OLD | NEW |
(Empty) | |
| 1 diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
| 2 index 7194257..b9b1e12 100644 |
| 3 --- a/nss/lib/ssl/ssl.h |
| 4 +++ b/nss/lib/ssl/ssl.h |
| 5 @@ -239,7 +239,6 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd, |
| 6 ** is enabled, otherwise it is disabled. |
| 7 ** The "cipher" values are defined in sslproto.h (the SSL_EN_* values). |
| 8 ** EnableCipher records user preferences. |
| 9 -** SetPolicy sets the policy according to the policy module. |
| 10 */ |
| 11 #ifdef SSL_DEPRECATED_FUNCTION |
| 12 /* Old deprecated function names */ |
| 13 @@ -252,6 +251,9 @@ SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt
32 cipher, PRBool en |
| 14 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *
enabled); |
| 15 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); |
| 16 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); |
| 17 + |
| 18 +/* Policy functions are deprecated and no longer have any effect. They exist in |
| 19 + * order to maintain ABI compatibility. */ |
| 20 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); |
| 21 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); |
| 22 |
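Review bot: The new deprecation comment on `SSL_CipherPolicySet` and `SSL_CipherPolicyGet` does not tell callers what to use instead or what the stubs return. An application that called `SSL_CipherPolicySet(cipher, SSL_NOT_ALLOWED)` to keep a suite out of negotiation will still compile and link, and if the stub still reports success (its body is not in this section) it will not notice that the restriction is gone. I would extend the comment with `Use SSL_CipherPrefSet or SSL_CipherPrefSetDefault to disable a cipher suite; the policy setters no longer restrict negotiation.` and also state what `SSL_CipherPolicyGet` stores in `*policy`.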
| 23 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| 24 index 27d4be9..b7ef492 100644 |
| 25 --- a/nss/lib/ssl/ssl3con.c |
| 26 +++ b/nss/lib/ssl/ssl3con.c |
| 27 @@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *outpu
t, int *outputLen, |
| 28 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
| 29 */ |
| 30 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
| 31 - /* cipher_suite policy enabled is_present*
/ |
| 32 + /* cipher_suite enabled is_present*/ |
| 33 #ifdef NSS_ENABLE_ECC |
| 34 - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 35 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 36 + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 37 + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 38 #endif /* NSS_ENABLE_ECC */ |
| 39 - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 40 - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 41 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 42 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 43 - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 44 + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 45 + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 46 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 47 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 48 + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 49 #ifdef NSS_ENABLE_ECC |
| 50 - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 51 - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 52 + { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 53 + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 54 #endif /* NSS_ENABLE_ECC */ |
| 55 - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_
FALSE}, |
| 56 - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 57 - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 58 + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 59 + { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 60 + { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 61 |
| 62 #ifdef NSS_ENABLE_ECC |
| 63 - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 64 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 65 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 66 - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 67 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 68 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 69 + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 70 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 71 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
| 72 + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 73 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 74 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
| 75 #endif /* NSS_ENABLE_ECC */ |
| 76 - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 77 - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 78 - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 79 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 80 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 81 - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 82 + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 83 + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 84 + { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 85 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 86 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 87 + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 88 #ifdef NSS_ENABLE_ECC |
| 89 - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 90 - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 91 - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 92 - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 93 + { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 94 + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 95 + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 96 + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 97 #endif /* NSS_ENABLE_ECC */ |
| 98 - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| 99 - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_
FALSE}, |
| 100 - { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 101 - { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 102 - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 103 - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 104 + { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 105 + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 106 + { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE}, |
| 107 + { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE}, |
| 108 + { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 109 + { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 110 |
| 111 #ifdef NSS_ENABLE_ECC |
| 112 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 113 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 114 + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 115 + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 116 #endif /* NSS_ENABLE_ECC */ |
| 117 - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 118 - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 119 + { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 120 + { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 121 #ifdef NSS_ENABLE_ECC |
| 122 - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 123 - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 124 + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 125 + { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 126 #endif /* NSS_ENABLE_ECC */ |
| 127 - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 128 - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 129 + { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 130 + { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 131 |
| 132 |
| 133 - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 134 - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 135 - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 136 - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 137 - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 138 - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 139 + { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 140 + { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 141 + { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 142 + { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 143 + { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE}, |
| 144 + { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 145 |
| 146 - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 147 - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 148 + { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE}, |
| 149 + { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE}, |
| 150 |
| 151 #ifdef NSS_ENABLE_ECC |
| 152 - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 153 - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 154 - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 155 - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 156 + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 157 + { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 158 + { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 159 + { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 160 #endif /* NSS_ENABLE_ECC */ |
| 161 - { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 162 - { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 163 - { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 164 - |
| 165 + { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 166 + { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE}, |
| 167 + { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE}, |
| 168 }; |
| 169 |
| 170 /* This list of SSL3 compression methods is sorted in descending order of |
| 171 @@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3Cipher
SuiteCfg *suites) |
| 172 } |
| 173 |
| 174 |
| 175 -/* Initialize the suite->isPresent value for config_match |
| 176 +/* Initialize the suite->isPresent value for cipher_suite_available. |
| 177 * Returns count of enabled ciphers supported by extant tokens, |
| 178 - * regardless of policy or user preference. |
| 179 + * regardless of user preference. |
| 180 * If this returns zero, the user cannot do SSL v3. |
| 181 */ |
| 182 int |
| 183 -ssl3_config_match_init(sslSocket *ss) |
| 184 +ssl3_cipher_suites_test_presence(sslSocket *ss) |
| 185 { |
| 186 ssl3CipherSuiteCfg * suite; |
| 187 const ssl3CipherSuiteDef *cipher_def; |
| 188 @@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss) |
| 189 } |
| 190 |
| 191 |
| 192 -/* return PR_TRUE if suite matches policy and enabled state */ |
| 193 -/* It would be a REALLY BAD THING (tm) if we ever permitted the use |
| 194 -** of a cipher that was NOT_ALLOWED. So, if this is ever called with |
| 195 -** policy == SSL_NOT_ALLOWED, report no match. |
| 196 -*/ |
| 197 -/* adjust suite enabled to the availability of a token that can do the |
| 198 - * cipher suite. */ |
| 199 +/* return PR_TRUE if the given cipher suite is enabled and present. */ |
| 200 static PRBool |
| 201 -config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) |
| 202 +cipher_suite_available(ssl3CipherSuiteCfg *suite) |
| 203 { |
| 204 - PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
| 205 - if (policy == SSL_NOT_ALLOWED || !enabled) |
| 206 - return PR_FALSE; |
| 207 - return (PRBool)(suite->enabled && |
| 208 - suite->isPresent && |
| 209 - suite->policy != SSL_NOT_ALLOWED && |
| 210 - suite->policy <= policy); |
| 211 + return (PRBool)(suite->enabled && suite->isPresent); |
| 212 } |
| 213 |
| 214 -/* return number of cipher suites that match policy and enabled state */ |
| 215 -/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 216 +/* return number of cipher suites that are enabled and present. |
| 217 + * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 218 static int |
| 219 -count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
| 220 +count_cipher_suites(sslSocket *ss) |
| 221 { |
| 222 int i, count = 0; |
| 223 |
| 224 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 225 - return 0; |
| 226 + return 0; |
| 227 } |
| 228 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 229 - if (config_match(&ss->cipherSuites[i], policy, enabled)) |
| 230 + if (cipher_suite_available(&ss->cipherSuites[i])) |
| 231 count++; |
| 232 } |
| 233 if (count <= 0) { |
| 234 @@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 235 |
| 236 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
| 237 sid->u.ssl3.sessionIDLength)); |
| 238 - |
| 239 - ss->ssl3.policy = sid->u.ssl3.policy; |
| 240 } else { |
| 241 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); |
| 242 |
| 243 @@ -4789,10 +4774,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 244 return SECFailure; |
| 245 } |
| 246 |
| 247 - /* how many suites does our PKCS11 support (regardless of policy)? */ |
| 248 - num_suites = ssl3_config_match_init(ss); |
| 249 + /* how many suites does our PKCS11 support? */ |
| 250 + num_suites = ssl3_cipher_suites_test_presence(ss); |
| 251 if (!num_suites) |
| 252 - return SECFailure; /* ssl3_config_match_init has set error code. */ |
| 253 + return SECFailure; /* ssl3_cipher_suites_test_presence has set erro
r code. */ |
| 254 |
| 255 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, |
| 256 * only if TLS is disabled. |
| 257 @@ -4830,8 +4815,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 258 ssl3_DisableNonDTLSSuites(ss); |
| 259 } |
| 260 |
| 261 - /* how many suites are permitted by policy and user preference? */ |
| 262 - num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
| 263 + /* how many suites are permitted by user preference? */ |
| 264 + num_suites = count_cipher_suites(ss); |
| 265 if (!num_suites) |
| 266 return SECFailure; /* count_cipher_suites has set error code. */ |
| 267 if (ss->ssl3.hs.sendingSCSV) { |
| 268 @@ -4921,7 +4906,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 269 } |
| 270 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 271 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 272 - if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
| 273 + if (cipher_suite_available(suite)) { |
| 274 actual_count++; |
| 275 if (actual_count > num_suites) { |
| 276 /* set error card removal/insertion error */ |
| 277 @@ -5978,11 +5963,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRU
int32 length) |
| 278 if (temp < 0) { |
| 279 goto loser; /* alert has been sent */ |
| 280 } |
| 281 - ssl3_config_match_init(ss); |
| 282 + ssl3_cipher_suites_test_presence(ss); |
| 283 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 284 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 285 if (temp == suite->cipher_suite) { |
| 286 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
| 287 + if (!cipher_suite_available(suite)) { |
| 288 break; /* failure */ |
| 289 } |
| 290 if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 291 @@ -7155,7 +7140,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server) |
| 292 sid->version = ss->version; |
| 293 |
| 294 sid->u.ssl3.keys.resumable = PR_TRUE; |
| 295 - sid->u.ssl3.policy = SSL_ALLOWED; |
| 296 sid->u.ssl3.clientWriteKey = NULL; |
| 297 sid->u.ssl3.serverWriteKey = NULL; |
| 298 |
| 299 @@ -7537,7 +7521,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 300 |
| 301 #ifdef PARANOID |
| 302 /* Look for a matching cipher suite. */ |
| 303 - j = ssl3_config_match_init(ss); |
| 304 + j = ssl3_cipher_suites_test_presence(ss); |
| 305 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
| 306 errCode = PORT_GetError(); /* error code is already set. */ |
| 307 goto alert_loser; |
| 308 @@ -7573,12 +7557,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRU
int32 length) |
| 309 if (j <= 0) |
| 310 break; |
| 311 #ifdef PARANOID |
| 312 - /* Double check that the cached cipher suite is still enabled, |
| 313 - * implemented, and allowed by policy. Might have been disabled. |
| 314 - * The product policy won't change during the process lifetime. |
| 315 + /* Double check that the cached cipher suite is still enabled, and |
| 316 + * implemented. Might have been disabled. |
| 317 * Implemented ("isPresent") shouldn't change for servers. |
| 318 */ |
| 319 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) |
| 320 + if (!cipher_suite_available(suite)) |
| 321 break; |
| 322 #else |
| 323 if (!suite->enabled) |
| 324 @@ -7603,7 +7586,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 325 |
| 326 #ifndef PARANOID |
| 327 /* Look for a matching cipher suite. */ |
| 328 - j = ssl3_config_match_init(ss); |
| 329 + j = ssl3_cipher_suites_test_presence(ss); |
| 330 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
| 331 errCode = PORT_GetError(); /* error code is already set. */ |
| 332 goto alert_loser; |
| 333 @@ -7626,7 +7609,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 334 */ |
| 335 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 336 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 337 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
| 338 + if (!cipher_suite_available(suite) || |
| 339 !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 340 ss->version)) { |
| 341 continue; |
| 342 @@ -7949,7 +7932,7 @@ compression_found: |
| 343 ret = SSL_SNI_SEND_ALERT; |
| 344 break; |
| 345 } |
| 346 - configedCiphers = ssl3_config_match_init(ss); |
| 347 + configedCiphers = ssl3_cipher_suites_test_presence(ss); |
| 348 if (configedCiphers <= 0) { |
| 349 /* no ciphers are working/supported */ |
| 350 errCode = PORT_GetError(); |
| 351 @@ -8146,7 +8129,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buf
fer, int length) |
| 352 /* Disable any ECC cipher suites for which we have no cert. */ |
| 353 ssl3_FilterECCipherSuitesByServerCerts(ss); |
| 354 #endif |
| 355 - i = ssl3_config_match_init(ss); |
| 356 + i = ssl3_cipher_suites_test_presence(ss); |
| 357 if (i <= 0) { |
| 358 errCode = PORT_GetError(); /* error code is already set. */ |
| 359 goto alert_loser; |
| 360 @@ -8161,7 +8144,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buf
fer, int length) |
| 361 */ |
| 362 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 363 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 364 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
| 365 + if (!cipher_suite_available(suite) || |
| 366 !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 367 ss->version)) { |
| 368 continue; |
| 369 @@ -10456,7 +10439,6 @@ xmit_loser: |
| 370 /* fill in the sid */ |
| 371 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; |
| 372 sid->u.ssl3.compression = ss->ssl3.hs.compression; |
| 373 - sid->u.ssl3.policy = ss->ssl3.policy; |
| 374 #ifdef NSS_ENABLE_ECC |
| 375 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; |
| 376 #endif |
| 377 @@ -11533,8 +11515,6 @@ ssl3_InitState(sslSocket *ss) |
| 378 if (ss->ssl3.initialized) |
| 379 return SECSuccess; /* Function should be idempotent */ |
| 380 |
| 381 - ss->ssl3.policy = SSL_ALLOWED; |
| 382 - |
| 383 ssl_GetSpecWriteLock(ss); |
| 384 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; |
| 385 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; |
| 386 @@ -11644,40 +11624,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss) |
| 387 } |
| 388 |
| 389 |
| 390 -/* record the export policy for this cipher suite */ |
| 391 -SECStatus |
| 392 -ssl3_SetPolicy(ssl3CipherSuite which, int policy) |
| 393 -{ |
| 394 - ssl3CipherSuiteCfg *suite; |
| 395 - |
| 396 - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
| 397 - if (suite == NULL) { |
| 398 - return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ |
| 399 - } |
| 400 - suite->policy = policy; |
| 401 - |
| 402 - return SECSuccess; |
| 403 -} |
| 404 - |
| 405 -SECStatus |
| 406 -ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy) |
| 407 -{ |
| 408 - ssl3CipherSuiteCfg *suite; |
| 409 - PRInt32 policy; |
| 410 - SECStatus rv; |
| 411 - |
| 412 - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
| 413 - if (suite) { |
| 414 - policy = suite->policy; |
| 415 - rv = SECSuccess; |
| 416 - } else { |
| 417 - policy = SSL_NOT_ALLOWED; |
| 418 - rv = SECFailure; /* err code was set by Lookup. */ |
| 419 - } |
| 420 - *oPolicy = policy; |
| 421 - return rv; |
| 422 -} |
| 423 - |
| 424 /* record the user preference for this suite */ |
| 425 SECStatus |
| 426 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) |
| 427 @@ -11744,9 +11690,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which,
PRBool *enabled) |
| 428 return rv; |
| 429 } |
| 430 |
| 431 -/* copy global default policy into socket. */ |
| 432 +/* copy global default ciphersuite preferences into socket. */ |
| 433 void |
| 434 -ssl3_InitSocketPolicy(sslSocket *ss) |
| 435 +ssl3_InitSocketCipherSuites(sslSocket *ss) |
| 436 { |
| 437 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); |
| 438 } |
| 439 @@ -11813,8 +11759,8 @@ loser: |
| 440 return rv; |
| 441 } |
| 442 |
| 443 -/* ssl3_config_match_init must have already been called by |
| 444 - * the caller of this function. |
| 445 +/* ssl3_cipher_suites_test_presence must have already been called by the caller |
| 446 + * of this function. |
| 447 */ |
| 448 SECStatus |
| 449 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
| 450 @@ -11831,14 +11777,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigne
d char *cs, int *size) |
| 451 return SECSuccess; |
| 452 } |
| 453 if (cs == NULL) { |
| 454 - *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
| 455 + *size = count_cipher_suites(ss); |
| 456 return SECSuccess; |
| 457 } |
| 458 |
| 459 - /* ssl3_config_match_init was called by the caller of this function. */ |
| 460 + /* ssl3_cipher_suites_test_presence was called by the caller of this |
| 461 + * function. */ |
| 462 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 463 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 464 - if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { |
| 465 + if (cipher_suite_available(suite)) { |
| 466 if (cs != NULL) { |
| 467 *cs++ = 0x00; |
| 468 *cs++ = (suite->cipher_suite >> 8) & 0xFF; |
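Review bot: `cipher_suite_available` is now the only gate on which suites are offered and accepted in the hello handlers, yet its one-line comment does not say that policy is no longer consulted. The old `config_match` failed closed on `SSL_NOT_ALLOWED`, and every row of the old `cipherSuites[]` defaulted to that value. After this change the `enabled` column decides alone, and it is `PR_TRUE` for `SSL_RSA_WITH_RC4_128_SHA`, `SSL_RSA_WITH_RC4_128_MD5` and three of the 3DES suites. I would make the comment explicit, for example `/* Policy is no longer consulted: the enabled bit (SSL_CipherPref*) and isPresent are the only checks. */`, so embedders know they must narrow the set through preferences. The parameter could also be `const ssl3CipherSuiteCfg *suite`, since the function only reads it.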
| 469 diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c |
| 470 index 74995f1..19a6a58 100644 |
| 471 --- a/nss/lib/ssl/ssl3ecc.c |
| 472 +++ b/nss/lib/ssl/ssl3ecc.c |
| 473 @@ -1017,7 +1017,7 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss) |
| 474 } |
| 475 |
| 476 /* Ask: is ANY ECC cipher suite enabled on this socket? */ |
| 477 -/* Order(N^2). Yuk. Also, this ignores export policy. */ |
| 478 +/* Order(N^2). Yuk. */ |
| 479 PRBool |
| 480 ssl3_IsECCEnabled(sslSocket * ss) |
| 481 { |
| 482 diff --git a/nss/lib/ssl/sslcon.c b/nss/lib/ssl/sslcon.c |
| 483 index 2fc6602..581a28c 100644 |
| 484 --- a/nss/lib/ssl/sslcon.c |
| 485 +++ b/nss/lib/ssl/sslcon.c |
| 486 @@ -20,9 +20,6 @@ |
| 487 #include "prinit.h" |
| 488 #include "prtime.h" /* for PR_Now() */ |
| 489 |
| 490 -#define XXX |
| 491 -static PRBool policyWasSet; |
| 492 - |
| 493 /* This ordered list is indexed by (SSL_CK_xx * 3) */ |
| 494 /* Second and third bytes are MSB and LSB of master key length. */ |
| 495 static const PRUint8 allCipherSuites[] = { |
| 496 @@ -118,8 +115,6 @@ const char * const ssl_cipherName[] = { |
| 497 /* bit-masks, showing which SSLv2 suites are allowed. |
| 498 * lsb corresponds to first cipher suite in allCipherSuites[]. |
| 499 */ |
| 500 -static PRUint16 allowedByPolicy; /* all off by default */ |
| 501 -static PRUint16 maybeAllowedByPolicy; /* all off by default */ |
| 502 static PRUint16 chosenPreference = 0xff; /* all on by default */ |
| 503 |
| 504 /* bit values for the above two bit masks */ |
| 505 @@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 506 count = 0; |
| 507 PORT_Assert(ss != 0); |
| 508 allowed = !ss->opt.enableSSL2 ? 0 : |
| 509 - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 510 + (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 511 while (allowed) { |
| 512 if (allowed & 1) |
| 513 ++count; |
| 514 allowed >>= 1; |
| 515 } |
| 516 |
| 517 - /* Call ssl3_config_match_init() once here, |
| 518 + /* Call ssl3_cipher_suites_test_presence() once here, |
| 519 * instead of inside ssl3_ConstructV2CipherSpecsHack(), |
| 520 * because the latter gets called twice below, |
| 521 * and then again in ssl2_BeginClientHandshake(). |
| 522 */ |
| 523 - ssl3_config_match_init(ss); |
| 524 + ssl3_cipher_suites_test_presence(ss); |
| 525 |
| 526 /* ask SSL3 how many cipher suites it has. */ |
| 527 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count); |
| 528 @@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 529 |
| 530 /* fill in cipher specs for SSL2 cipher suites */ |
| 531 allowed = !ss->opt.enableSSL2 ? 0 : |
| 532 - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 533 + (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 534 for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) { |
| 535 const PRUint8 * hs = implementedCipherSuites + i; |
| 536 int ok = allowed & (1U << hs[0]); |
| 537 @@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 538 static SECStatus |
| 539 ssl2_CheckConfigSanity(sslSocket *ss) |
| 540 { |
| 541 - unsigned int allowed; |
| 542 int ssl3CipherCount = 0; |
| 543 SECStatus rv; |
| 544 |
| 545 @@ -235,11 +229,10 @@ ssl2_CheckConfigSanity(sslSocket *ss) |
| 546 if (!ss->cipherSpecs) |
| 547 goto disabled; |
| 548 |
| 549 - allowed = ss->allowedByPolicy & ss->chosenPreference; |
| 550 - if (! allowed) |
| 551 + if (!ss->chosenPreference) |
| 552 ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */ |
| 553 |
| 554 - /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */ |
| 555 + /* ssl3_cipher_suites_test_presence was called in ssl2_ConstructCipherSpecs
(). */ |
| 556 /* Ask how many ssl3 CipherSuites were enabled. */ |
| 557 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount); |
| 558 if (rv != SECSuccess || ssl3CipherCount <= 0) { |
| 559 @@ -261,67 +254,6 @@ disabled: |
| 560 /* |
| 561 * Since this is a global (not per-socket) setting, we cannot use the |
| 562 * HandshakeLock to protect this. Probably want a global lock. |
| 563 - */ |
| 564 -SECStatus |
| 565 -ssl2_SetPolicy(PRInt32 which, PRInt32 policy) |
| 566 -{ |
| 567 - PRUint32 bitMask; |
| 568 - SECStatus rv = SECSuccess; |
| 569 - |
| 570 - which &= 0x000f; |
| 571 - bitMask = 1 << which; |
| 572 - |
| 573 - if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
| 574 - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
| 575 - return SECFailure; |
| 576 - } |
| 577 - |
| 578 - if (policy == SSL_ALLOWED) { |
| 579 - allowedByPolicy |= bitMask; |
| 580 - maybeAllowedByPolicy |= bitMask; |
| 581 - } else if (policy == SSL_RESTRICTED) { |
| 582 - allowedByPolicy &= ~bitMask; |
| 583 - maybeAllowedByPolicy |= bitMask; |
| 584 - } else { |
| 585 - allowedByPolicy &= ~bitMask; |
| 586 - maybeAllowedByPolicy &= ~bitMask; |
| 587 - } |
| 588 - allowedByPolicy &= SSL_CB_IMPLEMENTED; |
| 589 - maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED; |
| 590 - |
| 591 - policyWasSet = PR_TRUE; |
| 592 - return rv; |
| 593 -} |
| 594 - |
| 595 -SECStatus |
| 596 -ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy) |
| 597 -{ |
| 598 - PRUint32 bitMask; |
| 599 - PRInt32 policy; |
| 600 - |
| 601 - which &= 0x000f; |
| 602 - bitMask = 1 << which; |
| 603 - |
| 604 - /* Caller assures oPolicy is not null. */ |
| 605 - if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
| 606 - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
| 607 - *oPolicy = SSL_NOT_ALLOWED; |
| 608 - return SECFailure; |
| 609 - } |
| 610 - |
| 611 - if (maybeAllowedByPolicy & bitMask) { |
| 612 - policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED; |
| 613 - } else { |
| 614 - policy = SSL_NOT_ALLOWED; |
| 615 - } |
| 616 - |
| 617 - *oPolicy = policy; |
| 618 - return SECSuccess; |
| 619 -} |
| 620 - |
| 621 -/* |
| 622 - * Since this is a global (not per-socket) setting, we cannot use the |
| 623 - * HandshakeLock to protect this. Probably want a global lock. |
| 624 * Called from SSL_CipherPrefSetDefault in sslsock.c |
| 625 * These changes have no effect on any sslSockets already created. |
| 626 */ |
| 627 @@ -410,12 +342,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *e
nabled) |
| 628 } |
| 629 |
| 630 |
| 631 -/* copy global default policy into socket. */ |
| 632 +/* copy global default cipher suite preferences into socket. */ |
| 633 void |
| 634 -ssl2_InitSocketPolicy(sslSocket *ss) |
| 635 +ssl2_InitSocketCipherSuites(sslSocket *ss) |
| 636 { |
| 637 - ss->allowedByPolicy = allowedByPolicy; |
| 638 - ss->maybeAllowedByPolicy = maybeAllowedByPolicy; |
| 639 ss->chosenPreference = chosenPreference; |
| 640 } |
| 641 |
| 642 @@ -1556,7 +1486,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, u
nsigned int keyBits, |
| 643 unsigned int dkLen; /* decrypted key length in bytes */ |
| 644 int modulusLen; |
| 645 SECStatus rv; |
| 646 - PRUint16 allowed; /* cipher kinds enabled and allowed by policy *
/ |
| 647 + PRUint16 allowed; /* cipher kinds enabled */ |
| 648 PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES]; |
| 649 |
| 650 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); |
| 651 @@ -1584,7 +1514,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, u
nsigned int keyBits, |
| 652 goto loser; |
| 653 } |
| 654 |
| 655 - allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 656 + allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 657 if (!(allowed & (1 << cipher))) { |
| 658 /* client chose a kind we don't allow! */ |
| 659 SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d", |
| 660 @@ -1814,8 +1744,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss, |
| 661 } |
| 662 |
| 663 if (!ss->preferredCipher) { |
| 664 - unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference & |
| 665 - SSL_CB_IMPLEMENTED; |
| 666 + unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 667 if (allowed) { |
| 668 preferred = implementedCipherSuites; |
| 669 for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) { |
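Review bot: In `ssl2_CheckConfigSanity` the new test `if (!ss->chosenPreference)` drops the `SSL_CB_IMPLEMENTED` mask that every other rewritten expression in this file keeps (`ss->chosenPreference & SSL_CB_IMPLEMENTED`). The removed `ssl2_SetPolicy` always masked `allowedByPolicy` with `SSL_CB_IMPLEMENTED`, so the old check only ever saw implemented kinds. If `chosenPreference` can carry bits outside the implemented set (the global default visible here is `0xff`), `enableSSL2` stays set even though no SSLv2 kind is usable. I would write `if (!(ss->chosenPreference & SSL_CB_IMPLEMENTED))`; the function body continues outside the hunk, so later handling there may change this. The nearby comments `bit-masks, showing which SSLv2 suites are allowed` and `bit values for the above two bit masks` are also stale now that only `chosenPreference` remains.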
| 670 diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
| 671 index e6792b3..ef085ba 100644 |
| 672 --- a/nss/lib/ssl/sslimpl.h |
| 673 +++ b/nss/lib/ssl/sslimpl.h |
| 674 @@ -273,17 +273,15 @@ struct sslBufferStr { |
| 675 }; |
| 676 |
| 677 /* |
| 678 -** SSL3 cipher suite policy and preference struct. |
| 679 +** SSL3 cipher suite preference struct. |
| 680 */ |
| 681 typedef struct { |
| 682 #if !defined(_WIN32) |
| 683 unsigned int cipher_suite : 16; |
| 684 - unsigned int policy : 8; |
| 685 unsigned int enabled : 1; |
| 686 unsigned int isPresent : 1; |
| 687 #else |
| 688 ssl3CipherSuite cipher_suite; |
| 689 - PRUint8 policy; |
| 690 unsigned char enabled : 1; |
| 691 unsigned char isPresent : 1; |
| 692 #endif |
| 693 @@ -637,7 +635,6 @@ struct sslSessionIDStr { |
| 694 |
| 695 ssl3CipherSuite cipherSuite; |
| 696 SSLCompressionMethod compression; |
| 697 - int policy; |
| 698 ssl3SidKeys keys; |
| 699 CK_MECHANISM_TYPE masterWrapMech; |
| 700 /* mechanism used to wrap master secret */ |
| 701 @@ -924,10 +921,6 @@ struct ssl3StateStr { |
| 702 SECKEYPrivateKey *channelID; /* used by client */ |
| 703 SECKEYPublicKey *channelIDPub; /* used by client */ |
| 704 |
| 705 - int policy; |
| 706 - /* This says what cipher suites we can do, and should |
| 707 - * be either SSL_ALLOWED or SSL_RESTRICTED |
| 708 - */ |
| 709 PLArenaPool * peerCertArena; |
| 710 /* These are used to keep track of the peer CA */ |
| 711 void * peerCertChain; |
| 712 @@ -1233,8 +1226,6 @@ const unsigned char * preferredCipher; |
| 713 |
| 714 PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */ |
| 715 |
| 716 - PRUint16 allowedByPolicy; /* copy of global policy bits. */ |
| 717 - PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */ |
| 718 PRUint16 chosenPreference; /* SSL2 cipher preferences. */ |
| 719 |
| 720 sslHandshakingType handshaking; |
| 721 @@ -1641,13 +1632,8 @@ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3Ci
pherSuite which, PRBool |
| 722 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enable
d); |
| 723 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabl
ed); |
| 724 |
| 725 -extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); |
| 726 -extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); |
| 727 -extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy); |
| 728 -extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy); |
| 729 - |
| 730 -extern void ssl2_InitSocketPolicy(sslSocket *ss); |
| 731 -extern void ssl3_InitSocketPolicy(sslSocket *ss); |
| 732 +extern void ssl2_InitSocketCipherSuites(sslSocket *ss); |
| 733 +extern void ssl3_InitSocketCipherSuites(sslSocket *ss); |
| 734 |
| 735 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, |
| 736 unsigned char *cs, int *size); |
| 737 @@ -1788,9 +1774,9 @@ extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket
*ss, |
| 738 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); |
| 739 extern void ssl_FreePRSocket(PRFileDesc *fd); |
| 740 |
| 741 -/* Internal config function so SSL2 can initialize the present state of |
| 742 +/* Internal config function so SSL2 can initialize the present state of |
| 743 * various ciphers */ |
| 744 -extern int ssl3_config_match_init(sslSocket *); |
| 745 +extern int ssl3_cipher_suites_test_presence(sslSocket *); |
| 746 |
| 747 /* Create a new ref counted key pair object from two keys. */ |
| 748 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, |
| 749 diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
| 750 index fd71aee..937a3b5 100644 |
| 751 --- a/nss/lib/ssl/sslsock.c |
| 752 +++ b/nss/lib/ssl/sslsock.c |
| 753 @@ -28,88 +28,6 @@ |
| 754 |
| 755 #define SET_ERROR_CODE /* reminder */ |
| 756 |
| 757 -struct cipherPolicyStr { |
| 758 - int cipher; |
| 759 - unsigned char export; /* policy value for export policy */ |
| 760 - unsigned char france; /* policy value for france policy */ |
| 761 -}; |
| 762 - |
| 763 -typedef struct cipherPolicyStr cipherPolicy; |
| 764 - |
| 765 -/* This table contains two preconfigured policies: Export and France. |
| 766 -** It is used only by the functions NSS_SetDomesticPolicy, |
| 767 -** NSS_SetExportPolicy, and NSS_SetFrancePolicy. |
| 768 -** Order of entries is not important. |
| 769 -*/ |
| 770 -static cipherPolicy ssl_ciphers[] = { /* Export France */ |
| 771 - { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 772 - { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 773 - { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 774 - { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 775 - { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 776 - { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 777 - { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 778 - { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 779 - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 780 - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 781 - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 782 - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 783 - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 784 - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED
}, |
| 785 - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 786 - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 787 - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 788 - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 789 - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 790 - { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 791 - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 792 - { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED }, |
| 793 - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 794 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 795 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 796 - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 797 - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 798 - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 799 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 800 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 801 - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 802 - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 803 - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 804 - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 805 - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 806 - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 807 - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 808 - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 809 - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 810 - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 811 - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 812 -#ifdef NSS_ENABLE_ECC |
| 813 - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 814 - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 815 - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 816 - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 817 - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 818 - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 819 - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 820 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 821 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 822 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 823 - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 824 - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 825 - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 826 - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 827 - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 828 - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 829 - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 830 - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 831 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 832 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 833 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 834 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 835 -#endif /* NSS_ENABLE_ECC */ |
| 836 - { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
| 837 -}; |
| 838 - |
| 839 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
| 840 ssl_DefConnect, |
| 841 NULL, |
| 842 @@ -291,9 +209,7 @@ ssl_DupSocket(sslSocket *os) |
| 843 ss->cTimeout = os->cTimeout; |
| 844 ss->dbHandle = os->dbHandle; |
| 845 |
| 846 - /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
| 847 - ss->allowedByPolicy = os->allowedByPolicy; |
| 848 - ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; |
| 849 + /* copy ssl2&3 prefs, even if it's not selected (yet) */ |
| 850 ss->chosenPreference = os->chosenPreference; |
| 851 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; |
| 852 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, |
| 853 @@ -1183,55 +1099,20 @@ ssl_IsRemovedCipherSuite(PRInt32 suite) |
| 854 SECStatus |
| 855 SSL_SetPolicy(long which, int policy) |
| 856 { |
| 857 - if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
| 858 - /* one of the two old FIPS ciphers */ |
| 859 - if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
| 860 - which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
| 861 - else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
| 862 - which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
| 863 - } |
| 864 - if (ssl_IsRemovedCipherSuite(which)) |
| 865 - return SECSuccess; |
| 866 - return SSL_CipherPolicySet(which, policy); |
| 867 + return SECSuccess; |
| 868 } |
| 869 |
| 870 SECStatus |
| 871 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
| 872 { |
| 873 - SECStatus rv = ssl_Init(); |
| 874 - |
| 875 - if (rv != SECSuccess) { |
| 876 - return rv; |
| 877 - } |
| 878 - |
| 879 - if (ssl_IsRemovedCipherSuite(which)) { |
| 880 - rv = SECSuccess; |
| 881 - } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 882 - rv = ssl2_SetPolicy(which, policy); |
| 883 - } else { |
| 884 - rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); |
| 885 - } |
| 886 - return rv; |
| 887 + return SECSuccess; |
| 888 } |
| 889 |
| 890 SECStatus |
| 891 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
| 892 { |
| 893 - SECStatus rv; |
| 894 - |
| 895 - if (!oPolicy) { |
| 896 - PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 897 - return SECFailure; |
| 898 - } |
| 899 - if (ssl_IsRemovedCipherSuite(which)) { |
| 900 - *oPolicy = SSL_NOT_ALLOWED; |
| 901 - rv = SECSuccess; |
| 902 - } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 903 - rv = ssl2_GetPolicy(which, oPolicy); |
| 904 - } else { |
| 905 - rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); |
| 906 - } |
| 907 - return rv; |
| 908 + *oPolicy = 0; |
| 909 + return SECSuccess; |
| 910 } |
| 911 |
| 912 /* Part of the public NSS API. |
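Review bot: The new body of SSL_CipherPolicyGet stores `*oPolicy = 0;` unconditionally, dropping the `if (!oPolicy)` check that the removed code had. A caller passing NULL to this still-exported function now dereferences a null pointer instead of getting SEC_ERROR_INVALID_ARGS. The guard can stay ahead of the store: `if (!oPolicy) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. The literal `0` would also be clearer as a named policy constant such as `SSL_NOT_ALLOWED`, which the removed code used, assuming that macro is still defined after this patch. Which value callers should see now that policy is inert is a decision the patch should state.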
| 913 @@ -1350,27 +1231,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool
*enabled) |
| 914 SECStatus |
| 915 NSS_SetDomesticPolicy(void) |
| 916 { |
| 917 - SECStatus status = SECSuccess; |
| 918 - cipherPolicy * policy; |
| 919 - |
| 920 - for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { |
| 921 - status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED); |
| 922 - if (status != SECSuccess) |
| 923 - break; |
| 924 - } |
| 925 - return status; |
| 926 + return SECSuccess; |
| 927 } |
| 928 |
| 929 SECStatus |
| 930 NSS_SetExportPolicy(void) |
| 931 { |
| 932 - return NSS_SetDomesticPolicy(); |
| 933 + return SECSuccess; |
| 934 } |
| 935 |
| 936 SECStatus |
| 937 NSS_SetFrancePolicy(void) |
| 938 { |
| 939 - return NSS_SetDomesticPolicy(); |
| 940 + return SECSuccess; |
| 941 } |
| 942 |
| 943 SECStatus |
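Review bot: NSS_SetDomesticPolicy, NSS_SetExportPolicy and NSS_SetFrancePolicy now return SECSuccess without doing anything, and nothing at the definitions says so. The same applies to SSL_SetPolicy and SSL_CipherPolicySet in the previous hunk. An application that calls one of these to restrict cipher suites receives a success status while no restriction is applied, so the no-op should be stated where the code lives, for example `/* Deprecated no-op kept for ABI compatibility; cipher policy is no longer enforced. */` above each definition. As far as the ssl.h hunk shows, the comment this patch adds there sits above SSL_CipherPolicySet and SSL_CipherPolicyGet only.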
| 944 @@ -3097,8 +2970,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoco
lVariant) |
| 945 ss->getChannelIDArg = NULL; |
| 946 |
| 947 ssl_ChooseOps(ss); |
| 948 - ssl2_InitSocketPolicy(ss); |
| 949 - ssl3_InitSocketPolicy(ss); |
| 950 + ssl2_InitSocketCipherSuites(ss); |
| 951 + ssl3_InitSocketCipherSuites(ss); |
| 952 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); |
| 953 |
| 954 if (makeLocks) { |