| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of |
| 3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. |
| 4 * Various other functions. | 4 * Various other functions. |
| 5 * | 5 * |
| 6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public |
| 7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 9 /* $Id$ */ | 9 /* $Id$ */ |
| 10 #include "seccomon.h" | 10 #include "seccomon.h" |
| 11 #include "cert.h" | 11 #include "cert.h" |
| 12 #include "keyhi.h" | 12 #include "keyhi.h" |
| 13 #include "ssl.h" | 13 #include "ssl.h" |
| 14 #include "sslimpl.h" | 14 #include "sslimpl.h" |
| 15 #include "sslproto.h" | 15 #include "sslproto.h" |
| 16 #include "nspr.h" | 16 #include "nspr.h" |
| 17 #include "private/pprio.h" | 17 #include "private/pprio.h" |
| 18 #ifndef NO_PKCS11_BYPASS | 18 #ifndef NO_PKCS11_BYPASS |
| 19 #include "blapi.h" | 19 #include "blapi.h" |
| 20 #endif | 20 #endif |
| 21 #include "pk11pub.h" |
| 21 #include "nss.h" | 22 #include "nss.h" |
| 22 | 23 |
| 24 /* This is a bodge to allow this code to be compiled against older NSS headers |
| 25 * that don't contain the TLS 1.2 changes. */ |
| 26 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
| 27 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
| 28 #endif |
| 29 |
| 23 #define SET_ERROR_CODE /* reminder */ | 30 #define SET_ERROR_CODE /* reminder */ |
| 24 | 31 |
| 25 struct cipherPolicyStr { | 32 struct cipherPolicyStr { |
| 26 int cipher; | 33 int cipher; |
| 27 unsigned char export; /* policy value for export policy */ | 34 unsigned char export; /* policy value for export policy */ |
| 28 unsigned char france; /* policy value for france policy */ | 35 unsigned char france; /* policy value for france policy */ |
| 29 }; | 36 }; |
| 30 | 37 |
| 31 typedef struct cipherPolicyStr cipherPolicy; | 38 typedef struct cipherPolicyStr cipherPolicy; |
| 32 | 39 |
| (...skipping 742 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 775 if (on) | 782 if (on) |
| 776 SSL_DisableExportCipherSuites(fd); | 783 SSL_DisableExportCipherSuites(fd); |
| 777 break; | 784 break; |
| 778 | 785 |
| 779 case SSL_BYPASS_PKCS11: | 786 case SSL_BYPASS_PKCS11: |
| 780 if (ss->handshakeBegun) { | 787 if (ss->handshakeBegun) { |
| 781 PORT_SetError(PR_INVALID_STATE_ERROR); | 788 PORT_SetError(PR_INVALID_STATE_ERROR); |
| 782 rv = SECFailure; | 789 rv = SECFailure; |
| 783 } else { | 790 } else { |
| 784 if (PR_FALSE != on) { | 791 if (PR_FALSE != on) { |
| 792 /* TLS 1.2 isn't supported in bypass mode. */ |
| 793 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 794 /* If the user requested a minimum version of TLS 1.2 then |
| 795 * we don't silently downgrade. */ |
| 796 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 797 rv = SECFailure; |
| 798 break; |
| 799 } |
| 800 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 801 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 802 } |
| 785 if (PR_SUCCESS == SSL_BypassSetup() ) { | 803 if (PR_SUCCESS == SSL_BypassSetup() ) { |
| 786 #ifdef NO_PKCS11_BYPASS | 804 #ifdef NO_PKCS11_BYPASS |
| 787 ss->opt.bypassPKCS11 = PR_FALSE; | 805 ss->opt.bypassPKCS11 = PR_FALSE; |
| 788 #else | 806 #else |
| 789 ss->opt.bypassPKCS11 = on; | 807 ss->opt.bypassPKCS11 = on; |
| 790 #endif | 808 #endif |
| 791 } else { | 809 } else { |
| 792 rv = SECFailure; | 810 rv = SECFailure; |
| 793 } | 811 } |
| 794 } else { | 812 } else { |
| (...skipping 1093 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1888 ssl_GetSSL3HandshakeLock(ss); | 1906 ssl_GetSSL3HandshakeLock(ss); |
| 1889 | 1907 |
| 1890 *vrange = ss->vrange; | 1908 *vrange = ss->vrange; |
| 1891 | 1909 |
| 1892 ssl_ReleaseSSL3HandshakeLock(ss); | 1910 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1893 ssl_Release1stHandshakeLock(ss); | 1911 ssl_Release1stHandshakeLock(ss); |
| 1894 | 1912 |
| 1895 return SECSuccess; | 1913 return SECSuccess; |
| 1896 } | 1914 } |
| 1897 | 1915 |
| 1916 static PRCallOnceType checkTLS12TokenOnce; |
| 1917 static PRBool tls12TokenExists; |
| 1918 |
| 1919 static PRStatus |
| 1920 ssl_CheckTLS12Token(void) |
| 1921 { |
| 1922 tls12TokenExists = |
| 1923 PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); |
| 1924 return PR_SUCCESS; |
| 1925 } |
| 1926 |
| 1927 static PRBool |
| 1928 ssl_TLS12TokenExists(void) |
| 1929 { |
| 1930 (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); |
| 1931 return tls12TokenExists; |
| 1932 } |
| 1933 |
| 1898 SECStatus | 1934 SECStatus |
| 1899 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) | 1935 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
| 1900 { | 1936 { |
| 1901 sslSocket *ss = ssl_FindSocket(fd); | 1937 sslSocket *ss = ssl_FindSocket(fd); |
| 1902 | 1938 |
| 1903 if (!ss) { | 1939 if (!ss) { |
| 1904 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", | 1940 SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet", |
| 1905 SSL_GETPID(), fd)); | 1941 SSL_GETPID(), fd)); |
| 1906 return SECFailure; | 1942 return SECFailure; |
| 1907 } | 1943 } |
| 1908 | 1944 |
| 1909 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { | 1945 if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { |
| 1910 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 1946 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1911 return SECFailure; | 1947 return SECFailure; |
| 1912 } | 1948 } |
| 1913 | 1949 |
| 1914 ssl_Get1stHandshakeLock(ss); | 1950 ssl_Get1stHandshakeLock(ss); |
| 1915 ssl_GetSSL3HandshakeLock(ss); | 1951 ssl_GetSSL3HandshakeLock(ss); |
| 1916 | 1952 |
| 1917 ss->vrange = *vrange; | 1953 ss->vrange = *vrange; |
| 1954 /* If we don't have a sufficiently up-to-date softoken then we cannot do |
| 1955 * TLS 1.2. */ |
| 1956 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
| 1957 !ssl_TLS12TokenExists()) { |
| 1958 /* If the user requested a minimum version of 1.2, then we don't |
| 1959 * silently downgrade. */ |
| 1960 if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1961 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1962 ssl_Release1stHandshakeLock(ss); |
| 1963 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
| 1964 return SECFailure; |
| 1965 } |
| 1966 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 1967 } |
| 1968 /* PKCS#11 bypass is not supported with TLS 1.2. */ |
| 1969 if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 1970 ss->opt.bypassPKCS11 = PR_FALSE; |
| 1971 } |
| 1918 | 1972 |
| 1919 ssl_ReleaseSSL3HandshakeLock(ss); | 1973 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1920 ssl_Release1stHandshakeLock(ss); | 1974 ssl_Release1stHandshakeLock(ss); |
| 1921 | 1975 |
| 1922 return SECSuccess; | 1976 return SECSuccess; |
| 1923 } | 1977 } |
| 1924 | 1978 |
| 1925 const SECItemArray * | 1979 const SECItemArray * |
| 1926 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) | 1980 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
| 1927 { | 1981 { |
| (...skipping 1145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3073 ssl_DestroySocketContents(ss); | 3127 ssl_DestroySocketContents(ss); |
| 3074 ssl_DestroyLocks(ss); | 3128 ssl_DestroyLocks(ss); |
| 3075 PORT_Free(ss); | 3129 PORT_Free(ss); |
| 3076 ss = NULL; | 3130 ss = NULL; |
| 3077 } | 3131 } |
| 3078 ss->protocolVariant = protocolVariant; | 3132 ss->protocolVariant = protocolVariant; |
| 3079 } | 3133 } |
| 3080 return ss; | 3134 return ss; |
| 3081 } | 3135 } |
| 3082 | 3136 |
| OLD | NEW |
|---|
Chromium Code Reviews
