| 1 /* | 1 /* |
| 2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
| 3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
| 4 * Various other functions. | 4 * Various other functions. |
| 5 * | 5 * |
| 6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
| 7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 9 /* $Id$ */ | 9 /* $Id$ */ |
| 10 #include "seccomon.h" | 10 #include "seccomon.h" |
| 11 #include "cert.h" | 11 #include "cert.h" |
| 12 #include "keyhi.h" | 12 #include "keyhi.h" |
| 13 #include "ssl.h" | 13 #include "ssl.h" |
| 14 #include "sslimpl.h" | 14 #include "sslimpl.h" |
| 15 #include "sslproto.h" | 15 #include "sslproto.h" |
| 16 #include "nspr.h" | 16 #include "nspr.h" |
| 17 #include "private/pprio.h" | 17 #include "private/pprio.h" |
| 18 #ifndef NO_PKCS11_BYPASS | 18 #ifndef NO_PKCS11_BYPASS |
| 19 #include "blapi.h" | 19 #include "blapi.h" |
| 20 #endif | 20 #endif |
| 21 #include "pk11pub.h" |
| 21 #include "nss.h" | 22 #include "nss.h" |
| 22 | 23 |
| 23 #define SET_ERROR_CODE /* reminder */ | 24 #define SET_ERROR_CODE /* reminder */ |
| 24 | 25 |
| 25 struct cipherPolicyStr { | 26 struct cipherPolicyStr { |
| 26 int cipher; | 27 int cipher; |
| 27 unsigned char export; /* policy value for export policy */ | 28 unsigned char export; /* policy value for export policy */ |
| 28 unsigned char france; /* policy value for france policy */ | 29 unsigned char france; /* policy value for france policy */ |
| 29 }; | 30 }; |
| 30 | 31 |
| 775 if (on) | 776 if (on) |
| 776 SSL_DisableExportCipherSuites(fd); | 777 SSL_DisableExportCipherSuites(fd); |
| 777 break; | 778 break; |
| 778 | 779 |
| 779 case SSL_BYPASS_PKCS11: | 780 case SSL_BYPASS_PKCS11: |
| 780 if (ss->handshakeBegun) { | 781 if (ss->handshakeBegun) { |
| 781 PORT_SetError(PR_INVALID_STATE_ERROR); | 782 PORT_SetError(PR_INVALID_STATE_ERROR); |
| 782 rv = SECFailure; | 783 rv = SECFailure; |
| 783 } else { | 784 } else { |
| 784 if (PR_FALSE != on) { | 785 if (PR_FALSE != on) { |
| 786 /* TLS 1.2 isn't supported in bypass mode. */ |
| 787 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 788 /* If the user requested a minimum version of TLS 1.2 then |
| 789 * we don't silently downgrade. */ |
| 790 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 791 rv = SECFailure; |
| 792 } |
| 793 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 794 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 795 } |
| 785 if (PR_SUCCESS == SSL_BypassSetup() ) { | 796 if (PR_SUCCESS == SSL_BypassSetup() ) { |
| 786 #ifdef NO_PKCS11_BYPASS | 797 #ifdef NO_PKCS11_BYPASS |
| 787 ss->opt.bypassPKCS11 = PR_FALSE; | 798 ss->opt.bypassPKCS11 = PR_FALSE; |
| 788 #else | 799 #else |
| 789 ss->opt.bypassPKCS11 = on; | 800 ss->opt.bypassPKCS11 = on; |
| 790 #endif | 801 #endif |
| 791 } else { | 802 } else { |
| 792 rv = SECFailure; | 803 rv = SECFailure; |
| 793 } | 804 } |
| 794 } else { | 805 } else { |
| 1908 | 1919 |
| 1909 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { | 1920 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { |
| 1910 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1921 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1911 return SECFailure; | 1922 return SECFailure; |
| 1912 } | 1923 } |
| 1913 | 1924 |
| 1914 ssl_Get1stHandshakeLock(ss); | 1925 ssl_Get1stHandshakeLock(ss); |
| 1915 ssl_GetSSL3HandshakeLock(ss); | 1926 ssl_GetSSL3HandshakeLock(ss); |
| 1916 | 1927 |
| 1917 ss->vrange = *vrange; | 1928 ss->vrange = *vrange; |
| 1929 /* If we don't have a sufficiently up-to-date library then we cannot do TLS |
| 1930 * 1.2. */ |
| 1931 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
| 1932 !PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) { |
| 1933 /* If the user requested a minimum version of 1.2, then we don't |
| 1934 * silently downgrade. */ |
| 1935 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1936 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1937 return SECFailure; |
| 1938 } |
| 1939 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 1940 } |
| 1941 /* PKCS#11 bypass is not supported with TLS 1.2. */ |
| 1942 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1943 ss->opt.bypassPKCS11 = PR_FALSE; |
| 1944 } |
| 1918 | 1945 |
| 1919 ssl_ReleaseSSL3HandshakeLock(ss); | 1946 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1920 ssl_Release1stHandshakeLock(ss); | 1947 ssl_Release1stHandshakeLock(ss); |
| 1921 | 1948 |
| 1922 return SECSuccess; | 1949 return SECSuccess; |
| 1923 } | 1950 } |
| 1924 | 1951 |
| 1925 const SECItemArray * | 1952 const SECItemArray * |
| 1926 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) | 1953 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
| 1927 { | 1954 { |
| 3073 ssl_DestroySocketContents(ss); | 3100 ssl_DestroySocketContents(ss); |
| 3074 ssl_DestroyLocks(ss); | 3101 ssl_DestroyLocks(ss); |
| 3075 PORT_Free(ss); | 3102 PORT_Free(ss); |
| 3076 ss = NULL; | 3103 ss = NULL; |
| 3077 } | 3104 } |
| 3078 ss->protocolVariant = protocolVariant; | 3105 ss->protocolVariant = protocolVariant; |
| 3079 } | 3106 } |
| 3080 return ss; | 3107 return ss; |
| 3081 } | 3108 } |
| 3082 | 3109 |
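Review bot: In the SSL_VersionRangeSet hunk (new lines 1929-1940) the added `return SECFailure;` at 1937 executes after ssl_Get1stHandshakeLock/ssl_GetSSL3HandshakeLock (1925-1926) and before their release (1946-1947), so the rejection path returns with both handshake locks still held, and it runs after `ss->vrange = *vrange;` (1928) has already overwritten the socket's range with the values being rejected. Validating and downgrading a local copy of the range before the locks are taken, and only assigning it once it is known good, removes both problems; a rewrite of that stretch is below. The SSL_OptionSet hunk (new lines 786-795) has the same shape: after `rv = SECFailure;` at 791 control continues into the clamp at 793-795 and the `SSL_BypassSetup()` call at 796, so a rejected request still lowers `vrange.max` below `vrange.min` and may still switch bypass on; putting the clamp and the bypass setup in an `else` branch of the 787 check (or breaking out of the case there) keeps the failure free of side effects. Both enclosing functions begin outside their hunks, so whether other early returns under these locks exist could not be checked here.
```c
    /* … unchanged: ssl3_VersionRangeIsValid() check and its SECFailure return … */

    /* Validate and adjust a private copy first: a rejected range must not
     * touch ss->vrange, and the early return must not skip the lock release. */
    SSLVersionRange newRange = *vrange;
    /* If we don't have a sufficiently up-to-date library then we cannot do TLS
     * 1.2. */
    if (newRange.max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
        !PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
        /* If the user requested a minimum version of 1.2, then we don't
         * silently downgrade. */
        if (newRange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
            PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
            return SECFailure;
        }
        newRange.max = SSL_LIBRARY_VERSION_TLS_1_1;
    }

    ssl_Get1stHandshakeLock(ss);
    ssl_GetSSL3HandshakeLock(ss);

    ss->vrange = newRange;
    /* PKCS#11 bypass is not supported with TLS 1.2. */
    if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
        ss->opt.bypassPKCS11 = PR_FALSE;
    }

    ssl_ReleaseSSL3HandshakeLock(ss);
    ssl_Release1stHandshakeLock(ss);
    /* … unchanged: return SECSuccess; … */
```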