Index: net/third_party/nss/ssl/sslsock.c |
=================================================================== |
--- net/third_party/nss/ssl/sslsock.c (revision 203497) |
+++ net/third_party/nss/ssl/sslsock.c (working copy) |
@@ -38,8 +38,8 @@ |
typedef struct cipherPolicyStr cipherPolicy; |
/* This table contains two preconfigured policies: Export and France. |
-** It is used only by the functions SSL_SetDomesticPolicy, |
-** SSL_SetExportPolicy, and SSL_SetFrancyPolicy. |
+** It is used only by the functions NSS_SetDomesticPolicy, |
+** NSS_SetExportPolicy, and NSS_SetFrancePolicy. |
** Order of entries is not important. |
*/ |
static cipherPolicy ssl_ciphers[] = { /* Export France */ |
@@ -62,14 +62,19 @@ |
{ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
- { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
{ SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
+ { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
+ { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED }, |
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
@@ -89,6 +94,7 @@ |
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
{ TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
@@ -99,6 +105,7 @@ |
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
#endif /* NSS_ENABLE_ECC */ |
{ 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
@@ -789,18 +796,10 @@ |
rv = SECFailure; |
} else { |
if (PR_FALSE != on) { |
- /* TLS 1.2 isn't supported in bypass mode. */ |
- if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
- /* If the user requested a minimum version of TLS 1.2 then |
- * we don't silently downgrade. */ |
- PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
- rv = SECFailure; |
- break; |
- } |
- if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
- ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
- } |
- if (PR_SUCCESS == SSL_BypassSetup() ) { |
+ /* PKCS#11 bypass is not supported with TLS 1.2. */ |
+ if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
+ ss->opt.bypassPKCS11 = PR_FALSE; |
wtc
2013/06/05 00:30:40
This change is necessary to make the upstream NSS
agl
2013/06/05 14:53:47
(nit: extra space before equals.)
This seems like
wtc
2013/06/05 18:51:20
Done.
|
+ } else if (PR_SUCCESS == SSL_BypassSetup() ) { |
#ifdef NO_PKCS11_BYPASS |
ss->opt.bypassPKCS11 = PR_FALSE; |
#else |