OLD | NEW |
1 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c | 1 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
2 index 7c06815..1167d6d 100644 | 2 index ce92cf1..c5cb1eb 100644 |
3 --- a/ssl/ssl3con.c | 3 --- a/lib/ssl/ssl3con.c |
4 +++ b/ssl/ssl3con.c | 4 +++ b/lib/ssl/ssl3con.c |
5 @@ -31,6 +31,15 @@ | 5 @@ -33,6 +33,15 @@ |
6 #include "blapi.h" | 6 #include "blapi.h" |
7 #endif | 7 #endif |
8 | 8 |
9 +/* This is a bodge to allow this code to be compiled against older NSS headers | 9 +/* This is a bodge to allow this code to be compiled against older NSS headers |
10 + * that don't contain the TLS 1.2 changes. */ | 10 + * that don't contain the TLS 1.2 changes. */ |
11 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 | 11 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 |
12 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | 12 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
13 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | 13 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
14 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | 14 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
15 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 15 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
16 +#endif | 16 +#endif |
17 + | 17 + |
18 #include <stdio.h> | 18 #include <stdio.h> |
19 #ifdef NSS_ENABLE_ZLIB | 19 #ifdef NSS_ENABLE_ZLIB |
20 #include "zlib.h" | 20 #include "zlib.h" |
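Review bot: The single `#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256` guard decides for all four fallback mechanism macros, so a header set that defines only some of them would either hit a redefinition or leave one undefined; each `#define` is safer under its own `#ifndef`. The same fallback block is copied into ssl3ecc.c and sslsock.c, there only for `CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256`. The hard-coded offsets `(CKM_NSS + 21)` through `(CKM_NSS + 24)` have to match what the loaded softoken implements, otherwise a different mechanism than intended is requested at runtime. Defining the block once in a header shared by the three files, with a comment naming the NSS header the values were copied from, would keep the copies from drifting.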
21 diff --git a/ssl/ssl3ecc.c b/ssl/ssl3ecc.c | 21 diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c |
22 index dac7a9e..9b91270 100644 | 22 index 6d89bbe..cf8e741 100644 |
23 --- a/ssl/ssl3ecc.c | 23 --- a/lib/ssl/ssl3ecc.c |
24 +++ b/ssl/ssl3ecc.c | 24 +++ b/lib/ssl/ssl3ecc.c |
25 @@ -31,6 +31,12 @@ | 25 @@ -31,6 +31,12 @@ |
26 | 26 |
27 #include <stdio.h> | 27 #include <stdio.h> |
28 | 28 |
29 +/* This is a bodge to allow this code to be compiled against older NSS headers | 29 +/* This is a bodge to allow this code to be compiled against older NSS headers |
30 + * that don't contain the TLS 1.2 changes. */ | 30 + * that don't contain the TLS 1.2 changes. */ |
31 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | 31 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
32 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 32 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
33 +#endif | 33 +#endif |
34 + | 34 + |
35 #ifndef NSS_DISABLE_ECC | 35 #ifndef NSS_DISABLE_ECC |
36 | 36 |
37 #ifndef PK11_SETATTRS | 37 #ifndef PK11_SETATTRS |
38 diff --git a/ssl/sslsock.c b/ssl/sslsock.c | 38 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c |
39 index 14ff328..6a6c8d1 100644 | 39 index c9a4493..6d700a7 100644 |
40 --- a/ssl/sslsock.c | 40 --- a/lib/ssl/sslsock.c |
41 +++ b/ssl/sslsock.c | 41 +++ b/lib/ssl/sslsock.c |
42 @@ -17,8 +17,15 @@ | 42 @@ -17,9 +17,16 @@ |
43 #ifndef NO_PKCS11_BYPASS | 43 #ifndef NO_PKCS11_BYPASS |
44 #include "blapi.h" | 44 #include "blapi.h" |
45 #endif | 45 #endif |
46 +#include "pk11pub.h" | 46 +#include "pk11pub.h" |
47 #include "nss.h" | 47 #include "nss.h" |
| 48 #include "pk11pqg.h" |
48 | 49 |
49 +/* This is a bodge to allow this code to be compiled against older NSS headers | 50 +/* This is a bodge to allow this code to be compiled against older NSS headers |
50 + * that don't contain the TLS 1.2 changes. */ | 51 + * that don't contain the TLS 1.2 changes. */ |
51 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | 52 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
52 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 53 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
53 +#endif | 54 +#endif |
54 + | 55 + |
55 #define SET_ERROR_CODE /* reminder */ | 56 #define SET_ERROR_CODE /* reminder */ |
56 | 57 |
57 static const sslSocketOps ssl_default_ops = { /* No SSL. */ | 58 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
58 @@ -1878,6 +1885,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vran
ge) | 59 @@ -2133,6 +2140,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vran
ge) |
59 return SECSuccess; | 60 return SECSuccess; |
60 } | 61 } |
61 | 62 |
62 +static PRCallOnceType checkTLS12TokenOnce; | 63 +static PRCallOnceType checkTLS12TokenOnce; |
63 +static PRBool tls12TokenExists; | 64 +static PRBool tls12TokenExists; |
64 + | 65 + |
65 +static PRStatus | 66 +static PRStatus |
66 +ssl_CheckTLS12Token(void) | 67 +ssl_CheckTLS12Token(void) |
67 +{ | 68 +{ |
68 + tls12TokenExists = | 69 + tls12TokenExists = |
69 + PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); | 70 + PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); |
70 + return PR_SUCCESS; | 71 + return PR_SUCCESS; |
71 +} | 72 +} |
72 + | 73 + |
73 +static PRBool | 74 +static PRBool |
74 +ssl_TLS12TokenExists(void) | 75 +ssl_TLS12TokenExists(void) |
75 +{ | 76 +{ |
76 + (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); | 77 + (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); |
77 + return tls12TokenExists; | 78 + return tls12TokenExists; |
78 +} | 79 +} |
79 + | 80 + |
80 SECStatus | 81 SECStatus |
81 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) | 82 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) |
82 { | 83 { |
83 @@ -1898,6 +1923,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange
*vrange) | 84 @@ -2153,6 +2178,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange
*vrange) |
84 ssl_GetSSL3HandshakeLock(ss); | 85 ssl_GetSSL3HandshakeLock(ss); |
85 | 86 |
86 ss->vrange = *vrange; | 87 ss->vrange = *vrange; |
87 + /* If we don't have a sufficiently up-to-date softoken then we cannot do | 88 + /* If we don't have a sufficiently up-to-date softoken then we cannot do |
88 + * TLS 1.2. */ | 89 + * TLS 1.2. */ |
89 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && | 90 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
90 + !ssl_TLS12TokenExists()) { | 91 + !ssl_TLS12TokenExists()) { |
91 + /* If the user requested a minimum version of 1.2, then we don't | 92 + /* If the user requested a minimum version of 1.2, then we don't |
92 + * silently downgrade. */ | 93 + * silently downgrade. */ |
93 + if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { | 94 + if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
94 + ssl_ReleaseSSL3HandshakeLock(ss); | 95 + ssl_ReleaseSSL3HandshakeLock(ss); |
95 + ssl_Release1stHandshakeLock(ss); | 96 + ssl_Release1stHandshakeLock(ss); |
96 + PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | 97 + PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
97 + return SECFailure; | 98 + return SECFailure; |
98 + } | 99 + } |
99 + ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; | 100 + ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
100 + } | 101 + } |
101 | 102 |
102 ssl_ReleaseSSL3HandshakeLock(ss); | 103 ssl_ReleaseSSL3HandshakeLock(ss); |
103 ssl_Release1stHandshakeLock(ss); | 104 ssl_Release1stHandshakeLock(ss); |
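Review bot: In SSL_VersionRangeSet the failure path returns SECFailure after `ss->vrange = *vrange;` has already run, so a range with a TLS 1.2 minimum that was just refused stays stored on the socket. Checking the caller's `vrange` first and assigning only once it is accepted keeps a rejected call from changing socket state. Separately, the clamp of the maximum to TLS 1.1 succeeds silently; a comment telling callers to read the effective range back with SSL_VersionRangeGet would make that downgrade visible. The function starts before this hunk and continues after it, so any earlier validation of `vrange` is not visible here.

```c
    /* … unchanged: handshake lock acquisition … */

    /* Reject before touching ss->vrange, so a refused range is never stored. */
    if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
        vrange->min >= SSL_LIBRARY_VERSION_TLS_1_2 &&
        !ssl_TLS12TokenExists()) {
        /* … unchanged: release both handshake locks, set
         * SSL_ERROR_INVALID_VERSION_RANGE, return SECFailure … */
    }

    ss->vrange = *vrange;
    /* No TLS 1.2-capable token: cap the stored maximum at TLS 1.1. Callers
     * see the effective range through SSL_VersionRangeGet. */
    if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
        !ssl_TLS12TokenExists()) {
        ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
    }

    /* … unchanged: handshake lock release … */
```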