Index: net/third_party/nss/ssl/sslsock.c |
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c |
index 0a8fbf0fdcd600761a6785024d602527ecd4a117..e82c91693412a9037c3920042bea4f201b0a33c3 100644 |
--- a/net/third_party/nss/ssl/sslsock.c |
+++ b/net/third_party/nss/ssl/sslsock.c |
@@ -17,46 +17,39 @@ |
#ifndef NO_PKCS11_BYPASS |
#include "blapi.h" |
#endif |
-#include "pk11pub.h" |
#include "nss.h" |
#include "pk11pqg.h" |
-/* This is a bodge to allow this code to be compiled against older NSS headers |
- * that don't contain the TLS 1.2 changes. */ |
-#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
-#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
-#endif |
- |
-#define SET_ERROR_CODE /* reminder */ |
- |
-static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
- ssl_DefConnect, |
- NULL, |
- ssl_DefBind, |
- ssl_DefListen, |
- ssl_DefShutdown, |
- ssl_DefClose, |
- ssl_DefRecv, |
- ssl_DefSend, |
- ssl_DefRead, |
- ssl_DefWrite, |
- ssl_DefGetpeername, |
- ssl_DefGetsockname |
+#define SET_ERROR_CODE /* reminder */ |
+ |
+static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
+ ssl_DefConnect, |
+ NULL, |
+ ssl_DefBind, |
+ ssl_DefListen, |
+ ssl_DefShutdown, |
+ ssl_DefClose, |
+ ssl_DefRecv, |
+ ssl_DefSend, |
+ ssl_DefRead, |
+ ssl_DefWrite, |
+ ssl_DefGetpeername, |
+ ssl_DefGetsockname |
}; |
-static const sslSocketOps ssl_secure_ops = { /* SSL. */ |
- ssl_SecureConnect, |
- NULL, |
- ssl_DefBind, |
- ssl_DefListen, |
- ssl_SecureShutdown, |
- ssl_SecureClose, |
- ssl_SecureRecv, |
- ssl_SecureSend, |
- ssl_SecureRead, |
- ssl_SecureWrite, |
- ssl_DefGetpeername, |
- ssl_DefGetsockname |
+static const sslSocketOps ssl_secure_ops = { /* SSL. */ |
+ ssl_SecureConnect, |
+ NULL, |
+ ssl_DefBind, |
+ ssl_DefListen, |
+ ssl_SecureShutdown, |
+ ssl_SecureClose, |
+ ssl_SecureRecv, |
+ ssl_SecureSend, |
+ ssl_SecureRead, |
+ ssl_SecureWrite, |
+ ssl_DefGetpeername, |
+ ssl_DefGetsockname |
}; |
/* |
@@ -64,36 +57,38 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */ |
*/ |
static sslOptions ssl_defaults = { |
{ siBuffer, NULL, 0 }, /* nextProtoNego */ |
- PR_TRUE, /* useSecurity */ |
- PR_FALSE, /* useSocks */ |
- PR_FALSE, /* requestCertificate */ |
- 2, /* requireCertificate */ |
- PR_FALSE, /* handshakeAsClient */ |
- PR_FALSE, /* handshakeAsServer */ |
- PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ |
- PR_FALSE, /* unusedBit9 */ |
- PR_FALSE, /* unusedBit10 */ |
- PR_FALSE, /* noCache */ |
- PR_FALSE, /* fdx */ |
- PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ |
- PR_TRUE, /* detectRollBack */ |
- PR_FALSE, /* noStepDown */ |
- PR_FALSE, /* bypassPKCS11 */ |
- PR_FALSE, /* noLocks */ |
- PR_FALSE, /* enableSessionTickets */ |
- PR_FALSE, /* enableDeflate */ |
- 2, /* enableRenegotiation (default: requires extension) */ |
- PR_FALSE, /* requireSafeNegotiation */ |
- PR_FALSE, /* enableFalseStart */ |
- PR_TRUE, /* cbcRandomIV */ |
- PR_FALSE, /* enableOCSPStapling */ |
- PR_TRUE, /* enableNPN */ |
- PR_FALSE, /* enableALPN */ |
- PR_TRUE, /* reuseServerECDHEKey */ |
- PR_FALSE, /* enableFallbackSCSV */ |
- PR_TRUE, /* enableServerDhe */ |
- PR_FALSE, /* enableExtendedMS */ |
- PR_FALSE, /* enableSignedCertTimestamps */ |
+ PR_TRUE, /* useSecurity */ |
+ PR_FALSE, /* useSocks */ |
+ PR_FALSE, /* requestCertificate */ |
+ 2, /* requireCertificate */ |
+ PR_FALSE, /* handshakeAsClient */ |
+ PR_FALSE, /* handshakeAsServer */ |
+ PR_FALSE, |
+ /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ |
+ PR_FALSE, /* unusedBit9 */ |
+ PR_FALSE, /* unusedBit10 */ |
+ PR_FALSE, /* noCache */ |
+ PR_FALSE, /* fdx */ |
+ PR_FALSE, |
+ /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ |
+ PR_TRUE, /* detectRollBack */ |
+ PR_FALSE, /* noStepDown */ |
+ PR_FALSE, /* bypassPKCS11 */ |
+ PR_FALSE, /* noLocks */ |
+ PR_FALSE, /* enableSessionTickets */ |
+ PR_FALSE, /* enableDeflate */ |
+ 2, /* enableRenegotiation (default: requires extension) */ |
+ PR_FALSE, /* requireSafeNegotiation */ |
+ PR_FALSE, /* enableFalseStart */ |
+ PR_TRUE, /* cbcRandomIV */ |
+ PR_FALSE, /* enableOCSPStapling */ |
+ PR_TRUE, /* enableNPN */ |
+ PR_FALSE, /* enableALPN */ |
+ PR_TRUE, /* reuseServerECDHEKey */ |
+ PR_FALSE, /* enableFallbackSCSV */ |
+ PR_TRUE, /* enableServerDhe */ |
+ PR_FALSE, /* enableExtendedMS */ |
+ PR_FALSE, /* enableSignedCertTimestamps */ |
}; |
/* |
@@ -109,24 +104,30 @@ static SSLVersionRange versions_defaults_datagram = { |
SSL_LIBRARY_VERSION_TLS_1_2 |
}; |
-#define VERSIONS_DEFAULTS(variant) \ |
+#define VERSIONS_DEFAULTS(variant) \ |
(variant == ssl_variant_stream ? &versions_defaults_stream : \ |
- &versions_defaults_datagram) |
- |
-sslSessionIDLookupFunc ssl_sid_lookup; |
-sslSessionIDCacheFunc ssl_sid_cache; |
+ &versions_defaults_datagram) |
+#define VERSIONS_POLICY_MIN(variant) \ |
+ (variant == ssl_variant_stream ? NSS_TLS_VERSION_MIN_POLICY : \ |
+ NSS_DTLS_VERSION_MIN_POLICY) |
+#define VERSIONS_POLICY_MAX(variant) \ |
+ (variant == ssl_variant_stream ? NSS_TLS_VERSION_MAX_POLICY : \ |
+ NSS_DTLS_VERSION_MAX_POLICY) |
+ |
+sslSessionIDLookupFunc ssl_sid_lookup; |
+sslSessionIDCacheFunc ssl_sid_cache; |
sslSessionIDUncacheFunc ssl_sid_uncache; |
static PRBool ssl_inited = PR_FALSE; |
static PRDescIdentity ssl_layer_id; |
-PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
-PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
-int ssl_lock_readers = 1; /* default true. */ |
-char ssl_debug; |
-char ssl_trace; |
-FILE * ssl_trace_iob; |
-FILE * ssl_keylog_iob; |
+PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
+PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
+int ssl_lock_readers = 1; /* default true. */ |
+char ssl_debug; |
+char ssl_trace; |
+FILE *ssl_trace_iob; |
+FILE *ssl_keylog_iob; |
char lockStatus[] = "Locks are ENABLED. "; |
#define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ |
@@ -139,10 +140,10 @@ static const PRUint16 srtpCiphers[] = { |
/* forward declarations. */ |
static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); |
-static SECStatus ssl_MakeLocks(sslSocket *ss); |
-static void ssl_SetDefaultsFromEnvironment(void); |
-static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, |
- PRDescIdentity id); |
+static SECStatus ssl_MakeLocks(sslSocket *ss); |
+static void ssl_SetDefaultsFromEnvironment(void); |
+static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, |
+ PRDescIdentity id); |
/************************************************************************/ |
@@ -214,31 +215,32 @@ ssl_DupSocket(sslSocket *os) |
ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); |
if (ss) { |
- ss->opt = os->opt; |
- ss->opt.useSocks = PR_FALSE; |
- ss->vrange = os->vrange; |
+ ss->opt = os->opt; |
+ ss->opt.useSocks = PR_FALSE; |
+ ss->vrange = os->vrange; |
- ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
- ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
+ ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
+ ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
- ss->ops = os->ops; |
+ ss->ops = os->ops; |
ss->rTimeout = os->rTimeout; |
ss->wTimeout = os->wTimeout; |
ss->cTimeout = os->cTimeout; |
ss->dbHandle = os->dbHandle; |
/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
- ss->allowedByPolicy = os->allowedByPolicy; |
- ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; |
- ss->chosenPreference = os->chosenPreference; |
+ ss->allowedByPolicy = os->allowedByPolicy; |
+ ss->maybeAllowedByPolicy = os->maybeAllowedByPolicy; |
+ ss->chosenPreference = os->chosenPreference; |
PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites); |
PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, |
sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); |
ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; |
PORT_Memcpy(ss->ssl3.signatureAlgorithms, os->ssl3.signatureAlgorithms, |
sizeof(ss->ssl3.signatureAlgorithms[0]) * |
- os->ssl3.signatureAlgorithmCount); |
+ os->ssl3.signatureAlgorithmCount); |
ss->ssl3.signatureAlgorithmCount = os->ssl3.signatureAlgorithmCount; |
+ ss->ssl3.downgradeCheckVersion = os->ssl3.downgradeCheckVersion; |
ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; |
ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups; |
@@ -255,74 +257,66 @@ ssl_DupSocket(sslSocket *os) |
} |
if (os->cipherSpecs) { |
- ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); |
+ ss->cipherSpecs = (unsigned char *)PORT_Alloc(os->sizeCipherSpecs); |
if (ss->cipherSpecs) |
PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, |
os->sizeCipherSpecs); |
- ss->sizeCipherSpecs = os->sizeCipherSpecs; |
- ss->preferredCipher = os->preferredCipher; |
+ ss->sizeCipherSpecs = os->sizeCipherSpecs; |
+ ss->preferredCipher = os->preferredCipher; |
} else { |
- ss->cipherSpecs = NULL; /* produced lazily */ |
- ss->sizeCipherSpecs = 0; |
- ss->preferredCipher = NULL; |
+ ss->cipherSpecs = NULL; /* produced lazily */ |
+ ss->sizeCipherSpecs = 0; |
+ ss->preferredCipher = NULL; |
} |
if (ss->opt.useSecurity) { |
/* This int should be SSLKEAType, but CC on Irix complains, |
* during the for loop. |
*/ |
int i; |
- sslServerCerts * oc = os->serverCerts; |
- sslServerCerts * sc = ss->serverCerts; |
+ sslServerCerts *oc = os->serverCerts; |
+ sslServerCerts *sc = ss->serverCerts; |
- for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) { |
+ for (i = kt_null; i < kt_kea_size; i++, oc++, sc++) { |
if (oc->serverCert && oc->serverCertChain) { |
- sc->serverCert = CERT_DupCertificate(oc->serverCert); |
+ sc->serverCert = CERT_DupCertificate(oc->serverCert); |
sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); |
if (!sc->serverCertChain) |
goto loser; |
} else { |
- sc->serverCert = NULL; |
+ sc->serverCert = NULL; |
sc->serverCertChain = NULL; |
} |
- sc->serverKeyPair = oc->serverKeyPair ? |
- ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL; |
+ sc->serverKeyPair = oc->serverKeyPair ? ssl3_GetKeyPairRef(oc->serverKeyPair) |
+ : NULL; |
if (oc->serverKeyPair && !sc->serverKeyPair) |
goto loser; |
sc->serverKeyBits = oc->serverKeyBits; |
- ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : |
- SECITEM_DupArray(NULL, os->certStatusArray[i]); |
+ ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL : SECITEM_DupArray(NULL, os->certStatusArray[i]); |
} |
- ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : |
- ssl3_GetKeyPairRef(os->stepDownKeyPair); |
- ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : |
- ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); |
- ss->dheKeyPair = !os->dheKeyPair ? NULL : |
- ssl3_GetKeyPairRef(os->dheKeyPair); |
+ ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : ssl3_GetKeyPairRef(os->stepDownKeyPair); |
+ ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); |
+ ss->dheKeyPair = !os->dheKeyPair ? NULL : ssl3_GetKeyPairRef(os->dheKeyPair); |
ss->dheParams = os->dheParams; |
-/* |
- * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. |
- * XXX We should detect this, and not just march on with NULL pointers. |
- */ |
- ss->authCertificate = os->authCertificate; |
- ss->authCertificateArg = os->authCertificateArg; |
- ss->getClientAuthData = os->getClientAuthData; |
- ss->getClientAuthDataArg = os->getClientAuthDataArg; |
-#ifdef NSS_PLATFORM_CLIENT_AUTH |
- ss->getPlatformClientAuthData = os->getPlatformClientAuthData; |
- ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg; |
-#endif |
- ss->sniSocketConfig = os->sniSocketConfig; |
- ss->sniSocketConfigArg = os->sniSocketConfigArg; |
- ss->handleBadCert = os->handleBadCert; |
- ss->badCertArg = os->badCertArg; |
- ss->handshakeCallback = os->handshakeCallback; |
+ /* |
+ * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. |
+ * XXX We should detect this, and not just march on with NULL pointers. |
+ */ |
+ ss->authCertificate = os->authCertificate; |
+ ss->authCertificateArg = os->authCertificateArg; |
+ ss->getClientAuthData = os->getClientAuthData; |
+ ss->getClientAuthDataArg = os->getClientAuthDataArg; |
+ ss->sniSocketConfig = os->sniSocketConfig; |
+ ss->sniSocketConfigArg = os->sniSocketConfigArg; |
+ ss->handleBadCert = os->handleBadCert; |
+ ss->badCertArg = os->badCertArg; |
+ ss->handshakeCallback = os->handshakeCallback; |
ss->handshakeCallbackData = os->handshakeCallbackData; |
ss->canFalseStartCallback = os->canFalseStartCallback; |
ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
- ss->pkcs11PinArg = os->pkcs11PinArg; |
- ss->getChannelID = os->getChannelID; |
- ss->getChannelIDArg = os->getChannelIDArg; |
+ ss->pkcs11PinArg = os->pkcs11PinArg; |
+ ss->getChannelID = os->getChannelID; |
+ ss->getChannelIDArg = os->getChannelIDArg; |
/* Create security data */ |
rv = ssl_CopySecurityInfo(ss, os); |
@@ -380,7 +374,7 @@ ssl_DestroySocketContents(sslSocket *ss) |
/* "i" should be of type SSLKEAType, but CC on IRIX complains during |
* the for loop. |
*/ |
- int i; |
+ int i; |
/* Free up socket */ |
ssl_DestroySecurityInfo(&ss->sec); |
@@ -394,16 +388,16 @@ ssl_DestroySocketContents(sslSocket *ss) |
if (ss->peerID != NULL) |
PORT_Free(ss->peerID); |
if (ss->url != NULL) |
- PORT_Free((void *)ss->url); /* CONST */ |
+ PORT_Free((void *)ss->url); /* CONST */ |
if (ss->cipherSpecs) { |
PORT_Free(ss->cipherSpecs); |
- ss->cipherSpecs = NULL; |
+ ss->cipherSpecs = NULL; |
ss->sizeCipherSpecs = 0; |
} |
/* Clean up server configuration */ |
- for (i=kt_null; i < kt_kea_size; i++) { |
- sslServerCerts * sc = ss->serverCerts + i; |
+ for (i = kt_null; i < kt_kea_size; i++) { |
+ sslServerCerts *sc = ss->serverCerts + i; |
if (sc->serverCert != NULL) |
CERT_DestroyCertificate(sc->serverCert); |
if (sc->serverCertChain != NULL) |
@@ -414,6 +408,9 @@ ssl_DestroySocketContents(sslSocket *ss) |
SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE); |
ss->certStatusArray[i] = NULL; |
} |
+ if (ss->signedCertTimestamps[i].data) { |
+ SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE); |
+ } |
} |
if (ss->stepDownKeyPair) { |
ssl3_FreeKeyPair(ss->stepDownKeyPair); |
@@ -440,11 +437,11 @@ ssl_DestroySocketContents(sslSocket *ss) |
void |
ssl_FreeSocket(sslSocket *ss) |
{ |
-/* Get every lock you can imagine! |
-** Caller already holds these: |
-** SSL_LOCK_READER(ss); |
-** SSL_LOCK_WRITER(ss); |
-*/ |
+ /* Get every lock you can imagine! |
+ ** Caller already holds these: |
+ ** SSL_LOCK_READER(ss); |
+ ** SSL_LOCK_WRITER(ss); |
+ */ |
ssl_Get1stHandshakeLock(ss); |
ssl_GetRecvBufLock(ss); |
ssl_GetSSL3HandshakeLock(ss); |
@@ -475,15 +472,15 @@ ssl_FreeSocket(sslSocket *ss) |
SECStatus |
ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) |
{ |
- PRFileDesc * osfd = ss->fd->lower; |
- SECStatus rv = SECFailure; |
+ PRFileDesc *osfd = ss->fd->lower; |
+ SECStatus rv = SECFailure; |
PRSocketOptionData opt; |
- opt.option = PR_SockOpt_NoDelay; |
+ opt.option = PR_SockOpt_NoDelay; |
opt.value.no_delay = (PRBool)!enabled; |
if (osfd->methods->setsocketoption) { |
- rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt); |
+ rv = (SECStatus)osfd->methods->setsocketoption(osfd, &opt); |
} else { |
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
} |
@@ -501,7 +498,7 @@ ssl_ChooseOps(sslSocket *ss) |
static SECStatus |
PrepareSocket(sslSocket *ss) |
{ |
- SECStatus rv = SECSuccess; |
+ SECStatus rv = SECSuccess; |
ssl_ChooseOps(ss); |
return rv; |
@@ -517,7 +514,8 @@ SSL_Enable(PRFileDesc *fd, int which, PRBool on) |
static const PRCallOnceType pristineCallOnce; |
static PRCallOnceType setupBypassOnce; |
-static SECStatus SSL_BypassShutdown(void* appData, void* nssData) |
+static SECStatus |
+SSL_BypassShutdown(void *appData, void *nssData) |
{ |
/* unload freeBL shared library from memory */ |
BL_Unload(); |
@@ -525,7 +523,8 @@ static SECStatus SSL_BypassShutdown(void* appData, void* nssData) |
return SECSuccess; |
} |
-static PRStatus SSL_BypassRegisterShutdown(void) |
+static PRStatus |
+SSL_BypassRegisterShutdown(void) |
{ |
SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); |
PORT_Assert(SECSuccess == rv); |
@@ -533,7 +532,8 @@ static PRStatus SSL_BypassRegisterShutdown(void) |
} |
#endif |
-static PRStatus SSL_BypassSetup(void) |
+static PRStatus |
+SSL_BypassSetup(void) |
{ |
#ifdef NO_PKCS11_BYPASS |
/* Guarantee binary compatibility */ |
@@ -543,12 +543,22 @@ static PRStatus SSL_BypassSetup(void) |
#endif |
} |
+static PRBool ssl_VersionIsSupportedByPolicy( |
+ SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version); |
+ |
/* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in |
* ssl.h in the section "SSL version range setting API". |
*/ |
static void |
ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) |
{ |
+ if (on) { |
+ /* don't turn it on if tls1.0 disallowed by by policy */ |
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
+ SSL_LIBRARY_VERSION_TLS_1_0)) { |
+ return; |
+ } |
+ } |
if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
if (on) { |
vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; |
@@ -579,7 +589,14 @@ ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) |
static void |
ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) |
{ |
- if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
+ if (on) { |
+ /* don't turn it on if ssl3 disallowed by by policy */ |
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
+ SSL_LIBRARY_VERSION_3_0)) { |
+ return; |
+ } |
+ } |
+ if (SSL3_ALL_VERSIONS_DISABLED(vrange)) { |
if (on) { |
vrange->min = SSL_LIBRARY_VERSION_3_0; |
vrange->max = SSL_LIBRARY_VERSION_3_0; |
@@ -587,13 +604,13 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) |
return; |
} |
- if (on) { |
+ if (on) { |
/* Expand the range of enabled versions to include SSL 3.0. We know |
* SSL 3.0 or some version of TLS is already enabled at this point, so |
* we don't need to change vrange->max. |
*/ |
vrange->min = SSL_LIBRARY_VERSION_3_0; |
- } else { |
+ } else { |
/* Disable SSL 3.0, leaving TLS unaffected. */ |
if (vrange->max > SSL_LIBRARY_VERSION_3_0) { |
vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); |
@@ -609,8 +626,8 @@ SECStatus |
SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
{ |
sslSocket *ss = ssl_FindSocket(fd); |
- SECStatus rv = SECSuccess; |
- PRBool holdingLocks; |
+ SECStatus rv = SECSuccess; |
+ PRBool holdingLocks; |
if (!ss) { |
SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
@@ -622,235 +639,242 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
ssl_GetSSL3HandshakeLock(ss); |
switch (which) { |
- case SSL_SOCKS: |
- ss->opt.useSocks = PR_FALSE; |
- rv = PrepareSocket(ss); |
- if (on) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
- } |
- break; |
- |
- case SSL_SECURITY: |
- ss->opt.useSecurity = on; |
- rv = PrepareSocket(ss); |
- break; |
- |
- case SSL_REQUEST_CERTIFICATE: |
- ss->opt.requestCertificate = on; |
- break; |
+ case SSL_SOCKS: |
+ ss->opt.useSocks = PR_FALSE; |
+ rv = PrepareSocket(ss); |
+ if (on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
+ } |
+ break; |
- case SSL_REQUIRE_CERTIFICATE: |
- ss->opt.requireCertificate = on; |
- break; |
+ case SSL_SECURITY: |
+ ss->opt.useSecurity = on; |
+ rv = PrepareSocket(ss); |
+ break; |
- case SSL_HANDSHAKE_AS_CLIENT: |
- if ( ss->opt.handshakeAsServer && on ) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
+ case SSL_REQUEST_CERTIFICATE: |
+ ss->opt.requestCertificate = on; |
break; |
- } |
- ss->opt.handshakeAsClient = on; |
- break; |
- case SSL_HANDSHAKE_AS_SERVER: |
- if ( ss->opt.handshakeAsClient && on ) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
+ case SSL_REQUIRE_CERTIFICATE: |
+ ss->opt.requireCertificate = on; |
break; |
- } |
- ss->opt.handshakeAsServer = on; |
- break; |
- case SSL_ENABLE_TLS: |
- if (IS_DTLS(ss)) { |
- if (on) { |
+ case SSL_HANDSHAKE_AS_CLIENT: |
+ if (ss->opt.handshakeAsServer && on) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; /* not allowed */ |
+ rv = SECFailure; |
+ break; |
} |
+ ss->opt.handshakeAsClient = on; |
break; |
- } |
- ssl_EnableTLS(&ss->vrange, on); |
- ss->preferredCipher = NULL; |
- if (ss->cipherSpecs) { |
- PORT_Free(ss->cipherSpecs); |
- ss->cipherSpecs = NULL; |
- ss->sizeCipherSpecs = 0; |
- } |
- break; |
- case SSL_ENABLE_SSL3: |
- if (IS_DTLS(ss)) { |
- if (on) { |
+ case SSL_HANDSHAKE_AS_SERVER: |
+ if (ss->opt.handshakeAsClient && on) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; /* not allowed */ |
+ rv = SECFailure; |
+ break; |
} |
+ ss->opt.handshakeAsServer = on; |
break; |
- } |
- ssl_EnableSSL3(&ss->vrange, on); |
- ss->preferredCipher = NULL; |
- if (ss->cipherSpecs) { |
- PORT_Free(ss->cipherSpecs); |
- ss->cipherSpecs = NULL; |
- ss->sizeCipherSpecs = 0; |
- } |
- break; |
- case SSL_ENABLE_SSL2: |
- if (IS_DTLS(ss)) { |
- if (on) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; /* not allowed */ |
+ case SSL_ENABLE_TLS: |
+ if (IS_DTLS(ss)) { |
+ if (on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; /* not allowed */ |
+ } |
+ break; |
+ } |
+ ssl_EnableTLS(&ss->vrange, on); |
+ ss->preferredCipher = NULL; |
+ if (ss->cipherSpecs) { |
+ PORT_Free(ss->cipherSpecs); |
+ ss->cipherSpecs = NULL; |
+ ss->sizeCipherSpecs = 0; |
} |
break; |
- } |
- ss->opt.enableSSL2 = on; |
- if (on) { |
- ss->opt.v2CompatibleHello = on; |
- } |
- ss->preferredCipher = NULL; |
- if (ss->cipherSpecs) { |
- PORT_Free(ss->cipherSpecs); |
- ss->cipherSpecs = NULL; |
- ss->sizeCipherSpecs = 0; |
- } |
- break; |
- |
- case SSL_NO_CACHE: |
- ss->opt.noCache = on; |
- break; |
- case SSL_ENABLE_FDX: |
- if (on && ss->opt.noLocks) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
- } |
- ss->opt.fdx = on; |
- break; |
+ case SSL_ENABLE_SSL3: |
+ if (IS_DTLS(ss)) { |
+ if (on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; /* not allowed */ |
+ } |
+ break; |
+ } |
+ ssl_EnableSSL3(&ss->vrange, on); |
+ ss->preferredCipher = NULL; |
+ if (ss->cipherSpecs) { |
+ PORT_Free(ss->cipherSpecs); |
+ ss->cipherSpecs = NULL; |
+ ss->sizeCipherSpecs = 0; |
+ } |
+ break; |
- case SSL_V2_COMPATIBLE_HELLO: |
- if (IS_DTLS(ss)) { |
+ case SSL_ENABLE_SSL2: |
+ if (IS_DTLS(ss)) { |
+ if (on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; /* not allowed */ |
+ } |
+ break; |
+ } |
if (on) { |
+ /* don't turn it on if ssl2 disallowed by by policy */ |
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
+ SSL_LIBRARY_VERSION_2)) { |
+ break; |
+ } |
+ } |
+ ss->opt.enableSSL2 = on; |
+ if (on) { |
+ ss->opt.v2CompatibleHello = on; |
+ } |
+ ss->preferredCipher = NULL; |
+ if (ss->cipherSpecs) { |
+ PORT_Free(ss->cipherSpecs); |
+ ss->cipherSpecs = NULL; |
+ ss->sizeCipherSpecs = 0; |
+ } |
+ break; |
+ |
+ case SSL_NO_CACHE: |
+ ss->opt.noCache = on; |
+ break; |
+ |
+ case SSL_ENABLE_FDX: |
+ if (on && ss->opt.noLocks) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; /* not allowed */ |
+ rv = SECFailure; |
} |
+ ss->opt.fdx = on; |
break; |
- } |
- ss->opt.v2CompatibleHello = on; |
- if (!on) { |
- ss->opt.enableSSL2 = on; |
- } |
- break; |
- case SSL_ROLLBACK_DETECTION: |
- ss->opt.detectRollBack = on; |
- break; |
+ case SSL_V2_COMPATIBLE_HELLO: |
+ if (IS_DTLS(ss)) { |
+ if (on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; /* not allowed */ |
+ } |
+ break; |
+ } |
+ ss->opt.v2CompatibleHello = on; |
+ if (!on) { |
+ ss->opt.enableSSL2 = on; |
+ } |
+ break; |
- case SSL_NO_STEP_DOWN: |
- ss->opt.noStepDown = on; |
- if (on) |
- SSL_DisableExportCipherSuites(fd); |
- break; |
+ case SSL_ROLLBACK_DETECTION: |
+ ss->opt.detectRollBack = on; |
+ break; |
- case SSL_BYPASS_PKCS11: |
- if (ss->handshakeBegun) { |
- PORT_SetError(PR_INVALID_STATE_ERROR); |
- rv = SECFailure; |
- } else { |
- if (PR_FALSE != on) { |
- if (PR_SUCCESS == SSL_BypassSetup() ) { |
+ case SSL_NO_STEP_DOWN: |
+ ss->opt.noStepDown = on; |
+ if (on) |
+ SSL_DisableExportCipherSuites(fd); |
+ break; |
+ |
+ case SSL_BYPASS_PKCS11: |
+ if (ss->handshakeBegun) { |
+ PORT_SetError(PR_INVALID_STATE_ERROR); |
+ rv = SECFailure; |
+ } else { |
+ if (PR_FALSE != on) { |
+ if (PR_SUCCESS == SSL_BypassSetup()) { |
#ifdef NO_PKCS11_BYPASS |
- ss->opt.bypassPKCS11 = PR_FALSE; |
+ ss->opt.bypassPKCS11 = PR_FALSE; |
#else |
- ss->opt.bypassPKCS11 = on; |
+ ss->opt.bypassPKCS11 = on; |
#endif |
+ } else { |
+ rv = SECFailure; |
+ } |
} else { |
- rv = SECFailure; |
+ ss->opt.bypassPKCS11 = PR_FALSE; |
} |
- } else { |
- ss->opt.bypassPKCS11 = PR_FALSE; |
} |
- } |
- break; |
+ break; |
- case SSL_NO_LOCKS: |
- if (on && ss->opt.fdx) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
- } |
- if (on && ssl_force_locks) |
- on = PR_FALSE; /* silent override */ |
- ss->opt.noLocks = on; |
- if (on) { |
- locksEverDisabled = PR_TRUE; |
- strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
- } else if (!holdingLocks) { |
- rv = ssl_MakeLocks(ss); |
- if (rv != SECSuccess) { |
- ss->opt.noLocks = PR_TRUE; |
+ case SSL_NO_LOCKS: |
+ if (on && ss->opt.fdx) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
} |
- } |
- break; |
+ if (on && ssl_force_locks) |
+ on = PR_FALSE; /* silent override */ |
+ ss->opt.noLocks = on; |
+ if (on) { |
+ locksEverDisabled = PR_TRUE; |
+ strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
+ } else if (!holdingLocks) { |
+ rv = ssl_MakeLocks(ss); |
+ if (rv != SECSuccess) { |
+ ss->opt.noLocks = PR_TRUE; |
+ } |
+ } |
+ break; |
- case SSL_ENABLE_SESSION_TICKETS: |
- ss->opt.enableSessionTickets = on; |
- break; |
+ case SSL_ENABLE_SESSION_TICKETS: |
+ ss->opt.enableSessionTickets = on; |
+ break; |
- case SSL_ENABLE_DEFLATE: |
- ss->opt.enableDeflate = on; |
- break; |
+ case SSL_ENABLE_DEFLATE: |
+ ss->opt.enableDeflate = on; |
+ break; |
- case SSL_ENABLE_RENEGOTIATION: |
- ss->opt.enableRenegotiation = on; |
- break; |
+ case SSL_ENABLE_RENEGOTIATION: |
+ ss->opt.enableRenegotiation = on; |
+ break; |
- case SSL_REQUIRE_SAFE_NEGOTIATION: |
- ss->opt.requireSafeNegotiation = on; |
- break; |
+ case SSL_REQUIRE_SAFE_NEGOTIATION: |
+ ss->opt.requireSafeNegotiation = on; |
+ break; |
- case SSL_ENABLE_FALSE_START: |
- ss->opt.enableFalseStart = on; |
- break; |
+ case SSL_ENABLE_FALSE_START: |
+ ss->opt.enableFalseStart = on; |
+ break; |
- case SSL_CBC_RANDOM_IV: |
- ss->opt.cbcRandomIV = on; |
- break; |
+ case SSL_CBC_RANDOM_IV: |
+ ss->opt.cbcRandomIV = on; |
+ break; |
- case SSL_ENABLE_OCSP_STAPLING: |
- ss->opt.enableOCSPStapling = on; |
- break; |
+ case SSL_ENABLE_OCSP_STAPLING: |
+ ss->opt.enableOCSPStapling = on; |
+ break; |
- case SSL_ENABLE_NPN: |
- ss->opt.enableNPN = on; |
- break; |
+ case SSL_ENABLE_NPN: |
+ ss->opt.enableNPN = on; |
+ break; |
- case SSL_ENABLE_ALPN: |
- ss->opt.enableALPN = on; |
- break; |
+ case SSL_ENABLE_ALPN: |
+ ss->opt.enableALPN = on; |
+ break; |
- case SSL_REUSE_SERVER_ECDHE_KEY: |
- ss->opt.reuseServerECDHEKey = on; |
- break; |
+ case SSL_REUSE_SERVER_ECDHE_KEY: |
+ ss->opt.reuseServerECDHEKey = on; |
+ break; |
- case SSL_ENABLE_FALLBACK_SCSV: |
- ss->opt.enableFallbackSCSV = on; |
- break; |
+ case SSL_ENABLE_FALLBACK_SCSV: |
+ ss->opt.enableFallbackSCSV = on; |
+ break; |
- case SSL_ENABLE_SERVER_DHE: |
- ss->opt.enableServerDhe = on; |
- break; |
+ case SSL_ENABLE_SERVER_DHE: |
+ ss->opt.enableServerDhe = on; |
+ break; |
- case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
- ss->opt.enableExtendedMS = on; |
- break; |
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
+ ss->opt.enableExtendedMS = on; |
+ break; |
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
- ss->opt.enableSignedCertTimestamps = on; |
- break; |
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
+ ss->opt.enableSignedCertTimestamps = on; |
+ break; |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
} |
/* We can't use the macros for releasing the locks here, |
@@ -870,8 +894,8 @@ SECStatus |
SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
{ |
sslSocket *ss = ssl_FindSocket(fd); |
- SECStatus rv = SECSuccess; |
- PRBool on = PR_FALSE; |
+ SECStatus rv = SECSuccess; |
+ PRBool on = PR_FALSE; |
if (!pOn) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
@@ -887,52 +911,100 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
ssl_GetSSL3HandshakeLock(ss); |
switch (which) { |
- case SSL_SOCKS: on = PR_FALSE; break; |
- case SSL_SECURITY: on = ss->opt.useSecurity; break; |
- case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; |
- case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; |
- case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; |
- case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; |
- case SSL_ENABLE_TLS: |
- on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
- break; |
- case SSL_ENABLE_SSL3: |
- on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; |
- break; |
- case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; |
- case SSL_NO_CACHE: on = ss->opt.noCache; break; |
- case SSL_ENABLE_FDX: on = ss->opt.fdx; break; |
- case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; |
- case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; |
- case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; |
- case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; |
- case SSL_NO_LOCKS: on = ss->opt.noLocks; break; |
- case SSL_ENABLE_SESSION_TICKETS: |
- on = ss->opt.enableSessionTickets; |
- break; |
- case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; |
- case SSL_ENABLE_RENEGOTIATION: |
- on = ss->opt.enableRenegotiation; break; |
- case SSL_REQUIRE_SAFE_NEGOTIATION: |
- on = ss->opt.requireSafeNegotiation; break; |
- case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
- case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
- case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
- case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break; |
- case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break; |
- case SSL_REUSE_SERVER_ECDHE_KEY: |
- on = ss->opt.reuseServerECDHEKey; break; |
- case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; |
- case SSL_ENABLE_SERVER_DHE: on = ss->opt.enableServerDhe; break; |
- case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
- on = ss->opt.enableExtendedMS; break; |
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
- on = ss->opt.enableSignedCertTimestamps; |
- break; |
- |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
+ case SSL_SOCKS: |
+ on = PR_FALSE; |
+ break; |
+ case SSL_SECURITY: |
+ on = ss->opt.useSecurity; |
+ break; |
+ case SSL_REQUEST_CERTIFICATE: |
+ on = ss->opt.requestCertificate; |
+ break; |
+ case SSL_REQUIRE_CERTIFICATE: |
+ on = ss->opt.requireCertificate; |
+ break; |
+ case SSL_HANDSHAKE_AS_CLIENT: |
+ on = ss->opt.handshakeAsClient; |
+ break; |
+ case SSL_HANDSHAKE_AS_SERVER: |
+ on = ss->opt.handshakeAsServer; |
+ break; |
+ case SSL_ENABLE_TLS: |
+ on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
+ break; |
+ case SSL_ENABLE_SSL3: |
+ on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; |
+ break; |
+ case SSL_ENABLE_SSL2: |
+ on = ss->opt.enableSSL2; |
+ break; |
+ case SSL_NO_CACHE: |
+ on = ss->opt.noCache; |
+ break; |
+ case SSL_ENABLE_FDX: |
+ on = ss->opt.fdx; |
+ break; |
+ case SSL_V2_COMPATIBLE_HELLO: |
+ on = ss->opt.v2CompatibleHello; |
+ break; |
+ case SSL_ROLLBACK_DETECTION: |
+ on = ss->opt.detectRollBack; |
+ break; |
+ case SSL_NO_STEP_DOWN: |
+ on = ss->opt.noStepDown; |
+ break; |
+ case SSL_BYPASS_PKCS11: |
+ on = ss->opt.bypassPKCS11; |
+ break; |
+ case SSL_NO_LOCKS: |
+ on = ss->opt.noLocks; |
+ break; |
+ case SSL_ENABLE_SESSION_TICKETS: |
+ on = ss->opt.enableSessionTickets; |
+ break; |
+ case SSL_ENABLE_DEFLATE: |
+ on = ss->opt.enableDeflate; |
+ break; |
+ case SSL_ENABLE_RENEGOTIATION: |
+ on = ss->opt.enableRenegotiation; |
+ break; |
+ case SSL_REQUIRE_SAFE_NEGOTIATION: |
+ on = ss->opt.requireSafeNegotiation; |
+ break; |
+ case SSL_ENABLE_FALSE_START: |
+ on = ss->opt.enableFalseStart; |
+ break; |
+ case SSL_CBC_RANDOM_IV: |
+ on = ss->opt.cbcRandomIV; |
+ break; |
+ case SSL_ENABLE_OCSP_STAPLING: |
+ on = ss->opt.enableOCSPStapling; |
+ break; |
+ case SSL_ENABLE_NPN: |
+ on = ss->opt.enableNPN; |
+ break; |
+ case SSL_ENABLE_ALPN: |
+ on = ss->opt.enableALPN; |
+ break; |
+ case SSL_REUSE_SERVER_ECDHE_KEY: |
+ on = ss->opt.reuseServerECDHEKey; |
+ break; |
+ case SSL_ENABLE_FALLBACK_SCSV: |
+ on = ss->opt.enableFallbackSCSV; |
+ break; |
+ case SSL_ENABLE_SERVER_DHE: |
+ on = ss->opt.enableServerDhe; |
+ break; |
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
+ on = ss->opt.enableExtendedMS; |
+ break; |
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
+ on = ss->opt.enableSignedCertTimestamps; |
+ break; |
+ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
} |
ssl_ReleaseSSL3HandshakeLock(ss); |
@@ -945,8 +1017,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
SECStatus |
SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
{ |
- SECStatus rv = SECSuccess; |
- PRBool on = PR_FALSE; |
+ SECStatus rv = SECSuccess; |
+ PRBool on = PR_FALSE; |
if (!pOn) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
@@ -956,61 +1028,100 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
ssl_SetDefaultsFromEnvironment(); |
switch (which) { |
- case SSL_SOCKS: on = PR_FALSE; break; |
- case SSL_SECURITY: on = ssl_defaults.useSecurity; break; |
- case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; |
- case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; |
- case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; |
- case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; |
- case SSL_ENABLE_TLS: |
- on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
- break; |
- case SSL_ENABLE_SSL3: |
- on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; |
- break; |
- case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; |
- case SSL_NO_CACHE: on = ssl_defaults.noCache; break; |
- case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; |
- case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; |
- case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; |
- case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; |
- case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; |
- case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; |
- case SSL_ENABLE_SESSION_TICKETS: |
- on = ssl_defaults.enableSessionTickets; |
- break; |
- case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break; |
- case SSL_ENABLE_RENEGOTIATION: |
- on = ssl_defaults.enableRenegotiation; break; |
- case SSL_REQUIRE_SAFE_NEGOTIATION: |
- on = ssl_defaults.requireSafeNegotiation; |
- break; |
- case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; |
- case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; |
- case SSL_ENABLE_OCSP_STAPLING: |
- on = ssl_defaults.enableOCSPStapling; |
- break; |
- case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break; |
- case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break; |
- case SSL_REUSE_SERVER_ECDHE_KEY: |
- on = ssl_defaults.reuseServerECDHEKey; |
- break; |
- case SSL_ENABLE_FALLBACK_SCSV: |
- on = ssl_defaults.enableFallbackSCSV; |
- break; |
- case SSL_ENABLE_SERVER_DHE: |
- on = ssl_defaults.enableServerDhe; |
- break; |
- case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
- on = ssl_defaults.enableExtendedMS; |
- break; |
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
- on = ssl_defaults.enableSignedCertTimestamps; |
- break; |
- |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
+ case SSL_SOCKS: |
+ on = PR_FALSE; |
+ break; |
+ case SSL_SECURITY: |
+ on = ssl_defaults.useSecurity; |
+ break; |
+ case SSL_REQUEST_CERTIFICATE: |
+ on = ssl_defaults.requestCertificate; |
+ break; |
+ case SSL_REQUIRE_CERTIFICATE: |
+ on = ssl_defaults.requireCertificate; |
+ break; |
+ case SSL_HANDSHAKE_AS_CLIENT: |
+ on = ssl_defaults.handshakeAsClient; |
+ break; |
+ case SSL_HANDSHAKE_AS_SERVER: |
+ on = ssl_defaults.handshakeAsServer; |
+ break; |
+ case SSL_ENABLE_TLS: |
+ on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; |
+ break; |
+ case SSL_ENABLE_SSL3: |
+ on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; |
+ break; |
+ case SSL_ENABLE_SSL2: |
+ on = ssl_defaults.enableSSL2; |
+ break; |
+ case SSL_NO_CACHE: |
+ on = ssl_defaults.noCache; |
+ break; |
+ case SSL_ENABLE_FDX: |
+ on = ssl_defaults.fdx; |
+ break; |
+ case SSL_V2_COMPATIBLE_HELLO: |
+ on = ssl_defaults.v2CompatibleHello; |
+ break; |
+ case SSL_ROLLBACK_DETECTION: |
+ on = ssl_defaults.detectRollBack; |
+ break; |
+ case SSL_NO_STEP_DOWN: |
+ on = ssl_defaults.noStepDown; |
+ break; |
+ case SSL_BYPASS_PKCS11: |
+ on = ssl_defaults.bypassPKCS11; |
+ break; |
+ case SSL_NO_LOCKS: |
+ on = ssl_defaults.noLocks; |
+ break; |
+ case SSL_ENABLE_SESSION_TICKETS: |
+ on = ssl_defaults.enableSessionTickets; |
+ break; |
+ case SSL_ENABLE_DEFLATE: |
+ on = ssl_defaults.enableDeflate; |
+ break; |
+ case SSL_ENABLE_RENEGOTIATION: |
+ on = ssl_defaults.enableRenegotiation; |
+ break; |
+ case SSL_REQUIRE_SAFE_NEGOTIATION: |
+ on = ssl_defaults.requireSafeNegotiation; |
+ break; |
+ case SSL_ENABLE_FALSE_START: |
+ on = ssl_defaults.enableFalseStart; |
+ break; |
+ case SSL_CBC_RANDOM_IV: |
+ on = ssl_defaults.cbcRandomIV; |
+ break; |
+ case SSL_ENABLE_OCSP_STAPLING: |
+ on = ssl_defaults.enableOCSPStapling; |
+ break; |
+ case SSL_ENABLE_NPN: |
+ on = ssl_defaults.enableNPN; |
+ break; |
+ case SSL_ENABLE_ALPN: |
+ on = ssl_defaults.enableALPN; |
+ break; |
+ case SSL_REUSE_SERVER_ECDHE_KEY: |
+ on = ssl_defaults.reuseServerECDHEKey; |
+ break; |
+ case SSL_ENABLE_FALLBACK_SCSV: |
+ on = ssl_defaults.enableFallbackSCSV; |
+ break; |
+ case SSL_ENABLE_SERVER_DHE: |
+ on = ssl_defaults.enableServerDhe; |
+ break; |
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
+ on = ssl_defaults.enableExtendedMS; |
+ break; |
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
+ on = ssl_defaults.enableSignedCertTimestamps; |
+ break; |
+ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
} |
*pOn = on; |
@@ -1036,175 +1147,182 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) |
ssl_SetDefaultsFromEnvironment(); |
switch (which) { |
- case SSL_SOCKS: |
- ssl_defaults.useSocks = PR_FALSE; |
- if (on) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
- } |
- break; |
+ case SSL_SOCKS: |
+ ssl_defaults.useSocks = PR_FALSE; |
+ if (on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ break; |
- case SSL_SECURITY: |
- ssl_defaults.useSecurity = on; |
- break; |
+ case SSL_SECURITY: |
+ ssl_defaults.useSecurity = on; |
+ break; |
- case SSL_REQUEST_CERTIFICATE: |
- ssl_defaults.requestCertificate = on; |
- break; |
+ case SSL_REQUEST_CERTIFICATE: |
+ ssl_defaults.requestCertificate = on; |
+ break; |
- case SSL_REQUIRE_CERTIFICATE: |
- ssl_defaults.requireCertificate = on; |
- break; |
+ case SSL_REQUIRE_CERTIFICATE: |
+ ssl_defaults.requireCertificate = on; |
+ break; |
- case SSL_HANDSHAKE_AS_CLIENT: |
- if ( ssl_defaults.handshakeAsServer && on ) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
- } |
- ssl_defaults.handshakeAsClient = on; |
- break; |
+ case SSL_HANDSHAKE_AS_CLIENT: |
+ if (ssl_defaults.handshakeAsServer && on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ ssl_defaults.handshakeAsClient = on; |
+ break; |
- case SSL_HANDSHAKE_AS_SERVER: |
- if ( ssl_defaults.handshakeAsClient && on ) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
- } |
- ssl_defaults.handshakeAsServer = on; |
- break; |
+ case SSL_HANDSHAKE_AS_SERVER: |
+ if (ssl_defaults.handshakeAsClient && on) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ ssl_defaults.handshakeAsServer = on; |
+ break; |
- case SSL_ENABLE_TLS: |
- ssl_EnableTLS(&versions_defaults_stream, on); |
- break; |
+ case SSL_ENABLE_TLS: |
+ ssl_EnableTLS(&versions_defaults_stream, on); |
+ break; |
- case SSL_ENABLE_SSL3: |
- ssl_EnableSSL3(&versions_defaults_stream, on); |
- break; |
+ case SSL_ENABLE_SSL3: |
+ ssl_EnableSSL3(&versions_defaults_stream, on); |
+ break; |
- case SSL_ENABLE_SSL2: |
- ssl_defaults.enableSSL2 = on; |
- if (on) { |
- ssl_defaults.v2CompatibleHello = on; |
- } |
- break; |
+ case SSL_ENABLE_SSL2: |
+ if (on) { |
+ /* don't turn it on if ssl2 disallowed by by policy */ |
+ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, |
+ SSL_LIBRARY_VERSION_2)) { |
+ break; |
+ } |
+ } |
+ ssl_defaults.enableSSL2 = on; |
+ if (on) { |
+ ssl_defaults.v2CompatibleHello = on; |
+ } |
+ break; |
- case SSL_NO_CACHE: |
- ssl_defaults.noCache = on; |
- break; |
+ case SSL_NO_CACHE: |
+ ssl_defaults.noCache = on; |
+ break; |
- case SSL_ENABLE_FDX: |
- if (on && ssl_defaults.noLocks) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
- } |
- ssl_defaults.fdx = on; |
- break; |
+ case SSL_ENABLE_FDX: |
+ if (on && ssl_defaults.noLocks) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ ssl_defaults.fdx = on; |
+ break; |
- case SSL_V2_COMPATIBLE_HELLO: |
- ssl_defaults.v2CompatibleHello = on; |
- if (!on) { |
- ssl_defaults.enableSSL2 = on; |
- } |
- break; |
+ case SSL_V2_COMPATIBLE_HELLO: |
+ ssl_defaults.v2CompatibleHello = on; |
+ if (!on) { |
+ ssl_defaults.enableSSL2 = on; |
+ } |
+ break; |
- case SSL_ROLLBACK_DETECTION: |
- ssl_defaults.detectRollBack = on; |
- break; |
+ case SSL_ROLLBACK_DETECTION: |
+ ssl_defaults.detectRollBack = on; |
+ break; |
- case SSL_NO_STEP_DOWN: |
- ssl_defaults.noStepDown = on; |
- if (on) |
- SSL_DisableDefaultExportCipherSuites(); |
- break; |
+ case SSL_NO_STEP_DOWN: |
+ ssl_defaults.noStepDown = on; |
+ if (on) |
+ SSL_DisableDefaultExportCipherSuites(); |
+ break; |
- case SSL_BYPASS_PKCS11: |
- if (PR_FALSE != on) { |
- if (PR_SUCCESS == SSL_BypassSetup()) { |
+ case SSL_BYPASS_PKCS11: |
+ if (PR_FALSE != on) { |
+ if (PR_SUCCESS == SSL_BypassSetup()) { |
#ifdef NO_PKCS11_BYPASS |
- ssl_defaults.bypassPKCS11 = PR_FALSE; |
+ ssl_defaults.bypassPKCS11 = PR_FALSE; |
#else |
- ssl_defaults.bypassPKCS11 = on; |
+ ssl_defaults.bypassPKCS11 = on; |
#endif |
+ } else { |
+ return SECFailure; |
+ } |
} else { |
- return SECFailure; |
+ ssl_defaults.bypassPKCS11 = PR_FALSE; |
} |
- } else { |
- ssl_defaults.bypassPKCS11 = PR_FALSE; |
- } |
- break; |
+ break; |
- case SSL_NO_LOCKS: |
- if (on && ssl_defaults.fdx) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
- } |
- if (on && ssl_force_locks) |
- on = PR_FALSE; /* silent override */ |
- ssl_defaults.noLocks = on; |
- if (on) { |
- locksEverDisabled = PR_TRUE; |
- strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
- } |
- break; |
+ case SSL_NO_LOCKS: |
+ if (on && ssl_defaults.fdx) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ if (on && ssl_force_locks) |
+ on = PR_FALSE; /* silent override */ |
+ ssl_defaults.noLocks = on; |
+ if (on) { |
+ locksEverDisabled = PR_TRUE; |
+ strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
+ } |
+ break; |
- case SSL_ENABLE_SESSION_TICKETS: |
- ssl_defaults.enableSessionTickets = on; |
- break; |
+ case SSL_ENABLE_SESSION_TICKETS: |
+ ssl_defaults.enableSessionTickets = on; |
+ break; |
- case SSL_ENABLE_DEFLATE: |
- ssl_defaults.enableDeflate = on; |
- break; |
+ case SSL_ENABLE_DEFLATE: |
+ ssl_defaults.enableDeflate = on; |
+ break; |
- case SSL_ENABLE_RENEGOTIATION: |
- ssl_defaults.enableRenegotiation = on; |
- break; |
+ case SSL_ENABLE_RENEGOTIATION: |
+ ssl_defaults.enableRenegotiation = on; |
+ break; |
- case SSL_REQUIRE_SAFE_NEGOTIATION: |
- ssl_defaults.requireSafeNegotiation = on; |
- break; |
+ case SSL_REQUIRE_SAFE_NEGOTIATION: |
+ ssl_defaults.requireSafeNegotiation = on; |
+ break; |
- case SSL_ENABLE_FALSE_START: |
- ssl_defaults.enableFalseStart = on; |
- break; |
+ case SSL_ENABLE_FALSE_START: |
+ ssl_defaults.enableFalseStart = on; |
+ break; |
- case SSL_CBC_RANDOM_IV: |
- ssl_defaults.cbcRandomIV = on; |
- break; |
+ case SSL_CBC_RANDOM_IV: |
+ ssl_defaults.cbcRandomIV = on; |
+ break; |
- case SSL_ENABLE_OCSP_STAPLING: |
- ssl_defaults.enableOCSPStapling = on; |
- break; |
+ case SSL_ENABLE_OCSP_STAPLING: |
+ ssl_defaults.enableOCSPStapling = on; |
+ break; |
- case SSL_ENABLE_NPN: |
- ssl_defaults.enableNPN = on; |
- break; |
+ case SSL_ENABLE_NPN: |
+ ssl_defaults.enableNPN = on; |
+ break; |
- case SSL_ENABLE_ALPN: |
- ssl_defaults.enableALPN = on; |
- break; |
+ case SSL_ENABLE_ALPN: |
+ ssl_defaults.enableALPN = on; |
+ break; |
- case SSL_REUSE_SERVER_ECDHE_KEY: |
- ssl_defaults.reuseServerECDHEKey = on; |
- break; |
+ case SSL_REUSE_SERVER_ECDHE_KEY: |
+ ssl_defaults.reuseServerECDHEKey = on; |
+ break; |
- case SSL_ENABLE_FALLBACK_SCSV: |
- ssl_defaults.enableFallbackSCSV = on; |
- break; |
+ case SSL_ENABLE_FALLBACK_SCSV: |
+ ssl_defaults.enableFallbackSCSV = on; |
+ break; |
- case SSL_ENABLE_SERVER_DHE: |
- ssl_defaults.enableServerDhe = on; |
- break; |
+ case SSL_ENABLE_SERVER_DHE: |
+ ssl_defaults.enableServerDhe = on; |
+ break; |
- case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
- ssl_defaults.enableExtendedMS = on; |
- break; |
+ case SSL_ENABLE_EXTENDED_MASTER_SECRET: |
+ ssl_defaults.enableExtendedMS = on; |
+ break; |
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
- ssl_defaults.enableSignedCertTimestamps = on; |
- break; |
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
+ ssl_defaults.enableSignedCertTimestamps = on; |
+ break; |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
} |
return SECSuccess; |
} |
@@ -1214,12 +1332,12 @@ static PRBool |
ssl_IsRemovedCipherSuite(PRInt32 suite) |
{ |
switch (suite) { |
- case SSL_FORTEZZA_DMS_WITH_NULL_SHA: |
- case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: |
- case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: |
- return PR_TRUE; |
- default: |
- return PR_FALSE; |
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA: |
+ case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: |
+ case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: |
+ return PR_TRUE; |
+ default: |
+ return PR_FALSE; |
} |
} |
@@ -1243,13 +1361,9 @@ SSL_SetPolicy(long which, int policy) |
} |
SECStatus |
-SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
+ssl_CipherPolicySet(PRInt32 which, PRInt32 policy) |
{ |
- SECStatus rv = ssl_Init(); |
- |
- if (rv != SECSuccess) { |
- return rv; |
- } |
+ SECStatus rv = SECSuccess; |
if (ssl_IsRemovedCipherSuite(which)) { |
rv = SECSuccess; |
@@ -1260,6 +1374,16 @@ SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
} |
return rv; |
} |
+SECStatus |
+SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
+{ |
+ SECStatus rv = ssl_Init(); |
+ |
+ if (rv != SECSuccess) { |
+ return rv; |
+ } |
+ return ssl_CipherPolicySet(which, policy); |
+} |
SECStatus |
SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
@@ -1302,13 +1426,9 @@ SSL_EnableCipher(long which, PRBool enabled) |
} |
SECStatus |
-SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
+ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
{ |
- SECStatus rv = ssl_Init(); |
- |
- if (rv != SECSuccess) { |
- return rv; |
- } |
+ SECStatus rv = SECSuccess; |
if (ssl_IsRemovedCipherSuite(which)) |
return SECSuccess; |
@@ -1325,9 +1445,20 @@ SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
} |
SECStatus |
+SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
+{ |
+ SECStatus rv = ssl_Init(); |
+ |
+ if (rv != SECSuccess) { |
+ return rv; |
+ } |
+ return ssl_CipherPrefSetDefault(which, enabled); |
+} |
+ |
+SECStatus |
SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) |
{ |
- SECStatus rv; |
+ SECStatus rv; |
if (!enabled) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
@@ -1374,9 +1505,9 @@ SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) |
sslSocket *ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), |
- fd)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), |
+ fd)); |
+ return SECFailure; |
} |
return ssl3_CipherOrderSet(ss, ciphers, len); |
} |
@@ -1384,7 +1515,7 @@ SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len) |
SECStatus |
SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) |
{ |
- SECStatus rv; |
+ SECStatus rv; |
sslSocket *ss = ssl_FindSocket(fd); |
if (!enabled) { |
@@ -1410,8 +1541,16 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) |
SECStatus |
NSS_SetDomesticPolicy(void) |
{ |
- SECStatus status = SECSuccess; |
+ SECStatus status = SECSuccess; |
const PRUint16 *cipher; |
+ SECStatus rv; |
+ PRUint32 policy; |
+ |
+ /* If we've already defined some policy oids, skip changing them */ |
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy); |
+ if ((rv == SECSuccess) && (policy & NSS_USE_POLICY_IN_SSL)) { |
+ return ssl_Init(); /* make sure the policies have bee loaded */ |
+ } |
for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { |
status = SSL_SetPolicy(*cipher, SSL_ALLOWED); |
@@ -1469,7 +1608,6 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd, |
return SECSuccess; |
} |
- |
PRCallOnceType gWeakDHParamsRegisterOnce; |
int gWeakDHParamsRegisterError; |
@@ -1498,7 +1636,7 @@ ssl3_CreateWeakDHParams(void) |
rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed); |
if (rv != SECSuccess || passed != SECSuccess) { |
SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams", |
- SSL_GETPID())); |
+ SSL_GETPID())); |
gWeakDHParamsError = PORT_GetError(); |
return PR_FAILURE; |
} |
@@ -1577,21 +1715,22 @@ SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled) |
SECStatus |
SSL_GetChannelBinding(PRFileDesc *fd, |
- SSLChannelBindingType binding_type, |
- unsigned char *out, |
- unsigned int *outLen, |
- unsigned int outLenMax) { |
+ SSLChannelBindingType binding_type, |
+ unsigned char *out, |
+ unsigned int *outLen, |
+ unsigned int outLenMax) |
+{ |
sslSocket *ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", |
- SSL_GETPID(), fd)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
} |
if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) { |
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
- return SECFailure; |
+ PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
+ return SECFailure; |
} |
return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax); |
@@ -1636,11 +1775,11 @@ ssl3_SelectDHParams(sslSocket *ss) |
} else { |
if (ss->ssl3.dheGroups) { |
selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups, |
- ss->ssl3.numDHEGroups); |
+ ss->ssl3.numDHEGroups); |
} else { |
size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_groups); |
selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups, |
- number_of_default_groups); |
+ number_of_default_groups); |
} |
if (selectedGroup == ssl_dhe_group_none || |
@@ -1658,10 +1797,10 @@ ssl3_SelectDHParams(sslSocket *ss) |
static PRFileDesc * |
ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) |
{ |
- sslSocket * ns = NULL; |
- PRStatus rv; |
- PRNetAddr addr; |
- SECStatus status = ssl_Init(); |
+ sslSocket *ns = NULL; |
+ PRStatus rv; |
+ PRNetAddr addr; |
+ SECStatus status = ssl_Init(); |
if (status != SECSuccess) { |
return NULL; |
@@ -1671,10 +1810,10 @@ ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) |
/* Just create a default socket if we're given NULL for the model */ |
ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); |
} else { |
- sslSocket * ss = ssl_FindSocket(model); |
+ sslSocket *ss = ssl_FindSocket(model); |
if (ss == NULL || ss->protocolVariant != variant) { |
SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", |
- SSL_GETPID(), model)); |
+ SSL_GETPID(), model)); |
return NULL; |
} |
ns = ssl_DupSocket(ss); |
@@ -1690,7 +1829,7 @@ ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) |
} |
#if defined(DEBUG) || defined(FORCE_PR_ASSERT) |
{ |
- sslSocket * ss = ssl_FindSocket(fd); |
+ sslSocket *ss = ssl_FindSocket(fd); |
PORT_Assert(ss == ns); |
} |
#endif |
@@ -1755,11 +1894,11 @@ ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd, |
} |
/* For each protocol in server preference, see if we support it. */ |
- for (i = 0; i < protos_len; ) { |
- for (j = 0; j < ss->opt.nextProtoNego.len; ) { |
+ for (i = 0; i < protos_len;) { |
+ for (j = 0; j < ss->opt.nextProtoNego.len;) { |
if (protos[i] == ss->opt.nextProtoNego.data[j] && |
- PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1], |
- protos[i]) == 0) { |
+ PORT_Memcmp(&protos[i + 1], &ss->opt.nextProtoNego.data[j + 1], |
+ protos[i]) == 0) { |
/* We found a match. */ |
ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; |
result = &protos[i]; |
@@ -1793,7 +1932,7 @@ SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, |
{ |
sslSocket *ss; |
SECStatus rv; |
- SECItem dataItem = { siBuffer, (unsigned char *) data, length }; |
+ SECItem dataItem = { siBuffer, (unsigned char *)data, length }; |
ss = ssl_FindSocket(fd); |
if (!ss) { |
@@ -1850,9 +1989,10 @@ SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf, |
return SECSuccess; |
} |
-SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, |
- const PRUint16 *ciphers, |
- unsigned int numCiphers) |
+SECStatus |
+SSL_SetSRTPCiphers(PRFileDesc *fd, |
+ const PRUint16 *ciphers, |
+ unsigned int numCiphers) |
{ |
sslSocket *ss; |
unsigned int i; |
@@ -1884,8 +2024,9 @@ SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, |
ciphers[i]; |
} else { |
SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " |
- "suite specified: 0x%04hx", SSL_GETPID(), fd, |
- ciphers[i])); |
+ "suite specified: 0x%04hx", |
+ SSL_GETPID(), fd, |
+ ciphers[i])); |
} |
} |
@@ -1900,7 +2041,7 @@ SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, |
SECStatus |
SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) |
{ |
- sslSocket * ss; |
+ sslSocket *ss; |
ss = ssl_FindSocket(fd); |
if (!ss) { |
@@ -1922,10 +2063,10 @@ SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) |
PRFileDesc * |
SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
{ |
- sslSocket * sm = NULL, *ss = NULL; |
+ sslSocket *sm = NULL, *ss = NULL; |
int i; |
- sslServerCerts * mc = NULL; |
- sslServerCerts * sc = NULL; |
+ sslServerCerts *mc = NULL; |
+ sslServerCerts *sc = NULL; |
if (model == NULL) { |
PR_SetError(SEC_ERROR_INVALID_ARGS, 0); |
@@ -1944,7 +2085,7 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
return NULL; |
} |
- ss->opt = sm->opt; |
+ ss->opt = sm->opt; |
ss->vrange = sm->vrange; |
PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); |
PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, |
@@ -1952,8 +2093,9 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; |
PORT_Memcpy(ss->ssl3.signatureAlgorithms, sm->ssl3.signatureAlgorithms, |
sizeof(ss->ssl3.signatureAlgorithms[0]) * |
- sm->ssl3.signatureAlgorithmCount); |
+ sm->ssl3.signatureAlgorithmCount); |
ss->ssl3.signatureAlgorithmCount = sm->ssl3.signatureAlgorithmCount; |
+ ss->ssl3.downgradeCheckVersion = sm->ssl3.downgradeCheckVersion; |
if (!ss->opt.useSecurity) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
@@ -1962,14 +2104,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
/* This int should be SSLKEAType, but CC on Irix complains, |
* during the for loop. |
*/ |
- for (i=kt_null; i < kt_kea_size; i++) { |
+ for (i = kt_null; i < kt_kea_size; i++) { |
mc = &(sm->serverCerts[i]); |
sc = &(ss->serverCerts[i]); |
if (mc->serverCert && mc->serverCertChain) { |
if (sc->serverCert) { |
CERT_DestroyCertificate(sc->serverCert); |
} |
- sc->serverCert = CERT_DupCertificate(mc->serverCert); |
+ sc->serverCert = CERT_DupCertificate(mc->serverCert); |
if (sc->serverCertChain) { |
CERT_DestroyCertificateList(sc->serverCertChain); |
} |
@@ -1985,6 +2127,17 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
if (!ss->certStatusArray[i]) |
goto loser; |
} |
+ if (sm->signedCertTimestamps[i].data) { |
+ if (ss->signedCertTimestamps[i].data) { |
+ SECITEM_FreeItem(&ss->signedCertTimestamps[i], PR_FALSE); |
+ } |
+ if (SECITEM_CopyItem(NULL, |
+ &ss->signedCertTimestamps[i], |
+ &sm->signedCertTimestamps[i]) != |
+ SECSuccess) { |
+ goto loser; |
+ } |
+ } |
} |
if (mc->serverKeyPair) { |
if (sc->serverKeyPair) { |
@@ -2019,58 +2172,148 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
} |
if (sm->authCertificate) |
- ss->authCertificate = sm->authCertificate; |
+ ss->authCertificate = sm->authCertificate; |
if (sm->authCertificateArg) |
- ss->authCertificateArg = sm->authCertificateArg; |
+ ss->authCertificateArg = sm->authCertificateArg; |
if (sm->getClientAuthData) |
- ss->getClientAuthData = sm->getClientAuthData; |
+ ss->getClientAuthData = sm->getClientAuthData; |
if (sm->getClientAuthDataArg) |
- ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
-#ifdef NSS_PLATFORM_CLIENT_AUTH |
- if (sm->getPlatformClientAuthData) |
- ss->getPlatformClientAuthData = sm->getPlatformClientAuthData; |
- if (sm->getPlatformClientAuthDataArg) |
- ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg; |
-#endif |
+ ss->getClientAuthDataArg = sm->getClientAuthDataArg; |
if (sm->sniSocketConfig) |
- ss->sniSocketConfig = sm->sniSocketConfig; |
+ ss->sniSocketConfig = sm->sniSocketConfig; |
if (sm->sniSocketConfigArg) |
- ss->sniSocketConfigArg = sm->sniSocketConfigArg; |
+ ss->sniSocketConfigArg = sm->sniSocketConfigArg; |
if (sm->handleBadCert) |
- ss->handleBadCert = sm->handleBadCert; |
+ ss->handleBadCert = sm->handleBadCert; |
if (sm->badCertArg) |
- ss->badCertArg = sm->badCertArg; |
+ ss->badCertArg = sm->badCertArg; |
if (sm->handshakeCallback) |
- ss->handshakeCallback = sm->handshakeCallback; |
+ ss->handshakeCallback = sm->handshakeCallback; |
if (sm->handshakeCallbackData) |
ss->handshakeCallbackData = sm->handshakeCallbackData; |
if (sm->pkcs11PinArg) |
- ss->pkcs11PinArg = sm->pkcs11PinArg; |
+ ss->pkcs11PinArg = sm->pkcs11PinArg; |
if (sm->getChannelID) |
- ss->getChannelID = sm->getChannelID; |
+ ss->getChannelID = sm->getChannelID; |
if (sm->getChannelIDArg) |
- ss->getChannelIDArg = sm->getChannelIDArg; |
+ ss->getChannelIDArg = sm->getChannelIDArg; |
return fd; |
loser: |
return NULL; |
} |
+/* |
+ * Get the user supplied range |
+ */ |
+static SECStatus |
+ssl3_GetRangePolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *prange) |
+{ |
+ SECStatus rv; |
+ PRUint32 policy; |
+ PRInt32 option; |
+ |
+ /* only use policy constraints if we've set the apply ssl policy bit */ |
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy); |
+ if ((rv != SECSuccess) || !(policy & NSS_USE_POLICY_IN_SSL)) { |
+ return SECFailure; |
+ } |
+ rv = NSS_OptionGet(VERSIONS_POLICY_MIN(protocolVariant), &option); |
+ if (rv != SECSuccess) { |
+ return rv; |
+ } |
+ prange->min = (PRUint16)option; |
+ rv = NSS_OptionGet(VERSIONS_POLICY_MAX(protocolVariant), &option); |
+ if (rv != SECSuccess) { |
+ return rv; |
+ } |
+ prange->max = (PRUint16)option; |
+ if (prange->max < prange->min) { |
+ return SECFailure; /* don't accept an invalid policy */ |
+ } |
+ return SECSuccess; |
+} |
+ |
+/* |
+ * Constrain a single protocol variant's range based on the user policy |
+ */ |
+static SECStatus |
+ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant) |
+{ |
+ SSLVersionRange vrange; |
+ SSLVersionRange pvrange; |
+ SECStatus rv; |
+ |
+ vrange = *VERSIONS_DEFAULTS(protocolVariant); |
+ rv = ssl3_GetRangePolicy(protocolVariant, &pvrange); |
+ if (rv != SECSuccess) { |
+ return SECSuccess; /* we don't have any policy */ |
+ } |
+ vrange.min = PR_MAX(vrange.min, pvrange.min); |
+ vrange.max = PR_MIN(vrange.max, pvrange.max); |
+ if (vrange.max >= vrange.min) { |
+ *VERSIONS_DEFAULTS(protocolVariant) = vrange; |
+ } else { |
+ /* there was no overlap, turn off range altogether */ |
+ pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE; |
+ *VERSIONS_DEFAULTS(protocolVariant) = pvrange; |
+ } |
+ return SECSuccess; |
+} |
+ |
+static PRBool |
+ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant, |
+ SSL3ProtocolVersion version) |
+{ |
+ SSLVersionRange pvrange; |
+ SECStatus rv; |
+ |
+ rv = ssl3_GetRangePolicy(protocolVariant, &pvrange); |
+ if (rv == SECSuccess) { |
+ if ((version > pvrange.max) || (version < pvrange.min)) { |
+ return PR_FALSE; /* disallowed by policy */ |
+ } |
+ } |
+ return PR_TRUE; |
+} |
+ |
+/* |
+ * This is called at SSL init time to constrain the existing range based |
+ * on user supplied policy. |
+ */ |
+SECStatus |
+ssl3_ConstrainRangeByPolicy(void) |
+{ |
+ SECStatus rv; |
+ rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream); |
+ if (rv != SECSuccess) { |
+ return rv; |
+ } |
+ rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram); |
+ if (rv != SECSuccess) { |
+ return rv; |
+ } |
+ return SECSuccess; |
+} |
+ |
PRBool |
ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, |
SSL3ProtocolVersion version) |
{ |
- switch (protocolVariant) { |
- case ssl_variant_stream: |
- return (version >= SSL_LIBRARY_VERSION_3_0 && |
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
- case ssl_variant_datagram: |
- return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && |
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
- default: |
- /* Can't get here */ |
- PORT_Assert(PR_FALSE); |
+ if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) { |
return PR_FALSE; |
} |
+ switch (protocolVariant) { |
+ case ssl_variant_stream: |
+ return (version >= SSL_LIBRARY_VERSION_3_0 && |
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
+ case ssl_variant_datagram: |
+ return (version >= SSL_LIBRARY_VERSION_TLS_1_1 && |
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); |
+ default: |
+ /* Can't get here */ |
+ PORT_Assert(PR_FALSE); |
+ return PR_FALSE; |
+ } |
} |
/* Returns PR_TRUE if the given version range is valid and |
@@ -2086,6 +2329,29 @@ ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant, |
ssl3_VersionIsSupported(protocolVariant, vrange->max); |
} |
+const SECItem * |
+SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
+{ |
+ sslSocket *ss = ssl_FindSocket(fd); |
+ |
+ if (!ss) { |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
+ SSL_GETPID(), fd)); |
+ return NULL; |
+ } |
+ |
+ if (!ss->sec.ci.sid) { |
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
+ return NULL; |
+ } |
+ |
+ if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { |
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
+ return NULL; |
+ } |
+ return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; |
+} |
+ |
SECStatus |
SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, |
SSLVersionRange *vrange) |
@@ -2096,17 +2362,17 @@ SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, |
} |
switch (protocolVariant) { |
- case ssl_variant_stream: |
- vrange->min = SSL_LIBRARY_VERSION_3_0; |
- vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
- break; |
- case ssl_variant_datagram: |
- vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; |
- vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
- break; |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
+ case ssl_variant_stream: |
+ vrange->min = SSL_LIBRARY_VERSION_3_0; |
+ vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
+ break; |
+ case ssl_variant_datagram: |
+ vrange->min = SSL_LIBRARY_VERSION_TLS_1_1; |
+ vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; |
+ break; |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
} |
return SECSuccess; |
@@ -2117,7 +2383,8 @@ SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, |
SSLVersionRange *vrange) |
{ |
if ((protocolVariant != ssl_variant_stream && |
- protocolVariant != ssl_variant_datagram) || !vrange) { |
+ protocolVariant != ssl_variant_datagram) || |
+ !vrange) { |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
return SECFailure; |
} |
@@ -2147,8 +2414,8 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) |
sslSocket *ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet", |
- SSL_GETPID(), fd)); |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeGet", |
+ SSL_GETPID(), fd)); |
return SECFailure; |
} |
@@ -2168,32 +2435,14 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) |
return SECSuccess; |
} |
-static PRCallOnceType checkTLS12TokenOnce; |
-static PRBool tls12TokenExists; |
- |
-static PRStatus |
-ssl_CheckTLS12Token(void) |
-{ |
- tls12TokenExists = |
- PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); |
- return PR_SUCCESS; |
-} |
- |
-static PRBool |
-ssl_TLS12TokenExists(void) |
-{ |
- (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); |
- return tls12TokenExists; |
-} |
- |
SECStatus |
SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
{ |
sslSocket *ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", |
- SSL_GETPID(), fd)); |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet", |
+ SSL_GETPID(), fd)); |
return SECFailure; |
} |
@@ -2205,78 +2454,84 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
ssl_Get1stHandshakeLock(ss); |
ssl_GetSSL3HandshakeLock(ss); |
- ss->vrange = *vrange; |
- /* If we don't have a sufficiently up-to-date softoken then we cannot do |
- * TLS 1.2. */ |
- if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
- !ssl_TLS12TokenExists()) { |
- /* If the user requested a minimum version of 1.2, then we don't |
- * silently downgrade. */ |
- if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
- ssl_ReleaseSSL3HandshakeLock(ss); |
- ssl_Release1stHandshakeLock(ss); |
- PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
- return SECFailure; |
- } |
- ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
+ if (ss->ssl3.downgradeCheckVersion && |
+ ss->vrange.max > ss->ssl3.downgradeCheckVersion) { |
+ PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
+ ssl_ReleaseSSL3HandshakeLock(ss); |
+ ssl_Release1stHandshakeLock(ss); |
+ return SECFailure; |
} |
+ ss->vrange = *vrange; |
+ |
ssl_ReleaseSSL3HandshakeLock(ss); |
ssl_Release1stHandshakeLock(ss); |
return SECSuccess; |
} |
-const SECItemArray * |
-SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
+SECStatus |
+SSL_SetDowngradeCheckVersion(PRFileDesc *fd, PRUint16 version) |
{ |
sslSocket *ss = ssl_FindSocket(fd); |
+ SECStatus rv = SECFailure; |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", |
- SSL_GETPID(), fd)); |
- return NULL; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetDowngradeCheckVersion", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
} |
- if (!ss->sec.ci.sid) { |
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
- return NULL; |
+ if (version && !ssl3_VersionIsSupported(ss->protocolVariant, version)) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
} |
- return &ss->sec.ci.sid->peerCertStatus; |
+ ssl_Get1stHandshakeLock(ss); |
+ ssl_GetSSL3HandshakeLock(ss); |
+ |
+ if (version && version < ss->vrange.max) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ goto loser; |
+ } |
+ ss->ssl3.downgradeCheckVersion = version; |
+ rv = SECSuccess; |
+ |
+loser: |
+ ssl_ReleaseSSL3HandshakeLock(ss); |
+ ssl_Release1stHandshakeLock(ss); |
+ |
+ return rv; |
} |
-const SECItem * |
-SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
+const SECItemArray * |
+SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
{ |
sslSocket *ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
- SSL_GETPID(), fd)); |
- return NULL; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", |
+ SSL_GETPID(), fd)); |
+ return NULL; |
} |
if (!ss->sec.ci.sid) { |
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
- return NULL; |
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
+ return NULL; |
} |
- if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { |
- PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
- return NULL; |
- } |
- return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; |
+ return &ss->sec.ci.sid->peerCertStatus; |
} |
SECStatus |
-SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { |
+SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) |
+{ |
sslSocket *ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", |
- SSL_GETPID(), fd)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
} |
*handshake_resumed = ss->ssl3.hs.isResuming; |
@@ -2286,15 +2541,16 @@ SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { |
const SECItem * |
SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd) |
{ |
- sslSocket *ss = ssl_FindSocket(fd); |
+ sslSocket *ss = ssl_FindSocket(fd); |
- if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in " |
- "SSL_GetRequestedClientCertificateTypes", SSL_GETPID(), fd)); |
- return NULL; |
- } |
+ if (!ss) { |
+ SSL_DBG(("%d: SSL[%d]: bad socket in " |
+ "SSL_GetRequestedClientCertificateTypes", |
+ SSL_GETPID(), fd)); |
+ return NULL; |
+ } |
- return ss->requestedCertTypes; |
+ return ss->requestedCertTypes; |
} |
/************************************************************************/ |
@@ -2302,14 +2558,14 @@ SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd) |
** They all get called through the NSPRIOMethods table below. |
*/ |
-static PRFileDesc * PR_CALLBACK |
+static PRFileDesc *PR_CALLBACK |
ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) |
{ |
- sslSocket *ss; |
- sslSocket *ns = NULL; |
- PRFileDesc *newfd = NULL; |
+ sslSocket *ss; |
+ sslSocket *ns = NULL; |
+ PRFileDesc *newfd = NULL; |
PRFileDesc *osfd; |
- PRStatus status; |
+ PRStatus status; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
@@ -2340,7 +2596,7 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) |
ssl_ReleaseSSL3HandshakeLock(ss); |
ssl_Release1stHandshakeLock(ss); |
SSL_UNLOCK_WRITER(ss); |
- SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ |
+ SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ |
if (ns == NULL) |
goto loser; |
@@ -2353,8 +2609,8 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) |
/* Now start server connection handshake with client. |
** Don't need locks here because nobody else has a reference to ns yet. |
*/ |
- if ( ns->opt.useSecurity ) { |
- if ( ns->opt.handshakeAsClient ) { |
+ if (ns->opt.useSecurity) { |
+ if (ns->opt.handshakeAsClient) { |
ns->handshake = ssl2_BeginClientHandshake; |
ss->handshaking = sslHandshakingAsClient; |
} else { |
@@ -2377,7 +2633,7 @@ static PRStatus PR_CALLBACK |
ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) |
{ |
sslSocket *ss; |
- PRStatus rv; |
+ PRStatus rv; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
@@ -2401,8 +2657,8 @@ ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) |
static PRStatus PR_CALLBACK |
ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) |
{ |
- sslSocket * ss = ssl_GetPrivate(fd); |
- PRStatus rv; |
+ sslSocket *ss = ssl_GetPrivate(fd); |
+ PRStatus rv; |
if (!ss) { |
SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); |
@@ -2421,8 +2677,8 @@ ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) |
static PRStatus PR_CALLBACK |
ssl_Listen(PRFileDesc *fd, PRIntn backlog) |
{ |
- sslSocket * ss = ssl_GetPrivate(fd); |
- PRStatus rv; |
+ sslSocket *ss = ssl_GetPrivate(fd); |
+ PRStatus rv; |
if (!ss) { |
SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); |
@@ -2441,8 +2697,8 @@ ssl_Listen(PRFileDesc *fd, PRIntn backlog) |
static PRStatus PR_CALLBACK |
ssl_Shutdown(PRFileDesc *fd, PRIntn how) |
{ |
- sslSocket * ss = ssl_GetPrivate(fd); |
- PRStatus rv; |
+ sslSocket *ss = ssl_GetPrivate(fd); |
+ PRStatus rv; |
if (!ss) { |
SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); |
@@ -2470,7 +2726,7 @@ static PRStatus PR_CALLBACK |
ssl_Close(PRFileDesc *fd) |
{ |
sslSocket *ss; |
- PRStatus rv; |
+ PRStatus rv; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
@@ -2498,7 +2754,7 @@ ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, |
PRIntervalTime timeout) |
{ |
sslSocket *ss; |
- int rv; |
+ int rv; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
@@ -2509,7 +2765,7 @@ ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, |
ss->rTimeout = timeout; |
if (!ss->opt.fdx) |
ss->wTimeout = timeout; |
- rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags); |
+ rv = (*ss->ops->recv)(ss, (unsigned char *)buf, len, flags); |
SSL_UNLOCK_READER(ss); |
return rv; |
} |
@@ -2519,7 +2775,7 @@ ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, |
PRIntervalTime timeout) |
{ |
sslSocket *ss; |
- int rv; |
+ int rv; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
@@ -2530,7 +2786,7 @@ ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, |
ss->wTimeout = timeout; |
if (!ss->opt.fdx) |
ss->rTimeout = timeout; |
- rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags); |
+ rv = (*ss->ops->send)(ss, (const unsigned char *)buf, len, flags); |
SSL_UNLOCK_WRITER(ss); |
return rv; |
} |
@@ -2539,7 +2795,7 @@ static int PR_CALLBACK |
ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) |
{ |
sslSocket *ss; |
- int rv; |
+ int rv; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
@@ -2550,7 +2806,7 @@ ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) |
ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
if (!ss->opt.fdx) |
ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
- rv = (*ss->ops->read)(ss, (unsigned char*)buf, len); |
+ rv = (*ss->ops->read)(ss, (unsigned char *)buf, len); |
SSL_UNLOCK_READER(ss); |
return rv; |
} |
@@ -2559,7 +2815,7 @@ static int PR_CALLBACK |
ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) |
{ |
sslSocket *ss; |
- int rv; |
+ int rv; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
@@ -2570,7 +2826,7 @@ ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) |
ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
if (!ss->opt.fdx) |
ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
- rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len); |
+ rv = (*ss->ops->write)(ss, (const unsigned char *)buf, len); |
SSL_UNLOCK_WRITER(ss); |
return rv; |
} |
@@ -2593,9 +2849,9 @@ ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) |
SECStatus |
ssl_GetPeerInfo(sslSocket *ss) |
{ |
- PRFileDesc * osfd; |
- int rv; |
- PRNetAddr sin; |
+ PRFileDesc *osfd; |
+ int rv; |
+ PRNetAddr sin; |
osfd = ss->fd->lower; |
@@ -2644,8 +2900,8 @@ SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses, |
return SECFailure; |
} |
- if ( kea <= 0 || kea >= kt_kea_size) { |
- SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses", |
+ if (kea <= 0 || kea >= kt_kea_size) { |
+ SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetStapledOCSPResponses", |
SSL_GETPID(), fd)); |
return SECFailure; |
} |
@@ -2661,6 +2917,35 @@ SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses, |
} |
SECStatus |
+SSL_SetSignedCertTimestamps(PRFileDesc *fd, const SECItem *scts, SSLKEAType kea) |
+{ |
+ sslSocket *ss; |
+ |
+ ss = ssl_FindSocket(fd); |
+ if (!ss) { |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSignedCertTimestamps", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
+ } |
+ |
+ if (kea <= 0 || kea >= kt_kea_size) { |
+ SSL_DBG(("%d: SSL[%d]: invalid key type in SSL_SetSignedCertTimestamps", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
+ } |
+ |
+ if (ss->signedCertTimestamps[kea].data) { |
+ SECITEM_FreeItem(&ss->signedCertTimestamps[kea], PR_FALSE); |
+ } |
+ |
+ if (!scts) { |
+ return SECSuccess; |
+ } |
+ |
+ return SECITEM_CopyItem(NULL, &ss->signedCertTimestamps[kea], scts); |
+} |
+ |
+SECStatus |
SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) |
{ |
sslSocket *ss; |
@@ -2687,15 +2972,15 @@ static PRInt16 PR_CALLBACK |
ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) |
{ |
sslSocket *ss; |
- PRInt16 new_flags = how_flags; /* should select on these flags. */ |
- PRNetAddr addr; |
+ PRInt16 new_flags = how_flags; /* should select on these flags. */ |
+ PRNetAddr addr; |
*p_out_flags = 0; |
ss = ssl_GetPrivate(fd); |
if (!ss) { |
SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", |
SSL_GETPID(), fd)); |
- return 0; /* don't poll on this socket */ |
+ return 0; /* don't poll on this socket */ |
} |
if (ss->opt.useSecurity && |
@@ -2721,36 +3006,36 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) |
new_flags |= PR_POLL_READ; |
} |
} else |
- /* First handshake is in progress */ |
- if (ss->lastWriteBlocked) { |
+ /* First handshake is in progress */ |
+ if (ss->lastWriteBlocked) { |
if (new_flags & PR_POLL_READ) { |
/* The caller is waiting for data to be received, |
** but the initial handshake is blocked on write, or the |
** client's first handshake record has not been written. |
** The code should select on write, not read. |
*/ |
- new_flags ^= PR_POLL_READ; /* don't select on read. */ |
- new_flags |= PR_POLL_WRITE; /* do select on write. */ |
+ new_flags ^= PR_POLL_READ; /* don't select on read. */ |
+ new_flags |= PR_POLL_WRITE; /* do select on write. */ |
} |
} else if (new_flags & PR_POLL_WRITE) { |
- /* The caller is trying to write, but the handshake is |
- ** blocked waiting for data to read, and the first |
- ** handshake has been sent. So do NOT to poll on write |
- ** unless we did false start. |
- */ |
- if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 && |
- ss->ssl3.hs.canFalseStart)) { |
- new_flags ^= PR_POLL_WRITE; /* don't select on write. */ |
- } |
- new_flags |= PR_POLL_READ; /* do select on read. */ |
+ /* The caller is trying to write, but the handshake is |
+ ** blocked waiting for data to read, and the first |
+ ** handshake has been sent. So do NOT to poll on write |
+ ** unless we did false start. |
+ */ |
+ if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 && |
+ ss->ssl3.hs.canFalseStart)) { |
+ new_flags ^= PR_POLL_WRITE; /* don't select on write. */ |
+ } |
+ new_flags |= PR_POLL_READ; /* do select on read. */ |
} |
} |
} else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { |
- *p_out_flags = PR_POLL_READ; /* it's ready already. */ |
+ *p_out_flags = PR_POLL_READ; /* it's ready already. */ |
return new_flags; |
} else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && |
(ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ |
- new_flags |= PR_POLL_WRITE; /* also select on write. */ |
+ new_flags |= PR_POLL_WRITE; /* also select on write. */ |
} |
if (ss->version >= SSL_LIBRARY_VERSION_3_0 && |
@@ -2782,8 +3067,8 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) |
} |
if (new_flags && (fd->lower->methods->poll != NULL)) { |
- PRInt16 lower_out_flags = 0; |
- PRInt16 lower_new_flags; |
+ PRInt16 lower_out_flags = 0; |
+ PRInt16 lower_new_flags; |
lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, |
&lower_out_flags); |
if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { |
@@ -2796,7 +3081,7 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) |
new_flags = how_flags; |
} else { |
*p_out_flags = lower_out_flags; |
- new_flags = lower_new_flags; |
+ new_flags = lower_new_flags; |
} |
} |
@@ -2821,14 +3106,13 @@ ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, |
return sd->methods->sendfile(sd, &sfd, flags, timeout); |
} |
- |
PRBool |
ssl_FdIsBlocking(PRFileDesc *fd) |
{ |
PRSocketOptionData opt; |
- PRStatus status; |
+ PRStatus status; |
- opt.option = PR_SockOpt_Nonblocking; |
+ opt.option = PR_SockOpt_Nonblocking; |
opt.value.non_blocking = PR_FALSE; |
status = PR_GetSocketOption(fd, &opt); |
if (status != PR_SUCCESS) |
@@ -2842,23 +3126,23 @@ ssl_SocketIsBlocking(sslSocket *ss) |
return ssl_FdIsBlocking(ss->fd); |
} |
-PRInt32 sslFirstBufSize = 8 * 1024; |
-PRInt32 sslCopyLimit = 1024; |
+PRInt32 sslFirstBufSize = 8 * 1024; |
+PRInt32 sslCopyLimit = 1024; |
static PRInt32 PR_CALLBACK |
ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
PRIntervalTime timeout) |
{ |
- PRInt32 i; |
- PRInt32 bufLen; |
- PRInt32 left; |
- PRInt32 rv; |
- PRInt32 sent = 0; |
- const PRInt32 first_len = sslFirstBufSize; |
- const PRInt32 limit = sslCopyLimit; |
- PRBool blocking; |
- PRIOVec myIov = { 0, 0 }; |
- char buf[MAX_FRAGMENT_LENGTH]; |
+ PRInt32 i; |
+ PRInt32 bufLen; |
+ PRInt32 left; |
+ PRInt32 rv; |
+ PRInt32 sent = 0; |
+ const PRInt32 first_len = sslFirstBufSize; |
+ const PRInt32 limit = sslCopyLimit; |
+ PRBool blocking; |
+ PRIOVec myIov = { 0, 0 }; |
+ char buf[MAX_FRAGMENT_LENGTH]; |
if (vectors < 0) { |
PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
@@ -2877,28 +3161,37 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
blocking = ssl_FdIsBlocking(fd); |
#define K16 sizeof(buf) |
-#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; } |
-#define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0) |
-#define HANDLE_ERR(rv, len) \ |
- if (rv != len) { \ |
- if (rv < 0) { \ |
- if (!blocking \ |
- && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \ |
- && (sent > 0)) { \ |
- return sent; \ |
- } else { \ |
- return -1; \ |
- } \ |
- } \ |
+#define KILL_VECTORS \ |
+ while (vectors && !iov->iov_len) { \ |
+ ++iov; \ |
+ --vectors; \ |
+ } |
+#define GET_VECTOR \ |
+ do { \ |
+ myIov = *iov++; \ |
+ --vectors; \ |
+ KILL_VECTORS \ |
+ } while (0) |
+#define HANDLE_ERR(rv, len) \ |
+ if (rv != len) { \ |
+ if (rv < 0) { \ |
+ if (!blocking && \ |
+ (PR_GetError() == PR_WOULD_BLOCK_ERROR) && \ |
+ (sent > 0)) { \ |
+ return sent; \ |
+ } else { \ |
+ return -1; \ |
+ } \ |
+ } \ |
/* Only a nonblocking socket can have partial sends */ \ |
- PR_ASSERT(!blocking); \ |
- return sent + rv; \ |
+ PR_ASSERT(!blocking); \ |
+ return sent + rv; \ |
} |
-#define SEND(bfr, len) \ |
- do { \ |
+#define SEND(bfr, len) \ |
+ do { \ |
rv = ssl_Send(fd, bfr, len, 0, timeout); \ |
- HANDLE_ERR(rv, len) \ |
- sent += len; \ |
+ HANDLE_ERR(rv, len) \ |
+ sent += len; \ |
} while (0) |
/* Make sure the first write is at least 8 KB, if possible. */ |
@@ -2918,23 +3211,23 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
GET_VECTOR; |
toCopy = PR_MIN(left, myIov.iov_len); |
PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); |
- bufLen += toCopy; |
- left -= toCopy; |
+ bufLen += toCopy; |
+ left -= toCopy; |
myIov.iov_base += toCopy; |
- myIov.iov_len -= toCopy; |
+ myIov.iov_len -= toCopy; |
} |
- SEND( buf, bufLen ); |
+ SEND(buf, bufLen); |
} |
while (vectors || myIov.iov_len) { |
- PRInt32 addLen; |
+ PRInt32 addLen; |
if (!myIov.iov_len) { |
GET_VECTOR; |
} |
while (myIov.iov_len >= K16) { |
SEND(myIov.iov_base, K16); |
myIov.iov_base += K16; |
- myIov.iov_len -= K16; |
+ myIov.iov_len -= K16; |
} |
if (!myIov.iov_len) |
continue; |
@@ -2944,13 +3237,13 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
} else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { |
/* Addlen is already computed. */; |
} else if (vectors > 1 && |
- iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { |
- addLen = limit - myIov.iov_len; |
+ iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { |
+ addLen = limit - myIov.iov_len; |
} else |
addLen = 0; |
if (!addLen) { |
- SEND( myIov.iov_base, myIov.iov_len ); |
+ SEND(myIov.iov_base, myIov.iov_len); |
myIov.iov_len = 0; |
continue; |
} |
@@ -2960,25 +3253,24 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
GET_VECTOR; |
PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); |
myIov.iov_base += addLen; |
- myIov.iov_len -= addLen; |
- bufLen += addLen; |
- |
- left = PR_MIN( limit, K16 - bufLen); |
- if (!vectors /* no more left */ |
- || myIov.iov_len > 0 /* we didn't use that one all up */ |
- || bufLen >= K16 /* it's full. */ |
- ) { |
+ myIov.iov_len -= addLen; |
+ bufLen += addLen; |
+ |
+ left = PR_MIN(limit, K16 - bufLen); |
+ if (!vectors /* no more left */ |
+ || myIov.iov_len > 0 /* we didn't use that one all up */ |
+ || bufLen >= K16 /* it's full. */) { |
addLen = 0; |
} else if ((addLen = iov->iov_len % K16) <= left) { |
/* Addlen is already computed. */; |
} else if (vectors > 1 && |
- iov[1].iov_len % K16 + addLen <= left + limit) { |
- addLen = left; |
+ iov[1].iov_len % K16 + addLen <= left + limit) { |
+ addLen = left; |
} else |
addLen = 0; |
} while (addLen); |
- SEND( buf, bufLen ); |
+ SEND(buf, bufLen); |
} |
return sent; |
} |
@@ -3015,14 +3307,16 @@ ssl_FSync(PRFileDesc *fd) |
} |
static PRInt32 PR_CALLBACK |
-ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) { |
+ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) |
+{ |
PORT_Assert(0); |
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
return SECFailure; |
} |
static PRInt64 PR_CALLBACK |
-ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) { |
+ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) |
+{ |
PRInt64 res; |
PORT_Assert(0); |
@@ -3067,85 +3361,83 @@ ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, |
static const PRIOMethods ssl_methods = { |
PR_DESC_LAYERED, |
- ssl_Close, /* close */ |
- ssl_Read, /* read */ |
- ssl_Write, /* write */ |
- ssl_Available, /* available */ |
- ssl_Available64, /* available64 */ |
- ssl_FSync, /* fsync */ |
- ssl_Seek, /* seek */ |
- ssl_Seek64, /* seek64 */ |
- ssl_FileInfo, /* fileInfo */ |
- ssl_FileInfo64, /* fileInfo64 */ |
- ssl_WriteV, /* writev */ |
- ssl_Connect, /* connect */ |
- ssl_Accept, /* accept */ |
- ssl_Bind, /* bind */ |
- ssl_Listen, /* listen */ |
- ssl_Shutdown, /* shutdown */ |
- ssl_Recv, /* recv */ |
- ssl_Send, /* send */ |
- ssl_RecvFrom, /* recvfrom */ |
- ssl_SendTo, /* sendto */ |
- ssl_Poll, /* poll */ |
- PR_EmulateAcceptRead, /* acceptread */ |
- ssl_TransmitFile, /* transmitfile */ |
- ssl_GetSockName, /* getsockname */ |
- ssl_GetPeerName, /* getpeername */ |
- NULL, /* getsockopt OBSOLETE */ |
- NULL, /* setsockopt OBSOLETE */ |
- NULL, /* getsocketoption */ |
- NULL, /* setsocketoption */ |
- PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ |
- NULL, /* reserved for future use */ |
- NULL, /* reserved for future use */ |
- NULL, /* reserved for future use */ |
- NULL, /* reserved for future use */ |
- NULL /* reserved for future use */ |
+ ssl_Close, /* close */ |
+ ssl_Read, /* read */ |
+ ssl_Write, /* write */ |
+ ssl_Available, /* available */ |
+ ssl_Available64, /* available64 */ |
+ ssl_FSync, /* fsync */ |
+ ssl_Seek, /* seek */ |
+ ssl_Seek64, /* seek64 */ |
+ ssl_FileInfo, /* fileInfo */ |
+ ssl_FileInfo64, /* fileInfo64 */ |
+ ssl_WriteV, /* writev */ |
+ ssl_Connect, /* connect */ |
+ ssl_Accept, /* accept */ |
+ ssl_Bind, /* bind */ |
+ ssl_Listen, /* listen */ |
+ ssl_Shutdown, /* shutdown */ |
+ ssl_Recv, /* recv */ |
+ ssl_Send, /* send */ |
+ ssl_RecvFrom, /* recvfrom */ |
+ ssl_SendTo, /* sendto */ |
+ ssl_Poll, /* poll */ |
+ PR_EmulateAcceptRead, /* acceptread */ |
+ ssl_TransmitFile, /* transmitfile */ |
+ ssl_GetSockName, /* getsockname */ |
+ ssl_GetPeerName, /* getpeername */ |
+ NULL, /* getsockopt OBSOLETE */ |
+ NULL, /* setsockopt OBSOLETE */ |
+ NULL, /* getsocketoption */ |
+ NULL, /* setsocketoption */ |
+ PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ |
+ NULL, /* reserved for future use */ |
+ NULL, /* reserved for future use */ |
+ NULL, /* reserved for future use */ |
+ NULL, /* reserved for future use */ |
+ NULL /* reserved for future use */ |
}; |
- |
static PRIOMethods combined_methods; |
static void |
ssl_SetupIOMethods(void) |
{ |
- PRIOMethods *new_methods = &combined_methods; |
+ PRIOMethods *new_methods = &combined_methods; |
const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); |
- const PRIOMethods *my_methods = &ssl_methods; |
+ const PRIOMethods *my_methods = &ssl_methods; |
*new_methods = *nspr_methods; |
- new_methods->file_type = my_methods->file_type; |
- new_methods->close = my_methods->close; |
- new_methods->read = my_methods->read; |
- new_methods->write = my_methods->write; |
- new_methods->available = my_methods->available; |
- new_methods->available64 = my_methods->available64; |
- new_methods->fsync = my_methods->fsync; |
- new_methods->seek = my_methods->seek; |
- new_methods->seek64 = my_methods->seek64; |
- new_methods->fileInfo = my_methods->fileInfo; |
- new_methods->fileInfo64 = my_methods->fileInfo64; |
- new_methods->writev = my_methods->writev; |
- new_methods->connect = my_methods->connect; |
- new_methods->accept = my_methods->accept; |
- new_methods->bind = my_methods->bind; |
- new_methods->listen = my_methods->listen; |
- new_methods->shutdown = my_methods->shutdown; |
- new_methods->recv = my_methods->recv; |
- new_methods->send = my_methods->send; |
- new_methods->recvfrom = my_methods->recvfrom; |
- new_methods->sendto = my_methods->sendto; |
- new_methods->poll = my_methods->poll; |
- new_methods->acceptread = my_methods->acceptread; |
- new_methods->transmitfile = my_methods->transmitfile; |
- new_methods->getsockname = my_methods->getsockname; |
- new_methods->getpeername = my_methods->getpeername; |
-/* new_methods->getsocketoption = my_methods->getsocketoption; */ |
-/* new_methods->setsocketoption = my_methods->setsocketoption; */ |
- new_methods->sendfile = my_methods->sendfile; |
- |
+ new_methods->file_type = my_methods->file_type; |
+ new_methods->close = my_methods->close; |
+ new_methods->read = my_methods->read; |
+ new_methods->write = my_methods->write; |
+ new_methods->available = my_methods->available; |
+ new_methods->available64 = my_methods->available64; |
+ new_methods->fsync = my_methods->fsync; |
+ new_methods->seek = my_methods->seek; |
+ new_methods->seek64 = my_methods->seek64; |
+ new_methods->fileInfo = my_methods->fileInfo; |
+ new_methods->fileInfo64 = my_methods->fileInfo64; |
+ new_methods->writev = my_methods->writev; |
+ new_methods->connect = my_methods->connect; |
+ new_methods->accept = my_methods->accept; |
+ new_methods->bind = my_methods->bind; |
+ new_methods->listen = my_methods->listen; |
+ new_methods->shutdown = my_methods->shutdown; |
+ new_methods->recv = my_methods->recv; |
+ new_methods->send = my_methods->send; |
+ new_methods->recvfrom = my_methods->recvfrom; |
+ new_methods->sendto = my_methods->sendto; |
+ new_methods->poll = my_methods->poll; |
+ new_methods->acceptread = my_methods->acceptread; |
+ new_methods->transmitfile = my_methods->transmitfile; |
+ new_methods->getsockname = my_methods->getsockname; |
+ new_methods->getpeername = my_methods->getpeername; |
+ /* new_methods->getsocketoption = my_methods->getsocketoption; */ |
+ /* new_methods->setsocketoption = my_methods->setsocketoption; */ |
+ new_methods->sendfile = my_methods->sendfile; |
} |
static PRCallOnceType initIoLayerOnce; |
@@ -3162,8 +3454,8 @@ ssl_InitIOLayer(void) |
static PRStatus |
ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) |
{ |
- PRFileDesc *layer = NULL; |
- PRStatus status; |
+ PRFileDesc *layer = NULL; |
+ PRStatus status; |
if (!ssl_inited) { |
status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); |
@@ -3211,24 +3503,24 @@ ssl_MakeLocks(sslSocket *ss) |
ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); |
if (!ss->firstHandshakeLock) |
goto loser; |
- ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); |
+ ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); |
if (!ss->ssl3HandshakeLock) |
goto loser; |
- ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); |
+ ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); |
if (!ss->specLock) |
goto loser; |
- ss->recvBufLock = PZ_NewMonitor(nssILockSSL); |
+ ss->recvBufLock = PZ_NewMonitor(nssILockSSL); |
if (!ss->recvBufLock) |
goto loser; |
- ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); |
+ ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); |
if (!ss->xmitBufLock) |
goto loser; |
- ss->writerThread = NULL; |
+ ss->writerThread = NULL; |
if (ssl_lock_readers) { |
- ss->recvLock = PZ_NewLock(nssILockSSL); |
+ ss->recvLock = PZ_NewLock(nssILockSSL); |
if (!ss->recvLock) |
goto loser; |
- ss->sendLock = PZ_NewLock(nssILockSSL); |
+ ss->sendLock = PZ_NewLock(nssILockSSL); |
if (!ss->sendLock) |
goto loser; |
} |
@@ -3242,19 +3534,19 @@ loser: |
#define NSS_HAVE_GETENV 1 |
#endif |
-#define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ |
+#define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ |
static void |
ssl_SetDefaultsFromEnvironment(void) |
{ |
-#if defined( NSS_HAVE_GETENV ) |
+#if defined(NSS_HAVE_GETENV) |
static int firsttime = 1; |
if (firsttime) { |
- char * ev; |
+ char *ev; |
firsttime = 0; |
#ifdef DEBUG |
- ev = getenv("SSLDEBUGFILE"); |
+ ev = PR_GetEnvSecure("SSLDEBUGFILE"); |
if (ev && ev[0]) { |
ssl_trace_iob = fopen(ev, "w"); |
} |
@@ -3262,19 +3554,19 @@ ssl_SetDefaultsFromEnvironment(void) |
ssl_trace_iob = stderr; |
} |
#ifdef TRACE |
- ev = getenv("SSLTRACE"); |
+ ev = PR_GetEnvSecure("SSLTRACE"); |
if (ev && ev[0]) { |
ssl_trace = atoi(ev); |
SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); |
} |
#endif /* TRACE */ |
- ev = getenv("SSLDEBUG"); |
+ ev = PR_GetEnvSecure("SSLDEBUG"); |
if (ev && ev[0]) { |
ssl_debug = atoi(ev); |
SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); |
} |
#endif /* DEBUG */ |
- ev = getenv("SSLKEYLOGFILE"); |
+ ev = PR_GetEnvSecure("SSLKEYLOGFILE"); |
if (ev && ev[0]) { |
ssl_keylog_iob = fopen(ev, "a"); |
if (!ssl_keylog_iob) { |
@@ -3288,21 +3580,21 @@ ssl_SetDefaultsFromEnvironment(void) |
} |
} |
#ifndef NO_PKCS11_BYPASS |
- ev = getenv("SSLBYPASS"); |
+ ev = PR_GetEnvSecure("SSLBYPASS"); |
if (ev && ev[0]) { |
ssl_defaults.bypassPKCS11 = (ev[0] == '1'); |
- SSL_TRACE(("SSL: bypass default set to %d", \ |
- ssl_defaults.bypassPKCS11)); |
+ SSL_TRACE(("SSL: bypass default set to %d", |
+ ssl_defaults.bypassPKCS11)); |
} |
#endif /* NO_PKCS11_BYPASS */ |
- ev = getenv("SSLFORCELOCKS"); |
+ ev = PR_GetEnvSecure("SSLFORCELOCKS"); |
if (ev && ev[0] == '1') { |
ssl_force_locks = PR_TRUE; |
ssl_defaults.noLocks = 0; |
strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); |
SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); |
} |
- ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION"); |
+ ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION"); |
if (ev) { |
if (ev[0] == '1' || LOWER(ev[0]) == 'u') |
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; |
@@ -3315,13 +3607,13 @@ ssl_SetDefaultsFromEnvironment(void) |
SSL_TRACE(("SSL: enableRenegotiation set to %d", |
ssl_defaults.enableRenegotiation)); |
} |
- ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); |
+ ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); |
if (ev && ev[0] == '1') { |
ssl_defaults.requireSafeNegotiation = PR_TRUE; |
SSL_TRACE(("SSL: requireSafeNegotiation set to %d", |
- PR_TRUE)); |
+ PR_TRUE)); |
} |
- ev = getenv("NSS_SSL_CBC_RANDOM_IV"); |
+ ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV"); |
if (ev && ev[0] == '0') { |
ssl_defaults.cbcRandomIV = PR_FALSE; |
SSL_TRACE(("SSL: cbcRandomIV set to 0")); |
@@ -3344,7 +3636,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
makeLocks = PR_TRUE; |
/* Make a new socket and get it ready */ |
- ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); |
+ ss = (sslSocket *)PORT_ZAlloc(sizeof(sslSocket)); |
if (ss) { |
/* This should be of type SSLKEAType, but CC on IRIX |
* complains during the for loop. |
@@ -3352,58 +3644,55 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
int i; |
SECStatus status; |
- ss->opt = ssl_defaults; |
- ss->opt.useSocks = PR_FALSE; |
- ss->opt.noLocks = !makeLocks; |
- ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); |
- ss->protocolVariant = protocolVariant; |
- |
- ss->peerID = NULL; |
- ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
- ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
- ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
- ss->cipherSpecs = NULL; |
- ss->sizeCipherSpecs = 0; /* produced lazily */ |
- ss->preferredCipher = NULL; |
- ss->url = NULL; |
- |
- for (i=kt_null; i < kt_kea_size; i++) { |
- sslServerCerts * sc = ss->serverCerts + i; |
- sc->serverCert = NULL; |
+ ss->opt = ssl_defaults; |
+ ss->opt.useSocks = PR_FALSE; |
+ ss->opt.noLocks = !makeLocks; |
+ ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); |
+ ss->protocolVariant = protocolVariant; |
+ |
+ ss->peerID = NULL; |
+ ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
+ ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
+ ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
+ ss->cipherSpecs = NULL; |
+ ss->sizeCipherSpecs = 0; /* produced lazily */ |
+ ss->preferredCipher = NULL; |
+ ss->url = NULL; |
+ |
+ for (i = kt_null; i < kt_kea_size; i++) { |
+ sslServerCerts *sc = ss->serverCerts + i; |
+ sc->serverCert = NULL; |
sc->serverCertChain = NULL; |
- sc->serverKeyPair = NULL; |
- sc->serverKeyBits = 0; |
+ sc->serverKeyPair = NULL; |
+ sc->serverKeyBits = 0; |
ss->certStatusArray[i] = NULL; |
} |
ss->requestedCertTypes = NULL; |
- ss->stepDownKeyPair = NULL; |
+ ss->stepDownKeyPair = NULL; |
ss->dheParams = NULL; |
ss->dheKeyPair = NULL; |
- ss->dbHandle = CERT_GetDefaultCertDB(); |
+ ss->dbHandle = CERT_GetDefaultCertDB(); |
/* Provide default implementation of hooks */ |
- ss->authCertificate = SSL_AuthCertificate; |
+ ss->authCertificate = SSL_AuthCertificate; |
ss->authCertificateArg = (void *)ss->dbHandle; |
- ss->sniSocketConfig = NULL; |
+ ss->sniSocketConfig = NULL; |
ss->sniSocketConfigArg = NULL; |
- ss->getClientAuthData = NULL; |
-#ifdef NSS_PLATFORM_CLIENT_AUTH |
- ss->getPlatformClientAuthData = NULL; |
- ss->getPlatformClientAuthDataArg = NULL; |
-#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
- ss->handleBadCert = NULL; |
- ss->badCertArg = NULL; |
- ss->pkcs11PinArg = NULL; |
+ ss->getClientAuthData = NULL; |
+ ss->handleBadCert = NULL; |
+ ss->badCertArg = NULL; |
+ ss->pkcs11PinArg = NULL; |
ss->ephemeralECDHKeyPair = NULL; |
- ss->getChannelID = NULL; |
- ss->getChannelIDArg = NULL; |
+ ss->getChannelID = NULL; |
+ ss->getChannelIDArg = NULL; |
ssl_ChooseOps(ss); |
ssl2_InitSocketPolicy(ss); |
ssl3_InitSocketPolicy(ss); |
PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); |
+ PR_INIT_CLIST(&ss->ssl3.hs.remoteKeyShares); |
if (makeLocks) { |
status = ssl_MakeLocks(ss); |
@@ -3415,7 +3704,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
goto loser; |
status = ssl_InitGather(&ss->gs); |
if (status != SECSuccess) { |
-loser: |
+ loser: |
ssl_DestroySocketContents(ss); |
ssl_DestroyLocks(ss); |
PORT_Free(ss); |