
652e94
diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
652e94
--- a/lib/ssl/config.mk
652e94
+++ b/lib/ssl/config.mk
1b6f66
@@ -7,16 +7,20 @@ ifdef NISCC_TEST
f57139
 DEFINES += -DNISCC_TEST
f57139
 endif
f57139
 
2533fc
 # Allow build-time configuration of TLS 1.3 (Experimental)
2533fc
 ifdef NSS_ENABLE_TLS_1_3
2533fc
 DEFINES += -DNSS_ENABLE_TLS_1_3
2533fc
 endif
2533fc
 
1b6f66
+ifdef NSS_NO_SSL2
1b6f66
+DEFINES += -DNSS_NO_SSL2
1b6f66
+endif
1b6f66
+
f57139
 ifdef NSS_NO_PKCS11_BYPASS
f57139
 DEFINES += -DNO_PKCS11_BYPASS
f57139
 else
1b6f66
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
1b6f66
 
1b6f66
 EXTRA_LIBS += \
1b6f66
 	$(CRYPTOLIB) \
1b6f66
 	$(NULL)
652e94
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
652e94
--- a/lib/ssl/sslsock.c
652e94
+++ b/lib/ssl/sslsock.c
1b6f66
@@ -678,16 +678,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
652e94
         if (ss->cipherSpecs) {
652e94
             PORT_Free(ss->cipherSpecs);
652e94
             ss->cipherSpecs     = NULL;
652e94
             ss->sizeCipherSpecs = 0;
652e94
         }
652e94
         break;
f57139
 
f57139
       case SSL_ENABLE_SSL2:
f57139
+#ifdef NSS_NO_SSL2
652e94
+        if (on) {
652e94
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
652e94
+            rv = SECFailure; /* not allowed */
652e94
+        }
f57139
+#else
f57139
         if (IS_DTLS(ss)) {
652e94
             if (on) {
652e94
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
652e94
                 rv = SECFailure; /* not allowed */
652e94
             }
652e94
             break;
652e94
         }
652e94
         ss->opt.enableSSL2       = on;
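Review bot: In the new `#ifdef NSS_NO_SSL2` branch of `case SSL_ENABLE_SSL2:`, a call with `on == PR_FALSE` returns SECSuccess without ever writing `ss->opt.enableSSL2`, so the option's correctness in this build rests on the field already defaulting to PR_FALSE in the socket's option defaults, which this patch does not show. Making the intent explicit costs one line: `} else { ss->opt.enableSSL2 = PR_FALSE; }` after the `if (on)` block, which also keeps the disable path identical to the non-`NSS_NO_SSL2` code. `SSL_ERROR_SSL2_DISABLED` must exist in sslerr.h and the error-string table; that addition is not in this excerpt, so confirm it lands with the same patch. The enclosing SSL_OptionSet begins before this hunk and the matching `#endif` lies in the next hunk.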
1b6f66
@@ -695,52 +701,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
652e94
             ss->opt.v2CompatibleHello = on;
652e94
         }
652e94
         ss->preferredCipher     = NULL;
652e94
         if (ss->cipherSpecs) {
652e94
             PORT_Free(ss->cipherSpecs);
652e94
             ss->cipherSpecs     = NULL;
652e94
             ss->sizeCipherSpecs = 0;
652e94
         }
652e94
+#endif /* NSS_NO_SSL2 */
652e94
         break;
652e94
 
652e94
       case SSL_NO_CACHE:
652e94
         ss->opt.noCache = on;
652e94
         break;
652e94
 
652e94
       case SSL_ENABLE_FDX:
652e94
         if (on && ss->opt.noLocks) {
652e94
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
652e94
             rv = SECFailure;
652e94
         }
652e94
         ss->opt.fdx = on;
652e94
         break;
f57139
 
f57139
       case SSL_V2_COMPATIBLE_HELLO:
f57139
+#ifdef NSS_NO_SSL2
652e94
+        if (on) {
652e94
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
652e94
+            rv = SECFailure; /* not allowed */
652e94
+        }
f57139
+#else
f57139
         if (IS_DTLS(ss)) {
652e94
             if (on) {
652e94
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
652e94
                 rv = SECFailure; /* not allowed */
652e94
             }
652e94
             break;
652e94
         }
652e94
         ss->opt.v2CompatibleHello = on;
652e94
         if (!on) {
652e94
             ss->opt.enableSSL2    = on;
652e94
         }
652e94
+#endif /* NSS_NO_SSL2 */
652e94
         break;
652e94
 
652e94
       case SSL_ROLLBACK_DETECTION:
652e94
         ss->opt.detectRollBack = on;
652e94
         break;
652e94
 
652e94
       case SSL_NO_STEP_DOWN:
f57139
+#ifdef NSS_NO_SSL2
2533fc
+        if (!on) {
2533fc
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
2533fc
+            rv = SECFailure; /* not allowed */
2533fc
+        }
f57139
+#else
2533fc
         ss->opt.noStepDown     = on;
2533fc
         if (on)
2533fc
             SSL_DisableExportCipherSuites(fd);
652e94
+#endif /* NSS_NO_SSL2 */
2533fc
         break;
2533fc
 
2533fc
       case SSL_BYPASS_PKCS11:
2533fc
         if (ss->handshakeBegun) {
2533fc
             PORT_SetError(PR_INVALID_STATE_ERROR);
2533fc
             rv = SECFailure;
2533fc
         } else {
2533fc
             if (PR_FALSE != on) {
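Review bot: In the new `NSS_NO_SSL2` branch of `case SSL_NO_STEP_DOWN:`, `on == PR_TRUE` is accepted but `ss->opt.noStepDown` is never set, so any code that later reads that flag sees whatever the default is rather than the value the caller just asked for; the same holds for `SSL_V2_COMPATIBLE_HELLO` with `on == PR_FALSE`, where `ss->opt.v2CompatibleHello`/`ss->opt.enableSSL2` are left untouched. I would store the value in the accepted case, e.g. `if (!on) { PORT_SetError(SSL_ERROR_SSL2_DISABLED); rv = SECFailure; } else { ss->opt.noStepDown = PR_TRUE; }`, since export-suite removal is already handled by ssl_IsRemovedCipherSuite and `SSL_DisableExportCipherSuites` need not be repeated here. Reporting `SSL_ERROR_SSL2_DISABLED` for a refused step-down is also misleading, because step-down concerns export cipher suites rather than SSLv2; a distinct error or at least a comment explaining that this build removes both would help callers. SSL_OptionSet begins before this hunk and continues after it.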
1b6f66
@@ -1180,16 +1201,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
f57139
     }
2533fc
     return SECSuccess;
652e94
 }
652e94
 
2533fc
 /* function tells us if the cipher suite is one that we no longer support. */
2533fc
 static PRBool
2533fc
 ssl_IsRemovedCipherSuite(PRInt32 suite)
2533fc
 {
2533fc
+#ifdef NSS_NO_SSL2
2533fc
+    /* both ssl2 and export cipher suites disabled */
2533fc
+    if (SSL_IS_SSL2_CIPHER(suite))
2533fc
+        return PR_TRUE;
1b6f66
+    if (SSL_IsExportCipherSuite(suite)) {
1b6f66
+        SSLCipherSuiteInfo csdef;
1b6f66
+        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
1b6f66
+            /* failure to retrieve info, disable */
1b6f66
+            return PR_TRUE;
1b6f66
+        }
1b6f66
+        if (csdef.symCipher != ssl_calg_null) {
1b6f66
+            /* disable all except NULL ciphersuites */
1b6f66
+            return PR_TRUE;
1b6f66
+        }
1b6f66
+    }
2533fc
+#endif /* NSS_NO_SSL2_NO_EXPORT */
2533fc
     switch (suite) {
2533fc
     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
2533fc
     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
2533fc
     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
2533fc
         return PR_TRUE;
2533fc
     default:
2533fc
         return PR_FALSE;
2533fc
     }
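Review bot: The closing comment `#endif /* NSS_NO_SSL2_NO_EXPORT */` in ssl_IsRemovedCipherSuite does not match the guard it closes, which is `#ifdef NSS_NO_SSL2`; it should read `#endif /* NSS_NO_SSL2 */` as the other three `#endif`s in this patch do, otherwise a reader grepping for the macro will assume a second, undefined build option exists. The new code also calls the public `SSL_GetCipherSuiteInfo` from inside a predicate that cipher-suite enumeration presumably consults; if `SSL_GetCipherSuiteInfo` itself filters through ssl_IsRemovedCipherSuite this would recurse, so that should be checked in sslinfo.c, which is outside this excerpt. Treating a failed info lookup as "removed" (`return PR_TRUE`) is the safe default and worth keeping.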