diff options
| author | John M. Schanck <jschanck@mozilla.com> | 2023-03-02 14:38:29 -0800 |
|---|---|---|
| committer | John M. Schanck <jschanck@mozilla.com> | 2023-03-02 14:38:29 -0800 |
| commit | fd8d15350f7560f35085b4b945eb3e34a0dfa708 (patch) | |
| tree | c66b55dc65ee34047a03113a0e98c24266e57727 /lib/ssl | |
| parent | 65aef21637ba6551e24933a4903f6e3b5c2e77a6 (diff) | |
| download | nss-hg-fd8d15350f7560f35085b4b945eb3e34a0dfa708.tar.gz | |
Backed out changeset 761e7d215e0a for causing gtest failuresNSS_3_89_BETA1
Diffstat (limited to 'lib/ssl')
| -rw-r--r-- | lib/ssl/ssl3con.c | 39 |
1 files changed, 10 insertions, 29 deletions
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index a2618e00c..867c13ee7 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -7450,8 +7450,7 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) SECItem dh_Ys = { siBuffer, NULL, 0 }; unsigned dh_p_bits; unsigned dh_g_bits; - PRInt32 minDH = 0; - PRInt32 optval; + PRInt32 minDH; SSL3Hashes hashes; SECItem signature = { siBuffer, NULL, 0 }; @@ -7462,12 +7461,9 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) if (rv != SECSuccess) { goto loser; /* malformed. */ } - rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); - if ((rv == SECSuccess) && (optval & NSS_KEY_SIZE_POLICY_SSL_FLAG)) { - (void)NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); - } - if (minDH <= 0) { + rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); + if (rv != SECSuccess || minDH <= 0) { minDH = SSL_DH_MIN_P_BITS; } dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p); @@ -11539,22 +11535,15 @@ SECStatus ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) { SECStatus rv; - PRUint32 minKey = 0; + PRUint32 minKey; PRInt32 optval; - PRBool usePolicyLength = PR_TRUE; - - rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); - if (rv == SECSuccess) { - usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG); - } ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey); switch (SECKEY_GetPublicKeyType(pubKey)) { case rsaKey: case rsaPssKey: case rsaOaepKey: - rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval) - : SECFailure; + rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval); if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11563,8 +11552,7 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) break; case dsaKey: - rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval) - : SECFailure; + rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval); if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11573,8 +11561,7 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) break; case dhKey: - rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval) - : SECFailure; + rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval); if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11583,15 +11570,9 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) break; case ecKey: - rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval) - : SECFailure; - if (rv == SECSuccess && optval > 0) { - minKey = (PRUint32)optval; - } else { - /* Don't check EC strength here on the understanding that we - * only support curves we like. */ - minKey = ss->sec.authKeyBits; - } + /* Don't check EC strength here on the understanding that we only + * support curves we like. */ + minKey = ss->sec.authKeyBits; break; default: |