Bug 571722: merge with the "Implement SSL Version Range API [v5]" patch by

Brian Smith <bsmith@mozilla.com>. Comment changes only. Export SSL_VersionRangeGetDefault, SSL_VersionRangeGetSupported, and SSL_VersionRangeSetDefault. r=wtc. Modified Files: ssl.def ssl.h ssl3con.c sslcon.c sslimpl.h sslsock.c git-svn-id: svn://10.0.0.236/trunk@263579 18797224-902f-48f8-a5cc-f745e15eee43
2012-03-18 00:31:20 +00:00 · 2012-03-18 00:31:20 +00:00 · ca681fddad
commit ca681fddad
parent 514bd0f85b
6 changed files with 48 additions and 26 deletions
--- a/mozilla/security/nss/lib/ssl/ssl.def
+++ b/mozilla/security/nss/lib/ssl/ssl.def
@ -177,7 +177,10 @@ SSL_AuthCertificateComplete;
 ;+    global:
 SSL_ExportKeyingMaterial;
 SSL_VersionRangeGet;
+SSL_VersionRangeGetDefault;
+SSL_VersionRangeGetSupported;
 SSL_VersionRangeSet;
+SSL_VersionRangeSetDefault;
 ;+    local:
 ;+*;
 ;+};
--- a/mozilla/security/nss/lib/ssl/ssl.h
+++ b/mozilla/security/nss/lib/ssl/ssl.h
@ -36,7 +36,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl.h,v 1.53 2012-03-16 01:23:55 wtc%google.com Exp $ */
+/* $Id: ssl.h,v 1.54 2012-03-18 00:31:19 wtc%google.com Exp $ */

 #ifndef __ssl_h_
 #define __ssl_h_
@ -100,11 +100,13 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
                               		  /* (off by default) */
 #define SSL_HANDSHAKE_AS_SERVER		6 /* force connect to hs as server */
                               		  /* (off by default) */
+
+/* OBSOLETE: SSL v2 is obsolete and may be removed soon. */
 #define SSL_ENABLE_SSL2			7 /* enable ssl v2 (off by default) */

 /* OBSOLETE: See "SSL Version Range API" below for the replacement and a
- * description of the non-obvious semantics of using SSL_ENABLE_SSL3.
- */
+** description of the non-obvious semantics of using SSL_ENABLE_SSL3.
+*/
 #define SSL_ENABLE_SSL3		        8 /* enable ssl v3 (on by default) */

 #define SSL_NO_CACHE		        9 /* don't use the session cache */
@ -113,12 +115,17 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
                                          /* by default) */
 #define SSL_ENABLE_FDX                 11 /* permit simultaneous read/write */
                                          /* (off by default) */
+
+/* OBSOLETE: SSL v2 compatible hellos are not accepted by some TLS servers
+** and cannot negotiate extensions. SSL v2 is obsolete. This option may be
+** removed soon.
+*/
 #define SSL_V2_COMPATIBLE_HELLO        12 /* send v3 client hello in v2 fmt */
                                          /* (off by default) */

 /* OBSOLETE: See "SSL Version Range API" below for the replacement and a
- * description of the non-obvious semantics of using SSL_ENABLE_TLS.
- */
+** description of the non-obvious semantics of using SSL_ENABLE_TLS.
+*/
 #define SSL_ENABLE_TLS		       13 /* enable TLS (on by default) */

 #define SSL_ROLLBACK_DETECTION         14 /* for compatibility, default: on */
@ -273,8 +280,8 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
 ** This API should be used to control SSL 3.0 & TLS support instead of the
 ** older SSL_Option* API; however, the SSL_Option* API MUST still be used to
 ** control SSL 2.0 support. In this version of libssl, SSL 3.0 and TLS 1.0 are
-** enabled by default. Future versions may change which versions of the
-** protocol are enabled by default.
+** enabled by default. Future versions of libssl may change which versions of
+** the protocol are enabled by default.
 **
 ** The SSLProtocolVariant enum indicates whether the protocol is of type
 ** stream or datagram. This must be provided to the functions that do not
@ -285,23 +292,31 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
 ** SSL_OptionSet-based API for controlling the enabled protocol versions may
 ** cause unexpected results. Going forward, we guarantee only the following:
 **
+** SSL_OptionGet(SSL_ENABLE_TLS) will return PR_TRUE if *ANY* versions of TLS
+** are enabled.
+**
 ** SSL_OptionSet(SSL_ENABLE_TLS, PR_FALSE) will disable *ALL* versions of TLS,
 ** including TLS 1.0 and later.
 **
+** The above two properties provide compatibility for applications that use
+** SSL_OptionSet to implement the insecure fallback from TLS 1.x to SSL 3.0.
+**
 ** SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) will enable TLS 1.0, and may also
-** enable some later versions of TLS. For example, if TLS 1.2 is enabled at the
-** time the call is made, then after SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE),
-** TLS 1.0, TLS 1.1, and TLS 1.2 will be enabled, and the call will have no
-** effect on whether SSL 3.0 is enabled. If no later versions of TLS are
-** enabled at the time SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) is called, then
-** no later versions of TLS will be enabled by the call.
+** enable some later versions of TLS, if it is necessary to do so in order to
+** keep the set of enabled versions contiguous. For example, if TLS 1.2 is
+** enabled, then after SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE), TLS 1.0,
+** TLS 1.1, and TLS 1.2 will be enabled, and the call will have no effect on
+** whether SSL 3.0 is enabled. If no later versions of TLS are enabled at the
+** time SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) is called, then no later
+** versions of TLS will be enabled by the call.
 **
 ** SSL_OptionSet(SSL_ENABLE_SSL3, PR_FALSE) will disable SSL 3.0, and will not
 ** change the set of TLS versions that are enabled.
 **
 ** SSL_OptionSet(SSL_ENABLE_SSL3, PR_TRUE) will enable SSL 3.0, and may also
 ** enable some versions of TLS if TLS 1.1 or later is enabled at the time of
-** the call, the same way SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) works.
+** the call, the same way SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) works, in
+** order to keep the set of enabled versions contiguous.
 */

 /* Returns, in |*vrange|, the range of SSL3/TLS versions supported for the
--- a/mozilla/security/nss/lib/ssl/ssl3con.c
+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
@ -40,7 +40,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.172 2012-03-16 01:23:55 wtc%google.com Exp $ */
+/* $Id: ssl3con.c,v 1.173 2012-03-18 00:31:19 wtc%google.com Exp $ */

 #include "cert.h"
 #include "ssl.h"
@ -773,8 +773,12 @@ Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
 * SSL3 Utility functions
 */

-/* If allowLargerPeerVersion is true, peerVersion is the peer's max version
- * and is allowed to be larger than our max version.
+/* allowLargerPeerVersion controls whether the function will select the
+ * highest enabled SSL version or fail when peerVersion is greater than the
+ * highest enabled version.
+ *
+ * If allowLargerPeerVersion is true, peerVersion is the peer's highest
+ * enabled version rather than the peer's selected version.
 */
 SECStatus
 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion,
--- a/mozilla/security/nss/lib/ssl/sslcon.c
+++ b/mozilla/security/nss/lib/ssl/sslcon.c
@ -37,7 +37,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: sslcon.c,v 1.47 2012-03-11 04:32:35 wtc%google.com Exp $ */
+/* $Id: sslcon.c,v 1.48 2012-03-18 00:31:20 wtc%google.com Exp $ */

 #include "nssrenam.h"
 #include "cert.h"
@ -3111,7 +3111,7 @@ ssl2_BeginClientHandshake(sslSocket *ss)
    PORT_Assert(sid != NULL);

    if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) &&
-        !SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
+	!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
 	ss->gs.state      = GS_INIT;
 	ss->handshake     = ssl_GatherRecord1stHandshake;

--- a/mozilla/security/nss/lib/ssl/sslimpl.h
+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
@ -39,7 +39,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.99 2012-03-16 01:23:55 wtc%google.com Exp $ */
+/* $Id: sslimpl.h,v 1.100 2012-03-18 00:31:20 wtc%google.com Exp $ */

 #ifndef __sslimpl_h_
 #define __sslimpl_h_
@ -324,8 +324,8 @@ typedef struct sslOptionsStr {
    unsigned int handshakeAsClient	: 1;  /*  6 */
    unsigned int handshakeAsServer	: 1;  /*  7 */
    unsigned int enableSSL2		: 1;  /*  8 */
-    unsigned int unused9		: 1;  /*  9 */
-    unsigned int unused10		: 1;  /* 10 */
+    unsigned int unusedBit9		: 1;  /*  9 */
+    unsigned int unusedBit10		: 1;  /* 10 */
    unsigned int noCache		: 1;  /* 11 */
    unsigned int fdx			: 1;  /* 12 */
    unsigned int v2CompatibleHello	: 1;  /* 13 */
--- a/mozilla/security/nss/lib/ssl/sslsock.c
+++ b/mozilla/security/nss/lib/ssl/sslsock.c
@ -40,7 +40,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.85 2012-03-16 01:23:55 wtc%google.com Exp $ */
+/* $Id: sslsock.c,v 1.86 2012-03-18 00:31:20 wtc%google.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
@ -171,8 +171,8 @@ static sslOptions ssl_defaults = {
    PR_FALSE,	/* handshakeAsClient  */
    PR_FALSE,	/* handshakeAsServer  */
    PR_FALSE,	/* enableSSL2         */ /* now defaults to off in NSS 3.13 */
-    PR_FALSE,	/* unused9            */
-    PR_FALSE, 	/* unused10           */
+    PR_FALSE,	/* unusedBit9         */
+    PR_FALSE, 	/* unusedBit10        */
    PR_FALSE,	/* noCache            */
    PR_FALSE,	/* fdx                */
    PR_FALSE,	/* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
@ -623,7 +623,7 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
 	vrange->min = SSL_LIBRARY_VERSION_3_0;
   } else {
 	/* Disable SSL 3.0, leaving TLS unaffected. */
-	if (vrange->max != SSL_LIBRARY_VERSION_3_0) {
+	if (vrange->max > SSL_LIBRARY_VERSION_3_0) {
 	    vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
 	} else {
 	    /* Only SSL 3.0 was enabled, so now no versions are. */