From ef6c2f08e79256e47aad8cbea274f51523f40fab Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 28 Jun 2016 07:47:13 -0700 Subject: [PATCH 1/4] Remove obsolete patch and spurious lines from the spec file (#1347336) --- nss-pem-unitialized-vars.path | 15 --------------- nss.spec | 6 ++++-- 2 files changed, 4 insertions(+), 17 deletions(-) delete mode 100644 nss-pem-unitialized-vars.path diff --git a/nss-pem-unitialized-vars.path b/nss-pem-unitialized-vars.path deleted file mode 100644 index f9a93a1..0000000 --- a/nss-pem-unitialized-vars.path +++ /dev/null @@ -1,15 +0,0 @@ -diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c ---- ./lib/ckfw/pem/pinst.c.unitialized_var 2016-05-21 19:04:24.471221863 -0700 -+++ ./lib/ckfw/pem/pinst.c 2016-05-21 19:31:07.124298651 -0700 -@@ -534,9 +534,9 @@ CK_RV - AddCertificate(char *certfile, char *keyfile, PRBool cacert, - CK_SLOT_ID slotID) - { -- pemInternalObject *o; -+ pemInternalObject *o = NULL; - CK_RV error = 0; -- int objid, i; -+ int objid, i = 0; - int nobjs = 0; - SECItem **objs = NULL; - char *ivstring = NULL; diff --git a/nss.spec b/nss.spec index 5d518bb..5239063 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.25.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 3%{?dist} +Release: 4%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -179,7 +179,6 @@ low level services. %patch2 -p0 -b .relro %patch3 -p0 -b .transitional %patch16 -p0 -b .539183 -# link pem against buildroot's freebl, essential when mixing and matching %patch40 -p0 -b .noocsptest %patch47 -p0 -b .templates %patch49 -p0 -b .skipthem @@ -811,6 +810,9 @@ fi %changelog +* Tue Jun 28 2016 Elio Maldonado - 3.25.0-4 +- Remove obsolete patch and spurious lines from the spec file (#1347336) + * Sun Jun 26 2016 Elio Maldonado - 3.25.0-3 - Cleanup spec file and patches and add references to bugs filed upstream From 68e30820ed46e61e308f791238760e050d032667 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 28 Jun 2016 09:33:42 -0700 Subject: [PATCH 2/4] Add a reference to bug filed upstream --- nss.spec | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/nss.spec b/nss.spec index 5239063..3ad7995 100644 --- a/nss.spec +++ b/nss.spec @@ -94,9 +94,7 @@ Patch50: iquote.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch59: nss-check-policy-file.patch -# TODO: file a bug usptream -# Upstream commit that caused problems with gtests -# https://git.fedorahosted.org/cgit/nss-pem.git/commit/ +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch63: tests-check-policy-file.patch @@ -308,8 +306,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1 %{__make} -C ./nss/lib/dbm # Set the policy file location -# if set NSS will always check for the policy file and load it if it exists -# TODO: restore the POLICY_FILE and POLICY_PATH exports +# if set NSS will always check for the policy file and load if it exists export POLICY_FILE="nss.config" # location of the policy file export POLICY_PATH="/etc/crypto-policies/back-ends" From e666a29edf3f746aa60710bd28389ecf0491d344 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 1 Jul 2016 18:22:06 -0700 Subject: [PATCH 3/4] Add support for conditionally ignoring the system policy (#1157720) - Remove unneeded test scripts patches in order to run more tests - Remove unneeded test data modifications from the spec file --- nss-conditionally-ignore-system-policy.patch | 63 ++++++++++++ nss-skip-ecperf.patch | 6 +- nss.spec | 40 +++----- tests-check-policy-file.patch | 84 --------------- tests-data-adjust-for-policy.patch | 101 ------------------- 5 files changed, 82 insertions(+), 212 deletions(-) create mode 100644 nss-conditionally-ignore-system-policy.patch delete mode 100644 tests-check-policy-file.patch delete mode 100644 tests-data-adjust-for-policy.patch diff --git a/nss-conditionally-ignore-system-policy.patch b/nss-conditionally-ignore-system-policy.patch new file mode 100644 index 0000000..69ae0df --- /dev/null +++ b/nss-conditionally-ignore-system-policy.patch @@ -0,0 +1,63 @@ +--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 ++++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 +@@ -529,16 +529,19 @@ + { + SECMODModule *parent = NULL; + PKIX_UInt32 actualMinorVersion = 0; + PKIX_Error *pkixError = NULL; + PRBool isReallyInitted; + char *configStrings = NULL; + char *configName = NULL; + PRBool passwordRequired = PR_FALSE; ++#ifdef POLICY_FILE ++ char *ignoreVar; ++#endif + + /* if we are trying to init with a traditional NSS_Init call, maintain + * the traditional idempotent behavior. */ + if (!initContextPtr && nssIsInitted) { + return SECSuccess; + } + + /* make sure our lock and condition variable are initialized one and only +@@ -678,32 +681,38 @@ + dbpath = NULL; + } + if (dbpath) { + nss_FindExternalRoot(dbpath, secmodName); + } + } + } + #ifdef POLICY_FILE +- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { ++ /* Load the system crypo policy file if it exists, ++ * unless the NSS_IGNORE_SYSTEM_POLICY environment ++ * variable has been set to 1. */ ++ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); ++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { + SECMODModule *module = SECMOD_LoadModule( + "name=\"Policy File\" " + "parameters=\"configdir='sql:" POLICY_PATH "' " + "secmod='" POLICY_FILE "' " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", +- parent, PR_TRUE); ++ parent, PR_TRUE); + if (module) { + PRBool isLoaded = module->loaded; + SECMOD_DestroyModule(module); + if (!isLoaded) { + goto loser; + } + } + } ++ } + #endif + pk11sdr_Init(); + cert_CreateSubjectKeyIDHashTable(); + + pkixError = PKIX_Initialize + (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, + PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); + diff --git a/nss-skip-ecperf.patch b/nss-skip-ecperf.patch index 1f747ba..c488d11 100644 --- a/nss-skip-ecperf.patch +++ b/nss-skip-ecperf.patch @@ -1,6 +1,6 @@ -diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn ---- ./nss/cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700 -+++ ./nss/cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700 +diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn +--- ./cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700 ++++ ./cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700 @@ -42,7 +42,6 @@ NSS_SRCDIRS = \ dbtest \ derdump \ diff --git a/nss.spec b/nss.spec index 3ad7995..d203fe5 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.25.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 4%{?dist} +Release: 5%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -94,12 +94,10 @@ Patch50: iquote.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch59: nss-check-policy-file.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 +Patch60: nss-conditionally-ignore-system-policy.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch63: tests-check-policy-file.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch64: tests-data-adjust-for-policy.patch # TODO: file a bug upstream similar to the one for rsaperf Patch70: nss-skip-ecperf.patch @@ -184,12 +182,10 @@ low level services. %patch58 -p0 -b .1185708_3des pushd nss %patch59 -p1 -b .check_policy_file +%patch60 -p1 -b .cond_ignore %patch62 -p0 -b .skip_util_gtest -%patch63 -p1 -b .check_policy -%patch64 -p1 -b .expected_result +%patch70 -p1 -b .skip_ecperf popd -# temporary -%patch70 -p0 -b .skip_ecperf ######################################################### # Higher-level libraries and test tools need access to @@ -225,13 +221,6 @@ popd ######## Remove portions that need to statically link with libnssutil.a %{__rm} -rf ./nss/external_tests/util_gtests -pushd nss/tests/ssl -# Create versions of ssauth.txt, sslcov.txt and sslstress.txt that disable -# tests for non policy compliant ciphers. -cat sslauth.txt| sed -r "s/^([^#].*EXPORT|^[^#].*MD5)/#disabled \1/" > sslauth.noPolicy.txt -cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*_WITH_DES_*)/#disabled \1/" > sslcov.noPolicy.txt -cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*with MD5)/#disabled \1/" > sslstress.noPolicy.txt -popd %build @@ -396,10 +385,6 @@ fi # Begin -- copied from the build section -# inform the ssl test scripts that policy is enabled -export POLICY_FILE="nss.config" -export POLICY_PATH="/etc/crypto-policies/back-ends" - FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND @@ -419,6 +404,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir} # End -- copied from the build section +export NSS_IGNORE_SYSTEM_POLICY=1 + # enable the following line to force a test failure # find ./nss -name \*.chk | xargs rm -f @@ -463,13 +450,13 @@ pushd ./nss/tests/ # the full list from all.sh is: # "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" %define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" -# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr -# nss_ssl_run: cov auth stress +# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy +# nss_ssl_run: cov auth stapling stress # # Uncomment these lines if you need to temporarily # disable some test suites for faster test builds -# global nss_ssl_tests "normal_fips" -# global nss_ssl_run "cov auth" +# % define nss_ssl_tests "normal_fips" +# % define nss_ssl_run "cov" SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE` @@ -807,6 +794,11 @@ fi %changelog +* Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 +- Add support for conditionally ignoring the system policy (#1157720) +- Remove unneeded test scripts patches in order to run more tests +- Remove unneeded test data modifications from the spec file + * Tue Jun 28 2016 Elio Maldonado - 3.25.0-4 - Remove obsolete patch and spurious lines from the spec file (#1347336) diff --git a/tests-check-policy-file.patch b/tests-check-policy-file.patch deleted file mode 100644 index 76f23c7..0000000 --- a/tests-check-policy-file.patch +++ /dev/null @@ -1,84 +0,0 @@ -diff -up ./tests/ssl/sslauth.txt.check_policy ./tests/ssl/sslauth.txt -diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh ---- ./tests/ssl/ssl.sh.check_policy 2016-05-17 00:58:45.000000000 -0700 -+++ ./tests/ssl/ssl.sh 2016-05-28 15:45:07.645964005 -0700 -@@ -61,10 +61,19 @@ ssl_init() - nss_ssl_run="stapling signed_cert_timestamps cov auth stress" - NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} - -+ NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \ -+ ? "${POLICY_PATH}/${POLICY_FILE}" \ -+ : "" - # Test case files -- SSLCOV=${QADIR}/ssl/sslcov.txt -- SSLAUTH=${QADIR}/ssl/sslauth.txt -- SSLSTRESS=${QADIR}/ssl/sslstress.txt -+ if [ -n ${NSS_POLICY_FILE} ]; then -+ SSLAUTH=${QADIR}/ssl/sslauth.byPolicy.txt -+ SSLCOV=${QADIR}/ssl/sslcov.byPolicy.txt -+ SSLSTRESS=${QADIR}/ssl/sslstress.byPolicy.txt -+ else -+ SSLAUTH=${QADIR}/ssl/sslauth.txt -+ SSLCOV=${QADIR}/ssl/sslcov.txt -+ SSLSTRESS=${QADIR}/ssl/sslstress.txt -+ fi - SSLPOLICY=${QADIR}/ssl/sslpolicy.txt - REQUEST_FILE=${QADIR}/ssl/sslreq.dat - -@@ -122,7 +131,11 @@ is_selfserv_alive() - fi - - echo "kill -0 ${PID} >/dev/null 2>/dev/null" -+ if [ -n ${NSS_POLICY_FILE}" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ echo "No server to kill" -+ else - kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" -+ fi - - echo "selfserv with PID ${PID} found at `date`" - } -@@ -145,7 +158,11 @@ wait_for_selfserv() - ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ - -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} - if [ $? -ne 0 ]; then -+ if [ -n ${NSS_POLICY_FILE} ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ html_passed "Server never started" -+ else - html_failed "Waiting for Server" -+ fi - fi - fi - is_selfserv_alive -@@ -216,15 +233,16 @@ start_selfserv() - echo "selfserv starting at `date`" - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" - echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" -- echo " $verbose -H 1 &" -+ VMIN_OPT=[ -n ${NSS_POLICY_FILE} ] ? "-V ssl3:" : "" -+ echo " $verbose -H 1 ${VMIN_OPT} &" - if [ ${fileout} -eq 1 ]; then - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ -- > ${SERVEROUTFILE} 2>&1 & -+ ${VMIN_OPT}> ${SERVEROUTFILE} 2>&1 & - RET=$? - else - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ -- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 & -+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 ${VMIN_OPT} & - RET=$? - fi - -@@ -275,6 +293,12 @@ ssl_cov() - echo "${testname}" | grep "EXPORT" > /dev/null - EXP=$? - -+ # trace these types of tests when build has policy enabled -+ if [ -n ${NSS_POLICY_FILE} ] && -+ [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ] || ${SSL3} -eq 0 ]]; then -+ echo "exp/ssl2/ssl3 test should fail: (NSS_NO_SSL2,EXP,SSL2,SSL3)=(${NSS_NO_SSL2},${EXP},${SSL2},${SSL3})" -+ fi -+ - if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then - echo "$SCRIPTNAME: skipping $testname (ECC only)" - elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then diff --git a/tests-data-adjust-for-policy.patch b/tests-data-adjust-for-policy.patch deleted file mode 100644 index 48c350a..0000000 --- a/tests-data-adjust-for-policy.patch +++ /dev/null @@ -1,101 +0,0 @@ -diff -up ./tests/ssl/sslauth.txt.expected_result ./tests/ssl/sslauth.txt ---- ./tests/ssl/sslauth.txt.expected_result 2016-05-17 00:58:45.000000000 -0700 -+++ ./tests/ssl/sslauth.txt 2016-05-28 15:21:11.800761721 -0700 -@@ -14,12 +14,12 @@ - noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) - noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) - noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) -- noECC 0 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) -- noECC 0 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) -- noECC 0 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) -+ noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) -+ noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) -+ noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) - noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) - noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) -- noECC 0 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) -+ noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) - noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) - noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) - noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) -@@ -32,9 +32,9 @@ - noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth) - noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password) - noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth) -- noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) -- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) -- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) -+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) -+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) -+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) - noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) - noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) - noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) -@@ -57,17 +57,17 @@ - ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth) - ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password) - ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth) -- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) -- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) -+ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) -+ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) - ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) -- ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) -+ ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) - # - # SNI Tests - # - SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI - SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI - SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert -- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI -+ SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI - SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions - SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI - SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI -diff -up ./tests/ssl/sslpolicy.txt.expected_result ./tests/ssl/sslpolicy.txt ---- ./tests/ssl/sslpolicy.txt.expected_result 2016-05-17 00:58:45.000000000 -0700 -+++ ./tests/ssl/sslpolicy.txt 2016-05-28 15:21:11.800761721 -0700 -@@ -148,26 +148,26 @@ - # Exp Enable Enable Cipher Config Policy Test Name - # Ret EC TLS - # turn on single cipher -- 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy -- 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy -- 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly -- 1 noECC SSL3 d disallow=all Disallow All Explicitly. -+# 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy -+# 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy -+# 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly -+# 1 noECC SSL3 d disallow=all Disallow All Explicitly. - # turn off signature only -- 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly. -- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow. -- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly. -+# 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly. -+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow. -+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly. - # turn off single cipher -- 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly -- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow. -- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly. -+# 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly -+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow. -+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly. - # turn off H-Mac -- 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly -- 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow. -- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly. -+# 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly -+# 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow. -+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly. - # turn off key exchange -- 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly. -- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow. -- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly. -+# 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly. -+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow. -+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly. - # turn off version - 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly - 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow. From 90700e6be21c303d361231a63467dee2790ff822 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 8 Jul 2016 12:07:05 -0700 Subject: [PATCH 4/4] Add support to listsuites to list ciphers allowed by policy --- listsuites-do-queries.patch | 111 ++++++++++++++++++++++++++++++++++++ nss.spec | 7 ++- 2 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 listsuites-do-queries.patch diff --git a/listsuites-do-queries.patch b/listsuites-do-queries.patch new file mode 100644 index 0000000..820f5ed --- /dev/null +++ b/listsuites-do-queries.patch @@ -0,0 +1,111 @@ +--- ./cmd/listsuites/listsuites.c.do_queries 2016-05-17 00:58:45.000000000 -0700 ++++ ./cmd/listsuites/listsuites.c 2016-06-23 09:39:10.563925342 -0700 +@@ -7,19 +7,48 @@ + * + * Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6 + */ + + #include + #include + #include "secport.h" + #include "ssl.h" ++#include "plgetopt.h" ++#include "secutil.h" ++#include "utilpars.h" ++#include "nspr.h" ++#include "nss.h" ++ ++static const char *progName = "listsuites"; ++char *ignoreVar; ++ ++static char *policy_file_path(char *path) ++{ ++ return (PR_Access(path, PR_ACCESS_READ_OK) == PR_SUCCESS) ? path : ""; ++} ++ ++static char *ignore_system_policy_value(char *var) ++{ ++ ignoreVar = PR_GetEnvSecure(var); ++ return ignoreVar != NULL ? ignoreVar : ""; ++} ++ ++void Usage(const char *progName) ++{ ++ fprintf(stderr, ++ "\nList cipher suites or parse a policy file or query\n" ++ "Usage: %s [-i policy_file] file to parse (default is list)\n", ++ progName); ++ exit(1); ++} ++ + + int +-main(int argc, char **argv) ++list_suites(void) + { + const PRUint16 *cipherSuites = SSL_ImplementedCiphers; + int i; + int errCount = 0; + + fputs("This version of libSSL supports these cipher suites:\n\n", stdout); + + /* disable all the SSL3 cipher suites */ +@@ -56,8 +85,58 @@ + info.effectiveKeyBits, info.macAlgorithmName, + enabled ? "Enabled" : "Disabled", + info.isFIPS ? "FIPS" : "", + info.isExportable ? "Export" : "Domestic", + info.nonStandard ? "nonStandard" : ""); + } + return errCount; + } ++ ++int ++main(int argc, char **argv) ++{ ++ PLOptState *optstate = NULL; ++ PLOptStatus status; ++ SECStatus rv; ++ FILE *inFile; ++ char *ev, *path; ++ ++ optstate = PL_CreateOptState(argc, argv, "?hi:p:q:lL"); ++ while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { ++ switch (optstate->option) { ++ case '?': ++ case 'h': ++ Usage(progName); ++ break; ++ case 'p': ++ path = (char *)optstate->value; ++ fprintf(stdout, "%s=%s\n", path, policy_file_path(path)); ++ break; ++ case 'q': ++ ev = (char *)optstate->value; ++ fprintf(stdout, "%s=%s\n", ev, ignore_system_policy_value(ev)); ++ break; ++ case 'i': ++ rv = SECSuccess; ++ inFile = fopen(optstate->value, "r"); ++ if (!inFile) { ++ fprintf(stderr, ++ "%s: unable to open \"%s\" for reading\n", ++ progName, optstate->value); ++ return -1; ++ } ++ rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/ ++ fclose(inFile); ++ return (rv == SECSuccess) ? 0 : 1; ++ break; ++ case 'l': ++ case 'L': ++ return list_suites(); ++ break; ++ default: ++ Usage(progName); ++ break; ++ } ++ } ++ ++ return 0; ++} diff --git a/nss.spec b/nss.spec index d203fe5..465d75f 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.25.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 5%{?dist} +Release: 6%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -100,6 +100,7 @@ Patch60: nss-conditionally-ignore-system-policy.patch Patch62: nss-skip-util-gtest.patch # TODO: file a bug upstream similar to the one for rsaperf Patch70: nss-skip-ecperf.patch +Patch71: listsuites-do-queries.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -185,6 +186,7 @@ pushd nss %patch60 -p1 -b .cond_ignore %patch62 -p0 -b .skip_util_gtest %patch70 -p1 -b .skip_ecperf +%patch71 -p1 -b .do_queries popd ######################################################### @@ -794,6 +796,9 @@ fi %changelog +* Fri Jul 08 2016 Elio Maldonado - 3.25.0-6 +- Add support to listsuites to list ciphers allowed by policy + * Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 - Add support for conditionally ignoring the system policy (#1157720) - Remove unneeded test scripts patches in order to run more tests