Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(169)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/sslsock.c

Issue 1844813002: Uprev NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Update patches Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/third_party/nss/ssl/ssl3con.c ('K') | « net/third_party/nss/ssl/sslsnce.c ('k') | net/third_party/nss/ssl/sslt.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * vtables (and methods that call through them) for the 4 types of 2 * vtables (and methods that call through them) for the 4 types of
3 * SSLSockets supported. Only one type is still supported. 3 * SSLSockets supported. Only one type is still supported.
4 * Various other functions. 4 * Various other functions.
5 * 5 *
6 * This Source Code Form is subject to the terms of the Mozilla Public 6 * This Source Code Form is subject to the terms of the Mozilla Public
7 * License, v. 2.0. If a copy of the MPL was not distributed with this 7 * License, v. 2.0. If a copy of the MPL was not distributed with this
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9 #include "seccomon.h" 9 #include "seccomon.h"
10 #include "cert.h" 10 #include "cert.h"
11 #include "keyhi.h" 11 #include "keyhi.h"
12 #include "ssl.h" 12 #include "ssl.h"
13 #include "sslimpl.h" 13 #include "sslimpl.h"
14 #include "sslproto.h" 14 #include "sslproto.h"
15 #include "nspr.h" 15 #include "nspr.h"
16 #include "private/pprio.h" 16 #include "private/pprio.h"
17 #ifndef NO_PKCS11_BYPASS 17 #ifndef NO_PKCS11_BYPASS
18 #include "blapi.h" 18 #include "blapi.h"
19 #endif 19 #endif
20 #include "pk11pub.h"
21 #include "nss.h" 20 #include "nss.h"
22 #include "pk11pqg.h" 21 #include "pk11pqg.h"
23 22
24 /* This is a bodge to allow this code to be compiled against older NSS headers 23 #define SET_ERROR_CODE /* reminder */
25 * that don't contain the TLS 1.2 changes. */
26 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256
27 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
28 #endif
29 24
30 #define SET_ERROR_CODE /* reminder */ 25 static const sslSocketOps ssl_default_ops = { /* No SSL. */
31 26 ssl_DefConnect,
32 static const sslSocketOps ssl_default_ops = { /* No SSL. */ 27 NULL,
33 ssl_DefConnect, 28 ssl_DefBind,
34 NULL, 29 ssl_DefListen,
35 ssl_DefBind, 30 ssl_DefShutdown,
36 ssl_DefListen, 31 ssl_DefClose,
37 ssl_DefShutdown, 32 ssl_DefRecv,
38 ssl_DefClose, 33 ssl_DefSend,
39 ssl_DefRecv, 34 ssl_DefRead,
40 ssl_DefSend, 35 ssl_DefWrite,
41 ssl_DefRead, 36 ssl_DefGetpeername,
42 ssl_DefWrite, 37 ssl_DefGetsockname
43 ssl_DefGetpeername,
44 ssl_DefGetsockname
45 }; 38 };
46 39
47 static const sslSocketOps ssl_secure_ops = { /* SSL. */ 40 static const sslSocketOps ssl_secure_ops = { /* SSL. */
48 ssl_SecureConnect, 41 ssl_SecureConnect,
49 NULL, 42 NULL,
50 ssl_DefBind, 43 ssl_DefBind,
51 ssl_DefListen, 44 ssl_DefListen,
52 ssl_SecureShutdown, 45 ssl_SecureShutdown,
53 ssl_SecureClose, 46 ssl_SecureClose,
54 ssl_SecureRecv, 47 ssl_SecureRecv,
55 ssl_SecureSend, 48 ssl_SecureSend,
56 ssl_SecureRead, 49 ssl_SecureRead,
57 ssl_SecureWrite, 50 ssl_SecureWrite,
58 ssl_DefGetpeername, 51 ssl_DefGetpeername,
59 ssl_DefGetsockname 52 ssl_DefGetsockname
60 }; 53 };
61 54
62 /* 55 /*
63 ** default settings for socket enables 56 ** default settings for socket enables
64 */ 57 */
65 static sslOptions ssl_defaults = { 58 static sslOptions ssl_defaults = {
66 { siBuffer, NULL, 0 }, /* nextProtoNego */ 59 { siBuffer, NULL, 0 }, /* nextProtoNego */
67 PR_TRUE, /* useSecurity */ 60 PR_TRUE, /* useSecurity */
68 PR_FALSE, /* useSocks */ 61 PR_FALSE, /* useSocks */
69 PR_FALSE, /* requestCertificate */ 62 PR_FALSE, /* requestCertificate */
70 2, /* requireCertificate */ 63 2, /* requireCertificate */
71 PR_FALSE, /* handshakeAsClient */ 64 PR_FALSE, /* handshakeAsClient */
72 PR_FALSE, /* handshakeAsServer */ 65 PR_FALSE, /* handshakeAsServer */
73 PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ 66 PR_FALSE,
74 PR_FALSE, /* unusedBit9 */ 67 /* enableSSL2 */ /* now defaults to off in NSS 3.13 */
75 PR_FALSE, /* unusedBit10 */ 68 PR_FALSE, /* unusedBit9 */
76 PR_FALSE, /* noCache */ 69 PR_FALSE, /* unusedBit10 */
77 PR_FALSE, /* fdx */ 70 PR_FALSE, /* noCache */
78 PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ 71 PR_FALSE, /* fdx */
79 PR_TRUE, /* detectRollBack */ 72 PR_FALSE,
80 PR_FALSE, /* noStepDown */ 73 /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */
81 PR_FALSE, /* bypassPKCS11 */ 74 PR_TRUE, /* detectRollBack */
82 PR_FALSE, /* noLocks */ 75 PR_FALSE, /* noStepDown */
83 PR_FALSE, /* enableSessionTickets */ 76 PR_FALSE, /* bypassPKCS11 */
84 PR_FALSE, /* enableDeflate */ 77 PR_FALSE, /* noLocks */
85 2, /* enableRenegotiation (default: requires extension) */ 78 PR_FALSE, /* enableSessionTickets */
86 PR_FALSE, /* requireSafeNegotiation */ 79 PR_FALSE, /* enableDeflate */
87 PR_FALSE, /* enableFalseStart */ 80 2, /* enableRenegotiation (default: requires extension ) */
88 PR_TRUE, /* cbcRandomIV */ 81 PR_FALSE, /* requireSafeNegotiation */
89 PR_FALSE, /* enableOCSPStapling */ 82 PR_FALSE, /* enableFalseStart */
90 PR_TRUE, /* enableNPN */ 83 PR_TRUE, /* cbcRandomIV */
91 PR_FALSE, /* enableALPN */ 84 PR_FALSE, /* enableOCSPStapling */
92 PR_TRUE, /* reuseServerECDHEKey */ 85 PR_TRUE, /* enableNPN */
93 PR_FALSE, /* enableFallbackSCSV */ 86 PR_FALSE, /* enableALPN */
94 PR_TRUE, /* enableServerDhe */ 87 PR_TRUE, /* reuseServerECDHEKey */
95 PR_FALSE, /* enableExtendedMS */ 88 PR_FALSE, /* enableFallbackSCSV */
96 PR_FALSE, /* enableSignedCertTimestamps */ 89 PR_TRUE, /* enableServerDhe */
90 PR_FALSE, /* enableExtendedMS */
91 PR_FALSE, /* enableSignedCertTimestamps */
97 }; 92 };
98 93
99 /* 94 /*
100 * default range of enabled SSL/TLS protocols 95 * default range of enabled SSL/TLS protocols
101 */ 96 */
102 static SSLVersionRange versions_defaults_stream = { 97 static SSLVersionRange versions_defaults_stream = {
103 SSL_LIBRARY_VERSION_TLS_1_0, 98 SSL_LIBRARY_VERSION_TLS_1_0,
104 SSL_LIBRARY_VERSION_TLS_1_2 99 SSL_LIBRARY_VERSION_TLS_1_2
105 }; 100 };
106 101
107 static SSLVersionRange versions_defaults_datagram = { 102 static SSLVersionRange versions_defaults_datagram = {
108 SSL_LIBRARY_VERSION_TLS_1_1, 103 SSL_LIBRARY_VERSION_TLS_1_1,
109 SSL_LIBRARY_VERSION_TLS_1_2 104 SSL_LIBRARY_VERSION_TLS_1_2
110 }; 105 };
111 106
112 #define VERSIONS_DEFAULTS(variant) \ 107 #define VERSIONS_DEFAULTS(variant) \
113 (variant == ssl_variant_stream ? &versions_defaults_stream : \ 108 (variant == ssl_variant_stream ? &versions_defaults_stream : \
114 &versions_defaults_datagram) 109 &versions_defaults_datagram)
110 #define VERSIONS_POLICY_MIN(variant) \
111 (variant == ssl_variant_stream ? NSS_TLS_VERSION_MIN_POLICY : \
112 NSS_DTLS_VERSION_MIN_POLICY)
113 #define VERSIONS_POLICY_MAX(variant) \
114 (variant == ssl_variant_stream ? NSS_TLS_VERSION_MAX_POLICY : \
115 NSS_DTLS_VERSION_MAX_POLICY)
115 116
116 sslSessionIDLookupFunc ssl_sid_lookup; 117 sslSessionIDLookupFunc ssl_sid_lookup;
117 sslSessionIDCacheFunc ssl_sid_cache; 118 sslSessionIDCacheFunc ssl_sid_cache;
118 sslSessionIDUncacheFunc ssl_sid_uncache; 119 sslSessionIDUncacheFunc ssl_sid_uncache;
119 120
120 static PRBool ssl_inited = PR_FALSE; 121 static PRBool ssl_inited = PR_FALSE;
121 static PRDescIdentity ssl_layer_id; 122 static PRDescIdentity ssl_layer_id;
122 123
123 PRBool locksEverDisabled; /* implicitly PR_FALSE */ 124 PRBool locksEverDisabled; /* implicitly PR_FALSE */
124 PRBool ssl_force_locks; /* implicitly PR_FALSE */ 125 PRBool ssl_force_locks; /* implicitly PR_FALSE */
125 int ssl_lock_readers = 1; /* default true. */ 126 int ssl_lock_readers = 1; /* default true. */
126 char ssl_debug; 127 char ssl_debug;
127 char ssl_trace; 128 char ssl_trace;
128 FILE * ssl_trace_iob; 129 FILE *ssl_trace_iob;
129 FILE * ssl_keylog_iob; 130 FILE *ssl_keylog_iob;
130 char lockStatus[] = "Locks are ENABLED. "; 131 char lockStatus[] = "Locks are ENABLED. ";
131 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ 132 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */
132 133
133 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ 134 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */
134 static const PRUint16 srtpCiphers[] = { 135 static const PRUint16 srtpCiphers[] = {
135 SRTP_AES128_CM_HMAC_SHA1_80, 136 SRTP_AES128_CM_HMAC_SHA1_80,
136 SRTP_AES128_CM_HMAC_SHA1_32, 137 SRTP_AES128_CM_HMAC_SHA1_32,
137 0 138 0
138 }; 139 };
139 140
140 /* forward declarations. */ 141 /* forward declarations. */
141 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); 142 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant);
142 static SECStatus ssl_MakeLocks(sslSocket *ss); 143 static SECStatus ssl_MakeLocks(sslSocket *ss);
143 static void ssl_SetDefaultsFromEnvironment(void); 144 static void ssl_SetDefaultsFromEnvironment(void);
144 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, 145 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack,
145 PRDescIdentity id); 146 PRDescIdentity id);
146 147
147 /************************************************************************/ 148 /************************************************************************/
148 149
149 /* 150 /*
150 ** Lookup a socket structure from a file descriptor. 151 ** Lookup a socket structure from a file descriptor.
151 ** Only functions called through the PRIOMethods table should use this. 152 ** Only functions called through the PRIOMethods table should use this.
152 ** Other app-callable functions should use ssl_FindSocket. 153 ** Other app-callable functions should use ssl_FindSocket.
153 */ 154 */
154 static sslSocket * 155 static sslSocket *
155 ssl_GetPrivate(PRFileDesc *fd) 156 ssl_GetPrivate(PRFileDesc *fd)
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after
207 } 208 }
208 209
209 static sslSocket * 210 static sslSocket *
210 ssl_DupSocket(sslSocket *os) 211 ssl_DupSocket(sslSocket *os)
211 { 212 {
212 sslSocket *ss; 213 sslSocket *ss;
213 SECStatus rv; 214 SECStatus rv;
214 215
215 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); 216 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant);
216 if (ss) { 217 if (ss) {
217 ss->opt = os->opt; 218 ss->opt = os->opt;
218 ss->opt.useSocks = PR_FALSE; 219 ss->opt.useSocks = PR_FALSE;
219 ss->vrange = os->vrange; 220 ss->vrange = os->vrange;
220 221
221 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); 222 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID);
222 ss->url = !os->url ? NULL : PORT_Strdup(os->url); 223 ss->url = !os->url ? NULL : PORT_Strdup(os->url);
223 224
224 ss->ops = os->ops; 225 ss->ops = os->ops;
225 ss->rTimeout = os->rTimeout; 226 ss->rTimeout = os->rTimeout;
226 ss->wTimeout = os->wTimeout; 227 ss->wTimeout = os->wTimeout;
227 ss->cTimeout = os->cTimeout; 228 ss->cTimeout = os->cTimeout;
228 ss->dbHandle = os->dbHandle; 229 ss->dbHandle = os->dbHandle;
229 230
230 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ 231 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
231 ss->allowedByPolicy = os->allowedByPolicy; 232 ss->allowedByPolicy = os->allowedByPolicy;
232 ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; 233 ss->maybeAllowedByPolicy = os->maybeAllowedByPolicy;
233 ss->chosenPreference = os->chosenPreference; 234 ss->chosenPreference = os->chosenPreference;
234 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites) ; 235 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites) ;
235 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, 236 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
236 sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); 237 sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount);
237 ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; 238 ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount;
238 PORT_Memcpy(ss->ssl3.signatureAlgorithms, os->ssl3.signatureAlgorithms, 239 PORT_Memcpy(ss->ssl3.signatureAlgorithms, os->ssl3.signatureAlgorithms,
239 sizeof(ss->ssl3.signatureAlgorithms[0]) * 240 sizeof(ss->ssl3.signatureAlgorithms[0]) *
240 os->ssl3.signatureAlgorithmCount); 241 os->ssl3.signatureAlgorithmCount);
241 ss->ssl3.signatureAlgorithmCount = os->ssl3.signatureAlgorithmCount; 242 ss->ssl3.signatureAlgorithmCount = os->ssl3.signatureAlgorithmCount;
243 ss->ssl3.downgradeCheckVersion = os->ssl3.downgradeCheckVersion;
242 244
243 ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; 245 ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled;
244 ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups; 246 ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups;
245 if (os->ssl3.dheGroups) { 247 if (os->ssl3.dheGroups) {
246 ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType, 248 ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType,
247 os->ssl3.numDHEGroups); 249 os->ssl3.numDHEGroups);
248 if (!ss->ssl3.dheGroups) { 250 if (!ss->ssl3.dheGroups) {
249 goto loser; 251 goto loser;
250 } 252 }
251 PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups, 253 PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups,
252 sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups); 254 sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups);
253 } else { 255 } else {
254 ss->ssl3.dheGroups = NULL; 256 ss->ssl3.dheGroups = NULL;
255 } 257 }
256 258
257 if (os->cipherSpecs) { 259 if (os->cipherSpecs) {
258 ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); 260 ss->cipherSpecs = (unsigned char *)PORT_Alloc(os->sizeCipherSpecs);
259 if (ss->cipherSpecs) 261 if (ss->cipherSpecs)
260 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, 262 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs,
261 os->sizeCipherSpecs); 263 os->sizeCipherSpecs);
262 ss->sizeCipherSpecs = os->sizeCipherSpecs; 264 ss->sizeCipherSpecs = os->sizeCipherSpecs;
263 ss->preferredCipher = os->preferredCipher; 265 ss->preferredCipher = os->preferredCipher;
264 } else { 266 } else {
265 ss->cipherSpecs = NULL; /* produced lazily */ 267 ss->cipherSpecs = NULL; /* produced lazily */
266 ss->sizeCipherSpecs = 0; 268 ss->sizeCipherSpecs = 0;
267 ss->preferredCipher = NULL; 269 ss->preferredCipher = NULL;
268 } 270 }
269 if (ss->opt.useSecurity) { 271 if (ss->opt.useSecurity) {
270 /* This int should be SSLKEAType, but CC on Irix complains, 272 /* This int should be SSLKEAType, but CC on Irix complains,
271 * during the for loop. 273 * during the for loop.
272 */ 274 */
273 int i; 275 int i;
274 sslServerCerts * oc = os->serverCerts; 276 sslServerCerts *oc = os->serverCerts;
275 sslServerCerts * sc = ss->serverCerts; 277 sslServerCerts *sc = ss->serverCerts;
276 278
277 for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) { 279 for (i = kt_null; i < kt_kea_size; i++, oc++, sc++) {
278 if (oc->serverCert && oc->serverCertChain) { 280 if (oc->serverCert && oc->serverCertChain) {
279 sc->serverCert = CERT_DupCertificate(oc->serverCert); 281 sc->serverCert = CERT_DupCertificate(oc->serverCert);
280 sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); 282 sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
281 if (!sc->serverCertChain) 283 if (!sc->serverCertChain)
282 goto loser; 284 goto loser;
283 } else { 285 } else {
284 sc->serverCert = NULL; 286 sc->serverCert = NULL;
285 sc->serverCertChain = NULL; 287 sc->serverCertChain = NULL;
286 } 288 }
287 sc->serverKeyPair = oc->serverKeyPair ? 289 sc->serverKeyPair = oc->serverKeyPair ? ssl3_GetKeyPairRef(oc->s erverKeyPair)
288 ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL; 290 : NULL;
289 if (oc->serverKeyPair && !sc->serverKeyPair) 291 if (oc->serverKeyPair && !sc->serverKeyPair)
290 goto loser; 292 goto loser;
291 sc->serverKeyBits = oc->serverKeyBits; 293 sc->serverKeyBits = oc->serverKeyBits;
292 ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : 294 ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : SECITE M_DupArray(NULL, os->certStatusArray[i]);
293 SECITEM_DupArray(NULL, os->certStatusArray[i]);
294 } 295 }
295 ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : 296 ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : ssl3_GetKeyPairR ef(os->stepDownKeyPair);
296 ssl3_GetKeyPairRef(os->stepDownKeyPair); 297 ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : ssl3_G etKeyPairRef(os->ephemeralECDHKeyPair);
297 ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : 298 ss->dheKeyPair = !os->dheKeyPair ? NULL : ssl3_GetKeyPairRef(os->dhe KeyPair);
298 ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
299 ss->dheKeyPair = !os->dheKeyPair ? NULL :
300 ssl3_GetKeyPairRef(os->dheKeyPair);
301 ss->dheParams = os->dheParams; 299 ss->dheParams = os->dheParams;
302 300
303 /* 301 /*
304 * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. 302 * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
305 * XXX We should detect this, and not just march on with NULL pointers. 303 * XXX We should detect this, and not just march on with NULL pointe rs.
306 */ 304 */
307 ss->authCertificate = os->authCertificate; 305 ss->authCertificate = os->authCertificate;
308 ss->authCertificateArg = os->authCertificateArg; 306 ss->authCertificateArg = os->authCertificateArg;
309 ss->getClientAuthData = os->getClientAuthData; 307 ss->getClientAuthData = os->getClientAuthData;
310 ss->getClientAuthDataArg = os->getClientAuthDataArg; 308 ss->getClientAuthDataArg = os->getClientAuthDataArg;
311 #ifdef NSS_PLATFORM_CLIENT_AUTH 309 ss->sniSocketConfig = os->sniSocketConfig;
312 ss->getPlatformClientAuthData = os->getPlatformClientAuthData; 310 ss->sniSocketConfigArg = os->sniSocketConfigArg;
313 ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; 311 ss->handleBadCert = os->handleBadCert;
314 #endif 312 ss->badCertArg = os->badCertArg;
315 ss->sniSocketConfig = os->sniSocketConfig; 313 ss->handshakeCallback = os->handshakeCallback;
316 ss->sniSocketConfigArg = os->sniSocketConfigArg;
317 ss->handleBadCert = os->handleBadCert;
318 ss->badCertArg = os->badCertArg;
319 ss->handshakeCallback = os->handshakeCallback;
320 ss->handshakeCallbackData = os->handshakeCallbackData; 314 ss->handshakeCallbackData = os->handshakeCallbackData;
321 ss->canFalseStartCallback = os->canFalseStartCallback; 315 ss->canFalseStartCallback = os->canFalseStartCallback;
322 ss->canFalseStartCallbackData = os->canFalseStartCallbackData; 316 ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
323 ss->pkcs11PinArg = os->pkcs11PinArg; 317 ss->pkcs11PinArg = os->pkcs11PinArg;
324 ss->getChannelID = os->getChannelID; 318 ss->getChannelID = os->getChannelID;
325 ss->getChannelIDArg = os->getChannelIDArg; 319 ss->getChannelIDArg = os->getChannelIDArg;
326 320
327 /* Create security data */ 321 /* Create security data */
328 rv = ssl_CopySecurityInfo(ss, os); 322 rv = ssl_CopySecurityInfo(ss, os);
329 if (rv != SECSuccess) { 323 if (rv != SECSuccess) {
330 goto loser; 324 goto loser;
331 } 325 }
332 } 326 }
333 } 327 }
334 return ss; 328 return ss;
335 329
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
373 } 367 }
374 } 368 }
375 369
376 /* Caller holds any relevant locks */ 370 /* Caller holds any relevant locks */
377 static void 371 static void
378 ssl_DestroySocketContents(sslSocket *ss) 372 ssl_DestroySocketContents(sslSocket *ss)
379 { 373 {
380 /* "i" should be of type SSLKEAType, but CC on IRIX complains during 374 /* "i" should be of type SSLKEAType, but CC on IRIX complains during
381 * the for loop. 375 * the for loop.
382 */ 376 */
383 int i; 377 int i;
384 378
385 /* Free up socket */ 379 /* Free up socket */
386 ssl_DestroySecurityInfo(&ss->sec); 380 ssl_DestroySecurityInfo(&ss->sec);
387 381
388 ssl3_DestroySSL3Info(ss); 382 ssl3_DestroySSL3Info(ss);
389 383
390 PORT_Free(ss->saveBuf.buf); 384 PORT_Free(ss->saveBuf.buf);
391 PORT_Free(ss->pendingBuf.buf); 385 PORT_Free(ss->pendingBuf.buf);
392 ssl_DestroyGather(&ss->gs); 386 ssl_DestroyGather(&ss->gs);
393 387
394 if (ss->peerID != NULL) 388 if (ss->peerID != NULL)
395 PORT_Free(ss->peerID); 389 PORT_Free(ss->peerID);
396 if (ss->url != NULL) 390 if (ss->url != NULL)
397 PORT_Free((void *)ss->url); /* CONST */ 391 PORT_Free((void *)ss->url); /* CONST */
398 if (ss->cipherSpecs) { 392 if (ss->cipherSpecs) {
399 PORT_Free(ss->cipherSpecs); 393 PORT_Free(ss->cipherSpecs);
400 ss->cipherSpecs = NULL; 394 ss->cipherSpecs = NULL;
401 ss->sizeCipherSpecs = 0; 395 ss->sizeCipherSpecs = 0;
402 } 396 }
403 397
404 /* Clean up server configuration */ 398 /* Clean up server configuration */
405 for (i=kt_null; i < kt_kea_size; i++) { 399 for (i = kt_null; i < kt_kea_size; i++) {
406 sslServerCerts * sc = ss->serverCerts + i; 400 sslServerCerts *sc = ss->serverCerts + i;
407 if (sc->serverCert != NULL) 401 if (sc->serverCert != NULL)
408 CERT_DestroyCertificate(sc->serverCert); 402 CERT_DestroyCertificate(sc->serverCert);
409 if (sc->serverCertChain != NULL) 403 if (sc->serverCertChain != NULL)
410 CERT_DestroyCertificateList(sc->serverCertChain); 404 CERT_DestroyCertificateList(sc->serverCertChain);
411 if (sc->serverKeyPair != NULL) 405 if (sc->serverKeyPair != NULL)
412 ssl3_FreeKeyPair(sc->serverKeyPair); 406 ssl3_FreeKeyPair(sc->serverKeyPair);
413 if (ss->certStatusArray[i] != NULL) { 407 if (ss->certStatusArray[i] != NULL) {
414 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); 408 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE);
415 ss->certStatusArray[i] = NULL; 409 ss->certStatusArray[i] = NULL;
416 } 410 }
411 if (ss->signedCertTimestamps[i].data) {
412 SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE);
413 }
417 } 414 }
418 if (ss->stepDownKeyPair) { 415 if (ss->stepDownKeyPair) {
419 ssl3_FreeKeyPair(ss->stepDownKeyPair); 416 ssl3_FreeKeyPair(ss->stepDownKeyPair);
420 ss->stepDownKeyPair = NULL; 417 ss->stepDownKeyPair = NULL;
421 } 418 }
422 if (ss->ephemeralECDHKeyPair) { 419 if (ss->ephemeralECDHKeyPair) {
423 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); 420 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
424 ss->ephemeralECDHKeyPair = NULL; 421 ss->ephemeralECDHKeyPair = NULL;
425 } 422 }
426 if (ss->dheKeyPair) { 423 if (ss->dheKeyPair) {
427 ssl3_FreeKeyPair(ss->dheKeyPair); 424 ssl3_FreeKeyPair(ss->dheKeyPair);
428 ss->dheKeyPair = NULL; 425 ss->dheKeyPair = NULL;
429 } 426 }
430 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); 427 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
431 if (ss->xtnData.sniNameArr) { 428 if (ss->xtnData.sniNameArr) {
432 PORT_Free(ss->xtnData.sniNameArr); 429 PORT_Free(ss->xtnData.sniNameArr);
433 ss->xtnData.sniNameArr = NULL; 430 ss->xtnData.sniNameArr = NULL;
434 } 431 }
435 } 432 }
436 433
437 /* 434 /*
438 * free an sslSocket struct, and all the stuff that hangs off of it 435 * free an sslSocket struct, and all the stuff that hangs off of it
439 */ 436 */
440 void 437 void
441 ssl_FreeSocket(sslSocket *ss) 438 ssl_FreeSocket(sslSocket *ss)
442 { 439 {
443 /* Get every lock you can imagine! 440 /* Get every lock you can imagine!
444 ** Caller already holds these: 441 ** Caller already holds these:
445 ** SSL_LOCK_READER(ss); 442 ** SSL_LOCK_READER(ss);
446 ** SSL_LOCK_WRITER(ss); 443 ** SSL_LOCK_WRITER(ss);
447 */ 444 */
448 ssl_Get1stHandshakeLock(ss); 445 ssl_Get1stHandshakeLock(ss);
449 ssl_GetRecvBufLock(ss); 446 ssl_GetRecvBufLock(ss);
450 ssl_GetSSL3HandshakeLock(ss); 447 ssl_GetSSL3HandshakeLock(ss);
451 ssl_GetXmitBufLock(ss); 448 ssl_GetXmitBufLock(ss);
452 ssl_GetSpecWriteLock(ss); 449 ssl_GetSpecWriteLock(ss);
453 450
454 ssl_DestroySocketContents(ss); 451 ssl_DestroySocketContents(ss);
455 452
456 /* Release all the locks acquired above. */ 453 /* Release all the locks acquired above. */
457 SSL_UNLOCK_READER(ss); 454 SSL_UNLOCK_READER(ss);
(...skipping 10 matching lines...) Expand all
468 PORT_Memset(ss, 0x1f, sizeof *ss); 465 PORT_Memset(ss, 0x1f, sizeof *ss);
469 #endif 466 #endif
470 PORT_Free(ss); 467 PORT_Free(ss);
471 return; 468 return;
472 } 469 }
473 470
474 /************************************************************************/ 471 /************************************************************************/
475 SECStatus 472 SECStatus
476 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) 473 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
477 { 474 {
478 PRFileDesc * osfd = ss->fd->lower; 475 PRFileDesc *osfd = ss->fd->lower;
479 SECStatus rv = SECFailure; 476 SECStatus rv = SECFailure;
480 PRSocketOptionData opt; 477 PRSocketOptionData opt;
481 478
482 opt.option = PR_SockOpt_NoDelay; 479 opt.option = PR_SockOpt_NoDelay;
483 opt.value.no_delay = (PRBool)!enabled; 480 opt.value.no_delay = (PRBool)!enabled;
484 481
485 if (osfd->methods->setsocketoption) { 482 if (osfd->methods->setsocketoption) {
486 rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt); 483 rv = (SECStatus)osfd->methods->setsocketoption(osfd, &opt);
487 } else { 484 } else {
488 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 485 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
489 } 486 }
490 487
491 return rv; 488 return rv;
492 } 489 }
493 490
494 static void 491 static void
495 ssl_ChooseOps(sslSocket *ss) 492 ssl_ChooseOps(sslSocket *ss)
496 { 493 {
497 ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops; 494 ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops;
498 } 495 }
499 496
500 /* Called from SSL_Enable (immediately below) */ 497 /* Called from SSL_Enable (immediately below) */
501 static SECStatus 498 static SECStatus
502 PrepareSocket(sslSocket *ss) 499 PrepareSocket(sslSocket *ss)
503 { 500 {
504 SECStatus rv = SECSuccess; 501 SECStatus rv = SECSuccess;
505 502
506 ssl_ChooseOps(ss); 503 ssl_ChooseOps(ss);
507 return rv; 504 return rv;
508 } 505 }
509 506
510 SECStatus 507 SECStatus
511 SSL_Enable(PRFileDesc *fd, int which, PRBool on) 508 SSL_Enable(PRFileDesc *fd, int which, PRBool on)
512 { 509 {
513 return SSL_OptionSet(fd, which, on); 510 return SSL_OptionSet(fd, which, on);
514 } 511 }
515 512
516 #ifndef NO_PKCS11_BYPASS 513 #ifndef NO_PKCS11_BYPASS
517 static const PRCallOnceType pristineCallOnce; 514 static const PRCallOnceType pristineCallOnce;
518 static PRCallOnceType setupBypassOnce; 515 static PRCallOnceType setupBypassOnce;
519 516
520 static SECStatus SSL_BypassShutdown(void* appData, void* nssData) 517 static SECStatus
518 SSL_BypassShutdown(void *appData, void *nssData)
521 { 519 {
522 /* unload freeBL shared library from memory */ 520 /* unload freeBL shared library from memory */
523 BL_Unload(); 521 BL_Unload();
524 setupBypassOnce = pristineCallOnce; 522 setupBypassOnce = pristineCallOnce;
525 return SECSuccess; 523 return SECSuccess;
526 } 524 }
527 525
528 static PRStatus SSL_BypassRegisterShutdown(void) 526 static PRStatus
527 SSL_BypassRegisterShutdown(void)
529 { 528 {
530 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); 529 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
531 PORT_Assert(SECSuccess == rv); 530 PORT_Assert(SECSuccess == rv);
532 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE; 531 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE;
533 } 532 }
534 #endif 533 #endif
535 534
536 static PRStatus SSL_BypassSetup(void) 535 static PRStatus
536 SSL_BypassSetup(void)
537 { 537 {
538 #ifdef NO_PKCS11_BYPASS 538 #ifdef NO_PKCS11_BYPASS
539 /* Guarantee binary compatibility */ 539 /* Guarantee binary compatibility */
540 return PR_SUCCESS; 540 return PR_SUCCESS;
541 #else 541 #else
542 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); 542 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
543 #endif 543 #endif
544 } 544 }
545 545
546 static PRBool ssl_VersionIsSupportedByPolicy(
547 SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version);
548
546 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in 549 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in
547 * ssl.h in the section "SSL version range setting API". 550 * ssl.h in the section "SSL version range setting API".
548 */ 551 */
549 static void 552 static void
550 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) 553 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on)
551 { 554 {
555 if (on) {
556 /* don't turn it on if tls1.0 disallowed by by policy */
557 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
558 SSL_LIBRARY_VERSION_TLS_1_0)) {
559 return;
560 }
561 }
552 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { 562 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
553 if (on) { 563 if (on) {
554 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; 564 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
555 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; 565 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0;
556 } /* else don't change anything */ 566 } /* else don't change anything */
557 return; 567 return;
558 } 568 }
559 569
560 if (on) { 570 if (on) {
561 /* Expand the range of enabled version to include TLS 1.0 */ 571 /* Expand the range of enabled version to include TLS 1.0 */
(...skipping 10 matching lines...) Expand all
572 } 582 }
573 } 583 }
574 } 584 }
575 585
576 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in 586 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in
577 * ssl.h in the section "SSL version range setting API". 587 * ssl.h in the section "SSL version range setting API".
578 */ 588 */
579 static void 589 static void
580 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) 590 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
581 { 591 {
582 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { 592 if (on) {
593 /* don't turn it on if ssl3 disallowed by by policy */
594 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
595 SSL_LIBRARY_VERSION_3_0)) {
596 return;
597 }
598 }
599 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
583 if (on) { 600 if (on) {
584 vrange->min = SSL_LIBRARY_VERSION_3_0; 601 vrange->min = SSL_LIBRARY_VERSION_3_0;
585 vrange->max = SSL_LIBRARY_VERSION_3_0; 602 vrange->max = SSL_LIBRARY_VERSION_3_0;
586 } /* else don't change anything */ 603 } /* else don't change anything */
587 return; 604 return;
588 } 605 }
589 606
590 if (on) { 607 if (on) {
591 /* Expand the range of enabled versions to include SSL 3.0. We know 608 /* Expand the range of enabled versions to include SSL 3.0. We know
592 * SSL 3.0 or some version of TLS is already enabled at this point, so 609 * SSL 3.0 or some version of TLS is already enabled at this point, so
593 * we don't need to change vrange->max. 610 * we don't need to change vrange->max.
594 */ 611 */
595 vrange->min = SSL_LIBRARY_VERSION_3_0; 612 vrange->min = SSL_LIBRARY_VERSION_3_0;
596 } else { 613 } else {
597 /* Disable SSL 3.0, leaving TLS unaffected. */ 614 /* Disable SSL 3.0, leaving TLS unaffected. */
598 if (vrange->max > SSL_LIBRARY_VERSION_3_0) { 615 if (vrange->max > SSL_LIBRARY_VERSION_3_0) {
599 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); 616 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
600 } else { 617 } else {
601 /* Only SSL 3.0 was enabled, so now no versions are. */ 618 /* Only SSL 3.0 was enabled, so now no versions are. */
602 vrange->min = SSL_LIBRARY_VERSION_NONE; 619 vrange->min = SSL_LIBRARY_VERSION_NONE;
603 vrange->max = SSL_LIBRARY_VERSION_NONE; 620 vrange->max = SSL_LIBRARY_VERSION_NONE;
604 } 621 }
605 } 622 }
606 } 623 }
607 624
608 SECStatus 625 SECStatus
609 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) 626 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
610 { 627 {
611 sslSocket *ss = ssl_FindSocket(fd); 628 sslSocket *ss = ssl_FindSocket(fd);
612 SECStatus rv = SECSuccess; 629 SECStatus rv = SECSuccess;
613 PRBool holdingLocks; 630 PRBool holdingLocks;
614 631
615 if (!ss) { 632 if (!ss) {
616 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); 633 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
617 return SECFailure; 634 return SECFailure;
618 } 635 }
619 636
620 holdingLocks = (!ss->opt.noLocks); 637 holdingLocks = (!ss->opt.noLocks);
621 ssl_Get1stHandshakeLock(ss); 638 ssl_Get1stHandshakeLock(ss);
622 ssl_GetSSL3HandshakeLock(ss); 639 ssl_GetSSL3HandshakeLock(ss);
623 640
624 switch (which) { 641 switch (which) {
625 case SSL_SOCKS: 642 case SSL_SOCKS:
626 ss->opt.useSocks = PR_FALSE; 643 ss->opt.useSocks = PR_FALSE;
627 rv = PrepareSocket(ss); 644 rv = PrepareSocket(ss);
628 if (on) { 645 if (on) {
646 PORT_SetError(SEC_ERROR_INVALID_ARGS);
647 rv = SECFailure;
648 }
649 break;
650
651 case SSL_SECURITY:
652 ss->opt.useSecurity = on;
653 rv = PrepareSocket(ss);
654 break;
655
656 case SSL_REQUEST_CERTIFICATE:
657 ss->opt.requestCertificate = on;
658 break;
659
660 case SSL_REQUIRE_CERTIFICATE:
661 ss->opt.requireCertificate = on;
662 break;
663
664 case SSL_HANDSHAKE_AS_CLIENT:
665 if (ss->opt.handshakeAsServer && on) {
666 PORT_SetError(SEC_ERROR_INVALID_ARGS);
667 rv = SECFailure;
668 break;
669 }
670 ss->opt.handshakeAsClient = on;
671 break;
672
673 case SSL_HANDSHAKE_AS_SERVER:
674 if (ss->opt.handshakeAsClient && on) {
675 PORT_SetError(SEC_ERROR_INVALID_ARGS);
676 rv = SECFailure;
677 break;
678 }
679 ss->opt.handshakeAsServer = on;
680 break;
681
682 case SSL_ENABLE_TLS:
683 if (IS_DTLS(ss)) {
684 if (on) {
685 PORT_SetError(SEC_ERROR_INVALID_ARGS);
686 rv = SECFailure; /* not allowed */
687 }
688 break;
689 }
690 ssl_EnableTLS(&ss->vrange, on);
691 ss->preferredCipher = NULL;
692 if (ss->cipherSpecs) {
693 PORT_Free(ss->cipherSpecs);
694 ss->cipherSpecs = NULL;
695 ss->sizeCipherSpecs = 0;
696 }
697 break;
698
699 case SSL_ENABLE_SSL3:
700 if (IS_DTLS(ss)) {
701 if (on) {
702 PORT_SetError(SEC_ERROR_INVALID_ARGS);
703 rv = SECFailure; /* not allowed */
704 }
705 break;
706 }
707 ssl_EnableSSL3(&ss->vrange, on);
708 ss->preferredCipher = NULL;
709 if (ss->cipherSpecs) {
710 PORT_Free(ss->cipherSpecs);
711 ss->cipherSpecs = NULL;
712 ss->sizeCipherSpecs = 0;
713 }
714 break;
715
716 case SSL_ENABLE_SSL2:
717 if (IS_DTLS(ss)) {
718 if (on) {
719 PORT_SetError(SEC_ERROR_INVALID_ARGS);
720 rv = SECFailure; /* not allowed */
721 }
722 break;
723 }
724 if (on) {
725 /* don't turn it on if ssl2 disallowed by by policy */
726 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
727 SSL_LIBRARY_VERSION_2)) {
728 break;
729 }
730 }
731 ss->opt.enableSSL2 = on;
732 if (on) {
733 ss->opt.v2CompatibleHello = on;
734 }
735 ss->preferredCipher = NULL;
736 if (ss->cipherSpecs) {
737 PORT_Free(ss->cipherSpecs);
738 ss->cipherSpecs = NULL;
739 ss->sizeCipherSpecs = 0;
740 }
741 break;
742
743 case SSL_NO_CACHE:
744 ss->opt.noCache = on;
745 break;
746
747 case SSL_ENABLE_FDX:
748 if (on && ss->opt.noLocks) {
749 PORT_SetError(SEC_ERROR_INVALID_ARGS);
750 rv = SECFailure;
751 }
752 ss->opt.fdx = on;
753 break;
754
755 case SSL_V2_COMPATIBLE_HELLO:
756 if (IS_DTLS(ss)) {
757 if (on) {
758 PORT_SetError(SEC_ERROR_INVALID_ARGS);
759 rv = SECFailure; /* not allowed */
760 }
761 break;
762 }
763 ss->opt.v2CompatibleHello = on;
764 if (!on) {
765 ss->opt.enableSSL2 = on;
766 }
767 break;
768
769 case SSL_ROLLBACK_DETECTION:
770 ss->opt.detectRollBack = on;
771 break;
772
773 case SSL_NO_STEP_DOWN:
774 ss->opt.noStepDown = on;
775 if (on)
776 SSL_DisableExportCipherSuites(fd);
777 break;
778
779 case SSL_BYPASS_PKCS11:
780 if (ss->handshakeBegun) {
781 PORT_SetError(PR_INVALID_STATE_ERROR);
782 rv = SECFailure;
783 } else {
784 if (PR_FALSE != on) {
785 if (PR_SUCCESS == SSL_BypassSetup()) {
786 #ifdef NO_PKCS11_BYPASS
787 ss->opt.bypassPKCS11 = PR_FALSE;
788 #else
789 ss->opt.bypassPKCS11 = on;
790 #endif
791 } else {
792 rv = SECFailure;
793 }
794 } else {
795 ss->opt.bypassPKCS11 = PR_FALSE;
796 }
797 }
798 break;
799
800 case SSL_NO_LOCKS:
801 if (on && ss->opt.fdx) {
802 PORT_SetError(SEC_ERROR_INVALID_ARGS);
803 rv = SECFailure;
804 }
805 if (on && ssl_force_locks)
806 on = PR_FALSE; /* silent override */
807 ss->opt.noLocks = on;
808 if (on) {
809 locksEverDisabled = PR_TRUE;
810 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
811 } else if (!holdingLocks) {
812 rv = ssl_MakeLocks(ss);
813 if (rv != SECSuccess) {
814 ss->opt.noLocks = PR_TRUE;
815 }
816 }
817 break;
818
819 case SSL_ENABLE_SESSION_TICKETS:
820 ss->opt.enableSessionTickets = on;
821 break;
822
823 case SSL_ENABLE_DEFLATE:
824 ss->opt.enableDeflate = on;
825 break;
826
827 case SSL_ENABLE_RENEGOTIATION:
828 ss->opt.enableRenegotiation = on;
829 break;
830
831 case SSL_REQUIRE_SAFE_NEGOTIATION:
832 ss->opt.requireSafeNegotiation = on;
833 break;
834
835 case SSL_ENABLE_FALSE_START:
836 ss->opt.enableFalseStart = on;
837 break;
838
839 case SSL_CBC_RANDOM_IV:
840 ss->opt.cbcRandomIV = on;
841 break;
842
843 case SSL_ENABLE_OCSP_STAPLING:
844 ss->opt.enableOCSPStapling = on;
845 break;
846
847 case SSL_ENABLE_NPN:
848 ss->opt.enableNPN = on;
849 break;
850
851 case SSL_ENABLE_ALPN:
852 ss->opt.enableALPN = on;
853 break;
854
855 case SSL_REUSE_SERVER_ECDHE_KEY:
856 ss->opt.reuseServerECDHEKey = on;
857 break;
858
859 case SSL_ENABLE_FALLBACK_SCSV:
860 ss->opt.enableFallbackSCSV = on;
861 break;
862
863 case SSL_ENABLE_SERVER_DHE:
864 ss->opt.enableServerDhe = on;
865 break;
866
867 case SSL_ENABLE_EXTENDED_MASTER_SECRET:
868 ss->opt.enableExtendedMS = on;
869 break;
870
871 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
872 ss->opt.enableSignedCertTimestamps = on;
873 break;
874
875 default:
629 PORT_SetError(SEC_ERROR_INVALID_ARGS); 876 PORT_SetError(SEC_ERROR_INVALID_ARGS);
630 rv = SECFailure; 877 rv = SECFailure;
631 }
632 break;
633
634 case SSL_SECURITY:
635 ss->opt.useSecurity = on;
636 rv = PrepareSocket(ss);
637 break;
638
639 case SSL_REQUEST_CERTIFICATE:
640 ss->opt.requestCertificate = on;
641 break;
642
643 case SSL_REQUIRE_CERTIFICATE:
644 ss->opt.requireCertificate = on;
645 break;
646
647 case SSL_HANDSHAKE_AS_CLIENT:
648 if ( ss->opt.handshakeAsServer && on ) {
649 PORT_SetError(SEC_ERROR_INVALID_ARGS);
650 rv = SECFailure;
651 break;
652 }
653 ss->opt.handshakeAsClient = on;
654 break;
655
656 case SSL_HANDSHAKE_AS_SERVER:
657 if ( ss->opt.handshakeAsClient && on ) {
658 PORT_SetError(SEC_ERROR_INVALID_ARGS);
659 rv = SECFailure;
660 break;
661 }
662 ss->opt.handshakeAsServer = on;
663 break;
664
665 case SSL_ENABLE_TLS:
666 if (IS_DTLS(ss)) {
667 if (on) {
668 PORT_SetError(SEC_ERROR_INVALID_ARGS);
669 rv = SECFailure; /* not allowed */
670 }
671 break;
672 }
673 ssl_EnableTLS(&ss->vrange, on);
674 ss->preferredCipher = NULL;
675 if (ss->cipherSpecs) {
676 PORT_Free(ss->cipherSpecs);
677 ss->cipherSpecs = NULL;
678 ss->sizeCipherSpecs = 0;
679 }
680 break;
681
682 case SSL_ENABLE_SSL3:
683 if (IS_DTLS(ss)) {
684 if (on) {
685 PORT_SetError(SEC_ERROR_INVALID_ARGS);
686 rv = SECFailure; /* not allowed */
687 }
688 break;
689 }
690 ssl_EnableSSL3(&ss->vrange, on);
691 ss->preferredCipher = NULL;
692 if (ss->cipherSpecs) {
693 PORT_Free(ss->cipherSpecs);
694 ss->cipherSpecs = NULL;
695 ss->sizeCipherSpecs = 0;
696 }
697 break;
698
699 case SSL_ENABLE_SSL2:
700 if (IS_DTLS(ss)) {
701 if (on) {
702 PORT_SetError(SEC_ERROR_INVALID_ARGS);
703 rv = SECFailure; /* not allowed */
704 }
705 break;
706 }
707 ss->opt.enableSSL2 = on;
708 if (on) {
709 ss->opt.v2CompatibleHello = on;
710 }
711 ss->preferredCipher = NULL;
712 if (ss->cipherSpecs) {
713 PORT_Free(ss->cipherSpecs);
714 ss->cipherSpecs = NULL;
715 ss->sizeCipherSpecs = 0;
716 }
717 break;
718
719 case SSL_NO_CACHE:
720 ss->opt.noCache = on;
721 break;
722
723 case SSL_ENABLE_FDX:
724 if (on && ss->opt.noLocks) {
725 PORT_SetError(SEC_ERROR_INVALID_ARGS);
726 rv = SECFailure;
727 }
728 ss->opt.fdx = on;
729 break;
730
731 case SSL_V2_COMPATIBLE_HELLO:
732 if (IS_DTLS(ss)) {
733 if (on) {
734 PORT_SetError(SEC_ERROR_INVALID_ARGS);
735 rv = SECFailure; /* not allowed */
736 }
737 break;
738 }
739 ss->opt.v2CompatibleHello = on;
740 if (!on) {
741 ss->opt.enableSSL2 = on;
742 }
743 break;
744
745 case SSL_ROLLBACK_DETECTION:
746 ss->opt.detectRollBack = on;
747 break;
748
749 case SSL_NO_STEP_DOWN:
750 ss->opt.noStepDown = on;
751 if (on)
752 SSL_DisableExportCipherSuites(fd);
753 break;
754
755 case SSL_BYPASS_PKCS11:
756 if (ss->handshakeBegun) {
757 PORT_SetError(PR_INVALID_STATE_ERROR);
758 rv = SECFailure;
759 } else {
760 if (PR_FALSE != on) {
761 if (PR_SUCCESS == SSL_BypassSetup() ) {
762 #ifdef NO_PKCS11_BYPASS
763 ss->opt.bypassPKCS11 = PR_FALSE;
764 #else
765 ss->opt.bypassPKCS11 = on;
766 #endif
767 } else {
768 rv = SECFailure;
769 }
770 } else {
771 ss->opt.bypassPKCS11 = PR_FALSE;
772 }
773 }
774 break;
775
776 case SSL_NO_LOCKS:
777 if (on && ss->opt.fdx) {
778 PORT_SetError(SEC_ERROR_INVALID_ARGS);
779 rv = SECFailure;
780 }
781 if (on && ssl_force_locks)
782 on = PR_FALSE; /* silent override */
783 ss->opt.noLocks = on;
784 if (on) {
785 locksEverDisabled = PR_TRUE;
786 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
787 } else if (!holdingLocks) {
788 rv = ssl_MakeLocks(ss);
789 if (rv != SECSuccess) {
790 ss->opt.noLocks = PR_TRUE;
791 }
792 }
793 break;
794
795 case SSL_ENABLE_SESSION_TICKETS:
796 ss->opt.enableSessionTickets = on;
797 break;
798
799 case SSL_ENABLE_DEFLATE:
800 ss->opt.enableDeflate = on;
801 break;
802
803 case SSL_ENABLE_RENEGOTIATION:
804 ss->opt.enableRenegotiation = on;
805 break;
806
807 case SSL_REQUIRE_SAFE_NEGOTIATION:
808 ss->opt.requireSafeNegotiation = on;
809 break;
810
811 case SSL_ENABLE_FALSE_START:
812 ss->opt.enableFalseStart = on;
813 break;
814
815 case SSL_CBC_RANDOM_IV:
816 ss->opt.cbcRandomIV = on;
817 break;
818
819 case SSL_ENABLE_OCSP_STAPLING:
820 ss->opt.enableOCSPStapling = on;
821 break;
822
823 case SSL_ENABLE_NPN:
824 ss->opt.enableNPN = on;
825 break;
826
827 case SSL_ENABLE_ALPN:
828 ss->opt.enableALPN = on;
829 break;
830
831 case SSL_REUSE_SERVER_ECDHE_KEY:
832 ss->opt.reuseServerECDHEKey = on;
833 break;
834
835 case SSL_ENABLE_FALLBACK_SCSV:
836 ss->opt.enableFallbackSCSV = on;
837 break;
838
839 case SSL_ENABLE_SERVER_DHE:
840 ss->opt.enableServerDhe = on;
841 break;
842
843 case SSL_ENABLE_EXTENDED_MASTER_SECRET:
844 ss->opt.enableExtendedMS = on;
845 break;
846
847 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
848 ss->opt.enableSignedCertTimestamps = on;
849 break;
850
851 default:
852 PORT_SetError(SEC_ERROR_INVALID_ARGS);
853 rv = SECFailure;
854 } 878 }
855 879
856 /* We can't use the macros for releasing the locks here, 880 /* We can't use the macros for releasing the locks here,
857 * because ss->opt.noLocks might have changed just above. 881 * because ss->opt.noLocks might have changed just above.
858 * We must release these locks (monitors) here, if we aquired them above, 882 * We must release these locks (monitors) here, if we aquired them above,
859 * regardless of the current value of ss->opt.noLocks. 883 * regardless of the current value of ss->opt.noLocks.
860 */ 884 */
861 if (holdingLocks) { 885 if (holdingLocks) {
862 PZ_ExitMonitor((ss)->ssl3HandshakeLock); 886 PZ_ExitMonitor((ss)->ssl3HandshakeLock);
863 PZ_ExitMonitor((ss)->firstHandshakeLock); 887 PZ_ExitMonitor((ss)->firstHandshakeLock);
864 } 888 }
865 889
866 return rv; 890 return rv;
867 } 891 }
868 892
869 SECStatus 893 SECStatus
870 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) 894 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
871 { 895 {
872 sslSocket *ss = ssl_FindSocket(fd); 896 sslSocket *ss = ssl_FindSocket(fd);
873 SECStatus rv = SECSuccess; 897 SECStatus rv = SECSuccess;
874 PRBool on = PR_FALSE; 898 PRBool on = PR_FALSE;
875 899
876 if (!pOn) { 900 if (!pOn) {
877 PORT_SetError(SEC_ERROR_INVALID_ARGS); 901 PORT_SetError(SEC_ERROR_INVALID_ARGS);
878 return SECFailure; 902 return SECFailure;
879 } 903 }
880 if (!ss) { 904 if (!ss) {
881 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); 905 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
882 *pOn = PR_FALSE; 906 *pOn = PR_FALSE;
883 return SECFailure; 907 return SECFailure;
884 } 908 }
885 909
886 ssl_Get1stHandshakeLock(ss); 910 ssl_Get1stHandshakeLock(ss);
887 ssl_GetSSL3HandshakeLock(ss); 911 ssl_GetSSL3HandshakeLock(ss);
888 912
889 switch (which) { 913 switch (which) {
890 case SSL_SOCKS: on = PR_FALSE; break; 914 case SSL_SOCKS:
891 case SSL_SECURITY: on = ss->opt.useSecurity; break; 915 on = PR_FALSE;
892 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; 916 break;
893 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; 917 case SSL_SECURITY:
894 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; 918 on = ss->opt.useSecurity;
895 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; 919 break;
896 case SSL_ENABLE_TLS: 920 case SSL_REQUEST_CERTIFICATE:
897 on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; 921 on = ss->opt.requestCertificate;
898 break; 922 break;
899 case SSL_ENABLE_SSL3: 923 case SSL_REQUIRE_CERTIFICATE:
900 on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; 924 on = ss->opt.requireCertificate;
901 break; 925 break;
902 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; 926 case SSL_HANDSHAKE_AS_CLIENT:
903 case SSL_NO_CACHE: on = ss->opt.noCache; break; 927 on = ss->opt.handshakeAsClient;
904 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; 928 break;
905 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; 929 case SSL_HANDSHAKE_AS_SERVER:
906 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; 930 on = ss->opt.handshakeAsServer;
907 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; 931 break;
908 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; 932 case SSL_ENABLE_TLS:
909 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; 933 on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
910 case SSL_ENABLE_SESSION_TICKETS: 934 break;
911 on = ss->opt.enableSessionTickets; 935 case SSL_ENABLE_SSL3:
912 break; 936 on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
913 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; 937 break;
914 case SSL_ENABLE_RENEGOTIATION: 938 case SSL_ENABLE_SSL2:
915 on = ss->opt.enableRenegotiation; break; 939 on = ss->opt.enableSSL2;
916 case SSL_REQUIRE_SAFE_NEGOTIATION: 940 break;
917 on = ss->opt.requireSafeNegotiation; break; 941 case SSL_NO_CACHE:
918 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; 942 on = ss->opt.noCache;
919 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; 943 break;
920 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; 944 case SSL_ENABLE_FDX:
921 case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break; 945 on = ss->opt.fdx;
922 case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break; 946 break;
923 case SSL_REUSE_SERVER_ECDHE_KEY: 947 case SSL_V2_COMPATIBLE_HELLO:
924 on = ss->opt.reuseServerECDHEKey; break; 948 on = ss->opt.v2CompatibleHello;
925 case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; 949 break;
926 case SSL_ENABLE_SERVER_DHE: on = ss->opt.enableServerDhe; break; 950 case SSL_ROLLBACK_DETECTION:
927 case SSL_ENABLE_EXTENDED_MASTER_SECRET: 951 on = ss->opt.detectRollBack;
928 on = ss->opt.enableExtendedMS; break; 952 break;
929 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 953 case SSL_NO_STEP_DOWN:
930 on = ss->opt.enableSignedCertTimestamps; 954 on = ss->opt.noStepDown;
931 break; 955 break;
956 case SSL_BYPASS_PKCS11:
957 on = ss->opt.bypassPKCS11;
958 break;
959 case SSL_NO_LOCKS:
960 on = ss->opt.noLocks;
961 break;
962 case SSL_ENABLE_SESSION_TICKETS:
963 on = ss->opt.enableSessionTickets;
964 break;
965 case SSL_ENABLE_DEFLATE:
966 on = ss->opt.enableDeflate;
967 break;
968 case SSL_ENABLE_RENEGOTIATION:
969 on = ss->opt.enableRenegotiation;
970 break;
971 case SSL_REQUIRE_SAFE_NEGOTIATION:
972 on = ss->opt.requireSafeNegotiation;
973 break;
974 case SSL_ENABLE_FALSE_START:
975 on = ss->opt.enableFalseStart;
976 break;
977 case SSL_CBC_RANDOM_IV:
978 on = ss->opt.cbcRandomIV;
979 break;
980 case SSL_ENABLE_OCSP_STAPLING:
981 on = ss->opt.enableOCSPStapling;
982 break;
983 case SSL_ENABLE_NPN:
984 on = ss->opt.enableNPN;
985 break;
986 case SSL_ENABLE_ALPN:
987 on = ss->opt.enableALPN;
988 break;
989 case SSL_REUSE_SERVER_ECDHE_KEY:
990 on = ss->opt.reuseServerECDHEKey;
991 break;
992 case SSL_ENABLE_FALLBACK_SCSV:
993 on = ss->opt.enableFallbackSCSV;
994 break;
995 case SSL_ENABLE_SERVER_DHE:
996 on = ss->opt.enableServerDhe;
997 break;
998 case SSL_ENABLE_EXTENDED_MASTER_SECRET:
999 on = ss->opt.enableExtendedMS;
1000 break;
1001 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
1002 on = ss->opt.enableSignedCertTimestamps;
1003 break;
932 1004
933 default: 1005 default:
934 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1006 PORT_SetError(SEC_ERROR_INVALID_ARGS);
935 rv = SECFailure; 1007 rv = SECFailure;
936 } 1008 }
937 1009
938 ssl_ReleaseSSL3HandshakeLock(ss); 1010 ssl_ReleaseSSL3HandshakeLock(ss);
939 ssl_Release1stHandshakeLock(ss); 1011 ssl_Release1stHandshakeLock(ss);
940 1012
941 *pOn = on; 1013 *pOn = on;
942 return rv; 1014 return rv;
943 } 1015 }
944 1016
945 SECStatus 1017 SECStatus
946 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) 1018 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
947 { 1019 {
948 SECStatus rv = SECSuccess; 1020 SECStatus rv = SECSuccess;
949 PRBool on = PR_FALSE; 1021 PRBool on = PR_FALSE;
950 1022
951 if (!pOn) { 1023 if (!pOn) {
952 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1024 PORT_SetError(SEC_ERROR_INVALID_ARGS);
953 return SECFailure; 1025 return SECFailure;
954 } 1026 }
955 1027
956 ssl_SetDefaultsFromEnvironment(); 1028 ssl_SetDefaultsFromEnvironment();
957 1029
958 switch (which) { 1030 switch (which) {
959 case SSL_SOCKS: on = PR_FALSE; break; 1031 case SSL_SOCKS:
960 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; 1032 on = PR_FALSE;
961 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; 1033 break;
962 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; 1034 case SSL_SECURITY:
963 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; 1035 on = ssl_defaults.useSecurity;
964 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; 1036 break;
965 case SSL_ENABLE_TLS: 1037 case SSL_REQUEST_CERTIFICATE:
966 on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; 1038 on = ssl_defaults.requestCertificate;
967 break; 1039 break;
968 case SSL_ENABLE_SSL3: 1040 case SSL_REQUIRE_CERTIFICATE:
969 on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; 1041 on = ssl_defaults.requireCertificate;
970 break; 1042 break;
971 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; 1043 case SSL_HANDSHAKE_AS_CLIENT:
972 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; 1044 on = ssl_defaults.handshakeAsClient;
973 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; 1045 break;
974 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; 1046 case SSL_HANDSHAKE_AS_SERVER:
975 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; 1047 on = ssl_defaults.handshakeAsServer;
976 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; 1048 break;
977 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; 1049 case SSL_ENABLE_TLS:
978 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; 1050 on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
979 case SSL_ENABLE_SESSION_TICKETS: 1051 break;
980 on = ssl_defaults.enableSessionTickets; 1052 case SSL_ENABLE_SSL3:
981 break; 1053 on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
982 case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break; 1054 break;
983 case SSL_ENABLE_RENEGOTIATION: 1055 case SSL_ENABLE_SSL2:
984 on = ssl_defaults.enableRenegotiation; break; 1056 on = ssl_defaults.enableSSL2;
985 case SSL_REQUIRE_SAFE_NEGOTIATION: 1057 break;
986 on = ssl_defaults.requireSafeNegotiation; 1058 case SSL_NO_CACHE:
987 break; 1059 on = ssl_defaults.noCache;
988 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; 1060 break;
989 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; 1061 case SSL_ENABLE_FDX:
990 case SSL_ENABLE_OCSP_STAPLING: 1062 on = ssl_defaults.fdx;
991 on = ssl_defaults.enableOCSPStapling; 1063 break;
992 break; 1064 case SSL_V2_COMPATIBLE_HELLO:
993 case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break; 1065 on = ssl_defaults.v2CompatibleHello;
994 case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break; 1066 break;
995 case SSL_REUSE_SERVER_ECDHE_KEY: 1067 case SSL_ROLLBACK_DETECTION:
996 on = ssl_defaults.reuseServerECDHEKey; 1068 on = ssl_defaults.detectRollBack;
997 break; 1069 break;
998 case SSL_ENABLE_FALLBACK_SCSV: 1070 case SSL_NO_STEP_DOWN:
999 on = ssl_defaults.enableFallbackSCSV; 1071 on = ssl_defaults.noStepDown;
1000 break; 1072 break;
1001 case SSL_ENABLE_SERVER_DHE: 1073 case SSL_BYPASS_PKCS11:
1002 on = ssl_defaults.enableServerDhe; 1074 on = ssl_defaults.bypassPKCS11;
1003 break; 1075 break;
1004 case SSL_ENABLE_EXTENDED_MASTER_SECRET: 1076 case SSL_NO_LOCKS:
1005 on = ssl_defaults.enableExtendedMS; 1077 on = ssl_defaults.noLocks;
1006 break; 1078 break;
1007 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 1079 case SSL_ENABLE_SESSION_TICKETS:
1008 on = ssl_defaults.enableSignedCertTimestamps; 1080 on = ssl_defaults.enableSessionTickets;
1009 break; 1081 break;
1082 case SSL_ENABLE_DEFLATE:
1083 on = ssl_defaults.enableDeflate;
1084 break;
1085 case SSL_ENABLE_RENEGOTIATION:
1086 on = ssl_defaults.enableRenegotiation;
1087 break;
1088 case SSL_REQUIRE_SAFE_NEGOTIATION:
1089 on = ssl_defaults.requireSafeNegotiation;
1090 break;
1091 case SSL_ENABLE_FALSE_START:
1092 on = ssl_defaults.enableFalseStart;
1093 break;
1094 case SSL_CBC_RANDOM_IV:
1095 on = ssl_defaults.cbcRandomIV;
1096 break;
1097 case SSL_ENABLE_OCSP_STAPLING:
1098 on = ssl_defaults.enableOCSPStapling;
1099 break;
1100 case SSL_ENABLE_NPN:
1101 on = ssl_defaults.enableNPN;
1102 break;
1103 case SSL_ENABLE_ALPN:
1104 on = ssl_defaults.enableALPN;
1105 break;
1106 case SSL_REUSE_SERVER_ECDHE_KEY:
1107 on = ssl_defaults.reuseServerECDHEKey;
1108 break;
1109 case SSL_ENABLE_FALLBACK_SCSV:
1110 on = ssl_defaults.enableFallbackSCSV;
1111 break;
1112 case SSL_ENABLE_SERVER_DHE:
1113 on = ssl_defaults.enableServerDhe;
1114 break;
1115 case SSL_ENABLE_EXTENDED_MASTER_SECRET:
1116 on = ssl_defaults.enableExtendedMS;
1117 break;
1118 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
1119 on = ssl_defaults.enableSignedCertTimestamps;
1120 break;
1010 1121
1011 default: 1122 default:
1012 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1123 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1013 rv = SECFailure; 1124 rv = SECFailure;
1014 } 1125 }
1015 1126
1016 *pOn = on; 1127 *pOn = on;
1017 return rv; 1128 return rv;
1018 } 1129 }
1019 1130
1020 /* XXX Use Global Lock to protect this stuff. */ 1131 /* XXX Use Global Lock to protect this stuff. */
1021 SECStatus 1132 SECStatus
1022 SSL_EnableDefault(int which, PRBool on) 1133 SSL_EnableDefault(int which, PRBool on)
1023 { 1134 {
1024 return SSL_OptionSetDefault(which, on); 1135 return SSL_OptionSetDefault(which, on);
1025 } 1136 }
1026 1137
1027 SECStatus 1138 SECStatus
1028 SSL_OptionSetDefault(PRInt32 which, PRBool on) 1139 SSL_OptionSetDefault(PRInt32 which, PRBool on)
1029 { 1140 {
1030 SECStatus status = ssl_Init(); 1141 SECStatus status = ssl_Init();
1031 1142
1032 if (status != SECSuccess) { 1143 if (status != SECSuccess) {
1033 return status; 1144 return status;
1034 } 1145 }
1035 1146
1036 ssl_SetDefaultsFromEnvironment(); 1147 ssl_SetDefaultsFromEnvironment();
1037 1148
1038 switch (which) { 1149 switch (which) {
1039 case SSL_SOCKS: 1150 case SSL_SOCKS:
1040 ssl_defaults.useSocks = PR_FALSE; 1151 ssl_defaults.useSocks = PR_FALSE;
1041 if (on) { 1152 if (on) {
1153 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1154 return SECFailure;
1155 }
1156 break;
1157
1158 case SSL_SECURITY:
1159 ssl_defaults.useSecurity = on;
1160 break;
1161
1162 case SSL_REQUEST_CERTIFICATE:
1163 ssl_defaults.requestCertificate = on;
1164 break;
1165
1166 case SSL_REQUIRE_CERTIFICATE:
1167 ssl_defaults.requireCertificate = on;
1168 break;
1169
1170 case SSL_HANDSHAKE_AS_CLIENT:
1171 if (ssl_defaults.handshakeAsServer && on) {
1172 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1173 return SECFailure;
1174 }
1175 ssl_defaults.handshakeAsClient = on;
1176 break;
1177
1178 case SSL_HANDSHAKE_AS_SERVER:
1179 if (ssl_defaults.handshakeAsClient && on) {
1180 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1181 return SECFailure;
1182 }
1183 ssl_defaults.handshakeAsServer = on;
1184 break;
1185
1186 case SSL_ENABLE_TLS:
1187 ssl_EnableTLS(&versions_defaults_stream, on);
1188 break;
1189
1190 case SSL_ENABLE_SSL3:
1191 ssl_EnableSSL3(&versions_defaults_stream, on);
1192 break;
1193
1194 case SSL_ENABLE_SSL2:
1195 if (on) {
1196 /* don't turn it on if ssl2 disallowed by by policy */
1197 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
1198 SSL_LIBRARY_VERSION_2)) {
1199 break;
1200 }
1201 }
1202 ssl_defaults.enableSSL2 = on;
1203 if (on) {
1204 ssl_defaults.v2CompatibleHello = on;
1205 }
1206 break;
1207
1208 case SSL_NO_CACHE:
1209 ssl_defaults.noCache = on;
1210 break;
1211
1212 case SSL_ENABLE_FDX:
1213 if (on && ssl_defaults.noLocks) {
1214 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1215 return SECFailure;
1216 }
1217 ssl_defaults.fdx = on;
1218 break;
1219
1220 case SSL_V2_COMPATIBLE_HELLO:
1221 ssl_defaults.v2CompatibleHello = on;
1222 if (!on) {
1223 ssl_defaults.enableSSL2 = on;
1224 }
1225 break;
1226
1227 case SSL_ROLLBACK_DETECTION:
1228 ssl_defaults.detectRollBack = on;
1229 break;
1230
1231 case SSL_NO_STEP_DOWN:
1232 ssl_defaults.noStepDown = on;
1233 if (on)
1234 SSL_DisableDefaultExportCipherSuites();
1235 break;
1236
1237 case SSL_BYPASS_PKCS11:
1238 if (PR_FALSE != on) {
1239 if (PR_SUCCESS == SSL_BypassSetup()) {
1240 #ifdef NO_PKCS11_BYPASS
1241 ssl_defaults.bypassPKCS11 = PR_FALSE;
1242 #else
1243 ssl_defaults.bypassPKCS11 = on;
1244 #endif
1245 } else {
1246 return SECFailure;
1247 }
1248 } else {
1249 ssl_defaults.bypassPKCS11 = PR_FALSE;
1250 }
1251 break;
1252
1253 case SSL_NO_LOCKS:
1254 if (on && ssl_defaults.fdx) {
1255 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1256 return SECFailure;
1257 }
1258 if (on && ssl_force_locks)
1259 on = PR_FALSE; /* silent override */
1260 ssl_defaults.noLocks = on;
1261 if (on) {
1262 locksEverDisabled = PR_TRUE;
1263 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
1264 }
1265 break;
1266
1267 case SSL_ENABLE_SESSION_TICKETS:
1268 ssl_defaults.enableSessionTickets = on;
1269 break;
1270
1271 case SSL_ENABLE_DEFLATE:
1272 ssl_defaults.enableDeflate = on;
1273 break;
1274
1275 case SSL_ENABLE_RENEGOTIATION:
1276 ssl_defaults.enableRenegotiation = on;
1277 break;
1278
1279 case SSL_REQUIRE_SAFE_NEGOTIATION:
1280 ssl_defaults.requireSafeNegotiation = on;
1281 break;
1282
1283 case SSL_ENABLE_FALSE_START:
1284 ssl_defaults.enableFalseStart = on;
1285 break;
1286
1287 case SSL_CBC_RANDOM_IV:
1288 ssl_defaults.cbcRandomIV = on;
1289 break;
1290
1291 case SSL_ENABLE_OCSP_STAPLING:
1292 ssl_defaults.enableOCSPStapling = on;
1293 break;
1294
1295 case SSL_ENABLE_NPN:
1296 ssl_defaults.enableNPN = on;
1297 break;
1298
1299 case SSL_ENABLE_ALPN:
1300 ssl_defaults.enableALPN = on;
1301 break;
1302
1303 case SSL_REUSE_SERVER_ECDHE_KEY:
1304 ssl_defaults.reuseServerECDHEKey = on;
1305 break;
1306
1307 case SSL_ENABLE_FALLBACK_SCSV:
1308 ssl_defaults.enableFallbackSCSV = on;
1309 break;
1310
1311 case SSL_ENABLE_SERVER_DHE:
1312 ssl_defaults.enableServerDhe = on;
1313 break;
1314
1315 case SSL_ENABLE_EXTENDED_MASTER_SECRET:
1316 ssl_defaults.enableExtendedMS = on;
1317 break;
1318
1319 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
1320 ssl_defaults.enableSignedCertTimestamps = on;
1321 break;
1322
1323 default:
1042 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1324 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1043 return SECFailure; 1325 return SECFailure;
1044 }
1045 break;
1046
1047 case SSL_SECURITY:
1048 ssl_defaults.useSecurity = on;
1049 break;
1050
1051 case SSL_REQUEST_CERTIFICATE:
1052 ssl_defaults.requestCertificate = on;
1053 break;
1054
1055 case SSL_REQUIRE_CERTIFICATE:
1056 ssl_defaults.requireCertificate = on;
1057 break;
1058
1059 case SSL_HANDSHAKE_AS_CLIENT:
1060 if ( ssl_defaults.handshakeAsServer && on ) {
1061 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1062 return SECFailure;
1063 }
1064 ssl_defaults.handshakeAsClient = on;
1065 break;
1066
1067 case SSL_HANDSHAKE_AS_SERVER:
1068 if ( ssl_defaults.handshakeAsClient && on ) {
1069 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1070 return SECFailure;
1071 }
1072 ssl_defaults.handshakeAsServer = on;
1073 break;
1074
1075 case SSL_ENABLE_TLS:
1076 ssl_EnableTLS(&versions_defaults_stream, on);
1077 break;
1078
1079 case SSL_ENABLE_SSL3:
1080 ssl_EnableSSL3(&versions_defaults_stream, on);
1081 break;
1082
1083 case SSL_ENABLE_SSL2:
1084 ssl_defaults.enableSSL2 = on;
1085 if (on) {
1086 ssl_defaults.v2CompatibleHello = on;
1087 }
1088 break;
1089
1090 case SSL_NO_CACHE:
1091 ssl_defaults.noCache = on;
1092 break;
1093
1094 case SSL_ENABLE_FDX:
1095 if (on && ssl_defaults.noLocks) {
1096 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1097 return SECFailure;
1098 }
1099 ssl_defaults.fdx = on;
1100 break;
1101
1102 case SSL_V2_COMPATIBLE_HELLO:
1103 ssl_defaults.v2CompatibleHello = on;
1104 if (!on) {
1105 ssl_defaults.enableSSL2 = on;
1106 }
1107 break;
1108
1109 case SSL_ROLLBACK_DETECTION:
1110 ssl_defaults.detectRollBack = on;
1111 break;
1112
1113 case SSL_NO_STEP_DOWN:
1114 ssl_defaults.noStepDown = on;
1115 if (on)
1116 SSL_DisableDefaultExportCipherSuites();
1117 break;
1118
1119 case SSL_BYPASS_PKCS11:
1120 if (PR_FALSE != on) {
1121 if (PR_SUCCESS == SSL_BypassSetup()) {
1122 #ifdef NO_PKCS11_BYPASS
1123 ssl_defaults.bypassPKCS11 = PR_FALSE;
1124 #else
1125 ssl_defaults.bypassPKCS11 = on;
1126 #endif
1127 } else {
1128 return SECFailure;
1129 }
1130 } else {
1131 ssl_defaults.bypassPKCS11 = PR_FALSE;
1132 }
1133 break;
1134
1135 case SSL_NO_LOCKS:
1136 if (on && ssl_defaults.fdx) {
1137 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1138 return SECFailure;
1139 }
1140 if (on && ssl_force_locks)
1141 on = PR_FALSE; /* silent override */
1142 ssl_defaults.noLocks = on;
1143 if (on) {
1144 locksEverDisabled = PR_TRUE;
1145 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
1146 }
1147 break;
1148
1149 case SSL_ENABLE_SESSION_TICKETS:
1150 ssl_defaults.enableSessionTickets = on;
1151 break;
1152
1153 case SSL_ENABLE_DEFLATE:
1154 ssl_defaults.enableDeflate = on;
1155 break;
1156
1157 case SSL_ENABLE_RENEGOTIATION:
1158 ssl_defaults.enableRenegotiation = on;
1159 break;
1160
1161 case SSL_REQUIRE_SAFE_NEGOTIATION:
1162 ssl_defaults.requireSafeNegotiation = on;
1163 break;
1164
1165 case SSL_ENABLE_FALSE_START:
1166 ssl_defaults.enableFalseStart = on;
1167 break;
1168
1169 case SSL_CBC_RANDOM_IV:
1170 ssl_defaults.cbcRandomIV = on;
1171 break;
1172
1173 case SSL_ENABLE_OCSP_STAPLING:
1174 ssl_defaults.enableOCSPStapling = on;
1175 break;
1176
1177 case SSL_ENABLE_NPN:
1178 ssl_defaults.enableNPN = on;
1179 break;
1180
1181 case SSL_ENABLE_ALPN:
1182 ssl_defaults.enableALPN = on;
1183 break;
1184
1185 case SSL_REUSE_SERVER_ECDHE_KEY:
1186 ssl_defaults.reuseServerECDHEKey = on;
1187 break;
1188
1189 case SSL_ENABLE_FALLBACK_SCSV:
1190 ssl_defaults.enableFallbackSCSV = on;
1191 break;
1192
1193 case SSL_ENABLE_SERVER_DHE:
1194 ssl_defaults.enableServerDhe = on;
1195 break;
1196
1197 case SSL_ENABLE_EXTENDED_MASTER_SECRET:
1198 ssl_defaults.enableExtendedMS = on;
1199 break;
1200
1201 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
1202 ssl_defaults.enableSignedCertTimestamps = on;
1203 break;
1204
1205 default:
1206 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1207 return SECFailure;
1208 } 1326 }
1209 return SECSuccess; 1327 return SECSuccess;
1210 } 1328 }
1211 1329
1212 /* function tells us if the cipher suite is one that we no longer support. */ 1330 /* function tells us if the cipher suite is one that we no longer support. */
1213 static PRBool 1331 static PRBool
1214 ssl_IsRemovedCipherSuite(PRInt32 suite) 1332 ssl_IsRemovedCipherSuite(PRInt32 suite)
1215 { 1333 {
1216 switch (suite) { 1334 switch (suite) {
1217 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: 1335 case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
1218 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: 1336 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
1219 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: 1337 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
1220 return PR_TRUE; 1338 return PR_TRUE;
1221 default: 1339 default:
1222 return PR_FALSE; 1340 return PR_FALSE;
1223 } 1341 }
1224 } 1342 }
1225 1343
1226 /* Part of the public NSS API. 1344 /* Part of the public NSS API.
1227 * Since this is a global (not per-socket) setting, we cannot use the 1345 * Since this is a global (not per-socket) setting, we cannot use the
1228 * HandshakeLock to protect this. Probably want a global lock. 1346 * HandshakeLock to protect this. Probably want a global lock.
1229 */ 1347 */
1230 SECStatus 1348 SECStatus
1231 SSL_SetPolicy(long which, int policy) 1349 SSL_SetPolicy(long which, int policy)
1232 { 1350 {
1233 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { 1351 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
1234 /* one of the two old FIPS ciphers */ 1352 /* one of the two old FIPS ciphers */
1235 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 1353 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
1236 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; 1354 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
1237 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) 1355 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
1238 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; 1356 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
1239 } 1357 }
1240 if (ssl_IsRemovedCipherSuite(which)) 1358 if (ssl_IsRemovedCipherSuite(which))
1241 return SECSuccess; 1359 return SECSuccess;
1242 return SSL_CipherPolicySet(which, policy); 1360 return SSL_CipherPolicySet(which, policy);
1243 } 1361 }
1244 1362
1245 SECStatus 1363 SECStatus
1246 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) 1364 ssl_CipherPolicySet(PRInt32 which, PRInt32 policy)
1247 { 1365 {
1248 SECStatus rv = ssl_Init(); 1366 SECStatus rv = SECSuccess;
1249
1250 if (rv != SECSuccess) {
1251 return rv;
1252 }
1253 1367
1254 if (ssl_IsRemovedCipherSuite(which)) { 1368 if (ssl_IsRemovedCipherSuite(which)) {
1255 rv = SECSuccess; 1369 rv = SECSuccess;
1256 } else if (SSL_IS_SSL2_CIPHER(which)) { 1370 } else if (SSL_IS_SSL2_CIPHER(which)) {
1257 rv = ssl2_SetPolicy(which, policy); 1371 rv = ssl2_SetPolicy(which, policy);
1258 } else { 1372 } else {
1259 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); 1373 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
1260 } 1374 }
1261 return rv; 1375 return rv;
1262 } 1376 }
1377 SECStatus
1378 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
1379 {
1380 SECStatus rv = ssl_Init();
1381
1382 if (rv != SECSuccess) {
1383 return rv;
1384 }
1385 return ssl_CipherPolicySet(which, policy);
1386 }
1263 1387
1264 SECStatus 1388 SECStatus
1265 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) 1389 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
1266 { 1390 {
1267 SECStatus rv; 1391 SECStatus rv;
1268 1392
1269 if (!oPolicy) { 1393 if (!oPolicy) {
1270 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1394 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1271 return SECFailure; 1395 return SECFailure;
1272 } 1396 }
(...skipping 22 matching lines...) Expand all
1295 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; 1419 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
1296 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) 1420 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
1297 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; 1421 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
1298 } 1422 }
1299 if (ssl_IsRemovedCipherSuite(which)) 1423 if (ssl_IsRemovedCipherSuite(which))
1300 return SECSuccess; 1424 return SECSuccess;
1301 return SSL_CipherPrefSetDefault(which, enabled); 1425 return SSL_CipherPrefSetDefault(which, enabled);
1302 } 1426 }
1303 1427
1304 SECStatus 1428 SECStatus
1305 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) 1429 ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
1306 { 1430 {
1307 SECStatus rv = ssl_Init(); 1431 SECStatus rv = SECSuccess;
1308
1309 if (rv != SECSuccess) {
1310 return rv;
1311 }
1312 1432
1313 if (ssl_IsRemovedCipherSuite(which)) 1433 if (ssl_IsRemovedCipherSuite(which))
1314 return SECSuccess; 1434 return SECSuccess;
1315 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) { 1435 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) {
1316 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); 1436 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
1317 return SECFailure; 1437 return SECFailure;
1318 } 1438 }
1319 if (SSL_IS_SSL2_CIPHER(which)) { 1439 if (SSL_IS_SSL2_CIPHER(which)) {
1320 rv = ssl2_CipherPrefSetDefault(which, enabled); 1440 rv = ssl2_CipherPrefSetDefault(which, enabled);
1321 } else { 1441 } else {
1322 rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); 1442 rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
1323 } 1443 }
1324 return rv; 1444 return rv;
1325 } 1445 }
1326 1446
1327 SECStatus 1447 SECStatus
1448 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
1449 {
1450 SECStatus rv = ssl_Init();
1451
1452 if (rv != SECSuccess) {
1453 return rv;
1454 }
1455 return ssl_CipherPrefSetDefault(which, enabled);
1456 }
1457
1458 SECStatus
1328 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) 1459 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
1329 { 1460 {
1330 SECStatus rv; 1461 SECStatus rv;
1331 1462
1332 if (!enabled) { 1463 if (!enabled) {
1333 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1464 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1334 return SECFailure; 1465 return SECFailure;
1335 } 1466 }
1336 if (ssl_IsRemovedCipherSuite(which)) { 1467 if (ssl_IsRemovedCipherSuite(which)) {
1337 *enabled = PR_FALSE; 1468 *enabled = PR_FALSE;
1338 rv = SECSuccess; 1469 rv = SECSuccess;
1339 } else if (SSL_IS_SSL2_CIPHER(which)) { 1470 } else if (SSL_IS_SSL2_CIPHER(which)) {
1340 rv = ssl2_CipherPrefGetDefault(which, enabled); 1471 rv = ssl2_CipherPrefGetDefault(which, enabled);
(...skipping 26 matching lines...) Expand all
1367 } 1498 }
1368 return rv; 1499 return rv;
1369 } 1500 }
1370 1501
1371 SECStatus 1502 SECStatus
1372 SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) 1503 SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len)
1373 { 1504 {
1374 sslSocket *ss = ssl_FindSocket(fd); 1505 sslSocket *ss = ssl_FindSocket(fd);
1375 1506
1376 if (!ss) { 1507 if (!ss) {
1377 » SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), 1508 SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(),
1378 » » fd)); 1509 fd));
1379 » return SECFailure; 1510 return SECFailure;
1380 } 1511 }
1381 return ssl3_CipherOrderSet(ss, ciphers, len); 1512 return ssl3_CipherOrderSet(ss, ciphers, len);
1382 } 1513 }
1383 1514
1384 SECStatus 1515 SECStatus
1385 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) 1516 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
1386 { 1517 {
1387 SECStatus rv; 1518 SECStatus rv;
1388 sslSocket *ss = ssl_FindSocket(fd); 1519 sslSocket *ss = ssl_FindSocket(fd);
1389 1520
1390 if (!enabled) { 1521 if (!enabled) {
1391 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1522 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1392 return SECFailure; 1523 return SECFailure;
1393 } 1524 }
1394 if (!ss) { 1525 if (!ss) {
1395 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); 1526 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
1396 *enabled = PR_FALSE; 1527 *enabled = PR_FALSE;
1397 return SECFailure; 1528 return SECFailure;
1398 } 1529 }
1399 if (ssl_IsRemovedCipherSuite(which)) { 1530 if (ssl_IsRemovedCipherSuite(which)) {
1400 *enabled = PR_FALSE; 1531 *enabled = PR_FALSE;
1401 rv = SECSuccess; 1532 rv = SECSuccess;
1402 } else if (SSL_IS_SSL2_CIPHER(which)) { 1533 } else if (SSL_IS_SSL2_CIPHER(which)) {
1403 rv = ssl2_CipherPrefGet(ss, which, enabled); 1534 rv = ssl2_CipherPrefGet(ss, which, enabled);
1404 } else { 1535 } else {
1405 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); 1536 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
1406 } 1537 }
1407 return rv; 1538 return rv;
1408 } 1539 }
1409 1540
1410 SECStatus 1541 SECStatus
1411 NSS_SetDomesticPolicy(void) 1542 NSS_SetDomesticPolicy(void)
1412 { 1543 {
1413 SECStatus status = SECSuccess; 1544 SECStatus status = SECSuccess;
1414 const PRUint16 *cipher; 1545 const PRUint16 *cipher;
1546 SECStatus rv;
1547 PRUint32 policy;
1548
1549 /* If we've already defined some policy oids, skip changing them */
1550 rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy);
1551 if ((rv == SECSuccess) && (policy & NSS_USE_POLICY_IN_SSL)) {
1552 return ssl_Init(); /* make sure the policies have bee loaded */
svaldez 2016/04/01 19:50:01 *been
1553 }
1415 1554
1416 for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { 1555 for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
1417 status = SSL_SetPolicy(*cipher, SSL_ALLOWED); 1556 status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
1418 if (status != SECSuccess) 1557 if (status != SECSuccess)
1419 break; 1558 break;
1420 } 1559 }
1421 return status; 1560 return status;
1422 } 1561 }
1423 1562
1424 SECStatus 1563 SECStatus
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
1462 if (!ss->ssl3.dheGroups) { 1601 if (!ss->ssl3.dheGroups) {
1463 PORT_SetError(SEC_ERROR_NO_MEMORY); 1602 PORT_SetError(SEC_ERROR_NO_MEMORY);
1464 return SECFailure; 1603 return SECFailure;
1465 } 1604 }
1466 PORT_Memcpy(ss->ssl3.dheGroups, groups, 1605 PORT_Memcpy(ss->ssl3.dheGroups, groups,
1467 sizeof(SSLDHEGroupType) * num_groups); 1606 sizeof(SSLDHEGroupType) * num_groups);
1468 } 1607 }
1469 return SECSuccess; 1608 return SECSuccess;
1470 } 1609 }
1471 1610
1472
1473 PRCallOnceType gWeakDHParamsRegisterOnce; 1611 PRCallOnceType gWeakDHParamsRegisterOnce;
1474 int gWeakDHParamsRegisterError; 1612 int gWeakDHParamsRegisterError;
1475 1613
1476 PRCallOnceType gWeakDHParamsOnce; 1614 PRCallOnceType gWeakDHParamsOnce;
1477 int gWeakDHParamsError; 1615 int gWeakDHParamsError;
1478 /* As our code allocates type PQGParams, we'll keep it around, 1616 /* As our code allocates type PQGParams, we'll keep it around,
1479 * even though we only make use of it's parameters through gWeakDHParam. */ 1617 * even though we only make use of it's parameters through gWeakDHParam. */
1480 static PQGParams *gWeakParamsPQG; 1618 static PQGParams *gWeakParamsPQG;
1481 static ssl3DHParams *gWeakDHParams; 1619 static ssl3DHParams *gWeakDHParams;
1482 1620
1483 static PRStatus 1621 static PRStatus
1484 ssl3_CreateWeakDHParams(void) 1622 ssl3_CreateWeakDHParams(void)
1485 { 1623 {
1486 PQGVerify *vfy; 1624 PQGVerify *vfy;
1487 SECStatus rv, passed; 1625 SECStatus rv, passed;
1488 1626
1489 PORT_Assert(!gWeakDHParams && !gWeakParamsPQG); 1627 PORT_Assert(!gWeakDHParams && !gWeakParamsPQG);
1490 1628
1491 rv = PK11_PQG_ParamGenV2(1024, 160, 64 /*maximum seed that will work*/, 1629 rv = PK11_PQG_ParamGenV2(1024, 160, 64 /*maximum seed that will work*/,
1492 &gWeakParamsPQG, &vfy); 1630 &gWeakParamsPQG, &vfy);
1493 if (rv != SECSuccess) { 1631 if (rv != SECSuccess) {
1494 gWeakDHParamsError = PORT_GetError(); 1632 gWeakDHParamsError = PORT_GetError();
1495 return PR_FAILURE; 1633 return PR_FAILURE;
1496 } 1634 }
1497 1635
1498 rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed); 1636 rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed);
1499 if (rv != SECSuccess || passed != SECSuccess) { 1637 if (rv != SECSuccess || passed != SECSuccess) {
1500 SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams", 1638 SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams",
1501 SSL_GETPID())); 1639 SSL_GETPID()));
1502 gWeakDHParamsError = PORT_GetError(); 1640 gWeakDHParamsError = PORT_GetError();
1503 return PR_FAILURE; 1641 return PR_FAILURE;
1504 } 1642 }
1505 1643
1506 gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams); 1644 gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams);
1507 if (!gWeakDHParams) { 1645 if (!gWeakDHParams) {
1508 gWeakDHParamsError = PORT_GetError(); 1646 gWeakDHParamsError = PORT_GetError();
1509 return PR_FAILURE; 1647 return PR_FAILURE;
1510 } 1648 }
1511 1649
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after
1570 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd)); 1708 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd));
1571 return SECFailure; 1709 return SECFailure;
1572 } 1710 }
1573 1711
1574 ss->ssl3.dheWeakGroupEnabled = enabled; 1712 ss->ssl3.dheWeakGroupEnabled = enabled;
1575 return SECSuccess; 1713 return SECSuccess;
1576 } 1714 }
1577 1715
1578 SECStatus 1716 SECStatus
1579 SSL_GetChannelBinding(PRFileDesc *fd, 1717 SSL_GetChannelBinding(PRFileDesc *fd,
1580 » » SSLChannelBindingType binding_type, 1718 SSLChannelBindingType binding_type,
1581 » » unsigned char *out, 1719 unsigned char *out,
1582 » » unsigned int *outLen, 1720 unsigned int *outLen,
1583 » » unsigned int outLenMax) { 1721 unsigned int outLenMax)
1722 {
1584 sslSocket *ss = ssl_FindSocket(fd); 1723 sslSocket *ss = ssl_FindSocket(fd);
1585 1724
1586 if (!ss) { 1725 if (!ss) {
1587 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", 1726 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding",
1588 » » SSL_GETPID(), fd)); 1727 SSL_GETPID(), fd));
1589 » return SECFailure; 1728 return SECFailure;
1590 } 1729 }
1591 1730
1592 if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) { 1731 if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) {
1593 » PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 1732 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
1594 » return SECFailure; 1733 return SECFailure;
1595 } 1734 }
1596 1735
1597 return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax); 1736 return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax);
1598 } 1737 }
1599 1738
1600 #include "dhe-param.c" 1739 #include "dhe-param.c"
1601 1740
1602 static const SSLDHEGroupType ssl_default_dhe_groups[] = { 1741 static const SSLDHEGroupType ssl_default_dhe_groups[] = {
1603 ssl_ff_dhe_2048_group 1742 ssl_ff_dhe_2048_group
1604 }; 1743 };
(...skipping 24 matching lines...) Expand all
1629 SECStatus 1768 SECStatus
1630 ssl3_SelectDHParams(sslSocket *ss) 1769 ssl3_SelectDHParams(sslSocket *ss)
1631 { 1770 {
1632 SSLDHEGroupType selectedGroup = ssl_dhe_group_none; 1771 SSLDHEGroupType selectedGroup = ssl_dhe_group_none;
1633 1772
1634 if (ss->ssl3.dheWeakGroupEnabled) { 1773 if (ss->ssl3.dheWeakGroupEnabled) {
1635 ss->dheParams = gWeakDHParams; 1774 ss->dheParams = gWeakDHParams;
1636 } else { 1775 } else {
1637 if (ss->ssl3.dheGroups) { 1776 if (ss->ssl3.dheGroups) {
1638 selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups, 1777 selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups,
1639 ss->ssl3.numDHEGroups); 1778 ss->ssl3.numDHEGroups);
1640 } else { 1779 } else {
1641 size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_grou ps); 1780 size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_grou ps);
1642 selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups, 1781 selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups,
1643 number_of_default_groups); 1782 number_of_default_groups);
1644 } 1783 }
1645 1784
1646 if (selectedGroup == ssl_dhe_group_none || 1785 if (selectedGroup == ssl_dhe_group_none ||
1647 selectedGroup >= ssl_dhe_group_max) { 1786 selectedGroup >= ssl_dhe_group_max) {
1648 return SECFailure; 1787 return SECFailure;
1649 } 1788 }
1650 1789
1651 ss->dheParams = all_ssl3DHParams[selectedGroup]; 1790 ss->dheParams = all_ssl3DHParams[selectedGroup];
1652 } 1791 }
1653 1792
1654 return SECSuccess; 1793 return SECSuccess;
1655 } 1794 }
1656 1795
1657 /* LOCKS ??? XXX */ 1796 /* LOCKS ??? XXX */
1658 static PRFileDesc * 1797 static PRFileDesc *
1659 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) 1798 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
1660 { 1799 {
1661 sslSocket * ns = NULL; 1800 sslSocket *ns = NULL;
1662 PRStatus rv; 1801 PRStatus rv;
1663 PRNetAddr addr; 1802 PRNetAddr addr;
1664 SECStatus status = ssl_Init(); 1803 SECStatus status = ssl_Init();
1665 1804
1666 if (status != SECSuccess) { 1805 if (status != SECSuccess) {
1667 return NULL; 1806 return NULL;
1668 } 1807 }
1669 1808
1670 if (model == NULL) { 1809 if (model == NULL) {
1671 /* Just create a default socket if we're given NULL for the model */ 1810 /* Just create a default socket if we're given NULL for the model */
1672 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); 1811 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant);
1673 } else { 1812 } else {
1674 sslSocket * ss = ssl_FindSocket(model); 1813 sslSocket *ss = ssl_FindSocket(model);
1675 if (ss == NULL || ss->protocolVariant != variant) { 1814 if (ss == NULL || ss->protocolVariant != variant) {
1676 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", 1815 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD",
1677 SSL_GETPID(), model)); 1816 SSL_GETPID(), model));
1678 return NULL; 1817 return NULL;
1679 } 1818 }
1680 ns = ssl_DupSocket(ss); 1819 ns = ssl_DupSocket(ss);
1681 } 1820 }
1682 if (ns == NULL) 1821 if (ns == NULL)
1683 return NULL; 1822 return NULL;
1684 1823
1685 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); 1824 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
1686 if (rv != PR_SUCCESS) { 1825 if (rv != PR_SUCCESS) {
1687 ssl_FreeSocket(ns); 1826 ssl_FreeSocket(ns);
1688 SET_ERROR_CODE 1827 SET_ERROR_CODE
1689 return NULL; 1828 return NULL;
1690 } 1829 }
1691 #if defined(DEBUG) || defined(FORCE_PR_ASSERT) 1830 #if defined(DEBUG) || defined(FORCE_PR_ASSERT)
1692 { 1831 {
1693 sslSocket * ss = ssl_FindSocket(fd); 1832 sslSocket *ss = ssl_FindSocket(fd);
1694 PORT_Assert(ss == ns); 1833 PORT_Assert(ss == ns);
1695 } 1834 }
1696 #endif 1835 #endif
1697 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); 1836 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
1698 return fd; 1837 return fd;
1699 } 1838 }
1700 1839
1701 PRFileDesc * 1840 PRFileDesc *
1702 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) 1841 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
1703 { 1842 {
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after
1748 const unsigned char *result; 1887 const unsigned char *result;
1749 sslSocket *ss = ssl_FindSocket(fd); 1888 sslSocket *ss = ssl_FindSocket(fd);
1750 1889
1751 if (!ss) { 1890 if (!ss) {
1752 SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback", 1891 SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback",
1753 SSL_GETPID(), fd)); 1892 SSL_GETPID(), fd));
1754 return SECFailure; 1893 return SECFailure;
1755 } 1894 }
1756 1895
1757 /* For each protocol in server preference, see if we support it. */ 1896 /* For each protocol in server preference, see if we support it. */
1758 for (i = 0; i < protos_len; ) { 1897 for (i = 0; i < protos_len;) {
1759 for (j = 0; j < ss->opt.nextProtoNego.len; ) { 1898 for (j = 0; j < ss->opt.nextProtoNego.len;) {
1760 if (protos[i] == ss->opt.nextProtoNego.data[j] && 1899 if (protos[i] == ss->opt.nextProtoNego.data[j] &&
1761 PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1], 1900 PORT_Memcmp(&protos[i + 1], &ss->opt.nextProtoNego.data[j + 1],
1762 protos[i]) == 0) { 1901 protos[i]) == 0) {
1763 /* We found a match. */ 1902 /* We found a match. */
1764 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; 1903 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
1765 result = &protos[i]; 1904 result = &protos[i];
1766 goto found; 1905 goto found;
1767 } 1906 }
1768 j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j]; 1907 j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j];
1769 } 1908 }
1770 i += 1 + (unsigned int)protos[i]; 1909 i += 1 + (unsigned int)protos[i];
1771 } 1910 }
1772 1911
(...skipping 13 matching lines...) Expand all
1786 *protoOutLen = result[0]; 1925 *protoOutLen = result[0];
1787 return SECSuccess; 1926 return SECSuccess;
1788 } 1927 }
1789 1928
1790 SECStatus 1929 SECStatus
1791 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, 1930 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
1792 unsigned int length) 1931 unsigned int length)
1793 { 1932 {
1794 sslSocket *ss; 1933 sslSocket *ss;
1795 SECStatus rv; 1934 SECStatus rv;
1796 SECItem dataItem = { siBuffer, (unsigned char *) data, length }; 1935 SECItem dataItem = { siBuffer, (unsigned char *)data, length };
1797 1936
1798 ss = ssl_FindSocket(fd); 1937 ss = ssl_FindSocket(fd);
1799 if (!ss) { 1938 if (!ss) {
1800 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", 1939 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego",
1801 SSL_GETPID(), fd)); 1940 SSL_GETPID(), fd));
1802 return SECFailure; 1941 return SECFailure;
1803 } 1942 }
1804 1943
1805 if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) 1944 if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess)
1806 return SECFailure; 1945 return SECFailure;
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
1843 } 1982 }
1844 PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len); 1983 PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
1845 *bufLen = ss->ssl3.nextProto.len; 1984 *bufLen = ss->ssl3.nextProto.len;
1846 } else { 1985 } else {
1847 *bufLen = 0; 1986 *bufLen = 0;
1848 } 1987 }
1849 1988
1850 return SECSuccess; 1989 return SECSuccess;
1851 } 1990 }
1852 1991
1853 SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, 1992 SECStatus
1854 const PRUint16 *ciphers, 1993 SSL_SetSRTPCiphers(PRFileDesc *fd,
1855 unsigned int numCiphers) 1994 const PRUint16 *ciphers,
1995 unsigned int numCiphers)
1856 { 1996 {
1857 sslSocket *ss; 1997 sslSocket *ss;
1858 unsigned int i; 1998 unsigned int i;
1859 1999
1860 ss = ssl_FindSocket(fd); 2000 ss = ssl_FindSocket(fd);
1861 if (!ss || !IS_DTLS(ss)) { 2001 if (!ss || !IS_DTLS(ss)) {
1862 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers", 2002 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers",
1863 SSL_GETPID(), fd)); 2003 SSL_GETPID(), fd));
1864 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2004 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1865 return SECFailure; 2005 return SECFailure;
(...skipping 11 matching lines...) Expand all
1877 while (*srtpCipher) { 2017 while (*srtpCipher) {
1878 if (ciphers[i] == *srtpCipher) 2018 if (ciphers[i] == *srtpCipher)
1879 break; 2019 break;
1880 srtpCipher++; 2020 srtpCipher++;
1881 } 2021 }
1882 if (*srtpCipher) { 2022 if (*srtpCipher) {
1883 ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] = 2023 ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] =
1884 ciphers[i]; 2024 ciphers[i];
1885 } else { 2025 } else {
1886 SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " 2026 SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher "
1887 "suite specified: 0x%04hx", SSL_GETPID(), fd, 2027 "suite specified: 0x%04hx",
1888 ciphers[i])); 2028 SSL_GETPID(), fd,
2029 ciphers[i]));
1889 } 2030 }
1890 } 2031 }
1891 2032
1892 if (ss->ssl3.dtlsSRTPCipherCount == 0) { 2033 if (ss->ssl3.dtlsSRTPCipherCount == 0) {
1893 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2034 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1894 return SECFailure; 2035 return SECFailure;
1895 } 2036 }
1896 2037
1897 return SECSuccess; 2038 return SECSuccess;
1898 } 2039 }
1899 2040
1900 SECStatus 2041 SECStatus
1901 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) 2042 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher)
1902 { 2043 {
1903 sslSocket * ss; 2044 sslSocket *ss;
1904 2045
1905 ss = ssl_FindSocket(fd); 2046 ss = ssl_FindSocket(fd);
1906 if (!ss) { 2047 if (!ss) {
1907 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher", 2048 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher",
1908 SSL_GETPID(), fd)); 2049 SSL_GETPID(), fd));
1909 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2050 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1910 return SECFailure; 2051 return SECFailure;
1911 } 2052 }
1912 2053
1913 if (!ss->ssl3.dtlsSRTPCipherSuite) { 2054 if (!ss->ssl3.dtlsSRTPCipherSuite) {
1914 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2055 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1915 return SECFailure; 2056 return SECFailure;
1916 } 2057 }
1917 2058
1918 *cipher = ss->ssl3.dtlsSRTPCipherSuite; 2059 *cipher = ss->ssl3.dtlsSRTPCipherSuite;
1919 return SECSuccess; 2060 return SECSuccess;
1920 } 2061 }
1921 2062
1922 PRFileDesc * 2063 PRFileDesc *
1923 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) 2064 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
1924 { 2065 {
1925 sslSocket * sm = NULL, *ss = NULL; 2066 sslSocket *sm = NULL, *ss = NULL;
1926 int i; 2067 int i;
1927 sslServerCerts * mc = NULL; 2068 sslServerCerts *mc = NULL;
1928 sslServerCerts * sc = NULL; 2069 sslServerCerts *sc = NULL;
1929 2070
1930 if (model == NULL) { 2071 if (model == NULL) {
1931 PR_SetError(SEC_ERROR_INVALID_ARGS, 0); 2072 PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
1932 return NULL; 2073 return NULL;
1933 } 2074 }
1934 sm = ssl_FindSocket(model); 2075 sm = ssl_FindSocket(model);
1935 if (sm == NULL) { 2076 if (sm == NULL) {
1936 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", 2077 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD",
1937 SSL_GETPID(), model)); 2078 SSL_GETPID(), model));
1938 return NULL; 2079 return NULL;
1939 } 2080 }
1940 ss = ssl_FindSocket(fd); 2081 ss = ssl_FindSocket(fd);
1941 PORT_Assert(ss); 2082 PORT_Assert(ss);
1942 if (ss == NULL) { 2083 if (ss == NULL) {
1943 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2084 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1944 return NULL; 2085 return NULL;
1945 } 2086 }
1946 2087
1947 ss->opt = sm->opt; 2088 ss->opt = sm->opt;
1948 ss->vrange = sm->vrange; 2089 ss->vrange = sm->vrange;
1949 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); 2090 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites);
1950 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, 2091 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers,
1951 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount); 2092 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount);
1952 ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; 2093 ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount;
1953 PORT_Memcpy(ss->ssl3.signatureAlgorithms, sm->ssl3.signatureAlgorithms, 2094 PORT_Memcpy(ss->ssl3.signatureAlgorithms, sm->ssl3.signatureAlgorithms,
1954 sizeof(ss->ssl3.signatureAlgorithms[0]) * 2095 sizeof(ss->ssl3.signatureAlgorithms[0]) *
1955 sm->ssl3.signatureAlgorithmCount); 2096 sm->ssl3.signatureAlgorithmCount);
1956 ss->ssl3.signatureAlgorithmCount = sm->ssl3.signatureAlgorithmCount; 2097 ss->ssl3.signatureAlgorithmCount = sm->ssl3.signatureAlgorithmCount;
2098 ss->ssl3.downgradeCheckVersion = sm->ssl3.downgradeCheckVersion;
1957 2099
1958 if (!ss->opt.useSecurity) { 2100 if (!ss->opt.useSecurity) {
1959 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2101 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1960 return NULL; 2102 return NULL;
1961 } 2103 }
1962 /* This int should be SSLKEAType, but CC on Irix complains, 2104 /* This int should be SSLKEAType, but CC on Irix complains,
1963 * during the for loop. 2105 * during the for loop.
1964 */ 2106 */
1965 for (i=kt_null; i < kt_kea_size; i++) { 2107 for (i = kt_null; i < kt_kea_size; i++) {
1966 mc = &(sm->serverCerts[i]); 2108 mc = &(sm->serverCerts[i]);
1967 sc = &(ss->serverCerts[i]); 2109 sc = &(ss->serverCerts[i]);
1968 if (mc->serverCert && mc->serverCertChain) { 2110 if (mc->serverCert && mc->serverCertChain) {
1969 if (sc->serverCert) { 2111 if (sc->serverCert) {
1970 CERT_DestroyCertificate(sc->serverCert); 2112 CERT_DestroyCertificate(sc->serverCert);
1971 } 2113 }
1972 sc->serverCert = CERT_DupCertificate(mc->serverCert); 2114 sc->serverCert = CERT_DupCertificate(mc->serverCert);
1973 if (sc->serverCertChain) { 2115 if (sc->serverCertChain) {
1974 CERT_DestroyCertificateList(sc->serverCertChain); 2116 CERT_DestroyCertificateList(sc->serverCertChain);
1975 } 2117 }
1976 sc->serverCertChain = CERT_DupCertList(mc->serverCertChain); 2118 sc->serverCertChain = CERT_DupCertList(mc->serverCertChain);
1977 if (!sc->serverCertChain) 2119 if (!sc->serverCertChain)
1978 goto loser; 2120 goto loser;
1979 if (sm->certStatusArray[i]) { 2121 if (sm->certStatusArray[i]) {
1980 if (ss->certStatusArray[i]) { 2122 if (ss->certStatusArray[i]) {
1981 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); 2123 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE);
1982 ss->certStatusArray[i] = NULL; 2124 ss->certStatusArray[i] = NULL;
1983 } 2125 }
1984 ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusAr ray[i]); 2126 ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusAr ray[i]);
1985 if (!ss->certStatusArray[i]) 2127 if (!ss->certStatusArray[i])
1986 goto loser; 2128 goto loser;
1987 } 2129 }
2130 if (sm->signedCertTimestamps[i].data) {
2131 if (ss->signedCertTimestamps[i].data) {
2132 SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE);
2133 }
2134 if (SECITEM_CopyItem(NULL,
2135 &ss->signedCertTimestamps[i],
2136 &sm->signedCertTimestamps[i]) !=
2137 SECSuccess) {
2138 goto loser;
2139 }
2140 }
1988 } 2141 }
1989 if (mc->serverKeyPair) { 2142 if (mc->serverKeyPair) {
1990 if (sc->serverKeyPair) { 2143 if (sc->serverKeyPair) {
1991 ssl3_FreeKeyPair(sc->serverKeyPair); 2144 ssl3_FreeKeyPair(sc->serverKeyPair);
1992 } 2145 }
1993 sc->serverKeyPair = ssl3_GetKeyPairRef(mc->serverKeyPair); 2146 sc->serverKeyPair = ssl3_GetKeyPairRef(mc->serverKeyPair);
1994 sc->serverKeyBits = mc->serverKeyBits; 2147 sc->serverKeyBits = mc->serverKeyBits;
1995 } 2148 }
1996 } 2149 }
1997 if (sm->stepDownKeyPair) { 2150 if (sm->stepDownKeyPair) {
(...skipping 14 matching lines...) Expand all
2012 if (ss->ssl3.ca_list) { 2165 if (ss->ssl3.ca_list) {
2013 CERT_FreeDistNames(ss->ssl3.ca_list); 2166 CERT_FreeDistNames(ss->ssl3.ca_list);
2014 } 2167 }
2015 ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list); 2168 ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list);
2016 if (!ss->ssl3.ca_list) { 2169 if (!ss->ssl3.ca_list) {
2017 goto loser; 2170 goto loser;
2018 } 2171 }
2019 } 2172 }
2020 2173
2021 if (sm->authCertificate) 2174 if (sm->authCertificate)
2022 ss->authCertificate = sm->authCertificate; 2175 ss->authCertificate = sm->authCertificate;
2023 if (sm->authCertificateArg) 2176 if (sm->authCertificateArg)
2024 ss->authCertificateArg = sm->authCertificateArg; 2177 ss->authCertificateArg = sm->authCertificateArg;
2025 if (sm->getClientAuthData) 2178 if (sm->getClientAuthData)
2026 ss->getClientAuthData = sm->getClientAuthData; 2179 ss->getClientAuthData = sm->getClientAuthData;
2027 if (sm->getClientAuthDataArg) 2180 if (sm->getClientAuthDataArg)
2028 ss->getClientAuthDataArg = sm->getClientAuthDataArg; 2181 ss->getClientAuthDataArg = sm->getClientAuthDataArg;
2029 #ifdef NSS_PLATFORM_CLIENT_AUTH
2030 if (sm->getPlatformClientAuthData)
2031 ss->getPlatformClientAuthData = sm->getPlatformClientAuthData;
2032 if (sm->getPlatformClientAuthDataArg)
2033 ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg;
2034 #endif
2035 if (sm->sniSocketConfig) 2182 if (sm->sniSocketConfig)
2036 ss->sniSocketConfig = sm->sniSocketConfig; 2183 ss->sniSocketConfig = sm->sniSocketConfig;
2037 if (sm->sniSocketConfigArg) 2184 if (sm->sniSocketConfigArg)
2038 ss->sniSocketConfigArg = sm->sniSocketConfigArg; 2185 ss->sniSocketConfigArg = sm->sniSocketConfigArg;
2039 if (sm->handleBadCert) 2186 if (sm->handleBadCert)
2040 ss->handleBadCert = sm->handleBadCert; 2187 ss->handleBadCert = sm->handleBadCert;
2041 if (sm->badCertArg) 2188 if (sm->badCertArg)
2042 ss->badCertArg = sm->badCertArg; 2189 ss->badCertArg = sm->badCertArg;
2043 if (sm->handshakeCallback) 2190 if (sm->handshakeCallback)
2044 ss->handshakeCallback = sm->handshakeCallback; 2191 ss->handshakeCallback = sm->handshakeCallback;
2045 if (sm->handshakeCallbackData) 2192 if (sm->handshakeCallbackData)
2046 ss->handshakeCallbackData = sm->handshakeCallbackData; 2193 ss->handshakeCallbackData = sm->handshakeCallbackData;
2047 if (sm->pkcs11PinArg) 2194 if (sm->pkcs11PinArg)
2048 ss->pkcs11PinArg = sm->pkcs11PinArg; 2195 ss->pkcs11PinArg = sm->pkcs11PinArg;
2049 if (sm->getChannelID) 2196 if (sm->getChannelID)
2050 ss->getChannelID = sm->getChannelID; 2197 ss->getChannelID = sm->getChannelID;
2051 if (sm->getChannelIDArg) 2198 if (sm->getChannelIDArg)
2052 ss->getChannelIDArg = sm->getChannelIDArg; 2199 ss->getChannelIDArg = sm->getChannelIDArg;
2053 return fd; 2200 return fd;
2054 loser: 2201 loser:
2055 return NULL; 2202 return NULL;
2056 } 2203 }
2057 2204
2205 /*
2206 * Get the user supplied range
2207 */
2208 static SECStatus
2209 ssl3_GetRangePolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *prange)
2210 {
2211 SECStatus rv;
2212 PRUint32 policy;
2213 PRInt32 option;
2214
2215 /* only use policy constraints if we've set the apply ssl policy bit */
2216 rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy);
2217 if ((rv != SECSuccess) || !(policy & NSS_USE_POLICY_IN_SSL)) {
2218 return SECFailure;
2219 }
2220 rv = NSS_OptionGet(VERSIONS_POLICY_MIN(protocolVariant), &option);
2221 if (rv != SECSuccess) {
2222 return rv;
2223 }
2224 prange->min = (PRUint16)option;
2225 rv = NSS_OptionGet(VERSIONS_POLICY_MAX(protocolVariant), &option);
2226 if (rv != SECSuccess) {
2227 return rv;
2228 }
2229 prange->max = (PRUint16)option;
2230 if (prange->max < prange->min) {
2231 return SECFailure; /* don't accept an invalid policy */
2232 }
2233 return SECSuccess;
2234 }
2235
2236 /*
2237 * Constrain a single protocol variant's range based on the user policy
2238 */
2239 static SECStatus
2240 ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
2241 {
2242 SSLVersionRange vrange;
2243 SSLVersionRange pvrange;
2244 SECStatus rv;
2245
2246 vrange = *VERSIONS_DEFAULTS(protocolVariant);
2247 rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
2248 if (rv != SECSuccess) {
2249 return SECSuccess; /* we don't have any policy */
2250 }
2251 vrange.min = PR_MAX(vrange.min, pvrange.min);
2252 vrange.max = PR_MIN(vrange.max, pvrange.max);
2253 if (vrange.max >= vrange.min) {
2254 *VERSIONS_DEFAULTS(protocolVariant) = vrange;
2255 } else {
2256 /* there was no overlap, turn off range altogether */
2257 pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
2258 *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
2259 }
2260 return SECSuccess;
2261 }
2262
2263 static PRBool
2264 ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
2265 SSL3ProtocolVersion version)
2266 {
2267 SSLVersionRange pvrange;
2268 SECStatus rv;
2269
2270 rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
2271 if (rv == SECSuccess) {
2272 if ((version > pvrange.max) || (version < pvrange.min)) {
2273 return PR_FALSE; /* disallowed by policy */
2274 }
2275 }
2276 return PR_TRUE;
2277 }
2278
2279 /*
2280 * This is called at SSL init time to constrain the existing range based
2281 * on user supplied policy.
2282 */
2283 SECStatus
2284 ssl3_ConstrainRangeByPolicy(void)
2285 {
2286 SECStatus rv;
2287 rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream);
2288 if (rv != SECSuccess) {
2289 return rv;
2290 }
2291 rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram);
2292 if (rv != SECSuccess) {
2293 return rv;
2294 }
2295 return SECSuccess;
2296 }
2297
2058 PRBool 2298 PRBool
2059 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, 2299 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
2060 SSL3ProtocolVersion version) 2300 SSL3ProtocolVersion version)
2061 { 2301 {
2302 if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
2303 return PR_FALSE;
2304 }
2062 switch (protocolVariant) { 2305 switch (protocolVariant) {
2063 case ssl_variant_stream: 2306 case ssl_variant_stream:
2064 return (version >= SSL_LIBRARY_VERSION_3_0 && 2307 return (version >= SSL_LIBRARY_VERSION_3_0 &&
2065 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); 2308 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
2066 case ssl_variant_datagram: 2309 case ssl_variant_datagram:
2067 return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && 2310 return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
2068 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); 2311 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
2069 default: 2312 default:
2070 /* Can't get here */ 2313 /* Can't get here */
2071 PORT_Assert(PR_FALSE); 2314 PORT_Assert(PR_FALSE);
2072 return PR_FALSE; 2315 return PR_FALSE;
2073 } 2316 }
2074 } 2317 }
2075 2318
2076 /* Returns PR_TRUE if the given version range is valid and 2319 /* Returns PR_TRUE if the given version range is valid and
2077 ** fully supported; otherwise, returns PR_FALSE. 2320 ** fully supported; otherwise, returns PR_FALSE.
2078 */ 2321 */
2079 static PRBool 2322 static PRBool
2080 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, 2323 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
2081 const SSLVersionRange *vrange) 2324 const SSLVersionRange *vrange)
2082 { 2325 {
2083 return vrange && 2326 return vrange &&
2084 vrange->min <= vrange->max && 2327 vrange->min <= vrange->max &&
2085 ssl3_VersionIsSupported(protocolVariant, vrange->min) && 2328 ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
2086 ssl3_VersionIsSupported(protocolVariant, vrange->max); 2329 ssl3_VersionIsSupported(protocolVariant, vrange->max);
2087 } 2330 }
2088 2331
2332 const SECItem *
2333 SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
2334 {
2335 sslSocket *ss = ssl_FindSocket(fd);
2336
2337 if (!ss) {
2338 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
2339 SSL_GETPID(), fd));
2340 return NULL;
2341 }
2342
2343 if (!ss->sec.ci.sid) {
2344 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
2345 return NULL;
2346 }
2347
2348 if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
2349 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
2350 return NULL;
2351 }
2352 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
2353 }
2354
2089 SECStatus 2355 SECStatus
2090 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, 2356 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
2091 SSLVersionRange *vrange) 2357 SSLVersionRange *vrange)
2092 { 2358 {
2093 if (!vrange) { 2359 if (!vrange) {
2094 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2360 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2095 return SECFailure; 2361 return SECFailure;
2096 } 2362 }
2097 2363
2098 switch (protocolVariant) { 2364 switch (protocolVariant) {
2099 case ssl_variant_stream: 2365 case ssl_variant_stream:
2100 vrange->min = SSL_LIBRARY_VERSION_3_0; 2366 vrange->min = SSL_LIBRARY_VERSION_3_0;
2101 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; 2367 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
2102 break; 2368 break;
2103 case ssl_variant_datagram: 2369 case ssl_variant_datagram:
2104 vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; 2370 vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
2105 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; 2371 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
2106 break; 2372 break;
2107 default: 2373 default:
2108 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2374 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2109 return SECFailure; 2375 return SECFailure;
2110 } 2376 }
2111 2377
2112 return SECSuccess; 2378 return SECSuccess;
2113 } 2379 }
2114 2380
2115 SECStatus 2381 SECStatus
2116 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, 2382 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
2117 SSLVersionRange *vrange) 2383 SSLVersionRange *vrange)
2118 { 2384 {
2119 if ((protocolVariant != ssl_variant_stream && 2385 if ((protocolVariant != ssl_variant_stream &&
2120 protocolVariant != ssl_variant_datagram) || !vrange) { 2386 protocolVariant != ssl_variant_datagram) ||
2387 !vrange) {
2121 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2388 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2122 return SECFailure; 2389 return SECFailure;
2123 } 2390 }
2124 2391
2125 *vrange = *VERSIONS_DEFAULTS(protocolVariant); 2392 *vrange = *VERSIONS_DEFAULTS(protocolVariant);
2126 2393
2127 return SECSuccess; 2394 return SECSuccess;
2128 } 2395 }
2129 2396
2130 SECStatus 2397 SECStatus
2131 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, 2398 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
2132 const SSLVersionRange *vrange) 2399 const SSLVersionRange *vrange)
2133 { 2400 {
2134 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { 2401 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) {
2135 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); 2402 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
2136 return SECFailure; 2403 return SECFailure;
2137 } 2404 }
2138 2405
2139 *VERSIONS_DEFAULTS(protocolVariant) = *vrange; 2406 *VERSIONS_DEFAULTS(protocolVariant) = *vrange;
2140 2407
2141 return SECSuccess; 2408 return SECSuccess;
2142 } 2409 }
2143 2410
2144 SECStatus 2411 SECStatus
2145 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) 2412 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
2146 { 2413 {
2147 sslSocket *ss = ssl_FindSocket(fd); 2414 sslSocket *ss = ssl_FindSocket(fd);
2148 2415
2149 if (!ss) { 2416 if (!ss) {
2150 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet", 2417 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeGet",
2151 SSL_GETPID(), fd)); 2418 SSL_GETPID(), fd));
2152 return SECFailure; 2419 return SECFailure;
2153 } 2420 }
2154 2421
2155 if (!vrange) { 2422 if (!vrange) {
2156 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2423 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2157 return SECFailure; 2424 return SECFailure;
2158 } 2425 }
2159 2426
2160 ssl_Get1stHandshakeLock(ss); 2427 ssl_Get1stHandshakeLock(ss);
2161 ssl_GetSSL3HandshakeLock(ss); 2428 ssl_GetSSL3HandshakeLock(ss);
2162 2429
2163 *vrange = ss->vrange; 2430 *vrange = ss->vrange;
2164 2431
2165 ssl_ReleaseSSL3HandshakeLock(ss); 2432 ssl_ReleaseSSL3HandshakeLock(ss);
2166 ssl_Release1stHandshakeLock(ss); 2433 ssl_Release1stHandshakeLock(ss);
2167 2434
2168 return SECSuccess; 2435 return SECSuccess;
2169 } 2436 }
2170 2437
2171 static PRCallOnceType checkTLS12TokenOnce;
2172 static PRBool tls12TokenExists;
2173
2174 static PRStatus
2175 ssl_CheckTLS12Token(void)
2176 {
2177 tls12TokenExists =
2178 PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256);
2179 return PR_SUCCESS;
2180 }
2181
2182 static PRBool
2183 ssl_TLS12TokenExists(void)
2184 {
2185 (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token);
2186 return tls12TokenExists;
2187 }
2188
2189 SECStatus 2438 SECStatus
2190 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) 2439 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
2191 { 2440 {
2192 sslSocket *ss = ssl_FindSocket(fd); 2441 sslSocket *ss = ssl_FindSocket(fd);
2193 2442
2194 if (!ss) { 2443 if (!ss) {
2195 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", 2444 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet",
2196 SSL_GETPID(), fd)); 2445 SSL_GETPID(), fd));
2197 return SECFailure; 2446 return SECFailure;
2198 } 2447 }
2199 2448
2200 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { 2449 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) {
2201 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); 2450 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
2202 return SECFailure; 2451 return SECFailure;
2203 } 2452 }
2204 2453
2205 ssl_Get1stHandshakeLock(ss); 2454 ssl_Get1stHandshakeLock(ss);
2206 ssl_GetSSL3HandshakeLock(ss); 2455 ssl_GetSSL3HandshakeLock(ss);
2207 2456
2457 if (ss->ssl3.downgradeCheckVersion &&
2458 ss->vrange.max > ss->ssl3.downgradeCheckVersion) {
2459 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
2460 ssl_ReleaseSSL3HandshakeLock(ss);
2461 ssl_Release1stHandshakeLock(ss);
2462 return SECFailure;
2463 }
2464
2208 ss->vrange = *vrange; 2465 ss->vrange = *vrange;
2209 /* If we don't have a sufficiently up-to-date softoken then we cannot do
2210 * TLS 1.2. */
2211 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
2212 !ssl_TLS12TokenExists()) {
2213 /* If the user requested a minimum version of 1.2, then we don't
2214 * silently downgrade. */
2215 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
2216 ssl_ReleaseSSL3HandshakeLock(ss);
2217 ssl_Release1stHandshakeLock(ss);
2218 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
2219 return SECFailure;
2220 }
2221 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
2222 }
2223 2466
2224 ssl_ReleaseSSL3HandshakeLock(ss); 2467 ssl_ReleaseSSL3HandshakeLock(ss);
2225 ssl_Release1stHandshakeLock(ss); 2468 ssl_Release1stHandshakeLock(ss);
2226 2469
2227 return SECSuccess; 2470 return SECSuccess;
2228 } 2471 }
2229 2472
2473 SECStatus
2474 SSL_SetDowngradeCheckVersion(PRFileDesc *fd, PRUint16 version)
2475 {
2476 sslSocket *ss = ssl_FindSocket(fd);
2477 SECStatus rv = SECFailure;
2478
2479 if (!ss) {
2480 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetDowngradeCheckVersion",
2481 SSL_GETPID(), fd));
2482 return SECFailure;
2483 }
2484
2485 if (version && !ssl3_VersionIsSupported(ss->protocolVariant, version)) {
2486 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2487 return SECFailure;
2488 }
2489
2490 ssl_Get1stHandshakeLock(ss);
2491 ssl_GetSSL3HandshakeLock(ss);
2492
2493 if (version && version < ss->vrange.max) {
2494 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2495 goto loser;
2496 }
2497 ss->ssl3.downgradeCheckVersion = version;
2498 rv = SECSuccess;
2499
2500 loser:
2501 ssl_ReleaseSSL3HandshakeLock(ss);
2502 ssl_Release1stHandshakeLock(ss);
2503
2504 return rv;
2505 }
2506
2230 const SECItemArray * 2507 const SECItemArray *
2231 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) 2508 SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
2232 { 2509 {
2233 sslSocket *ss = ssl_FindSocket(fd); 2510 sslSocket *ss = ssl_FindSocket(fd);
2234 2511
2235 if (!ss) { 2512 if (!ss) {
2236 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", 2513 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses",
2237 SSL_GETPID(), fd)); 2514 SSL_GETPID(), fd));
2238 return NULL; 2515 return NULL;
2239 } 2516 }
2240 2517
2241 if (!ss->sec.ci.sid) { 2518 if (!ss->sec.ci.sid) {
2242 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 2519 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
2243 return NULL; 2520 return NULL;
2244 } 2521 }
2245 2522
2246 return &ss->sec.ci.sid->peerCertStatus; 2523 return &ss->sec.ci.sid->peerCertStatus;
2247 } 2524 }
2248 2525
2249 const SECItem * 2526 SECStatus
2250 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) 2527 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed)
2251 { 2528 {
2252 sslSocket *ss = ssl_FindSocket(fd); 2529 sslSocket *ss = ssl_FindSocket(fd);
2253 2530
2254 if (!ss) { 2531 if (!ss) {
2255 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", 2532 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession",
2256 » » SSL_GETPID(), fd)); 2533 SSL_GETPID(), fd));
2257 return NULL; 2534 return SECFailure;
2258 }
2259
2260 if (!ss->sec.ci.sid) {
2261 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
2262 return NULL;
2263 }
2264
2265 if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
2266 » PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
2267 » return NULL;
2268 }
2269 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
2270 }
2271
2272 SECStatus
2273 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
2274 sslSocket *ss = ssl_FindSocket(fd);
2275
2276 if (!ss) {
2277 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession",
2278 » » SSL_GETPID(), fd));
2279 » return SECFailure;
2280 } 2535 }
2281 2536
2282 *handshake_resumed = ss->ssl3.hs.isResuming; 2537 *handshake_resumed = ss->ssl3.hs.isResuming;
2283 return SECSuccess; 2538 return SECSuccess;
2284 } 2539 }
2285 2540
2286 const SECItem * 2541 const SECItem *
2287 SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd) 2542 SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
2288 { 2543 {
2289 sslSocket *ss = ssl_FindSocket(fd); 2544 sslSocket *ss = ssl_FindSocket(fd);
2290 2545
2291 if (!ss) { 2546 if (!ss) {
2292 SSL_DBG(("%d: SSL[%d]: bad socket in " 2547 SSL_DBG(("%d: SSL[%d]: bad socket in "
2293 "SSL_GetRequestedClientCertificateTypes", SSL_GETPID(), fd)); 2548 "SSL_GetRequestedClientCertificateTypes",
2294 return NULL; 2549 SSL_GETPID(), fd));
2295 } 2550 return NULL;
2551 }
2296 2552
2297 return ss->requestedCertTypes; 2553 return ss->requestedCertTypes;
2298 } 2554 }
2299 2555
2300 /************************************************************************/ 2556 /************************************************************************/
2301 /* The following functions are the TOP LEVEL SSL functions. 2557 /* The following functions are the TOP LEVEL SSL functions.
2302 ** They all get called through the NSPRIOMethods table below. 2558 ** They all get called through the NSPRIOMethods table below.
2303 */ 2559 */
2304 2560
2305 static PRFileDesc * PR_CALLBACK 2561 static PRFileDesc *PR_CALLBACK
2306 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) 2562 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
2307 { 2563 {
2308 sslSocket *ss; 2564 sslSocket *ss;
2309 sslSocket *ns = NULL; 2565 sslSocket *ns = NULL;
2310 PRFileDesc *newfd = NULL; 2566 PRFileDesc *newfd = NULL;
2311 PRFileDesc *osfd; 2567 PRFileDesc *osfd;
2312 PRStatus status; 2568 PRStatus status;
2313 2569
2314 ss = ssl_GetPrivate(fd); 2570 ss = ssl_GetPrivate(fd);
2315 if (!ss) { 2571 if (!ss) {
2316 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); 2572 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
2317 return NULL; 2573 return NULL;
2318 } 2574 }
2319 2575
2320 /* IF this is a listen socket, there shouldn't be any I/O going on */ 2576 /* IF this is a listen socket, there shouldn't be any I/O going on */
2321 SSL_LOCK_READER(ss); 2577 SSL_LOCK_READER(ss);
2322 SSL_LOCK_WRITER(ss); 2578 SSL_LOCK_WRITER(ss);
(...skipping 10 matching lines...) Expand all
2333 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", 2589 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
2334 SSL_GETPID(), ss->fd, PORT_GetError())); 2590 SSL_GETPID(), ss->fd, PORT_GetError()));
2335 } else { 2591 } else {
2336 /* Create ssl module */ 2592 /* Create ssl module */
2337 ns = ssl_DupSocket(ss); 2593 ns = ssl_DupSocket(ss);
2338 } 2594 }
2339 2595
2340 ssl_ReleaseSSL3HandshakeLock(ss); 2596 ssl_ReleaseSSL3HandshakeLock(ss);
2341 ssl_Release1stHandshakeLock(ss); 2597 ssl_Release1stHandshakeLock(ss);
2342 SSL_UNLOCK_WRITER(ss); 2598 SSL_UNLOCK_WRITER(ss);
2343 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ 2599 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */
2344 2600
2345 if (ns == NULL) 2601 if (ns == NULL)
2346 goto loser; 2602 goto loser;
2347 2603
2348 /* push ssl module onto the new socket */ 2604 /* push ssl module onto the new socket */
2349 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); 2605 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
2350 if (status != PR_SUCCESS) 2606 if (status != PR_SUCCESS)
2351 goto loser; 2607 goto loser;
2352 2608
2353 /* Now start server connection handshake with client. 2609 /* Now start server connection handshake with client.
2354 ** Don't need locks here because nobody else has a reference to ns yet. 2610 ** Don't need locks here because nobody else has a reference to ns yet.
2355 */ 2611 */
2356 if ( ns->opt.useSecurity ) { 2612 if (ns->opt.useSecurity) {
2357 if ( ns->opt.handshakeAsClient ) { 2613 if (ns->opt.handshakeAsClient) {
2358 ns->handshake = ssl2_BeginClientHandshake; 2614 ns->handshake = ssl2_BeginClientHandshake;
2359 ss->handshaking = sslHandshakingAsClient; 2615 ss->handshaking = sslHandshakingAsClient;
2360 } else { 2616 } else {
2361 ns->handshake = ssl2_BeginServerHandshake; 2617 ns->handshake = ssl2_BeginServerHandshake;
2362 ss->handshaking = sslHandshakingAsServer; 2618 ss->handshaking = sslHandshakingAsServer;
2363 } 2619 }
2364 } 2620 }
2365 ns->TCPconnected = 1; 2621 ns->TCPconnected = 1;
2366 return newfd; 2622 return newfd;
2367 2623
2368 loser: 2624 loser:
2369 if (ns != NULL) 2625 if (ns != NULL)
2370 ssl_FreeSocket(ns); 2626 ssl_FreeSocket(ns);
2371 if (newfd != NULL) 2627 if (newfd != NULL)
2372 PR_Close(newfd); 2628 PR_Close(newfd);
2373 return NULL; 2629 return NULL;
2374 } 2630 }
2375 2631
2376 static PRStatus PR_CALLBACK 2632 static PRStatus PR_CALLBACK
2377 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) 2633 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
2378 { 2634 {
2379 sslSocket *ss; 2635 sslSocket *ss;
2380 PRStatus rv; 2636 PRStatus rv;
2381 2637
2382 ss = ssl_GetPrivate(fd); 2638 ss = ssl_GetPrivate(fd);
2383 if (!ss) { 2639 if (!ss) {
2384 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); 2640 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
2385 return PR_FAILURE; 2641 return PR_FAILURE;
2386 } 2642 }
2387 2643
2388 /* IF this is a listen socket, there shouldn't be any I/O going on */ 2644 /* IF this is a listen socket, there shouldn't be any I/O going on */
2389 SSL_LOCK_READER(ss); 2645 SSL_LOCK_READER(ss);
2390 SSL_LOCK_WRITER(ss); 2646 SSL_LOCK_WRITER(ss);
2391 2647
2392 ss->cTimeout = timeout; 2648 ss->cTimeout = timeout;
2393 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); 2649 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
2394 2650
2395 SSL_UNLOCK_WRITER(ss); 2651 SSL_UNLOCK_WRITER(ss);
2396 SSL_UNLOCK_READER(ss); 2652 SSL_UNLOCK_READER(ss);
2397 2653
2398 return rv; 2654 return rv;
2399 } 2655 }
2400 2656
2401 static PRStatus PR_CALLBACK 2657 static PRStatus PR_CALLBACK
2402 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) 2658 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
2403 { 2659 {
2404 sslSocket * ss = ssl_GetPrivate(fd); 2660 sslSocket *ss = ssl_GetPrivate(fd);
2405 PRStatus rv; 2661 PRStatus rv;
2406 2662
2407 if (!ss) { 2663 if (!ss) {
2408 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); 2664 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
2409 return PR_FAILURE; 2665 return PR_FAILURE;
2410 } 2666 }
2411 SSL_LOCK_READER(ss); 2667 SSL_LOCK_READER(ss);
2412 SSL_LOCK_WRITER(ss); 2668 SSL_LOCK_WRITER(ss);
2413 2669
2414 rv = (PRStatus)(*ss->ops->bind)(ss, addr); 2670 rv = (PRStatus)(*ss->ops->bind)(ss, addr);
2415 2671
2416 SSL_UNLOCK_WRITER(ss); 2672 SSL_UNLOCK_WRITER(ss);
2417 SSL_UNLOCK_READER(ss); 2673 SSL_UNLOCK_READER(ss);
2418 return rv; 2674 return rv;
2419 } 2675 }
2420 2676
2421 static PRStatus PR_CALLBACK 2677 static PRStatus PR_CALLBACK
2422 ssl_Listen(PRFileDesc *fd, PRIntn backlog) 2678 ssl_Listen(PRFileDesc *fd, PRIntn backlog)
2423 { 2679 {
2424 sslSocket * ss = ssl_GetPrivate(fd); 2680 sslSocket *ss = ssl_GetPrivate(fd);
2425 PRStatus rv; 2681 PRStatus rv;
2426 2682
2427 if (!ss) { 2683 if (!ss) {
2428 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); 2684 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
2429 return PR_FAILURE; 2685 return PR_FAILURE;
2430 } 2686 }
2431 SSL_LOCK_READER(ss); 2687 SSL_LOCK_READER(ss);
2432 SSL_LOCK_WRITER(ss); 2688 SSL_LOCK_WRITER(ss);
2433 2689
2434 rv = (PRStatus)(*ss->ops->listen)(ss, backlog); 2690 rv = (PRStatus)(*ss->ops->listen)(ss, backlog);
2435 2691
2436 SSL_UNLOCK_WRITER(ss); 2692 SSL_UNLOCK_WRITER(ss);
2437 SSL_UNLOCK_READER(ss); 2693 SSL_UNLOCK_READER(ss);
2438 return rv; 2694 return rv;
2439 } 2695 }
2440 2696
2441 static PRStatus PR_CALLBACK 2697 static PRStatus PR_CALLBACK
2442 ssl_Shutdown(PRFileDesc *fd, PRIntn how) 2698 ssl_Shutdown(PRFileDesc *fd, PRIntn how)
2443 { 2699 {
2444 sslSocket * ss = ssl_GetPrivate(fd); 2700 sslSocket *ss = ssl_GetPrivate(fd);
2445 PRStatus rv; 2701 PRStatus rv;
2446 2702
2447 if (!ss) { 2703 if (!ss) {
2448 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); 2704 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
2449 return PR_FAILURE; 2705 return PR_FAILURE;
2450 } 2706 }
2451 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { 2707 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
2452 SSL_LOCK_READER(ss); 2708 SSL_LOCK_READER(ss);
2453 } 2709 }
2454 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { 2710 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
2455 SSL_LOCK_WRITER(ss); 2711 SSL_LOCK_WRITER(ss);
2456 } 2712 }
2457 2713
2458 rv = (PRStatus)(*ss->ops->shutdown)(ss, how); 2714 rv = (PRStatus)(*ss->ops->shutdown)(ss, how);
2459 2715
2460 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { 2716 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
2461 SSL_UNLOCK_WRITER(ss); 2717 SSL_UNLOCK_WRITER(ss);
2462 } 2718 }
2463 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { 2719 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
2464 SSL_UNLOCK_READER(ss); 2720 SSL_UNLOCK_READER(ss);
2465 } 2721 }
2466 return rv; 2722 return rv;
2467 } 2723 }
2468 2724
2469 static PRStatus PR_CALLBACK 2725 static PRStatus PR_CALLBACK
2470 ssl_Close(PRFileDesc *fd) 2726 ssl_Close(PRFileDesc *fd)
2471 { 2727 {
2472 sslSocket *ss; 2728 sslSocket *ss;
2473 PRStatus rv; 2729 PRStatus rv;
2474 2730
2475 ss = ssl_GetPrivate(fd); 2731 ss = ssl_GetPrivate(fd);
2476 if (!ss) { 2732 if (!ss) {
2477 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); 2733 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
2478 return PR_FAILURE; 2734 return PR_FAILURE;
2479 } 2735 }
2480 2736
2481 /* There must not be any I/O going on */ 2737 /* There must not be any I/O going on */
2482 SSL_LOCK_READER(ss); 2738 SSL_LOCK_READER(ss);
2483 SSL_LOCK_WRITER(ss); 2739 SSL_LOCK_WRITER(ss);
2484 2740
2485 /* By the time this function returns, 2741 /* By the time this function returns,
2486 ** ss is an invalid pointer, and the locks to which it points have 2742 ** ss is an invalid pointer, and the locks to which it points have
2487 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL 2743 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL
2488 ** where the LOCK calls and the corresponding UNLOCK calls are not in 2744 ** where the LOCK calls and the corresponding UNLOCK calls are not in
2489 ** the same function scope. The unlock calls are in ssl_FreeSocket(). 2745 ** the same function scope. The unlock calls are in ssl_FreeSocket().
2490 */ 2746 */
2491 rv = (PRStatus)(*ss->ops->close)(ss); 2747 rv = (PRStatus)(*ss->ops->close)(ss);
2492 2748
2493 return rv; 2749 return rv;
2494 } 2750 }
2495 2751
2496 static int PR_CALLBACK 2752 static int PR_CALLBACK
2497 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, 2753 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
2498 PRIntervalTime timeout) 2754 PRIntervalTime timeout)
2499 { 2755 {
2500 sslSocket *ss; 2756 sslSocket *ss;
2501 int rv; 2757 int rv;
2502 2758
2503 ss = ssl_GetPrivate(fd); 2759 ss = ssl_GetPrivate(fd);
2504 if (!ss) { 2760 if (!ss) {
2505 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); 2761 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
2506 return SECFailure; 2762 return SECFailure;
2507 } 2763 }
2508 SSL_LOCK_READER(ss); 2764 SSL_LOCK_READER(ss);
2509 ss->rTimeout = timeout; 2765 ss->rTimeout = timeout;
2510 if (!ss->opt.fdx) 2766 if (!ss->opt.fdx)
2511 ss->wTimeout = timeout; 2767 ss->wTimeout = timeout;
2512 rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags); 2768 rv = (*ss->ops->recv)(ss, (unsigned char *)buf, len, flags);
2513 SSL_UNLOCK_READER(ss); 2769 SSL_UNLOCK_READER(ss);
2514 return rv; 2770 return rv;
2515 } 2771 }
2516 2772
2517 static int PR_CALLBACK 2773 static int PR_CALLBACK
2518 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, 2774 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
2519 PRIntervalTime timeout) 2775 PRIntervalTime timeout)
2520 { 2776 {
2521 sslSocket *ss; 2777 sslSocket *ss;
2522 int rv; 2778 int rv;
2523 2779
2524 ss = ssl_GetPrivate(fd); 2780 ss = ssl_GetPrivate(fd);
2525 if (!ss) { 2781 if (!ss) {
2526 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); 2782 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
2527 return SECFailure; 2783 return SECFailure;
2528 } 2784 }
2529 SSL_LOCK_WRITER(ss); 2785 SSL_LOCK_WRITER(ss);
2530 ss->wTimeout = timeout; 2786 ss->wTimeout = timeout;
2531 if (!ss->opt.fdx) 2787 if (!ss->opt.fdx)
2532 ss->rTimeout = timeout; 2788 ss->rTimeout = timeout;
2533 rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags); 2789 rv = (*ss->ops->send)(ss, (const unsigned char *)buf, len, flags);
2534 SSL_UNLOCK_WRITER(ss); 2790 SSL_UNLOCK_WRITER(ss);
2535 return rv; 2791 return rv;
2536 } 2792 }
2537 2793
2538 static int PR_CALLBACK 2794 static int PR_CALLBACK
2539 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) 2795 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
2540 { 2796 {
2541 sslSocket *ss; 2797 sslSocket *ss;
2542 int rv; 2798 int rv;
2543 2799
2544 ss = ssl_GetPrivate(fd); 2800 ss = ssl_GetPrivate(fd);
2545 if (!ss) { 2801 if (!ss) {
2546 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); 2802 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
2547 return SECFailure; 2803 return SECFailure;
2548 } 2804 }
2549 SSL_LOCK_READER(ss); 2805 SSL_LOCK_READER(ss);
2550 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; 2806 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
2551 if (!ss->opt.fdx) 2807 if (!ss->opt.fdx)
2552 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; 2808 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
2553 rv = (*ss->ops->read)(ss, (unsigned char*)buf, len); 2809 rv = (*ss->ops->read)(ss, (unsigned char *)buf, len);
2554 SSL_UNLOCK_READER(ss); 2810 SSL_UNLOCK_READER(ss);
2555 return rv; 2811 return rv;
2556 } 2812 }
2557 2813
2558 static int PR_CALLBACK 2814 static int PR_CALLBACK
2559 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) 2815 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
2560 { 2816 {
2561 sslSocket *ss; 2817 sslSocket *ss;
2562 int rv; 2818 int rv;
2563 2819
2564 ss = ssl_GetPrivate(fd); 2820 ss = ssl_GetPrivate(fd);
2565 if (!ss) { 2821 if (!ss) {
2566 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); 2822 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
2567 return SECFailure; 2823 return SECFailure;
2568 } 2824 }
2569 SSL_LOCK_WRITER(ss); 2825 SSL_LOCK_WRITER(ss);
2570 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; 2826 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
2571 if (!ss->opt.fdx) 2827 if (!ss->opt.fdx)
2572 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; 2828 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
2573 rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len); 2829 rv = (*ss->ops->write)(ss, (const unsigned char *)buf, len);
2574 SSL_UNLOCK_WRITER(ss); 2830 SSL_UNLOCK_WRITER(ss);
2575 return rv; 2831 return rv;
2576 } 2832 }
2577 2833
2578 static PRStatus PR_CALLBACK 2834 static PRStatus PR_CALLBACK
2579 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) 2835 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
2580 { 2836 {
2581 sslSocket *ss; 2837 sslSocket *ss;
2582 2838
2583 ss = ssl_GetPrivate(fd); 2839 ss = ssl_GetPrivate(fd);
2584 if (!ss) { 2840 if (!ss) {
2585 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); 2841 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
2586 return PR_FAILURE; 2842 return PR_FAILURE;
2587 } 2843 }
2588 return (PRStatus)(*ss->ops->getpeername)(ss, addr); 2844 return (PRStatus)(*ss->ops->getpeername)(ss, addr);
2589 } 2845 }
2590 2846
2591 /* 2847 /*
2592 */ 2848 */
2593 SECStatus 2849 SECStatus
2594 ssl_GetPeerInfo(sslSocket *ss) 2850 ssl_GetPeerInfo(sslSocket *ss)
2595 { 2851 {
2596 PRFileDesc * osfd; 2852 PRFileDesc *osfd;
2597 int rv; 2853 int rv;
2598 PRNetAddr sin; 2854 PRNetAddr sin;
2599 2855
2600 osfd = ss->fd->lower; 2856 osfd = ss->fd->lower;
2601 2857
2602 PORT_Memset(&sin, 0, sizeof(sin)); 2858 PORT_Memset(&sin, 0, sizeof(sin));
2603 rv = osfd->methods->getpeername(osfd, &sin); 2859 rv = osfd->methods->getpeername(osfd, &sin);
2604 if (rv < 0) { 2860 if (rv < 0) {
2605 return SECFailure; 2861 return SECFailure;
2606 } 2862 }
2607 ss->TCPconnected = 1; 2863 ss->TCPconnected = 1;
2608 if (sin.inet.family == PR_AF_INET) { 2864 if (sin.inet.family == PR_AF_INET) {
(...skipping 28 matching lines...) Expand all
2637 { 2893 {
2638 sslSocket *ss; 2894 sslSocket *ss;
2639 2895
2640 ss = ssl_FindSocket(fd); 2896 ss = ssl_FindSocket(fd);
2641 if (!ss) { 2897 if (!ss) {
2642 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses", 2898 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses",
2643 SSL_GETPID(), fd)); 2899 SSL_GETPID(), fd));
2644 return SECFailure; 2900 return SECFailure;
2645 } 2901 }
2646 2902
2647 if ( kea <= 0 || kea >= kt_kea_size) { 2903 if (kea <= 0 || kea >= kt_kea_size) {
2648 SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses", 2904 SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetStapledOCSPResponses",
2649 SSL_GETPID(), fd)); 2905 SSL_GETPID(), fd));
2650 return SECFailure; 2906 return SECFailure;
2651 } 2907 }
2652 2908
2653 if (ss->certStatusArray[kea]) { 2909 if (ss->certStatusArray[kea]) {
2654 SECITEM_FreeArray(ss->certStatusArray[kea], PR_TRUE); 2910 SECITEM_FreeArray(ss->certStatusArray[kea], PR_TRUE);
2655 ss->certStatusArray[kea] = NULL; 2911 ss->certStatusArray[kea] = NULL;
2656 } 2912 }
2657 if (responses) { 2913 if (responses) {
2658 ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses); 2914 ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses);
2659 } 2915 }
2660 return (ss->certStatusArray[kea] || !responses) ? SECSuccess : SECFailure; 2916 return (ss->certStatusArray[kea] || !responses) ? SECSuccess : SECFailure;
2661 } 2917 }
2662 2918
2663 SECStatus 2919 SECStatus
2920 SSL_SetSignedCertTimestamps(PRFileDesc *fd, const SECItem *scts, SSLKEAType kea)
2921 {
2922 sslSocket *ss;
2923
2924 ss = ssl_FindSocket(fd);
2925 if (!ss) {
2926 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSignedCertTimestamps",
2927 SSL_GETPID(), fd));
2928 return SECFailure;
2929 }
2930
2931 if (kea <= 0 || kea >= kt_kea_size) {
2932 SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetSignedCertTimestamps",
2933 SSL_GETPID(), fd));
2934 return SECFailure;
2935 }
2936
2937 if (ss->signedCertTimestamps[kea].data) {
2938 SECITEM_FreeItem(&ss->signedCertTimestamps[kea], PR_FALSE);
2939 }
2940
2941 if (!scts) {
2942 return SECSuccess;
2943 }
2944
2945 return SECITEM_CopyItem(NULL, &ss->signedCertTimestamps[kea], scts);
2946 }
2947
2948 SECStatus
2664 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) 2949 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID)
2665 { 2950 {
2666 sslSocket *ss; 2951 sslSocket *ss;
2667 2952
2668 ss = ssl_FindSocket(fd); 2953 ss = ssl_FindSocket(fd);
2669 if (!ss) { 2954 if (!ss) {
2670 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID", 2955 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID",
2671 SSL_GETPID(), fd)); 2956 SSL_GETPID(), fd));
2672 return SECFailure; 2957 return SECFailure;
2673 } 2958 }
2674 2959
2675 if (ss->peerID) { 2960 if (ss->peerID) {
2676 PORT_Free(ss->peerID); 2961 PORT_Free(ss->peerID);
2677 ss->peerID = NULL; 2962 ss->peerID = NULL;
2678 } 2963 }
2679 if (peerID) 2964 if (peerID)
2680 ss->peerID = PORT_Strdup(peerID); 2965 ss->peerID = PORT_Strdup(peerID);
2681 return (ss->peerID || !peerID) ? SECSuccess : SECFailure; 2966 return (ss->peerID || !peerID) ? SECSuccess : SECFailure;
2682 } 2967 }
2683 2968
2684 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) 2969 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)
2685 2970
2686 static PRInt16 PR_CALLBACK 2971 static PRInt16 PR_CALLBACK
2687 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) 2972 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
2688 { 2973 {
2689 sslSocket *ss; 2974 sslSocket *ss;
2690 PRInt16 new_flags = how_flags; /* should select on these flags. */ 2975 PRInt16 new_flags = how_flags; /* should select on these flags. */
2691 PRNetAddr addr; 2976 PRNetAddr addr;
2692 2977
2693 *p_out_flags = 0; 2978 *p_out_flags = 0;
2694 ss = ssl_GetPrivate(fd); 2979 ss = ssl_GetPrivate(fd);
2695 if (!ss) { 2980 if (!ss) {
2696 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", 2981 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
2697 SSL_GETPID(), fd)); 2982 SSL_GETPID(), fd));
2698 return 0; /* don't poll on this socket */ 2983 return 0; /* don't poll on this socket */
2699 } 2984 }
2700 2985
2701 if (ss->opt.useSecurity && 2986 if (ss->opt.useSecurity &&
2702 ss->handshaking != sslHandshakingUndetermined && 2987 ss->handshaking != sslHandshakingUndetermined &&
2703 !ss->firstHsDone && 2988 !ss->firstHsDone &&
2704 (how_flags & PR_POLL_RW)) { 2989 (how_flags & PR_POLL_RW)) {
2705 if (!ss->TCPconnected) { 2990 if (!ss->TCPconnected) {
2706 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); 2991 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
2707 } 2992 }
2708 /* If it's not connected, then presumably the application is polling 2993 /* If it's not connected, then presumably the application is polling
2709 ** on read or write appropriately, so don't change it. 2994 ** on read or write appropriately, so don't change it.
2710 */ 2995 */
2711 if (ss->TCPconnected) { 2996 if (ss->TCPconnected) {
2712 if (!ss->handshakeBegun) { 2997 if (!ss->handshakeBegun) {
2713 /* If the handshake has not begun, poll on read or write 2998 /* If the handshake has not begun, poll on read or write
2714 ** based on the local application's role in the handshake, 2999 ** based on the local application's role in the handshake,
2715 ** not based on what the application requested. 3000 ** not based on what the application requested.
2716 */ 3001 */
2717 new_flags &= ~PR_POLL_RW; 3002 new_flags &= ~PR_POLL_RW;
2718 if (ss->handshaking == sslHandshakingAsClient) { 3003 if (ss->handshaking == sslHandshakingAsClient) {
2719 new_flags |= PR_POLL_WRITE; 3004 new_flags |= PR_POLL_WRITE;
2720 } else { /* handshaking as server */ 3005 } else { /* handshaking as server */
2721 new_flags |= PR_POLL_READ; 3006 new_flags |= PR_POLL_READ;
2722 } 3007 }
2723 } else 3008 } else
2724 /* First handshake is in progress */ 3009 /* First handshake is in progress */
2725 if (ss->lastWriteBlocked) { 3010 if (ss->lastWriteBlocked) {
2726 if (new_flags & PR_POLL_READ) { 3011 if (new_flags & PR_POLL_READ) {
2727 /* The caller is waiting for data to be received, 3012 /* The caller is waiting for data to be received,
2728 ** but the initial handshake is blocked on write, or the 3013 ** but the initial handshake is blocked on write, or the
2729 ** client's first handshake record has not been written. 3014 ** client's first handshake record has not been written.
2730 ** The code should select on write, not read. 3015 ** The code should select on write, not read.
2731 */ 3016 */
2732 new_flags ^= PR_POLL_READ; /* don't select on read. */ 3017 new_flags ^= PR_POLL_READ; /* don't select on read. */
2733 new_flags |= PR_POLL_WRITE; /* do select on write. */ 3018 new_flags |= PR_POLL_WRITE; /* do select on write. */
2734 } 3019 }
2735 } else if (new_flags & PR_POLL_WRITE) { 3020 } else if (new_flags & PR_POLL_WRITE) {
2736 /* The caller is trying to write, but the handshake is 3021 /* The caller is trying to write, but the handshake is
2737 ** blocked waiting for data to read, and the first 3022 ** blocked waiting for data to read, and the first
2738 ** handshake has been sent. So do NOT to poll on write 3023 ** handshake has been sent. So do NOT to poll on write
2739 ** unless we did false start. 3024 ** unless we did false start.
2740 */ 3025 */
2741 if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 && 3026 if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
2742 ss->ssl3.hs.canFalseStart)) { 3027 ss->ssl3.hs.canFalseStart)) {
2743 new_flags ^= PR_POLL_WRITE; /* don't select on write. */ 3028 new_flags ^= PR_POLL_WRITE; /* don't select on write. */
2744 } 3029 }
2745 new_flags |= PR_POLL_READ; /* do select on read. */ 3030 new_flags |= PR_POLL_READ; /* do select on read. */
2746 } 3031 }
2747 } 3032 }
2748 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { 3033 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
2749 *p_out_flags = PR_POLL_READ; /* it's ready already. */ 3034 *p_out_flags = PR_POLL_READ; /* it's ready already. */
2750 return new_flags; 3035 return new_flags;
2751 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && 3036 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
2752 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ 3037 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
2753 new_flags |= PR_POLL_WRITE; /* also select on write. */ 3038 new_flags |= PR_POLL_WRITE; /* also select on write. */
2754 } 3039 }
2755 3040
2756 if (ss->version >= SSL_LIBRARY_VERSION_3_0 && 3041 if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
2757 ss->ssl3.hs.restartTarget != NULL) { 3042 ss->ssl3.hs.restartTarget != NULL) {
2758 /* Read and write will block until the asynchronous callback completes 3043 /* Read and write will block until the asynchronous callback completes
2759 * (e.g. until SSL_AuthCertificateComplete is called), so don't tell 3044 * (e.g. until SSL_AuthCertificateComplete is called), so don't tell
2760 * the caller to poll the socket unless there is pending write data. 3045 * the caller to poll the socket unless there is pending write data.
2761 */ 3046 */
2762 if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { 3047 if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) {
2763 /* Ignore any newly-received data on the socket, but do wait for 3048 /* Ignore any newly-received data on the socket, but do wait for
(...skipping 11 matching lines...) Expand all
2775 * prevent the application from spinning (alternating between 3060 * prevent the application from spinning (alternating between
2776 * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv 3061 * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv
2777 * which won't actually report the I/O error while we are waiting 3062 * which won't actually report the I/O error while we are waiting
2778 * for the asynchronous callback to complete). 3063 * for the asynchronous callback to complete).
2779 */ 3064 */
2780 new_flags = 0; 3065 new_flags = 0;
2781 } 3066 }
2782 } 3067 }
2783 3068
2784 if (new_flags && (fd->lower->methods->poll != NULL)) { 3069 if (new_flags && (fd->lower->methods->poll != NULL)) {
2785 PRInt16 lower_out_flags = 0; 3070 PRInt16 lower_out_flags = 0;
2786 PRInt16 lower_new_flags; 3071 PRInt16 lower_new_flags;
2787 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, 3072 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags,
2788 &lower_out_flags); 3073 &lower_out_flags);
2789 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { 3074 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
2790 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; 3075 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
2791 if (lower_out_flags & PR_POLL_READ) 3076 if (lower_out_flags & PR_POLL_READ)
2792 out_flags |= PR_POLL_WRITE; 3077 out_flags |= PR_POLL_WRITE;
2793 if (lower_out_flags & PR_POLL_WRITE) 3078 if (lower_out_flags & PR_POLL_WRITE)
2794 out_flags |= PR_POLL_READ; 3079 out_flags |= PR_POLL_READ;
2795 *p_out_flags = out_flags; 3080 *p_out_flags = out_flags;
2796 new_flags = how_flags; 3081 new_flags = how_flags;
2797 } else { 3082 } else {
2798 *p_out_flags = lower_out_flags; 3083 *p_out_flags = lower_out_flags;
2799 new_flags = lower_new_flags; 3084 new_flags = lower_new_flags;
2800 } 3085 }
2801 } 3086 }
2802 3087
2803 return new_flags; 3088 return new_flags;
2804 } 3089 }
2805 3090
2806 static PRInt32 PR_CALLBACK 3091 static PRInt32 PR_CALLBACK
2807 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, 3092 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd,
2808 const void *headers, PRInt32 hlen, 3093 const void *headers, PRInt32 hlen,
2809 PRTransmitFileFlags flags, PRIntervalTime timeout) 3094 PRTransmitFileFlags flags, PRIntervalTime timeout)
2810 { 3095 {
2811 PRSendFileData sfd; 3096 PRSendFileData sfd;
2812 3097
2813 sfd.fd = fd; 3098 sfd.fd = fd;
2814 sfd.file_offset = 0; 3099 sfd.file_offset = 0;
2815 sfd.file_nbytes = 0; 3100 sfd.file_nbytes = 0;
2816 sfd.header = headers; 3101 sfd.header = headers;
2817 sfd.hlen = hlen; 3102 sfd.hlen = hlen;
2818 sfd.trailer = NULL; 3103 sfd.trailer = NULL;
2819 sfd.tlen = 0; 3104 sfd.tlen = 0;
2820 3105
2821 return sd->methods->sendfile(sd, &sfd, flags, timeout); 3106 return sd->methods->sendfile(sd, &sfd, flags, timeout);
2822 } 3107 }
2823 3108
2824
2825 PRBool 3109 PRBool
2826 ssl_FdIsBlocking(PRFileDesc *fd) 3110 ssl_FdIsBlocking(PRFileDesc *fd)
2827 { 3111 {
2828 PRSocketOptionData opt; 3112 PRSocketOptionData opt;
2829 PRStatus status; 3113 PRStatus status;
2830 3114
2831 opt.option = PR_SockOpt_Nonblocking; 3115 opt.option = PR_SockOpt_Nonblocking;
2832 opt.value.non_blocking = PR_FALSE; 3116 opt.value.non_blocking = PR_FALSE;
2833 status = PR_GetSocketOption(fd, &opt); 3117 status = PR_GetSocketOption(fd, &opt);
2834 if (status != PR_SUCCESS) 3118 if (status != PR_SUCCESS)
2835 return PR_FALSE; 3119 return PR_FALSE;
2836 return (PRBool)!opt.value.non_blocking; 3120 return (PRBool)!opt.value.non_blocking;
2837 } 3121 }
2838 3122
2839 PRBool 3123 PRBool
2840 ssl_SocketIsBlocking(sslSocket *ss) 3124 ssl_SocketIsBlocking(sslSocket *ss)
2841 { 3125 {
2842 return ssl_FdIsBlocking(ss->fd); 3126 return ssl_FdIsBlocking(ss->fd);
2843 } 3127 }
2844 3128
2845 PRInt32 sslFirstBufSize = 8 * 1024; 3129 PRInt32 sslFirstBufSize = 8 * 1024;
2846 PRInt32 sslCopyLimit = 1024; 3130 PRInt32 sslCopyLimit = 1024;
2847 3131
2848 static PRInt32 PR_CALLBACK 3132 static PRInt32 PR_CALLBACK
2849 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 3133 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
2850 PRIntervalTime timeout) 3134 PRIntervalTime timeout)
2851 { 3135 {
2852 PRInt32 i; 3136 PRInt32 i;
2853 PRInt32 bufLen; 3137 PRInt32 bufLen;
2854 PRInt32 left; 3138 PRInt32 left;
2855 PRInt32 rv; 3139 PRInt32 rv;
2856 PRInt32 sent = 0; 3140 PRInt32 sent = 0;
2857 const PRInt32 first_len = sslFirstBufSize; 3141 const PRInt32 first_len = sslFirstBufSize;
2858 const PRInt32 limit = sslCopyLimit; 3142 const PRInt32 limit = sslCopyLimit;
2859 PRBool blocking; 3143 PRBool blocking;
2860 PRIOVec myIov = { 0, 0 }; 3144 PRIOVec myIov = { 0, 0 };
2861 char buf[MAX_FRAGMENT_LENGTH]; 3145 char buf[MAX_FRAGMENT_LENGTH];
2862 3146
2863 if (vectors < 0) { 3147 if (vectors < 0) {
2864 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 3148 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
2865 return -1; 3149 return -1;
2866 } 3150 }
2867 if (vectors > PR_MAX_IOVECTOR_SIZE) { 3151 if (vectors > PR_MAX_IOVECTOR_SIZE) {
2868 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); 3152 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
2869 return -1; 3153 return -1;
2870 } 3154 }
2871 for (i = 0; i < vectors; i++) { 3155 for (i = 0; i < vectors; i++) {
2872 if (iov[i].iov_len < 0) { 3156 if (iov[i].iov_len < 0) {
2873 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 3157 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
2874 return -1; 3158 return -1;
2875 } 3159 }
2876 } 3160 }
2877 blocking = ssl_FdIsBlocking(fd); 3161 blocking = ssl_FdIsBlocking(fd);
2878 3162
2879 #define K16 sizeof(buf) 3163 #define K16 sizeof(buf)
2880 #define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; } 3164 #define KILL_VECTORS \
2881 #define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0) 3165 while (vectors && !iov->iov_len) { \
2882 #define HANDLE_ERR(rv, len) \ 3166 ++iov; \
2883 if (rv != len) { \ 3167 --vectors; \
2884 if (rv < 0) { \ 3168 }
2885 if (!blocking \ 3169 #define GET_VECTOR \
2886 && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \ 3170 do { \
2887 && (sent > 0)) { \ 3171 myIov = *iov++; \
2888 return sent; \ 3172 --vectors; \
2889 } else { \ 3173 KILL_VECTORS \
2890 return -1; \ 3174 } while (0)
2891 } \ 3175 #define HANDLE_ERR(rv, len) \
2892 } \ 3176 if (rv != len) { \
3177 if (rv < 0) { \
3178 if (!blocking && \
3179 (PR_GetError() == PR_WOULD_BLOCK_ERROR) && \
3180 (sent > 0)) { \
3181 return sent; \
3182 } else { \
3183 return -1; \
3184 } \
3185 } \
2893 /* Only a nonblocking socket can have partial sends */ \ 3186 /* Only a nonblocking socket can have partial sends */ \
2894 PR_ASSERT(!blocking); \ 3187 PR_ASSERT(!blocking); \
2895 return sent + rv; \ 3188 return sent + rv; \
2896 } 3189 }
2897 #define SEND(bfr, len) \ 3190 #define SEND(bfr, len) \
2898 do { \ 3191 do { \
2899 rv = ssl_Send(fd, bfr, len, 0, timeout); \ 3192 rv = ssl_Send(fd, bfr, len, 0, timeout); \
2900 HANDLE_ERR(rv, len) \ 3193 HANDLE_ERR(rv, len) \
2901 sent += len; \ 3194 sent += len; \
2902 } while (0) 3195 } while (0)
2903 3196
2904 /* Make sure the first write is at least 8 KB, if possible. */ 3197 /* Make sure the first write is at least 8 KB, if possible. */
2905 KILL_VECTORS 3198 KILL_VECTORS
2906 if (!vectors) 3199 if (!vectors)
2907 return ssl_Send(fd, 0, 0, 0, timeout); 3200 return ssl_Send(fd, 0, 0, 0, timeout);
2908 GET_VECTOR; 3201 GET_VECTOR;
2909 if (!vectors) { 3202 if (!vectors) {
2910 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); 3203 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
2911 } 3204 }
2912 if (myIov.iov_len < first_len) { 3205 if (myIov.iov_len < first_len) {
2913 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); 3206 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
2914 bufLen = myIov.iov_len; 3207 bufLen = myIov.iov_len;
2915 left = first_len - bufLen; 3208 left = first_len - bufLen;
2916 while (vectors && left) { 3209 while (vectors && left) {
2917 int toCopy; 3210 int toCopy;
2918 GET_VECTOR; 3211 GET_VECTOR;
2919 toCopy = PR_MIN(left, myIov.iov_len); 3212 toCopy = PR_MIN(left, myIov.iov_len);
2920 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); 3213 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
2921 bufLen += toCopy; 3214 bufLen += toCopy;
2922 left -= toCopy; 3215 left -= toCopy;
2923 myIov.iov_base += toCopy; 3216 myIov.iov_base += toCopy;
2924 myIov.iov_len -= toCopy; 3217 myIov.iov_len -= toCopy;
2925 } 3218 }
2926 SEND( buf, bufLen ); 3219 SEND(buf, bufLen);
2927 } 3220 }
2928 3221
2929 while (vectors || myIov.iov_len) { 3222 while (vectors || myIov.iov_len) {
2930 PRInt32 addLen; 3223 PRInt32 addLen;
2931 if (!myIov.iov_len) { 3224 if (!myIov.iov_len) {
2932 GET_VECTOR; 3225 GET_VECTOR;
2933 } 3226 }
2934 while (myIov.iov_len >= K16) { 3227 while (myIov.iov_len >= K16) {
2935 SEND(myIov.iov_base, K16); 3228 SEND(myIov.iov_base, K16);
2936 myIov.iov_base += K16; 3229 myIov.iov_base += K16;
2937 myIov.iov_len -= K16; 3230 myIov.iov_len -= K16;
2938 } 3231 }
2939 if (!myIov.iov_len) 3232 if (!myIov.iov_len)
2940 continue; 3233 continue;
2941 3234
2942 if (!vectors || myIov.iov_len > limit) { 3235 if (!vectors || myIov.iov_len > limit) {
2943 addLen = 0; 3236 addLen = 0;
2944 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { 3237 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
2945 /* Addlen is already computed. */; 3238 /* Addlen is already computed. */;
2946 } else if (vectors > 1 && 3239 } else if (vectors > 1 &&
2947 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { 3240 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
2948 addLen = limit - myIov.iov_len; 3241 addLen = limit - myIov.iov_len;
2949 } else 3242 } else
2950 addLen = 0; 3243 addLen = 0;
2951 3244
2952 if (!addLen) { 3245 if (!addLen) {
2953 SEND( myIov.iov_base, myIov.iov_len ); 3246 SEND(myIov.iov_base, myIov.iov_len);
2954 myIov.iov_len = 0; 3247 myIov.iov_len = 0;
2955 continue; 3248 continue;
2956 } 3249 }
2957 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); 3250 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
2958 bufLen = myIov.iov_len; 3251 bufLen = myIov.iov_len;
2959 do { 3252 do {
2960 GET_VECTOR; 3253 GET_VECTOR;
2961 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); 3254 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
2962 myIov.iov_base += addLen; 3255 myIov.iov_base += addLen;
2963 myIov.iov_len -= addLen; 3256 myIov.iov_len -= addLen;
2964 bufLen += addLen; 3257 bufLen += addLen;
2965 3258
2966 left = PR_MIN( limit, K16 - bufLen); 3259 left = PR_MIN(limit, K16 - bufLen);
2967 if (!vectors /* no more left */ 3260 if (!vectors /* no more left */
2968 || myIov.iov_len > 0 /* we didn't use that one all up */ 3261 || myIov.iov_len > 0 /* we didn't use that one all up */
2969 || bufLen >= K16 /* it's full. */ 3262 || bufLen >= K16 /* it's full. */) {
2970 ) {
2971 addLen = 0; 3263 addLen = 0;
2972 } else if ((addLen = iov->iov_len % K16) <= left) { 3264 } else if ((addLen = iov->iov_len % K16) <= left) {
2973 /* Addlen is already computed. */; 3265 /* Addlen is already computed. */;
2974 } else if (vectors > 1 && 3266 } else if (vectors > 1 &&
2975 iov[1].iov_len % K16 + addLen <= left + limit) { 3267 iov[1].iov_len % K16 + addLen <= left + limit) {
2976 addLen = left; 3268 addLen = left;
2977 } else 3269 } else
2978 addLen = 0; 3270 addLen = 0;
2979 3271
2980 } while (addLen); 3272 } while (addLen);
2981 SEND( buf, bufLen ); 3273 SEND(buf, bufLen);
2982 } 3274 }
2983 return sent; 3275 return sent;
2984 } 3276 }
2985 3277
2986 /* 3278 /*
2987 * These functions aren't implemented. 3279 * These functions aren't implemented.
2988 */ 3280 */
2989 3281
2990 static PRInt32 PR_CALLBACK 3282 static PRInt32 PR_CALLBACK
2991 ssl_Available(PRFileDesc *fd) 3283 ssl_Available(PRFileDesc *fd)
(...skipping 16 matching lines...) Expand all
3008 3300
3009 static PRStatus PR_CALLBACK 3301 static PRStatus PR_CALLBACK
3010 ssl_FSync(PRFileDesc *fd) 3302 ssl_FSync(PRFileDesc *fd)
3011 { 3303 {
3012 PORT_Assert(0); 3304 PORT_Assert(0);
3013 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3305 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
3014 return PR_FAILURE; 3306 return PR_FAILURE;
3015 } 3307 }
3016 3308
3017 static PRInt32 PR_CALLBACK 3309 static PRInt32 PR_CALLBACK
3018 ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) { 3310 ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how)
3311 {
3019 PORT_Assert(0); 3312 PORT_Assert(0);
3020 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3313 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
3021 return SECFailure; 3314 return SECFailure;
3022 } 3315 }
3023 3316
3024 static PRInt64 PR_CALLBACK 3317 static PRInt64 PR_CALLBACK
3025 ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) { 3318 ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how)
3319 {
3026 PRInt64 res; 3320 PRInt64 res;
3027 3321
3028 PORT_Assert(0); 3322 PORT_Assert(0);
3029 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3323 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
3030 LL_I2L(res, -1L); 3324 LL_I2L(res, -1L);
3031 return res; 3325 return res;
3032 } 3326 }
3033 3327
3034 static PRStatus PR_CALLBACK 3328 static PRStatus PR_CALLBACK
3035 ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info) 3329 ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info)
(...skipping 24 matching lines...) Expand all
3060 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, 3354 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
3061 const PRNetAddr *addr, PRIntervalTime timeout) 3355 const PRNetAddr *addr, PRIntervalTime timeout)
3062 { 3356 {
3063 PORT_Assert(0); 3357 PORT_Assert(0);
3064 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3358 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
3065 return SECFailure; 3359 return SECFailure;
3066 } 3360 }
3067 3361
3068 static const PRIOMethods ssl_methods = { 3362 static const PRIOMethods ssl_methods = {
3069 PR_DESC_LAYERED, 3363 PR_DESC_LAYERED,
3070 ssl_Close, /* close */ 3364 ssl_Close, /* close */
3071 ssl_Read, /* read */ 3365 ssl_Read, /* read */
3072 ssl_Write, /* write */ 3366 ssl_Write, /* write */
3073 ssl_Available, /* available */ 3367 ssl_Available, /* available */
3074 ssl_Available64, /* available64 */ 3368 ssl_Available64, /* available64 */
3075 ssl_FSync, /* fsync */ 3369 ssl_FSync, /* fsync */
3076 ssl_Seek, /* seek */ 3370 ssl_Seek, /* seek */
3077 ssl_Seek64, /* seek64 */ 3371 ssl_Seek64, /* seek64 */
3078 ssl_FileInfo, /* fileInfo */ 3372 ssl_FileInfo, /* fileInfo */
3079 ssl_FileInfo64, /* fileInfo64 */ 3373 ssl_FileInfo64, /* fileInfo64 */
3080 ssl_WriteV, /* writev */ 3374 ssl_WriteV, /* writev */
3081 ssl_Connect, /* connect */ 3375 ssl_Connect, /* connect */
3082 ssl_Accept, /* accept */ 3376 ssl_Accept, /* accept */
3083 ssl_Bind, /* bind */ 3377 ssl_Bind, /* bind */
3084 ssl_Listen, /* listen */ 3378 ssl_Listen, /* listen */
3085 ssl_Shutdown, /* shutdown */ 3379 ssl_Shutdown, /* shutdown */
3086 ssl_Recv, /* recv */ 3380 ssl_Recv, /* recv */
3087 ssl_Send, /* send */ 3381 ssl_Send, /* send */
3088 ssl_RecvFrom, /* recvfrom */ 3382 ssl_RecvFrom, /* recvfrom */
3089 ssl_SendTo, /* sendto */ 3383 ssl_SendTo, /* sendto */
3090 ssl_Poll, /* poll */ 3384 ssl_Poll, /* poll */
3091 PR_EmulateAcceptRead, /* acceptread */ 3385 PR_EmulateAcceptRead, /* acceptread */
3092 ssl_TransmitFile, /* transmitfile */ 3386 ssl_TransmitFile, /* transmitfile */
3093 ssl_GetSockName, /* getsockname */ 3387 ssl_GetSockName, /* getsockname */
3094 ssl_GetPeerName, /* getpeername */ 3388 ssl_GetPeerName, /* getpeername */
3095 NULL, /* getsockopt OBSOLETE */ 3389 NULL, /* getsockopt OBSOLETE */
3096 NULL, /* setsockopt OBSOLETE */ 3390 NULL, /* setsockopt OBSOLETE */
3097 NULL, /* getsocketoption */ 3391 NULL, /* getsocketoption */
3098 NULL, /* setsocketoption */ 3392 NULL, /* setsocketoption */
3099 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ 3393 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/
3100 NULL, /* reserved for future use */ 3394 NULL, /* reserved for future use */
3101 NULL, /* reserved for future use */ 3395 NULL, /* reserved for future use */
3102 NULL, /* reserved for future use */ 3396 NULL, /* reserved for future use */
3103 NULL, /* reserved for future use */ 3397 NULL, /* reserved for future use */
3104 NULL /* reserved for future use */ 3398 NULL /* reserved for future use */
3105 }; 3399 };
3106 3400
3107
3108 static PRIOMethods combined_methods; 3401 static PRIOMethods combined_methods;
3109 3402
3110 static void 3403 static void
3111 ssl_SetupIOMethods(void) 3404 ssl_SetupIOMethods(void)
3112 { 3405 {
3113 PRIOMethods *new_methods = &combined_methods; 3406 PRIOMethods *new_methods = &combined_methods;
3114 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); 3407 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods();
3115 const PRIOMethods *my_methods = &ssl_methods; 3408 const PRIOMethods *my_methods = &ssl_methods;
3116 3409
3117 *new_methods = *nspr_methods; 3410 *new_methods = *nspr_methods;
3118 3411
3119 new_methods->file_type = my_methods->file_type; 3412 new_methods->file_type = my_methods->file_type;
3120 new_methods->close = my_methods->close; 3413 new_methods->close = my_methods->close;
3121 new_methods->read = my_methods->read; 3414 new_methods->read = my_methods->read;
3122 new_methods->write = my_methods->write; 3415 new_methods->write = my_methods->write;
3123 new_methods->available = my_methods->available; 3416 new_methods->available = my_methods->available;
3124 new_methods->available64 = my_methods->available64; 3417 new_methods->available64 = my_methods->available64;
3125 new_methods->fsync = my_methods->fsync; 3418 new_methods->fsync = my_methods->fsync;
3126 new_methods->seek = my_methods->seek; 3419 new_methods->seek = my_methods->seek;
3127 new_methods->seek64 = my_methods->seek64; 3420 new_methods->seek64 = my_methods->seek64;
3128 new_methods->fileInfo = my_methods->fileInfo; 3421 new_methods->fileInfo = my_methods->fileInfo;
3129 new_methods->fileInfo64 = my_methods->fileInfo64; 3422 new_methods->fileInfo64 = my_methods->fileInfo64;
3130 new_methods->writev = my_methods->writev; 3423 new_methods->writev = my_methods->writev;
3131 new_methods->connect = my_methods->connect; 3424 new_methods->connect = my_methods->connect;
3132 new_methods->accept = my_methods->accept; 3425 new_methods->accept = my_methods->accept;
3133 new_methods->bind = my_methods->bind; 3426 new_methods->bind = my_methods->bind;
3134 new_methods->listen = my_methods->listen; 3427 new_methods->listen = my_methods->listen;
3135 new_methods->shutdown = my_methods->shutdown; 3428 new_methods->shutdown = my_methods->shutdown;
3136 new_methods->recv = my_methods->recv; 3429 new_methods->recv = my_methods->recv;
3137 new_methods->send = my_methods->send; 3430 new_methods->send = my_methods->send;
3138 new_methods->recvfrom = my_methods->recvfrom; 3431 new_methods->recvfrom = my_methods->recvfrom;
3139 new_methods->sendto = my_methods->sendto; 3432 new_methods->sendto = my_methods->sendto;
3140 new_methods->poll = my_methods->poll; 3433 new_methods->poll = my_methods->poll;
3141 new_methods->acceptread = my_methods->acceptread; 3434 new_methods->acceptread = my_methods->acceptread;
3142 new_methods->transmitfile = my_methods->transmitfile; 3435 new_methods->transmitfile = my_methods->transmitfile;
3143 new_methods->getsockname = my_methods->getsockname; 3436 new_methods->getsockname = my_methods->getsockname;
3144 new_methods->getpeername = my_methods->getpeername; 3437 new_methods->getpeername = my_methods->getpeername;
3145 /* new_methods->getsocketoption = my_methods->getsocketoption; */ 3438 /* new_methods->getsocketoption = my_methods->getsocketoption; */
3146 /* new_methods->setsocketoption = my_methods->setsocketoption; */ 3439 /* new_methods->setsocketoption = my_methods->setsocketoption; */
3147 new_methods->sendfile = my_methods->sendfile; 3440 new_methods->sendfile = my_methods->sendfile;
3148
3149 } 3441 }
3150 3442
3151 static PRCallOnceType initIoLayerOnce; 3443 static PRCallOnceType initIoLayerOnce;
3152 3444
3153 static PRStatus 3445 static PRStatus
3154 ssl_InitIOLayer(void) 3446 ssl_InitIOLayer(void)
3155 { 3447 {
3156 ssl_layer_id = PR_GetUniqueIdentity("SSL"); 3448 ssl_layer_id = PR_GetUniqueIdentity("SSL");
3157 ssl_SetupIOMethods(); 3449 ssl_SetupIOMethods();
3158 ssl_inited = PR_TRUE; 3450 ssl_inited = PR_TRUE;
3159 return PR_SUCCESS; 3451 return PR_SUCCESS;
3160 } 3452 }
3161 3453
3162 static PRStatus 3454 static PRStatus
3163 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) 3455 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
3164 { 3456 {
3165 PRFileDesc *layer = NULL; 3457 PRFileDesc *layer = NULL;
3166 PRStatus status; 3458 PRStatus status;
3167 3459
3168 if (!ssl_inited) { 3460 if (!ssl_inited) {
3169 status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); 3461 status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
3170 if (status != PR_SUCCESS) 3462 if (status != PR_SUCCESS)
3171 goto loser; 3463 goto loser;
3172 } 3464 }
3173 3465
3174 if (ns == NULL) 3466 if (ns == NULL)
3175 goto loser; 3467 goto loser;
3176 3468
(...skipping 27 matching lines...) Expand all
3204 return PR_FAILURE; 3496 return PR_FAILURE;
3205 } 3497 }
3206 3498
3207 /* if this fails, caller must destroy socket. */ 3499 /* if this fails, caller must destroy socket. */
3208 static SECStatus 3500 static SECStatus
3209 ssl_MakeLocks(sslSocket *ss) 3501 ssl_MakeLocks(sslSocket *ss)
3210 { 3502 {
3211 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); 3503 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
3212 if (!ss->firstHandshakeLock) 3504 if (!ss->firstHandshakeLock)
3213 goto loser; 3505 goto loser;
3214 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); 3506 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL);
3215 if (!ss->ssl3HandshakeLock) 3507 if (!ss->ssl3HandshakeLock)
3216 goto loser; 3508 goto loser;
3217 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); 3509 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
3218 if (!ss->specLock) 3510 if (!ss->specLock)
3219 goto loser; 3511 goto loser;
3220 ss->recvBufLock = PZ_NewMonitor(nssILockSSL); 3512 ss->recvBufLock = PZ_NewMonitor(nssILockSSL);
3221 if (!ss->recvBufLock) 3513 if (!ss->recvBufLock)
3222 goto loser; 3514 goto loser;
3223 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); 3515 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL);
3224 if (!ss->xmitBufLock) 3516 if (!ss->xmitBufLock)
3225 goto loser; 3517 goto loser;
3226 ss->writerThread = NULL; 3518 ss->writerThread = NULL;
3227 if (ssl_lock_readers) { 3519 if (ssl_lock_readers) {
3228 ss->recvLock = PZ_NewLock(nssILockSSL); 3520 ss->recvLock = PZ_NewLock(nssILockSSL);
3229 if (!ss->recvLock) 3521 if (!ss->recvLock)
3230 goto loser; 3522 goto loser;
3231 ss->sendLock = PZ_NewLock(nssILockSSL); 3523 ss->sendLock = PZ_NewLock(nssILockSSL);
3232 if (!ss->sendLock) 3524 if (!ss->sendLock)
3233 goto loser; 3525 goto loser;
3234 } 3526 }
3235 return SECSuccess; 3527 return SECSuccess;
3236 loser: 3528 loser:
3237 ssl_DestroyLocks(ss); 3529 ssl_DestroyLocks(ss);
3238 return SECFailure; 3530 return SECFailure;
3239 } 3531 }
3240 3532
3241 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) 3533 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)
3242 #define NSS_HAVE_GETENV 1 3534 #define NSS_HAVE_GETENV 1
3243 #endif 3535 #endif
3244 3536
3245 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ 3537 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */
3246 3538
3247 static void 3539 static void
3248 ssl_SetDefaultsFromEnvironment(void) 3540 ssl_SetDefaultsFromEnvironment(void)
3249 { 3541 {
3250 #if defined( NSS_HAVE_GETENV ) 3542 #if defined(NSS_HAVE_GETENV)
3251 static int firsttime = 1; 3543 static int firsttime = 1;
3252 3544
3253 if (firsttime) { 3545 if (firsttime) {
3254 char * ev; 3546 char *ev;
3255 firsttime = 0; 3547 firsttime = 0;
3256 #ifdef DEBUG 3548 #ifdef DEBUG
3257 ev = getenv("SSLDEBUGFILE"); 3549 ev = PR_GetEnvSecure("SSLDEBUGFILE");
3258 if (ev && ev[0]) { 3550 if (ev && ev[0]) {
3259 ssl_trace_iob = fopen(ev, "w"); 3551 ssl_trace_iob = fopen(ev, "w");
3260 } 3552 }
3261 if (!ssl_trace_iob) { 3553 if (!ssl_trace_iob) {
3262 ssl_trace_iob = stderr; 3554 ssl_trace_iob = stderr;
3263 } 3555 }
3264 #ifdef TRACE 3556 #ifdef TRACE
3265 ev = getenv("SSLTRACE"); 3557 ev = PR_GetEnvSecure("SSLTRACE");
3266 if (ev && ev[0]) { 3558 if (ev && ev[0]) {
3267 ssl_trace = atoi(ev); 3559 ssl_trace = atoi(ev);
3268 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); 3560 SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
3269 } 3561 }
3270 #endif /* TRACE */ 3562 #endif /* TRACE */
3271 ev = getenv("SSLDEBUG"); 3563 ev = PR_GetEnvSecure("SSLDEBUG");
3272 if (ev && ev[0]) { 3564 if (ev && ev[0]) {
3273 ssl_debug = atoi(ev); 3565 ssl_debug = atoi(ev);
3274 SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); 3566 SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
3275 } 3567 }
3276 #endif /* DEBUG */ 3568 #endif /* DEBUG */
3277 ev = getenv("SSLKEYLOGFILE"); 3569 ev = PR_GetEnvSecure("SSLKEYLOGFILE");
3278 if (ev && ev[0]) { 3570 if (ev && ev[0]) {
3279 ssl_keylog_iob = fopen(ev, "a"); 3571 ssl_keylog_iob = fopen(ev, "a");
3280 if (!ssl_keylog_iob) { 3572 if (!ssl_keylog_iob) {
3281 SSL_TRACE(("SSL: failed to open key log file")); 3573 SSL_TRACE(("SSL: failed to open key log file"));
3282 } else { 3574 } else {
3283 if (ftell(ssl_keylog_iob) == 0) { 3575 if (ftell(ssl_keylog_iob) == 0) {
3284 fputs("# SSL/TLS secrets log file, generated by NSS\n", 3576 fputs("# SSL/TLS secrets log file, generated by NSS\n",
3285 ssl_keylog_iob); 3577 ssl_keylog_iob);
3286 } 3578 }
3287 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); 3579 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
3288 } 3580 }
3289 } 3581 }
3290 #ifndef NO_PKCS11_BYPASS 3582 #ifndef NO_PKCS11_BYPASS
3291 ev = getenv("SSLBYPASS"); 3583 ev = PR_GetEnvSecure("SSLBYPASS");
3292 if (ev && ev[0]) { 3584 if (ev && ev[0]) {
3293 ssl_defaults.bypassPKCS11 = (ev[0] == '1'); 3585 ssl_defaults.bypassPKCS11 = (ev[0] == '1');
3294 SSL_TRACE(("SSL: bypass default set to %d", \ 3586 SSL_TRACE(("SSL: bypass default set to %d",
3295 ssl_defaults.bypassPKCS11)); 3587 ssl_defaults.bypassPKCS11));
3296 } 3588 }
3297 #endif /* NO_PKCS11_BYPASS */ 3589 #endif /* NO_PKCS11_BYPASS */
3298 ev = getenv("SSLFORCELOCKS"); 3590 ev = PR_GetEnvSecure("SSLFORCELOCKS");
3299 if (ev && ev[0] == '1') { 3591 if (ev && ev[0] == '1') {
3300 ssl_force_locks = PR_TRUE; 3592 ssl_force_locks = PR_TRUE;
3301 ssl_defaults.noLocks = 0; 3593 ssl_defaults.noLocks = 0;
3302 strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); 3594 strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. ");
3303 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); 3595 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
3304 } 3596 }
3305 ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION"); 3597 ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION");
3306 if (ev) { 3598 if (ev) {
3307 if (ev[0] == '1' || LOWER(ev[0]) == 'u') 3599 if (ev[0] == '1' || LOWER(ev[0]) == 'u')
3308 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; 3600 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
3309 else if (ev[0] == '0' || LOWER(ev[0]) == 'n') 3601 else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
3310 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; 3602 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
3311 else if (ev[0] == '2' || LOWER(ev[0]) == 'r') 3603 else if (ev[0] == '2' || LOWER(ev[0]) == 'r')
3312 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; 3604 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
3313 else if (ev[0] == '3' || LOWER(ev[0]) == 't') 3605 else if (ev[0] == '3' || LOWER(ev[0]) == 't')
3314 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; 3606 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL;
3315 SSL_TRACE(("SSL: enableRenegotiation set to %d", 3607 SSL_TRACE(("SSL: enableRenegotiation set to %d",
3316 ssl_defaults.enableRenegotiation)); 3608 ssl_defaults.enableRenegotiation));
3317 } 3609 }
3318 ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); 3610 ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
3319 if (ev && ev[0] == '1') { 3611 if (ev && ev[0] == '1') {
3320 ssl_defaults.requireSafeNegotiation = PR_TRUE; 3612 ssl_defaults.requireSafeNegotiation = PR_TRUE;
3321 SSL_TRACE(("SSL: requireSafeNegotiation set to %d", 3613 SSL_TRACE(("SSL: requireSafeNegotiation set to %d",
3322 PR_TRUE)); 3614 PR_TRUE));
3323 } 3615 }
3324 ev = getenv("NSS_SSL_CBC_RANDOM_IV"); 3616 ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV");
3325 if (ev && ev[0] == '0') { 3617 if (ev && ev[0] == '0') {
3326 ssl_defaults.cbcRandomIV = PR_FALSE; 3618 ssl_defaults.cbcRandomIV = PR_FALSE;
3327 SSL_TRACE(("SSL: cbcRandomIV set to 0")); 3619 SSL_TRACE(("SSL: cbcRandomIV set to 0"));
3328 } 3620 }
3329 } 3621 }
3330 #endif /* NSS_HAVE_GETENV */ 3622 #endif /* NSS_HAVE_GETENV */
3331 } 3623 }
3332 3624
3333 /* 3625 /*
3334 ** Create a newsocket structure for a file descriptor. 3626 ** Create a newsocket structure for a file descriptor.
3335 */ 3627 */
3336 static sslSocket * 3628 static sslSocket *
3337 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) 3629 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
3338 { 3630 {
3339 sslSocket *ss; 3631 sslSocket *ss;
3340 3632
3341 ssl_SetDefaultsFromEnvironment(); 3633 ssl_SetDefaultsFromEnvironment();
3342 3634
3343 if (ssl_force_locks) 3635 if (ssl_force_locks)
3344 makeLocks = PR_TRUE; 3636 makeLocks = PR_TRUE;
3345 3637
3346 /* Make a new socket and get it ready */ 3638 /* Make a new socket and get it ready */
3347 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); 3639 ss = (sslSocket *)PORT_ZAlloc(sizeof(sslSocket));
3348 if (ss) { 3640 if (ss) {
3349 /* This should be of type SSLKEAType, but CC on IRIX 3641 /* This should be of type SSLKEAType, but CC on IRIX
3350 * complains during the for loop. 3642 * complains during the for loop.
3351 */ 3643 */
3352 int i; 3644 int i;
3353 SECStatus status; 3645 SECStatus status;
3354 3646
3355 ss->opt = ssl_defaults; 3647 ss->opt = ssl_defaults;
3356 ss->opt.useSocks = PR_FALSE; 3648 ss->opt.useSocks = PR_FALSE;
3357 ss->opt.noLocks = !makeLocks; 3649 ss->opt.noLocks = !makeLocks;
3358 ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); 3650 ss->vrange = *VERSIONS_DEFAULTS(protocolVariant);
3359 ss->protocolVariant = protocolVariant; 3651 ss->protocolVariant = protocolVariant;
3360 3652
3361 ss->peerID = NULL; 3653 ss->peerID = NULL;
3362 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; 3654 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
3363 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; 3655 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
3364 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; 3656 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT;
3365 ss->cipherSpecs = NULL; 3657 ss->cipherSpecs = NULL;
3366 ss->sizeCipherSpecs = 0; /* produced lazily */ 3658 ss->sizeCipherSpecs = 0; /* produced lazily */
3367 ss->preferredCipher = NULL; 3659 ss->preferredCipher = NULL;
3368 ss->url = NULL; 3660 ss->url = NULL;
3369 3661
3370 for (i=kt_null; i < kt_kea_size; i++) { 3662 for (i = kt_null; i < kt_kea_size; i++) {
3371 sslServerCerts * sc = ss->serverCerts + i; 3663 sslServerCerts *sc = ss->serverCerts + i;
3372 sc->serverCert = NULL; 3664 sc->serverCert = NULL;
3373 sc->serverCertChain = NULL; 3665 sc->serverCertChain = NULL;
3374 sc->serverKeyPair = NULL; 3666 sc->serverKeyPair = NULL;
3375 sc->serverKeyBits = 0; 3667 sc->serverKeyBits = 0;
3376 ss->certStatusArray[i] = NULL; 3668 ss->certStatusArray[i] = NULL;
3377 } 3669 }
3378 ss->requestedCertTypes = NULL; 3670 ss->requestedCertTypes = NULL;
3379 ss->stepDownKeyPair = NULL; 3671 ss->stepDownKeyPair = NULL;
3380 3672
3381 ss->dheParams = NULL; 3673 ss->dheParams = NULL;
3382 ss->dheKeyPair = NULL; 3674 ss->dheKeyPair = NULL;
3383 3675
3384 ss->dbHandle = CERT_GetDefaultCertDB(); 3676 ss->dbHandle = CERT_GetDefaultCertDB();
3385 3677
3386 /* Provide default implementation of hooks */ 3678 /* Provide default implementation of hooks */
3387 ss->authCertificate = SSL_AuthCertificate; 3679 ss->authCertificate = SSL_AuthCertificate;
3388 ss->authCertificateArg = (void *)ss->dbHandle; 3680 ss->authCertificateArg = (void *)ss->dbHandle;
3389 ss->sniSocketConfig = NULL; 3681 ss->sniSocketConfig = NULL;
3390 ss->sniSocketConfigArg = NULL; 3682 ss->sniSocketConfigArg = NULL;
3391 ss->getClientAuthData = NULL; 3683 ss->getClientAuthData = NULL;
3392 #ifdef NSS_PLATFORM_CLIENT_AUTH 3684 ss->handleBadCert = NULL;
3393 ss->getPlatformClientAuthData = NULL; 3685 ss->badCertArg = NULL;
3394 ss->getPlatformClientAuthDataArg = NULL; 3686 ss->pkcs11PinArg = NULL;
3395 #endif /* NSS_PLATFORM_CLIENT_AUTH */
3396 ss->handleBadCert = NULL;
3397 ss->badCertArg = NULL;
3398 ss->pkcs11PinArg = NULL;
3399 ss->ephemeralECDHKeyPair = NULL; 3687 ss->ephemeralECDHKeyPair = NULL;
3400 ss->getChannelID = NULL; 3688 ss->getChannelID = NULL;
3401 ss->getChannelIDArg = NULL; 3689 ss->getChannelIDArg = NULL;
3402 3690
3403 ssl_ChooseOps(ss); 3691 ssl_ChooseOps(ss);
3404 ssl2_InitSocketPolicy(ss); 3692 ssl2_InitSocketPolicy(ss);
3405 ssl3_InitSocketPolicy(ss); 3693 ssl3_InitSocketPolicy(ss);
3406 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); 3694 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
3695 PR_INIT_CLIST(&ss->ssl3.hs.remoteKeyShares);
3407 3696
3408 if (makeLocks) { 3697 if (makeLocks) {
3409 status = ssl_MakeLocks(ss); 3698 status = ssl_MakeLocks(ss);
3410 if (status != SECSuccess) 3699 if (status != SECSuccess)
3411 goto loser; 3700 goto loser;
3412 } 3701 }
3413 status = ssl_CreateSecurityInfo(ss); 3702 status = ssl_CreateSecurityInfo(ss);
3414 if (status != SECSuccess) 3703 if (status != SECSuccess)
3415 goto loser; 3704 goto loser;
3416 status = ssl_InitGather(&ss->gs); 3705 status = ssl_InitGather(&ss->gs);
3417 if (status != SECSuccess) { 3706 if (status != SECSuccess) {
3418 loser: 3707 loser:
3419 ssl_DestroySocketContents(ss); 3708 ssl_DestroySocketContents(ss);
3420 ssl_DestroyLocks(ss); 3709 ssl_DestroyLocks(ss);
3421 PORT_Free(ss); 3710 PORT_Free(ss);
3422 ss = NULL; 3711 ss = NULL;
3423 } 3712 }
3424 } 3713 }
3425 return ss; 3714 return ss;
3426 } 3715 }
OLDNEW
« net/third_party/nss/ssl/ssl3con.c ('K') | « net/third_party/nss/ssl/sslsnce.c ('k') | net/third_party/nss/ssl/sslt.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698