OLD | NEW |
(Empty) | |
| 1 diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
| 2 index c083a6b..4739fcf 100644 |
| 3 --- a/nss/lib/ssl/ssl.h |
| 4 +++ b/nss/lib/ssl/ssl.h |
| 5 @@ -244,7 +244,6 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd, |
| 6 ** is enabled, otherwise it is disabled. |
| 7 ** The "cipher" values are defined in sslproto.h (the SSL_EN_* values). |
| 8 ** EnableCipher records user preferences. |
| 9 -** SetPolicy sets the policy according to the policy module. |
| 10 */ |
| 11 #ifdef SSL_DEPRECATED_FUNCTION |
| 12 /* Old deprecated function names */ |
| 13 @@ -257,7 +256,11 @@ SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRIn
t32 cipher, PRBool en |
| 14 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *
enabled); |
| 15 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); |
| 16 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); |
| 17 + |
| 18 +/* Policy functions are deprecated and no longer have any effect. They exist in |
| 19 + * order to maintain ABI compatibility. */ |
| 20 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); |
| 21 +/* SSL_CipherPolicyGet sets *policy to SSL_ALLOWED and returns SECSuccess. */ |
| 22 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); |
| 23 |
| 24 /* SSLChannelBindingType enumerates the types of supported channel binding |
| 25 @@ -352,7 +355,7 @@ SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd, |
| 26 const SSLVersionRange *vrange); |
| 27 |
| 28 |
| 29 -/* Values for "policy" argument to SSL_PolicySet */ |
| 30 +/* Values for "policy" argument to SSL_CipherPolicySet */ |
| 31 /* Values returned by SSL_CipherPolicyGet. */ |
| 32 #define SSL_NOT_ALLOWED 0 /* or invalid or unimpleme
nted */ |
| 33 #define SSL_ALLOWED 1 |
| 34 @@ -892,26 +895,12 @@ SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertific
ate *cert, |
| 35 */ |
| 36 SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert); |
| 37 |
| 38 -/* Set cipher policies to a predefined Domestic (U.S.A.) policy. |
| 39 - * This essentially enables all supported ciphers. |
| 40 - */ |
| 41 +/* |
| 42 +** The NSS_Set*Policy functions have no effect and exist in order to maintain |
| 43 +** ABI compatibility. All supported ciphers are now allowed. |
| 44 +*/ |
| 45 SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void); |
| 46 - |
| 47 -/* Set cipher policies to a predefined Policy that is exportable from the USA |
| 48 - * according to present U.S. policies as we understand them. |
| 49 - * See documentation for the list. |
| 50 - * Note that your particular application program may be able to obtain |
| 51 - * an export license with more or fewer capabilities than those allowed |
| 52 - * by this function. In that case, you should use SSL_SetPolicy() |
| 53 - * to explicitly allow those ciphers you may legally export. |
| 54 - */ |
| 55 SSL_IMPORT SECStatus NSS_SetExportPolicy(void); |
| 56 - |
| 57 -/* Set cipher policies to a predefined Policy that is exportable from the USA |
| 58 - * according to present U.S. policies as we understand them, and that the |
| 59 - * nation of France will permit to be imported into their country. |
| 60 - * See documentation for the list. |
| 61 - */ |
| 62 SSL_IMPORT SECStatus NSS_SetFrancePolicy(void); |
| 63 |
| 64 SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void); |
| 65 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| 66 index 98e31d4..e7a747e 100644 |
| 67 --- a/nss/lib/ssl/ssl3con.c |
| 68 +++ b/nss/lib/ssl/ssl3con.c |
| 69 @@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *outpu
t, int *outputLen, |
| 70 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
| 71 */ |
| 72 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
| 73 - /* cipher_suite policy enabled is_present*
/ |
| 74 + /* cipher_suite enabled is_present */ |
| 75 #ifdef NSS_ENABLE_ECC |
| 76 - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 77 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 78 + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 79 + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 80 #endif /* NSS_ENABLE_ECC */ |
| 81 - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 82 - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 83 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 84 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 85 - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 86 + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 87 + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 88 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 89 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 90 + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 91 #ifdef NSS_ENABLE_ECC |
| 92 - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 93 - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 94 + { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 95 + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 96 #endif /* NSS_ENABLE_ECC */ |
| 97 - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_
FALSE}, |
| 98 - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 99 - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 100 + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 101 + { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 102 + { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 103 |
| 104 #ifdef NSS_ENABLE_ECC |
| 105 - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 106 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 107 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 108 - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 109 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 110 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 111 + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 112 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 113 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
| 114 + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 115 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 116 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
| 117 #endif /* NSS_ENABLE_ECC */ |
| 118 - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 119 - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 120 - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 121 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 122 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 123 - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 124 + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 125 + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 126 + { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 127 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 128 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 129 + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 130 #ifdef NSS_ENABLE_ECC |
| 131 - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 132 - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 133 - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 134 - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 135 + { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 136 + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 137 + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 138 + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 139 #endif /* NSS_ENABLE_ECC */ |
| 140 - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| 141 - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_
FALSE}, |
| 142 - { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 143 - { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 144 - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 145 - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 146 + { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 147 + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 148 + { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE}, |
| 149 + { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE}, |
| 150 + { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 151 + { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 152 |
| 153 #ifdef NSS_ENABLE_ECC |
| 154 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 155 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 156 + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 157 + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 158 #endif /* NSS_ENABLE_ECC */ |
| 159 - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 160 - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 161 + { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 162 + { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 163 #ifdef NSS_ENABLE_ECC |
| 164 - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 165 - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 166 + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 167 + { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 168 #endif /* NSS_ENABLE_ECC */ |
| 169 - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 170 - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 171 + { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 172 + { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 173 |
| 174 |
| 175 - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 176 - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 177 - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 178 - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 179 - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 180 - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 181 + { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 182 + { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 183 + { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 184 + { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 185 + { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE}, |
| 186 + { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 187 |
| 188 - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 189 - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 190 + { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE}, |
| 191 + { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE}, |
| 192 |
| 193 #ifdef NSS_ENABLE_ECC |
| 194 - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 195 - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 196 - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 197 - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 198 + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 199 + { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 200 + { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 201 + { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 202 #endif /* NSS_ENABLE_ECC */ |
| 203 - { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 204 - { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 205 - { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 206 - |
| 207 + { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 208 + { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE}, |
| 209 + { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE}, |
| 210 }; |
| 211 |
| 212 /* This list of SSL3 compression methods is sorted in descending order of |
| 213 @@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3Cipher
SuiteCfg *suites) |
| 214 } |
| 215 |
| 216 |
| 217 -/* Initialize the suite->isPresent value for config_match |
| 218 +/* Initialize the suite->isPresent value for cipher_suite_available. |
| 219 * Returns count of enabled ciphers supported by extant tokens, |
| 220 - * regardless of policy or user preference. |
| 221 + * regardless of user preference. |
| 222 * If this returns zero, the user cannot do SSL v3. |
| 223 */ |
| 224 int |
| 225 -ssl3_config_match_init(sslSocket *ss) |
| 226 +ssl3_cipher_suite_available_init(sslSocket *ss) |
| 227 { |
| 228 ssl3CipherSuiteCfg * suite; |
| 229 const ssl3CipherSuiteDef *cipher_def; |
| 230 @@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss) |
| 231 } |
| 232 |
| 233 |
| 234 -/* return PR_TRUE if suite matches policy and enabled state */ |
| 235 -/* It would be a REALLY BAD THING (tm) if we ever permitted the use |
| 236 -** of a cipher that was NOT_ALLOWED. So, if this is ever called with |
| 237 -** policy == SSL_NOT_ALLOWED, report no match. |
| 238 -*/ |
| 239 -/* adjust suite enabled to the availability of a token that can do the |
| 240 - * cipher suite. */ |
| 241 +/* return PR_TRUE if the given cipher suite is enabled and present. */ |
| 242 static PRBool |
| 243 -config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) |
| 244 +cipher_suite_available(ssl3CipherSuiteCfg *suite) |
| 245 { |
| 246 - PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
| 247 - if (policy == SSL_NOT_ALLOWED || !enabled) |
| 248 - return PR_FALSE; |
| 249 - return (PRBool)(suite->enabled && |
| 250 - suite->isPresent && |
| 251 - suite->policy != SSL_NOT_ALLOWED && |
| 252 - suite->policy <= policy); |
| 253 + return (PRBool)(suite->enabled && suite->isPresent); |
| 254 } |
| 255 |
| 256 -/* return number of cipher suites that match policy and enabled state */ |
| 257 -/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 258 +/* return number of cipher suites that are enabled and present. |
| 259 + * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 260 static int |
| 261 -count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
| 262 +count_cipher_suites(sslSocket *ss) |
| 263 { |
| 264 int i, count = 0; |
| 265 |
| 266 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 267 - return 0; |
| 268 + return 0; |
| 269 } |
| 270 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 271 - if (config_match(&ss->cipherSuites[i], policy, enabled)) |
| 272 + if (cipher_suite_available(&ss->cipherSuites[i])) |
| 273 count++; |
| 274 } |
| 275 if (count <= 0) { |
| 276 @@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 277 |
| 278 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
| 279 sid->u.ssl3.sessionIDLength)); |
| 280 - |
| 281 - ss->ssl3.policy = sid->u.ssl3.policy; |
| 282 } else { |
| 283 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); |
| 284 |
| 285 @@ -4789,10 +4774,11 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 286 return SECFailure; |
| 287 } |
| 288 |
| 289 - /* how many suites does our PKCS11 support (regardless of policy)? */ |
| 290 - num_suites = ssl3_config_match_init(ss); |
| 291 + /* how many suites does our PKCS11 support? */ |
| 292 + num_suites = ssl3_cipher_suite_available_init(ss); |
| 293 if (!num_suites) |
| 294 - return SECFailure; /* ssl3_config_match_init has set error code. */ |
| 295 + return SECFailure; /* ssl3_cipher_suite_available_init has set |
| 296 + error code. */ |
| 297 |
| 298 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, |
| 299 * only if TLS is disabled. |
| 300 @@ -4830,8 +4816,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 301 ssl3_DisableNonDTLSSuites(ss); |
| 302 } |
| 303 |
| 304 - /* how many suites are permitted by policy and user preference? */ |
| 305 - num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
| 306 + /* how many suites are permitted by user preference? */ |
| 307 + num_suites = count_cipher_suites(ss); |
| 308 if (!num_suites) |
| 309 return SECFailure; /* count_cipher_suites has set error code. */ |
| 310 if (ss->ssl3.hs.sendingSCSV) { |
| 311 @@ -4921,7 +4907,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 312 } |
| 313 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 314 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 315 - if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
| 316 + if (cipher_suite_available(suite)) { |
| 317 actual_count++; |
| 318 if (actual_count > num_suites) { |
| 319 /* set error card removal/insertion error */ |
| 320 @@ -5978,11 +5964,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRU
int32 length) |
| 321 if (temp < 0) { |
| 322 goto loser; /* alert has been sent */ |
| 323 } |
| 324 - ssl3_config_match_init(ss); |
| 325 + ssl3_cipher_suite_available_init(ss); |
| 326 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 327 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 328 if (temp == suite->cipher_suite) { |
| 329 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
| 330 + if (!cipher_suite_available(suite)) { |
| 331 break; /* failure */ |
| 332 } |
| 333 if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 334 @@ -7155,7 +7141,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server) |
| 335 sid->version = ss->version; |
| 336 |
| 337 sid->u.ssl3.keys.resumable = PR_TRUE; |
| 338 - sid->u.ssl3.policy = SSL_ALLOWED; |
| 339 sid->u.ssl3.clientWriteKey = NULL; |
| 340 sid->u.ssl3.serverWriteKey = NULL; |
| 341 |
| 342 @@ -7536,8 +7521,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 343 } |
| 344 |
| 345 #ifdef PARANOID |
| 346 - /* Look for a matching cipher suite. */ |
| 347 - j = ssl3_config_match_init(ss); |
| 348 + /* Look for an available cipher suite. */ |
| 349 + j = ssl3_cipher_suite_available_init(ss); |
| 350 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
| 351 errCode = PORT_GetError(); /* error code is already set. */ |
| 352 goto alert_loser; |
| 353 @@ -7573,12 +7558,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRU
int32 length) |
| 354 if (j <= 0) |
| 355 break; |
| 356 #ifdef PARANOID |
| 357 - /* Double check that the cached cipher suite is still enabled, |
| 358 - * implemented, and allowed by policy. Might have been disabled. |
| 359 - * The product policy won't change during the process lifetime. |
| 360 + /* Double check that the cached cipher suite is still enabled and |
| 361 + * implemented. Might have been disabled. |
| 362 * Implemented ("isPresent") shouldn't change for servers. |
| 363 */ |
| 364 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) |
| 365 + if (!cipher_suite_available(suite)) |
| 366 break; |
| 367 #else |
| 368 if (!suite->enabled) |
| 369 @@ -7603,7 +7587,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 370 |
| 371 #ifndef PARANOID |
| 372 /* Look for a matching cipher suite. */ |
| 373 - j = ssl3_config_match_init(ss); |
| 374 + j = ssl3_cipher_suite_available_init(ss); |
| 375 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
| 376 errCode = PORT_GetError(); /* error code is already set. */ |
| 377 goto alert_loser; |
| 378 @@ -7626,7 +7610,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 379 */ |
| 380 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 381 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 382 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
| 383 + if (!cipher_suite_available(suite) || |
| 384 !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 385 ss->version)) { |
| 386 continue; |
| 387 @@ -7949,7 +7933,7 @@ compression_found: |
| 388 ret = SSL_SNI_SEND_ALERT; |
| 389 break; |
| 390 } |
| 391 - configedCiphers = ssl3_config_match_init(ss); |
| 392 + configedCiphers = ssl3_cipher_suite_available_init(ss); |
| 393 if (configedCiphers <= 0) { |
| 394 /* no ciphers are working/supported */ |
| 395 errCode = PORT_GetError(); |
| 396 @@ -8146,7 +8130,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buf
fer, int length) |
| 397 /* Disable any ECC cipher suites for which we have no cert. */ |
| 398 ssl3_FilterECCipherSuitesByServerCerts(ss); |
| 399 #endif |
| 400 - i = ssl3_config_match_init(ss); |
| 401 + i = ssl3_cipher_suite_available_init(ss); |
| 402 if (i <= 0) { |
| 403 errCode = PORT_GetError(); /* error code is already set. */ |
| 404 goto alert_loser; |
| 405 @@ -8161,7 +8145,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buf
fer, int length) |
| 406 */ |
| 407 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 408 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 409 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
| 410 + if (!cipher_suite_available(suite) || |
| 411 !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 412 ss->version)) { |
| 413 continue; |
| 414 @@ -10456,7 +10440,6 @@ xmit_loser: |
| 415 /* fill in the sid */ |
| 416 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; |
| 417 sid->u.ssl3.compression = ss->ssl3.hs.compression; |
| 418 - sid->u.ssl3.policy = ss->ssl3.policy; |
| 419 #ifdef NSS_ENABLE_ECC |
| 420 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; |
| 421 #endif |
| 422 @@ -11534,8 +11517,6 @@ ssl3_InitState(sslSocket *ss) |
| 423 if (ss->ssl3.initialized) |
| 424 return SECSuccess; /* Function should be idempotent */ |
| 425 |
| 426 - ss->ssl3.policy = SSL_ALLOWED; |
| 427 - |
| 428 ssl_GetSpecWriteLock(ss); |
| 429 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; |
| 430 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; |
| 431 @@ -11645,40 +11626,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss) |
| 432 } |
| 433 |
| 434 |
| 435 -/* record the export policy for this cipher suite */ |
| 436 -SECStatus |
| 437 -ssl3_SetPolicy(ssl3CipherSuite which, int policy) |
| 438 -{ |
| 439 - ssl3CipherSuiteCfg *suite; |
| 440 - |
| 441 - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
| 442 - if (suite == NULL) { |
| 443 - return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ |
| 444 - } |
| 445 - suite->policy = policy; |
| 446 - |
| 447 - return SECSuccess; |
| 448 -} |
| 449 - |
| 450 -SECStatus |
| 451 -ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy) |
| 452 -{ |
| 453 - ssl3CipherSuiteCfg *suite; |
| 454 - PRInt32 policy; |
| 455 - SECStatus rv; |
| 456 - |
| 457 - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
| 458 - if (suite) { |
| 459 - policy = suite->policy; |
| 460 - rv = SECSuccess; |
| 461 - } else { |
| 462 - policy = SSL_NOT_ALLOWED; |
| 463 - rv = SECFailure; /* err code was set by Lookup. */ |
| 464 - } |
| 465 - *oPolicy = policy; |
| 466 - return rv; |
| 467 -} |
| 468 - |
| 469 /* record the user preference for this suite */ |
| 470 SECStatus |
| 471 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) |
| 472 @@ -11745,9 +11692,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which,
PRBool *enabled) |
| 473 return rv; |
| 474 } |
| 475 |
| 476 -/* copy global default policy into socket. */ |
| 477 +/* copy global default ciphersuite preferences into socket. */ |
| 478 void |
| 479 -ssl3_InitSocketPolicy(sslSocket *ss) |
| 480 +ssl3_InitSocketCipherSuites(sslSocket *ss) |
| 481 { |
| 482 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); |
| 483 } |
| 484 @@ -11814,8 +11761,8 @@ loser: |
| 485 return rv; |
| 486 } |
| 487 |
| 488 -/* ssl3_config_match_init must have already been called by |
| 489 - * the caller of this function. |
| 490 +/* ssl3_cipher_suite_available_init must have already been called by the caller |
| 491 + * of this function. |
| 492 */ |
| 493 SECStatus |
| 494 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
| 495 @@ -11832,14 +11779,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigne
d char *cs, int *size) |
| 496 return SECSuccess; |
| 497 } |
| 498 if (cs == NULL) { |
| 499 - *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
| 500 + *size = count_cipher_suites(ss); |
| 501 return SECSuccess; |
| 502 } |
| 503 |
| 504 - /* ssl3_config_match_init was called by the caller of this function. */ |
| 505 + /* ssl3_cipher_suite_available_init was called by the caller of this |
| 506 + * function. */ |
| 507 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 508 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 509 - if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { |
| 510 + if (cipher_suite_available(suite)) { |
| 511 if (cs != NULL) { |
| 512 *cs++ = 0x00; |
| 513 *cs++ = (suite->cipher_suite >> 8) & 0xFF; |
| 514 diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c |
| 515 index 74995f1..19a6a58 100644 |
| 516 --- a/nss/lib/ssl/ssl3ecc.c |
| 517 +++ b/nss/lib/ssl/ssl3ecc.c |
| 518 @@ -1017,7 +1017,7 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss) |
| 519 } |
| 520 |
| 521 /* Ask: is ANY ECC cipher suite enabled on this socket? */ |
| 522 -/* Order(N^2). Yuk. Also, this ignores export policy. */ |
| 523 +/* Order(N^2). Yuk. */ |
| 524 PRBool |
| 525 ssl3_IsECCEnabled(sslSocket * ss) |
| 526 { |
| 527 diff --git a/nss/lib/ssl/sslcon.c b/nss/lib/ssl/sslcon.c |
| 528 index 2fc6602..626839e 100644 |
| 529 --- a/nss/lib/ssl/sslcon.c |
| 530 +++ b/nss/lib/ssl/sslcon.c |
| 531 @@ -20,9 +20,6 @@ |
| 532 #include "prinit.h" |
| 533 #include "prtime.h" /* for PR_Now() */ |
| 534 |
| 535 -#define XXX |
| 536 -static PRBool policyWasSet; |
| 537 - |
| 538 /* This ordered list is indexed by (SSL_CK_xx * 3) */ |
| 539 /* Second and third bytes are MSB and LSB of master key length. */ |
| 540 static const PRUint8 allCipherSuites[] = { |
| 541 @@ -115,14 +112,12 @@ const char * const ssl_cipherName[] = { |
| 542 }; |
| 543 |
| 544 |
| 545 -/* bit-masks, showing which SSLv2 suites are allowed. |
| 546 +/* bit-mask, showing which SSLv2 suites are allowed. |
| 547 * lsb corresponds to first cipher suite in allCipherSuites[]. |
| 548 */ |
| 549 -static PRUint16 allowedByPolicy; /* all off by default */ |
| 550 -static PRUint16 maybeAllowedByPolicy; /* all off by default */ |
| 551 static PRUint16 chosenPreference = 0xff; /* all on by default */ |
| 552 |
| 553 -/* bit values for the above two bit masks */ |
| 554 +/* bit values for the above bit mask */ |
| 555 #define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5) |
| 556 #define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH
_MD5) |
| 557 #define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5) |
| 558 @@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 559 count = 0; |
| 560 PORT_Assert(ss != 0); |
| 561 allowed = !ss->opt.enableSSL2 ? 0 : |
| 562 - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 563 + (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 564 while (allowed) { |
| 565 if (allowed & 1) |
| 566 ++count; |
| 567 allowed >>= 1; |
| 568 } |
| 569 |
| 570 - /* Call ssl3_config_match_init() once here, |
| 571 + /* Call ssl3_cipher_suite_available_init() once here, |
| 572 * instead of inside ssl3_ConstructV2CipherSpecsHack(), |
| 573 * because the latter gets called twice below, |
| 574 * and then again in ssl2_BeginClientHandshake(). |
| 575 */ |
| 576 - ssl3_config_match_init(ss); |
| 577 + ssl3_cipher_suite_available_init(ss); |
| 578 |
| 579 /* ask SSL3 how many cipher suites it has. */ |
| 580 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count); |
| 581 @@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 582 |
| 583 /* fill in cipher specs for SSL2 cipher suites */ |
| 584 allowed = !ss->opt.enableSSL2 ? 0 : |
| 585 - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 586 + (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 587 for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) { |
| 588 const PRUint8 * hs = implementedCipherSuites + i; |
| 589 int ok = allowed & (1U << hs[0]); |
| 590 @@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 591 static SECStatus |
| 592 ssl2_CheckConfigSanity(sslSocket *ss) |
| 593 { |
| 594 - unsigned int allowed; |
| 595 int ssl3CipherCount = 0; |
| 596 SECStatus rv; |
| 597 |
| 598 @@ -235,11 +229,11 @@ ssl2_CheckConfigSanity(sslSocket *ss) |
| 599 if (!ss->cipherSpecs) |
| 600 goto disabled; |
| 601 |
| 602 - allowed = ss->allowedByPolicy & ss->chosenPreference; |
| 603 - if (! allowed) |
| 604 + if (!ss->chosenPreference) |
| 605 ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */ |
| 606 |
| 607 - /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */ |
| 608 + /* ssl3_cipher_suite_available_init was called in |
| 609 + * ssl2_ConstructCipherSpecs(). */ |
| 610 /* Ask how many ssl3 CipherSuites were enabled. */ |
| 611 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount); |
| 612 if (rv != SECSuccess || ssl3CipherCount <= 0) { |
| 613 @@ -261,67 +255,6 @@ disabled: |
| 614 /* |
| 615 * Since this is a global (not per-socket) setting, we cannot use the |
| 616 * HandshakeLock to protect this. Probably want a global lock. |
| 617 - */ |
| 618 -SECStatus |
| 619 -ssl2_SetPolicy(PRInt32 which, PRInt32 policy) |
| 620 -{ |
| 621 - PRUint32 bitMask; |
| 622 - SECStatus rv = SECSuccess; |
| 623 - |
| 624 - which &= 0x000f; |
| 625 - bitMask = 1 << which; |
| 626 - |
| 627 - if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
| 628 - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
| 629 - return SECFailure; |
| 630 - } |
| 631 - |
| 632 - if (policy == SSL_ALLOWED) { |
| 633 - allowedByPolicy |= bitMask; |
| 634 - maybeAllowedByPolicy |= bitMask; |
| 635 - } else if (policy == SSL_RESTRICTED) { |
| 636 - allowedByPolicy &= ~bitMask; |
| 637 - maybeAllowedByPolicy |= bitMask; |
| 638 - } else { |
| 639 - allowedByPolicy &= ~bitMask; |
| 640 - maybeAllowedByPolicy &= ~bitMask; |
| 641 - } |
| 642 - allowedByPolicy &= SSL_CB_IMPLEMENTED; |
| 643 - maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED; |
| 644 - |
| 645 - policyWasSet = PR_TRUE; |
| 646 - return rv; |
| 647 -} |
| 648 - |
| 649 -SECStatus |
| 650 -ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy) |
| 651 -{ |
| 652 - PRUint32 bitMask; |
| 653 - PRInt32 policy; |
| 654 - |
| 655 - which &= 0x000f; |
| 656 - bitMask = 1 << which; |
| 657 - |
| 658 - /* Caller assures oPolicy is not null. */ |
| 659 - if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
| 660 - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
| 661 - *oPolicy = SSL_NOT_ALLOWED; |
| 662 - return SECFailure; |
| 663 - } |
| 664 - |
| 665 - if (maybeAllowedByPolicy & bitMask) { |
| 666 - policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED; |
| 667 - } else { |
| 668 - policy = SSL_NOT_ALLOWED; |
| 669 - } |
| 670 - |
| 671 - *oPolicy = policy; |
| 672 - return SECSuccess; |
| 673 -} |
| 674 - |
| 675 -/* |
| 676 - * Since this is a global (not per-socket) setting, we cannot use the |
| 677 - * HandshakeLock to protect this. Probably want a global lock. |
| 678 * Called from SSL_CipherPrefSetDefault in sslsock.c |
| 679 * These changes have no effect on any sslSockets already created. |
| 680 */ |
| 681 @@ -410,12 +343,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *e
nabled) |
| 682 } |
| 683 |
| 684 |
| 685 -/* copy global default policy into socket. */ |
| 686 +/* copy global default cipher suite preferences into socket. */ |
| 687 void |
| 688 -ssl2_InitSocketPolicy(sslSocket *ss) |
| 689 +ssl2_InitSocketCipherSuites(sslSocket *ss) |
| 690 { |
| 691 - ss->allowedByPolicy = allowedByPolicy; |
| 692 - ss->maybeAllowedByPolicy = maybeAllowedByPolicy; |
| 693 ss->chosenPreference = chosenPreference; |
| 694 } |
| 695 |
| 696 @@ -1556,7 +1487,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, u
nsigned int keyBits, |
| 697 unsigned int dkLen; /* decrypted key length in bytes */ |
| 698 int modulusLen; |
| 699 SECStatus rv; |
| 700 - PRUint16 allowed; /* cipher kinds enabled and allowed by policy *
/ |
| 701 + PRUint16 allowed; /* cipher kinds enabled */ |
| 702 PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES]; |
| 703 |
| 704 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); |
| 705 @@ -1584,7 +1515,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, u
nsigned int keyBits, |
| 706 goto loser; |
| 707 } |
| 708 |
| 709 - allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 710 + allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 711 if (!(allowed & (1 << cipher))) { |
| 712 /* client chose a kind we don't allow! */ |
| 713 SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d", |
| 714 @@ -1814,8 +1745,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss, |
| 715 } |
| 716 |
| 717 if (!ss->preferredCipher) { |
| 718 - unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference & |
| 719 - SSL_CB_IMPLEMENTED; |
| 720 + unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 721 if (allowed) { |
| 722 preferred = implementedCipherSuites; |
| 723 for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) { |
| 724 diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
| 725 index e6792b3..670dba8 100644 |
| 726 --- a/nss/lib/ssl/sslimpl.h |
| 727 +++ b/nss/lib/ssl/sslimpl.h |
| 728 @@ -273,17 +273,15 @@ struct sslBufferStr { |
| 729 }; |
| 730 |
| 731 /* |
| 732 -** SSL3 cipher suite policy and preference struct. |
| 733 +** SSL3 cipher suite preference struct. |
| 734 */ |
| 735 typedef struct { |
| 736 #if !defined(_WIN32) |
| 737 unsigned int cipher_suite : 16; |
| 738 - unsigned int policy : 8; |
| 739 unsigned int enabled : 1; |
| 740 unsigned int isPresent : 1; |
| 741 #else |
| 742 ssl3CipherSuite cipher_suite; |
| 743 - PRUint8 policy; |
| 744 unsigned char enabled : 1; |
| 745 unsigned char isPresent : 1; |
| 746 #endif |
| 747 @@ -637,7 +635,6 @@ struct sslSessionIDStr { |
| 748 |
| 749 ssl3CipherSuite cipherSuite; |
| 750 SSLCompressionMethod compression; |
| 751 - int policy; |
| 752 ssl3SidKeys keys; |
| 753 CK_MECHANISM_TYPE masterWrapMech; |
| 754 /* mechanism used to wrap master secret */ |
| 755 @@ -923,11 +920,6 @@ struct ssl3StateStr { |
| 756 |
| 757 SECKEYPrivateKey *channelID; /* used by client */ |
| 758 SECKEYPublicKey *channelIDPub; /* used by client */ |
| 759 - |
| 760 - int policy; |
| 761 - /* This says what cipher suites we can do, and should |
| 762 - * be either SSL_ALLOWED or SSL_RESTRICTED |
| 763 - */ |
| 764 PLArenaPool * peerCertArena; |
| 765 /* These are used to keep track of the peer CA */ |
| 766 void * peerCertChain; |
| 767 @@ -1233,8 +1225,6 @@ const unsigned char * preferredCipher; |
| 768 |
| 769 PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */ |
| 770 |
| 771 - PRUint16 allowedByPolicy; /* copy of global policy bits. */ |
| 772 - PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */ |
| 773 PRUint16 chosenPreference; /* SSL2 cipher preferences. */ |
| 774 |
| 775 sslHandshakingType handshaking; |
| 776 @@ -1641,13 +1631,8 @@ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3Ci
pherSuite which, PRBool |
| 777 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enable
d); |
| 778 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabl
ed); |
| 779 |
| 780 -extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); |
| 781 -extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); |
| 782 -extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy); |
| 783 -extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy); |
| 784 - |
| 785 -extern void ssl2_InitSocketPolicy(sslSocket *ss); |
| 786 -extern void ssl3_InitSocketPolicy(sslSocket *ss); |
| 787 +extern void ssl2_InitSocketCipherSuites(sslSocket *ss); |
| 788 +extern void ssl3_InitSocketCipherSuites(sslSocket *ss); |
| 789 |
| 790 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, |
| 791 unsigned char *cs, int *size); |
| 792 @@ -1788,9 +1773,9 @@ extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket
*ss, |
| 793 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); |
| 794 extern void ssl_FreePRSocket(PRFileDesc *fd); |
| 795 |
| 796 -/* Internal config function so SSL2 can initialize the present state of |
| 797 - * various ciphers */ |
| 798 -extern int ssl3_config_match_init(sslSocket *); |
| 799 +/* Internal config function so SSL3 can test the present state of various |
| 800 + * ciphers */ |
| 801 +extern int ssl3_cipher_suite_available_init(sslSocket *); |
| 802 |
| 803 /* Create a new ref counted key pair object from two keys. */ |
| 804 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, |
| 805 diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
| 806 index fd71aee..3b30efd 100644 |
| 807 --- a/nss/lib/ssl/sslsock.c |
| 808 +++ b/nss/lib/ssl/sslsock.c |
| 809 @@ -28,88 +28,6 @@ |
| 810 |
| 811 #define SET_ERROR_CODE /* reminder */ |
| 812 |
| 813 -struct cipherPolicyStr { |
| 814 - int cipher; |
| 815 - unsigned char export; /* policy value for export policy */ |
| 816 - unsigned char france; /* policy value for france policy */ |
| 817 -}; |
| 818 - |
| 819 -typedef struct cipherPolicyStr cipherPolicy; |
| 820 - |
| 821 -/* This table contains two preconfigured policies: Export and France. |
| 822 -** It is used only by the functions NSS_SetDomesticPolicy, |
| 823 -** NSS_SetExportPolicy, and NSS_SetFrancePolicy. |
| 824 -** Order of entries is not important. |
| 825 -*/ |
| 826 -static cipherPolicy ssl_ciphers[] = { /* Export France */ |
| 827 - { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 828 - { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 829 - { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 830 - { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 831 - { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 832 - { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 833 - { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 834 - { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 835 - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 836 - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 837 - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 838 - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 839 - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 840 - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED
}, |
| 841 - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 842 - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 843 - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 844 - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 845 - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 846 - { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 847 - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 848 - { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED }, |
| 849 - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 850 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 851 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 852 - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 853 - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 854 - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 855 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 856 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 857 - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 858 - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 859 - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 860 - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 861 - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 862 - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 863 - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 864 - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 865 - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 866 - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 867 - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 868 -#ifdef NSS_ENABLE_ECC |
| 869 - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 870 - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 871 - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 872 - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 873 - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 874 - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 875 - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 876 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 877 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 878 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 879 - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 880 - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 881 - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 882 - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 883 - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 884 - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 885 - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 886 - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 887 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 888 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 889 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 890 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 891 -#endif /* NSS_ENABLE_ECC */ |
| 892 - { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
| 893 -}; |
| 894 - |
| 895 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
| 896 ssl_DefConnect, |
| 897 NULL, |
| 898 @@ -291,9 +209,7 @@ ssl_DupSocket(sslSocket *os) |
| 899 ss->cTimeout = os->cTimeout; |
| 900 ss->dbHandle = os->dbHandle; |
| 901 |
| 902 - /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
| 903 - ss->allowedByPolicy = os->allowedByPolicy; |
| 904 - ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; |
| 905 + /* copy ssl2&3 prefs, even if it's not selected (yet) */ |
| 906 ss->chosenPreference = os->chosenPreference; |
| 907 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; |
| 908 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, |
| 909 @@ -1176,62 +1092,23 @@ ssl_IsRemovedCipherSuite(PRInt32 suite) |
| 910 } |
| 911 } |
| 912 |
| 913 -/* Part of the public NSS API. |
| 914 - * Since this is a global (not per-socket) setting, we cannot use the |
| 915 - * HandshakeLock to protect this. Probably want a global lock. |
| 916 - */ |
| 917 SECStatus |
| 918 SSL_SetPolicy(long which, int policy) |
| 919 { |
| 920 - if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
| 921 - /* one of the two old FIPS ciphers */ |
| 922 - if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
| 923 - which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
| 924 - else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
| 925 - which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
| 926 - } |
| 927 - if (ssl_IsRemovedCipherSuite(which)) |
| 928 - return SECSuccess; |
| 929 - return SSL_CipherPolicySet(which, policy); |
| 930 + return SECSuccess; |
| 931 } |
| 932 |
| 933 SECStatus |
| 934 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
| 935 { |
| 936 - SECStatus rv = ssl_Init(); |
| 937 - |
| 938 - if (rv != SECSuccess) { |
| 939 - return rv; |
| 940 - } |
| 941 - |
| 942 - if (ssl_IsRemovedCipherSuite(which)) { |
| 943 - rv = SECSuccess; |
| 944 - } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 945 - rv = ssl2_SetPolicy(which, policy); |
| 946 - } else { |
| 947 - rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); |
| 948 - } |
| 949 - return rv; |
| 950 + return SECSuccess; |
| 951 } |
| 952 |
| 953 SECStatus |
| 954 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
| 955 { |
| 956 - SECStatus rv; |
| 957 - |
| 958 - if (!oPolicy) { |
| 959 - PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 960 - return SECFailure; |
| 961 - } |
| 962 - if (ssl_IsRemovedCipherSuite(which)) { |
| 963 - *oPolicy = SSL_NOT_ALLOWED; |
| 964 - rv = SECSuccess; |
| 965 - } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 966 - rv = ssl2_GetPolicy(which, oPolicy); |
| 967 - } else { |
| 968 - rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); |
| 969 - } |
| 970 - return rv; |
| 971 + *oPolicy = SSL_ALLOWED; |
| 972 + return SECSuccess; |
| 973 } |
| 974 |
| 975 /* Part of the public NSS API. |
| 976 @@ -1350,27 +1227,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool
*enabled) |
| 977 SECStatus |
| 978 NSS_SetDomesticPolicy(void) |
| 979 { |
| 980 - SECStatus status = SECSuccess; |
| 981 - cipherPolicy * policy; |
| 982 - |
| 983 - for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { |
| 984 - status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED); |
| 985 - if (status != SECSuccess) |
| 986 - break; |
| 987 - } |
| 988 - return status; |
| 989 + return SECSuccess; |
| 990 } |
| 991 |
| 992 SECStatus |
| 993 NSS_SetExportPolicy(void) |
| 994 { |
| 995 - return NSS_SetDomesticPolicy(); |
| 996 + return SECSuccess; |
| 997 } |
| 998 |
| 999 SECStatus |
| 1000 NSS_SetFrancePolicy(void) |
| 1001 { |
| 1002 - return NSS_SetDomesticPolicy(); |
| 1003 + return SECSuccess; |
| 1004 } |
| 1005 |
| 1006 SECStatus |
| 1007 @@ -3097,8 +2966,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoco
lVariant) |
| 1008 ss->getChannelIDArg = NULL; |
| 1009 |
| 1010 ssl_ChooseOps(ss); |
| 1011 - ssl2_InitSocketPolicy(ss); |
| 1012 - ssl3_InitSocketPolicy(ss); |
| 1013 + ssl2_InitSocketCipherSuites(ss); |
| 1014 + ssl3_InitSocketCipherSuites(ss); |
| 1015 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); |
| 1016 |
| 1017 if (makeLocks) { |
OLD | NEW |