OLD | NEW |
---|---|
1 /* | 1 /* |
2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
4 * Various other functions. | 4 * Various other functions. |
5 * | 5 * |
6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
9 #include "seccomon.h" | 9 #include "seccomon.h" |
10 #include "cert.h" | 10 #include "cert.h" |
(...skipping 155 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
166 PR_TRUE, /* detectRollBack */ | 166 PR_TRUE, /* detectRollBack */ |
167 PR_FALSE, /* noStepDown */ | 167 PR_FALSE, /* noStepDown */ |
168 PR_FALSE, /* bypassPKCS11 */ | 168 PR_FALSE, /* bypassPKCS11 */ |
169 PR_FALSE, /* noLocks */ | 169 PR_FALSE, /* noLocks */ |
170 PR_FALSE, /* enableSessionTickets */ | 170 PR_FALSE, /* enableSessionTickets */ |
171 PR_FALSE, /* enableDeflate */ | 171 PR_FALSE, /* enableDeflate */ |
172 2, /* enableRenegotiation (default: requires extension) */ | 172 2, /* enableRenegotiation (default: requires extension) */ |
173 PR_FALSE, /* requireSafeNegotiation */ | 173 PR_FALSE, /* requireSafeNegotiation */ |
174 PR_FALSE, /* enableFalseStart */ | 174 PR_FALSE, /* enableFalseStart */ |
175 PR_TRUE, /* cbcRandomIV */ | 175 PR_TRUE, /* cbcRandomIV */ |
176 PR_FALSE /* enableOCSPStapling */ | 176 PR_FALSE, /* enableOCSPStapling */ |
177 PR_FALSE /* enableSignedCertTimestamps */ | |
177 }; | 178 }; |
178 | 179 |
179 /* | 180 /* |
180 * default range of enabled SSL/TLS protocols | 181 * default range of enabled SSL/TLS protocols |
181 */ | 182 */ |
182 static SSLVersionRange versions_defaults_stream = { | 183 static SSLVersionRange versions_defaults_stream = { |
183 SSL_LIBRARY_VERSION_3_0, | 184 SSL_LIBRARY_VERSION_3_0, |
184 SSL_LIBRARY_VERSION_TLS_1_0 | 185 SSL_LIBRARY_VERSION_TLS_1_0 |
185 }; | 186 }; |
186 | 187 |
(...skipping 669 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
856 break; | 857 break; |
857 | 858 |
858 case SSL_CBC_RANDOM_IV: | 859 case SSL_CBC_RANDOM_IV: |
859 ss->opt.cbcRandomIV = on; | 860 ss->opt.cbcRandomIV = on; |
860 break; | 861 break; |
861 | 862 |
862 case SSL_ENABLE_OCSP_STAPLING: | 863 case SSL_ENABLE_OCSP_STAPLING: |
863 ss->opt.enableOCSPStapling = on; | 864 ss->opt.enableOCSPStapling = on; |
864 break; | 865 break; |
865 | 866 |
867 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
868 ss->opt.enableSignedCertTimestamps = on; | |
869 break; | |
870 | |
866 default: | 871 default: |
867 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 872 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
868 rv = SECFailure; | 873 rv = SECFailure; |
869 } | 874 } |
870 | 875 |
871 /* We can't use the macros for releasing the locks here, | 876 /* We can't use the macros for releasing the locks here, |
872 * because ss->opt.noLocks might have changed just above. | 877 * because ss->opt.noLocks might have changed just above. |
873 * We must release these locks (monitors) here, if we aquired them above, | 878 * We must release these locks (monitors) here, if we aquired them above, |
874 * regardless of the current value of ss->opt.noLocks. | 879 * regardless of the current value of ss->opt.noLocks. |
875 */ | 880 */ |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
926 on = ss->opt.enableSessionTickets; | 931 on = ss->opt.enableSessionTickets; |
927 break; | 932 break; |
928 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; | 933 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; |
929 case SSL_ENABLE_RENEGOTIATION: | 934 case SSL_ENABLE_RENEGOTIATION: |
930 on = ss->opt.enableRenegotiation; break; | 935 on = ss->opt.enableRenegotiation; break; |
931 case SSL_REQUIRE_SAFE_NEGOTIATION: | 936 case SSL_REQUIRE_SAFE_NEGOTIATION: |
932 on = ss->opt.requireSafeNegotiation; break; | 937 on = ss->opt.requireSafeNegotiation; break; |
933 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 938 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
934 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 939 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
935 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 940 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
941 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
942 on = ss->opt.enableSignedCertTimestamps; | |
943 break; | |
936 | 944 |
937 default: | 945 default: |
938 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 946 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
939 rv = SECFailure; | 947 rv = SECFailure; |
940 } | 948 } |
941 | 949 |
942 ssl_ReleaseSSL3HandshakeLock(ss); | 950 ssl_ReleaseSSL3HandshakeLock(ss); |
943 ssl_Release1stHandshakeLock(ss); | 951 ssl_Release1stHandshakeLock(ss); |
944 | 952 |
945 *pOn = on; | 953 *pOn = on; |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
987 case SSL_ENABLE_RENEGOTIATION: | 995 case SSL_ENABLE_RENEGOTIATION: |
988 on = ssl_defaults.enableRenegotiation; break; | 996 on = ssl_defaults.enableRenegotiation; break; |
989 case SSL_REQUIRE_SAFE_NEGOTIATION: | 997 case SSL_REQUIRE_SAFE_NEGOTIATION: |
990 on = ssl_defaults.requireSafeNegotiation; | 998 on = ssl_defaults.requireSafeNegotiation; |
991 break; | 999 break; |
992 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 1000 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; |
993 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 1001 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; |
994 case SSL_ENABLE_OCSP_STAPLING: | 1002 case SSL_ENABLE_OCSP_STAPLING: |
995 on = ssl_defaults.enableOCSPStapling; | 1003 on = ssl_defaults.enableOCSPStapling; |
996 break; | 1004 break; |
1005 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
1006 ssl_defaults.enableSignedCertTimestamps = on; | |
wtc
2013/11/08 19:51:31
BUG: this should be
on = ssl_defaults.enableSi
ekasper
2013/11/18 17:47:18
Yikes, I appear to have completely botched this fi
| |
1007 break; | |
997 | 1008 |
998 default: | 1009 default: |
999 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1010 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1000 rv = SECFailure; | 1011 rv = SECFailure; |
1001 } | 1012 } |
1002 | 1013 |
1003 *pOn = on; | 1014 *pOn = on; |
1004 return rv; | 1015 return rv; |
1005 } | 1016 } |
1006 | 1017 |
(...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1152 case SSL_ENABLE_FALSE_START: | 1163 case SSL_ENABLE_FALSE_START: |
1153 ssl_defaults.enableFalseStart = on; | 1164 ssl_defaults.enableFalseStart = on; |
1154 break; | 1165 break; |
1155 | 1166 |
1156 case SSL_CBC_RANDOM_IV: | 1167 case SSL_CBC_RANDOM_IV: |
1157 ssl_defaults.cbcRandomIV = on; | 1168 ssl_defaults.cbcRandomIV = on; |
1158 break; | 1169 break; |
1159 | 1170 |
1160 case SSL_ENABLE_OCSP_STAPLING: | 1171 case SSL_ENABLE_OCSP_STAPLING: |
1161 ssl_defaults.enableOCSPStapling = on; | 1172 ssl_defaults.enableOCSPStapling = on; |
1162 break; | 1173 break; |
wtc
2013/11/08 19:51:31
Please add a case for SSL_ENABLE_SIGNED_CERT_TIMES
ekasper
2013/11/18 17:47:18
Done.
| |
1163 | 1174 |
1164 default: | 1175 default: |
1165 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1176 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1166 return SECFailure; | 1177 return SECFailure; |
1167 } | 1178 } |
1168 return SECSuccess; | 1179 return SECSuccess; |
1169 } | 1180 } |
1170 | 1181 |
1171 /* function tells us if the cipher suite is one that we no longer support. */ | 1182 /* function tells us if the cipher suite is one that we no longer support. */ |
1172 static PRBool | 1183 static PRBool |
(...skipping 811 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1984 } | 1995 } |
1985 | 1996 |
1986 if (!ss->sec.ci.sid) { | 1997 if (!ss->sec.ci.sid) { |
1987 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 1998 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
1988 return NULL; | 1999 return NULL; |
1989 } | 2000 } |
1990 | 2001 |
1991 return &ss->sec.ci.sid->peerCertStatus; | 2002 return &ss->sec.ci.sid->peerCertStatus; |
1992 } | 2003 } |
1993 | 2004 |
2005 const SECItem * | |
2006 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) | |
2007 { | |
2008 sslSocket *ss = ssl_FindSocket(fd); | |
2009 | |
2010 if (!ss) { | |
2011 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", | |
2012 SSL_GETPID(), fd)); | |
2013 return NULL; | |
2014 } | |
2015 | |
2016 if (!ss->sec.ci.sid) { | |
2017 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
2018 return NULL; | |
2019 } | |
2020 | |
2021 if (ss->version < SSL_LIBRARY_VERSION_3_0) { | |
2022 return NULL; | |
wtc
2013/11/08 19:51:31
Please add:
PORT_SetError(SSL_ERROR_FEATURE_NO
ekasper
2013/11/18 17:47:18
Strictly speaking yes, but I think it's nicer to a
wtc
2013/11/19 23:52:28
Yes, it does. Thanks.
To make it clear it's the u
ekasper
2013/11/20 16:06:27
Done.
| |
2023 } | |
2024 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; | |
2025 } | |
2026 | |
1994 SECStatus | 2027 SECStatus |
1995 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { | 2028 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { |
1996 sslSocket *ss = ssl_FindSocket(fd); | 2029 sslSocket *ss = ssl_FindSocket(fd); |
1997 | 2030 |
1998 if (!ss) { | 2031 if (!ss) { |
1999 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", | 2032 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", |
2000 SSL_GETPID(), fd)); | 2033 SSL_GETPID(), fd)); |
2001 return SECFailure; | 2034 return SECFailure; |
2002 } | 2035 } |
2003 | 2036 |
(...skipping 1120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3124 if (status != SECSuccess) { | 3157 if (status != SECSuccess) { |
3125 loser: | 3158 loser: |
3126 ssl_DestroySocketContents(ss); | 3159 ssl_DestroySocketContents(ss); |
3127 ssl_DestroyLocks(ss); | 3160 ssl_DestroyLocks(ss); |
3128 PORT_Free(ss); | 3161 PORT_Free(ss); |
3129 ss = NULL; | 3162 ss = NULL; |
3130 } | 3163 } |
3131 } | 3164 } |
3132 return ss; | 3165 return ss; |
3133 } | 3166 } |
3134 | |
OLD | NEW |