[nss/private-disableSSL2ForF22] Disable support for ssl2
Elio Maldonado
emaldonado at fedoraproject.org
Fri Jul 18 14:38:18 UTC 2014
commit ab703f693c452c4e7fcaba5df81d0a0180114e3a
Author: Elio Maldonado <emaldona at redhat.com>
Date: Fri Jul 18 07:35:10 2014 -0700
Disable support for ssl2
- Support is disabled by setting a build-time environment variable, export NSS_NO_SSL2=1, in the spec file
- Support can be restored by not setting that environment variable
disable-sslv2-libssl.patch | 72 ++++++++++++++++++++++++++++++++++++++++++++
disable-sslv2-tests.patch | 54 +++++++++++++++++++++++++++++++++
nss.spec | 17 +++++++++-
3 files changed, 141 insertions(+), 2 deletions(-)
---
diff --git a/disable-sslv2-libssl.patch b/disable-sslv2-libssl.patch
new file mode 100644
index 0000000..5c64f33
--- /dev/null
+++ b/disable-sslv2-libssl.patch
@@ -0,0 +1,72 @@
+diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
+--- ./nss/lib/ssl/config.mk.disableSSL2 2014-06-24 13:45:27.000000000 -0700
++++ ./nss/lib/ssl/config.mk 2014-07-12 12:32:06.011646588 -0700
+@@ -7,6 +7,10 @@ ifdef NISCC_TEST
+ DEFINES += -DNISCC_TEST
+ endif
+
++ifdef NSS_NO_SSL2
++DEFINES += -DNSS_NO_SSL2
++endif
++
+ ifdef NSS_NO_PKCS11_BYPASS
+ DEFINES += -DNO_PKCS11_BYPASS
+ else
+diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.disableSSL2 2014-07-12 12:32:05.970645943 -0700
++++ ./nss/lib/ssl/sslsock.c 2014-07-12 12:36:46.096072901 -0700
+@@ -653,6 +653,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ break;
+
+ case SSL_ENABLE_SSL2:
++#ifdef NSS_NO_SSL2
++ if (on) {
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++ }
++#else
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -670,6 +676,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ ss->cipherSpecs = NULL;
+ ss->sizeCipherSpecs = 0;
+ }
++#endif /* NSS_NO_SSL2 */
+ break;
+
+ case SSL_NO_CACHE:
+@@ -685,6 +692,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ break;
+
+ case SSL_V2_COMPATIBLE_HELLO:
++#ifdef NSS_NO_SSL2
++ if (on) {
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++ }
++#else
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -696,6 +709,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ if (!on) {
+ ss->opt.enableSSL2 = on;
+ }
++#endif /* NSS_NO_SSL2 */
+ break;
+
+ case SSL_ROLLBACK_DETECTION:
+@@ -1146,7 +1160,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
+ if (ssl_IsRemovedCipherSuite(which)) {
+ rv = SECSuccess;
+ } else if (SSL_IS_SSL2_CIPHER(which)) {
++#ifdef NSS_NO_SSL2
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++#else
+ rv = ssl2_SetPolicy(which, policy);
++#endif
+ } else {
+ rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+ }
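Review bot: Under NSS_NO_SSL2 the new SSL_ENABLE_SSL2 branch fails for `on` but does nothing for `!on`, so `ss->opt.enableSSL2` is never written and the cipherSpecs reset the #else path performs is skipped; the stored value then depends entirely on the defaults table, which this patch does not touch. Consider making the off state explicit, `} else { ss->opt.enableSSL2 = PR_FALSE; }` inside the `#ifdef NSS_NO_SSL2` block, and likewise `ss->opt.v2CompatibleHello = PR_FALSE;` in the SSL_V2_COMPATIBLE_HELLO case. The patch guards SSL_OptionSet and SSL_CipherPolicySet only; SSL_OptionSetDefault and the cipher-preference setters presumably have parallel SSL2 cases in sslsock.c outside this hunk — confirm they reject SSL2 too, otherwise the default path can still turn it on. The nested sslsock.c hunks cut through SSL_OptionSet, so the rest of that function is not visible here.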
diff --git a/disable-sslv2-tests.patch b/disable-sslv2-tests.patch
new file mode 100644
index 0000000..d314904
--- /dev/null
+++ b/disable-sslv2-tests.patch
@@ -0,0 +1,54 @@
+diff -up ./nss/tests/chains/chains.sh.disableSSL2 ./nss/tests/chains/chains.sh
+--- ./nss/tests/chains/chains.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
++++ ./nss/tests/chains/chains.sh 2014-07-12 12:38:36.407821766 -0700
+@@ -40,7 +40,11 @@ is_httpserv_alive()
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
++ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
++ echo "skipping kill because SSL2 was disabled"
++ else
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
++ fi
+
+ echo "httpserv with PID ${PID} found at `date`"
+ }
+@@ -59,7 +63,11 @@ wait_for_httpserv()
+ echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ if [ $? -ne 0 ]; then
+- html_failed "Waiting for Server"
++ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
++ html_passed "Waiting for Server is supposed to fail"
++ else
++ html_failed "Waiting for Server"
++ fi
+ fi
+ fi
+ is_httpserv_alive
+ TESTNAME="Test that OCSP server is reachable"
+ check_ocsp ${VALUE}
+ if [ $? -ne 0 ]; then
++ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
++ html_passed "$TESTNAME"
++ else
+ html_failed "$TESTNAME"
++ fi
+ break;
+ else
+ html_passed "$TESTNAME"
+diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
++++ ./nss/tests/ssl/ssl.sh 2014-07-12 12:37:25.476697212 -0700
+@@ -278,6 +278,11 @@ ssl_cov()
+ echo "${testname}" | grep "SSL2" > /dev/null
+ SSL2=$?
+
++ # skip export and ssl2 tests when build has disabled SSL2
++ if [[ "${NSS_NO_SSL2}" = "1" ]] && [[ -n ${EXP} -o -n ${SSL2} ]] ; then
++ continue
++ fi
++
+ if [ "${SSL2}" -eq 0 ] ; then
+ # We cannot use asynchronous cert verification with SSL2
+ SSL2_FLAGS=-O
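Review bot: The skip condition on the ssl.sh line `[[ "${NSS_NO_SSL2}" = "1" ]] && [[ -n ${EXP} -o -n ${SSL2} ]]` is wrong on two counts: `-o` is not a binary operator inside `[[ ]]` (bash rejects it with a conditional-expression syntax error), and `SSL2` holds grep's exit status, `0` or `1`, so `-n` would be true for every test name and ssl_cov would skip its whole loop instead of only the export and SSL2 cases. Compare the status values instead, e.g. `if [[ "${NSS_NO_SSL2}" = "1" ]] && [[ "${SSL2}" -eq 0 || "${EXP}" -eq 0 ]]; then continue; fi` (EXP is assigned above the hunk, presumably the same way as SSL2). In chains.sh the three new `NSS_NO_SSL2` branches turn a failed liveness check, a failed server wait and an unreachable OCSP server into html_passed without checking why the command failed, so a real regression in those tests would be reported as a pass in the SSL2-disabled build; logging a skip rather than a pass, or checking tstclnt's output for the SSL2 error specifically, would keep the signal. The is_httpserv_alive and ssl_cov bodies start and end outside the hunk.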
diff --git a/nss.spec b/nss.spec
index 75c55bc..5e95883 100644
--- a/nss.spec
+++ b/nss.spec
@@ -19,7 +19,7 @@
Summary: Network Security Services
Name: nss
Version: 3.16.2
-Release: 1%{?dist}
+Release: 2%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -91,6 +91,8 @@ Patch49: nss-skip-bltest-and-fipstest.patch
# headers are older. Such is the case when starting an update with API changes or even private export changes.
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
Patch50: iquote.patch
+Patch52: disable-sslv2-libssl.patch
+Patch53: disable-sslv2-tests.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -178,6 +180,8 @@ low level services.
%patch47 -p0 -b .templates
%patch49 -p0 -b .skipthem
%patch50 -p0 -b .iquote
+%patch52 -p0 -b .disableSSL2
+%patch53 -p0 -b .disableSSL2
#########################################################
# Higher-level libraries and test tools need access to
@@ -208,6 +212,8 @@ done
%build
+export NSS_NO_SSL2=1
+
NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS
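Review bot: `export NSS_NO_SSL2=1` here and its copy in %check must stay identical, and the restore path the commit message describes ("not setting that environment variable") means editing both places by hand; a build conditional would keep them in sync and make the switch visible at the top of the spec, e.g. `%bcond_with ssl2` in the header and `%{!?with_ssl2:export NSS_NO_SSL2=1}` in both sections. The %build section continues past the hunk.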
@@ -355,6 +361,10 @@ if [ ${DISABLETEST:-0} -eq 1 ]; then
fi
# Begin -- copied from the build section
+
+# inform the ssl test scripts that SSL2 is disabled
+export NSS_NO_SSL2=1
+
FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND
@@ -537,7 +547,7 @@ for f in nss-config setup-nsssysinit; do
done
# Copy the man pages for the nss tools
for f in "%{allTools}"; do
- install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+ install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
# Copy the man pages for the configuration files
for f in pkcs11.txt; do
@@ -747,6 +757,9 @@ fi
%changelog
+* Fri Jul 18 2014 Elio Maldonado <emaldona at redhat.com> - 3.16.2-2
+- Disable support for ssl2
+
* Sun Jun 29 2014 Elio Maldonado <emaldona at redhat.com> - 3.16.2-1
- Update to nss-3.16.2