| Index: net/third_party/nss/ssl/sslcon.c
|
| diff --git a/net/third_party/nss/ssl/sslcon.c b/net/third_party/nss/ssl/sslcon.c
|
| index 2fc6602a2b61301eaee56bb6a0415693672350ef..626839e90494e106ad7a8a0ab7429cd2c6d67cff 100644
|
| --- a/net/third_party/nss/ssl/sslcon.c
|
| +++ b/net/third_party/nss/ssl/sslcon.c
|
| @@ -20,9 +20,6 @@
|
| #include "prinit.h"
|
| #include "prtime.h" /* for PR_Now() */
|
|
|
| -#define XXX
|
| -static PRBool policyWasSet;
|
| -
|
| /* This ordered list is indexed by (SSL_CK_xx * 3) */
|
| /* Second and third bytes are MSB and LSB of master key length. */
|
| static const PRUint8 allCipherSuites[] = {
|
| @@ -115,14 +112,12 @@ const char * const ssl_cipherName[] = {
|
| };
|
|
|
|
|
| -/* bit-masks, showing which SSLv2 suites are allowed.
|
| +/* bit-mask, showing which SSLv2 suites are allowed.
|
| * lsb corresponds to first cipher suite in allCipherSuites[].
|
| */
|
| -static PRUint16 allowedByPolicy; /* all off by default */
|
| -static PRUint16 maybeAllowedByPolicy; /* all off by default */
|
| static PRUint16 chosenPreference = 0xff; /* all on by default */
|
|
|
| -/* bit values for the above two bit masks */
|
| +/* bit values for the above bit mask */
|
| #define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5)
|
| #define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
|
| #define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
|
| @@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
|
| count = 0;
|
| PORT_Assert(ss != 0);
|
| allowed = !ss->opt.enableSSL2 ? 0 :
|
| - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| + (ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| while (allowed) {
|
| if (allowed & 1)
|
| ++count;
|
| allowed >>= 1;
|
| }
|
|
|
| - /* Call ssl3_config_match_init() once here,
|
| + /* Call ssl3_cipher_suite_available_init() once here,
|
| * instead of inside ssl3_ConstructV2CipherSpecsHack(),
|
| * because the latter gets called twice below,
|
| * and then again in ssl2_BeginClientHandshake().
|
| */
|
| - ssl3_config_match_init(ss);
|
| + ssl3_cipher_suite_available_init(ss);
|
|
|
| /* ask SSL3 how many cipher suites it has. */
|
| rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
|
| @@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
|
|
|
| /* fill in cipher specs for SSL2 cipher suites */
|
| allowed = !ss->opt.enableSSL2 ? 0 :
|
| - (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| + (ss->chosenPreference & SSL_CB_IMPLEMENTED);
|
| for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
|
| const PRUint8 * hs = implementedCipherSuites + i;
|
| int ok = allowed & (1U << hs[0]);
|
| @@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
|
| static SECStatus
|
| ssl2_CheckConfigSanity(sslSocket *ss)
|
| {
|
| - unsigned int allowed;
|
| int ssl3CipherCount = 0;
|
| SECStatus rv;
|
|
|
| @@ -235,11 +229,11 @@ ssl2_CheckConfigSanity(sslSocket *ss)
|
| if (!ss->cipherSpecs)
|
| goto disabled;
|
|
|
| - allowed = ss->allowedByPolicy & ss->chosenPreference;
|
| - if (! allowed)
|
| + if (!ss->chosenPreference)
|
| ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
|
|
|
| - /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
|
| + /* ssl3_cipher_suite_available_init was called in
|
| + * ssl2_ConstructCipherSpecs(). */
|
| /* Ask how many ssl3 CipherSuites were enabled. */
|
| rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
|
| if (rv != SECSuccess || ssl3CipherCount <= 0) {
|
| @@ -261,67 +255,6 @@ disabled:
|
| /*
|
| * Since this is a global (not per-socket) setting, we cannot use the
|
| * HandshakeLock to protect this. Probably want a global lock.
|
| - */
|
| -SECStatus
|
| -ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
|
| -{
|
| - PRUint32 bitMask;
|
| - SECStatus rv = SECSuccess;
|
| -
|
| - which &= 0x000f;
|
| - bitMask = 1 << which;
|
| -
|
| - if (!(bitMask & SSL_CB_IMPLEMENTED)) {
|
| - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
|
| - return SECFailure;
|
| - }
|
| -
|
| - if (policy == SSL_ALLOWED) {
|
| - allowedByPolicy |= bitMask;
|
| - maybeAllowedByPolicy |= bitMask;
|
| - } else if (policy == SSL_RESTRICTED) {
|
| - allowedByPolicy &= ~bitMask;
|
| - maybeAllowedByPolicy |= bitMask;
|
| - } else {
|
| - allowedByPolicy &= ~bitMask;
|
| - maybeAllowedByPolicy &= ~bitMask;
|
| - }
|
| - allowedByPolicy &= SSL_CB_IMPLEMENTED;
|
| - maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED;
|
| -
|
| - policyWasSet = PR_TRUE;
|
| - return rv;
|
| -}
|
| -
|
| -SECStatus
|
| -ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
|
| -{
|
| - PRUint32 bitMask;
|
| - PRInt32 policy;
|
| -
|
| - which &= 0x000f;
|
| - bitMask = 1 << which;
|
| -
|
| - /* Caller assures oPolicy is not null. */
|
| - if (!(bitMask & SSL_CB_IMPLEMENTED)) {
|
| - PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
|
| - *oPolicy = SSL_NOT_ALLOWED;
|
| - return SECFailure;
|
| - }
|
| -
|
| - if (maybeAllowedByPolicy & bitMask) {
|
| - policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
|
| - } else {
|
| - policy = SSL_NOT_ALLOWED;
|
| - }
|
| -
|
| - *oPolicy = policy;
|
| - return SECSuccess;
|
| -}
|
| -
|
| -/*
|
| - * Since this is a global (not per-socket) setting, we cannot use the
|
| - * HandshakeLock to protect this. Probably want a global lock.
|
| * Called from SSL_CipherPrefSetDefault in sslsock.c
|
| * These changes have no effect on any sslSockets already created.
|
| */
|
| @@ -410,12 +343,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
|
| }
|
|
|
|
|
| -/* copy global default policy into socket. */
|
| +/* copy global default cipher suite preferences into socket. */
|
| void
|
| -ssl2_InitSocketPolicy(sslSocket *ss)
|
| +ssl2_InitSocketCipherSuites(sslSocket *ss)
|
| {
|
| - ss->allowedByPolicy = allowedByPolicy;
|
| - ss->maybeAllowedByPolicy = maybeAllowedByPolicy;
|
| ss->chosenPreference = chosenPreference;
|
| }
|
|
|
| @@ -1556,7 +1487,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
|
| unsigned int dkLen; /* decrypted key length in bytes */
|
| int modulusLen;
|
| SECStatus rv;
|
| - PRUint16 allowed; /* cipher kinds enabled and allowed by policy */
|
| + PRUint16 allowed; /* cipher kinds enabled */
|
| PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES];
|
|
|
| PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
|
| @@ -1584,7 +1515,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
|
| goto loser;
|
| }
|
|
|
| - allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
|
| + allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
|
| if (!(allowed & (1 << cipher))) {
|
| /* client chose a kind we don't allow! */
|
| SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
|
| @@ -1814,8 +1745,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss,
|
| }
|
|
|
| if (!ss->preferredCipher) {
|
| - unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
|
| - SSL_CB_IMPLEMENTED;
|
| + unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
|
| if (allowed) {
|
| preferred = implementedCipherSuites;
|
| for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
|
|
|
Chromium Code Reviews
Issue 21564003:
NSS: remove cipher policy framework.
Base URL: svn://svn.chromium.org/chrome/trunk/src