Compare commits
26 Commits
Author | SHA1 | Date |
---|---|---|
Daiki Ueno | 31e6f832ea | |
Daiki Ueno | 75d7e4f171 | |
Daiki Ueno | 88a7dca599 | |
Daiki Ueno | 51ea22c0ae | |
Daiki Ueno | 59d6576ae3 | |
Daiki Ueno | 4b8ce1e9a2 | |
Daiki Ueno | 2f6ed8e621 | |
Daiki Ueno | 23d923663d | |
Daiki Ueno | ab0cf790fc | |
Kai Engert | 02d2d2e6ff | |
Daiki Ueno | 3f9e705c49 | |
Daiki Ueno | 0d986ea964 | |
Daiki Ueno | c305f0f5af | |
Daiki Ueno | 7a09c1cf34 | |
Kamil Dudka | e7c1973f6e | |
Elio Maldonado | da1e2f1008 | |
Elio Maldonado | 689db2cb2b | |
Elio Maldonado | c901508114 | |
Elio Maldonado | d0d1a5f997 | |
Elio Maldonado | 996e173db6 | |
Elio Maldonado | 9bb2cf3374 | |
Elio Maldonado | 654b8a9495 | |
Elio Maldonado | c30e6463f2 | |
Elio Maldonado | 89d2571dee | |
Elio Maldonado | 215b206468 | |
Elio Maldonado | b8b223eab0 |
|
@ -7,7 +7,6 @@ PayPalEE.cert
|
|||
TestCA.ca.cert
|
||||
TestUser50.cert
|
||||
TestUser51.cert
|
||||
/nss-pem-20160308.tar.bz2
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.23.0.tar.gz
|
||||
/nss-3.30.2.tar.gz
|
||||
|
|
|
@ -1,149 +0,0 @@
|
|||
--- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800
|
||||
+++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800
|
||||
@@ -2,16 +2,20 @@
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
ifdef NISCC_TEST
|
||||
DEFINES += -DNISCC_TEST
|
||||
endif
|
||||
|
||||
+ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
|
||||
+endif
|
||||
+
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
|
||||
|
||||
EXTRA_LIBS += \
|
||||
$(CRYPTOLIB) \
|
||||
$(NULL)
|
||||
--- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800
|
||||
+++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800
|
||||
@@ -707,16 +707,22 @@
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL2:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (on) {
|
||||
@@ -731,52 +737,67 @@
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
}
|
||||
ss->preferredCipher = NULL;
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_NO_CACHE:
|
||||
ss->opt.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ss->opt.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure;
|
||||
}
|
||||
ss->opt.fdx = on;
|
||||
break;
|
||||
|
||||
case SSL_V2_COMPATIBLE_HELLO:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
if (!on) {
|
||||
ss->opt.enableSSL2 = on;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
ss->opt.detectRollBack = on;
|
||||
break;
|
||||
|
||||
case SSL_NO_STEP_DOWN:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (!on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
ss->opt.noStepDown = on;
|
||||
if (on)
|
||||
SSL_DisableExportCipherSuites(fd);
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_BYPASS_PKCS11:
|
||||
if (ss->handshakeBegun) {
|
||||
PORT_SetError(PR_INVALID_STATE_ERROR);
|
||||
rv = SECFailure;
|
||||
} else {
|
||||
if (PR_FALSE != on) {
|
||||
@@ -1324,16 +1345,32 @@
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* function tells us if the cipher suite is one that we no longer support. */
|
||||
static PRBool
|
||||
ssl_IsRemovedCipherSuite(PRInt32 suite)
|
||||
{
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ /* both ssl2 and export cipher suites disabled */
|
||||
+ if (SSL_IS_SSL2_CIPHER(suite))
|
||||
+ return PR_TRUE;
|
||||
+ if (SSL_IsExportCipherSuite(suite)) {
|
||||
+ SSLCipherSuiteInfo csdef;
|
||||
+ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
|
||||
+ /* failure to retrieve info, disable */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ if (csdef.symCipher != ssl_calg_null) {
|
||||
+ /* disable all except NULL ciphersuites */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
switch (suite) {
|
||||
case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
|
||||
return PR_TRUE;
|
||||
default:
|
||||
return PR_FALSE;
|
||||
}
|
|
@ -1,126 +0,0 @@
|
|||
--- ./tests/ssl/ssl.sh.disableSSL2tests 2016-01-29 02:30:10.000000000 -0800
|
||||
+++ ./tests/ssl/ssl.sh 2016-02-06 11:50:26.496668124 -0800
|
||||
@@ -57,19 +57,24 @@ ssl_init()
|
||||
fi
|
||||
|
||||
PORT=${PORT-8443}
|
||||
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
||||
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||
|
||||
# Test case files
|
||||
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
|
||||
+ else
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ fi
|
||||
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||
|
||||
#temparary files
|
||||
SERVEROUTFILE=${TMP}/tests_server.$$
|
||||
SERVERPID=${TMP}/tests_pid.$$
|
||||
|
||||
R_SERVERPID=../tests_pid.$$
|
||||
@@ -116,17 +121,21 @@ is_selfserv_alive()
|
||||
if [ "${OS_ARCH}" = "WINNT" ] && \
|
||||
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
||||
PID=${SHELL_SERVERPID}
|
||||
else
|
||||
PID=`cat ${SERVERPID}`
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "No server to kill"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||
+ fi
|
||||
|
||||
echo "selfserv with PID ${PID} found at `date`"
|
||||
}
|
||||
|
||||
########################### wait_for_selfserv ##########################
|
||||
# local shell function to wait until selfserver is running and initialized
|
||||
########################################################################
|
||||
wait_for_selfserv()
|
||||
@@ -139,17 +148,21 @@ wait_for_selfserv()
|
||||
if [ $? -ne 0 ]; then
|
||||
sleep 5
|
||||
echo "retrying to connect to selfserv at `date`"
|
||||
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
||||
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
||||
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ html_passed "Server never started"
|
||||
+ else
|
||||
html_failed "Waiting for Server"
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
is_selfserv_alive
|
||||
}
|
||||
|
||||
########################### kill_selfserv ##############################
|
||||
# local shell function to kill the selfserver after the tests are done
|
||||
########################################################################
|
||||
@@ -210,25 +223,26 @@ start_selfserv()
|
||||
ECC_OPTIONS=""
|
||||
fi
|
||||
if [ "$1" = "mixed" ]; then
|
||||
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
|
||||
fi
|
||||
echo "selfserv starting at `date`"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||
- echo " $verbose -H 1 &"
|
||||
+ echo " $verbose -H 1 -V ssl3: &"
|
||||
if [ ${fileout} -eq 1 ]; then
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
- > ${SERVEROUTFILE} 2>&1 &
|
||||
+ -V ssl3:> ${SERVEROUTFILE} 2>&1 &
|
||||
RET=$?
|
||||
else
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
|
||||
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
+ -V ssl3: &
|
||||
RET=$?
|
||||
fi
|
||||
|
||||
# The PID $! returned by the MKS or Cygwin shell is not the PID of
|
||||
# the real background process, but rather the PID of a helper
|
||||
# process (sh.exe). MKS's kill command has a bug: invoking kill
|
||||
# on the helper process does not terminate the real background
|
||||
# process. Our workaround has been to have selfserv save its PID
|
||||
@@ -275,16 +289,22 @@ ssl_cov()
|
||||
exec < ${SSLCOV}
|
||||
while read ectype testmax param testname
|
||||
do
|
||||
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||
EXP=$?
|
||||
echo "${testname}" | grep "SSL2" > /dev/null
|
||||
SSL2=$?
|
||||
|
||||
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
if [ "${SSL2}" -eq 0 ] ; then
|
||||
# We cannot use asynchronous cert verification with SSL2
|
||||
SSL2_FLAGS=-O
|
||||
VMIN="ssl2"
|
||||
else
|
||||
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
|
||||
# default in libssl but it is enabled by default in tstclnt; we want
|
||||
# to test the libssl default whenever possible.
|
12
iquote.patch
12
iquote.patch
|
@ -125,9 +125,9 @@ diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
|
|||
endif
|
||||
|
||||
ifndef NSS_LIB_DIR
|
||||
diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile
|
||||
--- ./nss/external_tests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/external_tests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
diff -up ./nss/gtests/pk11_gtest/Makefile.iquote ./nss/gtests/pk11_gtest/Makefile
|
||||
--- ./nss/gtests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/gtests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
@ -136,9 +136,9 @@ diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk
|
|||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile
|
||||
--- ./nss/external_tests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/external_tests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800
|
||||
diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
|
||||
--- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/gtests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800
|
||||
@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
|
|
@ -0,0 +1,754 @@
|
|||
diff --git a/gtests/nss_bogo_shim/nss_bogo_shim.cc b/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
--- a/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
+++ b/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
@@ -260,16 +260,22 @@ class TestAgent {
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
SSLVersionRange vrange;
|
||||
if (!GetVersionRange(&vrange, ssl_variant_stream)) return false;
|
||||
|
||||
rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd_, &verify_vrange);
|
||||
+ if (rv != SECSuccess) return false;
|
||||
+ if (vrange.min != verify_vrange.min || vrange.max != verify_vrange.max)
|
||||
+ return false;
|
||||
+
|
||||
rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
auto alpn = cfg_.get<std::string>("advertise-alpn");
|
||||
if (!alpn.empty()) {
|
||||
assert(!cfg_.get<bool>("server"));
|
||||
|
||||
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE);
|
||||
diff --git a/gtests/ssl_gtest/tls_agent.cc b/gtests/ssl_gtest/tls_agent.cc
|
||||
--- a/gtests/ssl_gtest/tls_agent.cc
|
||||
+++ b/gtests/ssl_gtest/tls_agent.cc
|
||||
@@ -20,16 +20,21 @@ extern "C" {
|
||||
|
||||
#define GTEST_HAS_RTTI 0
|
||||
#include "gtest/gtest.h"
|
||||
#include "gtest_utils.h"
|
||||
#include "scoped_ptrs.h"
|
||||
|
||||
extern std::string g_working_dir_path;
|
||||
|
||||
+static bool SSLVersionRangesAreEqual(SSLVersionRange& vr1,
|
||||
+ SSLVersionRange& vr2) {
|
||||
+ return vr1.min == vr2.min && vr1.max == vr2.max;
|
||||
+}
|
||||
+
|
||||
namespace nss_test {
|
||||
|
||||
const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
|
||||
|
||||
const std::string TlsAgent::kClient = "client"; // both sign and encrypt
|
||||
const std::string TlsAgent::kRsa2048 = "rsa2048"; // bigger
|
||||
const std::string TlsAgent::kServerRsa = "rsa"; // both sign and encrypt
|
||||
const std::string TlsAgent::kServerRsaSign = "rsa_sign";
|
||||
@@ -156,16 +161,26 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc
|
||||
return false;
|
||||
}
|
||||
dummy_fd.release(); // Now subsumed by ssl_fd_.
|
||||
|
||||
SECStatus rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd(), &verify_vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv);
|
||||
+ if (rv != SECSuccess) return false;
|
||||
+
|
||||
+ bool ranges_are_equal = SSLVersionRangesAreEqual(vrange_, verify_vrange);
|
||||
+ EXPECT_TRUE(ranges_are_equal)
|
||||
+ << "System policy must not restrict the allowed min/max SSL/TLS range";
|
||||
+ if (!ranges_are_equal) return false;
|
||||
+
|
||||
if (role_ == SERVER) {
|
||||
EXPECT_TRUE(ConfigServerCert(name_, true));
|
||||
|
||||
rv = SSL_SNISocketConfigHook(ssl_fd(), SniHook, this);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
ScopedCERTCertList anchors(CERT_NewCertList());
|
||||
@@ -400,16 +415,23 @@ void TlsAgent::SetShortHeadersEnabled()
|
||||
|
||||
void TlsAgent::SetVersionRange(uint16_t minver, uint16_t maxver) {
|
||||
vrange_.min = minver;
|
||||
vrange_.max = maxver;
|
||||
|
||||
if (ssl_fd()) {
|
||||
SECStatus rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
+
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd(), &verify_vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv);
|
||||
+ bool ranges_are_equal = SSLVersionRangesAreEqual(vrange_, verify_vrange);
|
||||
+ EXPECT_TRUE(ranges_are_equal)
|
||||
+ << "System policy must not restrict the allowed min/max SSL/TLS range";
|
||||
}
|
||||
}
|
||||
|
||||
void TlsAgent::GetVersionRange(uint16_t* minver, uint16_t* maxver) {
|
||||
*minver = vrange_.min;
|
||||
*maxver = vrange_.max;
|
||||
}
|
||||
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -2202,38 +2202,42 @@ ssl3_GetRangePolicy(SSLProtocolVariant p
|
||||
return SECFailure; /* don't accept an invalid policy */
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/*
|
||||
* Constrain a single protocol variant's range based on the user policy
|
||||
*/
|
||||
-static SECStatus
|
||||
-ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
|
||||
+static void
|
||||
+ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant,
|
||||
+ SSLVersionRange *rangeParam /* in and out */)
|
||||
{
|
||||
SSLVersionRange vrange;
|
||||
SSLVersionRange pvrange;
|
||||
SECStatus rv;
|
||||
|
||||
- vrange = *VERSIONS_DEFAULTS(protocolVariant);
|
||||
+ if (!rangeParam) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ vrange = *rangeParam;
|
||||
rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
|
||||
if (rv != SECSuccess) {
|
||||
- return SECSuccess; /* we don't have any policy */
|
||||
+ return; /* we don't have any policy */
|
||||
}
|
||||
vrange.min = PR_MAX(vrange.min, pvrange.min);
|
||||
vrange.max = PR_MIN(vrange.max, pvrange.max);
|
||||
if (vrange.max >= vrange.min) {
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = vrange;
|
||||
+ *rangeParam = vrange;
|
||||
} else {
|
||||
/* there was no overlap, turn off range altogether */
|
||||
pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
|
||||
+ *rangeParam = pvrange;
|
||||
}
|
||||
- return SECSuccess;
|
||||
}
|
||||
|
||||
static PRBool
|
||||
ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
|
||||
SSL3ProtocolVersion version)
|
||||
{
|
||||
SSLVersionRange pvrange;
|
||||
SECStatus rv;
|
||||
@@ -2249,60 +2253,59 @@ ssl_VersionIsSupportedByPolicy(SSLProtoc
|
||||
|
||||
/*
|
||||
* This is called at SSL init time to constrain the existing range based
|
||||
* on user supplied policy.
|
||||
*/
|
||||
SECStatus
|
||||
ssl3_ConstrainRangeByPolicy(void)
|
||||
{
|
||||
- SECStatus rv;
|
||||
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream);
|
||||
- if (rv != SECSuccess) {
|
||||
- return rv;
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream,
|
||||
+ VERSIONS_DEFAULTS(ssl_variant_stream));
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram,
|
||||
+ VERSIONS_DEFAULTS(ssl_variant_datagram));
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
+ssl3_VersionIsSupportedByCode(SSLProtocolVariant protocolVariant,
|
||||
+ SSL3ProtocolVersion version)
|
||||
+{
|
||||
+ switch (protocolVariant) {
|
||||
+ case ssl_variant_stream:
|
||||
+ return (version >= SSL_LIBRARY_VERSION_3_0 &&
|
||||
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
+ case ssl_variant_datagram:
|
||||
+ return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
|
||||
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
}
|
||||
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram);
|
||||
- if (rv != SECSuccess) {
|
||||
- return rv;
|
||||
- }
|
||||
- return SECSuccess;
|
||||
+
|
||||
+ /* Can't get here */
|
||||
+ PORT_Assert(PR_FALSE);
|
||||
+ return PR_FALSE;
|
||||
}
|
||||
|
||||
PRBool
|
||||
ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
|
||||
SSL3ProtocolVersion version)
|
||||
{
|
||||
if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- switch (protocolVariant) {
|
||||
- case ssl_variant_stream:
|
||||
- return (version >= SSL_LIBRARY_VERSION_3_0 &&
|
||||
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
- case ssl_variant_datagram:
|
||||
- return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
|
||||
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
- default:
|
||||
- /* Can't get here */
|
||||
- PORT_Assert(PR_FALSE);
|
||||
- return PR_FALSE;
|
||||
- }
|
||||
+ return ssl3_VersionIsSupportedByCode(protocolVariant, version);
|
||||
}
|
||||
|
||||
-/* Returns PR_TRUE if the given version range is valid and
|
||||
-** fully supported; otherwise, returns PR_FALSE.
|
||||
-*/
|
||||
static PRBool
|
||||
ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
|
||||
const SSLVersionRange *vrange)
|
||||
{
|
||||
return vrange &&
|
||||
vrange->min <= vrange->max &&
|
||||
- ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
|
||||
- ssl3_VersionIsSupported(protocolVariant, vrange->max) &&
|
||||
+ ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) &&
|
||||
+ ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) &&
|
||||
(vrange->min > SSL_LIBRARY_VERSION_3_0 ||
|
||||
vrange->max < SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
}
|
||||
|
||||
const SECItem *
|
||||
SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
@@ -2329,60 +2332,116 @@ SSL_VersionRangeGetSupported(SSLProtocol
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
switch (protocolVariant) {
|
||||
case ssl_variant_stream:
|
||||
vrange->min = SSL_LIBRARY_VERSION_3_0;
|
||||
vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
|
||||
- // We don't allow SSLv3 and TLSv1.3 together.
|
||||
- if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
- vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
- }
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together.
|
||||
+ * However, don't check yet, apply the policy first.
|
||||
+ * Because if the effective supported range doesn't use TLS 1.3,
|
||||
+ * then we don't need to increase the minimum. */
|
||||
break;
|
||||
case ssl_variant_datagram:
|
||||
vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
|
||||
vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
|
||||
break;
|
||||
default:
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ /* Library default and policy don't overlap. */
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (protocolVariant == ssl_variant_stream) {
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together */
|
||||
+ if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
|
||||
SSLVersionRange *vrange)
|
||||
{
|
||||
if ((protocolVariant != ssl_variant_stream &&
|
||||
protocolVariant != ssl_variant_datagram) ||
|
||||
!vrange) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
*vrange = *VERSIONS_DEFAULTS(protocolVariant);
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ /* Library default and policy don't overlap. */
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
-SECStatus
|
||||
-SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
|
||||
- const SSLVersionRange *vrange)
|
||||
+static SECStatus
|
||||
+ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant,
|
||||
+ SSLVersionRange *vrange)
|
||||
{
|
||||
if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) {
|
||||
PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = *vrange;
|
||||
-
|
||||
+ /* Try to adjust the received range using our policy.
|
||||
+ * If there's overlap, we'll use the (possibly reduced) range.
|
||||
+ * If there isn't overlap, it's failure. */
|
||||
+
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (protocolVariant == ssl_variant_stream) {
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together */
|
||||
+ if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ vrange->min =
|
||||
+ PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
|
||||
+ const SSLVersionRange *vrange)
|
||||
+{
|
||||
+ SSLVersionRange constrainedRange;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ if (!vrange) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ constrainedRange = *vrange;
|
||||
+ rv = ssl3_CheckRangeValidAndConstrainByPolicy(protocolVariant,
|
||||
+ &constrainedRange);
|
||||
+ if (rv != SECSuccess)
|
||||
+ return rv;
|
||||
+
|
||||
+ *VERSIONS_DEFAULTS(protocolVariant) = constrainedRange;
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
|
||||
@@ -2406,41 +2465,50 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
|
||||
{
|
||||
- sslSocket *ss = ssl_FindSocket(fd);
|
||||
-
|
||||
+ SSLVersionRange constrainedRange;
|
||||
+ sslSocket *ss;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ if (!vrange) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet",
|
||||
SSL_GETPID(), fd));
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) {
|
||||
- PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
- return SECFailure;
|
||||
- }
|
||||
+ constrainedRange = *vrange;
|
||||
+ rv = ssl3_CheckRangeValidAndConstrainByPolicy(ss->protocolVariant,
|
||||
+ &constrainedRange);
|
||||
+ if (rv != SECSuccess)
|
||||
+ return rv;
|
||||
|
||||
ssl_Get1stHandshakeLock(ss);
|
||||
ssl_GetSSL3HandshakeLock(ss);
|
||||
|
||||
if (ss->ssl3.downgradeCheckVersion &&
|
||||
ss->vrange.max > ss->ssl3.downgradeCheckVersion) {
|
||||
PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- ss->vrange = *vrange;
|
||||
+ ss->vrange = constrainedRange;
|
||||
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
diff --git a/gtests/ssl_gtest/Makefile b/gtests/ssl_gtest/Makefile
|
||||
--- a/gtests/ssl_gtest/Makefile
|
||||
+++ b/gtests/ssl_gtest/Makefile
|
||||
@@ -32,16 +32,18 @@ CFLAGS += -I$(CORE_DEPTH)/lib/ssl
|
||||
ifdef NSS_SSL_ENABLE_ZLIB
|
||||
include $(CORE_DEPTH)/coreconf/zlib.mk
|
||||
endif
|
||||
|
||||
ifdef NSS_DISABLE_TLS_1_3
|
||||
NSS_DISABLE_TLS_1_3=1
|
||||
# Run parameterized tests only, for which we can easily exclude TLS 1.3
|
||||
CPPSRCS := $(filter-out $(shell grep -l '^TEST_F' $(CPPSRCS)), $(CPPSRCS))
|
||||
+# But always include ssl_versionpolicy_unittest.cc
|
||||
+CPPSRCS += ssl_versionpolicy_unittest.cc
|
||||
CFLAGS += -DNSS_DISABLE_TLS_1_3
|
||||
endif
|
||||
|
||||
#######################################################################
|
||||
# (5) Execute "global" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
diff --git a/gtests/ssl_gtest/manifest.mn b/gtests/ssl_gtest/manifest.mn
|
||||
--- a/gtests/ssl_gtest/manifest.mn
|
||||
+++ b/gtests/ssl_gtest/manifest.mn
|
||||
@@ -33,16 +33,17 @@ CPPSRCS = \
|
||||
ssl_hrr_unittest.cc \
|
||||
ssl_loopback_unittest.cc \
|
||||
ssl_record_unittest.cc \
|
||||
ssl_resumption_unittest.cc \
|
||||
ssl_skip_unittest.cc \
|
||||
ssl_staticrsa_unittest.cc \
|
||||
ssl_v2_client_hello_unittest.cc \
|
||||
ssl_version_unittest.cc \
|
||||
+ ssl_versionpolicy_unittest.cc \
|
||||
test_io.cc \
|
||||
tls_agent.cc \
|
||||
tls_connect.cc \
|
||||
tls_hkdf_unittest.cc \
|
||||
tls_filter.cc \
|
||||
tls_parser.cc \
|
||||
tls_protect.cc \
|
||||
$(NULL)
|
||||
diff --git a/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
|
||||
@@ -0,0 +1,281 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=2 et sw=2 tw=80: */
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+#include "nss.h"
|
||||
+#include "secerr.h"
|
||||
+#include "ssl.h"
|
||||
+#include "ssl3prot.h"
|
||||
+#include "sslerr.h"
|
||||
+#include "sslproto.h"
|
||||
+
|
||||
+#include "gtest_utils.h"
|
||||
+#include "scoped_ptrs.h"
|
||||
+#include "tls_connect.h"
|
||||
+#include "tls_filter.h"
|
||||
+#include "tls_parser.h"
|
||||
+
|
||||
+static bool SSLVersionRangesAreEqual(SSLVersionRange &vr1,
|
||||
+ SSLVersionRange &vr2) {
|
||||
+ return vr1.min == vr2.min && vr1.max == vr2.max;
|
||||
+}
|
||||
+
|
||||
+namespace nss_test {
|
||||
+
|
||||
+class TestVersionRangePolicy : public ::testing::Test {
|
||||
+ protected:
|
||||
+ PRInt32 savedMinTLS;
|
||||
+ PRInt32 savedMaxTLS;
|
||||
+ PRInt32 savedMinDTLS;
|
||||
+ PRInt32 savedMaxDTLS;
|
||||
+ PRUint32 savedAlgorithmPolicy;
|
||||
+
|
||||
+ public:
|
||||
+ void SaveOriginalPolicy() {
|
||||
+ NSS_OptionGet(NSS_TLS_VERSION_MIN_POLICY, &savedMinTLS);
|
||||
+ NSS_OptionGet(NSS_TLS_VERSION_MAX_POLICY, &savedMaxTLS);
|
||||
+ NSS_OptionGet(NSS_DTLS_VERSION_MIN_POLICY, &savedMinDTLS);
|
||||
+ NSS_OptionGet(NSS_DTLS_VERSION_MAX_POLICY, &savedMaxDTLS);
|
||||
+ NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &savedAlgorithmPolicy);
|
||||
+ }
|
||||
+ void SetUsePolicyInSSL() {
|
||||
+ NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
|
||||
+ }
|
||||
+ void RestoreOriginalPolicy() {
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, savedMinTLS);
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, savedMaxTLS);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, savedMinDTLS);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, savedMaxDTLS);
|
||||
+ /* If it wasn't set initially, clear the bit that we set. */
|
||||
+ if (!(savedAlgorithmPolicy & NSS_USE_POLICY_IN_SSL)) {
|
||||
+ NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, 0,
|
||||
+ NSS_USE_POLICY_IN_SSL);
|
||||
+ }
|
||||
+ }
|
||||
+ void SetTLSPolicy(SSLVersionRange &policy) {
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, policy.min);
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, policy.max);
|
||||
+ }
|
||||
+ void SetDTLSPolicy(SSLVersionRange &policy) {
|
||||
+ /* SSL3 isn't allowed for DTLS, but isn't a problem to allow by policy */
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, policy.min);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, policy.max);
|
||||
+ }
|
||||
+ std::string version_to_string(PRInt32 v) {
|
||||
+ switch (v) {
|
||||
+ case SSL_LIBRARY_VERSION_3_0:
|
||||
+ return "ssl3";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_0:
|
||||
+ return "tls1.0";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_1:
|
||||
+ return "tls1.1";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_2:
|
||||
+ return "tls1.2";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_3:
|
||||
+ return "tls1.3";
|
||||
+ case SSL_LIBRARY_VERSION_NONE:
|
||||
+ return "NONE";
|
||||
+ }
|
||||
+ return "undefined???";
|
||||
+ }
|
||||
+ std::string info_str(const SSLVersionRange &policy,
|
||||
+ const SSLVersionRange &vrange,
|
||||
+ const SSLVersionRange *expectation,
|
||||
+ const SSLVersionRange *result, bool testDTLS) {
|
||||
+ return std::string(testDTLS ? "DTLS" : "TLS") + std::string(" policy: ") +
|
||||
+ version_to_string(policy.min) + std::string(",") +
|
||||
+ version_to_string(policy.max) + std::string(" input: ") +
|
||||
+ version_to_string(vrange.min) + std::string(",") +
|
||||
+ version_to_string(vrange.max) +
|
||||
+ (expectation
|
||||
+ ? (std::string(" expected: ") +
|
||||
+ version_to_string(expectation->min) + std::string(",") +
|
||||
+ version_to_string(expectation->max))
|
||||
+ : std::string()) +
|
||||
+ (result
|
||||
+ ? (std::string(" result: ") + version_to_string(result->min) +
|
||||
+ std::string(",") + version_to_string(result->max))
|
||||
+ : std::string());
|
||||
+ }
|
||||
+ void TestPolicyRangeExpectation(SSLVersionRange &policy,
|
||||
+ SSLVersionRange &vrange,
|
||||
+ SSLVersionRange &expectation, bool testDTLS) {
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ SetTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, false);
|
||||
+
|
||||
+ SSLVersionRange result;
|
||||
+ rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &result);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeGetDefault: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, false);
|
||||
+
|
||||
+ EXPECT_EQ(true, SSLVersionRangesAreEqual(result, expectation))
|
||||
+ << "range returned by SSL_VersionRangeGetDefault doesn't match "
|
||||
+ "expectation: "
|
||||
+ << info_str(policy, vrange, &expectation, &result, false);
|
||||
+
|
||||
+ if (testDTLS) {
|
||||
+ SetDTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_datagram, &vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, true);
|
||||
+
|
||||
+ SSLVersionRange result;
|
||||
+ rv = SSL_VersionRangeGetDefault(ssl_variant_datagram, &result);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeGetDefault: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, true);
|
||||
+
|
||||
+ EXPECT_EQ(true, SSLVersionRangesAreEqual(result, expectation))
|
||||
+ << "range returned by SSL_VersionRangeGetDefault doesn't match "
|
||||
+ "expectation: "
|
||||
+ << info_str(policy, vrange, &expectation, &result, true);
|
||||
+ }
|
||||
+ }
|
||||
+ void TestPolicyRangeFailure(SSLVersionRange &policy, SSLVersionRange &vrange,
|
||||
+ bool testDTLS) {
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ SetTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange);
|
||||
+ EXPECT_EQ(SECFailure, rv)
|
||||
+ << "expected failure return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, NULL, NULL, false);
|
||||
+
|
||||
+ if (testDTLS) {
|
||||
+ SetDTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_datagram, &vrange);
|
||||
+ EXPECT_EQ(SECFailure, rv)
|
||||
+ << "expected failure return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, NULL, NULL, true);
|
||||
+ }
|
||||
+ }
|
||||
+ void Run() {
|
||||
+ SaveOriginalPolicy();
|
||||
+ SetUsePolicyInSSL();
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ SSLVersionRange range3to13{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range10to13{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range11to13{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range12to13{SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range13to13{SSL_LIBRARY_VERSION_TLS_1_3,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+#endif
|
||||
+
|
||||
+ SSLVersionRange range3to12{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range10to12{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range11to12{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range12to12{SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+
|
||||
+ SSLVersionRange range3to11{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+ SSLVersionRange range10to11{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+ SSLVersionRange range11to11{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+
|
||||
+ SSLVersionRange range3to10{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_0};
|
||||
+ SSLVersionRange range10to10{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_0};
|
||||
+
|
||||
+ SSLVersionRange range3to3{SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_3_0};
|
||||
+
|
||||
+// When testing SSL3 or TLS1.0, we set "test DTLS" to false.
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ // Invalid range input (cannot enable both SSL3 and TLS1.3)
|
||||
+ TestPolicyRangeFailure(range3to13, range3to13, false);
|
||||
+#endif
|
||||
+
|
||||
+ // No overlap between policy and range input
|
||||
+ TestPolicyRangeFailure(range11to11, range10to10, false);
|
||||
+ TestPolicyRangeFailure(range11to11, range12to12, true);
|
||||
+ TestPolicyRangeFailure(range10to12, range3to3, false);
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ TestPolicyRangeFailure(range10to12, range13to13, true);
|
||||
+#endif
|
||||
+
|
||||
+ // straightforward overlap tests
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to11, range10to12, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to12, range10to12, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range11to12, range10to12, range11to12, false);
|
||||
+ TestPolicyRangeExpectation(range11to12, range11to12, range11to12, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range12to12, range10to12, range12to12, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to3, range3to3, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to10, range3to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to11, range3to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to12, range3to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range3to12, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to12, range12to12, range12to12, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range10to12, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range10to12, range12to12, range12to12, true);
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to13, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to13, range10to13, range10to13, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range11to13, range10to13, range11to13, false);
|
||||
+ TestPolicyRangeExpectation(range11to13, range11to13, range11to13, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range12to13, range10to13, range12to13, false);
|
||||
+ TestPolicyRangeExpectation(range12to13, range11to13, range12to13, true);
|
||||
+ TestPolicyRangeExpectation(range12to13, range12to13, range12to13, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to3, range3to3, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to10, range3to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to11, range3to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to12, range3to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to13, range10to13, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range12to12, range12to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range12to13, range12to13, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range13to13, range13to13, true);
|
||||
+#endif
|
||||
+
|
||||
+ RestoreOriginalPolicy();
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+TEST_F(TestVersionRangePolicy, TestVersionRangesAndCryptoPolicyInteraction) {
|
||||
+ Run();
|
||||
+}
|
||||
+
|
||||
+} // namespace nss_test
|
|
@ -1,44 +1,62 @@
|
|||
diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2015-11-12 13:28:01.574855325 -0800
|
||||
@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
|
||||
PRNetAddr addr;
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
@@ -953,23 +953,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSockett");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2015-11-12 13:26:40.498345875 -0800
|
||||
@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
|
||||
PRNetAddr addr;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
@@ -1711,23 +1711,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
|
||||
--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100
|
||||
+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100
|
||||
@@ -109,6 +109,7 @@ secmod_NewModule(void)
|
||||
*other flags are set */
|
||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
||||
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
|
||||
|
||||
/* private flags for internal (field in SECMODModule). */
|
||||
/* The meaing of these flags is as follows:
|
||||
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
|
||||
if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
|
||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
||||
}
|
||||
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
|
||||
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
|
||||
+ }
|
||||
/* additional moduleDB flags could be added here in the future */
|
||||
mod->isModuleDB = (PRBool)flags;
|
||||
}
|
||||
@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
|
||||
}
|
||||
|
||||
PRBool
|
||||
+secmod_PolicyOnly(SECMODModule *mod)
|
||||
+{
|
||||
+ char flags = (char) mod->isModuleDB;
|
||||
+
|
||||
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
secmod_IsInternalKeySlot(SECMODModule *mod)
|
||||
{
|
||||
char flags = (char)mod->internal;
|
||||
@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
|
||||
if (!module) {
|
||||
goto loser;
|
||||
}
|
||||
+
|
||||
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
|
||||
+ * been parsed as a side effect of the CreateModuleEx call */
|
||||
+ if (secmod_PolicyOnly(module)) {
|
||||
+ return module;
|
||||
+ }
|
||||
if (parent) {
|
||||
module->parent = SECMOD_ReferenceModule(parent);
|
||||
if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
|
@ -0,0 +1,167 @@
|
|||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -7061,49 +7061,68 @@ ssl3_SendClientKeyExchange(sslSocket *ss
|
||||
|
||||
loser:
|
||||
if (serverKey)
|
||||
SECKEY_DestroyPublicKey(serverKey);
|
||||
return rv; /* err code already set. */
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
-ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *key,
|
||||
+ssl_PickSignatureScheme(sslSocket *ss,
|
||||
+ SECKEYPublicKey *pubKey,
|
||||
+ SECKEYPrivateKey *privKey,
|
||||
const SignatureScheme *peerSchemes,
|
||||
unsigned int peerSchemeCount,
|
||||
PRBool requireSha1)
|
||||
{
|
||||
unsigned int i, j;
|
||||
const namedGroupDef *group = NULL;
|
||||
KeyType keyType;
|
||||
+ PK11SlotInfo *slot;
|
||||
+ PRBool slotDoesPss;
|
||||
PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
|
||||
|
||||
- if (!key) {
|
||||
+ if (!pubKey || !privKey) {
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
- keyType = SECKEY_GetPublicKeyType(key);
|
||||
+ slot = PK11_GetSlotFromPrivateKey(privKey);
|
||||
+ if (!slot) {
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
|
||||
+ PK11_FreeSlot(slot);
|
||||
+
|
||||
+ keyType = SECKEY_GetPublicKeyType(pubKey);
|
||||
+
|
||||
if (keyType == ecKey) {
|
||||
- group = ssl_ECPubKey2NamedGroup(key);
|
||||
+ group = ssl_ECPubKey2NamedGroup(pubKey);
|
||||
}
|
||||
|
||||
/* Here we look for the first local preference that the client has
|
||||
* indicated support for in their signature_algorithms extension. */
|
||||
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
SSLHashType hashType;
|
||||
SECOidTag hashOID;
|
||||
SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
|
||||
PRUint32 policy;
|
||||
|
||||
if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
|
||||
preferred)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
+ /* Skip RSA-PSS schemes when the certificate's private key slot does
|
||||
+ * not support this signature mechanism. */
|
||||
+ if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
hashType = ssl_SignatureSchemeToHashType(preferred);
|
||||
hashOID = ssl3_HashTypeToOID(hashType);
|
||||
if (requireSha1 && hashOID != SEC_OID_SHA1) {
|
||||
continue;
|
||||
}
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
|
||||
!(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
/* we ignore hashes we don't support */
|
||||
@@ -7148,51 +7167,54 @@ ssl3_PickServerSignatureScheme(sslSocket
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
return SECFailure;
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* Sets error code, if needed. */
|
||||
- return ssl_PickSignatureScheme(ss, keyPair->pubKey,
|
||||
+ return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
|
||||
ss->ssl3.hs.clientSigSchemes,
|
||||
ss->ssl3.hs.numClientSigScheme,
|
||||
- PR_FALSE);
|
||||
+ PR_FALSE /* requireSha1 */);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes,
|
||||
unsigned int numSchemes)
|
||||
{
|
||||
- SECKEYPublicKey *key;
|
||||
+ SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
|
||||
+ SECKEYPublicKey *pubKey;
|
||||
SECStatus rv;
|
||||
|
||||
- key = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||
- PORT_Assert(key);
|
||||
+ pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||
+ PORT_Assert(pubKey);
|
||||
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
|
||||
- (SECKEY_GetPublicKeyType(key) == rsaKey ||
|
||||
- SECKEY_GetPublicKeyType(key) == dsaKey) &&
|
||||
- SECKEY_PublicKeyStrengthInBits(key) <= 1024) {
|
||||
+ (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
|
||||
+ SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
|
||||
+ SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) {
|
||||
/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
|
||||
* it may be unable to sign SHA-256 hashes. This is the case for older
|
||||
* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
|
||||
* older, DSA key size is at most 1024 bits and the hash function must
|
||||
* be SHA-1.
|
||||
*/
|
||||
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_TRUE);
|
||||
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||
+ PR_TRUE /* requireSha1 */);
|
||||
if (rv == SECSuccess) {
|
||||
- SECKEY_DestroyPublicKey(key);
|
||||
+ SECKEY_DestroyPublicKey(pubKey);
|
||||
return SECSuccess;
|
||||
}
|
||||
/* If this fails, that's because the peer doesn't advertise SHA-1,
|
||||
* so fall back to the full negotiation. */
|
||||
}
|
||||
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_FALSE);
|
||||
- SECKEY_DestroyPublicKey(key);
|
||||
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||
+ PR_FALSE /* requireSha1 */);
|
||||
+ SECKEY_DestroyPublicKey(pubKey);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/* Called from ssl3_HandleServerHelloDone(). */
|
||||
static SECStatus
|
||||
ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey)
|
||||
{
|
||||
SECStatus rv = SECFailure;
|
||||
@@ -10593,16 +10615,23 @@ ssl3_EncodeSigAlgs(sslSocket *ss, PRUint
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
PRUint32 policy = 0;
|
||||
SSLHashType hashType = ssl_SignatureSchemeToHashType(
|
||||
ss->ssl3.signatureSchemes[i]);
|
||||
SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
|
||||
+
|
||||
+ /* Skip RSA-PSS schemes if there are no tokens to verify them. */
|
||||
+ if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
|
||||
+ !PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
|
||||
(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
p = ssl_EncodeUintX((PRUint32)ss->ssl3.signatureSchemes[i], 2, p);
|
||||
}
|
||||
}
|
||||
|
||||
if (p == buf) {
|
||||
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
|
@ -1,12 +0,0 @@
|
|||
diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
|
||||
--- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700
|
||||
@@ -5,7 +5,7 @@
|
||||
|
||||
CORE_DEPTH = ../..
|
||||
|
||||
-DIRS = builtins
|
||||
+DIRS = builtins pem
|
||||
|
||||
PRIVATE_EXPORTS = \
|
||||
ck.h \
|
|
@ -0,0 +1,12 @@
|
|||
diff -up nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7 nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
|
||||
--- nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7 2017-02-08 14:34:04.212655936 +0100
|
||||
+++ nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c 2017-02-08 14:37:33.326388891 +0100
|
||||
@@ -89,7 +89,7 @@ pkix_pl_OcspRequest_Hashcode(
|
||||
PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext,
|
||||
PKIX_CERTHASHCODEFAILED);
|
||||
|
||||
- *pHashcode = (((((extensionHash << 8) || certHash) << 8) ||
|
||||
+ *pHashcode = ((PKIX_UInt32)(((PKIX_UInt32)((extensionHash << 8) || certHash) << 8) ||
|
||||
dateHash) << 8) || signerHash;
|
||||
|
||||
cleanup:
|
|
@ -0,0 +1,55 @@
|
|||
# HG changeset patch
|
||||
# User Tim Taubert <ttaubert@mozilla.com>
|
||||
# Date 1488574640 -3600
|
||||
# Fri Mar 03 21:57:20 2017 +0100
|
||||
# Branch NSS_3_28_BRANCH
|
||||
# Node ID b8145d465ad4086439c4e52df434d9046949127a
|
||||
# Parent 3b9ccd6b37c7242f69404fa4a444b43efb12e319
|
||||
Bug 1342358 - Make sure xtnData->remoteKeyShares was initialized before calling tls13_DestroyKeyShares() r=franziskus
|
||||
|
||||
Differential Revision: https://nss-review.dev.mozaws.net/D234
|
||||
|
||||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -13294,8 +13294,6 @@ ssl3_DestroySSL3Info(sslSocket *ss)
|
||||
tls13_DestroyEarlyData(&ss->ssl3.hs.bufferedEarlyData);
|
||||
|
||||
ss->ssl3.initialized = PR_FALSE;
|
||||
-
|
||||
- SECITEM_FreeItem(&ss->xtnData.nextProto, PR_FALSE);
|
||||
}
|
||||
|
||||
#define MAP_NULL(x) (((x) != 0) ? (x) : SEC_OID_NULL_CIPHER)
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -3704,6 +3704,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
|
||||
PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
|
||||
PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs);
|
||||
PR_INIT_CLIST(&ss->ssl3.hs.bufferedEarlyData);
|
||||
+ ssl3_InitExtensionData(&ss->xtnData);
|
||||
if (makeLocks) {
|
||||
rv = ssl_MakeLocks(ss);
|
||||
if (rv != SECSuccess)
|
||||
@@ -3715,7 +3716,6 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
|
||||
rv = ssl3_InitGather(&ss->gs);
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
- ssl3_InitExtensionData(&ss->xtnData);
|
||||
return ss;
|
||||
|
||||
loser:
|
||||
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
|
||||
--- a/lib/ssl/tls13con.c
|
||||
+++ b/lib/ssl/tls13con.c
|
||||
@@ -2853,6 +2853,9 @@ tls13_DestroyKeyShares(PRCList *list)
|
||||
{
|
||||
PRCList *cur_p;
|
||||
|
||||
+ /* The list must be initialized. */
|
||||
+ PORT_Assert(PR_LIST_HEAD(list));
|
||||
+
|
||||
while (!PR_CLIST_IS_EMPTY(list)) {
|
||||
cur_p = PR_LIST_TAIL(list);
|
||||
PR_REMOVE_LINK(cur_p);
|
|
@ -1,17 +1,15 @@
|
|||
diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
|
||||
--- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700
|
||||
@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
|
||||
DIRS += libpkix
|
||||
endif
|
||||
|
||||
-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
|
||||
diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
|
||||
--- ./nss/cmd/Makefile.skipthem 2017-01-06 13:17:27.477848351 +0100
|
||||
+++ ./nss/cmd/Makefile 2017-01-06 13:19:30.244586100 +0100
|
||||
@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
|
||||
ECPERF_SRCDIR =
|
||||
FREEBL_ECTEST_SRCDIR =
|
||||
FIPSTEST_SRCDIR =
|
||||
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
|
||||
BLTEST_SRCDIR =
|
||||
-FIPSTEST_SRCDIR =
|
||||
-SHLIBSIGN_SRCDIR =
|
||||
+FIPSTEST_SRCDIR =
|
||||
+SHLIBSIGN_SRCDIR = shlibsign
|
||||
+else
|
||||
SHLIBSIGN_SRCDIR =
|
||||
+endif
|
||||
else
|
||||
BLTEST_SRCDIR = bltest
|
||||
FIPSTEST_SRCDIR = fipstest
|
||||
ECPERF_SRCDIR = ecperf
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./gtests/manifest.mn.skip_util_gtest ./gtests/manifest.mn
|
||||
--- ./gtests/manifest.mn.skip_util_gtest 2016-09-29 12:05:28.858019733 +0200
|
||||
+++ ./gtests/manifest.mn 2016-09-29 12:06:17.298681765 +0200
|
||||
@@ -9,8 +9,5 @@ DIRS = \
|
||||
google_test \
|
||||
common \
|
||||
der_gtest \
|
||||
- util_gtest \
|
||||
- pk11_gtest \
|
||||
- ssl_gtest \
|
||||
nss_bogo_shim \
|
||||
$(NULL)
|
243
nss.spec
243
nss.spec
|
@ -1,6 +1,6 @@
|
|||
%global nspr_version 4.12.0
|
||||
%global nss_util_version 3.23.0
|
||||
%global nss_softokn_version 3.23.0
|
||||
%global nspr_version 4.14.0
|
||||
%global nss_util_version 3.30.2
|
||||
%global nss_softokn_version 3.30.2
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
|
@ -18,10 +18,10 @@
|
|||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.23.0
|
||||
Version: 3.30.2
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 3%{?dist}
|
||||
Release: 1.0%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -45,8 +45,30 @@ BuildRequires: gawk
|
|||
BuildRequires: psmisc
|
||||
BuildRequires: perl
|
||||
|
||||
%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
|
||||
%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
|
||||
# nss-pem used to be bundled with the nss package on Fedora -- make sure that
|
||||
# programs relying on that continue to work until they are fixed to require
|
||||
# nss-pem instead. Once all of them are fixed, the following line can be
|
||||
# removed. See https://bugzilla.redhat.com/1346806 for details.
|
||||
Requires: nss-pem
|
||||
|
||||
# NSS 3.28.1 introduced a curve, that is smaller than a check in old
|
||||
# Mozilla code allows.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1413182
|
||||
Conflicts: firefox < 50.1.0-3
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414983
|
||||
Conflicts: xulrunner < 44.0-9
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414929
|
||||
Conflicts: thunderbird < 45.6.0-5
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414982
|
||||
Conflicts: seamonkey < 2.46-2
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414987
|
||||
Conflicts: icecat < 45.5.1-5
|
||||
|
||||
%if %{defined nss_ckbi_suffix}
|
||||
%define full_nss_version %{version}%{nss_ckbi_suffix}
|
||||
%else
|
||||
%define full_nss_version %{version}
|
||||
%endif
|
||||
|
||||
Source0: %{name}-%{full_nss_version}.tar.gz
|
||||
Source1: nss.pc.in
|
||||
|
@ -58,7 +80,6 @@ Source6: blank-cert9.db
|
|||
Source7: blank-key4.db
|
||||
Source8: system-pkcs11.txt
|
||||
Source9: setup-nsssysinit.sh
|
||||
Source12: %{name}-pem-20160308.tar.bz2
|
||||
Source20: nss-config.xml
|
||||
Source21: setup-nsssysinit.xml
|
||||
Source22: pkcs11.txt.xml
|
||||
|
@ -70,14 +91,8 @@ Source27: secmod.db.xml
|
|||
|
||||
Patch2: add-relro-linker-option.patch
|
||||
Patch3: renegotiate-transitional.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=402712
|
||||
Patch6: nss-enable-pem.patch
|
||||
# Below reference applies to most pem module related patches
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
||||
Patch16: nss-539183.patch
|
||||
# must statically link pem against the freebl in the buildroot
|
||||
# Needed only when freebl on tree has new APIS
|
||||
Patch25: nsspem-use-system-freebl.patch
|
||||
# TODO: Remove this patch when the ocsp test are fixed
|
||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||
|
@ -91,13 +106,13 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
Patch52: disableSSL2libssl.patch
|
||||
Patch53: disableSSL2tests.patch
|
||||
Patch54: tstclnt-ssl2-off-by-default.patch
|
||||
Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch59: nss-check-policy-file.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
Patch63: nss-1328318-v8-3.30.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -168,25 +183,21 @@ low level services.
|
|||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -T -D -n %{name}-%{version} -a 12
|
||||
%setup -q -T -D -n %{name}-%{version}
|
||||
|
||||
%patch2 -p0 -b .relro
|
||||
%patch3 -p0 -b .transitional
|
||||
%patch6 -p0 -b .libpem
|
||||
%patch16 -p0 -b .539183
|
||||
# link pem against buildroot's freebl, essential when mixing and matching
|
||||
%patch25 -p0 -b .systemfreebl
|
||||
%patch40 -p0 -b .noocsptest
|
||||
%patch47 -p0 -b .templates
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
pushd nss
|
||||
%patch52 -p1 -b .disableSSL2libssl
|
||||
%patch53 -p1 -b .disableSSL2tests
|
||||
popd
|
||||
%patch54 -p0 -b .ssl2_off
|
||||
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
%patch62 -p0 -b .skip_util_gtest
|
||||
%patch63 -p1 -b .1328318
|
||||
popd
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
@ -194,12 +205,7 @@ popd
|
|||
# until fixed upstream we must copy some headers locally
|
||||
#########################################################
|
||||
|
||||
pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
|
||||
for file in ${pemNeedsFromSoftoken}; do
|
||||
%{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
|
||||
done
|
||||
|
||||
# Copying these header until the upstream bug is accepted
|
||||
# Copying these headers until the upstream bug is accepted
|
||||
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
|
||||
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
|
||||
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
|
||||
|
@ -219,17 +225,12 @@ done
|
|||
%{__rm} -rf ./nss/cmd/fipstest
|
||||
%{__rm} -rf ./nss/cmd/rsaperf_low
|
||||
|
||||
pushd nss/tests/ssl
|
||||
# Create versions of sslcov.txt and sslstress.txt that disable tests
|
||||
# for SSL2 and EXPORT ciphers.
|
||||
cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt
|
||||
cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt
|
||||
popd
|
||||
######## Remove portions that need to statically link with libnssutil.a
|
||||
%{__rm} -rf ./nss/external_tests/util_gtests
|
||||
|
||||
|
||||
%build
|
||||
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
|
||||
NSS_NO_PKCS11_BYPASS=1
|
||||
export NSS_NO_PKCS11_BYPASS
|
||||
|
||||
|
@ -237,8 +238,7 @@ FREEBL_NO_DEPEND=1
|
|||
export FREEBL_NO_DEPEND
|
||||
|
||||
# Enable compiler optimizations and disable debugging code
|
||||
BUILD_OPT=1
|
||||
export BUILD_OPT
|
||||
export BUILD_OPT=1
|
||||
|
||||
# Uncomment to disable optimizations
|
||||
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
|
||||
|
@ -294,15 +294,21 @@ export USE_64
|
|||
export IN_TREE_FREEBL_HEADERS_FIRST=1
|
||||
|
||||
##### phase 2: build the rest of nss
|
||||
# nss supports pluggable ecc with more than suite-b
|
||||
export NSS_ECC_MORE_THAN_SUITE_B=1
|
||||
|
||||
export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
|
||||
export NSS_DISABLE_TLS_1_3=1
|
||||
|
||||
%{__make} -C ./nss/coreconf
|
||||
%{__make} -C ./nss/lib/dbm
|
||||
|
||||
# Set the policy file location
|
||||
# if set NSS will always check for the policy file and load if it exists
|
||||
export POLICY_FILE="nss.config"
|
||||
# location of the policy file
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
# need nss/lib/util/verref.h which is which is exported privately,
|
||||
# need nss/lib/util/verref.h which is exported privately,
|
||||
# copy the one we saved during prep so it they can find it.
|
||||
%{__mkdir_p} ./dist/private/nss
|
||||
%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
|
||||
|
@ -379,6 +385,12 @@ done
|
|||
|
||||
|
||||
%check
|
||||
|
||||
%ifarch armv7hl
|
||||
#temporarily disable tests on armv7hl because infrastructure is running into timeouts
|
||||
DISABLETEST=1
|
||||
%endif
|
||||
|
||||
if [ ${DISABLETEST:-0} -eq 1 ]; then
|
||||
echo "testing disabled"
|
||||
exit 0
|
||||
|
@ -386,14 +398,10 @@ fi
|
|||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that SSL2 is disabled
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
BUILD_OPT=1
|
||||
export BUILD_OPT
|
||||
export BUILD_OPT=1
|
||||
|
||||
%ifnarch noarch
|
||||
%if 0%{__isa_bits} == 64
|
||||
|
@ -404,11 +412,17 @@ export USE_64
|
|||
|
||||
export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
|
||||
# needed for the fips manging test
|
||||
export NSS_DISABLE_TLS_1_3=1
|
||||
|
||||
# needed for the fips mangling test
|
||||
export SOFTOKEN_LIB_DIR=%{_libdir}
|
||||
|
||||
# End -- copied from the build section
|
||||
|
||||
# This is necessary because the test suite tests algorithms that are
|
||||
# disabled by the system policy.
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
|
||||
# enable the following line to force a test failure
|
||||
# find ./nss -name \*.chk | xargs rm -f
|
||||
|
||||
|
@ -450,14 +464,16 @@ pushd ./nss/tests/
|
|||
|
||||
# don't need to run all the tests when testing packaging
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
||||
# nss_ssl_run: cov auth stress
|
||||
# the full list from all.sh is:
|
||||
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
|
||||
# nss_ssl_run: cov auth stapling stress
|
||||
#
|
||||
# Uncomment these lines if you need to temporarily
|
||||
# disable some test suites for faster test builds
|
||||
# global nss_ssl_tests "normal_fips"
|
||||
# global nss_ssl_run "cov auth"
|
||||
# % define nss_ssl_tests "normal_fips"
|
||||
# % define nss_ssl_run "cov"
|
||||
|
||||
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
|
||||
|
||||
|
@ -530,7 +546,7 @@ touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
|
|||
%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
|
||||
|
||||
# Copy the binary libraries we want
|
||||
for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
do
|
||||
%{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
|
||||
done
|
||||
|
@ -646,24 +662,6 @@ else
|
|||
fi
|
||||
/sbin/ldconfig
|
||||
|
||||
%posttrans
|
||||
# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
|
||||
# (The incorrect %%postun always called "update-alternatives --remove",
|
||||
# because it incorrectly assumed that test -f returns false for symbolic links.)
|
||||
# The only possible remedy to fix the mistake that "always removes on upgrade"
|
||||
# made by the older %%postun script, is to repair it in %%posttrans of the new package.
|
||||
# Strategy:
|
||||
# %%posttrans is never called when uninstalling.
|
||||
# %%posttrans is only called when installing or upgrading a package.
|
||||
# Because %%posttrans is the very last action of a package install,
|
||||
# %%{_libdir}/libnssckbi.so must exist.
|
||||
# If it does not, it's the result of the incorrect removal from a broken %%postun.
|
||||
# In this case, we repeat installation of the alternatives link.
|
||||
if ! test -e %{_libdir}/libnssckbi.so; then
|
||||
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
|
||||
%{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
|
||||
fi
|
||||
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
|
@ -674,7 +672,6 @@ fi
|
|||
%{_libdir}/libsmime3.so
|
||||
%ghost %{_libdir}/libnssckbi.so
|
||||
%{_libdir}/nss/libnssckbi.so
|
||||
%{_libdir}/libnsspem.so
|
||||
%dir %{_sysconfdir}/pki/nssdb
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
||||
|
@ -770,7 +767,6 @@ fi
|
|||
%{_includedir}/nss3/keythi.h
|
||||
%{_includedir}/nss3/nss.h
|
||||
%{_includedir}/nss3/nssckbi.h
|
||||
%{_includedir}/nss3/nsspem.h
|
||||
%{_includedir}/nss3/ocsp.h
|
||||
%{_includedir}/nss3/ocspt.h
|
||||
%{_includedir}/nss3/p12.h
|
||||
|
@ -815,14 +811,93 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-3
|
||||
* Mon Apr 24 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-2
|
||||
- Rebase to NSS 3.30.2
|
||||
|
||||
* Wed Mar 29 2017 Daiki Ueno <dueno@redhat.com> - 3.29.3-1.1
|
||||
- Backport mozbz#1334976 and mozbz#1336487, from F26
|
||||
|
||||
* Mon Mar 20 2017 Daiki Ueno <dueno@redhat.com> - 3.29.3-1.0
|
||||
- Rebase to NSS 3.29.3
|
||||
- Remove upstreamed patch for fixing crash in tls13_DestroyKeyShares
|
||||
|
||||
* Thu Mar 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-1.1
|
||||
- Fix crash in tls13_DestroyKeyShares
|
||||
|
||||
* Tue Feb 21 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-1.0
|
||||
- Rebase to NSS 3.28.3
|
||||
|
||||
* Fri Jan 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.3
|
||||
- Disable TLS 1.3
|
||||
- Add "Conflicts" with packages using older Mozilla codebase, which is
|
||||
not compatible with NSS 3.28.1
|
||||
- Remove NSS_ECC_MORE_THAN_SUITE_B setting, as it was removed in upstream
|
||||
|
||||
* Tue Jan 17 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.2
|
||||
- Add "Conflicts" with older firefox packages which don't have support
|
||||
for smaller curves added in NSS 3.28.1
|
||||
|
||||
* Fri Jan 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.1
|
||||
- Fix incorrect version specification in %%nss_{util,softokn}_version,
|
||||
pointed by Elio Maldonado
|
||||
|
||||
* Thu Jan 12 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.0
|
||||
- Rebase to NSS 3.28.1
|
||||
- Remove upstreamed patch for disabling RSA-PSS
|
||||
- Re-enable TLS 1.3
|
||||
|
||||
* Tue Nov 15 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.3
|
||||
- Revert the previous fix for RSA-PSS and use the upstream fix instead
|
||||
|
||||
* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-1.2
|
||||
- Disable the use of RSA-PSS with SSL/TLS. #1383809
|
||||
|
||||
* Sun Oct 2 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.1
|
||||
- Disable TLS 1.3 for now, to avoid reported regression with TLS to
|
||||
version intolerant servers
|
||||
|
||||
* Thu Sep 29 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.0
|
||||
- Rebase to NSS 3.27.0
|
||||
- Remove upstreamed ectest patch
|
||||
|
||||
* Mon Aug 8 2016 Daiki Ueno <dueno@redhat.com> - 3.26.0-1.0
|
||||
- Rebase to NSS 3.26.0
|
||||
- Update check policy file patch to better match what was upstreamed
|
||||
- Remove conditionally ignore system policy patch as it has been upstreamed
|
||||
- Skip ectest as well as ecperf, which are built as part of nss-softokn
|
||||
- Fix rpmlint error regarding %%define usage
|
||||
|
||||
* Wed Jul 20 2016 Kamil Dudka <kdudka@redhat.com> - 3.25.0-1.2
|
||||
- decouple nss-pem from the nss package (#1347336)
|
||||
|
||||
* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-1.1
|
||||
- Tidy up the spec file
|
||||
|
||||
* Mon Jun 27 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-1.0
|
||||
- Rebase to nss 3.25
|
||||
|
||||
* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.2
|
||||
- Allow application requests to disable SSL v2 to succeed
|
||||
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
|
||||
|
||||
* Mon May 30 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.1
|
||||
- Update nss_tests with some of the new gtests from upstream
|
||||
|
||||
* Fri May 27 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.0
|
||||
- Rebase to NSS 3.24.0
|
||||
|
||||
* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.2
|
||||
- Remove unused patch rendered obsolete by pem update
|
||||
- Fix release number in previous changelog entry
|
||||
|
||||
* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.1
|
||||
- Update pem sources to latest from nss-pem upstream
|
||||
- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
|
||||
|
||||
* Sat Mar 05 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-2
|
||||
* Sun Mar 06 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.0
|
||||
- Rebase to NSS 3.23
|
||||
|
||||
* Sat Feb 27 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-2
|
||||
* Sun Feb 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-1.0
|
||||
- Rebase to NSS 3.22.2
|
||||
|
||||
* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-3
|
||||
|
|
|
@ -1,80 +0,0 @@
|
|||
diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
|
||||
--- nss/lib/ckfw/pem/config.mk.systemfreebl 2012-08-11 09:06:59.000000000 -0700
|
||||
+++ nss/lib/ckfw/pem/config.mk 2013-04-04 16:02:33.805744145 -0700
|
||||
@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
|
||||
# are specifed as dependencies within rules.mk.
|
||||
#
|
||||
|
||||
+
|
||||
+EXTRA_LIBS += \
|
||||
+ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
|
||||
+ $(NULL)
|
||||
+
|
||||
TARGETS = $(SHARED_LIBRARY)
|
||||
LIBRARY =
|
||||
IMPORT_LIBRARY =
|
||||
@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
|
||||
MKSHLIB += -R '$$ORIGIN'
|
||||
endif
|
||||
|
||||
+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
|
||||
+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
|
||||
+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
|
||||
+ifdef USE_SYSTEM_NSSUTIL
|
||||
+OS_LIBS += $(NSSUTIL_LIBS)
|
||||
+else
|
||||
+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
|
||||
+EXTRA_LIBS += $(NSSUTIL_LIBS)
|
||||
+endif
|
||||
+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
|
||||
+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
|
||||
+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
|
||||
+ifdef USE_SYSTEM_FREEBL
|
||||
+OS_LIBS += $(FREEBL_LIBS)
|
||||
+else
|
||||
+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
|
||||
+EXTRA_LIBS += $(FREEBL_LIBS)
|
||||
+endif
|
||||
+
|
||||
diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
|
||||
--- nss/lib/ckfw/pem/Makefile.systemfreebl 2012-08-11 09:06:59.000000000 -0700
|
||||
+++ nss/lib/ckfw/pem/Makefile 2013-04-04 16:02:33.806744154 -0700
|
||||
@@ -43,8 +43,7 @@ include config.mk
|
||||
EXTRA_LIBS = \
|
||||
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
|
||||
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
|
||||
- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
|
||||
- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
|
||||
+ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
|
||||
$(NULL)
|
||||
|
||||
# can't do this in manifest.mn because OS_TARGET isn't defined there.
|
||||
@@ -56,6 +55,9 @@ EXTRA_LIBS += \
|
||||
-lplc4 \
|
||||
-lplds4 \
|
||||
-lnspr4 \
|
||||
+ -L$(NSSUTIL_LIB_DIR) \
|
||||
+ -lnssutil3 \
|
||||
+ -lfreebl3
|
||||
$(NULL)
|
||||
else
|
||||
EXTRA_SHARED_LIBS += \
|
||||
@@ -74,6 +76,9 @@ EXTRA_LIBS += \
|
||||
-lplc4 \
|
||||
-lplds4 \
|
||||
-lnspr4 \
|
||||
+ -L$(NSSUTIL_LIB_DIR) \
|
||||
+ -lnssutil3 \
|
||||
+ -lfreebl3 \
|
||||
$(NULL)
|
||||
endif
|
||||
|
||||
diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
|
||||
--- nss/lib/ckfw/pem/manifest.mn.systemfreebl 2012-08-11 09:06:59.000000000 -0700
|
||||
+++ nss/lib/ckfw/pem/manifest.mn 2013-04-04 16:02:33.807744163 -0700
|
||||
@@ -65,4 +65,4 @@ REQUIRES = nspr
|
||||
|
||||
LIBRARY_NAME = nsspem
|
||||
|
||||
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
|
||||
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3
|
|
@ -1,146 +0,0 @@
|
|||
diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
|
||||
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
|
||||
};
|
||||
typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
|
||||
|
||||
+/* NOTE: Discrepancy with the the way callers use of the return value as a count
|
||||
+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
|
||||
+ */
|
||||
SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
|
||||
const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
|
||||
void pem_PopulateModulusExponent(pemInternalObject *io);
|
||||
diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
|
||||
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
|
||||
char *ivstring = NULL;
|
||||
int cipher;
|
||||
|
||||
- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int (a count) and the declaration as a SECStatus. */
|
||||
+ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs <= 0) {
|
||||
nss_ZFreeIf(objs);
|
||||
return CKR_GENERAL_ERROR;
|
||||
@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
|
||||
if (keyfile) { /* add the private key */
|
||||
SECItem **keyobjs = NULL;
|
||||
int kobjs = 0;
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. */
|
||||
kobjs =
|
||||
- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
+ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
&ivstring, PR_FALSE);
|
||||
if (kobjs < 1) {
|
||||
error = CKR_GENERAL_ERROR;
|
||||
diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
|
||||
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -630,6 +630,11 @@ pem_DestroyInternalObject
|
||||
if (io->u.key.ivstring)
|
||||
free(io->u.key.ivstring);
|
||||
break;
|
||||
+ case pemAll:
|
||||
+ /* pemAll is not used, keep the compiler happy
|
||||
+ * TODO: investigate a proper solution
|
||||
+ */
|
||||
+ return;
|
||||
}
|
||||
|
||||
if (NULL != gobj)
|
||||
@@ -1044,7 +1049,9 @@ pem_CreateObject
|
||||
int nobjs = 0;
|
||||
int i;
|
||||
int objid;
|
||||
+#if 0
|
||||
pemToken *token;
|
||||
+#endif
|
||||
int cipher;
|
||||
char *ivstring = NULL;
|
||||
pemInternalObject *listObj = NULL;
|
||||
@@ -1073,7 +1080,9 @@ pem_CreateObject
|
||||
}
|
||||
slotID = nssCKFWSlot_GetSlotID(fwSlot);
|
||||
|
||||
+#if 0
|
||||
token = (pemToken *) mdToken->etc;
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* only create keys and certs.
|
||||
@@ -1114,7 +1123,11 @@ pem_CreateObject
|
||||
}
|
||||
|
||||
if (objClass == CKO_CERTIFICATE) {
|
||||
- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. Typecasting as a
|
||||
+ * temporary workaround.
|
||||
+ */
|
||||
+ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs < 1)
|
||||
goto loser;
|
||||
|
||||
diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
|
||||
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* unused functions */
|
||||
+#if 0
|
||||
static SHA1Context *SHA1_CloneContext(SHA1Context * original)
|
||||
{
|
||||
SHA1Context *clone = NULL;
|
||||
@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
+#endif /* unused functions */
|
||||
|
||||
/*
|
||||
* Format one block of data for public/private key encryption using
|
||||
diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
|
||||
--- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800
|
||||
@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
-int
|
||||
+/* FIX: Returns a SECStatus yet callers take result as a count */
|
||||
+SECStatus
|
||||
ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
|
||||
int *cipher, char **ivstring, PRBool certsonly)
|
||||
{
|
||||
@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
goto loser;
|
||||
}
|
||||
if ((certsonly && !key) || (!certsonly && key)) {
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
} else {
|
||||
free(der->data);
|
||||
free(der);
|
||||
@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
}
|
||||
|
||||
/* NOTE: This code path has never been tested. */
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
}
|
||||
|
||||
nss_ZFreeIf(filedata.data);
|
|
@ -1,12 +1,12 @@
|
|||
diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
|
||||
--- ./nss/lib/ssl/sslsock.c.transitional 2016-03-05 08:54:13.871412639 -0800
|
||||
+++ ./nss/lib/ssl/sslsock.c 2016-03-05 09:00:27.721889811 -0800
|
||||
@@ -77,7 +77,7 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
- 2, /* enableRenegotiation (default: requires extension) */
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
PR_TRUE, /* cbcRandomIV */
|
||||
--- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400
|
||||
+++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400
|
||||
@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
- 2, /* enableRenegotiation (default: requires extension) */
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
PR_TRUE, /* cbcRandomIV */
|
||||
|
|
|
@ -1,14 +1,23 @@
|
|||
diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
|
||||
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2015-09-29 16:24:18.717593591 -0700
|
||||
+++ ./nss/lib/ssl/ssl3con.c 2015-09-29 16:25:22.672879926 -0700
|
||||
@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
|
||||
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
|
||||
+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
|
||||
@@ -118,18 +118,18 @@
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
#endif /* NSS_DISABLE_ECC */
|
||||
|
||||
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
|
||||
--- ./nss/tests/ssl/sslstress.txt.skip 2015-09-11 21:48:21.763187957 -0700
|
||||
+++ ./nss/tests/ssl/sslstress.txt 2015-09-11 21:50:10.516514535 -0700
|
||||
@@ -8,29 +8,29 @@
|
||||
# Enable return server client Test Case name
|
||||
# ECC value params params
|
||||
# ------- ------ ------ ------ ---------------
|
||||
- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
- noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
|
||||
- noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
|
||||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||
- SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||
+# noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
+# noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
|
||||
+# noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
|
||||
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||
+# SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||
|
||||
#
|
||||
# add client auth versions here...
|
||||
#
|
||||
- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
|
||||
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
|
||||
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
|
||||
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||
+# noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
|
||||
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
|
||||
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
|
||||
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||
|
||||
#
|
||||
# ############################ ECC ciphers ############################
|
13
sources
13
sources
|
@ -1,7 +1,6 @@
|
|||
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
||||
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
|
||||
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
|
||||
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
|
||||
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
|
||||
4d8e770b105483e365f3327d883dd229 nss-pem-20160308.tar.bz2
|
||||
574488f97390085832299cc3b90814a8 nss-3.23.0.tar.gz
|
||||
SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
|
||||
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
|
||||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||
SHA512 (nss-3.30.2.tar.gz) = 02f14bc000cbde42268c4b6f42df80680b010d1491643ef9b11e0bac31a286a2e7fa251c40cb4ac70b64883a1b90efc64440ef9d797357f8a47cd37195fc5500
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c
|
||||
--- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off 2015-08-07 11:12:13.000000000 -0700
|
||||
+++ ./nss/cmd/tstclnt/tstclnt.c 2015-09-11 20:08:34.771859950 -0700
|
||||
@@ -212,7 +212,7 @@ static void PrintParameterUsage(void)
|
||||
fprintf(stderr,
|
||||
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
|
||||
"%-20s All versions are enabled by default.\n"
|
||||
- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
+ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
"%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
|
||||
"-V [min]:[max]", "", "", "");
|
||||
fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
|
||||
@@ -911,7 +911,7 @@ int main(int argc, char **argv)
|
||||
int npds;
|
||||
int override = 0;
|
||||
SSLVersionRange enabledVersions;
|
||||
- PRBool enableSSL2 = PR_TRUE;
|
||||
+ PRBool enableSSL2 = PR_FALSE;
|
||||
int bypassPKCS11 = 0;
|
||||
int disableLocking = 0;
|
||||
int useExportPolicy = 0;
|
Loading…
Reference in New Issue