[nss] Disable export suites and SSL2 support at build time

Elio Maldonado emaldonado at fedoraproject.org
Tue Mar 3 22:50:07 UTC 2015


commit 9b7199b3db56b6cdd2669fef9ec0bfef3d8621b9
Author: Elio Maldonado <emaldona at redhat.com>
Date:   Tue Mar 3 14:35:20 2015 -0800

    Disable export suites and SSL2 support at build time
    
    - Fix syntax errors in various shell scripts
    - Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites

 disableSSL2libssl.patch     | 69 +++++++++++++++++++++++++++++----------------
 disableSSL2tests.patch      | 32 +++++++++++----------
 nss.spec                    | 14 +++++----
 scripts-syntax-errors.patch |  2 +-
 4 files changed, 70 insertions(+), 47 deletions(-)
---
diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch
index 38d092a..6286184 100644
--- a/disableSSL2libssl.patch
+++ b/disableSSL2libssl.patch
@@ -10,8 +10,8 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
  DEFINES += -DNISCC_TEST
  endif
  
-+ifdef NSS_NO_SSL2
-+DEFINES += -DNSS_NO_SSL2
++ifdef NSS_NO_SSL2_NO_EXPORT
++DEFINES += -DNSS_NO_SSL2_NO_EXPORT
 +endif
 +
  # Allow build-time configuration of TLS 1.3 (Experimental)
@@ -34,7 +34,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          break;
  
        case SSL_ENABLE_SSL2:
-+#ifdef NSS_NO_SSL2
++#ifdef NSS_NO_SSL2_NO_EXPORT
 +        if (on) {
 +            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
 +            rv = SECFailure; /* not allowed */
@@ -48,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
              break;
          }
          ss->opt.enableSSL2       = on;
-@@ -667,42 +673,50 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+@@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
              ss->opt.v2CompatibleHello = on;
          }
          ss->preferredCipher     = NULL;
@@ -57,7 +57,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
              ss->cipherSpecs     = NULL;
              ss->sizeCipherSpecs = 0;
          }
-+#endif /* NSS_NO_SSL2 */
++#endif /* NSS_NO_SSL2_NO_EXPORT */
          break;
  
        case SSL_NO_CACHE:
@@ -73,7 +73,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          break;
  
        case SSL_V2_COMPATIBLE_HELLO:
-+#ifdef NSS_NO_SSL2
++#ifdef NSS_NO_SSL2_NO_EXPORT
 +        if (on) {
 +            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
 +            rv = SECFailure; /* not allowed */
@@ -90,7 +90,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          if (!on) {
              ss->opt.enableSSL2    = on;
          }
-+#endif /* NSS_NO_SSL2 */
++#endif /* NSS_NO_SSL2_NO_EXPORT */
          break;
  
        case SSL_ROLLBACK_DETECTION:
@@ -98,26 +98,45 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          break;
  
        case SSL_NO_STEP_DOWN:
++#ifdef NSS_NO_SSL2_NO_EXPORT
++        if (!on) {
++            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++            rv = SECFailure; /* not allowed */
++        }
++#else
          ss->opt.noStepDown     = on;
-@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
- 
-     if (rv != SECSuccess) {
-         return rv;
-     }
+         if (on)
+             SSL_DisableExportCipherSuites(fd);
++#endif /* NSS_NO_SSL2_NO_EXPORT */
+         break;
  
-     if (ssl_IsRemovedCipherSuite(which)) {
-         rv = SECSuccess;
-     } else if (SSL_IS_SSL2_CIPHER(which)) {
-+#ifdef NSS_NO_SSL2
-+        rv = SSL_ERROR_SSL2_DISABLED;
-+#else
-         rv = ssl2_SetPolicy(which, policy);
-+#endif /* NSS_NO_SSL2 */
-     } else {
-         rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+       case SSL_BYPASS_PKCS11:
+         if (ss->handshakeBegun) {
+             PORT_SetError(PR_INVALID_STATE_ERROR);
+             rv = SECFailure;
+         } else {
+             if (PR_FALSE != on) {
+@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
      }
-     return rv;
+     return SECSuccess;
  }
  
- SECStatus
- SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
+ /* function tells us if the cipher suite is one that we no longer support. */
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
++#ifdef NSS_NO_SSL2_NO_EXPORT
++    /* both ssl2 and export cipher suites disabled */
++    if (SSL_IS_SSL2_CIPHER(suite))
++        return PR_TRUE;
++    if (SSL_IsExportCipherSuite(suite))
++      return PR_TRUE;
++#endif /* NSS_NO_SSL2_NO_EXPORT */
+     switch (suite) {
+     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
+         return PR_TRUE;
+     default:
+         return PR_FALSE;
+     }
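Review bot: In the new SSL_NO_STEP_DOWN branch (L86-L91) the assignment `ss->opt.noStepDown = on;` sits under the `#else`, so in an NSS_NO_SSL2_NO_EXPORT build a caller passing `on` is accepted but the option field is never written; unless its default is already PR_TRUE, SSL_OptionGet would report a stale value, so the assignment should be hoisted above the `#ifdef` or done in the new branch as `} else { ss->opt.noStepDown = on; }`. Reporting SSL_ERROR_SSL2_DISABLED for a step-down request is also misleading; at minimum a comment such as `/* export suites are compiled out, so step-down cannot be re-enabled */` should explain the reuse. With SSL2 and export suites now reported by ssl_IsRemovedCipherSuite (L131-L137), SSL_CipherPolicySet on such a suite appears to succeed silently where the dropped hunk (L106-L110) tried to fail — that may be intended, but the commit message should say so. The `return PR_TRUE;` on L136 is indented with 6 spaces while the surrounding code uses 8. The enclosing SSL_OptionSet switch starts and ends outside the hunk.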
diff --git a/disableSSL2tests.patch b/disableSSL2tests.patch
index d0d9871..4fecca2 100644
--- a/disableSSL2tests.patch
+++ b/disableSSL2tests.patch
@@ -1,7 +1,7 @@
 diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
 --- a/tests/ssl/ssl.sh
 +++ b/tests/ssl/ssl.sh
-@@ -57,18 +57,23 @@ ssl_init()
+@@ -57,19 +57,23 @@ ssl_init()
    fi
  
    PORT=${PORT-8443}
@@ -11,14 +11,15 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  
    # Test case files
 -  SSLCOV=${QADIR}/ssl/sslcov.txt
-+  SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \
-+    && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
-+    || ${QADIR}/ssl/sslcov.txt
-   SSLAUTH=${QADIR}/ssl/sslauth.txt
-+  SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \
-+    && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
-+    || ${QADIR}/ssl/sslstress.txt
-   SSLSTRESS=${QADIR}/ssl/sslstress.txt
+-  SSLAUTH=${QADIR}/ssl/sslauth.txt
+-  SSLSTRESS=${QADIR}/ssl/sslstress.txt
++  if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
++    SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
++    SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
++  else
++    SSLCOV=${QADIR}/ssl/sslcov.txt
++    SSLSTRESS=${QADIR}/ssl/sslstress.txt
++  fi
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  
    #temparary files
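Review bot: The rewritten inner hunk removes `SSLAUTH=${QADIR}/ssl/sslauth.txt` (L171), but the replacement if/else block (L173-L179) assigns only SSLCOV and SSLSTRESS, so SSLAUTH is left unset unless ssl.sh defines it elsewhere, which this hunk does not show. The assignment does not depend on the build flag and should stay as an unchanged context line, or be re-added after the `fi` as `SSLAUTH=${QADIR}/ssl/sslauth.txt`. The enclosing ssl_init() function starts and ends outside the hunk.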
@@ -26,7 +27,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    SERVERPID=${TMP}/tests_pid.$$
  
    R_SERVERPID=../tests_pid.$$
-@@ -115,17 +120,21 @@ is_selfserv_alive()
+ 
+@@ -115,17 +119,21 @@ is_selfserv_alive()
    if [ "${OS_ARCH}" = "WINNT" ] && \
       [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
        PID=${SHELL_SERVERPID}
@@ -35,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    fi
  
    echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
-+  if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
++  if [[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
 +  echo "No server to kill"
 +  else
    kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
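Review bot: The condition on L198 opens with `[[` but closes its first test with a single `]` and the whole expression with `]]`; bash rejects that as a syntax error, so the shell-script fixes this commit advertises do not reach this line. The same test uses `-n ${EXP} -o -n ${SSL2}`, yet SSL2 holds an exit status (`SSL2=$?` at L230, compared with `-eq 0` at L236), so `-n` is true whenever the variable is set and the skip fires for every test; EXP presumably follows the same pattern. The check should read `if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ "${EXP}" -eq 0 -o "${SSL2}" -eq 0 ]; then`, and the same `-n` test recurs in the hunks ending at L219 and L237. is_selfserv_alive() starts and ends outside the hunk.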
@@ -48,7 +50,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  # local shell function to wait until selfserver is running and initialized
  ########################################################################
  wait_for_selfserv()
-@@ -138,17 +147,21 @@ wait_for_selfserv()
+@@ -138,17 +146,21 @@ wait_for_selfserv()
    if [ $? -ne 0 ]; then
        sleep 5
        echo "retrying to connect to selfserv at `date`"
@@ -57,7 +59,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
        ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
                -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
        if [ $? -ne 0 ]; then
-+          if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++          if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
 +              html_passed "Server never started"
 +          else
            html_failed "Waiting for Server"
@@ -70,7 +72,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  ########################### kill_selfserv ##############################
  # local shell function to kill the selfserver after the tests are done
  ########################################################################
-@@ -273,16 +286,19 @@ ssl_cov()
+@@ -273,16 +285,19 @@ ssl_cov()
    exec < ${SSLCOV}
    while read ectype testmax param testname
    do
@@ -80,7 +82,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
        SSL2=$?
  
 +      #  skip export and ssl2 tests when build has disabled SSL2
-+      [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
++      [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
 +
        if [ "${SSL2}" -eq 0 ] ; then
            # We cannot use asynchronous cert verification with SSL2
diff --git a/nss.spec b/nss.spec
index 510d139..bab90b2 100644
--- a/nss.spec
+++ b/nss.spec
@@ -19,7 +19,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.17.4
-Release:          4%{?dist}
+Release:          5%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -92,7 +92,6 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 Patch50:          iquote.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
 Patch51:          tls12.patch
-# SSL2 support has been disabled downstream in RHEL since RHEL-7.0
 Patch52:          disableSSL2libssl.patch
 Patch53:          disableSSL2tests.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367
@@ -219,8 +218,7 @@ done
 
 %build
 
-# uncomment this line when the work is ready
-#export NSS_NO_SSL2=1
+export NSS_NO_SSL2_NO_EXPORT=1
 
 NSS_NO_PKCS11_BYPASS=1
 export NSS_NO_PKCS11_BYPASS
@@ -371,8 +369,7 @@ fi
 # Begin -- copied from the build section
 
 # inform the ssl test scripts that SSL2 is disabled
-# uncomment this line when the work is ready
-#export NSS_NO_SSL2=1
+export NSS_NO_SSL2_NO_EXPORT=1
 
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
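Review bot: The comment on L272, `# inform the ssl test scripts that SSL2 is disabled`, now introduces `export NSS_NO_SSL2_NO_EXPORT=1` (L275), which also disables the export cipher suites, so it is stale. It should read `# inform the ssl test scripts that SSL2 and the export cipher suites are disabled`.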
@@ -797,6 +794,11 @@ fi
 
 
 %changelog
+* Tue Mar 03 2015 Elio Maldonado <emaldona at redhat.com> - 3.17.4-5
+- Disable export suites and SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
 * Sat Feb 21 2015 Till Maas <opensource at till.name> - 3.17.4-4
 - Rebuilt for Fedora 23 Change
   https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
diff --git a/scripts-syntax-errors.patch b/scripts-syntax-errors.patch
index aeff0ab..28cfc4a 100644
--- a/scripts-syntax-errors.patch
+++ b/scripts-syntax-errors.patch
@@ -11,7 +11,7 @@ diff --git a/tests/all.sh b/tests/all.sh
  # Exception: when building softoken only, shlibsign is the
  # last file created.
 -if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
-+if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
    LAST_FILE_BUILT=shlibsign
  else
    LAST_FILE_BUILT=modutil

