diff options
Diffstat (limited to 'security/nss/lib/ssl/sslsock.c')
-rw-r--r-- | security/nss/lib/ssl/sslsock.c | 475 |
1 files changed, 174 insertions, 301 deletions
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 4893cb9f9..99828c85b 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -11,7 +11,6 @@ #include "cert.h" #include "keyhi.h" #include "ssl.h" -#include "sslexp.h" #include "sslimpl.h" #include "sslproto.h" #include "nspr.h" @@ -80,7 +79,11 @@ static sslOptions ssl_defaults = { PR_FALSE, /* enableSignedCertTimestamps */ PR_FALSE, /* requireDHENamedGroups */ PR_FALSE, /* enable0RttData */ - PR_FALSE /* enableTls13CompatMode */ +#ifdef NSS_ENABLE_TLS13_SHORT_HEADERS + PR_TRUE /* enableShortHeaders */ +#else + PR_FALSE /* enableShortHeaders */ +#endif }; /* @@ -107,6 +110,7 @@ sslSessionIDLookupFunc ssl_sid_lookup; sslSessionIDCacheFunc ssl_sid_cache; sslSessionIDUncacheFunc ssl_sid_uncache; +static PRBool ssl_inited = PR_FALSE; static PRDescIdentity ssl_layer_id; PRBool locksEverDisabled; /* implicitly PR_FALSE */ @@ -118,7 +122,6 @@ FILE *ssl_trace_iob; #ifdef NSS_ALLOW_SSLKEYLOGFILE FILE *ssl_keylog_iob; -PZLock *ssl_keylog_lock; #endif char lockStatus[] = "Locks are ENABLED. "; @@ -297,7 +300,6 @@ ssl_DupSocket(sslSocket *os) if (ss->opt.useSecurity) { PRCList *cursor; - for (cursor = PR_NEXT_LINK(&os->serverCerts); cursor != &os->serverCerts; cursor = PR_NEXT_LINK(cursor)) { @@ -307,6 +309,7 @@ ssl_DupSocket(sslSocket *os) PR_APPEND_LINK(&sc->link, &ss->serverCerts); } + PR_INIT_CLIST(&ss->ephemeralKeyPairs); for (cursor = PR_NEXT_LINK(&os->ephemeralKeyPairs); cursor != &os->ephemeralKeyPairs; cursor = PR_NEXT_LINK(cursor)) { @@ -317,18 +320,6 @@ ssl_DupSocket(sslSocket *os) PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs); } - for (cursor = PR_NEXT_LINK(&os->extensionHooks); - cursor != &os->extensionHooks; - cursor = PR_NEXT_LINK(cursor)) { - sslCustomExtensionHooks *oh = (sslCustomExtensionHooks *)cursor; - sslCustomExtensionHooks *sh = PORT_ZNew(sslCustomExtensionHooks); - if (!sh) { - goto loser; - } - *sh = *oh; - PR_APPEND_LINK(&sh->link, &ss->extensionHooks); - } - /* * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. * XXX We should detect this, and not just march on with NULL pointers. @@ -363,7 +354,6 @@ ssl_DupSocket(sslSocket *os) goto loser; } } - return ss; loser: @@ -432,16 +422,9 @@ ssl_DestroySocketContents(sslSocket *ss) PR_REMOVE_LINK(cursor); ssl_FreeServerCert((sslServerCert *)cursor); } - - /* Remove extension handlers. */ - ssl_ClearPRCList(&ss->extensionHooks, NULL); - ssl_FreeEphemeralKeyPairs(ss); SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); ssl3_FreeSniNameArray(&ss->xtnData); - - ssl_ClearPRCList(&ss->ssl3.hs.dtlsSentHandshake, NULL); - ssl_ClearPRCList(&ss->ssl3.hs.dtlsRcvdHandshake, NULL); } /* @@ -518,7 +501,7 @@ PrepareSocket(sslSocket *ss) } SECStatus -SSL_Enable(PRFileDesc *fd, int which, PRIntn on) +SSL_Enable(PRFileDesc *fd, int which, PRBool on) { return SSL_OptionSet(fd, which, on); } @@ -530,9 +513,9 @@ static PRBool ssl_VersionIsSupportedByPolicy( * ssl.h in the section "SSL version range setting API". */ static void -ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable) +ssl_EnableTLS(SSLVersionRange *vrange, PRBool on) { - if (enable) { + if (on) { /* don't turn it on if tls1.0 disallowed by by policy */ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_0)) { @@ -540,14 +523,14 @@ ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable) } } if (SSL_ALL_VERSIONS_DISABLED(vrange)) { - if (enable) { + if (on) { vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; } /* else don't change anything */ return; } - if (enable) { + if (on) { /* Expand the range of enabled version to include TLS 1.0 */ vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0); @@ -567,9 +550,9 @@ ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable) * ssl.h in the section "SSL version range setting API". */ static void -ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable) +ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) { - if (enable) { + if (on) { /* don't turn it on if ssl3 disallowed by by policy */ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, SSL_LIBRARY_VERSION_3_0)) { @@ -577,14 +560,14 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable) } } if (SSL_ALL_VERSIONS_DISABLED(vrange)) { - if (enable) { + if (on) { vrange->min = SSL_LIBRARY_VERSION_3_0; vrange->max = SSL_LIBRARY_VERSION_3_0; } /* else don't change anything */ return; } - if (enable) { + if (on) { /* Expand the range of enabled versions to include SSL 3.0. We know * SSL 3.0 or some version of TLS is already enabled at this point, so * we don't need to change vrange->max. @@ -603,7 +586,7 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable) } SECStatus -SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) +SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) { sslSocket *ss = ssl_FindSocket(fd); SECStatus rv = SECSuccess; @@ -622,63 +605,63 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) case SSL_SOCKS: ss->opt.useSocks = PR_FALSE; rv = PrepareSocket(ss); - if (val) { + if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } break; case SSL_SECURITY: - ss->opt.useSecurity = val; + ss->opt.useSecurity = on; rv = PrepareSocket(ss); break; case SSL_REQUEST_CERTIFICATE: - ss->opt.requestCertificate = val; + ss->opt.requestCertificate = on; break; case SSL_REQUIRE_CERTIFICATE: - ss->opt.requireCertificate = val; + ss->opt.requireCertificate = on; break; case SSL_HANDSHAKE_AS_CLIENT: - if (ss->opt.handshakeAsServer && val) { + if (ss->opt.handshakeAsServer && on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; break; } - ss->opt.handshakeAsClient = val; + ss->opt.handshakeAsClient = on; break; case SSL_HANDSHAKE_AS_SERVER: - if (ss->opt.handshakeAsClient && val) { + if (ss->opt.handshakeAsClient && on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; break; } - ss->opt.handshakeAsServer = val; + ss->opt.handshakeAsServer = on; break; case SSL_ENABLE_TLS: if (IS_DTLS(ss)) { - if (val) { + if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } - ssl_EnableTLS(&ss->vrange, val); + ssl_EnableTLS(&ss->vrange, on); break; case SSL_ENABLE_SSL3: if (IS_DTLS(ss)) { - if (val) { + if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } - ssl_EnableSSL3(&ss->vrange, val); + ssl_EnableSSL3(&ss->vrange, on); break; case SSL_ENABLE_SSL2: @@ -687,26 +670,26 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) * However, if an old application requests to disable SSL v2, * we shouldn't fail. */ - if (val) { + if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } break; case SSL_NO_CACHE: - ss->opt.noCache = val; + ss->opt.noCache = on; break; case SSL_ENABLE_FDX: - if (val && ss->opt.noLocks) { + if (on && ss->opt.noLocks) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } - ss->opt.fdx = val; + ss->opt.fdx = on; break; case SSL_ROLLBACK_DETECTION: - ss->opt.detectRollBack = val; + ss->opt.detectRollBack = on; break; case SSL_NO_STEP_DOWN: @@ -716,14 +699,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) break; case SSL_NO_LOCKS: - if (val && ss->opt.fdx) { + if (on && ss->opt.fdx) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } - if (val && ssl_force_locks) - val = PR_FALSE; /* silent override */ - ss->opt.noLocks = val; - if (val) { + if (on && ssl_force_locks) + on = PR_FALSE; /* silent override */ + ss->opt.noLocks = on; + if (on) { locksEverDisabled = PR_TRUE; strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); } else if (!holdingLocks) { @@ -735,75 +718,71 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) break; case SSL_ENABLE_SESSION_TICKETS: - ss->opt.enableSessionTickets = val; + ss->opt.enableSessionTickets = on; break; case SSL_ENABLE_DEFLATE: - ss->opt.enableDeflate = val; + ss->opt.enableDeflate = on; break; case SSL_ENABLE_RENEGOTIATION: - if (IS_DTLS(ss) && val != SSL_RENEGOTIATE_NEVER) { + if (IS_DTLS(ss) && on != SSL_RENEGOTIATE_NEVER) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; break; } - ss->opt.enableRenegotiation = val; + ss->opt.enableRenegotiation = on; break; case SSL_REQUIRE_SAFE_NEGOTIATION: - ss->opt.requireSafeNegotiation = val; + ss->opt.requireSafeNegotiation = on; break; case SSL_ENABLE_FALSE_START: - ss->opt.enableFalseStart = val; + ss->opt.enableFalseStart = on; break; case SSL_CBC_RANDOM_IV: - ss->opt.cbcRandomIV = val; + ss->opt.cbcRandomIV = on; break; case SSL_ENABLE_OCSP_STAPLING: - ss->opt.enableOCSPStapling = val; + ss->opt.enableOCSPStapling = on; break; case SSL_ENABLE_NPN: break; case SSL_ENABLE_ALPN: - ss->opt.enableALPN = val; + ss->opt.enableALPN = on; break; case SSL_REUSE_SERVER_ECDHE_KEY: - ss->opt.reuseServerECDHEKey = val; + ss->opt.reuseServerECDHEKey = on; break; case SSL_ENABLE_FALLBACK_SCSV: - ss->opt.enableFallbackSCSV = val; + ss->opt.enableFallbackSCSV = on; break; case SSL_ENABLE_SERVER_DHE: - ss->opt.enableServerDhe = val; + ss->opt.enableServerDhe = on; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: - ss->opt.enableExtendedMS = val; + ss->opt.enableExtendedMS = on; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: - ss->opt.enableSignedCertTimestamps = val; + ss->opt.enableSignedCertTimestamps = on; break; case SSL_REQUIRE_DH_NAMED_GROUPS: - ss->opt.requireDHENamedGroups = val; + ss->opt.requireDHENamedGroups = on; break; case SSL_ENABLE_0RTT_DATA: - ss->opt.enable0RttData = val; - break; - - case SSL_ENABLE_TLS13_COMPAT_MODE: - ss->opt.enableTls13CompatMode = val; + ss->opt.enable0RttData = on; break; default: @@ -825,19 +804,19 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) } SECStatus -SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal) +SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) { sslSocket *ss = ssl_FindSocket(fd); SECStatus rv = SECSuccess; - PRIntn val = PR_FALSE; + PRBool on = PR_FALSE; - if (!pVal) { + if (!pOn) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); - *pVal = PR_FALSE; + *pOn = PR_FALSE; return SECFailure; } @@ -846,101 +825,98 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal) switch (which) { case SSL_SOCKS: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_SECURITY: - val = ss->opt.useSecurity; + on = ss->opt.useSecurity; break; case SSL_REQUEST_CERTIFICATE: - val = ss->opt.requestCertificate; + on = ss->opt.requestCertificate; break; case SSL_REQUIRE_CERTIFICATE: - val = ss->opt.requireCertificate; + on = ss->opt.requireCertificate; break; case SSL_HANDSHAKE_AS_CLIENT: - val = ss->opt.handshakeAsClient; + on = ss->opt.handshakeAsClient; break; case SSL_HANDSHAKE_AS_SERVER: - val = ss->opt.handshakeAsServer; + on = ss->opt.handshakeAsServer; break; case SSL_ENABLE_TLS: - val = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; + on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; break; case SSL_ENABLE_SSL3: - val = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; + on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; break; case SSL_ENABLE_SSL2: case SSL_V2_COMPATIBLE_HELLO: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_NO_CACHE: - val = ss->opt.noCache; + on = ss->opt.noCache; break; case SSL_ENABLE_FDX: - val = ss->opt.fdx; + on = ss->opt.fdx; break; case SSL_ROLLBACK_DETECTION: - val = ss->opt.detectRollBack; + on = ss->opt.detectRollBack; break; case SSL_NO_STEP_DOWN: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_BYPASS_PKCS11: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_NO_LOCKS: - val = ss->opt.noLocks; + on = ss->opt.noLocks; break; case SSL_ENABLE_SESSION_TICKETS: - val = ss->opt.enableSessionTickets; + on = ss->opt.enableSessionTickets; break; case SSL_ENABLE_DEFLATE: - val = ss->opt.enableDeflate; + on = ss->opt.enableDeflate; break; case SSL_ENABLE_RENEGOTIATION: - val = ss->opt.enableRenegotiation; + on = ss->opt.enableRenegotiation; break; case SSL_REQUIRE_SAFE_NEGOTIATION: - val = ss->opt.requireSafeNegotiation; + on = ss->opt.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: - val = ss->opt.enableFalseStart; + on = ss->opt.enableFalseStart; break; case SSL_CBC_RANDOM_IV: - val = ss->opt.cbcRandomIV; + on = ss->opt.cbcRandomIV; break; case SSL_ENABLE_OCSP_STAPLING: - val = ss->opt.enableOCSPStapling; + on = ss->opt.enableOCSPStapling; break; case SSL_ENABLE_NPN: - val = ss->opt.enableNPN; + on = ss->opt.enableNPN; break; case SSL_ENABLE_ALPN: - val = ss->opt.enableALPN; + on = ss->opt.enableALPN; break; case SSL_REUSE_SERVER_ECDHE_KEY: - val = ss->opt.reuseServerECDHEKey; + on = ss->opt.reuseServerECDHEKey; break; case SSL_ENABLE_FALLBACK_SCSV: - val = ss->opt.enableFallbackSCSV; + on = ss->opt.enableFallbackSCSV; break; case SSL_ENABLE_SERVER_DHE: - val = ss->opt.enableServerDhe; + on = ss->opt.enableServerDhe; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: - val = ss->opt.enableExtendedMS; + on = ss->opt.enableExtendedMS; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: - val = ss->opt.enableSignedCertTimestamps; + on = ss->opt.enableSignedCertTimestamps; break; case SSL_REQUIRE_DH_NAMED_GROUPS: - val = ss->opt.requireDHENamedGroups; + on = ss->opt.requireDHENamedGroups; break; case SSL_ENABLE_0RTT_DATA: - val = ss->opt.enable0RttData; - break; - case SSL_ENABLE_TLS13_COMPAT_MODE: - val = ss->opt.enableTls13CompatMode; + on = ss->opt.enable0RttData; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -950,17 +926,17 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal) ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); - *pVal = val; + *pOn = on; return rv; } SECStatus -SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal) +SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) { SECStatus rv = SECSuccess; - PRIntn val = PR_FALSE; + PRBool on = PR_FALSE; - if (!pVal) { + if (!pOn) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } @@ -969,117 +945,114 @@ SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal) switch (which) { case SSL_SOCKS: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_SECURITY: - val = ssl_defaults.useSecurity; + on = ssl_defaults.useSecurity; break; case SSL_REQUEST_CERTIFICATE: - val = ssl_defaults.requestCertificate; + on = ssl_defaults.requestCertificate; break; case SSL_REQUIRE_CERTIFICATE: - val = ssl_defaults.requireCertificate; + on = ssl_defaults.requireCertificate; break; case SSL_HANDSHAKE_AS_CLIENT: - val = ssl_defaults.handshakeAsClient; + on = ssl_defaults.handshakeAsClient; break; case SSL_HANDSHAKE_AS_SERVER: - val = ssl_defaults.handshakeAsServer; + on = ssl_defaults.handshakeAsServer; break; case SSL_ENABLE_TLS: - val = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; + on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; break; case SSL_ENABLE_SSL3: - val = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; + on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; break; case SSL_ENABLE_SSL2: case SSL_V2_COMPATIBLE_HELLO: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_NO_CACHE: - val = ssl_defaults.noCache; + on = ssl_defaults.noCache; break; case SSL_ENABLE_FDX: - val = ssl_defaults.fdx; + on = ssl_defaults.fdx; break; case SSL_ROLLBACK_DETECTION: - val = ssl_defaults.detectRollBack; + on = ssl_defaults.detectRollBack; break; case SSL_NO_STEP_DOWN: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_BYPASS_PKCS11: - val = PR_FALSE; + on = PR_FALSE; break; case SSL_NO_LOCKS: - val = ssl_defaults.noLocks; + on = ssl_defaults.noLocks; break; case SSL_ENABLE_SESSION_TICKETS: - val = ssl_defaults.enableSessionTickets; + on = ssl_defaults.enableSessionTickets; break; case SSL_ENABLE_DEFLATE: - val = ssl_defaults.enableDeflate; + on = ssl_defaults.enableDeflate; break; case SSL_ENABLE_RENEGOTIATION: - val = ssl_defaults.enableRenegotiation; + on = ssl_defaults.enableRenegotiation; break; case SSL_REQUIRE_SAFE_NEGOTIATION: - val = ssl_defaults.requireSafeNegotiation; + on = ssl_defaults.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: - val = ssl_defaults.enableFalseStart; + on = ssl_defaults.enableFalseStart; break; case SSL_CBC_RANDOM_IV: - val = ssl_defaults.cbcRandomIV; + on = ssl_defaults.cbcRandomIV; break; case SSL_ENABLE_OCSP_STAPLING: - val = ssl_defaults.enableOCSPStapling; + on = ssl_defaults.enableOCSPStapling; break; case SSL_ENABLE_NPN: - val = ssl_defaults.enableNPN; + on = ssl_defaults.enableNPN; break; case SSL_ENABLE_ALPN: - val = ssl_defaults.enableALPN; + on = ssl_defaults.enableALPN; break; case SSL_REUSE_SERVER_ECDHE_KEY: - val = ssl_defaults.reuseServerECDHEKey; + on = ssl_defaults.reuseServerECDHEKey; break; case SSL_ENABLE_FALLBACK_SCSV: - val = ssl_defaults.enableFallbackSCSV; + on = ssl_defaults.enableFallbackSCSV; break; case SSL_ENABLE_SERVER_DHE: - val = ssl_defaults.enableServerDhe; + on = ssl_defaults.enableServerDhe; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: - val = ssl_defaults.enableExtendedMS; + on = ssl_defaults.enableExtendedMS; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: - val = ssl_defaults.enableSignedCertTimestamps; + on = ssl_defaults.enableSignedCertTimestamps; break; case SSL_ENABLE_0RTT_DATA: - val = ssl_defaults.enable0RttData; - break; - case SSL_ENABLE_TLS13_COMPAT_MODE: - val = ssl_defaults.enableTls13CompatMode; + on = ssl_defaults.enable0RttData; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } - *pVal = val; + *pOn = on; return rv; } /* XXX Use Global Lock to protect this stuff. */ SECStatus -SSL_EnableDefault(int which, PRIntn val) +SSL_EnableDefault(int which, PRBool on) { - return SSL_OptionSetDefault(which, val); + return SSL_OptionSetDefault(which, on); } SECStatus -SSL_OptionSetDefault(PRInt32 which, PRIntn val) +SSL_OptionSetDefault(PRInt32 which, PRBool on) { SECStatus status = ssl_Init(); @@ -1092,46 +1065,46 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val) switch (which) { case SSL_SOCKS: ssl_defaults.useSocks = PR_FALSE; - if (val) { + if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } break; case SSL_SECURITY: - ssl_defaults.useSecurity = val; + ssl_defaults.useSecurity = on; break; case SSL_REQUEST_CERTIFICATE: - ssl_defaults.requestCertificate = val; + ssl_defaults.requestCertificate = on; break; case SSL_REQUIRE_CERTIFICATE: - ssl_defaults.requireCertificate = val; + ssl_defaults.requireCertificate = on; break; case SSL_HANDSHAKE_AS_CLIENT: - if (ssl_defaults.handshakeAsServer && val) { + if (ssl_defaults.handshakeAsServer && on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - ssl_defaults.handshakeAsClient = val; + ssl_defaults.handshakeAsClient = on; break; case SSL_HANDSHAKE_AS_SERVER: - if (ssl_defaults.handshakeAsClient && val) { + if (ssl_defaults.handshakeAsClient && on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - ssl_defaults.handshakeAsServer = val; + ssl_defaults.handshakeAsServer = on; break; case SSL_ENABLE_TLS: - ssl_EnableTLS(&versions_defaults_stream, val); + ssl_EnableTLS(&versions_defaults_stream, on); break; case SSL_ENABLE_SSL3: - ssl_EnableSSL3(&versions_defaults_stream, val); + ssl_EnableSSL3(&versions_defaults_stream, on); break; case SSL_ENABLE_SSL2: @@ -1140,26 +1113,26 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val) * However, if an old application requests to disable SSL v2, * we shouldn't fail. */ - if (val) { + if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } break; case SSL_NO_CACHE: - ssl_defaults.noCache = val; + ssl_defaults.noCache = on; break; case SSL_ENABLE_FDX: - if (val && ssl_defaults.noLocks) { + if (on && ssl_defaults.noLocks) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - ssl_defaults.fdx = val; + ssl_defaults.fdx = on; break; case SSL_ROLLBACK_DETECTION: - ssl_defaults.detectRollBack = val; + ssl_defaults.detectRollBack = on; break; case SSL_NO_STEP_DOWN: @@ -1169,80 +1142,76 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val) break; case SSL_NO_LOCKS: - if (val && ssl_defaults.fdx) { + if (on && ssl_defaults.fdx) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - if (val && ssl_force_locks) - val = PR_FALSE; /* silent override */ - ssl_defaults.noLocks = val; - if (val) { + if (on && ssl_force_locks) + on = PR_FALSE; /* silent override */ + ssl_defaults.noLocks = on; + if (on) { locksEverDisabled = PR_TRUE; strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); } break; case SSL_ENABLE_SESSION_TICKETS: - ssl_defaults.enableSessionTickets = val; + ssl_defaults.enableSessionTickets = on; break; case SSL_ENABLE_DEFLATE: - ssl_defaults.enableDeflate = val; + ssl_defaults.enableDeflate = on; break; case SSL_ENABLE_RENEGOTIATION: - ssl_defaults.enableRenegotiation = val; + ssl_defaults.enableRenegotiation = on; break; case SSL_REQUIRE_SAFE_NEGOTIATION: - ssl_defaults.requireSafeNegotiation = val; + ssl_defaults.requireSafeNegotiation = on; break; case SSL_ENABLE_FALSE_START: - ssl_defaults.enableFalseStart = val; + ssl_defaults.enableFalseStart = on; break; case SSL_CBC_RANDOM_IV: - ssl_defaults.cbcRandomIV = val; + ssl_defaults.cbcRandomIV = on; break; case SSL_ENABLE_OCSP_STAPLING: - ssl_defaults.enableOCSPStapling = val; + ssl_defaults.enableOCSPStapling = on; break; case SSL_ENABLE_NPN: break; case SSL_ENABLE_ALPN: - ssl_defaults.enableALPN = val; + ssl_defaults.enableALPN = on; break; case SSL_REUSE_SERVER_ECDHE_KEY: - ssl_defaults.reuseServerECDHEKey = val; + ssl_defaults.reuseServerECDHEKey = on; break; case SSL_ENABLE_FALLBACK_SCSV: - ssl_defaults.enableFallbackSCSV = val; + ssl_defaults.enableFallbackSCSV = on; break; case SSL_ENABLE_SERVER_DHE: - ssl_defaults.enableServerDhe = val; + ssl_defaults.enableServerDhe = on; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: - ssl_defaults.enableExtendedMS = val; + ssl_defaults.enableExtendedMS = on; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: - ssl_defaults.enableSignedCertTimestamps = val; + ssl_defaults.enableSignedCertTimestamps = on; break; case SSL_ENABLE_0RTT_DATA: - ssl_defaults.enable0RttData = val; - break; - - case SSL_ENABLE_TLS13_COMPAT_MODE: - ssl_defaults.enableTls13CompatMode = val; + ssl_defaults.enable0RttData = on; break; default: @@ -2155,25 +2124,6 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) return NULL; PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs); } - - while (!PR_CLIST_IS_EMPTY(&ss->extensionHooks)) { - cursor = PR_LIST_TAIL(&ss->extensionHooks); - PR_REMOVE_LINK(cursor); - PORT_Free(cursor); - } - for (cursor = PR_NEXT_LINK(&sm->extensionHooks); - cursor != &sm->extensionHooks; - cursor = PR_NEXT_LINK(cursor)) { - SECStatus rv; - sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor; - rv = SSL_InstallExtensionHooks(ss->fd, hook->type, - hook->writer, hook->writerArg, - hook->handler, hook->handlerArg); - if (rv != SECSuccess) { - return NULL; - } - } - PORT_Memcpy((void *)ss->namedGroupPreferences, sm->namedGroupPreferences, sizeof(ss->namedGroupPreferences)); @@ -2264,7 +2214,7 @@ ssl3_GetEffectiveVersionPolicy(SSLProtocolVariant variant, return SECSuccess; } -/* +/* * Assumes that rangeParam values are within the supported boundaries, * but should contain all potentially allowed versions, even if they contain * conflicting versions. @@ -3174,7 +3124,7 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, } blocking = ssl_FdIsBlocking(fd); -#define K16 ((int)sizeof(buf)) +#define K16 sizeof(buf) #define KILL_VECTORS \ while (vectors && !iov->iov_len) { \ ++iov; \ @@ -3461,6 +3411,7 @@ ssl_InitIOLayer(void) { ssl_layer_id = PR_GetUniqueIdentity("SSL"); ssl_SetupIOMethods(); + ssl_inited = PR_TRUE; return PR_SUCCESS; } @@ -3470,13 +3421,15 @@ ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) PRFileDesc *layer = NULL; PRStatus status; - status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); - if (status != PR_SUCCESS) { - goto loser; + if (!ssl_inited) { + status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); + if (status != PR_SUCCESS) + goto loser; } - if (ns == NULL) { + + if (ns == NULL) goto loser; - } + layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods); if (layer == NULL) goto loser; @@ -3589,12 +3542,6 @@ ssl_SetDefaultsFromEnvironment(void) ssl_keylog_iob); } SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); - ssl_keylog_lock = PR_NewLock(); - if (!ssl_keylog_lock) { - SSL_TRACE(("SSL: failed to create key log lock")); - fclose(ssl_keylog_iob); - ssl_keylog_iob = NULL; - } } } #endif @@ -3799,6 +3746,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) SECStatus rv; sslSocket *ss; int i; + ssl_SetDefaultsFromEnvironment(); if (ssl_force_locks) @@ -3829,7 +3777,6 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) PR_INIT_CLIST(&ss->serverCerts); PR_INIT_CLIST(&ss->ephemeralKeyPairs); - PR_INIT_CLIST(&ss->extensionHooks); ss->dbHandle = CERT_GetDefaultCertDB(); @@ -3857,11 +3804,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs); PR_INIT_CLIST(&ss->ssl3.hs.bufferedEarlyData); - ssl3_InitExtensionData(&ss->xtnData, ss); - PR_INIT_CLIST(&ss->ssl3.hs.dtlsSentHandshake); - PR_INIT_CLIST(&ss->ssl3.hs.dtlsRcvdHandshake); - dtls_InitTimers(ss); - + ssl3_InitExtensionData(&ss->xtnData); if (makeLocks) { rv = ssl_MakeLocks(ss); if (rv != SECSuccess) @@ -3873,10 +3816,6 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) rv = ssl3_InitGather(&ss->gs); if (rv != SECSuccess) goto loser; - rv = ssl3_InitState(ss); - if (rv != SECSuccess) { - goto loser; - } return ss; loser: @@ -3901,69 +3840,3 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, *pcanbypass = PR_FALSE; return SECSuccess; } - -/* Functions that are truly experimental use EXP, functions that are no longer - * experimental use PUB. - * - * When initially defining a new API, add that API here using the EXP() macro - * and name the function with a SSLExp_ prefix. Define the experimental API as - * a macro in sslexp.h using the SSL_EXPERIMENTAL_API() macro defined there. - * - * Once an API is stable and proven, move the macro definition in sslexp.h to a - * proper function declaration in ssl.h. Keeping the function in this list - * ensures that code built against the release that contained the experimental - * API will continue to work; use PUB() to reference the public function. - */ -#define EXP(n) \ - { \ - "SSL_" #n, SSLExp_##n \ - } -#define PUB(n) \ - { \ - "SSL_" #n, SSL_##n \ - } -struct { - const char *const name; - void *function; -} ssl_experimental_functions[] = { -#ifndef SSL_DISABLE_EXPERIMENTAL_API - EXP(GetExtensionSupport), - EXP(HelloRetryRequestCallback), - EXP(InstallExtensionHooks), - EXP(KeyUpdate), - EXP(SendSessionTicket), - EXP(SetupAntiReplay), -#endif - { "", NULL } -}; -#undef EXP -#undef PUB - -void * -SSL_GetExperimentalAPI(const char *name) -{ - unsigned int i; - for (i = 0; i < PR_ARRAY_SIZE(ssl_experimental_functions); ++i) { - if (strcmp(name, ssl_experimental_functions[i].name) == 0) { - return ssl_experimental_functions[i].function; - } - } - PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); - return NULL; -} - -void -ssl_ClearPRCList(PRCList *list, void (*f)(void *)) -{ - PRCList *cursor; - - while (!PR_CLIST_IS_EMPTY(list)) { - cursor = PR_LIST_TAIL(list); - - PR_REMOVE_LINK(cursor); - if (f) { - f(cursor); - } - PORT_Free(cursor); - } -} |