Compare commits
39 Commits
Author | SHA1 | Date |
---|---|---|
Daiki Ueno | 9f02c9e77f | |
Kai Engert | adcc8fa311 | |
Daiki Ueno | 8baf3374a0 | |
Daiki Ueno | 96e48417c4 | |
Daiki Ueno | 32f2f104a0 | |
Kamil Dudka | 277c53ec53 | |
Kamil Dudka | 6d945e783b | |
Elio Maldonado | bcd5e0b440 | |
Elio Maldonado | bf75a70375 | |
Elio Maldonado | ad02ded6f4 | |
Elio Maldonado | cd48e5fca6 | |
Elio Maldonado | 98bf48efa8 | |
Elio Maldonado | d613d7be53 | |
Elio Maldonado | 4118705ed6 | |
Elio Maldonado | 9bb2cf3374 | |
Elio Maldonado | 654b8a9495 | |
Elio Maldonado | 45e747b60f | |
Elio Maldonado | c30e6463f2 | |
Elio Maldonado | 89d2571dee | |
Elio Maldonado | 110714f30e | |
Elio Maldonado | 215b206468 | |
Elio Maldonado | 60f329e1cb | |
Elio Maldonado | b8b223eab0 | |
Elio Maldonado | 4eaa3d7b9d | |
Elio Maldonado | fd19181e5d | |
Elio Maldonado | e3678c9fec | |
Elio Maldonado | 48c7880130 | |
Elio Maldonado | 96dbe9c655 | |
Jaromir Capik | 606756242b | |
Elio Maldonado | 72bc650c83 | |
Elio Maldonado | 6a39c9ce51 | |
Jaromir Capik | 5f693b2502 | |
Elio Maldonado | 87d2c81aa9 | |
Elio Maldonado | 263d40bd53 | |
Elio Maldonado | a19b6d8977 | |
Elio Maldonado | 0bdf1e3055 | |
Elio Maldonado | e3e725975b | |
Elio Maldonado | a037ec18e4 | |
Elio Maldonado | d54d19bf56 |
|
@ -7,7 +7,6 @@ PayPalEE.cert
|
|||
TestCA.ca.cert
|
||||
TestUser50.cert
|
||||
TestUser51.cert
|
||||
/nss-pem-20160308.tar.bz2
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.23.0.tar.gz
|
||||
/nss-3.27.0.tar.gz
|
||||
|
|
|
@ -1,149 +0,0 @@
|
|||
--- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800
|
||||
+++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800
|
||||
@@ -2,16 +2,20 @@
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
ifdef NISCC_TEST
|
||||
DEFINES += -DNISCC_TEST
|
||||
endif
|
||||
|
||||
+ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
|
||||
+endif
|
||||
+
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
|
||||
|
||||
EXTRA_LIBS += \
|
||||
$(CRYPTOLIB) \
|
||||
$(NULL)
|
||||
--- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800
|
||||
+++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800
|
||||
@@ -707,16 +707,22 @@
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL2:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (on) {
|
||||
@@ -731,52 +737,67 @@
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
}
|
||||
ss->preferredCipher = NULL;
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_NO_CACHE:
|
||||
ss->opt.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ss->opt.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure;
|
||||
}
|
||||
ss->opt.fdx = on;
|
||||
break;
|
||||
|
||||
case SSL_V2_COMPATIBLE_HELLO:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
if (!on) {
|
||||
ss->opt.enableSSL2 = on;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
ss->opt.detectRollBack = on;
|
||||
break;
|
||||
|
||||
case SSL_NO_STEP_DOWN:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (!on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
ss->opt.noStepDown = on;
|
||||
if (on)
|
||||
SSL_DisableExportCipherSuites(fd);
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_BYPASS_PKCS11:
|
||||
if (ss->handshakeBegun) {
|
||||
PORT_SetError(PR_INVALID_STATE_ERROR);
|
||||
rv = SECFailure;
|
||||
} else {
|
||||
if (PR_FALSE != on) {
|
||||
@@ -1324,16 +1345,32 @@
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* function tells us if the cipher suite is one that we no longer support. */
|
||||
static PRBool
|
||||
ssl_IsRemovedCipherSuite(PRInt32 suite)
|
||||
{
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ /* both ssl2 and export cipher suites disabled */
|
||||
+ if (SSL_IS_SSL2_CIPHER(suite))
|
||||
+ return PR_TRUE;
|
||||
+ if (SSL_IsExportCipherSuite(suite)) {
|
||||
+ SSLCipherSuiteInfo csdef;
|
||||
+ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
|
||||
+ /* failure to retrieve info, disable */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ if (csdef.symCipher != ssl_calg_null) {
|
||||
+ /* disable all except NULL ciphersuites */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
switch (suite) {
|
||||
case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
|
||||
return PR_TRUE;
|
||||
default:
|
||||
return PR_FALSE;
|
||||
}
|
|
@ -1,126 +0,0 @@
|
|||
--- ./tests/ssl/ssl.sh.disableSSL2tests 2016-01-29 02:30:10.000000000 -0800
|
||||
+++ ./tests/ssl/ssl.sh 2016-02-06 11:50:26.496668124 -0800
|
||||
@@ -57,19 +57,24 @@ ssl_init()
|
||||
fi
|
||||
|
||||
PORT=${PORT-8443}
|
||||
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
||||
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||
|
||||
# Test case files
|
||||
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
|
||||
+ else
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ fi
|
||||
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||
|
||||
#temparary files
|
||||
SERVEROUTFILE=${TMP}/tests_server.$$
|
||||
SERVERPID=${TMP}/tests_pid.$$
|
||||
|
||||
R_SERVERPID=../tests_pid.$$
|
||||
@@ -116,17 +121,21 @@ is_selfserv_alive()
|
||||
if [ "${OS_ARCH}" = "WINNT" ] && \
|
||||
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
||||
PID=${SHELL_SERVERPID}
|
||||
else
|
||||
PID=`cat ${SERVERPID}`
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "No server to kill"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||
+ fi
|
||||
|
||||
echo "selfserv with PID ${PID} found at `date`"
|
||||
}
|
||||
|
||||
########################### wait_for_selfserv ##########################
|
||||
# local shell function to wait until selfserver is running and initialized
|
||||
########################################################################
|
||||
wait_for_selfserv()
|
||||
@@ -139,17 +148,21 @@ wait_for_selfserv()
|
||||
if [ $? -ne 0 ]; then
|
||||
sleep 5
|
||||
echo "retrying to connect to selfserv at `date`"
|
||||
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
||||
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
||||
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ html_passed "Server never started"
|
||||
+ else
|
||||
html_failed "Waiting for Server"
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
is_selfserv_alive
|
||||
}
|
||||
|
||||
########################### kill_selfserv ##############################
|
||||
# local shell function to kill the selfserver after the tests are done
|
||||
########################################################################
|
||||
@@ -210,25 +223,26 @@ start_selfserv()
|
||||
ECC_OPTIONS=""
|
||||
fi
|
||||
if [ "$1" = "mixed" ]; then
|
||||
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
|
||||
fi
|
||||
echo "selfserv starting at `date`"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||
- echo " $verbose -H 1 &"
|
||||
+ echo " $verbose -H 1 -V ssl3: &"
|
||||
if [ ${fileout} -eq 1 ]; then
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
- > ${SERVEROUTFILE} 2>&1 &
|
||||
+ -V ssl3:> ${SERVEROUTFILE} 2>&1 &
|
||||
RET=$?
|
||||
else
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
|
||||
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
+ -V ssl3: &
|
||||
RET=$?
|
||||
fi
|
||||
|
||||
# The PID $! returned by the MKS or Cygwin shell is not the PID of
|
||||
# the real background process, but rather the PID of a helper
|
||||
# process (sh.exe). MKS's kill command has a bug: invoking kill
|
||||
# on the helper process does not terminate the real background
|
||||
# process. Our workaround has been to have selfserv save its PID
|
||||
@@ -275,16 +289,22 @@ ssl_cov()
|
||||
exec < ${SSLCOV}
|
||||
while read ectype testmax param testname
|
||||
do
|
||||
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||
EXP=$?
|
||||
echo "${testname}" | grep "SSL2" > /dev/null
|
||||
SSL2=$?
|
||||
|
||||
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
if [ "${SSL2}" -eq 0 ] ; then
|
||||
# We cannot use asynchronous cert verification with SSL2
|
||||
SSL2_FLAGS=-O
|
||||
VMIN="ssl2"
|
||||
else
|
||||
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
|
||||
# default in libssl but it is enabled by default in tstclnt; we want
|
||||
# to test the libssl default whenever possible.
|
|
@ -1,44 +1,62 @@
|
|||
diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2015-11-12 13:28:01.574855325 -0800
|
||||
@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
|
||||
PRNetAddr addr;
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
@@ -953,23 +953,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSockett");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2015-11-12 13:26:40.498345875 -0800
|
||||
@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
|
||||
PRNetAddr addr;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
@@ -1711,23 +1711,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
|
|
|
@ -0,0 +1,89 @@
|
|||
diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
|
||||
--- a/lib/pk11wrap/pk11pars.c
|
||||
+++ b/lib/pk11wrap/pk11pars.c
|
||||
@@ -105,16 +105,17 @@ secmod_NewModule(void)
|
||||
* This allows system NSS to delegate those changes to the user's module DB,
|
||||
* preserving the user's ability to load new PKCS #11 modules (which only
|
||||
* affect him), from existing applications like Firefox.
|
||||
*/
|
||||
#define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB 0x01 /* must be set if any of the
|
||||
*other flags are set */
|
||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
||||
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
|
||||
|
||||
|
||||
/* private flags for internal (field in SECMODModule). */
|
||||
/* The meaing of these flags is as follows:
|
||||
*
|
||||
* SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
|
||||
* the internal module (that is, softoken). This bit is the same as the
|
||||
* already existing meaning of internal = PR_TRUE. None of the other
|
||||
@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
|
||||
if (mod->isModuleDB) {
|
||||
char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
|
||||
if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
|
||||
flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
|
||||
}
|
||||
if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
|
||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
||||
}
|
||||
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
|
||||
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
|
||||
+ }
|
||||
/* additional moduleDB flags could be added here in the future */
|
||||
mod->isModuleDB = (PRBool) flags;
|
||||
}
|
||||
|
||||
if (mod->internal) {
|
||||
char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
|
||||
|
||||
if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
|
||||
@@ -738,16 +742,24 @@ PRBool
|
||||
SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
|
||||
{
|
||||
char flags = (char) mod->isModuleDB;
|
||||
|
||||
return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
|
||||
PRBool
|
||||
+secmod_PolicyOnly(SECMODModule *mod)
|
||||
+{
|
||||
+ char flags = (char) mod->isModuleDB;
|
||||
+
|
||||
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
secmod_IsInternalKeySlot(SECMODModule *mod)
|
||||
{
|
||||
char flags = (char) mod->internal;
|
||||
|
||||
return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
|
||||
if (library) PORT_Free(library);
|
||||
if (moduleName) PORT_Free(moduleName);
|
||||
if (parameters) PORT_Free(parameters);
|
||||
if (nss) PORT_Free(nss);
|
||||
if (config) PORT_Free(config);
|
||||
if (!module) {
|
||||
goto loser;
|
||||
}
|
||||
+
|
||||
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
|
||||
+ * been parsed as a side effect of the CreateModuleEx call */
|
||||
+ if (secmod_PolicyOnly(module)) {
|
||||
+ return module;
|
||||
+ }
|
||||
if (parent) {
|
||||
module->parent = SECMOD_ReferenceModule(parent);
|
||||
if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
||||
module->internal = parent->internal;
|
||||
}
|
||||
}
|
||||
|
||||
/* load it */
|
|
@ -0,0 +1,167 @@
|
|||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -7061,49 +7061,68 @@ ssl3_SendClientKeyExchange(sslSocket *ss
|
||||
|
||||
loser:
|
||||
if (serverKey)
|
||||
SECKEY_DestroyPublicKey(serverKey);
|
||||
return rv; /* err code already set. */
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
-ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *key,
|
||||
+ssl_PickSignatureScheme(sslSocket *ss,
|
||||
+ SECKEYPublicKey *pubKey,
|
||||
+ SECKEYPrivateKey *privKey,
|
||||
const SignatureScheme *peerSchemes,
|
||||
unsigned int peerSchemeCount,
|
||||
PRBool requireSha1)
|
||||
{
|
||||
unsigned int i, j;
|
||||
const namedGroupDef *group = NULL;
|
||||
KeyType keyType;
|
||||
+ PK11SlotInfo *slot;
|
||||
+ PRBool slotDoesPss;
|
||||
PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
|
||||
|
||||
- if (!key) {
|
||||
+ if (!pubKey || !privKey) {
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
- keyType = SECKEY_GetPublicKeyType(key);
|
||||
+ slot = PK11_GetSlotFromPrivateKey(privKey);
|
||||
+ if (!slot) {
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
|
||||
+ PK11_FreeSlot(slot);
|
||||
+
|
||||
+ keyType = SECKEY_GetPublicKeyType(pubKey);
|
||||
+
|
||||
if (keyType == ecKey) {
|
||||
- group = ssl_ECPubKey2NamedGroup(key);
|
||||
+ group = ssl_ECPubKey2NamedGroup(pubKey);
|
||||
}
|
||||
|
||||
/* Here we look for the first local preference that the client has
|
||||
* indicated support for in their signature_algorithms extension. */
|
||||
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
SSLHashType hashType;
|
||||
SECOidTag hashOID;
|
||||
SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
|
||||
PRUint32 policy;
|
||||
|
||||
if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
|
||||
preferred)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
+ /* Skip RSA-PSS schemes when the certificate's private key slot does
|
||||
+ * not support this signature mechanism. */
|
||||
+ if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
hashType = ssl_SignatureSchemeToHashType(preferred);
|
||||
hashOID = ssl3_HashTypeToOID(hashType);
|
||||
if (requireSha1 && hashOID != SEC_OID_SHA1) {
|
||||
continue;
|
||||
}
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
|
||||
!(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
/* we ignore hashes we don't support */
|
||||
@@ -7148,51 +7167,54 @@ ssl3_PickServerSignatureScheme(sslSocket
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
return SECFailure;
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* Sets error code, if needed. */
|
||||
- return ssl_PickSignatureScheme(ss, keyPair->pubKey,
|
||||
+ return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
|
||||
ss->ssl3.hs.clientSigSchemes,
|
||||
ss->ssl3.hs.numClientSigScheme,
|
||||
- PR_FALSE);
|
||||
+ PR_FALSE /* requireSha1 */);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes,
|
||||
unsigned int numSchemes)
|
||||
{
|
||||
- SECKEYPublicKey *key;
|
||||
+ SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
|
||||
+ SECKEYPublicKey *pubKey;
|
||||
SECStatus rv;
|
||||
|
||||
- key = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||
- PORT_Assert(key);
|
||||
+ pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||
+ PORT_Assert(pubKey);
|
||||
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
|
||||
- (SECKEY_GetPublicKeyType(key) == rsaKey ||
|
||||
- SECKEY_GetPublicKeyType(key) == dsaKey) &&
|
||||
- SECKEY_PublicKeyStrengthInBits(key) <= 1024) {
|
||||
+ (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
|
||||
+ SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
|
||||
+ SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) {
|
||||
/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
|
||||
* it may be unable to sign SHA-256 hashes. This is the case for older
|
||||
* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
|
||||
* older, DSA key size is at most 1024 bits and the hash function must
|
||||
* be SHA-1.
|
||||
*/
|
||||
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_TRUE);
|
||||
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||
+ PR_TRUE /* requireSha1 */);
|
||||
if (rv == SECSuccess) {
|
||||
- SECKEY_DestroyPublicKey(key);
|
||||
+ SECKEY_DestroyPublicKey(pubKey);
|
||||
return SECSuccess;
|
||||
}
|
||||
/* If this fails, that's because the peer doesn't advertise SHA-1,
|
||||
* so fall back to the full negotiation. */
|
||||
}
|
||||
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_FALSE);
|
||||
- SECKEY_DestroyPublicKey(key);
|
||||
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||
+ PR_FALSE /* requireSha1 */);
|
||||
+ SECKEY_DestroyPublicKey(pubKey);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/* Called from ssl3_HandleServerHelloDone(). */
|
||||
static SECStatus
|
||||
ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey)
|
||||
{
|
||||
SECStatus rv = SECFailure;
|
||||
@@ -10593,16 +10615,23 @@ ssl3_EncodeSigAlgs(sslSocket *ss, PRUint
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
PRUint32 policy = 0;
|
||||
SSLHashType hashType = ssl_SignatureSchemeToHashType(
|
||||
ss->ssl3.signatureSchemes[i]);
|
||||
SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
|
||||
+
|
||||
+ /* Skip RSA-PSS schemes if there are no tokens to verify them. */
|
||||
+ if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
|
||||
+ !PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
|
||||
(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
p = ssl_EncodeUintX((PRUint32)ss->ssl3.signatureSchemes[i], 2, p);
|
||||
}
|
||||
}
|
||||
|
||||
if (p == buf) {
|
||||
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
|
@ -1,12 +0,0 @@
|
|||
diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
|
||||
--- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700
|
||||
@@ -5,7 +5,7 @@
|
||||
|
||||
CORE_DEPTH = ../..
|
||||
|
||||
-DIRS = builtins
|
||||
+DIRS = builtins pem
|
||||
|
||||
PRIVATE_EXPORTS = \
|
||||
ck.h \
|
|
@ -1,17 +1,15 @@
|
|||
diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
|
||||
--- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700
|
||||
@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
|
||||
DIRS += libpkix
|
||||
endif
|
||||
|
||||
-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
|
||||
diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
|
||||
--- ./nss/cmd/Makefile.skipthem 2016-09-29 12:02:16.143413684 +0200
|
||||
+++ ./nss/cmd/Makefile 2016-09-29 12:03:58.776522901 +0200
|
||||
@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
|
||||
ECPERF_SRCDIR =
|
||||
ECTEST_SRCDIR =
|
||||
FIPSTEST_SRCDIR =
|
||||
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
|
||||
BLTEST_SRCDIR =
|
||||
-FIPSTEST_SRCDIR =
|
||||
-SHLIBSIGN_SRCDIR =
|
||||
+FIPSTEST_SRCDIR =
|
||||
+SHLIBSIGN_SRCDIR = shlibsign
|
||||
+else
|
||||
SHLIBSIGN_SRCDIR =
|
||||
+endif
|
||||
else
|
||||
BLTEST_SRCDIR = bltest
|
||||
FIPSTEST_SRCDIR = fipstest
|
||||
ECPERF_SRCDIR = ecperf
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
|
||||
--- ./external_tests/manifest.mn.skip_util_gtest 2016-09-29 12:05:28.858019733 +0200
|
||||
+++ ./external_tests/manifest.mn 2016-09-29 12:06:17.298681765 +0200
|
||||
@@ -9,8 +9,5 @@ DIRS = \
|
||||
google_test \
|
||||
common \
|
||||
der_gtest \
|
||||
- util_gtest \
|
||||
- pk11_gtest \
|
||||
- ssl_gtest \
|
||||
nss_bogo_shim \
|
||||
$(NULL)
|
240
nss.spec
240
nss.spec
|
@ -1,6 +1,6 @@
|
|||
%global nspr_version 4.12.0
|
||||
%global nss_util_version 3.23.0
|
||||
%global nss_softokn_version 3.23.0
|
||||
%global nspr_version 4.13.0
|
||||
%global nss_util_version 3.27.0
|
||||
%global nss_softokn_version 3.27.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
|
@ -18,10 +18,10 @@
|
|||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.23.0
|
||||
Version: 3.27.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 3%{?dist}
|
||||
Release: 1.3%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -45,8 +45,17 @@ BuildRequires: gawk
|
|||
BuildRequires: psmisc
|
||||
BuildRequires: perl
|
||||
|
||||
%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
|
||||
%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
|
||||
# nss-pem used to be bundled with the nss package on Fedora -- make sure that
|
||||
# programs relying on that continue to work until they are fixed to require
|
||||
# nss-pem instead. Once all of them are fixed, the following line can be
|
||||
# removed. See https://bugzilla.redhat.com/1346806 for details.
|
||||
Requires: nss-pem
|
||||
|
||||
%if %{defined nss_ckbi_suffix}
|
||||
%define full_nss_version %{version}%{nss_ckbi_suffix}
|
||||
%else
|
||||
%define full_nss_version %{version}
|
||||
%endif
|
||||
|
||||
Source0: %{name}-%{full_nss_version}.tar.gz
|
||||
Source1: nss.pc.in
|
||||
|
@ -58,7 +67,6 @@ Source6: blank-cert9.db
|
|||
Source7: blank-key4.db
|
||||
Source8: system-pkcs11.txt
|
||||
Source9: setup-nsssysinit.sh
|
||||
Source12: %{name}-pem-20160308.tar.bz2
|
||||
Source20: nss-config.xml
|
||||
Source21: setup-nsssysinit.xml
|
||||
Source22: pkcs11.txt.xml
|
||||
|
@ -70,14 +78,8 @@ Source27: secmod.db.xml
|
|||
|
||||
Patch2: add-relro-linker-option.patch
|
||||
Patch3: renegotiate-transitional.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=402712
|
||||
Patch6: nss-enable-pem.patch
|
||||
# Below reference applies to most pem module related patches
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
||||
Patch16: nss-539183.patch
|
||||
# must statically link pem against the freebl in the buildroot
|
||||
# Needed only when freebl on tree has new APIS
|
||||
Patch25: nsspem-use-system-freebl.patch
|
||||
# TODO: Remove this patch when the ocsp test are fixed
|
||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||
|
@ -91,13 +93,13 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
Patch52: disableSSL2libssl.patch
|
||||
Patch53: disableSSL2tests.patch
|
||||
Patch54: tstclnt-ssl2-off-by-default.patch
|
||||
Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch59: nss-check-policy-file.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
Patch70: nss-check-pss.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -168,25 +170,21 @@ low level services.
|
|||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -T -D -n %{name}-%{version} -a 12
|
||||
%setup -q -T -D -n %{name}-%{version}
|
||||
|
||||
%patch2 -p0 -b .relro
|
||||
%patch3 -p0 -b .transitional
|
||||
%patch6 -p0 -b .libpem
|
||||
%patch16 -p0 -b .539183
|
||||
# link pem against buildroot's freebl, essential when mixing and matching
|
||||
%patch25 -p0 -b .systemfreebl
|
||||
%patch40 -p0 -b .noocsptest
|
||||
%patch47 -p0 -b .templates
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
pushd nss
|
||||
%patch52 -p1 -b .disableSSL2libssl
|
||||
%patch53 -p1 -b .disableSSL2tests
|
||||
popd
|
||||
%patch54 -p0 -b .ssl2_off
|
||||
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
%patch62 -p0 -b .skip_util_gtest
|
||||
%patch70 -p1 -b .check_pss
|
||||
popd
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
@ -194,12 +192,7 @@ popd
|
|||
# until fixed upstream we must copy some headers locally
|
||||
#########################################################
|
||||
|
||||
pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
|
||||
for file in ${pemNeedsFromSoftoken}; do
|
||||
%{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
|
||||
done
|
||||
|
||||
# Copying these header until the upstream bug is accepted
|
||||
# Copying these headers until the upstream bug is accepted
|
||||
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
|
||||
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
|
||||
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
|
||||
|
@ -219,17 +212,12 @@ done
|
|||
%{__rm} -rf ./nss/cmd/fipstest
|
||||
%{__rm} -rf ./nss/cmd/rsaperf_low
|
||||
|
||||
pushd nss/tests/ssl
|
||||
# Create versions of sslcov.txt and sslstress.txt that disable tests
|
||||
# for SSL2 and EXPORT ciphers.
|
||||
cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt
|
||||
cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt
|
||||
popd
|
||||
######## Remove portions that need to statically link with libnssutil.a
|
||||
%{__rm} -rf ./nss/external_tests/util_gtests
|
||||
|
||||
|
||||
%build
|
||||
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
|
||||
NSS_NO_PKCS11_BYPASS=1
|
||||
export NSS_NO_PKCS11_BYPASS
|
||||
|
||||
|
@ -237,8 +225,7 @@ FREEBL_NO_DEPEND=1
|
|||
export FREEBL_NO_DEPEND
|
||||
|
||||
# Enable compiler optimizations and disable debugging code
|
||||
BUILD_OPT=1
|
||||
export BUILD_OPT
|
||||
export BUILD_OPT=1
|
||||
|
||||
# Uncomment to disable optimizations
|
||||
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
|
||||
|
@ -298,11 +285,29 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
|
|||
export NSS_ECC_MORE_THAN_SUITE_B=1
|
||||
|
||||
export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
|
||||
# NSS 3.27 enabled TLS 1.3 by default, disable it for now.
|
||||
#
|
||||
# The rationale is, while the maximum TLS version enabled by default
|
||||
# is TLS 1.2, some applications query the maximum TLS version and
|
||||
# enable it. That prevents those applications from connecting to
|
||||
# servers which are not tolerant ot TLS versions.
|
||||
#
|
||||
# Note that this is a temporary solution and should be removed when
|
||||
# packaging the next upstream release.
|
||||
export NSS_DISABLE_TLS_1_3=1
|
||||
|
||||
%{__make} -C ./nss/coreconf
|
||||
%{__make} -C ./nss/lib/dbm
|
||||
|
||||
# Set the policy file location
|
||||
# if set NSS will always check for the policy file and load if it exists
|
||||
export POLICY_FILE="nss.config"
|
||||
# location of the policy file
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
# need nss/lib/util/verref.h which is which is exported privately,
|
||||
# need nss/lib/util/verref.h which is exported privately,
|
||||
# copy the one we saved during prep so it they can find it.
|
||||
%{__mkdir_p} ./dist/private/nss
|
||||
%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
|
||||
|
@ -386,14 +391,10 @@ fi
|
|||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that SSL2 is disabled
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
BUILD_OPT=1
|
||||
export BUILD_OPT
|
||||
export BUILD_OPT=1
|
||||
|
||||
%ifnarch noarch
|
||||
%if 0%{__isa_bits} == 64
|
||||
|
@ -404,11 +405,17 @@ export USE_64
|
|||
|
||||
export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
|
||||
# needed for the fips manging test
|
||||
export NSS_DISABLE_TLS_1_3=1
|
||||
|
||||
# needed for the fips mangling test
|
||||
export SOFTOKEN_LIB_DIR=%{_libdir}
|
||||
|
||||
# End -- copied from the build section
|
||||
|
||||
# This is necessary because the test suite tests algorithms that are
|
||||
# disabled by the system policy.
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
|
||||
# enable the following line to force a test failure
|
||||
# find ./nss -name \*.chk | xargs rm -f
|
||||
|
||||
|
@ -450,14 +457,16 @@ pushd ./nss/tests/
|
|||
|
||||
# don't need to run all the tests when testing packaging
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
||||
# nss_ssl_run: cov auth stress
|
||||
# the full list from all.sh is:
|
||||
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
|
||||
# nss_ssl_run: cov auth stapling stress
|
||||
#
|
||||
# Uncomment these lines if you need to temporarily
|
||||
# disable some test suites for faster test builds
|
||||
# global nss_ssl_tests "normal_fips"
|
||||
# global nss_ssl_run "cov auth"
|
||||
# % define nss_ssl_tests "normal_fips"
|
||||
# % define nss_ssl_run "cov"
|
||||
|
||||
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
|
||||
|
||||
|
@ -530,7 +539,7 @@ touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
|
|||
%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
|
||||
|
||||
# Copy the binary libraries we want
|
||||
for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
do
|
||||
%{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
|
||||
done
|
||||
|
@ -646,24 +655,6 @@ else
|
|||
fi
|
||||
/sbin/ldconfig
|
||||
|
||||
%posttrans
|
||||
# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
|
||||
# (The incorrect %%postun always called "update-alternatives --remove",
|
||||
# because it incorrectly assumed that test -f returns false for symbolic links.)
|
||||
# The only possible remedy to fix the mistake that "always removes on upgrade"
|
||||
# made by the older %%postun script, is to repair it in %%posttrans of the new package.
|
||||
# Strategy:
|
||||
# %%posttrans is never called when uninstalling.
|
||||
# %%posttrans is only called when installing or upgrading a package.
|
||||
# Because %%posttrans is the very last action of a package install,
|
||||
# %%{_libdir}/libnssckbi.so must exist.
|
||||
# If it does not, it's the result of the incorrect removal from a broken %%postun.
|
||||
# In this case, we repeat installation of the alternatives link.
|
||||
if ! test -e %{_libdir}/libnssckbi.so; then
|
||||
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
|
||||
%{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
|
||||
fi
|
||||
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
|
@ -674,7 +665,6 @@ fi
|
|||
%{_libdir}/libsmime3.so
|
||||
%ghost %{_libdir}/libnssckbi.so
|
||||
%{_libdir}/nss/libnssckbi.so
|
||||
%{_libdir}/libnsspem.so
|
||||
%dir %{_sysconfdir}/pki/nssdb
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
||||
|
@ -770,7 +760,6 @@ fi
|
|||
%{_includedir}/nss3/keythi.h
|
||||
%{_includedir}/nss3/nss.h
|
||||
%{_includedir}/nss3/nssckbi.h
|
||||
%{_includedir}/nss3/nsspem.h
|
||||
%{_includedir}/nss3/ocsp.h
|
||||
%{_includedir}/nss3/ocspt.h
|
||||
%{_includedir}/nss3/p12.h
|
||||
|
@ -815,79 +804,110 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-3
|
||||
* Tue Nov 15 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.3
|
||||
- Revert the previous fix for RSA-PSS and use the upstream fix instead
|
||||
|
||||
* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-1.2
|
||||
- Disable the use of RSA-PSS with SSL/TLS. #1383809
|
||||
|
||||
* Sun Oct 2 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.1
|
||||
- Disable TLS 1.3 for now, to avoid reported regression with TLS to
|
||||
version intolerant servers
|
||||
|
||||
* Thu Sep 29 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.0
|
||||
- Rebase to NSS 3.27.0
|
||||
- Remove upstreamed ectest patch
|
||||
|
||||
* Mon Aug 8 2016 Daiki Ueno <dueno@redhat.com> - 3.26.0-1.0
|
||||
- Rebase to NSS 3.26.0
|
||||
- Update check policy file patch to better match what was upstreamed
|
||||
- Remove conditionally ignore system policy patch as it has been upstreamed
|
||||
- Skip ectest as well as ecperf, which are built as part of nss-softokn
|
||||
- Fix rpmlint error regarding %%define usage
|
||||
|
||||
* Wed Jul 20 2016 Kamil Dudka <kdudka@redhat.com> - 3.25.0-1.2
|
||||
- decouple nss-pem from the nss package (#1347336)
|
||||
|
||||
* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-1.1
|
||||
- Tidy up the spec file
|
||||
|
||||
* Mon Jul 04 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-1.0
|
||||
- Rebase to nss 3.25
|
||||
|
||||
* Thu Jun 09 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.3
|
||||
- Restore optimized build support for logging SSL/TLS key material to logfile
|
||||
- Resolves: Bug - 1343289 - Update to nss 3.24 removes sslkeylogfile support
|
||||
|
||||
* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.2
|
||||
- Allow application requests to disable SSL v2 to succeed
|
||||
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
|
||||
|
||||
* Tue May 31 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.1
|
||||
- Update nss_tests with some of the new gtests from upstream
|
||||
|
||||
* Sat May 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.0
|
||||
- Rebase to NSS 3.24.0
|
||||
|
||||
* Thu Mar 10 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.1
|
||||
- Update pem sources to latest from nss-pem upstream
|
||||
- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
|
||||
|
||||
* Sat Mar 05 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-2
|
||||
- Rebase to NSS 3.23
|
||||
* Sun Mar 06 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.0
|
||||
- Rebase to NSS 3.23.0
|
||||
|
||||
* Sat Feb 27 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-2
|
||||
* Mon Feb 29 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-1.0
|
||||
- Rebase to NSS 3.22.2
|
||||
|
||||
* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-3
|
||||
* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1.1
|
||||
- Fix ssl2/exp test disabling to run all the required tests
|
||||
|
||||
* Sun Feb 21 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1
|
||||
* Mon Feb 22 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1.0
|
||||
- Rebase to NSS 3.22.1
|
||||
|
||||
* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-3
|
||||
- Update .gitignore as part of updating to nss 3.22
|
||||
|
||||
* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-2
|
||||
* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-1.0
|
||||
- Update to NSS 3.22
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Fri Jan 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-6
|
||||
* Fri Jan 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.2
|
||||
- Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
|
||||
- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
|
||||
- Use %%define when specifying the nss_tests to run
|
||||
|
||||
* Wed Dec 30 2015 Michal Toman <mtoman@fedoraproject.org> - 3.21.0-5
|
||||
- Add 64-bit MIPS to multilib arches
|
||||
|
||||
* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-4
|
||||
* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.1
|
||||
- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0
|
||||
- Resolves: Bug 1284095 - all https fails with sec_error_no_token
|
||||
|
||||
* Sun Nov 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-3
|
||||
- Add references to bugs filed upstream
|
||||
|
||||
* Fri Nov 13 2015 Elio Maldonado Batiz <emaldona@redhat.com> - 3.21.1-2
|
||||
* Mon Nov 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.0
|
||||
- Update to NSS 3.21
|
||||
- Package listsuites as part of the unsupported tools set
|
||||
- Resolves: Bug 1279912 - nss-3.21 is available
|
||||
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
|
||||
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
|
||||
|
||||
* Fri Oct 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-2
|
||||
* Mon Nov 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-1.0
|
||||
- Update to NSS 3.20.1
|
||||
|
||||
* Wed Sep 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-6
|
||||
* Sun Oct 04 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.3
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
- Split the enabling patch in two for easier maintenance
|
||||
- Remove unused patches rendered obsolete by prior rebase
|
||||
- Remove unused patches
|
||||
|
||||
* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-5
|
||||
* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.2
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
- Implement corrections requested in code review
|
||||
|
||||
* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-4
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
|
||||
* Mon Sep 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-3
|
||||
- Fix patches that disable ssl2 and export cipher suites support
|
||||
* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.1
|
||||
- Enable ECC cipher-suites by default [rhbz#1185708]
|
||||
- Fix patches that disable ssl2 and export cipher suites support [rhbz#1263005]
|
||||
- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers
|
||||
- Fix syntax errors in patch to skip ssl2 and export cipher suite tests
|
||||
- Turn ssl2 off by default in the tstclnt tool
|
||||
- Disable ssl stress tests containing TLS RC4 128 with MD5
|
||||
|
||||
* Thu Aug 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-2
|
||||
* Fri Aug 21 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.0
|
||||
- Update to NSS 3.20
|
||||
|
||||
* Sat Aug 08 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-2
|
||||
* Tue Aug 11 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-1.0
|
||||
- Update to NSS 3.19.3
|
||||
|
||||
* Fri Jun 26 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.2-3
|
||||
|
|
|
@ -1,80 +0,0 @@
|
|||
diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
|
||||
--- nss/lib/ckfw/pem/config.mk.systemfreebl 2012-08-11 09:06:59.000000000 -0700
|
||||
+++ nss/lib/ckfw/pem/config.mk 2013-04-04 16:02:33.805744145 -0700
|
||||
@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
|
||||
# are specifed as dependencies within rules.mk.
|
||||
#
|
||||
|
||||
+
|
||||
+EXTRA_LIBS += \
|
||||
+ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
|
||||
+ $(NULL)
|
||||
+
|
||||
TARGETS = $(SHARED_LIBRARY)
|
||||
LIBRARY =
|
||||
IMPORT_LIBRARY =
|
||||
@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
|
||||
MKSHLIB += -R '$$ORIGIN'
|
||||
endif
|
||||
|
||||
+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
|
||||
+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
|
||||
+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
|
||||
+ifdef USE_SYSTEM_NSSUTIL
|
||||
+OS_LIBS += $(NSSUTIL_LIBS)
|
||||
+else
|
||||
+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
|
||||
+EXTRA_LIBS += $(NSSUTIL_LIBS)
|
||||
+endif
|
||||
+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
|
||||
+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
|
||||
+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
|
||||
+ifdef USE_SYSTEM_FREEBL
|
||||
+OS_LIBS += $(FREEBL_LIBS)
|
||||
+else
|
||||
+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
|
||||
+EXTRA_LIBS += $(FREEBL_LIBS)
|
||||
+endif
|
||||
+
|
||||
diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
|
||||
--- nss/lib/ckfw/pem/Makefile.systemfreebl 2012-08-11 09:06:59.000000000 -0700
|
||||
+++ nss/lib/ckfw/pem/Makefile 2013-04-04 16:02:33.806744154 -0700
|
||||
@@ -43,8 +43,7 @@ include config.mk
|
||||
EXTRA_LIBS = \
|
||||
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
|
||||
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
|
||||
- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
|
||||
- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
|
||||
+ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
|
||||
$(NULL)
|
||||
|
||||
# can't do this in manifest.mn because OS_TARGET isn't defined there.
|
||||
@@ -56,6 +55,9 @@ EXTRA_LIBS += \
|
||||
-lplc4 \
|
||||
-lplds4 \
|
||||
-lnspr4 \
|
||||
+ -L$(NSSUTIL_LIB_DIR) \
|
||||
+ -lnssutil3 \
|
||||
+ -lfreebl3
|
||||
$(NULL)
|
||||
else
|
||||
EXTRA_SHARED_LIBS += \
|
||||
@@ -74,6 +76,9 @@ EXTRA_LIBS += \
|
||||
-lplc4 \
|
||||
-lplds4 \
|
||||
-lnspr4 \
|
||||
+ -L$(NSSUTIL_LIB_DIR) \
|
||||
+ -lnssutil3 \
|
||||
+ -lfreebl3 \
|
||||
$(NULL)
|
||||
endif
|
||||
|
||||
diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
|
||||
--- nss/lib/ckfw/pem/manifest.mn.systemfreebl 2012-08-11 09:06:59.000000000 -0700
|
||||
+++ nss/lib/ckfw/pem/manifest.mn 2013-04-04 16:02:33.807744163 -0700
|
||||
@@ -65,4 +65,4 @@ REQUIRES = nspr
|
||||
|
||||
LIBRARY_NAME = nsspem
|
||||
|
||||
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
|
||||
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3
|
|
@ -1,146 +0,0 @@
|
|||
diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
|
||||
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
|
||||
};
|
||||
typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
|
||||
|
||||
+/* NOTE: Discrepancy with the the way callers use of the return value as a count
|
||||
+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
|
||||
+ */
|
||||
SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
|
||||
const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
|
||||
void pem_PopulateModulusExponent(pemInternalObject *io);
|
||||
diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
|
||||
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
|
||||
char *ivstring = NULL;
|
||||
int cipher;
|
||||
|
||||
- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int (a count) and the declaration as a SECStatus. */
|
||||
+ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs <= 0) {
|
||||
nss_ZFreeIf(objs);
|
||||
return CKR_GENERAL_ERROR;
|
||||
@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
|
||||
if (keyfile) { /* add the private key */
|
||||
SECItem **keyobjs = NULL;
|
||||
int kobjs = 0;
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. */
|
||||
kobjs =
|
||||
- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
+ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
&ivstring, PR_FALSE);
|
||||
if (kobjs < 1) {
|
||||
error = CKR_GENERAL_ERROR;
|
||||
diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
|
||||
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -630,6 +630,11 @@ pem_DestroyInternalObject
|
||||
if (io->u.key.ivstring)
|
||||
free(io->u.key.ivstring);
|
||||
break;
|
||||
+ case pemAll:
|
||||
+ /* pemAll is not used, keep the compiler happy
|
||||
+ * TODO: investigate a proper solution
|
||||
+ */
|
||||
+ return;
|
||||
}
|
||||
|
||||
if (NULL != gobj)
|
||||
@@ -1044,7 +1049,9 @@ pem_CreateObject
|
||||
int nobjs = 0;
|
||||
int i;
|
||||
int objid;
|
||||
+#if 0
|
||||
pemToken *token;
|
||||
+#endif
|
||||
int cipher;
|
||||
char *ivstring = NULL;
|
||||
pemInternalObject *listObj = NULL;
|
||||
@@ -1073,7 +1080,9 @@ pem_CreateObject
|
||||
}
|
||||
slotID = nssCKFWSlot_GetSlotID(fwSlot);
|
||||
|
||||
+#if 0
|
||||
token = (pemToken *) mdToken->etc;
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* only create keys and certs.
|
||||
@@ -1114,7 +1123,11 @@ pem_CreateObject
|
||||
}
|
||||
|
||||
if (objClass == CKO_CERTIFICATE) {
|
||||
- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. Typecasting as a
|
||||
+ * temporary workaround.
|
||||
+ */
|
||||
+ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs < 1)
|
||||
goto loser;
|
||||
|
||||
diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
|
||||
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* unused functions */
|
||||
+#if 0
|
||||
static SHA1Context *SHA1_CloneContext(SHA1Context * original)
|
||||
{
|
||||
SHA1Context *clone = NULL;
|
||||
@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
+#endif /* unused functions */
|
||||
|
||||
/*
|
||||
* Format one block of data for public/private key encryption using
|
||||
diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
|
||||
--- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800
|
||||
@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
-int
|
||||
+/* FIX: Returns a SECStatus yet callers take result as a count */
|
||||
+SECStatus
|
||||
ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
|
||||
int *cipher, char **ivstring, PRBool certsonly)
|
||||
{
|
||||
@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
goto loser;
|
||||
}
|
||||
if ((certsonly && !key) || (!certsonly && key)) {
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
} else {
|
||||
free(der->data);
|
||||
free(der);
|
||||
@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
}
|
||||
|
||||
/* NOTE: This code path has never been tested. */
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
}
|
||||
|
||||
nss_ZFreeIf(filedata.data);
|
|
@ -1,12 +1,12 @@
|
|||
diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
|
||||
--- ./nss/lib/ssl/sslsock.c.transitional 2016-03-05 08:54:13.871412639 -0800
|
||||
+++ ./nss/lib/ssl/sslsock.c 2016-03-05 09:00:27.721889811 -0800
|
||||
@@ -77,7 +77,7 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
- 2, /* enableRenegotiation (default: requires extension) */
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
PR_TRUE, /* cbcRandomIV */
|
||||
--- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400
|
||||
+++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400
|
||||
@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
- 2, /* enableRenegotiation (default: requires extension) */
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
PR_TRUE, /* cbcRandomIV */
|
||||
|
|
|
@ -1,14 +1,23 @@
|
|||
diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
|
||||
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2015-09-29 16:24:18.717593591 -0700
|
||||
+++ ./nss/lib/ssl/ssl3con.c 2015-09-29 16:25:22.672879926 -0700
|
||||
@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
|
||||
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
|
||||
+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
|
||||
@@ -118,18 +118,18 @@
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
#endif /* NSS_DISABLE_ECC */
|
||||
|
||||
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
|
||||
--- ./nss/tests/ssl/sslstress.txt.skip 2015-09-11 21:48:21.763187957 -0700
|
||||
+++ ./nss/tests/ssl/sslstress.txt 2015-09-11 21:50:10.516514535 -0700
|
||||
@@ -8,29 +8,29 @@
|
||||
# Enable return server client Test Case name
|
||||
# ECC value params params
|
||||
# ------- ------ ------ ------ ---------------
|
||||
- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
- noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
|
||||
- noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
|
||||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||
- SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||
+# noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
+# noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
|
||||
+# noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
|
||||
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||
+# SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||
|
||||
#
|
||||
# add client auth versions here...
|
||||
#
|
||||
- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
|
||||
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
|
||||
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
|
||||
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||
+# noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
|
||||
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
|
||||
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
|
||||
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||
|
||||
#
|
||||
# ############################ ECC ciphers ############################
|
3
sources
3
sources
|
@ -3,5 +3,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
|||
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
|
||||
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
|
||||
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
|
||||
4d8e770b105483e365f3327d883dd229 nss-pem-20160308.tar.bz2
|
||||
574488f97390085832299cc3b90814a8 nss-3.23.0.tar.gz
|
||||
e980f7c3bb70ca122e0f6f5e914ec29a nss-3.27.0.tar.gz
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c
|
||||
--- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off 2015-08-07 11:12:13.000000000 -0700
|
||||
+++ ./nss/cmd/tstclnt/tstclnt.c 2015-09-11 20:08:34.771859950 -0700
|
||||
@@ -212,7 +212,7 @@ static void PrintParameterUsage(void)
|
||||
fprintf(stderr,
|
||||
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
|
||||
"%-20s All versions are enabled by default.\n"
|
||||
- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
+ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
"%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
|
||||
"-V [min]:[max]", "", "", "");
|
||||
fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
|
||||
@@ -911,7 +911,7 @@ int main(int argc, char **argv)
|
||||
int npds;
|
||||
int override = 0;
|
||||
SSLVersionRange enabledVersions;
|
||||
- PRBool enableSSL2 = PR_TRUE;
|
||||
+ PRBool enableSSL2 = PR_FALSE;
|
||||
int bypassPKCS11 = 0;
|
||||
int disableLocking = 0;
|
||||
int useExportPolicy = 0;
|
Loading…
Reference in New Issue