X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls_m.c;h=9dfa2f00bd268372c32299fe224e4f9b7b9863dc;hb=a23fc2fd947fa86b240732d5421e82528e42509e;hp=36dc989ef0c42fd84f226a6194e8ec2b10a5ccae;hpb=752fdfd4455fb0c3784a10f69b16f64c65df78cb;p=openldap
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 36dc989ef0..9dfa2f00bd 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 2008-2013 The OpenLDAP Foundation.
+ * Copyright 2008-2015 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -1641,6 +1641,8 @@ tlsm_deferred_init( void *arg )
 NSSInitContext *initctx = NULL;
 PK11SlotInfo *certdb_slot = NULL;
 #endif
+ SSLVersionRange range;
+ SSLProtocolVariant variant;
 SECStatus rc;
 int done = 0;
@@ -1825,6 +1827,16 @@ tlsm_deferred_init( void *arg ) ctx->tc_using_pem = PR_TRUE; } + /* + * Set the SSL version range. MozNSS SSL versions are the same as openldap's: + * + * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_* + */ + SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */ + range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min; + variant = ssl_variant_stream; + SSL_VersionRangeSetDefault(variant, &range); + NSS_SetDomesticPolicy(); PK11_SetPasswordFunc( tlsm_pin_prompt );
@@ -2066,8 +2078,10 @@ tlsm_ctx_free ( tls_ctx *ctx )
 errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
 }
 }
- PL_strfree( c->tc_pin_file );
- c->tc_pin_file = NULL;
+ if ( c->tc_pin_file ) {
+ PL_strfree( c->tc_pin_file );
+ c->tc_pin_file = NULL;
+ }
 tlsm_free_pem_objs( c );
 #ifdef HAVE_NSS_INITCONTEXT
 if ( c->tc_initctx ) {
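Review bot: Both NSS calls in the new version-range block of tlsm_deferred_init (hunk at -1825) discard their SECStatus result, so a configured minimum protocol can silently fail to take effect. If `SSL_VersionRangeGetSupported` fails, `range` is read uninitialized; if `SSL_VersionRangeSetDefault` rejects the range (for example an `lt_protocol_min` outside what the library supports), the library default stays in force and sessions may negotiate below the administrator's floor. Test both results, e.g. `if ( SSL_VersionRangeSetDefault(variant, &range) != SECSuccess )`, and fail initialization through the function's existing error path, which lies outside this hunk. As far as the NSS API goes this call sets a library-wide default, so one context's `lt_protocol_min` would also apply to every NSS socket created afterwards; a comment saying so would help the next maintainer.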
@@ -2317,7 +2331,8 @@ tlsm_deferred_ctx_init( void *arg )
 return rc;
 }
 } else {
- PL_strfree( ctx->tc_pin_file );
+ if ( ctx->tc_pin_file )
+ PL_strfree( ctx->tc_pin_file );
 ctx->tc_pin_file = PL_strdup( lt->lt_keyfile );
 }
 }
@@ -2847,7 +2862,11 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
 return 0;
 }
-/* Yet again, we're pasting in glue that MozNSS ought to provide itself. */
+/*
+ * Yet again, we're pasting in glue that MozNSS ought to provide itself.
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
 static struct {
 const char *name;
 int num;
@@ -2856,6 +2875,8 @@ static struct {
 { "SSLv3", SSL_LIBRARY_VERSION_3_0 },
 { "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
 { "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
+ { "TLSv1.2", SSL_LIBRARY_VERSION_TLS_1_2 },
+ { "TLSv1.3", SSL_LIBRARY_VERSION_TLS_1_3 },
 { NULL, 0 }
 };
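Review bot: The new guard in tlsm_deferred_ctx_init (hunk at -2317) is an unbraced `if` sitting directly above the unconditional `ctx->tc_pin_file = PL_strdup( lt->lt_keyfile );`, while the same guard added to tlsm_ctx_free in this commit is braced. Writing it as `if ( ctx->tc_pin_file ) { PL_strfree( ctx->tc_pin_file ); }` keeps the two sites consistent and prevents a later edit from pulling the assignment under the condition by accident. The result of `PL_strdup` is also stored unchecked; whether a NULL pin-file path is handled later cannot be seen here, since the enclosing function starts and ends outside the hunk.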
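Review bot: The two entries added to the protocol-name table (hunk at -2856) reference `SSL_LIBRARY_VERSION_TLS_1_2` and `SSL_LIBRARY_VERSION_TLS_1_3` unconditionally, so a build against NSS headers that predate either macro will fail to compile. Guard each entry, e.g. `#ifdef SSL_LIBRARY_VERSION_TLS_1_3` before the `{ "TLSv1.3", ... },` line and `#endif` after it, and likewise for TLS 1.2. The table's declaration and the code that consumes it are outside this hunk, so how an unlisted version is reported cannot be confirmed from here.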