Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(385)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/ssl/sslsock.c

Issue 1844813002: Uprev NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Update patches Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/third_party/nss/ssl/ssl3con.c ('K') | « net/third_party/nss/ssl/sslsnce.c ('k') | net/third_party/nss/ssl/sslt.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/ssl/sslsock.c
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
index 0a8fbf0fdcd600761a6785024d602527ecd4a117..e82c91693412a9037c3920042bea4f201b0a33c3 100644
--- a/net/third_party/nss/ssl/sslsock.c
+++ b/net/third_party/nss/ssl/sslsock.c
@@ -17,46 +17,39 @@
#ifndef NO_PKCS11_BYPASS
#include "blapi.h"
#endif
-#include "pk11pub.h"
#include "nss.h"
#include "pk11pqg.h"
-/* This is a bodge to allow this code to be compiled against older NSS headers
- * that don't contain the TLS 1.2 changes. */
-#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256
-#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
-#endif
-
-#define SET_ERROR_CODE /* reminder */
-
-static const sslSocketOps ssl_default_ops = { /* No SSL. */
- ssl_DefConnect,
- NULL,
- ssl_DefBind,
- ssl_DefListen,
- ssl_DefShutdown,
- ssl_DefClose,
- ssl_DefRecv,
- ssl_DefSend,
- ssl_DefRead,
- ssl_DefWrite,
- ssl_DefGetpeername,
- ssl_DefGetsockname
+#define SET_ERROR_CODE /* reminder */
+
+static const sslSocketOps ssl_default_ops = { /* No SSL. */
+ ssl_DefConnect,
+ NULL,
+ ssl_DefBind,
+ ssl_DefListen,
+ ssl_DefShutdown,
+ ssl_DefClose,
+ ssl_DefRecv,
+ ssl_DefSend,
+ ssl_DefRead,
+ ssl_DefWrite,
+ ssl_DefGetpeername,
+ ssl_DefGetsockname
};
-static const sslSocketOps ssl_secure_ops = { /* SSL. */
- ssl_SecureConnect,
- NULL,
- ssl_DefBind,
- ssl_DefListen,
- ssl_SecureShutdown,
- ssl_SecureClose,
- ssl_SecureRecv,
- ssl_SecureSend,
- ssl_SecureRead,
- ssl_SecureWrite,
- ssl_DefGetpeername,
- ssl_DefGetsockname
+static const sslSocketOps ssl_secure_ops = { /* SSL. */
+ ssl_SecureConnect,
+ NULL,
+ ssl_DefBind,
+ ssl_DefListen,
+ ssl_SecureShutdown,
+ ssl_SecureClose,
+ ssl_SecureRecv,
+ ssl_SecureSend,
+ ssl_SecureRead,
+ ssl_SecureWrite,
+ ssl_DefGetpeername,
+ ssl_DefGetsockname
};
/*
@@ -64,36 +57,38 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */
*/
static sslOptions ssl_defaults = {
{ siBuffer, NULL, 0 }, /* nextProtoNego */
- PR_TRUE, /* useSecurity */
- PR_FALSE, /* useSocks */
- PR_FALSE, /* requestCertificate */
- 2, /* requireCertificate */
- PR_FALSE, /* handshakeAsClient */
- PR_FALSE, /* handshakeAsServer */
- PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */
- PR_FALSE, /* unusedBit9 */
- PR_FALSE, /* unusedBit10 */
- PR_FALSE, /* noCache */
- PR_FALSE, /* fdx */
- PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */
- PR_TRUE, /* detectRollBack */
- PR_FALSE, /* noStepDown */
- PR_FALSE, /* bypassPKCS11 */
- PR_FALSE, /* noLocks */
- PR_FALSE, /* enableSessionTickets */
- PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
- PR_FALSE, /* requireSafeNegotiation */
- PR_FALSE, /* enableFalseStart */
- PR_TRUE, /* cbcRandomIV */
- PR_FALSE, /* enableOCSPStapling */
- PR_TRUE, /* enableNPN */
- PR_FALSE, /* enableALPN */
- PR_TRUE, /* reuseServerECDHEKey */
- PR_FALSE, /* enableFallbackSCSV */
- PR_TRUE, /* enableServerDhe */
- PR_FALSE, /* enableExtendedMS */
- PR_FALSE, /* enableSignedCertTimestamps */
+ PR_TRUE, /* useSecurity */
+ PR_FALSE, /* useSocks */
+ PR_FALSE, /* requestCertificate */
+ 2, /* requireCertificate */
+ PR_FALSE, /* handshakeAsClient */
+ PR_FALSE, /* handshakeAsServer */
+ PR_FALSE,
+ /* enableSSL2 */ /* now defaults to off in NSS 3.13 */
+ PR_FALSE, /* unusedBit9 */
+ PR_FALSE, /* unusedBit10 */
+ PR_FALSE, /* noCache */
+ PR_FALSE, /* fdx */
+ PR_FALSE,
+ /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */
+ PR_TRUE, /* detectRollBack */
+ PR_FALSE, /* noStepDown */
+ PR_FALSE, /* bypassPKCS11 */
+ PR_FALSE, /* noLocks */
+ PR_FALSE, /* enableSessionTickets */
+ PR_FALSE, /* enableDeflate */
+ 2, /* enableRenegotiation (default: requires extension) */
+ PR_FALSE, /* requireSafeNegotiation */
+ PR_FALSE, /* enableFalseStart */
+ PR_TRUE, /* cbcRandomIV */
+ PR_FALSE, /* enableOCSPStapling */
+ PR_TRUE, /* enableNPN */
+ PR_FALSE, /* enableALPN */
+ PR_TRUE, /* reuseServerECDHEKey */
+ PR_FALSE, /* enableFallbackSCSV */
+ PR_TRUE, /* enableServerDhe */
+ PR_FALSE, /* enableExtendedMS */
+ PR_FALSE, /* enableSignedCertTimestamps */
};
/*
@@ -109,24 +104,30 @@ static SSLVersionRange versions_defaults_datagram = {
SSL_LIBRARY_VERSION_TLS_1_2
};
-#define VERSIONS_DEFAULTS(variant) \
+#define VERSIONS_DEFAULTS(variant) \
(variant == ssl_variant_stream ? &versions_defaults_stream : \
- &versions_defaults_datagram)
-
-sslSessionIDLookupFunc ssl_sid_lookup;
-sslSessionIDCacheFunc ssl_sid_cache;
+ &versions_defaults_datagram)
+#define VERSIONS_POLICY_MIN(variant) \
+ (variant == ssl_variant_stream ? NSS_TLS_VERSION_MIN_POLICY : \
+ NSS_DTLS_VERSION_MIN_POLICY)
+#define VERSIONS_POLICY_MAX(variant) \
+ (variant == ssl_variant_stream ? NSS_TLS_VERSION_MAX_POLICY : \
+ NSS_DTLS_VERSION_MAX_POLICY)
+
+sslSessionIDLookupFunc ssl_sid_lookup;
+sslSessionIDCacheFunc ssl_sid_cache;
sslSessionIDUncacheFunc ssl_sid_uncache;
static PRBool ssl_inited = PR_FALSE;
static PRDescIdentity ssl_layer_id;
-PRBool locksEverDisabled; /* implicitly PR_FALSE */
-PRBool ssl_force_locks; /* implicitly PR_FALSE */
-int ssl_lock_readers = 1; /* default true. */
-char ssl_debug;
-char ssl_trace;
-FILE * ssl_trace_iob;
-FILE * ssl_keylog_iob;
+PRBool locksEverDisabled; /* implicitly PR_FALSE */
+PRBool ssl_force_locks; /* implicitly PR_FALSE */
+int ssl_lock_readers = 1; /* default true. */
+char ssl_debug;
+char ssl_trace;
+FILE *ssl_trace_iob;
+FILE *ssl_keylog_iob;
char lockStatus[] = "Locks are ENABLED. ";
#define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */
@@ -139,10 +140,10 @@ static const PRUint16 srtpCiphers[] = {
/* forward declarations. */
static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant);
-static SECStatus ssl_MakeLocks(sslSocket *ss);
-static void ssl_SetDefaultsFromEnvironment(void);
-static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack,
- PRDescIdentity id);
+static SECStatus ssl_MakeLocks(sslSocket *ss);
+static void ssl_SetDefaultsFromEnvironment(void);
+static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack,
+ PRDescIdentity id);
/************************************************************************/
@@ -214,31 +215,32 @@ ssl_DupSocket(sslSocket *os)
ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant);
if (ss) {
- ss->opt = os->opt;
- ss->opt.useSocks = PR_FALSE;
- ss->vrange = os->vrange;
+ ss->opt = os->opt;
+ ss->opt.useSocks = PR_FALSE;
+ ss->vrange = os->vrange;
- ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID);
- ss->url = !os->url ? NULL : PORT_Strdup(os->url);
+ ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID);
+ ss->url = !os->url ? NULL : PORT_Strdup(os->url);
- ss->ops = os->ops;
+ ss->ops = os->ops;
ss->rTimeout = os->rTimeout;
ss->wTimeout = os->wTimeout;
ss->cTimeout = os->cTimeout;
ss->dbHandle = os->dbHandle;
/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
- ss->allowedByPolicy = os->allowedByPolicy;
- ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
- ss->chosenPreference = os->chosenPreference;
+ ss->allowedByPolicy = os->allowedByPolicy;
+ ss->maybeAllowedByPolicy = os->maybeAllowedByPolicy;
+ ss->chosenPreference = os->chosenPreference;
PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount);
ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount;
PORT_Memcpy(ss->ssl3.signatureAlgorithms, os->ssl3.signatureAlgorithms,
sizeof(ss->ssl3.signatureAlgorithms[0]) *
- os->ssl3.signatureAlgorithmCount);
+ os->ssl3.signatureAlgorithmCount);
ss->ssl3.signatureAlgorithmCount = os->ssl3.signatureAlgorithmCount;
+ ss->ssl3.downgradeCheckVersion = os->ssl3.downgradeCheckVersion;
ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled;
ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups;
@@ -255,74 +257,66 @@ ssl_DupSocket(sslSocket *os)
}
if (os->cipherSpecs) {
- ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
+ ss->cipherSpecs = (unsigned char *)PORT_Alloc(os->sizeCipherSpecs);
if (ss->cipherSpecs)
PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs,
os->sizeCipherSpecs);
- ss->sizeCipherSpecs = os->sizeCipherSpecs;
- ss->preferredCipher = os->preferredCipher;
+ ss->sizeCipherSpecs = os->sizeCipherSpecs;
+ ss->preferredCipher = os->preferredCipher;
} else {
- ss->cipherSpecs = NULL; /* produced lazily */
- ss->sizeCipherSpecs = 0;
- ss->preferredCipher = NULL;
+ ss->cipherSpecs = NULL; /* produced lazily */
+ ss->sizeCipherSpecs = 0;
+ ss->preferredCipher = NULL;
}
if (ss->opt.useSecurity) {
/* This int should be SSLKEAType, but CC on Irix complains,
* during the for loop.
*/
int i;
- sslServerCerts * oc = os->serverCerts;
- sslServerCerts * sc = ss->serverCerts;
+ sslServerCerts *oc = os->serverCerts;
+ sslServerCerts *sc = ss->serverCerts;
- for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
+ for (i = kt_null; i < kt_kea_size; i++, oc++, sc++) {
if (oc->serverCert && oc->serverCertChain) {
- sc->serverCert = CERT_DupCertificate(oc->serverCert);
+ sc->serverCert = CERT_DupCertificate(oc->serverCert);
sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
if (!sc->serverCertChain)
goto loser;
} else {
- sc->serverCert = NULL;
+ sc->serverCert = NULL;
sc->serverCertChain = NULL;
}
- sc->serverKeyPair = oc->serverKeyPair ?
- ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
+ sc->serverKeyPair = oc->serverKeyPair ? ssl3_GetKeyPairRef(oc->serverKeyPair)
+ : NULL;
if (oc->serverKeyPair && !sc->serverKeyPair)
goto loser;
sc->serverKeyBits = oc->serverKeyBits;
- ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL :
- SECITEM_DupArray(NULL, os->certStatusArray[i]);
+ ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : SECITEM_DupArray(NULL, os->certStatusArray[i]);
}
- ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
- ssl3_GetKeyPairRef(os->stepDownKeyPair);
- ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
- ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
- ss->dheKeyPair = !os->dheKeyPair ? NULL :
- ssl3_GetKeyPairRef(os->dheKeyPair);
+ ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : ssl3_GetKeyPairRef(os->stepDownKeyPair);
+ ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
+ ss->dheKeyPair = !os->dheKeyPair ? NULL : ssl3_GetKeyPairRef(os->dheKeyPair);
ss->dheParams = os->dheParams;
-/*
- * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
- * XXX We should detect this, and not just march on with NULL pointers.
- */
- ss->authCertificate = os->authCertificate;
- ss->authCertificateArg = os->authCertificateArg;
- ss->getClientAuthData = os->getClientAuthData;
- ss->getClientAuthDataArg = os->getClientAuthDataArg;
-#ifdef NSS_PLATFORM_CLIENT_AUTH
- ss->getPlatformClientAuthData = os->getPlatformClientAuthData;
- ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg;
-#endif
- ss->sniSocketConfig = os->sniSocketConfig;
- ss->sniSocketConfigArg = os->sniSocketConfigArg;
- ss->handleBadCert = os->handleBadCert;
- ss->badCertArg = os->badCertArg;
- ss->handshakeCallback = os->handshakeCallback;
+ /*
+ * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
+ * XXX We should detect this, and not just march on with NULL pointers.
+ */
+ ss->authCertificate = os->authCertificate;
+ ss->authCertificateArg = os->authCertificateArg;
+ ss->getClientAuthData = os->getClientAuthData;
+ ss->getClientAuthDataArg = os->getClientAuthDataArg;
+ ss->sniSocketConfig = os->sniSocketConfig;
+ ss->sniSocketConfigArg = os->sniSocketConfigArg;
+ ss->handleBadCert = os->handleBadCert;
+ ss->badCertArg = os->badCertArg;
+ ss->handshakeCallback = os->handshakeCallback;
ss->handshakeCallbackData = os->handshakeCallbackData;
ss->canFalseStartCallback = os->canFalseStartCallback;
ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
- ss->pkcs11PinArg = os->pkcs11PinArg;
- ss->getChannelID = os->getChannelID;
- ss->getChannelIDArg = os->getChannelIDArg;
+ ss->pkcs11PinArg = os->pkcs11PinArg;
+ ss->getChannelID = os->getChannelID;
+ ss->getChannelIDArg = os->getChannelIDArg;
/* Create security data */
rv = ssl_CopySecurityInfo(ss, os);
@@ -380,7 +374,7 @@ ssl_DestroySocketContents(sslSocket *ss)
/* "i" should be of type SSLKEAType, but CC on IRIX complains during
* the for loop.
*/
- int i;
+ int i;
/* Free up socket */
ssl_DestroySecurityInfo(&ss->sec);
@@ -394,16 +388,16 @@ ssl_DestroySocketContents(sslSocket *ss)
if (ss->peerID != NULL)
PORT_Free(ss->peerID);
if (ss->url != NULL)
- PORT_Free((void *)ss->url); /* CONST */
+ PORT_Free((void *)ss->url); /* CONST */
if (ss->cipherSpecs) {
PORT_Free(ss->cipherSpecs);
- ss->cipherSpecs = NULL;
+ ss->cipherSpecs = NULL;
ss->sizeCipherSpecs = 0;
}
/* Clean up server configuration */
- for (i=kt_null; i < kt_kea_size; i++) {
- sslServerCerts * sc = ss->serverCerts + i;
+ for (i = kt_null; i < kt_kea_size; i++) {
+ sslServerCerts *sc = ss->serverCerts + i;
if (sc->serverCert != NULL)
CERT_DestroyCertificate(sc->serverCert);
if (sc->serverCertChain != NULL)
@@ -414,6 +408,9 @@ ssl_DestroySocketContents(sslSocket *ss)
SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE);
ss->certStatusArray[i] = NULL;
}
+ if (ss->signedCertTimestamps[i].data) {
+ SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE);
+ }
}
if (ss->stepDownKeyPair) {
ssl3_FreeKeyPair(ss->stepDownKeyPair);
@@ -440,11 +437,11 @@ ssl_DestroySocketContents(sslSocket *ss)
void
ssl_FreeSocket(sslSocket *ss)
{
-/* Get every lock you can imagine!
-** Caller already holds these:
-** SSL_LOCK_READER(ss);
-** SSL_LOCK_WRITER(ss);
-*/
+ /* Get every lock you can imagine!
+ ** Caller already holds these:
+ ** SSL_LOCK_READER(ss);
+ ** SSL_LOCK_WRITER(ss);
+ */
ssl_Get1stHandshakeLock(ss);
ssl_GetRecvBufLock(ss);
ssl_GetSSL3HandshakeLock(ss);
@@ -475,15 +472,15 @@ ssl_FreeSocket(sslSocket *ss)
SECStatus
ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
{
- PRFileDesc * osfd = ss->fd->lower;
- SECStatus rv = SECFailure;
+ PRFileDesc *osfd = ss->fd->lower;
+ SECStatus rv = SECFailure;
PRSocketOptionData opt;
- opt.option = PR_SockOpt_NoDelay;
+ opt.option = PR_SockOpt_NoDelay;
opt.value.no_delay = (PRBool)!enabled;
if (osfd->methods->setsocketoption) {
- rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt);
+ rv = (SECStatus)osfd->methods->setsocketoption(osfd, &opt);
} else {
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
}
@@ -501,7 +498,7 @@ ssl_ChooseOps(sslSocket *ss)
static SECStatus
PrepareSocket(sslSocket *ss)
{
- SECStatus rv = SECSuccess;
+ SECStatus rv = SECSuccess;
ssl_ChooseOps(ss);
return rv;
@@ -517,7 +514,8 @@ SSL_Enable(PRFileDesc *fd, int which, PRBool on)
static const PRCallOnceType pristineCallOnce;
static PRCallOnceType setupBypassOnce;
-static SECStatus SSL_BypassShutdown(void* appData, void* nssData)
+static SECStatus
+SSL_BypassShutdown(void *appData, void *nssData)
{
/* unload freeBL shared library from memory */
BL_Unload();
@@ -525,7 +523,8 @@ static SECStatus SSL_BypassShutdown(void* appData, void* nssData)
return SECSuccess;
}
-static PRStatus SSL_BypassRegisterShutdown(void)
+static PRStatus
+SSL_BypassRegisterShutdown(void)
{
SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
PORT_Assert(SECSuccess == rv);
@@ -533,7 +532,8 @@ static PRStatus SSL_BypassRegisterShutdown(void)
}
#endif
-static PRStatus SSL_BypassSetup(void)
+static PRStatus
+SSL_BypassSetup(void)
{
#ifdef NO_PKCS11_BYPASS
/* Guarantee binary compatibility */
@@ -543,12 +543,22 @@ static PRStatus SSL_BypassSetup(void)
#endif
}
+static PRBool ssl_VersionIsSupportedByPolicy(
+ SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version);
+
/* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in
* ssl.h in the section "SSL version range setting API".
*/
static void
ssl_EnableTLS(SSLVersionRange *vrange, PRBool on)
{
+ if (on) {
+ /* don't turn it on if tls1.0 disallowed by by policy */
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
+ SSL_LIBRARY_VERSION_TLS_1_0)) {
+ return;
+ }
+ }
if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
if (on) {
vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
@@ -579,7 +589,14 @@ ssl_EnableTLS(SSLVersionRange *vrange, PRBool on)
static void
ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
{
- if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
+ if (on) {
+ /* don't turn it on if ssl3 disallowed by by policy */
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
+ SSL_LIBRARY_VERSION_3_0)) {
+ return;
+ }
+ }
+ if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
if (on) {
vrange->min = SSL_LIBRARY_VERSION_3_0;
vrange->max = SSL_LIBRARY_VERSION_3_0;
@@ -587,13 +604,13 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
return;
}
- if (on) {
+ if (on) {
/* Expand the range of enabled versions to include SSL 3.0. We know
* SSL 3.0 or some version of TLS is already enabled at this point, so
* we don't need to change vrange->max.
*/
vrange->min = SSL_LIBRARY_VERSION_3_0;
- } else {
+ } else {
/* Disable SSL 3.0, leaving TLS unaffected. */
if (vrange->max > SSL_LIBRARY_VERSION_3_0) {
vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
@@ -609,8 +626,8 @@ SECStatus
SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
{
sslSocket *ss = ssl_FindSocket(fd);
- SECStatus rv = SECSuccess;
- PRBool holdingLocks;
+ SECStatus rv = SECSuccess;
+ PRBool holdingLocks;
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
@@ -622,235 +639,242 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
ssl_GetSSL3HandshakeLock(ss);
switch (which) {
- case SSL_SOCKS:
- ss->opt.useSocks = PR_FALSE;
- rv = PrepareSocket(ss);
- if (on) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- }
- break;
-
- case SSL_SECURITY:
- ss->opt.useSecurity = on;
- rv = PrepareSocket(ss);
- break;
-
- case SSL_REQUEST_CERTIFICATE:
- ss->opt.requestCertificate = on;
- break;
+ case SSL_SOCKS:
+ ss->opt.useSocks = PR_FALSE;
+ rv = PrepareSocket(ss);
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ }
+ break;
- case SSL_REQUIRE_CERTIFICATE:
- ss->opt.requireCertificate = on;
- break;
+ case SSL_SECURITY:
+ ss->opt.useSecurity = on;
+ rv = PrepareSocket(ss);
+ break;
- case SSL_HANDSHAKE_AS_CLIENT:
- if ( ss->opt.handshakeAsServer && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
+ case SSL_REQUEST_CERTIFICATE:
+ ss->opt.requestCertificate = on;
break;
- }
- ss->opt.handshakeAsClient = on;
- break;
- case SSL_HANDSHAKE_AS_SERVER:
- if ( ss->opt.handshakeAsClient && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
+ case SSL_REQUIRE_CERTIFICATE:
+ ss->opt.requireCertificate = on;
break;
- }
- ss->opt.handshakeAsServer = on;
- break;
- case SSL_ENABLE_TLS:
- if (IS_DTLS(ss)) {
- if (on) {
+ case SSL_HANDSHAKE_AS_CLIENT:
+ if (ss->opt.handshakeAsServer && on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure; /* not allowed */
+ rv = SECFailure;
+ break;
}
+ ss->opt.handshakeAsClient = on;
break;
- }
- ssl_EnableTLS(&ss->vrange, on);
- ss->preferredCipher = NULL;
- if (ss->cipherSpecs) {
- PORT_Free(ss->cipherSpecs);
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0;
- }
- break;
- case SSL_ENABLE_SSL3:
- if (IS_DTLS(ss)) {
- if (on) {
+ case SSL_HANDSHAKE_AS_SERVER:
+ if (ss->opt.handshakeAsClient && on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure; /* not allowed */
+ rv = SECFailure;
+ break;
}
+ ss->opt.handshakeAsServer = on;
break;
- }
- ssl_EnableSSL3(&ss->vrange, on);
- ss->preferredCipher = NULL;
- if (ss->cipherSpecs) {
- PORT_Free(ss->cipherSpecs);
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0;
- }
- break;
- case SSL_ENABLE_SSL2:
- if (IS_DTLS(ss)) {
- if (on) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure; /* not allowed */
+ case SSL_ENABLE_TLS:
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ssl_EnableTLS(&ss->vrange, on);
+ ss->preferredCipher = NULL;
+ if (ss->cipherSpecs) {
+ PORT_Free(ss->cipherSpecs);
+ ss->cipherSpecs = NULL;
+ ss->sizeCipherSpecs = 0;
}
break;
- }
- ss->opt.enableSSL2 = on;
- if (on) {
- ss->opt.v2CompatibleHello = on;
- }
- ss->preferredCipher = NULL;
- if (ss->cipherSpecs) {
- PORT_Free(ss->cipherSpecs);
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0;
- }
- break;
-
- case SSL_NO_CACHE:
- ss->opt.noCache = on;
- break;
- case SSL_ENABLE_FDX:
- if (on && ss->opt.noLocks) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- }
- ss->opt.fdx = on;
- break;
+ case SSL_ENABLE_SSL3:
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ssl_EnableSSL3(&ss->vrange, on);
+ ss->preferredCipher = NULL;
+ if (ss->cipherSpecs) {
+ PORT_Free(ss->cipherSpecs);
+ ss->cipherSpecs = NULL;
+ ss->sizeCipherSpecs = 0;
+ }
+ break;
- case SSL_V2_COMPATIBLE_HELLO:
- if (IS_DTLS(ss)) {
+ case SSL_ENABLE_SSL2:
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
if (on) {
+ /* don't turn it on if ssl2 disallowed by by policy */
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
+ SSL_LIBRARY_VERSION_2)) {
+ break;
+ }
+ }
+ ss->opt.enableSSL2 = on;
+ if (on) {
+ ss->opt.v2CompatibleHello = on;
+ }
+ ss->preferredCipher = NULL;
+ if (ss->cipherSpecs) {
+ PORT_Free(ss->cipherSpecs);
+ ss->cipherSpecs = NULL;
+ ss->sizeCipherSpecs = 0;
+ }
+ break;
+
+ case SSL_NO_CACHE:
+ ss->opt.noCache = on;
+ break;
+
+ case SSL_ENABLE_FDX:
+ if (on && ss->opt.noLocks) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure; /* not allowed */
+ rv = SECFailure;
}
+ ss->opt.fdx = on;
break;
- }
- ss->opt.v2CompatibleHello = on;
- if (!on) {
- ss->opt.enableSSL2 = on;
- }
- break;
- case SSL_ROLLBACK_DETECTION:
- ss->opt.detectRollBack = on;
- break;
+ case SSL_V2_COMPATIBLE_HELLO:
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ss->opt.v2CompatibleHello = on;
+ if (!on) {
+ ss->opt.enableSSL2 = on;
+ }
+ break;
- case SSL_NO_STEP_DOWN:
- ss->opt.noStepDown = on;
- if (on)
- SSL_DisableExportCipherSuites(fd);
- break;
+ case SSL_ROLLBACK_DETECTION:
+ ss->opt.detectRollBack = on;
+ break;
- case SSL_BYPASS_PKCS11:
- if (ss->handshakeBegun) {
- PORT_SetError(PR_INVALID_STATE_ERROR);
- rv = SECFailure;
- } else {
- if (PR_FALSE != on) {
- if (PR_SUCCESS == SSL_BypassSetup() ) {
+ case SSL_NO_STEP_DOWN:
+ ss->opt.noStepDown = on;
+ if (on)
+ SSL_DisableExportCipherSuites(fd);
+ break;
+
+ case SSL_BYPASS_PKCS11:
+ if (ss->handshakeBegun) {
+ PORT_SetError(PR_INVALID_STATE_ERROR);
+ rv = SECFailure;
+ } else {
+ if (PR_FALSE != on) {
+ if (PR_SUCCESS == SSL_BypassSetup()) {
#ifdef NO_PKCS11_BYPASS
- ss->opt.bypassPKCS11 = PR_FALSE;
+ ss->opt.bypassPKCS11 = PR_FALSE;
#else
- ss->opt.bypassPKCS11 = on;
+ ss->opt.bypassPKCS11 = on;
#endif
+ } else {
+ rv = SECFailure;
+ }
} else {
- rv = SECFailure;
+ ss->opt.bypassPKCS11 = PR_FALSE;
}
- } else {
- ss->opt.bypassPKCS11 = PR_FALSE;
}
- }
- break;
+ break;
- case SSL_NO_LOCKS:
- if (on && ss->opt.fdx) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- }
- if (on && ssl_force_locks)
- on = PR_FALSE; /* silent override */
- ss->opt.noLocks = on;
- if (on) {
- locksEverDisabled = PR_TRUE;
- strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
- } else if (!holdingLocks) {
- rv = ssl_MakeLocks(ss);
- if (rv != SECSuccess) {
- ss->opt.noLocks = PR_TRUE;
+ case SSL_NO_LOCKS:
+ if (on && ss->opt.fdx) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
}
- }
- break;
+ if (on && ssl_force_locks)
+ on = PR_FALSE; /* silent override */
+ ss->opt.noLocks = on;
+ if (on) {
+ locksEverDisabled = PR_TRUE;
+ strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
+ } else if (!holdingLocks) {
+ rv = ssl_MakeLocks(ss);
+ if (rv != SECSuccess) {
+ ss->opt.noLocks = PR_TRUE;
+ }
+ }
+ break;
- case SSL_ENABLE_SESSION_TICKETS:
- ss->opt.enableSessionTickets = on;
- break;
+ case SSL_ENABLE_SESSION_TICKETS:
+ ss->opt.enableSessionTickets = on;
+ break;
- case SSL_ENABLE_DEFLATE:
- ss->opt.enableDeflate = on;
- break;
+ case SSL_ENABLE_DEFLATE:
+ ss->opt.enableDeflate = on;
+ break;
- case SSL_ENABLE_RENEGOTIATION:
- ss->opt.enableRenegotiation = on;
- break;
+ case SSL_ENABLE_RENEGOTIATION:
+ ss->opt.enableRenegotiation = on;
+ break;
- case SSL_REQUIRE_SAFE_NEGOTIATION:
- ss->opt.requireSafeNegotiation = on;
- break;
+ case SSL_REQUIRE_SAFE_NEGOTIATION:
+ ss->opt.requireSafeNegotiation = on;
+ break;
- case SSL_ENABLE_FALSE_START:
- ss->opt.enableFalseStart = on;
- break;
+ case SSL_ENABLE_FALSE_START:
+ ss->opt.enableFalseStart = on;
+ break;
- case SSL_CBC_RANDOM_IV:
- ss->opt.cbcRandomIV = on;
- break;
+ case SSL_CBC_RANDOM_IV:
+ ss->opt.cbcRandomIV = on;
+ break;
- case SSL_ENABLE_OCSP_STAPLING:
- ss->opt.enableOCSPStapling = on;
- break;
+ case SSL_ENABLE_OCSP_STAPLING:
+ ss->opt.enableOCSPStapling = on;
+ break;
- case SSL_ENABLE_NPN:
- ss->opt.enableNPN = on;
- break;
+ case SSL_ENABLE_NPN:
+ ss->opt.enableNPN = on;
+ break;
- case SSL_ENABLE_ALPN:
- ss->opt.enableALPN = on;
- break;
+ case SSL_ENABLE_ALPN:
+ ss->opt.enableALPN = on;
+ break;
- case SSL_REUSE_SERVER_ECDHE_KEY:
- ss->opt.reuseServerECDHEKey = on;
- break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ ss->opt.reuseServerECDHEKey = on;
+ break;
- case SSL_ENABLE_FALLBACK_SCSV:
- ss->opt.enableFallbackSCSV = on;
- break;
+ case SSL_ENABLE_FALLBACK_SCSV:
+ ss->opt.enableFallbackSCSV = on;
+ break;
- case SSL_ENABLE_SERVER_DHE:
- ss->opt.enableServerDhe = on;
- break;
+ case SSL_ENABLE_SERVER_DHE:
+ ss->opt.enableServerDhe = on;
+ break;
- case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- ss->opt.enableExtendedMS = on;
- break;
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+ ss->opt.enableExtendedMS = on;
+ break;
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- ss->opt.enableSignedCertTimestamps = on;
- break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ ss->opt.enableSignedCertTimestamps = on;
+ break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
}
/* We can't use the macros for releasing the locks here,
@@ -870,8 +894,8 @@ SECStatus
SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
{
sslSocket *ss = ssl_FindSocket(fd);
- SECStatus rv = SECSuccess;
- PRBool on = PR_FALSE;
+ SECStatus rv = SECSuccess;
+ PRBool on = PR_FALSE;
if (!pOn) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -887,52 +911,100 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
ssl_GetSSL3HandshakeLock(ss);
switch (which) {
- case SSL_SOCKS: on = PR_FALSE; break;
- case SSL_SECURITY: on = ss->opt.useSecurity; break;
- case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
- case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
- case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break;
- case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break;
- case SSL_ENABLE_TLS:
- on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
- break;
- case SSL_ENABLE_SSL3:
- on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
- break;
- case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break;
- case SSL_NO_CACHE: on = ss->opt.noCache; break;
- case SSL_ENABLE_FDX: on = ss->opt.fdx; break;
- case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break;
- case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break;
- case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break;
- case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break;
- case SSL_NO_LOCKS: on = ss->opt.noLocks; break;
- case SSL_ENABLE_SESSION_TICKETS:
- on = ss->opt.enableSessionTickets;
- break;
- case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break;
- case SSL_ENABLE_RENEGOTIATION:
- on = ss->opt.enableRenegotiation; break;
- case SSL_REQUIRE_SAFE_NEGOTIATION:
- on = ss->opt.requireSafeNegotiation; break;
- case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
- case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
- case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
- case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break;
- case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break;
- case SSL_REUSE_SERVER_ECDHE_KEY:
- on = ss->opt.reuseServerECDHEKey; break;
- case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
- case SSL_ENABLE_SERVER_DHE: on = ss->opt.enableServerDhe; break;
- case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- on = ss->opt.enableExtendedMS; break;
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- on = ss->opt.enableSignedCertTimestamps;
- break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
+ case SSL_SOCKS:
+ on = PR_FALSE;
+ break;
+ case SSL_SECURITY:
+ on = ss->opt.useSecurity;
+ break;
+ case SSL_REQUEST_CERTIFICATE:
+ on = ss->opt.requestCertificate;
+ break;
+ case SSL_REQUIRE_CERTIFICATE:
+ on = ss->opt.requireCertificate;
+ break;
+ case SSL_HANDSHAKE_AS_CLIENT:
+ on = ss->opt.handshakeAsClient;
+ break;
+ case SSL_HANDSHAKE_AS_SERVER:
+ on = ss->opt.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+ break;
+ case SSL_ENABLE_SSL2:
+ on = ss->opt.enableSSL2;
+ break;
+ case SSL_NO_CACHE:
+ on = ss->opt.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ss->opt.fdx;
+ break;
+ case SSL_V2_COMPATIBLE_HELLO:
+ on = ss->opt.v2CompatibleHello;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ss->opt.detectRollBack;
+ break;
+ case SSL_NO_STEP_DOWN:
+ on = ss->opt.noStepDown;
+ break;
+ case SSL_BYPASS_PKCS11:
+ on = ss->opt.bypassPKCS11;
+ break;
+ case SSL_NO_LOCKS:
+ on = ss->opt.noLocks;
+ break;
+ case SSL_ENABLE_SESSION_TICKETS:
+ on = ss->opt.enableSessionTickets;
+ break;
+ case SSL_ENABLE_DEFLATE:
+ on = ss->opt.enableDeflate;
+ break;
+ case SSL_ENABLE_RENEGOTIATION:
+ on = ss->opt.enableRenegotiation;
+ break;
+ case SSL_REQUIRE_SAFE_NEGOTIATION:
+ on = ss->opt.requireSafeNegotiation;
+ break;
+ case SSL_ENABLE_FALSE_START:
+ on = ss->opt.enableFalseStart;
+ break;
+ case SSL_CBC_RANDOM_IV:
+ on = ss->opt.cbcRandomIV;
+ break;
+ case SSL_ENABLE_OCSP_STAPLING:
+ on = ss->opt.enableOCSPStapling;
+ break;
+ case SSL_ENABLE_NPN:
+ on = ss->opt.enableNPN;
+ break;
+ case SSL_ENABLE_ALPN:
+ on = ss->opt.enableALPN;
+ break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ on = ss->opt.reuseServerECDHEKey;
+ break;
+ case SSL_ENABLE_FALLBACK_SCSV:
+ on = ss->opt.enableFallbackSCSV;
+ break;
+ case SSL_ENABLE_SERVER_DHE:
+ on = ss->opt.enableServerDhe;
+ break;
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+ on = ss->opt.enableExtendedMS;
+ break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ on = ss->opt.enableSignedCertTimestamps;
+ break;
+
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
}
ssl_ReleaseSSL3HandshakeLock(ss);
@@ -945,8 +1017,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
SECStatus
SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
{
- SECStatus rv = SECSuccess;
- PRBool on = PR_FALSE;
+ SECStatus rv = SECSuccess;
+ PRBool on = PR_FALSE;
if (!pOn) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -956,61 +1028,100 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
ssl_SetDefaultsFromEnvironment();
switch (which) {
- case SSL_SOCKS: on = PR_FALSE; break;
- case SSL_SECURITY: on = ssl_defaults.useSecurity; break;
- case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
- case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
- case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break;
- case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break;
- case SSL_ENABLE_TLS:
- on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
- break;
- case SSL_ENABLE_SSL3:
- on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
- break;
- case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break;
- case SSL_NO_CACHE: on = ssl_defaults.noCache; break;
- case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break;
- case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break;
- case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break;
- case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break;
- case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break;
- case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break;
- case SSL_ENABLE_SESSION_TICKETS:
- on = ssl_defaults.enableSessionTickets;
- break;
- case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break;
- case SSL_ENABLE_RENEGOTIATION:
- on = ssl_defaults.enableRenegotiation; break;
- case SSL_REQUIRE_SAFE_NEGOTIATION:
- on = ssl_defaults.requireSafeNegotiation;
- break;
- case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break;
- case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break;
- case SSL_ENABLE_OCSP_STAPLING:
- on = ssl_defaults.enableOCSPStapling;
- break;
- case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break;
- case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break;
- case SSL_REUSE_SERVER_ECDHE_KEY:
- on = ssl_defaults.reuseServerECDHEKey;
- break;
- case SSL_ENABLE_FALLBACK_SCSV:
- on = ssl_defaults.enableFallbackSCSV;
- break;
- case SSL_ENABLE_SERVER_DHE:
- on = ssl_defaults.enableServerDhe;
- break;
- case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- on = ssl_defaults.enableExtendedMS;
- break;
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- on = ssl_defaults.enableSignedCertTimestamps;
- break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
+ case SSL_SOCKS:
+ on = PR_FALSE;
+ break;
+ case SSL_SECURITY:
+ on = ssl_defaults.useSecurity;
+ break;
+ case SSL_REQUEST_CERTIFICATE:
+ on = ssl_defaults.requestCertificate;
+ break;
+ case SSL_REQUIRE_CERTIFICATE:
+ on = ssl_defaults.requireCertificate;
+ break;
+ case SSL_HANDSHAKE_AS_CLIENT:
+ on = ssl_defaults.handshakeAsClient;
+ break;
+ case SSL_HANDSHAKE_AS_SERVER:
+ on = ssl_defaults.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+ break;
+ case SSL_ENABLE_SSL2:
+ on = ssl_defaults.enableSSL2;
+ break;
+ case SSL_NO_CACHE:
+ on = ssl_defaults.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ssl_defaults.fdx;
+ break;
+ case SSL_V2_COMPATIBLE_HELLO:
+ on = ssl_defaults.v2CompatibleHello;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ssl_defaults.detectRollBack;
+ break;
+ case SSL_NO_STEP_DOWN:
+ on = ssl_defaults.noStepDown;
+ break;
+ case SSL_BYPASS_PKCS11:
+ on = ssl_defaults.bypassPKCS11;
+ break;
+ case SSL_NO_LOCKS:
+ on = ssl_defaults.noLocks;
+ break;
+ case SSL_ENABLE_SESSION_TICKETS:
+ on = ssl_defaults.enableSessionTickets;
+ break;
+ case SSL_ENABLE_DEFLATE:
+ on = ssl_defaults.enableDeflate;
+ break;
+ case SSL_ENABLE_RENEGOTIATION:
+ on = ssl_defaults.enableRenegotiation;
+ break;
+ case SSL_REQUIRE_SAFE_NEGOTIATION:
+ on = ssl_defaults.requireSafeNegotiation;
+ break;
+ case SSL_ENABLE_FALSE_START:
+ on = ssl_defaults.enableFalseStart;
+ break;
+ case SSL_CBC_RANDOM_IV:
+ on = ssl_defaults.cbcRandomIV;
+ break;
+ case SSL_ENABLE_OCSP_STAPLING:
+ on = ssl_defaults.enableOCSPStapling;
+ break;
+ case SSL_ENABLE_NPN:
+ on = ssl_defaults.enableNPN;
+ break;
+ case SSL_ENABLE_ALPN:
+ on = ssl_defaults.enableALPN;
+ break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ on = ssl_defaults.reuseServerECDHEKey;
+ break;
+ case SSL_ENABLE_FALLBACK_SCSV:
+ on = ssl_defaults.enableFallbackSCSV;
+ break;
+ case SSL_ENABLE_SERVER_DHE:
+ on = ssl_defaults.enableServerDhe;
+ break;
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+ on = ssl_defaults.enableExtendedMS;
+ break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ on = ssl_defaults.enableSignedCertTimestamps;
+ break;
+
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
}
*pOn = on;
@@ -1036,175 +1147,182 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
ssl_SetDefaultsFromEnvironment();
switch (which) {
- case SSL_SOCKS:
- ssl_defaults.useSocks = PR_FALSE;
- if (on) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- break;
+ case SSL_SOCKS:
+ ssl_defaults.useSocks = PR_FALSE;
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ break;
- case SSL_SECURITY:
- ssl_defaults.useSecurity = on;
- break;
+ case SSL_SECURITY:
+ ssl_defaults.useSecurity = on;
+ break;
- case SSL_REQUEST_CERTIFICATE:
- ssl_defaults.requestCertificate = on;
- break;
+ case SSL_REQUEST_CERTIFICATE:
+ ssl_defaults.requestCertificate = on;
+ break;
- case SSL_REQUIRE_CERTIFICATE:
- ssl_defaults.requireCertificate = on;
- break;
+ case SSL_REQUIRE_CERTIFICATE:
+ ssl_defaults.requireCertificate = on;
+ break;
- case SSL_HANDSHAKE_AS_CLIENT:
- if ( ssl_defaults.handshakeAsServer && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- ssl_defaults.handshakeAsClient = on;
- break;
+ case SSL_HANDSHAKE_AS_CLIENT:
+ if (ssl_defaults.handshakeAsServer && on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ ssl_defaults.handshakeAsClient = on;
+ break;
- case SSL_HANDSHAKE_AS_SERVER:
- if ( ssl_defaults.handshakeAsClient && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- ssl_defaults.handshakeAsServer = on;
- break;
+ case SSL_HANDSHAKE_AS_SERVER:
+ if (ssl_defaults.handshakeAsClient && on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ ssl_defaults.handshakeAsServer = on;
+ break;
- case SSL_ENABLE_TLS:
- ssl_EnableTLS(&versions_defaults_stream, on);
- break;
+ case SSL_ENABLE_TLS:
+ ssl_EnableTLS(&versions_defaults_stream, on);
+ break;
- case SSL_ENABLE_SSL3:
- ssl_EnableSSL3(&versions_defaults_stream, on);
- break;
+ case SSL_ENABLE_SSL3:
+ ssl_EnableSSL3(&versions_defaults_stream, on);
+ break;
- case SSL_ENABLE_SSL2:
- ssl_defaults.enableSSL2 = on;
- if (on) {
- ssl_defaults.v2CompatibleHello = on;
- }
- break;
+ case SSL_ENABLE_SSL2:
+ if (on) {
+ /* don't turn it on if ssl2 disallowed by by policy */
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
+ SSL_LIBRARY_VERSION_2)) {
+ break;
+ }
+ }
+ ssl_defaults.enableSSL2 = on;
+ if (on) {
+ ssl_defaults.v2CompatibleHello = on;
+ }
+ break;
- case SSL_NO_CACHE:
- ssl_defaults.noCache = on;
- break;
+ case SSL_NO_CACHE:
+ ssl_defaults.noCache = on;
+ break;
- case SSL_ENABLE_FDX:
- if (on && ssl_defaults.noLocks) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- ssl_defaults.fdx = on;
- break;
+ case SSL_ENABLE_FDX:
+ if (on && ssl_defaults.noLocks) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ ssl_defaults.fdx = on;
+ break;
- case SSL_V2_COMPATIBLE_HELLO:
- ssl_defaults.v2CompatibleHello = on;
- if (!on) {
- ssl_defaults.enableSSL2 = on;
- }
- break;
+ case SSL_V2_COMPATIBLE_HELLO:
+ ssl_defaults.v2CompatibleHello = on;
+ if (!on) {
+ ssl_defaults.enableSSL2 = on;
+ }
+ break;
- case SSL_ROLLBACK_DETECTION:
- ssl_defaults.detectRollBack = on;
- break;
+ case SSL_ROLLBACK_DETECTION:
+ ssl_defaults.detectRollBack = on;
+ break;
- case SSL_NO_STEP_DOWN:
- ssl_defaults.noStepDown = on;
- if (on)
- SSL_DisableDefaultExportCipherSuites();
- break;
+ case SSL_NO_STEP_DOWN:
+ ssl_defaults.noStepDown = on;
+ if (on)
+ SSL_DisableDefaultExportCipherSuites();
+ break;
- case SSL_BYPASS_PKCS11:
- if (PR_FALSE != on) {
- if (PR_SUCCESS == SSL_BypassSetup()) {
+ case SSL_BYPASS_PKCS11:
+ if (PR_FALSE != on) {
+ if (PR_SUCCESS == SSL_BypassSetup()) {
#ifdef NO_PKCS11_BYPASS
- ssl_defaults.bypassPKCS11 = PR_FALSE;
+ ssl_defaults.bypassPKCS11 = PR_FALSE;
#else
- ssl_defaults.bypassPKCS11 = on;
+ ssl_defaults.bypassPKCS11 = on;
#endif
+ } else {
+ return SECFailure;
+ }
} else {
- return SECFailure;
+ ssl_defaults.bypassPKCS11 = PR_FALSE;
}
- } else {
- ssl_defaults.bypassPKCS11 = PR_FALSE;
- }
- break;
+ break;
- case SSL_NO_LOCKS:
- if (on && ssl_defaults.fdx) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (on && ssl_force_locks)
- on = PR_FALSE; /* silent override */
- ssl_defaults.noLocks = on;
- if (on) {
- locksEverDisabled = PR_TRUE;
- strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
- }
- break;
+ case SSL_NO_LOCKS:
+ if (on && ssl_defaults.fdx) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ if (on && ssl_force_locks)
+ on = PR_FALSE; /* silent override */
+ ssl_defaults.noLocks = on;
+ if (on) {
+ locksEverDisabled = PR_TRUE;
+ strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
+ }
+ break;
- case SSL_ENABLE_SESSION_TICKETS:
- ssl_defaults.enableSessionTickets = on;
- break;
+ case SSL_ENABLE_SESSION_TICKETS:
+ ssl_defaults.enableSessionTickets = on;
+ break;
- case SSL_ENABLE_DEFLATE:
- ssl_defaults.enableDeflate = on;
- break;
+ case SSL_ENABLE_DEFLATE:
+ ssl_defaults.enableDeflate = on;
+ break;
- case SSL_ENABLE_RENEGOTIATION:
- ssl_defaults.enableRenegotiation = on;
- break;
+ case SSL_ENABLE_RENEGOTIATION:
+ ssl_defaults.enableRenegotiation = on;
+ break;
- case SSL_REQUIRE_SAFE_NEGOTIATION:
- ssl_defaults.requireSafeNegotiation = on;
- break;
+ case SSL_REQUIRE_SAFE_NEGOTIATION:
+ ssl_defaults.requireSafeNegotiation = on;
+ break;
- case SSL_ENABLE_FALSE_START:
- ssl_defaults.enableFalseStart = on;
- break;
+ case SSL_ENABLE_FALSE_START:
+ ssl_defaults.enableFalseStart = on;
+ break;
- case SSL_CBC_RANDOM_IV:
- ssl_defaults.cbcRandomIV = on;
- break;
+ case SSL_CBC_RANDOM_IV:
+ ssl_defaults.cbcRandomIV = on;
+ break;
- case SSL_ENABLE_OCSP_STAPLING:
- ssl_defaults.enableOCSPStapling = on;
- break;
+ case SSL_ENABLE_OCSP_STAPLING:
+ ssl_defaults.enableOCSPStapling = on;
+ break;
- case SSL_ENABLE_NPN:
- ssl_defaults.enableNPN = on;
- break;
+ case SSL_ENABLE_NPN:
+ ssl_defaults.enableNPN = on;
+ break;
- case SSL_ENABLE_ALPN:
- ssl_defaults.enableALPN = on;
- break;
+ case SSL_ENABLE_ALPN:
+ ssl_defaults.enableALPN = on;
+ break;
- case SSL_REUSE_SERVER_ECDHE_KEY:
- ssl_defaults.reuseServerECDHEKey = on;
- break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ ssl_defaults.reuseServerECDHEKey = on;
+ break;
- case SSL_ENABLE_FALLBACK_SCSV:
- ssl_defaults.enableFallbackSCSV = on;
- break;
+ case SSL_ENABLE_FALLBACK_SCSV:
+ ssl_defaults.enableFallbackSCSV = on;
+ break;
- case SSL_ENABLE_SERVER_DHE:
- ssl_defaults.enableServerDhe = on;
- break;
+ case SSL_ENABLE_SERVER_DHE:
+ ssl_defaults.enableServerDhe = on;
+ break;
- case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- ssl_defaults.enableExtendedMS = on;
- break;
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+ ssl_defaults.enableExtendedMS = on;
+ break;
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- ssl_defaults.enableSignedCertTimestamps = on;
- break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ ssl_defaults.enableSignedCertTimestamps = on;
+ break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
return SECSuccess;
}
@@ -1214,12 +1332,12 @@ static PRBool
ssl_IsRemovedCipherSuite(PRInt32 suite)
{
switch (suite) {
- case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
- case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
- case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
- return PR_TRUE;
- default:
- return PR_FALSE;
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+ case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+ case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
+ return PR_TRUE;
+ default:
+ return PR_FALSE;
}
}
@@ -1243,13 +1361,9 @@ SSL_SetPolicy(long which, int policy)
}
SECStatus
-SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
+ssl_CipherPolicySet(PRInt32 which, PRInt32 policy)
{
- SECStatus rv = ssl_Init();
-
- if (rv != SECSuccess) {
- return rv;
- }
+ SECStatus rv = SECSuccess;
if (ssl_IsRemovedCipherSuite(which)) {
rv = SECSuccess;
@@ -1260,6 +1374,16 @@ SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
}
return rv;
}
+SECStatus
+SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
+{
+ SECStatus rv = ssl_Init();
+
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ return ssl_CipherPolicySet(which, policy);
+}
SECStatus
SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
@@ -1302,13 +1426,9 @@ SSL_EnableCipher(long which, PRBool enabled)
}
SECStatus
-SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
+ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
{
- SECStatus rv = ssl_Init();
-
- if (rv != SECSuccess) {
- return rv;
- }
+ SECStatus rv = SECSuccess;
if (ssl_IsRemovedCipherSuite(which))
return SECSuccess;
@@ -1325,9 +1445,20 @@ SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
}
SECStatus
+SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
+{
+ SECStatus rv = ssl_Init();
+
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ return ssl_CipherPrefSetDefault(which, enabled);
+}
+
+SECStatus
SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
{
- SECStatus rv;
+ SECStatus rv;
if (!enabled) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1374,9 +1505,9 @@ SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len)
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(),
- fd));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(),
+ fd));
+ return SECFailure;
}
return ssl3_CipherOrderSet(ss, ciphers, len);
}
@@ -1384,7 +1515,7 @@ SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len)
SECStatus
SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
{
- SECStatus rv;
+ SECStatus rv;
sslSocket *ss = ssl_FindSocket(fd);
if (!enabled) {
@@ -1410,8 +1541,16 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
SECStatus
NSS_SetDomesticPolicy(void)
{
- SECStatus status = SECSuccess;
+ SECStatus status = SECSuccess;
const PRUint16 *cipher;
+ SECStatus rv;
+ PRUint32 policy;
+
+ /* If we've already defined some policy oids, skip changing them */
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy);
+ if ((rv == SECSuccess) && (policy & NSS_USE_POLICY_IN_SSL)) {
+ return ssl_Init(); /* make sure the policies have bee loaded */
svaldez 2016/04/01 19:50:01 *been
+ }
for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
@@ -1469,7 +1608,6 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd,
return SECSuccess;
}
-
PRCallOnceType gWeakDHParamsRegisterOnce;
int gWeakDHParamsRegisterError;
@@ -1498,7 +1636,7 @@ ssl3_CreateWeakDHParams(void)
rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed);
if (rv != SECSuccess || passed != SECSuccess) {
SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams",
- SSL_GETPID()));
+ SSL_GETPID()));
gWeakDHParamsError = PORT_GetError();
return PR_FAILURE;
}
@@ -1577,21 +1715,22 @@ SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled)
SECStatus
SSL_GetChannelBinding(PRFileDesc *fd,
- SSLChannelBindingType binding_type,
- unsigned char *out,
- unsigned int *outLen,
- unsigned int outLenMax) {
+ SSLChannelBindingType binding_type,
+ unsigned char *out,
+ unsigned int *outLen,
+ unsigned int outLenMax)
+{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding",
- SSL_GETPID(), fd));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding",
+ SSL_GETPID(), fd));
+ return SECFailure;
}
if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return SECFailure;
+ PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+ return SECFailure;
}
return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax);
@@ -1636,11 +1775,11 @@ ssl3_SelectDHParams(sslSocket *ss)
} else {
if (ss->ssl3.dheGroups) {
selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups,
- ss->ssl3.numDHEGroups);
+ ss->ssl3.numDHEGroups);
} else {
size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_groups);
selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups,
- number_of_default_groups);
+ number_of_default_groups);
}
if (selectedGroup == ssl_dhe_group_none ||
@@ -1658,10 +1797,10 @@ ssl3_SelectDHParams(sslSocket *ss)
static PRFileDesc *
ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
{
- sslSocket * ns = NULL;
- PRStatus rv;
- PRNetAddr addr;
- SECStatus status = ssl_Init();
+ sslSocket *ns = NULL;
+ PRStatus rv;
+ PRNetAddr addr;
+ SECStatus status = ssl_Init();
if (status != SECSuccess) {
return NULL;
@@ -1671,10 +1810,10 @@ ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
/* Just create a default socket if we're given NULL for the model */
ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant);
} else {
- sslSocket * ss = ssl_FindSocket(model);
+ sslSocket *ss = ssl_FindSocket(model);
if (ss == NULL || ss->protocolVariant != variant) {
SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD",
- SSL_GETPID(), model));
+ SSL_GETPID(), model));
return NULL;
}
ns = ssl_DupSocket(ss);
@@ -1690,7 +1829,7 @@ ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
}
#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
{
- sslSocket * ss = ssl_FindSocket(fd);
+ sslSocket *ss = ssl_FindSocket(fd);
PORT_Assert(ss == ns);
}
#endif
@@ -1755,11 +1894,11 @@ ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd,
}
/* For each protocol in server preference, see if we support it. */
- for (i = 0; i < protos_len; ) {
- for (j = 0; j < ss->opt.nextProtoNego.len; ) {
+ for (i = 0; i < protos_len;) {
+ for (j = 0; j < ss->opt.nextProtoNego.len;) {
if (protos[i] == ss->opt.nextProtoNego.data[j] &&
- PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1],
- protos[i]) == 0) {
+ PORT_Memcmp(&protos[i + 1], &ss->opt.nextProtoNego.data[j + 1],
+ protos[i]) == 0) {
/* We found a match. */
ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
result = &protos[i];
@@ -1793,7 +1932,7 @@ SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
{
sslSocket *ss;
SECStatus rv;
- SECItem dataItem = { siBuffer, (unsigned char *) data, length };
+ SECItem dataItem = { siBuffer, (unsigned char *)data, length };
ss = ssl_FindSocket(fd);
if (!ss) {
@@ -1850,9 +1989,10 @@ SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf,
return SECSuccess;
}
-SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
- const PRUint16 *ciphers,
- unsigned int numCiphers)
+SECStatus
+SSL_SetSRTPCiphers(PRFileDesc *fd,
+ const PRUint16 *ciphers,
+ unsigned int numCiphers)
{
sslSocket *ss;
unsigned int i;
@@ -1884,8 +2024,9 @@ SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
ciphers[i];
} else {
SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher "
- "suite specified: 0x%04hx", SSL_GETPID(), fd,
- ciphers[i]));
+ "suite specified: 0x%04hx",
+ SSL_GETPID(), fd,
+ ciphers[i]));
}
}
@@ -1900,7 +2041,7 @@ SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
SECStatus
SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher)
{
- sslSocket * ss;
+ sslSocket *ss;
ss = ssl_FindSocket(fd);
if (!ss) {
@@ -1922,10 +2063,10 @@ SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher)
PRFileDesc *
SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
{
- sslSocket * sm = NULL, *ss = NULL;
+ sslSocket *sm = NULL, *ss = NULL;
int i;
- sslServerCerts * mc = NULL;
- sslServerCerts * sc = NULL;
+ sslServerCerts *mc = NULL;
+ sslServerCerts *sc = NULL;
if (model == NULL) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
@@ -1944,7 +2085,7 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
return NULL;
}
- ss->opt = sm->opt;
+ ss->opt = sm->opt;
ss->vrange = sm->vrange;
PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites);
PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers,
@@ -1952,8 +2093,9 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount;
PORT_Memcpy(ss->ssl3.signatureAlgorithms, sm->ssl3.signatureAlgorithms,
sizeof(ss->ssl3.signatureAlgorithms[0]) *
- sm->ssl3.signatureAlgorithmCount);
+ sm->ssl3.signatureAlgorithmCount);
ss->ssl3.signatureAlgorithmCount = sm->ssl3.signatureAlgorithmCount;
+ ss->ssl3.downgradeCheckVersion = sm->ssl3.downgradeCheckVersion;
if (!ss->opt.useSecurity) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1962,14 +2104,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
/* This int should be SSLKEAType, but CC on Irix complains,
* during the for loop.
*/
- for (i=kt_null; i < kt_kea_size; i++) {
+ for (i = kt_null; i < kt_kea_size; i++) {
mc = &(sm->serverCerts[i]);
sc = &(ss->serverCerts[i]);
if (mc->serverCert && mc->serverCertChain) {
if (sc->serverCert) {
CERT_DestroyCertificate(sc->serverCert);
}
- sc->serverCert = CERT_DupCertificate(mc->serverCert);
+ sc->serverCert = CERT_DupCertificate(mc->serverCert);
if (sc->serverCertChain) {
CERT_DestroyCertificateList(sc->serverCertChain);
}
@@ -1985,6 +2127,17 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
if (!ss->certStatusArray[i])
goto loser;
}
+ if (sm->signedCertTimestamps[i].data) {
+ if (ss->signedCertTimestamps[i].data) {
+ SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE);
+ }
+ if (SECITEM_CopyItem(NULL,
+ &ss->signedCertTimestamps[i],
+ &sm->signedCertTimestamps[i]) !=
+ SECSuccess) {
+ goto loser;
+ }
+ }
}
if (mc->serverKeyPair) {
if (sc->serverKeyPair) {
@@ -2019,58 +2172,148 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
}
if (sm->authCertificate)
- ss->authCertificate = sm->authCertificate;
+ ss->authCertificate = sm->authCertificate;
if (sm->authCertificateArg)
- ss->authCertificateArg = sm->authCertificateArg;
+ ss->authCertificateArg = sm->authCertificateArg;
if (sm->getClientAuthData)
- ss->getClientAuthData = sm->getClientAuthData;
+ ss->getClientAuthData = sm->getClientAuthData;
if (sm->getClientAuthDataArg)
- ss->getClientAuthDataArg = sm->getClientAuthDataArg;
-#ifdef NSS_PLATFORM_CLIENT_AUTH
- if (sm->getPlatformClientAuthData)
- ss->getPlatformClientAuthData = sm->getPlatformClientAuthData;
- if (sm->getPlatformClientAuthDataArg)
- ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg;
-#endif
+ ss->getClientAuthDataArg = sm->getClientAuthDataArg;
if (sm->sniSocketConfig)
- ss->sniSocketConfig = sm->sniSocketConfig;
+ ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
- ss->sniSocketConfigArg = sm->sniSocketConfigArg;
+ ss->sniSocketConfigArg = sm->sniSocketConfigArg;
if (sm->handleBadCert)
- ss->handleBadCert = sm->handleBadCert;
+ ss->handleBadCert = sm->handleBadCert;
if (sm->badCertArg)
- ss->badCertArg = sm->badCertArg;
+ ss->badCertArg = sm->badCertArg;
if (sm->handshakeCallback)
- ss->handshakeCallback = sm->handshakeCallback;
+ ss->handshakeCallback = sm->handshakeCallback;
if (sm->handshakeCallbackData)
ss->handshakeCallbackData = sm->handshakeCallbackData;
if (sm->pkcs11PinArg)
- ss->pkcs11PinArg = sm->pkcs11PinArg;
+ ss->pkcs11PinArg = sm->pkcs11PinArg;
if (sm->getChannelID)
- ss->getChannelID = sm->getChannelID;
+ ss->getChannelID = sm->getChannelID;
if (sm->getChannelIDArg)
- ss->getChannelIDArg = sm->getChannelIDArg;
+ ss->getChannelIDArg = sm->getChannelIDArg;
return fd;
loser:
return NULL;
}
+/*
+ * Get the user supplied range
+ */
+static SECStatus
+ssl3_GetRangePolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *prange)
+{
+ SECStatus rv;
+ PRUint32 policy;
+ PRInt32 option;
+
+ /* only use policy constraints if we've set the apply ssl policy bit */
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy);
+ if ((rv != SECSuccess) || !(policy & NSS_USE_POLICY_IN_SSL)) {
+ return SECFailure;
+ }
+ rv = NSS_OptionGet(VERSIONS_POLICY_MIN(protocolVariant), &option);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ prange->min = (PRUint16)option;
+ rv = NSS_OptionGet(VERSIONS_POLICY_MAX(protocolVariant), &option);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ prange->max = (PRUint16)option;
+ if (prange->max < prange->min) {
+ return SECFailure; /* don't accept an invalid policy */
+ }
+ return SECSuccess;
+}
+
+/*
+ * Constrain a single protocol variant's range based on the user policy
+ */
+static SECStatus
+ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
+{
+ SSLVersionRange vrange;
+ SSLVersionRange pvrange;
+ SECStatus rv;
+
+ vrange = *VERSIONS_DEFAULTS(protocolVariant);
+ rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
+ if (rv != SECSuccess) {
+ return SECSuccess; /* we don't have any policy */
+ }
+ vrange.min = PR_MAX(vrange.min, pvrange.min);
+ vrange.max = PR_MIN(vrange.max, pvrange.max);
+ if (vrange.max >= vrange.min) {
+ *VERSIONS_DEFAULTS(protocolVariant) = vrange;
+ } else {
+ /* there was no overlap, turn off range altogether */
+ pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
+ *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
+ }
+ return SECSuccess;
+}
+
+static PRBool
+ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
+ SSL3ProtocolVersion version)
+{
+ SSLVersionRange pvrange;
+ SECStatus rv;
+
+ rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
+ if (rv == SECSuccess) {
+ if ((version > pvrange.max) || (version < pvrange.min)) {
+ return PR_FALSE; /* disallowed by policy */
+ }
+ }
+ return PR_TRUE;
+}
+
+/*
+ * This is called at SSL init time to constrain the existing range based
+ * on user supplied policy.
+ */
+SECStatus
+ssl3_ConstrainRangeByPolicy(void)
+{
+ SECStatus rv;
+ rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ return SECSuccess;
+}
+
PRBool
ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
SSL3ProtocolVersion version)
{
- switch (protocolVariant) {
- case ssl_variant_stream:
- return (version >= SSL_LIBRARY_VERSION_3_0 &&
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
- case ssl_variant_datagram:
- return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
- default:
- /* Can't get here */
- PORT_Assert(PR_FALSE);
+ if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
return PR_FALSE;
}
+ switch (protocolVariant) {
+ case ssl_variant_stream:
+ return (version >= SSL_LIBRARY_VERSION_3_0 &&
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
+ case ssl_variant_datagram:
+ return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
+ default:
+ /* Can't get here */
+ PORT_Assert(PR_FALSE);
+ return PR_FALSE;
+ }
}
/* Returns PR_TRUE if the given version range is valid and
@@ -2086,6 +2329,29 @@ ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
ssl3_VersionIsSupported(protocolVariant, vrange->max);
}
+const SECItem *
+SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
+{
+ sslSocket *ss = ssl_FindSocket(fd);
+
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
+ SSL_GETPID(), fd));
+ return NULL;
+ }
+
+ if (!ss->sec.ci.sid) {
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return NULL;
+ }
+
+ if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ return NULL;
+ }
+ return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
+}
+
SECStatus
SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
SSLVersionRange *vrange)
@@ -2096,17 +2362,17 @@ SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
}
switch (protocolVariant) {
- case ssl_variant_stream:
- vrange->min = SSL_LIBRARY_VERSION_3_0;
- vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
- break;
- case ssl_variant_datagram:
- vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
- vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ case ssl_variant_stream:
+ vrange->min = SSL_LIBRARY_VERSION_3_0;
+ vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
+ break;
+ case ssl_variant_datagram:
+ vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
+ vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
return SECSuccess;
@@ -2117,7 +2383,8 @@ SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
SSLVersionRange *vrange)
{
if ((protocolVariant != ssl_variant_stream &&
- protocolVariant != ssl_variant_datagram) || !vrange) {
+ protocolVariant != ssl_variant_datagram) ||
+ !vrange) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -2147,8 +2414,8 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet",
- SSL_GETPID(), fd));
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeGet",
+ SSL_GETPID(), fd));
return SECFailure;
}
@@ -2168,32 +2435,14 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
return SECSuccess;
}
-static PRCallOnceType checkTLS12TokenOnce;
-static PRBool tls12TokenExists;
-
-static PRStatus
-ssl_CheckTLS12Token(void)
-{
- tls12TokenExists =
- PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256);
- return PR_SUCCESS;
-}
-
-static PRBool
-ssl_TLS12TokenExists(void)
-{
- (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token);
- return tls12TokenExists;
-}
-
SECStatus
SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet",
- SSL_GETPID(), fd));
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet",
+ SSL_GETPID(), fd));
return SECFailure;
}
@@ -2205,78 +2454,84 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
ssl_Get1stHandshakeLock(ss);
ssl_GetSSL3HandshakeLock(ss);
- ss->vrange = *vrange;
- /* If we don't have a sufficiently up-to-date softoken then we cannot do
- * TLS 1.2. */
- if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
- !ssl_TLS12TokenExists()) {
- /* If the user requested a minimum version of 1.2, then we don't
- * silently downgrade. */
- if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
- PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
- return SECFailure;
- }
- ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
+ if (ss->ssl3.downgradeCheckVersion &&
+ ss->vrange.max > ss->ssl3.downgradeCheckVersion) {
+ PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+ ssl_ReleaseSSL3HandshakeLock(ss);
+ ssl_Release1stHandshakeLock(ss);
+ return SECFailure;
}
+ ss->vrange = *vrange;
+
ssl_ReleaseSSL3HandshakeLock(ss);
ssl_Release1stHandshakeLock(ss);
return SECSuccess;
}
-const SECItemArray *
-SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
+SECStatus
+SSL_SetDowngradeCheckVersion(PRFileDesc *fd, PRUint16 version)
{
sslSocket *ss = ssl_FindSocket(fd);
+ SECStatus rv = SECFailure;
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses",
- SSL_GETPID(), fd));
- return NULL;
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetDowngradeCheckVersion",
+ SSL_GETPID(), fd));
+ return SECFailure;
}
- if (!ss->sec.ci.sid) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return NULL;
+ if (version && !ssl3_VersionIsSupported(ss->protocolVariant, version)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
- return &ss->sec.ci.sid->peerCertStatus;
+ ssl_Get1stHandshakeLock(ss);
+ ssl_GetSSL3HandshakeLock(ss);
+
+ if (version && version < ss->vrange.max) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ ss->ssl3.downgradeCheckVersion = version;
+ rv = SECSuccess;
+
+loser:
+ ssl_ReleaseSSL3HandshakeLock(ss);
+ ssl_Release1stHandshakeLock(ss);
+
+ return rv;
}
-const SECItem *
-SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
+const SECItemArray *
+SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
- SSL_GETPID(), fd));
- return NULL;
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses",
+ SSL_GETPID(), fd));
+ return NULL;
}
if (!ss->sec.ci.sid) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return NULL;
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return NULL;
}
- if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
- PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
- return NULL;
- }
- return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
+ return &ss->sec.ci.sid->peerCertStatus;
}
SECStatus
-SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
+SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed)
+{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession",
- SSL_GETPID(), fd));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession",
+ SSL_GETPID(), fd));
+ return SECFailure;
}
*handshake_resumed = ss->ssl3.hs.isResuming;
@@ -2286,15 +2541,16 @@ SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
const SECItem *
SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
{
- sslSocket *ss = ssl_FindSocket(fd);
+ sslSocket *ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in "
- "SSL_GetRequestedClientCertificateTypes", SSL_GETPID(), fd));
- return NULL;
- }
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in "
+ "SSL_GetRequestedClientCertificateTypes",
+ SSL_GETPID(), fd));
+ return NULL;
+ }
- return ss->requestedCertTypes;
+ return ss->requestedCertTypes;
}
/************************************************************************/
@@ -2302,14 +2558,14 @@ SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
** They all get called through the NSPRIOMethods table below.
*/
-static PRFileDesc * PR_CALLBACK
+static PRFileDesc *PR_CALLBACK
ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
{
- sslSocket *ss;
- sslSocket *ns = NULL;
- PRFileDesc *newfd = NULL;
+ sslSocket *ss;
+ sslSocket *ns = NULL;
+ PRFileDesc *newfd = NULL;
PRFileDesc *osfd;
- PRStatus status;
+ PRStatus status;
ss = ssl_GetPrivate(fd);
if (!ss) {
@@ -2340,7 +2596,7 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
ssl_ReleaseSSL3HandshakeLock(ss);
ssl_Release1stHandshakeLock(ss);
SSL_UNLOCK_WRITER(ss);
- SSL_UNLOCK_READER(ss); /* ss isn't used below here. */
+ SSL_UNLOCK_READER(ss); /* ss isn't used below here. */
if (ns == NULL)
goto loser;
@@ -2353,8 +2609,8 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
/* Now start server connection handshake with client.
** Don't need locks here because nobody else has a reference to ns yet.
*/
- if ( ns->opt.useSecurity ) {
- if ( ns->opt.handshakeAsClient ) {
+ if (ns->opt.useSecurity) {
+ if (ns->opt.handshakeAsClient) {
ns->handshake = ssl2_BeginClientHandshake;
ss->handshaking = sslHandshakingAsClient;
} else {
@@ -2377,7 +2633,7 @@ static PRStatus PR_CALLBACK
ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
{
sslSocket *ss;
- PRStatus rv;
+ PRStatus rv;
ss = ssl_GetPrivate(fd);
if (!ss) {
@@ -2401,8 +2657,8 @@ ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
static PRStatus PR_CALLBACK
ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
{
- sslSocket * ss = ssl_GetPrivate(fd);
- PRStatus rv;
+ sslSocket *ss = ssl_GetPrivate(fd);
+ PRStatus rv;
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
@@ -2421,8 +2677,8 @@ ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
static PRStatus PR_CALLBACK
ssl_Listen(PRFileDesc *fd, PRIntn backlog)
{
- sslSocket * ss = ssl_GetPrivate(fd);
- PRStatus rv;
+ sslSocket *ss = ssl_GetPrivate(fd);
+ PRStatus rv;
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
@@ -2441,8 +2697,8 @@ ssl_Listen(PRFileDesc *fd, PRIntn backlog)
static PRStatus PR_CALLBACK
ssl_Shutdown(PRFileDesc *fd, PRIntn how)
{
- sslSocket * ss = ssl_GetPrivate(fd);
- PRStatus rv;
+ sslSocket *ss = ssl_GetPrivate(fd);
+ PRStatus rv;
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
@@ -2470,7 +2726,7 @@ static PRStatus PR_CALLBACK
ssl_Close(PRFileDesc *fd)
{
sslSocket *ss;
- PRStatus rv;
+ PRStatus rv;
ss = ssl_GetPrivate(fd);
if (!ss) {
@@ -2498,7 +2754,7 @@ ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
PRIntervalTime timeout)
{
sslSocket *ss;
- int rv;
+ int rv;
ss = ssl_GetPrivate(fd);
if (!ss) {
@@ -2509,7 +2765,7 @@ ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
ss->rTimeout = timeout;
if (!ss->opt.fdx)
ss->wTimeout = timeout;
- rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
+ rv = (*ss->ops->recv)(ss, (unsigned char *)buf, len, flags);
SSL_UNLOCK_READER(ss);
return rv;
}
@@ -2519,7 +2775,7 @@ ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
PRIntervalTime timeout)
{
sslSocket *ss;
- int rv;
+ int rv;
ss = ssl_GetPrivate(fd);
if (!ss) {
@@ -2530,7 +2786,7 @@ ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
ss->wTimeout = timeout;
if (!ss->opt.fdx)
ss->rTimeout = timeout;
- rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
+ rv = (*ss->ops->send)(ss, (const unsigned char *)buf, len, flags);
SSL_UNLOCK_WRITER(ss);
return rv;
}
@@ -2539,7 +2795,7 @@ static int PR_CALLBACK
ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
{
sslSocket *ss;
- int rv;
+ int rv;
ss = ssl_GetPrivate(fd);
if (!ss) {
@@ -2550,7 +2806,7 @@ ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
if (!ss->opt.fdx)
ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
- rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
+ rv = (*ss->ops->read)(ss, (unsigned char *)buf, len);
SSL_UNLOCK_READER(ss);
return rv;
}
@@ -2559,7 +2815,7 @@ static int PR_CALLBACK
ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
{
sslSocket *ss;
- int rv;
+ int rv;
ss = ssl_GetPrivate(fd);
if (!ss) {
@@ -2570,7 +2826,7 @@ ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
if (!ss->opt.fdx)
ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
- rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
+ rv = (*ss->ops->write)(ss, (const unsigned char *)buf, len);
SSL_UNLOCK_WRITER(ss);
return rv;
}
@@ -2593,9 +2849,9 @@ ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
SECStatus
ssl_GetPeerInfo(sslSocket *ss)
{
- PRFileDesc * osfd;
- int rv;
- PRNetAddr sin;
+ PRFileDesc *osfd;
+ int rv;
+ PRNetAddr sin;
osfd = ss->fd->lower;
@@ -2644,8 +2900,8 @@ SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses,
return SECFailure;
}
- if ( kea <= 0 || kea >= kt_kea_size) {
- SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses",
+ if (kea <= 0 || kea >= kt_kea_size) {
+ SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetStapledOCSPResponses",
SSL_GETPID(), fd));
return SECFailure;
}
@@ -2661,6 +2917,35 @@ SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses,
}
SECStatus
+SSL_SetSignedCertTimestamps(PRFileDesc *fd, const SECItem *scts, SSLKEAType kea)
+{
+ sslSocket *ss;
+
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSignedCertTimestamps",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ if (kea <= 0 || kea >= kt_kea_size) {
+ SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetSignedCertTimestamps",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ if (ss->signedCertTimestamps[kea].data) {
+ SECITEM_FreeItem(&ss->signedCertTimestamps[kea], PR_FALSE);
+ }
+
+ if (!scts) {
+ return SECSuccess;
+ }
+
+ return SECITEM_CopyItem(NULL, &ss->signedCertTimestamps[kea], scts);
+}
+
+SECStatus
SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID)
{
sslSocket *ss;
@@ -2687,15 +2972,15 @@ static PRInt16 PR_CALLBACK
ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
{
sslSocket *ss;
- PRInt16 new_flags = how_flags; /* should select on these flags. */
- PRNetAddr addr;
+ PRInt16 new_flags = how_flags; /* should select on these flags. */
+ PRNetAddr addr;
*p_out_flags = 0;
ss = ssl_GetPrivate(fd);
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
SSL_GETPID(), fd));
- return 0; /* don't poll on this socket */
+ return 0; /* don't poll on this socket */
}
if (ss->opt.useSecurity &&
@@ -2721,36 +3006,36 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
new_flags |= PR_POLL_READ;
}
} else
- /* First handshake is in progress */
- if (ss->lastWriteBlocked) {
+ /* First handshake is in progress */
+ if (ss->lastWriteBlocked) {
if (new_flags & PR_POLL_READ) {
/* The caller is waiting for data to be received,
** but the initial handshake is blocked on write, or the
** client's first handshake record has not been written.
** The code should select on write, not read.
*/
- new_flags ^= PR_POLL_READ; /* don't select on read. */
- new_flags |= PR_POLL_WRITE; /* do select on write. */
+ new_flags ^= PR_POLL_READ; /* don't select on read. */
+ new_flags |= PR_POLL_WRITE; /* do select on write. */
}
} else if (new_flags & PR_POLL_WRITE) {
- /* The caller is trying to write, but the handshake is
- ** blocked waiting for data to read, and the first
- ** handshake has been sent. So do NOT to poll on write
- ** unless we did false start.
- */
- if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
- ss->ssl3.hs.canFalseStart)) {
- new_flags ^= PR_POLL_WRITE; /* don't select on write. */
- }
- new_flags |= PR_POLL_READ; /* do select on read. */
+ /* The caller is trying to write, but the handshake is
+ ** blocked waiting for data to read, and the first
+ ** handshake has been sent. So do NOT to poll on write
+ ** unless we did false start.
+ */
+ if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+ ss->ssl3.hs.canFalseStart)) {
+ new_flags ^= PR_POLL_WRITE; /* don't select on write. */
+ }
+ new_flags |= PR_POLL_READ; /* do select on read. */
}
}
} else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
- *p_out_flags = PR_POLL_READ; /* it's ready already. */
+ *p_out_flags = PR_POLL_READ; /* it's ready already. */
return new_flags;
} else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
(ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
- new_flags |= PR_POLL_WRITE; /* also select on write. */
+ new_flags |= PR_POLL_WRITE; /* also select on write. */
}
if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
@@ -2782,8 +3067,8 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
}
if (new_flags && (fd->lower->methods->poll != NULL)) {
- PRInt16 lower_out_flags = 0;
- PRInt16 lower_new_flags;
+ PRInt16 lower_out_flags = 0;
+ PRInt16 lower_new_flags;
lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags,
&lower_out_flags);
if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
@@ -2796,7 +3081,7 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
new_flags = how_flags;
} else {
*p_out_flags = lower_out_flags;
- new_flags = lower_new_flags;
+ new_flags = lower_new_flags;
}
}
@@ -2821,14 +3106,13 @@ ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd,
return sd->methods->sendfile(sd, &sfd, flags, timeout);
}
-
PRBool
ssl_FdIsBlocking(PRFileDesc *fd)
{
PRSocketOptionData opt;
- PRStatus status;
+ PRStatus status;
- opt.option = PR_SockOpt_Nonblocking;
+ opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
status = PR_GetSocketOption(fd, &opt);
if (status != PR_SUCCESS)
@@ -2842,23 +3126,23 @@ ssl_SocketIsBlocking(sslSocket *ss)
return ssl_FdIsBlocking(ss->fd);
}
-PRInt32 sslFirstBufSize = 8 * 1024;
-PRInt32 sslCopyLimit = 1024;
+PRInt32 sslFirstBufSize = 8 * 1024;
+PRInt32 sslCopyLimit = 1024;
static PRInt32 PR_CALLBACK
ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
PRIntervalTime timeout)
{
- PRInt32 i;
- PRInt32 bufLen;
- PRInt32 left;
- PRInt32 rv;
- PRInt32 sent = 0;
- const PRInt32 first_len = sslFirstBufSize;
- const PRInt32 limit = sslCopyLimit;
- PRBool blocking;
- PRIOVec myIov = { 0, 0 };
- char buf[MAX_FRAGMENT_LENGTH];
+ PRInt32 i;
+ PRInt32 bufLen;
+ PRInt32 left;
+ PRInt32 rv;
+ PRInt32 sent = 0;
+ const PRInt32 first_len = sslFirstBufSize;
+ const PRInt32 limit = sslCopyLimit;
+ PRBool blocking;
+ PRIOVec myIov = { 0, 0 };
+ char buf[MAX_FRAGMENT_LENGTH];
if (vectors < 0) {
PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
@@ -2877,28 +3161,37 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
blocking = ssl_FdIsBlocking(fd);
#define K16 sizeof(buf)
-#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
-#define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
-#define HANDLE_ERR(rv, len) \
- if (rv != len) { \
- if (rv < 0) { \
- if (!blocking \
- && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
- && (sent > 0)) { \
- return sent; \
- } else { \
- return -1; \
- } \
- } \
+#define KILL_VECTORS \
+ while (vectors && !iov->iov_len) { \
+ ++iov; \
+ --vectors; \
+ }
+#define GET_VECTOR \
+ do { \
+ myIov = *iov++; \
+ --vectors; \
+ KILL_VECTORS \
+ } while (0)
+#define HANDLE_ERR(rv, len) \
+ if (rv != len) { \
+ if (rv < 0) { \
+ if (!blocking && \
+ (PR_GetError() == PR_WOULD_BLOCK_ERROR) && \
+ (sent > 0)) { \
+ return sent; \
+ } else { \
+ return -1; \
+ } \
+ } \
/* Only a nonblocking socket can have partial sends */ \
- PR_ASSERT(!blocking); \
- return sent + rv; \
+ PR_ASSERT(!blocking); \
+ return sent + rv; \
}
-#define SEND(bfr, len) \
- do { \
+#define SEND(bfr, len) \
+ do { \
rv = ssl_Send(fd, bfr, len, 0, timeout); \
- HANDLE_ERR(rv, len) \
- sent += len; \
+ HANDLE_ERR(rv, len) \
+ sent += len; \
} while (0)
/* Make sure the first write is at least 8 KB, if possible. */
@@ -2918,23 +3211,23 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
GET_VECTOR;
toCopy = PR_MIN(left, myIov.iov_len);
PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
- bufLen += toCopy;
- left -= toCopy;
+ bufLen += toCopy;
+ left -= toCopy;
myIov.iov_base += toCopy;
- myIov.iov_len -= toCopy;
+ myIov.iov_len -= toCopy;
}
- SEND( buf, bufLen );
+ SEND(buf, bufLen);
}
while (vectors || myIov.iov_len) {
- PRInt32 addLen;
+ PRInt32 addLen;
if (!myIov.iov_len) {
GET_VECTOR;
}
while (myIov.iov_len >= K16) {
SEND(myIov.iov_base, K16);
myIov.iov_base += K16;
- myIov.iov_len -= K16;
+ myIov.iov_len -= K16;
}
if (!myIov.iov_len)
continue;
@@ -2944,13 +3237,13 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
} else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
/* Addlen is already computed. */;
} else if (vectors > 1 &&
- iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
- addLen = limit - myIov.iov_len;
+ iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
+ addLen = limit - myIov.iov_len;
} else
addLen = 0;
if (!addLen) {
- SEND( myIov.iov_base, myIov.iov_len );
+ SEND(myIov.iov_base, myIov.iov_len);
myIov.iov_len = 0;
continue;
}
@@ -2960,25 +3253,24 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
GET_VECTOR;
PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
myIov.iov_base += addLen;
- myIov.iov_len -= addLen;
- bufLen += addLen;
-
- left = PR_MIN( limit, K16 - bufLen);
- if (!vectors /* no more left */
- || myIov.iov_len > 0 /* we didn't use that one all up */
- || bufLen >= K16 /* it's full. */
- ) {
+ myIov.iov_len -= addLen;
+ bufLen += addLen;
+
+ left = PR_MIN(limit, K16 - bufLen);
+ if (!vectors /* no more left */
+ || myIov.iov_len > 0 /* we didn't use that one all up */
+ || bufLen >= K16 /* it's full. */) {
addLen = 0;
} else if ((addLen = iov->iov_len % K16) <= left) {
/* Addlen is already computed. */;
} else if (vectors > 1 &&
- iov[1].iov_len % K16 + addLen <= left + limit) {
- addLen = left;
+ iov[1].iov_len % K16 + addLen <= left + limit) {
+ addLen = left;
} else
addLen = 0;
} while (addLen);
- SEND( buf, bufLen );
+ SEND(buf, bufLen);
}
return sent;
}
@@ -3015,14 +3307,16 @@ ssl_FSync(PRFileDesc *fd)
}
static PRInt32 PR_CALLBACK
-ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
+ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how)
+{
PORT_Assert(0);
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
return SECFailure;
}
static PRInt64 PR_CALLBACK
-ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
+ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how)
+{
PRInt64 res;
PORT_Assert(0);
@@ -3067,85 +3361,83 @@ ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
static const PRIOMethods ssl_methods = {
PR_DESC_LAYERED,
- ssl_Close, /* close */
- ssl_Read, /* read */
- ssl_Write, /* write */
- ssl_Available, /* available */
- ssl_Available64, /* available64 */
- ssl_FSync, /* fsync */
- ssl_Seek, /* seek */
- ssl_Seek64, /* seek64 */
- ssl_FileInfo, /* fileInfo */
- ssl_FileInfo64, /* fileInfo64 */
- ssl_WriteV, /* writev */
- ssl_Connect, /* connect */
- ssl_Accept, /* accept */
- ssl_Bind, /* bind */
- ssl_Listen, /* listen */
- ssl_Shutdown, /* shutdown */
- ssl_Recv, /* recv */
- ssl_Send, /* send */
- ssl_RecvFrom, /* recvfrom */
- ssl_SendTo, /* sendto */
- ssl_Poll, /* poll */
- PR_EmulateAcceptRead, /* acceptread */
- ssl_TransmitFile, /* transmitfile */
- ssl_GetSockName, /* getsockname */
- ssl_GetPeerName, /* getpeername */
- NULL, /* getsockopt OBSOLETE */
- NULL, /* setsockopt OBSOLETE */
- NULL, /* getsocketoption */
- NULL, /* setsocketoption */
- PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/
- NULL, /* reserved for future use */
- NULL, /* reserved for future use */
- NULL, /* reserved for future use */
- NULL, /* reserved for future use */
- NULL /* reserved for future use */
+ ssl_Close, /* close */
+ ssl_Read, /* read */
+ ssl_Write, /* write */
+ ssl_Available, /* available */
+ ssl_Available64, /* available64 */
+ ssl_FSync, /* fsync */
+ ssl_Seek, /* seek */
+ ssl_Seek64, /* seek64 */
+ ssl_FileInfo, /* fileInfo */
+ ssl_FileInfo64, /* fileInfo64 */
+ ssl_WriteV, /* writev */
+ ssl_Connect, /* connect */
+ ssl_Accept, /* accept */
+ ssl_Bind, /* bind */
+ ssl_Listen, /* listen */
+ ssl_Shutdown, /* shutdown */
+ ssl_Recv, /* recv */
+ ssl_Send, /* send */
+ ssl_RecvFrom, /* recvfrom */
+ ssl_SendTo, /* sendto */
+ ssl_Poll, /* poll */
+ PR_EmulateAcceptRead, /* acceptread */
+ ssl_TransmitFile, /* transmitfile */
+ ssl_GetSockName, /* getsockname */
+ ssl_GetPeerName, /* getpeername */
+ NULL, /* getsockopt OBSOLETE */
+ NULL, /* setsockopt OBSOLETE */
+ NULL, /* getsocketoption */
+ NULL, /* setsocketoption */
+ PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/
+ NULL, /* reserved for future use */
+ NULL, /* reserved for future use */
+ NULL, /* reserved for future use */
+ NULL, /* reserved for future use */
+ NULL /* reserved for future use */
};
-
static PRIOMethods combined_methods;
static void
ssl_SetupIOMethods(void)
{
- PRIOMethods *new_methods = &combined_methods;
+ PRIOMethods *new_methods = &combined_methods;
const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods();
- const PRIOMethods *my_methods = &ssl_methods;
+ const PRIOMethods *my_methods = &ssl_methods;
*new_methods = *nspr_methods;
- new_methods->file_type = my_methods->file_type;
- new_methods->close = my_methods->close;
- new_methods->read = my_methods->read;
- new_methods->write = my_methods->write;
- new_methods->available = my_methods->available;
- new_methods->available64 = my_methods->available64;
- new_methods->fsync = my_methods->fsync;
- new_methods->seek = my_methods->seek;
- new_methods->seek64 = my_methods->seek64;
- new_methods->fileInfo = my_methods->fileInfo;
- new_methods->fileInfo64 = my_methods->fileInfo64;
- new_methods->writev = my_methods->writev;
- new_methods->connect = my_methods->connect;
- new_methods->accept = my_methods->accept;
- new_methods->bind = my_methods->bind;
- new_methods->listen = my_methods->listen;
- new_methods->shutdown = my_methods->shutdown;
- new_methods->recv = my_methods->recv;
- new_methods->send = my_methods->send;
- new_methods->recvfrom = my_methods->recvfrom;
- new_methods->sendto = my_methods->sendto;
- new_methods->poll = my_methods->poll;
- new_methods->acceptread = my_methods->acceptread;
- new_methods->transmitfile = my_methods->transmitfile;
- new_methods->getsockname = my_methods->getsockname;
- new_methods->getpeername = my_methods->getpeername;
-/* new_methods->getsocketoption = my_methods->getsocketoption; */
-/* new_methods->setsocketoption = my_methods->setsocketoption; */
- new_methods->sendfile = my_methods->sendfile;
-
+ new_methods->file_type = my_methods->file_type;
+ new_methods->close = my_methods->close;
+ new_methods->read = my_methods->read;
+ new_methods->write = my_methods->write;
+ new_methods->available = my_methods->available;
+ new_methods->available64 = my_methods->available64;
+ new_methods->fsync = my_methods->fsync;
+ new_methods->seek = my_methods->seek;
+ new_methods->seek64 = my_methods->seek64;
+ new_methods->fileInfo = my_methods->fileInfo;
+ new_methods->fileInfo64 = my_methods->fileInfo64;
+ new_methods->writev = my_methods->writev;
+ new_methods->connect = my_methods->connect;
+ new_methods->accept = my_methods->accept;
+ new_methods->bind = my_methods->bind;
+ new_methods->listen = my_methods->listen;
+ new_methods->shutdown = my_methods->shutdown;
+ new_methods->recv = my_methods->recv;
+ new_methods->send = my_methods->send;
+ new_methods->recvfrom = my_methods->recvfrom;
+ new_methods->sendto = my_methods->sendto;
+ new_methods->poll = my_methods->poll;
+ new_methods->acceptread = my_methods->acceptread;
+ new_methods->transmitfile = my_methods->transmitfile;
+ new_methods->getsockname = my_methods->getsockname;
+ new_methods->getpeername = my_methods->getpeername;
+ /* new_methods->getsocketoption = my_methods->getsocketoption; */
+ /* new_methods->setsocketoption = my_methods->setsocketoption; */
+ new_methods->sendfile = my_methods->sendfile;
}
static PRCallOnceType initIoLayerOnce;
@@ -3162,8 +3454,8 @@ ssl_InitIOLayer(void)
static PRStatus
ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
{
- PRFileDesc *layer = NULL;
- PRStatus status;
+ PRFileDesc *layer = NULL;
+ PRStatus status;
if (!ssl_inited) {
status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
@@ -3211,24 +3503,24 @@ ssl_MakeLocks(sslSocket *ss)
ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
if (!ss->firstHandshakeLock)
goto loser;
- ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL);
+ ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL);
if (!ss->ssl3HandshakeLock)
goto loser;
- ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
+ ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
if (!ss->specLock)
goto loser;
- ss->recvBufLock = PZ_NewMonitor(nssILockSSL);
+ ss->recvBufLock = PZ_NewMonitor(nssILockSSL);
if (!ss->recvBufLock)
goto loser;
- ss->xmitBufLock = PZ_NewMonitor(nssILockSSL);
+ ss->xmitBufLock = PZ_NewMonitor(nssILockSSL);
if (!ss->xmitBufLock)
goto loser;
- ss->writerThread = NULL;
+ ss->writerThread = NULL;
if (ssl_lock_readers) {
- ss->recvLock = PZ_NewLock(nssILockSSL);
+ ss->recvLock = PZ_NewLock(nssILockSSL);
if (!ss->recvLock)
goto loser;
- ss->sendLock = PZ_NewLock(nssILockSSL);
+ ss->sendLock = PZ_NewLock(nssILockSSL);
if (!ss->sendLock)
goto loser;
}
@@ -3242,19 +3534,19 @@ loser:
#define NSS_HAVE_GETENV 1
#endif
-#define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */
+#define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */
static void
ssl_SetDefaultsFromEnvironment(void)
{
-#if defined( NSS_HAVE_GETENV )
+#if defined(NSS_HAVE_GETENV)
static int firsttime = 1;
if (firsttime) {
- char * ev;
+ char *ev;
firsttime = 0;
#ifdef DEBUG
- ev = getenv("SSLDEBUGFILE");
+ ev = PR_GetEnvSecure("SSLDEBUGFILE");
if (ev && ev[0]) {
ssl_trace_iob = fopen(ev, "w");
}
@@ -3262,19 +3554,19 @@ ssl_SetDefaultsFromEnvironment(void)
ssl_trace_iob = stderr;
}
#ifdef TRACE
- ev = getenv("SSLTRACE");
+ ev = PR_GetEnvSecure("SSLTRACE");
if (ev && ev[0]) {
ssl_trace = atoi(ev);
SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
}
#endif /* TRACE */
- ev = getenv("SSLDEBUG");
+ ev = PR_GetEnvSecure("SSLDEBUG");
if (ev && ev[0]) {
ssl_debug = atoi(ev);
SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
}
#endif /* DEBUG */
- ev = getenv("SSLKEYLOGFILE");
+ ev = PR_GetEnvSecure("SSLKEYLOGFILE");
if (ev && ev[0]) {
ssl_keylog_iob = fopen(ev, "a");
if (!ssl_keylog_iob) {
@@ -3288,21 +3580,21 @@ ssl_SetDefaultsFromEnvironment(void)
}
}
#ifndef NO_PKCS11_BYPASS
- ev = getenv("SSLBYPASS");
+ ev = PR_GetEnvSecure("SSLBYPASS");
if (ev && ev[0]) {
ssl_defaults.bypassPKCS11 = (ev[0] == '1');
- SSL_TRACE(("SSL: bypass default set to %d", \
- ssl_defaults.bypassPKCS11));
+ SSL_TRACE(("SSL: bypass default set to %d",
+ ssl_defaults.bypassPKCS11));
}
#endif /* NO_PKCS11_BYPASS */
- ev = getenv("SSLFORCELOCKS");
+ ev = PR_GetEnvSecure("SSLFORCELOCKS");
if (ev && ev[0] == '1') {
ssl_force_locks = PR_TRUE;
ssl_defaults.noLocks = 0;
strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. ");
SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
}
- ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION");
+ ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION");
if (ev) {
if (ev[0] == '1' || LOWER(ev[0]) == 'u')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
@@ -3315,13 +3607,13 @@ ssl_SetDefaultsFromEnvironment(void)
SSL_TRACE(("SSL: enableRenegotiation set to %d",
ssl_defaults.enableRenegotiation));
}
- ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
+ ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
if (ev && ev[0] == '1') {
ssl_defaults.requireSafeNegotiation = PR_TRUE;
SSL_TRACE(("SSL: requireSafeNegotiation set to %d",
- PR_TRUE));
+ PR_TRUE));
}
- ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+ ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV");
if (ev && ev[0] == '0') {
ssl_defaults.cbcRandomIV = PR_FALSE;
SSL_TRACE(("SSL: cbcRandomIV set to 0"));
@@ -3344,7 +3636,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
makeLocks = PR_TRUE;
/* Make a new socket and get it ready */
- ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
+ ss = (sslSocket *)PORT_ZAlloc(sizeof(sslSocket));
if (ss) {
/* This should be of type SSLKEAType, but CC on IRIX
* complains during the for loop.
@@ -3352,58 +3644,55 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
int i;
SECStatus status;
- ss->opt = ssl_defaults;
- ss->opt.useSocks = PR_FALSE;
- ss->opt.noLocks = !makeLocks;
- ss->vrange = *VERSIONS_DEFAULTS(protocolVariant);
- ss->protocolVariant = protocolVariant;
-
- ss->peerID = NULL;
- ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
- ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
- ss->cTimeout = PR_INTERVAL_NO_TIMEOUT;
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0; /* produced lazily */
- ss->preferredCipher = NULL;
- ss->url = NULL;
-
- for (i=kt_null; i < kt_kea_size; i++) {
- sslServerCerts * sc = ss->serverCerts + i;
- sc->serverCert = NULL;
+ ss->opt = ssl_defaults;
+ ss->opt.useSocks = PR_FALSE;
+ ss->opt.noLocks = !makeLocks;
+ ss->vrange = *VERSIONS_DEFAULTS(protocolVariant);
+ ss->protocolVariant = protocolVariant;
+
+ ss->peerID = NULL;
+ ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
+ ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
+ ss->cTimeout = PR_INTERVAL_NO_TIMEOUT;
+ ss->cipherSpecs = NULL;
+ ss->sizeCipherSpecs = 0; /* produced lazily */
+ ss->preferredCipher = NULL;
+ ss->url = NULL;
+
+ for (i = kt_null; i < kt_kea_size; i++) {
+ sslServerCerts *sc = ss->serverCerts + i;
+ sc->serverCert = NULL;
sc->serverCertChain = NULL;
- sc->serverKeyPair = NULL;
- sc->serverKeyBits = 0;
+ sc->serverKeyPair = NULL;
+ sc->serverKeyBits = 0;
ss->certStatusArray[i] = NULL;
}
ss->requestedCertTypes = NULL;
- ss->stepDownKeyPair = NULL;
+ ss->stepDownKeyPair = NULL;
ss->dheParams = NULL;
ss->dheKeyPair = NULL;
- ss->dbHandle = CERT_GetDefaultCertDB();
+ ss->dbHandle = CERT_GetDefaultCertDB();
/* Provide default implementation of hooks */
- ss->authCertificate = SSL_AuthCertificate;
+ ss->authCertificate = SSL_AuthCertificate;
ss->authCertificateArg = (void *)ss->dbHandle;
- ss->sniSocketConfig = NULL;
+ ss->sniSocketConfig = NULL;
ss->sniSocketConfigArg = NULL;
- ss->getClientAuthData = NULL;
-#ifdef NSS_PLATFORM_CLIENT_AUTH
- ss->getPlatformClientAuthData = NULL;
- ss->getPlatformClientAuthDataArg = NULL;
-#endif /* NSS_PLATFORM_CLIENT_AUTH */
- ss->handleBadCert = NULL;
- ss->badCertArg = NULL;
- ss->pkcs11PinArg = NULL;
+ ss->getClientAuthData = NULL;
+ ss->handleBadCert = NULL;
+ ss->badCertArg = NULL;
+ ss->pkcs11PinArg = NULL;
ss->ephemeralECDHKeyPair = NULL;
- ss->getChannelID = NULL;
- ss->getChannelIDArg = NULL;
+ ss->getChannelID = NULL;
+ ss->getChannelIDArg = NULL;
ssl_ChooseOps(ss);
ssl2_InitSocketPolicy(ss);
ssl3_InitSocketPolicy(ss);
PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
+ PR_INIT_CLIST(&ss->ssl3.hs.remoteKeyShares);
if (makeLocks) {
status = ssl_MakeLocks(ss);
@@ -3415,7 +3704,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
goto loser;
status = ssl_InitGather(&ss->gs);
if (status != SECSuccess) {
-loser:
+ loser:
ssl_DestroySocketContents(ss);
ssl_DestroyLocks(ss);
PORT_Free(ss);
« net/third_party/nss/ssl/ssl3con.c ('K') | « net/third_party/nss/ssl/sslsnce.c ('k') | net/third_party/nss/ssl/sslt.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698