Compare commits
26 Commits
Author | SHA1 | Date |
---|---|---|
Daiki Ueno | 31e6f832ea | |
Daiki Ueno | 75d7e4f171 | |
Daiki Ueno | 88a7dca599 | |
Daiki Ueno | 51ea22c0ae | |
Daiki Ueno | 59d6576ae3 | |
Daiki Ueno | 4b8ce1e9a2 | |
Daiki Ueno | 2f6ed8e621 | |
Daiki Ueno | 23d923663d | |
Daiki Ueno | ab0cf790fc | |
Kai Engert | 02d2d2e6ff | |
Daiki Ueno | 3f9e705c49 | |
Daiki Ueno | 0d986ea964 | |
Daiki Ueno | c305f0f5af | |
Daiki Ueno | 7a09c1cf34 | |
Kamil Dudka | e7c1973f6e | |
Elio Maldonado | da1e2f1008 | |
Elio Maldonado | 689db2cb2b | |
Elio Maldonado | c901508114 | |
Elio Maldonado | d0d1a5f997 | |
Elio Maldonado | 996e173db6 | |
Elio Maldonado | 9bb2cf3374 | |
Elio Maldonado | 654b8a9495 | |
Elio Maldonado | c30e6463f2 | |
Elio Maldonado | 89d2571dee | |
Elio Maldonado | 215b206468 | |
Elio Maldonado | b8b223eab0 |
|
@ -9,43 +9,4 @@ TestUser50.cert
|
|||
TestUser51.cert
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.25.0.tar.gz
|
||||
/nss-3.26.0.tar.gz
|
||||
/nss-3.27.0.tar.gz
|
||||
/nss-3.27.2.tar.gz
|
||||
/nss-3.28.1.tar.gz
|
||||
/nss-3.29.0.tar.gz
|
||||
/nss-3.29.1.tar.gz
|
||||
/nss-3.30.0.tar.gz
|
||||
/nss-3.30.2.tar.gz
|
||||
/nss-3.31.0.tar.gz
|
||||
/nss-3.32.0.tar.gz
|
||||
/nss-3.32.1.tar.gz
|
||||
/nss-3.33.0.tar.gz
|
||||
/nss-3.34.0.tar.gz
|
||||
/nss-3.35.0.tar.gz
|
||||
/nss-3.36.0.tar.gz
|
||||
/nss-3.36.1.tar.gz
|
||||
/nss-3.37.1.tar.gz
|
||||
/nss-3.37.3.tar.gz
|
||||
/nss-3.38.0.tar.gz
|
||||
/nss-3.39.tar.gz
|
||||
/nss-3.40.1.tar.gz
|
||||
/nss-3.41.tar.gz
|
||||
/nss-3.42.tar.gz
|
||||
/nss-3.42.1.tar.gz
|
||||
/nss-3.43.tar.gz
|
||||
/nss-3.44.tar.gz
|
||||
/nss-3.44.1.tar.gz
|
||||
/nss-3.45.tar.gz
|
||||
/nss-3.46.tar.gz
|
||||
/nss-3.46.1.tar.gz
|
||||
/nss-3.47.tar.gz
|
||||
/nss-3.47.1.tar.gz
|
||||
/nss-3.48.tar.gz
|
||||
/nss-3.49.tar.gz
|
||||
/nss-3.49.2.tar.gz
|
||||
/nss-3.50.tar.gz
|
||||
/nss-3.51.tar.gz
|
||||
/nss-3.51.1.tar.gz
|
||||
/nss-3.52.tar.gz
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
|
||||
--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
|
||||
+++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
|
||||
@@ -174,6 +174,12 @@ endif
|
||||
endif
|
||||
endif
|
||||
|
||||
+# harden DSOs/executables a bit against exploits
|
||||
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
|
||||
+DSO_LDOPTS+=-Wl,-z,relro
|
||||
+LDFLAGS += -Wl,-z,relro
|
||||
+endif
|
||||
+
|
||||
USE_SYSTEM_ZLIB = 1
|
||||
ZLIB_LIBS = -lz
|
||||
|
220
iquote.patch
220
iquote.patch
|
@ -1,13 +1,211 @@
|
|||
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
|
||||
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
|
||||
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
|
||||
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
|
||||
SQLITE_LIB_NAME = sqlite3
|
||||
diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
|
||||
--- ./nss/cmd/certcgi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/certcgi/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
|
||||
--- ./nss/cmd/certutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/certutil/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
|
||||
--- ./nss/cmd/lib/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/lib/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
|
||||
--- ./nss/cmd/modutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/modutil/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
|
||||
#######################################################################
|
||||
diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
|
||||
--- ./nss/cmd/selfserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/selfserv/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
|
||||
--- ./nss/cmd/ssltap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/ssltap/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
|
||||
--- ./nss/cmd/strsclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/strsclnt/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
|
||||
--- ./nss/cmd/tstclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/tstclnt/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
#######################################################################
|
||||
|
||||
#include ../platlibs.mk
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
|
||||
--- ./nss/cmd/vfyserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/vfyserv/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
#######################################################################
|
||||
|
||||
#include ../platlibs.mk
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
|
||||
--- ./nss/coreconf/location.mk.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/coreconf/location.mk 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -45,6 +45,10 @@ endif
|
||||
|
||||
ifdef NSS_INCLUDE_DIR
|
||||
INCLUDES += -I$(NSS_INCLUDE_DIR)
|
||||
+ ifdef IN_TREE_FREEBL_HEADERS_FIRST
|
||||
+ INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+ INCLUDES += -iquote $(DIST)/../private/nss
|
||||
+ endif
|
||||
endif
|
||||
|
||||
+# Prefer in-tree headers over system headers
|
||||
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
|
||||
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
|
||||
+endif
|
||||
+
|
||||
MK_LOCATION = included
|
||||
ifndef NSS_LIB_DIR
|
||||
diff -up ./nss/gtests/pk11_gtest/Makefile.iquote ./nss/gtests/pk11_gtest/Makefile
|
||||
--- ./nss/gtests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/gtests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
|
||||
--- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/gtests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800
|
||||
@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
|
||||
--- ./nss/lib/certhigh/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/certhigh/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
|
||||
--- ./nss/lib/cryptohi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/cryptohi/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
|
||||
--- ./nss/lib/nss/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/nss/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
|
||||
--- ./nss/lib/pk11wrap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/pk11wrap/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
|
||||
--- ./nss/lib/ssl/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/ssl/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
|
|
|
@ -0,0 +1,754 @@
|
|||
diff --git a/gtests/nss_bogo_shim/nss_bogo_shim.cc b/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
--- a/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
+++ b/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
@@ -260,16 +260,22 @@ class TestAgent {
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
SSLVersionRange vrange;
|
||||
if (!GetVersionRange(&vrange, ssl_variant_stream)) return false;
|
||||
|
||||
rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd_, &verify_vrange);
|
||||
+ if (rv != SECSuccess) return false;
|
||||
+ if (vrange.min != verify_vrange.min || vrange.max != verify_vrange.max)
|
||||
+ return false;
|
||||
+
|
||||
rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
auto alpn = cfg_.get<std::string>("advertise-alpn");
|
||||
if (!alpn.empty()) {
|
||||
assert(!cfg_.get<bool>("server"));
|
||||
|
||||
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE);
|
||||
diff --git a/gtests/ssl_gtest/tls_agent.cc b/gtests/ssl_gtest/tls_agent.cc
|
||||
--- a/gtests/ssl_gtest/tls_agent.cc
|
||||
+++ b/gtests/ssl_gtest/tls_agent.cc
|
||||
@@ -20,16 +20,21 @@ extern "C" {
|
||||
|
||||
#define GTEST_HAS_RTTI 0
|
||||
#include "gtest/gtest.h"
|
||||
#include "gtest_utils.h"
|
||||
#include "scoped_ptrs.h"
|
||||
|
||||
extern std::string g_working_dir_path;
|
||||
|
||||
+static bool SSLVersionRangesAreEqual(SSLVersionRange& vr1,
|
||||
+ SSLVersionRange& vr2) {
|
||||
+ return vr1.min == vr2.min && vr1.max == vr2.max;
|
||||
+}
|
||||
+
|
||||
namespace nss_test {
|
||||
|
||||
const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
|
||||
|
||||
const std::string TlsAgent::kClient = "client"; // both sign and encrypt
|
||||
const std::string TlsAgent::kRsa2048 = "rsa2048"; // bigger
|
||||
const std::string TlsAgent::kServerRsa = "rsa"; // both sign and encrypt
|
||||
const std::string TlsAgent::kServerRsaSign = "rsa_sign";
|
||||
@@ -156,16 +161,26 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc
|
||||
return false;
|
||||
}
|
||||
dummy_fd.release(); // Now subsumed by ssl_fd_.
|
||||
|
||||
SECStatus rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd(), &verify_vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv);
|
||||
+ if (rv != SECSuccess) return false;
|
||||
+
|
||||
+ bool ranges_are_equal = SSLVersionRangesAreEqual(vrange_, verify_vrange);
|
||||
+ EXPECT_TRUE(ranges_are_equal)
|
||||
+ << "System policy must not restrict the allowed min/max SSL/TLS range";
|
||||
+ if (!ranges_are_equal) return false;
|
||||
+
|
||||
if (role_ == SERVER) {
|
||||
EXPECT_TRUE(ConfigServerCert(name_, true));
|
||||
|
||||
rv = SSL_SNISocketConfigHook(ssl_fd(), SniHook, this);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
ScopedCERTCertList anchors(CERT_NewCertList());
|
||||
@@ -400,16 +415,23 @@ void TlsAgent::SetShortHeadersEnabled()
|
||||
|
||||
void TlsAgent::SetVersionRange(uint16_t minver, uint16_t maxver) {
|
||||
vrange_.min = minver;
|
||||
vrange_.max = maxver;
|
||||
|
||||
if (ssl_fd()) {
|
||||
SECStatus rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
+
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd(), &verify_vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv);
|
||||
+ bool ranges_are_equal = SSLVersionRangesAreEqual(vrange_, verify_vrange);
|
||||
+ EXPECT_TRUE(ranges_are_equal)
|
||||
+ << "System policy must not restrict the allowed min/max SSL/TLS range";
|
||||
}
|
||||
}
|
||||
|
||||
void TlsAgent::GetVersionRange(uint16_t* minver, uint16_t* maxver) {
|
||||
*minver = vrange_.min;
|
||||
*maxver = vrange_.max;
|
||||
}
|
||||
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -2202,38 +2202,42 @@ ssl3_GetRangePolicy(SSLProtocolVariant p
|
||||
return SECFailure; /* don't accept an invalid policy */
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/*
|
||||
* Constrain a single protocol variant's range based on the user policy
|
||||
*/
|
||||
-static SECStatus
|
||||
-ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
|
||||
+static void
|
||||
+ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant,
|
||||
+ SSLVersionRange *rangeParam /* in and out */)
|
||||
{
|
||||
SSLVersionRange vrange;
|
||||
SSLVersionRange pvrange;
|
||||
SECStatus rv;
|
||||
|
||||
- vrange = *VERSIONS_DEFAULTS(protocolVariant);
|
||||
+ if (!rangeParam) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ vrange = *rangeParam;
|
||||
rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
|
||||
if (rv != SECSuccess) {
|
||||
- return SECSuccess; /* we don't have any policy */
|
||||
+ return; /* we don't have any policy */
|
||||
}
|
||||
vrange.min = PR_MAX(vrange.min, pvrange.min);
|
||||
vrange.max = PR_MIN(vrange.max, pvrange.max);
|
||||
if (vrange.max >= vrange.min) {
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = vrange;
|
||||
+ *rangeParam = vrange;
|
||||
} else {
|
||||
/* there was no overlap, turn off range altogether */
|
||||
pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
|
||||
+ *rangeParam = pvrange;
|
||||
}
|
||||
- return SECSuccess;
|
||||
}
|
||||
|
||||
static PRBool
|
||||
ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
|
||||
SSL3ProtocolVersion version)
|
||||
{
|
||||
SSLVersionRange pvrange;
|
||||
SECStatus rv;
|
||||
@@ -2249,60 +2253,59 @@ ssl_VersionIsSupportedByPolicy(SSLProtoc
|
||||
|
||||
/*
|
||||
* This is called at SSL init time to constrain the existing range based
|
||||
* on user supplied policy.
|
||||
*/
|
||||
SECStatus
|
||||
ssl3_ConstrainRangeByPolicy(void)
|
||||
{
|
||||
- SECStatus rv;
|
||||
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream);
|
||||
- if (rv != SECSuccess) {
|
||||
- return rv;
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream,
|
||||
+ VERSIONS_DEFAULTS(ssl_variant_stream));
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram,
|
||||
+ VERSIONS_DEFAULTS(ssl_variant_datagram));
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
+ssl3_VersionIsSupportedByCode(SSLProtocolVariant protocolVariant,
|
||||
+ SSL3ProtocolVersion version)
|
||||
+{
|
||||
+ switch (protocolVariant) {
|
||||
+ case ssl_variant_stream:
|
||||
+ return (version >= SSL_LIBRARY_VERSION_3_0 &&
|
||||
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
+ case ssl_variant_datagram:
|
||||
+ return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
|
||||
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
}
|
||||
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram);
|
||||
- if (rv != SECSuccess) {
|
||||
- return rv;
|
||||
- }
|
||||
- return SECSuccess;
|
||||
+
|
||||
+ /* Can't get here */
|
||||
+ PORT_Assert(PR_FALSE);
|
||||
+ return PR_FALSE;
|
||||
}
|
||||
|
||||
PRBool
|
||||
ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
|
||||
SSL3ProtocolVersion version)
|
||||
{
|
||||
if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- switch (protocolVariant) {
|
||||
- case ssl_variant_stream:
|
||||
- return (version >= SSL_LIBRARY_VERSION_3_0 &&
|
||||
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
- case ssl_variant_datagram:
|
||||
- return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
|
||||
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
- default:
|
||||
- /* Can't get here */
|
||||
- PORT_Assert(PR_FALSE);
|
||||
- return PR_FALSE;
|
||||
- }
|
||||
+ return ssl3_VersionIsSupportedByCode(protocolVariant, version);
|
||||
}
|
||||
|
||||
-/* Returns PR_TRUE if the given version range is valid and
|
||||
-** fully supported; otherwise, returns PR_FALSE.
|
||||
-*/
|
||||
static PRBool
|
||||
ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
|
||||
const SSLVersionRange *vrange)
|
||||
{
|
||||
return vrange &&
|
||||
vrange->min <= vrange->max &&
|
||||
- ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
|
||||
- ssl3_VersionIsSupported(protocolVariant, vrange->max) &&
|
||||
+ ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) &&
|
||||
+ ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) &&
|
||||
(vrange->min > SSL_LIBRARY_VERSION_3_0 ||
|
||||
vrange->max < SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
}
|
||||
|
||||
const SECItem *
|
||||
SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
@@ -2329,60 +2332,116 @@ SSL_VersionRangeGetSupported(SSLProtocol
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
switch (protocolVariant) {
|
||||
case ssl_variant_stream:
|
||||
vrange->min = SSL_LIBRARY_VERSION_3_0;
|
||||
vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
|
||||
- // We don't allow SSLv3 and TLSv1.3 together.
|
||||
- if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
- vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
- }
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together.
|
||||
+ * However, don't check yet, apply the policy first.
|
||||
+ * Because if the effective supported range doesn't use TLS 1.3,
|
||||
+ * then we don't need to increase the minimum. */
|
||||
break;
|
||||
case ssl_variant_datagram:
|
||||
vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
|
||||
vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
|
||||
break;
|
||||
default:
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ /* Library default and policy don't overlap. */
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (protocolVariant == ssl_variant_stream) {
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together */
|
||||
+ if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
|
||||
SSLVersionRange *vrange)
|
||||
{
|
||||
if ((protocolVariant != ssl_variant_stream &&
|
||||
protocolVariant != ssl_variant_datagram) ||
|
||||
!vrange) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
*vrange = *VERSIONS_DEFAULTS(protocolVariant);
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ /* Library default and policy don't overlap. */
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
-SECStatus
|
||||
-SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
|
||||
- const SSLVersionRange *vrange)
|
||||
+static SECStatus
|
||||
+ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant,
|
||||
+ SSLVersionRange *vrange)
|
||||
{
|
||||
if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) {
|
||||
PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = *vrange;
|
||||
-
|
||||
+ /* Try to adjust the received range using our policy.
|
||||
+ * If there's overlap, we'll use the (possibly reduced) range.
|
||||
+ * If there isn't overlap, it's failure. */
|
||||
+
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (protocolVariant == ssl_variant_stream) {
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together */
|
||||
+ if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ vrange->min =
|
||||
+ PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
|
||||
+ const SSLVersionRange *vrange)
|
||||
+{
|
||||
+ SSLVersionRange constrainedRange;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ if (!vrange) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ constrainedRange = *vrange;
|
||||
+ rv = ssl3_CheckRangeValidAndConstrainByPolicy(protocolVariant,
|
||||
+ &constrainedRange);
|
||||
+ if (rv != SECSuccess)
|
||||
+ return rv;
|
||||
+
|
||||
+ *VERSIONS_DEFAULTS(protocolVariant) = constrainedRange;
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
|
||||
@@ -2406,41 +2465,50 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
|
||||
{
|
||||
- sslSocket *ss = ssl_FindSocket(fd);
|
||||
-
|
||||
+ SSLVersionRange constrainedRange;
|
||||
+ sslSocket *ss;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ if (!vrange) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet",
|
||||
SSL_GETPID(), fd));
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) {
|
||||
- PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
- return SECFailure;
|
||||
- }
|
||||
+ constrainedRange = *vrange;
|
||||
+ rv = ssl3_CheckRangeValidAndConstrainByPolicy(ss->protocolVariant,
|
||||
+ &constrainedRange);
|
||||
+ if (rv != SECSuccess)
|
||||
+ return rv;
|
||||
|
||||
ssl_Get1stHandshakeLock(ss);
|
||||
ssl_GetSSL3HandshakeLock(ss);
|
||||
|
||||
if (ss->ssl3.downgradeCheckVersion &&
|
||||
ss->vrange.max > ss->ssl3.downgradeCheckVersion) {
|
||||
PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- ss->vrange = *vrange;
|
||||
+ ss->vrange = constrainedRange;
|
||||
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
diff --git a/gtests/ssl_gtest/Makefile b/gtests/ssl_gtest/Makefile
|
||||
--- a/gtests/ssl_gtest/Makefile
|
||||
+++ b/gtests/ssl_gtest/Makefile
|
||||
@@ -32,16 +32,18 @@ CFLAGS += -I$(CORE_DEPTH)/lib/ssl
|
||||
ifdef NSS_SSL_ENABLE_ZLIB
|
||||
include $(CORE_DEPTH)/coreconf/zlib.mk
|
||||
endif
|
||||
|
||||
ifdef NSS_DISABLE_TLS_1_3
|
||||
NSS_DISABLE_TLS_1_3=1
|
||||
# Run parameterized tests only, for which we can easily exclude TLS 1.3
|
||||
CPPSRCS := $(filter-out $(shell grep -l '^TEST_F' $(CPPSRCS)), $(CPPSRCS))
|
||||
+# But always include ssl_versionpolicy_unittest.cc
|
||||
+CPPSRCS += ssl_versionpolicy_unittest.cc
|
||||
CFLAGS += -DNSS_DISABLE_TLS_1_3
|
||||
endif
|
||||
|
||||
#######################################################################
|
||||
# (5) Execute "global" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
diff --git a/gtests/ssl_gtest/manifest.mn b/gtests/ssl_gtest/manifest.mn
|
||||
--- a/gtests/ssl_gtest/manifest.mn
|
||||
+++ b/gtests/ssl_gtest/manifest.mn
|
||||
@@ -33,16 +33,17 @@ CPPSRCS = \
|
||||
ssl_hrr_unittest.cc \
|
||||
ssl_loopback_unittest.cc \
|
||||
ssl_record_unittest.cc \
|
||||
ssl_resumption_unittest.cc \
|
||||
ssl_skip_unittest.cc \
|
||||
ssl_staticrsa_unittest.cc \
|
||||
ssl_v2_client_hello_unittest.cc \
|
||||
ssl_version_unittest.cc \
|
||||
+ ssl_versionpolicy_unittest.cc \
|
||||
test_io.cc \
|
||||
tls_agent.cc \
|
||||
tls_connect.cc \
|
||||
tls_hkdf_unittest.cc \
|
||||
tls_filter.cc \
|
||||
tls_parser.cc \
|
||||
tls_protect.cc \
|
||||
$(NULL)
|
||||
diff --git a/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
|
||||
@@ -0,0 +1,281 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=2 et sw=2 tw=80: */
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+#include "nss.h"
|
||||
+#include "secerr.h"
|
||||
+#include "ssl.h"
|
||||
+#include "ssl3prot.h"
|
||||
+#include "sslerr.h"
|
||||
+#include "sslproto.h"
|
||||
+
|
||||
+#include "gtest_utils.h"
|
||||
+#include "scoped_ptrs.h"
|
||||
+#include "tls_connect.h"
|
||||
+#include "tls_filter.h"
|
||||
+#include "tls_parser.h"
|
||||
+
|
||||
+static bool SSLVersionRangesAreEqual(SSLVersionRange &vr1,
|
||||
+ SSLVersionRange &vr2) {
|
||||
+ return vr1.min == vr2.min && vr1.max == vr2.max;
|
||||
+}
|
||||
+
|
||||
+namespace nss_test {
|
||||
+
|
||||
+class TestVersionRangePolicy : public ::testing::Test {
|
||||
+ protected:
|
||||
+ PRInt32 savedMinTLS;
|
||||
+ PRInt32 savedMaxTLS;
|
||||
+ PRInt32 savedMinDTLS;
|
||||
+ PRInt32 savedMaxDTLS;
|
||||
+ PRUint32 savedAlgorithmPolicy;
|
||||
+
|
||||
+ public:
|
||||
+ void SaveOriginalPolicy() {
|
||||
+ NSS_OptionGet(NSS_TLS_VERSION_MIN_POLICY, &savedMinTLS);
|
||||
+ NSS_OptionGet(NSS_TLS_VERSION_MAX_POLICY, &savedMaxTLS);
|
||||
+ NSS_OptionGet(NSS_DTLS_VERSION_MIN_POLICY, &savedMinDTLS);
|
||||
+ NSS_OptionGet(NSS_DTLS_VERSION_MAX_POLICY, &savedMaxDTLS);
|
||||
+ NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &savedAlgorithmPolicy);
|
||||
+ }
|
||||
+ void SetUsePolicyInSSL() {
|
||||
+ NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
|
||||
+ }
|
||||
+ void RestoreOriginalPolicy() {
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, savedMinTLS);
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, savedMaxTLS);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, savedMinDTLS);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, savedMaxDTLS);
|
||||
+ /* If it wasn't set initially, clear the bit that we set. */
|
||||
+ if (!(savedAlgorithmPolicy & NSS_USE_POLICY_IN_SSL)) {
|
||||
+ NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, 0,
|
||||
+ NSS_USE_POLICY_IN_SSL);
|
||||
+ }
|
||||
+ }
|
||||
+ void SetTLSPolicy(SSLVersionRange &policy) {
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, policy.min);
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, policy.max);
|
||||
+ }
|
||||
+ void SetDTLSPolicy(SSLVersionRange &policy) {
|
||||
+ /* SSL3 isn't allowed for DTLS, but isn't a problem to allow by policy */
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, policy.min);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, policy.max);
|
||||
+ }
|
||||
+ std::string version_to_string(PRInt32 v) {
|
||||
+ switch (v) {
|
||||
+ case SSL_LIBRARY_VERSION_3_0:
|
||||
+ return "ssl3";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_0:
|
||||
+ return "tls1.0";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_1:
|
||||
+ return "tls1.1";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_2:
|
||||
+ return "tls1.2";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_3:
|
||||
+ return "tls1.3";
|
||||
+ case SSL_LIBRARY_VERSION_NONE:
|
||||
+ return "NONE";
|
||||
+ }
|
||||
+ return "undefined???";
|
||||
+ }
|
||||
+ std::string info_str(const SSLVersionRange &policy,
|
||||
+ const SSLVersionRange &vrange,
|
||||
+ const SSLVersionRange *expectation,
|
||||
+ const SSLVersionRange *result, bool testDTLS) {
|
||||
+ return std::string(testDTLS ? "DTLS" : "TLS") + std::string(" policy: ") +
|
||||
+ version_to_string(policy.min) + std::string(",") +
|
||||
+ version_to_string(policy.max) + std::string(" input: ") +
|
||||
+ version_to_string(vrange.min) + std::string(",") +
|
||||
+ version_to_string(vrange.max) +
|
||||
+ (expectation
|
||||
+ ? (std::string(" expected: ") +
|
||||
+ version_to_string(expectation->min) + std::string(",") +
|
||||
+ version_to_string(expectation->max))
|
||||
+ : std::string()) +
|
||||
+ (result
|
||||
+ ? (std::string(" result: ") + version_to_string(result->min) +
|
||||
+ std::string(",") + version_to_string(result->max))
|
||||
+ : std::string());
|
||||
+ }
|
||||
+ void TestPolicyRangeExpectation(SSLVersionRange &policy,
|
||||
+ SSLVersionRange &vrange,
|
||||
+ SSLVersionRange &expectation, bool testDTLS) {
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ SetTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, false);
|
||||
+
|
||||
+ SSLVersionRange result;
|
||||
+ rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &result);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeGetDefault: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, false);
|
||||
+
|
||||
+ EXPECT_EQ(true, SSLVersionRangesAreEqual(result, expectation))
|
||||
+ << "range returned by SSL_VersionRangeGetDefault doesn't match "
|
||||
+ "expectation: "
|
||||
+ << info_str(policy, vrange, &expectation, &result, false);
|
||||
+
|
||||
+ if (testDTLS) {
|
||||
+ SetDTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_datagram, &vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, true);
|
||||
+
|
||||
+ SSLVersionRange result;
|
||||
+ rv = SSL_VersionRangeGetDefault(ssl_variant_datagram, &result);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeGetDefault: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, true);
|
||||
+
|
||||
+ EXPECT_EQ(true, SSLVersionRangesAreEqual(result, expectation))
|
||||
+ << "range returned by SSL_VersionRangeGetDefault doesn't match "
|
||||
+ "expectation: "
|
||||
+ << info_str(policy, vrange, &expectation, &result, true);
|
||||
+ }
|
||||
+ }
|
||||
+ void TestPolicyRangeFailure(SSLVersionRange &policy, SSLVersionRange &vrange,
|
||||
+ bool testDTLS) {
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ SetTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange);
|
||||
+ EXPECT_EQ(SECFailure, rv)
|
||||
+ << "expected failure return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, NULL, NULL, false);
|
||||
+
|
||||
+ if (testDTLS) {
|
||||
+ SetDTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_datagram, &vrange);
|
||||
+ EXPECT_EQ(SECFailure, rv)
|
||||
+ << "expected failure return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, NULL, NULL, true);
|
||||
+ }
|
||||
+ }
|
||||
+ void Run() {
|
||||
+ SaveOriginalPolicy();
|
||||
+ SetUsePolicyInSSL();
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ SSLVersionRange range3to13{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range10to13{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range11to13{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range12to13{SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range13to13{SSL_LIBRARY_VERSION_TLS_1_3,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+#endif
|
||||
+
|
||||
+ SSLVersionRange range3to12{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range10to12{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range11to12{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range12to12{SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+
|
||||
+ SSLVersionRange range3to11{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+ SSLVersionRange range10to11{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+ SSLVersionRange range11to11{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+
|
||||
+ SSLVersionRange range3to10{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_0};
|
||||
+ SSLVersionRange range10to10{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_0};
|
||||
+
|
||||
+ SSLVersionRange range3to3{SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_3_0};
|
||||
+
|
||||
+// When testing SSL3 or TLS1.0, we set "test DTLS" to false.
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ // Invalid range input (cannot enable both SSL3 and TLS1.3)
|
||||
+ TestPolicyRangeFailure(range3to13, range3to13, false);
|
||||
+#endif
|
||||
+
|
||||
+ // No overlap between policy and range input
|
||||
+ TestPolicyRangeFailure(range11to11, range10to10, false);
|
||||
+ TestPolicyRangeFailure(range11to11, range12to12, true);
|
||||
+ TestPolicyRangeFailure(range10to12, range3to3, false);
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ TestPolicyRangeFailure(range10to12, range13to13, true);
|
||||
+#endif
|
||||
+
|
||||
+ // straightforward overlap tests
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to11, range10to12, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to12, range10to12, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range11to12, range10to12, range11to12, false);
|
||||
+ TestPolicyRangeExpectation(range11to12, range11to12, range11to12, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range12to12, range10to12, range12to12, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to3, range3to3, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to10, range3to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to11, range3to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to12, range3to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range3to12, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to12, range12to12, range12to12, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range10to12, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range10to12, range12to12, range12to12, true);
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to13, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to13, range10to13, range10to13, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range11to13, range10to13, range11to13, false);
|
||||
+ TestPolicyRangeExpectation(range11to13, range11to13, range11to13, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range12to13, range10to13, range12to13, false);
|
||||
+ TestPolicyRangeExpectation(range12to13, range11to13, range12to13, true);
|
||||
+ TestPolicyRangeExpectation(range12to13, range12to13, range12to13, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to3, range3to3, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to10, range3to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to11, range3to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to12, range3to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to13, range10to13, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range12to12, range12to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range12to13, range12to13, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range13to13, range13to13, true);
|
||||
+#endif
|
||||
+
|
||||
+ RestoreOriginalPolicy();
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+TEST_F(TestVersionRangePolicy, TestVersionRangesAndCryptoPolicyInteraction) {
|
||||
+ Run();
|
||||
+}
|
||||
+
|
||||
+} // namespace nss_test
|
|
@ -0,0 +1,11 @@
|
|||
diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
|
||||
--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
|
||||
+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
|
||||
@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
|
||||
realcerts.cfg
|
||||
dsa.cfg
|
||||
revoc.cfg
|
||||
-ocsp.cfg
|
||||
crldp.cfg
|
||||
trustanchors.cfg
|
||||
nameconstraints.cfg
|
|
@ -1,5 +1,5 @@
|
|||
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
@@ -953,23 +953,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
|
@ -29,8 +29,8 @@
|
|||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
@@ -1711,23 +1711,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
|
||||
--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100
|
||||
+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100
|
||||
@@ -109,6 +109,7 @@ secmod_NewModule(void)
|
||||
*other flags are set */
|
||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
||||
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
|
||||
|
||||
/* private flags for internal (field in SECMODModule). */
|
||||
/* The meaing of these flags is as follows:
|
||||
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
|
||||
if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
|
||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
||||
}
|
||||
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
|
||||
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
|
||||
+ }
|
||||
/* additional moduleDB flags could be added here in the future */
|
||||
mod->isModuleDB = (PRBool)flags;
|
||||
}
|
||||
@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
|
||||
}
|
||||
|
||||
PRBool
|
||||
+secmod_PolicyOnly(SECMODModule *mod)
|
||||
+{
|
||||
+ char flags = (char) mod->isModuleDB;
|
||||
+
|
||||
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
secmod_IsInternalKeySlot(SECMODModule *mod)
|
||||
{
|
||||
char flags = (char)mod->internal;
|
||||
@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
|
||||
if (!module) {
|
||||
goto loser;
|
||||
}
|
||||
+
|
||||
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
|
||||
+ * been parsed as a side effect of the CreateModuleEx call */
|
||||
+ if (secmod_PolicyOnly(module)) {
|
||||
+ return module;
|
||||
+ }
|
||||
if (parent) {
|
||||
module->parent = SECMOD_ReferenceModule(parent);
|
||||
if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
|
@ -0,0 +1,167 @@
|
|||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -7061,49 +7061,68 @@ ssl3_SendClientKeyExchange(sslSocket *ss
|
||||
|
||||
loser:
|
||||
if (serverKey)
|
||||
SECKEY_DestroyPublicKey(serverKey);
|
||||
return rv; /* err code already set. */
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
-ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *key,
|
||||
+ssl_PickSignatureScheme(sslSocket *ss,
|
||||
+ SECKEYPublicKey *pubKey,
|
||||
+ SECKEYPrivateKey *privKey,
|
||||
const SignatureScheme *peerSchemes,
|
||||
unsigned int peerSchemeCount,
|
||||
PRBool requireSha1)
|
||||
{
|
||||
unsigned int i, j;
|
||||
const namedGroupDef *group = NULL;
|
||||
KeyType keyType;
|
||||
+ PK11SlotInfo *slot;
|
||||
+ PRBool slotDoesPss;
|
||||
PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
|
||||
|
||||
- if (!key) {
|
||||
+ if (!pubKey || !privKey) {
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
- keyType = SECKEY_GetPublicKeyType(key);
|
||||
+ slot = PK11_GetSlotFromPrivateKey(privKey);
|
||||
+ if (!slot) {
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
|
||||
+ PK11_FreeSlot(slot);
|
||||
+
|
||||
+ keyType = SECKEY_GetPublicKeyType(pubKey);
|
||||
+
|
||||
if (keyType == ecKey) {
|
||||
- group = ssl_ECPubKey2NamedGroup(key);
|
||||
+ group = ssl_ECPubKey2NamedGroup(pubKey);
|
||||
}
|
||||
|
||||
/* Here we look for the first local preference that the client has
|
||||
* indicated support for in their signature_algorithms extension. */
|
||||
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
SSLHashType hashType;
|
||||
SECOidTag hashOID;
|
||||
SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
|
||||
PRUint32 policy;
|
||||
|
||||
if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
|
||||
preferred)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
+ /* Skip RSA-PSS schemes when the certificate's private key slot does
|
||||
+ * not support this signature mechanism. */
|
||||
+ if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
hashType = ssl_SignatureSchemeToHashType(preferred);
|
||||
hashOID = ssl3_HashTypeToOID(hashType);
|
||||
if (requireSha1 && hashOID != SEC_OID_SHA1) {
|
||||
continue;
|
||||
}
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
|
||||
!(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
/* we ignore hashes we don't support */
|
||||
@@ -7148,51 +7167,54 @@ ssl3_PickServerSignatureScheme(sslSocket
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
return SECFailure;
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* Sets error code, if needed. */
|
||||
- return ssl_PickSignatureScheme(ss, keyPair->pubKey,
|
||||
+ return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
|
||||
ss->ssl3.hs.clientSigSchemes,
|
||||
ss->ssl3.hs.numClientSigScheme,
|
||||
- PR_FALSE);
|
||||
+ PR_FALSE /* requireSha1 */);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes,
|
||||
unsigned int numSchemes)
|
||||
{
|
||||
- SECKEYPublicKey *key;
|
||||
+ SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
|
||||
+ SECKEYPublicKey *pubKey;
|
||||
SECStatus rv;
|
||||
|
||||
- key = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||
- PORT_Assert(key);
|
||||
+ pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||
+ PORT_Assert(pubKey);
|
||||
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
|
||||
- (SECKEY_GetPublicKeyType(key) == rsaKey ||
|
||||
- SECKEY_GetPublicKeyType(key) == dsaKey) &&
|
||||
- SECKEY_PublicKeyStrengthInBits(key) <= 1024) {
|
||||
+ (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
|
||||
+ SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
|
||||
+ SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) {
|
||||
/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
|
||||
* it may be unable to sign SHA-256 hashes. This is the case for older
|
||||
* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
|
||||
* older, DSA key size is at most 1024 bits and the hash function must
|
||||
* be SHA-1.
|
||||
*/
|
||||
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_TRUE);
|
||||
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||
+ PR_TRUE /* requireSha1 */);
|
||||
if (rv == SECSuccess) {
|
||||
- SECKEY_DestroyPublicKey(key);
|
||||
+ SECKEY_DestroyPublicKey(pubKey);
|
||||
return SECSuccess;
|
||||
}
|
||||
/* If this fails, that's because the peer doesn't advertise SHA-1,
|
||||
* so fall back to the full negotiation. */
|
||||
}
|
||||
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_FALSE);
|
||||
- SECKEY_DestroyPublicKey(key);
|
||||
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||
+ PR_FALSE /* requireSha1 */);
|
||||
+ SECKEY_DestroyPublicKey(pubKey);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/* Called from ssl3_HandleServerHelloDone(). */
|
||||
static SECStatus
|
||||
ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey)
|
||||
{
|
||||
SECStatus rv = SECFailure;
|
||||
@@ -10593,16 +10615,23 @@ ssl3_EncodeSigAlgs(sslSocket *ss, PRUint
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
PRUint32 policy = 0;
|
||||
SSLHashType hashType = ssl_SignatureSchemeToHashType(
|
||||
ss->ssl3.signatureSchemes[i]);
|
||||
SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
|
||||
+
|
||||
+ /* Skip RSA-PSS schemes if there are no tokens to verify them. */
|
||||
+ if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
|
||||
+ !PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
|
||||
(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
p = ssl_EncodeUintX((PRUint32)ss->ssl3.signatureSchemes[i], 2, p);
|
||||
}
|
||||
}
|
||||
|
||||
if (p == buf) {
|
||||
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
|
@ -0,0 +1,12 @@
|
|||
diff -up nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7 nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
|
||||
--- nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7 2017-02-08 14:34:04.212655936 +0100
|
||||
+++ nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c 2017-02-08 14:37:33.326388891 +0100
|
||||
@@ -89,7 +89,7 @@ pkix_pl_OcspRequest_Hashcode(
|
||||
PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext,
|
||||
PKIX_CERTHASHCODEFAILED);
|
||||
|
||||
- *pHashcode = (((((extensionHash << 8) || certHash) << 8) ||
|
||||
+ *pHashcode = ((PKIX_UInt32)(((PKIX_UInt32)((extensionHash << 8) || certHash) << 8) ||
|
||||
dateHash) << 8) || signerHash;
|
||||
|
||||
cleanup:
|
|
@ -1,21 +0,0 @@
|
|||
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
|
||||
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
|
||||
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
|
||||
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
|
||||
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
|
||||
|
||||
/* deprecated #defines. Drop in future NSS releases */
|
||||
-#ifdef NSS_PKCS11_2_0_COMPAT
|
||||
+#ifndef NSS_PKCS11_3_0_STRICT
|
||||
|
||||
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
|
||||
#define CKF_EC_FP CKF_EC_F_P
|
||||
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
|
||||
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
|
||||
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
|
||||
#else
|
||||
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
|
||||
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
|
||||
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
|
||||
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
|
||||
#endif
|
|
@ -0,0 +1,55 @@
|
|||
# HG changeset patch
|
||||
# User Tim Taubert <ttaubert@mozilla.com>
|
||||
# Date 1488574640 -3600
|
||||
# Fri Mar 03 21:57:20 2017 +0100
|
||||
# Branch NSS_3_28_BRANCH
|
||||
# Node ID b8145d465ad4086439c4e52df434d9046949127a
|
||||
# Parent 3b9ccd6b37c7242f69404fa4a444b43efb12e319
|
||||
Bug 1342358 - Make sure xtnData->remoteKeyShares was initialized before calling tls13_DestroyKeyShares() r=franziskus
|
||||
|
||||
Differential Revision: https://nss-review.dev.mozaws.net/D234
|
||||
|
||||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -13294,8 +13294,6 @@ ssl3_DestroySSL3Info(sslSocket *ss)
|
||||
tls13_DestroyEarlyData(&ss->ssl3.hs.bufferedEarlyData);
|
||||
|
||||
ss->ssl3.initialized = PR_FALSE;
|
||||
-
|
||||
- SECITEM_FreeItem(&ss->xtnData.nextProto, PR_FALSE);
|
||||
}
|
||||
|
||||
#define MAP_NULL(x) (((x) != 0) ? (x) : SEC_OID_NULL_CIPHER)
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -3704,6 +3704,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
|
||||
PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
|
||||
PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs);
|
||||
PR_INIT_CLIST(&ss->ssl3.hs.bufferedEarlyData);
|
||||
+ ssl3_InitExtensionData(&ss->xtnData);
|
||||
if (makeLocks) {
|
||||
rv = ssl_MakeLocks(ss);
|
||||
if (rv != SECSuccess)
|
||||
@@ -3715,7 +3716,6 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
|
||||
rv = ssl3_InitGather(&ss->gs);
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
- ssl3_InitExtensionData(&ss->xtnData);
|
||||
return ss;
|
||||
|
||||
loser:
|
||||
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
|
||||
--- a/lib/ssl/tls13con.c
|
||||
+++ b/lib/ssl/tls13con.c
|
||||
@@ -2853,6 +2853,9 @@ tls13_DestroyKeyShares(PRCList *list)
|
||||
{
|
||||
PRCList *cur_p;
|
||||
|
||||
+ /* The list must be initialized. */
|
||||
+ PORT_Assert(PR_LIST_HEAD(list));
|
||||
+
|
||||
while (!PR_CLIST_IS_EMPTY(list)) {
|
||||
cur_p = PR_LIST_TAIL(list);
|
||||
PR_REMOVE_LINK(cur_p);
|
|
@ -1,31 +0,0 @@
|
|||
Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
|
||||
!defined(__clang__)
|
||||
#include <emmintrin.h>
|
||||
typedef __m128i FStar_UInt128_uint128;
|
||||
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
|
||||
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
|
||||
+ defined(__s390x__))
|
||||
typedef unsigned __int128 FStar_UInt128_uint128;
|
||||
#elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
|
||||
typedef __uint128_t FStar_UInt128_uint128;
|
||||
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
@@ -26,7 +26,8 @@
|
||||
|
||||
#if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
|
||||
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
|
||||
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
|
||||
+ defined(__s390x__))
|
||||
|
||||
/* GCC + using native unsigned __int128 support */
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
name=p11-kit-proxy
|
||||
library=p11-kit-proxy.so
|
||||
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
|
||||
--- a/cmd/modutil/install.c
|
||||
+++ b/cmd/modutil/install.c
|
||||
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
|
||||
|
||||
dir = PR_OpenDir(path);
|
||||
if (!dir) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Recursively delete all entries in the directory */
|
||||
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
|
||||
- sprintf(filename, "%s/%s", path, entry->name);
|
||||
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
|
||||
+ PR_CloseDir(dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
if (rm_dash_r(filename)) {
|
||||
PR_CloseDir(dir);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (PR_CloseDir(dir) != PR_SUCCESS) {
|
||||
return -1;
|
||||
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
|
||||
--- a/cmd/signtool/util.c
|
||||
+++ b/cmd/signtool/util.c
|
||||
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
|
||||
if (!dir) {
|
||||
PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
|
||||
errorCount++;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Recursively delete all entries in the directory */
|
||||
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
|
||||
- sprintf(filename, "%s/%s", path, entry->name);
|
||||
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
|
||||
+ errorCount++;
|
||||
+ return -1;
|
||||
+ }
|
||||
if (rm_dash_r(filename))
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (PR_CloseDir(dir) != PR_SUCCESS) {
|
||||
PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
|
||||
errorCount++;
|
||||
return -1;
|
||||
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
|
||||
--- a/lib/libpkix/pkix/util/pkix_list.c
|
||||
+++ b/lib/libpkix/pkix/util/pkix_list.c
|
||||
@@ -1530,17 +1530,17 @@ cleanup:
|
||||
*/
|
||||
PKIX_Error *
|
||||
PKIX_List_SetItem(
|
||||
PKIX_List *list,
|
||||
PKIX_UInt32 index,
|
||||
PKIX_PL_Object *item,
|
||||
void *plContext)
|
||||
{
|
||||
- PKIX_List *element;
|
||||
+ PKIX_List *element = NULL;
|
||||
|
||||
PKIX_ENTER(LIST, "PKIX_List_SetItem");
|
||||
PKIX_NULLCHECK_ONE(list);
|
||||
|
||||
if (list->immutable){
|
||||
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
|
||||
}
|
||||
|
||||
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
@@ -102,17 +102,17 @@ cleanup:
|
||||
*/
|
||||
static PKIX_Error *
|
||||
pkix_pl_OID_Equals(
|
||||
PKIX_PL_Object *first,
|
||||
PKIX_PL_Object *second,
|
||||
PKIX_Boolean *pResult,
|
||||
void *plContext)
|
||||
{
|
||||
- PKIX_Int32 cmpResult;
|
||||
+ PKIX_Int32 cmpResult = 0;
|
||||
|
||||
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
|
||||
PKIX_NULLCHECK_THREE(first, second, pResult);
|
||||
|
||||
PKIX_CHECK(pkix_pl_OID_Comparator
|
||||
(first, second, &cmpResult, plContext),
|
||||
PKIX_OIDCOMPARATORFAILED);
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
|
||||
--- ./nss/cmd/Makefile.skipthem 2017-01-06 13:17:27.477848351 +0100
|
||||
+++ ./nss/cmd/Makefile 2017-01-06 13:19:30.244586100 +0100
|
||||
@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
|
||||
ECPERF_SRCDIR =
|
||||
FREEBL_ECTEST_SRCDIR =
|
||||
FIPSTEST_SRCDIR =
|
||||
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
|
||||
+SHLIBSIGN_SRCDIR = shlibsign
|
||||
+else
|
||||
SHLIBSIGN_SRCDIR =
|
||||
+endif
|
||||
else
|
||||
BLTEST_SRCDIR = bltest
|
||||
ECPERF_SRCDIR = ecperf
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./gtests/manifest.mn.skip_util_gtest ./gtests/manifest.mn
|
||||
--- ./gtests/manifest.mn.skip_util_gtest 2016-09-29 12:05:28.858019733 +0200
|
||||
+++ ./gtests/manifest.mn 2016-09-29 12:06:17.298681765 +0200
|
||||
@@ -9,8 +9,5 @@ DIRS = \
|
||||
google_test \
|
||||
common \
|
||||
der_gtest \
|
||||
- util_gtest \
|
||||
- pk11_gtest \
|
||||
- ssl_gtest \
|
||||
nss_bogo_shim \
|
||||
$(NULL)
|
|
@ -1,116 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
prefix=@prefix@
|
||||
|
||||
major_version=@MOD_MAJOR_VERSION@
|
||||
minor_version=@MOD_MINOR_VERSION@
|
||||
patch_version=@MOD_PATCH_VERSION@
|
||||
|
||||
usage()
|
||||
{
|
||||
cat <<EOF
|
||||
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
|
||||
Options:
|
||||
[--prefix[=DIR]]
|
||||
[--exec-prefix[=DIR]]
|
||||
[--includedir[=DIR]]
|
||||
[--libdir[=DIR]]
|
||||
[--version]
|
||||
[--libs]
|
||||
[--cflags]
|
||||
Dynamic Libraries:
|
||||
softokn3 - Requires full dynamic linking
|
||||
freebl3 - for internal use only (and glibc for self-integrity check)
|
||||
nssdbm3 - for internal use only
|
||||
Dymamically linked
|
||||
EOF
|
||||
exit $1
|
||||
}
|
||||
|
||||
if test $# -eq 0; then
|
||||
usage 1 1>&2
|
||||
fi
|
||||
|
||||
while test $# -gt 0; do
|
||||
case "$1" in
|
||||
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
|
||||
*) optarg= ;;
|
||||
esac
|
||||
|
||||
case $1 in
|
||||
--prefix=*)
|
||||
prefix=$optarg
|
||||
;;
|
||||
--prefix)
|
||||
echo_prefix=yes
|
||||
;;
|
||||
--exec-prefix=*)
|
||||
exec_prefix=$optarg
|
||||
;;
|
||||
--exec-prefix)
|
||||
echo_exec_prefix=yes
|
||||
;;
|
||||
--includedir=*)
|
||||
includedir=$optarg
|
||||
;;
|
||||
--includedir)
|
||||
echo_includedir=yes
|
||||
;;
|
||||
--libdir=*)
|
||||
libdir=$optarg
|
||||
;;
|
||||
--libdir)
|
||||
echo_libdir=yes
|
||||
;;
|
||||
--version)
|
||||
echo ${major_version}.${minor_version}.${patch_version}
|
||||
;;
|
||||
--cflags)
|
||||
echo_cflags=yes
|
||||
;;
|
||||
--libs)
|
||||
echo_libs=yes
|
||||
;;
|
||||
*)
|
||||
usage 1 1>&2
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# Set variables that may be dependent upon other variables
|
||||
if test -z "$exec_prefix"; then
|
||||
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
|
||||
fi
|
||||
if test -z "$includedir"; then
|
||||
includedir=`pkg-config --variable=includedir nss-softokn`
|
||||
fi
|
||||
if test -z "$libdir"; then
|
||||
libdir=`pkg-config --variable=libdir nss-softokn`
|
||||
fi
|
||||
|
||||
if test "$echo_prefix" = "yes"; then
|
||||
echo $prefix
|
||||
fi
|
||||
|
||||
if test "$echo_exec_prefix" = "yes"; then
|
||||
echo $exec_prefix
|
||||
fi
|
||||
|
||||
if test "$echo_includedir" = "yes"; then
|
||||
echo $includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libdir" = "yes"; then
|
||||
echo $libdir
|
||||
fi
|
||||
|
||||
if test "$echo_cflags" = "yes"; then
|
||||
echo -I$includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libs" = "yes"; then
|
||||
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
|
||||
echo $libdirs
|
||||
fi
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
#!/bin/bash
|
||||
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
|
||||
# ex: ts=8 sw=4 sts=4 et filetype=sh
|
||||
|
||||
check() {
|
||||
return 255
|
||||
}
|
||||
|
||||
depends() {
|
||||
return 0
|
||||
}
|
||||
|
||||
install() {
|
||||
local _dir
|
||||
|
||||
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
|
||||
libfreebl3.so
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
# turn on nss-softokn module
|
||||
|
||||
add_dracutmodules+=" nss-softokn "
|
|
@ -1,11 +0,0 @@
|
|||
prefix=%prefix%
|
||||
exec_prefix=%exec_prefix%
|
||||
libdir=%libdir%
|
||||
includedir=%includedir%
|
||||
|
||||
Name: NSS-SOFTOKN
|
||||
Description: Network Security Services Softoken PKCS #11 Module
|
||||
Version: %SOFTOKEN_VERSION%
|
||||
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
|
||||
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
|
||||
Cflags: -I${includedir}
|
|
@ -1,118 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
prefix=@prefix@
|
||||
|
||||
major_version=@MOD_MAJOR_VERSION@
|
||||
minor_version=@MOD_MINOR_VERSION@
|
||||
patch_version=@MOD_PATCH_VERSION@
|
||||
|
||||
usage()
|
||||
{
|
||||
cat <<EOF
|
||||
Usage: nss-util-config [OPTIONS] [LIBRARIES]
|
||||
Options:
|
||||
[--prefix[=DIR]]
|
||||
[--exec-prefix[=DIR]]
|
||||
[--includedir[=DIR]]
|
||||
[--libdir[=DIR]]
|
||||
[--version]
|
||||
[--libs]
|
||||
[--cflags]
|
||||
Dynamic Libraries:
|
||||
nssutil
|
||||
EOF
|
||||
exit $1
|
||||
}
|
||||
|
||||
if test $# -eq 0; then
|
||||
usage 1 1>&2
|
||||
fi
|
||||
|
||||
lib_nssutil=yes
|
||||
|
||||
while test $# -gt 0; do
|
||||
case "$1" in
|
||||
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
|
||||
*) optarg= ;;
|
||||
esac
|
||||
|
||||
case $1 in
|
||||
--prefix=*)
|
||||
prefix=$optarg
|
||||
;;
|
||||
--prefix)
|
||||
echo_prefix=yes
|
||||
;;
|
||||
--exec-prefix=*)
|
||||
exec_prefix=$optarg
|
||||
;;
|
||||
--exec-prefix)
|
||||
echo_exec_prefix=yes
|
||||
;;
|
||||
--includedir=*)
|
||||
includedir=$optarg
|
||||
;;
|
||||
--includedir)
|
||||
echo_includedir=yes
|
||||
;;
|
||||
--libdir=*)
|
||||
libdir=$optarg
|
||||
;;
|
||||
--libdir)
|
||||
echo_libdir=yes
|
||||
;;
|
||||
--version)
|
||||
echo ${major_version}.${minor_version}.${patch_version}
|
||||
;;
|
||||
--cflags)
|
||||
echo_cflags=yes
|
||||
;;
|
||||
--libs)
|
||||
echo_libs=yes
|
||||
;;
|
||||
*)
|
||||
usage 1 1>&2
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# Set variables that may be dependent upon other variables
|
||||
if test -z "$exec_prefix"; then
|
||||
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
|
||||
fi
|
||||
if test -z "$includedir"; then
|
||||
includedir=`pkg-config --variable=includedir nss-util`
|
||||
fi
|
||||
if test -z "$libdir"; then
|
||||
libdir=`pkg-config --variable=libdir nss-util`
|
||||
fi
|
||||
|
||||
if test "$echo_prefix" = "yes"; then
|
||||
echo $prefix
|
||||
fi
|
||||
|
||||
if test "$echo_exec_prefix" = "yes"; then
|
||||
echo $exec_prefix
|
||||
fi
|
||||
|
||||
if test "$echo_includedir" = "yes"; then
|
||||
echo $includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libdir" = "yes"; then
|
||||
echo $libdir
|
||||
fi
|
||||
|
||||
if test "$echo_cflags" = "yes"; then
|
||||
echo -I$includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libs" = "yes"; then
|
||||
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
|
||||
if test -n "$lib_nssutil"; then
|
||||
libdirs="$libdirs -lnssutil${major_version}"
|
||||
fi
|
||||
echo $libdirs
|
||||
fi
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
prefix=%prefix%
|
||||
exec_prefix=%exec_prefix%
|
||||
libdir=%libdir%
|
||||
includedir=%includedir%
|
||||
|
||||
Name: NSS-UTIL
|
||||
Description: Network Security Services Utility Library
|
||||
Version: %NSSUTIL_VERSION%
|
||||
Requires: nspr >= %NSPR_VERSION%
|
||||
Libs: -L${libdir} -lnssutil3
|
||||
Cflags: -I${includedir}
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
|
||||
--- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400
|
||||
+++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400
|
||||
@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
- 2, /* enableRenegotiation (default: requires extension) */
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
PR_TRUE, /* cbcRandomIV */
|
|
@ -0,0 +1,23 @@
|
|||
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
|
||||
+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
|
||||
@@ -118,18 +118,18 @@
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
|
||||
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
2
sources
2
sources
|
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
|
|||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||
SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
|
||||
SHA512 (nss-3.30.2.tar.gz) = 02f14bc000cbde42268c4b6f42df80680b010d1491643ef9b11e0bac31a286a2e7fa251c40cb4ac70b64883a1b90efc64440ef9d797357f8a47cd37195fc5500
|
||||
|
|
|
@ -1,64 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||
# Description: NSS tools should not use SHA1 by default when
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: nss openssl" >> $(METADATA)
|
||||
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
|
@ -1,4 +0,0 @@
|
|||
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
|
||||
Description: NSS tools should not use SHA1 by default when
|
||||
Author: Hubert Kario <hkario@redhat.com>
|
||||
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
|
|
@ -1,125 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
|
||||
# Description: NSS tools should not use SHA1 by default when
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="nss"
|
||||
PACKAGES="nss openssl"
|
||||
DBDIR="nssdb"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm --all
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlRun "mkdir nssdb"
|
||||
rlRun "certutil -N -d $DBDIR --empty-password"
|
||||
rlLogInfo "Create a JAR file"
|
||||
rlRun "mkdir java-dir"
|
||||
rlRun "pushd java-dir"
|
||||
rlRun "mkdir META-INF mypackage"
|
||||
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
|
||||
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
|
||||
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
|
||||
rlRun "popd"
|
||||
#rlRun "mv java-dir/package.jar ."
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Self signing certificates"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
|
||||
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Signing certificates"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
|
||||
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Certificate request"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "mkdir srv2db"
|
||||
rlRun "certutil -d srv2db -N --empty-password"
|
||||
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
|
||||
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "rm -rf srv2db"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Certificate request with SHA1"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "mkdir srv2db"
|
||||
rlRun "certutil -d srv2db -N --empty-password"
|
||||
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
|
||||
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
|
||||
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "rm -rf srv2db"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Signing CMS messages"
|
||||
rlRun "echo 'This is a document' > document.txt"
|
||||
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
|
||||
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
|
||||
rlAssertGrep "algorithm: sha256" $rlRun_LOG
|
||||
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "CRL signing"
|
||||
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
|
||||
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
|
||||
rlRun "echo addext crlNumber 0 1245 >>script"
|
||||
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
|
||||
rlRun "echo addext reasonCode 0 0 >>script"
|
||||
rlRun "cat script"
|
||||
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
|
||||
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
# This first play always runs on the local staging system
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- classic
|
||||
tests:
|
||||
- NSS-tools-should-not-use-SHA1-by-default-when
|
||||
required_packages:
|
||||
- nss-tools
|
||||
- nss
|
|
@ -0,0 +1,14 @@
|
|||
diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
|
||||
--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
|
||||
+++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
|
||||
@@ -3,6 +3,10 @@
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
|
||||
+INCLUDES += -I/usr/include/nss3/templates
|
||||
+#endif
|
||||
+
|
||||
# can't do this in manifest.mn because OS_TARGET isn't defined there.
|
||||
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
|
||||
|
Loading…
Reference in New Issue