--- mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c.orig 2006-10-10 06:37:35.000000000 -0700
+++ mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c 2014-11-03 14:18:59.908337004 -0800
@@ -59,8 +59,9 @@
#endif /* OSF1V4D */
#include <errno.h>
#include <nspr.h>
+#include <nss.h>
#include <cert.h>
#include <key.h>
#include <ssl.h>
#include <sslproto.h>
@@ -70,8 +71,21 @@
#include <ldap.h>
#include <ldap_ssl.h>
#include <ldappr.h>
#include <pk11func.h>
+
+#if NSS_VMAJOR * 100 + NSS_VMINOR >= 314
+/* TLS1.1 is defined in RFC4346. */
+#define NSS_TLS11 1
+static SSLVersionRange enabledNSSVersions;
+static SSLVersionRange ldapNSSVersions;
+#else
+/*
+ * * TLS1.0 is defined in RFC2246.
+ * * Close to SSL 3.0.
+ * */
+#define NSS_TLS10 1
+#endif
/*
* Macro that determines how many SSL options we support. As of June, 2002
* NSS supports 14 options numbered 1-14 (see nss/ssl.h). We allow some
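Review bot: `enabledNSSVersions` and `ldapNSSVersions` on the two added `static` lines are file-scope mutable state, yet every connect routine in this patch fully recomputes both before reading them, so nothing needs them to outlive a call; making them locals in each routine removes a write from every thread that opens a connection (an unsynchronized write to a shared object is a data race, even if each writer stores the same values). The comment block under `#else` has doubled leaders (`* * TLS1.0 ...`); one `*` per line, `/* TLS1.0 is defined in RFC2246, close to SSL 3.0. */`, would match the comment at the `NSS_TLS11` branch. It would also help a reader to say what the 314 threshold means, e.g. `/* SSL_VersionRangeSet/GetSupported were introduced in NSS 3.14 */` above the `#if` — the value is taken from this hunk, the API history is stated from memory and should be confirmed against the NSS release notes.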
@@ -247,8 +261,20 @@
PRLDAPSocketInfo soi;
LDAPSSLSocketInfo *ssoip = NULL;
LDAPSSLSessionInfo *sseip;
PRFileDesc *sslfd = NULL;
+#if defined(NSS_TLS11)
+ SECStatus sslStatus = SECSuccess;
+ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
+ /* Get the range of the supported SSL version */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ if (s) {
+ ldapNSSVersions.min = enabledNSSVersions.min;
+ } else {
+ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
+ }
+ ldapNSSVersions.max = enabledNSSVersions.max;
+#endif
/*
* Determine if secure option is set. Also, clear secure bit in options
* the we pass to the standard connect() function (since it doesn't know
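Review bot: `SSL_VersionRangeGetSupported` on the line after the `/* Get the range ... */` comment returns a `SECStatus` that is discarded, so if it fails `enabledNSSVersions` keeps stale or zero contents and those are later handed to `SSL_VersionRangeSet`; the call should be checked like the `SSL_VersionRangeSet` call further down in this file. The same twelve lines are repeated in the hunks ending at L90 and L138, and the `SSL_VersionRangeSet` + `goto` pair is repeated in the hunks ending at L70, L109 and L157; a single static helper that computes the range and applies it to `sslfd` would leave one place to check and to document. The `getenv` test treats any value, including `0` or an empty string, as "allow"; the comment should say so and state what is being allowed, e.g. `/* LDAPSSL_ALLOW_OLD_SSL_VERSION, if present with any value, lowers the minimum protocol to whatever this NSS build still supports (which may be below TLS 1.1); unset, the floor is TLS 1.1. */`. Placing a statement in the middle of the declaration block may also trip C89-style builds of this file if declarations follow the `#endif`; the enclosing function begins and ends outside the hunk, so that cannot be confirmed here.
```c
/*
 * Decide the protocol range to request on sslfd and apply it.
 * LDAPSSL_ALLOW_OLD_SSL_VERSION, if present with any value, lowers the
 * floor to whatever this NSS build supports; otherwise the floor is TLS 1.1.
 * The ceiling is always the highest version NSS supports.
 */
static SECStatus
ldapssl_apply_version_range( PRFileDesc *sslfd )
{
    SSLVersionRange supported, wanted;

    if ( SSL_VersionRangeGetSupported( ssl_variant_stream, &supported )
            != SECSuccess ) {
        return SECFailure;
    }
    wanted.min = ( getenv( "LDAPSSL_ALLOW_OLD_SSL_VERSION" ) != NULL )
            ? supported.min : SSL_LIBRARY_VERSION_TLS_1_1;
    wanted.max = supported.max;
    return SSL_VersionRangeSet( sslfd, &wanted );
}
/* … at each call site, after SSL_ImportFD succeeds … */
    if ( ldapssl_apply_version_range( sslfd ) != SECSuccess ) {
        goto close_socket_and_exit_with_error;
    }
```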
@@ -305,9 +331,18 @@
if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
goto close_socket_and_exit_with_error;
}
+#if defined(NSS_TLS11)
+ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
+ if (sslStatus != SECSuccess) {
+ goto close_socket_and_exit_with_error;
+ }
+#endif
if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
+#if defined(NSS_TLS10)
+ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
+#endif
SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
!= SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
PR_FALSE ) != SECSuccess )) {
goto close_socket_and_exit_with_error;
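Review bot: `sslStatus` in the added `#if defined(NSS_TLS11)` block is assigned once and read once, so the temporary (and its declaration earlier in the function) adds nothing over testing the call directly, `if ( SSL_VersionRangeSet( sslfd, &ldapNSSVersions ) != SECSuccess ) {`, which is also how the surrounding `SSL_OptionSet` checks are written. The same applies to the blocks in the hunks ending at L109 and L157. The enclosing function starts before this hunk and the `close_socket_and_exit_with_error` label lies outside it.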
@@ -505,8 +540,20 @@
LBER_SOCKET intfd = -1;
int rc = LDAP_LOCAL_ERROR;
char *hostlist = NULL;
struct lextiof_socket_private *socketargp = NULL;
+#if defined(NSS_TLS11)
+ SECStatus sslStatus = SECSuccess;
+ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
+ /* Get the range of the supported SSL version */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ if (s) {
+ ldapNSSVersions.min = enabledNSSVersions.min;
+ } else {
+ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
+ }
+ ldapNSSVersions.max = enabledNSSVersions.max;
+#endif
/*
* Get hostlist from LDAP Handle
*/
@@ -570,10 +617,18 @@
rc = LDAP_LOCAL_ERROR;
goto close_socket_and_exit_with_error;
}
+#if defined(NSS_TLS11)
+ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
+ if (sslStatus != SECSuccess) {
+ goto close_socket_and_exit_with_error;
+ }
+#endif
if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
- SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) != SECSuccess ||
+#if defined(NSS_TLS10)
+ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) != SECSuccess ||
+#endif
SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure ) != SECSuccess ||
( secure && SSL_ResetHandshake( sslfd, PR_FALSE ) != SECSuccess ) ) {
rc = LDAP_LOCAL_ERROR;
goto close_socket_and_exit_with_error;
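Review bot: The new `goto close_socket_and_exit_with_error` on `SSL_VersionRangeSet` failure does not set `rc`, whereas the neighbouring error paths in this hunk (the `goto` just above the added block and the one after the `SSL_OptionSet` chain) each set `rc = LDAP_LOCAL_ERROR;` first; `rc` starts as `LDAP_LOCAL_ERROR` in the declaration hunk, but any assignment between there and here is outside this hunk, so to be safe the new path should be `rc = LDAP_LOCAL_ERROR;` followed by the `goto`. The enclosing function and the label are outside the hunk.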
@@ -1350,13 +1405,25 @@
PRLDAPSocketInfo soi;
LDAPSSLSocketInfo *ssoip = NULL;
LDAPSSLSessionInfo *sseip;
PRFileDesc *sslfd = NULL;
- LBER_SOCKET intfd = -1;
- char *hostlist;
- struct lextiof_socket_private *socketargp;
+ LBER_SOCKET intfd = -1;
+ char *hostlist;
+ struct lextiof_socket_private *socketargp;
+#if defined(NSS_TLS11)
+ SECStatus sslStatus = SECSuccess;
+ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
+ /* Get the range of the supported SSL version */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ if (s) {
+ ldapNSSVersions.min = enabledNSSVersions.min;
+ } else {
+ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
+ }
+ ldapNSSVersions.max = enabledNSSVersions.max;
+#endif
- /*
+ /*
* Get hostlist from LDAP Handle
*/
if ( ldap_get_option(ld, LDAP_OPT_HOST_NAME, &hostlist) < 0 ) {
return( -1 );
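Review bot: The `-`/`+` pairs for `intfd`, `hostlist`, `socketargp` and the `/*` that opens the hostlist comment differ only in leading whitespace; re-indenting untouched declarations inside a functional patch hides the real change and makes the hunk harder to re-apply, so those six lines should be left as they were (or moved to a separate whitespace-only change). The added `#if defined(NSS_TLS11)` block is the third copy of the range computation noted at the hunk ending at L52. The enclosing function begins before this hunk.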
@@ -1411,10 +1478,18 @@
if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
goto reset_socket_and_exit_with_error;
}
+#if defined(NSS_TLS11)
+ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
+ if (sslStatus != SECSuccess) {
+ goto reset_socket_and_exit_with_error;
+ }
+#endif
if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
- SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
+#if defined(NSS_TLS10)
+ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
+#endif
SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
!= SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
PR_FALSE ) != SECSuccess )) {
goto reset_socket_and_exit_with_error;