diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def index 0ceda677846..df4bb06ba2b 100644 --- a/mozilla/security/nss/lib/ssl/ssl.def +++ b/mozilla/security/nss/lib/ssl/ssl.def @@ -177,7 +177,10 @@ SSL_AuthCertificateComplete; ;+ global: SSL_ExportKeyingMaterial; SSL_VersionRangeGet; +SSL_VersionRangeGetDefault; +SSL_VersionRangeGetSupported; SSL_VersionRangeSet; +SSL_VersionRangeSetDefault; ;+ local: ;+*; ;+}; diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h index a218dd2d0bc..cff696fb2db 100644 --- a/mozilla/security/nss/lib/ssl/ssl.h +++ b/mozilla/security/nss/lib/ssl/ssl.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl.h,v 1.53 2012-03-16 01:23:55 wtc%google.com Exp $ */ +/* $Id: ssl.h,v 1.54 2012-03-18 00:31:19 wtc%google.com Exp $ */ #ifndef __ssl_h_ #define __ssl_h_ @@ -100,11 +100,13 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); /* (off by default) */ #define SSL_HANDSHAKE_AS_SERVER 6 /* force connect to hs as server */ /* (off by default) */ + +/* OBSOLETE: SSL v2 is obsolete and may be removed soon. */ #define SSL_ENABLE_SSL2 7 /* enable ssl v2 (off by default) */ /* OBSOLETE: See "SSL Version Range API" below for the replacement and a - * description of the non-obvious semantics of using SSL_ENABLE_SSL3. - */ +** description of the non-obvious semantics of using SSL_ENABLE_SSL3. +*/ #define SSL_ENABLE_SSL3 8 /* enable ssl v3 (on by default) */ #define SSL_NO_CACHE 9 /* don't use the session cache */ @@ -113,12 +115,17 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); /* by default) */ #define SSL_ENABLE_FDX 11 /* permit simultaneous read/write */ /* (off by default) */ + +/* OBSOLETE: SSL v2 compatible hellos are not accepted by some TLS servers +** and cannot negotiate extensions. SSL v2 is obsolete. This option may be +** removed soon. +*/ #define SSL_V2_COMPATIBLE_HELLO 12 /* send v3 client hello in v2 fmt */ /* (off by default) */ /* OBSOLETE: See "SSL Version Range API" below for the replacement and a - * description of the non-obvious semantics of using SSL_ENABLE_TLS. - */ +** description of the non-obvious semantics of using SSL_ENABLE_TLS. +*/ #define SSL_ENABLE_TLS 13 /* enable TLS (on by default) */ #define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */ @@ -273,8 +280,8 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); ** This API should be used to control SSL 3.0 & TLS support instead of the ** older SSL_Option* API; however, the SSL_Option* API MUST still be used to ** control SSL 2.0 support. In this version of libssl, SSL 3.0 and TLS 1.0 are -** enabled by default. Future versions may change which versions of the -** protocol are enabled by default. +** enabled by default. Future versions of libssl may change which versions of +** the protocol are enabled by default. ** ** The SSLProtocolVariant enum indicates whether the protocol is of type ** stream or datagram. This must be provided to the functions that do not @@ -285,23 +292,31 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); ** SSL_OptionSet-based API for controlling the enabled protocol versions may ** cause unexpected results. Going forward, we guarantee only the following: ** +** SSL_OptionGet(SSL_ENABLE_TLS) will return PR_TRUE if *ANY* versions of TLS +** are enabled. +** ** SSL_OptionSet(SSL_ENABLE_TLS, PR_FALSE) will disable *ALL* versions of TLS, ** including TLS 1.0 and later. ** +** The above two properties provide compatibility for applications that use +** SSL_OptionSet to implement the insecure fallback from TLS 1.x to SSL 3.0. +** ** SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) will enable TLS 1.0, and may also -** enable some later versions of TLS. For example, if TLS 1.2 is enabled at the -** time the call is made, then after SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE), -** TLS 1.0, TLS 1.1, and TLS 1.2 will be enabled, and the call will have no -** effect on whether SSL 3.0 is enabled. If no later versions of TLS are -** enabled at the time SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) is called, then -** no later versions of TLS will be enabled by the call. +** enable some later versions of TLS, if it is necessary to do so in order to +** keep the set of enabled versions contiguous. For example, if TLS 1.2 is +** enabled, then after SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE), TLS 1.0, +** TLS 1.1, and TLS 1.2 will be enabled, and the call will have no effect on +** whether SSL 3.0 is enabled. If no later versions of TLS are enabled at the +** time SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) is called, then no later +** versions of TLS will be enabled by the call. ** ** SSL_OptionSet(SSL_ENABLE_SSL3, PR_FALSE) will disable SSL 3.0, and will not ** change the set of TLS versions that are enabled. ** ** SSL_OptionSet(SSL_ENABLE_SSL3, PR_TRUE) will enable SSL 3.0, and may also ** enable some versions of TLS if TLS 1.1 or later is enabled at the time of -** the call, the same way SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) works. +** the call, the same way SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) works, in +** order to keep the set of enabled versions contiguous. */ /* Returns, in |*vrange|, the range of SSL3/TLS versions supported for the diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c index 5a28d44cd48..a55d0f08e71 100644 --- a/mozilla/security/nss/lib/ssl/ssl3con.c +++ b/mozilla/security/nss/lib/ssl/ssl3con.c @@ -40,7 +40,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3con.c,v 1.172 2012-03-16 01:23:55 wtc%google.com Exp $ */ +/* $Id: ssl3con.c,v 1.173 2012-03-18 00:31:19 wtc%google.com Exp $ */ #include "cert.h" #include "ssl.h" @@ -773,8 +773,12 @@ Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, * SSL3 Utility functions */ -/* If allowLargerPeerVersion is true, peerVersion is the peer's max version - * and is allowed to be larger than our max version. +/* allowLargerPeerVersion controls whether the function will select the + * highest enabled SSL version or fail when peerVersion is greater than the + * highest enabled version. + * + * If allowLargerPeerVersion is true, peerVersion is the peer's highest + * enabled version rather than the peer's selected version. */ SECStatus ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion, diff --git a/mozilla/security/nss/lib/ssl/sslcon.c b/mozilla/security/nss/lib/ssl/sslcon.c index 63bb6292f82..27cba3ca3a7 100644 --- a/mozilla/security/nss/lib/ssl/sslcon.c +++ b/mozilla/security/nss/lib/ssl/sslcon.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslcon.c,v 1.47 2012-03-11 04:32:35 wtc%google.com Exp $ */ +/* $Id: sslcon.c,v 1.48 2012-03-18 00:31:20 wtc%google.com Exp $ */ #include "nssrenam.h" #include "cert.h" @@ -3111,7 +3111,7 @@ ssl2_BeginClientHandshake(sslSocket *ss) PORT_Assert(sid != NULL); if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) && - !SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { + !SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { ss->gs.state = GS_INIT; ss->handshake = ssl_GatherRecord1stHandshake; diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h index 29a1d35d22e..4e151b37b22 100644 --- a/mozilla/security/nss/lib/ssl/sslimpl.h +++ b/mozilla/security/nss/lib/ssl/sslimpl.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslimpl.h,v 1.99 2012-03-16 01:23:55 wtc%google.com Exp $ */ +/* $Id: sslimpl.h,v 1.100 2012-03-18 00:31:20 wtc%google.com Exp $ */ #ifndef __sslimpl_h_ #define __sslimpl_h_ @@ -324,8 +324,8 @@ typedef struct sslOptionsStr { unsigned int handshakeAsClient : 1; /* 6 */ unsigned int handshakeAsServer : 1; /* 7 */ unsigned int enableSSL2 : 1; /* 8 */ - unsigned int unused9 : 1; /* 9 */ - unsigned int unused10 : 1; /* 10 */ + unsigned int unusedBit9 : 1; /* 9 */ + unsigned int unusedBit10 : 1; /* 10 */ unsigned int noCache : 1; /* 11 */ unsigned int fdx : 1; /* 12 */ unsigned int v2CompatibleHello : 1; /* 13 */ diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c index 001f1fea507..b86daff3fbd 100644 --- a/mozilla/security/nss/lib/ssl/sslsock.c +++ b/mozilla/security/nss/lib/ssl/sslsock.c @@ -40,7 +40,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsock.c,v 1.85 2012-03-16 01:23:55 wtc%google.com Exp $ */ +/* $Id: sslsock.c,v 1.86 2012-03-18 00:31:20 wtc%google.com Exp $ */ #include "seccomon.h" #include "cert.h" #include "keyhi.h" @@ -171,8 +171,8 @@ static sslOptions ssl_defaults = { PR_FALSE, /* handshakeAsClient */ PR_FALSE, /* handshakeAsServer */ PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */ - PR_FALSE, /* unused9 */ - PR_FALSE, /* unused10 */ + PR_FALSE, /* unusedBit9 */ + PR_FALSE, /* unusedBit10 */ PR_FALSE, /* noCache */ PR_FALSE, /* fdx */ PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ @@ -623,7 +623,7 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on) vrange->min = SSL_LIBRARY_VERSION_3_0; } else { /* Disable SSL 3.0, leaving TLS unaffected. */ - if (vrange->max != SSL_LIBRARY_VERSION_3_0) { + if (vrange->max > SSL_LIBRARY_VERSION_3_0) { vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); } else { /* Only SSL 3.0 was enabled, so now no versions are. */