| OLD | NEW |
| 1 /* | 1 /* |
| 2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
| 3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
| 4 * Various other functions. | 4 * Various other functions. |
| 5 * | 5 * |
| 6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
| 7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 9 #include "seccomon.h" | 9 #include "seccomon.h" |
| 10 #include "cert.h" | 10 #include "cert.h" |
| (...skipping 155 matching lines...) |
| 166 PR_TRUE, /* detectRollBack */ | 166 PR_TRUE, /* detectRollBack */ |
| 167 PR_FALSE, /* noStepDown */ | 167 PR_FALSE, /* noStepDown */ |
| 168 PR_FALSE, /* bypassPKCS11 */ | 168 PR_FALSE, /* bypassPKCS11 */ |
| 169 PR_FALSE, /* noLocks */ | 169 PR_FALSE, /* noLocks */ |
| 170 PR_FALSE, /* enableSessionTickets */ | 170 PR_FALSE, /* enableSessionTickets */ |
| 171 PR_FALSE, /* enableDeflate */ | 171 PR_FALSE, /* enableDeflate */ |
| 172 2, /* enableRenegotiation (default: requires extension) */ | 172 2, /* enableRenegotiation (default: requires extension) */ |
| 173 PR_FALSE, /* requireSafeNegotiation */ | 173 PR_FALSE, /* requireSafeNegotiation */ |
| 174 PR_FALSE, /* enableFalseStart */ | 174 PR_FALSE, /* enableFalseStart */ |
| 175 PR_TRUE, /* cbcRandomIV */ | 175 PR_TRUE, /* cbcRandomIV */ |
| 176 PR_FALSE /* enableOCSPStapling */ | 176 PR_FALSE, /* enableOCSPStapling */ |
| 177 PR_FALSE /* enableSignedCertTimestamps */ |
| 177 }; | 178 }; |
| 178 | 179 |
| 179 /* | 180 /* |
| 180 * default range of enabled SSL/TLS protocols | 181 * default range of enabled SSL/TLS protocols |
| 181 */ | 182 */ |
| 182 static SSLVersionRange versions_defaults_stream = { | 183 static SSLVersionRange versions_defaults_stream = { |
| 183 SSL_LIBRARY_VERSION_3_0, | 184 SSL_LIBRARY_VERSION_3_0, |
| 184 SSL_LIBRARY_VERSION_TLS_1_0 | 185 SSL_LIBRARY_VERSION_TLS_1_0 |
| 185 }; | 186 }; |
| 186 | 187 |
| (...skipping 669 matching lines...) |
| 856 break; | 857 break; |
| 857 | 858 |
| 858 case SSL_CBC_RANDOM_IV: | 859 case SSL_CBC_RANDOM_IV: |
| 859 ss->opt.cbcRandomIV = on; | 860 ss->opt.cbcRandomIV = on; |
| 860 break; | 861 break; |
| 861 | 862 |
| 862 case SSL_ENABLE_OCSP_STAPLING: | 863 case SSL_ENABLE_OCSP_STAPLING: |
| 863 ss->opt.enableOCSPStapling = on; | 864 ss->opt.enableOCSPStapling = on; |
| 864 break; | 865 break; |
| 865 | 866 |
| 867 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 868 ss->opt.enableSignedCertTimestamps = on; |
| 869 break; |
| 870 |
| 866 default: | 871 default: |
| 867 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 872 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 868 rv = SECFailure; | 873 rv = SECFailure; |
| 869 } | 874 } |
| 870 | 875 |
| 871 /* We can't use the macros for releasing the locks here, | 876 /* We can't use the macros for releasing the locks here, |
| 872 * because ss->opt.noLocks might have changed just above. | 877 * because ss->opt.noLocks might have changed just above. |
| 873 * We must release these locks (monitors) here, if we aquired them above, | 878 * We must release these locks (monitors) here, if we aquired them above, |
| 874 * regardless of the current value of ss->opt.noLocks. | 879 * regardless of the current value of ss->opt.noLocks. |
| 875 */ | 880 */ |
| (...skipping 50 matching lines...) |
| 926 on = ss->opt.enableSessionTickets; | 931 on = ss->opt.enableSessionTickets; |
| 927 break; | 932 break; |
| 928 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; | 933 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; |
| 929 case SSL_ENABLE_RENEGOTIATION: | 934 case SSL_ENABLE_RENEGOTIATION: |
| 930 on = ss->opt.enableRenegotiation; break; | 935 on = ss->opt.enableRenegotiation; break; |
| 931 case SSL_REQUIRE_SAFE_NEGOTIATION: | 936 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 932 on = ss->opt.requireSafeNegotiation; break; | 937 on = ss->opt.requireSafeNegotiation; break; |
| 933 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 938 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
| 934 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 939 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
| 935 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 940 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
| 941 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 942 on = ss->opt.enableSignedCertTimestamps; |
| 943 break; |
| 936 | 944 |
| 937 default: | 945 default: |
| 938 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 946 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 939 rv = SECFailure; | 947 rv = SECFailure; |
| 940 } | 948 } |
| 941 | 949 |
| 942 ssl_ReleaseSSL3HandshakeLock(ss); | 950 ssl_ReleaseSSL3HandshakeLock(ss); |
| 943 ssl_Release1stHandshakeLock(ss); | 951 ssl_Release1stHandshakeLock(ss); |
| 944 | 952 |
| 945 *pOn = on; | 953 *pOn = on; |
| (...skipping 41 matching lines...) |
| 987 case SSL_ENABLE_RENEGOTIATION: | 995 case SSL_ENABLE_RENEGOTIATION: |
| 988 on = ssl_defaults.enableRenegotiation; break; | 996 on = ssl_defaults.enableRenegotiation; break; |
| 989 case SSL_REQUIRE_SAFE_NEGOTIATION: | 997 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 990 on = ssl_defaults.requireSafeNegotiation; | 998 on = ssl_defaults.requireSafeNegotiation; |
| 991 break; | 999 break; |
| 992 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 1000 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; |
| 993 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 1001 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; |
| 994 case SSL_ENABLE_OCSP_STAPLING: | 1002 case SSL_ENABLE_OCSP_STAPLING: |
| 995 on = ssl_defaults.enableOCSPStapling; | 1003 on = ssl_defaults.enableOCSPStapling; |
| 996 break; | 1004 break; |
| 1005 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 1006 on = ssl_defaults.enableSignedCertTimestamps; |
| 1007 break; |
| 997 | 1008 |
| 998 default: | 1009 default: |
| 999 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1010 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1000 rv = SECFailure; | 1011 rv = SECFailure; |
| 1001 } | 1012 } |
| 1002 | 1013 |
| 1003 *pOn = on; | 1014 *pOn = on; |
| 1004 return rv; | 1015 return rv; |
| 1005 } | 1016 } |
| 1006 | 1017 |
| (...skipping 147 matching lines...) |
| 1154 break; | 1165 break; |
| 1155 | 1166 |
| 1156 case SSL_CBC_RANDOM_IV: | 1167 case SSL_CBC_RANDOM_IV: |
| 1157 ssl_defaults.cbcRandomIV = on; | 1168 ssl_defaults.cbcRandomIV = on; |
| 1158 break; | 1169 break; |
| 1159 | 1170 |
| 1160 case SSL_ENABLE_OCSP_STAPLING: | 1171 case SSL_ENABLE_OCSP_STAPLING: |
| 1161 ssl_defaults.enableOCSPStapling = on; | 1172 ssl_defaults.enableOCSPStapling = on; |
| 1162 break; | 1173 break; |
| 1163 | 1174 |
| 1175 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| 1176 ssl_defaults.enableSignedCertTimestamps = on; |
| 1177 break; |
| 1178 |
| 1164 default: | 1179 default: |
| 1165 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1180 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1166 return SECFailure; | 1181 return SECFailure; |
| 1167 } | 1182 } |
| 1168 return SECSuccess; | 1183 return SECSuccess; |
| 1169 } | 1184 } |
| 1170 | 1185 |
| 1171 /* function tells us if the cipher suite is one that we no longer support. */ | 1186 /* function tells us if the cipher suite is one that we no longer support. */ |
| 1172 static PRBool | 1187 static PRBool |
| 1173 ssl_IsRemovedCipherSuite(PRInt32 suite) | 1188 ssl_IsRemovedCipherSuite(PRInt32 suite) |
| (...skipping 810 matching lines...) |
| 1984 } | 1999 } |
| 1985 | 2000 |
| 1986 if (!ss->sec.ci.sid) { | 2001 if (!ss->sec.ci.sid) { |
| 1987 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 2002 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
| 1988 return NULL; | 2003 return NULL; |
| 1989 } | 2004 } |
| 1990 | 2005 |
| 1991 return &ss->sec.ci.sid->peerCertStatus; | 2006 return &ss->sec.ci.sid->peerCertStatus; |
| 1992 } | 2007 } |
| 1993 | 2008 |
| 2009 const SECItem * |
| 2010 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
| 2011 { |
| 2012 sslSocket *ss = ssl_FindSocket(fd); |
| 2013 |
| 2014 if (!ss) { |
| 2015 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
| 2016 SSL_GETPID(), fd)); |
| 2017 return NULL; |
| 2018 } |
| 2019 |
| 2020 if (!ss->sec.ci.sid) { |
| 2021 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
| 2022 return NULL; |
| 2023 } |
| 2024 |
| 2025 if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
| 2026 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
| 2027 return NULL; |
| 2028 } |
| 2029 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; |
| 2030 } |
| 2031 |
| 1994 SECStatus | 2032 SECStatus |
| 1995 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { | 2033 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { |
| 1996 sslSocket *ss = ssl_FindSocket(fd); | 2034 sslSocket *ss = ssl_FindSocket(fd); |
| 1997 | 2035 |
| 1998 if (!ss) { | 2036 if (!ss) { |
| 1999 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", | 2037 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", |
| 2000 SSL_GETPID(), fd)); | 2038 SSL_GETPID(), fd)); |
| 2001 return SECFailure; | 2039 return SECFailure; |
| 2002 } | 2040 } |
| 2003 | 2041 |
| (...skipping 1120 matching lines...) |
| 3124 if (status != SECSuccess) { | 3162 if (status != SECSuccess) { |
| 3125 loser: | 3163 loser: |
| 3126 ssl_DestroySocketContents(ss); | 3164 ssl_DestroySocketContents(ss); |
| 3127 ssl_DestroyLocks(ss); | 3165 ssl_DestroyLocks(ss); |
| 3128 PORT_Free(ss); | 3166 PORT_Free(ss); |
| 3129 ss = NULL; | 3167 ss = NULL; |
| 3130 } | 3168 } |
| 3131 } | 3169 } |
| 3132 return ss; | 3170 return ss; |
| 3133 } | 3171 } |
| 3134 | |
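Review bot: SSL_PeerSignedCertTimestamps (new lines 2009-2030) returns a pointer into the session ID's `u.ssl3.signedCertTimestamps` with no comment on ownership or trust, and nothing in the visible body takes a lock or a reference on the sid while the caller holds that pointer. The `peerCertStatus` getter that ends just above follows the same pattern, so this is a documentation gap rather than a new hazard. I would add a header comment such as `/* Returns the peer's raw SCT list, owned by the session: do not free, copy to keep. Unvalidated peer data; len may be 0. */`, so that callers know they must verify each SCT themselves. Separately, the version test runs after the sid test, so a socket whose `ss->version` is not yet negotiated would presumably fail with SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 rather than a not-ready error. That depends on where `ss->version` is assigned, which is outside the visible lines, so it needs confirming.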
| OLD | NEW |