OLD | NEW |
| (Empty) |
1 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c | |
2 index ce92cf1..c5cb1eb 100644 | |
3 --- a/lib/ssl/ssl3con.c | |
4 +++ b/lib/ssl/ssl3con.c | |
5 @@ -33,6 +33,15 @@ | |
6 #include "blapi.h" | |
7 #endif | |
8 | |
9 +/* This is a bodge to allow this code to be compiled against older NSS headers | |
10 + * that don't contain the TLS 1.2 changes. */ | |
11 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 | |
12 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | |
13 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | |
14 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | |
15 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
16 +#endif | |
17 + | |
18 #include <stdio.h> | |
19 #ifdef NSS_ENABLE_ZLIB | |
20 #include "zlib.h" | |
21 diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c | |
22 index 6d89bbe..cf8e741 100644 | |
23 --- a/lib/ssl/ssl3ecc.c | |
24 +++ b/lib/ssl/ssl3ecc.c | |
25 @@ -31,6 +31,12 @@ | |
26 | |
27 #include <stdio.h> | |
28 | |
29 +/* This is a bodge to allow this code to be compiled against older NSS headers | |
30 + * that don't contain the TLS 1.2 changes. */ | |
31 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | |
32 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
33 +#endif | |
34 + | |
35 #ifndef NSS_DISABLE_ECC | |
36 | |
37 #ifndef PK11_SETATTRS | |
38 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c | |
39 index c9a4493..6d700a7 100644 | |
40 --- a/lib/ssl/sslsock.c | |
41 +++ b/lib/ssl/sslsock.c | |
42 @@ -17,9 +17,16 @@ | |
43 #ifndef NO_PKCS11_BYPASS | |
44 #include "blapi.h" | |
45 #endif | |
46 +#include "pk11pub.h" | |
47 #include "nss.h" | |
48 #include "pk11pqg.h" | |
49 | |
50 +/* This is a bodge to allow this code to be compiled against older NSS headers | |
51 + * that don't contain the TLS 1.2 changes. */ | |
52 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | |
53 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
54 +#endif | |
55 + | |
56 #define SET_ERROR_CODE /* reminder */ | |
57 | |
58 static const sslSocketOps ssl_default_ops = { /* No SSL. */ | |
59 @@ -2133,6 +2140,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vran
ge) | |
60 return SECSuccess; | |
61 } | |
62 | |
63 +static PRCallOnceType checkTLS12TokenOnce; | |
64 +static PRBool tls12TokenExists; | |
65 + | |
66 +static PRStatus | |
67 +ssl_CheckTLS12Token(void) | |
68 +{ | |
69 + tls12TokenExists = | |
70 + PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); | |
71 + return PR_SUCCESS; | |
72 +} | |
73 + | |
74 +static PRBool | |
75 +ssl_TLS12TokenExists(void) | |
76 +{ | |
77 + (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); | |
78 + return tls12TokenExists; | |
79 +} | |
80 + | |
81 SECStatus | |
82 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) | |
83 { | |
84 @@ -2153,6 +2178,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange
*vrange) | |
85 ssl_GetSSL3HandshakeLock(ss); | |
86 | |
87 ss->vrange = *vrange; | |
88 + /* If we don't have a sufficiently up-to-date softoken then we cannot do | |
89 + * TLS 1.2. */ | |
90 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && | |
91 + !ssl_TLS12TokenExists()) { | |
92 + /* If the user requested a minimum version of 1.2, then we don't | |
93 + * silently downgrade. */ | |
94 + if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { | |
95 + ssl_ReleaseSSL3HandshakeLock(ss); | |
96 + ssl_Release1stHandshakeLock(ss); | |
97 + PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); | |
98 + return SECFailure; | |
99 + } | |
100 + ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; | |
101 + } | |
102 | |
103 ssl_ReleaseSSL3HandshakeLock(ss); | |
104 ssl_Release1stHandshakeLock(ss); | |
OLD | NEW |