Remove unused patches
parent
dc759e0041
commit
90ab17ff72
|
@ -1,75 +0,0 @@
|
|||
diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
|
||||
--- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700
|
||||
+++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800
|
||||
@@ -7,6 +7,10 @@ ifdef NISCC_TEST
|
||||
DEFINES += -DNISCC_TEST
|
||||
endif
|
||||
|
||||
+ifdef NSS_NO_SSL2
|
||||
+DEFINES += -DNSS_NO_SSL2
|
||||
+endif
|
||||
+
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
|
||||
--- ./nss/lib/ssl/sslsock.c.disableSSL2 2013-11-05 16:09:47.419727310 -0800
|
||||
+++ ./nss/lib/ssl/sslsock.c 2013-11-05 16:09:47.461727980 -0800
|
||||
@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL2:
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+ break;
|
||||
+ ss->opt.enableSSL2 = on;
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
if (on) {
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
}
|
||||
+#endif
|
||||
ss->preferredCipher = NULL;
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_V2_COMPATIBLE_HELLO:
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ break;
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
}
|
||||
break;
|
||||
}
|
||||
+#endif
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
if (!on) {
|
||||
ss->opt.enableSSL2 = on;
|
||||
@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
|
||||
if (ssl_IsRemovedCipherSuite(which)) {
|
||||
rv = SECSuccess;
|
||||
} else if (SSL_IS_SSL2_CIPHER(which)) {
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+#else
|
||||
rv = ssl2_SetPolicy(which, policy);
|
||||
+#endif
|
||||
} else {
|
||||
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
|
||||
--- ./nss/tests/ssl/ssl.sh.disableSSL2 2013-09-25 06:57:55.000000000 -0700
|
||||
+++ ./nss/tests/ssl/ssl.sh 2013-11-03 16:43:48.905914207 -0800
|
||||
@@ -278,6 +278,9 @@ ssl_cov()
|
||||
echo "${testname}" | grep "SSL2" > /dev/null
|
||||
SSL2=$?
|
||||
|
||||
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||
+ if [ "${NSS_NO_SSL2}" = 1 ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
|
||||
+
|
||||
if [ "${SSL2}" -eq 0 ] ; then
|
||||
# We cannot use asynchronous cert verification with SSL2
|
||||
SSL2_FLAGS=-O
|
|
@ -1,21 +0,0 @@
|
|||
diff -up ./tests/all.sh.lastbuild ./tests/all.sh
|
||||
--- ./tests/all.sh.lastbuild 2014-06-17 15:34:41.624628370 -0700
|
||||
+++ ./tests/all.sh 2014-06-17 15:38:49.692101477 -0700
|
||||
@@ -299,9 +299,15 @@ fi
|
||||
# created, we check for modutil to know whether the build
|
||||
# is complete. If a new file is created after that, the
|
||||
# following test for modutil should check for that instead.
|
||||
+# Exception: when building softoken only, shlibsign is the
|
||||
+# last file created.
|
||||
+if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
|
||||
+ LAST_FILE_BUILT=shlibsign
|
||||
+else
|
||||
+ LAST_FILE_BUILT=modutil
|
||||
+fi
|
||||
|
||||
-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
|
||||
- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
|
||||
+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
|
||||
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
|
||||
html_head "Testing Initialization"
|
||||
Exit "Checking for build"
|
|
@ -1,123 +0,0 @@
|
|||
diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h
|
||||
--- ./nss/lib/certdb/certi.h.1034409 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ ./nss/lib/certdb/certi.h 2014-02-20 08:46:10.345136599 -0800
|
||||
@@ -116,11 +116,16 @@ struct CRLDPCacheStr {
|
||||
#else
|
||||
PRLock* lock;
|
||||
#endif
|
||||
- CERTCertificate* issuer; /* issuer cert
|
||||
- XXX there may be multiple issuer certs,
|
||||
- with different validity dates. Also
|
||||
- need to deal with SKID/AKID . See
|
||||
- bugzilla 217387, 233118 */
|
||||
+ SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference
|
||||
+ to the actual cert so the trust can be
|
||||
+ updated on the cert automatically.
|
||||
+ XXX there may be multiple issuer certs,
|
||||
+ with different validity dates. Also
|
||||
+ need to deal with SKID/AKID . See
|
||||
+ bugzilla 217387, 233118 */
|
||||
+
|
||||
+ CERTCertDBHandle *dbHandle;
|
||||
+
|
||||
SECItem* subject; /* DER of issuer subject */
|
||||
SECItem* distributionPoint; /* DER of distribution point. This may be
|
||||
NULL when distribution points aren't
|
||||
@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr {
|
||||
NSSRWLock* lock;
|
||||
CRLDPCache** dps;
|
||||
PLHashTable* distributionpoints;
|
||||
- CERTCertificate* issuer;
|
||||
+ CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */
|
||||
#endif
|
||||
};
|
||||
|
||||
diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c
|
||||
--- ./nss/lib/certdb/crl.c.1034409 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ ./nss/lib/certdb/crl.c 2014-02-20 08:49:30.835466687 -0800
|
||||
@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa
|
||||
PORT_Free(cache->crls);
|
||||
}
|
||||
/* destroy the cert */
|
||||
- if (cache->issuer)
|
||||
+ if (cache->issuerDERCert)
|
||||
{
|
||||
- CERT_DestroyCertificate(cache->issuer);
|
||||
+ SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
|
||||
}
|
||||
/* free the subject */
|
||||
if (cache->subject)
|
||||
@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
|
||||
else
|
||||
{
|
||||
SECStatus signstatus = SECFailure;
|
||||
- if (cache->issuer)
|
||||
+ if (cache->issuerDERCert)
|
||||
{
|
||||
- signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
|
||||
+ CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
|
||||
+ cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
|
||||
+
|
||||
+ if (issuer) {
|
||||
+ signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
|
||||
wincx);
|
||||
+ CERT_DestroyCertificate(issuer);
|
||||
+ }
|
||||
}
|
||||
if (SECSuccess != signstatus)
|
||||
{
|
||||
- if (!cache->issuer)
|
||||
+ if (!cache->issuerDERCert)
|
||||
{
|
||||
/* we tried to verify without an issuer cert . This is
|
||||
because this CRL came through a call to SEC_FindCrlByName.
|
||||
@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
|
||||
}
|
||||
|
||||
/* add issuer certificate if it was previously unavailable */
|
||||
- if (issuer && (NULL == cache->issuer) &&
|
||||
+ if (issuer && (NULL == cache->issuerDERCert) &&
|
||||
(SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
|
||||
{
|
||||
/* if we didn't have a valid issuer cert yet, but we do now. add it */
|
||||
DPCache_LockWrite();
|
||||
- if (!cache->issuer)
|
||||
+ if (!cache->issuerDERCert)
|
||||
{
|
||||
dirty = PR_TRUE;
|
||||
- cache->issuer = CERT_DupCertificate(issuer);
|
||||
+ cache->dbHandle = issuer->dbhandle;
|
||||
+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
|
||||
}
|
||||
DPCache_UnlockWrite();
|
||||
}
|
||||
@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
|
||||
SEC_FindCrlByName, or through manual insertion, rather than through a
|
||||
certificate verification (CERT_CheckCRL) */
|
||||
|
||||
- if (cache->issuer && vfdate )
|
||||
+ if (cache->issuerDERCert && vfdate )
|
||||
{
|
||||
mustunlock = PR_FALSE;
|
||||
/* re-process all unverified CRLs */
|
||||
@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
|
||||
}
|
||||
if (issuer)
|
||||
{
|
||||
- cache->issuer = CERT_DupCertificate(issuer);
|
||||
+ cache->dbHandle = issuer->dbhandle;
|
||||
+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
|
||||
}
|
||||
cache->distributionPoint = SECITEM_DupItem(dp);
|
||||
cache->subject = SECITEM_DupItem(subject);
|
||||
diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh
|
||||
--- ./nss/tests/chains/chains.sh.1034409 2014-02-20 08:16:34.867686934 -0800
|
||||
+++ ./nss/tests/chains/chains.sh 2014-02-20 08:34:35.149603340 -0800
|
||||
@@ -974,6 +974,7 @@ check_ocsp()
|
||||
OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
|
||||
OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
|
||||
|
||||
+ echo "Cert = ${CERT_NICK}.cert"
|
||||
echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
|
||||
tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
|
||||
return $?
|
|
@ -1,78 +0,0 @@
|
|||
diff -up nss/lib/pk11wrap/pk11pars.c.fips nss/lib/pk11wrap/pk11pars.c
|
||||
--- nss/lib/pk11wrap/pk11pars.c.fips 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/lib/pk11wrap/pk11pars.c 2013-07-10 18:54:16.733465910 -0700
|
||||
@@ -150,6 +150,10 @@ SECMOD_CreateModule(const char *library,
|
||||
}
|
||||
mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc);
|
||||
mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
|
||||
+ /* if the system FIPS mode is enabled, force FIPS to be on */
|
||||
+ if (SECMOD_GetSystemFIPSEnabled()) {
|
||||
+ mod->isFIPS = PR_TRUE;
|
||||
+ }
|
||||
mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
|
||||
slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc);
|
||||
mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
|
||||
diff -up nss/lib/pk11wrap/pk11util.c.fips nss/lib/pk11wrap/pk11util.c
|
||||
--- nss/lib/pk11wrap/pk11util.c.fips 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/lib/pk11wrap/pk11util.c 2013-07-10 18:54:16.734465927 -0700
|
||||
@@ -95,6 +95,25 @@ SECMOD_Shutdown()
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
+int SECMOD_GetSystemFIPSEnabled(void) {
|
||||
+#ifdef LINUX
|
||||
+ FILE *f;
|
||||
+ char d;
|
||||
+ size_t size;
|
||||
+
|
||||
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
+ if (!f)
|
||||
+ return 0;
|
||||
+
|
||||
+ size = fread(&d, 1, 1, f);
|
||||
+ fclose(f);
|
||||
+ if (size != 1)
|
||||
+ return 0;
|
||||
+ if (d == '1')
|
||||
+ return 1;
|
||||
+#endif
|
||||
+ return 0;
|
||||
+}
|
||||
|
||||
/*
|
||||
* retrieve the internal module
|
||||
@@ -417,7 +436,7 @@ SECMOD_DeleteInternalModule(const char *
|
||||
SECMODModuleList **mlpp;
|
||||
SECStatus rv = SECFailure;
|
||||
|
||||
- if (pendingModule) {
|
||||
+ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
|
||||
PORT_SetError(SEC_ERROR_MODULE_STUCK);
|
||||
return rv;
|
||||
}
|
||||
@@ -888,7 +907,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
|
||||
PRBool
|
||||
SECMOD_CanDeleteInternalModule(void)
|
||||
{
|
||||
- return (PRBool) (pendingModule == NULL);
|
||||
+ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up nss/lib/pk11wrap/secmodi.h.fips nss/lib/pk11wrap/secmodi.h
|
||||
--- nss/lib/pk11wrap/secmodi.h.fips 2013-07-10 18:55:06.358298154 -0700
|
||||
+++ nss/lib/pk11wrap/secmodi.h 2013-07-10 18:56:52.050069372 -0700
|
||||
@@ -116,7 +116,12 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
|
||||
CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
|
||||
SECItem **param, SECItem *pwd, PRBool faulty3DES);
|
||||
|
||||
-
|
||||
+/* Get the state of the system FIPS mode */
|
||||
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
|
||||
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
|
||||
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
|
||||
+ * mode */
|
||||
+int SECMOD_GetSystemFIPSEnabled();
|
||||
|
||||
extern void pk11sdr_Init(void);
|
||||
extern void pk11sdr_Shutdown(void);
|
|
@ -1,23 +0,0 @@
|
|||
diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh
|
||||
--- a/tests/cipher/cipher.sh
|
||||
+++ b/tests/cipher/cipher.sh
|
||||
@@ -124,11 +124,17 @@ cipher_cleanup()
|
||||
# built and the cipher suite run as part of an nss-softoken build.
|
||||
if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
|
||||
echo "bltest not built, skipping this test." >> ${LOGFILE}
|
||||
res = 0
|
||||
html_msg $res $EXP_RET "$TESTNAME"
|
||||
return 0
|
||||
fi
|
||||
cipher_init
|
||||
-cipher_main
|
||||
-cipher_gcm
|
||||
+# Skip cipher_main if this an NSS without softoken build.
|
||||
+if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
|
||||
+ cipher_main
|
||||
+fi
|
||||
+# Skip cipher_gcm if this is a softoken only build.
|
||||
+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" != "1" ]; then
|
||||
+ cipher_gcm
|
||||
+fi
|
||||
cipher_cleanup
|
|
@ -1,38 +0,0 @@
|
|||
diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt
|
||||
--- ./nss/tests/ssl/sslauth.txt.ocsp_sni 2015-05-28 10:50:45.000000000 -0700
|
||||
+++ ./nss/tests/ssl/sslauth.txt 2015-08-30 08:49:22.025299419 -0700
|
||||
@@ -65,12 +65,12 @@
|
||||
# SNI Tests
|
||||
#
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
|
||||
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
|
||||
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
|
||||
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh
|
||||
--- ./nss/tests/ssl/ssl.sh.ocsp_sni 2015-08-30 08:49:21.905301105 -0700
|
||||
+++ ./nss/tests/ssl/ssl.sh 2015-08-30 08:49:22.017299531 -0700
|
||||
@@ -457,10 +457,10 @@ ssl_stapling_sub()
|
||||
start_selfserv
|
||||
|
||||
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
|
||||
- echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
|
||||
+ echo " -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
|
||||
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
||||
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
|
||||
- -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
|
||||
+ -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
|
||||
>${TMP}/$HOST.tmp.$$ 2>&1
|
||||
ret=$?
|
||||
cat ${TMP}/$HOST.tmp.$$
|
|
@ -1,31 +0,0 @@
|
|||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -1252,25 +1252,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
|
||||
rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
NSS_SetDomesticPolicy(void)
|
||||
{
|
||||
- SECStatus status = SECSuccess;
|
||||
const PRUint16 *cipher;
|
||||
|
||||
for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
|
||||
- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
|
||||
- if (status != SECSuccess)
|
||||
- break;
|
||||
+ SSL_SetPolicy(*cipher, SSL_ALLOWED);
|
||||
}
|
||||
- return status;
|
||||
+ return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
NSS_SetExportPolicy(void)
|
||||
{
|
||||
return NSS_SetDomesticPolicy();
|
||||
}
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
|
||||
*
|
||||
* Important: See bug 946147 before enabling, reordering, or adding any cipher
|
||||
* suites to this list.
|
||||
*/
|
||||
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
|
||||
/* cipher_suite policy enabled isPresent */
|
||||
|
||||
#ifndef NSS_DISABLE_ECC
|
||||
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
|
||||
* bug 946147.
|
||||
*/
|
||||
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
#endif /* NSS_DISABLE_ECC */
|
||||
|
||||
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|