Index: net/third_party/nss/ssl/ssl3con.c |
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c |
index 98e31d4ec68471f7f6148970ebd902fce60f9b94..41fdef791e18f0eceea37816e01965a91ffbda8a 100644 |
--- a/net/third_party/nss/ssl/ssl3con.c |
+++ b/net/third_party/nss/ssl/ssl3con.c |
@@ -88,85 +88,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
* in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
*/ |
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
- /* cipher_suite policy enabled is_present*/ |
+ /* cipher_suite enabled is_present */ |
#ifdef NSS_ENABLE_ECC |
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
#ifdef NSS_ENABLE_ECC |
- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE}, |
#ifdef NSS_ENABLE_ECC |
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
#ifdef NSS_ENABLE_ECC |
- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+ { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE}, |
+ { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE}, |
+ { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE}, |
#ifdef NSS_ENABLE_ECC |
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
#ifdef NSS_ENABLE_ECC |
- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE}, |
- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+ { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE}, |
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+ { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE}, |
+ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE}, |
#ifdef NSS_ENABLE_ECC |
- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
- { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
- |
+ { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE}, |
+ { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE}, |
+ { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE}, |
}; |
/* This list of SSL3 compression methods is sorted in descending order of |
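Review bot: The table's header comment at the top of this hunk only renames the columns and does not record that `enabled` is now the sole default gate for a suite. On the old side every row carried SSL_NOT_ALLOWED, so config_match rejected a suite until its policy value was changed elsewhere; on the new side a PR_TRUE in this table (for example the SSL_RSA_WITH_RC4_128_MD5 and 3DES rows) takes effect as soon as the suite is marked present. I would extend the comment to say so, e.g. `/* enabled is the only default gate now that the policy column is gone; keep export, single-DES and NULL suites PR_FALSE. */`. The initializers are positional, so the matching field removal in the struct definition (not part of this file's diff) has to land together with this hunk.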
@@ -643,13 +642,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites) |
} |
-/* Initialize the suite->isPresent value for config_match |
+/* Initialize the suite->isPresent value for cipher_suite_available. |
* Returns count of enabled ciphers supported by extant tokens, |
- * regardless of policy or user preference. |
+ * regardless of user preference. |
* If this returns zero, the user cannot do SSL v3. |
*/ |
int |
-ssl3_config_match_init(sslSocket *ss) |
+ssl3_cipher_suite_available_init(sslSocket *ss) |
{ |
ssl3CipherSuiteCfg * suite; |
const ssl3CipherSuiteDef *cipher_def; |
@@ -745,37 +744,25 @@ ssl3_config_match_init(sslSocket *ss) |
} |
-/* return PR_TRUE if suite matches policy and enabled state */ |
-/* It would be a REALLY BAD THING (tm) if we ever permitted the use |
-** of a cipher that was NOT_ALLOWED. So, if this is ever called with |
-** policy == SSL_NOT_ALLOWED, report no match. |
-*/ |
-/* adjust suite enabled to the availability of a token that can do the |
- * cipher suite. */ |
+/* return PR_TRUE if the given cipher suite is enabled and present. */ |
static PRBool |
-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) |
+cipher_suite_available(ssl3CipherSuiteCfg *suite) |
{ |
- PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
- if (policy == SSL_NOT_ALLOWED || !enabled) |
- return PR_FALSE; |
- return (PRBool)(suite->enabled && |
- suite->isPresent && |
- suite->policy != SSL_NOT_ALLOWED && |
- suite->policy <= policy); |
+ return (PRBool)(suite->enabled && suite->isPresent); |
} |
-/* return number of cipher suites that match policy and enabled state */ |
-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
+/* return number of cipher suites that are enabled and present. |
+ * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
static int |
-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
+count_cipher_suites(sslSocket *ss) |
{ |
int i, count = 0; |
if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
- return 0; |
+ return 0; |
} |
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
- if (config_match(&ss->cipherSuites[i], policy, enabled)) |
+ if (cipher_suite_available(&ss->cipherSuites[i])) |
count++; |
} |
if (count <= 0) { |
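Review bot: cipher_suite_available reads `suite->isPresent`, which per the comment on ssl3_cipher_suite_available_init is initialized by that function, but the new one-line comment does not state this precondition. With the old policy guard and its PORT_Assert removed, this two-field test is the only check left before a suite is offered or accepted, so the contract deserves a line: `/* Caller must have run ssl3_cipher_suite_available_init(ss) so isPresent is current. */`. The function only reads through the pointer, so the parameter could be `const ssl3CipherSuiteCfg *suite`. count_cipher_suites continues past the end of this hunk.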
@@ -4738,8 +4725,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
sid->u.ssl3.sessionIDLength)); |
- |
- ss->ssl3.policy = sid->u.ssl3.policy; |
} else { |
SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); |
@@ -4789,10 +4774,11 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
return SECFailure; |
} |
- /* how many suites does our PKCS11 support (regardless of policy)? */ |
- num_suites = ssl3_config_match_init(ss); |
+ /* how many suites does our PKCS11 support? */ |
+ num_suites = ssl3_cipher_suite_available_init(ss); |
if (!num_suites) |
- return SECFailure; /* ssl3_config_match_init has set error code. */ |
+ return SECFailure; /* ssl3_cipher_suite_available_init has set |
+ * error code. */ |
/* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, |
* only if TLS is disabled. |
@@ -4830,8 +4816,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
ssl3_DisableNonDTLSSuites(ss); |
} |
- /* how many suites are permitted by policy and user preference? */ |
- num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
+ /* how many suites are permitted by user preference? */ |
+ num_suites = count_cipher_suites(ss); |
if (!num_suites) |
return SECFailure; /* count_cipher_suites has set error code. */ |
if (ss->ssl3.hs.sendingSCSV) { |
@@ -4921,7 +4907,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
} |
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
- if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
+ if (cipher_suite_available(suite)) { |
actual_count++; |
if (actual_count > num_suites) { |
/* set error card removal/insertion error */ |
@@ -5978,11 +5964,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
if (temp < 0) { |
goto loser; /* alert has been sent */ |
} |
- ssl3_config_match_init(ss); |
+ ssl3_cipher_suite_available_init(ss); |
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
if (temp == suite->cipher_suite) { |
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) { |
+ if (!cipher_suite_available(suite)) { |
break; /* failure */ |
} |
if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
@@ -7155,7 +7141,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server) |
sid->version = ss->version; |
sid->u.ssl3.keys.resumable = PR_TRUE; |
- sid->u.ssl3.policy = SSL_ALLOWED; |
sid->u.ssl3.clientWriteKey = NULL; |
sid->u.ssl3.serverWriteKey = NULL; |
@@ -7536,8 +7521,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
} |
#ifdef PARANOID |
- /* Look for a matching cipher suite. */ |
- j = ssl3_config_match_init(ss); |
+ /* Look for an available cipher suite. */ |
+ j = ssl3_cipher_suite_available_init(ss); |
if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
errCode = PORT_GetError(); /* error code is already set. */ |
goto alert_loser; |
@@ -7573,12 +7558,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
if (j <= 0) |
break; |
#ifdef PARANOID |
- /* Double check that the cached cipher suite is still enabled, |
- * implemented, and allowed by policy. Might have been disabled. |
- * The product policy won't change during the process lifetime. |
+ /* Double check that the cached cipher suite is still enabled and |
+ * implemented. Might have been disabled. |
* Implemented ("isPresent") shouldn't change for servers. |
*/ |
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) |
+ if (!cipher_suite_available(suite)) |
break; |
#else |
if (!suite->enabled) |
@@ -7602,8 +7586,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
/* START A NEW SESSION */ |
#ifndef PARANOID |
- /* Look for a matching cipher suite. */ |
- j = ssl3_config_match_init(ss); |
+ /* Look for an available cipher suite. */ |
+ j = ssl3_cipher_suite_available_init(ss); |
if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
errCode = PORT_GetError(); /* error code is already set. */ |
goto alert_loser; |
@@ -7626,7 +7610,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
*/ |
for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
+ if (!cipher_suite_available(suite) || |
!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
ss->version)) { |
continue; |
@@ -7645,7 +7629,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
goto alert_loser; |
suite_found: |
- /* Look for a matching compression algorithm. */ |
+ /* Select a compression algorithm. */ |
for (i = 0; i < comps.len; i++) { |
if (!compressionEnabled(ss, comps.data[i])) |
continue; |
@@ -7949,7 +7933,7 @@ compression_found: |
ret = SSL_SNI_SEND_ALERT; |
break; |
} |
- configedCiphers = ssl3_config_match_init(ss); |
+ configedCiphers = ssl3_cipher_suite_available_init(ss); |
if (configedCiphers <= 0) { |
/* no ciphers are working/supported */ |
errCode = PORT_GetError(); |
@@ -8146,7 +8130,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) |
/* Disable any ECC cipher suites for which we have no cert. */ |
ssl3_FilterECCipherSuitesByServerCerts(ss); |
#endif |
- i = ssl3_config_match_init(ss); |
+ i = ssl3_cipher_suite_available_init(ss); |
if (i <= 0) { |
errCode = PORT_GetError(); /* error code is already set. */ |
goto alert_loser; |
@@ -8161,7 +8145,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) |
*/ |
for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || |
+ if (!cipher_suite_available(suite) || |
!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, |
ss->version)) { |
continue; |
@@ -10456,7 +10440,6 @@ xmit_loser: |
/* fill in the sid */ |
sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; |
sid->u.ssl3.compression = ss->ssl3.hs.compression; |
- sid->u.ssl3.policy = ss->ssl3.policy; |
#ifdef NSS_ENABLE_ECC |
sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; |
#endif |
@@ -11534,8 +11517,6 @@ ssl3_InitState(sslSocket *ss) |
if (ss->ssl3.initialized) |
return SECSuccess; /* Function should be idempotent */ |
- ss->ssl3.policy = SSL_ALLOWED; |
- |
ssl_GetSpecWriteLock(ss); |
ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; |
ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; |
@@ -11645,40 +11626,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss) |
} |
-/* record the export policy for this cipher suite */ |
-SECStatus |
-ssl3_SetPolicy(ssl3CipherSuite which, int policy) |
-{ |
- ssl3CipherSuiteCfg *suite; |
- |
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
- if (suite == NULL) { |
- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ |
- } |
- suite->policy = policy; |
- |
- return SECSuccess; |
-} |
- |
-SECStatus |
-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy) |
-{ |
- ssl3CipherSuiteCfg *suite; |
- PRInt32 policy; |
- SECStatus rv; |
- |
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
- if (suite) { |
- policy = suite->policy; |
- rv = SECSuccess; |
- } else { |
- policy = SSL_NOT_ALLOWED; |
- rv = SECFailure; /* err code was set by Lookup. */ |
- } |
- *oPolicy = policy; |
- return rv; |
-} |
- |
/* record the user preference for this suite */ |
SECStatus |
ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) |
@@ -11745,9 +11692,9 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled) |
return rv; |
} |
-/* copy global default policy into socket. */ |
+/* copy global default ciphersuite preferences into socket. */ |
void |
-ssl3_InitSocketPolicy(sslSocket *ss) |
+ssl3_InitSocketCipherSuites(sslSocket *ss) |
{ |
PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); |
} |
@@ -11814,8 +11761,8 @@ loser: |
return rv; |
} |
-/* ssl3_config_match_init must have already been called by |
- * the caller of this function. |
+/* ssl3_cipher_suite_available_init must have already been called by the caller |
+ * of this function. |
*/ |
SECStatus |
ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
@@ -11832,14 +11779,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
return SECSuccess; |
} |
if (cs == NULL) { |
- *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
+ *size = count_cipher_suites(ss); |
return SECSuccess; |
} |
- /* ssl3_config_match_init was called by the caller of this function. */ |
+ /* ssl3_cipher_suite_available_init was called by the caller of this |
+ * function. */ |
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { |
+ if (cipher_suite_available(suite)) { |
if (cs != NULL) { |
*cs++ = 0x00; |
*cs++ = (suite->cipher_suite >> 8) & 0xFF; |