| Index: net/third_party/nss/ssl/sslsock.c
|
| diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
|
| index fd71aee8379db5af74143fe5c359d32b33c7cb1b..3b30efd0ce10229c72dd4907c597d09e2e0748b6 100644
|
| --- a/net/third_party/nss/ssl/sslsock.c
|
| +++ b/net/third_party/nss/ssl/sslsock.c
|
| @@ -28,88 +28,6 @@
|
|
|
| #define SET_ERROR_CODE /* reminder */
|
|
|
| -struct cipherPolicyStr {
|
| - int cipher;
|
| - unsigned char export; /* policy value for export policy */
|
| - unsigned char france; /* policy value for france policy */
|
| -};
|
| -
|
| -typedef struct cipherPolicyStr cipherPolicy;
|
| -
|
| -/* This table contains two preconfigured policies: Export and France.
|
| -** It is used only by the functions NSS_SetDomesticPolicy,
|
| -** NSS_SetExportPolicy, and NSS_SetFrancePolicy.
|
| -** Order of entries is not important.
|
| -*/
|
| -static cipherPolicy ssl_ciphers[] = { /* Export France */
|
| - { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| - { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| - { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
|
| - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| - { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED },
|
| - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
|
| -#ifdef NSS_ENABLE_ECC
|
| - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| -#endif /* NSS_ENABLE_ECC */
|
| - { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
|
| -};
|
| -
|
| static const sslSocketOps ssl_default_ops = { /* No SSL. */
|
| ssl_DefConnect,
|
| NULL,
|
| @@ -291,9 +209,7 @@ ssl_DupSocket(sslSocket *os)
|
| ss->cTimeout = os->cTimeout;
|
| ss->dbHandle = os->dbHandle;
|
|
|
| - /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
|
| - ss->allowedByPolicy = os->allowedByPolicy;
|
| - ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
|
| + /* copy ssl2&3 prefs, even if it's not selected (yet) */
|
| ss->chosenPreference = os->chosenPreference;
|
| PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
|
| PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
|
| @@ -1176,62 +1092,23 @@ ssl_IsRemovedCipherSuite(PRInt32 suite)
|
| }
|
| }
|
|
|
| -/* Part of the public NSS API.
|
| - * Since this is a global (not per-socket) setting, we cannot use the
|
| - * HandshakeLock to protect this. Probably want a global lock.
|
| - */
|
| SECStatus
|
| SSL_SetPolicy(long which, int policy)
|
| {
|
| - if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
|
| - /* one of the two old FIPS ciphers */
|
| - if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
|
| - which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
|
| - else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
|
| - which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
|
| - }
|
| - if (ssl_IsRemovedCipherSuite(which))
|
| - return SECSuccess;
|
| - return SSL_CipherPolicySet(which, policy);
|
| + return SECSuccess;
|
| }
|
|
|
| SECStatus
|
| SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
|
| {
|
| - SECStatus rv = ssl_Init();
|
| -
|
| - if (rv != SECSuccess) {
|
| - return rv;
|
| - }
|
| -
|
| - if (ssl_IsRemovedCipherSuite(which)) {
|
| - rv = SECSuccess;
|
| - } else if (SSL_IS_SSL2_CIPHER(which)) {
|
| - rv = ssl2_SetPolicy(which, policy);
|
| - } else {
|
| - rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
|
| - }
|
| - return rv;
|
| + return SECSuccess;
|
| }
|
|
|
| SECStatus
|
| SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
|
| {
|
| - SECStatus rv;
|
| -
|
| - if (!oPolicy) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| - if (ssl_IsRemovedCipherSuite(which)) {
|
| - *oPolicy = SSL_NOT_ALLOWED;
|
| - rv = SECSuccess;
|
| - } else if (SSL_IS_SSL2_CIPHER(which)) {
|
| - rv = ssl2_GetPolicy(which, oPolicy);
|
| - } else {
|
| - rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
|
| - }
|
| - return rv;
|
| + *oPolicy = SSL_ALLOWED;
|
| + return SECSuccess;
|
| }
|
|
|
| /* Part of the public NSS API.
|
| @@ -1350,27 +1227,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
|
| SECStatus
|
| NSS_SetDomesticPolicy(void)
|
| {
|
| - SECStatus status = SECSuccess;
|
| - cipherPolicy * policy;
|
| -
|
| - for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
|
| - status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
|
| - if (status != SECSuccess)
|
| - break;
|
| - }
|
| - return status;
|
| + return SECSuccess;
|
| }
|
|
|
| SECStatus
|
| NSS_SetExportPolicy(void)
|
| {
|
| - return NSS_SetDomesticPolicy();
|
| + return SECSuccess;
|
| }
|
|
|
| SECStatus
|
| NSS_SetFrancePolicy(void)
|
| {
|
| - return NSS_SetDomesticPolicy();
|
| + return SECSuccess;
|
| }
|
|
|
| SECStatus
|
| @@ -3097,8 +2966,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
|
| ss->getChannelIDArg = NULL;
|
|
|
| ssl_ChooseOps(ss);
|
| - ssl2_InitSocketPolicy(ss);
|
| - ssl3_InitSocketPolicy(ss);
|
| + ssl2_InitSocketCipherSuites(ss);
|
| + ssl3_InitSocketCipherSuites(ss);
|
| PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
|
|
|
| if (makeLocks) {
|
|
|
Chromium Code Reviews
Issue 21564003:
NSS: remove cipher policy framework.
Base URL: svn://svn.chromium.org/chrome/trunk/src