|
 |
9d7d3f |
From 311a22b801693bf8b748169f35bde7bef744da8c Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
Date: Wed, 29 Jan 2014 12:55:36 +0100
|
|
|
9d7d3f |
Subject: [PATCH 1/2] nss: do not fail if NSS does not implement a cipher
|
|
|
9d7d3f |
|
|
|
9d7d3f |
... that the user does not ask for
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit e15e73b741a2ddc88d166d2cec86d2bebb5d349e]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
lib/nss.c | 9 +++++----
|
|
|
9d7d3f |
1 files changed, 5 insertions(+), 4 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index a2c5c63..c4ffe7b 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -192,14 +192,13 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
|
|
|
9d7d3f |
PRBool cipher_state[NUM_OF_CIPHERS];
|
|
|
9d7d3f |
PRBool found;
|
|
|
9d7d3f |
char *cipher;
|
|
|
9d7d3f |
- SECStatus rv;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
/* First disable all ciphers. This uses a different max value in case
|
|
|
9d7d3f |
* NSS adds more ciphers later we don't want them available by
|
|
|
9d7d3f |
* accident
|
|
|
9d7d3f |
*/
|
|
|
9d7d3f |
for(i=0; i
|
|
|
9d7d3f |
- SSL_CipherPrefSet(model, SSL_ImplementedCiphers[i], SSL_NOT_ALLOWED);
|
|
|
9d7d3f |
+ SSL_CipherPrefSet(model, SSL_ImplementedCiphers[i], PR_FALSE);
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
/* Set every entry in our list to false */
|
|
|
9d7d3f |
@@ -239,8 +238,10 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
|
|
|
9d7d3f |
|
|
|
9d7d3f |
/* Finally actually enable the selected ciphers */
|
|
|
9d7d3f |
for(i=0; i
|
|
|
9d7d3f |
- rv = SSL_CipherPrefSet(model, cipherlist[i].num, cipher_state[i]);
|
|
|
9d7d3f |
- if(rv != SECSuccess) {
|
|
|
9d7d3f |
+ if(!cipher_state[i])
|
|
|
9d7d3f |
+ continue;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
+ if(SSL_CipherPrefSet(model, cipherlist[i].num, PR_TRUE) != SECSuccess) {
|
|
|
9d7d3f |
failf(data, "cipher-suite not supported by NSS: %s", cipherlist[i].name);
|
|
|
9d7d3f |
return SECFailure;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 9fe38c72787ba6658456a30477d48fe7960947ed Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
Date: Wed, 29 Jan 2014 13:03:46 +0100
|
|
|
9d7d3f |
Subject: [PATCH 2/2] nss: do not use the NSS_ENABLE_ECC define
|
|
|
9d7d3f |
|
|
|
9d7d3f |
It is not provided by NSS public headers.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
Bug: https://bugzilla.redhat.com/1058776
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 665c160f0a4635565b44704ca281d2a03e715d6d]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
lib/nss.c | 2 --
|
|
|
9d7d3f |
1 files changed, 0 insertions(+), 2 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index c4ffe7b..111982f 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -126,7 +126,6 @@ static const cipher_s cipherlist[] = {
|
|
|
9d7d3f |
/* AES ciphers. */
|
|
|
9d7d3f |
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
|
|
|
9d7d3f |
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
|
|
|
9d7d3f |
-#ifdef NSS_ENABLE_ECC
|
|
|
9d7d3f |
/* ECC ciphers. */
|
|
|
9d7d3f |
{"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA},
|
|
|
9d7d3f |
{"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA},
|
|
|
9d7d3f |
@@ -153,7 +152,6 @@ static const cipher_s cipherlist[] = {
|
|
|
9d7d3f |
{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA},
|
|
|
9d7d3f |
{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA},
|
|
|
9d7d3f |
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
|
|
|
9d7d3f |
-#endif
|
|
|
9d7d3f |
};
|
|
|
9d7d3f |
|
|
|
9d7d3f |
/* following ciphers are new in NSS 3.4 and not enabled by default, therefore
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|