rpms / mod_nss

Clone
Source Code
GIT

Files

  1.   b7538d7d21fa98950e139ed7c53b8c4426d37c7b
  2.   SOURCES
  3.   mod_nss-sha384_cipher.patch
Blob Blame History Raw 
diff -up --recursive mod_nss-1.0.11/nss_engine_cipher.c mod_nss-1.0.11.cipher/nss_engine_cipher.c
--- mod_nss-1.0.11/nss_engine_cipher.c	2015-09-22 10:08:46.977756724 -0400
+++ mod_nss-1.0.11.cipher/nss_engine_cipher.c	2015-09-22 13:50:49.320055436 -0400
@@ -42,6 +42,7 @@ cipher_properties ciphers_def[ciphernum]
     {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, "EXP1024-RC4-SHA", SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_EXPORT56, 56, 128},
     {"camelia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "CAMELLIA256-SHA", SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
     {"rsa_aes_128_gcm_sha_256", TLS_RSA_WITH_AES_128_GCM_SHA256, "AES128-GCM-SHA256", SSL_kRSA|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128},
+    {"rsa_aes_256_gcm_sha_384", TLS_RSA_WITH_AES_256_GCM_SHA384, "AES256-GCM-SHA384", SSL_kRSA|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
     {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_HIGH, 112, 168},
     {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56},
 #ifdef NSS_ENABLE_ECC
@@ -73,6 +74,10 @@ cipher_properties ciphers_def[ciphernum]
     {"ecdhe_ecdsa_aes_128_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "ECDHE-ECDSA-AES128-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128},
     {"ecdhe_rsa_aes_128_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "ECDHE-RSA-AES128-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128},
     {"ecdhe_ecdsa_aes_128_gcm_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "ECDHE-ECDSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128},
+    {"ecdhe_ecdsa_aes_256_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "ECDHE-ECDSA-AES256-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256},
+    {"ecdhe_rsa_aes_256_sha_384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "ECDHE-RSA-AES256-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256},
+    {"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "ECDHE-ECDSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
+    {"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "ECDHE-RSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
     {"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "ECDHE-RSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128},
     /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 is not implemented */
     /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 is not implemented */
@@ -323,6 +328,8 @@ static int parse_openssl_ciphers(server_
                     mask |= SSL_SHA1;
                 } else if (!strcmp(cipher, "SHA256")) {
                     mask |= SSL_SHA256;
+                } else if (!strcmp(cipher, "SHA384")) {
+                    mask |= SSL_SHA384;
                 } else if (!strcmp(cipher, "SSLv2")) {
                     /* no-op */
                 } else if (!strcmp(cipher, "SSLv3")) {
diff -up --recursive mod_nss-1.0.11/nss_engine_cipher.h mod_nss-1.0.11.cipher/nss_engine_cipher.h
--- mod_nss-1.0.11/nss_engine_cipher.h	2015-09-22 10:08:13.915509295 -0400
+++ mod_nss-1.0.11.cipher/nss_engine_cipher.h	2015-09-22 13:45:18.838532130 -0400
@@ -70,7 +70,8 @@ typedef struct
 #define SSL_AES128GCM     0x04000000L
 #define SSL_AES256GCM     0x08000000L
 #define SSL_SHA256        0x10000000L
-#define SSL_AEAD          0x20000000L
+#define SSL_SHA384        0x20000000L
+#define SSL_AEAD          0x40000000L
 
 #define SSL_AES           (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
 #define SSL_CAMELLIA      (SSL_CAMELLIA128|SSL_CAMELLIA256)
@@ -83,9 +84,9 @@ typedef struct
 
 /* the table itself is defined in nss_engine_cipher.c */
 #ifdef NSS_ENABLE_ECC
-#define ciphernum 49
+#define ciphernum 54
 #else
-#define ciphernum 20
+#define ciphernum 21
 #endif
 
 /* function prototypes */
diff -up --recursive mod_nss-1.0.11/test/test_cipher.py mod_nss-1.0.11.cipher/test/test_cipher.py
--- mod_nss-1.0.11/test/test_cipher.py	2015-09-22 10:08:46.977756724 -0400
+++ mod_nss-1.0.11.cipher/test/test_cipher.py	2015-09-22 13:50:05.214717202 -0400
@@ -19,6 +19,10 @@ CIPHERS_NOT_IN_NSS = ['ECDH-RSA-AES128-S
                       'ECDH-ECDSA-AES128-SHA256',
                       'ECDH-RSA-AES128-GCM-SHA256',
                       'EXP-DES-CBC-SHA',
+                      'ECDH-RSA-AES256-GCM-SHA384',
+                      'ECDH-ECDSA-AES256-SHA384',
+                      'ECDH-RSA-AES256-SHA384',
+                      'ECDH-ECDSA-AES256-GCM-SHA384',
 ]
 
 def assert_equal_openssl(nss_ciphers, ossl_ciphers):
@@ -34,12 +38,10 @@ def assert_equal_openssl(nss_ciphers, os
     ossl_list = list(set(ossl_list))
     ossl_list.sort()
 
-    # NSS doesn't support the SHA-384 ciphers, remove them from the OpenSSL
-    # output.
+    # NSS doesn't support the all the same ciphers as OpenSSL. Remove
+    # the ones we know about from the OpenSSL output.
     t = list()
     for o in ossl_list:
-        if 'SHA384' in o:
-            continue
         if o in CIPHERS_NOT_IN_NSS:
             continue
         t.append(o)

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation