OLD | NEW |
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | 1 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c |
2 --- a/nss/lib/ssl/ssl3con.c» 2014-01-17 18:00:11.213237373 -0800 | 2 index 67c8f6d..da0abfb 100644 |
3 +++ b/nss/lib/ssl/ssl3con.c» 2014-01-17 18:04:22.497405273 -0800 | 3 --- a/ssl/ssl3con.c |
| 4 +++ b/ssl/ssl3con.c |
4 @@ -31,6 +31,15 @@ | 5 @@ -31,6 +31,15 @@ |
5 #include "blapi.h" | 6 #include "blapi.h" |
6 #endif | 7 #endif |
7 | 8 |
8 +/* This is a bodge to allow this code to be compiled against older NSS headers | 9 +/* This is a bodge to allow this code to be compiled against older NSS headers |
9 + * that don't contain the TLS 1.2 changes. */ | 10 + * that don't contain the TLS 1.2 changes. */ |
10 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 | 11 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 |
11 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | 12 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
12 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | 13 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
13 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | 14 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
14 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 15 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
15 +#endif | 16 +#endif |
16 + | 17 + |
17 #include <stdio.h> | 18 #include <stdio.h> |
18 #ifdef NSS_ENABLE_ZLIB | 19 #ifdef NSS_ENABLE_ZLIB |
19 #include "zlib.h" | 20 #include "zlib.h" |
20 diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c | 21 diff --git a/ssl/ssl3ecc.c b/ssl/ssl3ecc.c |
21 --- a/nss/lib/ssl/ssl3ecc.c» 2014-01-17 18:01:31.474568608 -0800 | 22 index 0f805ec..003ed78 100644 |
22 +++ b/nss/lib/ssl/ssl3ecc.c» 2014-01-17 18:04:22.497405273 -0800 | 23 --- a/ssl/ssl3ecc.c |
| 24 +++ b/ssl/ssl3ecc.c |
23 @@ -30,6 +30,12 @@ | 25 @@ -30,6 +30,12 @@ |
24 | 26 |
25 #include <stdio.h> | 27 #include <stdio.h> |
26 | 28 |
27 +/* This is a bodge to allow this code to be compiled against older NSS headers | 29 +/* This is a bodge to allow this code to be compiled against older NSS headers |
28 + * that don't contain the TLS 1.2 changes. */ | 30 + * that don't contain the TLS 1.2 changes. */ |
29 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | 31 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
30 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 32 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
31 +#endif | 33 +#endif |
32 + | 34 + |
33 #ifdef NSS_ENABLE_ECC | 35 #ifndef NSS_DISABLE_ECC |
34 | 36 |
35 #ifndef PK11_SETATTRS | 37 #ifndef PK11_SETATTRS |
36 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c | 38 diff --git a/ssl/sslsock.c b/ssl/sslsock.c |
37 --- a/nss/lib/ssl/sslsock.c» 2014-01-17 18:00:11.213237373 -0800 | 39 index 47906e0..0d12273 100644 |
38 +++ b/nss/lib/ssl/sslsock.c» 2014-01-17 18:04:22.497405273 -0800 | 40 --- a/ssl/sslsock.c |
| 41 +++ b/ssl/sslsock.c |
39 @@ -17,8 +17,15 @@ | 42 @@ -17,8 +17,15 @@ |
40 #ifndef NO_PKCS11_BYPASS | 43 #ifndef NO_PKCS11_BYPASS |
41 #include "blapi.h" | 44 #include "blapi.h" |
42 #endif | 45 #endif |
43 +#include "pk11pub.h" | 46 +#include "pk11pub.h" |
44 #include "nss.h" | 47 #include "nss.h" |
45 | 48 |
46 +/* This is a bodge to allow this code to be compiled against older NSS headers | 49 +/* This is a bodge to allow this code to be compiled against older NSS headers |
47 + * that don't contain the TLS 1.2 changes. */ | 50 + * that don't contain the TLS 1.2 changes. */ |
48 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | 51 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
49 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 52 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
50 +#endif | 53 +#endif |
51 + | 54 + |
52 #define SET_ERROR_CODE /* reminder */ | 55 #define SET_ERROR_CODE /* reminder */ |
53 | 56 |
54 static const sslSocketOps ssl_default_ops = {» /* No SSL. */ | 57 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
55 @@ -1836,6 +1843,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV | 58 @@ -1878,6 +1885,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vran
ge) |
56 return SECSuccess; | 59 return SECSuccess; |
57 } | 60 } |
58 | 61 |
59 +static PRCallOnceType checkTLS12TokenOnce; | 62 +static PRCallOnceType checkTLS12TokenOnce; |
60 +static PRBool tls12TokenExists; | 63 +static PRBool tls12TokenExists; |
61 + | 64 + |
62 +static PRStatus | 65 +static PRStatus |
63 +ssl_CheckTLS12Token(void) | 66 +ssl_CheckTLS12Token(void) |
64 +{ | 67 +{ |
65 + tls12TokenExists = | 68 + tls12TokenExists = |
66 + PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); | 69 + PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); |
67 + return PR_SUCCESS; | 70 + return PR_SUCCESS; |
68 +} | 71 +} |
69 + | 72 + |
70 +static PRBool | 73 +static PRBool |
71 +ssl_TLS12TokenExists(void) | 74 +ssl_TLS12TokenExists(void) |
72 +{ | 75 +{ |
73 + (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); | 76 + (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); |
74 + return tls12TokenExists; | 77 + return tls12TokenExists; |
75 +} | 78 +} |
76 + | 79 + |
77 SECStatus | 80 SECStatus |
78 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) | 81 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
79 { | 82 { |
80 @@ -1856,6 +1881,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons | 83 @@ -1898,6 +1923,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange
*vrange) |
81 ssl_GetSSL3HandshakeLock(ss); | 84 ssl_GetSSL3HandshakeLock(ss); |
82 | 85 |
83 ss->vrange = *vrange; | 86 ss->vrange = *vrange; |
84 + /* If we don't have a sufficiently up-to-date softoken then we cannot do | 87 + /* If we don't have a sufficiently up-to-date softoken then we cannot do |
85 + * TLS 1.2. */ | 88 + * TLS 1.2. */ |
86 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && | 89 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
87 + !ssl_TLS12TokenExists()) { | 90 + !ssl_TLS12TokenExists()) { |
88 + /* If the user requested a minimum version of 1.2, then we don't | 91 + /* If the user requested a minimum version of 1.2, then we don't |
89 + * silently downgrade. */ | 92 + * silently downgrade. */ |
90 + if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { | 93 + if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
91 + ssl_ReleaseSSL3HandshakeLock(ss); | 94 + ssl_ReleaseSSL3HandshakeLock(ss); |
92 + ssl_Release1stHandshakeLock(ss); | 95 + ssl_Release1stHandshakeLock(ss); |
93 + PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 96 + PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
94 + return SECFailure; | 97 + return SECFailure; |
95 + } | 98 + } |
96 + ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; | 99 + ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
97 + } | 100 + } |
98 | 101 |
99 ssl_ReleaseSSL3HandshakeLock(ss); | 102 ssl_ReleaseSSL3HandshakeLock(ss); |
100 ssl_Release1stHandshakeLock(ss); | 103 ssl_Release1stHandshakeLock(ss); |
OLD | NEW |