summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/ssl/sslsock.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/ssl/sslsock.c')
-rw-r--r--security/nss/lib/ssl/sslsock.c475
1 files changed, 174 insertions, 301 deletions
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 4893cb9f9..99828c85b 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -11,7 +11,6 @@
#include "cert.h"
#include "keyhi.h"
#include "ssl.h"
-#include "sslexp.h"
#include "sslimpl.h"
#include "sslproto.h"
#include "nspr.h"
@@ -80,7 +79,11 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* enableSignedCertTimestamps */
PR_FALSE, /* requireDHENamedGroups */
PR_FALSE, /* enable0RttData */
- PR_FALSE /* enableTls13CompatMode */
+#ifdef NSS_ENABLE_TLS13_SHORT_HEADERS
+ PR_TRUE /* enableShortHeaders */
+#else
+ PR_FALSE /* enableShortHeaders */
+#endif
};
/*
@@ -107,6 +110,7 @@ sslSessionIDLookupFunc ssl_sid_lookup;
sslSessionIDCacheFunc ssl_sid_cache;
sslSessionIDUncacheFunc ssl_sid_uncache;
+static PRBool ssl_inited = PR_FALSE;
static PRDescIdentity ssl_layer_id;
PRBool locksEverDisabled; /* implicitly PR_FALSE */
@@ -118,7 +122,6 @@ FILE *ssl_trace_iob;
#ifdef NSS_ALLOW_SSLKEYLOGFILE
FILE *ssl_keylog_iob;
-PZLock *ssl_keylog_lock;
#endif
char lockStatus[] = "Locks are ENABLED. ";
@@ -297,7 +300,6 @@ ssl_DupSocket(sslSocket *os)
if (ss->opt.useSecurity) {
PRCList *cursor;
-
for (cursor = PR_NEXT_LINK(&os->serverCerts);
cursor != &os->serverCerts;
cursor = PR_NEXT_LINK(cursor)) {
@@ -307,6 +309,7 @@ ssl_DupSocket(sslSocket *os)
PR_APPEND_LINK(&sc->link, &ss->serverCerts);
}
+ PR_INIT_CLIST(&ss->ephemeralKeyPairs);
for (cursor = PR_NEXT_LINK(&os->ephemeralKeyPairs);
cursor != &os->ephemeralKeyPairs;
cursor = PR_NEXT_LINK(cursor)) {
@@ -317,18 +320,6 @@ ssl_DupSocket(sslSocket *os)
PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs);
}
- for (cursor = PR_NEXT_LINK(&os->extensionHooks);
- cursor != &os->extensionHooks;
- cursor = PR_NEXT_LINK(cursor)) {
- sslCustomExtensionHooks *oh = (sslCustomExtensionHooks *)cursor;
- sslCustomExtensionHooks *sh = PORT_ZNew(sslCustomExtensionHooks);
- if (!sh) {
- goto loser;
- }
- *sh = *oh;
- PR_APPEND_LINK(&sh->link, &ss->extensionHooks);
- }
-
/*
* XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
* XXX We should detect this, and not just march on with NULL pointers.
@@ -363,7 +354,6 @@ ssl_DupSocket(sslSocket *os)
goto loser;
}
}
-
return ss;
loser:
@@ -432,16 +422,9 @@ ssl_DestroySocketContents(sslSocket *ss)
PR_REMOVE_LINK(cursor);
ssl_FreeServerCert((sslServerCert *)cursor);
}
-
- /* Remove extension handlers. */
- ssl_ClearPRCList(&ss->extensionHooks, NULL);
-
ssl_FreeEphemeralKeyPairs(ss);
SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
ssl3_FreeSniNameArray(&ss->xtnData);
-
- ssl_ClearPRCList(&ss->ssl3.hs.dtlsSentHandshake, NULL);
- ssl_ClearPRCList(&ss->ssl3.hs.dtlsRcvdHandshake, NULL);
}
/*
@@ -518,7 +501,7 @@ PrepareSocket(sslSocket *ss)
}
SECStatus
-SSL_Enable(PRFileDesc *fd, int which, PRIntn on)
+SSL_Enable(PRFileDesc *fd, int which, PRBool on)
{
return SSL_OptionSet(fd, which, on);
}
@@ -530,9 +513,9 @@ static PRBool ssl_VersionIsSupportedByPolicy(
* ssl.h in the section "SSL version range setting API".
*/
static void
-ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable)
+ssl_EnableTLS(SSLVersionRange *vrange, PRBool on)
{
- if (enable) {
+ if (on) {
/* don't turn it on if tls1.0 disallowed by by policy */
if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
SSL_LIBRARY_VERSION_TLS_1_0)) {
@@ -540,14 +523,14 @@ ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable)
}
}
if (SSL_ALL_VERSIONS_DISABLED(vrange)) {
- if (enable) {
+ if (on) {
vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
vrange->max = SSL_LIBRARY_VERSION_TLS_1_0;
} /* else don't change anything */
return;
}
- if (enable) {
+ if (on) {
/* Expand the range of enabled version to include TLS 1.0 */
vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0);
@@ -567,9 +550,9 @@ ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable)
* ssl.h in the section "SSL version range setting API".
*/
static void
-ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable)
+ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
{
- if (enable) {
+ if (on) {
/* don't turn it on if ssl3 disallowed by by policy */
if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream,
SSL_LIBRARY_VERSION_3_0)) {
@@ -577,14 +560,14 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable)
}
}
if (SSL_ALL_VERSIONS_DISABLED(vrange)) {
- if (enable) {
+ if (on) {
vrange->min = SSL_LIBRARY_VERSION_3_0;
vrange->max = SSL_LIBRARY_VERSION_3_0;
} /* else don't change anything */
return;
}
- if (enable) {
+ if (on) {
/* Expand the range of enabled versions to include SSL 3.0. We know
* SSL 3.0 or some version of TLS is already enabled at this point, so
* we don't need to change vrange->max.
@@ -603,7 +586,7 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable)
}
SECStatus
-SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
+SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
{
sslSocket *ss = ssl_FindSocket(fd);
SECStatus rv = SECSuccess;
@@ -622,63 +605,63 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
case SSL_SOCKS:
ss->opt.useSocks = PR_FALSE;
rv = PrepareSocket(ss);
- if (val) {
+ if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
break;
case SSL_SECURITY:
- ss->opt.useSecurity = val;
+ ss->opt.useSecurity = on;
rv = PrepareSocket(ss);
break;
case SSL_REQUEST_CERTIFICATE:
- ss->opt.requestCertificate = val;
+ ss->opt.requestCertificate = on;
break;
case SSL_REQUIRE_CERTIFICATE:
- ss->opt.requireCertificate = val;
+ ss->opt.requireCertificate = on;
break;
case SSL_HANDSHAKE_AS_CLIENT:
- if (ss->opt.handshakeAsServer && val) {
+ if (ss->opt.handshakeAsServer && on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
break;
}
- ss->opt.handshakeAsClient = val;
+ ss->opt.handshakeAsClient = on;
break;
case SSL_HANDSHAKE_AS_SERVER:
- if (ss->opt.handshakeAsClient && val) {
+ if (ss->opt.handshakeAsClient && on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
break;
}
- ss->opt.handshakeAsServer = val;
+ ss->opt.handshakeAsServer = on;
break;
case SSL_ENABLE_TLS:
if (IS_DTLS(ss)) {
- if (val) {
+ if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure; /* not allowed */
}
break;
}
- ssl_EnableTLS(&ss->vrange, val);
+ ssl_EnableTLS(&ss->vrange, on);
break;
case SSL_ENABLE_SSL3:
if (IS_DTLS(ss)) {
- if (val) {
+ if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure; /* not allowed */
}
break;
}
- ssl_EnableSSL3(&ss->vrange, val);
+ ssl_EnableSSL3(&ss->vrange, on);
break;
case SSL_ENABLE_SSL2:
@@ -687,26 +670,26 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
* However, if an old application requests to disable SSL v2,
* we shouldn't fail.
*/
- if (val) {
+ if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
break;
case SSL_NO_CACHE:
- ss->opt.noCache = val;
+ ss->opt.noCache = on;
break;
case SSL_ENABLE_FDX:
- if (val && ss->opt.noLocks) {
+ if (on && ss->opt.noLocks) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
- ss->opt.fdx = val;
+ ss->opt.fdx = on;
break;
case SSL_ROLLBACK_DETECTION:
- ss->opt.detectRollBack = val;
+ ss->opt.detectRollBack = on;
break;
case SSL_NO_STEP_DOWN:
@@ -716,14 +699,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
break;
case SSL_NO_LOCKS:
- if (val && ss->opt.fdx) {
+ if (on && ss->opt.fdx) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
- if (val && ssl_force_locks)
- val = PR_FALSE; /* silent override */
- ss->opt.noLocks = val;
- if (val) {
+ if (on && ssl_force_locks)
+ on = PR_FALSE; /* silent override */
+ ss->opt.noLocks = on;
+ if (on) {
locksEverDisabled = PR_TRUE;
strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
} else if (!holdingLocks) {
@@ -735,75 +718,71 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
break;
case SSL_ENABLE_SESSION_TICKETS:
- ss->opt.enableSessionTickets = val;
+ ss->opt.enableSessionTickets = on;
break;
case SSL_ENABLE_DEFLATE:
- ss->opt.enableDeflate = val;
+ ss->opt.enableDeflate = on;
break;
case SSL_ENABLE_RENEGOTIATION:
- if (IS_DTLS(ss) && val != SSL_RENEGOTIATE_NEVER) {
+ if (IS_DTLS(ss) && on != SSL_RENEGOTIATE_NEVER) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
break;
}
- ss->opt.enableRenegotiation = val;
+ ss->opt.enableRenegotiation = on;
break;
case SSL_REQUIRE_SAFE_NEGOTIATION:
- ss->opt.requireSafeNegotiation = val;
+ ss->opt.requireSafeNegotiation = on;
break;
case SSL_ENABLE_FALSE_START:
- ss->opt.enableFalseStart = val;
+ ss->opt.enableFalseStart = on;
break;
case SSL_CBC_RANDOM_IV:
- ss->opt.cbcRandomIV = val;
+ ss->opt.cbcRandomIV = on;
break;
case SSL_ENABLE_OCSP_STAPLING:
- ss->opt.enableOCSPStapling = val;
+ ss->opt.enableOCSPStapling = on;
break;
case SSL_ENABLE_NPN:
break;
case SSL_ENABLE_ALPN:
- ss->opt.enableALPN = val;
+ ss->opt.enableALPN = on;
break;
case SSL_REUSE_SERVER_ECDHE_KEY:
- ss->opt.reuseServerECDHEKey = val;
+ ss->opt.reuseServerECDHEKey = on;
break;
case SSL_ENABLE_FALLBACK_SCSV:
- ss->opt.enableFallbackSCSV = val;
+ ss->opt.enableFallbackSCSV = on;
break;
case SSL_ENABLE_SERVER_DHE:
- ss->opt.enableServerDhe = val;
+ ss->opt.enableServerDhe = on;
break;
case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- ss->opt.enableExtendedMS = val;
+ ss->opt.enableExtendedMS = on;
break;
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- ss->opt.enableSignedCertTimestamps = val;
+ ss->opt.enableSignedCertTimestamps = on;
break;
case SSL_REQUIRE_DH_NAMED_GROUPS:
- ss->opt.requireDHENamedGroups = val;
+ ss->opt.requireDHENamedGroups = on;
break;
case SSL_ENABLE_0RTT_DATA:
- ss->opt.enable0RttData = val;
- break;
-
- case SSL_ENABLE_TLS13_COMPAT_MODE:
- ss->opt.enableTls13CompatMode = val;
+ ss->opt.enable0RttData = on;
break;
default:
@@ -825,19 +804,19 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
}
SECStatus
-SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal)
+SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
{
sslSocket *ss = ssl_FindSocket(fd);
SECStatus rv = SECSuccess;
- PRIntn val = PR_FALSE;
+ PRBool on = PR_FALSE;
- if (!pVal) {
+ if (!pOn) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
- *pVal = PR_FALSE;
+ *pOn = PR_FALSE;
return SECFailure;
}
@@ -846,101 +825,98 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal)
switch (which) {
case SSL_SOCKS:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_SECURITY:
- val = ss->opt.useSecurity;
+ on = ss->opt.useSecurity;
break;
case SSL_REQUEST_CERTIFICATE:
- val = ss->opt.requestCertificate;
+ on = ss->opt.requestCertificate;
break;
case SSL_REQUIRE_CERTIFICATE:
- val = ss->opt.requireCertificate;
+ on = ss->opt.requireCertificate;
break;
case SSL_HANDSHAKE_AS_CLIENT:
- val = ss->opt.handshakeAsClient;
+ on = ss->opt.handshakeAsClient;
break;
case SSL_HANDSHAKE_AS_SERVER:
- val = ss->opt.handshakeAsServer;
+ on = ss->opt.handshakeAsServer;
break;
case SSL_ENABLE_TLS:
- val = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
break;
case SSL_ENABLE_SSL3:
- val = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+ on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
break;
case SSL_ENABLE_SSL2:
case SSL_V2_COMPATIBLE_HELLO:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_NO_CACHE:
- val = ss->opt.noCache;
+ on = ss->opt.noCache;
break;
case SSL_ENABLE_FDX:
- val = ss->opt.fdx;
+ on = ss->opt.fdx;
break;
case SSL_ROLLBACK_DETECTION:
- val = ss->opt.detectRollBack;
+ on = ss->opt.detectRollBack;
break;
case SSL_NO_STEP_DOWN:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_BYPASS_PKCS11:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_NO_LOCKS:
- val = ss->opt.noLocks;
+ on = ss->opt.noLocks;
break;
case SSL_ENABLE_SESSION_TICKETS:
- val = ss->opt.enableSessionTickets;
+ on = ss->opt.enableSessionTickets;
break;
case SSL_ENABLE_DEFLATE:
- val = ss->opt.enableDeflate;
+ on = ss->opt.enableDeflate;
break;
case SSL_ENABLE_RENEGOTIATION:
- val = ss->opt.enableRenegotiation;
+ on = ss->opt.enableRenegotiation;
break;
case SSL_REQUIRE_SAFE_NEGOTIATION:
- val = ss->opt.requireSafeNegotiation;
+ on = ss->opt.requireSafeNegotiation;
break;
case SSL_ENABLE_FALSE_START:
- val = ss->opt.enableFalseStart;
+ on = ss->opt.enableFalseStart;
break;
case SSL_CBC_RANDOM_IV:
- val = ss->opt.cbcRandomIV;
+ on = ss->opt.cbcRandomIV;
break;
case SSL_ENABLE_OCSP_STAPLING:
- val = ss->opt.enableOCSPStapling;
+ on = ss->opt.enableOCSPStapling;
break;
case SSL_ENABLE_NPN:
- val = ss->opt.enableNPN;
+ on = ss->opt.enableNPN;
break;
case SSL_ENABLE_ALPN:
- val = ss->opt.enableALPN;
+ on = ss->opt.enableALPN;
break;
case SSL_REUSE_SERVER_ECDHE_KEY:
- val = ss->opt.reuseServerECDHEKey;
+ on = ss->opt.reuseServerECDHEKey;
break;
case SSL_ENABLE_FALLBACK_SCSV:
- val = ss->opt.enableFallbackSCSV;
+ on = ss->opt.enableFallbackSCSV;
break;
case SSL_ENABLE_SERVER_DHE:
- val = ss->opt.enableServerDhe;
+ on = ss->opt.enableServerDhe;
break;
case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- val = ss->opt.enableExtendedMS;
+ on = ss->opt.enableExtendedMS;
break;
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- val = ss->opt.enableSignedCertTimestamps;
+ on = ss->opt.enableSignedCertTimestamps;
break;
case SSL_REQUIRE_DH_NAMED_GROUPS:
- val = ss->opt.requireDHENamedGroups;
+ on = ss->opt.requireDHENamedGroups;
break;
case SSL_ENABLE_0RTT_DATA:
- val = ss->opt.enable0RttData;
- break;
- case SSL_ENABLE_TLS13_COMPAT_MODE:
- val = ss->opt.enableTls13CompatMode;
+ on = ss->opt.enable0RttData;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -950,17 +926,17 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal)
ssl_ReleaseSSL3HandshakeLock(ss);
ssl_Release1stHandshakeLock(ss);
- *pVal = val;
+ *pOn = on;
return rv;
}
SECStatus
-SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal)
+SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
{
SECStatus rv = SECSuccess;
- PRIntn val = PR_FALSE;
+ PRBool on = PR_FALSE;
- if (!pVal) {
+ if (!pOn) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -969,117 +945,114 @@ SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal)
switch (which) {
case SSL_SOCKS:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_SECURITY:
- val = ssl_defaults.useSecurity;
+ on = ssl_defaults.useSecurity;
break;
case SSL_REQUEST_CERTIFICATE:
- val = ssl_defaults.requestCertificate;
+ on = ssl_defaults.requestCertificate;
break;
case SSL_REQUIRE_CERTIFICATE:
- val = ssl_defaults.requireCertificate;
+ on = ssl_defaults.requireCertificate;
break;
case SSL_HANDSHAKE_AS_CLIENT:
- val = ssl_defaults.handshakeAsClient;
+ on = ssl_defaults.handshakeAsClient;
break;
case SSL_HANDSHAKE_AS_SERVER:
- val = ssl_defaults.handshakeAsServer;
+ on = ssl_defaults.handshakeAsServer;
break;
case SSL_ENABLE_TLS:
- val = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
break;
case SSL_ENABLE_SSL3:
- val = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+ on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
break;
case SSL_ENABLE_SSL2:
case SSL_V2_COMPATIBLE_HELLO:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_NO_CACHE:
- val = ssl_defaults.noCache;
+ on = ssl_defaults.noCache;
break;
case SSL_ENABLE_FDX:
- val = ssl_defaults.fdx;
+ on = ssl_defaults.fdx;
break;
case SSL_ROLLBACK_DETECTION:
- val = ssl_defaults.detectRollBack;
+ on = ssl_defaults.detectRollBack;
break;
case SSL_NO_STEP_DOWN:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_BYPASS_PKCS11:
- val = PR_FALSE;
+ on = PR_FALSE;
break;
case SSL_NO_LOCKS:
- val = ssl_defaults.noLocks;
+ on = ssl_defaults.noLocks;
break;
case SSL_ENABLE_SESSION_TICKETS:
- val = ssl_defaults.enableSessionTickets;
+ on = ssl_defaults.enableSessionTickets;
break;
case SSL_ENABLE_DEFLATE:
- val = ssl_defaults.enableDeflate;
+ on = ssl_defaults.enableDeflate;
break;
case SSL_ENABLE_RENEGOTIATION:
- val = ssl_defaults.enableRenegotiation;
+ on = ssl_defaults.enableRenegotiation;
break;
case SSL_REQUIRE_SAFE_NEGOTIATION:
- val = ssl_defaults.requireSafeNegotiation;
+ on = ssl_defaults.requireSafeNegotiation;
break;
case SSL_ENABLE_FALSE_START:
- val = ssl_defaults.enableFalseStart;
+ on = ssl_defaults.enableFalseStart;
break;
case SSL_CBC_RANDOM_IV:
- val = ssl_defaults.cbcRandomIV;
+ on = ssl_defaults.cbcRandomIV;
break;
case SSL_ENABLE_OCSP_STAPLING:
- val = ssl_defaults.enableOCSPStapling;
+ on = ssl_defaults.enableOCSPStapling;
break;
case SSL_ENABLE_NPN:
- val = ssl_defaults.enableNPN;
+ on = ssl_defaults.enableNPN;
break;
case SSL_ENABLE_ALPN:
- val = ssl_defaults.enableALPN;
+ on = ssl_defaults.enableALPN;
break;
case SSL_REUSE_SERVER_ECDHE_KEY:
- val = ssl_defaults.reuseServerECDHEKey;
+ on = ssl_defaults.reuseServerECDHEKey;
break;
case SSL_ENABLE_FALLBACK_SCSV:
- val = ssl_defaults.enableFallbackSCSV;
+ on = ssl_defaults.enableFallbackSCSV;
break;
case SSL_ENABLE_SERVER_DHE:
- val = ssl_defaults.enableServerDhe;
+ on = ssl_defaults.enableServerDhe;
break;
case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- val = ssl_defaults.enableExtendedMS;
+ on = ssl_defaults.enableExtendedMS;
break;
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- val = ssl_defaults.enableSignedCertTimestamps;
+ on = ssl_defaults.enableSignedCertTimestamps;
break;
case SSL_ENABLE_0RTT_DATA:
- val = ssl_defaults.enable0RttData;
- break;
- case SSL_ENABLE_TLS13_COMPAT_MODE:
- val = ssl_defaults.enableTls13CompatMode;
+ on = ssl_defaults.enable0RttData;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
- *pVal = val;
+ *pOn = on;
return rv;
}
/* XXX Use Global Lock to protect this stuff. */
SECStatus
-SSL_EnableDefault(int which, PRIntn val)
+SSL_EnableDefault(int which, PRBool on)
{
- return SSL_OptionSetDefault(which, val);
+ return SSL_OptionSetDefault(which, on);
}
SECStatus
-SSL_OptionSetDefault(PRInt32 which, PRIntn val)
+SSL_OptionSetDefault(PRInt32 which, PRBool on)
{
SECStatus status = ssl_Init();
@@ -1092,46 +1065,46 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val)
switch (which) {
case SSL_SOCKS:
ssl_defaults.useSocks = PR_FALSE;
- if (val) {
+ if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
break;
case SSL_SECURITY:
- ssl_defaults.useSecurity = val;
+ ssl_defaults.useSecurity = on;
break;
case SSL_REQUEST_CERTIFICATE:
- ssl_defaults.requestCertificate = val;
+ ssl_defaults.requestCertificate = on;
break;
case SSL_REQUIRE_CERTIFICATE:
- ssl_defaults.requireCertificate = val;
+ ssl_defaults.requireCertificate = on;
break;
case SSL_HANDSHAKE_AS_CLIENT:
- if (ssl_defaults.handshakeAsServer && val) {
+ if (ssl_defaults.handshakeAsServer && on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
- ssl_defaults.handshakeAsClient = val;
+ ssl_defaults.handshakeAsClient = on;
break;
case SSL_HANDSHAKE_AS_SERVER:
- if (ssl_defaults.handshakeAsClient && val) {
+ if (ssl_defaults.handshakeAsClient && on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
- ssl_defaults.handshakeAsServer = val;
+ ssl_defaults.handshakeAsServer = on;
break;
case SSL_ENABLE_TLS:
- ssl_EnableTLS(&versions_defaults_stream, val);
+ ssl_EnableTLS(&versions_defaults_stream, on);
break;
case SSL_ENABLE_SSL3:
- ssl_EnableSSL3(&versions_defaults_stream, val);
+ ssl_EnableSSL3(&versions_defaults_stream, on);
break;
case SSL_ENABLE_SSL2:
@@ -1140,26 +1113,26 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val)
* However, if an old application requests to disable SSL v2,
* we shouldn't fail.
*/
- if (val) {
+ if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
break;
case SSL_NO_CACHE:
- ssl_defaults.noCache = val;
+ ssl_defaults.noCache = on;
break;
case SSL_ENABLE_FDX:
- if (val && ssl_defaults.noLocks) {
+ if (on && ssl_defaults.noLocks) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
- ssl_defaults.fdx = val;
+ ssl_defaults.fdx = on;
break;
case SSL_ROLLBACK_DETECTION:
- ssl_defaults.detectRollBack = val;
+ ssl_defaults.detectRollBack = on;
break;
case SSL_NO_STEP_DOWN:
@@ -1169,80 +1142,76 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val)
break;
case SSL_NO_LOCKS:
- if (val && ssl_defaults.fdx) {
+ if (on && ssl_defaults.fdx) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
- if (val && ssl_force_locks)
- val = PR_FALSE; /* silent override */
- ssl_defaults.noLocks = val;
- if (val) {
+ if (on && ssl_force_locks)
+ on = PR_FALSE; /* silent override */
+ ssl_defaults.noLocks = on;
+ if (on) {
locksEverDisabled = PR_TRUE;
strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
}
break;
case SSL_ENABLE_SESSION_TICKETS:
- ssl_defaults.enableSessionTickets = val;
+ ssl_defaults.enableSessionTickets = on;
break;
case SSL_ENABLE_DEFLATE:
- ssl_defaults.enableDeflate = val;
+ ssl_defaults.enableDeflate = on;
break;
case SSL_ENABLE_RENEGOTIATION:
- ssl_defaults.enableRenegotiation = val;
+ ssl_defaults.enableRenegotiation = on;
break;
case SSL_REQUIRE_SAFE_NEGOTIATION:
- ssl_defaults.requireSafeNegotiation = val;
+ ssl_defaults.requireSafeNegotiation = on;
break;
case SSL_ENABLE_FALSE_START:
- ssl_defaults.enableFalseStart = val;
+ ssl_defaults.enableFalseStart = on;
break;
case SSL_CBC_RANDOM_IV:
- ssl_defaults.cbcRandomIV = val;
+ ssl_defaults.cbcRandomIV = on;
break;
case SSL_ENABLE_OCSP_STAPLING:
- ssl_defaults.enableOCSPStapling = val;
+ ssl_defaults.enableOCSPStapling = on;
break;
case SSL_ENABLE_NPN:
break;
case SSL_ENABLE_ALPN:
- ssl_defaults.enableALPN = val;
+ ssl_defaults.enableALPN = on;
break;
case SSL_REUSE_SERVER_ECDHE_KEY:
- ssl_defaults.reuseServerECDHEKey = val;
+ ssl_defaults.reuseServerECDHEKey = on;
break;
case SSL_ENABLE_FALLBACK_SCSV:
- ssl_defaults.enableFallbackSCSV = val;
+ ssl_defaults.enableFallbackSCSV = on;
break;
case SSL_ENABLE_SERVER_DHE:
- ssl_defaults.enableServerDhe = val;
+ ssl_defaults.enableServerDhe = on;
break;
case SSL_ENABLE_EXTENDED_MASTER_SECRET:
- ssl_defaults.enableExtendedMS = val;
+ ssl_defaults.enableExtendedMS = on;
break;
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- ssl_defaults.enableSignedCertTimestamps = val;
+ ssl_defaults.enableSignedCertTimestamps = on;
break;
case SSL_ENABLE_0RTT_DATA:
- ssl_defaults.enable0RttData = val;
- break;
-
- case SSL_ENABLE_TLS13_COMPAT_MODE:
- ssl_defaults.enableTls13CompatMode = val;
+ ssl_defaults.enable0RttData = on;
break;
default:
@@ -2155,25 +2124,6 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
return NULL;
PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs);
}
-
- while (!PR_CLIST_IS_EMPTY(&ss->extensionHooks)) {
- cursor = PR_LIST_TAIL(&ss->extensionHooks);
- PR_REMOVE_LINK(cursor);
- PORT_Free(cursor);
- }
- for (cursor = PR_NEXT_LINK(&sm->extensionHooks);
- cursor != &sm->extensionHooks;
- cursor = PR_NEXT_LINK(cursor)) {
- SECStatus rv;
- sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor;
- rv = SSL_InstallExtensionHooks(ss->fd, hook->type,
- hook->writer, hook->writerArg,
- hook->handler, hook->handlerArg);
- if (rv != SECSuccess) {
- return NULL;
- }
- }
-
PORT_Memcpy((void *)ss->namedGroupPreferences,
sm->namedGroupPreferences,
sizeof(ss->namedGroupPreferences));
@@ -2264,7 +2214,7 @@ ssl3_GetEffectiveVersionPolicy(SSLProtocolVariant variant,
return SECSuccess;
}
-/*
+/*
* Assumes that rangeParam values are within the supported boundaries,
* but should contain all potentially allowed versions, even if they contain
* conflicting versions.
@@ -3174,7 +3124,7 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
}
blocking = ssl_FdIsBlocking(fd);
-#define K16 ((int)sizeof(buf))
+#define K16 sizeof(buf)
#define KILL_VECTORS \
while (vectors && !iov->iov_len) { \
++iov; \
@@ -3461,6 +3411,7 @@ ssl_InitIOLayer(void)
{
ssl_layer_id = PR_GetUniqueIdentity("SSL");
ssl_SetupIOMethods();
+ ssl_inited = PR_TRUE;
return PR_SUCCESS;
}
@@ -3470,13 +3421,15 @@ ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
PRFileDesc *layer = NULL;
PRStatus status;
- status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
- if (status != PR_SUCCESS) {
- goto loser;
+ if (!ssl_inited) {
+ status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
+ if (status != PR_SUCCESS)
+ goto loser;
}
- if (ns == NULL) {
+
+ if (ns == NULL)
goto loser;
- }
+
layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods);
if (layer == NULL)
goto loser;
@@ -3589,12 +3542,6 @@ ssl_SetDefaultsFromEnvironment(void)
ssl_keylog_iob);
}
SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
- ssl_keylog_lock = PR_NewLock();
- if (!ssl_keylog_lock) {
- SSL_TRACE(("SSL: failed to create key log lock"));
- fclose(ssl_keylog_iob);
- ssl_keylog_iob = NULL;
- }
}
}
#endif
@@ -3799,6 +3746,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
SECStatus rv;
sslSocket *ss;
int i;
+
ssl_SetDefaultsFromEnvironment();
if (ssl_force_locks)
@@ -3829,7 +3777,6 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
PR_INIT_CLIST(&ss->serverCerts);
PR_INIT_CLIST(&ss->ephemeralKeyPairs);
- PR_INIT_CLIST(&ss->extensionHooks);
ss->dbHandle = CERT_GetDefaultCertDB();
@@ -3857,11 +3804,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs);
PR_INIT_CLIST(&ss->ssl3.hs.bufferedEarlyData);
- ssl3_InitExtensionData(&ss->xtnData, ss);
- PR_INIT_CLIST(&ss->ssl3.hs.dtlsSentHandshake);
- PR_INIT_CLIST(&ss->ssl3.hs.dtlsRcvdHandshake);
- dtls_InitTimers(ss);
-
+ ssl3_InitExtensionData(&ss->xtnData);
if (makeLocks) {
rv = ssl_MakeLocks(ss);
if (rv != SECSuccess)
@@ -3873,10 +3816,6 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
rv = ssl3_InitGather(&ss->gs);
if (rv != SECSuccess)
goto loser;
- rv = ssl3_InitState(ss);
- if (rv != SECSuccess) {
- goto loser;
- }
return ss;
loser:
@@ -3901,69 +3840,3 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
*pcanbypass = PR_FALSE;
return SECSuccess;
}
-
-/* Functions that are truly experimental use EXP, functions that are no longer
- * experimental use PUB.
- *
- * When initially defining a new API, add that API here using the EXP() macro
- * and name the function with a SSLExp_ prefix. Define the experimental API as
- * a macro in sslexp.h using the SSL_EXPERIMENTAL_API() macro defined there.
- *
- * Once an API is stable and proven, move the macro definition in sslexp.h to a
- * proper function declaration in ssl.h. Keeping the function in this list
- * ensures that code built against the release that contained the experimental
- * API will continue to work; use PUB() to reference the public function.
- */
-#define EXP(n) \
- { \
- "SSL_" #n, SSLExp_##n \
- }
-#define PUB(n) \
- { \
- "SSL_" #n, SSL_##n \
- }
-struct {
- const char *const name;
- void *function;
-} ssl_experimental_functions[] = {
-#ifndef SSL_DISABLE_EXPERIMENTAL_API
- EXP(GetExtensionSupport),
- EXP(HelloRetryRequestCallback),
- EXP(InstallExtensionHooks),
- EXP(KeyUpdate),
- EXP(SendSessionTicket),
- EXP(SetupAntiReplay),
-#endif
- { "", NULL }
-};
-#undef EXP
-#undef PUB
-
-void *
-SSL_GetExperimentalAPI(const char *name)
-{
- unsigned int i;
- for (i = 0; i < PR_ARRAY_SIZE(ssl_experimental_functions); ++i) {
- if (strcmp(name, ssl_experimental_functions[i].name) == 0) {
- return ssl_experimental_functions[i].function;
- }
- }
- PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
- return NULL;
-}
-
-void
-ssl_ClearPRCList(PRCList *list, void (*f)(void *))
-{
- PRCList *cursor;
-
- while (!PR_CLIST_IS_EMPTY(list)) {
- cursor = PR_LIST_TAIL(list);
-
- PR_REMOVE_LINK(cursor);
- if (f) {
- f(cursor);
- }
- PORT_Free(cursor);
- }
-}