diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
--- a/lib/ssl/config.mk
+++ b/lib/ssl/config.mk
@@ -7,16 +7,20 @@ ifdef NISCC_TEST
 DEFINES += -DNISCC_TEST
 endif
 
 # Allow build-time configuration of TLS 1.3 (Experimental)
 ifdef NSS_ENABLE_TLS_1_3
 DEFINES += -DNSS_ENABLE_TLS_1_3
 endif
 
+ifdef NSS_NO_SSL2
+DEFINES += -DNSS_NO_SSL2
+endif
+
 ifdef NSS_NO_PKCS11_BYPASS
 DEFINES += -DNO_PKCS11_BYPASS
 else
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
 	$(CRYPTOLIB) \
 	$(NULL)
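Review bot: The new NSS_NO_SSL2 block at the top of the hunk has no comment, unlike the NSS_ENABLE_TLS_1_3 block just above it, and the name understates what the define does: in this same commit the macro also removes the non-NULL export cipher suites in ssl_IsRemovedCipherSuite and makes SSL_NO_STEP_DOWN mandatory. A one-line comment above the `ifdef` would save the next reader a trip through sslsock.c, e.g. `# Compile out SSL 2.0, the v2-compatible hello and the export (step-down) cipher suites`.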
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -678,16 +678,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
         if (ss->cipherSpecs) {
             PORT_Free(ss->cipherSpecs);
             ss->cipherSpecs     = NULL;
             ss->sizeCipherSpecs = 0;
         }
         break;
 
       case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2
+        if (on) {
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+            rv = SECFailure; /* not allowed */
+        }
+#else
         if (IS_DTLS(ss)) {
             if (on) {
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
                 rv = SECFailure; /* not allowed */
             }
             break;
         }
         ss->opt.enableSSL2       = on;
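Review bot: In the NSS_NO_SSL2 branch of SSL_ENABLE_SSL2 a call with `on == PR_FALSE` returns success without writing ss->opt.enableSSL2 or ss->opt.v2CompatibleHello, whereas the #else path clears both and drops the cached cipherSpecs. That is only correct if the compiled-in defaults for those fields are already PR_FALSE when NSS_NO_SSL2 is defined, which this hunk does not show; if they are not also gated, `SSL_OptionGet(fd, SSL_ENABLE_SSL2, ...)` could still report the protocol as enabled. Either add `ss->opt.enableSSL2 = PR_FALSE; ss->opt.v2CompatibleHello = PR_FALSE;` to the branch or document the assumption with `/* SSL2 is compiled out; opt defaults are already PR_FALSE */`. The same applies to the SSL_V2_COMPATIBLE_HELLO case in the following hunk. SSL_OptionSet begins before this hunk and its NSS_NO_SSL2 block closes in the next one.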
@@ -695,52 +701,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
             ss->opt.v2CompatibleHello = on;
         }
         ss->preferredCipher     = NULL;
         if (ss->cipherSpecs) {
             PORT_Free(ss->cipherSpecs);
             ss->cipherSpecs     = NULL;
             ss->sizeCipherSpecs = 0;
         }
+#endif /* NSS_NO_SSL2 */
         break;
 
       case SSL_NO_CACHE:
         ss->opt.noCache = on;
         break;
 
       case SSL_ENABLE_FDX:
         if (on && ss->opt.noLocks) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
         }
         ss->opt.fdx = on;
         break;
 
       case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2
+        if (on) {
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+            rv = SECFailure; /* not allowed */
+        }
+#else
         if (IS_DTLS(ss)) {
             if (on) {
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
                 rv = SECFailure; /* not allowed */
             }
             break;
         }
         ss->opt.v2CompatibleHello = on;
         if (!on) {
             ss->opt.enableSSL2    = on;
         }
+#endif /* NSS_NO_SSL2 */
         break;
 
       case SSL_ROLLBACK_DETECTION:
         ss->opt.detectRollBack = on;
         break;
 
       case SSL_NO_STEP_DOWN:
+#ifdef NSS_NO_SSL2
+        if (!on) {
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+            rv = SECFailure; /* not allowed */
+        }
+#else
         ss->opt.noStepDown     = on;
         if (on)
             SSL_DisableExportCipherSuites(fd);
+#endif /* NSS_NO_SSL2 */
         break;
 
       case SSL_BYPASS_PKCS11:
         if (ss->handshakeBegun) {
             PORT_SetError(PR_INVALID_STATE_ERROR);
             rv = SECFailure;
         } else {
             if (PR_FALSE != on) {
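Review bot: In the NSS_NO_SSL2 branch of SSL_NO_STEP_DOWN, `on == PR_TRUE` is accepted but ss->opt.noStepDown is never set, so if SSL_OptionGet reads that field the option will read back as off even though step-down is, by construction, impossible in this build; adding `ss->opt.noStepDown = PR_TRUE;` next to the `if (!on)` check keeps the stored state and the enforced behaviour consistent. Separately, the four-line "set SSL_ERROR_SSL2_DISABLED and rv = SECFailure" block now appears three times in this function (SSL_ENABLE_SSL2, SSL_V2_COMPATIBLE_HELLO, SSL_NO_STEP_DOWN); a small `static` helper or a local macro would keep the three copies from drifting apart. The enclosing SSL_OptionSet continues past the end of this hunk.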
@@ -1180,16 +1201,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
     }
     return SECSuccess;
 }
 
 /* function tells us if the cipher suite is one that we no longer support. */
 static PRBool
 ssl_IsRemovedCipherSuite(PRInt32 suite)
 {
+#ifdef NSS_NO_SSL2
+    /* both ssl2 and export cipher suites disabled */
+    if (SSL_IS_SSL2_CIPHER(suite))
+        return PR_TRUE;
+    if (SSL_IsExportCipherSuite(suite)) {
+        SSLCipherSuiteInfo csdef;
+        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
+            /* failure to retrieve info, disable */
+            return PR_TRUE;
+        }
+        if (csdef.symCipher != ssl_calg_null) {
+            /* disable all except NULL ciphersuites */
+            return PR_TRUE;
+        }
+    }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
     switch (suite) {
     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
         return PR_TRUE;
     default:
         return PR_FALSE;
     }
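Review bot: The trailer comment on the new `#endif` in ssl_IsRemovedCipherSuite reads `NSS_NO_SSL2_NO_EXPORT`, but the matching `#ifdef` tests `NSS_NO_SSL2`; the mismatch suggests the macro was renamed during development and will mislead anyone grepping for the guard. Change it to `#endif /* NSS_NO_SSL2 */` to match the three other trailers added in this commit. It would also help to extend the function's header comment, since under NSS_NO_SSL2 "removed" now covers every SSL2 suite and every non-NULL export suite rather than only the Fortezza entries listed in the switch.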