| From 6c5bb879f09c490ad9aebf50670cbe546d0aba4a Mon Sep 17 00:00:00 2001 |
| From: Kamil Dudka <kdudka@redhat.com> |
| Date: Fri, 7 Mar 2014 13:02:03 +0100 |
| Subject: [PATCH 1/3] nss: do not enable AES cipher-suites by default |
| |
| ... but allow them to be enabled/disabled explicitly. The default |
| policy should be maintained at the NSS level. |
| |
| Upstream-commit: b4f6cd46eb1b5a98573e0c0e619dc71646affdc8 |
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
| |
| lib/nss.c | 27 ++++----------------------- |
| 1 file changed, 4 insertions(+), 23 deletions(-) |
| |
| diff --git a/lib/nss.c b/lib/nss.c |
| index abc8a91..289c55b 100644 |
| |
| |
| @@ -122,6 +122,10 @@ static const cipher_s cipherlist[] = { |
| {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA}, |
| {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, |
| /* AES ciphers. */ |
| + {"dhe_dss_aes_128_cbc_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA}, |
| + {"dhe_dss_aes_256_cbc_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA}, |
| + {"dhe_rsa_aes_128_cbc_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, |
| + {"dhe_rsa_aes_256_cbc_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, |
| {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, |
| {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, |
| /* ECC ciphers. */ |
| @@ -152,18 +156,6 @@ static const cipher_s cipherlist[] = { |
| {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA}, |
| }; |
| |
| -/* following ciphers are new in NSS 3.4 and not enabled by default, therefore |
| - they are enabled explicitly */ |
| -static const int enable_ciphers_by_default[] = { |
| - TLS_DHE_DSS_WITH_AES_128_CBC_SHA, |
| - TLS_DHE_DSS_WITH_AES_256_CBC_SHA, |
| - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, |
| - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, |
| - TLS_RSA_WITH_AES_128_CBC_SHA, |
| - TLS_RSA_WITH_AES_256_CBC_SHA, |
| - SSL_NULL_WITH_NULL_NULL |
| -}; |
| - |
| static const char* pem_library = "libnsspem.so"; |
| SECMODModule* mod = NULL; |
| |
| @@ -1214,7 +1206,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) |
| curl_socket_t sockfd = conn->sock[sockindex]; |
| struct ssl_connect_data *connssl = &conn->ssl[sockindex]; |
| CURLcode curlerr; |
| - const int *cipher_to_enable; |
| PRSocketOptionData sock_opt; |
| long time_left; |
| PRUint32 timeout; |
| @@ -1304,16 +1295,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) |
| /* reset the flag to avoid an infinite loop */ |
| data->state.ssl_connect_retry = FALSE; |
| |
| - /* enable all ciphers from enable_ciphers_by_default */ |
| - cipher_to_enable = enable_ciphers_by_default; |
| - while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) { |
| - if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) { |
| - curlerr = CURLE_SSL_CIPHER; |
| - goto error; |
| - } |
| - cipher_to_enable++; |
| - } |
| - |
| if(data->set.ssl.cipher_list) { |
| if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { |
| curlerr = CURLE_SSL_CIPHER; |
| -- |
| 2.1.0 |
| |
| |
| From 0dac41d2469fe2990197912f4e2d58e1de6957e6 Mon Sep 17 00:00:00 2001 |
| From: Kamil Dudka <kdudka@redhat.com> |
| Date: Fri, 7 Mar 2014 13:10:54 +0100 |
| Subject: [PATCH 2/3] nss: allow to enable/disable new HMAC-SHA256 |
| cipher-suites |
| |
| ... if built against a new enough version of NSS |
| |
| Upstream-commit: c864d81289297b04dbbca14e3c5307ef15e6f258 |
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
| |
| lib/nss.c | 10 ++++++++++ |
| 1 file changed, 10 insertions(+) |
| |
| diff --git a/lib/nss.c b/lib/nss.c |
| index 289c55b..ea0d4ef 100644 |
| |
| |
| @@ -154,6 +154,16 @@ static const cipher_s cipherlist[] = { |
| {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA}, |
| {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA}, |
| {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA}, |
| +#ifdef TLS_RSA_WITH_NULL_SHA256 |
| + /* new HMAC-SHA256 cipher suites specified in RFC */ |
| + {"rsa_null_sha_256", TLS_RSA_WITH_NULL_SHA256}, |
| + {"rsa_aes_128_cbc_sha_256", TLS_RSA_WITH_AES_128_CBC_SHA256}, |
| + {"rsa_aes_256_cbc_sha_256", TLS_RSA_WITH_AES_256_CBC_SHA256}, |
| + {"dhe_rsa_aes_128_cbc_sha_256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}, |
| + {"dhe_rsa_aes_256_cbc_sha_256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256}, |
| + {"ecdhe_ecdsa_aes_128_cbc_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256}, |
| + {"ecdhe_rsa_aes_128_cbc_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}, |
| +#endif |
| }; |
| |
| static const char* pem_library = "libnsspem.so"; |
| -- |
| 2.1.0 |
| |
| |
| From f9c89d4cf767a7e2ae39ae668ec30a71513a3d98 Mon Sep 17 00:00:00 2001 |
| From: Kamil Dudka <kdudka@redhat.com> |
| Date: Fri, 7 Mar 2014 13:14:08 +0100 |
| Subject: [PATCH 3/3] nss: allow to enable/disable new AES GCM cipher-suites |
| |
| ... if built against a new enough version of NSS |
| |
| Upstream-commit: 67061e3f4ec1c2f3b4bb02bbe2d91ccdeb147c60 |
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
| |
| lib/nss.c | 10 ++++++++++ |
| 1 file changed, 10 insertions(+) |
| |
| diff --git a/lib/nss.c b/lib/nss.c |
| index ea0d4ef..1381dc4 100644 |
| |
| |
| @@ -164,6 +164,16 @@ static const cipher_s cipherlist[] = { |
| {"ecdhe_ecdsa_aes_128_cbc_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256}, |
| {"ecdhe_rsa_aes_128_cbc_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}, |
| #endif |
| +#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256 |
| + /* AES GCM cipher suites in RFC 5288 and RFC 5289 */ |
| + {"rsa_aes_128_gcm_sha_256", TLS_RSA_WITH_AES_128_GCM_SHA256}, |
| + {"dhe_rsa_aes_128_gcm_sha_256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, |
| + {"dhe_dss_aes_128_gcm_sha_256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256}, |
| + {"ecdhe_ecdsa_aes_128_gcm_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, |
| + {"ecdh_ecdsa_aes_128_gcm_sha_256", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256}, |
| + {"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, |
| + {"ecdh_rsa_aes_128_gcm_sha_256", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256}, |
| +#endif |
| }; |
| |
| static const char* pem_library = "libnsspem.so"; |
| -- |
| 2.1.0 |
| |