authorAdam Langley <agl@chromium.org>2013-08-12 11:39:36 -0700
committerAdam Langley <agl@chromium.org>2013-08-12 11:39:36 -0700
commit1466a9001692b94c5b1b770ee44091e985ee24c1 (patch)
treed0f8b3425bf3d5598513d4e2effd9c16a4d15c5c
parentbc35f7c6add7ef34e7e62604a8924cf3933ad7d2 (diff)
Bug 848384: Remove vestigial cipher suite policy code. r=wtc.
-rw-r--r--lib/ssl/ssl.h29
-rw-r--r--lib/ssl/ssl3con.c248
-rw-r--r--lib/ssl/ssl3ecc.c2
-rw-r--r--lib/ssl/sslcon.c98
-rw-r--r--lib/ssl/sslimpl.h26
-rw-r--r--lib/ssl/sslsock.c151
6 files changed, 138 insertions, 416 deletions
diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h
index 6db0e3403..bd605e31b 100644
--- a/lib/ssl/ssl.h
+++ b/lib/ssl/ssl.h
@@ -233,7 +233,6 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd,
** is enabled, otherwise it is disabled.
** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
** EnableCipher records user preferences.
-** SetPolicy sets the policy according to the policy module.
*/
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
@@ -246,7 +245,11 @@ SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en
SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
+
+/* Policy functions are deprecated and no longer have any effect. They exist in
+ * order to maintain ABI compatibility. */
SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+/* SSL_CipherPolicyGet sets *policy to SSL_ALLOWED and returns SECSuccess. */
SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
/* SSL Version Range API
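Review bot: The new comment on the policy functions says they no longer have any effect, but it does not say what a caller who used them to restrict ciphers should do instead. A call such as SSL_CipherPolicySet(cipher, SSL_NOT_ALLOWED) used to keep a suite from being negotiated; after this commit it presumably just returns while the suite stays governed by its preference bit (the implementation is not in this hunk). The same gap is in the NSS_Set*Policy comment in the later hunk of this file, where NSS_SetExportPolicy and NSS_SetFrancePolicy used to narrow the allowed set. I would add `To disable a cipher suite, use SSL_CipherPrefSet or SSL_CipherPrefSetDefault.` to the comment, and state the return value of SSL_CipherPolicySet the way it is stated for SSL_CipherPolicyGet.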
@@ -320,7 +323,7 @@ SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd,
const SSLVersionRange *vrange);
-/* Values for "policy" argument to SSL_PolicySet */
+/* Values for "policy" argument to SSL_CipherPolicySet */
/* Values returned by SSL_CipherPolicyGet. */
#define SSL_NOT_ALLOWED 0 /* or invalid or unimplemented */
#define SSL_ALLOWED 1
@@ -791,26 +794,12 @@ SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert,
*/
SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
-/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
- * This essentially enables all supported ciphers.
- */
+/*
+** The NSS_Set*Policy functions have no effect and exist in order to maintain
+** ABI compatibility. All supported ciphers are now allowed.
+*/
SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- * according to present U.S. policies as we understand them.
- * See documentation for the list.
- * Note that your particular application program may be able to obtain
- * an export license with more or fewer capabilities than those allowed
- * by this function. In that case, you should use SSL_SetPolicy()
- * to explicitly allow those ciphers you may legally export.
- */
SSL_IMPORT SECStatus NSS_SetExportPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- * according to present U.S. policies as we understand them, and that the
- * nation of France will permit to be imported into their country.
- * See documentation for the list.
- */
SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index adebef9d2..8a4aa0f48 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -77,85 +77,84 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
* in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
*/
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
- /* cipher_suite policy enabled is_present*/
+ /* cipher_suite enabled is_present */
#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_SHA, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_MD5, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_3DES_EDE_CBC_SHA, PR_TRUE, PR_FALSE},
- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_DHE_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
+ { SSL_DHE_DSS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, PR_FALSE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC4_40_MD5, PR_FALSE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, PR_FALSE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-
+ { SSL_RSA_WITH_NULL_SHA, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_SHA256, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_NULL_MD5, PR_FALSE, PR_FALSE},
};
/* This list of SSL3 compression methods is sorted in descending order of
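Review bot: With the policy column gone, the `enabled` column of this table becomes the only shipped default, and the table header does not say so. Before, every row started at SSL_NOT_ALLOWED and the removed config_match() rejected it until a policy call changed that, so a process that never set a policy could negotiate nothing; now the PR_TRUE rows, which include SSL_RSA_WITH_RC4_128_MD5, are usable as soon as a token supports them. The same applies to the SSLv2 hunks in sslcon.c, where `chosenPreference = 0xff` is the only mask left once `allowedByPolicy` ("all off by default") is deleted. I would record this in the header, e.g. `/* enabled is the default preference and, besides isPresent, the only gate */`, and re-check each PR_TRUE default with that in mind.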
@@ -632,13 +631,13 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
}
-/* Initialize the suite->isPresent value for config_match
+/* Initialize the suite->isPresent value for cipher_suite_available.
* Returns count of enabled ciphers supported by extant tokens,
- * regardless of policy or user preference.
+ * regardless of user preference.
* If this returns zero, the user cannot do SSL v3.
*/
int
-ssl3_config_match_init(sslSocket *ss)
+ssl3_cipher_suite_available_init(sslSocket *ss)
{
ssl3CipherSuiteCfg * suite;
const ssl3CipherSuiteDef *cipher_def;
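Review bot: The edited header comment now contradicts itself: it promises a "count of enabled ciphers" that is also "regardless of user preference", while elsewhere in this file `enabled` is the user preference (ssl3_CipherPrefSetDefault is commented "record the user preference for this suite"). Dropping "policy or" from the old wording left one of the two phrases wrong. The function body is outside the hunk, so which one is wrong cannot be confirmed from here. If the count only covers enabled suites, the line should read `* Returns count of enabled ciphers supported by extant tokens.`.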
@@ -734,37 +733,25 @@ ssl3_config_match_init(sslSocket *ss)
}
-/* return PR_TRUE if suite matches policy and enabled state */
-/* It would be a REALLY BAD THING (tm) if we ever permitted the use
-** of a cipher that was NOT_ALLOWED. So, if this is ever called with
-** policy == SSL_NOT_ALLOWED, report no match.
-*/
-/* adjust suite enabled to the availability of a token that can do the
- * cipher suite. */
+/* return PR_TRUE if the given cipher suite is enabled and present. */
static PRBool
-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
+cipher_suite_available(ssl3CipherSuiteCfg *suite)
{
- PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
- if (policy == SSL_NOT_ALLOWED || !enabled)
- return PR_FALSE;
- return (PRBool)(suite->enabled &&
- suite->isPresent &&
- suite->policy != SSL_NOT_ALLOWED &&
- suite->policy <= policy);
+ return (PRBool)(suite->enabled && suite->isPresent);
}
-/* return number of cipher suites that match policy and enabled state */
-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
+/* return number of cipher suites that are enabled and present.
+ * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
static int
-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
+count_cipher_suites(sslSocket *ss)
{
int i, count = 0;
if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
- return 0;
+ return 0;
}
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- if (config_match(&ss->cipherSuites[i], policy, enabled))
+ if (cipher_suite_available(&ss->cipherSuites[i]))
count++;
}
if (count <= 0) {
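Review bot: The new one-line comment on cipher_suite_available() drops the only hint that `isPresent` is derived state. According to the comment on ssl3_cipher_suite_available_init it is filled in by that function, and the static table initialises it to PR_FALSE for every suite, so a call made before the init reports every suite as unavailable. I would document the precondition, e.g. `/* Return PR_TRUE if the suite is enabled and present; isPresent is only valid after ssl3_cipher_suite_available_init(ss). */`, and take the argument as `const ssl3CipherSuiteCfg *suite` since nothing is written through it. count_cipher_suites continues past the end of the hunk.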
@@ -4716,8 +4703,6 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
sid->u.ssl3.sessionIDLength));
-
- ss->ssl3.policy = sid->u.ssl3.policy;
} else {
SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
@@ -4767,10 +4752,11 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
return SECFailure;
}
- /* how many suites does our PKCS11 support (regardless of policy)? */
- num_suites = ssl3_config_match_init(ss);
+ /* how many suites does our PKCS11 support? */
+ num_suites = ssl3_cipher_suite_available_init(ss);
if (!num_suites)
- return SECFailure; /* ssl3_config_match_init has set error code. */
+ return SECFailure; /* ssl3_cipher_suite_available_init has set
+ * error code. */
/* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
* only if we're willing to complete an SSL 3.0 handshake.
@@ -4808,8 +4794,8 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
ssl3_DisableNonDTLSSuites(ss);
}
- /* how many suites are permitted by policy and user preference? */
- num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
+ /* how many suites are permitted by user preference? */
+ num_suites = count_cipher_suites(ss);
if (!num_suites)
return SECFailure; /* count_cipher_suites has set error code. */
if (ss->ssl3.hs.sendingSCSV) {
@@ -4899,7 +4885,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
}
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
- if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
+ if (cipher_suite_available(suite)) {
actual_count++;
if (actual_count > num_suites) {
/* set error card removal/insertion error */
@@ -5930,11 +5916,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
if (temp < 0) {
goto loser; /* alert has been sent */
}
- ssl3_config_match_init(ss);
+ ssl3_cipher_suite_available_init(ss);
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
if (temp == suite->cipher_suite) {
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
+ if (!cipher_suite_available(suite)) {
break; /* failure */
}
if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
@@ -6936,7 +6922,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
sid->version = ss->version;
sid->u.ssl3.keys.resumable = PR_TRUE;
- sid->u.ssl3.policy = SSL_ALLOWED;
sid->u.ssl3.clientWriteKey = NULL;
sid->u.ssl3.serverWriteKey = NULL;
@@ -7317,8 +7302,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
}
#ifdef PARANOID
- /* Look for a matching cipher suite. */
- j = ssl3_config_match_init(ss);
+ /* Look for an available cipher suite. */
+ j = ssl3_cipher_suite_available_init(ss);
if (j <= 0) { /* no ciphers are working/supported by PK11 */
errCode = PORT_GetError(); /* error code is already set. */
goto alert_loser;
@@ -7354,12 +7339,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
if (j <= 0)
break;
#ifdef PARANOID
- /* Double check that the cached cipher suite is still enabled,
- * implemented, and allowed by policy. Might have been disabled.
- * The product policy won't change during the process lifetime.
+ /* Double check that the cached cipher suite is still enabled and
+ * implemented. Might have been disabled.
* Implemented ("isPresent") shouldn't change for servers.
*/
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
+ if (!cipher_suite_available(suite))
break;
#else
if (!suite->enabled)
@@ -7383,8 +7367,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
/* START A NEW SESSION */
#ifndef PARANOID
- /* Look for a matching cipher suite. */
- j = ssl3_config_match_init(ss);
+ /* Look for an available cipher suite. */
+ j = ssl3_cipher_suite_available_init(ss);
if (j <= 0) { /* no ciphers are working/supported by PK11 */
errCode = PORT_GetError(); /* error code is already set. */
goto alert_loser;
@@ -7407,7 +7391,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
*/
for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+ if (!cipher_suite_available(suite) ||
!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
ss->version)) {
continue;
@@ -7426,7 +7410,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto alert_loser;
suite_found:
- /* Look for a matching compression algorithm. */
+ /* Select a compression algorithm. */
for (i = 0; i < comps.len; i++) {
if (!compressionEnabled(ss, comps.data[i]))
continue;
@@ -7729,7 +7713,7 @@ compression_found:
ret = SSL_SNI_SEND_ALERT;
break;
}
- configedCiphers = ssl3_config_match_init(ss);
+ configedCiphers = ssl3_cipher_suite_available_init(ss);
if (configedCiphers <= 0) {
/* no ciphers are working/supported */
errCode = PORT_GetError();
@@ -7926,7 +7910,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
/* Disable any ECC cipher suites for which we have no cert. */
ssl3_FilterECCipherSuitesByServerCerts(ss);
#endif
- i = ssl3_config_match_init(ss);
+ i = ssl3_cipher_suite_available_init(ss);
if (i <= 0) {
errCode = PORT_GetError(); /* error code is already set. */
goto alert_loser;
@@ -7941,7 +7925,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
*/
for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
- if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+ if (!cipher_suite_available(suite) ||
!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
ss->version)) {
continue;
@@ -10031,7 +10015,6 @@ xmit_loser:
/* fill in the sid */
sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
sid->u.ssl3.compression = ss->ssl3.hs.compression;
- sid->u.ssl3.policy = ss->ssl3.policy;
#ifdef NSS_ENABLE_ECC
sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
#endif
@@ -11109,8 +11092,6 @@ ssl3_InitState(sslSocket *ss)
if (ss->ssl3.initialized)
return SECSuccess; /* Function should be idempotent */
- ss->ssl3.policy = SSL_ALLOWED;
-
ssl_GetSpecWriteLock(ss);
ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
@@ -11220,40 +11201,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss)
}
-/* record the export policy for this cipher suite */
-SECStatus
-ssl3_SetPolicy(ssl3CipherSuite which, int policy)
-{
- ssl3CipherSuiteCfg *suite;
-
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
- if (suite == NULL) {
- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
- }
- suite->policy = policy;
-
- return SECSuccess;
-}
-
-SECStatus
-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
-{
- ssl3CipherSuiteCfg *suite;
- PRInt32 policy;
- SECStatus rv;
-
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
- if (suite) {
- policy = suite->policy;
- rv = SECSuccess;
- } else {
- policy = SSL_NOT_ALLOWED;
- rv = SECFailure; /* err code was set by Lookup. */
- }
- *oPolicy = policy;
- return rv;
-}
-
/* record the user preference for this suite */
SECStatus
ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
@@ -11320,15 +11267,15 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
return rv;
}
-/* copy global default policy into socket. */
+/* copy global default ciphersuite preferences into socket. */
void
-ssl3_InitSocketPolicy(sslSocket *ss)
+ssl3_InitSocketCipherSuites(sslSocket *ss)
{
PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
}
-/* ssl3_config_match_init must have already been called by
- * the caller of this function.
+/* ssl3_cipher_suite_available_init must have already been called by the caller
+ * of this function.
*/
SECStatus
ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
@@ -11345,14 +11292,15 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
return SECSuccess;
}
if (cs == NULL) {
- *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
+ *size = count_cipher_suites(ss);
return SECSuccess;
}
- /* ssl3_config_match_init was called by the caller of this function. */
+ /* ssl3_cipher_suite_available_init was called by the caller of this
+ * function. */
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
+ if (cipher_suite_available(suite)) {
if (cs != NULL) {
*cs++ = 0x00;
*cs++ = (suite->cipher_suite >> 8) & 0xFF;
diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c
index 65a428f9f..215fd8181 100644
--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
@@ -1002,7 +1002,7 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
}
/* Ask: is ANY ECC cipher suite enabled on this socket? */
-/* Order(N^2). Yuk. Also, this ignores export policy. */
+/* Order(N^2). Yuk. */
PRBool
ssl3_IsECCEnabled(sslSocket * ss)
{
diff --git a/lib/ssl/sslcon.c b/lib/ssl/sslcon.c
index 2fc6602a2..626839e90 100644
--- a/lib/ssl/sslcon.c
+++ b/lib/ssl/sslcon.c
@@ -20,9 +20,6 @@
#include "prinit.h"
#include "prtime.h" /* for PR_Now() */
-#define XXX
-static PRBool policyWasSet;
-
/* This ordered list is indexed by (SSL_CK_xx * 3) */
/* Second and third bytes are MSB and LSB of master key length. */
static const PRUint8 allCipherSuites[] = {
@@ -115,14 +112,12 @@ const char * const ssl_cipherName[] = {
};
-/* bit-masks, showing which SSLv2 suites are allowed.
+/* bit-mask, showing which SSLv2 suites are allowed.
* lsb corresponds to first cipher suite in allCipherSuites[].
*/
-static PRUint16 allowedByPolicy; /* all off by default */
-static PRUint16 maybeAllowedByPolicy; /* all off by default */
static PRUint16 chosenPreference = 0xff; /* all on by default */
-/* bit values for the above two bit masks */
+/* bit values for the above bit mask */
#define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5)
#define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
#define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
@@ -157,19 +152,19 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
count = 0;
PORT_Assert(ss != 0);
allowed = !ss->opt.enableSSL2 ? 0 :
- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+ (ss->chosenPreference & SSL_CB_IMPLEMENTED);
while (allowed) {
if (allowed & 1)
++count;
allowed >>= 1;
}
- /* Call ssl3_config_match_init() once here,
+ /* Call ssl3_cipher_suite_available_init() once here,
* instead of inside ssl3_ConstructV2CipherSpecsHack(),
* because the latter gets called twice below,
* and then again in ssl2_BeginClientHandshake().
*/
- ssl3_config_match_init(ss);
+ ssl3_cipher_suite_available_init(ss);
/* ask SSL3 how many cipher suites it has. */
rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
@@ -193,7 +188,7 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
/* fill in cipher specs for SSL2 cipher suites */
allowed = !ss->opt.enableSSL2 ? 0 :
- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+ (ss->chosenPreference & SSL_CB_IMPLEMENTED);
for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
const PRUint8 * hs = implementedCipherSuites + i;
int ok = allowed & (1U << hs[0]);
@@ -225,7 +220,6 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
static SECStatus
ssl2_CheckConfigSanity(sslSocket *ss)
{
- unsigned int allowed;
int ssl3CipherCount = 0;
SECStatus rv;
@@ -235,11 +229,11 @@ ssl2_CheckConfigSanity(sslSocket *ss)
if (!ss->cipherSpecs)
goto disabled;
- allowed = ss->allowedByPolicy & ss->chosenPreference;
- if (! allowed)
+ if (!ss->chosenPreference)
ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
- /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
+ /* ssl3_cipher_suite_available_init was called in
+ * ssl2_ConstructCipherSpecs(). */
/* Ask how many ssl3 CipherSuites were enabled. */
rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
if (rv != SECSuccess || ssl3CipherCount <= 0) {
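Review bot: The new test `if (!ss->chosenPreference)` loses the implemented-suite mask that the old expression got from `allowedByPolicy`, which the removed ssl2_SetPolicy always ANDed with SSL_CB_IMPLEMENTED. Every other site touched in this file keeps the mask explicitly (`ss->chosenPreference & SSL_CB_IMPLEMENTED`). Unless chosenPreference is kept masked wherever it is written, which is not visible here, a socket with only unimplemented bits set would leave enableSSL2 on with no usable SSLv2 suite. I would write `if (!(ss->chosenPreference & SSL_CB_IMPLEMENTED))` to match the other sites. ssl2_CheckConfigSanity starts before and continues after this hunk.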
@@ -261,67 +255,6 @@ disabled:
/*
* Since this is a global (not per-socket) setting, we cannot use the
* HandshakeLock to protect this. Probably want a global lock.
- */
-SECStatus
-ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
-{
- PRUint32 bitMask;
- SECStatus rv = SECSuccess;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- return SECFailure;
- }
-
- if (policy == SSL_ALLOWED) {
- allowedByPolicy |= bitMask;
- maybeAllowedByPolicy |= bitMask;
- } else if (policy == SSL_RESTRICTED) {
- allowedByPolicy &= ~bitMask;
- maybeAllowedByPolicy |= bitMask;
- } else {
- allowedByPolicy &= ~bitMask;
- maybeAllowedByPolicy &= ~bitMask;
- }
- allowedByPolicy &= SSL_CB_IMPLEMENTED;
- maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED;
-
- policyWasSet = PR_TRUE;
- return rv;
-}
-
-SECStatus
-ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
-{
- PRUint32 bitMask;
- PRInt32 policy;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- /* Caller assures oPolicy is not null. */
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- *oPolicy = SSL_NOT_ALLOWED;
- return SECFailure;
- }
-
- if (maybeAllowedByPolicy & bitMask) {
- policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
- } else {
- policy = SSL_NOT_ALLOWED;
- }
-
- *oPolicy = policy;
- return SECSuccess;
-}
-
-/*
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this. Probably want a global lock.
* Called from SSL_CipherPrefSetDefault in sslsock.c
* These changes have no effect on any sslSockets already created.
*/
@@ -410,12 +343,10 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
}
-/* copy global default policy into socket. */
+/* copy global default cipher suite preferences into socket. */
void
-ssl2_InitSocketPolicy(sslSocket *ss)
+ssl2_InitSocketCipherSuites(sslSocket *ss)
{
- ss->allowedByPolicy = allowedByPolicy;
- ss->maybeAllowedByPolicy = maybeAllowedByPolicy;
ss->chosenPreference = chosenPreference;
}
@@ -1556,7 +1487,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
unsigned int dkLen; /* decrypted key length in bytes */
int modulusLen;
SECStatus rv;
- PRUint16 allowed; /* cipher kinds enabled and allowed by policy */
+ PRUint16 allowed; /* cipher kinds enabled */
PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES];
PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
@@ -1584,7 +1515,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
goto loser;
}
- allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
+ allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
if (!(allowed & (1 << cipher))) {
/* client chose a kind we don't allow! */
SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
@@ -1814,8 +1745,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss,
}
if (!ss->preferredCipher) {
- unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
- SSL_CB_IMPLEMENTED;
+ unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
if (allowed) {
preferred = implementedCipherSuites;
for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
index 90e9567c1..8d62d8c28 100644
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -263,17 +263,15 @@ struct sslBufferStr {
};
/*
-** SSL3 cipher suite policy and preference struct.
+** SSL3 cipher suite preference struct.
*/
typedef struct {
#if !defined(_WIN32)
unsigned int cipher_suite : 16;
- unsigned int policy : 8;
unsigned int enabled : 1;
unsigned int isPresent : 1;
#else
ssl3CipherSuite cipher_suite;
- PRUint8 policy;
unsigned char enabled : 1;
unsigned char isPresent : 1;
#endif
@@ -616,7 +614,6 @@ struct sslSessionIDStr {
ssl3CipherSuite cipherSuite;
SSLCompressionMethod compression;
- int policy;
ssl3SidKeys keys;
CK_MECHANISM_TYPE masterWrapMech;
/* mechanism used to wrap master secret */
@@ -896,10 +893,6 @@ struct ssl3StateStr {
CERTCertificateList *clientCertChain; /* used by client */
PRBool sendEmptyCert; /* used by client */
- int policy;
- /* This says what cipher suites we can do, and should
- * be either SSL_ALLOWED or SSL_RESTRICTED
- */
PLArenaPool * peerCertArena;
/* These are used to keep track of the peer CA */
void * peerCertChain;
@@ -1195,8 +1188,6 @@ const unsigned char * preferredCipher;
PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
- PRUint16 allowedByPolicy; /* copy of global policy bits. */
- PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
PRUint16 chosenPreference; /* SSL2 cipher preferences. */
sslHandshakingType handshaking;
@@ -1588,13 +1579,8 @@ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool
extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
-extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
-extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
-extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
-extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
-
-extern void ssl2_InitSocketPolicy(sslSocket *ss);
-extern void ssl3_InitSocketPolicy(sslSocket *ss);
+extern void ssl2_InitSocketCipherSuites(sslSocket *ss);
+extern void ssl3_InitSocketCipherSuites(sslSocket *ss);
extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
unsigned char *cs, int *size);
@@ -1730,9 +1716,9 @@ extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
extern void ssl_FreePRSocket(PRFileDesc *fd);
-/* Internal config function so SSL2 can initialize the present state of
- * various ciphers */
-extern int ssl3_config_match_init(sslSocket *);
+/* Internal config function so SSL3 can test the present state of various
+ * ciphers */
+extern int ssl3_cipher_suite_available_init(sslSocket *);
/* Create a new ref counted key pair object from two keys. */
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
index da4fbff90..593a03434 100644
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -21,88 +21,6 @@
#define SET_ERROR_CODE /* reminder */
-struct cipherPolicyStr {
- int cipher;
- unsigned char export; /* policy value for export policy */
- unsigned char france; /* policy value for france policy */
-};
-
-typedef struct cipherPolicyStr cipherPolicy;
-
-/* This table contains two preconfigured policies: Export and France.
-** It is used only by the functions NSS_SetDomesticPolicy,
-** NSS_SetExportPolicy, and NSS_SetFrancePolicy.
-** Order of entries is not important.
-*/
-static cipherPolicy ssl_ciphers[] = { /* Export France */
- { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
- { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED },
- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
-#endif /* NSS_ENABLE_ECC */
- { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
-};
-
static const sslSocketOps ssl_default_ops = { /* No SSL. */
ssl_DefConnect,
NULL,
@@ -284,9 +202,7 @@ ssl_DupSocket(sslSocket *os)
ss->cTimeout = os->cTimeout;
ss->dbHandle = os->dbHandle;
- /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
- ss->allowedByPolicy = os->allowedByPolicy;
- ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
+ /* copy ssl2&3 prefs, even if it's not selected (yet) */
ss->chosenPreference = os->chosenPreference;
PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
@@ -1163,62 +1079,23 @@ ssl_IsRemovedCipherSuite(PRInt32 suite)
}
}
-/* Part of the public NSS API.
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this. Probably want a global lock.
- */
SECStatus
SSL_SetPolicy(long which, int policy)
{
- if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
- /* one of the two old FIPS ciphers */
- if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
- which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
- else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
- which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
- }
- if (ssl_IsRemovedCipherSuite(which))
- return SECSuccess;
- return SSL_CipherPolicySet(which, policy);
+ return SECSuccess;
}
SECStatus
SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
{
- SECStatus rv = ssl_Init();
-
- if (rv != SECSuccess) {
- return rv;
- }
-
- if (ssl_IsRemovedCipherSuite(which)) {
- rv = SECSuccess;
- } else if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_SetPolicy(which, policy);
- } else {
- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
- }
- return rv;
+ return SECSuccess;
}
SECStatus
SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
{
- SECStatus rv;
-
- if (!oPolicy) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (ssl_IsRemovedCipherSuite(which)) {
- *oPolicy = SSL_NOT_ALLOWED;
- rv = SECSuccess;
- } else if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_GetPolicy(which, oPolicy);
- } else {
- rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
- }
- return rv;
+ *oPolicy = SSL_ALLOWED;
+ return SECSuccess;
}
/* Part of the public NSS API.
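Review bot: The new `SSL_CipherPolicyGet` body stores `*oPolicy = SSL_ALLOWED;` unconditionally, while the commit deletes the `if (!oPolicy)` check that used to fail with SEC_ERROR_INVALID_ARGS. A NULL out-pointer now faults inside a public entry point that is kept only for ABI compatibility. I would keep the guard ahead of the store: `if (!oPolicy) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. Separately, `SSL_SetPolicy` and `SSL_CipherPolicySet` now return SECSuccess for every input, including a request for SSL_NOT_ALLOWED, so a caller that relied on policy to keep a suite off gets no signal that nothing is restricted any more; a comment above them naming SSL_CipherPrefSet / SSL_CipherPrefSetDefault as the remaining control would help. The comment that starts on the hunk's last line continues outside it.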
@@ -1337,27 +1214,19 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
SECStatus
NSS_SetDomesticPolicy(void)
{
- SECStatus status = SECSuccess;
- cipherPolicy * policy;
-
- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
- status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
- if (status != SECSuccess)
- break;
- }
- return status;
+ return SECSuccess;
}
SECStatus
NSS_SetExportPolicy(void)
{
- return NSS_SetDomesticPolicy();
+ return SECSuccess;
}
SECStatus
NSS_SetFrancePolicy(void)
{
- return NSS_SetDomesticPolicy();
+ return SECSuccess;
}
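Review bot: `NSS_SetDomesticPolicy`, `NSS_SetExportPolicy` and `NSS_SetFrancePolicy` are reduced to a bare `return SECSuccess;` with no comment at the definitions saying that they are intentionally inert. This commit adds such a remark in ssl.h for SSL_CipherPolicySet/Get, and the same belongs above these three, e.g. `/* Deprecated: cipher suite policy is no longer enforced. Kept for ABI compatibility; always returns SECSuccess. */`. Without it, someone auditing an application's cipher configuration can read a successful call here as evidence that a policy is being applied.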
@@ -2981,8 +2850,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
ss->ephemeralECDHKeyPair = NULL;
ssl_ChooseOps(ss);
- ssl2_InitSocketPolicy(ss);
- ssl3_InitSocketPolicy(ss);
+ ssl2_InitSocketCipherSuites(ss);
+ ssl3_InitSocketCipherSuites(ss);
PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
if (makeLocks) {