OLD | NEW |
1 /* | 1 /* |
2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
4 * Various other functions. | 4 * Various other functions. |
5 * | 5 * |
6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
9 #include "seccomon.h" | 9 #include "seccomon.h" |
10 #include "cert.h" | 10 #include "cert.h" |
11 #include "keyhi.h" | 11 #include "keyhi.h" |
12 #include "ssl.h" | 12 #include "ssl.h" |
13 #include "sslimpl.h" | 13 #include "sslimpl.h" |
14 #include "sslproto.h" | 14 #include "sslproto.h" |
15 #include "nspr.h" | 15 #include "nspr.h" |
16 #include "private/pprio.h" | 16 #include "private/pprio.h" |
17 #ifndef NO_PKCS11_BYPASS | 17 #ifndef NO_PKCS11_BYPASS |
18 #include "blapi.h" | 18 #include "blapi.h" |
19 #endif | 19 #endif |
20 #include "pk11pub.h" | |
21 #include "nss.h" | 20 #include "nss.h" |
22 #include "pk11pqg.h" | 21 #include "pk11pqg.h" |
23 | 22 |
24 /* This is a bodge to allow this code to be compiled against older NSS headers | 23 #define SET_ERROR_CODE /* reminder */ |
25 * that don't contain the TLS 1.2 changes. */ | |
26 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | |
27 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
28 #endif | |
29 | 24 |
30 #define SET_ERROR_CODE /* reminder */ | 25 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
31 | 26 ssl_DefConnect, |
32 static const sslSocketOps ssl_default_ops = { /* No SSL. */ | 27 NULL, |
33 ssl_DefConnect, | 28 ssl_DefBind, |
34 NULL, | 29 ssl_DefListen, |
35 ssl_DefBind, | 30 ssl_DefShutdown, |
36 ssl_DefListen, | 31 ssl_DefClose, |
37 ssl_DefShutdown, | 32 ssl_DefRecv, |
38 ssl_DefClose, | 33 ssl_DefSend, |
39 ssl_DefRecv, | 34 ssl_DefRead, |
40 ssl_DefSend, | 35 ssl_DefWrite, |
41 ssl_DefRead, | 36 ssl_DefGetpeername, |
42 ssl_DefWrite, | 37 ssl_DefGetsockname |
43 ssl_DefGetpeername, | |
44 ssl_DefGetsockname | |
45 }; | 38 }; |
46 | 39 |
47 static const sslSocketOps ssl_secure_ops = { /* SSL. */ | 40 static const sslSocketOps ssl_secure_ops = { /* SSL. */ |
48 ssl_SecureConnect, | 41 ssl_SecureConnect, |
49 NULL, | 42 NULL, |
50 ssl_DefBind, | 43 ssl_DefBind, |
51 ssl_DefListen, | 44 ssl_DefListen, |
52 ssl_SecureShutdown, | 45 ssl_SecureShutdown, |
53 ssl_SecureClose, | 46 ssl_SecureClose, |
54 ssl_SecureRecv, | 47 ssl_SecureRecv, |
55 ssl_SecureSend, | 48 ssl_SecureSend, |
56 ssl_SecureRead, | 49 ssl_SecureRead, |
57 ssl_SecureWrite, | 50 ssl_SecureWrite, |
58 ssl_DefGetpeername, | 51 ssl_DefGetpeername, |
59 ssl_DefGetsockname | 52 ssl_DefGetsockname |
60 }; | 53 }; |
61 | 54 |
62 /* | 55 /* |
63 ** default settings for socket enables | 56 ** default settings for socket enables |
64 */ | 57 */ |
65 static sslOptions ssl_defaults = { | 58 static sslOptions ssl_defaults = { |
66 { siBuffer, NULL, 0 }, /* nextProtoNego */ | 59 { siBuffer, NULL, 0 }, /* nextProtoNego */ |
67 PR_TRUE, /* useSecurity */ | 60 PR_TRUE, /* useSecurity */ |
68 PR_FALSE, /* useSocks */ | 61 PR_FALSE, /* useSocks */ |
69 PR_FALSE, /* requestCertificate */ | 62 PR_FALSE, /* requestCertificate */ |
70 2, /* requireCertificate */ | 63 2, /* requireCertificate */ |
71 PR_FALSE, /* handshakeAsClient */ | 64 PR_FALSE, /* handshakeAsClient */ |
72 PR_FALSE, /* handshakeAsServer */ | 65 PR_FALSE, /* handshakeAsServer */ |
73 PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ | 66 PR_FALSE, |
74 PR_FALSE, /* unusedBit9 */ | 67 /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ |
75 PR_FALSE, /* unusedBit10 */ | 68 PR_FALSE, /* unusedBit9 */ |
76 PR_FALSE, /* noCache */ | 69 PR_FALSE, /* unusedBit10 */ |
77 PR_FALSE, /* fdx */ | 70 PR_FALSE, /* noCache */ |
78 PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ | 71 PR_FALSE, /* fdx */ |
79 PR_TRUE, /* detectRollBack */ | 72 PR_FALSE, |
80 PR_FALSE, /* noStepDown */ | 73 /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ |
81 PR_FALSE, /* bypassPKCS11 */ | 74 PR_TRUE, /* detectRollBack */ |
82 PR_FALSE, /* noLocks */ | 75 PR_FALSE, /* noStepDown */ |
83 PR_FALSE, /* enableSessionTickets */ | 76 PR_FALSE, /* bypassPKCS11 */ |
84 PR_FALSE, /* enableDeflate */ | 77 PR_FALSE, /* noLocks */ |
85 2, /* enableRenegotiation (default: requires extension) */ | 78 PR_FALSE, /* enableSessionTickets */ |
86 PR_FALSE, /* requireSafeNegotiation */ | 79 PR_FALSE, /* enableDeflate */ |
87 PR_FALSE, /* enableFalseStart */ | 80 2, /* enableRenegotiation (default: requires extension
) */ |
88 PR_TRUE, /* cbcRandomIV */ | 81 PR_FALSE, /* requireSafeNegotiation */ |
89 PR_FALSE, /* enableOCSPStapling */ | 82 PR_FALSE, /* enableFalseStart */ |
90 PR_TRUE, /* enableNPN */ | 83 PR_TRUE, /* cbcRandomIV */ |
91 PR_FALSE, /* enableALPN */ | 84 PR_FALSE, /* enableOCSPStapling */ |
92 PR_TRUE, /* reuseServerECDHEKey */ | 85 PR_TRUE, /* enableNPN */ |
93 PR_FALSE, /* enableFallbackSCSV */ | 86 PR_FALSE, /* enableALPN */ |
94 PR_TRUE, /* enableServerDhe */ | 87 PR_TRUE, /* reuseServerECDHEKey */ |
95 PR_FALSE, /* enableExtendedMS */ | 88 PR_FALSE, /* enableFallbackSCSV */ |
96 PR_FALSE, /* enableSignedCertTimestamps */ | 89 PR_TRUE, /* enableServerDhe */ |
| 90 PR_FALSE, /* enableExtendedMS */ |
| 91 PR_FALSE, /* enableSignedCertTimestamps */ |
97 }; | 92 }; |
98 | 93 |
99 /* | 94 /* |
100 * default range of enabled SSL/TLS protocols | 95 * default range of enabled SSL/TLS protocols |
101 */ | 96 */ |
102 static SSLVersionRange versions_defaults_stream = { | 97 static SSLVersionRange versions_defaults_stream = { |
103 SSL_LIBRARY_VERSION_TLS_1_0, | 98 SSL_LIBRARY_VERSION_TLS_1_0, |
104 SSL_LIBRARY_VERSION_TLS_1_2 | 99 SSL_LIBRARY_VERSION_TLS_1_2 |
105 }; | 100 }; |
106 | 101 |
107 static SSLVersionRange versions_defaults_datagram = { | 102 static SSLVersionRange versions_defaults_datagram = { |
108 SSL_LIBRARY_VERSION_TLS_1_1, | 103 SSL_LIBRARY_VERSION_TLS_1_1, |
109 SSL_LIBRARY_VERSION_TLS_1_2 | 104 SSL_LIBRARY_VERSION_TLS_1_2 |
110 }; | 105 }; |
111 | 106 |
112 #define VERSIONS_DEFAULTS(variant) \ | 107 #define VERSIONS_DEFAULTS(variant) \ |
113 (variant == ssl_variant_stream ? &versions_defaults_stream : \ | 108 (variant == ssl_variant_stream ? &versions_defaults_stream : \ |
114 &versions_defaults_datagram) | 109 &versions_defaults_datagram) |
| 110 #define VERSIONS_POLICY_MIN(variant) \ |
| 111 (variant == ssl_variant_stream ? NSS_TLS_VERSION_MIN_POLICY : \ |
| 112 NSS_DTLS_VERSION_MIN_POLICY) |
| 113 #define VERSIONS_POLICY_MAX(variant) \ |
| 114 (variant == ssl_variant_stream ? NSS_TLS_VERSION_MAX_POLICY : \ |
| 115 NSS_DTLS_VERSION_MAX_POLICY) |
115 | 116 |
116 sslSessionIDLookupFunc ssl_sid_lookup; | 117 sslSessionIDLookupFunc ssl_sid_lookup; |
117 sslSessionIDCacheFunc ssl_sid_cache; | 118 sslSessionIDCacheFunc ssl_sid_cache; |
118 sslSessionIDUncacheFunc ssl_sid_uncache; | 119 sslSessionIDUncacheFunc ssl_sid_uncache; |
119 | 120 |
120 static PRBool ssl_inited = PR_FALSE; | 121 static PRBool ssl_inited = PR_FALSE; |
121 static PRDescIdentity ssl_layer_id; | 122 static PRDescIdentity ssl_layer_id; |
122 | 123 |
123 PRBool locksEverDisabled; /* implicitly PR_FALSE */ | 124 PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
124 PRBool ssl_force_locks; /* implicitly PR_FALSE */ | 125 PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
125 int ssl_lock_readers = 1; /* default true. */ | 126 int ssl_lock_readers = 1; /* default true. */ |
126 char ssl_debug; | 127 char ssl_debug; |
127 char ssl_trace; | 128 char ssl_trace; |
128 FILE * ssl_trace_iob; | 129 FILE *ssl_trace_iob; |
129 FILE * ssl_keylog_iob; | 130 FILE *ssl_keylog_iob; |
130 char lockStatus[] = "Locks are ENABLED. "; | 131 char lockStatus[] = "Locks are ENABLED. "; |
131 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ | 132 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ |
132 | 133 |
133 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ | 134 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ |
134 static const PRUint16 srtpCiphers[] = { | 135 static const PRUint16 srtpCiphers[] = { |
135 SRTP_AES128_CM_HMAC_SHA1_80, | 136 SRTP_AES128_CM_HMAC_SHA1_80, |
136 SRTP_AES128_CM_HMAC_SHA1_32, | 137 SRTP_AES128_CM_HMAC_SHA1_32, |
137 0 | 138 0 |
138 }; | 139 }; |
139 | 140 |
140 /* forward declarations. */ | 141 /* forward declarations. */ |
141 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); | 142 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); |
142 static SECStatus ssl_MakeLocks(sslSocket *ss); | 143 static SECStatus ssl_MakeLocks(sslSocket *ss); |
143 static void ssl_SetDefaultsFromEnvironment(void); | 144 static void ssl_SetDefaultsFromEnvironment(void); |
144 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, | 145 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, |
145 PRDescIdentity id); | 146 PRDescIdentity id); |
146 | 147 |
147 /************************************************************************/ | 148 /************************************************************************/ |
148 | 149 |
149 /* | 150 /* |
150 ** Lookup a socket structure from a file descriptor. | 151 ** Lookup a socket structure from a file descriptor. |
151 ** Only functions called through the PRIOMethods table should use this. | 152 ** Only functions called through the PRIOMethods table should use this. |
152 ** Other app-callable functions should use ssl_FindSocket. | 153 ** Other app-callable functions should use ssl_FindSocket. |
153 */ | 154 */ |
154 static sslSocket * | 155 static sslSocket * |
155 ssl_GetPrivate(PRFileDesc *fd) | 156 ssl_GetPrivate(PRFileDesc *fd) |
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
207 } | 208 } |
208 | 209 |
209 static sslSocket * | 210 static sslSocket * |
210 ssl_DupSocket(sslSocket *os) | 211 ssl_DupSocket(sslSocket *os) |
211 { | 212 { |
212 sslSocket *ss; | 213 sslSocket *ss; |
213 SECStatus rv; | 214 SECStatus rv; |
214 | 215 |
215 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); | 216 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); |
216 if (ss) { | 217 if (ss) { |
217 ss->opt = os->opt; | 218 ss->opt = os->opt; |
218 ss->opt.useSocks = PR_FALSE; | 219 ss->opt.useSocks = PR_FALSE; |
219 ss->vrange = os->vrange; | 220 ss->vrange = os->vrange; |
220 | 221 |
221 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); | 222 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
222 ss->url = !os->url ? NULL : PORT_Strdup(os->url); | 223 ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
223 | 224 |
224 ss->ops = os->ops; | 225 ss->ops = os->ops; |
225 ss->rTimeout = os->rTimeout; | 226 ss->rTimeout = os->rTimeout; |
226 ss->wTimeout = os->wTimeout; | 227 ss->wTimeout = os->wTimeout; |
227 ss->cTimeout = os->cTimeout; | 228 ss->cTimeout = os->cTimeout; |
228 ss->dbHandle = os->dbHandle; | 229 ss->dbHandle = os->dbHandle; |
229 | 230 |
230 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ | 231 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
231 ss->allowedByPolicy = os->allowedByPolicy; | 232 ss->allowedByPolicy = os->allowedByPolicy; |
232 ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; | 233 ss->maybeAllowedByPolicy = os->maybeAllowedByPolicy; |
233 ss->chosenPreference = os->chosenPreference; | 234 ss->chosenPreference = os->chosenPreference; |
234 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; | 235 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; |
235 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, | 236 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, |
236 sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); | 237 sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); |
237 ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; | 238 ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; |
238 PORT_Memcpy(ss->ssl3.signatureAlgorithms, os->ssl3.signatureAlgorithms, | 239 PORT_Memcpy(ss->ssl3.signatureAlgorithms, os->ssl3.signatureAlgorithms, |
239 sizeof(ss->ssl3.signatureAlgorithms[0]) * | 240 sizeof(ss->ssl3.signatureAlgorithms[0]) * |
240 os->ssl3.signatureAlgorithmCount); | 241 os->ssl3.signatureAlgorithmCount); |
241 ss->ssl3.signatureAlgorithmCount = os->ssl3.signatureAlgorithmCount; | 242 ss->ssl3.signatureAlgorithmCount = os->ssl3.signatureAlgorithmCount; |
| 243 ss->ssl3.downgradeCheckVersion = os->ssl3.downgradeCheckVersion; |
242 | 244 |
243 ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; | 245 ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; |
244 ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups; | 246 ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups; |
245 if (os->ssl3.dheGroups) { | 247 if (os->ssl3.dheGroups) { |
246 ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType, | 248 ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType, |
247 os->ssl3.numDHEGroups); | 249 os->ssl3.numDHEGroups); |
248 if (!ss->ssl3.dheGroups) { | 250 if (!ss->ssl3.dheGroups) { |
249 goto loser; | 251 goto loser; |
250 } | 252 } |
251 PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups, | 253 PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups, |
252 sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups); | 254 sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups); |
253 } else { | 255 } else { |
254 ss->ssl3.dheGroups = NULL; | 256 ss->ssl3.dheGroups = NULL; |
255 } | 257 } |
256 | 258 |
257 if (os->cipherSpecs) { | 259 if (os->cipherSpecs) { |
258 ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); | 260 ss->cipherSpecs = (unsigned char *)PORT_Alloc(os->sizeCipherSpecs); |
259 if (ss->cipherSpecs) | 261 if (ss->cipherSpecs) |
260 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, | 262 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, |
261 os->sizeCipherSpecs); | 263 os->sizeCipherSpecs); |
262 ss->sizeCipherSpecs = os->sizeCipherSpecs; | 264 ss->sizeCipherSpecs = os->sizeCipherSpecs; |
263 ss->preferredCipher = os->preferredCipher; | 265 ss->preferredCipher = os->preferredCipher; |
264 } else { | 266 } else { |
265 ss->cipherSpecs = NULL; /* produced lazily */ | 267 ss->cipherSpecs = NULL; /* produced lazily */ |
266 ss->sizeCipherSpecs = 0; | 268 ss->sizeCipherSpecs = 0; |
267 ss->preferredCipher = NULL; | 269 ss->preferredCipher = NULL; |
268 } | 270 } |
269 if (ss->opt.useSecurity) { | 271 if (ss->opt.useSecurity) { |
270 /* This int should be SSLKEAType, but CC on Irix complains, | 272 /* This int should be SSLKEAType, but CC on Irix complains, |
271 * during the for loop. | 273 * during the for loop. |
272 */ | 274 */ |
273 int i; | 275 int i; |
274 sslServerCerts * oc = os->serverCerts; | 276 sslServerCerts *oc = os->serverCerts; |
275 sslServerCerts * sc = ss->serverCerts; | 277 sslServerCerts *sc = ss->serverCerts; |
276 | 278 |
277 for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) { | 279 for (i = kt_null; i < kt_kea_size; i++, oc++, sc++) { |
278 if (oc->serverCert && oc->serverCertChain) { | 280 if (oc->serverCert && oc->serverCertChain) { |
279 sc->serverCert = CERT_DupCertificate(oc->serverCert); | 281 sc->serverCert = CERT_DupCertificate(oc->serverCert); |
280 sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); | 282 sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); |
281 if (!sc->serverCertChain) | 283 if (!sc->serverCertChain) |
282 goto loser; | 284 goto loser; |
283 } else { | 285 } else { |
284 sc->serverCert = NULL; | 286 sc->serverCert = NULL; |
285 sc->serverCertChain = NULL; | 287 sc->serverCertChain = NULL; |
286 } | 288 } |
287 sc->serverKeyPair = oc->serverKeyPair ? | 289 sc->serverKeyPair = oc->serverKeyPair ? ssl3_GetKeyPairRef(oc->s
erverKeyPair) |
288 ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL; | 290 : NULL; |
289 if (oc->serverKeyPair && !sc->serverKeyPair) | 291 if (oc->serverKeyPair && !sc->serverKeyPair) |
290 goto loser; | 292 goto loser; |
291 sc->serverKeyBits = oc->serverKeyBits; | 293 sc->serverKeyBits = oc->serverKeyBits; |
292 ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : | 294 ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : SECITE
M_DupArray(NULL, os->certStatusArray[i]); |
293 SECITEM_DupArray(NULL, os->certStatusArray[i]); | |
294 } | 295 } |
295 ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : | 296 ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : ssl3_GetKeyPairR
ef(os->stepDownKeyPair); |
296 ssl3_GetKeyPairRef(os->stepDownKeyPair); | 297 ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : ssl3_G
etKeyPairRef(os->ephemeralECDHKeyPair); |
297 ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : | 298 ss->dheKeyPair = !os->dheKeyPair ? NULL : ssl3_GetKeyPairRef(os->dhe
KeyPair); |
298 ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); | |
299 ss->dheKeyPair = !os->dheKeyPair ? NULL : | |
300 ssl3_GetKeyPairRef(os->dheKeyPair); | |
301 ss->dheParams = os->dheParams; | 299 ss->dheParams = os->dheParams; |
302 | 300 |
303 /* | 301 /* |
304 * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. | 302 * XXX the preceding CERT_ and SECKEY_ functions can fail and return
NULL. |
305 * XXX We should detect this, and not just march on with NULL pointers. | 303 * XXX We should detect this, and not just march on with NULL pointe
rs. |
306 */ | 304 */ |
307 ss->authCertificate = os->authCertificate; | 305 ss->authCertificate = os->authCertificate; |
308 ss->authCertificateArg = os->authCertificateArg; | 306 ss->authCertificateArg = os->authCertificateArg; |
309 ss->getClientAuthData = os->getClientAuthData; | 307 ss->getClientAuthData = os->getClientAuthData; |
310 ss->getClientAuthDataArg = os->getClientAuthDataArg; | 308 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
311 #ifdef NSS_PLATFORM_CLIENT_AUTH | 309 ss->sniSocketConfig = os->sniSocketConfig; |
312 ss->getPlatformClientAuthData = os->getPlatformClientAuthData; | 310 ss->sniSocketConfigArg = os->sniSocketConfigArg; |
313 ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; | 311 ss->handleBadCert = os->handleBadCert; |
314 #endif | 312 ss->badCertArg = os->badCertArg; |
315 ss->sniSocketConfig = os->sniSocketConfig; | 313 ss->handshakeCallback = os->handshakeCallback; |
316 ss->sniSocketConfigArg = os->sniSocketConfigArg; | |
317 ss->handleBadCert = os->handleBadCert; | |
318 ss->badCertArg = os->badCertArg; | |
319 ss->handshakeCallback = os->handshakeCallback; | |
320 ss->handshakeCallbackData = os->handshakeCallbackData; | 314 ss->handshakeCallbackData = os->handshakeCallbackData; |
321 ss->canFalseStartCallback = os->canFalseStartCallback; | 315 ss->canFalseStartCallback = os->canFalseStartCallback; |
322 ss->canFalseStartCallbackData = os->canFalseStartCallbackData; | 316 ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
323 ss->pkcs11PinArg = os->pkcs11PinArg; | 317 ss->pkcs11PinArg = os->pkcs11PinArg; |
324 ss->getChannelID = os->getChannelID; | 318 ss->getChannelID = os->getChannelID; |
325 ss->getChannelIDArg = os->getChannelIDArg; | 319 ss->getChannelIDArg = os->getChannelIDArg; |
326 | 320 |
327 /* Create security data */ | 321 /* Create security data */ |
328 rv = ssl_CopySecurityInfo(ss, os); | 322 rv = ssl_CopySecurityInfo(ss, os); |
329 if (rv != SECSuccess) { | 323 if (rv != SECSuccess) { |
330 goto loser; | 324 goto loser; |
331 } | 325 } |
332 } | 326 } |
333 } | 327 } |
334 return ss; | 328 return ss; |
335 | 329 |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
373 } | 367 } |
374 } | 368 } |
375 | 369 |
376 /* Caller holds any relevant locks */ | 370 /* Caller holds any relevant locks */ |
377 static void | 371 static void |
378 ssl_DestroySocketContents(sslSocket *ss) | 372 ssl_DestroySocketContents(sslSocket *ss) |
379 { | 373 { |
380 /* "i" should be of type SSLKEAType, but CC on IRIX complains during | 374 /* "i" should be of type SSLKEAType, but CC on IRIX complains during |
381 * the for loop. | 375 * the for loop. |
382 */ | 376 */ |
383 int i; | 377 int i; |
384 | 378 |
385 /* Free up socket */ | 379 /* Free up socket */ |
386 ssl_DestroySecurityInfo(&ss->sec); | 380 ssl_DestroySecurityInfo(&ss->sec); |
387 | 381 |
388 ssl3_DestroySSL3Info(ss); | 382 ssl3_DestroySSL3Info(ss); |
389 | 383 |
390 PORT_Free(ss->saveBuf.buf); | 384 PORT_Free(ss->saveBuf.buf); |
391 PORT_Free(ss->pendingBuf.buf); | 385 PORT_Free(ss->pendingBuf.buf); |
392 ssl_DestroyGather(&ss->gs); | 386 ssl_DestroyGather(&ss->gs); |
393 | 387 |
394 if (ss->peerID != NULL) | 388 if (ss->peerID != NULL) |
395 PORT_Free(ss->peerID); | 389 PORT_Free(ss->peerID); |
396 if (ss->url != NULL) | 390 if (ss->url != NULL) |
397 PORT_Free((void *)ss->url); /* CONST */ | 391 PORT_Free((void *)ss->url); /* CONST */ |
398 if (ss->cipherSpecs) { | 392 if (ss->cipherSpecs) { |
399 PORT_Free(ss->cipherSpecs); | 393 PORT_Free(ss->cipherSpecs); |
400 ss->cipherSpecs = NULL; | 394 ss->cipherSpecs = NULL; |
401 ss->sizeCipherSpecs = 0; | 395 ss->sizeCipherSpecs = 0; |
402 } | 396 } |
403 | 397 |
404 /* Clean up server configuration */ | 398 /* Clean up server configuration */ |
405 for (i=kt_null; i < kt_kea_size; i++) { | 399 for (i = kt_null; i < kt_kea_size; i++) { |
406 sslServerCerts * sc = ss->serverCerts + i; | 400 sslServerCerts *sc = ss->serverCerts + i; |
407 if (sc->serverCert != NULL) | 401 if (sc->serverCert != NULL) |
408 CERT_DestroyCertificate(sc->serverCert); | 402 CERT_DestroyCertificate(sc->serverCert); |
409 if (sc->serverCertChain != NULL) | 403 if (sc->serverCertChain != NULL) |
410 CERT_DestroyCertificateList(sc->serverCertChain); | 404 CERT_DestroyCertificateList(sc->serverCertChain); |
411 if (sc->serverKeyPair != NULL) | 405 if (sc->serverKeyPair != NULL) |
412 ssl3_FreeKeyPair(sc->serverKeyPair); | 406 ssl3_FreeKeyPair(sc->serverKeyPair); |
413 if (ss->certStatusArray[i] != NULL) { | 407 if (ss->certStatusArray[i] != NULL) { |
414 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); | 408 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); |
415 ss->certStatusArray[i] = NULL; | 409 ss->certStatusArray[i] = NULL; |
416 } | 410 } |
| 411 if (ss->signedCertTimestamps[i].data) { |
| 412 SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE); |
| 413 } |
417 } | 414 } |
418 if (ss->stepDownKeyPair) { | 415 if (ss->stepDownKeyPair) { |
419 ssl3_FreeKeyPair(ss->stepDownKeyPair); | 416 ssl3_FreeKeyPair(ss->stepDownKeyPair); |
420 ss->stepDownKeyPair = NULL; | 417 ss->stepDownKeyPair = NULL; |
421 } | 418 } |
422 if (ss->ephemeralECDHKeyPair) { | 419 if (ss->ephemeralECDHKeyPair) { |
423 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); | 420 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); |
424 ss->ephemeralECDHKeyPair = NULL; | 421 ss->ephemeralECDHKeyPair = NULL; |
425 } | 422 } |
426 if (ss->dheKeyPair) { | 423 if (ss->dheKeyPair) { |
427 ssl3_FreeKeyPair(ss->dheKeyPair); | 424 ssl3_FreeKeyPair(ss->dheKeyPair); |
428 ss->dheKeyPair = NULL; | 425 ss->dheKeyPair = NULL; |
429 } | 426 } |
430 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); | 427 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); |
431 if (ss->xtnData.sniNameArr) { | 428 if (ss->xtnData.sniNameArr) { |
432 PORT_Free(ss->xtnData.sniNameArr); | 429 PORT_Free(ss->xtnData.sniNameArr); |
433 ss->xtnData.sniNameArr = NULL; | 430 ss->xtnData.sniNameArr = NULL; |
434 } | 431 } |
435 } | 432 } |
436 | 433 |
437 /* | 434 /* |
438 * free an sslSocket struct, and all the stuff that hangs off of it | 435 * free an sslSocket struct, and all the stuff that hangs off of it |
439 */ | 436 */ |
440 void | 437 void |
441 ssl_FreeSocket(sslSocket *ss) | 438 ssl_FreeSocket(sslSocket *ss) |
442 { | 439 { |
443 /* Get every lock you can imagine! | 440 /* Get every lock you can imagine! |
444 ** Caller already holds these: | 441 ** Caller already holds these: |
445 ** SSL_LOCK_READER(ss); | 442 ** SSL_LOCK_READER(ss); |
446 ** SSL_LOCK_WRITER(ss); | 443 ** SSL_LOCK_WRITER(ss); |
447 */ | 444 */ |
448 ssl_Get1stHandshakeLock(ss); | 445 ssl_Get1stHandshakeLock(ss); |
449 ssl_GetRecvBufLock(ss); | 446 ssl_GetRecvBufLock(ss); |
450 ssl_GetSSL3HandshakeLock(ss); | 447 ssl_GetSSL3HandshakeLock(ss); |
451 ssl_GetXmitBufLock(ss); | 448 ssl_GetXmitBufLock(ss); |
452 ssl_GetSpecWriteLock(ss); | 449 ssl_GetSpecWriteLock(ss); |
453 | 450 |
454 ssl_DestroySocketContents(ss); | 451 ssl_DestroySocketContents(ss); |
455 | 452 |
456 /* Release all the locks acquired above. */ | 453 /* Release all the locks acquired above. */ |
457 SSL_UNLOCK_READER(ss); | 454 SSL_UNLOCK_READER(ss); |
(...skipping 10 matching lines...) Expand all Loading... |
468 PORT_Memset(ss, 0x1f, sizeof *ss); | 465 PORT_Memset(ss, 0x1f, sizeof *ss); |
469 #endif | 466 #endif |
470 PORT_Free(ss); | 467 PORT_Free(ss); |
471 return; | 468 return; |
472 } | 469 } |
473 | 470 |
474 /************************************************************************/ | 471 /************************************************************************/ |
475 SECStatus | 472 SECStatus |
476 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) | 473 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) |
477 { | 474 { |
478 PRFileDesc * osfd = ss->fd->lower; | 475 PRFileDesc *osfd = ss->fd->lower; |
479 SECStatus rv = SECFailure; | 476 SECStatus rv = SECFailure; |
480 PRSocketOptionData opt; | 477 PRSocketOptionData opt; |
481 | 478 |
482 opt.option = PR_SockOpt_NoDelay; | 479 opt.option = PR_SockOpt_NoDelay; |
483 opt.value.no_delay = (PRBool)!enabled; | 480 opt.value.no_delay = (PRBool)!enabled; |
484 | 481 |
485 if (osfd->methods->setsocketoption) { | 482 if (osfd->methods->setsocketoption) { |
486 rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt); | 483 rv = (SECStatus)osfd->methods->setsocketoption(osfd, &opt); |
487 } else { | 484 } else { |
488 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 485 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
489 } | 486 } |
490 | 487 |
491 return rv; | 488 return rv; |
492 } | 489 } |
493 | 490 |
494 static void | 491 static void |
495 ssl_ChooseOps(sslSocket *ss) | 492 ssl_ChooseOps(sslSocket *ss) |
496 { | 493 { |
497 ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops; | 494 ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops; |
498 } | 495 } |
499 | 496 |
500 /* Called from SSL_Enable (immediately below) */ | 497 /* Called from SSL_Enable (immediately below) */ |
501 static SECStatus | 498 static SECStatus |
502 PrepareSocket(sslSocket *ss) | 499 PrepareSocket(sslSocket *ss) |
503 { | 500 { |
504 SECStatus rv = SECSuccess; | 501 SECStatus rv = SECSuccess; |
505 | 502 |
506 ssl_ChooseOps(ss); | 503 ssl_ChooseOps(ss); |
507 return rv; | 504 return rv; |
508 } | 505 } |
509 | 506 |
510 SECStatus | 507 SECStatus |
511 SSL_Enable(PRFileDesc *fd, int which, PRBool on) | 508 SSL_Enable(PRFileDesc *fd, int which, PRBool on) |
512 { | 509 { |
513 return SSL_OptionSet(fd, which, on); | 510 return SSL_OptionSet(fd, which, on); |
514 } | 511 } |
515 | 512 |
516 #ifndef NO_PKCS11_BYPASS | 513 #ifndef NO_PKCS11_BYPASS |
517 static const PRCallOnceType pristineCallOnce; | 514 static const PRCallOnceType pristineCallOnce; |
518 static PRCallOnceType setupBypassOnce; | 515 static PRCallOnceType setupBypassOnce; |
519 | 516 |
520 static SECStatus SSL_BypassShutdown(void* appData, void* nssData) | 517 static SECStatus |
| 518 SSL_BypassShutdown(void *appData, void *nssData) |
521 { | 519 { |
522 /* unload freeBL shared library from memory */ | 520 /* unload freeBL shared library from memory */ |
523 BL_Unload(); | 521 BL_Unload(); |
524 setupBypassOnce = pristineCallOnce; | 522 setupBypassOnce = pristineCallOnce; |
525 return SECSuccess; | 523 return SECSuccess; |
526 } | 524 } |
527 | 525 |
528 static PRStatus SSL_BypassRegisterShutdown(void) | 526 static PRStatus |
| 527 SSL_BypassRegisterShutdown(void) |
529 { | 528 { |
530 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); | 529 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); |
531 PORT_Assert(SECSuccess == rv); | 530 PORT_Assert(SECSuccess == rv); |
532 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE; | 531 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE; |
533 } | 532 } |
534 #endif | 533 #endif |
535 | 534 |
536 static PRStatus SSL_BypassSetup(void) | 535 static PRStatus |
| 536 SSL_BypassSetup(void) |
537 { | 537 { |
538 #ifdef NO_PKCS11_BYPASS | 538 #ifdef NO_PKCS11_BYPASS |
539 /* Guarantee binary compatibility */ | 539 /* Guarantee binary compatibility */ |
540 return PR_SUCCESS; | 540 return PR_SUCCESS; |
541 #else | 541 #else |
542 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); | 542 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); |
543 #endif | 543 #endif |
544 } | 544 } |
545 | 545 |
| 546 static PRBool ssl_VersionIsSupportedByPolicy( |
| 547 SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version); |
| 548 |
546 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in | 549 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in |
547 * ssl.h in the section "SSL version range setting API". | 550 * ssl.h in the section "SSL version range setting API". |
548 */ | 551 */ |
549 static void | 552 static void |
550 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) | 553 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) |
551 { | 554 { |
| 555 if (on) { |
| 556 /* don't turn it on if tls1.0 disallowed by by policy */ |
| 557 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
| 558 SSL_LIBRARY_VERSION_TLS_1_0)) { |
| 559 return; |
| 560 } |
| 561 } |
552 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { | 562 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
553 if (on) { | 563 if (on) { |
554 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; | 564 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; |
555 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; | 565 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; |
556 } /* else don't change anything */ | 566 } /* else don't change anything */ |
557 return; | 567 return; |
558 } | 568 } |
559 | 569 |
560 if (on) { | 570 if (on) { |
561 /* Expand the range of enabled version to include TLS 1.0 */ | 571 /* Expand the range of enabled version to include TLS 1.0 */ |
(...skipping 10 matching lines...) Expand all Loading... |
572 } | 582 } |
573 } | 583 } |
574 } | 584 } |
575 | 585 |
576 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in | 586 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in |
577 * ssl.h in the section "SSL version range setting API". | 587 * ssl.h in the section "SSL version range setting API". |
578 */ | 588 */ |
579 static void | 589 static void |
580 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) | 590 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) |
581 { | 591 { |
582 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { | 592 if (on) { |
| 593 /* don't turn it on if ssl3 disallowed by by policy */ |
| 594 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
| 595 SSL_LIBRARY_VERSION_3_0)) { |
| 596 return; |
| 597 } |
| 598 } |
| 599 if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
583 if (on) { | 600 if (on) { |
584 vrange->min = SSL_LIBRARY_VERSION_3_0; | 601 vrange->min = SSL_LIBRARY_VERSION_3_0; |
585 vrange->max = SSL_LIBRARY_VERSION_3_0; | 602 vrange->max = SSL_LIBRARY_VERSION_3_0; |
586 } /* else don't change anything */ | 603 } /* else don't change anything */ |
587 return; | 604 return; |
588 } | 605 } |
589 | 606 |
590 if (on) { | 607 if (on) { |
591 /* Expand the range of enabled versions to include SSL 3.0. We know | 608 /* Expand the range of enabled versions to include SSL 3.0. We know |
592 * SSL 3.0 or some version of TLS is already enabled at this point, so | 609 * SSL 3.0 or some version of TLS is already enabled at this point, so |
593 * we don't need to change vrange->max. | 610 * we don't need to change vrange->max. |
594 */ | 611 */ |
595 vrange->min = SSL_LIBRARY_VERSION_3_0; | 612 vrange->min = SSL_LIBRARY_VERSION_3_0; |
596 } else { | 613 } else { |
597 /* Disable SSL 3.0, leaving TLS unaffected. */ | 614 /* Disable SSL 3.0, leaving TLS unaffected. */ |
598 if (vrange->max > SSL_LIBRARY_VERSION_3_0) { | 615 if (vrange->max > SSL_LIBRARY_VERSION_3_0) { |
599 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); | 616 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); |
600 } else { | 617 } else { |
601 /* Only SSL 3.0 was enabled, so now no versions are. */ | 618 /* Only SSL 3.0 was enabled, so now no versions are. */ |
602 vrange->min = SSL_LIBRARY_VERSION_NONE; | 619 vrange->min = SSL_LIBRARY_VERSION_NONE; |
603 vrange->max = SSL_LIBRARY_VERSION_NONE; | 620 vrange->max = SSL_LIBRARY_VERSION_NONE; |
604 } | 621 } |
605 } | 622 } |
606 } | 623 } |
607 | 624 |
608 SECStatus | 625 SECStatus |
609 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) | 626 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
610 { | 627 { |
611 sslSocket *ss = ssl_FindSocket(fd); | 628 sslSocket *ss = ssl_FindSocket(fd); |
612 SECStatus rv = SECSuccess; | 629 SECStatus rv = SECSuccess; |
613 PRBool holdingLocks; | 630 PRBool holdingLocks; |
614 | 631 |
615 if (!ss) { | 632 if (!ss) { |
616 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); | 633 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
617 return SECFailure; | 634 return SECFailure; |
618 } | 635 } |
619 | 636 |
620 holdingLocks = (!ss->opt.noLocks); | 637 holdingLocks = (!ss->opt.noLocks); |
621 ssl_Get1stHandshakeLock(ss); | 638 ssl_Get1stHandshakeLock(ss); |
622 ssl_GetSSL3HandshakeLock(ss); | 639 ssl_GetSSL3HandshakeLock(ss); |
623 | 640 |
624 switch (which) { | 641 switch (which) { |
625 case SSL_SOCKS: | 642 case SSL_SOCKS: |
626 ss->opt.useSocks = PR_FALSE; | 643 ss->opt.useSocks = PR_FALSE; |
627 rv = PrepareSocket(ss); | 644 rv = PrepareSocket(ss); |
628 if (on) { | 645 if (on) { |
| 646 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 647 rv = SECFailure; |
| 648 } |
| 649 break; |
| 650 |
| 651 case SSL_SECURITY: |
| 652 ss->opt.useSecurity = on; |
| 653 rv = PrepareSocket(ss); |
| 654 break; |
| 655 |
| 656 case SSL_REQUEST_CERTIFICATE: |
| 657 ss->opt.requestCertificate = on; |
| 658 break; |
| 659 |
| 660 case SSL_REQUIRE_CERTIFICATE: |
| 661 ss->opt.requireCertificate = on; |
| 662 break; |
| 663 |
| 664 case SSL_HANDSHAKE_AS_CLIENT: |
| 665 if (ss->opt.handshakeAsServer && on) { |
| 666 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 667 rv = SECFailure; |
| 668 break; |
| 669 } |
| 670 ss->opt.handshakeAsClient = on; |
| 671 break; |
| 672 |
| 673 case SSL_HANDSHAKE_AS_SERVER: |
| 674 if (ss->opt.handshakeAsClient && on) { |
| 675 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 676 rv = SECFailure; |
| 677 break; |
| 678 } |
| 679 ss->opt.handshakeAsServer = on; |
| 680 break; |
| 681 |
| 682 case SSL_ENABLE_TLS: |
| 683 if (IS_DTLS(ss)) { |
| 684 if (on) { |
| 685 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 686 rv = SECFailure; /* not allowed */ |
| 687 } |
| 688 break; |
| 689 } |
| 690 ssl_EnableTLS(&ss->vrange, on); |
| 691 ss->preferredCipher = NULL; |
| 692 if (ss->cipherSpecs) { |
| 693 PORT_Free(ss->cipherSpecs); |
| 694 ss->cipherSpecs = NULL; |
| 695 ss->sizeCipherSpecs = 0; |
| 696 } |
| 697 break; |
| 698 |
| 699 case SSL_ENABLE_SSL3: |
| 700 if (IS_DTLS(ss)) { |
| 701 if (on) { |
| 702 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 703 rv = SECFailure; /* not allowed */ |
| 704 } |
| 705 break; |
| 706 } |
| 707 ssl_EnableSSL3(&ss->vrange, on); |
| 708 ss->preferredCipher = NULL; |
| 709 if (ss->cipherSpecs) { |
| 710 PORT_Free(ss->cipherSpecs); |
| 711 ss->cipherSpecs = NULL; |
| 712 ss->sizeCipherSpecs = 0; |
| 713 } |
| 714 break; |
| 715 |
| 716 case SSL_ENABLE_SSL2: |
| 717 if (IS_DTLS(ss)) { |
| 718 if (on) { |
| 719 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 720 rv = SECFailure; /* not allowed */ |
| 721 } |
| 722 break; |
| 723 } |
| 724 if (on) { |
| 725 /* don't turn it on if ssl2 disallowed by by policy */ |
| 726 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
| 727 SSL_LIBRARY_VERSION_2)) { |
| 728 break; |
| 729 } |
| 730 } |
| 731 ss->opt.enableSSL2 = on; |
| 732 if (on) { |
| 733 ss->opt.v2CompatibleHello = on; |
| 734 } |
| 735 ss->preferredCipher = NULL; |
| 736 if (ss->cipherSpecs) { |
| 737 PORT_Free(ss->cipherSpecs); |
| 738 ss->cipherSpecs = NULL; |
| 739 ss->sizeCipherSpecs = 0; |
| 740 } |
| 741 break; |
| 742 |
| 743 case SSL_NO_CACHE: |
| 744 ss->opt.noCache = on; |
| 745 break; |
| 746 |
| 747 case SSL_ENABLE_FDX: |
| 748 if (on && ss->opt.noLocks) { |
| 749 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 750 rv = SECFailure; |
| 751 } |
| 752 ss->opt.fdx = on; |
| 753 break; |
| 754 |
| 755 case SSL_V2_COMPATIBLE_HELLO: |
| 756 if (IS_DTLS(ss)) { |
| 757 if (on) { |
| 758 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 759 rv = SECFailure; /* not allowed */ |
| 760 } |
| 761 break; |
| 762 } |
| 763 ss->opt.v2CompatibleHello = on; |
| 764 if (!on) { |
| 765 ss->opt.enableSSL2 = on; |
| 766 } |
| 767 break; |
| 768 |
| 769 case SSL_ROLLBACK_DETECTION: |
| 770 ss->opt.detectRollBack = on; |
| 771 break; |
| 772 |
| 773 case SSL_NO_STEP_DOWN: |
| 774 ss->opt.noStepDown = on; |
| 775 if (on) |
| 776 SSL_DisableExportCipherSuites(fd); |
| 777 break; |
| 778 |
| 779 case SSL_BYPASS_PKCS11: |
| 780 if (ss->handshakeBegun) { |
| 781 PORT_SetError(PR_INVALID_STATE_ERROR); |
| 782 rv = SECFailure; |
| 783 } else { |
| 784 if (PR_FALSE != on) { |
| 785 if (PR_SUCCESS == SSL_BypassSetup()) { |
| 786 #ifdef NO_PKCS11_BYPASS |
| 787 ss->opt.bypassPKCS11 = PR_FALSE; |
| 788 #else |
| 789 ss->opt.bypassPKCS11 = on; |
| 790 #endif |
| 791 } else { |
| 792 rv = SECFailure; |
| 793 } |
| 794 } else { |
| 795 ss->opt.bypassPKCS11 = PR_FALSE; |
| 796 } |
| 797 } |
| 798 break; |
| 799 |
| 800 case SSL_NO_LOCKS: |
| 801 if (on && ss->opt.fdx) { |
| 802 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 803 rv = SECFailure; |
| 804 } |
| 805 if (on && ssl_force_locks) |
| 806 on = PR_FALSE; /* silent override */ |
| 807 ss->opt.noLocks = on; |
| 808 if (on) { |
| 809 locksEverDisabled = PR_TRUE; |
| 810 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
| 811 } else if (!holdingLocks) { |
| 812 rv = ssl_MakeLocks(ss); |
| 813 if (rv != SECSuccess) { |
| 814 ss->opt.noLocks = PR_TRUE; |
| 815 } |
| 816 } |
| 817 break; |
| 818 |
| 819 case SSL_ENABLE_SESSION_TICKETS: |
| 820 ss->opt.enableSessionTickets = on; |
| 821 break; |
| 822 |
| 823 case SSL_ENABLE_DEFLATE: |
| 824 ss->opt.enableDeflate = on; |
| 825 break; |
| 826 |
| 827 case SSL_ENABLE_RENEGOTIATION: |
| 828 ss->opt.enableRenegotiation = on; |
| 829 break; |
| 830 |
| 831 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 832 ss->opt.requireSafeNegotiation = on; |
| 833 break; |
| 834 |
| 835 case SSL_ENABLE_FALSE_START: |
| 836 ss->opt.enableFalseStart = on; |
| 837 break; |
| 838 |
| 839 case SSL_CBC_RANDOM_IV: |
| 840 ss->opt.cbcRandomIV = on; |
| 841 break; |
| 842 |
| 843 case SSL_ENABLE_OCSP_STAPLING: |
| 844 ss->opt.enableOCSPStapling = on; |
| 845 break; |
| 846 |
| 847 case SSL_ENABLE_NPN: |
| 848 ss->opt.enableNPN = on; |
| 849 break; |
| 850 |
| 851 case SSL_ENABLE_ALPN: |
| 852 ss->opt.enableALPN = on; |
| 853 break; |
| 854 |
| 855 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 856 ss->opt.reuseServerECDHEKey = on; |
| 857 break; |
| 858 |
| 859 case SSL_ENABLE_FALLBACK_SCSV: |
| 860 ss->opt.enableFallbackSCSV = on; |
| 861 break; |
| 862 |
| 863 case SSL_ENABLE_SERVER_DHE: |
| 864 ss->opt.enableServerDhe = on; |
| 865 break; |
| 866 |
| 867 case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
| 868 ss->opt.enableExtendedMS = on; |
| 869 break; |
| 870 |
| 871 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 872 ss->opt.enableSignedCertTimestamps = on; |
| 873 break; |
| 874 |
| 875 default: |
629 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 876 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
630 rv = SECFailure; | 877 rv = SECFailure; |
631 } | |
632 break; | |
633 | |
634 case SSL_SECURITY: | |
635 ss->opt.useSecurity = on; | |
636 rv = PrepareSocket(ss); | |
637 break; | |
638 | |
639 case SSL_REQUEST_CERTIFICATE: | |
640 ss->opt.requestCertificate = on; | |
641 break; | |
642 | |
643 case SSL_REQUIRE_CERTIFICATE: | |
644 ss->opt.requireCertificate = on; | |
645 break; | |
646 | |
647 case SSL_HANDSHAKE_AS_CLIENT: | |
648 if ( ss->opt.handshakeAsServer && on ) { | |
649 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
650 rv = SECFailure; | |
651 break; | |
652 } | |
653 ss->opt.handshakeAsClient = on; | |
654 break; | |
655 | |
656 case SSL_HANDSHAKE_AS_SERVER: | |
657 if ( ss->opt.handshakeAsClient && on ) { | |
658 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
659 rv = SECFailure; | |
660 break; | |
661 } | |
662 ss->opt.handshakeAsServer = on; | |
663 break; | |
664 | |
665 case SSL_ENABLE_TLS: | |
666 if (IS_DTLS(ss)) { | |
667 if (on) { | |
668 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
669 rv = SECFailure; /* not allowed */ | |
670 } | |
671 break; | |
672 } | |
673 ssl_EnableTLS(&ss->vrange, on); | |
674 ss->preferredCipher = NULL; | |
675 if (ss->cipherSpecs) { | |
676 PORT_Free(ss->cipherSpecs); | |
677 ss->cipherSpecs = NULL; | |
678 ss->sizeCipherSpecs = 0; | |
679 } | |
680 break; | |
681 | |
682 case SSL_ENABLE_SSL3: | |
683 if (IS_DTLS(ss)) { | |
684 if (on) { | |
685 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
686 rv = SECFailure; /* not allowed */ | |
687 } | |
688 break; | |
689 } | |
690 ssl_EnableSSL3(&ss->vrange, on); | |
691 ss->preferredCipher = NULL; | |
692 if (ss->cipherSpecs) { | |
693 PORT_Free(ss->cipherSpecs); | |
694 ss->cipherSpecs = NULL; | |
695 ss->sizeCipherSpecs = 0; | |
696 } | |
697 break; | |
698 | |
699 case SSL_ENABLE_SSL2: | |
700 if (IS_DTLS(ss)) { | |
701 if (on) { | |
702 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
703 rv = SECFailure; /* not allowed */ | |
704 } | |
705 break; | |
706 } | |
707 ss->opt.enableSSL2 = on; | |
708 if (on) { | |
709 ss->opt.v2CompatibleHello = on; | |
710 } | |
711 ss->preferredCipher = NULL; | |
712 if (ss->cipherSpecs) { | |
713 PORT_Free(ss->cipherSpecs); | |
714 ss->cipherSpecs = NULL; | |
715 ss->sizeCipherSpecs = 0; | |
716 } | |
717 break; | |
718 | |
719 case SSL_NO_CACHE: | |
720 ss->opt.noCache = on; | |
721 break; | |
722 | |
723 case SSL_ENABLE_FDX: | |
724 if (on && ss->opt.noLocks) { | |
725 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
726 rv = SECFailure; | |
727 } | |
728 ss->opt.fdx = on; | |
729 break; | |
730 | |
731 case SSL_V2_COMPATIBLE_HELLO: | |
732 if (IS_DTLS(ss)) { | |
733 if (on) { | |
734 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
735 rv = SECFailure; /* not allowed */ | |
736 } | |
737 break; | |
738 } | |
739 ss->opt.v2CompatibleHello = on; | |
740 if (!on) { | |
741 ss->opt.enableSSL2 = on; | |
742 } | |
743 break; | |
744 | |
745 case SSL_ROLLBACK_DETECTION: | |
746 ss->opt.detectRollBack = on; | |
747 break; | |
748 | |
749 case SSL_NO_STEP_DOWN: | |
750 ss->opt.noStepDown = on; | |
751 if (on) | |
752 SSL_DisableExportCipherSuites(fd); | |
753 break; | |
754 | |
755 case SSL_BYPASS_PKCS11: | |
756 if (ss->handshakeBegun) { | |
757 PORT_SetError(PR_INVALID_STATE_ERROR); | |
758 rv = SECFailure; | |
759 } else { | |
760 if (PR_FALSE != on) { | |
761 if (PR_SUCCESS == SSL_BypassSetup() ) { | |
762 #ifdef NO_PKCS11_BYPASS | |
763 ss->opt.bypassPKCS11 = PR_FALSE; | |
764 #else | |
765 ss->opt.bypassPKCS11 = on; | |
766 #endif | |
767 } else { | |
768 rv = SECFailure; | |
769 } | |
770 } else { | |
771 ss->opt.bypassPKCS11 = PR_FALSE; | |
772 } | |
773 } | |
774 break; | |
775 | |
776 case SSL_NO_LOCKS: | |
777 if (on && ss->opt.fdx) { | |
778 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
779 rv = SECFailure; | |
780 } | |
781 if (on && ssl_force_locks) | |
782 on = PR_FALSE; /* silent override */ | |
783 ss->opt.noLocks = on; | |
784 if (on) { | |
785 locksEverDisabled = PR_TRUE; | |
786 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); | |
787 } else if (!holdingLocks) { | |
788 rv = ssl_MakeLocks(ss); | |
789 if (rv != SECSuccess) { | |
790 ss->opt.noLocks = PR_TRUE; | |
791 } | |
792 } | |
793 break; | |
794 | |
795 case SSL_ENABLE_SESSION_TICKETS: | |
796 ss->opt.enableSessionTickets = on; | |
797 break; | |
798 | |
799 case SSL_ENABLE_DEFLATE: | |
800 ss->opt.enableDeflate = on; | |
801 break; | |
802 | |
803 case SSL_ENABLE_RENEGOTIATION: | |
804 ss->opt.enableRenegotiation = on; | |
805 break; | |
806 | |
807 case SSL_REQUIRE_SAFE_NEGOTIATION: | |
808 ss->opt.requireSafeNegotiation = on; | |
809 break; | |
810 | |
811 case SSL_ENABLE_FALSE_START: | |
812 ss->opt.enableFalseStart = on; | |
813 break; | |
814 | |
815 case SSL_CBC_RANDOM_IV: | |
816 ss->opt.cbcRandomIV = on; | |
817 break; | |
818 | |
819 case SSL_ENABLE_OCSP_STAPLING: | |
820 ss->opt.enableOCSPStapling = on; | |
821 break; | |
822 | |
823 case SSL_ENABLE_NPN: | |
824 ss->opt.enableNPN = on; | |
825 break; | |
826 | |
827 case SSL_ENABLE_ALPN: | |
828 ss->opt.enableALPN = on; | |
829 break; | |
830 | |
831 case SSL_REUSE_SERVER_ECDHE_KEY: | |
832 ss->opt.reuseServerECDHEKey = on; | |
833 break; | |
834 | |
835 case SSL_ENABLE_FALLBACK_SCSV: | |
836 ss->opt.enableFallbackSCSV = on; | |
837 break; | |
838 | |
839 case SSL_ENABLE_SERVER_DHE: | |
840 ss->opt.enableServerDhe = on; | |
841 break; | |
842 | |
843 case SSL_ENABLE_EXTENDED_MASTER_SECRET: | |
844 ss->opt.enableExtendedMS = on; | |
845 break; | |
846 | |
847 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
848 ss->opt.enableSignedCertTimestamps = on; | |
849 break; | |
850 | |
851 default: | |
852 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
853 rv = SECFailure; | |
854 } | 878 } |
855 | 879 |
856 /* We can't use the macros for releasing the locks here, | 880 /* We can't use the macros for releasing the locks here, |
857 * because ss->opt.noLocks might have changed just above. | 881 * because ss->opt.noLocks might have changed just above. |
858 * We must release these locks (monitors) here, if we aquired them above, | 882 * We must release these locks (monitors) here, if we aquired them above, |
859 * regardless of the current value of ss->opt.noLocks. | 883 * regardless of the current value of ss->opt.noLocks. |
860 */ | 884 */ |
861 if (holdingLocks) { | 885 if (holdingLocks) { |
862 PZ_ExitMonitor((ss)->ssl3HandshakeLock); | 886 PZ_ExitMonitor((ss)->ssl3HandshakeLock); |
863 PZ_ExitMonitor((ss)->firstHandshakeLock); | 887 PZ_ExitMonitor((ss)->firstHandshakeLock); |
864 } | 888 } |
865 | 889 |
866 return rv; | 890 return rv; |
867 } | 891 } |
868 | 892 |
869 SECStatus | 893 SECStatus |
870 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) | 894 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
871 { | 895 { |
872 sslSocket *ss = ssl_FindSocket(fd); | 896 sslSocket *ss = ssl_FindSocket(fd); |
873 SECStatus rv = SECSuccess; | 897 SECStatus rv = SECSuccess; |
874 PRBool on = PR_FALSE; | 898 PRBool on = PR_FALSE; |
875 | 899 |
876 if (!pOn) { | 900 if (!pOn) { |
877 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 901 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
878 return SECFailure; | 902 return SECFailure; |
879 } | 903 } |
880 if (!ss) { | 904 if (!ss) { |
881 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); | 905 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
882 *pOn = PR_FALSE; | 906 *pOn = PR_FALSE; |
883 return SECFailure; | 907 return SECFailure; |
884 } | 908 } |
885 | 909 |
886 ssl_Get1stHandshakeLock(ss); | 910 ssl_Get1stHandshakeLock(ss); |
887 ssl_GetSSL3HandshakeLock(ss); | 911 ssl_GetSSL3HandshakeLock(ss); |
888 | 912 |
889 switch (which) { | 913 switch (which) { |
890 case SSL_SOCKS: on = PR_FALSE; break; | 914 case SSL_SOCKS: |
891 case SSL_SECURITY: on = ss->opt.useSecurity; break; | 915 on = PR_FALSE; |
892 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; | 916 break; |
893 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; | 917 case SSL_SECURITY: |
894 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; | 918 on = ss->opt.useSecurity; |
895 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; | 919 break; |
896 case SSL_ENABLE_TLS: | 920 case SSL_REQUEST_CERTIFICATE: |
897 on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; | 921 on = ss->opt.requestCertificate; |
898 break; | 922 break; |
899 case SSL_ENABLE_SSL3: | 923 case SSL_REQUIRE_CERTIFICATE: |
900 on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; | 924 on = ss->opt.requireCertificate; |
901 break; | 925 break; |
902 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; | 926 case SSL_HANDSHAKE_AS_CLIENT: |
903 case SSL_NO_CACHE: on = ss->opt.noCache; break; | 927 on = ss->opt.handshakeAsClient; |
904 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; | 928 break; |
905 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; | 929 case SSL_HANDSHAKE_AS_SERVER: |
906 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; | 930 on = ss->opt.handshakeAsServer; |
907 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; | 931 break; |
908 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; | 932 case SSL_ENABLE_TLS: |
909 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; | 933 on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
910 case SSL_ENABLE_SESSION_TICKETS: | 934 break; |
911 on = ss->opt.enableSessionTickets; | 935 case SSL_ENABLE_SSL3: |
912 break; | 936 on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; |
913 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; | 937 break; |
914 case SSL_ENABLE_RENEGOTIATION: | 938 case SSL_ENABLE_SSL2: |
915 on = ss->opt.enableRenegotiation; break; | 939 on = ss->opt.enableSSL2; |
916 case SSL_REQUIRE_SAFE_NEGOTIATION: | 940 break; |
917 on = ss->opt.requireSafeNegotiation; break; | 941 case SSL_NO_CACHE: |
918 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 942 on = ss->opt.noCache; |
919 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 943 break; |
920 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 944 case SSL_ENABLE_FDX: |
921 case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break; | 945 on = ss->opt.fdx; |
922 case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break; | 946 break; |
923 case SSL_REUSE_SERVER_ECDHE_KEY: | 947 case SSL_V2_COMPATIBLE_HELLO: |
924 on = ss->opt.reuseServerECDHEKey; break; | 948 on = ss->opt.v2CompatibleHello; |
925 case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; | 949 break; |
926 case SSL_ENABLE_SERVER_DHE: on = ss->opt.enableServerDhe; break; | 950 case SSL_ROLLBACK_DETECTION: |
927 case SSL_ENABLE_EXTENDED_MASTER_SECRET: | 951 on = ss->opt.detectRollBack; |
928 on = ss->opt.enableExtendedMS; break; | 952 break; |
929 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 953 case SSL_NO_STEP_DOWN: |
930 on = ss->opt.enableSignedCertTimestamps; | 954 on = ss->opt.noStepDown; |
931 break; | 955 break; |
| 956 case SSL_BYPASS_PKCS11: |
| 957 on = ss->opt.bypassPKCS11; |
| 958 break; |
| 959 case SSL_NO_LOCKS: |
| 960 on = ss->opt.noLocks; |
| 961 break; |
| 962 case SSL_ENABLE_SESSION_TICKETS: |
| 963 on = ss->opt.enableSessionTickets; |
| 964 break; |
| 965 case SSL_ENABLE_DEFLATE: |
| 966 on = ss->opt.enableDeflate; |
| 967 break; |
| 968 case SSL_ENABLE_RENEGOTIATION: |
| 969 on = ss->opt.enableRenegotiation; |
| 970 break; |
| 971 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 972 on = ss->opt.requireSafeNegotiation; |
| 973 break; |
| 974 case SSL_ENABLE_FALSE_START: |
| 975 on = ss->opt.enableFalseStart; |
| 976 break; |
| 977 case SSL_CBC_RANDOM_IV: |
| 978 on = ss->opt.cbcRandomIV; |
| 979 break; |
| 980 case SSL_ENABLE_OCSP_STAPLING: |
| 981 on = ss->opt.enableOCSPStapling; |
| 982 break; |
| 983 case SSL_ENABLE_NPN: |
| 984 on = ss->opt.enableNPN; |
| 985 break; |
| 986 case SSL_ENABLE_ALPN: |
| 987 on = ss->opt.enableALPN; |
| 988 break; |
| 989 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 990 on = ss->opt.reuseServerECDHEKey; |
| 991 break; |
| 992 case SSL_ENABLE_FALLBACK_SCSV: |
| 993 on = ss->opt.enableFallbackSCSV; |
| 994 break; |
| 995 case SSL_ENABLE_SERVER_DHE: |
| 996 on = ss->opt.enableServerDhe; |
| 997 break; |
| 998 case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
| 999 on = ss->opt.enableExtendedMS; |
| 1000 break; |
| 1001 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 1002 on = ss->opt.enableSignedCertTimestamps; |
| 1003 break; |
932 | 1004 |
933 default: | 1005 default: |
934 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1006 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
935 rv = SECFailure; | 1007 rv = SECFailure; |
936 } | 1008 } |
937 | 1009 |
938 ssl_ReleaseSSL3HandshakeLock(ss); | 1010 ssl_ReleaseSSL3HandshakeLock(ss); |
939 ssl_Release1stHandshakeLock(ss); | 1011 ssl_Release1stHandshakeLock(ss); |
940 | 1012 |
941 *pOn = on; | 1013 *pOn = on; |
942 return rv; | 1014 return rv; |
943 } | 1015 } |
944 | 1016 |
945 SECStatus | 1017 SECStatus |
946 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) | 1018 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
947 { | 1019 { |
948 SECStatus rv = SECSuccess; | 1020 SECStatus rv = SECSuccess; |
949 PRBool on = PR_FALSE; | 1021 PRBool on = PR_FALSE; |
950 | 1022 |
951 if (!pOn) { | 1023 if (!pOn) { |
952 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1024 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
953 return SECFailure; | 1025 return SECFailure; |
954 } | 1026 } |
955 | 1027 |
956 ssl_SetDefaultsFromEnvironment(); | 1028 ssl_SetDefaultsFromEnvironment(); |
957 | 1029 |
958 switch (which) { | 1030 switch (which) { |
959 case SSL_SOCKS: on = PR_FALSE; break; | 1031 case SSL_SOCKS: |
960 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; | 1032 on = PR_FALSE; |
961 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; | 1033 break; |
962 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; | 1034 case SSL_SECURITY: |
963 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; | 1035 on = ssl_defaults.useSecurity; |
964 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; | 1036 break; |
965 case SSL_ENABLE_TLS: | 1037 case SSL_REQUEST_CERTIFICATE: |
966 on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; | 1038 on = ssl_defaults.requestCertificate; |
967 break; | 1039 break; |
968 case SSL_ENABLE_SSL3: | 1040 case SSL_REQUIRE_CERTIFICATE: |
969 on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; | 1041 on = ssl_defaults.requireCertificate; |
970 break; | 1042 break; |
971 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; | 1043 case SSL_HANDSHAKE_AS_CLIENT: |
972 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; | 1044 on = ssl_defaults.handshakeAsClient; |
973 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; | 1045 break; |
974 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; | 1046 case SSL_HANDSHAKE_AS_SERVER: |
975 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; | 1047 on = ssl_defaults.handshakeAsServer; |
976 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; | 1048 break; |
977 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; | 1049 case SSL_ENABLE_TLS: |
978 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; | 1050 on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
979 case SSL_ENABLE_SESSION_TICKETS: | 1051 break; |
980 on = ssl_defaults.enableSessionTickets; | 1052 case SSL_ENABLE_SSL3: |
981 break; | 1053 on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; |
982 case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break; | 1054 break; |
983 case SSL_ENABLE_RENEGOTIATION: | 1055 case SSL_ENABLE_SSL2: |
984 on = ssl_defaults.enableRenegotiation; break; | 1056 on = ssl_defaults.enableSSL2; |
985 case SSL_REQUIRE_SAFE_NEGOTIATION: | 1057 break; |
986 on = ssl_defaults.requireSafeNegotiation; | 1058 case SSL_NO_CACHE: |
987 break; | 1059 on = ssl_defaults.noCache; |
988 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 1060 break; |
989 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 1061 case SSL_ENABLE_FDX: |
990 case SSL_ENABLE_OCSP_STAPLING: | 1062 on = ssl_defaults.fdx; |
991 on = ssl_defaults.enableOCSPStapling; | 1063 break; |
992 break; | 1064 case SSL_V2_COMPATIBLE_HELLO: |
993 case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break; | 1065 on = ssl_defaults.v2CompatibleHello; |
994 case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break; | 1066 break; |
995 case SSL_REUSE_SERVER_ECDHE_KEY: | 1067 case SSL_ROLLBACK_DETECTION: |
996 on = ssl_defaults.reuseServerECDHEKey; | 1068 on = ssl_defaults.detectRollBack; |
997 break; | 1069 break; |
998 case SSL_ENABLE_FALLBACK_SCSV: | 1070 case SSL_NO_STEP_DOWN: |
999 on = ssl_defaults.enableFallbackSCSV; | 1071 on = ssl_defaults.noStepDown; |
1000 break; | 1072 break; |
1001 case SSL_ENABLE_SERVER_DHE: | 1073 case SSL_BYPASS_PKCS11: |
1002 on = ssl_defaults.enableServerDhe; | 1074 on = ssl_defaults.bypassPKCS11; |
1003 break; | 1075 break; |
1004 case SSL_ENABLE_EXTENDED_MASTER_SECRET: | 1076 case SSL_NO_LOCKS: |
1005 on = ssl_defaults.enableExtendedMS; | 1077 on = ssl_defaults.noLocks; |
1006 break; | 1078 break; |
1007 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | 1079 case SSL_ENABLE_SESSION_TICKETS: |
1008 on = ssl_defaults.enableSignedCertTimestamps; | 1080 on = ssl_defaults.enableSessionTickets; |
1009 break; | 1081 break; |
| 1082 case SSL_ENABLE_DEFLATE: |
| 1083 on = ssl_defaults.enableDeflate; |
| 1084 break; |
| 1085 case SSL_ENABLE_RENEGOTIATION: |
| 1086 on = ssl_defaults.enableRenegotiation; |
| 1087 break; |
| 1088 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 1089 on = ssl_defaults.requireSafeNegotiation; |
| 1090 break; |
| 1091 case SSL_ENABLE_FALSE_START: |
| 1092 on = ssl_defaults.enableFalseStart; |
| 1093 break; |
| 1094 case SSL_CBC_RANDOM_IV: |
| 1095 on = ssl_defaults.cbcRandomIV; |
| 1096 break; |
| 1097 case SSL_ENABLE_OCSP_STAPLING: |
| 1098 on = ssl_defaults.enableOCSPStapling; |
| 1099 break; |
| 1100 case SSL_ENABLE_NPN: |
| 1101 on = ssl_defaults.enableNPN; |
| 1102 break; |
| 1103 case SSL_ENABLE_ALPN: |
| 1104 on = ssl_defaults.enableALPN; |
| 1105 break; |
| 1106 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 1107 on = ssl_defaults.reuseServerECDHEKey; |
| 1108 break; |
| 1109 case SSL_ENABLE_FALLBACK_SCSV: |
| 1110 on = ssl_defaults.enableFallbackSCSV; |
| 1111 break; |
| 1112 case SSL_ENABLE_SERVER_DHE: |
| 1113 on = ssl_defaults.enableServerDhe; |
| 1114 break; |
| 1115 case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
| 1116 on = ssl_defaults.enableExtendedMS; |
| 1117 break; |
| 1118 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 1119 on = ssl_defaults.enableSignedCertTimestamps; |
| 1120 break; |
1010 | 1121 |
1011 default: | 1122 default: |
1012 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1123 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1013 rv = SECFailure; | 1124 rv = SECFailure; |
1014 } | 1125 } |
1015 | 1126 |
1016 *pOn = on; | 1127 *pOn = on; |
1017 return rv; | 1128 return rv; |
1018 } | 1129 } |
1019 | 1130 |
1020 /* XXX Use Global Lock to protect this stuff. */ | 1131 /* XXX Use Global Lock to protect this stuff. */ |
1021 SECStatus | 1132 SECStatus |
1022 SSL_EnableDefault(int which, PRBool on) | 1133 SSL_EnableDefault(int which, PRBool on) |
1023 { | 1134 { |
1024 return SSL_OptionSetDefault(which, on); | 1135 return SSL_OptionSetDefault(which, on); |
1025 } | 1136 } |
1026 | 1137 |
1027 SECStatus | 1138 SECStatus |
1028 SSL_OptionSetDefault(PRInt32 which, PRBool on) | 1139 SSL_OptionSetDefault(PRInt32 which, PRBool on) |
1029 { | 1140 { |
1030 SECStatus status = ssl_Init(); | 1141 SECStatus status = ssl_Init(); |
1031 | 1142 |
1032 if (status != SECSuccess) { | 1143 if (status != SECSuccess) { |
1033 return status; | 1144 return status; |
1034 } | 1145 } |
1035 | 1146 |
1036 ssl_SetDefaultsFromEnvironment(); | 1147 ssl_SetDefaultsFromEnvironment(); |
1037 | 1148 |
1038 switch (which) { | 1149 switch (which) { |
1039 case SSL_SOCKS: | 1150 case SSL_SOCKS: |
1040 ssl_defaults.useSocks = PR_FALSE; | 1151 ssl_defaults.useSocks = PR_FALSE; |
1041 if (on) { | 1152 if (on) { |
| 1153 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1154 return SECFailure; |
| 1155 } |
| 1156 break; |
| 1157 |
| 1158 case SSL_SECURITY: |
| 1159 ssl_defaults.useSecurity = on; |
| 1160 break; |
| 1161 |
| 1162 case SSL_REQUEST_CERTIFICATE: |
| 1163 ssl_defaults.requestCertificate = on; |
| 1164 break; |
| 1165 |
| 1166 case SSL_REQUIRE_CERTIFICATE: |
| 1167 ssl_defaults.requireCertificate = on; |
| 1168 break; |
| 1169 |
| 1170 case SSL_HANDSHAKE_AS_CLIENT: |
| 1171 if (ssl_defaults.handshakeAsServer && on) { |
| 1172 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1173 return SECFailure; |
| 1174 } |
| 1175 ssl_defaults.handshakeAsClient = on; |
| 1176 break; |
| 1177 |
| 1178 case SSL_HANDSHAKE_AS_SERVER: |
| 1179 if (ssl_defaults.handshakeAsClient && on) { |
| 1180 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1181 return SECFailure; |
| 1182 } |
| 1183 ssl_defaults.handshakeAsServer = on; |
| 1184 break; |
| 1185 |
| 1186 case SSL_ENABLE_TLS: |
| 1187 ssl_EnableTLS(&versions_defaults_stream, on); |
| 1188 break; |
| 1189 |
| 1190 case SSL_ENABLE_SSL3: |
| 1191 ssl_EnableSSL3(&versions_defaults_stream, on); |
| 1192 break; |
| 1193 |
| 1194 case SSL_ENABLE_SSL2: |
| 1195 if (on) { |
| 1196 /* don't turn it on if ssl2 disallowed by by policy */ |
| 1197 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
| 1198 SSL_LIBRARY_VERSION_2)) { |
| 1199 break; |
| 1200 } |
| 1201 } |
| 1202 ssl_defaults.enableSSL2 = on; |
| 1203 if (on) { |
| 1204 ssl_defaults.v2CompatibleHello = on; |
| 1205 } |
| 1206 break; |
| 1207 |
| 1208 case SSL_NO_CACHE: |
| 1209 ssl_defaults.noCache = on; |
| 1210 break; |
| 1211 |
| 1212 case SSL_ENABLE_FDX: |
| 1213 if (on && ssl_defaults.noLocks) { |
| 1214 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1215 return SECFailure; |
| 1216 } |
| 1217 ssl_defaults.fdx = on; |
| 1218 break; |
| 1219 |
| 1220 case SSL_V2_COMPATIBLE_HELLO: |
| 1221 ssl_defaults.v2CompatibleHello = on; |
| 1222 if (!on) { |
| 1223 ssl_defaults.enableSSL2 = on; |
| 1224 } |
| 1225 break; |
| 1226 |
| 1227 case SSL_ROLLBACK_DETECTION: |
| 1228 ssl_defaults.detectRollBack = on; |
| 1229 break; |
| 1230 |
| 1231 case SSL_NO_STEP_DOWN: |
| 1232 ssl_defaults.noStepDown = on; |
| 1233 if (on) |
| 1234 SSL_DisableDefaultExportCipherSuites(); |
| 1235 break; |
| 1236 |
| 1237 case SSL_BYPASS_PKCS11: |
| 1238 if (PR_FALSE != on) { |
| 1239 if (PR_SUCCESS == SSL_BypassSetup()) { |
| 1240 #ifdef NO_PKCS11_BYPASS |
| 1241 ssl_defaults.bypassPKCS11 = PR_FALSE; |
| 1242 #else |
| 1243 ssl_defaults.bypassPKCS11 = on; |
| 1244 #endif |
| 1245 } else { |
| 1246 return SECFailure; |
| 1247 } |
| 1248 } else { |
| 1249 ssl_defaults.bypassPKCS11 = PR_FALSE; |
| 1250 } |
| 1251 break; |
| 1252 |
| 1253 case SSL_NO_LOCKS: |
| 1254 if (on && ssl_defaults.fdx) { |
| 1255 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1256 return SECFailure; |
| 1257 } |
| 1258 if (on && ssl_force_locks) |
| 1259 on = PR_FALSE; /* silent override */ |
| 1260 ssl_defaults.noLocks = on; |
| 1261 if (on) { |
| 1262 locksEverDisabled = PR_TRUE; |
| 1263 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
| 1264 } |
| 1265 break; |
| 1266 |
| 1267 case SSL_ENABLE_SESSION_TICKETS: |
| 1268 ssl_defaults.enableSessionTickets = on; |
| 1269 break; |
| 1270 |
| 1271 case SSL_ENABLE_DEFLATE: |
| 1272 ssl_defaults.enableDeflate = on; |
| 1273 break; |
| 1274 |
| 1275 case SSL_ENABLE_RENEGOTIATION: |
| 1276 ssl_defaults.enableRenegotiation = on; |
| 1277 break; |
| 1278 |
| 1279 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 1280 ssl_defaults.requireSafeNegotiation = on; |
| 1281 break; |
| 1282 |
| 1283 case SSL_ENABLE_FALSE_START: |
| 1284 ssl_defaults.enableFalseStart = on; |
| 1285 break; |
| 1286 |
| 1287 case SSL_CBC_RANDOM_IV: |
| 1288 ssl_defaults.cbcRandomIV = on; |
| 1289 break; |
| 1290 |
| 1291 case SSL_ENABLE_OCSP_STAPLING: |
| 1292 ssl_defaults.enableOCSPStapling = on; |
| 1293 break; |
| 1294 |
| 1295 case SSL_ENABLE_NPN: |
| 1296 ssl_defaults.enableNPN = on; |
| 1297 break; |
| 1298 |
| 1299 case SSL_ENABLE_ALPN: |
| 1300 ssl_defaults.enableALPN = on; |
| 1301 break; |
| 1302 |
| 1303 case SSL_REUSE_SERVER_ECDHE_KEY: |
| 1304 ssl_defaults.reuseServerECDHEKey = on; |
| 1305 break; |
| 1306 |
| 1307 case SSL_ENABLE_FALLBACK_SCSV: |
| 1308 ssl_defaults.enableFallbackSCSV = on; |
| 1309 break; |
| 1310 |
| 1311 case SSL_ENABLE_SERVER_DHE: |
| 1312 ssl_defaults.enableServerDhe = on; |
| 1313 break; |
| 1314 |
| 1315 case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
| 1316 ssl_defaults.enableExtendedMS = on; |
| 1317 break; |
| 1318 |
| 1319 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 1320 ssl_defaults.enableSignedCertTimestamps = on; |
| 1321 break; |
| 1322 |
| 1323 default: |
1042 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1324 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1043 return SECFailure; | 1325 return SECFailure; |
1044 } | |
1045 break; | |
1046 | |
1047 case SSL_SECURITY: | |
1048 ssl_defaults.useSecurity = on; | |
1049 break; | |
1050 | |
1051 case SSL_REQUEST_CERTIFICATE: | |
1052 ssl_defaults.requestCertificate = on; | |
1053 break; | |
1054 | |
1055 case SSL_REQUIRE_CERTIFICATE: | |
1056 ssl_defaults.requireCertificate = on; | |
1057 break; | |
1058 | |
1059 case SSL_HANDSHAKE_AS_CLIENT: | |
1060 if ( ssl_defaults.handshakeAsServer && on ) { | |
1061 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1062 return SECFailure; | |
1063 } | |
1064 ssl_defaults.handshakeAsClient = on; | |
1065 break; | |
1066 | |
1067 case SSL_HANDSHAKE_AS_SERVER: | |
1068 if ( ssl_defaults.handshakeAsClient && on ) { | |
1069 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1070 return SECFailure; | |
1071 } | |
1072 ssl_defaults.handshakeAsServer = on; | |
1073 break; | |
1074 | |
1075 case SSL_ENABLE_TLS: | |
1076 ssl_EnableTLS(&versions_defaults_stream, on); | |
1077 break; | |
1078 | |
1079 case SSL_ENABLE_SSL3: | |
1080 ssl_EnableSSL3(&versions_defaults_stream, on); | |
1081 break; | |
1082 | |
1083 case SSL_ENABLE_SSL2: | |
1084 ssl_defaults.enableSSL2 = on; | |
1085 if (on) { | |
1086 ssl_defaults.v2CompatibleHello = on; | |
1087 } | |
1088 break; | |
1089 | |
1090 case SSL_NO_CACHE: | |
1091 ssl_defaults.noCache = on; | |
1092 break; | |
1093 | |
1094 case SSL_ENABLE_FDX: | |
1095 if (on && ssl_defaults.noLocks) { | |
1096 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1097 return SECFailure; | |
1098 } | |
1099 ssl_defaults.fdx = on; | |
1100 break; | |
1101 | |
1102 case SSL_V2_COMPATIBLE_HELLO: | |
1103 ssl_defaults.v2CompatibleHello = on; | |
1104 if (!on) { | |
1105 ssl_defaults.enableSSL2 = on; | |
1106 } | |
1107 break; | |
1108 | |
1109 case SSL_ROLLBACK_DETECTION: | |
1110 ssl_defaults.detectRollBack = on; | |
1111 break; | |
1112 | |
1113 case SSL_NO_STEP_DOWN: | |
1114 ssl_defaults.noStepDown = on; | |
1115 if (on) | |
1116 SSL_DisableDefaultExportCipherSuites(); | |
1117 break; | |
1118 | |
1119 case SSL_BYPASS_PKCS11: | |
1120 if (PR_FALSE != on) { | |
1121 if (PR_SUCCESS == SSL_BypassSetup()) { | |
1122 #ifdef NO_PKCS11_BYPASS | |
1123 ssl_defaults.bypassPKCS11 = PR_FALSE; | |
1124 #else | |
1125 ssl_defaults.bypassPKCS11 = on; | |
1126 #endif | |
1127 } else { | |
1128 return SECFailure; | |
1129 } | |
1130 } else { | |
1131 ssl_defaults.bypassPKCS11 = PR_FALSE; | |
1132 } | |
1133 break; | |
1134 | |
1135 case SSL_NO_LOCKS: | |
1136 if (on && ssl_defaults.fdx) { | |
1137 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1138 return SECFailure; | |
1139 } | |
1140 if (on && ssl_force_locks) | |
1141 on = PR_FALSE; /* silent override */ | |
1142 ssl_defaults.noLocks = on; | |
1143 if (on) { | |
1144 locksEverDisabled = PR_TRUE; | |
1145 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); | |
1146 } | |
1147 break; | |
1148 | |
1149 case SSL_ENABLE_SESSION_TICKETS: | |
1150 ssl_defaults.enableSessionTickets = on; | |
1151 break; | |
1152 | |
1153 case SSL_ENABLE_DEFLATE: | |
1154 ssl_defaults.enableDeflate = on; | |
1155 break; | |
1156 | |
1157 case SSL_ENABLE_RENEGOTIATION: | |
1158 ssl_defaults.enableRenegotiation = on; | |
1159 break; | |
1160 | |
1161 case SSL_REQUIRE_SAFE_NEGOTIATION: | |
1162 ssl_defaults.requireSafeNegotiation = on; | |
1163 break; | |
1164 | |
1165 case SSL_ENABLE_FALSE_START: | |
1166 ssl_defaults.enableFalseStart = on; | |
1167 break; | |
1168 | |
1169 case SSL_CBC_RANDOM_IV: | |
1170 ssl_defaults.cbcRandomIV = on; | |
1171 break; | |
1172 | |
1173 case SSL_ENABLE_OCSP_STAPLING: | |
1174 ssl_defaults.enableOCSPStapling = on; | |
1175 break; | |
1176 | |
1177 case SSL_ENABLE_NPN: | |
1178 ssl_defaults.enableNPN = on; | |
1179 break; | |
1180 | |
1181 case SSL_ENABLE_ALPN: | |
1182 ssl_defaults.enableALPN = on; | |
1183 break; | |
1184 | |
1185 case SSL_REUSE_SERVER_ECDHE_KEY: | |
1186 ssl_defaults.reuseServerECDHEKey = on; | |
1187 break; | |
1188 | |
1189 case SSL_ENABLE_FALLBACK_SCSV: | |
1190 ssl_defaults.enableFallbackSCSV = on; | |
1191 break; | |
1192 | |
1193 case SSL_ENABLE_SERVER_DHE: | |
1194 ssl_defaults.enableServerDhe = on; | |
1195 break; | |
1196 | |
1197 case SSL_ENABLE_EXTENDED_MASTER_SECRET: | |
1198 ssl_defaults.enableExtendedMS = on; | |
1199 break; | |
1200 | |
1201 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
1202 ssl_defaults.enableSignedCertTimestamps = on; | |
1203 break; | |
1204 | |
1205 default: | |
1206 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1207 return SECFailure; | |
1208 } | 1326 } |
1209 return SECSuccess; | 1327 return SECSuccess; |
1210 } | 1328 } |
1211 | 1329 |
1212 /* function tells us if the cipher suite is one that we no longer support. */ | 1330 /* function tells us if the cipher suite is one that we no longer support. */ |
1213 static PRBool | 1331 static PRBool |
1214 ssl_IsRemovedCipherSuite(PRInt32 suite) | 1332 ssl_IsRemovedCipherSuite(PRInt32 suite) |
1215 { | 1333 { |
1216 switch (suite) { | 1334 switch (suite) { |
1217 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: | 1335 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: |
1218 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: | 1336 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: |
1219 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: | 1337 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: |
1220 return PR_TRUE; | 1338 return PR_TRUE; |
1221 default: | 1339 default: |
1222 return PR_FALSE; | 1340 return PR_FALSE; |
1223 } | 1341 } |
1224 } | 1342 } |
1225 | 1343 |
1226 /* Part of the public NSS API. | 1344 /* Part of the public NSS API. |
1227 * Since this is a global (not per-socket) setting, we cannot use the | 1345 * Since this is a global (not per-socket) setting, we cannot use the |
1228 * HandshakeLock to protect this. Probably want a global lock. | 1346 * HandshakeLock to protect this. Probably want a global lock. |
1229 */ | 1347 */ |
1230 SECStatus | 1348 SECStatus |
1231 SSL_SetPolicy(long which, int policy) | 1349 SSL_SetPolicy(long which, int policy) |
1232 { | 1350 { |
1233 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { | 1351 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
1234 /* one of the two old FIPS ciphers */ | 1352 /* one of the two old FIPS ciphers */ |
1235 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) | 1353 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
1236 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; | 1354 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
1237 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) | 1355 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
1238 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; | 1356 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
1239 } | 1357 } |
1240 if (ssl_IsRemovedCipherSuite(which)) | 1358 if (ssl_IsRemovedCipherSuite(which)) |
1241 return SECSuccess; | 1359 return SECSuccess; |
1242 return SSL_CipherPolicySet(which, policy); | 1360 return SSL_CipherPolicySet(which, policy); |
1243 } | 1361 } |
1244 | 1362 |
1245 SECStatus | 1363 SECStatus |
1246 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) | 1364 ssl_CipherPolicySet(PRInt32 which, PRInt32 policy) |
1247 { | 1365 { |
1248 SECStatus rv = ssl_Init(); | 1366 SECStatus rv = SECSuccess; |
1249 | |
1250 if (rv != SECSuccess) { | |
1251 return rv; | |
1252 } | |
1253 | 1367 |
1254 if (ssl_IsRemovedCipherSuite(which)) { | 1368 if (ssl_IsRemovedCipherSuite(which)) { |
1255 rv = SECSuccess; | 1369 rv = SECSuccess; |
1256 } else if (SSL_IS_SSL2_CIPHER(which)) { | 1370 } else if (SSL_IS_SSL2_CIPHER(which)) { |
1257 rv = ssl2_SetPolicy(which, policy); | 1371 rv = ssl2_SetPolicy(which, policy); |
1258 } else { | 1372 } else { |
1259 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); | 1373 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); |
1260 } | 1374 } |
1261 return rv; | 1375 return rv; |
1262 } | 1376 } |
| 1377 SECStatus |
| 1378 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
| 1379 { |
| 1380 SECStatus rv = ssl_Init(); |
| 1381 |
| 1382 if (rv != SECSuccess) { |
| 1383 return rv; |
| 1384 } |
| 1385 return ssl_CipherPolicySet(which, policy); |
| 1386 } |
1263 | 1387 |
1264 SECStatus | 1388 SECStatus |
1265 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) | 1389 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
1266 { | 1390 { |
1267 SECStatus rv; | 1391 SECStatus rv; |
1268 | 1392 |
1269 if (!oPolicy) { | 1393 if (!oPolicy) { |
1270 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1394 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1271 return SECFailure; | 1395 return SECFailure; |
1272 } | 1396 } |
(...skipping 22 matching lines...) Expand all Loading... |
1295 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; | 1419 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
1296 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) | 1420 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
1297 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; | 1421 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
1298 } | 1422 } |
1299 if (ssl_IsRemovedCipherSuite(which)) | 1423 if (ssl_IsRemovedCipherSuite(which)) |
1300 return SECSuccess; | 1424 return SECSuccess; |
1301 return SSL_CipherPrefSetDefault(which, enabled); | 1425 return SSL_CipherPrefSetDefault(which, enabled); |
1302 } | 1426 } |
1303 | 1427 |
1304 SECStatus | 1428 SECStatus |
1305 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) | 1429 ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
1306 { | 1430 { |
1307 SECStatus rv = ssl_Init(); | 1431 SECStatus rv = SECSuccess; |
1308 | |
1309 if (rv != SECSuccess) { | |
1310 return rv; | |
1311 } | |
1312 | 1432 |
1313 if (ssl_IsRemovedCipherSuite(which)) | 1433 if (ssl_IsRemovedCipherSuite(which)) |
1314 return SECSuccess; | 1434 return SECSuccess; |
1315 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) { | 1435 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) { |
1316 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); | 1436 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
1317 return SECFailure; | 1437 return SECFailure; |
1318 } | 1438 } |
1319 if (SSL_IS_SSL2_CIPHER(which)) { | 1439 if (SSL_IS_SSL2_CIPHER(which)) { |
1320 rv = ssl2_CipherPrefSetDefault(which, enabled); | 1440 rv = ssl2_CipherPrefSetDefault(which, enabled); |
1321 } else { | 1441 } else { |
1322 rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); | 1442 rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); |
1323 } | 1443 } |
1324 return rv; | 1444 return rv; |
1325 } | 1445 } |
1326 | 1446 |
1327 SECStatus | 1447 SECStatus |
| 1448 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
| 1449 { |
| 1450 SECStatus rv = ssl_Init(); |
| 1451 |
| 1452 if (rv != SECSuccess) { |
| 1453 return rv; |
| 1454 } |
| 1455 return ssl_CipherPrefSetDefault(which, enabled); |
| 1456 } |
| 1457 |
| 1458 SECStatus |
1328 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) | 1459 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) |
1329 { | 1460 { |
1330 SECStatus rv; | 1461 SECStatus rv; |
1331 | 1462 |
1332 if (!enabled) { | 1463 if (!enabled) { |
1333 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1464 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1334 return SECFailure; | 1465 return SECFailure; |
1335 } | 1466 } |
1336 if (ssl_IsRemovedCipherSuite(which)) { | 1467 if (ssl_IsRemovedCipherSuite(which)) { |
1337 *enabled = PR_FALSE; | 1468 *enabled = PR_FALSE; |
1338 rv = SECSuccess; | 1469 rv = SECSuccess; |
1339 } else if (SSL_IS_SSL2_CIPHER(which)) { | 1470 } else if (SSL_IS_SSL2_CIPHER(which)) { |
1340 rv = ssl2_CipherPrefGetDefault(which, enabled); | 1471 rv = ssl2_CipherPrefGetDefault(which, enabled); |
(...skipping 26 matching lines...) Expand all Loading... |
1367 } | 1498 } |
1368 return rv; | 1499 return rv; |
1369 } | 1500 } |
1370 | 1501 |
1371 SECStatus | 1502 SECStatus |
1372 SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) | 1503 SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) |
1373 { | 1504 { |
1374 sslSocket *ss = ssl_FindSocket(fd); | 1505 sslSocket *ss = ssl_FindSocket(fd); |
1375 | 1506 |
1376 if (!ss) { | 1507 if (!ss) { |
1377 » SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), | 1508 SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), |
1378 » » fd)); | 1509 fd)); |
1379 » return SECFailure; | 1510 return SECFailure; |
1380 } | 1511 } |
1381 return ssl3_CipherOrderSet(ss, ciphers, len); | 1512 return ssl3_CipherOrderSet(ss, ciphers, len); |
1382 } | 1513 } |
1383 | 1514 |
1384 SECStatus | 1515 SECStatus |
1385 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) | 1516 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) |
1386 { | 1517 { |
1387 SECStatus rv; | 1518 SECStatus rv; |
1388 sslSocket *ss = ssl_FindSocket(fd); | 1519 sslSocket *ss = ssl_FindSocket(fd); |
1389 | 1520 |
1390 if (!enabled) { | 1521 if (!enabled) { |
1391 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1522 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1392 return SECFailure; | 1523 return SECFailure; |
1393 } | 1524 } |
1394 if (!ss) { | 1525 if (!ss) { |
1395 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); | 1526 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); |
1396 *enabled = PR_FALSE; | 1527 *enabled = PR_FALSE; |
1397 return SECFailure; | 1528 return SECFailure; |
1398 } | 1529 } |
1399 if (ssl_IsRemovedCipherSuite(which)) { | 1530 if (ssl_IsRemovedCipherSuite(which)) { |
1400 *enabled = PR_FALSE; | 1531 *enabled = PR_FALSE; |
1401 rv = SECSuccess; | 1532 rv = SECSuccess; |
1402 } else if (SSL_IS_SSL2_CIPHER(which)) { | 1533 } else if (SSL_IS_SSL2_CIPHER(which)) { |
1403 rv = ssl2_CipherPrefGet(ss, which, enabled); | 1534 rv = ssl2_CipherPrefGet(ss, which, enabled); |
1404 } else { | 1535 } else { |
1405 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); | 1536 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); |
1406 } | 1537 } |
1407 return rv; | 1538 return rv; |
1408 } | 1539 } |
1409 | 1540 |
1410 SECStatus | 1541 SECStatus |
1411 NSS_SetDomesticPolicy(void) | 1542 NSS_SetDomesticPolicy(void) |
1412 { | 1543 { |
1413 SECStatus status = SECSuccess; | 1544 SECStatus status = SECSuccess; |
1414 const PRUint16 *cipher; | 1545 const PRUint16 *cipher; |
| 1546 SECStatus rv; |
| 1547 PRUint32 policy; |
| 1548 |
| 1549 /* If we've already defined some policy oids, skip changing them */ |
| 1550 rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy); |
| 1551 if ((rv == SECSuccess) && (policy & NSS_USE_POLICY_IN_SSL)) { |
| 1552 return ssl_Init(); /* make sure the policies have bee loaded */ |
| 1553 } |
1415 | 1554 |
1416 for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { | 1555 for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { |
1417 status = SSL_SetPolicy(*cipher, SSL_ALLOWED); | 1556 status = SSL_SetPolicy(*cipher, SSL_ALLOWED); |
1418 if (status != SECSuccess) | 1557 if (status != SECSuccess) |
1419 break; | 1558 break; |
1420 } | 1559 } |
1421 return status; | 1560 return status; |
1422 } | 1561 } |
1423 | 1562 |
1424 SECStatus | 1563 SECStatus |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1462 if (!ss->ssl3.dheGroups) { | 1601 if (!ss->ssl3.dheGroups) { |
1463 PORT_SetError(SEC_ERROR_NO_MEMORY); | 1602 PORT_SetError(SEC_ERROR_NO_MEMORY); |
1464 return SECFailure; | 1603 return SECFailure; |
1465 } | 1604 } |
1466 PORT_Memcpy(ss->ssl3.dheGroups, groups, | 1605 PORT_Memcpy(ss->ssl3.dheGroups, groups, |
1467 sizeof(SSLDHEGroupType) * num_groups); | 1606 sizeof(SSLDHEGroupType) * num_groups); |
1468 } | 1607 } |
1469 return SECSuccess; | 1608 return SECSuccess; |
1470 } | 1609 } |
1471 | 1610 |
1472 | |
1473 PRCallOnceType gWeakDHParamsRegisterOnce; | 1611 PRCallOnceType gWeakDHParamsRegisterOnce; |
1474 int gWeakDHParamsRegisterError; | 1612 int gWeakDHParamsRegisterError; |
1475 | 1613 |
1476 PRCallOnceType gWeakDHParamsOnce; | 1614 PRCallOnceType gWeakDHParamsOnce; |
1477 int gWeakDHParamsError; | 1615 int gWeakDHParamsError; |
1478 /* As our code allocates type PQGParams, we'll keep it around, | 1616 /* As our code allocates type PQGParams, we'll keep it around, |
1479 * even though we only make use of it's parameters through gWeakDHParam. */ | 1617 * even though we only make use of it's parameters through gWeakDHParam. */ |
1480 static PQGParams *gWeakParamsPQG; | 1618 static PQGParams *gWeakParamsPQG; |
1481 static ssl3DHParams *gWeakDHParams; | 1619 static ssl3DHParams *gWeakDHParams; |
1482 | 1620 |
1483 static PRStatus | 1621 static PRStatus |
1484 ssl3_CreateWeakDHParams(void) | 1622 ssl3_CreateWeakDHParams(void) |
1485 { | 1623 { |
1486 PQGVerify *vfy; | 1624 PQGVerify *vfy; |
1487 SECStatus rv, passed; | 1625 SECStatus rv, passed; |
1488 | 1626 |
1489 PORT_Assert(!gWeakDHParams && !gWeakParamsPQG); | 1627 PORT_Assert(!gWeakDHParams && !gWeakParamsPQG); |
1490 | 1628 |
1491 rv = PK11_PQG_ParamGenV2(1024, 160, 64 /*maximum seed that will work*/, | 1629 rv = PK11_PQG_ParamGenV2(1024, 160, 64 /*maximum seed that will work*/, |
1492 &gWeakParamsPQG, &vfy); | 1630 &gWeakParamsPQG, &vfy); |
1493 if (rv != SECSuccess) { | 1631 if (rv != SECSuccess) { |
1494 gWeakDHParamsError = PORT_GetError(); | 1632 gWeakDHParamsError = PORT_GetError(); |
1495 return PR_FAILURE; | 1633 return PR_FAILURE; |
1496 } | 1634 } |
1497 | 1635 |
1498 rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed); | 1636 rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed); |
1499 if (rv != SECSuccess || passed != SECSuccess) { | 1637 if (rv != SECSuccess || passed != SECSuccess) { |
1500 SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams", | 1638 SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams", |
1501 SSL_GETPID())); | 1639 SSL_GETPID())); |
1502 gWeakDHParamsError = PORT_GetError(); | 1640 gWeakDHParamsError = PORT_GetError(); |
1503 return PR_FAILURE; | 1641 return PR_FAILURE; |
1504 } | 1642 } |
1505 | 1643 |
1506 gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams); | 1644 gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams); |
1507 if (!gWeakDHParams) { | 1645 if (!gWeakDHParams) { |
1508 gWeakDHParamsError = PORT_GetError(); | 1646 gWeakDHParamsError = PORT_GetError(); |
1509 return PR_FAILURE; | 1647 return PR_FAILURE; |
1510 } | 1648 } |
1511 | 1649 |
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1570 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(),
fd)); | 1708 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(),
fd)); |
1571 return SECFailure; | 1709 return SECFailure; |
1572 } | 1710 } |
1573 | 1711 |
1574 ss->ssl3.dheWeakGroupEnabled = enabled; | 1712 ss->ssl3.dheWeakGroupEnabled = enabled; |
1575 return SECSuccess; | 1713 return SECSuccess; |
1576 } | 1714 } |
1577 | 1715 |
1578 SECStatus | 1716 SECStatus |
1579 SSL_GetChannelBinding(PRFileDesc *fd, | 1717 SSL_GetChannelBinding(PRFileDesc *fd, |
1580 » » SSLChannelBindingType binding_type, | 1718 SSLChannelBindingType binding_type, |
1581 » » unsigned char *out, | 1719 unsigned char *out, |
1582 » » unsigned int *outLen, | 1720 unsigned int *outLen, |
1583 » » unsigned int outLenMax) { | 1721 unsigned int outLenMax) |
| 1722 { |
1584 sslSocket *ss = ssl_FindSocket(fd); | 1723 sslSocket *ss = ssl_FindSocket(fd); |
1585 | 1724 |
1586 if (!ss) { | 1725 if (!ss) { |
1587 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", | 1726 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", |
1588 » » SSL_GETPID(), fd)); | 1727 SSL_GETPID(), fd)); |
1589 » return SECFailure; | 1728 return SECFailure; |
1590 } | 1729 } |
1591 | 1730 |
1592 if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) { | 1731 if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) { |
1593 » PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 1732 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
1594 » return SECFailure; | 1733 return SECFailure; |
1595 } | 1734 } |
1596 | 1735 |
1597 return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax); | 1736 return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax); |
1598 } | 1737 } |
1599 | 1738 |
1600 #include "dhe-param.c" | 1739 #include "dhe-param.c" |
1601 | 1740 |
1602 static const SSLDHEGroupType ssl_default_dhe_groups[] = { | 1741 static const SSLDHEGroupType ssl_default_dhe_groups[] = { |
1603 ssl_ff_dhe_2048_group | 1742 ssl_ff_dhe_2048_group |
1604 }; | 1743 }; |
(...skipping 24 matching lines...) Expand all Loading... |
1629 SECStatus | 1768 SECStatus |
1630 ssl3_SelectDHParams(sslSocket *ss) | 1769 ssl3_SelectDHParams(sslSocket *ss) |
1631 { | 1770 { |
1632 SSLDHEGroupType selectedGroup = ssl_dhe_group_none; | 1771 SSLDHEGroupType selectedGroup = ssl_dhe_group_none; |
1633 | 1772 |
1634 if (ss->ssl3.dheWeakGroupEnabled) { | 1773 if (ss->ssl3.dheWeakGroupEnabled) { |
1635 ss->dheParams = gWeakDHParams; | 1774 ss->dheParams = gWeakDHParams; |
1636 } else { | 1775 } else { |
1637 if (ss->ssl3.dheGroups) { | 1776 if (ss->ssl3.dheGroups) { |
1638 selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups, | 1777 selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups, |
1639 ss->ssl3.numDHEGroups); | 1778 ss->ssl3.numDHEGroups); |
1640 } else { | 1779 } else { |
1641 size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_grou
ps); | 1780 size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_grou
ps); |
1642 selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups, | 1781 selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups, |
1643 number_of_default_groups); | 1782 number_of_default_groups); |
1644 } | 1783 } |
1645 | 1784 |
1646 if (selectedGroup == ssl_dhe_group_none || | 1785 if (selectedGroup == ssl_dhe_group_none || |
1647 selectedGroup >= ssl_dhe_group_max) { | 1786 selectedGroup >= ssl_dhe_group_max) { |
1648 return SECFailure; | 1787 return SECFailure; |
1649 } | 1788 } |
1650 | 1789 |
1651 ss->dheParams = all_ssl3DHParams[selectedGroup]; | 1790 ss->dheParams = all_ssl3DHParams[selectedGroup]; |
1652 } | 1791 } |
1653 | 1792 |
1654 return SECSuccess; | 1793 return SECSuccess; |
1655 } | 1794 } |
1656 | 1795 |
1657 /* LOCKS ??? XXX */ | 1796 /* LOCKS ??? XXX */ |
1658 static PRFileDesc * | 1797 static PRFileDesc * |
1659 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) | 1798 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) |
1660 { | 1799 { |
1661 sslSocket * ns = NULL; | 1800 sslSocket *ns = NULL; |
1662 PRStatus rv; | 1801 PRStatus rv; |
1663 PRNetAddr addr; | 1802 PRNetAddr addr; |
1664 SECStatus status = ssl_Init(); | 1803 SECStatus status = ssl_Init(); |
1665 | 1804 |
1666 if (status != SECSuccess) { | 1805 if (status != SECSuccess) { |
1667 return NULL; | 1806 return NULL; |
1668 } | 1807 } |
1669 | 1808 |
1670 if (model == NULL) { | 1809 if (model == NULL) { |
1671 /* Just create a default socket if we're given NULL for the model */ | 1810 /* Just create a default socket if we're given NULL for the model */ |
1672 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); | 1811 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); |
1673 } else { | 1812 } else { |
1674 sslSocket * ss = ssl_FindSocket(model); | 1813 sslSocket *ss = ssl_FindSocket(model); |
1675 if (ss == NULL || ss->protocolVariant != variant) { | 1814 if (ss == NULL || ss->protocolVariant != variant) { |
1676 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", | 1815 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", |
1677 SSL_GETPID(), model)); | 1816 SSL_GETPID(), model)); |
1678 return NULL; | 1817 return NULL; |
1679 } | 1818 } |
1680 ns = ssl_DupSocket(ss); | 1819 ns = ssl_DupSocket(ss); |
1681 } | 1820 } |
1682 if (ns == NULL) | 1821 if (ns == NULL) |
1683 return NULL; | 1822 return NULL; |
1684 | 1823 |
1685 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); | 1824 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); |
1686 if (rv != PR_SUCCESS) { | 1825 if (rv != PR_SUCCESS) { |
1687 ssl_FreeSocket(ns); | 1826 ssl_FreeSocket(ns); |
1688 SET_ERROR_CODE | 1827 SET_ERROR_CODE |
1689 return NULL; | 1828 return NULL; |
1690 } | 1829 } |
1691 #if defined(DEBUG) || defined(FORCE_PR_ASSERT) | 1830 #if defined(DEBUG) || defined(FORCE_PR_ASSERT) |
1692 { | 1831 { |
1693 sslSocket * ss = ssl_FindSocket(fd); | 1832 sslSocket *ss = ssl_FindSocket(fd); |
1694 PORT_Assert(ss == ns); | 1833 PORT_Assert(ss == ns); |
1695 } | 1834 } |
1696 #endif | 1835 #endif |
1697 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); | 1836 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); |
1698 return fd; | 1837 return fd; |
1699 } | 1838 } |
1700 | 1839 |
1701 PRFileDesc * | 1840 PRFileDesc * |
1702 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) | 1841 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
1703 { | 1842 { |
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1748 const unsigned char *result; | 1887 const unsigned char *result; |
1749 sslSocket *ss = ssl_FindSocket(fd); | 1888 sslSocket *ss = ssl_FindSocket(fd); |
1750 | 1889 |
1751 if (!ss) { | 1890 if (!ss) { |
1752 SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback", | 1891 SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback", |
1753 SSL_GETPID(), fd)); | 1892 SSL_GETPID(), fd)); |
1754 return SECFailure; | 1893 return SECFailure; |
1755 } | 1894 } |
1756 | 1895 |
1757 /* For each protocol in server preference, see if we support it. */ | 1896 /* For each protocol in server preference, see if we support it. */ |
1758 for (i = 0; i < protos_len; ) { | 1897 for (i = 0; i < protos_len;) { |
1759 for (j = 0; j < ss->opt.nextProtoNego.len; ) { | 1898 for (j = 0; j < ss->opt.nextProtoNego.len;) { |
1760 if (protos[i] == ss->opt.nextProtoNego.data[j] && | 1899 if (protos[i] == ss->opt.nextProtoNego.data[j] && |
1761 PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1], | 1900 PORT_Memcmp(&protos[i + 1], &ss->opt.nextProtoNego.data[j + 1], |
1762 protos[i]) == 0) { | 1901 protos[i]) == 0) { |
1763 /* We found a match. */ | 1902 /* We found a match. */ |
1764 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; | 1903 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; |
1765 result = &protos[i]; | 1904 result = &protos[i]; |
1766 goto found; | 1905 goto found; |
1767 } | 1906 } |
1768 j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j]; | 1907 j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j]; |
1769 } | 1908 } |
1770 i += 1 + (unsigned int)protos[i]; | 1909 i += 1 + (unsigned int)protos[i]; |
1771 } | 1910 } |
1772 | 1911 |
(...skipping 13 matching lines...) Expand all Loading... |
1786 *protoOutLen = result[0]; | 1925 *protoOutLen = result[0]; |
1787 return SECSuccess; | 1926 return SECSuccess; |
1788 } | 1927 } |
1789 | 1928 |
1790 SECStatus | 1929 SECStatus |
1791 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, | 1930 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, |
1792 unsigned int length) | 1931 unsigned int length) |
1793 { | 1932 { |
1794 sslSocket *ss; | 1933 sslSocket *ss; |
1795 SECStatus rv; | 1934 SECStatus rv; |
1796 SECItem dataItem = { siBuffer, (unsigned char *) data, length }; | 1935 SECItem dataItem = { siBuffer, (unsigned char *)data, length }; |
1797 | 1936 |
1798 ss = ssl_FindSocket(fd); | 1937 ss = ssl_FindSocket(fd); |
1799 if (!ss) { | 1938 if (!ss) { |
1800 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", | 1939 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", |
1801 SSL_GETPID(), fd)); | 1940 SSL_GETPID(), fd)); |
1802 return SECFailure; | 1941 return SECFailure; |
1803 } | 1942 } |
1804 | 1943 |
1805 if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) | 1944 if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) |
1806 return SECFailure; | 1945 return SECFailure; |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1843 } | 1982 } |
1844 PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len); | 1983 PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len); |
1845 *bufLen = ss->ssl3.nextProto.len; | 1984 *bufLen = ss->ssl3.nextProto.len; |
1846 } else { | 1985 } else { |
1847 *bufLen = 0; | 1986 *bufLen = 0; |
1848 } | 1987 } |
1849 | 1988 |
1850 return SECSuccess; | 1989 return SECSuccess; |
1851 } | 1990 } |
1852 | 1991 |
1853 SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, | 1992 SECStatus |
1854 const PRUint16 *ciphers, | 1993 SSL_SetSRTPCiphers(PRFileDesc *fd, |
1855 unsigned int numCiphers) | 1994 const PRUint16 *ciphers, |
| 1995 unsigned int numCiphers) |
1856 { | 1996 { |
1857 sslSocket *ss; | 1997 sslSocket *ss; |
1858 unsigned int i; | 1998 unsigned int i; |
1859 | 1999 |
1860 ss = ssl_FindSocket(fd); | 2000 ss = ssl_FindSocket(fd); |
1861 if (!ss || !IS_DTLS(ss)) { | 2001 if (!ss || !IS_DTLS(ss)) { |
1862 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers", | 2002 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers", |
1863 SSL_GETPID(), fd)); | 2003 SSL_GETPID(), fd)); |
1864 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2004 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1865 return SECFailure; | 2005 return SECFailure; |
(...skipping 11 matching lines...) Expand all Loading... |
1877 while (*srtpCipher) { | 2017 while (*srtpCipher) { |
1878 if (ciphers[i] == *srtpCipher) | 2018 if (ciphers[i] == *srtpCipher) |
1879 break; | 2019 break; |
1880 srtpCipher++; | 2020 srtpCipher++; |
1881 } | 2021 } |
1882 if (*srtpCipher) { | 2022 if (*srtpCipher) { |
1883 ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] = | 2023 ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] = |
1884 ciphers[i]; | 2024 ciphers[i]; |
1885 } else { | 2025 } else { |
1886 SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " | 2026 SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " |
1887 "suite specified: 0x%04hx", SSL_GETPID(), fd, | 2027 "suite specified: 0x%04hx", |
1888 ciphers[i])); | 2028 SSL_GETPID(), fd, |
| 2029 ciphers[i])); |
1889 } | 2030 } |
1890 } | 2031 } |
1891 | 2032 |
1892 if (ss->ssl3.dtlsSRTPCipherCount == 0) { | 2033 if (ss->ssl3.dtlsSRTPCipherCount == 0) { |
1893 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2034 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1894 return SECFailure; | 2035 return SECFailure; |
1895 } | 2036 } |
1896 | 2037 |
1897 return SECSuccess; | 2038 return SECSuccess; |
1898 } | 2039 } |
1899 | 2040 |
1900 SECStatus | 2041 SECStatus |
1901 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) | 2042 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) |
1902 { | 2043 { |
1903 sslSocket * ss; | 2044 sslSocket *ss; |
1904 | 2045 |
1905 ss = ssl_FindSocket(fd); | 2046 ss = ssl_FindSocket(fd); |
1906 if (!ss) { | 2047 if (!ss) { |
1907 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher", | 2048 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher", |
1908 SSL_GETPID(), fd)); | 2049 SSL_GETPID(), fd)); |
1909 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2050 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1910 return SECFailure; | 2051 return SECFailure; |
1911 } | 2052 } |
1912 | 2053 |
1913 if (!ss->ssl3.dtlsSRTPCipherSuite) { | 2054 if (!ss->ssl3.dtlsSRTPCipherSuite) { |
1914 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2055 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1915 return SECFailure; | 2056 return SECFailure; |
1916 } | 2057 } |
1917 | 2058 |
1918 *cipher = ss->ssl3.dtlsSRTPCipherSuite; | 2059 *cipher = ss->ssl3.dtlsSRTPCipherSuite; |
1919 return SECSuccess; | 2060 return SECSuccess; |
1920 } | 2061 } |
1921 | 2062 |
1922 PRFileDesc * | 2063 PRFileDesc * |
1923 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) | 2064 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
1924 { | 2065 { |
1925 sslSocket * sm = NULL, *ss = NULL; | 2066 sslSocket *sm = NULL, *ss = NULL; |
1926 int i; | 2067 int i; |
1927 sslServerCerts * mc = NULL; | 2068 sslServerCerts *mc = NULL; |
1928 sslServerCerts * sc = NULL; | 2069 sslServerCerts *sc = NULL; |
1929 | 2070 |
1930 if (model == NULL) { | 2071 if (model == NULL) { |
1931 PR_SetError(SEC_ERROR_INVALID_ARGS, 0); | 2072 PR_SetError(SEC_ERROR_INVALID_ARGS, 0); |
1932 return NULL; | 2073 return NULL; |
1933 } | 2074 } |
1934 sm = ssl_FindSocket(model); | 2075 sm = ssl_FindSocket(model); |
1935 if (sm == NULL) { | 2076 if (sm == NULL) { |
1936 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", | 2077 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", |
1937 SSL_GETPID(), model)); | 2078 SSL_GETPID(), model)); |
1938 return NULL; | 2079 return NULL; |
1939 } | 2080 } |
1940 ss = ssl_FindSocket(fd); | 2081 ss = ssl_FindSocket(fd); |
1941 PORT_Assert(ss); | 2082 PORT_Assert(ss); |
1942 if (ss == NULL) { | 2083 if (ss == NULL) { |
1943 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2084 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1944 return NULL; | 2085 return NULL; |
1945 } | 2086 } |
1946 | 2087 |
1947 ss->opt = sm->opt; | 2088 ss->opt = sm->opt; |
1948 ss->vrange = sm->vrange; | 2089 ss->vrange = sm->vrange; |
1949 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); | 2090 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); |
1950 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, | 2091 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, |
1951 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount); | 2092 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount); |
1952 ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; | 2093 ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; |
1953 PORT_Memcpy(ss->ssl3.signatureAlgorithms, sm->ssl3.signatureAlgorithms, | 2094 PORT_Memcpy(ss->ssl3.signatureAlgorithms, sm->ssl3.signatureAlgorithms, |
1954 sizeof(ss->ssl3.signatureAlgorithms[0]) * | 2095 sizeof(ss->ssl3.signatureAlgorithms[0]) * |
1955 sm->ssl3.signatureAlgorithmCount); | 2096 sm->ssl3.signatureAlgorithmCount); |
1956 ss->ssl3.signatureAlgorithmCount = sm->ssl3.signatureAlgorithmCount; | 2097 ss->ssl3.signatureAlgorithmCount = sm->ssl3.signatureAlgorithmCount; |
| 2098 ss->ssl3.downgradeCheckVersion = sm->ssl3.downgradeCheckVersion; |
1957 | 2099 |
1958 if (!ss->opt.useSecurity) { | 2100 if (!ss->opt.useSecurity) { |
1959 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2101 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1960 return NULL; | 2102 return NULL; |
1961 } | 2103 } |
1962 /* This int should be SSLKEAType, but CC on Irix complains, | 2104 /* This int should be SSLKEAType, but CC on Irix complains, |
1963 * during the for loop. | 2105 * during the for loop. |
1964 */ | 2106 */ |
1965 for (i=kt_null; i < kt_kea_size; i++) { | 2107 for (i = kt_null; i < kt_kea_size; i++) { |
1966 mc = &(sm->serverCerts[i]); | 2108 mc = &(sm->serverCerts[i]); |
1967 sc = &(ss->serverCerts[i]); | 2109 sc = &(ss->serverCerts[i]); |
1968 if (mc->serverCert && mc->serverCertChain) { | 2110 if (mc->serverCert && mc->serverCertChain) { |
1969 if (sc->serverCert) { | 2111 if (sc->serverCert) { |
1970 CERT_DestroyCertificate(sc->serverCert); | 2112 CERT_DestroyCertificate(sc->serverCert); |
1971 } | 2113 } |
1972 sc->serverCert = CERT_DupCertificate(mc->serverCert); | 2114 sc->serverCert = CERT_DupCertificate(mc->serverCert); |
1973 if (sc->serverCertChain) { | 2115 if (sc->serverCertChain) { |
1974 CERT_DestroyCertificateList(sc->serverCertChain); | 2116 CERT_DestroyCertificateList(sc->serverCertChain); |
1975 } | 2117 } |
1976 sc->serverCertChain = CERT_DupCertList(mc->serverCertChain); | 2118 sc->serverCertChain = CERT_DupCertList(mc->serverCertChain); |
1977 if (!sc->serverCertChain) | 2119 if (!sc->serverCertChain) |
1978 goto loser; | 2120 goto loser; |
1979 if (sm->certStatusArray[i]) { | 2121 if (sm->certStatusArray[i]) { |
1980 if (ss->certStatusArray[i]) { | 2122 if (ss->certStatusArray[i]) { |
1981 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); | 2123 SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); |
1982 ss->certStatusArray[i] = NULL; | 2124 ss->certStatusArray[i] = NULL; |
1983 } | 2125 } |
1984 ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusAr
ray[i]); | 2126 ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusAr
ray[i]); |
1985 if (!ss->certStatusArray[i]) | 2127 if (!ss->certStatusArray[i]) |
1986 goto loser; | 2128 goto loser; |
1987 } | 2129 } |
| 2130 if (sm->signedCertTimestamps[i].data) { |
| 2131 if (ss->signedCertTimestamps[i].data) { |
| 2132 SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE); |
| 2133 } |
| 2134 if (SECITEM_CopyItem(NULL, |
| 2135 &ss->signedCertTimestamps[i], |
| 2136 &sm->signedCertTimestamps[i]) != |
| 2137 SECSuccess) { |
| 2138 goto loser; |
| 2139 } |
| 2140 } |
1988 } | 2141 } |
1989 if (mc->serverKeyPair) { | 2142 if (mc->serverKeyPair) { |
1990 if (sc->serverKeyPair) { | 2143 if (sc->serverKeyPair) { |
1991 ssl3_FreeKeyPair(sc->serverKeyPair); | 2144 ssl3_FreeKeyPair(sc->serverKeyPair); |
1992 } | 2145 } |
1993 sc->serverKeyPair = ssl3_GetKeyPairRef(mc->serverKeyPair); | 2146 sc->serverKeyPair = ssl3_GetKeyPairRef(mc->serverKeyPair); |
1994 sc->serverKeyBits = mc->serverKeyBits; | 2147 sc->serverKeyBits = mc->serverKeyBits; |
1995 } | 2148 } |
1996 } | 2149 } |
1997 if (sm->stepDownKeyPair) { | 2150 if (sm->stepDownKeyPair) { |
(...skipping 14 matching lines...) Expand all Loading... |
2012 if (ss->ssl3.ca_list) { | 2165 if (ss->ssl3.ca_list) { |
2013 CERT_FreeDistNames(ss->ssl3.ca_list); | 2166 CERT_FreeDistNames(ss->ssl3.ca_list); |
2014 } | 2167 } |
2015 ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list); | 2168 ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list); |
2016 if (!ss->ssl3.ca_list) { | 2169 if (!ss->ssl3.ca_list) { |
2017 goto loser; | 2170 goto loser; |
2018 } | 2171 } |
2019 } | 2172 } |
2020 | 2173 |
2021 if (sm->authCertificate) | 2174 if (sm->authCertificate) |
2022 ss->authCertificate = sm->authCertificate; | 2175 ss->authCertificate = sm->authCertificate; |
2023 if (sm->authCertificateArg) | 2176 if (sm->authCertificateArg) |
2024 ss->authCertificateArg = sm->authCertificateArg; | 2177 ss->authCertificateArg = sm->authCertificateArg; |
2025 if (sm->getClientAuthData) | 2178 if (sm->getClientAuthData) |
2026 ss->getClientAuthData = sm->getClientAuthData; | 2179 ss->getClientAuthData = sm->getClientAuthData; |
2027 if (sm->getClientAuthDataArg) | 2180 if (sm->getClientAuthDataArg) |
2028 ss->getClientAuthDataArg = sm->getClientAuthDataArg; | 2181 ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
2029 #ifdef NSS_PLATFORM_CLIENT_AUTH | |
2030 if (sm->getPlatformClientAuthData) | |
2031 ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; | |
2032 if (sm->getPlatformClientAuthDataArg) | |
2033 ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; | |
2034 #endif | |
2035 if (sm->sniSocketConfig) | 2182 if (sm->sniSocketConfig) |
2036 ss->sniSocketConfig = sm->sniSocketConfig; | 2183 ss->sniSocketConfig = sm->sniSocketConfig; |
2037 if (sm->sniSocketConfigArg) | 2184 if (sm->sniSocketConfigArg) |
2038 ss->sniSocketConfigArg = sm->sniSocketConfigArg; | 2185 ss->sniSocketConfigArg = sm->sniSocketConfigArg; |
2039 if (sm->handleBadCert) | 2186 if (sm->handleBadCert) |
2040 ss->handleBadCert = sm->handleBadCert; | 2187 ss->handleBadCert = sm->handleBadCert; |
2041 if (sm->badCertArg) | 2188 if (sm->badCertArg) |
2042 ss->badCertArg = sm->badCertArg; | 2189 ss->badCertArg = sm->badCertArg; |
2043 if (sm->handshakeCallback) | 2190 if (sm->handshakeCallback) |
2044 ss->handshakeCallback = sm->handshakeCallback; | 2191 ss->handshakeCallback = sm->handshakeCallback; |
2045 if (sm->handshakeCallbackData) | 2192 if (sm->handshakeCallbackData) |
2046 ss->handshakeCallbackData = sm->handshakeCallbackData; | 2193 ss->handshakeCallbackData = sm->handshakeCallbackData; |
2047 if (sm->pkcs11PinArg) | 2194 if (sm->pkcs11PinArg) |
2048 ss->pkcs11PinArg = sm->pkcs11PinArg; | 2195 ss->pkcs11PinArg = sm->pkcs11PinArg; |
2049 if (sm->getChannelID) | 2196 if (sm->getChannelID) |
2050 ss->getChannelID = sm->getChannelID; | 2197 ss->getChannelID = sm->getChannelID; |
2051 if (sm->getChannelIDArg) | 2198 if (sm->getChannelIDArg) |
2052 ss->getChannelIDArg = sm->getChannelIDArg; | 2199 ss->getChannelIDArg = sm->getChannelIDArg; |
2053 return fd; | 2200 return fd; |
2054 loser: | 2201 loser: |
2055 return NULL; | 2202 return NULL; |
2056 } | 2203 } |
2057 | 2204 |
| 2205 /* |
| 2206 * Get the user supplied range |
| 2207 */ |
| 2208 static SECStatus |
| 2209 ssl3_GetRangePolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *prange) |
| 2210 { |
| 2211 SECStatus rv; |
| 2212 PRUint32 policy; |
| 2213 PRInt32 option; |
| 2214 |
| 2215 /* only use policy constraints if we've set the apply ssl policy bit */ |
| 2216 rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy); |
| 2217 if ((rv != SECSuccess) || !(policy & NSS_USE_POLICY_IN_SSL)) { |
| 2218 return SECFailure; |
| 2219 } |
| 2220 rv = NSS_OptionGet(VERSIONS_POLICY_MIN(protocolVariant), &option); |
| 2221 if (rv != SECSuccess) { |
| 2222 return rv; |
| 2223 } |
| 2224 prange->min = (PRUint16)option; |
| 2225 rv = NSS_OptionGet(VERSIONS_POLICY_MAX(protocolVariant), &option); |
| 2226 if (rv != SECSuccess) { |
| 2227 return rv; |
| 2228 } |
| 2229 prange->max = (PRUint16)option; |
| 2230 if (prange->max < prange->min) { |
| 2231 return SECFailure; /* don't accept an invalid policy */ |
| 2232 } |
| 2233 return SECSuccess; |
| 2234 } |
| 2235 |
| 2236 /* |
| 2237 * Constrain a single protocol variant's range based on the user policy |
| 2238 */ |
| 2239 static SECStatus |
| 2240 ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant) |
| 2241 { |
| 2242 SSLVersionRange vrange; |
| 2243 SSLVersionRange pvrange; |
| 2244 SECStatus rv; |
| 2245 |
| 2246 vrange = *VERSIONS_DEFAULTS(protocolVariant); |
| 2247 rv = ssl3_GetRangePolicy(protocolVariant, &pvrange); |
| 2248 if (rv != SECSuccess) { |
| 2249 return SECSuccess; /* we don't have any policy */ |
| 2250 } |
| 2251 vrange.min = PR_MAX(vrange.min, pvrange.min); |
| 2252 vrange.max = PR_MIN(vrange.max, pvrange.max); |
| 2253 if (vrange.max >= vrange.min) { |
| 2254 *VERSIONS_DEFAULTS(protocolVariant) = vrange; |
| 2255 } else { |
| 2256 /* there was no overlap, turn off range altogether */ |
| 2257 pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE; |
| 2258 *VERSIONS_DEFAULTS(protocolVariant) = pvrange; |
| 2259 } |
| 2260 return SECSuccess; |
| 2261 } |
| 2262 |
| 2263 static PRBool |
| 2264 ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant, |
| 2265 SSL3ProtocolVersion version) |
| 2266 { |
| 2267 SSLVersionRange pvrange; |
| 2268 SECStatus rv; |
| 2269 |
| 2270 rv = ssl3_GetRangePolicy(protocolVariant, &pvrange); |
| 2271 if (rv == SECSuccess) { |
| 2272 if ((version > pvrange.max) || (version < pvrange.min)) { |
| 2273 return PR_FALSE; /* disallowed by policy */ |
| 2274 } |
| 2275 } |
| 2276 return PR_TRUE; |
| 2277 } |
| 2278 |
| 2279 /* |
| 2280 * This is called at SSL init time to constrain the existing range based |
| 2281 * on user supplied policy. |
| 2282 */ |
| 2283 SECStatus |
| 2284 ssl3_ConstrainRangeByPolicy(void) |
| 2285 { |
| 2286 SECStatus rv; |
| 2287 rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream); |
| 2288 if (rv != SECSuccess) { |
| 2289 return rv; |
| 2290 } |
| 2291 rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram); |
| 2292 if (rv != SECSuccess) { |
| 2293 return rv; |
| 2294 } |
| 2295 return SECSuccess; |
| 2296 } |
| 2297 |
2058 PRBool | 2298 PRBool |
2059 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, | 2299 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, |
2060 SSL3ProtocolVersion version) | 2300 SSL3ProtocolVersion version) |
2061 { | 2301 { |
| 2302 if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) { |
| 2303 return PR_FALSE; |
| 2304 } |
2062 switch (protocolVariant) { | 2305 switch (protocolVariant) { |
2063 case ssl_variant_stream: | 2306 case ssl_variant_stream: |
2064 return (version >= SSL_LIBRARY_VERSION_3_0 && | 2307 return (version >= SSL_LIBRARY_VERSION_3_0 && |
2065 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); | 2308 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
2066 case ssl_variant_datagram: | 2309 case ssl_variant_datagram: |
2067 return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && | 2310 return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && |
2068 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); | 2311 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
2069 default: | 2312 default: |
2070 /* Can't get here */ | 2313 /* Can't get here */ |
2071 PORT_Assert(PR_FALSE); | 2314 PORT_Assert(PR_FALSE); |
2072 return PR_FALSE; | 2315 return PR_FALSE; |
2073 } | 2316 } |
2074 } | 2317 } |
2075 | 2318 |
2076 /* Returns PR_TRUE if the given version range is valid and | 2319 /* Returns PR_TRUE if the given version range is valid and |
2077 ** fully supported; otherwise, returns PR_FALSE. | 2320 ** fully supported; otherwise, returns PR_FALSE. |
2078 */ | 2321 */ |
2079 static PRBool | 2322 static PRBool |
2080 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, | 2323 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, |
2081 const SSLVersionRange *vrange) | 2324 const SSLVersionRange *vrange) |
2082 { | 2325 { |
2083 return vrange && | 2326 return vrange && |
2084 vrange->min <= vrange->max && | 2327 vrange->min <= vrange->max && |
2085 ssl3_VersionIsSupported(protocolVariant, vrange->min) && | 2328 ssl3_VersionIsSupported(protocolVariant, vrange->min) && |
2086 ssl3_VersionIsSupported(protocolVariant, vrange->max); | 2329 ssl3_VersionIsSupported(protocolVariant, vrange->max); |
2087 } | 2330 } |
2088 | 2331 |
| 2332 const SECItem * |
| 2333 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
| 2334 { |
| 2335 sslSocket *ss = ssl_FindSocket(fd); |
| 2336 |
| 2337 if (!ss) { |
| 2338 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
| 2339 SSL_GETPID(), fd)); |
| 2340 return NULL; |
| 2341 } |
| 2342 |
| 2343 if (!ss->sec.ci.sid) { |
| 2344 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
| 2345 return NULL; |
| 2346 } |
| 2347 |
| 2348 if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { |
| 2349 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
| 2350 return NULL; |
| 2351 } |
| 2352 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; |
| 2353 } |
| 2354 |
2089 SECStatus | 2355 SECStatus |
2090 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, | 2356 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, |
2091 SSLVersionRange *vrange) | 2357 SSLVersionRange *vrange) |
2092 { | 2358 { |
2093 if (!vrange) { | 2359 if (!vrange) { |
2094 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2360 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2095 return SECFailure; | 2361 return SECFailure; |
2096 } | 2362 } |
2097 | 2363 |
2098 switch (protocolVariant) { | 2364 switch (protocolVariant) { |
2099 case ssl_variant_stream: | 2365 case ssl_variant_stream: |
2100 vrange->min = SSL_LIBRARY_VERSION_3_0; | 2366 vrange->min = SSL_LIBRARY_VERSION_3_0; |
2101 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | 2367 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
2102 break; | 2368 break; |
2103 case ssl_variant_datagram: | 2369 case ssl_variant_datagram: |
2104 vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; | 2370 vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; |
2105 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; | 2371 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
2106 break; | 2372 break; |
2107 default: | 2373 default: |
2108 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2374 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2109 return SECFailure; | 2375 return SECFailure; |
2110 } | 2376 } |
2111 | 2377 |
2112 return SECSuccess; | 2378 return SECSuccess; |
2113 } | 2379 } |
2114 | 2380 |
2115 SECStatus | 2381 SECStatus |
2116 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, | 2382 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, |
2117 SSLVersionRange *vrange) | 2383 SSLVersionRange *vrange) |
2118 { | 2384 { |
2119 if ((protocolVariant != ssl_variant_stream && | 2385 if ((protocolVariant != ssl_variant_stream && |
2120 protocolVariant != ssl_variant_datagram) || !vrange) { | 2386 protocolVariant != ssl_variant_datagram) || |
| 2387 !vrange) { |
2121 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2388 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2122 return SECFailure; | 2389 return SECFailure; |
2123 } | 2390 } |
2124 | 2391 |
2125 *vrange = *VERSIONS_DEFAULTS(protocolVariant); | 2392 *vrange = *VERSIONS_DEFAULTS(protocolVariant); |
2126 | 2393 |
2127 return SECSuccess; | 2394 return SECSuccess; |
2128 } | 2395 } |
2129 | 2396 |
2130 SECStatus | 2397 SECStatus |
2131 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, | 2398 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, |
2132 const SSLVersionRange *vrange) | 2399 const SSLVersionRange *vrange) |
2133 { | 2400 { |
2134 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { | 2401 if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { |
2135 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 2402 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
2136 return SECFailure; | 2403 return SECFailure; |
2137 } | 2404 } |
2138 | 2405 |
2139 *VERSIONS_DEFAULTS(protocolVariant) = *vrange; | 2406 *VERSIONS_DEFAULTS(protocolVariant) = *vrange; |
2140 | 2407 |
2141 return SECSuccess; | 2408 return SECSuccess; |
2142 } | 2409 } |
2143 | 2410 |
2144 SECStatus | 2411 SECStatus |
2145 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) | 2412 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) |
2146 { | 2413 { |
2147 sslSocket *ss = ssl_FindSocket(fd); | 2414 sslSocket *ss = ssl_FindSocket(fd); |
2148 | 2415 |
2149 if (!ss) { | 2416 if (!ss) { |
2150 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet", | 2417 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeGet", |
2151 SSL_GETPID(), fd)); | 2418 SSL_GETPID(), fd)); |
2152 return SECFailure; | 2419 return SECFailure; |
2153 } | 2420 } |
2154 | 2421 |
2155 if (!vrange) { | 2422 if (!vrange) { |
2156 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2423 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2157 return SECFailure; | 2424 return SECFailure; |
2158 } | 2425 } |
2159 | 2426 |
2160 ssl_Get1stHandshakeLock(ss); | 2427 ssl_Get1stHandshakeLock(ss); |
2161 ssl_GetSSL3HandshakeLock(ss); | 2428 ssl_GetSSL3HandshakeLock(ss); |
2162 | 2429 |
2163 *vrange = ss->vrange; | 2430 *vrange = ss->vrange; |
2164 | 2431 |
2165 ssl_ReleaseSSL3HandshakeLock(ss); | 2432 ssl_ReleaseSSL3HandshakeLock(ss); |
2166 ssl_Release1stHandshakeLock(ss); | 2433 ssl_Release1stHandshakeLock(ss); |
2167 | 2434 |
2168 return SECSuccess; | 2435 return SECSuccess; |
2169 } | 2436 } |
2170 | 2437 |
2171 static PRCallOnceType checkTLS12TokenOnce; | |
2172 static PRBool tls12TokenExists; | |
2173 | |
2174 static PRStatus | |
2175 ssl_CheckTLS12Token(void) | |
2176 { | |
2177 tls12TokenExists = | |
2178 PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); | |
2179 return PR_SUCCESS; | |
2180 } | |
2181 | |
2182 static PRBool | |
2183 ssl_TLS12TokenExists(void) | |
2184 { | |
2185 (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); | |
2186 return tls12TokenExists; | |
2187 } | |
2188 | |
2189 SECStatus | 2438 SECStatus |
2190 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) | 2439 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
2191 { | 2440 { |
2192 sslSocket *ss = ssl_FindSocket(fd); | 2441 sslSocket *ss = ssl_FindSocket(fd); |
2193 | 2442 |
2194 if (!ss) { | 2443 if (!ss) { |
2195 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", | 2444 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet", |
2196 SSL_GETPID(), fd)); | 2445 SSL_GETPID(), fd)); |
2197 return SECFailure; | 2446 return SECFailure; |
2198 } | 2447 } |
2199 | 2448 |
2200 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { | 2449 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { |
2201 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 2450 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
2202 return SECFailure; | 2451 return SECFailure; |
2203 } | 2452 } |
2204 | 2453 |
2205 ssl_Get1stHandshakeLock(ss); | 2454 ssl_Get1stHandshakeLock(ss); |
2206 ssl_GetSSL3HandshakeLock(ss); | 2455 ssl_GetSSL3HandshakeLock(ss); |
2207 | 2456 |
| 2457 if (ss->ssl3.downgradeCheckVersion && |
| 2458 ss->vrange.max > ss->ssl3.downgradeCheckVersion) { |
| 2459 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 2460 ssl_ReleaseSSL3HandshakeLock(ss); |
| 2461 ssl_Release1stHandshakeLock(ss); |
| 2462 return SECFailure; |
| 2463 } |
| 2464 |
2208 ss->vrange = *vrange; | 2465 ss->vrange = *vrange; |
2209 /* If we don't have a sufficiently up-to-date softoken then we cannot do | |
2210 * TLS 1.2. */ | |
2211 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && | |
2212 !ssl_TLS12TokenExists()) { | |
2213 /* If the user requested a minimum version of 1.2, then we don't | |
2214 * silently downgrade. */ | |
2215 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { | |
2216 ssl_ReleaseSSL3HandshakeLock(ss); | |
2217 ssl_Release1stHandshakeLock(ss); | |
2218 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | |
2219 return SECFailure; | |
2220 } | |
2221 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; | |
2222 } | |
2223 | 2466 |
2224 ssl_ReleaseSSL3HandshakeLock(ss); | 2467 ssl_ReleaseSSL3HandshakeLock(ss); |
2225 ssl_Release1stHandshakeLock(ss); | 2468 ssl_Release1stHandshakeLock(ss); |
2226 | 2469 |
2227 return SECSuccess; | 2470 return SECSuccess; |
2228 } | 2471 } |
2229 | 2472 |
| 2473 SECStatus |
| 2474 SSL_SetDowngradeCheckVersion(PRFileDesc *fd, PRUint16 version) |
| 2475 { |
| 2476 sslSocket *ss = ssl_FindSocket(fd); |
| 2477 SECStatus rv = SECFailure; |
| 2478 |
| 2479 if (!ss) { |
| 2480 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetDowngradeCheckVersion", |
| 2481 SSL_GETPID(), fd)); |
| 2482 return SECFailure; |
| 2483 } |
| 2484 |
| 2485 if (version && !ssl3_VersionIsSupported(ss->protocolVariant, version)) { |
| 2486 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 2487 return SECFailure; |
| 2488 } |
| 2489 |
| 2490 ssl_Get1stHandshakeLock(ss); |
| 2491 ssl_GetSSL3HandshakeLock(ss); |
| 2492 |
| 2493 if (version && version < ss->vrange.max) { |
| 2494 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 2495 goto loser; |
| 2496 } |
| 2497 ss->ssl3.downgradeCheckVersion = version; |
| 2498 rv = SECSuccess; |
| 2499 |
| 2500 loser: |
| 2501 ssl_ReleaseSSL3HandshakeLock(ss); |
| 2502 ssl_Release1stHandshakeLock(ss); |
| 2503 |
| 2504 return rv; |
| 2505 } |
| 2506 |
2230 const SECItemArray * | 2507 const SECItemArray * |
2231 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) | 2508 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
2232 { | 2509 { |
2233 sslSocket *ss = ssl_FindSocket(fd); | 2510 sslSocket *ss = ssl_FindSocket(fd); |
2234 | 2511 |
2235 if (!ss) { | 2512 if (!ss) { |
2236 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", | 2513 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", |
2237 SSL_GETPID(), fd)); | 2514 SSL_GETPID(), fd)); |
2238 return NULL; | 2515 return NULL; |
2239 } | 2516 } |
2240 | 2517 |
2241 if (!ss->sec.ci.sid) { | 2518 if (!ss->sec.ci.sid) { |
2242 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 2519 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
2243 return NULL; | 2520 return NULL; |
2244 } | 2521 } |
2245 | 2522 |
2246 return &ss->sec.ci.sid->peerCertStatus; | 2523 return &ss->sec.ci.sid->peerCertStatus; |
2247 } | 2524 } |
2248 | 2525 |
2249 const SECItem * | 2526 SECStatus |
2250 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) | 2527 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) |
2251 { | 2528 { |
2252 sslSocket *ss = ssl_FindSocket(fd); | 2529 sslSocket *ss = ssl_FindSocket(fd); |
2253 | 2530 |
2254 if (!ss) { | 2531 if (!ss) { |
2255 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", | 2532 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", |
2256 » » SSL_GETPID(), fd)); | 2533 SSL_GETPID(), fd)); |
2257 return NULL; | 2534 return SECFailure; |
2258 } | |
2259 | |
2260 if (!ss->sec.ci.sid) { | |
2261 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
2262 return NULL; | |
2263 } | |
2264 | |
2265 if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { | |
2266 » PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); | |
2267 » return NULL; | |
2268 } | |
2269 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; | |
2270 } | |
2271 | |
2272 SECStatus | |
2273 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { | |
2274 sslSocket *ss = ssl_FindSocket(fd); | |
2275 | |
2276 if (!ss) { | |
2277 » SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", | |
2278 » » SSL_GETPID(), fd)); | |
2279 » return SECFailure; | |
2280 } | 2535 } |
2281 | 2536 |
2282 *handshake_resumed = ss->ssl3.hs.isResuming; | 2537 *handshake_resumed = ss->ssl3.hs.isResuming; |
2283 return SECSuccess; | 2538 return SECSuccess; |
2284 } | 2539 } |
2285 | 2540 |
2286 const SECItem * | 2541 const SECItem * |
2287 SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd) | 2542 SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd) |
2288 { | 2543 { |
2289 sslSocket *ss = ssl_FindSocket(fd); | 2544 sslSocket *ss = ssl_FindSocket(fd); |
2290 | 2545 |
2291 if (!ss) { | 2546 if (!ss) { |
2292 SSL_DBG(("%d: SSL[%d]: bad socket in " | 2547 SSL_DBG(("%d: SSL[%d]: bad socket in " |
2293 "SSL_GetRequestedClientCertificateTypes", SSL_GETPID(), fd)); | 2548 "SSL_GetRequestedClientCertificateTypes", |
2294 return NULL; | 2549 SSL_GETPID(), fd)); |
2295 } | 2550 return NULL; |
| 2551 } |
2296 | 2552 |
2297 return ss->requestedCertTypes; | 2553 return ss->requestedCertTypes; |
2298 } | 2554 } |
2299 | 2555 |
2300 /************************************************************************/ | 2556 /************************************************************************/ |
2301 /* The following functions are the TOP LEVEL SSL functions. | 2557 /* The following functions are the TOP LEVEL SSL functions. |
2302 ** They all get called through the NSPRIOMethods table below. | 2558 ** They all get called through the NSPRIOMethods table below. |
2303 */ | 2559 */ |
2304 | 2560 |
2305 static PRFileDesc * PR_CALLBACK | 2561 static PRFileDesc *PR_CALLBACK |
2306 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) | 2562 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) |
2307 { | 2563 { |
2308 sslSocket *ss; | 2564 sslSocket *ss; |
2309 sslSocket *ns = NULL; | 2565 sslSocket *ns = NULL; |
2310 PRFileDesc *newfd = NULL; | 2566 PRFileDesc *newfd = NULL; |
2311 PRFileDesc *osfd; | 2567 PRFileDesc *osfd; |
2312 PRStatus status; | 2568 PRStatus status; |
2313 | 2569 |
2314 ss = ssl_GetPrivate(fd); | 2570 ss = ssl_GetPrivate(fd); |
2315 if (!ss) { | 2571 if (!ss) { |
2316 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); | 2572 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); |
2317 return NULL; | 2573 return NULL; |
2318 } | 2574 } |
2319 | 2575 |
2320 /* IF this is a listen socket, there shouldn't be any I/O going on */ | 2576 /* IF this is a listen socket, there shouldn't be any I/O going on */ |
2321 SSL_LOCK_READER(ss); | 2577 SSL_LOCK_READER(ss); |
2322 SSL_LOCK_WRITER(ss); | 2578 SSL_LOCK_WRITER(ss); |
(...skipping 10 matching lines...) Expand all Loading... |
2333 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", | 2589 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", |
2334 SSL_GETPID(), ss->fd, PORT_GetError())); | 2590 SSL_GETPID(), ss->fd, PORT_GetError())); |
2335 } else { | 2591 } else { |
2336 /* Create ssl module */ | 2592 /* Create ssl module */ |
2337 ns = ssl_DupSocket(ss); | 2593 ns = ssl_DupSocket(ss); |
2338 } | 2594 } |
2339 | 2595 |
2340 ssl_ReleaseSSL3HandshakeLock(ss); | 2596 ssl_ReleaseSSL3HandshakeLock(ss); |
2341 ssl_Release1stHandshakeLock(ss); | 2597 ssl_Release1stHandshakeLock(ss); |
2342 SSL_UNLOCK_WRITER(ss); | 2598 SSL_UNLOCK_WRITER(ss); |
2343 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ | 2599 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ |
2344 | 2600 |
2345 if (ns == NULL) | 2601 if (ns == NULL) |
2346 goto loser; | 2602 goto loser; |
2347 | 2603 |
2348 /* push ssl module onto the new socket */ | 2604 /* push ssl module onto the new socket */ |
2349 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); | 2605 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); |
2350 if (status != PR_SUCCESS) | 2606 if (status != PR_SUCCESS) |
2351 goto loser; | 2607 goto loser; |
2352 | 2608 |
2353 /* Now start server connection handshake with client. | 2609 /* Now start server connection handshake with client. |
2354 ** Don't need locks here because nobody else has a reference to ns yet. | 2610 ** Don't need locks here because nobody else has a reference to ns yet. |
2355 */ | 2611 */ |
2356 if ( ns->opt.useSecurity ) { | 2612 if (ns->opt.useSecurity) { |
2357 if ( ns->opt.handshakeAsClient ) { | 2613 if (ns->opt.handshakeAsClient) { |
2358 ns->handshake = ssl2_BeginClientHandshake; | 2614 ns->handshake = ssl2_BeginClientHandshake; |
2359 ss->handshaking = sslHandshakingAsClient; | 2615 ss->handshaking = sslHandshakingAsClient; |
2360 } else { | 2616 } else { |
2361 ns->handshake = ssl2_BeginServerHandshake; | 2617 ns->handshake = ssl2_BeginServerHandshake; |
2362 ss->handshaking = sslHandshakingAsServer; | 2618 ss->handshaking = sslHandshakingAsServer; |
2363 } | 2619 } |
2364 } | 2620 } |
2365 ns->TCPconnected = 1; | 2621 ns->TCPconnected = 1; |
2366 return newfd; | 2622 return newfd; |
2367 | 2623 |
2368 loser: | 2624 loser: |
2369 if (ns != NULL) | 2625 if (ns != NULL) |
2370 ssl_FreeSocket(ns); | 2626 ssl_FreeSocket(ns); |
2371 if (newfd != NULL) | 2627 if (newfd != NULL) |
2372 PR_Close(newfd); | 2628 PR_Close(newfd); |
2373 return NULL; | 2629 return NULL; |
2374 } | 2630 } |
2375 | 2631 |
2376 static PRStatus PR_CALLBACK | 2632 static PRStatus PR_CALLBACK |
2377 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) | 2633 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) |
2378 { | 2634 { |
2379 sslSocket *ss; | 2635 sslSocket *ss; |
2380 PRStatus rv; | 2636 PRStatus rv; |
2381 | 2637 |
2382 ss = ssl_GetPrivate(fd); | 2638 ss = ssl_GetPrivate(fd); |
2383 if (!ss) { | 2639 if (!ss) { |
2384 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); | 2640 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); |
2385 return PR_FAILURE; | 2641 return PR_FAILURE; |
2386 } | 2642 } |
2387 | 2643 |
2388 /* IF this is a listen socket, there shouldn't be any I/O going on */ | 2644 /* IF this is a listen socket, there shouldn't be any I/O going on */ |
2389 SSL_LOCK_READER(ss); | 2645 SSL_LOCK_READER(ss); |
2390 SSL_LOCK_WRITER(ss); | 2646 SSL_LOCK_WRITER(ss); |
2391 | 2647 |
2392 ss->cTimeout = timeout; | 2648 ss->cTimeout = timeout; |
2393 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); | 2649 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); |
2394 | 2650 |
2395 SSL_UNLOCK_WRITER(ss); | 2651 SSL_UNLOCK_WRITER(ss); |
2396 SSL_UNLOCK_READER(ss); | 2652 SSL_UNLOCK_READER(ss); |
2397 | 2653 |
2398 return rv; | 2654 return rv; |
2399 } | 2655 } |
2400 | 2656 |
2401 static PRStatus PR_CALLBACK | 2657 static PRStatus PR_CALLBACK |
2402 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) | 2658 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) |
2403 { | 2659 { |
2404 sslSocket * ss = ssl_GetPrivate(fd); | 2660 sslSocket *ss = ssl_GetPrivate(fd); |
2405 PRStatus rv; | 2661 PRStatus rv; |
2406 | 2662 |
2407 if (!ss) { | 2663 if (!ss) { |
2408 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); | 2664 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); |
2409 return PR_FAILURE; | 2665 return PR_FAILURE; |
2410 } | 2666 } |
2411 SSL_LOCK_READER(ss); | 2667 SSL_LOCK_READER(ss); |
2412 SSL_LOCK_WRITER(ss); | 2668 SSL_LOCK_WRITER(ss); |
2413 | 2669 |
2414 rv = (PRStatus)(*ss->ops->bind)(ss, addr); | 2670 rv = (PRStatus)(*ss->ops->bind)(ss, addr); |
2415 | 2671 |
2416 SSL_UNLOCK_WRITER(ss); | 2672 SSL_UNLOCK_WRITER(ss); |
2417 SSL_UNLOCK_READER(ss); | 2673 SSL_UNLOCK_READER(ss); |
2418 return rv; | 2674 return rv; |
2419 } | 2675 } |
2420 | 2676 |
2421 static PRStatus PR_CALLBACK | 2677 static PRStatus PR_CALLBACK |
2422 ssl_Listen(PRFileDesc *fd, PRIntn backlog) | 2678 ssl_Listen(PRFileDesc *fd, PRIntn backlog) |
2423 { | 2679 { |
2424 sslSocket * ss = ssl_GetPrivate(fd); | 2680 sslSocket *ss = ssl_GetPrivate(fd); |
2425 PRStatus rv; | 2681 PRStatus rv; |
2426 | 2682 |
2427 if (!ss) { | 2683 if (!ss) { |
2428 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); | 2684 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); |
2429 return PR_FAILURE; | 2685 return PR_FAILURE; |
2430 } | 2686 } |
2431 SSL_LOCK_READER(ss); | 2687 SSL_LOCK_READER(ss); |
2432 SSL_LOCK_WRITER(ss); | 2688 SSL_LOCK_WRITER(ss); |
2433 | 2689 |
2434 rv = (PRStatus)(*ss->ops->listen)(ss, backlog); | 2690 rv = (PRStatus)(*ss->ops->listen)(ss, backlog); |
2435 | 2691 |
2436 SSL_UNLOCK_WRITER(ss); | 2692 SSL_UNLOCK_WRITER(ss); |
2437 SSL_UNLOCK_READER(ss); | 2693 SSL_UNLOCK_READER(ss); |
2438 return rv; | 2694 return rv; |
2439 } | 2695 } |
2440 | 2696 |
2441 static PRStatus PR_CALLBACK | 2697 static PRStatus PR_CALLBACK |
2442 ssl_Shutdown(PRFileDesc *fd, PRIntn how) | 2698 ssl_Shutdown(PRFileDesc *fd, PRIntn how) |
2443 { | 2699 { |
2444 sslSocket * ss = ssl_GetPrivate(fd); | 2700 sslSocket *ss = ssl_GetPrivate(fd); |
2445 PRStatus rv; | 2701 PRStatus rv; |
2446 | 2702 |
2447 if (!ss) { | 2703 if (!ss) { |
2448 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); | 2704 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); |
2449 return PR_FAILURE; | 2705 return PR_FAILURE; |
2450 } | 2706 } |
2451 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { | 2707 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { |
2452 SSL_LOCK_READER(ss); | 2708 SSL_LOCK_READER(ss); |
2453 } | 2709 } |
2454 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { | 2710 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { |
2455 SSL_LOCK_WRITER(ss); | 2711 SSL_LOCK_WRITER(ss); |
2456 } | 2712 } |
2457 | 2713 |
2458 rv = (PRStatus)(*ss->ops->shutdown)(ss, how); | 2714 rv = (PRStatus)(*ss->ops->shutdown)(ss, how); |
2459 | 2715 |
2460 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { | 2716 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { |
2461 SSL_UNLOCK_WRITER(ss); | 2717 SSL_UNLOCK_WRITER(ss); |
2462 } | 2718 } |
2463 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { | 2719 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { |
2464 SSL_UNLOCK_READER(ss); | 2720 SSL_UNLOCK_READER(ss); |
2465 } | 2721 } |
2466 return rv; | 2722 return rv; |
2467 } | 2723 } |
2468 | 2724 |
2469 static PRStatus PR_CALLBACK | 2725 static PRStatus PR_CALLBACK |
2470 ssl_Close(PRFileDesc *fd) | 2726 ssl_Close(PRFileDesc *fd) |
2471 { | 2727 { |
2472 sslSocket *ss; | 2728 sslSocket *ss; |
2473 PRStatus rv; | 2729 PRStatus rv; |
2474 | 2730 |
2475 ss = ssl_GetPrivate(fd); | 2731 ss = ssl_GetPrivate(fd); |
2476 if (!ss) { | 2732 if (!ss) { |
2477 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); | 2733 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); |
2478 return PR_FAILURE; | 2734 return PR_FAILURE; |
2479 } | 2735 } |
2480 | 2736 |
2481 /* There must not be any I/O going on */ | 2737 /* There must not be any I/O going on */ |
2482 SSL_LOCK_READER(ss); | 2738 SSL_LOCK_READER(ss); |
2483 SSL_LOCK_WRITER(ss); | 2739 SSL_LOCK_WRITER(ss); |
2484 | 2740 |
2485 /* By the time this function returns, | 2741 /* By the time this function returns, |
2486 ** ss is an invalid pointer, and the locks to which it points have | 2742 ** ss is an invalid pointer, and the locks to which it points have |
2487 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL | 2743 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL |
2488 ** where the LOCK calls and the corresponding UNLOCK calls are not in | 2744 ** where the LOCK calls and the corresponding UNLOCK calls are not in |
2489 ** the same function scope. The unlock calls are in ssl_FreeSocket(). | 2745 ** the same function scope. The unlock calls are in ssl_FreeSocket(). |
2490 */ | 2746 */ |
2491 rv = (PRStatus)(*ss->ops->close)(ss); | 2747 rv = (PRStatus)(*ss->ops->close)(ss); |
2492 | 2748 |
2493 return rv; | 2749 return rv; |
2494 } | 2750 } |
2495 | 2751 |
2496 static int PR_CALLBACK | 2752 static int PR_CALLBACK |
2497 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, | 2753 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, |
2498 PRIntervalTime timeout) | 2754 PRIntervalTime timeout) |
2499 { | 2755 { |
2500 sslSocket *ss; | 2756 sslSocket *ss; |
2501 int rv; | 2757 int rv; |
2502 | 2758 |
2503 ss = ssl_GetPrivate(fd); | 2759 ss = ssl_GetPrivate(fd); |
2504 if (!ss) { | 2760 if (!ss) { |
2505 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); | 2761 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); |
2506 return SECFailure; | 2762 return SECFailure; |
2507 } | 2763 } |
2508 SSL_LOCK_READER(ss); | 2764 SSL_LOCK_READER(ss); |
2509 ss->rTimeout = timeout; | 2765 ss->rTimeout = timeout; |
2510 if (!ss->opt.fdx) | 2766 if (!ss->opt.fdx) |
2511 ss->wTimeout = timeout; | 2767 ss->wTimeout = timeout; |
2512 rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags); | 2768 rv = (*ss->ops->recv)(ss, (unsigned char *)buf, len, flags); |
2513 SSL_UNLOCK_READER(ss); | 2769 SSL_UNLOCK_READER(ss); |
2514 return rv; | 2770 return rv; |
2515 } | 2771 } |
2516 | 2772 |
2517 static int PR_CALLBACK | 2773 static int PR_CALLBACK |
2518 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, | 2774 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, |
2519 PRIntervalTime timeout) | 2775 PRIntervalTime timeout) |
2520 { | 2776 { |
2521 sslSocket *ss; | 2777 sslSocket *ss; |
2522 int rv; | 2778 int rv; |
2523 | 2779 |
2524 ss = ssl_GetPrivate(fd); | 2780 ss = ssl_GetPrivate(fd); |
2525 if (!ss) { | 2781 if (!ss) { |
2526 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); | 2782 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); |
2527 return SECFailure; | 2783 return SECFailure; |
2528 } | 2784 } |
2529 SSL_LOCK_WRITER(ss); | 2785 SSL_LOCK_WRITER(ss); |
2530 ss->wTimeout = timeout; | 2786 ss->wTimeout = timeout; |
2531 if (!ss->opt.fdx) | 2787 if (!ss->opt.fdx) |
2532 ss->rTimeout = timeout; | 2788 ss->rTimeout = timeout; |
2533 rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags); | 2789 rv = (*ss->ops->send)(ss, (const unsigned char *)buf, len, flags); |
2534 SSL_UNLOCK_WRITER(ss); | 2790 SSL_UNLOCK_WRITER(ss); |
2535 return rv; | 2791 return rv; |
2536 } | 2792 } |
2537 | 2793 |
2538 static int PR_CALLBACK | 2794 static int PR_CALLBACK |
2539 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) | 2795 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) |
2540 { | 2796 { |
2541 sslSocket *ss; | 2797 sslSocket *ss; |
2542 int rv; | 2798 int rv; |
2543 | 2799 |
2544 ss = ssl_GetPrivate(fd); | 2800 ss = ssl_GetPrivate(fd); |
2545 if (!ss) { | 2801 if (!ss) { |
2546 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); | 2802 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); |
2547 return SECFailure; | 2803 return SECFailure; |
2548 } | 2804 } |
2549 SSL_LOCK_READER(ss); | 2805 SSL_LOCK_READER(ss); |
2550 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 2806 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
2551 if (!ss->opt.fdx) | 2807 if (!ss->opt.fdx) |
2552 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 2808 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
2553 rv = (*ss->ops->read)(ss, (unsigned char*)buf, len); | 2809 rv = (*ss->ops->read)(ss, (unsigned char *)buf, len); |
2554 SSL_UNLOCK_READER(ss); | 2810 SSL_UNLOCK_READER(ss); |
2555 return rv; | 2811 return rv; |
2556 } | 2812 } |
2557 | 2813 |
2558 static int PR_CALLBACK | 2814 static int PR_CALLBACK |
2559 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) | 2815 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) |
2560 { | 2816 { |
2561 sslSocket *ss; | 2817 sslSocket *ss; |
2562 int rv; | 2818 int rv; |
2563 | 2819 |
2564 ss = ssl_GetPrivate(fd); | 2820 ss = ssl_GetPrivate(fd); |
2565 if (!ss) { | 2821 if (!ss) { |
2566 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); | 2822 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); |
2567 return SECFailure; | 2823 return SECFailure; |
2568 } | 2824 } |
2569 SSL_LOCK_WRITER(ss); | 2825 SSL_LOCK_WRITER(ss); |
2570 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 2826 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
2571 if (!ss->opt.fdx) | 2827 if (!ss->opt.fdx) |
2572 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 2828 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
2573 rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len); | 2829 rv = (*ss->ops->write)(ss, (const unsigned char *)buf, len); |
2574 SSL_UNLOCK_WRITER(ss); | 2830 SSL_UNLOCK_WRITER(ss); |
2575 return rv; | 2831 return rv; |
2576 } | 2832 } |
2577 | 2833 |
2578 static PRStatus PR_CALLBACK | 2834 static PRStatus PR_CALLBACK |
2579 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) | 2835 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) |
2580 { | 2836 { |
2581 sslSocket *ss; | 2837 sslSocket *ss; |
2582 | 2838 |
2583 ss = ssl_GetPrivate(fd); | 2839 ss = ssl_GetPrivate(fd); |
2584 if (!ss) { | 2840 if (!ss) { |
2585 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); | 2841 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); |
2586 return PR_FAILURE; | 2842 return PR_FAILURE; |
2587 } | 2843 } |
2588 return (PRStatus)(*ss->ops->getpeername)(ss, addr); | 2844 return (PRStatus)(*ss->ops->getpeername)(ss, addr); |
2589 } | 2845 } |
2590 | 2846 |
2591 /* | 2847 /* |
2592 */ | 2848 */ |
2593 SECStatus | 2849 SECStatus |
2594 ssl_GetPeerInfo(sslSocket *ss) | 2850 ssl_GetPeerInfo(sslSocket *ss) |
2595 { | 2851 { |
2596 PRFileDesc * osfd; | 2852 PRFileDesc *osfd; |
2597 int rv; | 2853 int rv; |
2598 PRNetAddr sin; | 2854 PRNetAddr sin; |
2599 | 2855 |
2600 osfd = ss->fd->lower; | 2856 osfd = ss->fd->lower; |
2601 | 2857 |
2602 PORT_Memset(&sin, 0, sizeof(sin)); | 2858 PORT_Memset(&sin, 0, sizeof(sin)); |
2603 rv = osfd->methods->getpeername(osfd, &sin); | 2859 rv = osfd->methods->getpeername(osfd, &sin); |
2604 if (rv < 0) { | 2860 if (rv < 0) { |
2605 return SECFailure; | 2861 return SECFailure; |
2606 } | 2862 } |
2607 ss->TCPconnected = 1; | 2863 ss->TCPconnected = 1; |
2608 if (sin.inet.family == PR_AF_INET) { | 2864 if (sin.inet.family == PR_AF_INET) { |
(...skipping 28 matching lines...) Expand all Loading... |
2637 { | 2893 { |
2638 sslSocket *ss; | 2894 sslSocket *ss; |
2639 | 2895 |
2640 ss = ssl_FindSocket(fd); | 2896 ss = ssl_FindSocket(fd); |
2641 if (!ss) { | 2897 if (!ss) { |
2642 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses", | 2898 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses", |
2643 SSL_GETPID(), fd)); | 2899 SSL_GETPID(), fd)); |
2644 return SECFailure; | 2900 return SECFailure; |
2645 } | 2901 } |
2646 | 2902 |
2647 if ( kea <= 0 || kea >= kt_kea_size) { | 2903 if (kea <= 0 || kea >= kt_kea_size) { |
2648 SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses", | 2904 SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetStapledOCSPResponses", |
2649 SSL_GETPID(), fd)); | 2905 SSL_GETPID(), fd)); |
2650 return SECFailure; | 2906 return SECFailure; |
2651 } | 2907 } |
2652 | 2908 |
2653 if (ss->certStatusArray[kea]) { | 2909 if (ss->certStatusArray[kea]) { |
2654 SECITEM_FreeArray(ss->certStatusArray[kea], PR_TRUE); | 2910 SECITEM_FreeArray(ss->certStatusArray[kea], PR_TRUE); |
2655 ss->certStatusArray[kea] = NULL; | 2911 ss->certStatusArray[kea] = NULL; |
2656 } | 2912 } |
2657 if (responses) { | 2913 if (responses) { |
2658 ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses); | 2914 ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses); |
2659 } | 2915 } |
2660 return (ss->certStatusArray[kea] || !responses) ? SECSuccess : SECFailure; | 2916 return (ss->certStatusArray[kea] || !responses) ? SECSuccess : SECFailure; |
2661 } | 2917 } |
2662 | 2918 |
2663 SECStatus | 2919 SECStatus |
| 2920 SSL_SetSignedCertTimestamps(PRFileDesc *fd, const SECItem *scts, SSLKEAType kea) |
| 2921 { |
| 2922 sslSocket *ss; |
| 2923 |
| 2924 ss = ssl_FindSocket(fd); |
| 2925 if (!ss) { |
| 2926 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSignedCertTimestamps", |
| 2927 SSL_GETPID(), fd)); |
| 2928 return SECFailure; |
| 2929 } |
| 2930 |
| 2931 if (kea <= 0 || kea >= kt_kea_size) { |
| 2932 SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetSignedCertTimestamps", |
| 2933 SSL_GETPID(), fd)); |
| 2934 return SECFailure; |
| 2935 } |
| 2936 |
| 2937 if (ss->signedCertTimestamps[kea].data) { |
| 2938 SECITEM_FreeItem(&ss->signedCertTimestamps[kea], PR_FALSE); |
| 2939 } |
| 2940 |
| 2941 if (!scts) { |
| 2942 return SECSuccess; |
| 2943 } |
| 2944 |
| 2945 return SECITEM_CopyItem(NULL, &ss->signedCertTimestamps[kea], scts); |
| 2946 } |
| 2947 |
| 2948 SECStatus |
2664 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) | 2949 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) |
2665 { | 2950 { |
2666 sslSocket *ss; | 2951 sslSocket *ss; |
2667 | 2952 |
2668 ss = ssl_FindSocket(fd); | 2953 ss = ssl_FindSocket(fd); |
2669 if (!ss) { | 2954 if (!ss) { |
2670 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID", | 2955 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID", |
2671 SSL_GETPID(), fd)); | 2956 SSL_GETPID(), fd)); |
2672 return SECFailure; | 2957 return SECFailure; |
2673 } | 2958 } |
2674 | 2959 |
2675 if (ss->peerID) { | 2960 if (ss->peerID) { |
2676 PORT_Free(ss->peerID); | 2961 PORT_Free(ss->peerID); |
2677 ss->peerID = NULL; | 2962 ss->peerID = NULL; |
2678 } | 2963 } |
2679 if (peerID) | 2964 if (peerID) |
2680 ss->peerID = PORT_Strdup(peerID); | 2965 ss->peerID = PORT_Strdup(peerID); |
2681 return (ss->peerID || !peerID) ? SECSuccess : SECFailure; | 2966 return (ss->peerID || !peerID) ? SECSuccess : SECFailure; |
2682 } | 2967 } |
2683 | 2968 |
2684 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) | 2969 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) |
2685 | 2970 |
2686 static PRInt16 PR_CALLBACK | 2971 static PRInt16 PR_CALLBACK |
2687 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) | 2972 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) |
2688 { | 2973 { |
2689 sslSocket *ss; | 2974 sslSocket *ss; |
2690 PRInt16 new_flags = how_flags; /* should select on these flags. */ | 2975 PRInt16 new_flags = how_flags; /* should select on these flags. */ |
2691 PRNetAddr addr; | 2976 PRNetAddr addr; |
2692 | 2977 |
2693 *p_out_flags = 0; | 2978 *p_out_flags = 0; |
2694 ss = ssl_GetPrivate(fd); | 2979 ss = ssl_GetPrivate(fd); |
2695 if (!ss) { | 2980 if (!ss) { |
2696 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", | 2981 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", |
2697 SSL_GETPID(), fd)); | 2982 SSL_GETPID(), fd)); |
2698 return 0; /* don't poll on this socket */ | 2983 return 0; /* don't poll on this socket */ |
2699 } | 2984 } |
2700 | 2985 |
2701 if (ss->opt.useSecurity && | 2986 if (ss->opt.useSecurity && |
2702 ss->handshaking != sslHandshakingUndetermined && | 2987 ss->handshaking != sslHandshakingUndetermined && |
2703 !ss->firstHsDone && | 2988 !ss->firstHsDone && |
2704 (how_flags & PR_POLL_RW)) { | 2989 (how_flags & PR_POLL_RW)) { |
2705 if (!ss->TCPconnected) { | 2990 if (!ss->TCPconnected) { |
2706 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); | 2991 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); |
2707 } | 2992 } |
2708 /* If it's not connected, then presumably the application is polling | 2993 /* If it's not connected, then presumably the application is polling |
2709 ** on read or write appropriately, so don't change it. | 2994 ** on read or write appropriately, so don't change it. |
2710 */ | 2995 */ |
2711 if (ss->TCPconnected) { | 2996 if (ss->TCPconnected) { |
2712 if (!ss->handshakeBegun) { | 2997 if (!ss->handshakeBegun) { |
2713 /* If the handshake has not begun, poll on read or write | 2998 /* If the handshake has not begun, poll on read or write |
2714 ** based on the local application's role in the handshake, | 2999 ** based on the local application's role in the handshake, |
2715 ** not based on what the application requested. | 3000 ** not based on what the application requested. |
2716 */ | 3001 */ |
2717 new_flags &= ~PR_POLL_RW; | 3002 new_flags &= ~PR_POLL_RW; |
2718 if (ss->handshaking == sslHandshakingAsClient) { | 3003 if (ss->handshaking == sslHandshakingAsClient) { |
2719 new_flags |= PR_POLL_WRITE; | 3004 new_flags |= PR_POLL_WRITE; |
2720 } else { /* handshaking as server */ | 3005 } else { /* handshaking as server */ |
2721 new_flags |= PR_POLL_READ; | 3006 new_flags |= PR_POLL_READ; |
2722 } | 3007 } |
2723 } else | 3008 } else |
2724 /* First handshake is in progress */ | 3009 /* First handshake is in progress */ |
2725 if (ss->lastWriteBlocked) { | 3010 if (ss->lastWriteBlocked) { |
2726 if (new_flags & PR_POLL_READ) { | 3011 if (new_flags & PR_POLL_READ) { |
2727 /* The caller is waiting for data to be received, | 3012 /* The caller is waiting for data to be received, |
2728 ** but the initial handshake is blocked on write, or the | 3013 ** but the initial handshake is blocked on write, or the |
2729 ** client's first handshake record has not been written. | 3014 ** client's first handshake record has not been written. |
2730 ** The code should select on write, not read. | 3015 ** The code should select on write, not read. |
2731 */ | 3016 */ |
2732 new_flags ^= PR_POLL_READ; /* don't select on read. */ | 3017 new_flags ^= PR_POLL_READ; /* don't select on read. */ |
2733 new_flags |= PR_POLL_WRITE; /* do select on write. */ | 3018 new_flags |= PR_POLL_WRITE; /* do select on write. */ |
2734 } | 3019 } |
2735 } else if (new_flags & PR_POLL_WRITE) { | 3020 } else if (new_flags & PR_POLL_WRITE) { |
2736 /* The caller is trying to write, but the handshake is | 3021 /* The caller is trying to write, but the handshake is |
2737 ** blocked waiting for data to read, and the first | 3022 ** blocked waiting for data to read, and the first |
2738 ** handshake has been sent. So do NOT to poll on write | 3023 ** handshake has been sent. So do NOT to poll on write |
2739 ** unless we did false start. | 3024 ** unless we did false start. |
2740 */ | 3025 */ |
2741 if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 && | 3026 if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 && |
2742 ss->ssl3.hs.canFalseStart)) { | 3027 ss->ssl3.hs.canFalseStart)) { |
2743 new_flags ^= PR_POLL_WRITE; /* don't select on write. */ | 3028 new_flags ^= PR_POLL_WRITE; /* don't select on write. */ |
2744 } | 3029 } |
2745 new_flags |= PR_POLL_READ; /* do select on read. */ | 3030 new_flags |= PR_POLL_READ; /* do select on read. */ |
2746 } | 3031 } |
2747 } | 3032 } |
2748 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { | 3033 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { |
2749 *p_out_flags = PR_POLL_READ; /* it's ready already. */ | 3034 *p_out_flags = PR_POLL_READ; /* it's ready already. */ |
2750 return new_flags; | 3035 return new_flags; |
2751 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && | 3036 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && |
2752 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ | 3037 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ |
2753 new_flags |= PR_POLL_WRITE; /* also select on write. */ | 3038 new_flags |= PR_POLL_WRITE; /* also select on write. */ |
2754 } | 3039 } |
2755 | 3040 |
2756 if (ss->version >= SSL_LIBRARY_VERSION_3_0 && | 3041 if (ss->version >= SSL_LIBRARY_VERSION_3_0 && |
2757 ss->ssl3.hs.restartTarget != NULL) { | 3042 ss->ssl3.hs.restartTarget != NULL) { |
2758 /* Read and write will block until the asynchronous callback completes | 3043 /* Read and write will block until the asynchronous callback completes |
2759 * (e.g. until SSL_AuthCertificateComplete is called), so don't tell | 3044 * (e.g. until SSL_AuthCertificateComplete is called), so don't tell |
2760 * the caller to poll the socket unless there is pending write data. | 3045 * the caller to poll the socket unless there is pending write data. |
2761 */ | 3046 */ |
2762 if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { | 3047 if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { |
2763 /* Ignore any newly-received data on the socket, but do wait for | 3048 /* Ignore any newly-received data on the socket, but do wait for |
(...skipping 11 matching lines...) Expand all Loading... |
2775 * prevent the application from spinning (alternating between | 3060 * prevent the application from spinning (alternating between |
2776 * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv | 3061 * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv |
2777 * which won't actually report the I/O error while we are waiting | 3062 * which won't actually report the I/O error while we are waiting |
2778 * for the asynchronous callback to complete). | 3063 * for the asynchronous callback to complete). |
2779 */ | 3064 */ |
2780 new_flags = 0; | 3065 new_flags = 0; |
2781 } | 3066 } |
2782 } | 3067 } |
2783 | 3068 |
2784 if (new_flags && (fd->lower->methods->poll != NULL)) { | 3069 if (new_flags && (fd->lower->methods->poll != NULL)) { |
2785 PRInt16 lower_out_flags = 0; | 3070 PRInt16 lower_out_flags = 0; |
2786 PRInt16 lower_new_flags; | 3071 PRInt16 lower_new_flags; |
2787 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, | 3072 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, |
2788 &lower_out_flags); | 3073 &lower_out_flags); |
2789 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { | 3074 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { |
2790 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; | 3075 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; |
2791 if (lower_out_flags & PR_POLL_READ) | 3076 if (lower_out_flags & PR_POLL_READ) |
2792 out_flags |= PR_POLL_WRITE; | 3077 out_flags |= PR_POLL_WRITE; |
2793 if (lower_out_flags & PR_POLL_WRITE) | 3078 if (lower_out_flags & PR_POLL_WRITE) |
2794 out_flags |= PR_POLL_READ; | 3079 out_flags |= PR_POLL_READ; |
2795 *p_out_flags = out_flags; | 3080 *p_out_flags = out_flags; |
2796 new_flags = how_flags; | 3081 new_flags = how_flags; |
2797 } else { | 3082 } else { |
2798 *p_out_flags = lower_out_flags; | 3083 *p_out_flags = lower_out_flags; |
2799 new_flags = lower_new_flags; | 3084 new_flags = lower_new_flags; |
2800 } | 3085 } |
2801 } | 3086 } |
2802 | 3087 |
2803 return new_flags; | 3088 return new_flags; |
2804 } | 3089 } |
2805 | 3090 |
2806 static PRInt32 PR_CALLBACK | 3091 static PRInt32 PR_CALLBACK |
2807 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, | 3092 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, |
2808 const void *headers, PRInt32 hlen, | 3093 const void *headers, PRInt32 hlen, |
2809 PRTransmitFileFlags flags, PRIntervalTime timeout) | 3094 PRTransmitFileFlags flags, PRIntervalTime timeout) |
2810 { | 3095 { |
2811 PRSendFileData sfd; | 3096 PRSendFileData sfd; |
2812 | 3097 |
2813 sfd.fd = fd; | 3098 sfd.fd = fd; |
2814 sfd.file_offset = 0; | 3099 sfd.file_offset = 0; |
2815 sfd.file_nbytes = 0; | 3100 sfd.file_nbytes = 0; |
2816 sfd.header = headers; | 3101 sfd.header = headers; |
2817 sfd.hlen = hlen; | 3102 sfd.hlen = hlen; |
2818 sfd.trailer = NULL; | 3103 sfd.trailer = NULL; |
2819 sfd.tlen = 0; | 3104 sfd.tlen = 0; |
2820 | 3105 |
2821 return sd->methods->sendfile(sd, &sfd, flags, timeout); | 3106 return sd->methods->sendfile(sd, &sfd, flags, timeout); |
2822 } | 3107 } |
2823 | 3108 |
2824 | |
2825 PRBool | 3109 PRBool |
2826 ssl_FdIsBlocking(PRFileDesc *fd) | 3110 ssl_FdIsBlocking(PRFileDesc *fd) |
2827 { | 3111 { |
2828 PRSocketOptionData opt; | 3112 PRSocketOptionData opt; |
2829 PRStatus status; | 3113 PRStatus status; |
2830 | 3114 |
2831 opt.option = PR_SockOpt_Nonblocking; | 3115 opt.option = PR_SockOpt_Nonblocking; |
2832 opt.value.non_blocking = PR_FALSE; | 3116 opt.value.non_blocking = PR_FALSE; |
2833 status = PR_GetSocketOption(fd, &opt); | 3117 status = PR_GetSocketOption(fd, &opt); |
2834 if (status != PR_SUCCESS) | 3118 if (status != PR_SUCCESS) |
2835 return PR_FALSE; | 3119 return PR_FALSE; |
2836 return (PRBool)!opt.value.non_blocking; | 3120 return (PRBool)!opt.value.non_blocking; |
2837 } | 3121 } |
2838 | 3122 |
2839 PRBool | 3123 PRBool |
2840 ssl_SocketIsBlocking(sslSocket *ss) | 3124 ssl_SocketIsBlocking(sslSocket *ss) |
2841 { | 3125 { |
2842 return ssl_FdIsBlocking(ss->fd); | 3126 return ssl_FdIsBlocking(ss->fd); |
2843 } | 3127 } |
2844 | 3128 |
2845 PRInt32 sslFirstBufSize = 8 * 1024; | 3129 PRInt32 sslFirstBufSize = 8 * 1024; |
2846 PRInt32 sslCopyLimit = 1024; | 3130 PRInt32 sslCopyLimit = 1024; |
2847 | 3131 |
2848 static PRInt32 PR_CALLBACK | 3132 static PRInt32 PR_CALLBACK |
2849 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, | 3133 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
2850 PRIntervalTime timeout) | 3134 PRIntervalTime timeout) |
2851 { | 3135 { |
2852 PRInt32 i; | 3136 PRInt32 i; |
2853 PRInt32 bufLen; | 3137 PRInt32 bufLen; |
2854 PRInt32 left; | 3138 PRInt32 left; |
2855 PRInt32 rv; | 3139 PRInt32 rv; |
2856 PRInt32 sent = 0; | 3140 PRInt32 sent = 0; |
2857 const PRInt32 first_len = sslFirstBufSize; | 3141 const PRInt32 first_len = sslFirstBufSize; |
2858 const PRInt32 limit = sslCopyLimit; | 3142 const PRInt32 limit = sslCopyLimit; |
2859 PRBool blocking; | 3143 PRBool blocking; |
2860 PRIOVec myIov = { 0, 0 }; | 3144 PRIOVec myIov = { 0, 0 }; |
2861 char buf[MAX_FRAGMENT_LENGTH]; | 3145 char buf[MAX_FRAGMENT_LENGTH]; |
2862 | 3146 |
2863 if (vectors < 0) { | 3147 if (vectors < 0) { |
2864 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 3148 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
2865 return -1; | 3149 return -1; |
2866 } | 3150 } |
2867 if (vectors > PR_MAX_IOVECTOR_SIZE) { | 3151 if (vectors > PR_MAX_IOVECTOR_SIZE) { |
2868 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); | 3152 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); |
2869 return -1; | 3153 return -1; |
2870 } | 3154 } |
2871 for (i = 0; i < vectors; i++) { | 3155 for (i = 0; i < vectors; i++) { |
2872 if (iov[i].iov_len < 0) { | 3156 if (iov[i].iov_len < 0) { |
2873 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 3157 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
2874 return -1; | 3158 return -1; |
2875 } | 3159 } |
2876 } | 3160 } |
2877 blocking = ssl_FdIsBlocking(fd); | 3161 blocking = ssl_FdIsBlocking(fd); |
2878 | 3162 |
2879 #define K16 sizeof(buf) | 3163 #define K16 sizeof(buf) |
2880 #define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; } | 3164 #define KILL_VECTORS \ |
2881 #define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0) | 3165 while (vectors && !iov->iov_len) { \ |
2882 #define HANDLE_ERR(rv, len) \ | 3166 ++iov; \ |
2883 if (rv != len) { \ | 3167 --vectors; \ |
2884 if (rv < 0) { \ | 3168 } |
2885 if (!blocking \ | 3169 #define GET_VECTOR \ |
2886 && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \ | 3170 do { \ |
2887 && (sent > 0)) { \ | 3171 myIov = *iov++; \ |
2888 return sent; \ | 3172 --vectors; \ |
2889 } else { \ | 3173 KILL_VECTORS \ |
2890 return -1; \ | 3174 } while (0) |
2891 } \ | 3175 #define HANDLE_ERR(rv, len) \ |
2892 } \ | 3176 if (rv != len) { \ |
| 3177 if (rv < 0) { \ |
| 3178 if (!blocking && \ |
| 3179 (PR_GetError() == PR_WOULD_BLOCK_ERROR) && \ |
| 3180 (sent > 0)) { \ |
| 3181 return sent; \ |
| 3182 } else { \ |
| 3183 return -1; \ |
| 3184 } \ |
| 3185 } \ |
2893 /* Only a nonblocking socket can have partial sends */ \ | 3186 /* Only a nonblocking socket can have partial sends */ \ |
2894 PR_ASSERT(!blocking); \ | 3187 PR_ASSERT(!blocking); \ |
2895 return sent + rv; \ | 3188 return sent + rv; \ |
2896 } | 3189 } |
2897 #define SEND(bfr, len) \ | 3190 #define SEND(bfr, len) \ |
2898 do { \ | 3191 do { \ |
2899 rv = ssl_Send(fd, bfr, len, 0, timeout); \ | 3192 rv = ssl_Send(fd, bfr, len, 0, timeout); \ |
2900 HANDLE_ERR(rv, len) \ | 3193 HANDLE_ERR(rv, len) \ |
2901 sent += len; \ | 3194 sent += len; \ |
2902 } while (0) | 3195 } while (0) |
2903 | 3196 |
2904 /* Make sure the first write is at least 8 KB, if possible. */ | 3197 /* Make sure the first write is at least 8 KB, if possible. */ |
2905 KILL_VECTORS | 3198 KILL_VECTORS |
2906 if (!vectors) | 3199 if (!vectors) |
2907 return ssl_Send(fd, 0, 0, 0, timeout); | 3200 return ssl_Send(fd, 0, 0, 0, timeout); |
2908 GET_VECTOR; | 3201 GET_VECTOR; |
2909 if (!vectors) { | 3202 if (!vectors) { |
2910 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); | 3203 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); |
2911 } | 3204 } |
2912 if (myIov.iov_len < first_len) { | 3205 if (myIov.iov_len < first_len) { |
2913 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); | 3206 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); |
2914 bufLen = myIov.iov_len; | 3207 bufLen = myIov.iov_len; |
2915 left = first_len - bufLen; | 3208 left = first_len - bufLen; |
2916 while (vectors && left) { | 3209 while (vectors && left) { |
2917 int toCopy; | 3210 int toCopy; |
2918 GET_VECTOR; | 3211 GET_VECTOR; |
2919 toCopy = PR_MIN(left, myIov.iov_len); | 3212 toCopy = PR_MIN(left, myIov.iov_len); |
2920 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); | 3213 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); |
2921 bufLen += toCopy; | 3214 bufLen += toCopy; |
2922 left -= toCopy; | 3215 left -= toCopy; |
2923 myIov.iov_base += toCopy; | 3216 myIov.iov_base += toCopy; |
2924 myIov.iov_len -= toCopy; | 3217 myIov.iov_len -= toCopy; |
2925 } | 3218 } |
2926 SEND( buf, bufLen ); | 3219 SEND(buf, bufLen); |
2927 } | 3220 } |
2928 | 3221 |
2929 while (vectors || myIov.iov_len) { | 3222 while (vectors || myIov.iov_len) { |
2930 PRInt32 addLen; | 3223 PRInt32 addLen; |
2931 if (!myIov.iov_len) { | 3224 if (!myIov.iov_len) { |
2932 GET_VECTOR; | 3225 GET_VECTOR; |
2933 } | 3226 } |
2934 while (myIov.iov_len >= K16) { | 3227 while (myIov.iov_len >= K16) { |
2935 SEND(myIov.iov_base, K16); | 3228 SEND(myIov.iov_base, K16); |
2936 myIov.iov_base += K16; | 3229 myIov.iov_base += K16; |
2937 myIov.iov_len -= K16; | 3230 myIov.iov_len -= K16; |
2938 } | 3231 } |
2939 if (!myIov.iov_len) | 3232 if (!myIov.iov_len) |
2940 continue; | 3233 continue; |
2941 | 3234 |
2942 if (!vectors || myIov.iov_len > limit) { | 3235 if (!vectors || myIov.iov_len > limit) { |
2943 addLen = 0; | 3236 addLen = 0; |
2944 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { | 3237 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { |
2945 /* Addlen is already computed. */; | 3238 /* Addlen is already computed. */; |
2946 } else if (vectors > 1 && | 3239 } else if (vectors > 1 && |
2947 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { | 3240 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { |
2948 addLen = limit - myIov.iov_len; | 3241 addLen = limit - myIov.iov_len; |
2949 } else | 3242 } else |
2950 addLen = 0; | 3243 addLen = 0; |
2951 | 3244 |
2952 if (!addLen) { | 3245 if (!addLen) { |
2953 SEND( myIov.iov_base, myIov.iov_len ); | 3246 SEND(myIov.iov_base, myIov.iov_len); |
2954 myIov.iov_len = 0; | 3247 myIov.iov_len = 0; |
2955 continue; | 3248 continue; |
2956 } | 3249 } |
2957 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); | 3250 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); |
2958 bufLen = myIov.iov_len; | 3251 bufLen = myIov.iov_len; |
2959 do { | 3252 do { |
2960 GET_VECTOR; | 3253 GET_VECTOR; |
2961 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); | 3254 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); |
2962 myIov.iov_base += addLen; | 3255 myIov.iov_base += addLen; |
2963 myIov.iov_len -= addLen; | 3256 myIov.iov_len -= addLen; |
2964 bufLen += addLen; | 3257 bufLen += addLen; |
2965 | 3258 |
2966 left = PR_MIN( limit, K16 - bufLen); | 3259 left = PR_MIN(limit, K16 - bufLen); |
2967 if (!vectors /* no more left */ | 3260 if (!vectors /* no more left */ |
2968 || myIov.iov_len > 0 /* we didn't use that one all up */ | 3261 || myIov.iov_len > 0 /* we didn't use that one all up */ |
2969 || bufLen >= K16 /* it's full. */ | 3262 || bufLen >= K16 /* it's full. */) { |
2970 ) { | |
2971 addLen = 0; | 3263 addLen = 0; |
2972 } else if ((addLen = iov->iov_len % K16) <= left) { | 3264 } else if ((addLen = iov->iov_len % K16) <= left) { |
2973 /* Addlen is already computed. */; | 3265 /* Addlen is already computed. */; |
2974 } else if (vectors > 1 && | 3266 } else if (vectors > 1 && |
2975 iov[1].iov_len % K16 + addLen <= left + limit) { | 3267 iov[1].iov_len % K16 + addLen <= left + limit) { |
2976 addLen = left; | 3268 addLen = left; |
2977 } else | 3269 } else |
2978 addLen = 0; | 3270 addLen = 0; |
2979 | 3271 |
2980 } while (addLen); | 3272 } while (addLen); |
2981 SEND( buf, bufLen ); | 3273 SEND(buf, bufLen); |
2982 } | 3274 } |
2983 return sent; | 3275 return sent; |
2984 } | 3276 } |
2985 | 3277 |
2986 /* | 3278 /* |
2987 * These functions aren't implemented. | 3279 * These functions aren't implemented. |
2988 */ | 3280 */ |
2989 | 3281 |
2990 static PRInt32 PR_CALLBACK | 3282 static PRInt32 PR_CALLBACK |
2991 ssl_Available(PRFileDesc *fd) | 3283 ssl_Available(PRFileDesc *fd) |
(...skipping 16 matching lines...) Expand all Loading... |
3008 | 3300 |
3009 static PRStatus PR_CALLBACK | 3301 static PRStatus PR_CALLBACK |
3010 ssl_FSync(PRFileDesc *fd) | 3302 ssl_FSync(PRFileDesc *fd) |
3011 { | 3303 { |
3012 PORT_Assert(0); | 3304 PORT_Assert(0); |
3013 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 3305 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
3014 return PR_FAILURE; | 3306 return PR_FAILURE; |
3015 } | 3307 } |
3016 | 3308 |
3017 static PRInt32 PR_CALLBACK | 3309 static PRInt32 PR_CALLBACK |
3018 ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) { | 3310 ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) |
| 3311 { |
3019 PORT_Assert(0); | 3312 PORT_Assert(0); |
3020 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 3313 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
3021 return SECFailure; | 3314 return SECFailure; |
3022 } | 3315 } |
3023 | 3316 |
3024 static PRInt64 PR_CALLBACK | 3317 static PRInt64 PR_CALLBACK |
3025 ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) { | 3318 ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) |
| 3319 { |
3026 PRInt64 res; | 3320 PRInt64 res; |
3027 | 3321 |
3028 PORT_Assert(0); | 3322 PORT_Assert(0); |
3029 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 3323 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
3030 LL_I2L(res, -1L); | 3324 LL_I2L(res, -1L); |
3031 return res; | 3325 return res; |
3032 } | 3326 } |
3033 | 3327 |
3034 static PRStatus PR_CALLBACK | 3328 static PRStatus PR_CALLBACK |
3035 ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info) | 3329 ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info) |
(...skipping 24 matching lines...) Expand all Loading... |
3060 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, | 3354 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, |
3061 const PRNetAddr *addr, PRIntervalTime timeout) | 3355 const PRNetAddr *addr, PRIntervalTime timeout) |
3062 { | 3356 { |
3063 PORT_Assert(0); | 3357 PORT_Assert(0); |
3064 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); | 3358 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
3065 return SECFailure; | 3359 return SECFailure; |
3066 } | 3360 } |
3067 | 3361 |
3068 static const PRIOMethods ssl_methods = { | 3362 static const PRIOMethods ssl_methods = { |
3069 PR_DESC_LAYERED, | 3363 PR_DESC_LAYERED, |
3070 ssl_Close, /* close */ | 3364 ssl_Close, /* close */ |
3071 ssl_Read, /* read */ | 3365 ssl_Read, /* read */ |
3072 ssl_Write, /* write */ | 3366 ssl_Write, /* write */ |
3073 ssl_Available, /* available */ | 3367 ssl_Available, /* available */ |
3074 ssl_Available64, /* available64 */ | 3368 ssl_Available64, /* available64 */ |
3075 ssl_FSync, /* fsync */ | 3369 ssl_FSync, /* fsync */ |
3076 ssl_Seek, /* seek */ | 3370 ssl_Seek, /* seek */ |
3077 ssl_Seek64, /* seek64 */ | 3371 ssl_Seek64, /* seek64 */ |
3078 ssl_FileInfo, /* fileInfo */ | 3372 ssl_FileInfo, /* fileInfo */ |
3079 ssl_FileInfo64, /* fileInfo64 */ | 3373 ssl_FileInfo64, /* fileInfo64 */ |
3080 ssl_WriteV, /* writev */ | 3374 ssl_WriteV, /* writev */ |
3081 ssl_Connect, /* connect */ | 3375 ssl_Connect, /* connect */ |
3082 ssl_Accept, /* accept */ | 3376 ssl_Accept, /* accept */ |
3083 ssl_Bind, /* bind */ | 3377 ssl_Bind, /* bind */ |
3084 ssl_Listen, /* listen */ | 3378 ssl_Listen, /* listen */ |
3085 ssl_Shutdown, /* shutdown */ | 3379 ssl_Shutdown, /* shutdown */ |
3086 ssl_Recv, /* recv */ | 3380 ssl_Recv, /* recv */ |
3087 ssl_Send, /* send */ | 3381 ssl_Send, /* send */ |
3088 ssl_RecvFrom, /* recvfrom */ | 3382 ssl_RecvFrom, /* recvfrom */ |
3089 ssl_SendTo, /* sendto */ | 3383 ssl_SendTo, /* sendto */ |
3090 ssl_Poll, /* poll */ | 3384 ssl_Poll, /* poll */ |
3091 PR_EmulateAcceptRead, /* acceptread */ | 3385 PR_EmulateAcceptRead, /* acceptread */ |
3092 ssl_TransmitFile, /* transmitfile */ | 3386 ssl_TransmitFile, /* transmitfile */ |
3093 ssl_GetSockName, /* getsockname */ | 3387 ssl_GetSockName, /* getsockname */ |
3094 ssl_GetPeerName, /* getpeername */ | 3388 ssl_GetPeerName, /* getpeername */ |
3095 NULL, /* getsockopt OBSOLETE */ | 3389 NULL, /* getsockopt OBSOLETE */ |
3096 NULL, /* setsockopt OBSOLETE */ | 3390 NULL, /* setsockopt OBSOLETE */ |
3097 NULL, /* getsocketoption */ | 3391 NULL, /* getsocketoption */ |
3098 NULL, /* setsocketoption */ | 3392 NULL, /* setsocketoption */ |
3099 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ | 3393 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ |
3100 NULL, /* reserved for future use */ | 3394 NULL, /* reserved for future use */ |
3101 NULL, /* reserved for future use */ | 3395 NULL, /* reserved for future use */ |
3102 NULL, /* reserved for future use */ | 3396 NULL, /* reserved for future use */ |
3103 NULL, /* reserved for future use */ | 3397 NULL, /* reserved for future use */ |
3104 NULL /* reserved for future use */ | 3398 NULL /* reserved for future use */ |
3105 }; | 3399 }; |
3106 | 3400 |
3107 | |
3108 static PRIOMethods combined_methods; | 3401 static PRIOMethods combined_methods; |
3109 | 3402 |
3110 static void | 3403 static void |
3111 ssl_SetupIOMethods(void) | 3404 ssl_SetupIOMethods(void) |
3112 { | 3405 { |
3113 PRIOMethods *new_methods = &combined_methods; | 3406 PRIOMethods *new_methods = &combined_methods; |
3114 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); | 3407 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); |
3115 const PRIOMethods *my_methods = &ssl_methods; | 3408 const PRIOMethods *my_methods = &ssl_methods; |
3116 | 3409 |
3117 *new_methods = *nspr_methods; | 3410 *new_methods = *nspr_methods; |
3118 | 3411 |
3119 new_methods->file_type = my_methods->file_type; | 3412 new_methods->file_type = my_methods->file_type; |
3120 new_methods->close = my_methods->close; | 3413 new_methods->close = my_methods->close; |
3121 new_methods->read = my_methods->read; | 3414 new_methods->read = my_methods->read; |
3122 new_methods->write = my_methods->write; | 3415 new_methods->write = my_methods->write; |
3123 new_methods->available = my_methods->available; | 3416 new_methods->available = my_methods->available; |
3124 new_methods->available64 = my_methods->available64; | 3417 new_methods->available64 = my_methods->available64; |
3125 new_methods->fsync = my_methods->fsync; | 3418 new_methods->fsync = my_methods->fsync; |
3126 new_methods->seek = my_methods->seek; | 3419 new_methods->seek = my_methods->seek; |
3127 new_methods->seek64 = my_methods->seek64; | 3420 new_methods->seek64 = my_methods->seek64; |
3128 new_methods->fileInfo = my_methods->fileInfo; | 3421 new_methods->fileInfo = my_methods->fileInfo; |
3129 new_methods->fileInfo64 = my_methods->fileInfo64; | 3422 new_methods->fileInfo64 = my_methods->fileInfo64; |
3130 new_methods->writev = my_methods->writev; | 3423 new_methods->writev = my_methods->writev; |
3131 new_methods->connect = my_methods->connect; | 3424 new_methods->connect = my_methods->connect; |
3132 new_methods->accept = my_methods->accept; | 3425 new_methods->accept = my_methods->accept; |
3133 new_methods->bind = my_methods->bind; | 3426 new_methods->bind = my_methods->bind; |
3134 new_methods->listen = my_methods->listen; | 3427 new_methods->listen = my_methods->listen; |
3135 new_methods->shutdown = my_methods->shutdown; | 3428 new_methods->shutdown = my_methods->shutdown; |
3136 new_methods->recv = my_methods->recv; | 3429 new_methods->recv = my_methods->recv; |
3137 new_methods->send = my_methods->send; | 3430 new_methods->send = my_methods->send; |
3138 new_methods->recvfrom = my_methods->recvfrom; | 3431 new_methods->recvfrom = my_methods->recvfrom; |
3139 new_methods->sendto = my_methods->sendto; | 3432 new_methods->sendto = my_methods->sendto; |
3140 new_methods->poll = my_methods->poll; | 3433 new_methods->poll = my_methods->poll; |
3141 new_methods->acceptread = my_methods->acceptread; | 3434 new_methods->acceptread = my_methods->acceptread; |
3142 new_methods->transmitfile = my_methods->transmitfile; | 3435 new_methods->transmitfile = my_methods->transmitfile; |
3143 new_methods->getsockname = my_methods->getsockname; | 3436 new_methods->getsockname = my_methods->getsockname; |
3144 new_methods->getpeername = my_methods->getpeername; | 3437 new_methods->getpeername = my_methods->getpeername; |
3145 /* new_methods->getsocketoption = my_methods->getsocketoption; */ | 3438 /* new_methods->getsocketoption = my_methods->getsocketoption; */ |
3146 /* new_methods->setsocketoption = my_methods->setsocketoption; */ | 3439 /* new_methods->setsocketoption = my_methods->setsocketoption; */ |
3147 new_methods->sendfile = my_methods->sendfile; | 3440 new_methods->sendfile = my_methods->sendfile; |
3148 | |
3149 } | 3441 } |
3150 | 3442 |
3151 static PRCallOnceType initIoLayerOnce; | 3443 static PRCallOnceType initIoLayerOnce; |
3152 | 3444 |
3153 static PRStatus | 3445 static PRStatus |
3154 ssl_InitIOLayer(void) | 3446 ssl_InitIOLayer(void) |
3155 { | 3447 { |
3156 ssl_layer_id = PR_GetUniqueIdentity("SSL"); | 3448 ssl_layer_id = PR_GetUniqueIdentity("SSL"); |
3157 ssl_SetupIOMethods(); | 3449 ssl_SetupIOMethods(); |
3158 ssl_inited = PR_TRUE; | 3450 ssl_inited = PR_TRUE; |
3159 return PR_SUCCESS; | 3451 return PR_SUCCESS; |
3160 } | 3452 } |
3161 | 3453 |
3162 static PRStatus | 3454 static PRStatus |
3163 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) | 3455 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) |
3164 { | 3456 { |
3165 PRFileDesc *layer = NULL; | 3457 PRFileDesc *layer = NULL; |
3166 PRStatus status; | 3458 PRStatus status; |
3167 | 3459 |
3168 if (!ssl_inited) { | 3460 if (!ssl_inited) { |
3169 status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); | 3461 status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); |
3170 if (status != PR_SUCCESS) | 3462 if (status != PR_SUCCESS) |
3171 goto loser; | 3463 goto loser; |
3172 } | 3464 } |
3173 | 3465 |
3174 if (ns == NULL) | 3466 if (ns == NULL) |
3175 goto loser; | 3467 goto loser; |
3176 | 3468 |
(...skipping 27 matching lines...) Expand all Loading... |
3204 return PR_FAILURE; | 3496 return PR_FAILURE; |
3205 } | 3497 } |
3206 | 3498 |
3207 /* if this fails, caller must destroy socket. */ | 3499 /* if this fails, caller must destroy socket. */ |
3208 static SECStatus | 3500 static SECStatus |
3209 ssl_MakeLocks(sslSocket *ss) | 3501 ssl_MakeLocks(sslSocket *ss) |
3210 { | 3502 { |
3211 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); | 3503 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); |
3212 if (!ss->firstHandshakeLock) | 3504 if (!ss->firstHandshakeLock) |
3213 goto loser; | 3505 goto loser; |
3214 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); | 3506 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); |
3215 if (!ss->ssl3HandshakeLock) | 3507 if (!ss->ssl3HandshakeLock) |
3216 goto loser; | 3508 goto loser; |
3217 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); | 3509 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); |
3218 if (!ss->specLock) | 3510 if (!ss->specLock) |
3219 goto loser; | 3511 goto loser; |
3220 ss->recvBufLock = PZ_NewMonitor(nssILockSSL); | 3512 ss->recvBufLock = PZ_NewMonitor(nssILockSSL); |
3221 if (!ss->recvBufLock) | 3513 if (!ss->recvBufLock) |
3222 goto loser; | 3514 goto loser; |
3223 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); | 3515 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); |
3224 if (!ss->xmitBufLock) | 3516 if (!ss->xmitBufLock) |
3225 goto loser; | 3517 goto loser; |
3226 ss->writerThread = NULL; | 3518 ss->writerThread = NULL; |
3227 if (ssl_lock_readers) { | 3519 if (ssl_lock_readers) { |
3228 ss->recvLock = PZ_NewLock(nssILockSSL); | 3520 ss->recvLock = PZ_NewLock(nssILockSSL); |
3229 if (!ss->recvLock) | 3521 if (!ss->recvLock) |
3230 goto loser; | 3522 goto loser; |
3231 ss->sendLock = PZ_NewLock(nssILockSSL); | 3523 ss->sendLock = PZ_NewLock(nssILockSSL); |
3232 if (!ss->sendLock) | 3524 if (!ss->sendLock) |
3233 goto loser; | 3525 goto loser; |
3234 } | 3526 } |
3235 return SECSuccess; | 3527 return SECSuccess; |
3236 loser: | 3528 loser: |
3237 ssl_DestroyLocks(ss); | 3529 ssl_DestroyLocks(ss); |
3238 return SECFailure; | 3530 return SECFailure; |
3239 } | 3531 } |
3240 | 3532 |
3241 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) | 3533 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) |
3242 #define NSS_HAVE_GETENV 1 | 3534 #define NSS_HAVE_GETENV 1 |
3243 #endif | 3535 #endif |
3244 | 3536 |
3245 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ | 3537 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ |
3246 | 3538 |
3247 static void | 3539 static void |
3248 ssl_SetDefaultsFromEnvironment(void) | 3540 ssl_SetDefaultsFromEnvironment(void) |
3249 { | 3541 { |
3250 #if defined( NSS_HAVE_GETENV ) | 3542 #if defined(NSS_HAVE_GETENV) |
3251 static int firsttime = 1; | 3543 static int firsttime = 1; |
3252 | 3544 |
3253 if (firsttime) { | 3545 if (firsttime) { |
3254 char * ev; | 3546 char *ev; |
3255 firsttime = 0; | 3547 firsttime = 0; |
3256 #ifdef DEBUG | 3548 #ifdef DEBUG |
3257 ev = getenv("SSLDEBUGFILE"); | 3549 ev = PR_GetEnvSecure("SSLDEBUGFILE"); |
3258 if (ev && ev[0]) { | 3550 if (ev && ev[0]) { |
3259 ssl_trace_iob = fopen(ev, "w"); | 3551 ssl_trace_iob = fopen(ev, "w"); |
3260 } | 3552 } |
3261 if (!ssl_trace_iob) { | 3553 if (!ssl_trace_iob) { |
3262 ssl_trace_iob = stderr; | 3554 ssl_trace_iob = stderr; |
3263 } | 3555 } |
3264 #ifdef TRACE | 3556 #ifdef TRACE |
3265 ev = getenv("SSLTRACE"); | 3557 ev = PR_GetEnvSecure("SSLTRACE"); |
3266 if (ev && ev[0]) { | 3558 if (ev && ev[0]) { |
3267 ssl_trace = atoi(ev); | 3559 ssl_trace = atoi(ev); |
3268 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); | 3560 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); |
3269 } | 3561 } |
3270 #endif /* TRACE */ | 3562 #endif /* TRACE */ |
3271 ev = getenv("SSLDEBUG"); | 3563 ev = PR_GetEnvSecure("SSLDEBUG"); |
3272 if (ev && ev[0]) { | 3564 if (ev && ev[0]) { |
3273 ssl_debug = atoi(ev); | 3565 ssl_debug = atoi(ev); |
3274 SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); | 3566 SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); |
3275 } | 3567 } |
3276 #endif /* DEBUG */ | 3568 #endif /* DEBUG */ |
3277 ev = getenv("SSLKEYLOGFILE"); | 3569 ev = PR_GetEnvSecure("SSLKEYLOGFILE"); |
3278 if (ev && ev[0]) { | 3570 if (ev && ev[0]) { |
3279 ssl_keylog_iob = fopen(ev, "a"); | 3571 ssl_keylog_iob = fopen(ev, "a"); |
3280 if (!ssl_keylog_iob) { | 3572 if (!ssl_keylog_iob) { |
3281 SSL_TRACE(("SSL: failed to open key log file")); | 3573 SSL_TRACE(("SSL: failed to open key log file")); |
3282 } else { | 3574 } else { |
3283 if (ftell(ssl_keylog_iob) == 0) { | 3575 if (ftell(ssl_keylog_iob) == 0) { |
3284 fputs("# SSL/TLS secrets log file, generated by NSS\n", | 3576 fputs("# SSL/TLS secrets log file, generated by NSS\n", |
3285 ssl_keylog_iob); | 3577 ssl_keylog_iob); |
3286 } | 3578 } |
3287 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); | 3579 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); |
3288 } | 3580 } |
3289 } | 3581 } |
3290 #ifndef NO_PKCS11_BYPASS | 3582 #ifndef NO_PKCS11_BYPASS |
3291 ev = getenv("SSLBYPASS"); | 3583 ev = PR_GetEnvSecure("SSLBYPASS"); |
3292 if (ev && ev[0]) { | 3584 if (ev && ev[0]) { |
3293 ssl_defaults.bypassPKCS11 = (ev[0] == '1'); | 3585 ssl_defaults.bypassPKCS11 = (ev[0] == '1'); |
3294 SSL_TRACE(("SSL: bypass default set to %d", \ | 3586 SSL_TRACE(("SSL: bypass default set to %d", |
3295 ssl_defaults.bypassPKCS11)); | 3587 ssl_defaults.bypassPKCS11)); |
3296 } | 3588 } |
3297 #endif /* NO_PKCS11_BYPASS */ | 3589 #endif /* NO_PKCS11_BYPASS */ |
3298 ev = getenv("SSLFORCELOCKS"); | 3590 ev = PR_GetEnvSecure("SSLFORCELOCKS"); |
3299 if (ev && ev[0] == '1') { | 3591 if (ev && ev[0] == '1') { |
3300 ssl_force_locks = PR_TRUE; | 3592 ssl_force_locks = PR_TRUE; |
3301 ssl_defaults.noLocks = 0; | 3593 ssl_defaults.noLocks = 0; |
3302 strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); | 3594 strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); |
3303 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); | 3595 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); |
3304 } | 3596 } |
3305 ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION"); | 3597 ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION"); |
3306 if (ev) { | 3598 if (ev) { |
3307 if (ev[0] == '1' || LOWER(ev[0]) == 'u') | 3599 if (ev[0] == '1' || LOWER(ev[0]) == 'u') |
3308 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; | 3600 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; |
3309 else if (ev[0] == '0' || LOWER(ev[0]) == 'n') | 3601 else if (ev[0] == '0' || LOWER(ev[0]) == 'n') |
3310 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; | 3602 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; |
3311 else if (ev[0] == '2' || LOWER(ev[0]) == 'r') | 3603 else if (ev[0] == '2' || LOWER(ev[0]) == 'r') |
3312 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; | 3604 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; |
3313 else if (ev[0] == '3' || LOWER(ev[0]) == 't') | 3605 else if (ev[0] == '3' || LOWER(ev[0]) == 't') |
3314 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; | 3606 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; |
3315 SSL_TRACE(("SSL: enableRenegotiation set to %d", | 3607 SSL_TRACE(("SSL: enableRenegotiation set to %d", |
3316 ssl_defaults.enableRenegotiation)); | 3608 ssl_defaults.enableRenegotiation)); |
3317 } | 3609 } |
3318 ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); | 3610 ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); |
3319 if (ev && ev[0] == '1') { | 3611 if (ev && ev[0] == '1') { |
3320 ssl_defaults.requireSafeNegotiation = PR_TRUE; | 3612 ssl_defaults.requireSafeNegotiation = PR_TRUE; |
3321 SSL_TRACE(("SSL: requireSafeNegotiation set to %d", | 3613 SSL_TRACE(("SSL: requireSafeNegotiation set to %d", |
3322 PR_TRUE)); | 3614 PR_TRUE)); |
3323 } | 3615 } |
3324 ev = getenv("NSS_SSL_CBC_RANDOM_IV"); | 3616 ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV"); |
3325 if (ev && ev[0] == '0') { | 3617 if (ev && ev[0] == '0') { |
3326 ssl_defaults.cbcRandomIV = PR_FALSE; | 3618 ssl_defaults.cbcRandomIV = PR_FALSE; |
3327 SSL_TRACE(("SSL: cbcRandomIV set to 0")); | 3619 SSL_TRACE(("SSL: cbcRandomIV set to 0")); |
3328 } | 3620 } |
3329 } | 3621 } |
3330 #endif /* NSS_HAVE_GETENV */ | 3622 #endif /* NSS_HAVE_GETENV */ |
3331 } | 3623 } |
3332 | 3624 |
3333 /* | 3625 /* |
3334 ** Create a newsocket structure for a file descriptor. | 3626 ** Create a newsocket structure for a file descriptor. |
3335 */ | 3627 */ |
3336 static sslSocket * | 3628 static sslSocket * |
3337 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) | 3629 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
3338 { | 3630 { |
3339 sslSocket *ss; | 3631 sslSocket *ss; |
3340 | 3632 |
3341 ssl_SetDefaultsFromEnvironment(); | 3633 ssl_SetDefaultsFromEnvironment(); |
3342 | 3634 |
3343 if (ssl_force_locks) | 3635 if (ssl_force_locks) |
3344 makeLocks = PR_TRUE; | 3636 makeLocks = PR_TRUE; |
3345 | 3637 |
3346 /* Make a new socket and get it ready */ | 3638 /* Make a new socket and get it ready */ |
3347 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); | 3639 ss = (sslSocket *)PORT_ZAlloc(sizeof(sslSocket)); |
3348 if (ss) { | 3640 if (ss) { |
3349 /* This should be of type SSLKEAType, but CC on IRIX | 3641 /* This should be of type SSLKEAType, but CC on IRIX |
3350 * complains during the for loop. | 3642 * complains during the for loop. |
3351 */ | 3643 */ |
3352 int i; | 3644 int i; |
3353 SECStatus status; | 3645 SECStatus status; |
3354 | 3646 |
3355 ss->opt = ssl_defaults; | 3647 ss->opt = ssl_defaults; |
3356 ss->opt.useSocks = PR_FALSE; | 3648 ss->opt.useSocks = PR_FALSE; |
3357 ss->opt.noLocks = !makeLocks; | 3649 ss->opt.noLocks = !makeLocks; |
3358 ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); | 3650 ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); |
3359 ss->protocolVariant = protocolVariant; | 3651 ss->protocolVariant = protocolVariant; |
3360 | 3652 |
3361 ss->peerID = NULL; | 3653 ss->peerID = NULL; |
3362 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; | 3654 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
3363 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; | 3655 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
3364 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; | 3656 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
3365 ss->cipherSpecs = NULL; | 3657 ss->cipherSpecs = NULL; |
3366 ss->sizeCipherSpecs = 0; /* produced lazily */ | 3658 ss->sizeCipherSpecs = 0; /* produced lazily */ |
3367 ss->preferredCipher = NULL; | 3659 ss->preferredCipher = NULL; |
3368 ss->url = NULL; | 3660 ss->url = NULL; |
3369 | 3661 |
3370 for (i=kt_null; i < kt_kea_size; i++) { | 3662 for (i = kt_null; i < kt_kea_size; i++) { |
3371 sslServerCerts * sc = ss->serverCerts + i; | 3663 sslServerCerts *sc = ss->serverCerts + i; |
3372 sc->serverCert = NULL; | 3664 sc->serverCert = NULL; |
3373 sc->serverCertChain = NULL; | 3665 sc->serverCertChain = NULL; |
3374 sc->serverKeyPair = NULL; | 3666 sc->serverKeyPair = NULL; |
3375 sc->serverKeyBits = 0; | 3667 sc->serverKeyBits = 0; |
3376 ss->certStatusArray[i] = NULL; | 3668 ss->certStatusArray[i] = NULL; |
3377 } | 3669 } |
3378 ss->requestedCertTypes = NULL; | 3670 ss->requestedCertTypes = NULL; |
3379 ss->stepDownKeyPair = NULL; | 3671 ss->stepDownKeyPair = NULL; |
3380 | 3672 |
3381 ss->dheParams = NULL; | 3673 ss->dheParams = NULL; |
3382 ss->dheKeyPair = NULL; | 3674 ss->dheKeyPair = NULL; |
3383 | 3675 |
3384 ss->dbHandle = CERT_GetDefaultCertDB(); | 3676 ss->dbHandle = CERT_GetDefaultCertDB(); |
3385 | 3677 |
3386 /* Provide default implementation of hooks */ | 3678 /* Provide default implementation of hooks */ |
3387 ss->authCertificate = SSL_AuthCertificate; | 3679 ss->authCertificate = SSL_AuthCertificate; |
3388 ss->authCertificateArg = (void *)ss->dbHandle; | 3680 ss->authCertificateArg = (void *)ss->dbHandle; |
3389 ss->sniSocketConfig = NULL; | 3681 ss->sniSocketConfig = NULL; |
3390 ss->sniSocketConfigArg = NULL; | 3682 ss->sniSocketConfigArg = NULL; |
3391 ss->getClientAuthData = NULL; | 3683 ss->getClientAuthData = NULL; |
3392 #ifdef NSS_PLATFORM_CLIENT_AUTH | 3684 ss->handleBadCert = NULL; |
3393 ss->getPlatformClientAuthData = NULL; | 3685 ss->badCertArg = NULL; |
3394 ss->getPlatformClientAuthDataArg = NULL; | 3686 ss->pkcs11PinArg = NULL; |
3395 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | |
3396 ss->handleBadCert = NULL; | |
3397 ss->badCertArg = NULL; | |
3398 ss->pkcs11PinArg = NULL; | |
3399 ss->ephemeralECDHKeyPair = NULL; | 3687 ss->ephemeralECDHKeyPair = NULL; |
3400 ss->getChannelID = NULL; | 3688 ss->getChannelID = NULL; |
3401 ss->getChannelIDArg = NULL; | 3689 ss->getChannelIDArg = NULL; |
3402 | 3690 |
3403 ssl_ChooseOps(ss); | 3691 ssl_ChooseOps(ss); |
3404 ssl2_InitSocketPolicy(ss); | 3692 ssl2_InitSocketPolicy(ss); |
3405 ssl3_InitSocketPolicy(ss); | 3693 ssl3_InitSocketPolicy(ss); |
3406 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); | 3694 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); |
| 3695 PR_INIT_CLIST(&ss->ssl3.hs.remoteKeyShares); |
3407 | 3696 |
3408 if (makeLocks) { | 3697 if (makeLocks) { |
3409 status = ssl_MakeLocks(ss); | 3698 status = ssl_MakeLocks(ss); |
3410 if (status != SECSuccess) | 3699 if (status != SECSuccess) |
3411 goto loser; | 3700 goto loser; |
3412 } | 3701 } |
3413 status = ssl_CreateSecurityInfo(ss); | 3702 status = ssl_CreateSecurityInfo(ss); |
3414 if (status != SECSuccess) | 3703 if (status != SECSuccess) |
3415 goto loser; | 3704 goto loser; |
3416 status = ssl_InitGather(&ss->gs); | 3705 status = ssl_InitGather(&ss->gs); |
3417 if (status != SECSuccess) { | 3706 if (status != SECSuccess) { |
3418 loser: | 3707 loser: |
3419 ssl_DestroySocketContents(ss); | 3708 ssl_DestroySocketContents(ss); |
3420 ssl_DestroyLocks(ss); | 3709 ssl_DestroyLocks(ss); |
3421 PORT_Free(ss); | 3710 PORT_Free(ss); |
3422 ss = NULL; | 3711 ss = NULL; |
3423 } | 3712 } |
3424 } | 3713 } |
3425 return ss; | 3714 return ss; |
3426 } | 3715 } |
OLD | NEW |