| Index: net/third_party/nss/ssl/ssl3con.c
|
| diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
|
| index 98e31d4ec68471f7f6148970ebd902fce60f9b94..41fdef791e18f0eceea37816e01965a91ffbda8a 100644
|
| --- a/net/third_party/nss/ssl/ssl3con.c
|
| +++ b/net/third_party/nss/ssl/ssl3con.c
|
| @@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
|
| * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
|
| */
|
| static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
|
| - /* cipher_suite policy enabled is_present*/
|
| + /* cipher_suite enabled is_present */
|
| #ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
|
| + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
|
| #ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| + { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
|
|
|
| #ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
|
| + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
|
| #ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| + { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
|
| - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| + { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE},
|
| + { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE},
|
| + { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
|
|
|
| #ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
|
| + { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
|
| + { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
|
| #ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
|
| + { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
|
|
|
|
|
| - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| + { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
|
|
|
| - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| + { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE},
|
| + { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE},
|
|
|
| #ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| - { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| - { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| -
|
| + { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
|
| + { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE},
|
| + { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE},
|
| };
|
|
|
| /* This list of SSL3 compression methods is sorted in descending order of
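Review bot: With the policy column removed, the `enabled` column of `cipherSuites` is the only static default that decides which suites a socket will use, and the table's header comment should say so, for example `/* cipher_suite, enabled (sole default gate), is_present (set by ssl3_cipher_suite_available_init) */`. This matters because the new rows keep `SSL_RSA_WITH_RC4_128_MD5`, `SSL_RSA_WITH_RC4_128_SHA` and the 3DES suites at `PR_TRUE`, whereas the removed rows all started at `SSL_NOT_ALLOWED` and needed a separate policy call before any suite matched. The initializers are positional, so they are only correct if the `policy` member was dropped from `ssl3CipherSuiteCfg` in the same change; that struct definition is outside this hunk.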
|
| @@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
|
| }
|
|
|
|
|
| -/* Initialize the suite->isPresent value for config_match
|
| +/* Initialize the suite->isPresent value for cipher_suite_available.
|
| * Returns count of enabled ciphers supported by extant tokens,
|
| - * regardless of policy or user preference.
|
| + * regardless of user preference.
|
| * If this returns zero, the user cannot do SSL v3.
|
| */
|
| int
|
| -ssl3_config_match_init(sslSocket *ss)
|
| +ssl3_cipher_suite_available_init(sslSocket *ss)
|
| {
|
| ssl3CipherSuiteCfg * suite;
|
| const ssl3CipherSuiteDef *cipher_def;
|
| @@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss)
|
| }
|
|
|
|
|
| -/* return PR_TRUE if suite matches policy and enabled state */
|
| -/* It would be a REALLY BAD THING (tm) if we ever permitted the use
|
| -** of a cipher that was NOT_ALLOWED. So, if this is ever called with
|
| -** policy == SSL_NOT_ALLOWED, report no match.
|
| -*/
|
| -/* adjust suite enabled to the availability of a token that can do the
|
| - * cipher suite. */
|
| +/* return PR_TRUE if the given cipher suite is enabled and present. */
|
| static PRBool
|
| -config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
|
| +cipher_suite_available(ssl3CipherSuiteCfg *suite)
|
| {
|
| - PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
|
| - if (policy == SSL_NOT_ALLOWED || !enabled)
|
| - return PR_FALSE;
|
| - return (PRBool)(suite->enabled &&
|
| - suite->isPresent &&
|
| - suite->policy != SSL_NOT_ALLOWED &&
|
| - suite->policy <= policy);
|
| + return (PRBool)(suite->enabled && suite->isPresent);
|
| }
|
|
|
| -/* return number of cipher suites that match policy and enabled state */
|
| -/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
|
| +/* return number of cipher suites that are enabled and present.
|
| + * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
|
| static int
|
| -count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
|
| +count_cipher_suites(sslSocket *ss)
|
| {
|
| int i, count = 0;
|
|
|
| if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
|
| - return 0;
|
| + return 0;
|
| }
|
| for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| - if (config_match(&ss->cipherSuites[i], policy, enabled))
|
| + if (cipher_suite_available(&ss->cipherSuites[i]))
|
| count++;
|
| }
|
| if (count <= 0) {
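Review bot: `cipher_suite_available` drops both the `PORT_Assert` and the comment explaining why a NOT_ALLOWED suite must never match, and the new one-line comment does not say that policy is no longer consulted at all. Since `ssl3_SetPolicy` and `ssl3_GetPolicy` are deleted later in this diff, I would state the new contract where the old warning stood: `/* Policy is no longer checked: a suite is usable iff the preference enables it and a token provides it (isPresent). */`. Any caller that relied on leaving policy at its default to keep a suite off would now depend on the `enabled` preference alone. `count_cipher_suites` continues past the end of this hunk.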
|
| @@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
|
|
| PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
|
| sid->u.ssl3.sessionIDLength));
|
| -
|
| - ss->ssl3.policy = sid->u.ssl3.policy;
|
| } else {
|
| SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
|
|
|
| @@ -4789,10 +4774,11 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| return SECFailure;
|
| }
|
|
|
| - /* how many suites does our PKCS11 support (regardless of policy)? */
|
| - num_suites = ssl3_config_match_init(ss);
|
| + /* how many suites does our PKCS11 support? */
|
| + num_suites = ssl3_cipher_suite_available_init(ss);
|
| if (!num_suites)
|
| - return SECFailure; /* ssl3_config_match_init has set error code. */
|
| + return SECFailure; /* ssl3_cipher_suite_available_init has set
|
| + * error code. */
|
|
|
| /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
|
| * only if TLS is disabled.
|
| @@ -4830,8 +4816,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| ssl3_DisableNonDTLSSuites(ss);
|
| }
|
|
|
| - /* how many suites are permitted by policy and user preference? */
|
| - num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
|
| + /* how many suites are permitted by user preference? */
|
| + num_suites = count_cipher_suites(ss);
|
| if (!num_suites)
|
| return SECFailure; /* count_cipher_suites has set error code. */
|
| if (ss->ssl3.hs.sendingSCSV) {
|
| @@ -4921,7 +4907,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
|
| }
|
| for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
|
| - if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
|
| + if (cipher_suite_available(suite)) {
|
| actual_count++;
|
| if (actual_count > num_suites) {
|
| /* set error card removal/insertion error */
|
| @@ -5978,11 +5964,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| if (temp < 0) {
|
| goto loser; /* alert has been sent */
|
| }
|
| - ssl3_config_match_init(ss);
|
| + ssl3_cipher_suite_available_init(ss);
|
| for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
|
| if (temp == suite->cipher_suite) {
|
| - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
|
| + if (!cipher_suite_available(suite)) {
|
| break; /* failure */
|
| }
|
| if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
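Review bot: The return value of `ssl3_cipher_suite_available_init(ss)` is discarded in `ssl3_HandleServerHello`, while the other call sites in this diff test it and fail when it is zero or negative. The loop below still rejects a server-selected suite that is not enabled and present, so this looks benign, but it should be explicit: either `(void)ssl3_cipher_suite_available_init(ss);` with a comment that the per-suite check covers the empty case, or the same `<= 0` test used elsewhere. With the policy argument gone, `cipher_suite_available(suite)` and the version check after it are the only visible checks that the suite the server chose is one this client is willing to use, which deserves a comment on that `if`. The function starts and ends outside the hunk.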
|
| @@ -7155,7 +7141,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
|
| sid->version = ss->version;
|
|
|
| sid->u.ssl3.keys.resumable = PR_TRUE;
|
| - sid->u.ssl3.policy = SSL_ALLOWED;
|
| sid->u.ssl3.clientWriteKey = NULL;
|
| sid->u.ssl3.serverWriteKey = NULL;
|
|
|
| @@ -7536,8 +7521,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| }
|
|
|
| #ifdef PARANOID
|
| - /* Look for a matching cipher suite. */
|
| - j = ssl3_config_match_init(ss);
|
| + /* Look for an available cipher suite. */
|
| + j = ssl3_cipher_suite_available_init(ss);
|
| if (j <= 0) { /* no ciphers are working/supported by PK11 */
|
| errCode = PORT_GetError(); /* error code is already set. */
|
| goto alert_loser;
|
| @@ -7573,12 +7558,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| if (j <= 0)
|
| break;
|
| #ifdef PARANOID
|
| - /* Double check that the cached cipher suite is still enabled,
|
| - * implemented, and allowed by policy. Might have been disabled.
|
| - * The product policy won't change during the process lifetime.
|
| + /* Double check that the cached cipher suite is still enabled and
|
| + * implemented. Might have been disabled.
|
| * Implemented ("isPresent") shouldn't change for servers.
|
| */
|
| - if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
|
| + if (!cipher_suite_available(suite))
|
| break;
|
| #else
|
| if (!suite->enabled)
|
| @@ -7602,8 +7586,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| /* START A NEW SESSION */
|
|
|
| #ifndef PARANOID
|
| - /* Look for a matching cipher suite. */
|
| - j = ssl3_config_match_init(ss);
|
| + /* Look for an available cipher suite. */
|
| + j = ssl3_cipher_suite_available_init(ss);
|
| if (j <= 0) { /* no ciphers are working/supported by PK11 */
|
| errCode = PORT_GetError(); /* error code is already set. */
|
| goto alert_loser;
|
| @@ -7626,7 +7610,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| */
|
| for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
|
| ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
|
| - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
|
| + if (!cipher_suite_available(suite) ||
|
| !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
|
| ss->version)) {
|
| continue;
|
| @@ -7645,7 +7629,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| goto alert_loser;
|
|
|
| suite_found:
|
| - /* Look for a matching compression algorithm. */
|
| + /* Select a compression algorithm. */
|
| for (i = 0; i < comps.len; i++) {
|
| if (!compressionEnabled(ss, comps.data[i]))
|
| continue;
|
| @@ -7949,7 +7933,7 @@ compression_found:
|
| ret = SSL_SNI_SEND_ALERT;
|
| break;
|
| }
|
| - configedCiphers = ssl3_config_match_init(ss);
|
| + configedCiphers = ssl3_cipher_suite_available_init(ss);
|
| if (configedCiphers <= 0) {
|
| /* no ciphers are working/supported */
|
| errCode = PORT_GetError();
|
| @@ -8146,7 +8130,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
|
| /* Disable any ECC cipher suites for which we have no cert. */
|
| ssl3_FilterECCipherSuitesByServerCerts(ss);
|
| #endif
|
| - i = ssl3_config_match_init(ss);
|
| + i = ssl3_cipher_suite_available_init(ss);
|
| if (i <= 0) {
|
| errCode = PORT_GetError(); /* error code is already set. */
|
| goto alert_loser;
|
| @@ -8161,7 +8145,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
|
| */
|
| for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
|
| ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
|
| - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
|
| + if (!cipher_suite_available(suite) ||
|
| !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
|
| ss->version)) {
|
| continue;
|
| @@ -10456,7 +10440,6 @@ xmit_loser:
|
| /* fill in the sid */
|
| sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
|
| sid->u.ssl3.compression = ss->ssl3.hs.compression;
|
| - sid->u.ssl3.policy = ss->ssl3.policy;
|
| #ifdef NSS_ENABLE_ECC
|
| sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
|
| #endif
|
| @@ -11534,8 +11517,6 @@ ssl3_InitState(sslSocket *ss)
|
| if (ss->ssl3.initialized)
|
| return SECSuccess; /* Function should be idempotent */
|
|
|
| - ss->ssl3.policy = SSL_ALLOWED;
|
| -
|
| ssl_GetSpecWriteLock(ss);
|
| ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
|
| ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
|
| @@ -11645,40 +11626,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss)
|
| }
|
|
|
|
|
| -/* record the export policy for this cipher suite */
|
| -SECStatus
|
| -ssl3_SetPolicy(ssl3CipherSuite which, int policy)
|
| -{
|
| - ssl3CipherSuiteCfg *suite;
|
| -
|
| - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
|
| - if (suite == NULL) {
|
| - return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
|
| - }
|
| - suite->policy = policy;
|
| -
|
| - return SECSuccess;
|
| -}
|
| -
|
| -SECStatus
|
| -ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
|
| -{
|
| - ssl3CipherSuiteCfg *suite;
|
| - PRInt32 policy;
|
| - SECStatus rv;
|
| -
|
| - suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
|
| - if (suite) {
|
| - policy = suite->policy;
|
| - rv = SECSuccess;
|
| - } else {
|
| - policy = SSL_NOT_ALLOWED;
|
| - rv = SECFailure; /* err code was set by Lookup. */
|
| - }
|
| - *oPolicy = policy;
|
| - return rv;
|
| -}
|
| -
|
| /* record the user preference for this suite */
|
| SECStatus
|
| ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
|
| @@ -11745,9 +11692,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
|
| return rv;
|
| }
|
|
|
| -/* copy global default policy into socket. */
|
| +/* copy global default ciphersuite preferences into socket. */
|
| void
|
| -ssl3_InitSocketPolicy(sslSocket *ss)
|
| +ssl3_InitSocketCipherSuites(sslSocket *ss)
|
| {
|
| PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
|
| }
|
| @@ -11814,8 +11761,8 @@ loser:
|
| return rv;
|
| }
|
|
|
| -/* ssl3_config_match_init must have already been called by
|
| - * the caller of this function.
|
| +/* ssl3_cipher_suite_available_init must have already been called by the caller
|
| + * of this function.
|
| */
|
| SECStatus
|
| ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
|
| @@ -11832,14 +11779,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
|
| return SECSuccess;
|
| }
|
| if (cs == NULL) {
|
| - *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
|
| + *size = count_cipher_suites(ss);
|
| return SECSuccess;
|
| }
|
|
|
| - /* ssl3_config_match_init was called by the caller of this function. */
|
| + /* ssl3_cipher_suite_available_init was called by the caller of this
|
| + * function. */
|
| for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
| ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
|
| - if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
|
| + if (cipher_suite_available(suite)) {
|
| if (cs != NULL) {
|
| *cs++ = 0x00;
|
| *cs++ = (suite->cipher_suite >> 8) & 0xFF;
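Review bot: The fill loop in `ssl3_ConstructV2CipherSpecsHack` writes through `cs` for every suite that `cipher_suite_available` accepts, and the lines visible here show no bound on how many entries are written. The buffer is presumably sized from an earlier `cs == NULL` call, but `isPresent` may differ by the time the buffer is filled; `ssl3_SendClientHello` guards the same pattern with `if (actual_count > num_suites)`. I would document the required buffer size in the header comment and, if the rest of the loop has no such guard, add an equivalent count check. Separately, the `cs == NULL` branch returns `SECSuccess` even when `count_cipher_suites` returns 0, which `ssl3_SendClientHello` treats as a failure with the error code already set. The loop body continues past the end of the hunk.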
|
|
|