OLD | NEW |
1 /* | 1 /* |
2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
4 * Various other functions. | 4 * Various other functions. |
5 * | 5 * |
6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
9 /* $Id$ */ | 9 /* $Id$ */ |
10 #include "seccomon.h" | 10 #include "seccomon.h" |
11 #include "cert.h" | 11 #include "cert.h" |
12 #include "keyhi.h" | 12 #include "keyhi.h" |
13 #include "ssl.h" | 13 #include "ssl.h" |
14 #include "sslimpl.h" | 14 #include "sslimpl.h" |
15 #include "sslproto.h" | 15 #include "sslproto.h" |
16 #include "nspr.h" | 16 #include "nspr.h" |
17 #include "private/pprio.h" | 17 #include "private/pprio.h" |
18 #ifndef NO_PKCS11_BYPASS | 18 #ifndef NO_PKCS11_BYPASS |
19 #include "blapi.h" | 19 #include "blapi.h" |
20 #endif | 20 #endif |
| 21 #include "pk11pub.h" |
21 #include "nss.h" | 22 #include "nss.h" |
22 | 23 |
23 #define SET_ERROR_CODE /* reminder */ | 24 #define SET_ERROR_CODE /* reminder */ |
24 | 25 |
25 struct cipherPolicyStr { | 26 struct cipherPolicyStr { |
26 int cipher; | 27 int cipher; |
27 unsigned char export; /* policy value for export policy */ | 28 unsigned char export; /* policy value for export policy */ |
28 unsigned char france; /* policy value for france policy */ | 29 unsigned char france; /* policy value for france policy */ |
29 }; | 30 }; |
30 | 31 |
(...skipping 744 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
775 if (on) | 776 if (on) |
776 SSL_DisableExportCipherSuites(fd); | 777 SSL_DisableExportCipherSuites(fd); |
777 break; | 778 break; |
778 | 779 |
779 case SSL_BYPASS_PKCS11: | 780 case SSL_BYPASS_PKCS11: |
780 if (ss->handshakeBegun) { | 781 if (ss->handshakeBegun) { |
781 PORT_SetError(PR_INVALID_STATE_ERROR); | 782 PORT_SetError(PR_INVALID_STATE_ERROR); |
782 rv = SECFailure; | 783 rv = SECFailure; |
783 } else { | 784 } else { |
784 if (PR_FALSE != on) { | 785 if (PR_FALSE != on) { |
| 786 /* TLS 1.2 isn't supported in bypass mode. */ |
| 787 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 788 /* If the user requested a minimum version of TLS 1.2 then |
| 789 * we don't silently downgrade. */ |
| 790 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 791 rv = SECFailure; |
| 792 } |
| 793 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 794 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 795 } |
785 if (PR_SUCCESS == SSL_BypassSetup() ) { | 796 if (PR_SUCCESS == SSL_BypassSetup() ) { |
786 #ifdef NO_PKCS11_BYPASS | 797 #ifdef NO_PKCS11_BYPASS |
787 ss->opt.bypassPKCS11 = PR_FALSE; | 798 ss->opt.bypassPKCS11 = PR_FALSE; |
788 #else | 799 #else |
789 ss->opt.bypassPKCS11 = on; | 800 ss->opt.bypassPKCS11 = on; |
790 #endif | 801 #endif |
791 } else { | 802 } else { |
792 rv = SECFailure; | 803 rv = SECFailure; |
793 } | 804 } |
794 } else { | 805 } else { |
(...skipping 1113 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1908 | 1919 |
1909 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { | 1920 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { |
1910 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1921 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
1911 return SECFailure; | 1922 return SECFailure; |
1912 } | 1923 } |
1913 | 1924 |
1914 ssl_Get1stHandshakeLock(ss); | 1925 ssl_Get1stHandshakeLock(ss); |
1915 ssl_GetSSL3HandshakeLock(ss); | 1926 ssl_GetSSL3HandshakeLock(ss); |
1916 | 1927 |
1917 ss->vrange = *vrange; | 1928 ss->vrange = *vrange; |
| 1929 /* If we don't have a sufficiently up-to-date library then we cannot do TLS |
| 1930 * 1.2. */ |
| 1931 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
| 1932 !PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) { |
| 1933 /* If the user requested a minimum version of 1.2, then we don't |
| 1934 * silently downgrade. */ |
| 1935 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1936 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1937 return SECFailure; |
| 1938 } |
| 1939 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 1940 } |
| 1941 /* PKCS#11 bypass is not supported with TLS 1.2. */ |
| 1942 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1943 ss->opt.bypassPKCS11 = PR_FALSE; |
| 1944 } |
1918 | 1945 |
1919 ssl_ReleaseSSL3HandshakeLock(ss); | 1946 ssl_ReleaseSSL3HandshakeLock(ss); |
1920 ssl_Release1stHandshakeLock(ss); | 1947 ssl_Release1stHandshakeLock(ss); |
1921 | 1948 |
1922 return SECSuccess; | 1949 return SECSuccess; |
1923 } | 1950 } |
1924 | 1951 |
1925 const SECItemArray * | 1952 const SECItemArray * |
1926 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) | 1953 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
1927 { | 1954 { |
(...skipping 1145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3073 ssl_DestroySocketContents(ss); | 3100 ssl_DestroySocketContents(ss); |
3074 ssl_DestroyLocks(ss); | 3101 ssl_DestroyLocks(ss); |
3075 PORT_Free(ss); | 3102 PORT_Free(ss); |
3076 ss = NULL; | 3103 ss = NULL; |
3077 } | 3104 } |
3078 ss->protocolVariant = protocolVariant; | 3105 ss->protocolVariant = protocolVariant; |
3079 } | 3106 } |
3080 return ss; | 3107 return ss; |
3081 } | 3108 } |
3082 | 3109 |
OLD | NEW |