--- ./lib/ssl/config.mk.disableSSL2libssl 2016-01-29 02:30:10.000000000 -0800 +++ ./lib/ssl/config.mk 2016-02-06 11:20:50.322990421 -0800 @@ -2,16 +2,20 @@ # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. ifdef NISCC_TEST DEFINES += -DNISCC_TEST endif +ifdef NSS_NO_SSL2_NO_EXPORT +DEFINES += -DNSS_NO_SSL2_NO_EXPORT +endif + # Allow build-time configuration of TLS 1.3 (Experimental) ifdef NSS_ENABLE_TLS_1_3 DEFINES += -DNSS_ENABLE_TLS_1_3 endif ifdef NSS_NO_PKCS11_BYPASS DEFINES += -DNO_PKCS11_BYPASS else --- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-02-06 11:20:50.312990617 -0800 +++ ./lib/ssl/sslsock.c 2016-02-06 11:26:04.123828138 -0800 @@ -705,16 +705,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh if (ss->cipherSpecs) { PORT_Free(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } break; case SSL_ENABLE_SSL2: +#ifdef NSS_NO_SSL2_NO_EXPORT + if (on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ + } +#else if (IS_DTLS(ss)) { if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } if (on) { @@ -729,52 +735,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh ss->opt.v2CompatibleHello = on; } ss->preferredCipher = NULL; if (ss->cipherSpecs) { PORT_Free(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } +#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_NO_CACHE: ss->opt.noCache = on; break; case SSL_ENABLE_FDX: if (on && ss->opt.noLocks) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } ss->opt.fdx = on; break; case SSL_V2_COMPATIBLE_HELLO: +#ifdef NSS_NO_SSL2_NO_EXPORT + if (on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ + } +#else if (IS_DTLS(ss)) { if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } ss->opt.v2CompatibleHello = on; if (!on) { ss->opt.enableSSL2 = on; } +#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_ROLLBACK_DETECTION: ss->opt.detectRollBack = on; break; case SSL_NO_STEP_DOWN: +#ifdef NSS_NO_SSL2_NO_EXPORT + if (!on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ + } +#else ss->opt.noStepDown = on; if (on) SSL_DisableExportCipherSuites(fd); +#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_BYPASS_PKCS11: if (ss->handshakeBegun) { PORT_SetError(PR_INVALID_STATE_ERROR); rv = SECFailure; } else { if (PR_FALSE != on) { @@ -1235,16 +1256,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo } return SECSuccess; } /* function tells us if the cipher suite is one that we no longer support. */ static PRBool ssl_IsRemovedCipherSuite(PRInt32 suite) { +#ifdef NSS_NO_SSL2_NO_EXPORT + /* both ssl2 and export cipher suites disabled */ + if (SSL_IS_SSL2_CIPHER(suite)) + return PR_TRUE; + if (SSL_IsExportCipherSuite(suite)) { + SSLCipherSuiteInfo csdef; + if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) { + /* failure to retrieve info, disable */ + return PR_TRUE; + } + if (csdef.symCipher != ssl_calg_null) { + /* disable all except NULL ciphersuites */ + return PR_TRUE; + } + } +#endif /* NSS_NO_SSL2_NO_EXPORT */ switch (suite) { case SSL_FORTEZZA_DMS_WITH_NULL_SHA: case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: return PR_TRUE; default: return PR_FALSE; }