8cfb70a447
- Fix syntax errors in various shell scripts - Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
124 lines
3.2 KiB
Diff
124 lines
3.2 KiB
Diff
diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
|
|
--- a/lib/ssl/config.mk
|
|
+++ b/lib/ssl/config.mk
|
|
@@ -2,16 +2,20 @@
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
ifdef NISCC_TEST
|
|
DEFINES += -DNISCC_TEST
|
|
endif
|
|
|
|
+ifdef NSS_NO_SSL2
|
|
+DEFINES += -DNSS_NO_SSL2
|
|
+endif
|
|
+
|
|
# Allow build-time configuration of TLS 1.3 (Experimental)
|
|
ifdef NSS_ENABLE_TLS_1_3
|
|
DEFINES += -DNSS_ENABLE_TLS_1_3
|
|
endif
|
|
|
|
ifdef NSS_NO_PKCS11_BYPASS
|
|
DEFINES += -DNO_PKCS11_BYPASS
|
|
else
|
|
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
|
--- a/lib/ssl/sslsock.c
|
|
+++ b/lib/ssl/sslsock.c
|
|
@@ -650,16 +650,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
|
if (ss->cipherSpecs) {
|
|
PORT_Free(ss->cipherSpecs);
|
|
ss->cipherSpecs = NULL;
|
|
ss->sizeCipherSpecs = 0;
|
|
}
|
|
break;
|
|
|
|
case SSL_ENABLE_SSL2:
|
|
+#ifdef NSS_NO_SSL2
|
|
+ if (on) {
|
|
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
|
+ rv = SECFailure; /* not allowed */
|
|
+ }
|
|
+#else
|
|
if (IS_DTLS(ss)) {
|
|
if (on) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
rv = SECFailure; /* not allowed */
|
|
}
|
|
break;
|
|
}
|
|
ss->opt.enableSSL2 = on;
|
|
@@ -667,42 +673,50 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
|
ss->opt.v2CompatibleHello = on;
|
|
}
|
|
ss->preferredCipher = NULL;
|
|
if (ss->cipherSpecs) {
|
|
PORT_Free(ss->cipherSpecs);
|
|
ss->cipherSpecs = NULL;
|
|
ss->sizeCipherSpecs = 0;
|
|
}
|
|
+#endif /* NSS_NO_SSL2 */
|
|
break;
|
|
|
|
case SSL_NO_CACHE:
|
|
ss->opt.noCache = on;
|
|
break;
|
|
|
|
case SSL_ENABLE_FDX:
|
|
if (on && ss->opt.noLocks) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
rv = SECFailure;
|
|
}
|
|
ss->opt.fdx = on;
|
|
break;
|
|
|
|
case SSL_V2_COMPATIBLE_HELLO:
|
|
+#ifdef NSS_NO_SSL2
|
|
+ if (on) {
|
|
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
|
+ rv = SECFailure; /* not allowed */
|
|
+ }
|
|
+#else
|
|
if (IS_DTLS(ss)) {
|
|
if (on) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
rv = SECFailure; /* not allowed */
|
|
}
|
|
break;
|
|
}
|
|
ss->opt.v2CompatibleHello = on;
|
|
if (!on) {
|
|
ss->opt.enableSSL2 = on;
|
|
}
|
|
+#endif /* NSS_NO_SSL2 */
|
|
break;
|
|
|
|
case SSL_ROLLBACK_DETECTION:
|
|
ss->opt.detectRollBack = on;
|
|
break;
|
|
|
|
case SSL_NO_STEP_DOWN:
|
|
ss->opt.noStepDown = on;
|
|
@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
|
|
|
|
if (rv != SECSuccess) {
|
|
return rv;
|
|
}
|
|
|
|
if (ssl_IsRemovedCipherSuite(which)) {
|
|
rv = SECSuccess;
|
|
} else if (SSL_IS_SSL2_CIPHER(which)) {
|
|
+#ifdef NSS_NO_SSL2
|
|
+ rv = SSL_ERROR_SSL2_DISABLED;
|
|
+#else
|
|
rv = ssl2_SetPolicy(which, policy);
|
|
+#endif /* NSS_NO_SSL2 */
|
|
} else {
|
|
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
SECStatus
|
|
SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
|