Changes of Revision 6
support-tls1.1-and-later.patch
Added
@@ -0,0 +1,165 @@
+--- mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c.orig 2006-10-10 06:37:35.000000000 -0700
++++ mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c 2014-11-03 14:18:59.908337004 -0800
+@@ -59,8 +59,9 @@
+ #endif /* OSF1V4D */
+
+ #include <errno.h>
+ #include <nspr.h>
++#include <nss.h>
+ #include <cert.h>
+ #include <key.h>
+ #include <ssl.h>
+ #include <sslproto.h>
+@@ -70,8 +71,21 @@
+ #include <ldap.h>
+ #include <ldap_ssl.h>
+ #include <ldappr.h>
+ #include <pk11func.h>
++
++#if NSS_VMAJOR * 100 + NSS_VMINOR >= 314
++/* TLS1.1 is defined in RFC4346. */
++#define NSS_TLS11 1
++static SSLVersionRange enabledNSSVersions;
++static SSLVersionRange ldapNSSVersions;
++#else
++/*
++ * * TLS1.0 is defined in RFC2246.
++ * * Close to SSL 3.0.
++ * */
++#define NSS_TLS10 1
++#endif
+
+ /*
+ * Macro that determines how many SSL options we support. As of June, 2002
+ * NSS supports 14 options numbered 1-14 (see nss/ssl.h). We allow some
+@@ -247,8 +261,20 @@
+ PRLDAPSocketInfo soi;
+ LDAPSSLSocketInfo *ssoip = NULL;
+ LDAPSSLSessionInfo *sseip;
+ PRFileDesc *sslfd = NULL;
++#if defined(NSS_TLS11)
++ SECStatus sslStatus = SECSuccess;
++ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
++ /* Get the range of the supported SSL version */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ if (s) {
++ ldapNSSVersions.min = enabledNSSVersions.min;
++ } else {
++ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++ }
++ ldapNSSVersions.max = enabledNSSVersions.max;
++#endif
+
+ /*
+ * Determine if secure option is set. Also, clear secure bit in options
+ * the we pass to the standard connect() function (since it doesn't know
+@@ -305,9 +331,18 @@
+ if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
+ goto close_socket_and_exit_with_error;
+ }
+
++#if defined(NSS_TLS11)
++ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
++ if (sslStatus != SECSuccess) {
++ goto close_socket_and_exit_with_error;
++ }
++#endif
+ if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
++#if defined(NSS_TLS10)
++ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
++#endif
+ SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
+ != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
+ PR_FALSE ) != SECSuccess )) {
+ goto close_socket_and_exit_with_error;
+@@ -505,8 +540,20 @@
+ LBER_SOCKET intfd = -1;
+ int rc = LDAP_LOCAL_ERROR;
+ char *hostlist = NULL;
+ struct lextiof_socket_private *socketargp = NULL;
++#if defined(NSS_TLS11)
++ SECStatus sslStatus = SECSuccess;
++ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
++ /* Get the range of the supported SSL version */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ if (s) {
++ ldapNSSVersions.min = enabledNSSVersions.min;
++ } else {
++ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++ }
++ ldapNSSVersions.max = enabledNSSVersions.max;
++#endif
+
+ /*
+ * Get hostlist from LDAP Handle
+ */
+@@ -570,10 +617,18 @@
+ rc = LDAP_LOCAL_ERROR;
+ goto close_socket_and_exit_with_error;
+ }
+
++#if defined(NSS_TLS11)
++ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
++ if (sslStatus != SECSuccess) {
++ goto close_socket_and_exit_with_error;
++ }
++#endif
+ if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
+- SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) != SECSuccess ||
++#if defined(NSS_TLS10)
++ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) != SECSuccess ||
++#endif
+ SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure ) != SECSuccess ||
+ ( secure && SSL_ResetHandshake( sslfd, PR_FALSE ) != SECSuccess ) ) {
+ rc = LDAP_LOCAL_ERROR;
+ goto close_socket_and_exit_with_error;
+@@ -1350,13 +1405,25 @@
+ PRLDAPSocketInfo soi;
+ LDAPSSLSocketInfo *ssoip = NULL;
+ LDAPSSLSessionInfo *sseip;
+ PRFileDesc *sslfd = NULL;
+- LBER_SOCKET intfd = -1;
+- char *hostlist;
+- struct lextiof_socket_private *socketargp;
++ LBER_SOCKET intfd = -1;
++ char *hostlist;
++ struct lextiof_socket_private *socketargp;
++#if defined(NSS_TLS11)
++ SECStatus sslStatus = SECSuccess;
++ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
++ /* Get the range of the supported SSL version */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ if (s) {
++ ldapNSSVersions.min = enabledNSSVersions.min;
++ } else {
++ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++ }
++ ldapNSSVersions.max = enabledNSSVersions.max;
++#endif
+
+- /*
++ /*
+ * Get hostlist from LDAP Handle
+ */
+ if ( ldap_get_option(ld, LDAP_OPT_HOST_NAME, &hostlist) < 0 ) {
+ return( -1 );
+@@ -1411,10 +1478,18 @@
+ if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
+ goto reset_socket_and_exit_with_error;
+ }
+
++#if defined(NSS_TLS11)
++ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
++ if (sslStatus != SECSuccess) {
++ goto reset_socket_and_exit_with_error;
++ }
++#endif
+ if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
+- SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
++#if defined(NSS_TLS10)
++ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
++#endif
+ SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
+ != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
+ PR_FALSE ) != SECSuccess )) {
+ goto reset_socket_and_exit_with_error;
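Review bot: The `LDAPSSL_ALLOW_OLD_SSL_VERSION` check repeated in all three connect paths (`if (s) {`) tests only whether the variable is set, so an empty value or `0` still lowers the floor from TLS 1.1 to whatever minimum `SSL_VersionRangeGetSupported` reports, which depending on the NSS build may include SSL 3.0. Because this is library code, every process that links it inherits the override from its environment; I would require an explicit value, e.g. `if (s && strcmp(s, "1") == 0) {`, and document the variable in a comment next to `#define NSS_TLS11 1`. The return value of `SSL_VersionRangeGetSupported` is ignored, and `enabledNSSVersions` / `ldapNSSVersions` are file-scope statics rewritten on every connect, so concurrent connects would share them; declaring both as locals in each function avoids that. In the `@@ -570,10 +617,18 @@` hunk the new `SSL_VersionRangeSet` failure branch jumps to `close_socket_and_exit_with_error` without `rc = LDAP_LOCAL_ERROR;`, unlike the neighbouring error paths. Whether `rc` still holds its initial value at that point is not visible, since the enclosing functions start and end outside these hunks.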