authorTim Taubert <ttaubert@mozilla.com>2016-09-16 13:42:56 -0700
committerTim Taubert <ttaubert@mozilla.com>2016-09-16 13:42:56 -0700
commit6c214486e9ef0f7b8653dea24689e5491de959b6 (patch)
tree7d4d3f1347d05853217823b9b9710268e4193081 /cmd/selfserv
parent6efedbcb0d51f696cdb7a5d44f781e69e3ca5802 (diff)
Bug 1303224 - Remove the PKCS#11 bypass r=franziskus,mt
Diffstat (limited to 'cmd/selfserv')
-rw-r--r--cmd/selfserv/selfserv.c84
1 files changed, 3 insertions, 81 deletions
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index 03615d184..2e50907ec 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -178,8 +178,6 @@ PrintParameterUsage()
" All versions are enabled by default.\n"
" Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
" Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
- "-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
- "-q checks for bypassability\n"
"-D means disable Nagle delays in TCP\n"
"-R means disable detection of rollback from TLS to SSL3\n"
"-a configure server for SNI.\n"
@@ -795,9 +793,7 @@ static SSLVersionRange enabledVersions;
PRBool disableRollBack = PR_FALSE;
PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
-PRBool bypassPKCS11 = PR_FALSE;
PRBool disableLocking = PR_FALSE;
-PRBool testbypass = PR_FALSE;
PRBool enableSessionTickets = PR_FALSE;
PRBool enableCompression = PR_FALSE;
PRBool failedToNegotiateName = PR_FALSE;
@@ -1860,12 +1856,6 @@ server_main(
if (rv != SECSuccess) {
errExit("error enabling RollBack detection ");
}
- if (bypassPKCS11) {
- rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
- if (rv != SECSuccess) {
- errExit("error enabling PKCS11 bypass ");
- }
- }
if (disableLocking) {
rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, PR_TRUE);
if (rv != SECSuccess) {
@@ -2208,7 +2198,6 @@ main(int argc, char **argv)
PRBool debugCache = PR_FALSE; /* bug 90518 */
char emptyString[] = { "" };
char *certPrefix = emptyString;
- PRUint32 protos = 0;
SSL3Statistics *ssl3stats;
PRUint32 i;
secuPWData pwdata = { PW_NONE, 0 };
@@ -2225,10 +2214,10 @@ main(int argc, char **argv)
/* please keep this list of options in ASCII collating sequence.
** numbers, then capital letters, then lower case, alphabetical.
- ** XXX: 'E' and 'x' were used in the past, please leave some
- ** time before resuing those. */
+ ** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
+ ** in 3.28, please leave some time before resuing those. */
optstate = PL_CreateOptState(argc, argv,
- "2:A:BC:DGH:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:yz");
+ "2:A:C:DGH:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch (optstate->option) {
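Review bot: The rewritten comment on the new side still carries the original's typo "resuing"; since both comment lines are being replaced anyway, the second should read `** in 3.28, please leave some time before reusing those. */`. The optstring change itself looks right: `B` and `q` are the only letters dropped, so a stale invocation with `-B` or `-q` will now fall out of PL_GetNextOpt as a bad option rather than silently being accepted, which matches the intent of removing the bypass. It may be worth stating that explicitly in the comment so the next person does not re-add a no-op `-B` for "compatibility". The enclosing main() begins and ends outside this hunk.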
@@ -2240,10 +2229,6 @@ main(int argc, char **argv)
ocspStaplingCA = PORT_Strdup(optstate->value);
break;
- case 'B':
- bypassPKCS11 = PR_TRUE;
- break;
-
case 'C':
if (optstate->value)
NumSidCacheEntries = PORT_Atoi(optstate->value);
@@ -2403,10 +2388,6 @@ main(int argc, char **argv)
port = PORT_Atoi(optstate->value);
break;
- case 'q':
- testbypass = PR_TRUE;
- break;
-
case 'r':
++requestCert;
break;
@@ -2658,32 +2639,6 @@ main(int argc, char **argv)
PORT_Free(cstringSaved);
}
- if (testbypass) {
- const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
- int i = SSL_NumImplementedCiphers;
- PRBool enabled;
-
- for (i = 0; i < SSL_NumImplementedCiphers; i++, cipherSuites++) {
- if (SSL_CipherPrefGetDefault(*cipherSuites, &enabled) == SECSuccess &&
- enabled)
- savecipher(*cipherSuites);
- }
- protos = 0;
- if (enabledVersions.min <= SSL_LIBRARY_VERSION_3_0 &&
- enabledVersions.max >= SSL_LIBRARY_VERSION_3_0) {
- protos |= SSL_CBP_SSL3;
- }
- if (enabledVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
- enabledVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0) {
- protos |= SSL_CBP_TLS1_0;
- }
- /* TLS 1.1 has the same SSL Bypass mode requirements as TLS 1.0 */
- if (enabledVersions.min <= SSL_LIBRARY_VERSION_TLS_1_1 &&
- enabledVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1) {
- protos |= SSL_CBP_TLS1_0;
- }
- }
-
certStatusArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!certStatusArena)
errExit("cannot allocate certStatusArena");
@@ -2700,16 +2655,6 @@ main(int argc, char **argv)
nickName);
exit(11);
}
- if (testbypass) {
- PRBool bypassOK;
- if (SSL_CanBypass(cert[kt_rsa], privKey[kt_rsa], protos, cipherlist,
- nciphers, &bypassOK, &pwdata) != SECSuccess) {
- SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
- exit(14);
- }
- fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
- bypassOK ? "" : "not");
- }
setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_rsa], kt_rsa,
&pwdata);
}
@@ -2727,16 +2672,6 @@ main(int argc, char **argv)
dsaNickName);
exit(11);
}
- if (testbypass) {
- PRBool bypassOK;
- if (SSL_CanBypass(cert[ssl_kea_dh], privKey[ssl_kea_dh], protos, cipherlist,
- nciphers, &bypassOK, &pwdata) != SECSuccess) {
- SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
- exit(14);
- }
- fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
- bypassOK ? "" : "not");
- }
setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh,
&pwdata);
}
@@ -2754,24 +2689,11 @@ main(int argc, char **argv)
ecNickName);
exit(11);
}
- if (testbypass) {
- PRBool bypassOK;
- if (SSL_CanBypass(cert[kt_ecdh], privKey[kt_ecdh], protos, cipherlist,
- nciphers, &bypassOK, &pwdata) != SECSuccess) {
- SECU_PrintError(progName, "Bypass test failed %s\n", ecNickName);
- exit(15);
- }
- fprintf(stderr, "selfserv: %s can%s bypass\n", ecNickName,
- bypassOK ? "" : "not");
- }
setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_ecdh], kt_ecdh,
&pwdata);
}
#endif /* NSS_DISABLE_ECC */
- if (testbypass)
- goto cleanup;
-
if (configureWeakDHE > 0) {
fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n");
rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);