[389-commits] ldap/servers
Noriko Hosoi
nhosoi at fedoraproject.org
Wed Dec 4 19:11:58 UTC 2013
ldap/servers/slapd/ssl.c | 43 ++++++++++++++++++++++++++++++++++++-------
1 file changed, 36 insertions(+), 7 deletions(-)
New commits:
commit 5d60dab087712ac2a7d84613e49a0c110cdf8df1
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Wed Dec 4 10:41:53 2013 -0800
Ticket #605 - support TLS 1.1 - adding backward compatibility
Description: commit 88d4beccb9d9f7bb89f5e24c47828d7516ba7ca8 always
expected the NSS version supporting TLS 1.2. It broke the build on
a system whose NSS version only supports TLS 1.1 (and
older). This patch checks the NSS version and selects the supported
TLS versions in ssl.c based on that version info.
https://fedorahosted.org/389/ticket/605
Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 7b9bf2a..95bfa5c 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -80,9 +80,19 @@
#define MAXPATHLEN 1024
#endif
+#if NSS_VMAJOR * 100 + NSS_VMINOR >= 315
+#define NSS_TLS12 1
+#elif NSS_VMAJOR * 100 + NSS_VMINOR >= 314
+#define NSS_TLS11 1
+#else
+#define NSS_TLS10 1
+#endif
+
extern char* slapd_SSL3ciphers;
extern symbol_t supported_ciphers[];
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
static SSLVersionRange enabledNSSVersions;
+#endif
/* dongle_file_name is set in slapd_nss_init when we set the path for the
key, cert, and secmod files - the dongle file must be in the same directory
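Review bot: The version test `#if NSS_VMAJOR * 100 + NSS_VMINOR >= 315` silently selects the weakest configuration if `nss.h` has not been included above this point, because the preprocessor evaluates undefined identifiers as 0 and the chain then falls through to `NSS_TLS10`, compiling out the whole sslVersionMin/sslVersionMax path and leaving only the deprecated `SSL_OptionSet` code. Whether the include is already present earlier in ssl.c is not visible in this hunk, so the selection should fail loudly instead of guessing: `#if !defined(NSS_VMAJOR) || !defined(NSS_VMINOR)` / `#error "nss.h must be included before the NSS version check"` / `#endif` placed just before the chain. A short comment on the chain, e.g. `/* NSS 3.15 added TLS 1.2, 3.14 added TLS 1.1 and SSL_VersionRange* */`, would also explain the two magic thresholds.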
@@ -166,11 +176,12 @@ static cipherstruct _conf_ciphers[] = {
/*{"TLS","tls_dhe_dss_1024_des_sha", TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA}, */
{"TLS","tls_dhe_dss_1024_rc4_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
{"TLS","tls_dhe_dss_rc4_128_sha", TLS_DHE_DSS_WITH_RC4_128_SHA},
- /* New in NSS 3.14 */
+#if defined(NSS_TLS12)
+ /* New in NSS 3.15 */
{"TLS","tls_rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256},
{"TLS","tls_dhe_rsa_aes_128_gcm_sha", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
{"TLS","tls_dhe_dss_aes_128_gcm_sha", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256},
-
+#endif
{NULL, NULL, 0}
};
@@ -523,6 +534,7 @@ warn_if_no_key_file(const char *dir, int no_log)
return ret;
}
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
typedef struct _nss_version_list {
PRUint16 vnum;
char* vname;
@@ -533,7 +545,9 @@ NSSVersion_list _NSSVersion_list[] =
{SSL_LIBRARY_VERSION_3_0, "SSL3"},
{SSL_LIBRARY_VERSION_TLS_1_0, "TLS1.0"},
{SSL_LIBRARY_VERSION_TLS_1_1, "TLS1.1"},
+#if defined(NSS_TLS12)
{SSL_LIBRARY_VERSION_TLS_1_2, "TLS1.2"},
+#endif
{0, "unknown"}
};
@@ -637,6 +651,7 @@ restrict_SSLVersionRange(SSLVersionRange *sslversion, PRBool enableSSL3, PRBool
getNSSVersion_str(sslversion->max));
}
}
+#endif
/*
* slapd_nss_init() is always called from main(), even if we do not
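Review bot: The `#endif` added here closes an `#if !defined(NSS_TLS10)` that was opened roughly a hundred lines earlier (the hunk at -523), and the same pattern repeats for the `#endif`s added at the hunks at -669, -1135, -1169, -1191, -1557, -1574 and -1592, so a reader scanning any one of them cannot tell which conditional is ending. Name the condition on each: `#endif /* !NSS_TLS10 */` here, and `#endif /* NSS_TLS12 */` for the TLS 1.2-only spans. The enclosing function restrict_SSLVersionRange starts outside this hunk.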
@@ -662,6 +677,7 @@ slapd_nss_init(int init_ssl, int config_available)
char *certdb_file_name = NULL;
char *keydb_file_name = NULL;
char *secmoddb_file_name = NULL;
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
/* Get the range of the supported SSL version */
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
@@ -669,6 +685,7 @@ slapd_nss_init(int init_ssl, int config_available)
"supported range: min: %s, max: %s\n",
getNSSVersion_str(enabledNSSVersions.min),
getNSSVersion_str(enabledNSSVersions.max));
+#endif
/* set in slapd_bootstrap_config,
thus certdir is available even if config_available is false */
@@ -982,6 +999,7 @@ slapd_ssl_init() {
}
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
/*
* val: sslVersionMin/Max value set in cn=encription,cn=config (INPUT)
* rval: Corresponding value to set SSLVersionRange (OUTPUT)
@@ -1113,6 +1131,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
}
}
} else if (tlsv < 1.3) { /* TLS1.2 */
+#if defined(NSS_TLS12)
if (ismin) {
if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
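Review bot: Placing `#if defined(NSS_TLS12)` inside the `} else if (tlsv < 1.3) { /* TLS1.2 */` branch turns that branch into an empty block on an NSS 3.14 build, so a configured sslVersionMin or sslVersionMax of TLS1.2 matches it, does nothing, and never reaches the "newer than supported" warning in the following `else`; `*rval` keeps whatever the caller initialised it to and the administrator gets no indication that the requested version was not applied. Move the conditional one line up so the whole `else if` disappears with it: `#if defined(NSS_TLS12)` / `} else if (tlsv < 1.3) { /* TLS1.2 */` / `if (ismin) {`, with the matching `#endif` (added just before the `} else {` in the next hunk) left where it is, so that an unsupported TLS1.2 falls into the out-of-range warning like TLS1.3 does. set_NSS_version's body continues on both sides of this hunk.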
@@ -1135,17 +1154,18 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
}
}
- } else { /* TLS newer than 1.2 */
+#endif
+ } else { /* Specified TLS is newer than supported */
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is out of the range of the supported version; "
- "the default value \"%s\" is used.\n",
+ "the default value \"%s\" is used.\n",
val, getNSSVersion_str(enabledNSSVersions.min));
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is out of the range of the supported version; "
- "the default value \"%s\" is used.\n",
+ "the default value \"%s\" is used.\n",
val, getNSSVersion_str(enabledNSSVersions.min));
(*rval) = enabledNSSVersions.max;
}
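Review bot: In the sslVersionMax branch of the out-of-range warning the message reports `getNSSVersion_str(enabledNSSVersions.min)` as the default being used while the assignment on the next line sets `(*rval) = enabledNSSVersions.max`, so the log names a version that is not the one applied; the commit re-indents the format-string lines beside it but leaves the mismatch. Change the argument line in that branch to `val, getNSSVersion_str(enabledNSSVersions.max));`. The sslVersionMax branch of the "is invalid" warning in the next hunk (at -1153) has the same min/max mismatch and wants the same change. Both sides of this hunk lie inside set_NSS_version, which starts and ends outside it.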
@@ -1153,12 +1173,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
} else {
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
- "\"%s\" is invalid; the default value \"%s\" is used.\n",
+ "\"%s\" is invalid; the default value \"%s\" is used.\n",
val, getNSSVersion_str(enabledNSSVersions.min));
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
- "\"%s\" is invalid; the default value \"%s\" is used.\n",
+ "\"%s\" is invalid; the default value \"%s\" is used.\n",
val, getNSSVersion_str(enabledNSSVersions.min));
(*rval) = enabledNSSVersions.max;
}
@@ -1169,6 +1189,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
#undef SSLLEN
#undef TLSSTR
#undef TLSLEN
+#endif
int
slapd_ssl_init2(PRFileDesc **fd, int startTLS)
@@ -1191,8 +1212,10 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
PRBool enableSSL3 = PR_TRUE;
PRBool enableTLS1 = PR_TRUE;
PRBool fipsMode = PR_FALSE;
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
PRUint16 NSSVersionMin = enabledNSSVersions.min;
PRUint16 NSSVersionMax = enabledNSSVersions.max;
+#endif
/* turn off the PKCS11 pin interactive mode */
#ifndef _WIN32
@@ -1536,6 +1559,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
}
slapi_ch_free_string( &val );
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
val = slapi_entry_attr_get_charptr( e, "sslVersionMin" );
if ( val ) {
(void)set_NSS_version(val, &NSSVersionMin, 1);
@@ -1557,7 +1581,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
NSSVersionMin = enabledNSSVersions.min;
NSSVersionMax = enabledNSSVersions.max;
}
+#endif
}
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
if (NSSVersionMin > 0) {
/* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
SSLVersionRange myNSSVersions;
@@ -1574,6 +1600,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
getNSSVersion_str(myNSSVersions.max));
}
} else {
+#endif
/* deprecated code */
sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3);
if (sslStatus != SECSuccess) {
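Review bot: Closing the `#if !defined(NSS_TLS10)` between `} else {` and the body of the deprecated path, and reopening it around the closing brace in the hunk at -1592, makes the brace balance of slapd_ssl_init2 depend on the preprocessor state, which is easy to break on the next edit and hard to read. The same effect with balanced braces in both builds is to end the conditional before the block opens: `} else` / `#endif` / `{`, leaving the deprecated path as a plain block that closes with an unconditional `}` and dropping the `#if`/`#endif` pair added around that final brace. slapd_ssl_init2 starts and ends outside this hunk.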
@@ -1592,7 +1619,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
enableTLS1 ? "enable" : "disable",
errorCode, slapd_pr_strerror(errorCode));
}
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
}
+#endif
freeConfigEntry( &e );
if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {