Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(120)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/patches/rmcipherpolicy.patch

Issue 21564003: NSS: remove cipher policy framework. Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 7 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl.h » ('j') | net/third_party/nss/ssl/ssl.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/rmcipherpolicy.patch
diff --git a/net/third_party/nss/patches/rmcipherpolicy.patch b/net/third_party/nss/patches/rmcipherpolicy.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e4efde7a0274137cca75b4ff4ec966fcd652a34d
--- /dev/null
+++ b/net/third_party/nss/patches/rmcipherpolicy.patch
@@ -0,0 +1,954 @@
+diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
+index 7194257..b9b1e12 100644
+--- a/nss/lib/ssl/ssl.h
++++ b/nss/lib/ssl/ssl.h
+@@ -239,7 +239,6 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd,
+ ** is enabled, otherwise it is disabled.
+ ** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
+ ** EnableCipher records user preferences.
+-** SetPolicy sets the policy according to the policy module.
+ */
+ #ifdef SSL_DEPRECATED_FUNCTION
+ /* Old deprecated function names */
+@@ -252,6 +251,9 @@ SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en
+ SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
+ SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
+ SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
++
++/* Policy functions are deprecated and no longer have any effect. They exist in
++ * order to maintain ABI compatibility. */
+ SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
+
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
+index 27d4be9..b7ef492 100644
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
+ * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
+ */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+- /* cipher_suite policy enabled is_present*/
++ /* cipher_suite enabled is_present*/
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
+
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
++ { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
++ { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
++ { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE},
++ { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
+
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
++ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
++ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
++ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
++ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
++ { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
+
+
+- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
++ { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
++ { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
++ { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
++ { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
++ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE},
++ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
+
+- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
++ { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE},
++ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE},
+
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+-
++ { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE},
++ { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE},
+ };
+
+ /* This list of SSL3 compression methods is sorted in descending order of
+@@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
+ }
+
+
+-/* Initialize the suite->isPresent value for config_match
++/* Initialize the suite->isPresent value for cipher_suite_available.
+ * Returns count of enabled ciphers supported by extant tokens,
+- * regardless of policy or user preference.
++ * regardless of user preference.
+ * If this returns zero, the user cannot do SSL v3.
+ */
+ int
+-ssl3_config_match_init(sslSocket *ss)
++ssl3_cipher_suites_test_presence(sslSocket *ss)
+ {
+ ssl3CipherSuiteCfg * suite;
+ const ssl3CipherSuiteDef *cipher_def;
+@@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss)
+ }
+
+
+-/* return PR_TRUE if suite matches policy and enabled state */
+-/* It would be a REALLY BAD THING (tm) if we ever permitted the use
+-** of a cipher that was NOT_ALLOWED. So, if this is ever called with
+-** policy == SSL_NOT_ALLOWED, report no match.
+-*/
+-/* adjust suite enabled to the availability of a token that can do the
+- * cipher suite. */
++/* return PR_TRUE if the given cipher suite is enabled and present. */
+ static PRBool
+-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
++cipher_suite_available(ssl3CipherSuiteCfg *suite)
+ {
+- PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
+- if (policy == SSL_NOT_ALLOWED || !enabled)
+- return PR_FALSE;
+- return (PRBool)(suite->enabled &&
+- suite->isPresent &&
+- suite->policy != SSL_NOT_ALLOWED &&
+- suite->policy <= policy);
++ return (PRBool)(suite->enabled && suite->isPresent);
+ }
+
+-/* return number of cipher suites that match policy and enabled state */
+-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
++/* return number of cipher suites that are enabled and present.
++ * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
+ static int
+-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
++count_cipher_suites(sslSocket *ss)
+ {
+ int i, count = 0;
+
+ if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
+- return 0;
++ return 0;
+ }
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+- if (config_match(&ss->cipherSuites[i], policy, enabled))
++ if (cipher_suite_available(&ss->cipherSuites[i]))
+ count++;
+ }
+ if (count <= 0) {
+@@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+
+ PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
+ sid->u.ssl3.sessionIDLength));
+-
+- ss->ssl3.policy = sid->u.ssl3.policy;
+ } else {
+ SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
+
+@@ -4789,10 +4774,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+ return SECFailure;
+ }
+
+- /* how many suites does our PKCS11 support (regardless of policy)? */
+- num_suites = ssl3_config_match_init(ss);
++ /* how many suites does our PKCS11 support? */
++ num_suites = ssl3_cipher_suites_test_presence(ss);
+ if (!num_suites)
+- return SECFailure; /* ssl3_config_match_init has set error code. */
++ return SECFailure; /* ssl3_cipher_suites_test_presence has set error code. */
+
+ /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
+ * only if TLS is disabled.
+@@ -4830,8 +4815,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+ ssl3_DisableNonDTLSSuites(ss);
+ }
+
+- /* how many suites are permitted by policy and user preference? */
+- num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
++ /* how many suites are permitted by user preference? */
++ num_suites = count_cipher_suites(ss);
+ if (!num_suites)
+ return SECFailure; /* count_cipher_suites has set error code. */
+ if (ss->ssl3.hs.sendingSCSV) {
+@@ -4921,7 +4906,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+ }
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+- if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
++ if (cipher_suite_available(suite)) {
+ actual_count++;
+ if (actual_count > num_suites) {
+ /* set error card removal/insertion error */
+@@ -5978,11 +5963,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ if (temp < 0) {
+ goto loser; /* alert has been sent */
+ }
+- ssl3_config_match_init(ss);
++ ssl3_cipher_suites_test_presence(ss);
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+ if (temp == suite->cipher_suite) {
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
++ if (!cipher_suite_available(suite)) {
+ break; /* failure */
+ }
+ if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+@@ -7155,7 +7140,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
+ sid->version = ss->version;
+
+ sid->u.ssl3.keys.resumable = PR_TRUE;
+- sid->u.ssl3.policy = SSL_ALLOWED;
+ sid->u.ssl3.clientWriteKey = NULL;
+ sid->u.ssl3.serverWriteKey = NULL;
+
+@@ -7537,7 +7521,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+
+ #ifdef PARANOID
+ /* Look for a matching cipher suite. */
+- j = ssl3_config_match_init(ss);
++ j = ssl3_cipher_suites_test_presence(ss);
+ if (j <= 0) { /* no ciphers are working/supported by PK11 */
+ errCode = PORT_GetError(); /* error code is already set. */
+ goto alert_loser;
+@@ -7573,12 +7557,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ if (j <= 0)
+ break;
+ #ifdef PARANOID
+- /* Double check that the cached cipher suite is still enabled,
+- * implemented, and allowed by policy. Might have been disabled.
+- * The product policy won't change during the process lifetime.
++ /* Double check that the cached cipher suite is still enabled, and
++ * implemented. Might have been disabled.
+ * Implemented ("isPresent") shouldn't change for servers.
+ */
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
++ if (!cipher_suite_available(suite))
+ break;
+ #else
+ if (!suite->enabled)
+@@ -7603,7 +7586,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+
+ #ifndef PARANOID
+ /* Look for a matching cipher suite. */
+- j = ssl3_config_match_init(ss);
++ j = ssl3_cipher_suites_test_presence(ss);
+ if (j <= 0) { /* no ciphers are working/supported by PK11 */
+ errCode = PORT_GetError(); /* error code is already set. */
+ goto alert_loser;
+@@ -7626,7 +7609,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ */
+ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
++ if (!cipher_suite_available(suite) ||
+ !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+ ss->version)) {
+ continue;
+@@ -7949,7 +7932,7 @@ compression_found:
+ ret = SSL_SNI_SEND_ALERT;
+ break;
+ }
+- configedCiphers = ssl3_config_match_init(ss);
++ configedCiphers = ssl3_cipher_suites_test_presence(ss);
+ if (configedCiphers <= 0) {
+ /* no ciphers are working/supported */
+ errCode = PORT_GetError();
+@@ -8146,7 +8129,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
+ /* Disable any ECC cipher suites for which we have no cert. */
+ ssl3_FilterECCipherSuitesByServerCerts(ss);
+ #endif
+- i = ssl3_config_match_init(ss);
++ i = ssl3_cipher_suites_test_presence(ss);
+ if (i <= 0) {
+ errCode = PORT_GetError(); /* error code is already set. */
+ goto alert_loser;
+@@ -8161,7 +8144,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
+ */
+ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
++ if (!cipher_suite_available(suite) ||
+ !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+ ss->version)) {
+ continue;
+@@ -10456,7 +10439,6 @@ xmit_loser:
+ /* fill in the sid */
+ sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
+ sid->u.ssl3.compression = ss->ssl3.hs.compression;
+- sid->u.ssl3.policy = ss->ssl3.policy;
+ #ifdef NSS_ENABLE_ECC
+ sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
+ #endif
+@@ -11533,8 +11515,6 @@ ssl3_InitState(sslSocket *ss)
+ if (ss->ssl3.initialized)
+ return SECSuccess; /* Function should be idempotent */
+
+- ss->ssl3.policy = SSL_ALLOWED;
+-
+ ssl_GetSpecWriteLock(ss);
+ ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
+ ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
+@@ -11644,40 +11624,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss)
+ }
+
+
+-/* record the export policy for this cipher suite */
+-SECStatus
+-ssl3_SetPolicy(ssl3CipherSuite which, int policy)
+-{
+- ssl3CipherSuiteCfg *suite;
+-
+- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+- if (suite == NULL) {
+- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
+- }
+- suite->policy = policy;
+-
+- return SECSuccess;
+-}
+-
+-SECStatus
+-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
+-{
+- ssl3CipherSuiteCfg *suite;
+- PRInt32 policy;
+- SECStatus rv;
+-
+- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+- if (suite) {
+- policy = suite->policy;
+- rv = SECSuccess;
+- } else {
+- policy = SSL_NOT_ALLOWED;
+- rv = SECFailure; /* err code was set by Lookup. */
+- }
+- *oPolicy = policy;
+- return rv;
+-}
+-
+ /* record the user preference for this suite */
+ SECStatus
+ ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
+@@ -11744,9 +11690,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
+ return rv;
+ }
+
+-/* copy global default policy into socket. */
++/* copy global default ciphersuite preferences into socket. */
+ void
+-ssl3_InitSocketPolicy(sslSocket *ss)
++ssl3_InitSocketCipherSuites(sslSocket *ss)
+ {
+ PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
+ }
+@@ -11813,8 +11759,8 @@ loser:
+ return rv;
+ }
+
+-/* ssl3_config_match_init must have already been called by
+- * the caller of this function.
++/* ssl3_cipher_suites_test_presence must have already been called by the caller
++ * of this function.
+ */
+ SECStatus
+ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
+@@ -11831,14 +11777,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
+ return SECSuccess;
+ }
+ if (cs == NULL) {
+- *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
++ *size = count_cipher_suites(ss);
+ return SECSuccess;
+ }
+
+- /* ssl3_config_match_init was called by the caller of this function. */
++ /* ssl3_cipher_suites_test_presence was called by the caller of this
++ * function. */
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
++ if (cipher_suite_available(suite)) {
+ if (cs != NULL) {
+ *cs++ = 0x00;
+ *cs++ = (suite->cipher_suite >> 8) & 0xFF;
+diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
+index 74995f1..19a6a58 100644
+--- a/nss/lib/ssl/ssl3ecc.c
++++ b/nss/lib/ssl/ssl3ecc.c
+@@ -1017,7 +1017,7 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
+ }
+
+ /* Ask: is ANY ECC cipher suite enabled on this socket? */
+-/* Order(N^2). Yuk. Also, this ignores export policy. */
++/* Order(N^2). Yuk. */
+ PRBool
+ ssl3_IsECCEnabled(sslSocket * ss)
+ {
+diff --git a/nss/lib/ssl/sslcon.c b/nss/lib/ssl/sslcon.c
+index 2fc6602..581a28c 100644
+--- a/nss/lib/ssl/sslcon.c
++++ b/nss/lib/ssl/sslcon.c
+@@ -20,9 +20,6 @@
+ #include "prinit.h"
+ #include "prtime.h" /* for PR_Now() */
+
+-#define XXX
+-static PRBool policyWasSet;
+-
+ /* This ordered list is indexed by (SSL_CK_xx * 3) */
+ /* Second and third bytes are MSB and LSB of master key length. */
+ static const PRUint8 allCipherSuites[] = {
+@@ -118,8 +115,6 @@ const char * const ssl_cipherName[] = {
+ /* bit-masks, showing which SSLv2 suites are allowed.
+ * lsb corresponds to first cipher suite in allCipherSuites[].
+ */
+-static PRUint16 allowedByPolicy; /* all off by default */
+-static PRUint16 maybeAllowedByPolicy; /* all off by default */
+ static PRUint16 chosenPreference = 0xff; /* all on by default */
+
+ /* bit values for the above two bit masks */
+@@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
+ count = 0;
+ PORT_Assert(ss != 0);
+ allowed = !ss->opt.enableSSL2 ? 0 :
+- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
++ (ss->chosenPreference & SSL_CB_IMPLEMENTED);
+ while (allowed) {
+ if (allowed & 1)
+ ++count;
+ allowed >>= 1;
+ }
+
+- /* Call ssl3_config_match_init() once here,
++ /* Call ssl3_cipher_suites_test_presence() once here,
+ * instead of inside ssl3_ConstructV2CipherSpecsHack(),
+ * because the latter gets called twice below,
+ * and then again in ssl2_BeginClientHandshake().
+ */
+- ssl3_config_match_init(ss);
++ ssl3_cipher_suites_test_presence(ss);
+
+ /* ask SSL3 how many cipher suites it has. */
+ rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
+@@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
+
+ /* fill in cipher specs for SSL2 cipher suites */
+ allowed = !ss->opt.enableSSL2 ? 0 :
+- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
++ (ss->chosenPreference & SSL_CB_IMPLEMENTED);
+ for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
+ const PRUint8 * hs = implementedCipherSuites + i;
+ int ok = allowed & (1U << hs[0]);
+@@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
+ static SECStatus
+ ssl2_CheckConfigSanity(sslSocket *ss)
+ {
+- unsigned int allowed;
+ int ssl3CipherCount = 0;
+ SECStatus rv;
+
+@@ -235,11 +229,10 @@ ssl2_CheckConfigSanity(sslSocket *ss)
+ if (!ss->cipherSpecs)
+ goto disabled;
+
+- allowed = ss->allowedByPolicy & ss->chosenPreference;
+- if (! allowed)
++ if (!ss->chosenPreference)
+ ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
+
+- /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
++ /* ssl3_cipher_suites_test_presence was called in ssl2_ConstructCipherSpecs(). */
+ /* Ask how many ssl3 CipherSuites were enabled. */
+ rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
+ if (rv != SECSuccess || ssl3CipherCount <= 0) {
+@@ -261,67 +254,6 @@ disabled:
+ /*
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this. Probably want a global lock.
+- */
+-SECStatus
+-ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
+-{
+- PRUint32 bitMask;
+- SECStatus rv = SECSuccess;
+-
+- which &= 0x000f;
+- bitMask = 1 << which;
+-
+- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+- return SECFailure;
+- }
+-
+- if (policy == SSL_ALLOWED) {
+- allowedByPolicy |= bitMask;
+- maybeAllowedByPolicy |= bitMask;
+- } else if (policy == SSL_RESTRICTED) {
+- allowedByPolicy &= ~bitMask;
+- maybeAllowedByPolicy |= bitMask;
+- } else {
+- allowedByPolicy &= ~bitMask;
+- maybeAllowedByPolicy &= ~bitMask;
+- }
+- allowedByPolicy &= SSL_CB_IMPLEMENTED;
+- maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED;
+-
+- policyWasSet = PR_TRUE;
+- return rv;
+-}
+-
+-SECStatus
+-ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
+-{
+- PRUint32 bitMask;
+- PRInt32 policy;
+-
+- which &= 0x000f;
+- bitMask = 1 << which;
+-
+- /* Caller assures oPolicy is not null. */
+- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+- *oPolicy = SSL_NOT_ALLOWED;
+- return SECFailure;
+- }
+-
+- if (maybeAllowedByPolicy & bitMask) {
+- policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
+- } else {
+- policy = SSL_NOT_ALLOWED;
+- }
+-
+- *oPolicy = policy;
+- return SECSuccess;
+-}
+-
+-/*
+- * Since this is a global (not per-socket) setting, we cannot use the
+- * HandshakeLock to protect this. Probably want a global lock.
+ * Called from SSL_CipherPrefSetDefault in sslsock.c
+ * These changes have no effect on any sslSockets already created.
+ */
+@@ -410,12 +342,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
+ }
+
+
+-/* copy global default policy into socket. */
++/* copy global default cipher suite preferences into socket. */
+ void
+-ssl2_InitSocketPolicy(sslSocket *ss)
++ssl2_InitSocketCipherSuites(sslSocket *ss)
+ {
+- ss->allowedByPolicy = allowedByPolicy;
+- ss->maybeAllowedByPolicy = maybeAllowedByPolicy;
+ ss->chosenPreference = chosenPreference;
+ }
+
+@@ -1556,7 +1486,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
+ unsigned int dkLen; /* decrypted key length in bytes */
+ int modulusLen;
+ SECStatus rv;
+- PRUint16 allowed; /* cipher kinds enabled and allowed by policy */
++ PRUint16 allowed; /* cipher kinds enabled */
+ PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES];
+
+ PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+@@ -1584,7 +1514,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
+ goto loser;
+ }
+
+- allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
++ allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
+ if (!(allowed & (1 << cipher))) {
+ /* client chose a kind we don't allow! */
+ SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
+@@ -1814,8 +1744,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss,
+ }
+
+ if (!ss->preferredCipher) {
+- unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
+- SSL_CB_IMPLEMENTED;
++ unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
+ if (allowed) {
+ preferred = implementedCipherSuites;
+ for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
+diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
+index e6792b3..ef085ba 100644
+--- a/nss/lib/ssl/sslimpl.h
++++ b/nss/lib/ssl/sslimpl.h
+@@ -273,17 +273,15 @@ struct sslBufferStr {
+ };
+
+ /*
+-** SSL3 cipher suite policy and preference struct.
++** SSL3 cipher suite preference struct.
+ */
+ typedef struct {
+ #if !defined(_WIN32)
+ unsigned int cipher_suite : 16;
+- unsigned int policy : 8;
+ unsigned int enabled : 1;
+ unsigned int isPresent : 1;
+ #else
+ ssl3CipherSuite cipher_suite;
+- PRUint8 policy;
+ unsigned char enabled : 1;
+ unsigned char isPresent : 1;
+ #endif
+@@ -637,7 +635,6 @@ struct sslSessionIDStr {
+
+ ssl3CipherSuite cipherSuite;
+ SSLCompressionMethod compression;
+- int policy;
+ ssl3SidKeys keys;
+ CK_MECHANISM_TYPE masterWrapMech;
+ /* mechanism used to wrap master secret */
+@@ -924,10 +921,6 @@ struct ssl3StateStr {
+ SECKEYPrivateKey *channelID; /* used by client */
+ SECKEYPublicKey *channelIDPub; /* used by client */
+
+- int policy;
+- /* This says what cipher suites we can do, and should
+- * be either SSL_ALLOWED or SSL_RESTRICTED
+- */
+ PLArenaPool * peerCertArena;
+ /* These are used to keep track of the peer CA */
+ void * peerCertChain;
+@@ -1233,8 +1226,6 @@ const unsigned char * preferredCipher;
+
+ PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
+
+- PRUint16 allowedByPolicy; /* copy of global policy bits. */
+- PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
+ PRUint16 chosenPreference; /* SSL2 cipher preferences. */
+
+ sslHandshakingType handshaking;
+@@ -1641,13 +1632,8 @@ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool
+ extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
+ extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
+
+-extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
+-extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
+-extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
+-extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
+-
+-extern void ssl2_InitSocketPolicy(sslSocket *ss);
+-extern void ssl3_InitSocketPolicy(sslSocket *ss);
++extern void ssl2_InitSocketCipherSuites(sslSocket *ss);
++extern void ssl3_InitSocketCipherSuites(sslSocket *ss);
+
+ extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
+ unsigned char *cs, int *size);
+@@ -1788,9 +1774,9 @@ extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
+ extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
+ extern void ssl_FreePRSocket(PRFileDesc *fd);
+
+-/* Internal config function so SSL2 can initialize the present state of
++/* Internal config function so SSL2 can initialize the present state of
+ * various ciphers */
+-extern int ssl3_config_match_init(sslSocket *);
++extern int ssl3_cipher_suites_test_presence(sslSocket *);
+
+ /* Create a new ref counted key pair object from two keys. */
+ extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
+diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
+index fd71aee..937a3b5 100644
+--- a/nss/lib/ssl/sslsock.c
++++ b/nss/lib/ssl/sslsock.c
+@@ -28,88 +28,6 @@
+
+ #define SET_ERROR_CODE /* reminder */
+
+-struct cipherPolicyStr {
+- int cipher;
+- unsigned char export; /* policy value for export policy */
+- unsigned char france; /* policy value for france policy */
+-};
+-
+-typedef struct cipherPolicyStr cipherPolicy;
+-
+-/* This table contains two preconfigured policies: Export and France.
+-** It is used only by the functions NSS_SetDomesticPolicy,
+-** NSS_SetExportPolicy, and NSS_SetFrancePolicy.
+-** Order of entries is not important.
+-*/
+-static cipherPolicy ssl_ciphers[] = { /* Export France */
+- { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
+- { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
+- { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED },
+- { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
+- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
+- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
+- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
+- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
+- { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
+- { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED },
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
+-#ifdef NSS_ENABLE_ECC
+- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
+- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
+- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+-#endif /* NSS_ENABLE_ECC */
+- { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
+-};
+-
+ static const sslSocketOps ssl_default_ops = { /* No SSL. */
+ ssl_DefConnect,
+ NULL,
+@@ -291,9 +209,7 @@ ssl_DupSocket(sslSocket *os)
+ ss->cTimeout = os->cTimeout;
+ ss->dbHandle = os->dbHandle;
+
+- /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
+- ss->allowedByPolicy = os->allowedByPolicy;
+- ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
++ /* copy ssl2&3 prefs, even if it's not selected (yet) */
+ ss->chosenPreference = os->chosenPreference;
+ PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
+ PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
+@@ -1183,55 +1099,20 @@ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ SECStatus
+ SSL_SetPolicy(long which, int policy)
+ {
+- if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
+- /* one of the two old FIPS ciphers */
+- if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
+- which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
+- else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
+- which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
+- }
+- if (ssl_IsRemovedCipherSuite(which))
+- return SECSuccess;
+- return SSL_CipherPolicySet(which, policy);
++ return SECSuccess;
+ }
+
+ SECStatus
+ SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
+ {
+- SECStatus rv = ssl_Init();
+-
+- if (rv != SECSuccess) {
+- return rv;
+- }
+-
+- if (ssl_IsRemovedCipherSuite(which)) {
+- rv = SECSuccess;
+- } else if (SSL_IS_SSL2_CIPHER(which)) {
+- rv = ssl2_SetPolicy(which, policy);
+- } else {
+- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+- }
+- return rv;
++ return SECSuccess;
+ }
+
+ SECStatus
+ SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
+ {
+- SECStatus rv;
+-
+- if (!oPolicy) {
+- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+- return SECFailure;
+- }
+- if (ssl_IsRemovedCipherSuite(which)) {
+- *oPolicy = SSL_NOT_ALLOWED;
+- rv = SECSuccess;
+- } else if (SSL_IS_SSL2_CIPHER(which)) {
+- rv = ssl2_GetPolicy(which, oPolicy);
+- } else {
+- rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
+- }
+- return rv;
++ *oPolicy = 0;
++ return SECSuccess;
+ }
+
+ /* Part of the public NSS API.
+@@ -1350,27 +1231,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
+ SECStatus
+ NSS_SetDomesticPolicy(void)
+ {
+- SECStatus status = SECSuccess;
+- cipherPolicy * policy;
+-
+- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
+- status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
+- if (status != SECSuccess)
+- break;
+- }
+- return status;
++ return SECSuccess;
+ }
+
+ SECStatus
+ NSS_SetExportPolicy(void)
+ {
+- return NSS_SetDomesticPolicy();
++ return SECSuccess;
+ }
+
+ SECStatus
+ NSS_SetFrancePolicy(void)
+ {
+- return NSS_SetDomesticPolicy();
++ return SECSuccess;
+ }
+
+ SECStatus
+@@ -3097,8 +2970,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
+ ss->getChannelIDArg = NULL;
+
+ ssl_ChooseOps(ss);
+- ssl2_InitSocketPolicy(ss);
+- ssl3_InitSocketPolicy(ss);
++ ssl2_InitSocketCipherSuites(ss);
++ ssl3_InitSocketCipherSuites(ss);
+ PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
+
+ if (makeLocks) {
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/ssl.h » ('j') | net/third_party/nss/ssl/ssl.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698