Allow application requests to disable SSL v2 to succeed

- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
- Update nss_tests with some of the new gtests from upstream
This commit is contained in:
Elio Maldonado 2016-06-02 14:09:34 -07:00
parent 51e457fa3b
commit ed6b91f708
3 changed files with 115 additions and 6 deletions

102
mozbz1277569backport.patch Normal file
View File

@ -0,0 +1,102 @@
--- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700
+++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700
@@ -675,16 +675,28 @@
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure; /* not allowed */
}
break;
}
ssl_EnableSSL3(&ss->vrange, on);
break;
+ case SSL_ENABLE_SSL2:
+ case SSL_V2_COMPATIBLE_HELLO:
+ /* We no longer support SSL v2.
+ * However, if an old application requests to disable SSL v2,
+ * we shouldn't fail.
+ */
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ }
+ break;
+
case SSL_NO_CACHE:
ss->opt.noCache = on;
break;
case SSL_ENABLE_FDX:
if (on && ss->opt.noLocks) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@@ -856,16 +868,20 @@
on = ss->opt.handshakeAsServer;
break;
case SSL_ENABLE_TLS:
on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
break;
case SSL_ENABLE_SSL3:
on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
break;
+ case SSL_ENABLE_SSL2:
+ case SSL_V2_COMPATIBLE_HELLO:
+ on = PR_FALSE;
+ break;
case SSL_NO_CACHE:
on = ss->opt.noCache;
break;
case SSL_ENABLE_FDX:
on = ss->opt.fdx;
break;
case SSL_ROLLBACK_DETECTION:
on = ss->opt.detectRollBack;
@@ -967,16 +983,20 @@
on = ssl_defaults.handshakeAsServer;
break;
case SSL_ENABLE_TLS:
on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
break;
case SSL_ENABLE_SSL3:
on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
break;
+ case SSL_ENABLE_SSL2:
+ case SSL_V2_COMPATIBLE_HELLO:
+ on = PR_FALSE;
+ break;
case SSL_NO_CACHE:
on = ssl_defaults.noCache;
break;
case SSL_ENABLE_FDX:
on = ssl_defaults.fdx;
break;
case SSL_ROLLBACK_DETECTION:
on = ssl_defaults.detectRollBack;
@@ -1100,16 +1120,28 @@
case SSL_ENABLE_TLS:
ssl_EnableTLS(&versions_defaults_stream, on);
break;
case SSL_ENABLE_SSL3:
ssl_EnableSSL3(&versions_defaults_stream, on);
break;
+ case SSL_ENABLE_SSL2:
+ case SSL_V2_COMPATIBLE_HELLO:
+ /* We no longer support SSL v2.
+ * However, if an old application requests to disable SSL v2,
+ * we shouldn't fail.
+ */
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ break;
+
case SSL_NO_CACHE:
ssl_defaults.noCache = on;
break;
case SSL_ENABLE_FDX:
if (on && ssl_defaults.noLocks) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;

View File

@ -1,6 +1,6 @@
diff -up ./nss/external_tests/manifest.mn.skip_util_gtest ./nss/external_tests/manifest.mn diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
--- ./nss/external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700 --- ./external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700
+++ ./nss/external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700 +++ ./external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700
@@ -8,7 +8,6 @@ DEPTH = .. @@ -8,7 +8,6 @@ DEPTH = ..
DIRS = \ DIRS = \
google_test \ google_test \

View File

@ -96,7 +96,8 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
Patch60: nss-pem-unitialized-vars.path Patch60: nss-pem-unitialized-vars.path
Patch61: nss-skip-util-gtest.patch Patch61: nss-skip-util-gtest.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
Patch62: mozbz1277569backport.patch
%description %description
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
@ -183,8 +184,9 @@ low level services.
%patch58 -p0 -b .1185708_3des %patch58 -p0 -b .1185708_3des
pushd nss pushd nss
%patch60 -p1 -b .unitialized_vars %patch60 -p1 -b .unitialized_vars
popd
%patch61 -p0 -b .skip_util_gtest %patch61 -p0 -b .skip_util_gtest
%patch62 -p1 -b .compatibility
popd
######################################################### #########################################################
# Higher-level libraries and test tools need access to # Higher-level libraries and test tools need access to
@ -446,7 +448,7 @@ pushd ./nss/tests/
# don't need to run all the tests when testing packaging # don't need to run all the tests when testing packaging
# nss_cycles: standard pkix upgradedb sharedb # nss_cycles: standard pkix upgradedb sharedb
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains" %define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains pk11_gtests der_gtests"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
# nss_ssl_run: cov auth stress # nss_ssl_run: cov auth stress
# #
@ -793,6 +795,11 @@ fi
%changelog %changelog
* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.2
- Allow application requests to disable SSL v2 to succeed
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
- Update nss_tests with some of the new gtests from upstream
* Fri May 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.0 * Fri May 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.0
- Rebase to NSS 3.24.0 - Rebase to NSS 3.24.0