diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch new file mode 100644 index 0000000..38d092a --- /dev/null +++ b/disableSSL2libssl.patch @@ -0,0 +1,123 @@ +diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk +--- a/lib/ssl/config.mk ++++ b/lib/ssl/config.mk +@@ -2,16 +2,20 @@ + # This Source Code Form is subject to the terms of the Mozilla Public + # License, v. 2.0. If a copy of the MPL was not distributed with this + # file, You can obtain one at http://mozilla.org/MPL/2.0/. + + ifdef NISCC_TEST + DEFINES += -DNISCC_TEST + endif + ++ifdef NSS_NO_SSL2 ++DEFINES += -DNSS_NO_SSL2 ++endif ++ + # Allow build-time configuration of TLS 1.3 (Experimental) + ifdef NSS_ENABLE_TLS_1_3 + DEFINES += -DNSS_ENABLE_TLS_1_3 + endif + + ifdef NSS_NO_PKCS11_BYPASS + DEFINES += -DNO_PKCS11_BYPASS + else +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -650,16 +650,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + if (ss->cipherSpecs) { + PORT_Free(ss->cipherSpecs); + ss->cipherSpecs = NULL; + ss->sizeCipherSpecs = 0; + } + break; + + case SSL_ENABLE_SSL2: ++#ifdef NSS_NO_SSL2 ++ if (on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } ++#else + if (IS_DTLS(ss)) { + if (on) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; /* not allowed */ + } + break; + } + ss->opt.enableSSL2 = on; +@@ -667,42 +673,50 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + ss->opt.v2CompatibleHello = on; + } + ss->preferredCipher = NULL; + if (ss->cipherSpecs) { + PORT_Free(ss->cipherSpecs); + ss->cipherSpecs = NULL; + ss->sizeCipherSpecs = 0; + } ++#endif /* NSS_NO_SSL2 */ + break; + + case SSL_NO_CACHE: + ss->opt.noCache = on; + break; + + case SSL_ENABLE_FDX: + if (on && ss->opt.noLocks) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; + } + ss->opt.fdx = on; + break; + + case SSL_V2_COMPATIBLE_HELLO: ++#ifdef NSS_NO_SSL2 ++ if (on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } ++#else + if (IS_DTLS(ss)) { + if (on) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; /* not allowed */ + } + break; + } + ss->opt.v2CompatibleHello = on; + if (!on) { + ss->opt.enableSSL2 = on; + } ++#endif /* NSS_NO_SSL2 */ + break; + + case SSL_ROLLBACK_DETECTION: + ss->opt.detectRollBack = on; + break; + + case SSL_NO_STEP_DOWN: + ss->opt.noStepDown = on; +@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt + + if (rv != SECSuccess) { + return rv; + } + + if (ssl_IsRemovedCipherSuite(which)) { + rv = SECSuccess; + } else if (SSL_IS_SSL2_CIPHER(which)) { ++#ifdef NSS_NO_SSL2 ++ rv = SSL_ERROR_SSL2_DISABLED; ++#else + rv = ssl2_SetPolicy(which, policy); ++#endif /* NSS_NO_SSL2 */ + } else { + rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); + } + return rv; + } + + SECStatus + SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) diff --git a/disableSSL2tests.patch b/disableSSL2tests.patch new file mode 100644 index 0000000..d0d9871 --- /dev/null +++ b/disableSSL2tests.patch @@ -0,0 +1,289 @@ +diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh +--- a/tests/ssl/ssl.sh ++++ b/tests/ssl/ssl.sh +@@ -57,18 +57,23 @@ ssl_init() + fi + + PORT=${PORT-8443} + NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} + nss_ssl_run="stapling cov auth stress" + NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} + + # Test case files +- SSLCOV=${QADIR}/ssl/sslcov.txt ++ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \ ++ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \ ++ || ${QADIR}/ssl/sslcov.txt + SSLAUTH=${QADIR}/ssl/sslauth.txt ++ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \ ++ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \ ++ || ${QADIR}/ssl/sslstress.txt + SSLSTRESS=${QADIR}/ssl/sslstress.txt + REQUEST_FILE=${QADIR}/ssl/sslreq.dat + + #temparary files + SERVEROUTFILE=${TMP}/tests_server.$$ + SERVERPID=${TMP}/tests_pid.$$ + + R_SERVERPID=../tests_pid.$$ +@@ -115,17 +120,21 @@ is_selfserv_alive() + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" ++ if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then ++ echo "No server to kill" ++ else + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" ++ fi + + echo "selfserv with PID ${PID} found at `date`" + } + + ########################### wait_for_selfserv ########################## + # local shell function to wait until selfserver is running and initialized + ######################################################################## + wait_for_selfserv() +@@ -138,17 +147,21 @@ wait_for_selfserv() + if [ $? -ne 0 ]; then + sleep 5 + echo "retrying to connect to selfserv at `date`" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" + echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" + ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} + if [ $? -ne 0 ]; then ++ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then ++ html_passed "Server never started" ++ else + html_failed "Waiting for Server" ++ fi + fi + fi + is_selfserv_alive + } + + ########################### kill_selfserv ############################## + # local shell function to kill the selfserver after the tests are done + ######################################################################## +@@ -273,16 +286,19 @@ ssl_cov() + exec < ${SSLCOV} + while read ectype testmax param testname + do + echo "${testname}" | grep "EXPORT" > /dev/null + EXP=$? + echo "${testname}" | grep "SSL2" > /dev/null + SSL2=$? + ++ # skip export and ssl2 tests when build has disabled SSL2 ++ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue ++ + if [ "${SSL2}" -eq 0 ] ; then + # We cannot use asynchronous cert verification with SSL2 + SSL2_FLAGS=-O + VMIN="ssl2" + else + # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by + # default in libssl but it is enabled by default in tstclnt; we want + # to test the libssl default whenever possible. +diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt +new file mode 100644 +--- /dev/null ++++ b/tests/ssl/sslcov.noSSL2orExport.txt +@@ -0,0 +1,134 @@ ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# This file enables test coverage of the various SSL ciphers ++# ++# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We ++# mix up the enable functions so we can tests boths paths. ++# ++# Enable Enable Cipher Test Name ++# EC TLS ++# ++# ++ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5 ++ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA ++ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA ++ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5 ++ noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA ++ noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA ++ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA ++ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA ++ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA ++ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA ++# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA ++# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ++# ++ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5 ++ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA ++ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA ++ noECC TLS10 i TLS_RSA_WITH_NULL_MD5 ++ noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA ++ noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA ++ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA ++ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA ++ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA ++ noECC TLS10 z TLS_RSA_WITH_NULL_SHA ++# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA ++# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ++# ++# ++ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5 ++ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA ++ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA ++ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5 ++ noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA ++ noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA ++ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA ++ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA ++ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA ++ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA ++# ++ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5 ++ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA ++ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA ++ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5 ++ noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA ++ noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA ++ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA ++ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA ++ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA ++ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA ++ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 ++ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 ++ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 ++ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 ++# ++# ECC ciphers (TLS) ++# ++ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA ++ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA ++ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ++ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ++ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA ++ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ++ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ++ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ++ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA ++ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA ++ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ++ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ++ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA ++ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA ++ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ++ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ++# ++ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA ++ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA ++ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA ++ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA ++ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA ++ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA ++ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ++ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ++ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA ++ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA ++ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA ++ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA ++ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA ++ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA ++ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA ++ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA ++# ++ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA ++ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA ++ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA ++ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA ++ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA ++ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA ++ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ++ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ++ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA ++ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA ++ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA ++ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA ++ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA ++ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA ++ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ++ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA ++ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA ++ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ++ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ++ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ++ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt +new file mode 100644 +--- /dev/null ++++ b/tests/ssl/sslstress.noSSL2orExport.txt +@@ -0,0 +1,53 @@ ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# This file defines the stress tests for SSL/TLS. ++# ++# expected ++# Enable return server client Test Case name ++# ECC value params params ++# ------- ------ ------ ------ --------------- ++ noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 ++ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 ++ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) ++ noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) ++ noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) ++ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) ++ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) ++ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) ++ ++# ++# add client auth versions here... ++# ++ noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) ++ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) ++ noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) ++ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) ++ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) ++ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) ++ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) ++ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) ++ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) ++ ++# ++# ############################ ECC ciphers ############################ ++# ++ ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) ++ ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) ++ ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse) ++ ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) ++ ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) ++ ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA ++ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 ++ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM ++ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) ++# ++# add client auth versions here... ++# ++ ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) ++ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth) ++ ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) ++ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) ++ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) ++ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth) diff --git a/nss.spec b/nss.spec index 8b08e40..1fdc26e 100644 --- a/nss.spec +++ b/nss.spec @@ -19,7 +19,7 @@ Summary: Network Security Services Name: nss Version: 3.17.4 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -92,6 +92,11 @@ Patch49: nss-skip-bltest-and-fipstest.patch Patch50: iquote.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900 Patch51: tls12.patch +# SSL2 support has been disabled downstream in RHEL since RHEL-7.0 +Patch52: disableSSL2libssl.patch +Patch53: disableSSL2tests.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367 +Patch92: scripts-syntax-errors.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -180,6 +185,9 @@ low level services. %patch50 -p0 -b .iquote pushd nss %patch51 -p1 -b .994599 +%patch52 -p1 -b .disableSSL2libssl +%patch53 -p1 -b .disableSSL2tests +%patch92 -p1 -b .syntax popd ######################################################### @@ -211,6 +219,8 @@ done %build +export NSS_NO_SSL2=1 + NSS_NO_PKCS11_BYPASS=1 export NSS_NO_PKCS11_BYPASS @@ -358,6 +368,10 @@ if [ ${DISABLETEST:-0} -eq 1 ]; then fi # Begin -- copied from the build section + +# inform the ssl test scripts that SSL2 is disabled +export NSS_NO_SSL2=1 + FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND @@ -781,6 +795,11 @@ fi %changelog +* Mon Feb 09 2015 Elio Maldonado - 3.17.4-2 +- Disable SSL2 support at build time +- Fix syntax errors in various shell scripts +- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites + * Wed Jan 28 2015 Elio Maldonado - 3.17.4-1 - Update to nss-3.17.4 diff --git a/scripts-syntax-errors.patch b/scripts-syntax-errors.patch new file mode 100644 index 0000000..aeff0ab --- /dev/null +++ b/scripts-syntax-errors.patch @@ -0,0 +1,87 @@ +diff --git a/tests/all.sh b/tests/all.sh +--- a/tests/all.sh ++++ b/tests/all.sh +@@ -296,17 +296,17 @@ fi + + # NOTE: + # Since in make at the top level, modutil is the last file + # created, we check for modutil to know whether the build + # is complete. If a new file is created after that, the + # following test for modutil should check for that instead. + # Exception: when building softoken only, shlibsign is the + # last file created. +-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then ++if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then + LAST_FILE_BUILT=shlibsign + else + LAST_FILE_BUILT=modutil + fi + + if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then + echo "Build Incomplete. Aborting test." >> ${LOGFILE} + html_head "Testing Initialization" +diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh +--- a/tests/cipher/cipher.sh ++++ b/tests/cipher/cipher.sh +@@ -119,17 +119,17 @@ cipher_cleanup() + } + + ################## main ################################################# + + # When building without softoken, bltest isn't built. It was already + # built and the cipher suite run as part of an nss-softoken build. + if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then + echo "bltest not built, skipping this test." >> ${LOGFILE} +- res = 0 ++ res=0 + html_msg $res $EXP_RET "$TESTNAME" + return 0 + fi + cipher_init + # Skip cipher_main if this an NSS without softoken build. + if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then + cipher_main + fi +diff --git a/tests/common/init.sh b/tests/common/init.sh +--- a/tests/common/init.sh ++++ b/tests/common/init.sh +@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + { + + html "" + html "" + echo "$SCRIPTNAME: $* ===============================" + } + html_msg() + { +- if [ "$1" -ne "$2" ] ; then ++ if [ $1 -ne $2 ] ; then + html_failed "$3" "$4" + else + html_passed "$3" "$4" + fi + } + HTML_FAILED='' + HTML_FAILED_CORE='' + HTML_PASSED='' +diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh +--- a/tests/dbtests/dbtests.sh ++++ b/tests/dbtests/dbtests.sh +@@ -170,7 +170,7 @@ dbtest_main() + + # skipping the next two tests when user is root, + # otherwise they would fail due to rooty powers +- if [ $UID -ne 0 ] then ++ if [[ $EUID -ne 0 ]]; then + ${BINDIR}/dbtest -d $RONLY_DIR + ret=$? + if [ $ret -ne 46 ]; then +@@ -181,7 +181,7 @@ dbtest_main() + else + html_passed "Skipping Dbtest r/w in a readonly dir because user is root" + fi +- if [ $UID -ne 0 ] then ++ if [[ $EUID -ne 0 ]]; then + ${BINDIR}/certutil -D -n "TestUser" -d . + ret=$? + if [ $ret -ne 255 ]; then
$*
Test CaseResult
Failed
Failed Core
Passed