Uprev NSS (in libssl) to NSS 3.21

net/third_party/nss/ssl/sslcon.c

 /* 
  * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nssrenam.h"
 #include "cert.h"
 #include "secitem.h"
 #include "sechash.h"
 #include "cryptohi.h"           /* for SGN_ funcs */
 #include "keyhi.h"              /* for SECKEY_ high level functions. */
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "ssl3prot.h"
 #include "sslerr.h"
 #include "pk11func.h"
 #include "prinit.h"
 #include "prtime.h"     /* for PR_Now() */
 
 static PRBool policyWasSet;
 
-/* This ordered list is indexed by (SSL_CK_xx * 3)   */
-/* Second and third bytes are MSB and LSB of master key length. */
-static const PRUint8 allCipherSuites[] = {
-    0,                                          0,    0,
-    SSL_CK_RC4_128_WITH_MD5,                    0x00, 0x80,
-    SSL_CK_RC4_128_EXPORT40_WITH_MD5,           0x00, 0x80,
-    SSL_CK_RC2_128_CBC_WITH_MD5,                0x00, 0x80,
-    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,       0x00, 0x80,
-    SSL_CK_IDEA_128_CBC_WITH_MD5,               0x00, 0x80,
-    SSL_CK_DES_64_CBC_WITH_MD5,                 0x00, 0x40,
-    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,           0x00, 0xC0,
-    0,                                          0,    0
-};
-
 #define ssl2_NUM_SUITES_IMPLEMENTED 6
 
 /* This list is sent back to the client when the client-hello message 
  * contains no overlapping ciphers, so the client can report what ciphers
  * are supported by the server.  Unlike allCipherSuites (above), this list
  * is sorted by descending preference, not by cipherSuite number. 
  */
 static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
     SSL_CK_RC4_128_WITH_MD5,                    0x00, 0x80,
     SSL_CK_RC2_128_CBC_WITH_MD5,                0x00, 0x80,
@@ skipping 795 matching lines @@
 ** Send some data in the clear. 
 ** Package up data with the length header and send it.
 **
 ** Return count of bytes successfully written, or negative number (failure).
 */
 static PRInt32 
 ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
 {
     PRUint8         * out;
     int               rv;
-    int               amount;
+    unsigned int amount;
     int               count     = 0;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
                  SSL_GETPID(), ss->fd, len));
     PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
 
     while (len) {
         amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
@@ skipping 55 matching lines @@
 static PRInt32 
 ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
 {
     PRUint8       *  out;
     int              rv;
     int              count      = 0;
 
     int              amount;
     PRUint8          macLen;
     int              nout;
-    int              buflen;
+    unsigned int buflen;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
                  SSL_GETPID(), ss->fd, len));
     PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
 
     while (len) {
         ssl_GetSpecReadLock(ss);  /*************************************/
 
@@ skipping 83 matching lines @@
     PRUint8       *  out;                   /* begining of output buffer.    */
     PRUint8       *  op;                    /* next output byte goes here.   */
     int              rv;                    /* value from funcs we called.   */
     int              count      = 0;        /* this function's return value. */
 
     unsigned int     hlen;                  /* output record hdr len, 2 or 3 */
     unsigned int     macLen;                /* MAC is this many bytes long.  */
     int              amount;                /* of plaintext to go in record. */
     unsigned int     padding;               /* add this many padding byte.   */
     int              nout;                  /* ciphertext size after header. */
-    int              buflen;                /* size of generated record.     */
+    unsigned int buflen;                    /* size of generated record.     */
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
                  SSL_GETPID(), ss->fd, len));
     PRINT_BUF(50, (ss, "clear data:", in, len));
 
     while (len) {
         ssl_GetSpecReadLock(ss);  /*************************************/
 
@@ skipping 503 matching lines @@
                          PRUint8 *ek, unsigned int ekLen,
                          PRUint8 *ca, unsigned int caLen)
 {
     PRUint8      *    dk   = NULL; /* decrypted master key */
     sslSessionID *    sid;
     sslServerCerts *  sc   = ss->serverCerts + kt_rsa;
     PRUint8       *   kbuf = 0; /* buffer for RSA decrypted data. */
     unsigned int      ddLen;    /* length of RSA decrypted data in kbuf */
     unsigned int      keySize;
     unsigned int      dkLen;    /* decrypted key length in bytes */
-    int               modulusLen;
+    int modulusLen;
     SECStatus         rv;
     PRUint16          allowed;  /* cipher kinds enabled and allowed by policy */
     PRUint8           mkbuf[SSL_MAX_MASTER_KEY_BYTES];
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
     PORT_Assert((sc->SERVERKEY != 0));
     PORT_Assert((ss->sec.ci.sid != 0));
     sid = ss->sec.ci.sid;
 
@@ skipping 41 matching lines @@
     }
 
     if (caLen != ssl_Specs[cipher].ivLen) {
         SSL_DBG(("%d: SSL[%d]: invalid key args length, caLen=%d (bytes)!",
                  SSL_GETPID(), ss->fd, caLen));
         PORT_SetError(SSL_ERROR_BAD_CLIENT);
         goto loser;
     }
 
     modulusLen = PK11_GetPrivateModulusLen(sc->SERVERKEY);
-    if (modulusLen == -1) {
+    if (modulusLen < 0) {
         /* XXX If the key is bad, then PK11_PubDecryptRaw will fail below. */
         modulusLen = ekLen;
     }
-    if (ekLen > modulusLen || ekLen + ckLen < keySize) {
+    if (ekLen > (unsigned int)modulusLen || ekLen + ckLen < keySize) {
         SSL_DBG(("%d: SSL[%d]: invalid encrypted key length, ekLen=%d (bytes)!",
                  SSL_GETPID(), ss->fd, ekLen));
         PORT_SetError(SSL_ERROR_BAD_CLIENT);
         goto loser;
     }
 
     /* allocate the buffer to hold the decrypted portion of the key. */
     kbuf = (PRUint8*)PORT_Alloc(modulusLen);
     if (!kbuf) {
         goto loser;
@@ skipping 853 matching lines @@
 ** Called from ssl_Do1stHandshake().
 ** 
 */
 static SECStatus
 ssl2_HandleMessage(sslSocket *ss)
 {
     PRUint8 *        data;
     PRUint8 *        cid;
     unsigned         len, certType, certLen, responseLen;
     int              rv;
-    int              rv2;
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetRecvBufLock(ss);
 
     data = ss->gs.buf.buf + ss->gs.recordOffset;
 
     if (ss->gs.recordLen < 1) {
         goto bad_peer;
     }
@@ skipping 97 matching lines @@
             > ss->gs.recordLen) {
             /* prevent overflow crash. */
             rv = SECFailure;
         } else
         rv = ssl2_HandleClientCertificate(ss, data[1],
                 data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
                 certLen,
                 data + SSL_HL_CLIENT_CERTIFICATE_HBYTES + certLen,
                 responseLen);
         if (rv) {
-            rv2 = ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
+            (void)ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
             SET_ERROR_CODE
             goto loser;
         }
         ss->sec.ci.elements |= CIS_HAVE_CERTIFICATE;
         break;
 
     case SSL_MT_ERROR:
         rv = (data[1] << 8) | data[2];
         SSL_TRC(2, ("%d: SSL[%d]: got error message, error=0x%x",
                     SSL_GETPID(), ss->fd, rv));
@@ skipping 107 matching lines @@
  * Called from ssl_Do1stHandshake after ssl2_BeginClientHandshake()
  */
 SECStatus
 ssl2_HandleServerHelloMessage(sslSocket *ss)
 {
     sslSessionID *   sid;
     PRUint8 *        cert;
     PRUint8 *        cs;
     PRUint8 *        data;
     SECStatus        rv; 
-    int              needed, sidHit, certLen, csLen, cidLen, certType, err;
+    unsigned int needed, sidHit, certLen, csLen, cidLen, certType, err;
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     if (!ss->opt.enableSSL2) {
         PORT_SetError(SSL_ERROR_SSL2_DISABLED);
         return SECFailure;
     }
 
     ssl_GetRecvBufLock(ss);
 
@@ skipping 907 matching lines @@
 loser:
     return SECFailure;
 }
 
 /* This function doesn't really belong in this file.
 ** It's here to keep AIX compilers from optimizing it away, 
 ** and not including it in the DSO.
 */
 
 #include "nss.h"
-extern const char __nss_ssl_rcsid[];
-extern const char __nss_ssl_sccsid[];
+extern const char __nss_ssl_version[];
 
 PRBool
 NSSSSL_VersionCheck(const char *importedVersion)
 {
+#define NSS_VERSION_VARIABLE __nss_ssl_version
+#include "verref.h"
+
     /*
      * This is the secret handshake algorithm.
      *
      * This release has a simple version compatibility
      * check algorithm.  This release is not backward
      * compatible with previous major releases.  It is
      * not compatible with future major, minor, or
      * patch releases.
      */
-    volatile char c; /* force a reference that won't get optimized away */
-
-    c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; 
     return NSS_VersionCheck(importedVersion);
 }
 
 const char *
 NSSSSL_GetVersion(void)
 {
     return NSS_VERSION;
 }