Index: net/third_party/nss/patches/rmcipherpolicy.patch |
diff --git a/net/third_party/nss/patches/rmcipherpolicy.patch b/net/third_party/nss/patches/rmcipherpolicy.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..adb5c2a2c6a0ae6bdef0c27a389ba12b8300c6cf |
--- /dev/null |
+++ b/net/third_party/nss/patches/rmcipherpolicy.patch |
@@ -0,0 +1,1027 @@ |
+diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
+index c083a6b..4739fcf 100644 |
+--- a/nss/lib/ssl/ssl.h |
++++ b/nss/lib/ssl/ssl.h |
+@@ -244,7 +244,6 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd, |
+ ** is enabled, otherwise it is disabled. |
+ ** The "cipher" values are defined in sslproto.h (the SSL_EN_* values). |
+ ** EnableCipher records user preferences. |
+-** SetPolicy sets the policy according to the policy module. |
+ */ |
+ #ifdef SSL_DEPRECATED_FUNCTION |
+ /* Old deprecated function names */ |
+@@ -257,7 +256,11 @@ SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en |
+ SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled); |
+ SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); |
+ SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); |
++ |
++/* Policy functions are deprecated and no longer have any effect. They exist in |
++ * order to maintain ABI compatibility. */ |
+ SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); |
++/* SSL_CipherPolicyGet sets *policy to SSL_ALLOWED and returns SECSuccess. */ |
+ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); |
+ |
+ /* SSLChannelBindingType enumerates the types of supported channel binding |
+@@ -352,7 +355,7 @@ SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd, |
+ const SSLVersionRange *vrange); |
+ |
+ |
+-/* Values for "policy" argument to SSL_PolicySet */ |
++/* Values for "policy" argument to SSL_CipherPolicySet */ |
+ /* Values returned by SSL_CipherPolicyGet. */ |
+ #define SSL_NOT_ALLOWED 0 /* or invalid or unimplemented */ |
+ #define SSL_ALLOWED 1 |
+@@ -892,26 +895,12 @@ SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert, |
+ */ |
+ SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert); |
+ |
+-/* Set cipher policies to a predefined Domestic (U.S.A.) policy. |
+- * This essentially enables all supported ciphers. |
+- */ |
++/* |
++** The NSS_Set*Policy functions have no effect and exist in order to maintain |
++** ABI compatibility. All supported ciphers are now allowed. |
++*/ |
+ SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void); |
+- |
+-/* Set cipher policies to a predefined Policy that is exportable from the USA |
+- * according to present U.S. policies as we understand them. |
+- * See documentation for the list. |
+- * Note that your particular application program may be able to obtain |
+- * an export license with more or fewer capabilities than those allowed |
+- * by this function. In that case, you should use SSL_SetPolicy() |
+- * to explicitly allow those ciphers you may legally export. |
+- */ |
+ SSL_IMPORT SECStatus NSS_SetExportPolicy(void); |
+- |
+-/* Set cipher policies to a predefined Policy that is exportable from the USA |
+- * according to present U.S. policies as we understand them, and that the |
+- * nation of France will permit to be imported into their country. |
+- * See documentation for the list. |
+- */ |
+ SSL_IMPORT SECStatus NSS_SetFrancePolicy(void); |
+ |
+ SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void); |
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
+index 98e31d4..41fdef7 100644 |
+--- a/nss/lib/ssl/ssl3con.c |
++++ b/nss/lib/ssl/ssl3con.c |
+@@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
+ * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
+ */ |
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
+- /* cipher_suite policy enabled is_present*/ |
++ /* cipher_suite enabled is_present */ |
+ #ifdef NSS_ENABLE_ECC |
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ #endif /* NSS_ENABLE_ECC */ |
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ #ifdef NSS_ENABLE_ECC |
+- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
++ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ #endif /* NSS_ENABLE_ECC */ |
+- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
++ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
++ { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
+ |
+ #ifdef NSS_ENABLE_ECC |
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
+ #endif /* NSS_ENABLE_ECC */ |
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ #ifdef NSS_ENABLE_ECC |
+- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
++ { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ #endif /* NSS_ENABLE_ECC */ |
+- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
++ { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE}, |
++ { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE}, |
++ { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
++ { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
+ |
+ #ifdef NSS_ENABLE_ECC |
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ #endif /* NSS_ENABLE_ECC */ |
+- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
++ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
++ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ #ifdef NSS_ENABLE_ECC |
+- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
++ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ #endif /* NSS_ENABLE_ECC */ |
+- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
++ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ |
+ |
+- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
++ { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ |
+- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
++ { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE}, |
++ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE}, |
+ |
+ #ifdef NSS_ENABLE_ECC |
+- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
+ #endif /* NSS_ENABLE_ECC */ |
+- { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+- |
++ { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
++ { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE}, |
++ { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE}, |
+ }; |
+ |
+ /* This list of SSL3 compression methods is sorted in descending order of |
+@@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites) |
+ } |
+ |
+ |
+-/* Initialize the suite->isPresent value for config_match |
++/* Initialize the suite->isPresent value for cipher_suite_available. |
+ * Returns count of enabled ciphers supported by extant tokens, |
+- * regardless of policy or user preference. |
++ * regardless of user preference. |
+ * If this returns zero, the user cannot do SSL v3. |
+ */ |
+ int |
+-ssl3_config_match_init(sslSocket *ss) |
++ssl3_cipher_suite_available_init(sslSocket *ss) |
+ { |
+ ssl3CipherSuiteCfg * suite; |
+ const ssl3CipherSuiteDef *cipher_def; |
+@@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss) |
+ } |
+ |
+ |
+-/* return PR_TRUE if suite matches policy and enabled state */ |
+-/* It would be a REALLY BAD THING (tm) if we ever permitted the use |
+-** of a cipher that was NOT_ALLOWED. So, if this is ever called with |
+-** policy == SSL_NOT_ALLOWED, report no match. |
+-*/ |
+-/* adjust suite enabled to the availability of a token that can do the |
+- * cipher suite. */ |
++/* return PR_TRUE if the given cipher suite is enabled and present. */ |
+ static PRBool |
+-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) |
++cipher_suite_available(ssl3CipherSuiteCfg *suite) |
+ { |
+- PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
+- if (policy == SSL_NOT_ALLOWED || !enabled) |
+- return PR_FALSE; |
+- return (PRBool)(suite->enabled && |
+- suite->isPresent && |
+- suite->policy != SSL_NOT_ALLOWED && |
+- suite->policy <= policy); |
++ return (PRBool)(suite->enabled && suite->isPresent); |
+ } |
+ |
+-/* return number of cipher suites that match policy and enabled state */ |
+-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
++/* return number of cipher suites that are enabled and present. |
++ * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
+ static int |
+-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
++count_cipher_suites(sslSocket *ss) |
+ { |
+ int i, count = 0; |
+ |
+ if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
+- return 0; |
++ return 0; |
+ } |
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
+- if (config_match(&ss->cipherSuites[i], policy, enabled)) |
++ if (cipher_suite_available(&ss->cipherSuites[i])) |
+ count++; |
+ } |
+ if (count <= 0) { |
+@@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ |
+ PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
+ sid->u.ssl3.sessionIDLength)); |
+- |
+- ss->ssl3.policy = sid->u.ssl3.policy; |
+ } else { |
+ SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); |
+ |
+@@ -4789,10 +4774,11 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ return SECFailure; |
+ } |
+ |
+- /* how many suites does our PKCS11 support (regardless of policy)? */ |
+- num_suites = ssl3_config_match_init(ss); |
++ /* how many suites does our PKCS11 support? */ |
++ num_suites = ssl3_cipher_suite_available_init(ss); |
+ if (!num_suites) |
+- return SECFailure; /* ssl3_config_match_init has set error code. */ |
++ return SECFailure; /* ssl3_cipher_suite_available_init has set |
++ * error code. */ |
+ |
+ /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, |
+ * only if TLS is disabled. |
+@@ -4830,8 +4816,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ ssl3_DisableNonDTLSSuites(ss); |
+ } |
+ |
+- /* how many suites are permitted by policy and user preference? */ |
+- num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
++ /* how many suites are permitted by user preference? */ |
++ num_suites = count_cipher_suites(ss); |
+ if (!num_suites) |
+ return SECFailure; /* count_cipher_suites has set error code. */ |
+ if (ss->ssl3.hs.sendingSCSV) { |
+@@ -4921,7 +4907,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ } |
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
+- if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
++ if (cipher_suite_available(suite)) { |
+ actual_count++; |
+ if (actual_count > num_suites) { |
+ /* set error card removal/insertion error */ |
+@@ -5978,11 +5964,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ if (temp < 0) { |
+ goto loser; /* alert has been sent */ |
+ } |
+- ssl3_config_match_init(ss); |
++ ssl3_cipher_suite_available_init(ss); |
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
+ if (temp == suite->cipher_suite) { |
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
++ if (!cipher_suite_available(suite)) { |
+ break; /* failure */ |
+ } |
+ if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
+@@ -7155,7 +7141,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server) |
+ sid->version = ss->version; |
+ |
+ sid->u.ssl3.keys.resumable = PR_TRUE; |
+- sid->u.ssl3.policy = SSL_ALLOWED; |
+ sid->u.ssl3.clientWriteKey = NULL; |
+ sid->u.ssl3.serverWriteKey = NULL; |
+ |
+@@ -7536,8 +7521,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ } |
+ |
+ #ifdef PARANOID |
+- /* Look for a matching cipher suite. */ |
+- j = ssl3_config_match_init(ss); |
++ /* Look for an available cipher suite. */ |
++ j = ssl3_cipher_suite_available_init(ss); |
+ if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
+ errCode = PORT_GetError(); /* error code is already set. */ |
+ goto alert_loser; |
+@@ -7573,12 +7558,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ if (j <= 0) |
+ break; |
+ #ifdef PARANOID |
+- /* Double check that the cached cipher suite is still enabled, |
+- * implemented, and allowed by policy. Might have been disabled. |
+- * The product policy won't change during the process lifetime. |
++ /* Double check that the cached cipher suite is still enabled and |
++ * implemented. Might have been disabled. |
+ * Implemented ("isPresent") shouldn't change for servers. |
+ */ |
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) |
++ if (!cipher_suite_available(suite)) |
+ break; |
+ #else |
+ if (!suite->enabled) |
+@@ -7602,8 +7586,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ /* START A NEW SESSION */ |
+ |
+ #ifndef PARANOID |
+- /* Look for a matching cipher suite. */ |
+- j = ssl3_config_match_init(ss); |
++ /* Look for an available cipher suite. */ |
++ j = ssl3_cipher_suite_available_init(ss); |
+ if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
+ errCode = PORT_GetError(); /* error code is already set. */ |
+ goto alert_loser; |
+@@ -7626,7 +7610,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ */ |
+ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
++ if (!cipher_suite_available(suite) || |
+ !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
+ ss->version)) { |
+ continue; |
+@@ -7645,7 +7629,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ goto alert_loser; |
+ |
+ suite_found: |
+- /* Look for a matching compression algorithm. */ |
++ /* Select a compression algorithm. */ |
+ for (i = 0; i < comps.len; i++) { |
+ if (!compressionEnabled(ss, comps.data[i])) |
+ continue; |
+@@ -7949,7 +7933,7 @@ compression_found: |
+ ret = SSL_SNI_SEND_ALERT; |
+ break; |
+ } |
+- configedCiphers = ssl3_config_match_init(ss); |
++ configedCiphers = ssl3_cipher_suite_available_init(ss); |
+ if (configedCiphers <= 0) { |
+ /* no ciphers are working/supported */ |
+ errCode = PORT_GetError(); |
+@@ -8146,7 +8130,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) |
+ /* Disable any ECC cipher suites for which we have no cert. */ |
+ ssl3_FilterECCipherSuitesByServerCerts(ss); |
+ #endif |
+- i = ssl3_config_match_init(ss); |
++ i = ssl3_cipher_suite_available_init(ss); |
+ if (i <= 0) { |
+ errCode = PORT_GetError(); /* error code is already set. */ |
+ goto alert_loser; |
+@@ -8161,7 +8145,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) |
+ */ |
+ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
++ if (!cipher_suite_available(suite) || |
+ !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
+ ss->version)) { |
+ continue; |
+@@ -10456,7 +10440,6 @@ xmit_loser: |
+ /* fill in the sid */ |
+ sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; |
+ sid->u.ssl3.compression = ss->ssl3.hs.compression; |
+- sid->u.ssl3.policy = ss->ssl3.policy; |
+ #ifdef NSS_ENABLE_ECC |
+ sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; |
+ #endif |
+@@ -11534,8 +11517,6 @@ ssl3_InitState(sslSocket *ss) |
+ if (ss->ssl3.initialized) |
+ return SECSuccess; /* Function should be idempotent */ |
+ |
+- ss->ssl3.policy = SSL_ALLOWED; |
+- |
+ ssl_GetSpecWriteLock(ss); |
+ ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; |
+ ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; |
+@@ -11645,40 +11626,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss) |
+ } |
+ |
+ |
+-/* record the export policy for this cipher suite */ |
+-SECStatus |
+-ssl3_SetPolicy(ssl3CipherSuite which, int policy) |
+-{ |
+- ssl3CipherSuiteCfg *suite; |
+- |
+- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
+- if (suite == NULL) { |
+- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ |
+- } |
+- suite->policy = policy; |
+- |
+- return SECSuccess; |
+-} |
+- |
+-SECStatus |
+-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy) |
+-{ |
+- ssl3CipherSuiteCfg *suite; |
+- PRInt32 policy; |
+- SECStatus rv; |
+- |
+- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
+- if (suite) { |
+- policy = suite->policy; |
+- rv = SECSuccess; |
+- } else { |
+- policy = SSL_NOT_ALLOWED; |
+- rv = SECFailure; /* err code was set by Lookup. */ |
+- } |
+- *oPolicy = policy; |
+- return rv; |
+-} |
+- |
+ /* record the user preference for this suite */ |
+ SECStatus |
+ ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) |
+@@ -11745,9 +11692,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled) |
+ return rv; |
+ } |
+ |
+-/* copy global default policy into socket. */ |
++/* copy global default ciphersuite preferences into socket. */ |
+ void |
+-ssl3_InitSocketPolicy(sslSocket *ss) |
++ssl3_InitSocketCipherSuites(sslSocket *ss) |
+ { |
+ PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); |
+ } |
+@@ -11814,8 +11761,8 @@ loser: |
+ return rv; |
+ } |
+ |
+-/* ssl3_config_match_init must have already been called by |
+- * the caller of this function. |
++/* ssl3_cipher_suite_available_init must have already been called by the caller |
++ * of this function. |
+ */ |
+ SECStatus |
+ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
+@@ -11832,14 +11779,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
+ return SECSuccess; |
+ } |
+ if (cs == NULL) { |
+- *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
++ *size = count_cipher_suites(ss); |
+ return SECSuccess; |
+ } |
+ |
+- /* ssl3_config_match_init was called by the caller of this function. */ |
++ /* ssl3_cipher_suite_available_init was called by the caller of this |
++ * function. */ |
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
+- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { |
++ if (cipher_suite_available(suite)) { |
+ if (cs != NULL) { |
+ *cs++ = 0x00; |
+ *cs++ = (suite->cipher_suite >> 8) & 0xFF; |
+diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c |
+index 74995f1..19a6a58 100644 |
+--- a/nss/lib/ssl/ssl3ecc.c |
++++ b/nss/lib/ssl/ssl3ecc.c |
+@@ -1017,7 +1017,7 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss) |
+ } |
+ |
+ /* Ask: is ANY ECC cipher suite enabled on this socket? */ |
+-/* Order(N^2). Yuk. Also, this ignores export policy. */ |
++/* Order(N^2). Yuk. */ |
+ PRBool |
+ ssl3_IsECCEnabled(sslSocket * ss) |
+ { |
+diff --git a/nss/lib/ssl/sslcon.c b/nss/lib/ssl/sslcon.c |
+index 2fc6602..626839e 100644 |
+--- a/nss/lib/ssl/sslcon.c |
++++ b/nss/lib/ssl/sslcon.c |
+@@ -20,9 +20,6 @@ |
+ #include "prinit.h" |
+ #include "prtime.h" /* for PR_Now() */ |
+ |
+-#define XXX |
+-static PRBool policyWasSet; |
+- |
+ /* This ordered list is indexed by (SSL_CK_xx * 3) */ |
+ /* Second and third bytes are MSB and LSB of master key length. */ |
+ static const PRUint8 allCipherSuites[] = { |
+@@ -115,14 +112,12 @@ const char * const ssl_cipherName[] = { |
+ }; |
+ |
+ |
+-/* bit-masks, showing which SSLv2 suites are allowed. |
++/* bit-mask, showing which SSLv2 suites are allowed. |
+ * lsb corresponds to first cipher suite in allCipherSuites[]. |
+ */ |
+-static PRUint16 allowedByPolicy; /* all off by default */ |
+-static PRUint16 maybeAllowedByPolicy; /* all off by default */ |
+ static PRUint16 chosenPreference = 0xff; /* all on by default */ |
+ |
+-/* bit values for the above two bit masks */ |
++/* bit values for the above bit mask */ |
+ #define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5) |
+ #define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5) |
+ #define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5) |
+@@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
+ count = 0; |
+ PORT_Assert(ss != 0); |
+ allowed = !ss->opt.enableSSL2 ? 0 : |
+- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
++ (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
+ while (allowed) { |
+ if (allowed & 1) |
+ ++count; |
+ allowed >>= 1; |
+ } |
+ |
+- /* Call ssl3_config_match_init() once here, |
++ /* Call ssl3_cipher_suite_available_init() once here, |
+ * instead of inside ssl3_ConstructV2CipherSpecsHack(), |
+ * because the latter gets called twice below, |
+ * and then again in ssl2_BeginClientHandshake(). |
+ */ |
+- ssl3_config_match_init(ss); |
++ ssl3_cipher_suite_available_init(ss); |
+ |
+ /* ask SSL3 how many cipher suites it has. */ |
+ rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count); |
+@@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
+ |
+ /* fill in cipher specs for SSL2 cipher suites */ |
+ allowed = !ss->opt.enableSSL2 ? 0 : |
+- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED); |
++ (ss->chosenPreference & SSL_CB_IMPLEMENTED); |
+ for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) { |
+ const PRUint8 * hs = implementedCipherSuites + i; |
+ int ok = allowed & (1U << hs[0]); |
+@@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss) |
+ static SECStatus |
+ ssl2_CheckConfigSanity(sslSocket *ss) |
+ { |
+- unsigned int allowed; |
+ int ssl3CipherCount = 0; |
+ SECStatus rv; |
+ |
+@@ -235,11 +229,11 @@ ssl2_CheckConfigSanity(sslSocket *ss) |
+ if (!ss->cipherSpecs) |
+ goto disabled; |
+ |
+- allowed = ss->allowedByPolicy & ss->chosenPreference; |
+- if (! allowed) |
++ if (!ss->chosenPreference) |
+ ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */ |
+ |
+- /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */ |
++ /* ssl3_cipher_suite_available_init was called in |
++ * ssl2_ConstructCipherSpecs(). */ |
+ /* Ask how many ssl3 CipherSuites were enabled. */ |
+ rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount); |
+ if (rv != SECSuccess || ssl3CipherCount <= 0) { |
+@@ -261,67 +255,6 @@ disabled: |
+ /* |
+ * Since this is a global (not per-socket) setting, we cannot use the |
+ * HandshakeLock to protect this. Probably want a global lock. |
+- */ |
+-SECStatus |
+-ssl2_SetPolicy(PRInt32 which, PRInt32 policy) |
+-{ |
+- PRUint32 bitMask; |
+- SECStatus rv = SECSuccess; |
+- |
+- which &= 0x000f; |
+- bitMask = 1 << which; |
+- |
+- if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
+- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
+- return SECFailure; |
+- } |
+- |
+- if (policy == SSL_ALLOWED) { |
+- allowedByPolicy |= bitMask; |
+- maybeAllowedByPolicy |= bitMask; |
+- } else if (policy == SSL_RESTRICTED) { |
+- allowedByPolicy &= ~bitMask; |
+- maybeAllowedByPolicy |= bitMask; |
+- } else { |
+- allowedByPolicy &= ~bitMask; |
+- maybeAllowedByPolicy &= ~bitMask; |
+- } |
+- allowedByPolicy &= SSL_CB_IMPLEMENTED; |
+- maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED; |
+- |
+- policyWasSet = PR_TRUE; |
+- return rv; |
+-} |
+- |
+-SECStatus |
+-ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy) |
+-{ |
+- PRUint32 bitMask; |
+- PRInt32 policy; |
+- |
+- which &= 0x000f; |
+- bitMask = 1 << which; |
+- |
+- /* Caller assures oPolicy is not null. */ |
+- if (!(bitMask & SSL_CB_IMPLEMENTED)) { |
+- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
+- *oPolicy = SSL_NOT_ALLOWED; |
+- return SECFailure; |
+- } |
+- |
+- if (maybeAllowedByPolicy & bitMask) { |
+- policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED; |
+- } else { |
+- policy = SSL_NOT_ALLOWED; |
+- } |
+- |
+- *oPolicy = policy; |
+- return SECSuccess; |
+-} |
+- |
+-/* |
+- * Since this is a global (not per-socket) setting, we cannot use the |
+- * HandshakeLock to protect this. Probably want a global lock. |
+ * Called from SSL_CipherPrefSetDefault in sslsock.c |
+ * These changes have no effect on any sslSockets already created. |
+ */ |
+@@ -410,12 +343,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled) |
+ } |
+ |
+ |
+-/* copy global default policy into socket. */ |
++/* copy global default cipher suite preferences into socket. */ |
+ void |
+-ssl2_InitSocketPolicy(sslSocket *ss) |
++ssl2_InitSocketCipherSuites(sslSocket *ss) |
+ { |
+- ss->allowedByPolicy = allowedByPolicy; |
+- ss->maybeAllowedByPolicy = maybeAllowedByPolicy; |
+ ss->chosenPreference = chosenPreference; |
+ } |
+ |
+@@ -1556,7 +1487,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits, |
+ unsigned int dkLen; /* decrypted key length in bytes */ |
+ int modulusLen; |
+ SECStatus rv; |
+- PRUint16 allowed; /* cipher kinds enabled and allowed by policy */ |
++ PRUint16 allowed; /* cipher kinds enabled */ |
+ PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES]; |
+ |
+ PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); |
+@@ -1584,7 +1515,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits, |
+ goto loser; |
+ } |
+ |
+- allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED; |
++ allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
+ if (!(allowed & (1 << cipher))) { |
+ /* client chose a kind we don't allow! */ |
+ SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d", |
+@@ -1814,8 +1745,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss, |
+ } |
+ |
+ if (!ss->preferredCipher) { |
+- unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference & |
+- SSL_CB_IMPLEMENTED; |
++ unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED; |
+ if (allowed) { |
+ preferred = implementedCipherSuites; |
+ for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) { |
+diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
+index e6792b3..0684042 100644 |
+--- a/nss/lib/ssl/sslimpl.h |
++++ b/nss/lib/ssl/sslimpl.h |
+@@ -273,17 +273,15 @@ struct sslBufferStr { |
+ }; |
+ |
+ /* |
+-** SSL3 cipher suite policy and preference struct. |
++** SSL3 cipher suite preference struct. |
+ */ |
+ typedef struct { |
+ #if !defined(_WIN32) |
+ unsigned int cipher_suite : 16; |
+- unsigned int policy : 8; |
+ unsigned int enabled : 1; |
+ unsigned int isPresent : 1; |
+ #else |
+ ssl3CipherSuite cipher_suite; |
+- PRUint8 policy; |
+ unsigned char enabled : 1; |
+ unsigned char isPresent : 1; |
+ #endif |
+@@ -637,7 +635,6 @@ struct sslSessionIDStr { |
+ |
+ ssl3CipherSuite cipherSuite; |
+ SSLCompressionMethod compression; |
+- int policy; |
+ ssl3SidKeys keys; |
+ CK_MECHANISM_TYPE masterWrapMech; |
+ /* mechanism used to wrap master secret */ |
+@@ -924,10 +921,6 @@ struct ssl3StateStr { |
+ SECKEYPrivateKey *channelID; /* used by client */ |
+ SECKEYPublicKey *channelIDPub; /* used by client */ |
+ |
+- int policy; |
+- /* This says what cipher suites we can do, and should |
+- * be either SSL_ALLOWED or SSL_RESTRICTED |
+- */ |
+ PLArenaPool * peerCertArena; |
+ /* These are used to keep track of the peer CA */ |
+ void * peerCertChain; |
+@@ -1233,8 +1226,6 @@ const unsigned char * preferredCipher; |
+ |
+ PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */ |
+ |
+- PRUint16 allowedByPolicy; /* copy of global policy bits. */ |
+- PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */ |
+ PRUint16 chosenPreference; /* SSL2 cipher preferences. */ |
+ |
+ sslHandshakingType handshaking; |
+@@ -1641,13 +1632,8 @@ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool |
+ extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled); |
+ extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled); |
+ |
+-extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); |
+-extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); |
+-extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy); |
+-extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy); |
+- |
+-extern void ssl2_InitSocketPolicy(sslSocket *ss); |
+-extern void ssl3_InitSocketPolicy(sslSocket *ss); |
++extern void ssl2_InitSocketCipherSuites(sslSocket *ss); |
++extern void ssl3_InitSocketCipherSuites(sslSocket *ss); |
+ |
+ extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, |
+ unsigned char *cs, int *size); |
+@@ -1788,9 +1774,9 @@ extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, |
+ extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); |
+ extern void ssl_FreePRSocket(PRFileDesc *fd); |
+ |
+-/* Internal config function so SSL2 can initialize the present state of |
+- * various ciphers */ |
+-extern int ssl3_config_match_init(sslSocket *); |
++/* Internal config function so SSL3 can test the present state of various |
++ * ciphers */ |
++extern int ssl3_cipher_suite_available_init(sslSocket *); |
+ |
+ /* Create a new ref counted key pair object from two keys. */ |
+ extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, |
+diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
+index fd71aee..3b30efd 100644 |
+--- a/nss/lib/ssl/sslsock.c |
++++ b/nss/lib/ssl/sslsock.c |
+@@ -28,88 +28,6 @@ |
+ |
+ #define SET_ERROR_CODE /* reminder */ |
+ |
+-struct cipherPolicyStr { |
+- int cipher; |
+- unsigned char export; /* policy value for export policy */ |
+- unsigned char france; /* policy value for france policy */ |
+-}; |
+- |
+-typedef struct cipherPolicyStr cipherPolicy; |
+- |
+-/* This table contains two preconfigured policies: Export and France. |
+-** It is used only by the functions NSS_SetDomesticPolicy, |
+-** NSS_SetExportPolicy, and NSS_SetFrancePolicy. |
+-** Order of entries is not important. |
+-*/ |
+-static cipherPolicy ssl_ciphers[] = { /* Export France */ |
+- { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
+- { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
+- { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
+- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
+- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
+- { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
+- { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED }, |
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
+-#ifdef NSS_ENABLE_ECC |
+- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
+- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
+- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
+-#endif /* NSS_ENABLE_ECC */ |
+- { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
+-}; |
+- |
+ static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
+ ssl_DefConnect, |
+ NULL, |
+@@ -291,9 +209,7 @@ ssl_DupSocket(sslSocket *os) |
+ ss->cTimeout = os->cTimeout; |
+ ss->dbHandle = os->dbHandle; |
+ |
+- /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
+- ss->allowedByPolicy = os->allowedByPolicy; |
+- ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; |
++ /* copy ssl2&3 prefs, even if it's not selected (yet) */ |
+ ss->chosenPreference = os->chosenPreference; |
+ PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites); |
+ PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, |
+@@ -1176,62 +1092,23 @@ ssl_IsRemovedCipherSuite(PRInt32 suite) |
+ } |
+ } |
+ |
+-/* Part of the public NSS API. |
+- * Since this is a global (not per-socket) setting, we cannot use the |
+- * HandshakeLock to protect this. Probably want a global lock. |
+- */ |
+ SECStatus |
+ SSL_SetPolicy(long which, int policy) |
+ { |
+- if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
+- /* one of the two old FIPS ciphers */ |
+- if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
+- which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
+- else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
+- which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
+- } |
+- if (ssl_IsRemovedCipherSuite(which)) |
+- return SECSuccess; |
+- return SSL_CipherPolicySet(which, policy); |
++ return SECSuccess; |
+ } |
+ |
+ SECStatus |
+ SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
+ { |
+- SECStatus rv = ssl_Init(); |
+- |
+- if (rv != SECSuccess) { |
+- return rv; |
+- } |
+- |
+- if (ssl_IsRemovedCipherSuite(which)) { |
+- rv = SECSuccess; |
+- } else if (SSL_IS_SSL2_CIPHER(which)) { |
+- rv = ssl2_SetPolicy(which, policy); |
+- } else { |
+- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); |
+- } |
+- return rv; |
++ return SECSuccess; |
+ } |
+ |
+ SECStatus |
+ SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
+ { |
+- SECStatus rv; |
+- |
+- if (!oPolicy) { |
+- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+- return SECFailure; |
+- } |
+- if (ssl_IsRemovedCipherSuite(which)) { |
+- *oPolicy = SSL_NOT_ALLOWED; |
+- rv = SECSuccess; |
+- } else if (SSL_IS_SSL2_CIPHER(which)) { |
+- rv = ssl2_GetPolicy(which, oPolicy); |
+- } else { |
+- rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); |
+- } |
+- return rv; |
++ *oPolicy = SSL_ALLOWED; |
++ return SECSuccess; |
+ } |
+ |
+ /* Part of the public NSS API. |
+@@ -1350,27 +1227,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) |
+ SECStatus |
+ NSS_SetDomesticPolicy(void) |
+ { |
+- SECStatus status = SECSuccess; |
+- cipherPolicy * policy; |
+- |
+- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { |
+- status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED); |
+- if (status != SECSuccess) |
+- break; |
+- } |
+- return status; |
++ return SECSuccess; |
+ } |
+ |
+ SECStatus |
+ NSS_SetExportPolicy(void) |
+ { |
+- return NSS_SetDomesticPolicy(); |
++ return SECSuccess; |
+ } |
+ |
+ SECStatus |
+ NSS_SetFrancePolicy(void) |
+ { |
+- return NSS_SetDomesticPolicy(); |
++ return SECSuccess; |
+ } |
+ |
+ SECStatus |
+@@ -3097,8 +2966,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
+ ss->getChannelIDArg = NULL; |
+ |
+ ssl_ChooseOps(ss); |
+- ssl2_InitSocketPolicy(ss); |
+- ssl3_InitSocketPolicy(ss); |
++ ssl2_InitSocketCipherSuites(ss); |
++ ssl3_InitSocketCipherSuites(ss); |
+ PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); |
+ |
+ if (makeLocks) { |