From 82653be6b2f5ba30079543caf889120a0b3e54b5 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Wed, 30 Sep 2015 11:34:48 -0700 Subject: [PATCH] Enable ECC cipher-suites by default [hrbz#1185708] - Split the enabling patch in two for easier maintenance - Remove unused patches rendered obsolete by prior rebase --- nss.spec | 12 ++- ...8-enable-ecc-3des-ciphers-by-default.patch | 14 +++ ...185708-enable-ecc-ciphers-by-default.patch | 10 +-- scripts-syntax-errors.patch | 87 ------------------- tls12.patch | 36 -------- 5 files changed, 27 insertions(+), 132 deletions(-) create mode 100644 rhbz1185708-enable-ecc-3des-ciphers-by-default.patch delete mode 100644 scripts-syntax-errors.patch delete mode 100644 tls12.patch diff --git a/nss.spec b/nss.spec index 6b7fd9f..947372d 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.20.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 5%{?dist} +Release: 6%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -96,8 +96,10 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429 # See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50 Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch -# TODO: File a bug usptream +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688 Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch +# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers +Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -190,6 +192,7 @@ popd pushd nss %patch57 -p1 -b .1185708 popd +%patch58 -p0 -b .1185708_3des ######################################################### # Higher-level libraries and test tools need access to 
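Review bot: In the `@@ -190,6 +192,7 @@` hunk of nss.spec, `%patch58 -p0 -b .1185708_3des` depends on patch57 having been applied first, and nothing in the spec says so. The context lines of the new 3DES patch are the ECDHE AES entries already set to `PR_TRUE`, which is the state patch57 produces. The two patches are also applied differently: patch57 uses `-p1` inside `pushd nss`, while patch58 uses `-p0` from the top-level directory because its paths start at `./nss/`. I would add a comment above the new line, such as `# patch58 must follow patch57 (its context is the post-patch57 cipherSuites table); -p0 because its paths begin with ./nss/`, so a later reorder or rebase does not fail or apply with fuzz.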
@@ -803,6 +806,11 @@ fi %changelog +* Wed Sep 30 2015 Elio Maldonado - 3.20.0-6 +- Enable ECC cipher-suites by default [hrbz#1185708] +- Split the enabling patch in two for easier maintenance +- Remove unused patches rendered obsolete by prior rebase + * Wed Sep 16 2015 Elio Maldonado - 3.20.0-5 - Enable ECC cipher-suites by default [hrbz#1185708] - Implement corrections requested in code review diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch new file mode 100644 index 0000000..69ad4db --- /dev/null +++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch @@ -0,0 +1,14 @@ +diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c +--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2015-09-29 16:24:18.717593591 -0700 ++++ ./nss/lib/ssl/ssl3con.c 2015-09-29 16:25:22.672879926 -0700 +@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + #endif /* NSS_DISABLE_ECC */ diff --git a/rhbz1185708-enable-ecc-ciphers-by-default.patch b/rhbz1185708-enable-ecc-ciphers-by-default.patch index aaa524d..80cf4a2 100644 --- a/rhbz1185708-enable-ecc-ciphers-by-default.patch +++ b/rhbz1185708-enable-ecc-ciphers-by-default.patch @@ -1,7 +1,7 @@ diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c --- a/lib/ssl/ssl3con.c 
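Review bot: The new rhbz1185708-enable-ecc-3des-ciphers-by-default.patch flips the enabled-by-default flag to `PR_TRUE` for `TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA` and `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`, but neither the spec comment (`# Local patch for ...`) nor the commit message says why the package should diverge from the library default for these two suites. 3DES has a 64-bit block, so long-lived CBC sessions reach the birthday bound far sooner than the AES suites enabled next to it. The table being patched also carries the upstream warning "See bug 946147 before enabling, reordering, or adding any cipher suites to this list". I would either leave both entries at `PR_FALSE` or record the justification in the spec, for example `# Local patch: enable ECDHE 3DES suites by default for <compatibility reason / bug placeholder>; drop once no longer required`. The entries stay below the AES suites in the table, which presumably keeps them lower in preference, but that should be confirmed rather than assumed.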
+++ b/lib/ssl/ssl3con.c -@@ -85,29 +85,29 @@ static SECStatus ssl3_AESGCMBypass(ssl3K +@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K * * Important: See bug 946147 before enabling, reordering, or adding any cipher * suites to this list. @@ -23,21 +23,17 @@ diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_DISABLE_ECC */ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 
diff --git a/scripts-syntax-errors.patch b/scripts-syntax-errors.patch
deleted file mode 100644
index 28cfc4a..0000000
--- a/scripts-syntax-errors.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -diff --git a/tests/all.sh b/tests/all.sh ---- a/tests/all.sh -+++ b/tests/all.sh -@@ -296,17 +296,17 @@ fi - - # NOTE: - # Since in make at the top level, modutil is the last file - # created, we check for modutil to know whether the build - # is complete. If a new file is created after that, the - # following test for modutil should check for that instead. - # Exception: when building softoken only, shlibsign is the - # last file created. --if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then -+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then - LAST_FILE_BUILT=shlibsign - else - LAST_FILE_BUILT=modutil - fi - - if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then - echo "Build Incomplete. Aborting test." >> ${LOGFILE} - html_head "Testing Initialization" -diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh ---- a/tests/cipher/cipher.sh -+++ b/tests/cipher/cipher.sh -@@ -119,17 +119,17 @@ cipher_cleanup() - } - - ################## main ################################################# - - # When building without softoken, bltest isn't built. It was already - # built and the cipher suite run as part of an nss-softoken build. - if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then - echo "bltest not built, skipping this test." >> ${LOGFILE} -- res = 0 -+ res=0 - html_msg $res $EXP_RET "$TESTNAME" - return 0 - fi - cipher_init - # Skip cipher_main if this an NSS without softoken build. 
- if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then - cipher_main - fi -diff --git a/tests/common/init.sh b/tests/common/init.sh ---- a/tests/common/init.sh -+++ b/tests/common/init.sh -@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU - { - - html "" - html "" - echo "$SCRIPTNAME: $* ===============================" - } - html_msg() - { -- if [ "$1" -ne "$2" ] ; then -+ if [ $1 -ne $2 ] ; then - html_failed "$3" "$4" - else - html_passed "$3" "$4" - fi - } - HTML_FAILED='' - HTML_FAILED_CORE='' - HTML_PASSED='' -diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh ---- a/tests/dbtests/dbtests.sh -+++ b/tests/dbtests/dbtests.sh -@@ -170,7 +170,7 @@ dbtest_main() - - # skipping the next two tests when user is root, - # otherwise they would fail due to rooty powers -- if [ $UID -ne 0 ] then -+ if [[ $EUID -ne 0 ]]; then - ${BINDIR}/dbtest -d $RONLY_DIR - ret=$? - if [ $ret -ne 46 ]; then -@@ -181,7 +181,7 @@ dbtest_main() - else - html_passed "Skipping Dbtest r/w in a readonly dir because user is root" - fi -- if [ $UID -ne 0 ] then -+ if [[ $EUID -ne 0 ]]; then - ${BINDIR}/certutil -D -n "TestUser" -d . - ret=$? - if [ $ret -ne 255 ]; then diff --git a/tls12.patch b/tls12.patch deleted file mode 100644 index 0293383..0000000 --- a/tls12.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -# HG changeset patch -# User Martin Thomson -# Date 1413479112 25200 -# Thu Oct 16 10:05:12 2014 -0700 -# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d -# Parent 24852c6f89ea7ed2b8f231320d9a0a03bdd706d4 -Bug 1083900 - Updating default maximum version to 1.2 - -diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ---- a/lib/ssl/sslsock.c -+++ b/lib/ssl/sslsock.c -@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = { - PR_FALSE /* enableFallbackSCSV */ - }; - - /* - * default range of enabled SSL/TLS protocols - */ - static SSLVersionRange versions_defaults_stream = { - SSL_LIBRARY_VERSION_3_0, -- SSL_LIBRARY_VERSION_TLS_1_0 -+ SSL_LIBRARY_VERSION_TLS_1_2 - }; - - static SSLVersionRange versions_defaults_datagram = { - SSL_LIBRARY_VERSION_TLS_1_1, -- SSL_LIBRARY_VERSION_TLS_1_1 -+ SSL_LIBRARY_VERSION_TLS_1_2 - }; - - #define VERSIONS_DEFAULTS(variant) \ - (variant == ssl_variant_stream ? &versions_defaults_stream : \ - &versions_defaults_datagram) - - sslSessionIDLookupFunc ssl_sid_lookup; - sslSessionIDCacheFunc ssl_sid_cache;
$*
Test CaseResult
Failed
Failed Core
Passed