NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS

Resolves: #1435689
2017-03-23 13:43:39 +01:00 · 2017-03-23 13:43:39 +01:00 · 54f6fd1feb
commit 54f6fd1feb
parent d0828bee6c
4 changed files with 15 additions and 4 deletions
--- a/openldap-nss-cipher-attributes.patch
+++ b/openldap-nss-cipher-attributes.patch
@ -67,7 +67,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 
 /* cipher strength */
 #define SSL_NULL      0x00000001L
-@@ -240,10 +257,14 @@ typedef struct {
+@@ -240,10 +257,15 @@ typedef struct {
 #define SSL_MEDIUM    0x00000010L
 #define SSL_HIGH      0x00000020L
 
@ -79,6 +79,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 /* OpenSSL treats SSL3 and TLSv1 the same */
 #define TLS1  SSL3
 +#define TLS1_2 0x00000004L
+#define TLS1_3 0x00000008L
 
 /* Cipher translation */
 static cipher_properties ciphers_def[] = {
--- a/openldap-nss-ciphers-definitions.patch
+++ b/openldap-nss-ciphers-definitions.patch
@ -6,7 +6,7 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
-@@ -268,29 +268,104 @@ typedef struct {
+@@ -268,29 +268,109 @@ typedef struct {
 
 /* Cipher translation */
 static cipher_properties ciphers_def[] = {
@ -129,6 +129,11 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +	//{"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
 +	//{"ECDHE-RSA-CHACHA20-POLY1305",   0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */,   SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD,   TLS1_2, SSL_HIGH},
 +	//{"DHE-RSA-CHACHA20-POLY1305",     0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */,     SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD,     TLS1_2, SSL_HIGH},
+
+	// TLSv1.3
+	{"TLS13-AES-128-GCM-SHA256",	0x1301 /* TLS_AES_128_GCM_SHA256 */,	SSL_AES128|SSL_AESGCM|SSL_AEAD,	TLS1_3, SSL_HIGH},
+	{"TLS13-AES-256-GCM-SHA384",	0x1302 /* TLS_AES_256_GCM_SHA384 */,	SSL_AES256|SSL_AESGCM|SSL_AEAD,	TLS1_3, SSL_HIGH},
+	{"TLS13-CHACHA20-POLY1305-SHA256",     0x1303 /* TLS_CHACHA20_POLY1305_SHA256 */,	SSL_CHACHA20POLY1305|SSL_AEAD,	TLS1_3, SSL_HIGH},
 };
 
 #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
--- a/openldap-nss-ciphers-parsing.patch
+++ b/openldap-nss-ciphers-parsing.patch
@ -69,7 +69,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 				} else if (!strcmp(cipher, "3DES")) {
 					mask |= SSL_3DES;
 				} else if (!strcmp(cipher, "DES")) {
-@@ -693,26 +707,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -693,26 +707,69 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
 					mask |= SSL_RC2;
 				} else if (!strcmp(cipher, "MD5")) {
 					mask |= SSL_MD5;
@ -122,6 +122,8 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 					protocol |= TLS1;
 +				} else if (!strcmp(cipher, "TLSv1.2")) {
 +					protocol |= TLS1_2;
+				} else if (!strcmp(cipher, "TLSv1.3")) {
+					protocol |= TLS1_3;
 				} else if (!strcmp(cipher, "HIGH")) {
 					strength |= SSL_HIGH;
 				} else if (!strcmp(cipher, "MEDIUM")) {
--- a/openldap.spec
+++ b/openldap.spec
@ -5,7 +5,7 @@

 Name: openldap
 Version: 2.4.44
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -548,6 +548,9 @@ exit 0
 %{_mandir}/man3/*

 %changelog
+* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
+- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435689)
+
 * Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8
 - NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435689)