author | Wan-Teh Chang <wtc@google.com> | 2013-06-10 13:49:06 -0700 |
---|---|---|
committer | Wan-Teh Chang <wtc@google.com> | 2013-06-10 13:49:06 -0700 |
commit | d6a5e10b55297b26aa8dbd1b17bda7a6cc10bae1 (patch) | |
tree | 305f4cc571a2a6018683b6cacc07c2e1d15c956e | |
parent | 72dd61be624b7d4c00b2c424d0d2f3786c30c079 (diff) | |
Bug 881427: Clean up the runtime check for ECC curve capabilities. NSS_3_15_1_BETA1
Fix typos in comments and minor variable and function name issues.
r=rrelyea.
-rw-r--r-- | lib/ssl/derive.c | 2 | ||||
-rw-r--r-- | lib/ssl/ssl3con.c | 2 | ||||
-rw-r--r-- | lib/ssl/ssl3ecc.c | 37 | ||||
-rw-r--r-- | lib/ssl/sslimpl.h | 4 |
4 files changed, 23 insertions, 22 deletions
diff --git a/lib/ssl/derive.c b/lib/ssl/derive.c index ccb454289..420e6781e 100644 --- a/lib/ssl/derive.c +++ b/lib/ssl/derive.c @@ -764,7 +764,7 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, ec_curve = ssl3_GetCurveWithECKeyStrength( - ssl3_GetSupportedECCCurveMask(NULL), + ssl3_GetSupportedECCurveMask(NULL), requiredECCbits); rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams); if (rv == SECFailure) { diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index 3c798ac5d..959f65b51 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -11123,7 +11123,7 @@ ssl3_InitState(sslSocket *ss) ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; #ifdef NSS_ENABLE_ECC - ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCCurveMask(ss); + ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss); #endif ssl_ReleaseSpecWriteLock(ss); diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c index f0d65d00c..65a428f9f 100644 --- a/lib/ssl/ssl3ecc.c +++ b/lib/ssl/ssl3ecc.c @@ -1053,14 +1053,14 @@ static const PRUint8 tlsECList[56] = { BE(24), BE(25) }; -static const PRUint8 ECPtFmt[6] = { +static const PRUint8 ecPtFmt[6] = { BE(11), /* Extension type */ BE( 2), /* octets that follow */ 1, /* octets that follow */ 0 /* uncompressed type only */ }; -/* This function already presumes we can do ECC, ssl_IsECCEnabled must be +/* This function already presumes we can do ECC, ssl3_IsECCEnabled must be * called before this function. It looks to see if we have a token which * is capable of doing smaller than SuiteB curves. If the token can, we * presume the token can do the whole SSL suite of curves. If it can't we 
@@ -1069,10 +1069,11 @@ static const PRUint8 ECPtFmt[6] = { static PRBool ssl3_SuiteBOnly(sslSocket *ss) { - /* look to see if we can handle certs less than 163 bits */ + /* See if we can support small curves (like 163). If not, assume we can + * only support Suite-B curves (P-256, P-384, P-521). */ PK11SlotInfo *slot = PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163, - ss ? ss->pkcs11PinArg : NULL); + ss ? ss->pkcs11PinArg : NULL); if (!slot) { /* nope, presume we can only do suite B */ @@ -1092,22 +1093,22 @@ ssl3_SendSupportedCurvesXtn( PRBool append, PRUint32 maxBytes) { - int ECListSize = 0; - const PRUint8 *ECList = NULL; + PRInt32 ecListSize = 0; + const PRUint8 *ecList = NULL; if (!ss || !ssl3_IsECCEnabled(ss)) return 0; if (ssl3_SuiteBOnly(ss)) { - ECListSize = sizeof (suiteBECList); - ECList = suiteBECList; + ecListSize = sizeof suiteBECList; + ecList = suiteBECList; } else { - ECListSize = sizeof (tlsECList); - ECList = tlsECList; + ecListSize = sizeof tlsECList; + ecList = tlsECList; } - if (append && maxBytes >= ECListSize) { - SECStatus rv = ssl3_AppendHandshake(ss, ECList, ECListSize); + if (append && maxBytes >= ecListSize) { + SECStatus rv = ssl3_AppendHandshake(ss, ecList, ecListSize); if (rv != SECSuccess) return -1; if (!ss->sec.isServer) { @@ -1116,11 +1117,11 @@ ssl3_SendSupportedCurvesXtn( ssl_elliptic_curves_xtn; } } - return ECListSize; + return ecListSize; } -PRInt32 -ssl3_GetSupportedECCCurveMask(sslSocket *ss) +PRUint32 +ssl3_GetSupportedECCurveMask(sslSocket *ss) { if (ssl3_SuiteBOnly(ss)) { return SSL3_SUITE_B_SUPPORTED_CURVES_MASK; @@ -1139,8 +1140,8 @@ ssl3_SendSupportedPointFormatsXtn( { if (!ss || !ssl3_IsECCEnabled(ss)) return 0; - if (append && maxBytes >= (sizeof ECPtFmt)) { - SECStatus rv = ssl3_AppendHandshake(ss, ECPtFmt, (sizeof ECPtFmt)); + if (append && maxBytes >= (sizeof ecPtFmt)) { + SECStatus rv = ssl3_AppendHandshake(ss, ecPtFmt, (sizeof ecPtFmt)); if (rv != SECSuccess) return -1; if (!ss->sec.isServer) { 
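Review bot: In ssl3_SendSupportedCurvesXtn the bounds test `maxBytes >= ecListSize` compares the PRUint32 `maxBytes` with the now-PRInt32 `ecListSize`, so the signed operand is implicitly converted to unsigned before the comparison. The value is only ever `sizeof suiteBECList` or `sizeof tlsECList`, so the result is correct today, but a length check that depends on an implicit signed-to-unsigned conversion is easy to break if the size ever comes from somewhere else. I would write `if (append && maxBytes >= (PRUint32)ecListSize) {` and keep the local signed, since the function also returns -1 on failure. The function's signature begins above the hunk.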
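Review bot: ssl3_GetSupportedECCurveMask now returns PRUint32, but nothing in this diff shows the types on the receiving side. `ss->ssl3.hs.negotiatedECCurves` in ssl3_InitState and the first parameter of ssl3_GetCurveWithECKeyStrength in SSL_CanBypass should both be PRUint32, so that the mask is never stored or tested as a signed value. The function also carries no comment, and SSL_CanBypass calls it with NULL, which works only because ssl3_SuiteBOnly guards with `ss ? ss->pkcs11PinArg : NULL`. I would add above the definition `/* Returns the bit mask of named curves we can negotiate; ss may be NULL. */`. The function body continues past the end of the hunk.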
@@ -1149,7 +1150,7 @@ ssl3_SendSupportedPointFormatsXtn( ssl_ec_point_formats_xtn; } } - return (sizeof ECPtFmt); + return (sizeof ecPtFmt); } /* Just make sure that the remote client supports uncompressed points, diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h index 4818b47d3..b0abfd597 100644 --- a/lib/ssl/sslimpl.h +++ b/lib/ssl/sslimpl.h @@ -142,7 +142,7 @@ typedef enum { SSLAppOpRead = 0, /* Mask of the 25 named curves we support. */ #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe -/* only 3 curves, suite B*/ +/* Mask of only 3 curves, suite B */ #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000 #ifndef BPB @@ -1499,7 +1499,7 @@ extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss); extern PRBool ssl3_IsECCEnabled(sslSocket *ss); extern SECStatus ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite); -extern PRInt32 ssl3_GetSupportedECCCurveMask(sslSocket *ss); +extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss); /* Macro for finding a curve equivalent in strength to RSA key's */ |