OLD | NEW |
1 /* | 1 /* |
2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
4 * Various other functions. | 4 * Various other functions. |
5 * | 5 * |
6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
9 /* $Id$ */ | 9 /* $Id$ */ |
10 #include "seccomon.h" | 10 #include "seccomon.h" |
11 #include "cert.h" | 11 #include "cert.h" |
12 #include "keyhi.h" | 12 #include "keyhi.h" |
13 #include "ssl.h" | 13 #include "ssl.h" |
14 #include "sslimpl.h" | 14 #include "sslimpl.h" |
15 #include "sslproto.h" | 15 #include "sslproto.h" |
16 #include "nspr.h" | 16 #include "nspr.h" |
17 #include "private/pprio.h" | 17 #include "private/pprio.h" |
18 #ifndef NO_PKCS11_BYPASS | 18 #ifndef NO_PKCS11_BYPASS |
19 #include "blapi.h" | 19 #include "blapi.h" |
20 #endif | 20 #endif |
| 21 #include "pk11pub.h" |
21 #include "nss.h" | 22 #include "nss.h" |
22 | 23 |
| 24 /* This is a bodge to allow this code to be compiled against older NSS headers |
| 25 * that don't contain the TLS 1.2 changes. */ |
| 26 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
| 27 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
| 28 #endif |
| 29 |
23 #define SET_ERROR_CODE /* reminder */ | 30 #define SET_ERROR_CODE /* reminder */ |
24 | 31 |
25 struct cipherPolicyStr { | 32 struct cipherPolicyStr { |
26 int cipher; | 33 int cipher; |
27 unsigned char export; /* policy value for export policy */ | 34 unsigned char export; /* policy value for export policy */ |
28 unsigned char france; /* policy value for france policy */ | 35 unsigned char france; /* policy value for france policy */ |
29 }; | 36 }; |
30 | 37 |
31 typedef struct cipherPolicyStr cipherPolicy; | 38 typedef struct cipherPolicyStr cipherPolicy; |
32 | 39 |
(...skipping 742 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
775 if (on) | 782 if (on) |
776 SSL_DisableExportCipherSuites(fd); | 783 SSL_DisableExportCipherSuites(fd); |
777 break; | 784 break; |
778 | 785 |
779 case SSL_BYPASS_PKCS11: | 786 case SSL_BYPASS_PKCS11: |
780 if (ss->handshakeBegun) { | 787 if (ss->handshakeBegun) { |
781 PORT_SetError(PR_INVALID_STATE_ERROR); | 788 PORT_SetError(PR_INVALID_STATE_ERROR); |
782 rv = SECFailure; | 789 rv = SECFailure; |
783 } else { | 790 } else { |
784 if (PR_FALSE != on) { | 791 if (PR_FALSE != on) { |
| 792 /* TLS 1.2 isn't supported in bypass mode. */ |
| 793 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 794 /* If the user requested a minimum version of TLS 1.2 then |
| 795 * we don't silently downgrade. */ |
| 796 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 797 rv = SECFailure; |
| 798 break; |
| 799 } |
| 800 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 801 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 802 } |
785 if (PR_SUCCESS == SSL_BypassSetup() ) { | 803 if (PR_SUCCESS == SSL_BypassSetup() ) { |
786 #ifdef NO_PKCS11_BYPASS | 804 #ifdef NO_PKCS11_BYPASS |
787 ss->opt.bypassPKCS11 = PR_FALSE; | 805 ss->opt.bypassPKCS11 = PR_FALSE; |
788 #else | 806 #else |
789 ss->opt.bypassPKCS11 = on; | 807 ss->opt.bypassPKCS11 = on; |
790 #endif | 808 #endif |
791 } else { | 809 } else { |
792 rv = SECFailure; | 810 rv = SECFailure; |
793 } | 811 } |
794 } else { | 812 } else { |
(...skipping 1093 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1888 ssl_GetSSL3HandshakeLock(ss); | 1906 ssl_GetSSL3HandshakeLock(ss); |
1889 | 1907 |
1890 *vrange = ss->vrange; | 1908 *vrange = ss->vrange; |
1891 | 1909 |
1892 ssl_ReleaseSSL3HandshakeLock(ss); | 1910 ssl_ReleaseSSL3HandshakeLock(ss); |
1893 ssl_Release1stHandshakeLock(ss); | 1911 ssl_Release1stHandshakeLock(ss); |
1894 | 1912 |
1895 return SECSuccess; | 1913 return SECSuccess; |
1896 } | 1914 } |
1897 | 1915 |
| 1916 static PRCallOnceType checkTLS12TokenOnce; |
| 1917 static PRBool tls12TokenExists; |
| 1918 |
| 1919 static PRStatus |
| 1920 ssl_CheckTLS12Token(void) |
| 1921 { |
| 1922 tls12TokenExists = |
| 1923 PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); |
| 1924 return PR_SUCCESS; |
| 1925 } |
| 1926 |
| 1927 static PRBool |
| 1928 ssl_TLS12TokenExists(void) |
| 1929 { |
| 1930 (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); |
| 1931 return tls12TokenExists; |
| 1932 } |
| 1933 |
1898 SECStatus | 1934 SECStatus |
1899 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) | 1935 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
1900 { | 1936 { |
1901 sslSocket *ss = ssl_FindSocket(fd); | 1937 sslSocket *ss = ssl_FindSocket(fd); |
1902 | 1938 |
1903 if (!ss) { | 1939 if (!ss) { |
1904 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", | 1940 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", |
1905 SSL_GETPID(), fd)); | 1941 SSL_GETPID(), fd)); |
1906 return SECFailure; | 1942 return SECFailure; |
1907 } | 1943 } |
1908 | 1944 |
1909 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { | 1945 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { |
1910 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1946 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
1911 return SECFailure; | 1947 return SECFailure; |
1912 } | 1948 } |
1913 | 1949 |
1914 ssl_Get1stHandshakeLock(ss); | 1950 ssl_Get1stHandshakeLock(ss); |
1915 ssl_GetSSL3HandshakeLock(ss); | 1951 ssl_GetSSL3HandshakeLock(ss); |
1916 | 1952 |
1917 ss->vrange = *vrange; | 1953 ss->vrange = *vrange; |
| 1954 /* If we don't have a sufficiently up-to-date softoken then we cannot do |
| 1955 * TLS 1.2. */ |
| 1956 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
| 1957 !ssl_TLS12TokenExists()) { |
| 1958 /* If the user requested a minimum version of 1.2, then we don't |
| 1959 * silently downgrade. */ |
| 1960 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1961 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1962 ssl_Release1stHandshakeLock(ss); |
| 1963 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1964 return SECFailure; |
| 1965 } |
| 1966 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 1967 } |
| 1968 /* PKCS#11 bypass is not supported with TLS 1.2. */ |
| 1969 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1970 ss->opt.bypassPKCS11 = PR_FALSE; |
| 1971 } |
1918 | 1972 |
1919 ssl_ReleaseSSL3HandshakeLock(ss); | 1973 ssl_ReleaseSSL3HandshakeLock(ss); |
1920 ssl_Release1stHandshakeLock(ss); | 1974 ssl_Release1stHandshakeLock(ss); |
1921 | 1975 |
1922 return SECSuccess; | 1976 return SECSuccess; |
1923 } | 1977 } |
1924 | 1978 |
1925 const SECItemArray * | 1979 const SECItemArray * |
1926 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) | 1980 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
1927 { | 1981 { |
(...skipping 1145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3073 ssl_DestroySocketContents(ss); | 3127 ssl_DestroySocketContents(ss); |
3074 ssl_DestroyLocks(ss); | 3128 ssl_DestroyLocks(ss); |
3075 PORT_Free(ss); | 3129 PORT_Free(ss); |
3076 ss = NULL; | 3130 ss = NULL; |
3077 } | 3131 } |
3078 ss->protocolVariant = protocolVariant; | 3132 ss->protocolVariant = protocolVariant; |
3079 } | 3133 } |
3080 return ss; | 3134 return ss; |
3081 } | 3135 } |
3082 | 3136 |
OLD | NEW |