | 2988 #endif |
2951 | 2989 |
2952 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ | 2990 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ |
2953 | 2991 |
2954 static void | 2992 static void |
2955 ssl_SetDefaultsFromEnvironment(void) | 2993 ssl_SetDefaultsFromEnvironment(void) |
2956 { | 2994 { |
2957 #if defined( NSS_HAVE_GETENV ) | 2995 #if defined( NSS_HAVE_GETENV ) |
2958 static int firsttime = 1; | 2996 static int firsttime = 1; |
2959 | 2997 |
2960 if (firsttime) { | 2998 if (firsttime) { |
2961 » char * ev; | 2999 char * ev; |
2962 » firsttime = 0; | 3000 firsttime = 0; |
2963 #ifdef DEBUG | 3001 #ifdef DEBUG |
2964 » ev = getenv("SSLDEBUGFILE"); | 3002 ev = getenv("SSLDEBUGFILE"); |
2965 » if (ev && ev[0]) { | 3003 if (ev && ev[0]) { |
2966 » ssl_trace_iob = fopen(ev, "w"); | 3004 ssl_trace_iob = fopen(ev, "w"); |
2967 » } | 3005 } |
2968 » if (!ssl_trace_iob) { | 3006 if (!ssl_trace_iob) { |
2969 » ssl_trace_iob = stderr; | 3007 ssl_trace_iob = stderr; |
2970 » } | 3008 } |
2971 #ifdef TRACE | 3009 #ifdef TRACE |
2972 » ev = getenv("SSLTRACE"); | 3010 ev = getenv("SSLTRACE"); |
2973 » if (ev && ev[0]) { | 3011 if (ev && ev[0]) { |
2974 » ssl_trace = atoi(ev); | 3012 ssl_trace = atoi(ev); |
2975 » SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); | 3013 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); |
2976 » } | 3014 } |
2977 #endif /* TRACE */ | 3015 #endif /* TRACE */ |
2978 » ev = getenv("SSLDEBUG"); | 3016 ev = getenv("SSLDEBUG"); |
2979 » if (ev && ev[0]) { | 3017 if (ev && ev[0]) { |
2980 » ssl_debug = atoi(ev); | 3018 ssl_debug = atoi(ev); |
2981 » SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); | 3019 SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); |
2982 » } | 3020 } |
2983 #endif /* DEBUG */ | 3021 #endif /* DEBUG */ |
2984 » ev = getenv("SSLKEYLOGFILE"); | 3022 ev = getenv("SSLKEYLOGFILE"); |
2985 » if (ev && ev[0]) { | 3023 if (ev && ev[0]) { |
2986 » ssl_keylog_iob = fopen(ev, "a"); | 3024 ssl_keylog_iob = fopen(ev, "a"); |
2987 » if (!ssl_keylog_iob) { | 3025 if (!ssl_keylog_iob) { |
2988 » » SSL_TRACE(("SSL: failed to open key log file")); | 3026 SSL_TRACE(("SSL: failed to open key log file")); |
2989 » } else { | 3027 } else { |
2990 » » if (ftell(ssl_keylog_iob) == 0) { | 3028 if (ftell(ssl_keylog_iob) == 0) { |
2991 » » fputs("# SSL/TLS secrets log file, generated by NSS\n", | 3029 fputs("# SSL/TLS secrets log file, generated by NSS\n", |
2992 » » » ssl_keylog_iob); | 3030 ssl_keylog_iob); |
2993 » » } | 3031 } |
2994 » » SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); | 3032 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); |
2995 » } | 3033 } |
2996 » } | 3034 } |
2997 #ifndef NO_PKCS11_BYPASS | 3035 #ifndef NO_PKCS11_BYPASS |
2998 » ev = getenv("SSLBYPASS"); | 3036 ev = getenv("SSLBYPASS"); |
2999 » if (ev && ev[0]) { | 3037 if (ev && ev[0]) { |
3000 » ssl_defaults.bypassPKCS11 = (ev[0] == '1'); | 3038 ssl_defaults.bypassPKCS11 = (ev[0] == '1'); |
3001 » SSL_TRACE(("SSL: bypass default set to %d", \ | 3039 SSL_TRACE(("SSL: bypass default set to %d", \ |
3002 » » ssl_defaults.bypassPKCS11)); | 3040 ssl_defaults.bypassPKCS11)); |
3003 » } | 3041 } |
3004 #endif /* NO_PKCS11_BYPASS */ | 3042 #endif /* NO_PKCS11_BYPASS */ |
3005 » ev = getenv("SSLFORCELOCKS"); | 3043 ev = getenv("SSLFORCELOCKS"); |
3006 » if (ev && ev[0] == '1') { | 3044 if (ev && ev[0] == '1') { |
3007 » ssl_force_locks = PR_TRUE; | 3045 ssl_force_locks = PR_TRUE; |
3008 » ssl_defaults.noLocks = 0; | 3046 ssl_defaults.noLocks = 0; |
3009 » strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); | 3047 strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); |
3010 » SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); | 3048 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); |
3011 » } | 3049 } |
3012 » ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION"); | 3050 ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION"); |
3013 » if (ev) { | 3051 if (ev) { |
3014 » if (ev[0] == '1' || LOWER(ev[0]) == 'u') | 3052 if (ev[0] == '1' || LOWER(ev[0]) == 'u') |
3015 » » ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; | 3053 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; |
3016 » else if (ev[0] == '0' || LOWER(ev[0]) == 'n') | 3054 else if (ev[0] == '0' || LOWER(ev[0]) == 'n') |
3017 » » ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; | 3055 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; |
3018 » else if (ev[0] == '2' || LOWER(ev[0]) == 'r') | 3056 else if (ev[0] == '2' || LOWER(ev[0]) == 'r') |
3019 » » ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; | 3057 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; |
3020 » else if (ev[0] == '3' || LOWER(ev[0]) == 't') | 3058 else if (ev[0] == '3' || LOWER(ev[0]) == 't') |
3021 » » ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; | 3059 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; |
3022 » SSL_TRACE(("SSL: enableRenegotiation set to %d", | 3060 SSL_TRACE(("SSL: enableRenegotiation set to %d", |
3023 » ssl_defaults.enableRenegotiation)); | 3061 ssl_defaults.enableRenegotiation)); |
3024 » } | 3062 } |
3025 » ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); | 3063 ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); |
3026 » if (ev && ev[0] == '1') { | 3064 if (ev && ev[0] == '1') { |
3027 » ssl_defaults.requireSafeNegotiation = PR_TRUE; | 3065 ssl_defaults.requireSafeNegotiation = PR_TRUE; |
3028 » SSL_TRACE(("SSL: requireSafeNegotiation set to %d", | 3066 SSL_TRACE(("SSL: requireSafeNegotiation set to %d", |
3029 » PR_TRUE)); | 3067 PR_TRUE)); |
3030 » } | 3068 } |
3031 » ev = getenv("NSS_SSL_CBC_RANDOM_IV"); | 3069 ev = getenv("NSS_SSL_CBC_RANDOM_IV"); |
3032 » if (ev && ev[0] == '0') { | 3070 if (ev && ev[0] == '0') { |
3033 » ssl_defaults.cbcRandomIV = PR_FALSE; | 3071 ssl_defaults.cbcRandomIV = PR_FALSE; |
3034 » SSL_TRACE(("SSL: cbcRandomIV set to 0")); | 3072 SSL_TRACE(("SSL: cbcRandomIV set to 0")); |
3035 » } | 3073 } |
3036 } | 3074 } |
3037 #endif /* NSS_HAVE_GETENV */ | 3075 #endif /* NSS_HAVE_GETENV */ |
3038 } | 3076 } |
3039 | 3077 |
3040 /* | 3078 /* |
3041 ** Create a newsocket structure for a file descriptor. | 3079 ** Create a newsocket structure for a file descriptor. |
3042 */ | 3080 */ |
3043 static sslSocket * | 3081 static sslSocket * |
3044 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) | 3082 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
3045 { | 3083 { |
3046 sslSocket *ss; | 3084 sslSocket *ss; |
3047 | 3085 |
3048 ssl_SetDefaultsFromEnvironment(); | 3086 ssl_SetDefaultsFromEnvironment(); |
3049 | 3087 |
3050 if (ssl_force_locks) | 3088 if (ssl_force_locks) |
3051 » makeLocks = PR_TRUE; | 3089 makeLocks = PR_TRUE; |
3052 | 3090 |
3053 /* Make a new socket and get it ready */ | 3091 /* Make a new socket and get it ready */ |
3054 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); | 3092 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); |
3055 if (ss) { | 3093 if (ss) { |
3056 /* This should be of type SSLKEAType, but CC on IRIX | 3094 /* This should be of type SSLKEAType, but CC on IRIX |
3057 » * complains during the for loop. | 3095 * complains during the for loop. |
3058 » */ | 3096 */ |
3059 » int i; | 3097 int i; |
3060 » SECStatus status; | 3098 SECStatus status; |
3061 | |
3062 » ss->opt = ssl_defaults; | |
3063 » ss->opt.useSocks = PR_FALSE; | |
3064 » ss->opt.noLocks = !makeLocks; | |
3065 » ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); | |
3066 » ss->protocolVariant = protocolVariant; | |
3067 | 3099 |
3068 » ss->peerID = NULL; | 3100 ss->opt = ssl_defaults; |
3069 » ss->rTimeout» = PR_INTERVAL_NO_TIMEOUT; | 3101 ss->opt.useSocks = PR_FALSE; |
3070 » ss->wTimeout» = PR_INTERVAL_NO_TIMEOUT; | 3102 ss->opt.noLocks = !makeLocks; |
3071 » ss->cTimeout» = PR_INTERVAL_NO_TIMEOUT; | 3103 ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); |
3072 » ss->cipherSpecs = NULL; | 3104 ss->protocolVariant = protocolVariant; |
| 3105 |
| 3106 ss->peerID = NULL; |
| 3107 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 3108 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 3109 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 3110 ss->cipherSpecs = NULL; |
3073 ss->sizeCipherSpecs = 0; /* produced lazily */ | 3111 ss->sizeCipherSpecs = 0; /* produced lazily */ |
3074 ss->preferredCipher = NULL; | 3112 ss->preferredCipher = NULL; |
3075 ss->url = NULL; | 3113 ss->url = NULL; |
3076 | 3114 |
3077 » for (i=kt_null; i < kt_kea_size; i++) { | 3115 for (i=kt_null; i < kt_kea_size; i++) { |
3078 » sslServerCerts * sc = ss->serverCerts + i; | 3116 sslServerCerts * sc = ss->serverCerts + i; |
3079 » sc->serverCert = NULL; | 3117 sc->serverCert = NULL; |
3080 » sc->serverCertChain = NULL; | 3118 sc->serverCertChain = NULL; |
3081 » sc->serverKeyPair = NULL; | 3119 sc->serverKeyPair = NULL; |
3082 » sc->serverKeyBits = 0; | 3120 sc->serverKeyBits = 0; |
3083 » ss->certStatusArray[i] = NULL; | 3121 ss->certStatusArray[i] = NULL; |
3084 » } | 3122 } |
3085 » ss->requestedCertTypes = NULL; | 3123 ss->requestedCertTypes = NULL; |
3086 » ss->stepDownKeyPair = NULL; | 3124 ss->stepDownKeyPair = NULL; |
3087 » ss->dbHandle = CERT_GetDefaultCertDB(); | 3125 ss->dbHandle = CERT_GetDefaultCertDB(); |
3088 | 3126 |
3089 » /* Provide default implementation of hooks */ | 3127 /* Provide default implementation of hooks */ |
3090 » ss->authCertificate = SSL_AuthCertificate; | 3128 ss->authCertificate = SSL_AuthCertificate; |
3091 » ss->authCertificateArg = (void *)ss->dbHandle; | 3129 ss->authCertificateArg = (void *)ss->dbHandle; |
3092 ss->sniSocketConfig = NULL; | 3130 ss->sniSocketConfig = NULL; |
3093 ss->sniSocketConfigArg = NULL; | 3131 ss->sniSocketConfigArg = NULL; |
3094 » ss->getClientAuthData = NULL; | 3132 ss->getClientAuthData = NULL; |
3095 #ifdef NSS_PLATFORM_CLIENT_AUTH | 3133 #ifdef NSS_PLATFORM_CLIENT_AUTH |
3096 » ss->getPlatformClientAuthData = NULL; | 3134 ss->getPlatformClientAuthData = NULL; |
3097 » ss->getPlatformClientAuthDataArg = NULL; | 3135 ss->getPlatformClientAuthDataArg = NULL; |
3098 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 3136 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
3099 » ss->handleBadCert = NULL; | 3137 ss->handleBadCert = NULL; |
3100 » ss->badCertArg = NULL; | 3138 ss->badCertArg = NULL; |
3101 » ss->pkcs11PinArg = NULL; | 3139 ss->pkcs11PinArg = NULL; |
3102 » ss->ephemeralECDHKeyPair = NULL; | 3140 ss->ephemeralECDHKeyPair = NULL; |
3103 » ss->getChannelID = NULL; | 3141 ss->getChannelID = NULL; |
3104 » ss->getChannelIDArg = NULL; | 3142 ss->getChannelIDArg = NULL; |
3105 | 3143 |
3106 » ssl_ChooseOps(ss); | 3144 ssl_ChooseOps(ss); |
3107 » ssl2_InitSocketPolicy(ss); | 3145 ssl2_InitSocketPolicy(ss); |
3108 » ssl3_InitSocketPolicy(ss); | 3146 ssl3_InitSocketPolicy(ss); |
3109 » PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); | 3147 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); |
3110 | 3148 |
3111 » if (makeLocks) { | 3149 if (makeLocks) { |
3112 » status = ssl_MakeLocks(ss); | 3150 status = ssl_MakeLocks(ss); |
3113 » if (status != SECSuccess) | 3151 if (status != SECSuccess) |
3114 » » goto loser; | 3152 goto loser; |
3115 » } | 3153 } |
3116 » status = ssl_CreateSecurityInfo(ss); | 3154 status = ssl_CreateSecurityInfo(ss); |
3117 » if (status != SECSuccess) | 3155 if (status != SECSuccess) |
3118 » goto loser; | 3156 goto loser; |
3119 » status = ssl_InitGather(&ss->gs); | 3157 status = ssl_InitGather(&ss->gs); |
3120 » if (status != SECSuccess) { | 3158 if (status != SECSuccess) { |
3121 loser: | 3159 loser: |
3122 » ssl_DestroySocketContents(ss); | 3160 ssl_DestroySocketContents(ss); |
3123 » ssl_DestroyLocks(ss); | 3161 ssl_DestroyLocks(ss); |
3124 » PORT_Free(ss); | 3162 PORT_Free(ss); |
3125 » ss = NULL; | 3163 ss = NULL; |
3126 » } | 3164 } |
3127 } | 3165 } |
3128 return ss; | 3166 return ss; |
3129 } | 3167 } |
3130 | |
OLD | NEW |