Compare commits
59 Commits
Author | SHA1 | Date |
---|---|---|
Elio Maldonado | 5025c815d9 | |
Elio Maldonado | 937aef60d8 | |
Elio Maldonado | bf75a70375 | |
Elio Maldonado | ad02ded6f4 | |
Elio Maldonado | 47ddb0da82 | |
Elio Maldonado | cd48e5fca6 | |
Elio Maldonado | ed6b91f708 | |
Elio Maldonado | 98bf48efa8 | |
Elio Maldonado | d613d7be53 | |
Elio Maldonado | 51e457fa3b | |
Elio Maldonado | 4118705ed6 | |
Elio Maldonado | 9bb2cf3374 | |
Elio Maldonado | 654b8a9495 | |
Elio Maldonado | 0a3a2fd185 | |
Elio Maldonado | 45e747b60f | |
Elio Maldonado | c30e6463f2 | |
Elio Maldonado | 89d2571dee | |
Elio Maldonado | 9dc59c604b | |
Elio Maldonado | 110714f30e | |
Elio Maldonado | 215b206468 | |
Elio Maldonado | 3f452b9eb1 | |
Elio Maldonado | 60f329e1cb | |
Elio Maldonado | b8b223eab0 | |
Elio Maldonado | 4eaa3d7b9d | |
Elio Maldonado | fd19181e5d | |
Elio Maldonado | e3678c9fec | |
Elio Maldonado | 6d72c86613 | |
Elio Maldonado | 48c7880130 | |
Elio Maldonado | 5d80a95fa1 | |
Elio Maldonado | 96dbe9c655 | |
Jaromir Capik | 606756242b | |
Jaromir Capik | 704d5a44ac | |
Elio Maldonado | 841dbb6452 | |
Elio Maldonado | 72bc650c83 | |
Elio Maldonado | 76c2979b60 | |
Elio Maldonado | 6a39c9ce51 | |
Jaromir Capik | 2a9943d7d9 | |
Jaromir Capik | 5f693b2502 | |
Elio Maldonado | 98e5efc0bd | |
Elio Maldonado | 87d2c81aa9 | |
Elio Maldonado | 79737adcc5 | |
Elio Maldonado | 9588d80ea9 | |
Elio Maldonado | 263d40bd53 | |
Elio Maldonado | 809dfe55a0 | |
Elio Maldonado | f6485c33f9 | |
Elio Maldonado | a19b6d8977 | |
Elio Maldonado | 8e329c561d | |
Elio Maldonado | 0bdf1e3055 | |
Elio Maldonado | d8b6c46b49 | |
Elio Maldonado | e3e725975b | |
Elio Maldonado | 4422fbdba4 | |
Elio Maldonado | a037ec18e4 | |
Elio Maldonado | 018a5d9705 | |
Elio Maldonado | d54d19bf56 | |
Elio Maldonado | c431cf3441 | |
Elio Maldonado | 9c7a889f44 | |
Elio Maldonado | c569d1df00 | |
Kai Engert | b2ba10483a | |
Kai Engert | 5823541645 |
|
@ -10,4 +10,4 @@ TestUser51.cert
|
|||
/nss-pem-20160308.tar.bz2
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.23.0.tar.gz
|
||||
/nss-3.24.0.tar.gz
|
||||
|
|
|
@ -1,149 +0,0 @@
|
|||
--- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800
|
||||
+++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800
|
||||
@@ -2,16 +2,20 @@
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
ifdef NISCC_TEST
|
||||
DEFINES += -DNISCC_TEST
|
||||
endif
|
||||
|
||||
+ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
|
||||
+endif
|
||||
+
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
|
||||
|
||||
EXTRA_LIBS += \
|
||||
$(CRYPTOLIB) \
|
||||
$(NULL)
|
||||
--- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800
|
||||
+++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800
|
||||
@@ -707,16 +707,22 @@
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL2:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (on) {
|
||||
@@ -731,52 +737,67 @@
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
}
|
||||
ss->preferredCipher = NULL;
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_NO_CACHE:
|
||||
ss->opt.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ss->opt.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure;
|
||||
}
|
||||
ss->opt.fdx = on;
|
||||
break;
|
||||
|
||||
case SSL_V2_COMPATIBLE_HELLO:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
if (!on) {
|
||||
ss->opt.enableSSL2 = on;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
ss->opt.detectRollBack = on;
|
||||
break;
|
||||
|
||||
case SSL_NO_STEP_DOWN:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (!on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
ss->opt.noStepDown = on;
|
||||
if (on)
|
||||
SSL_DisableExportCipherSuites(fd);
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_BYPASS_PKCS11:
|
||||
if (ss->handshakeBegun) {
|
||||
PORT_SetError(PR_INVALID_STATE_ERROR);
|
||||
rv = SECFailure;
|
||||
} else {
|
||||
if (PR_FALSE != on) {
|
||||
@@ -1324,16 +1345,32 @@
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* function tells us if the cipher suite is one that we no longer support. */
|
||||
static PRBool
|
||||
ssl_IsRemovedCipherSuite(PRInt32 suite)
|
||||
{
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ /* both ssl2 and export cipher suites disabled */
|
||||
+ if (SSL_IS_SSL2_CIPHER(suite))
|
||||
+ return PR_TRUE;
|
||||
+ if (SSL_IsExportCipherSuite(suite)) {
|
||||
+ SSLCipherSuiteInfo csdef;
|
||||
+ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
|
||||
+ /* failure to retrieve info, disable */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ if (csdef.symCipher != ssl_calg_null) {
|
||||
+ /* disable all except NULL ciphersuites */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
switch (suite) {
|
||||
case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
|
||||
return PR_TRUE;
|
||||
default:
|
||||
return PR_FALSE;
|
||||
}
|
|
@ -1,126 +0,0 @@
|
|||
--- ./tests/ssl/ssl.sh.disableSSL2tests 2016-01-29 02:30:10.000000000 -0800
|
||||
+++ ./tests/ssl/ssl.sh 2016-02-06 11:50:26.496668124 -0800
|
||||
@@ -57,19 +57,24 @@ ssl_init()
|
||||
fi
|
||||
|
||||
PORT=${PORT-8443}
|
||||
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
||||
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||
|
||||
# Test case files
|
||||
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
|
||||
+ else
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ fi
|
||||
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||
|
||||
#temparary files
|
||||
SERVEROUTFILE=${TMP}/tests_server.$$
|
||||
SERVERPID=${TMP}/tests_pid.$$
|
||||
|
||||
R_SERVERPID=../tests_pid.$$
|
||||
@@ -116,17 +121,21 @@ is_selfserv_alive()
|
||||
if [ "${OS_ARCH}" = "WINNT" ] && \
|
||||
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
||||
PID=${SHELL_SERVERPID}
|
||||
else
|
||||
PID=`cat ${SERVERPID}`
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "No server to kill"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||
+ fi
|
||||
|
||||
echo "selfserv with PID ${PID} found at `date`"
|
||||
}
|
||||
|
||||
########################### wait_for_selfserv ##########################
|
||||
# local shell function to wait until selfserver is running and initialized
|
||||
########################################################################
|
||||
wait_for_selfserv()
|
||||
@@ -139,17 +148,21 @@ wait_for_selfserv()
|
||||
if [ $? -ne 0 ]; then
|
||||
sleep 5
|
||||
echo "retrying to connect to selfserv at `date`"
|
||||
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
||||
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
||||
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ html_passed "Server never started"
|
||||
+ else
|
||||
html_failed "Waiting for Server"
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
is_selfserv_alive
|
||||
}
|
||||
|
||||
########################### kill_selfserv ##############################
|
||||
# local shell function to kill the selfserver after the tests are done
|
||||
########################################################################
|
||||
@@ -210,25 +223,26 @@ start_selfserv()
|
||||
ECC_OPTIONS=""
|
||||
fi
|
||||
if [ "$1" = "mixed" ]; then
|
||||
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
|
||||
fi
|
||||
echo "selfserv starting at `date`"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||
- echo " $verbose -H 1 &"
|
||||
+ echo " $verbose -H 1 -V ssl3: &"
|
||||
if [ ${fileout} -eq 1 ]; then
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
- > ${SERVEROUTFILE} 2>&1 &
|
||||
+ -V ssl3:> ${SERVEROUTFILE} 2>&1 &
|
||||
RET=$?
|
||||
else
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
|
||||
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
+ -V ssl3: &
|
||||
RET=$?
|
||||
fi
|
||||
|
||||
# The PID $! returned by the MKS or Cygwin shell is not the PID of
|
||||
# the real background process, but rather the PID of a helper
|
||||
# process (sh.exe). MKS's kill command has a bug: invoking kill
|
||||
# on the helper process does not terminate the real background
|
||||
# process. Our workaround has been to have selfserv save its PID
|
||||
@@ -275,16 +289,22 @@ ssl_cov()
|
||||
exec < ${SSLCOV}
|
||||
while read ectype testmax param testname
|
||||
do
|
||||
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||
EXP=$?
|
||||
echo "${testname}" | grep "SSL2" > /dev/null
|
||||
SSL2=$?
|
||||
|
||||
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
if [ "${SSL2}" -eq 0 ] ; then
|
||||
# We cannot use asynchronous cert verification with SSL2
|
||||
SSL2_FLAGS=-O
|
||||
VMIN="ssl2"
|
||||
else
|
||||
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
|
||||
# default in libssl but it is enabled by default in tstclnt; we want
|
||||
# to test the libssl default whenever possible.
|
|
@ -0,0 +1,102 @@
|
|||
--- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700
|
||||
+++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700
|
||||
@@ -675,16 +675,28 @@
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
ssl_EnableSSL3(&ss->vrange, on);
|
||||
break;
|
||||
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ /* We no longer support SSL v2.
|
||||
+ * However, if an old application requests to disable SSL v2,
|
||||
+ * we shouldn't fail.
|
||||
+ */
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ rv = SECFailure;
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
case SSL_NO_CACHE:
|
||||
ss->opt.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ss->opt.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure;
|
||||
@@ -856,16 +868,20 @@
|
||||
on = ss->opt.handshakeAsServer;
|
||||
break;
|
||||
case SSL_ENABLE_TLS:
|
||||
on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
break;
|
||||
case SSL_ENABLE_SSL3:
|
||||
on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
|
||||
break;
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ on = PR_FALSE;
|
||||
+ break;
|
||||
case SSL_NO_CACHE:
|
||||
on = ss->opt.noCache;
|
||||
break;
|
||||
case SSL_ENABLE_FDX:
|
||||
on = ss->opt.fdx;
|
||||
break;
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
on = ss->opt.detectRollBack;
|
||||
@@ -967,16 +983,20 @@
|
||||
on = ssl_defaults.handshakeAsServer;
|
||||
break;
|
||||
case SSL_ENABLE_TLS:
|
||||
on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
break;
|
||||
case SSL_ENABLE_SSL3:
|
||||
on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
|
||||
break;
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ on = PR_FALSE;
|
||||
+ break;
|
||||
case SSL_NO_CACHE:
|
||||
on = ssl_defaults.noCache;
|
||||
break;
|
||||
case SSL_ENABLE_FDX:
|
||||
on = ssl_defaults.fdx;
|
||||
break;
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
on = ssl_defaults.detectRollBack;
|
||||
@@ -1100,16 +1120,28 @@
|
||||
case SSL_ENABLE_TLS:
|
||||
ssl_EnableTLS(&versions_defaults_stream, on);
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL3:
|
||||
ssl_EnableSSL3(&versions_defaults_stream, on);
|
||||
break;
|
||||
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ /* We no longer support SSL v2.
|
||||
+ * However, if an old application requests to disable SSL v2,
|
||||
+ * we shouldn't fail.
|
||||
+ */
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
case SSL_NO_CACHE:
|
||||
ssl_defaults.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ssl_defaults.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
|
@ -1,44 +1,62 @@
|
|||
diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2015-11-12 13:28:01.574855325 -0800
|
||||
@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
|
||||
PRNetAddr addr;
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
@@ -953,23 +953,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSockett");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2015-11-12 13:26:40.498345875 -0800
|
||||
@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
|
||||
PRNetAddr addr;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
@@ -1711,23 +1711,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
--- ./lib/ssl/Makefile.allow_keylogfile 2016-06-08 21:54:29.504328764 -0700
|
||||
+++ ./lib/ssl/Makefile 2016-06-08 22:03:57.061313047 -0700
|
||||
@@ -34,19 +34,20 @@
|
||||
else
|
||||
ifeq ($(OS_TARGET),OS2)
|
||||
CSRCS += os2_err.c
|
||||
else
|
||||
CSRCS += unix_err.c
|
||||
endif
|
||||
endif
|
||||
|
||||
-# Enable key logging by default in debug builds, but not opt builds.
|
||||
-# Logging still needs to be enabled at runtime through env vars.
|
||||
-NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
|
||||
+# For Fedora stable branch compatibility, i.e f23 and f22
|
||||
+# Enable key logging by default in debug builds and opt builds.
|
||||
+# Logging doesn't need to be enabled at runtime through env vars.
|
||||
+NSS_ALLOW_SSLKEYLOGFILE = 1
|
||||
ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
|
||||
DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
|
||||
endif
|
||||
|
||||
#######################################################################
|
||||
# (5) Execute "global" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c
|
||||
--- ./lib/ckfw/pem/pinst.c.unitialized_var 2016-05-21 19:04:24.471221863 -0700
|
||||
+++ ./lib/ckfw/pem/pinst.c 2016-05-21 19:31:07.124298651 -0700
|
||||
@@ -534,9 +534,9 @@ CK_RV
|
||||
AddCertificate(char *certfile, char *keyfile, PRBool cacert,
|
||||
CK_SLOT_ID slotID)
|
||||
{
|
||||
- pemInternalObject *o;
|
||||
+ pemInternalObject *o = NULL;
|
||||
CK_RV error = 0;
|
||||
- int objid, i;
|
||||
+ int objid, i = 0;
|
||||
int nobjs = 0;
|
||||
SECItem **objs = NULL;
|
||||
char *ivstring = NULL;
|
|
@ -0,0 +1,11 @@
|
|||
diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
|
||||
--- ./external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700
|
||||
+++ ./external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700
|
||||
@@ -8,7 +8,6 @@ DEPTH = ..
|
||||
DIRS = \
|
||||
google_test \
|
||||
der_gtest \
|
||||
- util_gtest \
|
||||
pk11_gtest \
|
||||
ssl_gtest \
|
||||
$(NULL)
|
128
nss.spec
128
nss.spec
|
@ -1,6 +1,6 @@
|
|||
%global nspr_version 4.12.0
|
||||
%global nss_util_version 3.23.0
|
||||
%global nss_softokn_version 3.23.0
|
||||
%global nss_util_version 3.24.0
|
||||
%global nss_softokn_version 3.24.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
|
@ -18,10 +18,10 @@
|
|||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.23.0
|
||||
Version: 3.24.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 3%{?dist}
|
||||
Release: 1.3%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -91,13 +91,15 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
Patch52: disableSSL2libssl.patch
|
||||
Patch53: disableSSL2tests.patch
|
||||
Patch54: tstclnt-ssl2-off-by-default.patch
|
||||
Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
|
||||
Patch60: nss-pem-unitialized-vars.path
|
||||
Patch61: nss-skip-util-gtest.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
|
||||
Patch62: mozbz1277569backport.patch
|
||||
# Local: for stable branch compatibility
|
||||
Patch63: nss-allow-keylogfile-in-opt-builds.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -180,13 +182,14 @@ low level services.
|
|||
%patch47 -p0 -b .templates
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
pushd nss
|
||||
%patch52 -p1 -b .disableSSL2libssl
|
||||
%patch53 -p1 -b .disableSSL2tests
|
||||
popd
|
||||
%patch54 -p0 -b .ssl2_off
|
||||
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch60 -p1 -b .unitialized_vars
|
||||
%patch61 -p0 -b .skip_util_gtest
|
||||
%patch62 -p1 -b .compatibility
|
||||
%patch63 -p1 -b .allow_keylogfile
|
||||
popd
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
@ -219,6 +222,9 @@ done
|
|||
%{__rm} -rf ./nss/cmd/fipstest
|
||||
%{__rm} -rf ./nss/cmd/rsaperf_low
|
||||
|
||||
######## Remove portions that need to statically link with libnssutil.a
|
||||
%{__rm} -rf ./nss/external_tests/util_gtests
|
||||
|
||||
pushd nss/tests/ssl
|
||||
# Create versions of sslcov.txt and sslstress.txt that disable tests
|
||||
# for SSL2 and EXPORT ciphers.
|
||||
|
@ -237,8 +243,7 @@ FREEBL_NO_DEPEND=1
|
|||
export FREEBL_NO_DEPEND
|
||||
|
||||
# Enable compiler optimizations and disable debugging code
|
||||
BUILD_OPT=1
|
||||
export BUILD_OPT
|
||||
export BUILD_OPT=1
|
||||
|
||||
# Uncomment to disable optimizations
|
||||
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
|
||||
|
@ -302,7 +307,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
|||
%{__make} -C ./nss/lib/dbm
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
# need nss/lib/util/verref.h which is which is exported privately,
|
||||
# need nss/lib/util/verref.h which is exported privately,
|
||||
# copy the one we saved during prep so it they can find it.
|
||||
%{__mkdir_p} ./dist/private/nss
|
||||
%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
|
||||
|
@ -386,14 +391,10 @@ fi
|
|||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that SSL2 is disabled
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
BUILD_OPT=1
|
||||
export BUILD_OPT
|
||||
export BUILD_OPT=1
|
||||
|
||||
%ifnarch noarch
|
||||
%if 0%{__isa_bits} == 64
|
||||
|
@ -404,7 +405,7 @@ export USE_64
|
|||
|
||||
export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
|
||||
# needed for the fips manging test
|
||||
# needed for the fips mangling test
|
||||
export SOFTOKEN_LIB_DIR=%{_libdir}
|
||||
|
||||
# End -- copied from the build section
|
||||
|
@ -450,7 +451,7 @@ pushd ./nss/tests/
|
|||
|
||||
# don't need to run all the tests when testing packaging
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains pk11_gtests der_gtests"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
||||
# nss_ssl_run: cov auth stress
|
||||
#
|
||||
|
@ -646,24 +647,6 @@ else
|
|||
fi
|
||||
/sbin/ldconfig
|
||||
|
||||
%posttrans
|
||||
# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
|
||||
# (The incorrect %%postun always called "update-alternatives --remove",
|
||||
# because it incorrectly assumed that test -f returns false for symbolic links.)
|
||||
# The only possible remedy to fix the mistake that "always removes on upgrade"
|
||||
# made by the older %%postun script, is to repair it in %%posttrans of the new package.
|
||||
# Strategy:
|
||||
# %%posttrans is never called when uninstalling.
|
||||
# %%posttrans is only called when installing or upgrading a package.
|
||||
# Because %%posttrans is the very last action of a package install,
|
||||
# %%{_libdir}/libnssckbi.so must exist.
|
||||
# If it does not, it's the result of the incorrect removal from a broken %%postun.
|
||||
# In this case, we repeat installation of the alternatives link.
|
||||
if ! test -e %{_libdir}/libnssckbi.so; then
|
||||
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
|
||||
%{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
|
||||
fi
|
||||
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
|
@ -815,79 +798,78 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-3
|
||||
* Mon Jun 1 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.3
|
||||
- Restore optimized build support for logging SSL/TLS key material to logfile
|
||||
- Resolves: Bug - 1343289 - Update to nss 3.24 removes sslkeylogfile support
|
||||
|
||||
* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.1
|
||||
- Allow application requests to disable SSL v2 to succeed
|
||||
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
|
||||
- Update nss_tests with some of the new gtests from upstream
|
||||
|
||||
* Sat May 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.0
|
||||
- Rebase to NSS 3.24.0
|
||||
|
||||
* Thu Mar 10 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.1
|
||||
- Update pem sources to latest from nss-pem upstream
|
||||
- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
|
||||
|
||||
* Sat Mar 05 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-2
|
||||
- Rebase to NSS 3.23
|
||||
* Sun Mar 06 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.0
|
||||
- Rebase to NSS 3.23.0
|
||||
|
||||
* Sat Feb 27 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-2
|
||||
* Mon Feb 29 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-1.0
|
||||
- Rebase to NSS 3.22.2
|
||||
|
||||
* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-3
|
||||
* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1.1
|
||||
- Fix ssl2/exp test disabling to run all the required tests
|
||||
|
||||
* Sun Feb 21 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1
|
||||
* Mon Feb 22 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1.0
|
||||
- Rebase to NSS 3.22.1
|
||||
|
||||
* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-3
|
||||
- Update .gitignore as part of updating to nss 3.22
|
||||
|
||||
* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-2
|
||||
* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-1.0
|
||||
- Update to NSS 3.22
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Fri Jan 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-6
|
||||
* Fri Jan 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.2
|
||||
- Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
|
||||
- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
|
||||
- Use %%define when specifying the nss_tests to run
|
||||
|
||||
* Wed Dec 30 2015 Michal Toman <mtoman@fedoraproject.org> - 3.21.0-5
|
||||
- Add 64-bit MIPS to multilib arches
|
||||
|
||||
* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-4
|
||||
* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.1
|
||||
- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0
|
||||
- Resolves: Bug 1284095 - all https fails with sec_error_no_token
|
||||
|
||||
* Sun Nov 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-3
|
||||
- Add references to bugs filed upstream
|
||||
|
||||
* Fri Nov 13 2015 Elio Maldonado Batiz <emaldona@redhat.com> - 3.21.1-2
|
||||
* Mon Nov 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.0
|
||||
- Update to NSS 3.21
|
||||
- Package listsuites as part of the unsupported tools set
|
||||
- Resolves: Bug 1279912 - nss-3.21 is available
|
||||
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
|
||||
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
|
||||
|
||||
* Fri Oct 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-2
|
||||
* Mon Nov 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-1.0
|
||||
- Update to NSS 3.20.1
|
||||
|
||||
* Wed Sep 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-6
|
||||
* Sun Oct 04 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.3
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
- Split the enabling patch in two for easier maintenance
|
||||
- Remove unused patches rendered obsolete by prior rebase
|
||||
- Remove unused patches
|
||||
|
||||
* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-5
|
||||
* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.2
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
- Implement corrections requested in code review
|
||||
|
||||
* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-4
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
|
||||
* Mon Sep 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-3
|
||||
- Fix patches that disable ssl2 and export cipher suites support
|
||||
* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.1
|
||||
- Enable ECC cipher-suites by default [rhbz#1185708]
|
||||
- Fix patches that disable ssl2 and export cipher suites support [rhbz#1263005]
|
||||
- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers
|
||||
- Fix syntax errors in patch to skip ssl2 and export cipher suite tests
|
||||
- Turn ssl2 off by default in the tstclnt tool
|
||||
- Disable ssl stress tests containing TLS RC4 128 with MD5
|
||||
|
||||
* Thu Aug 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-2
|
||||
* Fri Aug 21 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.0
|
||||
- Update to NSS 3.20
|
||||
|
||||
* Sat Aug 08 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-2
|
||||
* Tue Aug 11 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-1.0
|
||||
- Update to NSS 3.19.3
|
||||
|
||||
* Fri Jun 26 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.2-3
|
||||
|
|
|
@ -1,146 +0,0 @@
|
|||
diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
|
||||
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
|
||||
};
|
||||
typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
|
||||
|
||||
+/* NOTE: Discrepancy with the the way callers use of the return value as a count
|
||||
+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
|
||||
+ */
|
||||
SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
|
||||
const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
|
||||
void pem_PopulateModulusExponent(pemInternalObject *io);
|
||||
diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
|
||||
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
|
||||
char *ivstring = NULL;
|
||||
int cipher;
|
||||
|
||||
- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int (a count) and the declaration as a SECStatus. */
|
||||
+ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs <= 0) {
|
||||
nss_ZFreeIf(objs);
|
||||
return CKR_GENERAL_ERROR;
|
||||
@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
|
||||
if (keyfile) { /* add the private key */
|
||||
SECItem **keyobjs = NULL;
|
||||
int kobjs = 0;
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. */
|
||||
kobjs =
|
||||
- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
+ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
&ivstring, PR_FALSE);
|
||||
if (kobjs < 1) {
|
||||
error = CKR_GENERAL_ERROR;
|
||||
diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
|
||||
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -630,6 +630,11 @@ pem_DestroyInternalObject
|
||||
if (io->u.key.ivstring)
|
||||
free(io->u.key.ivstring);
|
||||
break;
|
||||
+ case pemAll:
|
||||
+ /* pemAll is not used, keep the compiler happy
|
||||
+ * TODO: investigate a proper solution
|
||||
+ */
|
||||
+ return;
|
||||
}
|
||||
|
||||
if (NULL != gobj)
|
||||
@@ -1044,7 +1049,9 @@ pem_CreateObject
|
||||
int nobjs = 0;
|
||||
int i;
|
||||
int objid;
|
||||
+#if 0
|
||||
pemToken *token;
|
||||
+#endif
|
||||
int cipher;
|
||||
char *ivstring = NULL;
|
||||
pemInternalObject *listObj = NULL;
|
||||
@@ -1073,7 +1080,9 @@ pem_CreateObject
|
||||
}
|
||||
slotID = nssCKFWSlot_GetSlotID(fwSlot);
|
||||
|
||||
+#if 0
|
||||
token = (pemToken *) mdToken->etc;
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* only create keys and certs.
|
||||
@@ -1114,7 +1123,11 @@ pem_CreateObject
|
||||
}
|
||||
|
||||
if (objClass == CKO_CERTIFICATE) {
|
||||
- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. Typecasting as a
|
||||
+ * temporary workaround.
|
||||
+ */
|
||||
+ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs < 1)
|
||||
goto loser;
|
||||
|
||||
diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
|
||||
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* unused functions */
|
||||
+#if 0
|
||||
static SHA1Context *SHA1_CloneContext(SHA1Context * original)
|
||||
{
|
||||
SHA1Context *clone = NULL;
|
||||
@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
+#endif /* unused functions */
|
||||
|
||||
/*
|
||||
* Format one block of data for public/private key encryption using
|
||||
diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
|
||||
--- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800
|
||||
@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
-int
|
||||
+/* FIX: Returns a SECStatus yet callers take result as a count */
|
||||
+SECStatus
|
||||
ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
|
||||
int *cipher, char **ivstring, PRBool certsonly)
|
||||
{
|
||||
@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
goto loser;
|
||||
}
|
||||
if ((certsonly && !key) || (!certsonly && key)) {
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
} else {
|
||||
free(der->data);
|
||||
free(der);
|
||||
@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
}
|
||||
|
||||
/* NOTE: This code path has never been tested. */
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
}
|
||||
|
||||
nss_ZFreeIf(filedata.data);
|
|
@ -1,11 +1,10 @@
|
|||
diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
|
||||
--- ./nss/tests/ssl/sslstress.txt.skip 2015-09-11 21:48:21.763187957 -0700
|
||||
+++ ./nss/tests/ssl/sslstress.txt 2015-09-11 21:50:10.516514535 -0700
|
||||
@@ -8,29 +8,29 @@
|
||||
--- ./nss/tests/ssl/sslstress.txt.skip 2016-05-24 09:02:26.506457846 -0700
|
||||
+++ ./nss/tests/ssl/sslstress.txt 2016-05-24 09:08:19.475268491 -0700
|
||||
@@ -8,27 +8,27 @@
|
||||
# Enable return server client Test Case name
|
||||
# ECC value params params
|
||||
# ------- ------ ------ ------ ---------------
|
||||
- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
|
@ -14,7 +13,6 @@ diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
|
|||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||
- SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||
+# noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
|
@ -27,7 +25,6 @@ diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
|
|||
#
|
||||
# add client auth versions here...
|
||||
#
|
||||
- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
|
@ -37,7 +34,6 @@ diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
|
|||
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||
+# noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
|
|
2
sources
2
sources
|
@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
|||
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
|
||||
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
|
||||
4d8e770b105483e365f3327d883dd229 nss-pem-20160308.tar.bz2
|
||||
574488f97390085832299cc3b90814a8 nss-3.23.0.tar.gz
|
||||
2a3ffd2f46b60ecc116ac086343a537a nss-3.24.0.tar.gz
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c
|
||||
--- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off 2015-08-07 11:12:13.000000000 -0700
|
||||
+++ ./nss/cmd/tstclnt/tstclnt.c 2015-09-11 20:08:34.771859950 -0700
|
||||
@@ -212,7 +212,7 @@ static void PrintParameterUsage(void)
|
||||
fprintf(stderr,
|
||||
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
|
||||
"%-20s All versions are enabled by default.\n"
|
||||
- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
+ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
"%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
|
||||
"-V [min]:[max]", "", "", "");
|
||||
fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
|
||||
@@ -911,7 +911,7 @@ int main(int argc, char **argv)
|
||||
int npds;
|
||||
int override = 0;
|
||||
SSLVersionRange enabledVersions;
|
||||
- PRBool enableSSL2 = PR_TRUE;
|
||||
+ PRBool enableSSL2 = PR_FALSE;
|
||||
int bypassPKCS11 = 0;
|
||||
int disableLocking = 0;
|
||||
int useExportPolicy = 0;
|
Loading…
Reference in New Issue