Compare commits

...

2 Commits

Author SHA1 Message Date
Elio Maldonado 2e6c4e9da8 Disable SSL2 support and fix syntax errors in various shell scripts
- sync. up with latest changes for rawhide
2015-02-04 14:33:04 -08:00
Elio Maldonado ab703f693c Disable support for ssl2
- Support is disabled by setting a built time environmenet variable, export NSS_NO_SSL2=1, in the spec file
- Support can be restored by not setting that environment variable
2014-07-18 07:35:10 -07:00
8 changed files with 405 additions and 34 deletions

2
.gitignore vendored
View File

@ -8,4 +8,4 @@ TestCA.ca.cert
TestUser50.cert
TestUser51.cert
/nss-pem-20140125.tar.bz2
/nss-3.16.2.tar.gz
/nss-3.17.4.tar.gz

View File

@ -0,0 +1,72 @@
diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
--- ./nss/lib/ssl/config.mk.disableSSL2 2014-06-24 13:45:27.000000000 -0700
+++ ./nss/lib/ssl/config.mk 2014-07-12 12:32:06.011646588 -0700
@@ -7,6 +7,10 @@ ifdef NISCC_TEST
DEFINES += -DNISCC_TEST
endif
+ifdef NSS_NO_SSL2
+DEFINES += -DNSS_NO_SSL2
+endif
+
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
else
diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
--- ./nss/lib/ssl/sslsock.c.disableSSL2 2014-07-12 12:32:05.970645943 -0700
+++ ./nss/lib/ssl/sslsock.c 2014-07-12 12:36:46.096072901 -0700
@@ -653,6 +653,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -670,6 +676,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
ss->cipherSpecs = NULL;
ss->sizeCipherSpecs = 0;
}
+#endif /* NSS_NO_SSL2 */
break;
case SSL_NO_CACHE:
@@ -685,6 +692,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -696,6 +709,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
if (!on) {
ss->opt.enableSSL2 = on;
}
+#endif /* NSS_NO_SSL2 */
break;
case SSL_ROLLBACK_DETECTION:
@@ -1146,7 +1160,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
if (ssl_IsRemovedCipherSuite(which)) {
rv = SECSuccess;
} else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+#else
rv = ssl2_SetPolicy(which, policy);
+#endif
} else {
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
}

54
disable-sslv2-tests.patch Normal file
View File

@ -0,0 +1,54 @@
diff -up ./nss/tests/chains/chains.sh.disableSSL2 ./nss/tests/chains/chains.sh
--- ./nss/tests/chains/chains.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
+++ ./nss/tests/chains/chains.sh 2014-07-12 12:38:36.407821766 -0700
@@ -40,7 +40,11 @@ is_httpserv_alive()
fi
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
+ echo "skipping kill because SSL2 was disabled"
+ else
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
+ fi
echo "httpserv with PID ${PID} found at `date`"
}
@@ -59,7 +63,11 @@ wait_for_httpserv()
echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
if [ $? -ne 0 ]; then
- html_failed "Waiting for Server"
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
+ html_passed "Waiting for Server is supposed to fail"
+ else
+ html_failed "Waiting for Server"
+ fi
fi
fi
is_httpserv_alive
TESTNAME="Test that OCSP server is reachable"
check_ocsp ${VALUE}
if [ $? -ne 0 ]; then
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
+ html_passed "$TESTNAME"
+ else
html_failed "$TESTNAME"
+ fi
break;
else
html_passed "$TESTNAME"
diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
--- ./nss/tests/ssl/ssl.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
+++ ./nss/tests/ssl/ssl.sh 2014-07-12 12:37:25.476697212 -0700
@@ -278,6 +278,11 @@ ssl_cov()
echo "${testname}" | grep "SSL2" > /dev/null
SSL2=$?
+ # skip export and ssl2 tests when build has disabled SSL2
+ if [[ "${NSS_NO_SSL2}" = "1" ]] && [[ -n ${EXP} -o -n ${SSL2} ]] ; then
+ continue
+ fi
+
if [ "${SSL2}" -eq 0 ] ; then
# We cannot use asynchronous cert verification with SSL2
SSL2_FLAGS=-O

View File

@ -9,6 +9,32 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
#######################################################################
diff -up nss/cmd/certcgi/Makefile.iquote nss/cmd/certcgi/Makefile
--- nss/cmd/certcgi/Makefile.iquote 2014-08-19 10:18:35.713017904 -0700
+++ nss/cmd/certcgi/Makefile 2014-08-19 10:19:36.106528087 -0700
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/certutil/Makefile.iquote nss/cmd/certutil/Makefile
--- nss/cmd/certutil/Makefile.iquote 2014-08-19 10:23:39.697585905 -0700
+++ nss/cmd/certutil/Makefile 2014-08-19 10:24:31.060019803 -0700
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
--- nss/cmd/lib/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/lib/Makefile 2014-05-06 07:15:41.174387806 -0700

158
nss.spec
View File

@ -1,8 +1,8 @@
%global nspr_version 4.10.6
%global nss_util_version 3.16.2
%global nss_softokn_version 3.16.2
%global nspr_version 4.10.7
%global nss_util_version 3.17.4
%global nss_softokn_version 3.17.4
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
# solution taken from icedtea-web.spec
%define multilib_arches %{power64} sparc64 x86_64
@ -18,8 +18,8 @@
Summary: Network Security Services
Name: nss
Version: 3.16.2
Release: 1%{?dist}
Version: 3.17.4
Release: 2%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@ -74,7 +74,6 @@ Patch2: add-relro-linker-option.patch
Patch3: renegotiate-transitional.patch
Patch6: nss-enable-pem.patch
Patch16: nss-539183.patch
Patch18: nss-646045.patch
# must statically link pem against the freebl in the buildroot
# Needed only when freebl on tree has new APIS
Patch25: nsspem-use-system-freebl.patch
@ -91,6 +90,15 @@ Patch49: nss-skip-bltest-and-fipstest.patch
# headers are older. Such is the case when starting an update with API changes or even private export changes.
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
Patch50: iquote.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
Patch51: tls12.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1057463
# Implementing TLS 1.3 is a tracking bug and it's possible that
# it may necessitate disabling SSL2 support. SSL2 support has been
# disabled downstream in Red Hat Enterprise Linux since RHEL-7.0
Patch52: disableSSL2.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367
Patch92: scripts-syntax-errors.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -171,13 +179,17 @@ low level services.
%patch3 -p0 -b .transitional
%patch6 -p0 -b .libpem
%patch16 -p0 -b .539183
%patch18 -p0 -b .646045
# link pem against buildroot's freebl, essential when mixing and matching
%patch25 -p0 -b .systemfreebl
%patch40 -p0 -b .noocsptest
%patch47 -p0 -b .templates
%patch49 -p0 -b .skipthem
%patch50 -p0 -b .iquote
pushd nss
%patch51 -p1 -b .994599
%patch52 -p1 -b .disableSSL2
%patch92 -p1 -b .syntax
popd
#########################################################
# Higher-level libraries and test tools need access to
@ -208,6 +220,8 @@ done
%build
export NSS_NO_SSL2=1
NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS
@ -355,6 +369,10 @@ if [ ${DISABLETEST:-0} -eq 1 ]; then
fi
# Begin -- copied from the build section
# inform the ssl test scripts that SSL2 is disabled
export NSS_NO_SSL2=1
FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND
@ -423,7 +441,13 @@ nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits c
# global nss_ssl_tests "normal_fips"
# global nss_ssl_run "cov auth"
HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
else
echo "skipped test suite"
fi
popd
@ -434,7 +458,13 @@ popd
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || :
TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
else
TEST_FAILURES=0
GREP_EXIT_STATUS=1
fi
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
echo "okay: test suite detected no failures"
else
@ -468,6 +498,12 @@ echo "test suite completed"
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
%if %{defined rhel}
# not needed for rhel and its derivatives only fedora
%else
# because of the pp.1 conflict with perl-PAR-Packer
%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
%endif
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
@ -537,8 +573,14 @@ for f in nss-config setup-nsssysinit; do
done
# Copy the man pages for the nss tools
for f in "%{allTools}"; do
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
%if %{defined rhel}
install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
%else
install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
%endif
# Copy the man pages for the configuration files
for f in pkcs11.txt; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
@ -607,6 +649,8 @@ fi
%files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license nss/COPYING
%{_libdir}/libnss3.so
%{_libdir}/libssl3.so
%{_libdir}/libsmime3.so
@ -620,12 +664,12 @@ fi
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
%attr(0644,root,root) %doc %{_mandir}/man5/cert8.db.5.gz
%attr(0644,root,root) %doc %{_mandir}/man5/key3.db.5.gz
%attr(0644,root,root) %doc %{_mandir}/man5/secmod.db.5.gz
%attr(0644,root,root) %doc %{_mandir}/man5/cert9.db.5.gz
%attr(0644,root,root) %doc %{_mandir}/man5/key4.db.5.gz
%attr(0644,root,root) %doc %{_mandir}/man5/pkcs11.txt.5.gz
%files sysinit
%defattr(-,root,root)
@ -633,7 +677,7 @@ fi
%{_bindir}/setup-nsssysinit.sh
# symbolic link to setup-nsssysinit.sh
%{_bindir}/setup-nsssysinit
%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/setup-nsssysinit.1.gz
%files tools
%defattr(-,root,root)
@ -658,26 +702,31 @@ fi
%{unsupported_tools_directory}/vfychain
# instead of %%{_mandir}/man*/* let's list them explicitely
# supported tools
%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/certutil.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/cmsutil.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/crlutil.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/modutil.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/pk12util.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/signtool.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/signver.1.gz
# unsupported tools
%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/derdump.1.gz
%if %{defined rhel}
%attr(0644,root,root) %doc %{_mandir}/man1/pp.1.gz
%else
%dir %{_datadir}/doc/nss-tools
%attr(0644,root,root) %doc %{_datadir}/doc/nss-tools/pp.1
%endif
%attr(0644,root,root) %doc %{_mandir}/man1/ssltap.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/vfychain.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/vfyserv.1.gz
%files devel
%defattr(-,root,root)
%{_libdir}/libcrmf.a
%{_libdir}/pkgconfig/nss.pc
%{_bindir}/nss-config
%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz
%attr(0644,root,root) %doc %{_mandir}/man1/nss-config.1.gz
%dir %{_includedir}/nss3
%{_includedir}/nss3/cert.h
@ -747,6 +796,53 @@ fi
%changelog
* Wed Feb 04 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-2
- Disable SSL2 support and fix syntax errors in various shell scripts
* Wed Jan 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-1
- Update to nss-3.17.4
* Sat Jan 24 2015 Ville Skyttä <ville.skytta@iki.fi> - 3.17.3-4
- Own the %%{_datadir}/doc/nss-tools dir
* Tue Dec 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-3
- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1
- Use %%{_mandir} instead of /usr/share/man as more generic
* Mon Dec 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-2
- Install pp man page in alternative location
- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
* Fri Dec 05 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-1
- Update to nss-3.17.3
- Resolves: Bug 1171012 - nss-3.17.3 is available
* Thu Oct 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-2
- Resolves: Bug 994599 - Enable TLS 1.2 by default
* Sun Oct 12 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-1
- Update to nss-3.17.2
* Wed Sep 24 2014 Kai Engert <kaie@redhat.com> - 3.17.1-1
- Update to nss-3.17.1
- Add a mechanism to skip test suite execution during development work
* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 3.17.0-2
- Rebuild for rpm bug 1131960
* Tue Aug 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.0-1
- Update to nss-3.17.0
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.16.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Wed Jul 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-3
- Replace expired PayPal test cert with current one to prevent build failure
* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 3.16.2-2
- fix license handling
* Sun Jun 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
- Update to nss-3.16.2

View File

@ -0,0 +1,87 @@
diff --git a/tests/all.sh b/tests/all.sh
--- a/tests/all.sh
+++ b/tests/all.sh
@@ -296,17 +296,17 @@ fi
# NOTE:
# Since in make at the top level, modutil is the last file
# created, we check for modutil to know whether the build
# is complete. If a new file is created after that, the
# following test for modutil should check for that instead.
# Exception: when building softoken only, shlibsign is the
# last file created.
-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
+if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
LAST_FILE_BUILT=shlibsign
else
LAST_FILE_BUILT=modutil
fi
if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
html_head "Testing Initialization"
diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh
--- a/tests/cipher/cipher.sh
+++ b/tests/cipher/cipher.sh
@@ -119,17 +119,17 @@ cipher_cleanup()
}
################## main #################################################
# When building without softoken, bltest isn't built. It was already
# built and the cipher suite run as part of an nss-softoken build.
if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
echo "bltest not built, skipping this test." >> ${LOGFILE}
- res = 0
+ #res = 0
html_msg $res $EXP_RET "$TESTNAME"
return 0
fi
cipher_init
# Skip cipher_main if this an NSS without softoken build.
if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
cipher_main
fi
diff --git a/tests/common/init.sh b/tests/common/init.sh
--- a/tests/common/init.sh
+++ b/tests/common/init.sh
@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
{
html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>"
echo "$SCRIPTNAME: $* ==============================="
}
html_msg()
{
- if [ "$1" -ne "$2" ] ; then
+ if [ "$1" != "$2" ] ; then
html_failed "$3" "$4"
else
html_passed "$3" "$4"
fi
}
HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
--- a/tests/dbtests/dbtests.sh
+++ b/tests/dbtests/dbtests.sh
@@ -170,7 +170,7 @@ dbtest_main()
# skipping the next two tests when user is root,
# otherwise they would fail due to rooty powers
- if [ $UID -ne 0 ] then
+ if [[ $UID -ne 0 ]]; then
${BINDIR}/dbtest -d $RONLY_DIR
ret=$?
if [ $ret -ne 46 ]; then
@@ -181,7 +181,7 @@ dbtest_main()
else
html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
fi
- if [ $UID -ne 0 ] then
+ if [[ $UID -ne 0 ]]; then
${BINDIR}/certutil -D -n "TestUser" -d .
ret=$?
if [ $ret -ne 255 ]; then

View File

@ -3,9 +3,9 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
838b7b6e0c3563059f6e77d149666448 PayPalEE.cert
c9fefa97dc184a5857f12d938517ed81 PayPalEE.cert
f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
afc6789c9d805db5be1e5f3c533394f1 nss-3.16.2.tar.gz
a77df26072cabf8afb26911b6fa9b755 nss-3.17.4.tar.gz

36
tls12.patch Normal file
View File

@ -0,0 +1,36 @@
# HG changeset patch
# User Martin Thomson <martin.thomson@gmail.com>
# Date 1413479112 25200
# Thu Oct 16 10:05:12 2014 -0700
# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d
# Parent 24852c6f89ea7ed2b8f231320d9a0a03bdd706d4
Bug 1083900 - Updating default maximum version to 1.2
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
PR_FALSE /* enableFallbackSCSV */
};
/*
* default range of enabled SSL/TLS protocols
*/
static SSLVersionRange versions_defaults_stream = {
SSL_LIBRARY_VERSION_3_0,
- SSL_LIBRARY_VERSION_TLS_1_0
+ SSL_LIBRARY_VERSION_TLS_1_2
};
static SSLVersionRange versions_defaults_datagram = {
SSL_LIBRARY_VERSION_TLS_1_1,
- SSL_LIBRARY_VERSION_TLS_1_1
+ SSL_LIBRARY_VERSION_TLS_1_2
};
#define VERSIONS_DEFAULTS(variant) \
(variant == ssl_variant_stream ? &versions_defaults_stream : \
&versions_defaults_datagram)
sslSessionIDLookupFunc ssl_sid_lookup;
sslSessionIDCacheFunc ssl_sid_cache;