Bug 1013088: disallow ECC cipher suites if SSL 3.0 is negotiated. r=wtc.
authorJulien Pierre <julien.pierre@oracle.com>
Thu, 22 May 2014 15:17:43 -0700
changeset 11159 aa8e62e782f5a56ec003858b43b51b6ecc71ef59
parent 11158 1846aba9176cb5f6c1c126d23561df4cad748757
child 11160 33c165684527a4e765e364f7a9f28362e9a4c97d
push id401
push userwtc@google.com
push dateThu, 22 May 2014 22:17:51 +0000
reviewerswtc
bugs1013088
Bug 1013088: disallow ECC cipher suites if SSL 3.0 is negotiated. r=wtc.
lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -628,28 +628,54 @@ ssl3_CipherSuiteAllowedForVersionRange(
      *   TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:   never implemented
      *   TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
      *   TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      *   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      *   TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:     never implemented
      *   TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      */
 	return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
+
     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
     case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_RSA_WITH_NULL_SHA256:
 	return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
+
+    /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
+     * point formats.*/
+    case TLS_ECDH_ECDSA_WITH_NULL_SHA:
+    case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
+    case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
+    case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
+    case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
+    case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
+    case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
+    case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
+    case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
+    case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
+    case TLS_ECDH_RSA_WITH_NULL_SHA:
+    case TLS_ECDH_RSA_WITH_RC4_128_SHA:
+    case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
+    case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
+    case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
+    case TLS_ECDHE_RSA_WITH_NULL_SHA:
+    case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
+    case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
+    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
+    case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+	return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_0;
+
     default:
 	return PR_TRUE;
     }
 }
 
 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
 /* XXX This does a linear search.  A binary search would be better. */
 static const ssl3CipherSuiteDef *
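Review bot: The new ECC case group ends in `return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_0;`, which tests only the upper bound of the range, so for a range such as SSL 3.0 through TLS 1.2 it still returns PR_TRUE. Nothing in this hunk rejects an ECC suite once SSL 3.0 is the version actually selected. The commit title is therefore met only if a caller re-checks the chosen suite with a range narrowed to the negotiated version (min == max); that path is not visible here, and the function body starts above the hunk, so it is worth confirming before relying on this. I would also state the contract in the comment, for example `/* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and point formats, so allow them only if the range reaches TLS 1.0 or later. */` followed by `/* Callers enforcing this after version selection must pass the negotiated version as both min and max. */`.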