Disable support for ssl2

- Support is disabled by setting a build-time environment variable, export NSS_NO_SSL2=1, in the spec file
- Support can be restored by not setting that environment variable
This commit is contained in:
Elio Maldonado 2014-07-18 07:35:10 -07:00
parent fd6a1f2171
commit ab703f693c
3 changed files with 141 additions and 2 deletions


@ -0,0 +1,72 @@
diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
--- ./nss/lib/ssl/config.mk.disableSSL2 2014-06-24 13:45:27.000000000 -0700
+++ ./nss/lib/ssl/config.mk 2014-07-12 12:32:06.011646588 -0700
@@ -7,6 +7,10 @@ ifdef NISCC_TEST
DEFINES += -DNISCC_TEST
endif
+ifdef NSS_NO_SSL2
+DEFINES += -DNSS_NO_SSL2
+endif
+
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
else
diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
--- ./nss/lib/ssl/sslsock.c.disableSSL2 2014-07-12 12:32:05.970645943 -0700
+++ ./nss/lib/ssl/sslsock.c 2014-07-12 12:36:46.096072901 -0700
@@ -653,6 +653,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -670,6 +676,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
ss->cipherSpecs = NULL;
ss->sizeCipherSpecs = 0;
}
+#endif /* NSS_NO_SSL2 */
break;
case SSL_NO_CACHE:
@@ -685,6 +692,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -696,6 +709,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
if (!on) {
ss->opt.enableSSL2 = on;
}
+#endif /* NSS_NO_SSL2 */
break;
case SSL_ROLLBACK_DETECTION:
@@ -1146,7 +1160,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
if (ssl_IsRemovedCipherSuite(which)) {
rv = SECSuccess;
} else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+#else
rv = ssl2_SetPolicy(which, policy);
+#endif
} else {
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
}

54
disable-sslv2-tests.patch Normal file

@ -0,0 +1,54 @@
diff -up ./nss/tests/chains/chains.sh.disableSSL2 ./nss/tests/chains/chains.sh
--- ./nss/tests/chains/chains.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
+++ ./nss/tests/chains/chains.sh 2014-07-12 12:38:36.407821766 -0700
@@ -40,7 +40,11 @@ is_httpserv_alive()
fi
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
+ echo "skipping kill because SSL2 was disabled"
+ else
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
+ fi
echo "httpserv with PID ${PID} found at `date`"
}
@@ -59,7 +63,11 @@ wait_for_httpserv()
echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
if [ $? -ne 0 ]; then
- html_failed "Waiting for Server"
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
+ html_passed "Waiting for Server is supposed to fail"
+ else
+ html_failed "Waiting for Server"
+ fi
fi
fi
is_httpserv_alive
TESTNAME="Test that OCSP server is reachable"
check_ocsp ${VALUE}
if [ $? -ne 0 ]; then
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
+ html_passed "$TESTNAME"
+ else
html_failed "$TESTNAME"
+ fi
break;
else
html_passed "$TESTNAME"
diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
--- ./nss/tests/ssl/ssl.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
+++ ./nss/tests/ssl/ssl.sh 2014-07-12 12:37:25.476697212 -0700
@@ -278,6 +278,11 @@ ssl_cov()
echo "${testname}" | grep "SSL2" > /dev/null
SSL2=$?
+ # skip export and ssl2 tests when build has disabled SSL2
+ if [[ "${NSS_NO_SSL2}" = "1" ]] && [[ -n ${EXP} -o -n ${SSL2} ]] ; then
+ continue
+ fi
+
if [ "${SSL2}" -eq 0 ] ; then
# We cannot use asynchronous cert verification with SSL2
SSL2_FLAGS=-O
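Review bot: The skip guard added to ssl_cov() in ssl.sh, `[[ -n ${EXP} -o -n ${SSL2} ]]`, is not valid bash: `[[ ... ]]` does not accept `-o`, so bash reports a syntax error in the conditional expression, and even if it were written with `[ ]` it would skip every test because `SSL2=$?` (and, it appears, `EXP`) hold a grep exit status that is never empty. The context line right after the hunk tests the status with `-eq 0`, so the guard should do the same: `if [[ "${NSS_NO_SSL2}" = "1" ]] && [[ "${EXP}" -eq 0 || "${SSL2}" -eq 0 ]]; then` (assuming EXP is set from a grep the same way SSL2 is; that assignment is outside the hunk). In chains.sh, the hunk that reports `html_passed "$TESTNAME"` when check_ocsp fails makes that test unable to fail under NSS_NO_SSL2=1, since the success branch also reports a pass, so an unrelated OCSP or httpserv breakage would be hidden; the same applies to accepting any tstclnt failure as "supposed to fail" and to skipping the `kill -0` liveness check entirely. Either skip these tests explicitly when SSL2 is disabled or assert the specific expected failure rather than accepting any failure. ssl_cov() and the chains.sh functions start and end outside the hunks.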


@ -19,7 +19,7 @@
Summary: Network Security Services
Name: nss
Version: 3.16.2
Release: 1%{?dist}
Release: 2%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@ -91,6 +91,8 @@ Patch49: nss-skip-bltest-and-fipstest.patch
# headers are older. Such is the case when starting an update with API changes or even private export changes.
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
Patch50: iquote.patch
Patch52: disable-sslv2-libssl.patch
Patch53: disable-sslv2-tests.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -178,6 +180,8 @@ low level services.
%patch47 -p0 -b .templates
%patch49 -p0 -b .skipthem
%patch50 -p0 -b .iquote
%patch52 -p0 -b .disableSSL2
%patch53 -p0 -b .disableSSL2
#########################################################
# Higher-level libraries and test tools need access to
@ -208,6 +212,8 @@ done
%build
export NSS_NO_SSL2=1
NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS
@ -355,6 +361,10 @@ if [ ${DISABLETEST:-0} -eq 1 ]; then
fi
# Begin -- copied from the build section
# inform the ssl test scripts that SSL2 is disabled
export NSS_NO_SSL2=1
FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND
@ -537,7 +547,7 @@ for f in nss-config setup-nsssysinit; do
done
# Copy the man pages for the nss tools
for f in "%{allTools}"; do
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
# Copy the man pages for the configuration files
for f in pkcs11.txt; do
@ -747,6 +757,9 @@ fi
%changelog
* Fri Jul 18 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
- Disable support for ssl2
* Sun Jun 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
- Update to nss-3.16.2