From 301f5142f8eac474ff3f92d83450cdd3b023c92b Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 19 Sep 2016 16:37:05 +0200
Subject: [PATCH 1/3] nss: fix typo in ecdhe_rsa_null cipher suite string
As it seems to be a rarely used cipher suite (for securely established
but _unencrypted_ connections), I believe it is fine not to provide an
alias for the misspelled variant.
Upstream-commit: 75912202709e0f74a5bab91ef57254d7038f5f42
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/nss.c b/lib/nss.c
index 7b4fe57..d0db3cd 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -144,7 +144,7 @@ static const cipher_s cipherlist[] = {
{"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA},
{"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA},
{"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA},
- {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA},
+ {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA},
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA},
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA},
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
--
2.7.4
From 3b11781032d9c04ba8a9500899339a4758da4ad7 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 19 Sep 2016 17:38:23 +0200
Subject: [PATCH 2/3] nss: add cipher suites using SHA384 if supported by NSS
Upstream-commit: 049aa9254687f6738642bd73da9bf96d8af2a833
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/nss.c b/lib/nss.c
index d0db3cd..16b0218 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -174,6 +174,16 @@ static const cipher_s cipherlist[] = {
{"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
{"ecdh_rsa_aes_128_gcm_sha_256", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256},
#endif
+#ifdef TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ /* cipher suites using SHA384 */
+ {"rsa_aes_256_gcm_sha_384", TLS_RSA_WITH_AES_256_GCM_SHA384},
+ {"dhe_rsa_aes_256_gcm_sha_384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
+ {"dhe_dss_aes_256_gcm_sha_384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384},
+ {"ecdhe_ecdsa_aes_256_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
+ {"ecdhe_rsa_aes_256_sha_384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
+ {"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
+ {"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
+#endif
};
static const char* pem_library = "libnsspem.so";
--
2.7.4
From e796e68d2f1ef647a91afa10deb0986e082a14be Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 19 Sep 2016 17:45:53 +0200
Subject: [PATCH 3/3] nss: add chacha20-poly1305 cipher suites if supported by
NSS
Upstream-commit: d1f1c857ad559eafef9373621d30174c046261ef
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/nss.c b/lib/nss.c
index 16b0218..36c100d 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -184,6 +184,15 @@ static const cipher_s cipherlist[] = {
{"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
{"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
#endif
+#ifdef TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ /* chacha20-poly1305 cipher suites */
+ {"ecdhe_rsa_chacha20_poly1305_sha_256",
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
+ {"ecdhe_ecdsa_chacha20_poly1305_sha_256",
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
+ {"dhe_rsa_chacha20_poly1305_sha_256",
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
+#endif
};
static const char* pem_library = "libnsspem.so";
--
2.7.4