| Index: net/third_party/nss/patches/rmcipherpolicy.patch
|
| diff --git a/net/third_party/nss/patches/rmcipherpolicy.patch b/net/third_party/nss/patches/rmcipherpolicy.patch
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..adb5c2a2c6a0ae6bdef0c27a389ba12b8300c6cf
|
| --- /dev/null
|
| +++ b/net/third_party/nss/patches/rmcipherpolicy.patch
|
| @@ -0,0 +1,1027 @@
|
| +diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
|
| +index c083a6b..4739fcf 100644
|
| +--- a/nss/lib/ssl/ssl.h
|
| ++++ b/nss/lib/ssl/ssl.h
|
| +@@ -244,7 +244,6 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd,
|
| + ** is enabled, otherwise it is disabled.
|
| + ** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
|
| + ** EnableCipher records user preferences.
|
| +-** SetPolicy sets the policy according to the policy module.
|
| + */
|
| + #ifdef SSL_DEPRECATED_FUNCTION
|
| + /* Old deprecated function names */
|
| +@@ -257,7 +256,11 @@ SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en
|
| + SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
|
| + SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
|
| + SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
|
| ++
|
| ++/* Policy functions are deprecated and no longer have any effect. They exist in
|
| ++ * order to maintain ABI compatibility. */
|
| + SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
|
| ++/* SSL_CipherPolicyGet sets *policy to SSL_ALLOWED and returns SECSuccess. */
|
| + SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
|
| +
|
| + /* SSLChannelBindingType enumerates the types of supported channel binding
|
| +@@ -352,7 +355,7 @@ SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd,
|
| + const SSLVersionRange *vrange);
|
| +
|
| +
|
| +-/* Values for "policy" argument to SSL_PolicySet */
|
| ++/* Values for "policy" argument to SSL_CipherPolicySet */
|
| + /* Values returned by SSL_CipherPolicyGet. */
|
| + #define SSL_NOT_ALLOWED 0 /* or invalid or unimplemented */
|
| + #define SSL_ALLOWED 1
|
| +@@ -892,26 +895,12 @@ SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert,
|
| + */
|
| + SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
|
| +
|
| +-/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
|
| +- * This essentially enables all supported ciphers.
|
| +- */
|
| ++/*
|
| ++** The NSS_Set*Policy functions have no effect and exist in order to maintain
|
| ++** ABI compatibility. All supported ciphers are now allowed.
|
| ++*/
|
| + SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void);
|
| +-
|
| +-/* Set cipher policies to a predefined Policy that is exportable from the USA
|
| +- * according to present U.S. policies as we understand them.
|
| +- * See documentation for the list.
|
| +- * Note that your particular application program may be able to obtain
|
| +- * an export license with more or fewer capabilities than those allowed
|
| +- * by this function. In that case, you should use SSL_SetPolicy()
|
| +- * to explicitly allow those ciphers you may legally export.
|
| +- */
|
| + SSL_IMPORT SECStatus NSS_SetExportPolicy(void);
|
| +-
|
| +-/* Set cipher policies to a predefined Policy that is exportable from the USA
|
| +- * according to present U.S. policies as we understand them, and that the
|
| +- * nation of France will permit to be imported into their country.
|
| +- * See documentation for the list.
|
| +- */
|
| + SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
|
| +
|
| + SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
|
| +diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
|
| +index 98e31d4..41fdef7 100644
|
| +--- a/nss/lib/ssl/ssl3con.c
|
| ++++ b/nss/lib/ssl/ssl3con.c
|
| +@@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
|
| + * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
|
| + */
|
| + static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
|
| +- /* cipher_suite policy enabled is_present*/
|
| ++ /* cipher_suite enabled is_present */
|
| + #ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| ++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + #endif /* NSS_ENABLE_ECC */
|
| +- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| ++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
|
| ++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
|
| ++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + #ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| ++ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + #endif /* NSS_ENABLE_ECC */
|
| +- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| ++ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
|
| ++ { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
|
| +
|
| + #ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| ++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
|
| + #endif /* NSS_ENABLE_ECC */
|
| +- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| ++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
|
| ++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
|
| ++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + #ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| ++ { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + #endif /* NSS_ENABLE_ECC */
|
| +- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
|
| +- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| ++ { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE},
|
| ++ { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE},
|
| ++ { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
|
| ++ { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
|
| +
|
| + #ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| ++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + #endif /* NSS_ENABLE_ECC */
|
| +- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| +- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| ++ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
|
| ++ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + #ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| ++ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + #endif /* NSS_ENABLE_ECC */
|
| +- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
|
| ++ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
|
| +
|
| +
|
| +- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| ++ { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| +
|
| +- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| ++ { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE},
|
| ++ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE},
|
| +
|
| + #ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| +- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| + #endif /* NSS_ENABLE_ECC */
|
| +- { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +- { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| +-
|
| ++ { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| ++ { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE},
|
| ++ { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE},
|
| + };
|
| +
|
| + /* This list of SSL3 compression methods is sorted in descending order of
|
| +@@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
|
| + }
|
| +
|
| +
|
| +-/* Initialize the suite->isPresent value for config_match
|
| ++/* Initialize the suite->isPresent value for cipher_suite_available.
|
| + * Returns count of enabled ciphers supported by extant tokens,
|
| +- * regardless of policy or user preference.
|
| ++ * regardless of user preference.
|
| + * If this returns zero, the user cannot do SSL v3.
|
| + */
|
| + int
|
| +-ssl3_config_match_init(sslSocket *ss)
|
| ++ssl3_cipher_suite_available_init(sslSocket *ss)
|
| + {
|
| + ssl3CipherSuiteCfg * suite;
|
| + const ssl3CipherSuiteDef *cipher_def;
|
| +@@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss)
|
| + }
|
| +
|
| +
|
| +-/* return PR_TRUE if suite matches policy and enabled state */
|
| +-/* It would be a REALLY BAD THING (tm) if we ever permitted the use
|
| +-** of a cipher that was NOT_ALLOWED. So, if this is ever called with
|
| +-** policy == SSL_NOT_ALLOWED, report no match.
|
| +-*/
|
| +-/* adjust suite enabled to the availability of a token that can do the
|
| +- * cipher suite. */
|
| ++/* return PR_TRUE if the given cipher suite is enabled and present. */
|
| + static PRBool
|
| +-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
|
| ++cipher_suite_available(ssl3CipherSuiteCfg *suite)
|
| + {
|
| +- PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
|
| +- if (policy == SSL_NOT_ALLOWED || !enabled)
|
| +- return PR_FALSE;
|
| +- return (PRBool)(suite->enabled &&
|
| +- suite->isPresent &&
|
| +- suite->policy != SSL_NOT_ALLOWED &&
|
| +- suite->policy <= policy);
|
| ++ return (PRBool)(suite->enabled && suite->isPresent);
|
| + }
|
| +
|
| +-/* return number of cipher suites that match policy and enabled state */
|
| +-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
|
| ++/* return number of cipher suites that are enabled and present.
|
| ++ * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
|
| + static int
|
| +-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
|
| ++count_cipher_suites(sslSocket *ss)
|
| + {
|
| + int i, count = 0;
|
| +
|
| + if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
|
| +- return 0;
|
| ++ return 0;
|
| + }
|
| + for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| +- if (config_match(&ss->cipherSuites[i], policy, enabled))
|
| ++ if (cipher_suite_available(&ss->cipherSuites[i]))
|
| + count++;
|
| + }
|
| + if (count <= 0) {
|
| +@@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| +
|
| + PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
|
| + sid->u.ssl3.sessionIDLength));
|
| +-
|
| +- ss->ssl3.policy = sid->u.ssl3.policy;
|
| + } else {
|
| + SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
|
| +
|
| +@@ -4789,10 +4774,11 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| + return SECFailure;
|
| + }
|
| +
|
| +- /* how many suites does our PKCS11 support (regardless of policy)? */
|
| +- num_suites = ssl3_config_match_init(ss);
|
| ++ /* how many suites does our PKCS11 support? */
|
| ++ num_suites = ssl3_cipher_suite_available_init(ss);
|
| + if (!num_suites)
|
| +- return SECFailure; /* ssl3_config_match_init has set error code. */
|
| ++ return SECFailure; /* ssl3_cipher_suite_available_init has set
|
| ++ * error code. */
|
| +
|
| + /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
|
| + * only if TLS is disabled.
|
| +@@ -4830,8 +4816,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| + ssl3_DisableNonDTLSSuites(ss);
|
| + }
|
| +
|
| +- /* how many suites are permitted by policy and user preference? */
|
| +- num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
|
| ++ /* how many suites are permitted by user preference? */
|
| ++ num_suites = count_cipher_suites(ss);
|
| + if (!num_suites)
|
| + return SECFailure; /* count_cipher_suites has set error code. */
|
| + if (ss->ssl3.hs.sendingSCSV) {
|
| +@@ -4921,7 +4907,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| + }
|
| + for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
|
| +- if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
|
| ++ if (cipher_suite_available(suite)) {
|
| + actual_count++;
|
| + if (actual_count > num_suites) {
|
| + /* set error card removal/insertion error */
|
| +@@ -5978,11 +5964,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| + if (temp < 0) {
|
| + goto loser; /* alert has been sent */
|
| + }
|
| +- ssl3_config_match_init(ss);
|
| ++ ssl3_cipher_suite_available_init(ss);
|
| + for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
|
| + if (temp == suite->cipher_suite) {
|
| +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
|
| ++ if (!cipher_suite_available(suite)) {
|
| + break; /* failure */
|
| + }
|
| + if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
|
| +@@ -7155,7 +7141,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
|
| + sid->version = ss->version;
|
| +
|
| + sid->u.ssl3.keys.resumable = PR_TRUE;
|
| +- sid->u.ssl3.policy = SSL_ALLOWED;
|
| + sid->u.ssl3.clientWriteKey = NULL;
|
| + sid->u.ssl3.serverWriteKey = NULL;
|
| +
|
| +@@ -7536,8 +7521,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| + }
|
| +
|
| + #ifdef PARANOID
|
| +- /* Look for a matching cipher suite. */
|
| +- j = ssl3_config_match_init(ss);
|
| ++ /* Look for an available cipher suite. */
|
| ++ j = ssl3_cipher_suite_available_init(ss);
|
| + if (j <= 0) { /* no ciphers are working/supported by PK11 */
|
| + errCode = PORT_GetError(); /* error code is already set. */
|
| + goto alert_loser;
|
| +@@ -7573,12 +7558,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| + if (j <= 0)
|
| + break;
|
| + #ifdef PARANOID
|
| +- /* Double check that the cached cipher suite is still enabled,
|
| +- * implemented, and allowed by policy. Might have been disabled.
|
| +- * The product policy won't change during the process lifetime.
|
| ++ /* Double check that the cached cipher suite is still enabled and
|
| ++ * implemented. Might have been disabled.
|
| + * Implemented ("isPresent") shouldn't change for servers.
|
| + */
|
| +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
|
| ++ if (!cipher_suite_available(suite))
|
| + break;
|
| + #else
|
| + if (!suite->enabled)
|
| +@@ -7602,8 +7586,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| + /* START A NEW SESSION */
|
| +
|
| + #ifndef PARANOID
|
| +- /* Look for a matching cipher suite. */
|
| +- j = ssl3_config_match_init(ss);
|
| ++ /* Look for an available cipher suite. */
|
| ++ j = ssl3_cipher_suite_available_init(ss);
|
| + if (j <= 0) { /* no ciphers are working/supported by PK11 */
|
| + errCode = PORT_GetError(); /* error code is already set. */
|
| + goto alert_loser;
|
| +@@ -7626,7 +7610,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| + */
|
| + for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
|
| + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
|
| +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
|
| ++ if (!cipher_suite_available(suite) ||
|
| + !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
|
| + ss->version)) {
|
| + continue;
|
| +@@ -7645,7 +7629,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| + goto alert_loser;
|
| +
|
| + suite_found:
|
| +- /* Look for a matching compression algorithm. */
|
| ++ /* Select a compression algorithm. */
|
| + for (i = 0; i < comps.len; i++) {
|
| + if (!compressionEnabled(ss, comps.data[i]))
|
| + continue;
|
| +@@ -7949,7 +7933,7 @@ compression_found:
|
| + ret = SSL_SNI_SEND_ALERT;
|
| + break;
|
| + }
|
| +- configedCiphers = ssl3_config_match_init(ss);
|
| ++ configedCiphers = ssl3_cipher_suite_available_init(ss);
|
| + if (configedCiphers <= 0) {
|
| + /* no ciphers are working/supported */
|
| + errCode = PORT_GetError();
|
| +@@ -8146,7 +8130,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
|
| + /* Disable any ECC cipher suites for which we have no cert. */
|
| + ssl3_FilterECCipherSuitesByServerCerts(ss);
|
| + #endif
|
| +- i = ssl3_config_match_init(ss);
|
| ++ i = ssl3_cipher_suite_available_init(ss);
|
| + if (i <= 0) {
|
| + errCode = PORT_GetError(); /* error code is already set. */
|
| + goto alert_loser;
|
| +@@ -8161,7 +8145,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
|
| + */
|
| + for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
|
| + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
|
| +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
|
| ++ if (!cipher_suite_available(suite) ||
|
| + !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
|
| + ss->version)) {
|
| + continue;
|
| +@@ -10456,7 +10440,6 @@ xmit_loser:
|
| + /* fill in the sid */
|
| + sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
|
| + sid->u.ssl3.compression = ss->ssl3.hs.compression;
|
| +- sid->u.ssl3.policy = ss->ssl3.policy;
|
| + #ifdef NSS_ENABLE_ECC
|
| + sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
|
| + #endif
|
| +@@ -11534,8 +11517,6 @@ ssl3_InitState(sslSocket *ss)
|
| + if (ss->ssl3.initialized)
|
| + return SECSuccess; /* Function should be idempotent */
|
| +
|
| +- ss->ssl3.policy = SSL_ALLOWED;
|
| +-
|
| + ssl_GetSpecWriteLock(ss);
|
| + ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
|
| + ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
|
| +@@ -11645,40 +11626,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss)
|
| + }
|
| +
|
| +
|
| +-/* record the export policy for this cipher suite */
|
| +-SECStatus
|
| +-ssl3_SetPolicy(ssl3CipherSuite which, int policy)
|
| +-{
|
| +- ssl3CipherSuiteCfg *suite;
|
| +-
|
| +- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
|
| +- if (suite == NULL) {
|
| +- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
|
| +- }
|
| +- suite->policy = policy;
|
| +-
|
| +- return SECSuccess;
|
| +-}
|
| +-
|
| +-SECStatus
|
| +-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
|
| +-{
|
| +- ssl3CipherSuiteCfg *suite;
|
| +- PRInt32 policy;
|
| +- SECStatus rv;
|
| +-
|
| +- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
|
| +- if (suite) {
|
| +- policy = suite->policy;
|
| +- rv = SECSuccess;
|
| +- } else {
|
| +- policy = SSL_NOT_ALLOWED;
|
| +- rv = SECFailure; /* err code was set by Lookup. */
|
| +- }
|
| +- *oPolicy = policy;
|
| +- return rv;
|
| +-}
|
| +-
|
| + /* record the user preference for this suite */
|
| + SECStatus
|
| + ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
|
| +@@ -11745,9 +11692,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
|
| + return rv;
|
| + }
|
| +
|
| +-/* copy global default policy into socket. */
|
| ++/* copy global default ciphersuite preferences into socket. */
|
| + void
|
| +-ssl3_InitSocketPolicy(sslSocket *ss)
|
| ++ssl3_InitSocketCipherSuites(sslSocket *ss)
|
| + {
|
| + PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
|
| + }
|
| +@@ -11814,8 +11761,8 @@ loser:
|
| + return rv;
|
| + }
|
| +
|
| +-/* ssl3_config_match_init must have already been called by
|
| +- * the caller of this function.
|
| ++/* ssl3_cipher_suite_available_init must have already been called by the caller
|
| ++ * of this function.
|
| + */
|
| + SECStatus
|
| + ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
|
| +@@ -11832,14 +11779,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
|
| + return SECSuccess;
|
| + }
|
| + if (cs == NULL) {
|
| +- *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
|
| ++ *size = count_cipher_suites(ss);
|
| + return SECSuccess;
|
| + }
|
| +
|
| +- /* ssl3_config_match_init was called by the caller of this function. */
|
| ++ /* ssl3_cipher_suite_available_init was called by the caller of this
|
| ++ * function. */
|
| + for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
|
| +- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
|
| ++ if (cipher_suite_available(suite)) {
|
| + if (cs != NULL) {
|
| + *cs++ = 0x00;
|
| + *cs++ = (suite->cipher_suite >> 8) & 0xFF;
|
| +diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
|
| +index 74995f1..19a6a58 100644
|
| +--- a/nss/lib/ssl/ssl3ecc.c
|
| ++++ b/nss/lib/ssl/ssl3ecc.c
|
| +@@ -1017,7 +1017,7 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
|
| + }
|
| +
|
| + /* Ask: is ANY ECC cipher suite enabled on this socket? */
|
| +-/* Order(N^2). Yuk. Also, this ignores export policy. */
|
| ++/* Order(N^2). Yuk. */
|
| + PRBool
|
| + ssl3_IsECCEnabled(sslSocket * ss)
|
| + {
|
| +diff --git a/nss/lib/ssl/sslcon.c b/nss/lib/ssl/sslcon.c
|
| +index 2fc6602..626839e 100644
|
| +--- a/nss/lib/ssl/sslcon.c
|
| ++++ b/nss/lib/ssl/sslcon.c
|
| +@@ -20,9 +20,6 @@
|
| + #include "prinit.h"
|
| + #include "prtime.h" /* for PR_Now() */
|
| +
|
| +-#define XXX
|
| +-static PRBool policyWasSet;
|
| +-
|
| + /* This ordered list is indexed by (SSL_CK_xx * 3) */
|
| + /* Second and third bytes are MSB and LSB of master key length. */
|
| + static const PRUint8 allCipherSuites[] = {
|
| +@@ -115,14 +112,12 @@ const char * const ssl_cipherName[] = {
|
| + };
|
| +
|
| +
|
| +-/* bit-masks, showing which SSLv2 suites are allowed.
|
| ++/* bit-mask, showing which SSLv2 suites are allowed.
|
| + * lsb corresponds to first cipher suite in allCipherSuites[].
|
| + */
|
| +-static PRUint16 allowedByPolicy; /* all off by default */
|
| +-static PRUint16 maybeAllowedByPolicy; /* all off by default */
|
| + static PRUint16 chosenPreference = 0xff; /* all on by default */
|
| +
|
| +-/* bit values for the above two bit masks */
|
| ++/* bit values for the above bit mask */
|
| + #define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5)
|
| + #define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
|
| + #define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
|
| +@@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
|
| + count = 0;
|
| + PORT_Assert(ss != 0);
|
| + allowed = !ss->opt.enableSSL2 ? 0 :
|
| +- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| ++ (ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| + while (allowed) {
|
| + if (allowed & 1)
|
| + ++count;
|
| + allowed >>= 1;
|
| + }
|
| +
|
| +- /* Call ssl3_config_match_init() once here,
|
| ++ /* Call ssl3_cipher_suite_available_init() once here,
|
| + * instead of inside ssl3_ConstructV2CipherSpecsHack(),
|
| + * because the latter gets called twice below,
|
| + * and then again in ssl2_BeginClientHandshake().
|
| + */
|
| +- ssl3_config_match_init(ss);
|
| ++ ssl3_cipher_suite_available_init(ss);
|
| +
|
| + /* ask SSL3 how many cipher suites it has. */
|
| + rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
|
| +@@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
|
| +
|
| + /* fill in cipher specs for SSL2 cipher suites */
|
| + allowed = !ss->opt.enableSSL2 ? 0 :
|
| +- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| ++ (ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| + for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
|
| + const PRUint8 * hs = implementedCipherSuites + i;
|
| + int ok = allowed & (1U << hs[0]);
|
| +@@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
|
| + static SECStatus
|
| + ssl2_CheckConfigSanity(sslSocket *ss)
|
| + {
|
| +- unsigned int allowed;
|
| + int ssl3CipherCount = 0;
|
| + SECStatus rv;
|
| +
|
| +@@ -235,11 +229,11 @@ ssl2_CheckConfigSanity(sslSocket *ss)
|
| + if (!ss->cipherSpecs)
|
| + goto disabled;
|
| +
|
| +- allowed = ss->allowedByPolicy & ss->chosenPreference;
|
| +- if (! allowed)
|
| ++ if (!ss->chosenPreference)
|
| + ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
|
| +
|
| +- /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
|
| ++ /* ssl3_cipher_suite_available_init was called in
|
| ++ * ssl2_ConstructCipherSpecs(). */
|
| + /* Ask how many ssl3 CipherSuites were enabled. */
|
| + rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
|
| + if (rv != SECSuccess || ssl3CipherCount <= 0) {
|
| +@@ -261,67 +255,6 @@ disabled:
|
| + /*
|
| + * Since this is a global (not per-socket) setting, we cannot use the
|
| + * HandshakeLock to protect this. Probably want a global lock.
|
| +- */
|
| +-SECStatus
|
| +-ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
|
| +-{
|
| +- PRUint32 bitMask;
|
| +- SECStatus rv = SECSuccess;
|
| +-
|
| +- which &= 0x000f;
|
| +- bitMask = 1 << which;
|
| +-
|
| +- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
|
| +- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
|
| +- return SECFailure;
|
| +- }
|
| +-
|
| +- if (policy == SSL_ALLOWED) {
|
| +- allowedByPolicy |= bitMask;
|
| +- maybeAllowedByPolicy |= bitMask;
|
| +- } else if (policy == SSL_RESTRICTED) {
|
| +- allowedByPolicy &= ~bitMask;
|
| +- maybeAllowedByPolicy |= bitMask;
|
| +- } else {
|
| +- allowedByPolicy &= ~bitMask;
|
| +- maybeAllowedByPolicy &= ~bitMask;
|
| +- }
|
| +- allowedByPolicy &= SSL_CB_IMPLEMENTED;
|
| +- maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED;
|
| +-
|
| +- policyWasSet = PR_TRUE;
|
| +- return rv;
|
| +-}
|
| +-
|
| +-SECStatus
|
| +-ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
|
| +-{
|
| +- PRUint32 bitMask;
|
| +- PRInt32 policy;
|
| +-
|
| +- which &= 0x000f;
|
| +- bitMask = 1 << which;
|
| +-
|
| +- /* Caller assures oPolicy is not null. */
|
| +- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
|
| +- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
|
| +- *oPolicy = SSL_NOT_ALLOWED;
|
| +- return SECFailure;
|
| +- }
|
| +-
|
| +- if (maybeAllowedByPolicy & bitMask) {
|
| +- policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
|
| +- } else {
|
| +- policy = SSL_NOT_ALLOWED;
|
| +- }
|
| +-
|
| +- *oPolicy = policy;
|
| +- return SECSuccess;
|
| +-}
|
| +-
|
| +-/*
|
| +- * Since this is a global (not per-socket) setting, we cannot use the
|
| +- * HandshakeLock to protect this. Probably want a global lock.
|
| + * Called from SSL_CipherPrefSetDefault in sslsock.c
|
| + * These changes have no effect on any sslSockets already created.
|
| + */
|
| +@@ -410,12 +343,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
|
| + }
|
| +
|
| +
|
| +-/* copy global default policy into socket. */
|
| ++/* copy global default cipher suite preferences into socket. */
|
| + void
|
| +-ssl2_InitSocketPolicy(sslSocket *ss)
|
| ++ssl2_InitSocketCipherSuites(sslSocket *ss)
|
| + {
|
| +- ss->allowedByPolicy = allowedByPolicy;
|
| +- ss->maybeAllowedByPolicy = maybeAllowedByPolicy;
|
| + ss->chosenPreference = chosenPreference;
|
| + }
|
| +
|
| +@@ -1556,7 +1487,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
|
| + unsigned int dkLen; /* decrypted key length in bytes */
|
| + int modulusLen;
|
| + SECStatus rv;
|
| +- PRUint16 allowed; /* cipher kinds enabled and allowed by policy */
|
| ++ PRUint16 allowed; /* cipher kinds enabled */
|
| + PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES];
|
| +
|
| + PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
|
| +@@ -1584,7 +1515,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
|
| + goto loser;
|
| + }
|
| +
|
| +- allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
|
| ++ allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
|
| + if (!(allowed & (1 << cipher))) {
|
| + /* client chose a kind we don't allow! */
|
| + SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
|
| +@@ -1814,8 +1745,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss,
|
| + }
|
| +
|
| + if (!ss->preferredCipher) {
|
| +- unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
|
| +- SSL_CB_IMPLEMENTED;
|
| ++ unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
|
| + if (allowed) {
|
| + preferred = implementedCipherSuites;
|
| + for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
|
| +diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
|
| +index e6792b3..0684042 100644
|
| +--- a/nss/lib/ssl/sslimpl.h
|
| ++++ b/nss/lib/ssl/sslimpl.h
|
| +@@ -273,17 +273,15 @@ struct sslBufferStr {
|
| + };
|
| +
|
| + /*
|
| +-** SSL3 cipher suite policy and preference struct.
|
| ++** SSL3 cipher suite preference struct.
|
| + */
|
| + typedef struct {
|
| + #if !defined(_WIN32)
|
| + unsigned int cipher_suite : 16;
|
| +- unsigned int policy : 8;
|
| + unsigned int enabled : 1;
|
| + unsigned int isPresent : 1;
|
| + #else
|
| + ssl3CipherSuite cipher_suite;
|
| +- PRUint8 policy;
|
| + unsigned char enabled : 1;
|
| + unsigned char isPresent : 1;
|
| + #endif
|
| +@@ -637,7 +635,6 @@ struct sslSessionIDStr {
|
| +
|
| + ssl3CipherSuite cipherSuite;
|
| + SSLCompressionMethod compression;
|
| +- int policy;
|
| + ssl3SidKeys keys;
|
| + CK_MECHANISM_TYPE masterWrapMech;
|
| + /* mechanism used to wrap master secret */
|
| +@@ -924,10 +921,6 @@ struct ssl3StateStr {
|
| + SECKEYPrivateKey *channelID; /* used by client */
|
| + SECKEYPublicKey *channelIDPub; /* used by client */
|
| +
|
| +- int policy;
|
| +- /* This says what cipher suites we can do, and should
|
| +- * be either SSL_ALLOWED or SSL_RESTRICTED
|
| +- */
|
| + PLArenaPool * peerCertArena;
|
| + /* These are used to keep track of the peer CA */
|
| + void * peerCertChain;
|
| +@@ -1233,8 +1226,6 @@ const unsigned char * preferredCipher;
|
| +
|
| + PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
|
| +
|
| +- PRUint16 allowedByPolicy; /* copy of global policy bits. */
|
| +- PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
|
| + PRUint16 chosenPreference; /* SSL2 cipher preferences. */
|
| +
|
| + sslHandshakingType handshaking;
|
| +@@ -1641,13 +1632,8 @@ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool
|
| + extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
|
| + extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
|
| +
|
| +-extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
|
| +-extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
|
| +-extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
|
| +-extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
|
| +-
|
| +-extern void ssl2_InitSocketPolicy(sslSocket *ss);
|
| +-extern void ssl3_InitSocketPolicy(sslSocket *ss);
|
| ++extern void ssl2_InitSocketCipherSuites(sslSocket *ss);
|
| ++extern void ssl3_InitSocketCipherSuites(sslSocket *ss);
|
| +
|
| + extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
|
| + unsigned char *cs, int *size);
|
| +@@ -1788,9 +1774,9 @@ extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
|
| + extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
|
| + extern void ssl_FreePRSocket(PRFileDesc *fd);
|
| +
|
| +-/* Internal config function so SSL2 can initialize the present state of
|
| +- * various ciphers */
|
| +-extern int ssl3_config_match_init(sslSocket *);
|
| ++/* Internal config function so SSL3 can test the present state of various
|
| ++ * ciphers */
|
| ++extern int ssl3_cipher_suite_available_init(sslSocket *);
|
| +
|
| + /* Create a new ref counted key pair object from two keys. */
|
| + extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
|
| +diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
|
| +index fd71aee..3b30efd 100644
|
| +--- a/nss/lib/ssl/sslsock.c
|
| ++++ b/nss/lib/ssl/sslsock.c
|
| +@@ -28,88 +28,6 @@
|
| +
|
| + #define SET_ERROR_CODE /* reminder */
|
| +
|
| +-struct cipherPolicyStr {
|
| +- int cipher;
|
| +- unsigned char export; /* policy value for export policy */
|
| +- unsigned char france; /* policy value for france policy */
|
| +-};
|
| +-
|
| +-typedef struct cipherPolicyStr cipherPolicy;
|
| +-
|
| +-/* This table contains two preconfigured policies: Export and France.
|
| +-** It is used only by the functions NSS_SetDomesticPolicy,
|
| +-** NSS_SetExportPolicy, and NSS_SetFrancePolicy.
|
| +-** Order of entries is not important.
|
| +-*/
|
| +-static cipherPolicy ssl_ciphers[] = { /* Export France */
|
| +- { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
|
| +-#ifdef NSS_ENABLE_ECC
|
| +- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| +- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| +-#endif /* NSS_ENABLE_ECC */
|
| +- { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
|
| +-};
|
| +-
|
| + static const sslSocketOps ssl_default_ops = { /* No SSL. */
|
| + ssl_DefConnect,
|
| + NULL,
|
| +@@ -291,9 +209,7 @@ ssl_DupSocket(sslSocket *os)
|
| + ss->cTimeout = os->cTimeout;
|
| + ss->dbHandle = os->dbHandle;
|
| +
|
| +- /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
|
| +- ss->allowedByPolicy = os->allowedByPolicy;
|
| +- ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
|
| ++ /* copy ssl2&3 prefs, even if it's not selected (yet) */
|
| + ss->chosenPreference = os->chosenPreference;
|
| + PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
|
| + PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
|
| +@@ -1176,62 +1092,23 @@ ssl_IsRemovedCipherSuite(PRInt32 suite)
|
| + }
|
| + }
|
| +
|
| +-/* Part of the public NSS API.
|
| +- * Since this is a global (not per-socket) setting, we cannot use the
|
| +- * HandshakeLock to protect this. Probably want a global lock.
|
| +- */
|
| + SECStatus
|
| + SSL_SetPolicy(long which, int policy)
|
| + {
|
| +- if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
|
| +- /* one of the two old FIPS ciphers */
|
| +- if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
|
| +- which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
|
| +- else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
|
| +- which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
|
| +- }
|
| +- if (ssl_IsRemovedCipherSuite(which))
|
| +- return SECSuccess;
|
| +- return SSL_CipherPolicySet(which, policy);
|
| ++ return SECSuccess;
|
| + }
|
| +
|
| + SECStatus
|
| + SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
|
| + {
|
| +- SECStatus rv = ssl_Init();
|
| +-
|
| +- if (rv != SECSuccess) {
|
| +- return rv;
|
| +- }
|
| +-
|
| +- if (ssl_IsRemovedCipherSuite(which)) {
|
| +- rv = SECSuccess;
|
| +- } else if (SSL_IS_SSL2_CIPHER(which)) {
|
| +- rv = ssl2_SetPolicy(which, policy);
|
| +- } else {
|
| +- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
|
| +- }
|
| +- return rv;
|
| ++ return SECSuccess;
|
| + }
|
| +
|
| + SECStatus
|
| + SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
|
| + {
|
| +- SECStatus rv;
|
| +-
|
| +- if (!oPolicy) {
|
| +- PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| +- return SECFailure;
|
| +- }
|
| +- if (ssl_IsRemovedCipherSuite(which)) {
|
| +- *oPolicy = SSL_NOT_ALLOWED;
|
| +- rv = SECSuccess;
|
| +- } else if (SSL_IS_SSL2_CIPHER(which)) {
|
| +- rv = ssl2_GetPolicy(which, oPolicy);
|
| +- } else {
|
| +- rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
|
| +- }
|
| +- return rv;
|
| ++ *oPolicy = SSL_ALLOWED;
|
| ++ return SECSuccess;
|
| + }
|
| +
|
| + /* Part of the public NSS API.
|
| +@@ -1350,27 +1227,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
|
| + SECStatus
|
| + NSS_SetDomesticPolicy(void)
|
| + {
|
| +- SECStatus status = SECSuccess;
|
| +- cipherPolicy * policy;
|
| +-
|
| +- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
|
| +- status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
|
| +- if (status != SECSuccess)
|
| +- break;
|
| +- }
|
| +- return status;
|
| ++ return SECSuccess;
|
| + }
|
| +
|
| + SECStatus
|
| + NSS_SetExportPolicy(void)
|
| + {
|
| +- return NSS_SetDomesticPolicy();
|
| ++ return SECSuccess;
|
| + }
|
| +
|
| + SECStatus
|
| + NSS_SetFrancePolicy(void)
|
| + {
|
| +- return NSS_SetDomesticPolicy();
|
| ++ return SECSuccess;
|
| + }
|
| +
|
| + SECStatus
|
| +@@ -3097,8 +2966,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
|
| + ss->getChannelIDArg = NULL;
|
| +
|
| + ssl_ChooseOps(ss);
|
| +- ssl2_InitSocketPolicy(ss);
|
| +- ssl3_InitSocketPolicy(ss);
|
| ++ ssl2_InitSocketCipherSuites(ss);
|
| ++ ssl3_InitSocketCipherSuites(ss);
|
| + PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
|
| +
|
| + if (makeLocks) {
|
|
|
Chromium Code Reviews
Issue 21564003:
NSS: remove cipher policy framework.
Base URL: svn://svn.chromium.org/chrome/trunk/src