OLD | NEW |
(Empty) | |
| 1 diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
| 2 index c083a6b..4739fcf 100644 |
| 3 --- a/nss/lib/ssl/ssl.h |
| 4 +++ b/nss/lib/ssl/ssl.h |
| 5 @@ -244,7 +244,6 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd, |
| 6 ** is enabled, otherwise it is disabled. |
| 7 ** The "cipher" values are defined in sslproto.h (the SSL_EN_* values). |
| 8 ** EnableCipher records user preferences. |
| 9 -** SetPolicy sets the policy according to the policy module. |
| 10 */ |
| 11 #ifdef SSL_DEPRECATED_FUNCTION |
| 12 /* Old deprecated function names */ |
| 13 @@ -257,7 +256,11 @@ SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRIn
t32 cipher, PRBool en |
| 14 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *
enabled); |
| 15 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); |
| 16 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); |
| 17 + |
| 18 +/* Policy functions are deprecated and no longer have any effect. They exist in |
| 19 + * order to maintain ABI compatibility. */ |
| 20 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); |
| 21 +/* SSL_CipherPolicyGet sets *policy to SSL_ALLOWED and returns SECSuccess. */ |
| 22 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); |
| 23 |
| 24 /* SSLChannelBindingType enumerates the types of supported channel binding |
| 25 @@ -352,7 +355,7 @@ SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd, |
| 26 const SSLVersionRange *vrange); |
| 27 |
| 28 |
| 29 -/* Values for "policy" argument to SSL_PolicySet */ |
| 30 +/* Values for "policy" argument to SSL_CipherPolicySet */ |
| 31 /* Values returned by SSL_CipherPolicyGet. */ |
| 32 #define SSL_NOT_ALLOWED 0 /* or invalid or unimpleme
nted */ |
| 33 #define SSL_ALLOWED 1 |
| 34 @@ -892,26 +895,12 @@ SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertific
ate *cert, |
| 35 */ |
| 36 SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert); |
| 37 |
| 38 -/* Set cipher policies to a predefined Domestic (U.S.A.) policy. |
| 39 - * This essentially enables all supported ciphers. |
| 40 - */ |
| 41 +/* |
| 42 +** The NSS_Set*Policy functions have no effect and exist in order to maintain |
| 43 +** ABI compatibility. All supported ciphers are now allowed. |
| 44 +*/ |
| 45 SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void); |
| 46 - |
| 47 -/* Set cipher policies to a predefined Policy that is exportable from the USA |
| 48 - * according to present U.S. policies as we understand them. |
| 49 - * See documentation for the list. |
| 50 - * Note that your particular application program may be able to obtain |
| 51 - * an export license with more or fewer capabilities than those allowed |
| 52 - * by this function. In that case, you should use SSL_SetPolicy() |
| 53 - * to explicitly allow those ciphers you may legally export. |
| 54 - */ |
| 55 SSL_IMPORT SECStatus NSS_SetExportPolicy(void); |
| 56 - |
| 57 -/* Set cipher policies to a predefined Policy that is exportable from the USA |
| 58 - * according to present U.S. policies as we understand them, and that the |
| 59 - * nation of France will permit to be imported into their country. |
| 60 - * See documentation for the list. |
| 61 - */ |
| 62 SSL_IMPORT SECStatus NSS_SetFrancePolicy(void); |
| 63 |
| 64 SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void); |
| 65 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| 66 index 98e31d4..41fdef7 100644 |
| 67 --- a/nss/lib/ssl/ssl3con.c |
| 68 +++ b/nss/lib/ssl/ssl3con.c |
| 69 @@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *outpu
t, int *outputLen, |
| 70 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
| 71 */ |
| 72 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
| 73 - /* cipher_suite policy enabled is_present*
/ |
| 74 + /* cipher_suite enabled is_present */ |
| 75 #ifdef NSS_ENABLE_ECC |
| 76 - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 77 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 78 + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 79 + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 80 #endif /* NSS_ENABLE_ECC */ |
| 81 - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 82 - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 83 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 84 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 85 - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 86 + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 87 + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 88 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 89 + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 90 + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 91 #ifdef NSS_ENABLE_ECC |
| 92 - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 93 - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 94 + { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 95 + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 96 #endif /* NSS_ENABLE_ECC */ |
| 97 - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_
FALSE}, |
| 98 - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 99 - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 100 + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 101 + { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 102 + { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 103 |
| 104 #ifdef NSS_ENABLE_ECC |
| 105 - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 106 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 107 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 108 - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 109 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 110 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 111 + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 112 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 113 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
| 114 + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 115 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 116 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
| 117 #endif /* NSS_ENABLE_ECC */ |
| 118 - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 119 - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 120 - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 121 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 122 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 123 - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 124 + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 125 + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 126 + { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 127 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 128 + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 129 + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 130 #ifdef NSS_ENABLE_ECC |
| 131 - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 132 - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 133 - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 134 - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 135 + { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 136 + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 137 + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
| 138 + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 139 #endif /* NSS_ENABLE_ECC */ |
| 140 - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| 141 - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_
FALSE}, |
| 142 - { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 143 - { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 144 - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 145 - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 146 + { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 147 + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 148 + { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE}, |
| 149 + { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE}, |
| 150 + { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 151 + { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
| 152 |
| 153 #ifdef NSS_ENABLE_ECC |
| 154 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 155 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 156 + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 157 + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 158 #endif /* NSS_ENABLE_ECC */ |
| 159 - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 160 - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 161 + { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 162 + { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 163 #ifdef NSS_ENABLE_ECC |
| 164 - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 165 - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 166 + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 167 + { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 168 #endif /* NSS_ENABLE_ECC */ |
| 169 - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 170 - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 171 + { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 172 + { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
| 173 |
| 174 |
| 175 - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 176 - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 177 - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 178 - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 179 - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 180 - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 181 + { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 182 + { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 183 + { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 184 + { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 185 + { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE}, |
| 186 + { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
| 187 |
| 188 - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 189 - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 190 + { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE}, |
| 191 + { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE}, |
| 192 |
| 193 #ifdef NSS_ENABLE_ECC |
| 194 - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 195 - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 196 - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 197 - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}
, |
| 198 + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 199 + { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 200 + { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 201 + { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 202 #endif /* NSS_ENABLE_ECC */ |
| 203 - { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 204 - { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 205 - { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 206 - |
| 207 + { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
| 208 + { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE}, |
| 209 + { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE}, |
| 210 }; |
| 211 |
| 212 /* This list of SSL3 compression methods is sorted in descending order of |
| 213 @@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3Cipher
SuiteCfg *suites) |
| 214 } |
| 215 |
| 216 |
| 217 -/* Initialize the suite->isPresent value for config_match |
| 218 +/* Initialize the suite->isPresent value for cipher_suite_available. |
| 219 * Returns count of enabled ciphers supported by extant tokens, |
| 220 - * regardless of policy or user preference. |
| 221 + * regardless of user preference. |
| 222 * If this returns zero, the user cannot do SSL v3. |
| 223 */ |
| 224 int |
| 225 -ssl3_config_match_init(sslSocket *ss) |
| 226 +ssl3_cipher_suite_available_init(sslSocket *ss) |
| 227 { |
| 228 ssl3CipherSuiteCfg * suite; |
| 229 const ssl3CipherSuiteDef *cipher_def; |
| 230 @@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss) |
| 231 } |
| 232 |
| 233 |
| 234 -/* return PR_TRUE if suite matches policy and enabled state */ |
| 235 -/* It would be a REALLY BAD THING (tm) if we ever permitted the use |
| 236 -** of a cipher that was NOT_ALLOWED. So, if this is ever called with |
| 237 -** policy == SSL_NOT_ALLOWED, report no match. |
| 238 -*/ |
| 239 -/* adjust suite enabled to the availability of a token that can do the |
| 240 - * cipher suite. */ |
| 241 +/* return PR_TRUE if the given cipher suite is enabled and present. */ |
| 242 static PRBool |
| 243 -config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) |
| 244 +cipher_suite_available(ssl3CipherSuiteCfg *suite) |
| 245 { |
| 246 - PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
| 247 - if (policy == SSL_NOT_ALLOWED || !enabled) |
| 248 - return PR_FALSE; |
| 249 - return (PRBool)(suite->enabled && |
| 250 - suite->isPresent && |
| 251 - suite->policy != SSL_NOT_ALLOWED && |
| 252 - suite->policy <= policy); |
| 253 + return (PRBool)(suite->enabled && suite->isPresent); |
| 254 } |
| 255 |
| 256 -/* return number of cipher suites that match policy and enabled state */ |
| 257 -/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 258 +/* return number of cipher suites that are enabled and present. |
| 259 + * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 260 static int |
| 261 -count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
| 262 +count_cipher_suites(sslSocket *ss) |
| 263 { |
| 264 int i, count = 0; |
| 265 |
| 266 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 267 - return 0; |
| 268 + return 0; |
| 269 } |
| 270 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 271 - if (config_match(&ss->cipherSuites[i], policy, enabled)) |
| 272 + if (cipher_suite_available(&ss->cipherSuites[i])) |
| 273 count++; |
| 274 } |
| 275 if (count <= 0) { |
| 276 @@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 277 |
| 278 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
| 279 sid->u.ssl3.sessionIDLength)); |
| 280 - |
| 281 - ss->ssl3.policy = sid->u.ssl3.policy; |
| 282 } else { |
| 283 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); |
| 284 |
| 285 @@ -4789,10 +4774,11 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 286 return SECFailure; |
| 287 } |
| 288 |
| 289 - /* how many suites does our PKCS11 support (regardless of policy)? */ |
| 290 - num_suites = ssl3_config_match_init(ss); |
| 291 + /* how many suites does our PKCS11 support? */ |
| 292 + num_suites = ssl3_cipher_suite_available_init(ss); |
| 293 if (!num_suites) |
| 294 - return SECFailure; /* ssl3_config_match_init has set error code. */ |
| 295 + return SECFailure; /* ssl3_cipher_suite_available_init has set |
| 296 + * error code. */ |
| 297 |
| 298 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, |
| 299 * only if TLS is disabled. |
| 300 @@ -4830,8 +4816,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 301 ssl3_DisableNonDTLSSuites(ss); |
| 302 } |
| 303 |
| 304 - /* how many suites are permitted by policy and user preference? */ |
| 305 - num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
| 306 + /* how many suites are permitted by user preference? */ |
| 307 + num_suites = count_cipher_suites(ss); |
| 308 if (!num_suites) |
| 309 return SECFailure; /* count_cipher_suites has set error code. */ |
| 310 if (ss->ssl3.hs.sendingSCSV) { |
| 311 @@ -4921,7 +4907,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 312 } |
| 313 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 314 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 315 - if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
| 316 + if (cipher_suite_available(suite)) { |
| 317 actual_count++; |
| 318 if (actual_count > num_suites) { |
| 319 /* set error card removal/insertion error */ |
| 320 @@ -5978,11 +5964,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRU
int32 length) |
| 321 if (temp < 0) { |
| 322 goto loser; /* alert has been sent */ |
| 323 } |
| 324 - ssl3_config_match_init(ss); |
| 325 + ssl3_cipher_suite_available_init(ss); |
| 326 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 327 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 328 if (temp == suite->cipher_suite) { |
| 329 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
| 330 + if (!cipher_suite_available(suite)) { |
| 331 break; /* failure */ |
| 332 } |
| 333 if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 334 @@ -7155,7 +7141,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server) |
| 335 sid->version = ss->version; |
| 336 |
| 337 sid->u.ssl3.keys.resumable = PR_TRUE; |
| 338 - sid->u.ssl3.policy = SSL_ALLOWED; |
| 339 sid->u.ssl3.clientWriteKey = NULL; |
| 340 sid->u.ssl3.serverWriteKey = NULL; |
| 341 |
| 342 @@ -7536,8 +7521,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 343 } |
| 344 |
| 345 #ifdef PARANOID |
| 346 - /* Look for a matching cipher suite. */ |
| 347 - j = ssl3_config_match_init(ss); |
| 348 + /* Look for an available cipher suite. */ |
| 349 + j = ssl3_cipher_suite_available_init(ss); |
| 350 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
| 351 errCode = PORT_GetError(); /* error code is already set. */ |
| 352 goto alert_loser; |
| 353 @@ -7573,12 +7558,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRU
int32 length) |
| 354 if (j <= 0) |
| 355 break; |
| 356 #ifdef PARANOID |
| 357 - /* Double check that the cached cipher suite is still enabled, |
| 358 - * implemented, and allowed by policy. Might have been disabled. |
| 359 - * The product policy won't change during the process lifetime. |
| 360 + /* Double check that the cached cipher suite is still enabled and |
| 361 + * implemented. Might have been disabled. |
| 362 * Implemented ("isPresent") shouldn't change for servers. |
| 363 */ |
| 364 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) |
| 365 + if (!cipher_suite_available(suite)) |
| 366 break; |
| 367 #else |
| 368 if (!suite->enabled) |
| 369 @@ -7602,8 +7586,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 370 /* START A NEW SESSION */ |
| 371 |
| 372 #ifndef PARANOID |
| 373 - /* Look for a matching cipher suite. */ |
| 374 - j = ssl3_config_match_init(ss); |
| 375 + /* Look for an available cipher suite. */ |
| 376 + j = ssl3_cipher_suite_available_init(ss); |
| 377 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
| 378 errCode = PORT_GetError(); /* error code is already set. */ |
| 379 goto alert_loser; |
| 380 @@ -7626,7 +7610,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 381 */ |
| 382 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 383 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 384 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
| 385 + if (!cipher_suite_available(suite) || |
| 386 !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 387 ss->version)) { |
| 388 continue; |
| 389 @@ -7645,7 +7629,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
| 390 goto alert_loser; |
| 391 |
| 392 suite_found: |
| 393 - /* Look for a matching compression algorithm. */ |
| 394 + /* Select a compression algorithm. */ |
| 395 for (i = 0; i < comps.len; i++) { |
| 396 if (!compressionEnabled(ss, comps.data[i])) |
| 397 continue; |
| 398 @@ -7949,7 +7933,7 @@ compression_found: |
| 399 ret = SSL_SNI_SEND_ALERT; |
| 400 break; |
| 401 } |
| 402 - configedCiphers = ssl3_config_match_init(ss); |
| 403 + configedCiphers = ssl3_cipher_suite_available_init(ss); |
| 404 if (configedCiphers <= 0) { |
| 405 /* no ciphers are working/supported */ |
| 406 errCode = PORT_GetError(); |
| 407 @@ -8146,7 +8130,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buf
fer, int length) |
| 408 /* Disable any ECC cipher suites for which we have no cert. */ |
| 409 ssl3_FilterECCipherSuitesByServerCerts(ss); |
| 410 #endif |
| 411 - i = ssl3_config_match_init(ss); |
| 412 + i = ssl3_cipher_suite_available_init(ss); |
| 413 if (i <= 0) { |
| 414 errCode = PORT_GetError(); /* error code is already set. */ |
| 415 goto alert_loser; |
| 416 @@ -8161,7 +8145,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buf
fer, int length) |
| 417 */ |
| 418 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 419 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 420 - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
| 421 + if (!cipher_suite_available(suite) || |
| 422 !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
| 423 ss->version)) { |
| 424 continue; |
| 425 @@ -10456,7 +10440,6 @@ xmit_loser: |
| 426 /* fill in the sid */ |
| 427 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; |
| 428 sid->u.ssl3.compression = ss->ssl3.hs.compression; |
| 429 - sid->u.ssl3.policy = ss->ssl3.policy; |
| 430 #ifdef NSS_ENABLE_ECC |
| 431 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; |
| 432 #endif |
| 433 @@ -11534,8 +11517,6 @@ ssl3_InitState(sslSocket *ss) |
| 434 if (ss->ssl3.initialized) |
| 435 return SECSuccess; /* Function should be idempotent */ |
| 436 |
| 437 - ss->ssl3.policy = SSL_ALLOWED; |
| 438 - |
| 439 ssl_GetSpecWriteLock(ss); |
| 440 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; |
| 441 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; |
| 442 @@ -11645,40 +11626,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss) |
| 443 } |
| 444 |
| 445 |
| 446 -/* record the export policy for this cipher suite */ |
| 447 -SECStatus |
| 448 -ssl3_SetPolicy(ssl3CipherSuite which, int policy) |
| 449 -{ |
| 450 - ssl3CipherSuiteCfg *suite; |
| 451 - |
| 452 - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
| 453 - if (suite == NULL) { |
| 454 - return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ |
| 455 - } |
| 456 - suite->policy = policy; |
| 457 - |
| 458 - return SECSuccess; |
| 459 -} |
| 460 - |
| 461 -SECStatus |
| 462 -ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy) |
| 463 -{ |
| 464 - ssl3CipherSuiteCfg *suite; |
| 465 - PRInt32 policy; |
| 466 - SECStatus rv; |
| 467 - |
| 468 - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
| 469 - if (suite) { |
| 470 - policy = suite->policy; |
| 471 - rv = SECSuccess; |
| 472 - } else { |
| 473 - policy = SSL_NOT_ALLOWED; |
| 474 - rv = SECFailure; /* err code was set by Lookup. */ |
| 475 - } |
| 476 - *oPolicy = policy; |
| 477 - return rv; |
| 478 -} |
| 479 - |
| 480 /* record the user preference for this suite */ |
| 481 SECStatus |
| 482 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) |
| 483 @@ -11745,9 +11692,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which,
PRBool *enabled) |
| 484 return rv; |
| 485 } |
| 486 |
| 487 -/* copy global default policy into socket. */ |
| 488 +/* copy global default ciphersuite preferences into socket. */ |
| 489 void |
| 490 -ssl3_InitSocketPolicy(sslSocket *ss) |
| 491 +ssl3_InitSocketCipherSuites(sslSocket *ss) |
| 492 { |
| 493 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); |
| 494 } |
| 495 @@ -11814,8 +11761,8 @@ loser: |
| 496 return rv; |
| 497 } |
| 498 |
| 499 -/* ssl3_config_match_init must have already been called by |
| 500 - * the caller of this function. |
| 501 +/* ssl3_cipher_suite_available_init must have already been called by the caller |
| 502 + * of this function. |
| 503 */ |
| 504 SECStatus |
| 505 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
| 506 @@ -11832,14 +11779,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigne
d char *cs, int *size) |
| 507 return SECSuccess; |
| 508 } |
| 509 if (cs == NULL) { |
| 510 - *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
| 511 + *size = count_cipher_suites(ss); |
| 512 return SECSuccess; |
| 513 } |
| 514 |
| 515 - /* ssl3_config_match_init was called by the caller of this function. */ |
| 516 + /* ssl3_cipher_suite_available_init was called by the caller of this |
| 517 + * function. */ |
| 518 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 519 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 520 - if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { |
| 521 + if (cipher_suite_available(suite)) { |
| 522 if (cs != NULL) { |
| 523 *cs++ = 0x00; |
| 524 *cs++ = (suite->cipher_suite >> 8) & 0xFF; |
| 525 diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c |
| 526 index 74995f1..19a6a58 100644 |
| 527 --- a/nss/lib/ssl/ssl3ecc.c |
| 528 +++ b/nss/lib/ssl/ssl3ecc.c |
| 529 @@ -1017,7 +1017,7 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss) |
| 530 } |
| 531 |
| 532 /* Ask: is ANY ECC cipher suite enabled on this socket? */ |
| 533 -/* Order(N^2). Yuk. Also, this ignores export policy. */ |
| 534 +/* Order(N^2). Yuk. */ |
| 535 PRBool |
| 536 ssl3_IsECCEnabled(sslSocket * ss) |
| 537 { |
| 538 diff --git a/nss/lib/ssl/sslcon.c b/nss/lib/ssl/sslcon.c |
| 539 index 2fc6602..626839e 100644 |
| 540 --- a/nss/lib/ssl/sslcon.c |
| 541 +++ b/nss/lib/ssl/sslcon.c |
| 542 @@ -20,9 +20,6 @@ |
| 543 #include "prinit.h" |
| 544 #include "prtime.h" /* for PR_Now() */ |
| 545 |
| 546 -#define XXX |
| 547 -static PRBool policyWasSet; |
| 548 - |
| 549 /* This ordered list is indexed by (SSL_CK_xx * 3) */ |
| 550 /* Second and third bytes are MSB and LSB of master key length. */ |
| 551 static const PRUint8 allCipherSuites[] = { |
| 552 @@ -115,14 +112,12 @@ const char * const ssl_cipherName[] = { |
| 553 }; |
| 554 |
| 555 |
| 556 -/* bit-masks, showing which SSLv2 suites are allowed. |
| 557 +/* bit-mask, showing which SSLv2 suites are allowed. |
| 558 * lsb corresponds to first cipher suite in allCipherSuites[]. |
| 559 */ |
| 560 -static PRUint16 allowedByPolicy; /* all off by default */ |
| 561 -static PRUint16 maybeAllowedByPolicy; /* all off by default */ |
| 562 static PRUint16 chosenPreference = 0xff; /* all on by default */ |
| 563 |
| 564 -/* bit values for the above two bit masks */ |
| 565 +/* bit values for the above bit mask */ |
| 566 #define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5) |
| 567 #define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH
_MD5) |
| 568 #define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5) |
| 569 @@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 570 count = 0; |
| 571 PORT_Assert(ss != 0); |
| 572 allowed = !ss->opt.enableSSL2 ? 0 : |
| 573 - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 574 + (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 575 while (allowed) { |
| 576 if (allowed & 1) |
| 577 ++count; |
| 578 allowed >>= 1; |
| 579 } |
| 580 |
| 581 - /* Call ssl3_config_match_init() once here, |
| 582 + /* Call ssl3_cipher_suite_available_init() once here, |
| 583 * instead of inside ssl3_ConstructV2CipherSpecsHack(), |
| 584 * because the latter gets called twice below, |
| 585 * and then again in ssl2_BeginClientHandshake(). |
| 586 */ |
| 587 - ssl3_config_match_init(ss); |
| 588 + ssl3_cipher_suite_available_init(ss); |
| 589 |
| 590 /* ask SSL3 how many cipher suites it has. */ |
| 591 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count); |
| 592 @@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 593 |
| 594 /* fill in cipher specs for SSL2 cipher suites */ |
| 595 allowed = !ss->opt.enableSSL2 ? 0 : |
| 596 - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 597 + (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
| 598 for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) { |
| 599 const PRUint8 * hs = implementedCipherSuites + i; |
| 600 int ok = allowed & (1U << hs[0]); |
| 601 @@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
| 602 static SECStatus |
| 603 ssl2_CheckConfigSanity(sslSocket *ss) |
| 604 { |
| 605 - unsigned int allowed; |
| 606 int ssl3CipherCount = 0; |
| 607 SECStatus rv; |
| 608 |
| 609 @@ -235,11 +229,11 @@ ssl2_CheckConfigSanity(sslSocket *ss) |
| 610 if (!ss->cipherSpecs) |
| 611 goto disabled; |
| 612 |
| 613 - allowed = ss->allowedByPolicy & ss->chosenPreference; |
| 614 - if (! allowed) |
| 615 + if (!ss->chosenPreference) |
| 616 ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */ |
| 617 |
| 618 - /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */ |
| 619 + /* ssl3_cipher_suite_available_init was called in |
| 620 + * ssl2_ConstructCipherSpecs(). */ |
| 621 /* Ask how many ssl3 CipherSuites were enabled. */ |
| 622 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount); |
| 623 if (rv != SECSuccess || ssl3CipherCount <= 0) { |
| 624 @@ -261,67 +255,6 @@ disabled: |
| 625 /* |
| 626 * Since this is a global (not per-socket) setting, we cannot use the |
| 627 * HandshakeLock to protect this. Probably want a global lock. |
| 628 - */ |
| 629 -SECStatus |
| 630 -ssl2_SetPolicy(PRInt32 which, PRInt32 policy) |
| 631 -{ |
| 632 - PRUint32 bitMask; |
| 633 - SECStatus rv = SECSuccess; |
| 634 - |
| 635 - which &= 0x000f; |
| 636 - bitMask = 1 << which; |
| 637 - |
| 638 - if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
| 639 - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
| 640 - return SECFailure; |
| 641 - } |
| 642 - |
| 643 - if (policy == SSL_ALLOWED) { |
| 644 - allowedByPolicy |= bitMask; |
| 645 - maybeAllowedByPolicy |= bitMask; |
| 646 - } else if (policy == SSL_RESTRICTED) { |
| 647 - allowedByPolicy &= ~bitMask; |
| 648 - maybeAllowedByPolicy |= bitMask; |
| 649 - } else { |
| 650 - allowedByPolicy &= ~bitMask; |
| 651 - maybeAllowedByPolicy &= ~bitMask; |
| 652 - } |
| 653 - allowedByPolicy &= SSL_CB_IMPLEMENTED; |
| 654 - maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED; |
| 655 - |
| 656 - policyWasSet = PR_TRUE; |
| 657 - return rv; |
| 658 -} |
| 659 - |
| 660 -SECStatus |
| 661 -ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy) |
| 662 -{ |
| 663 - PRUint32 bitMask; |
| 664 - PRInt32 policy; |
| 665 - |
| 666 - which &= 0x000f; |
| 667 - bitMask = 1 << which; |
| 668 - |
| 669 - /* Caller assures oPolicy is not null. */ |
| 670 - if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
| 671 - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
| 672 - *oPolicy = SSL_NOT_ALLOWED; |
| 673 - return SECFailure; |
| 674 - } |
| 675 - |
| 676 - if (maybeAllowedByPolicy & bitMask) { |
| 677 - policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED; |
| 678 - } else { |
| 679 - policy = SSL_NOT_ALLOWED; |
| 680 - } |
| 681 - |
| 682 - *oPolicy = policy; |
| 683 - return SECSuccess; |
| 684 -} |
| 685 - |
| 686 -/* |
| 687 - * Since this is a global (not per-socket) setting, we cannot use the |
| 688 - * HandshakeLock to protect this. Probably want a global lock. |
| 689 * Called from SSL_CipherPrefSetDefault in sslsock.c |
| 690 * These changes have no effect on any sslSockets already created. |
| 691 */ |
| 692 @@ -410,12 +343,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *e
nabled) |
| 693 } |
| 694 |
| 695 |
| 696 -/* copy global default policy into socket. */ |
| 697 +/* copy global default cipher suite preferences into socket. */ |
| 698 void |
| 699 -ssl2_InitSocketPolicy(sslSocket *ss) |
| 700 +ssl2_InitSocketCipherSuites(sslSocket *ss) |
| 701 { |
| 702 - ss->allowedByPolicy = allowedByPolicy; |
| 703 - ss->maybeAllowedByPolicy = maybeAllowedByPolicy; |
| 704 ss->chosenPreference = chosenPreference; |
| 705 } |
| 706 |
| 707 @@ -1556,7 +1487,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, u
nsigned int keyBits, |
| 708 unsigned int dkLen; /* decrypted key length in bytes */ |
| 709 int modulusLen; |
| 710 SECStatus rv; |
| 711 - PRUint16 allowed; /* cipher kinds enabled and allowed by policy *
/ |
| 712 + PRUint16 allowed; /* cipher kinds enabled */ |
| 713 PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES]; |
| 714 |
| 715 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); |
| 716 @@ -1584,7 +1515,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, u
nsigned int keyBits, |
| 717 goto loser; |
| 718 } |
| 719 |
| 720 - allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 721 + allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 722 if (!(allowed & (1 << cipher))) { |
| 723 /* client chose a kind we don't allow! */ |
| 724 SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d", |
| 725 @@ -1814,8 +1745,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss, |
| 726 } |
| 727 |
| 728 if (!ss->preferredCipher) { |
| 729 - unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference & |
| 730 - SSL_CB_IMPLEMENTED; |
| 731 + unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
| 732 if (allowed) { |
| 733 preferred = implementedCipherSuites; |
| 734 for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) { |
| 735 diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
| 736 index e6792b3..0684042 100644 |
| 737 --- a/nss/lib/ssl/sslimpl.h |
| 738 +++ b/nss/lib/ssl/sslimpl.h |
| 739 @@ -273,17 +273,15 @@ struct sslBufferStr { |
| 740 }; |
| 741 |
| 742 /* |
| 743 -** SSL3 cipher suite policy and preference struct. |
| 744 +** SSL3 cipher suite preference struct. |
| 745 */ |
| 746 typedef struct { |
| 747 #if !defined(_WIN32) |
| 748 unsigned int cipher_suite : 16; |
| 749 - unsigned int policy : 8; |
| 750 unsigned int enabled : 1; |
| 751 unsigned int isPresent : 1; |
| 752 #else |
| 753 ssl3CipherSuite cipher_suite; |
| 754 - PRUint8 policy; |
| 755 unsigned char enabled : 1; |
| 756 unsigned char isPresent : 1; |
| 757 #endif |
| 758 @@ -637,7 +635,6 @@ struct sslSessionIDStr { |
| 759 |
| 760 ssl3CipherSuite cipherSuite; |
| 761 SSLCompressionMethod compression; |
| 762 - int policy; |
| 763 ssl3SidKeys keys; |
| 764 CK_MECHANISM_TYPE masterWrapMech; |
| 765 /* mechanism used to wrap master secret */ |
| 766 @@ -924,10 +921,6 @@ struct ssl3StateStr { |
| 767 SECKEYPrivateKey *channelID; /* used by client */ |
| 768 SECKEYPublicKey *channelIDPub; /* used by client */ |
| 769 |
| 770 - int policy; |
| 771 - /* This says what cipher suites we can do, and should |
| 772 - * be either SSL_ALLOWED or SSL_RESTRICTED |
| 773 - */ |
| 774 PLArenaPool * peerCertArena; |
| 775 /* These are used to keep track of the peer CA */ |
| 776 void * peerCertChain; |
| 777 @@ -1233,8 +1226,6 @@ const unsigned char * preferredCipher; |
| 778 |
| 779 PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */ |
| 780 |
| 781 - PRUint16 allowedByPolicy; /* copy of global policy bits. */ |
| 782 - PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */ |
| 783 PRUint16 chosenPreference; /* SSL2 cipher preferences. */ |
| 784 |
| 785 sslHandshakingType handshaking; |
| 786 @@ -1641,13 +1632,8 @@ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3Ci
pherSuite which, PRBool |
| 787 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enable
d); |
| 788 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabl
ed); |
| 789 |
| 790 -extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); |
| 791 -extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); |
| 792 -extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy); |
| 793 -extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy); |
| 794 - |
| 795 -extern void ssl2_InitSocketPolicy(sslSocket *ss); |
| 796 -extern void ssl3_InitSocketPolicy(sslSocket *ss); |
| 797 +extern void ssl2_InitSocketCipherSuites(sslSocket *ss); |
| 798 +extern void ssl3_InitSocketCipherSuites(sslSocket *ss); |
| 799 |
| 800 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, |
| 801 unsigned char *cs, int *size); |
| 802 @@ -1788,9 +1774,9 @@ extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket
*ss, |
| 803 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); |
| 804 extern void ssl_FreePRSocket(PRFileDesc *fd); |
| 805 |
| 806 -/* Internal config function so SSL2 can initialize the present state of |
| 807 - * various ciphers */ |
| 808 -extern int ssl3_config_match_init(sslSocket *); |
| 809 +/* Internal config function so SSL3 can test the present state of various |
| 810 + * ciphers */ |
| 811 +extern int ssl3_cipher_suite_available_init(sslSocket *); |
| 812 |
| 813 /* Create a new ref counted key pair object from two keys. */ |
| 814 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, |
| 815 diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
| 816 index fd71aee..3b30efd 100644 |
| 817 --- a/nss/lib/ssl/sslsock.c |
| 818 +++ b/nss/lib/ssl/sslsock.c |
| 819 @@ -28,88 +28,6 @@ |
| 820 |
| 821 #define SET_ERROR_CODE /* reminder */ |
| 822 |
| 823 -struct cipherPolicyStr { |
| 824 - int cipher; |
| 825 - unsigned char export; /* policy value for export policy */ |
| 826 - unsigned char france; /* policy value for france policy */ |
| 827 -}; |
| 828 - |
| 829 -typedef struct cipherPolicyStr cipherPolicy; |
| 830 - |
| 831 -/* This table contains two preconfigured policies: Export and France. |
| 832 -** It is used only by the functions NSS_SetDomesticPolicy, |
| 833 -** NSS_SetExportPolicy, and NSS_SetFrancePolicy. |
| 834 -** Order of entries is not important. |
| 835 -*/ |
| 836 -static cipherPolicy ssl_ciphers[] = { /* Export France */ |
| 837 - { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 838 - { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 839 - { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 840 - { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 841 - { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 842 - { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 843 - { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 844 - { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 845 - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 846 - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 847 - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 848 - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 849 - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 850 - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED
}, |
| 851 - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 852 - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 853 - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 854 - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 855 - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 856 - { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 857 - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 858 - { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED }, |
| 859 - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 860 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 861 - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 862 - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 863 - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 864 - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 865 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 866 - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 867 - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 868 - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 869 - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 870 - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 871 - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 872 - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 873 - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 874 - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALL
OWED }, |
| 875 - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 876 - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 877 - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 878 -#ifdef NSS_ENABLE_ECC |
| 879 - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 880 - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 881 - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 882 - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 883 - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 884 - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 885 - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 886 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 887 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 888 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 889 - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 890 - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 891 - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 892 - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 893 - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 894 - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 895 - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 896 - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 897 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 898 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 899 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 900 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 901 -#endif /* NSS_ENABLE_ECC */ |
| 902 - { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
| 903 -}; |
| 904 - |
| 905 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
| 906 ssl_DefConnect, |
| 907 NULL, |
| 908 @@ -291,9 +209,7 @@ ssl_DupSocket(sslSocket *os) |
| 909 ss->cTimeout = os->cTimeout; |
| 910 ss->dbHandle = os->dbHandle; |
| 911 |
| 912 - /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
| 913 - ss->allowedByPolicy = os->allowedByPolicy; |
| 914 - ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; |
| 915 + /* copy ssl2&3 prefs, even if it's not selected (yet) */ |
| 916 ss->chosenPreference = os->chosenPreference; |
| 917 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; |
| 918 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, |
| 919 @@ -1176,62 +1092,23 @@ ssl_IsRemovedCipherSuite(PRInt32 suite) |
| 920 } |
| 921 } |
| 922 |
| 923 -/* Part of the public NSS API. |
| 924 - * Since this is a global (not per-socket) setting, we cannot use the |
| 925 - * HandshakeLock to protect this. Probably want a global lock. |
| 926 - */ |
| 927 SECStatus |
| 928 SSL_SetPolicy(long which, int policy) |
| 929 { |
| 930 - if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
| 931 - /* one of the two old FIPS ciphers */ |
| 932 - if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
| 933 - which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
| 934 - else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
| 935 - which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
| 936 - } |
| 937 - if (ssl_IsRemovedCipherSuite(which)) |
| 938 - return SECSuccess; |
| 939 - return SSL_CipherPolicySet(which, policy); |
| 940 + return SECSuccess; |
| 941 } |
| 942 |
| 943 SECStatus |
| 944 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
| 945 { |
| 946 - SECStatus rv = ssl_Init(); |
| 947 - |
| 948 - if (rv != SECSuccess) { |
| 949 - return rv; |
| 950 - } |
| 951 - |
| 952 - if (ssl_IsRemovedCipherSuite(which)) { |
| 953 - rv = SECSuccess; |
| 954 - } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 955 - rv = ssl2_SetPolicy(which, policy); |
| 956 - } else { |
| 957 - rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); |
| 958 - } |
| 959 - return rv; |
| 960 + return SECSuccess; |
| 961 } |
| 962 |
| 963 SECStatus |
| 964 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
| 965 { |
| 966 - SECStatus rv; |
| 967 - |
| 968 - if (!oPolicy) { |
| 969 - PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 970 - return SECFailure; |
| 971 - } |
| 972 - if (ssl_IsRemovedCipherSuite(which)) { |
| 973 - *oPolicy = SSL_NOT_ALLOWED; |
| 974 - rv = SECSuccess; |
| 975 - } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 976 - rv = ssl2_GetPolicy(which, oPolicy); |
| 977 - } else { |
| 978 - rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); |
| 979 - } |
| 980 - return rv; |
| 981 + *oPolicy = SSL_ALLOWED; |
| 982 + return SECSuccess; |
| 983 } |
| 984 |
| 985 /* Part of the public NSS API. |
| 986 @@ -1350,27 +1227,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool
*enabled) |
| 987 SECStatus |
| 988 NSS_SetDomesticPolicy(void) |
| 989 { |
| 990 - SECStatus status = SECSuccess; |
| 991 - cipherPolicy * policy; |
| 992 - |
| 993 - for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { |
| 994 - status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED); |
| 995 - if (status != SECSuccess) |
| 996 - break; |
| 997 - } |
| 998 - return status; |
| 999 + return SECSuccess; |
| 1000 } |
| 1001 |
| 1002 SECStatus |
| 1003 NSS_SetExportPolicy(void) |
| 1004 { |
| 1005 - return NSS_SetDomesticPolicy(); |
| 1006 + return SECSuccess; |
| 1007 } |
| 1008 |
| 1009 SECStatus |
| 1010 NSS_SetFrancePolicy(void) |
| 1011 { |
| 1012 - return NSS_SetDomesticPolicy(); |
| 1013 + return SECSuccess; |
| 1014 } |
| 1015 |
| 1016 SECStatus |
| 1017 @@ -3097,8 +2966,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoco
lVariant) |
| 1018 ss->getChannelIDArg = NULL; |
| 1019 |
| 1020 ssl_ChooseOps(ss); |
| 1021 - ssl2_InitSocketPolicy(ss); |
| 1022 - ssl3_InitSocketPolicy(ss); |
| 1023 + ssl2_InitSocketCipherSuites(ss); |
| 1024 + ssl3_InitSocketCipherSuites(ss); |
| 1025 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); |
| 1026 |
| 1027 if (makeLocks) { |
OLD | NEW |