Reimplement SSL_GetChannelInfo. Add new function SSL_GetCipherSuiteInfo().

Also, implement new ciphersuite preference order.  Bug 78959.
nelsonb%netscape.com 2001-11-02 04:24:28 +00:00
parent a041591297
commit 9740e66d2f
13 changed files with 352 additions and 276 deletions


@ -291,26 +291,31 @@ printSecurityInfo(PRFileDesc *fd)
CERTCertificate * cert = NULL;
SSL3Statistics * ssl3stats = SSL_GetStatistics();
SECStatus result;
SSLChannelInfo info;
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
PRINTF(
"selfserv: %ld cache hits; %ld cache misses, %ld cache not reusable\n",
ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
ssl3stats->hch_sid_cache_not_ok);
result = SSL_GetChannelInfo(fd, &info, sizeof info);
if (result != SECSuccess)
return;
if (info.length >= offsetof(SSLChannelInfo, reserved)) {
FPRINTF(stderr,
"selfserv: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
info.protocolVersion >> 8, info.protocolVersion & 0xff,
info.effectiveKeyBits, info.symCipherName,
info.macBits, info.macAlgorithmName);
FPRINTF(stderr,
"selfserv: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
info.authKeyBits, info.authAlgorithmName,
info.keaKeyBits, info.keaTypeName);
result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
if (result == SECSuccess &&
channel.length == sizeof channel &&
channel.cipherSuite) {
result = SSL_GetCipherSuiteInfo(channel.cipherSuite,
&suite, sizeof suite);
if (result == SECSuccess) {
FPRINTF(stderr,
"selfserv: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
suite.effectiveKeyBits, suite.symCipherName,
suite.macBits, suite.macAlgorithmName);
FPRINTF(stderr,
"selfserv: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
channel.authKeyBits, suite.authAlgorithmName,
channel.keaKeyBits, suite.keaTypeName);
}
}
if (requestCert)
cert = SSL_RevealCert(fd);
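Review bot: The new block checks `channel.length == sizeof channel` but never checks `suite.length` before passing `suite.symCipherName`, `suite.macAlgorithmName` and the other string pointers to `%s`, and `suite` is an uninitialised local. SSL_GetCipherSuiteInfo (in the sslinfo.c section of this commit) copies at most `len` bytes and reports the copied size in `info->length`, so a library built with a smaller SSLCipherSuiteInfo would return SECSuccess while leaving the tail of `suite` unset. Tighten the inner test to `if (result == SECSuccess && suite.length == sizeof suite) {`. The same pattern appears in the strsclnt and tstclnt sections below, and printSecurityInfo continues outside the hunk.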


@ -250,7 +250,8 @@ printSecurityInfo(PRFileDesc *fd)
CERTCertificate * cert;
SSL3Statistics * ssl3stats = SSL_GetStatistics();
SECStatus result;
SSLChannelInfo info;
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
#ifndef DEBUG_nelsonb
static int only_once;
@ -260,19 +261,23 @@ printSecurityInfo(PRFileDesc *fd)
only_once = 1;
#endif
result = SSL_GetChannelInfo(fd, &info, sizeof info);
if (result != SECSuccess)
return;
if (info.length >= offsetof(SSLChannelInfo, reserved)) {
fprintf(stderr,
"strsclnt: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
info.protocolVersion >> 8, info.protocolVersion & 0xff,
info.effectiveKeyBits, info.symCipherName,
info.macBits, info.macAlgorithmName);
fprintf(stderr,
"strsclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
info.authKeyBits, info.authAlgorithmName,
info.keaKeyBits, info.keaTypeName);
result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
if (result == SECSuccess &&
channel.length == sizeof channel &&
channel.cipherSuite) {
result = SSL_GetCipherSuiteInfo(channel.cipherSuite,
&suite, sizeof suite);
if (result == SECSuccess) {
FPRINTF(stderr,
"strsclnt: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
suite.effectiveKeyBits, suite.symCipherName,
suite.macBits, suite.macAlgorithmName);
FPRINTF(stderr,
"strsclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
channel.authKeyBits, suite.authAlgorithmName,
channel.keaKeyBits, suite.keaTypeName);
}
}
#if 0
cert = SSL_RevealCert(fd);
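Review bot: The replacement lines call `FPRINTF(stderr, ...)` where the lines using the old `info` variable called `fprintf(stderr, ...)`, which looks carried over from the selfserv version of this block. FPRINTF's definition is not visible on this page; if it is a verbosity-gated macro in this file, the connection summary is no longer printed unconditionally, and if it is not defined here the file will not build. Either keep `fprintf` or state in the commit message that the output is now conditional. The tstclnt section below makes the same switch and also changes the message text from `Server Authentication:` to `tstclnt: Server Auth:`, which matters to anything that parses this output.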


@ -131,21 +131,26 @@ void printSecurityInfo(PRFileDesc *fd)
CERTCertificate * cert;
SSL3Statistics * ssl3stats = SSL_GetStatistics();
SECStatus result;
SSLChannelInfo info;
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
result = SSL_GetChannelInfo(fd, &info, sizeof info);
if (result != SECSuccess)
return;
if (info.length >= offsetof(SSLChannelInfo, reserved)) {
fprintf(stderr,
"SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
info.protocolVersion >> 8, info.protocolVersion & 0xff,
info.effectiveKeyBits, info.symCipherName,
info.macBits, info.macAlgorithmName);
fprintf(stderr,
"Server Authentication: %d-bit %s, Key Exchange: %d-bit %s\n",
info.authKeyBits, info.authAlgorithmName,
info.keaKeyBits, info.keaTypeName);
result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
if (result == SECSuccess &&
channel.length == sizeof channel &&
channel.cipherSuite) {
result = SSL_GetCipherSuiteInfo(channel.cipherSuite,
&suite, sizeof suite);
if (result == SECSuccess) {
FPRINTF(stderr,
"tstclnt: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
suite.effectiveKeyBits, suite.symCipherName,
suite.macBits, suite.macAlgorithmName);
FPRINTF(stderr,
"tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
channel.authKeyBits, suite.authAlgorithmName,
channel.keaKeyBits, suite.keaTypeName);
}
}
cert = SSL_RevealCert(fd);
if (cert) {


@ -113,6 +113,7 @@ NSSSSL_VersionCheck;
SSL_GetMaxServerCacheLocks;
SSL_SetMaxServerCacheLocks;
SSL_GetChannelInfo;
SSL_GetCipherSuiteInfo;
;+ local:
;+*;
;+};


@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: ssl.h,v 1.10 2001/09/18 01:59:18 nelsonb%netscape.com Exp $
* $Id: ssl.h,v 1.11 2001/11/02 04:24:18 nelsonb%netscape.com Exp $
*/
#ifndef __ssl_h_
@ -425,6 +425,8 @@ SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
*/
SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info,
PRUintn len);
SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
SSLCipherSuiteInfo *info, PRUintn len);
SEC_END_PROTOS
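Review bot: SSL_GetCipherSuiteInfo is added to the public header with no comment of its own; the comment block that ends just above appears to belong to SSL_GetChannelInfo. Callers need the contract that the implementation in sslinfo.c follows: at most `len` bytes are copied, `info->length` is set to the number of bytes copied, and an unknown `cipherSuite` or a NULL or too-short `info` yields SECFailure with SEC_ERROR_INVALID_ARGS. I would add a short comment above the prototype stating that, ending with `/* compare info->length with sizeof *info before reading any member */`.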


@ -33,7 +33,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: ssl3con.c,v 1.27 2001/10/30 21:09:47 nelsonb%netscape.com Exp $
* $Id: ssl3con.c,v 1.28 2001/11/02 04:24:18 nelsonb%netscape.com Exp $
*/
#include "nssrenam.h"
@ -93,25 +93,30 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
*/
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
/* cipher_suite policy enabled is_present*/
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
{ SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
@ -6924,6 +6929,8 @@ xmit_loser:
sid->authKeyBits = sec->authKeyBits;
sid->keaType = sec->keaType;
sid->keaKeyBits = sec->keaKeyBits;
sid->lastAccessTime = sid->creationTime = ssl_Time();
sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
ssl_GetSpecReadLock(ss); /*************************************/
symKeySlot = PK11_GetSlotFromKey(ssl3->crSpec->master_secret);
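Review bot: In the reordered `cipherSuites` table the 128-bit group appears to place SSL_RSA_WITH_RC4_128_MD5 ahead of SSL_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_128_CBC_SHA, so for RSA key exchange the MD5-MAC suite is preferred over the SHA ones whenever both are enabled. The +/- markers are lost on this page, so this reading relies on the order matching `suiteInfo` in sslinfo.c, which is entirely new code. If the rule is key size first, the tie-break within a tier should be stated in the table's header comment, e.g. `/* ordered by effective key bits; within a tier: <tie-break rule> */`, or the SHA suites should be listed first. The second hunk (at `xmit_loser`) sits in a function whose start and end are outside the view.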


@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: sslcon.c,v 1.13 2001/10/31 20:03:29 relyea%netscape.com Exp $
* $Id: sslcon.c,v 1.14 2001/11/02 04:24:19 nelsonb%netscape.com Exp $
*/
#include "nssrenam.h"
@ -76,8 +76,8 @@ static const PRUint8 allCipherSuites[] = {
*/
static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
SSL_CK_RC4_128_WITH_MD5, 0x00, 0x80,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
SSL_CK_RC2_128_CBC_WITH_MD5, 0x00, 0x80,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
SSL_CK_DES_64_CBC_WITH_MD5, 0x00, 0x40,
SSL_CK_RC4_128_EXPORT40_WITH_MD5, 0x00, 0x80,
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, 0x00, 0x80
@ -1367,6 +1367,8 @@ ssl2_FillInSID(sslSessionID * sid,
sid->authKeyBits = authKeyBits;
sid->keaType = keaType;
sid->keaKeyBits = keaKeyBits;
sid->lastAccessTime = sid->creationTime = ssl_Time();
sid->expirationTime = sid->creationTime + ssl_sid_timeout;
if (caLen) {
sid->u.ssl2.cipherArg.data = (PRUint8*) PORT_Alloc(caLen);
@ -3084,32 +3086,36 @@ ssl2_BeginClientHandshake(sslSocket *ss)
} else {
sid = ssl_LookupSID(&ci->peer, ci->port, ss->peerID, ss->url);
}
if (sid) {
while (sid) { /* this isn't really a loop */
/* if we're not doing this SID's protocol any more, drop it. */
if (((sid->version == SSL_LIBRARY_VERSION_2) && !ss->enableSSL2) ||
if (((sid->version < SSL_LIBRARY_VERSION_3_0) && !ss->enableSSL2) ||
((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->enableSSL3) ||
((sid->version == SSL_LIBRARY_VERSION_3_1_TLS) && !ss->enableTLS)) {
((sid->version > SSL_LIBRARY_VERSION_3_0) && !ss->enableTLS)) {
sec->uncache(sid);
ssl_FreeSID(sid);
goto invalid;
sid = NULL;
break;
}
if (ss->enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
/* If the cipher in this sid is not enabled, drop it. */
for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
goto sid_cipher_match;
break;
}
if (i >= ss->sizeCipherSpecs) {
sec->uncache(sid);
ssl_FreeSID(sid);
sid = NULL;
break;
}
sec->uncache(sid);
ssl_FreeSID(sid);
goto invalid;
}
sid_cipher_match:
sidLen = sizeof(sid->u.ssl2.sessionID);
PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl2.sessionID,
sidLen));
ss->version = sid->version;
} else {
invalid:
break; /* this isn't really a loop */
}
if (!sid) {
sidLen = 0;
sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
if (!sid) {
@ -3621,7 +3627,8 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
if (sid) {
/* Got a good session-id. Short cut! */
SSL_TRC(1, ("%d: SSL[%d]: server, using session-id for 0x%08x (age=%d)",
SSL_GETPID(), ss->fd, ci->peer, ssl_Time() - sid->time));
SSL_GETPID(), ss->fd, ci->peer,
ssl_Time() - sid->creationTime));
PRINT_BUF(1, (ss, "session-id value:", sd, sdLen));
ci->sid = sid;
ci->elements = CIS_HAVE_MASTER_KEY;
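Review bot: `while (sid) { /* this isn't really a loop */` in ssl2_BeginClientHandshake is a readability concern: every path through the body ends in `break`, and the two rejection paths repeat the same `sec->uncache(sid); ssl_FreeSID(sid); sid = NULL;` sequence. An `if (sid)` that first decides whether the cached sid is still usable (protocol enabled, cipher still in `ss->cipherSpecs`) and then does the uncache/free in one place would read more plainly. It would also remove the risk that a later edit drops a `break` and turns this into a real loop over a freed pointer. The function starts and ends outside the hunk.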


@ -34,7 +34,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: sslenum.c,v 1.4 2001/09/21 03:07:35 nelsonb%netscape.com Exp $
* $Id: sslenum.c,v 1.5 2001/11/02 04:24:20 nelsonb%netscape.com Exp $
*/
#include "ssl.h"
@ -42,47 +42,54 @@
const PRUint16 SSL_ImplementedCiphers[] = {
SSL_RSA_WITH_NULL_MD5,
SSL_RSA_EXPORT_WITH_RC4_40_MD5,
/* 256-bit */
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
/* 128-bit */
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,
TLS_DHE_DSS_WITH_RC4_128_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_RSA_WITH_DES_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
/* 112-bit 3DES */
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
SSL_FORTEZZA_DMS_WITH_NULL_SHA,
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,
/* 80 bit skipjack */
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* KEA + SkipJack */
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
/* 56-bit DES "domestic" cipher suites */
SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_FIPS_WITH_DES_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA,
/* export ciphersuites with 1024-bit public key exchange keys */
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
/* export ciphersuites with 512-bit public key exchange keys */
SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
/* ciphersuites with no encryption */
SSL_FORTEZZA_DMS_WITH_NULL_SHA,
SSL_RSA_WITH_NULL_MD5,
/* SSL2 cipher suites. */
SSL_EN_RC4_128_WITH_MD5,
SSL_EN_RC4_128_EXPORT40_WITH_MD5,
SSL_EN_RC2_128_CBC_WITH_MD5,
SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* actually 112, not 192 */
SSL_EN_DES_64_CBC_WITH_MD5,
SSL_EN_DES_192_EDE3_CBC_WITH_MD5,
/* Netscape "experimental" cipher suites. */
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_FIPS_WITH_DES_CBC_SHA,
/* DHE ciphersuites */
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA,
TLS_DHE_DSS_WITH_RC4_128_SHA,
/* AES ciphersuites */
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_EN_RC4_128_EXPORT40_WITH_MD5,
SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
0
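Review bot: The suite list is now maintained in three places in this commit: here in `SSL_ImplementedCiphers`, in `cipherSuites` in ssl3con.c and in `suiteInfo` in sslinfo.c. Nothing on the page ties them together. A suite present here but missing from `suiteInfo` would make SSL_GetCipherSuiteInfo fail with SEC_ERROR_INVALID_ARGS for a connection that negotiated it, which the test tools in this commit handle by printing nothing. I would add a comment above each table, e.g. `/* keep in step with cipherSuites[] (ssl3con.c) and suiteInfo[] (sslinfo.c) */`.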


@ -34,7 +34,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: sslimpl.h,v 1.17 2001/09/21 03:07:35 nelsonb%netscape.com Exp $
* $Id: sslimpl.h,v 1.18 2001/11/02 04:24:20 nelsonb%netscape.com Exp $
*/
#ifndef __sslimpl_h_
@ -718,7 +718,9 @@ struct sslSessionIDStr {
SSL3ProtocolVersion version;
PRUint32 time;
PRUint32 creationTime; /* seconds since Jan 1, 1970 */
PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
Cached cached;
int references;


@ -30,72 +30,21 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: sslinfo.c,v 1.1 2001/09/18 01:59:20 nelsonb%netscape.com Exp $
* $Id: sslinfo.c,v 1.2 2001/11/02 04:24:21 nelsonb%netscape.com Exp $
*/
#include "ssl.h"
#include "sslimpl.h"
#include "sslproto.h"
typedef struct BulkCipherInfoStr {
SSLCipherAlgorithm symCipher;
PRUint16 symKeyBits;
PRUint16 symKeySpace;
PRUint16 effectiveKeyBits;
} BulkCipherInfo;
static const BulkCipherInfo ssl2CipherInfo[] = {
/* NONE */ { ssl_calg_null, 0, 0, 0 },
/* SSL_CK_RC4_128_WITH_MD5 */ { ssl_calg_rc4, 128, 128, 128 },
/* SSL_CK_RC4_128_EXPORT40_WITH_MD5 */ { ssl_calg_rc4, 128, 40, 40 },
/* SSL_CK_RC2_128_CBC_WITH_MD5 */ { ssl_calg_rc2, 128, 128, 128 },
/* SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 */ { ssl_calg_rc2, 128, 40, 40 },
/* SSL_CK_IDEA_128_CBC_WITH_MD5 */ { ssl_calg_idea, 0, 0, 0 },
/* SSL_CK_DES_64_CBC_WITH_MD5 */ { ssl_calg_des, 64, 56, 56 },
/* SSL_CK_DES_192_EDE3_CBC_WITH_MD5 */ { ssl_calg_3des, 192, 168, 112 }
};
static const char * const authName[] = {
{ "NULL" },
{ "RSA" },
{ "DSA" }
};
static const char * const keaName[] = {
{ "NULL" },
{ "RSA" },
{ "DH" },
{ "KEA" },
{ "BOGUS" }
};
static const char * const cipherName[] = {
{ "NULL" },
{ "RC4" },
{ "RC2" },
{ "DES" },
{ "3DES" },
{ "IDEA" },
{ "SKIPJACK" },
{ "AES" }
};
static const char * const macName[] = {
{ "NULL" },
{ "MD5" },
{ "SHA" },
{ "MD5" },
{ "SHA" }
};
#define SSL_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
SECStatus
SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
{
sslSocket * ss;
sslSecurityInfo *sec;
SSLChannelInfo inf;
sslSessionID * sid;
if (!info) { /* He doesn't want it? OK. */
if (!info || len < sizeof inf.length) {
return SECSuccess;
}
@ -107,99 +56,144 @@ SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
}
memset(&inf, 0, sizeof inf);
inf.length = SSL_OFFSETOF(SSLChannelInfo, reserved);
inf.length = PR_MIN(inf.length, len);
inf.length = PR_MIN(sizeof inf, len);
sec = ss->sec;
if (ss->useSecurity && ss->firstHsDone && sec) {
if (ss->version < SSL_LIBRARY_VERSION_3_0) {
/* SSL2 */
const BulkCipherInfo * bulk = ssl2CipherInfo + ss->sec->cipherType;
inf.protocolVersion = ss->version;
sid = sec->ci.sid;
inf.protocolVersion = ss->version;
inf.authKeyBits = ss->sec->authKeyBits;
inf.keaKeyBits = ss->sec->keaKeyBits;
if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
inf.cipherSuite = ss->sec->cipherType | 0xff00;
} else if (ss->ssl3) { /* SSL3 and TLS */
/* server auth */
inf.authAlgorithm = ss->sec->authAlgorithm;
inf.authKeyBits = ss->sec->authKeyBits;
/* key exchange */
inf.keaType = ss->sec->keaType;
inf.keaKeyBits = ss->sec->keaKeyBits;
/* symmetric cipher */
inf.symCipher = bulk->symCipher;
inf.symKeyBits = bulk->symKeyBits;
inf.symKeySpace = bulk->symKeySpace;
inf.effectiveKeyBits = bulk->effectiveKeyBits;
/* MAC info */
inf.macAlgorithm = ssl_mac_md5;
inf.macBits = MD5_LENGTH * BPB;
/* XXX These should come from crSpec */
inf.cipherSuite = ss->ssl3->hs.cipher_suite;
#if 0
/* misc */
inf.isFIPS = 0;
} else if (ss->ssl3 && ss->ssl3->crSpec &&
ss->ssl3->crSpec->cipher_def) {
/* SSL3 and TLS */
ssl3CipherSpec * crSpec = ss->ssl3->crSpec;
const ssl3BulkCipherDef * cipher_def = crSpec->cipher_def;
/* XXX NBB These should come from crSpec */
inf.protocolVersion = ss->version;
inf.cipherSuite = ss->ssl3->hs.cipher_suite;
/* server auth */
inf.authAlgorithm = ss->sec->authAlgorithm;
inf.authKeyBits = ss->sec->authKeyBits;
/* key exchange */
inf.keaType = ss->sec->keaType;
inf.keaKeyBits = ss->sec->keaKeyBits;
/* symmetric cipher */
inf.symCipher = cipher_def->calg;
switch (inf.symCipher) {
case ssl_calg_des:
inf.symKeyBits = cipher_def->key_size * 8 ;
inf.symKeySpace = \
inf.effectiveKeyBits = cipher_def->secret_key_size * 7 ;
break;
case ssl_calg_3des:
inf.symKeyBits = cipher_def->key_size * 8 ;
inf.symKeySpace = cipher_def->secret_key_size * 7 ;
inf.effectiveKeyBits = (inf.symKeySpace / 3 ) * 2;
break;
default:
inf.symKeyBits = cipher_def->key_size * BPB ;
inf.symKeySpace = \
inf.effectiveKeyBits = cipher_def->secret_key_size * BPB ;
break;
}
/* MAC info */
inf.macAlgorithm = crSpec->mac_def->mac;
inf.macBits = crSpec->mac_def->mac_size * BPB;
/* misc */
inf.isFIPS = (inf.symCipher == ssl_calg_des ||
inf.symCipher == ssl_calg_3des ||
inf.symCipher == ssl_calg_aes)
&& (inf.macAlgorithm == ssl_mac_sha ||
inf.macAlgorithm == ssl_hmac_sha)
inf.isFIPS = (inf.symCipher == ssl_calg_des || inf.symCipher == ssl_calg_3des)
&& (inf.macAlgorithm == ssl_mac_sha || inf.macAlgorithm == ssl_hmac_sha)
&& (inf.protocolVersion > SSL_LIBRARY_VERSION_3_0 ||
inf.cipherSuite >= 0xfef0);
#endif
}
if (sid) {
inf.creationTime = sid->creationTime;
inf.lastAccessTime = sid->lastAccessTime;
inf.expirationTime = sid->expirationTime;
if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
inf.sessionIDLength = SSL2_SESSIONID_BYTES;
memcpy(inf.sessionID, sid->u.ssl2.sessionID, SSL2_SESSIONID_BYTES);
} else {
unsigned int sidLen = sid->u.ssl3.sessionIDLength;
sidLen = PR_MIN(sidLen, sizeof inf.sessionID);
inf.sessionIDLength = sidLen;
memcpy(inf.sessionID, sid->u.ssl3.sessionID, sidLen);
}
}
}
inf.authAlgorithmName = authName[ inf.authAlgorithm];
inf.keaTypeName = keaName[ inf.keaType ];
inf.symCipherName = cipherName[inf.symCipher ];
inf.macAlgorithmName = macName[ inf.macAlgorithm ];
memcpy(info, &inf, inf.length);
return SECSuccess;
}
#define kt_kea kt_fortezza
#define calg_sj calg_fortezza
#define CS(x) x, #x
#define CK(x) x | 0xff00, #x
#define S_DSA "DSA", ssl_auth_dsa
#define S_RSA "RSA", ssl_auth_rsa
#define S_KEA "KEA", ssl_auth_kea
#define K_DHE "DHE", kt_dh
#define K_RSA "RSA", kt_rsa
#define K_KEA "KEA", kt_kea
#define C_AES "AES", calg_aes
#define C_RC4 "RC4", calg_rc4
#define C_RC2 "RC2", calg_rc2
#define C_DES "DES", calg_des
#define C_3DES "3DES", calg_3des
#define C_NULL "NULL", calg_null
#define C_SJ "SKIPJACK", calg_sj
#define B_256 256, 256, 256
#define B_128 128, 128, 128
#define B_3DES 192, 156, 112
#define B_SJ 96, 80, 80
#define B_DES 64, 56, 56
#define B_56 128, 56, 56
#define B_40 128, 40, 40
#define B_0 0, 0, 0
#define M_SHA "SHA1", ssl_mac_sha, 160
#define M_MD5 "MD5", ssl_mac_md5, 128
static const SSLCipherSuiteInfo suiteInfo[] = {
/* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */
{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_DHE, C_AES, B_256, M_SHA, 0, },
{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA, 0, },
{0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA, 0, },
{0,CS(SSL_FORTEZZA_DMS_WITH_RC4_128_SHA), S_KEA, K_KEA, C_RC4, B_128, M_SHA, 0, },
{0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, },
{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 0, },
{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 0, },
{0,CS(SSL_RSA_WITH_RC4_128_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, },
{0,CS(SSL_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, },
{0,CS(TLS_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_RSA, C_AES, B_128, M_SHA, 0, },
{0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 0, },
{0,CS(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA), S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 0, },
{0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, },
{0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, },
{0,CS(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),S_KEA, K_KEA, C_SJ, B_SJ, M_SHA, 1, },
{0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA), S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, },
{0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA), S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, },
{0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, },
{0,CS(SSL_RSA_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, },
{0,CS(TLS_RSA_EXPORT1024_WITH_RC4_56_SHA), S_RSA, K_RSA, C_RC4, B_56, M_SHA, 0, },
{0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, },
{0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, },
{0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5, 0, },
{0,CS(SSL_FORTEZZA_DMS_WITH_NULL_SHA), S_KEA, K_KEA, C_NULL,B_0, M_SHA, 0, },
{0,CS(SSL_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5, 0, },
/* SSL 2 table */
{0,CK(SSL_CK_RC4_128_WITH_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, },
{0,CK(SSL_CK_RC2_128_CBC_WITH_MD5), S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, },
{0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5), S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, },
{0,CK(SSL_CK_DES_64_CBC_WITH_MD5), S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, },
{0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, },
{0,CK(SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5, 0, }
};
#define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0]))
SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
SSLCipherSuiteInfo *info, PRUintn len)
{
unsigned int i;
len = PR_MIN(len, sizeof suiteInfo[0]);
if (!info || len < sizeof suiteInfo[0].length) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
for (i = 0; i < NUM_SUITEINFOS; i++) {
if (suiteInfo[i].cipherSuite == cipherSuite) {
memcpy(info, &suiteInfo[i], len);
info->length = len;
return SECSuccess;
}
}
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
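Review bot: `#define B_3DES 192, 156, 112` in the new bit-size macros looks like a typo for 168: the `ssl2CipherInfo` table this commit removes lists 3DES as `192, 168, 112`, and the disabled `#if 0` branch computes the key space as `secret_key_size * 7`. Assuming the three values still map to key bits, key space and effective bits, every 3DES row of `suiteInfo` would report a 156-bit key space through SSL_GetCipherSuiteInfo; change it to `#define B_3DES 192, 168, 112`. Also worth aligning: SSL_GetChannelInfo returns SECSuccess without writing anything when `info` is NULL or `len < sizeof inf.length`, whereas SSL_GetCipherSuiteInfo returns SECFailure with SEC_ERROR_INVALID_ARGS for the same condition.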


@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: sslnonce.c,v 1.7 2001/06/09 03:20:13 nelsonb%netscape.com Exp $
* $Id: sslnonce.c,v 1.8 2001/11/02 04:24:21 nelsonb%netscape.com Exp $
*/
#include "nssrenam.h"
@ -162,13 +162,13 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
if (sid->time < now || !sid->references) {
if (sid->expirationTime < now || !sid->references) {
/*
** This session-id timed out, or was orphaned.
** Don't even care who it belongs to, blow it out of our cache.
*/
SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
now - sid->time, sid->references));
now - sid->creationTime, sid->references));
*sidp = sid->next; /* delink it from the list. */
sid->cached = invalid_cache; /* mark not on list. */
@ -193,6 +193,7 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
CERT_VerifyCertName(sid->peerCert, urlSvrName))) )
) {
/* Hit */
sid->lastAccessTime = now;
sid->references++;
break;
} else {
@ -215,7 +216,7 @@ CacheSID(sslSessionID *sid)
"time=%x cached=%d",
sid, sid->cached, sid->addr.pr_s6_addr32[0],
sid->addr.pr_s6_addr32[1], sid->addr.pr_s6_addr32[2],
sid->addr.pr_s6_addr32[3], sid->port, sid->time,
sid->addr.pr_s6_addr32[3], sid->port, sid->creationTime,
sid->cached));
if (sid->cached == in_client_cache)
@ -237,6 +238,11 @@ CacheSID(sslSessionID *sid)
PRINT_BUF(8, (0, "sessionID:",
sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
}
PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
if (!sid->creationTime)
sid->lastAccessTime = sid->creationTime = ssl_Time();
if (!sid->expirationTime)
sid->expirationTime = sid->creationTime + expirationPeriod;
/*
* Put sid into the cache. Bump reference count to indicate that
@ -248,7 +254,6 @@ CacheSID(sslSessionID *sid)
sid->cached = in_client_cache;
sid->next = cache;
cache = sid;
sid->time = ssl_Time() + expirationPeriod;
UNLOCK_CACHE;
}
@ -271,7 +276,7 @@ UncacheSID(sslSessionID *zap)
"time=%x cipher=%d",
zap, zap->cached, zap->addr.pr_s6_addr32[0],
zap->addr.pr_s6_addr32[1], zap->addr.pr_s6_addr32[2],
zap->addr.pr_s6_addr32[3], zap->port, zap->time,
zap->addr.pr_s6_addr32[3], zap->port, zap->creationTime,
zap->u.ssl2.cipherType));
if (zap->version < SSL_LIBRARY_VERSION_3_0) {
PRINT_BUF(8, (0, "sessionID:",
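Review bot: CacheSID now fills `sid->expirationTime` from `expirationPeriod` only when it is still zero, and the `PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0)` just before it says that case is not expected. The ssl3con.c and sslcon.c hunks in this commit set `expirationTime` from `ssl3_sid_timeout` / `ssl_sid_timeout` when the sid is filled in, so on the normal path the client cache lifetime no longer comes from `expirationPeriod`. If those values differ, this silently changes how long clients reuse sessions; the commit message or a comment at the fallback should say so. The trace strings also still label the value `time=` although they now print `creationTime` rather than the expiry. CacheSID, UncacheSID and ssl_LookupSID all continue outside the hunks.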


@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: sslsnce.c,v 1.15 2001/10/06 00:14:33 jpierre%netscape.com Exp $
* $Id: sslsnce.c,v 1.16 2001/11/02 04:24:21 nelsonb%netscape.com Exp $
*/
/* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server
@ -106,7 +106,9 @@
*/
struct sidCacheEntryStr {
/* 16 */ PRIPv6Addr addr; /* client's IP address */
/* 4 */ PRUint32 time; /* expiration time of this entry */
/* 4 */ PRUint32 creationTime;
/* 4 */ PRUint32 lastAccessTime;
/* 4 */ PRUint32 expirationTime;
/* 2 */ PRUint16 version;
/* 1 */ PRUint8 valid;
/* 1 */ PRUint8 sessionIDLength;
@ -115,7 +117,7 @@ struct sidCacheEntryStr {
/* 2 */ PRUint16 authKeyBits;
/* 2 */ PRUint16 keaType;
/* 2 */ PRUint16 keaKeyBits;
/* 64 - common header total */
/* 72 - common header total */
union {
struct {
@ -385,7 +387,7 @@ CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce)
}
/*
** Convert memory based SID to file based one
** Convert local SID to shared memory one
*/
static void
ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
@ -393,7 +395,9 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
to->valid = 1;
to->version = from->version;
to->addr = from->addr;
to->time = from->time;
to->creationTime = from->creationTime;
to->lastAccessTime = from->lastAccessTime;
to->expirationTime = from->expirationTime;
to->authAlgorithm = from->authAlgorithm;
to->authKeyBits = from->authKeyBits;
to->keaType = from->keaType;
@ -429,7 +433,7 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
"time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid,
to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
to->time, to->addr.pr_s6_addr32[0],
to->creationTime, to->addr.pr_s6_addr32[0],
to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType));
} else {
@ -450,14 +454,14 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x "
"cipherSuite=%d",
myPid, to->time, to->addr.pr_s6_addr32[0],
myPid, to->creationTime, to->addr.pr_s6_addr32[0],
to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite));
}
}
/*
** Convert file based cache-entry to memory based one
** Convert shared memory cache-entry to local memory based one
** This is only called from ServerSessionIDLookup().
** Caller must hold cache lock when calling this.
*/
@ -503,7 +507,7 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d "
"time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
myPid, to->u.ssl2.masterKey.len,
to->u.ssl2.cipherArg.len, to->time,
to->u.ssl2.cipherArg.len, to->creationTime,
to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1],
to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
to->u.ssl2.cipherType));
@ -555,11 +559,13 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
}
}
to->version = from->version;
to->time = from->time; /* XXX ??? is expiration time */
to->cached = in_server_cache;
to->addr = from->addr;
to->references = 1;
to->version = from->version;
to->creationTime = from->creationTime;
to->lastAccessTime = from->lastAccessTime;
to->expirationTime = from->expirationTime;
to->cached = in_server_cache;
to->addr = from->addr;
to->references = 1;
to->authAlgorithm = from->authAlgorithm;
to->authKeyBits = from->authKeyBits;
to->keaType = from->keaType;
@ -631,14 +637,14 @@ FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now,
if (!sce->valid)
continue;
if (now > sce->time) {
if (now > sce->expirationTime) {
/* SessionID has timed out. Invalidate the entry. */
SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x "
"time+=%x",
myPid, sce->addr.pr_s6_addr32[0],
sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2],
sce->addr.pr_s6_addr32[3], now,
sce->time + ssl_sid_timeout));
sce->expirationTime ));
sce->valid = 0;
continue;
}
@ -719,13 +725,14 @@ ServerSessionIDLookup(const PRIPv6Addr *addr,
}
}
if (psce) {
psce->lastAccessTime = now;
sce = *psce; /* grab a copy while holding the lock */
}
}
UnlockSet(cache, set);
if (psce) {
/* sce conains a copy of the cache entry.
** Convert file format to internal format
** Convert shared memory format to local format
*/
sid = ConvertToSID(&sce, pcce ? &cce : 0, dbHandle);
}
@ -751,13 +758,17 @@ ServerSessionIDCache(sslSessionID *sid)
if (sid->cached == never_cached || sid->cached == invalid_cache) {
PRUint32 set;
PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
if (!sid->creationTime)
sid->lastAccessTime = sid->creationTime = ssl_Time();
if (version < SSL_LIBRARY_VERSION_3_0) {
sid->time = ssl_Time() + ssl_sid_timeout;
if (!sid->expirationTime)
sid->expirationTime = sid->creationTime + ssl_sid_timeout;
SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
"cipher=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl2.cipherType));
sid->creationTime, sid->u.ssl2.cipherType));
PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
SSL2_SESSIONID_BYTES));
PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
@ -766,12 +777,13 @@ ServerSessionIDCache(sslSessionID *sid)
sid->u.ssl2.cipherArg.len));
} else {
sid->time = ssl_Time() + ssl3_sid_timeout;
if (!sid->expirationTime)
sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
"cipherSuite=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl3.cipherSuite));
sid->creationTime, sid->u.ssl3.cipherSuite));
PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
sid->u.ssl3.sessionIDLength));
}
@ -831,7 +843,7 @@ ServerSessionIDUncache(sslSessionID *sid)
"cipher=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl2.cipherType));
sid->creationTime, sid->u.ssl2.cipherType));
PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
sid->u.ssl2.masterKey.len));
@ -844,7 +856,7 @@ ServerSessionIDUncache(sslSessionID *sid)
"cipherSuite=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl3.cipherSuite));
sid->creationTime, sid->u.ssl3.cipherSuite));
PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
}
set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength);
@ -1456,7 +1468,7 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
}
/* The caller passes in the new value it wants
* to set. This code tests the wrapped sym key entry in the file on disk.
* to set. This code tests the wrapped sym key entry in the shared memory.
* If it is uninitialized, this function writes the caller's value into
* the disk entry, and returns false.
* Otherwise, it overwrites the caller's wswk with the value obtained from
@ -1548,7 +1560,7 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
}
/* This is a kind of test-and-set. The caller passes in the new value it wants
* to set. This code tests the wrapped sym key entry in the file on disk.
* to set. This code tests the wrapped sym key entry in the shared memory.
* If it is uninitialized, this function writes the caller's value into
* the disk entry, and returns false.
* Otherwise, it overwrites the caller's wswk with the value obtained from
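Review bot: The common header of `sidCacheEntryStr` grows from 64 to 72 bytes, and only the running-total comment is updated in this hunk; the union that follows and any padding or total-size bookkeeping are outside the view. Since the commit's own comments now describe these entries as living in shared memory, the overall entry size and alignment should be re-checked, preferably with a compile-time size check next to the struct rather than hand-maintained byte counts. In the two ssl_GetWrappingKey comment hunks the first sentence was changed to say shared memory but the following line still reads `the disk entry, and returns false.`; suggest `* the shared memory entry, and returns false.`.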


@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: sslt.h,v 1.1 2001/09/18 01:59:21 nelsonb%netscape.com Exp $
* $Id: sslt.h,v 1.2 2001/11/02 04:24:21 nelsonb%netscape.com Exp $
*/
#ifndef __sslt_h_
@ -83,6 +83,13 @@ typedef enum {
ssl_sign_dsa = 2
} SSLSignType;
typedef enum {
ssl_auth_null = 0,
ssl_auth_rsa = 1,
ssl_auth_dsa = 2,
ssl_auth_kea = 3
} SSLAuthType;
typedef enum {
ssl_calg_null = 0,
ssl_calg_rc4 = 1,
@ -104,18 +111,37 @@ typedef enum {
typedef struct SSLChannelInfoStr {
PRUint32 length;
PRUint16 protocolVersion;
PRUint16 cipherSuite;
PRUint16 protocolVersion;
PRUint16 cipherSuite;
/* server authentication info */
PRUint32 authKeyBits;
/* key exchange algorithm info */
PRUint32 keaKeyBits;
/* session info */
PRUint32 creationTime; /* seconds since Jan 1, 1970 */
PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
PRUint32 sessionIDLength; /* up to 32 */
PRUint8 sessionID [32];
} SSLChannelInfo;
typedef struct SSLCipherSuiteInfoStr {
PRUint16 length;
PRUint16 cipherSuite;
/* Cipher Suite Name */
const char * cipherSuiteName;
/* server authentication info */
const char * authAlgorithmName;
SSLSignType authAlgorithm;
PRUint32 authKeyBits;
SSLAuthType authAlgorithm;
/* key exchange algorithm info */
const char * keaTypeName;
SSLKEAType keaType;
PRUint32 keaKeyBits;
/* symmetric encryption info */
const char * symCipherName;
@ -132,8 +158,6 @@ typedef struct SSLChannelInfoStr {
PRUintn isFIPS : 1;
PRUintn reservedBits :31;
PRUint8 reserved [64];
} SSLChannelInfo;
} SSLCipherSuiteInfo;
#endif /* __sslt_h_ */
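Review bot: SSLChannelInfo's public layout changes incompatibly here: the algorithm, name and `reserved[64]` members move out to the new SSLCipherSuiteInfo and the session fields take their place, while `length` remains the only versioning signal. A caller built against the previous header that tests `info.length >= offsetof(SSLChannelInfo, reserved)` (the pattern this commit removes from the test tools) could accept the new struct and misread it, so this needs a release note if revision 1.1 of the header was ever shipped. The two structs also disagree on the type of `length` (`PRUint32` in one, `PRUint16` in the other). I would add a comment on both saying that `length` is the number of bytes the library filled in and that callers must compare it with `sizeof` before reading any member.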