diff --git a/.gitignore b/.gitignore
index 67272da..1d16491 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.21.3.tar.gz
+SOURCES/nss-3.28.2.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index e8b243f..bb1ad7d 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,4 +1,4 @@
-86cf4eb313dda4bd86a6d096ecc5aee07ee5e124 SOURCES/PayPalEE.cert
+83025bf9062b026aae49ef8775c6432507159bca SOURCES/PayPalEE.cert
 a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert
 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
@@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-b6e2612dbf78a04cac2a81784143e918ed03aea7 SOURCES/nss-3.21.3.tar.gz
+4f972f53cef8f87416a12199863e1ec043f0050d SOURCES/nss-3.28.2.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
index fd29f44..527b312 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -1,151 +1,26 @@ -diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk ---- a/lib/ssl/config.mk -+++ b/lib/ssl/config.mk -@@ -7,16 +7,20 @@ ifdef NISCC_TEST - DEFINES += -DNISCC_TEST +diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk +--- nss/lib/ssl/config.mk.disableSSL2libssl 2017-01-04 15:24:24.000000000 +0100 ++++ nss/lib/ssl/config.mk 2017-01-16 10:53:47.629894929 +0100 +@@ -69,3 +69,8 @@ endif + ifdef NSS_DISABLE_TLS_1_3 + DEFINES += -DNSS_DISABLE_TLS_1_3 endif - - # Allow build-time configuration of TLS 1.3 (Experimental) - ifdef NSS_ENABLE_TLS_1_3 - DEFINES += -DNSS_ENABLE_TLS_1_3 - endif - ++ +ifdef NSS_NO_SSL2 +DEFINES += -DNSS_NO_SSL2 +endif + - ifdef NSS_NO_PKCS11_BYPASS - DEFINES += -DNO_PKCS11_BYPASS - else - CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) - - EXTRA_LIBS += \ - $(CRYPTOLIB) \ - $(NULL) -diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ---- a/lib/ssl/sslsock.c -+++ b/lib/ssl/sslsock.c -@@ -678,16 +678,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh - if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); - ss->cipherSpecs = NULL; - ss->sizeCipherSpecs = 0; - } - break; - - case SSL_ENABLE_SSL2: -+#ifdef NSS_NO_SSL2 -+ if (on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - if (IS_DTLS(ss)) { - if (on) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; /* not allowed */ - } - break; - } - ss->opt.enableSSL2 = on; -@@ -695,52 +701,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh - ss->opt.v2CompatibleHello = on; - } - ss->preferredCipher = NULL; - if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); - ss->cipherSpecs = NULL; - ss->sizeCipherSpecs = 0; - } -+#endif /* NSS_NO_SSL2 */ - break; - - case SSL_NO_CACHE: - ss->opt.noCache = on; - break; - - case SSL_ENABLE_FDX: - if (on && ss->opt.noLocks) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - } - ss->opt.fdx = on; - break; - - case SSL_V2_COMPATIBLE_HELLO: -+#ifdef 
NSS_NO_SSL2 -+ if (on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - if (IS_DTLS(ss)) { - if (on) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; /* not allowed */ - } - break; - } - ss->opt.v2CompatibleHello = on; - if (!on) { - ss->opt.enableSSL2 = on; - } -+#endif /* NSS_NO_SSL2 */ - break; - - case SSL_ROLLBACK_DETECTION: - ss->opt.detectRollBack = on; - break; - - case SSL_NO_STEP_DOWN: -+#ifdef NSS_NO_SSL2 -+ if (!on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - ss->opt.noStepDown = on; - if (on) - SSL_DisableExportCipherSuites(fd); -+#endif /* NSS_NO_SSL2 */ - break; - - case SSL_BYPASS_PKCS11: - if (ss->handshakeBegun) { - PORT_SetError(PR_INVALID_STATE_ERROR); - rv = SECFailure; - } else { - if (PR_FALSE != on) { -@@ -1180,16 +1201,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo - } - return SECSuccess; - } - - /* function tells us if the cipher suite is one that we no longer support. 
*/ +diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.disableSSL2libssl 2017-01-16 10:53:47.615895344 +0100 ++++ nss/lib/ssl/sslsock.c 2017-01-16 10:54:16.088051233 +0100 +@@ -1221,6 +1221,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo static PRBool ssl_IsRemovedCipherSuite(PRInt32 suite) { +#ifdef NSS_NO_SSL2 -+ /* both ssl2 and export cipher suites disabled */ + if (SSL_IS_SSL2_CIPHER(suite)) + return PR_TRUE; -+ if (SSL_IsExportCipherSuite(suite)) { -+ SSLCipherSuiteInfo csdef; -+ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) { -+ /* failure to retrieve info, disable */ -+ return PR_TRUE; -+ } -+ if (csdef.symCipher != ssl_calg_null) { -+ /* disable all except NULL ciphersuites */ -+ return PR_TRUE; -+ } -+ } -+#endif /* NSS_NO_SSL2_NO_EXPORT */ ++#endif /* NSS_NO_SSL2 */ switch (suite) { - case SSL_FORTEZZA_DMS_WITH_NULL_SHA: - case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: - case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: - return PR_TRUE; - default: - return PR_FALSE; - } + case SSL_FORTEZZA_DMS_WITH_NULL_SHA: + case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch index 4479ab1..3defed5 100644 --- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch +++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch 
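Review bot: The rebased libssl patch now only makes `ssl_IsRemovedCipherSuite` return `PR_TRUE` for `SSL_IS_SSL2_CIPHER(suite)`; the old `SSL_OptionSet` rejections for `SSL_ENABLE_SSL2`, `SSL_V2_COMPATIBLE_HELLO` and `SSL_NO_STEP_DOWN` and the export-suite filter are gone, while the `NSS_NO_SSL2` build flag in config.mk is kept. Presumably NSS 3.28.2 already removed those options and the export suites upstream, but nothing in the hunk records that, so a one-line note at the top of the patch, e.g. `# 3.28.2: SSL2 option handling and export suites are gone upstream; only the cipher-suite table filter is still needed`, would let the next rebaser verify rather than assume it. If any of those three options is still accepted by 3.28.2's `SSL_OptionSet`, enabling SSL2 would now silently succeed where the previous patch failed it with `SSL_ERROR_SSL2_DISABLED`. The `switch` in `ssl_IsRemovedCipherSuite` continues past the hunk.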
@@ -1,11 +1,10 @@ -diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh ---- ./tests/ssl/ssl.sh.disableSSL2tests 2015-11-08 21:12:59.000000000 -0800 -+++ ./tests/ssl/ssl.sh 2016-02-19 21:36:48.900345950 -0800 -@@ -62,9 +62,14 @@ ssl_init() - NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} +diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh +--- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-01-04 15:24:24.000000000 +0100 ++++ nss/tests/ssl/ssl.sh 2017-01-13 16:51:20.759277059 +0100 +@@ -63,8 +63,14 @@ ssl_init() # Test case files -- SSLCOV=${QADIR}/ssl/sslcov.txt + SSLCOV=${QADIR}/ssl/sslcov.txt + if [ "${NSS_NO_SSL2}" = "1" ]; then + SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt + SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt @@ -15,13 +14,13 @@ diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh + fi SSLAUTH=${QADIR}/ssl/sslauth.txt - SSLSTRESS=${QADIR}/ssl/sslstress.txt + SSLPOLICY=${QADIR}/ssl/sslpolicy.txt REQUEST_FILE=${QADIR}/ssl/sslreq.dat - #temparary files -@@ -120,7 +125,11 @@ is_selfserv_alive() +@@ -129,7 +135,11 @@ is_selfserv_alive() fi - echo "kill -0 ${PID} >/dev/null 2>/dev/null" + echo "kill -0 ${PID} >/dev/null 2>/dev/null" + if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then + echo "No server to kill" + else @@ -30,9 +29,9 @@ diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh echo "selfserv with PID ${PID} found at `date`" } -@@ -143,7 +152,11 @@ wait_for_selfserv() +@@ -153,7 +163,11 @@ wait_for_selfserv() ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ - -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} if [ $? -ne 0 ]; then + if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then + html_passed "Server never started" 
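Review bot: The `is_selfserv_alive` and `wait_for_selfserv` additions test `[[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]`, but where `SSL2` is set is outside these hunks and the rebased `ssl_cov` hunk below only shows the `EXPORT` grep; if 3.28.2's ssl.sh no longer sets `SSL2`, an empty `${SSL2}` evaluates as 0 inside `[[ ]]`, so with `NSS_NO_SSL2=1` every check takes the `No server to kill` / `html_passed "Server never started"` branch and a selfserv that genuinely failed to start is reported as a pass. Guard the unset case, e.g. `if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP:-1} -eq 0 || ${SSL2:-1} -eq 0 ]]; then`, or drop the `SSL2` term if the variable is gone from the rebased script. Both functions start and end outside the hunks.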
@@ -42,45 +41,25 @@ diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh fi fi is_selfserv_alive -@@ -214,15 +227,16 @@ start_selfserv() - echo "selfserv starting at `date`" - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" - echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" -- echo " $verbose -H 1 &" -+ echo " $verbose -H 1 -V ssl3: &" - if [ ${fileout} -eq 1 ]; then - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ -- > ${SERVEROUTFILE} 2>&1 & -+ -V ssl3:> ${SERVEROUTFILE} 2>&1 & - RET=$? - else - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ -- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 & -+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ -+ -V ssl3: & - RET=$? - fi - -@@ -269,7 +283,7 @@ ssl_cov() +@@ -272,7 +286,7 @@ ssl_cov() start_selfserv # Launch the server - VMIN="ssl2" + VMIN="ssl3" - VMAX="tls1.1" + VMAX="tls1.2" - + exec < ${SSLCOV} while read ectype testmax param testname -@@ -279,6 +293,12 @@ ssl_cov() - echo "${testname}" | grep "SSL2" > /dev/null - SSL2=$? +@@ -280,6 +294,12 @@ ssl_cov() + echo "${testname}" | grep "EXPORT" > /dev/null + EXP=$? 
-+ # skip export and ssl2 tests when build has disabled SSL2 -+ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})" ++ # skip export tests ++ if [ ${EXP} -eq 0 ]; then ++ echo "export test skipped" + continue + fi + - if [ "${SSL2}" -eq 0 ] ; then - # We cannot use asynchronous cert verification with SSL2 - SSL2_FLAGS=-O + if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then diff --git a/SOURCES/call-restartmodules-in-nssinit.patch b/SOURCES/call-restartmodules-in-nssinit.patch deleted file mode 100644 index 6a72aa8..0000000 --- a/SOURCES/call-restartmodules-in-nssinit.patch +++ /dev/null 
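Review bot: The rebased `ssl_cov` skip, `if [ ${EXP} -eq 0 ]; then ... continue`, is no longer conditioned on `NSS_NO_SSL2`, so export tests are skipped in every build, while the `SSLCOV`/`SSLSTRESS` file selection in `ssl_init` is still gated on `NSS_NO_SSL2=1`; either gate both the same way or record in the patch header that export suites no longer exist in 3.28.2 and the gate is moot. The selfserv `-V ssl3:` minimum-version pin from the old patch was also dropped with no replacement visible here; if it is now the default that is worth a sentence in the patch description. The `ssl_cov` loop continues past the hunk.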
@@ -1,35 +0,0 @@ -diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c ---- a/lib/nss/nssinit.c -+++ b/lib/nss/nssinit.c -@@ -621,16 +621,31 @@ nss_Init(const char *configdir, const ch - initParams->minPWLen); - if (configStrings == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; - } - configName = initParams->libraryDescription; - passwordRequired = initParams->passwordRequired; - } -+ -+ /* If we're NSS_ContextInit, we're probably a library. It could be -+ * possible that the application initialized NSS then forked(). The -+ * library would have no knowledge of that. If we call -+ * SECMOD_RestartModules() here, we will be able to continue on with -+ * NSS as normal. SECMOD_RestartModules() does have the side affect -+ * of losing all our PKCS #11 objects in the new process, but only if -+ * the module needs to be reinited. If it needs to be reinit those -+ * objects are inaccessible anyway, it it's always save to call -+ * SECMOD_RestartModules(PR_FALSE). -+ */ -+ /* NOTE: We could call SECMOD_Init() here, but if we aren't already -+ * inited, then there's no modules to restart, so SECMOD_RestartModules -+ * will return immediately */ -+ SECMOD_RestartModules(PR_FALSE); - } else { - configStrings = pk11_config_strings; - configName = pk11_config_name; - passwordRequired = pk11_password_required; - } - - /* Skip the module init if we are already initted and we are trying - * to init with noCertDB and noModDB */ diff --git a/SOURCES/client_auth_for_sha384_prf_support.patch b/SOURCES/client_auth_for_sha384_prf_support.patch deleted file mode 100644 index de0d1aa..0000000 --- a/SOURCES/client_auth_for_sha384_prf_support.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -diff -up ./lib/ssl/ssl3con.c.client_auth_prf ./lib/ssl/ssl3con.c ---- ./lib/ssl/ssl3con.c.client_auth_prf 2016-02-14 09:14:32.821182333 -0800 -+++ ./lib/ssl/ssl3con.c 2016-02-14 09:52:47.506071502 -0800 -@@ -270,6 +270,27 @@ static const /*SSL3ClientCertificateType - ct_DSS_sign, - }; - -+/* This block is the contents of the supported_signature_algorithms field of -+ * our TLS 1.2 CertificateRequest message, in wire format. See -+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 -+ * -+ * We only support TLS 1.2 -+ * CertificateVerify messages that use the handshake PRF hash. */ -+static const PRUint8 supported_signature_algorithms_sha256[] = { -+ tls_hash_sha256, tls_sig_rsa, -+#ifndef NSS_DISABLE_ECC -+ tls_hash_sha256, tls_sig_ecdsa, -+#endif -+ tls_hash_sha256, tls_sig_dsa, -+}; -+static const PRUint8 supported_signature_algorithms_sha384[] = { -+ tls_hash_sha384, tls_sig_rsa, -+#ifndef NSS_DISABLE_ECC -+ tls_hash_sha384, tls_sig_ecdsa, -+#endif -+ tls_hash_sha384, tls_sig_dsa, -+}; -+ - #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ - - -@@ -4904,6 +4925,7 @@ ssl3_ComputeHandshakeHashes(sslSocket * - unsigned int stateLen; - unsigned char stackBuf[1024]; - unsigned char *stateBuf = NULL; -+ SECOidData *hashOid; - - h = ss->ssl3.hs.sha; - stateBuf = PK11_SaveContextAlloc(h, stackBuf, -@@ -4919,9 +4941,25 @@ ssl3_ComputeHandshakeHashes(sslSocket * - rv = SECFailure; - goto tls12_loser; - } -- /* If we ever support ciphersuites where the PRF hash isn't SHA-256 -- * then this will need to be updated. 
*/ -- hashes->hashAlg = ssl_hash_sha256; -+ -+ /* updated in support of ciphersuites where the PRF hash -+ * could be SHA-256 or SHA-384 */ -+ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); -+ if (hashOid == NULL) { -+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); -+ rv = SECFailure; -+ goto tls12_loser; -+ } -+ hashes->hashAlg = hashOid->offset; -+ PORT_Assert(hashes->hashAlg == ssl_hash_sha256 || -+ hashes->hashAlg == ssl_hash_sha384); -+ if (hashes->hashAlg != ssl_hash_sha256 && -+ hashes->hashAlg != ssl_hash_sha384) { -+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); -+ rv = SECFailure; -+ goto tls12_loser; -+ } -+ - rv = SECSuccess; - - tls12_loser: -@@ -7242,7 +7280,7 @@ done: - /* Destroys the backup handshake hash context if we don't need it. Note that - * this function selects the hash algorithm for client authentication - * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash -- * to determine whether to use SHA-1 or SHA-256. */ -+ * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */ - static void - ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, - const SECItem *algorithms) -@@ -7251,9 +7289,12 @@ ssl3_DestroyBackupHandshakeHashIfNotNeed - SSLSignType sigAlg; - PRBool preferSha1; - PRBool supportsSha1 = PR_FALSE; -- PRBool supportsSha256 = PR_FALSE; -+ PRBool supportsHandshakeHash = PR_FALSE; - PRBool needBackupHash = PR_FALSE; - unsigned int i; -+ SECOidData *hashOid; -+ TLSHashAlgorithm suitePRFHash; -+ PRBool suitePRFIs256Or384 = PR_FALSE; - - #ifndef NO_PKCS11_BYPASS - /* Backup handshake hash is not supported in PKCS #11 bypass mode. 
*/ -@@ -7270,20 +7311,35 @@ ssl3_DestroyBackupHandshakeHashIfNotNeed - goto done; - } - -+ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); -+ if (hashOid == NULL) { -+ rv = SECFailure; -+ goto done; -+ } -+ -+ if (hashOid->offset == SEC_OID_SHA256) { -+ suitePRFHash = tls_hash_sha256; -+ suitePRFIs256Or384 = PR_TRUE; -+ } else if (hashOid->offset == SEC_OID_SHA384) { -+ suitePRFHash = tls_hash_sha384; -+ suitePRFIs256Or384 = PR_TRUE; -+ } -+ - /* Determine the server's hash support for that signature algorithm. */ - for (i = 0; i < algorithms->len; i += 2) { - if (algorithms->data[i+1] == sigAlg) { - if (algorithms->data[i] == ssl_hash_sha1) { - supportsSha1 = PR_TRUE; -- } else if (algorithms->data[i] == ssl_hash_sha256) { -- supportsSha256 = PR_TRUE; -+ } else if (suitePRFIs256Or384 && -+ algorithms->data[i] == suitePRFHash) { -+ supportsHandshakeHash = PR_TRUE; - } - } - } - - /* If either the server does not support SHA-256 or the client key prefers - * SHA-1, leave the backup hash. */ -- if (supportsSha1 && (preferSha1 || !supportsSha256)) { -+ if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) { - needBackupHash = PR_TRUE; - } - -@@ -9548,6 +9604,7 @@ ssl3_SendCertificateRequest(sslSocket *s - int certTypesLength; - PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; - unsigned int sigAlgsLength = 0; -+ SECOidData *hashOid; - - SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", - SSL_GETPID(), ss->fd)); -@@ -9575,6 +9632,20 @@ ssl3_SendCertificateRequest(sslSocket *s - certTypes = certificate_types; - certTypesLength = sizeof certificate_types; - -+ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); -+ if (hashOid == NULL) { -+ return SECFailure; /* err set by AppendHandshake. 
*/ -+ } -+ if (hashOid->offset == SEC_OID_SHA256) { -+ sigAlgsLength = sizeof supported_signature_algorithms_sha256; -+ PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha256, sigAlgsLength); -+ } else if (hashOid->offset == SEC_OID_SHA384) { -+ sigAlgsLength = sizeof supported_signature_algorithms_sha384; -+ PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha384, sigAlgsLength); -+ } else { -+ return SECFailure; /* err set by AppendHandshake. */ -+ } -+ - length = 1 + certTypesLength + 2 + calen; - if (isTLS12) { - rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), diff --git a/SOURCES/dhe-sha384-dss-support.patch b/SOURCES/dhe-sha384-dss-support.patch deleted file mode 100644 index 834c7c1..0000000 --- a/SOURCES/dhe-sha384-dss-support.patch +++ /dev/null 
@@ -1,975 +0,0 @@ -diff -up ./lib/ssl/ssl3con.c.dhe_and_sha384 ./lib/ssl/ssl3con.c ---- ./lib/ssl/ssl3con.c.dhe_and_sha384 2016-02-14 07:51:49.910312410 -0800 -+++ ./lib/ssl/ssl3con.c 2016-02-14 08:03:31.562277561 -0800 -@@ -68,6 +68,8 @@ static SECStatus ssl3_ComputeHandshakeHa - SSL3Hashes *hashes, - PRUint32 sender); - static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); -+static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); -+static CK_MECHANISM_TYPE ssl3_GetPrfHashMechanism(sslSocket *ss); - - static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, - int maxOutputLen, const unsigned char *input, -@@ -95,23 +97,37 @@ static ssl3CipherSuiteCfg cipherSuites[s - /* cipher_suite policy enabled isPresent */ - - #ifndef NSS_DISABLE_ECC -- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around -- * bug 946147. -- */ -+ /* Ephemeral ECDH */ -+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must be before TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -+ * to workaround bug 946147. 
-+ */ -+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - #endif /* NSS_DISABLE_ECC */ - -+ /* Ephemeral Finite Field DH */ -+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { 
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -@@ -120,17 +136,12 @@ static ssl3CipherSuiteCfg cipherSuites[s - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - - #ifndef NSS_DISABLE_ECC -+ /* Non ephemeral ECDH */ - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -@@ -142,18 +153,19 @@ static ssl3CipherSuiteCfg cipherSuites[s - #endif /* NSS_DISABLE_ECC */ - - /* RSA */ -+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 
- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - - /* 56-bit DES "domestic" cipher suites */ - { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -@@ -292,6 +304,7 @@ static const ssl3BulkCipherDef bulk_ciph - {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, - {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, - {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, -+ {cipher_aes_256_gcm, calg_aes_gcm, 32,32, type_aead, 4, 0,16, 8}, - {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, - }; - -@@ -300,8 +313,8 @@ static const ssl3KEADef kea_defs[] = - /* kea exchKeyType signKeyType is_limited limit tls_keygen ephemeral */ - {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE, PR_FALSE}, - {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}, -- {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}, -- {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE, PR_FALSE}, -+ {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, -+ {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE, PR_TRUE}, - {kea_dh_dss, 
kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}, - {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}, - {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}, -@@ -327,135 +340,149 @@ static const ssl3CipherSuiteDef cipher_s - { - /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ - -- {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, -- {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, -- {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, -- {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa}, -- {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, -- {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, -- {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, -+ {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null, 0}, -+ {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa, 0}, -+ {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa, 0}, -+ {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa, prf_256}, -+ {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export, 0}, -+ {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa, 0}, -+ {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa, 0}, - {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, -- cipher_rc2_40, mac_md5, kea_rsa_export}, -+ cipher_rc2_40, mac_md5, kea_rsa_export, 0}, - #if 0 /* not implemented */ -- {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, -+ {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa, 0}, - {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, -- cipher_des40, mac_sha, kea_rsa_export}, -+ cipher_des40, mac_sha, kea_rsa_export, 0}, - #endif -- {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, -- {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, -- {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss}, -+ {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa, 0}, -+ {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa, 0}, 
-+ {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss, 0}, - {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, -- cipher_3des, mac_sha, kea_dhe_dss}, -- {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss}, -+ cipher_3des, mac_sha, kea_dhe_dss, 0}, -+ {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss, 0}, - #if 0 /* not implemented */ - {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, -- cipher_des40, mac_sha, kea_dh_dss_export}, -- {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, -- {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, -+ cipher_des40, mac_sha, kea_dh_dss_export, 0}, -+ {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss, 0}, -+ {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss, 0}, - {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, -- cipher_des40, mac_sha, kea_dh_rsa_export}, -- {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, -- {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, -+ cipher_des40, mac_sha, kea_dh_rsa_export, 0}, -+ {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa, 0}, -+ {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa, 0}, - {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, -- cipher_des40, mac_sha, kea_dh_dss_export}, -+ cipher_des40, mac_sha, kea_dh_dss_export, 0}, - {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, -- cipher_des40, mac_sha, kea_dh_rsa_export}, -+ cipher_des40, mac_sha, kea_dh_rsa_export, 0}, - #endif -- {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, -+ {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa, 0}, - {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, -- cipher_3des, mac_sha, kea_dhe_rsa}, -+ cipher_3des, mac_sha, kea_dhe_rsa, 0}, - #if 0 -- {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export}, -+ {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export, 0}, - {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA, -- cipher_des40, mac_sha, kea_dh_anon_export}, -- {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, 
mac_sha, kea_dh_anon}, -- {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, -+ cipher_des40, mac_sha, kea_dh_anon_export, 0}, -+ {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon, 0}, -+ {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon, 0}, - #endif - - - /* New TLS cipher suites */ -- {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, -- {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa}, -- {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, -- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, -- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa}, -- {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, -- {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa}, -- {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, -- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, -- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa}, -+ {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa, 0}, -+ {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa, prf_256}, -+ {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss, 0}, -+ {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa, 0}, -+ {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa, prf_256}, -+ {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa, 0}, -+ {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa, prf_256}, -+ {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss, 0}, -+ {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa, 0}, -+ {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa, prf_256}, - #if 0 -- {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, 
kea_dh_dss}, -- {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, -- {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, -- {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, -- {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, -- {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, -+ {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss, 0}, -+ {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa, 0}, -+ {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon, 0}, -+ {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss, 0}, -+ {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa, 0}, -+ {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon, 0}, - #endif - -- {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa}, -+ {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa, 0}, - -- {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa}, -+ {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa, 0}, - {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, -- cipher_camellia_128, mac_sha, kea_dhe_dss}, -+ cipher_camellia_128, mac_sha, kea_dhe_dss, 0}, - {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, -- cipher_camellia_128, mac_sha, kea_dhe_rsa}, -- {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa}, -+ cipher_camellia_128, mac_sha, kea_dhe_rsa, 0}, -+ {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa, 0}, - {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, -- cipher_camellia_256, mac_sha, kea_dhe_dss}, -+ cipher_camellia_256, mac_sha, kea_dhe_dss, 0}, - {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, -- cipher_camellia_256, mac_sha, kea_dhe_rsa}, -+ cipher_camellia_256, mac_sha, kea_dhe_rsa, 0}, - - {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, -- cipher_des, mac_sha,kea_rsa_export_1024}, -+ cipher_des, 
mac_sha,kea_rsa_export_1024, 0}, - {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, -- cipher_rc4_56, mac_sha,kea_rsa_export_1024}, -+ cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0}, - -- {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, -- {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, -+ {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0}, -+ {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips, 0}, - -- {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, -- {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, -+ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256}, -+ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256}, -+#ifndef NSS_DISABLE_ECC - {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, - {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, -- -- {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss}, -- {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss}, -- {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss}, -+ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256}, -+ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256}, -+ {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384}, -+ {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384}, -+ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384}, -+ {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384}, -+#endif /* NSS_DISABLE_ECC */ -+ {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, 
prf_384}, -+ {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, prf_256}, -+ {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, prf_384}, -+ {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, prf_256}, -+ {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, prf_256}, -+ {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, prf_384}, -+ -+ {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, 0}, -+ {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, 0}, -+ {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, 0}, - - #ifndef NSS_DISABLE_ECC -- {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, -- {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, -- {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}, -- {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa}, -- {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa}, -- -- {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa}, -- {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa}, -- {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa}, -- {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa}, -- {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa}, -- {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa}, -- -- {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa}, -- {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa}, -- {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa}, -- {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa}, -- {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 
cipher_aes_256, mac_sha, kea_ecdh_rsa}, -- -- {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa}, -- {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa}, -- {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa}, -- {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa}, -- {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa}, -- {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa}, -+ {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa, 0}, -+ {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa, 0}, -+ {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, 0}, -+ {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, 0}, -+ {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, 0}, -+ -+ {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa, 0}, -+ {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa, 0}, -+ {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa, 0}, -+ {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa, 0}, -+ {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa, prf_256}, -+ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa, 0}, -+ -+ {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa, 0}, -+ {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa, 0}, -+ {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa, 0}, -+ {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa, 0}, -+ {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa, 0}, -+ -+ {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa, 0}, -+ {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa, 0}, -+ 
{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa, 0}, -+ {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa, 0}, -+ {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa, prf_256}, -+ {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa, 0}, - - #if 0 -- {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon}, -- {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon}, -- {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon}, -- {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon}, -- {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon}, -+ {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon, 0}, -+ {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon, 0}, -+ {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon, 0}, -+ {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon, 0}, -+ {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon, 0}, - #endif - #endif /* NSS_DISABLE_ECC */ - }; -@@ -496,6 +523,7 @@ static const SSLCipher2Mech alg2Mech[] = - #define mmech_md5_hmac CKM_MD5_HMAC - #define mmech_sha_hmac CKM_SHA_1_HMAC - #define mmech_sha256_hmac CKM_SHA256_HMAC -+#define mmech_sha384_hmac CKM_SHA384_HMAC - - static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ - /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. 
*/
-@@ -507,6 +535,7 @@ static const ssl3MACDef mac_defs[] = { /
- {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
- {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
- { mac_aead, mmech_invalid, 0, 0 },
-+ {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH}
- };
- 
- /* indexed by SSL3BulkCipher */
-@@ -655,19 +684,26 @@ ssl3_CipherSuiteAllowedForVersionRange(
- case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
- case TLS_RSA_WITH_AES_256_CBC_SHA256:
- case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
-+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
- case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
-+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
- case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
- case TLS_RSA_WITH_AES_128_CBC_SHA256:
- case TLS_RSA_WITH_AES_128_GCM_SHA256:
-+ case TLS_RSA_WITH_AES_256_GCM_SHA384:
- case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
- case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
- case TLS_RSA_WITH_NULL_SHA256:
- return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
- 
- case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
-+ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
- case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
-+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
- case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
-+ case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
- case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
-+ case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
- return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
- 
- /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
-@@ -2348,6 +2384,9 @@ ssl3_ComputeRecordMAC(
- case ssl_hmac_sha256: /* used with TLS */
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
- break;
-+ case ssl_hmac_sha384: /* used with TLS */
-+ hashObj = HASH_GetRawHashObject(HASH_AlgSHA384);
-+ break;
- default:
- break;
- }
-@@ -3592,6 +3631,18 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
- return SECSuccess;
- }
- 
-+static CK_MECHANISM_TYPE
-+ssl3_GetPrfHashMechanism(sslSocket *ss)
-+{
-+ SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg;
-+ 
-+ if (prf_alg == 0) 
-+ return CKM_SHA256;
-+ 
-+ return prf_alg;
-+}
-+ 
-+ 
- /* This method completes the derivation of the MS from the PMS.
- **
- ** 1. Derive the MS, if possible, else return an error.
-@@ -3682,6 +3733,9 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
- CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
- unsigned int master_params_len;
- 
-+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-+ PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
-+ PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
- if (isTLS12) {
- if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
- else master_derive = CKM_TLS12_MASTER_KEY_DERIVE;
-@@ -3709,7 +3763,7 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
- master_params.RandomInfo.pServerRandom = sr;
- master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
- if (isTLS12) {
-- master_params.prfHashMechanism = CKM_SHA256;
-+ master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
- master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
- } else {
- /* prfHashMechanism is not relevant with this PRF */
-@@ -3845,7 +3899,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P
- rv = PK11_ExtractKeyValue(pwSpec->master_secret);
- if (rv != SECSuccess) {
- return rv;
-- }
-+ }
- /* This returns the address of the secItem inside the key struct,
- * not a copy or a reference. So, there's no need to free it.
- */
-@@ -3954,7 +4008,7 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke
- 
- if (isTLS12) {
- key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
-- key_material_params.prfHashMechanism = CKM_SHA256;
-+ key_material_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
- key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS);
- } else if (isTLS) {
- key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
-@@ -4032,7 +4086,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
- if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
- /* If we ever support ciphersuites where the PRF hash isn't SHA-256
- * then this will need to be updated. 
*/
-- ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
-+ HASH_HashType ht;
-+ CK_MECHANISM_TYPE hm;
-+ SECOidTag ot;
-+ SECOidData *hashOid;
-+ 
-+ hm = ssl3_GetPrfHashMechanism(ss);
-+ hashOid = SECOID_FindOIDByMechanism(hm);
-+ if (hashOid == NULL) {
-+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+ return SECFailure;
-+ }
-+ ot = hashOid->offset;
-+ ht = HASH_GetHashTypeByOidTag(ot);
-+ ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(ht);
- if (!ss->ssl3.hs.sha_obj) {
- ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- return SECFailure;
-@@ -4055,9 +4122,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
- * that the master secret will wind up in ...
- */
- if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
-- /* If we ever support ciphersuites where the PRF hash isn't SHA-256
-- * then this will need to be updated. */
-- ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
-+ /* determine the hash from the prf */
-+ const SECOidData *hash_oid;
-+ 
-+ PORT_Assert(ss->ssl3.hs.suite_def);
-+ /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_alg)
-+ * Convert that to the OidTag. 
We can then use that OidTag to create our
-+ * PK11Context */
-+ hash_oid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-+ PORT_Assert(hash_oid != NULL);
-+ if (hash_oid == NULL) {
-+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+ return SECFailure;
-+ }
-+ ss->ssl3.hs.sha = PK11_CreateDigestContext(hash_oid->offset);
- if (ss->ssl3.hs.sha == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- return SECFailure;
-@@ -4378,6 +4456,11 @@ ssl3_AppendSignatureAndHashAlgorithm(
- sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash)
- {
- PRUint8 serialized[2];
-+ unsigned char hashAlg = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
-+ if (hashAlg == 0) {
-+ PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-+ return SECFailure;
-+ }
- 
- serialized[0] = (PRUint8)sigAndHash->hashAlg;
- serialized[1] = (PRUint8)sigAndHash->sigAlg;
-@@ -4499,6 +4582,7 @@ static const struct {
- SECOidTag oid;
- } tlsHashOIDMap[] = {
- { ssl_hash_sha1, SEC_OID_SHA1 },
-+ { ssl_hash_sha224, SEC_OID_SHA224 },
- { ssl_hash_sha256, SEC_OID_SHA256 },
- { ssl_hash_sha384, SEC_OID_SHA384 },
- { ssl_hash_sha512, SEC_OID_SHA512 }
-@@ -4521,6 +4605,23 @@ ssl3_TLSHashAlgorithmToOID(SSLHashType h
- return SEC_OID_UNKNOWN;
- }
- 
-+/* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm
-+ * identifier. If the hash is not recognised, zero is returned.
-+ *
-+ * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
-+static int
-+ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
-+{
-+ unsigned int i;
-+ 
-+ for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
-+ if (oid == tlsHashOIDMap[i].oid) {
-+ return tlsHashOIDMap[i].tlsHash;
-+ }
-+ }
-+ return 0;
-+}
-+ 
- /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
- * identifier for a given KeyType. 
*/
- static SECStatus
-@@ -4843,6 +4944,11 @@ tls12_loser:
- unsigned char md5StackBuf[256];
- unsigned char shaStackBuf[512];
- 
-+ if (!spec->master_secret) {
-+ PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-+ return SECFailure;
-+ }
-+ 
- md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
- sizeof md5StackBuf, &md5StateLen);
- if (md5StateBuf == NULL) {
-@@ -6568,6 +6674,14 @@ ssl3_HandleServerHello(sslSocket *ss, SS
- }
- ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
- 
-+ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
-+ rv = ssl3_InitHandshakeHashes(ss);
-+ if (rv != SECSuccess) {
-+ desc = internal_error;
-+ errCode = PORT_GetError();
-+ goto alert_loser;
-+ }
-+ 
- /* Note that if !isTLS and the extra stuff is not extensions, we
- * do NOT goto alert_loser.
- * There are some old SSL 3.0 implementations that do send stuff
-@@ -8287,6 +8401,14 @@ compression_found:
- suites.data = NULL;
- comps.data = NULL;
- 
-+ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
-+ rv = ssl3_InitHandshakeHashes(ss);
-+ if (rv != SECSuccess) {
-+ desc = internal_error;
-+ errCode = PORT_GetError();
-+ goto alert_loser;
-+ }
-+ 
- ss->sec.send = ssl3_SendApplicationData;
- 
- /* If there are any failures while processing the old sid,
-@@ -8857,6 +8979,15 @@ suite_found:
- }
- 
- ss->ssl3.hs.compression = ssl_compression_null;
-+ 
-+ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
-+ rv = ssl3_InitHandshakeHashes(ss);
-+ if (rv != SECSuccess) {
-+ desc = internal_error;
-+ errCode = PORT_GetError();
-+ goto alert_loser;
-+ }
-+ 
- ss->sec.send = ssl3_SendApplicationData;
- 
- /* we don't even search for a cache hit here. It's just a miss. 
*/
-@@ -9388,7 +9519,7 @@ ssl3_EncodeCertificateRequestSigAlgs(ssl
- /* Note that we don't support a handshake hash with anything other than
- * SHA-256, so asking for a signature from clients for something else
- * would be inviting disaster. */
-- if (alg->hashAlg == ssl_hash_sha256) {
-+ if (alg->hashAlg == ssl_hash_sha256 /* || alg->hashAlg == ssl_hash_sha384*/) {
- buf[(*len)++] = (PRUint8)alg->hashAlg;
- buf[(*len)++] = (PRUint8)alg->sigAlg;
- }
-@@ -10841,7 +10972,7 @@ done:
- }
- 
- static SECStatus
--ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
-+ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec,
- PRBool isServer,
- const SSL3Hashes * hashes,
- TLSFinished * tlsFinished)
-@@ -10864,7 +10995,7 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *
- if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
- tls_mac_params.prfMechanism = CKM_TLS_PRF;
- } else {
-- tls_mac_params.prfMechanism = CKM_SHA256;
-+ tls_mac_params.prfMechanism = ssl3_GetPrfHashMechanism(ss);
- }
- tls_mac_params.ulMacLength = 12;
- tls_mac_params.ulServerOrClient = isServer ? 
1 : 2;
-@@ -11066,7 +11197,7 @@ ssl3_SendFinished(sslSocket *ss, PRInt32
- isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
- rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
- if (isTLS && rv == SECSuccess) {
-- rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
-+ rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished);
- }
- ssl_ReleaseSpecReadLock(ss);
- if (rv != SECSuccess) {
-@@ -11237,7 +11368,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
- PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
- return SECFailure;
- }
-- rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
-+ rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer,
- hashes, &tlsFinished);
- if (!isServer)
- ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
-diff -up ./lib/ssl/ssl3ecc.c.dhe_and_sha384 ./lib/ssl/ssl3ecc.c
---- ./lib/ssl/ssl3ecc.c.dhe_and_sha384 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/ssl3ecc.c 2016-02-14 07:51:49.915312514 -0800
-@@ -919,7 +919,9 @@ static const ssl3CipherSuite ecdhe_ecdsa
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- TLS_ECDHE_ECDSA_WITH_NULL_SHA,
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
- 0 /* end of list marker */
-@@ -930,7 +932,9 @@ static const ssl3CipherSuite ecdhe_rsa_s
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
- TLS_ECDHE_RSA_WITH_NULL_SHA,
- TLS_ECDHE_RSA_WITH_RC4_128_SHA,
- 0 /* end of list marker */
-@@ -945,11 +949,15 @@ static const ssl3CipherSuite ecSuites[]
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_NULL_SHA,
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-+ 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
- TLS_ECDHE_RSA_WITH_NULL_SHA,
- TLS_ECDHE_RSA_WITH_RC4_128_SHA,
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-diff -up ./lib/ssl/ssl3prot.h.dhe_and_sha384 ./lib/ssl/ssl3prot.h
---- ./lib/ssl/ssl3prot.h.dhe_and_sha384 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/ssl3prot.h 2016-02-14 07:51:49.915312514 -0800
-@@ -217,6 +217,32 @@ typedef struct {
- } u;
- } SSL3ServerParams;
- 
-+/* This enum reflects HashAlgorithm enum from
-+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-+ *
-+ * When updating, be sure to also update ssl3_TLSHashAlgorithmToOID. */
-+typedef enum {
-+ tls_hash_md5 = 1,
-+ tls_hash_sha1 = 2,
-+ tls_hash_sha224 = 3,
-+ tls_hash_sha256 = 4,
-+ tls_hash_sha384 = 5,
-+ tls_hash_sha512 = 6
-+} TLSHashAlgorithm;
-+ 
-+/* This enum reflects SignatureAlgorithm enum from
-+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
-+typedef enum {
-+ tls_sig_rsa = 1,
-+ tls_sig_dsa = 2,
-+ tls_sig_ecdsa = 3
-+} TLSSignatureAlgorithm;
-+ 
-+typedef struct {
-+ SECOidTag hashAlg;
-+ TLSSignatureAlgorithm sigAlg;
-+} SSL3SignatureAndHashAlgorithm;
-+ 
- /* SSL3HashesIndividually contains a combination MD5/SHA1 hash, as used in TLS
- * prior to 1.2. 
*/
- typedef struct {
-diff -up ./lib/ssl/sslenum.c.dhe_and_sha384 ./lib/ssl/sslenum.c
---- ./lib/ssl/sslenum.c.dhe_and_sha384 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslenum.c 2016-02-14 07:51:49.915312514 -0800
-@@ -48,23 +48,37 @@
- */
- const PRUint16 SSL_ImplementedCiphers[] = {
- #ifndef NSS_DISABLE_ECC
-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+ /* Ephemeral ECDH */
-+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
- */
-- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDHE_RSA_WITH_RC4_128_SHA,
- #endif /* NSS_DISABLE_ECC */
- 
-+ /* Ephemeral Finite Field DH */
-+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
-+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-@@ -73,17 +87,12 @@ const PRUint16 SSL_ImplementedCiphers[]
- 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
-- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- TLS_DHE_DSS_WITH_RC4_128_SHA,
- 
- #ifndef NSS_DISABLE_ECC
-+ /* Non ephemeral ECDH */
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-@@ -94,18 +103,20 @@ const PRUint16 SSL_ImplementedCiphers[]
- TLS_ECDH_RSA_WITH_RC4_128_SHA,
- #endif /* NSS_DISABLE_ECC */
- 
-+ /* RSA */
-+ TLS_RSA_WITH_AES_256_GCM_SHA384,
-+ TLS_RSA_WITH_AES_256_CBC_SHA,
-+ TLS_RSA_WITH_AES_256_CBC_SHA256,
-+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_RSA_WITH_AES_128_GCM_SHA256,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA256,
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
-- TLS_RSA_WITH_AES_256_CBC_SHA,
-- TLS_RSA_WITH_AES_256_CBC_SHA256,
-- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_RSA_WITH_SEED_CBC_SHA,
-- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
- TLS_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_RSA_WITH_RC4_128_SHA,
- TLS_RSA_WITH_RC4_128_MD5,
-+ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
- 
- /* 56-bit DES "domestic" cipher suites */
- TLS_DHE_RSA_WITH_DES_CBC_SHA,
-diff -up ./lib/ssl/sslimpl.h.dhe_and_sha384 ./lib/ssl/sslimpl.h
---- ./lib/ssl/sslimpl.h.dhe_and_sha384 2016-02-14 07:51:49.911312431 -0800
-+++ ./lib/ssl/sslimpl.h 2016-02-14 07:51:49.915312514 -0800
-@@ -64,6 +64,7 @@ typedef SSLSignType SSL3SignType;
- #define hmac_md5 ssl_hmac_md5
- #define hmac_sha ssl_hmac_sha
- #define hmac_sha256 ssl_hmac_sha256
-+#define hmac_sha384 ssl_hmac_sha384
- #define mac_aead ssl_mac_aead
- 
- #define SET_ERROR_CODE /* reminder */
-@@ -300,9 +301,9 @@ typedef struct {
- } ssl3CipherSuiteCfg;
- 
- #ifndef NSS_DISABLE_ECC 
--#define ssl_V3_SUITES_IMPLEMENTED 64
-+#define ssl_V3_SUITES_IMPLEMENTED 71
- #else
--#define ssl_V3_SUITES_IMPLEMENTED 40
-+#define ssl_V3_SUITES_IMPLEMENTED 43
- #endif /* NSS_DISABLE_ECC */
- 
- #define MAX_DTLS_SRTP_CIPHER_SUITES 4
-@@ -486,10 +487,18 @@ typedef enum {
- cipher_camellia_256,
- cipher_seed,
- cipher_aes_128_gcm,
-+ cipher_aes_256_gcm,
- cipher_missing /* reserved for no such supported cipher */
- /* This enum must match ssl3_cipherName[] in ssl3con.c. */
- } SSL3BulkCipher;
- 
-+/* The TLS PRF definition */
-+typedef enum {
-+ prf_null = 0, /* use default prf */
-+ prf_256 = CKM_SHA256,
-+ prf_384 = CKM_SHA384
-+} SSL3PRF;
-+ 
- typedef enum { type_stream, type_block, type_aead } CipherType;
- 
- #define MAX_IV_LENGTH 24
-@@ -736,6 +745,7 @@ typedef struct ssl3CipherSuiteDefStr {
- SSL3BulkCipher bulk_cipher_alg;
- SSL3MACAlgorithm mac_alg;
- SSL3KeyExchangeAlgorithm key_exchange_alg;
-+ SSL3PRF prf_alg;
- } ssl3CipherSuiteDef;
- 
- /*
-diff -up ./lib/ssl/sslinfo.c.dhe_and_sha384 ./lib/ssl/sslinfo.c
---- ./lib/ssl/sslinfo.c.dhe_and_sha384 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslinfo.c 2016-02-14 07:51:49.915312514 -0800
-@@ -160,6 +160,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc
- 
- #define M_AEAD_128 "AEAD", ssl_mac_aead, 128
- #define M_SHA256 "SHA256", ssl_hmac_sha256, 256
-+#define M_SHA384 "SHA384", ssl_hmac_sha384, 384
- #define M_SHA "SHA1", ssl_mac_sha, 160
- #define M_MD5 "MD5", ssl_mac_md5, 128
- #define M_NULL "NULL", ssl_mac_null, 0
-@@ -242,8 +243,21 @@ static const SSLCipherSuiteInfo suiteInf
- {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
- {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
- {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
-+ 
-+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, 
-+{0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
-+{0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
-+ 
- #endif /* NSS_DISABLE_ECC */
- 
-+{0,CS(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
-+{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
-+{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+ 
- /* SSL 2 table */
- {0,CK(SSL_CK_RC4_128_WITH_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5), S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
-diff -up ./lib/ssl/sslproto.h.dhe_and_sha384 ./lib/ssl/sslproto.h
---- ./lib/ssl/sslproto.h.dhe_and_sha384 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslproto.h 2016-02-14 07:51:49.916312535 -0800
-@@ -205,8 +205,11 @@
- #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
- 
- #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
-+#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
- #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
-+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
- #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
-+#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3
- 
- /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
- * Must NEVER be chosen by server. 
SSL 3.0 server acknowledges by sending
-@@ -253,11 +256,15 @@
- #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
- 
- #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
-+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
- #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
-+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
- 
- #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
-+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
- #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
- #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
-+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
- #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
- 
- /* Netscape "experimental" cipher suites. */
-diff -up ./lib/ssl/sslsecur.c.dhe_and_sha384 ./lib/ssl/sslsecur.c
---- ./lib/ssl/sslsecur.c.dhe_and_sha384 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslsecur.c 2016-02-14 07:51:49.916312535 -0800
-@@ -808,6 +808,11 @@ ssl_ConfigSecureServer(sslSocket *ss, CE
- goto loser;
- }
- }
-+ if (kea == ssl_kea_dh || kea == ssl_kea_rsa) {
-+ if (ssl3_SelectDHParams(ss) != SECSuccess) {
-+ goto loser;
-+ }
-+ }
- return SECSuccess;
- 
- loser:
-diff -up ./lib/ssl/sslt.h.dhe_and_sha384 ./lib/ssl/sslt.h
---- ./lib/ssl/sslt.h.dhe_and_sha384 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslt.h 2016-02-14 07:51:49.916312535 -0800
-@@ -114,7 +114,8 @@ typedef enum {
- ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
- ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
- ssl_hmac_sha256 = 5,
-- ssl_mac_aead = 6
-+ ssl_mac_aead = 6,
-+ ssl_hmac_sha384 = 7
- } SSLMACAlgorithm;
- 
- typedef enum {
diff --git a/SOURCES/disable-ems-gtests.patch b/SOURCES/disable-ems-gtests.patch
index 62ebf74..8824841 100644
--- a/SOURCES/disable-ems-gtests.patch
+++ b/SOURCES/disable-ems-gtests.patch
@@ -1,154 +1,10 @@ -diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc ---- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc -+++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc -@@ -516,134 +516,16 @@ TEST_P(TlsConnectStream, ShortRead) { - // Read the first tranche. - WAIT_(client_->received_bytes() == 1024, 2000); - ASSERT_EQ(1024U, client_->received_bytes()); - // The second tranche should now immediately be available. - client_->ReadBytes(); - ASSERT_EQ(1200U, client_->received_bytes()); - } - --TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecret) { -- EnableExtendedMasterSecret(); -- Connect(); -- ResetRsa(); -- ExpectResumption(RESUME_SESSIONID); -- EnableExtendedMasterSecret(); -- Connect(); --} -- -- --TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretStaticRSA) { -- DisableDheAndEcdheCiphers(); -- EnableExtendedMasterSecret(); -- Connect(); --} -- --// This test is stream so we can catch the bad_record_mac alert. --TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusCKE) { -- DisableDheAndEcdheCiphers(); -- EnableExtendedMasterSecret(); -- TlsInspectorReplaceHandshakeMessage* inspect = -- new TlsInspectorReplaceHandshakeMessage(kTlsHandshakeClientKeyExchange, -- DataBuffer( -- kBogusClientKeyExchange, -- sizeof(kBogusClientKeyExchange))); -- client_->SetPacketFilter(inspect); -- auto alert_recorder = new TlsAlertRecorder(); -- server_->SetPacketFilter(alert_recorder); -- ConnectExpectFail(); -- EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); -- EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description()); --} -- --// This test is stream so we can catch the bad_record_mac alert. 
--TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionDetect) { -- DisableDheAndEcdheCiphers(); -- EnableExtendedMasterSecret(); -- client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger( -- server_)); -- auto alert_recorder = new TlsAlertRecorder(); -- server_->SetPacketFilter(alert_recorder); -- ConnectExpectFail(); -- EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); -- EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description()); --} -- --TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionIgnore) { -- DisableDheAndEcdheCiphers(); -- EnableExtendedMasterSecret(); -- client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger( -- server_)); -- server_->DisableRollbackDetection(); -- Connect(); --} -- --TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretECDHE) { -- EnableExtendedMasterSecret(); -- Connect(); -- -- ResetRsa(); -- EnableExtendedMasterSecret(); -- ExpectResumption(RESUME_SESSIONID); -- Connect(); --} -- --TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretTicket) { -- ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); -- EnableExtendedMasterSecret(); -- Connect(); -- -- ResetRsa(); -- ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); -- -- EnableExtendedMasterSecret(); -- ExpectResumption(RESUME_TICKET); -- Connect(); --} -- --TEST_P(TlsConnectGeneric, -- ConnectExtendedMasterSecretClientOnly) { -- client_->EnableExtendedMasterSecret(); -- ExpectExtendedMasterSecret(false); -- Connect(); --} -- --TEST_P(TlsConnectGeneric, -- ConnectExtendedMasterSecretServerOnly) { -- server_->EnableExtendedMasterSecret(); -- ExpectExtendedMasterSecret(false); -- Connect(); --} -- --TEST_P(TlsConnectGeneric, -- ConnectExtendedMasterSecretResumeWithout) { -- EnableExtendedMasterSecret(); -- Connect(); -- -- ResetRsa(); -- server_->EnableExtendedMasterSecret(); -- auto alert_recorder = new TlsAlertRecorder(); -- server_->SetPacketFilter(alert_recorder); -- ConnectExpectFail(); -- 
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); -- EXPECT_EQ(kTlsAlertHandshakeFailure, alert_recorder->description()); --} -- --TEST_P(TlsConnectGeneric, -- ConnectNormalResumeWithExtendedMasterSecret) { -- ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); -- ExpectExtendedMasterSecret(false); -- Connect(); -- -- ResetRsa(); -- EnableExtendedMasterSecret(); -- ExpectResumption(RESUME_NONE); -- Connect(); --} -- - INSTANTIATE_TEST_CASE_P(VariantsStream10, TlsConnectGeneric, - ::testing::Combine( - TlsConnectTestBase::kTlsModesStream, - TlsConnectTestBase::kTlsV10)); - INSTANTIATE_TEST_CASE_P(VariantsAll, TlsConnectGeneric, - ::testing::Combine( - TlsConnectTestBase::kTlsModesAll, - TlsConnectTestBase::kTlsV11V12)); -diff --git a/external_tests/ssl_gtest/ssl_prf_unittest.cc b/external_tests/ssl_gtest/ssl_prf_unittest.cc ---- a/external_tests/ssl_gtest/ssl_prf_unittest.cc -+++ b/external_tests/ssl_gtest/ssl_prf_unittest.cc -@@ -201,53 +201,9 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) { - CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0); - - // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH - CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0); - - // !CKM_TLS_PRF && seed length != hash output length +diff -up nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests nss/gtests/pk11_gtest/pk11_prf_unittest.cc +--- nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests 2017-01-16 10:19:10.073459080 +0100 ++++ nss/gtests/pk11_gtest/pk11_prf_unittest.cc 2017-01-16 10:21:40.408011066 +0100 +@@ -193,37 +193,4 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) { CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0); } -- + -// Test matrix: -// -// DH RSA @@ -156,40 +12,42 @@ 
diff --git a/external_tests/ssl_gtest/ssl_prf_unittest.cc b/external_tests/ssl_g -// SHA256 3 4 -TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) { - Init(); -- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, -- CKM_TLS_PRF, -- nullptr, -- kExpectedOutputEmsTlsPrf); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_TLS_PRF, +- nullptr, kExpectedOutputEmsTlsPrf); -} - -TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) { - Init(); -- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, -- CKM_TLS_PRF, -- &pms_version_, -- kExpectedOutputEmsTlsPrf); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, +- &pms_version_, kExpectedOutputEmsTlsPrf); - EXPECT_EQ(0, pms_version_.major); - EXPECT_EQ(1, pms_version_.minor); -} - -- -TEST_F(TlsPrfTest, ExtendedMsDhSha256) { - Init(); -- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, -- CKM_SHA256, -- nullptr, -- kExpectedOutputEmsSha256); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_SHA256, +- nullptr, kExpectedOutputEmsSha256); -} - -TEST_F(TlsPrfTest, ExtendedMsRsaSha256) { - Init(); -- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, -- CKM_SHA256, -- &pms_version_, -- kExpectedOutputEmsSha256); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_SHA256, +- &pms_version_, kExpectedOutputEmsSha256); - EXPECT_EQ(0, pms_version_.major); - EXPECT_EQ(1, pms_version_.minor); -} - } // namespace nss_test -- +diff -up nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests nss/gtests/ssl_gtest/manifest.mn +--- nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests 2017-01-16 10:20:33.838983251 +0100 ++++ nss/gtests/ssl_gtest/manifest.mn 2017-01-16 10:20:36.802895453 +0100 +@@ -21,7 +21,6 @@ CPPSRCS = \ + ssl_dhe_unittest.cc \ + ssl_drop_unittest.cc \ + ssl_ecdh_unittest.cc \ +- ssl_ems_unittest.cc \ + ssl_exporter_unittest.cc \ + ssl_extension_unittest.cc \ + ssl_fuzz_unittest.cc \ +diff -up 
nss/gtests/ssl_gtest/ssl_ems_unittest.cc.disable_ems_gtests nss/gtests/ssl_gtest/ssl_ems_unittest.cc diff --git a/SOURCES/disable-extended-master-secret-with-old-softoken.patch b/SOURCES/disable-extended-master-secret-with-old-softoken.patch index b385819..fdcc416 100644 --- a/SOURCES/disable-extended-master-secret-with-old-softoken.patch +++ b/SOURCES/disable-extended-master-secret-with-old-softoken.patch 
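Review bot: The trailing `+diff -up nss/gtests/ssl_gtest/ssl_ems_unittest.cc.disable_ems_gtests nss/gtests/ssl_gtest/ssl_ems_unittest.cc` line at the end of the new patch has no `---`/`+++` header or hunk body after it, so `patch` will ignore it (GNU patch typically reports trailing garbage) and ssl_ems_unittest.cc is neither modified nor removed by this patch. The file is kept out of the build only by the manifest.mn hunk above, which is enough for compilation, but the dangling header is noise that will confuse the next rebase. Either drop that line or, if the intent is to delete the source file, do so explicitly in the package's prep step rather than through a header-only diff. If the header lost its body when the patch was regenerated, the missing body needs to be restored instead.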
@@ -1,33 +1,33 @@ -diff -up ./lib/ssl/sslsock.c.disable-ems ./lib/ssl/sslsock.c ---- ./lib/ssl/sslsock.c.disable-ems 2016-02-04 16:49:04.148123592 -0800 -+++ ./lib/ssl/sslsock.c 2016-02-04 16:50:15.483801476 -0800 -@@ -85,6 +85,7 @@ static sslOptions ssl_defaults = { - PR_TRUE, /* reuseServerECDHEKey */ - PR_FALSE, /* enableFallbackSCSV */ - PR_TRUE, /* enableServerDhe */ +diff -up nss/lib/ssl/sslsock.c.disable-ems nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.disable-ems 2017-01-13 17:33:07.226905929 +0100 ++++ nss/lib/ssl/sslsock.c 2017-01-13 17:35:19.175659702 +0100 +@@ -75,6 +75,7 @@ static sslOptions ssl_defaults = { + PR_TRUE, /* reuseServerECDHEKey */ + PR_FALSE, /* enableFallbackSCSV */ + PR_TRUE, /* enableServerDhe */ +/* Keep extended-master-secret disabled until we have a compatible softokn. */ - PR_FALSE /* enableExtendedMS */ - }; + PR_FALSE, /* enableExtendedMS */ + PR_FALSE, /* enableSignedCertTimestamps */ + PR_FALSE, /* requireDHENamedGroups */ +@@ -766,7 +767,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + break; -@@ -848,7 +849,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh - break; - - case SSL_ENABLE_EXTENDED_MASTER_SECRET: + case SSL_ENABLE_EXTENDED_MASTER_SECRET: +#if 0 +/* No-Op until we have a compatible softokn. */ - ss->opt.enableExtendedMS = on; + ss->opt.enableExtendedMS = on; +#endif - break; + break; - default: -@@ -1192,7 +1203,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo - break; + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: +@@ -1199,7 +1203,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo + break; - case SSL_ENABLE_EXTENDED_MASTER_SECRET: + case SSL_ENABLE_EXTENDED_MASTER_SECRET: +#if 0 +/* No-Op until we have a compatible softokn. */ - ssl_defaults.enableExtendedMS = on; + ssl_defaults.enableExtendedMS = on; +#endif - break; + break; - default: + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: diff --git a/SOURCES/disable-pss.patch b/SOURCES/disable-pss.patch new file mode 100644 index 0000000..1ae9630 --- /dev/null 
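Review bot: The `#if 0` around `ss->opt.enableExtendedMS = on;` in `SSL_OptionSet` (and around `ssl_defaults.enableExtendedMS = on;` in `SSL_OptionSetDefault`) turns `SSL_ENABLE_EXTENDED_MASTER_SECRET` into a silent no-op: the call still returns success while the option stays PR_FALSE, so an application that asks for extended master secret (RFC 7627, which binds the master secret to the handshake transcript) gets no indication that its request was ignored. If the option cannot be honored with this softokn, refusing it is safer than pretending to accept it: `if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; }` in place of the `#if 0` block, so callers can detect the downgrade. Also consider a named build macro instead of bare `#if 0` so the workaround is greppable and can be lifted in one place once softokn catches up. Both enclosing functions start and end outside the hunk.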
+++ b/SOURCES/disable-pss.patch 
@@ -0,0 +1,72 @@ +diff -up nss/lib/ssl/ssl3con.c.disable_pss nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.disable_pss 2017-02-17 11:44:34.969825045 +0100 ++++ nss/lib/ssl/ssl3con.c 2017-02-17 11:44:34.973824961 +0100 +@@ -177,9 +177,15 @@ static const SSLSignatureScheme defaultS + ssl_sig_ecdsa_secp384r1_sha384, + ssl_sig_ecdsa_secp521r1_sha512, + ssl_sig_ecdsa_sha1, ++#if 0 ++ /* Disable, while we are waiting for an upstream fix to ++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 ++ * (NSS does not check if token supports RSA-PSS before using it to sign) ++ **/ + ssl_sig_rsa_pss_sha256, + ssl_sig_rsa_pss_sha384, + ssl_sig_rsa_pss_sha512, ++#endif + ssl_sig_rsa_pkcs1_sha256, + ssl_sig_rsa_pkcs1_sha384, + ssl_sig_rsa_pkcs1_sha512, +@@ -4622,9 +4628,16 @@ ssl_IsSupportedSignatureScheme(SSLSignat + case ssl_sig_rsa_pkcs1_sha256: + case ssl_sig_rsa_pkcs1_sha384: + case ssl_sig_rsa_pkcs1_sha512: ++ return PR_TRUE; ++ /* Disable, while we are waiting for an upstream fix to ++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 ++ * (NSS does not check if token supports RSA-PSS before using it to sign) ++ **/ + case ssl_sig_rsa_pss_sha256: + case ssl_sig_rsa_pss_sha384: + case ssl_sig_rsa_pss_sha512: ++ return PR_FALSE; ++ + case ssl_sig_ecdsa_secp256r1_sha256: + case ssl_sig_ecdsa_secp384r1_sha384: + case ssl_sig_ecdsa_secp521r1_sha512: +diff -up nss/lib/ssl/sslcert.c.disable_pss nss/lib/ssl/sslcert.c +--- nss/lib/ssl/sslcert.c.disable_pss 2017-01-30 02:06:08.000000000 +0100 ++++ nss/lib/ssl/sslcert.c 2017-02-17 11:44:34.973824961 +0100 +@@ -399,7 +399,13 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket + PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT); + + if ((data->authType == ssl_auth_rsa_sign && ku_sig) || ++#if 0 ++ /* Disable, while we are waiting for an upstream fix to ++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 ++ * (NSS does not check if token supports RSA-PSS before using it to sign) ++ **/ + (data->authType == 
ssl_auth_rsa_pss && ku_sig) || ++#endif + (data->authType == ssl_auth_rsa_decrypt && ku_enc)) { + return ssl_ConfigCert(ss, cert, keyPair, data); + } +@@ -416,12 +422,18 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket + return rv; + } + ++#if 0 ++ /* Disable, while we are waiting for an upstream fix to ++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 ++ * (NSS does not check if token supports RSA-PSS before using it to sign) ++ **/ + /* This certificate is RSA, assume that it's also PSS. */ + data->authType = ssl_auth_rsa_pss; + rv = ssl_ConfigCert(ss, cert, keyPair, data); + if (rv != SECSuccess) { + return rv; + } ++#endif + } + + if (ku_enc) { diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch index 0ee13bb..72c0cb4 100644 --- a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch +++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch 
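Review bot: The workaround disables RSA-PSS in four places (the `defaultSignatureSchemes` table, the `ssl_IsSupportedSignatureScheme` cases that now `return PR_FALSE;`, and two spots in `ssl_ConfigRsaPkcs1CertByUsage`) with bare `#if 0` blocks and the same rationale comment repeated each time. A single project-chosen macro tested in those places would make the workaround greppable and revertable in one step once bug 1311950 is fixed upstream, and the `#if 0` wrapped around the middle operand of the `if (...)` condition in ssl_ConfigRsaPkcs1CertByUsage is especially easy to mis-edit on the next rebase. The consequence should also be recorded in the patch header: with PSS reported unsupported, RSA-signed handshakes fall back to PKCS#1 v1.5, a peer that offers only `rsa_pss_*` schemes cannot be authenticated with an RSA key, and if TLS 1.3 is enabled in this build RSA certificate authentication there will fail, since TLS 1.3 allows only RSA-PSS for handshake signatures with RSA keys. All enclosing definitions start and end outside the hunks.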
@@ -1,36 +1,21 @@ -diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c ---- a/lib/pk11wrap/pk11pars.c -+++ b/lib/pk11wrap/pk11pars.c -@@ -159,16 +159,20 @@ SECMOD_CreateModuleEx(const char *librar - if (parameters) { - mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters); - } - if (config) { - /* XXX: Apply configuration */ - } - mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc); - mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc); +diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c +--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 ++++ nss/lib/pk11wrap/pk11pars.c 2017-01-13 17:04:52.968903200 +0100 +@@ -672,6 +672,10 @@ SECMOD_CreateModuleEx(const char *librar + + mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc); + mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc); + /* if the system FIPS mode is enabled, force FIPS to be on */ + if (SECMOD_GetSystemFIPSEnabled()) { + mod->isFIPS = PR_TRUE; + } - mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc); - slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc); - mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams, - &mod->slotInfoCount); - if (slotParams) PORT_Free(slotParams); - /* new field */ - mod->trustOrder = NSSUTIL_ArgReadLong("trustOrder",nssc, - NSSUTIL_DEFAULT_TRUST_ORDER,NULL); -diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c ---- a/lib/pk11wrap/pk11util.c -+++ b/lib/pk11wrap/pk11util.c -@@ -90,16 +90,35 @@ SECMOD_Shutdown() - #endif - if (secmod_PrivateModuleCount) { - PORT_SetError(SEC_ERROR_BUSY); - return SECFailure; - } + mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc); + slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc); + mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams, +diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 
nss/lib/pk11wrap/pk11util.c +--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 ++++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:06:24.171723872 +0100 +@@ -94,6 +94,26 @@ SECMOD_Shutdown() return SECSuccess; } @@ -53,76 +38,42 @@ 
diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c +#endif + return 0; +} - ++ /* * retrieve the internal module */ - SECMODModule * - SECMOD_GetInternalModule(void) - { - return internalModule; -@@ -412,17 +431,17 @@ SECMOD_DeleteModule(const char *name, in - */ - SECStatus - SECMOD_DeleteInternalModule(const char *name) - { - SECMODModuleList *mlp; +@@ -427,7 +447,7 @@ SECMOD_DeleteInternalModule(const char * SECMODModuleList **mlpp; SECStatus rv = SECFailure; - if (pendingModule) { + if (SECMOD_GetSystemFIPSEnabled() || pendingModule) { - PORT_SetError(SEC_ERROR_MODULE_STUCK); - return rv; - } - if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return rv; + PORT_SetError(SEC_ERROR_MODULE_STUCK); + return rv; } - -@@ -883,17 +902,17 @@ SECMOD_DestroyModuleList(SECMODModuleLis - SECMODModuleList *lp; - - for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ; - } - +@@ -902,7 +922,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis PRBool SECMOD_CanDeleteInternalModule(void) { -- return (PRBool) (pendingModule == NULL); +- return (PRBool)(pendingModule == NULL); + return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); } /* - * check to see if the module has added new slots. PKCS 11 v2.20 allows for - * modules to add new slots, but never remove them. Slots cannot be added - * between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent - * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently - * grow on the caller. 
It is permissible for the slots to increase between -diff --git a/lib/pk11wrap/secmodi.h b/lib/pk11wrap/secmodi.h ---- a/lib/pk11wrap/secmodi.h -+++ b/lib/pk11wrap/secmodi.h -@@ -108,17 +108,22 @@ SECStatus PBE_PK11ParamToAlgid(SECOidTag - PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType, - int keySize, SECItem *keyId, CK_FLAGS opFlags, - PK11AttrFlags attrFlags, void *wincx); - +diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h +--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 ++++ nss/lib/pk11wrap/secmodi.h 2017-01-13 17:07:08.897624098 +0100 +@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, - SECItem **param, SECItem *pwd, PRBool faulty3DES); + SECItem **param, SECItem *pwd, PRBool faulty3DES); -- +/* Get the state of the system FIPS mode */ +/* NSS uses this to force FIPS mode if the system bit is on. Applications which + * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or + * from FIPS mode will automatically be told that they can't swith out of FIPS + * mode */ +int SECMOD_GetSystemFIPSEnabled(); - ++ extern void pk11sdr_Init(void); extern void pk11sdr_Shutdown(void); - /* - * Private to pk11wrap. - */ - diff --git a/SOURCES/fix-allowed-sig-alg.patch b/SOURCES/fix-allowed-sig-alg.patch deleted file mode 100644 index ca908b6..0000000 --- a/SOURCES/fix-allowed-sig-alg.patch +++ /dev/null 
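Review bot: The new declaration `+int SECMOD_GetSystemFIPSEnabled();` in secmodi.h has empty parentheses, which in C declares a function with an unspecified argument list rather than a prototype, so a call with stray arguments would not be diagnosed; it should be `int SECMOD_GetSystemFIPSEnabled(void);`, and the definition in pk11util.c (whose start is outside this hunk) should match. The accompanying comment refers to `SECMOD_CanDeleteInteral()` while the function changed earlier in this hunk is `SECMOD_CanDeleteInternalModule`, and has "swith" for "switch"; since this is the only documentation of the system-FIPS override for callers, the name should be exact. Minor: `(PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled())` puts a space after the cast where the surrounding reformatted code uses `(PRBool)(...)`.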
@@ -1,90 +0,0 @@ ---- nss/lib/ssl/ssl3con.prekai 2016-03-23 08:29:25.000000000 -0400 -+++ nss/lib/ssl/ssl3con.c 2016-03-29 15:00:44.457697131 -0400 -@@ -204,6 +204,7 @@ - {ssl_hash_sha512, ssl_sign_ecdsa}, - {ssl_hash_sha1, ssl_sign_ecdsa}, - #endif -+ {ssl_hash_sha384, ssl_sign_dsa}, - {ssl_hash_sha256, ssl_sign_dsa}, - {ssl_hash_sha1, ssl_sign_dsa} - }; -@@ -270,27 +271,6 @@ - ct_DSS_sign, - }; - --/* This block is the contents of the supported_signature_algorithms field of -- * our TLS 1.2 CertificateRequest message, in wire format. See -- * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 -- * -- * We only support TLS 1.2 -- * CertificateVerify messages that use the handshake PRF hash. */ --static const PRUint8 supported_signature_algorithms_sha256[] = { -- tls_hash_sha256, tls_sig_rsa, --#ifndef NSS_DISABLE_ECC -- tls_hash_sha256, tls_sig_ecdsa, --#endif -- tls_hash_sha256, tls_sig_dsa, --}; --static const PRUint8 supported_signature_algorithms_sha384[] = { -- tls_hash_sha384, tls_sig_rsa, --#ifndef NSS_DISABLE_ECC -- tls_hash_sha384, tls_sig_ecdsa, --#endif -- tls_hash_sha384, tls_sig_dsa, --}; -- - #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ - - -@@ -9561,7 +9541,8 @@ - } - - static SECStatus --ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, -+ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 allowedHashAlg, -+ PRUint8 *buf, - unsigned maxLen, PRUint32 *len) - { - unsigned int i; -@@ -9578,7 +9559,7 @@ - /* Note that we don't support a handshake hash with anything other than - * SHA-256, so asking for a signature from clients for something else - * would be inviting disaster. 
*/ -- if (alg->hashAlg == ssl_hash_sha256 || alg->hashAlg == ssl_hash_sha384) { -+ if (alg->hashAlg == allowedHashAlg) { - buf[(*len)++] = (PRUint8)alg->hashAlg; - buf[(*len)++] = (PRUint8)alg->sigAlg; - } -@@ -9608,6 +9589,7 @@ - PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; - unsigned int sigAlgsLength = 0; - SECOidData *hashOid; -+ PRUint8 allowedHashAlg; - - SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", - SSL_GETPID(), ss->fd)); -@@ -9639,19 +9621,19 @@ - if (hashOid == NULL) { - return SECFailure; /* err set by AppendHandshake. */ - } -+ - if (hashOid->offset == SEC_OID_SHA256) { -- sigAlgsLength = sizeof supported_signature_algorithms_sha256; -- PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha256, sigAlgsLength); -+ allowedHashAlg = ssl_hash_sha256; - } else if (hashOid->offset == SEC_OID_SHA384) { -- sigAlgsLength = sizeof supported_signature_algorithms_sha384; -- PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha384, sigAlgsLength); -+ allowedHashAlg = ssl_hash_sha384; - } else { - return SECFailure; /* err set by AppendHandshake. */ - } - - length = 1 + certTypesLength + 2 + calen; - if (isTLS12) { -- rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), -+ rv = ssl3_EncodeCertificateRequestSigAlgs(ss, allowedHashAlg, -+ sigAlgs, sizeof(sigAlgs), - &sigAlgsLength); - if (rv != SECSuccess) { - return rv; diff --git a/SOURCES/fix-nss-test-filtering.patch b/SOURCES/fix-nss-test-filtering.patch deleted file mode 100644 index 43714d5..0000000 --- a/SOURCES/fix-nss-test-filtering.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -diff --git a/tests/all.sh b/tests/all.sh ---- a/tests/all.sh -+++ b/tests/all.sh -@@ -106,17 +106,18 @@ - ############################## run_tests ############################### - # run test suites defined in TESTS variable, skip scripts defined in - # TESTS_SKIP variable - ######################################################################## - run_tests() - { - for TEST in ${TESTS} - do -- echo "${TESTS_SKIP}" | grep "${TEST}" > /dev/null -+ echo "Checking if ${TEST} should be skipped based on skip list [${TESTS_SKIP}]" -+ echo "${TESTS_SKIP}" | grep -w "${TEST}" > /dev/null - if [ $? -eq 0 ]; then - continue - fi - - SCRIPTNAME=${TEST}.sh - echo "Running tests for ${TEST}" - echo "TIMESTAMP ${TEST} BEGIN: `date`" - (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1) diff --git a/SOURCES/fix-reuse-of-session-cache-entry.patch b/SOURCES/fix-reuse-of-session-cache-entry.patch deleted file mode 100644 index 7262fee..0000000 --- a/SOURCES/fix-reuse-of-session-cache-entry.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/lib/ssl/sslnonce.c b/lib/ssl/sslnonce.c ---- a/lib/ssl/sslnonce.c -+++ b/lib/ssl/sslnonce.c -@@ -279,19 +279,17 @@ ssl_LookupSID(const PRIPv6Addr *addr, PR - (((peerID == NULL) && (sid->peerID == NULL)) || - ((peerID != NULL) && (sid->peerID != NULL) && - PORT_Strcmp(sid->peerID, peerID) == 0)) && - /* is cacheable */ - (sid->version < SSL_LIBRARY_VERSION_3_0 || - sid->u.ssl3.keys.resumable) && - /* server hostname matches. */ - (sid->urlSvrName != NULL) && -- ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) || -- ((sid->peerCert != NULL) && (SECSuccess == -- CERT_VerifyCertName(sid->peerCert, urlSvrName))) ) -+ (0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) - ) { - /* Hit */ - sid->lastAccessTime = now; - sid->references++; - break; - } else { - sidp = &sid->next; - } diff --git a/SOURCES/flexible-certverify.patch b/SOURCES/flexible-certverify.patch deleted file mode 100644 index 481a07f..0000000 
--- a/SOURCES/flexible-certverify.patch +++ /dev/null 
@@ -1,1136 +0,0 @@ -diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc ---- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc -+++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc -@@ -318,23 +318,21 @@ TEST_P(TlsConnectPre12, SignatureAlgorit - ResetEcdsa(); - client_->SetSignatureAlgorithms(SignatureEcdsaSha384, - PR_ARRAY_SIZE(SignatureEcdsaSha384)); - server_->SetSignatureAlgorithms(SignatureEcdsaSha256, - PR_ARRAY_SIZE(SignatureEcdsaSha256)); - Connect(); - } - --// The server requests client auth but doesn't offer a SHA-256 option. --// This fails because NSS only uses SHA-256 for handshake transcript hashes. --TEST_P(TlsConnectTls12, RequestClientAuthWithoutSha256) { -+TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) { - server_->SetSignatureAlgorithms(SignatureRsaSha384, - PR_ARRAY_SIZE(SignatureRsaSha384)); - server_->RequestClientAuth(false); -- ConnectExpectFail(); -+ Connect(); - } - - TEST_P(TlsConnectGeneric, ConnectAlpn) { - EnableAlpn(); - Connect(); - client_->CheckAlpn(SSL_NEXT_PROTO_SELECTED, "a"); - server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a"); - } -diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c ---- a/lib/ssl/ssl3con.c -+++ b/lib/ssl/ssl3con.c -@@ -3636,16 +3636,29 @@ ssl3_GetPrfHashMechanism(sslSocket *ss) - SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg; - - if (prf_alg == 0) - return CKM_SHA256; - - return prf_alg; - } - -+static SSLHashType -+ssl3_GetSuitePrfHash(sslSocket *ss) -+{ -+ switch (ss->ssl3.hs.suite_def->prf_alg) { -+ case CKM_SHA384: -+ return ssl_hash_sha384; -+ case 0: -+ case CKM_SHA256: -+ default: -+ return ssl_hash_sha256; -+ } -+} -+ - - /* This method completes the derivation of the MS from the PMS. - ** - ** 1. Derive the MS, if possible, else return an error. - ** - ** 2. Check the version if |pms_version| is non-zero and if wrong, - ** return an error. 
- ** -@@ -3813,17 +3826,17 @@ tls_ComputeExtendedMasterSecretInt(sslSo - master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH; - } else { - master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE; - pms_version_ptr = &pms_version; - } - - if (pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { - /* TLS 1.2 */ -- extended_master_params.prfHashMechanism = CKM_SHA256; -+ extended_master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); - key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; - } else { - /* TLS < 1.2 */ - extended_master_params.prfHashMechanism = CKM_TLS_PRF; - key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; - } - - extended_master_params.pVersion = pms_version_ptr; -@@ -4071,20 +4084,23 @@ loser: - /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in - * buffered messages in ss->ssl3.hs.messages. */ - static SECStatus - ssl3_InitHandshakeHashes(sslSocket *ss) - { - SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); - - PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); -+ if (ss->version == SSL_LIBRARY_VERSION_TLS_1_2) { -+ ss->ssl3.hs.hashType = handshake_hash_record; -+ } else - #ifndef NO_PKCS11_BYPASS - if (ss->opt.bypassPKCS11) { - PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone); -- if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { -+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { - /* If we ever support ciphersuites where the PRF hash isn't SHA-256 - * then this will need to be updated. */ - HASH_HashType ht; - CK_MECHANISM_TYPE hm; - SECOidTag ot; - SECOidData *hashOid; - - hm = ssl3_GetPrfHashMechanism(ss); -@@ -4112,17 +4128,17 @@ ssl3_InitHandshakeHashes(sslSocket *ss) - #endif - { - PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha); - /* - * note: We should probably lookup an SSL3 slot for these - * handshake hashes in hopes that we wind up with the same slots - * that the master secret will wind up in ... 
- */ -- if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { -+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { - /* determine the hash from the prf */ - const SECOidData *hash_oid; - - PORT_Assert(ss->ssl3.hs.suite_def); - /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_alg) - * Convert that to the OidTag. We can then use that OidTag to create our - * PK11Context */ - hash_oid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); -@@ -4137,38 +4153,16 @@ ssl3_InitHandshakeHashes(sslSocket *ss) - return SECFailure; - } - ss->ssl3.hs.hashType = handshake_hash_single; - - if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); - return SECFailure; - } -- -- /* Create a backup SHA-1 hash for a potential client auth -- * signature. -- * -- * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the -- * handshake hash function (SHA-256). If the server or the client -- * does not support SHA-256 as a signature hash, we can either -- * maintain a backup SHA-1 handshake hash or buffer all handshake -- * messages. -- */ -- if (!ss->sec.isServer) { -- ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1); -- if (ss->ssl3.hs.backupHash == NULL) { -- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); -- return SECFailure; -- } -- -- if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) { -- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); -- return SECFailure; -- } -- } - } else { - /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or - * created successfully. 
*/ - ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); - if (ss->ssl3.hs.md5 == NULL) { - ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); - return SECFailure; - } -@@ -4187,26 +4181,23 @@ ssl3_InitHandshakeHashes(sslSocket *ss) - } - if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); - return SECFailure; - } - } - } - -- if (ss->ssl3.hs.messages.len > 0) { -- if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, -- ss->ssl3.hs.messages.len) != -- SECSuccess) { -- return SECFailure; -- } -- PORT_Free(ss->ssl3.hs.messages.buf); -- ss->ssl3.hs.messages.buf = NULL; -- ss->ssl3.hs.messages.len = 0; -- ss->ssl3.hs.messages.space = 0; -+ if (ss->ssl3.hs.hashType != handshake_hash_record && -+ ss->ssl3.hs.messages.len > 0) { -+ if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, -+ ss->ssl3.hs.messages.len) != SECSuccess) { -+ return SECFailure; -+ } -+ sslBuffer_Clear(&ss->ssl3.hs.messages); - } - - return SECSuccess; - } - - static SECStatus - ssl3_RestartHandshakeHashes(sslSocket *ss) - { -@@ -4237,66 +4228,71 @@ ssl3_RestartHandshakeHashes(sslSocket *s - /* Called from ssl3_InitHandshakeHashes() - ** ssl3_AppendHandshake() - ** ssl3_StartHandshakeHash() - ** ssl3_HandleV2ClientHello() - ** ssl3_HandleHandshakeMessage() - ** Caller must hold the ssl3Handshake lock. - */ - static SECStatus --ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, -- unsigned int l) -+ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, unsigned int l) - { - SECStatus rv = SECSuccess; - - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); - -- /* We need to buffer the handshake messages until we have established -- * which handshake hash function to use. */ -- if (ss->ssl3.hs.hashType == handshake_hash_unknown) { -- return sslBuffer_Append(&ss->ssl3.hs.messages, b, l); -+ /* With TLS 1.3, and versions TLS.1.1 and older, we keep the hash(es) -+ * always up to date. 
However, we must initially buffer the handshake -+ * messages, until we know what to do. -+ * If ss->ssl3.hs.hashType != handshake_hash_unknown, -+ * it means we know what to do. We calculate (hash our input), -+ * and we stop appending to the buffer. -+ * -+ * With TLS 1.2, we always append all handshake messages, -+ * and never update the hash, because the hash function we must use for -+ * certificate_verify might be different from the hash function we use -+ * when signing other handshake hashes. */ -+ -+ if (ss->ssl3.hs.hashType == handshake_hash_unknown || -+ ss->ssl3.hs.hashType == handshake_hash_record) { -+ return sslBuffer_Append(&ss->ssl3.hs.messages, b, l); - } - - PRINT_BUF(90, (NULL, "handshake hash input:", b, l)); - - #ifndef NO_PKCS11_BYPASS - if (ss->opt.bypassPKCS11) { - if (ss->ssl3.hs.hashType == handshake_hash_single) { -- ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l); -- } else { -+ PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); -+ ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l); -+ } else if (ss->ssl3.hs.hashType == handshake_hash_combo) { - MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); - SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); - } - return rv; - } - #endif - if (ss->ssl3.hs.hashType == handshake_hash_single) { -- rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); -- if (rv != SECSuccess) { -- ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); -- return rv; -- } -- if (ss->ssl3.hs.backupHash) { -- rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l); -- if (rv != SECSuccess) { -- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); -- return rv; -- } -- } -- } else { -- rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); -- if (rv != SECSuccess) { -- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); -- return rv; -- } -- rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); -- if (rv != SECSuccess) { -- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); -- return rv; -- } -+ PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 
-+ rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); -+ if (rv != SECSuccess) { -+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); -+ return rv; -+ } -+ } else if (ss->ssl3.hs.hashType == handshake_hash_combo) { -+ rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); -+ if (rv != SECSuccess) { -+ ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); -+ return rv; -+ } -+ rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); -+ if (rv != SECSuccess) { -+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); -+ return rv; -+ } - } - return rv; - } - - /************************************************************************** - * Append Handshake functions. - * All these functions set appropriate error codes. - * Most rely on ssl3_AppendHandshake to set the error code. -@@ -4759,16 +4755,68 @@ ssl3_ConsumeSignatureAndHashAlgorithm(ss - } - return SECSuccess; - } - - /************************************************************************** - * end of Consume Handshake functions. - **************************************************************************/ - -+#ifndef NO_PKCS11_BYPASS -+static SECStatus -+ssl3_ComputeBypassHandshakeHash(unsigned char *buf, unsigned int len, -+ SSLHashType hashAlg, SSL3Hashes *hashes) -+{ -+ const SECHashObject *h_obj = NULL; -+ PRUint64 h_cx[MAX_MAC_CONTEXT_LLONGS]; -+ const SECOidData *hashOid = -+ SECOID_FindOIDByMechanism(ssl3_GetHashMechanismByHashType(hashAlg)); -+ -+ if (hashOid) { -+ h_obj = HASH_GetRawHashObject(HASH_GetHashTypeByOidTag(hashOid->offset)); -+ } -+ if (!h_obj) { -+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); -+ return SECFailure; -+ } -+ h_obj->begin(h_cx); -+ h_obj->update(h_cx, buf, len); -+ h_obj->end(h_cx, hashes->u.raw, &hashes->len, sizeof(hashes->u.raw)); -+ PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len)); -+ hashes->hashAlg = hashAlg; -+ return SECSuccess; -+} -+#endif -+ -+static SECStatus -+ssl3_ComputePkcs11HandshakeHash(unsigned char *buf, unsigned int len, -+ SSLHashType hashAlg, SSL3Hashes *hashes) -+{ -+ 
SECStatus rv = SECFailure; -+ PK11Context *hashContext = PK11_CreateDigestContext( -+ ssl3_TLSHashAlgorithmToOID(hashAlg)); -+ -+ if (!hashContext) { -+ return rv; -+ } -+ rv = PK11_DigestBegin(hashContext); -+ if (rv == SECSuccess) { -+ rv = PK11_DigestOp(hashContext, buf, len); -+ } -+ if (rv == SECSuccess) { -+ rv = PK11_DigestFinal(hashContext, hashes->u.raw, &hashes->len, -+ sizeof(hashes->u.raw)); -+ } -+ if (rv == SECSuccess) { -+ hashes->hashAlg = hashAlg; -+ } -+ PK11_DestroyContext(hashContext, PR_TRUE); -+ return rv; -+} -+ - /* Extract the hashes of handshake messages to this point. - * Called from ssl3_SendCertificateVerify - * ssl3_SendFinished - * ssl3_HandleHandshakeMessage - * - * Caller must hold the SSL3HandshakeLock. - * Caller must hold a read or write lock on the Spec R/W lock. - * (There is presently no way to assert on a Read lock.) -@@ -4798,23 +4846,27 @@ ssl3_ComputeHandshakeHashes(sslSocket * - ss->ssl3.hs.hashType == handshake_hash_single) { - /* compute them without PKCS11 */ - PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; - - ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); - ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, - sizeof(hashes->u.raw)); - -- PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); -- -- /* If we ever support ciphersuites where the PRF hash isn't SHA-256 -- * then this will need to be updated. 
*/ -- hashes->hashAlg = ssl_hash_sha256; -+ PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len)); -+ -+ hashes->hashAlg = ssl3_GetSuitePrfHash(ss); - rv = SECSuccess; -- } else if (ss->opt.bypassPKCS11) { -+ } else if (ss->opt.bypassPKCS11 && -+ ss->ssl3.hs.hashType == handshake_hash_record) { -+ rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf, -+ ss->ssl3.hs.messages.len, -+ ssl3_GetSuitePrfHash(ss), -+ hashes); -+ } else if (ss->opt.bypassPKCS11) { /* TLS 1.1 or lower */ - /* compute them without PKCS11 */ - PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; - PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; - - #define md5cx ((MD5Context *)md5_cx) - #define shacx ((SHA1Context *)sha_cx) - - MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); -@@ -4942,16 +4994,21 @@ tls12_loser: - if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); - rv = SECFailure; - } - if (stateBuf != stackBuf) { - PORT_ZFree(stateBuf, stateLen); - } - } -+ } else if (ss->ssl3.hs.hashType == handshake_hash_record) { -+ rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf, -+ ss->ssl3.hs.messages.len, -+ ssl3_GetSuitePrfHash(ss), -+ hashes); - } else { - /* compute hashes with PKCS11 */ - PK11Context * md5; - PK11Context * sha = NULL; - unsigned char *md5StateBuf = NULL; - unsigned char *shaStateBuf = NULL; - unsigned int md5StateLen, shaStateLen; - unsigned char md5StackBuf[256]; -@@ -5096,41 +5153,16 @@ tls12_loser: - if (shaStateBuf != shaStackBuf) { - PORT_ZFree(shaStateBuf, shaStateLen); - } - } - } - return rv; - } - --static SECStatus --ssl3_ComputeBackupHandshakeHashes(sslSocket * ss, -- SSL3Hashes * hashes) /* output goes here. 
*/ --{ -- SECStatus rv = SECSuccess; -- -- PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); -- PORT_Assert( !ss->sec.isServer ); -- PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); -- -- rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len, -- sizeof(hashes->u.raw)); -- if (rv != SECSuccess) { -- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); -- rv = SECFailure; -- goto loser; -- } -- hashes->hashAlg = ssl_hash_sha1; -- --loser: -- PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); -- ss->ssl3.hs.backupHash = NULL; -- return rv; --} -- - /* - * SSL 2 based implementations pass in the initial outbound buffer - * so that the handshake hash can contain the included information. - * - * Called from ssl2_BeginClientHandshake() in sslcon.c - */ - SECStatus - ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) -@@ -6451,26 +6483,44 @@ ssl3_SendCertificateVerify(sslSocket *ss - - PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); - - SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", - SSL_GETPID(), ss->fd)); - - ssl_GetSpecReadLock(ss); -- if (ss->ssl3.hs.hashType == handshake_hash_single && -- ss->ssl3.hs.backupHash) { -- rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes); -- PORT_Assert(!ss->ssl3.hs.backupHash); -+ -+ if (ss->ssl3.hs.hashType == handshake_hash_record && -+ ss->ssl3.hs.tls12CertVerifyHash != ssl3_GetSuitePrfHash(ss)) { -+#ifndef NO_PKCS11_BYPASS -+ if (ss->opt.bypassPKCS11) { -+ rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf, -+ ss->ssl3.hs.messages.len, -+ ss->ssl3.hs.tls12CertVerifyHash, -+ &hashes); -+ } else -+#endif -+ { -+ rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf, -+ ss->ssl3.hs.messages.len, -+ ss->ssl3.hs.tls12CertVerifyHash, -+ &hashes); -+ } -+ if (rv != SECSuccess) { -+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); -+ goto done; -+ } - } else { 
-- rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); -- } -+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); -+ } -+ - ssl_ReleaseSpecReadLock(ss); - if (rv != SECSuccess) { -- goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ -+ goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ - } - - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); - isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); - keyType = ss->ssl3.clientPrivateKey->keyType; - rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); - if (rv == SECSuccess) { - PK11SlotInfo * slot; -@@ -7249,88 +7299,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, - } - - done: - if (pubk) - SECKEY_DestroyPublicKey(pubk); - return rv; - } - --/* Destroys the backup handshake hash context if we don't need it. Note that -- * this function selects the hash algorithm for client authentication -- * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash -- * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */ - static void --ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, -- const SECItem *algorithms) --{ -- SECStatus rv; -- SSLSignType sigAlg; -- PRBool preferSha1; -- PRBool supportsSha1 = PR_FALSE; -- PRBool supportsHandshakeHash = PR_FALSE; -- PRBool needBackupHash = PR_FALSE; -- unsigned int i; -- SECOidData *hashOid; -- TLSHashAlgorithm suitePRFHash; -- PRBool suitePRFIs256Or384 = PR_FALSE; -- --#ifndef NO_PKCS11_BYPASS -- /* Backup handshake hash is not supported in PKCS #11 bypass mode. */ -- if (ss->opt.bypassPKCS11) { -- PORT_Assert(!ss->ssl3.hs.backupHash); -- return; -- } --#endif -- PORT_Assert(ss->ssl3.hs.backupHash); -- -- /* Determine the key's signature algorithm and whether it prefers SHA-1. 
*/ -- rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); -- if (rv != SECSuccess) { -- goto done; -- } -- -- hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); -- if (hashOid == NULL) { -- rv = SECFailure; -- goto done; -- } -- -- if (hashOid->offset == SEC_OID_SHA256) { -- suitePRFHash = tls_hash_sha256; -- suitePRFIs256Or384 = PR_TRUE; -- } else if (hashOid->offset == SEC_OID_SHA384) { -- suitePRFHash = tls_hash_sha384; -- suitePRFIs256Or384 = PR_TRUE; -- } -- -- /* Determine the server's hash support for that signature algorithm. */ -- for (i = 0; i < algorithms->len; i += 2) { -- if (algorithms->data[i+1] == sigAlg) { -- if (algorithms->data[i] == ssl_hash_sha1) { -- supportsSha1 = PR_TRUE; -- } else if (suitePRFIs256Or384 && -- algorithms->data[i] == suitePRFHash) { -- supportsHandshakeHash = PR_TRUE; -- } -- } -- } -- -- /* If either the server does not support SHA-256 or the client key prefers -- * SHA-1, leave the backup hash. */ -- if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) { -- needBackupHash = PR_TRUE; -- } -- --done: -- if (!needBackupHash) { -- PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); -- ss->ssl3.hs.backupHash = NULL; -- } --} -+ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms); - - typedef struct dnameNode { - struct dnameNode *next; - SECItem name; - } dnameNode; - - /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete - * ssl3 Certificate Request message. 
-@@ -7486,19 +7466,20 @@ ssl3_HandleCertificateRequest(sslSocket - certUsageSSLClient, PR_FALSE); - if (ss->ssl3.clientCertChain == NULL) { - CERT_DestroyCertificate(ss->ssl3.clientCertificate); - ss->ssl3.clientCertificate = NULL; - SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); - ss->ssl3.clientPrivateKey = NULL; - goto send_no_certificate; - } -- if (ss->ssl3.hs.hashType == handshake_hash_single) { -- ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); -- } -+ if (ss->ssl3.hs.hashType == handshake_hash_record || -+ ss->ssl3.hs.hashType == handshake_hash_single) { -+ ssl3_DecideTls12CertVerifyHash(ss, &algorithms); -+ } - break; /* not an error */ - - case SECFailure: - default: - send_no_certificate: - if (isTLS) { - ss->ssl3.sendEmptyCert = PR_TRUE; - } else { -@@ -7639,24 +7620,16 @@ ssl3_SendClientSecondRound(sslSocket *ss - - PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); - - sendClientCert = !ss->ssl3.sendEmptyCert && - ss->ssl3.clientCertChain != NULL && - ss->ssl3.clientPrivateKey != NULL; - -- if (!sendClientCert && -- ss->ssl3.hs.hashType == handshake_hash_single && -- ss->ssl3.hs.backupHash) { -- /* Don't need the backup handshake hash. */ -- PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); -- ss->ssl3.hs.backupHash = NULL; -- } -- - /* We must wait for the server's certificate to be authenticated before - * sending the client certificate in order to disclosing the client - * certificate to an attacker that does not have a valid cert for the - * domain we are connecting to. - * - * XXX: We should do the same for the NPN extension, but for that we - * need an option to give the application the ability to leak the NPN - * information to get better performance. 
-@@ -9415,16 +9388,69 @@ ssl3_PickSignatureHashAlgorithm(sslSocke - } - } - } - - PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); - return SECFailure; - } - -+static void -+ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms) -+{ -+ SECStatus rv; -+ SSLSignType sigAlg; -+ PRBool preferSha1 = PR_FALSE; -+ PRBool supportsSha1 = PR_FALSE; -+ PRBool supportsHandshakeHash = PR_FALSE; -+ unsigned int i; -+ SSLHashType otherHashAlg = ssl_hash_none; -+ -+ /* Determine the key's signature algorithm and whether it prefers SHA-1. */ -+ rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); -+ if (rv != SECSuccess) { -+ return; -+ } -+ -+ /* Determine the server's hash support for that signature algorithm. */ -+ for (i = 0; i < algorithms->len; i += 2) { -+ if (algorithms->data[i + 1] == sigAlg) { -+ SSLHashType hashAlg = algorithms->data[i]; -+ SECOidTag hashOID; -+ PRUint32 policy; -+ if (hashAlg == ssl_hash_sha1 && -+ ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) { -+ /* TLS 1.3 explicitly forbids using SHA-1 with certificate_verify. */ -+ continue; -+ } -+ hashOID = ssl3_TLSHashAlgorithmToOID(hashAlg); -+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) && -+ !(policy & NSS_USE_ALG_IN_SSL_KX)) { -+ /* we ignore hashes we don't support */ -+ continue; -+ } -+ if (hashAlg == ssl_hash_sha1) { -+ supportsSha1 = PR_TRUE; -+ } else if (hashAlg == ssl3_GetSuitePrfHash(ss)) { -+ supportsHandshakeHash = PR_TRUE; -+ } -+ if (otherHashAlg == ssl_hash_none) { -+ otherHashAlg = hashAlg; -+ } -+ } -+ } -+ -+ if (supportsSha1 && preferSha1) { -+ ss->ssl3.hs.tls12CertVerifyHash = ssl_hash_sha1; -+ } else if (supportsHandshakeHash) { -+ ss->ssl3.hs.tls12CertVerifyHash = ssl3_GetSuitePrfHash(ss); /* Use suite PRF hash. 
*/ -+ } else { -+ ss->ssl3.hs.tls12CertVerifyHash = otherHashAlg; -+ } -+} - - static SECStatus - ssl3_SendServerKeyExchange(sslSocket *ss) - { - const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; - SECStatus rv = SECFailure; - int length; - PRBool isTLS; -@@ -9534,38 +9560,32 @@ ssl3_SendServerKeyExchange(sslSocket *ss - } - loser: - if (signed_hash.data != NULL) - PORT_Free(signed_hash.data); - return SECFailure; - } - - static SECStatus --ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 allowedHashAlg, -- PRUint8 *buf, -+ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, - unsigned maxLen, PRUint32 *len) - { - unsigned int i; - - PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2); - if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - *len = 0; - for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { - const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; -- /* Note that we don't support a handshake hash with anything other than -- * SHA-256, so asking for a signature from clients for something else -- * would be inviting disaster. 
*/ -- if (alg->hashAlg == allowedHashAlg) { -- buf[(*len)++] = (PRUint8)alg->hashAlg; -- buf[(*len)++] = (PRUint8)alg->sigAlg; -- } -+ buf[(*len)++] = (PRUint8)alg->hashAlg; -+ buf[(*len)++] = (PRUint8)alg->sigAlg; - } - - if (*len == 0) { - PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); - return SECFailure; - } - return SECSuccess; - } -@@ -9582,17 +9602,16 @@ ssl3_SendCertificateRequest(sslSocket *s - int length; - int i; - int calen = 0; - int nnames = 0; - int certTypesLength; - PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; - unsigned int sigAlgsLength = 0; - SECOidData *hashOid; -- PRUint8 allowedHashAlg; - - SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", - SSL_GETPID(), ss->fd)); - - PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); - - isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); -@@ -9615,27 +9634,19 @@ ssl3_SendCertificateRequest(sslSocket *s - certTypes = certificate_types; - certTypesLength = sizeof certificate_types; - - hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); - if (hashOid == NULL) { - return SECFailure; /* err set by AppendHandshake. */ - } - -- if (hashOid->offset == SEC_OID_SHA256) { -- allowedHashAlg = ssl_hash_sha256; -- } else if (hashOid->offset == SEC_OID_SHA384) { -- allowedHashAlg = ssl_hash_sha384; -- } else { -- return SECFailure; /* err set by AppendHandshake. 
*/ -- } -- - length = 1 + certTypesLength + 2 + calen; - if (isTLS12) { -- rv = ssl3_EncodeCertificateRequestSigAlgs(ss, allowedHashAlg, -+ rv = ssl3_EncodeCertificateRequestSigAlgs(ss, - sigAlgs, sizeof(sigAlgs), - &sigAlgsLength); - if (rv != SECSuccess) { - return rv; - } - length += 2 + sigAlgsLength; - } - -@@ -9696,70 +9707,89 @@ ssl3_SendServerHelloDone(sslSocket *ss) - static SECStatus - ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, - SSL3Hashes *hashes) - { - SECItem signed_hash = {siBuffer, NULL, 0}; - SECStatus rv; - int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; - SSL3AlertDescription desc = handshake_failure; -- PRBool isTLS, isTLS12; -+ PRBool isTLS; - SSLSignatureAndHashAlg sigAndHash; -+ SSL3Hashes localHashes; -+ SSL3Hashes *hashesForVerify = NULL; - - SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", - SSL_GETPID(), ss->fd)); - PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); - -+ /* TLS 1.3 is handled by tls13_HandleCertificateVerify */ -+ PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2); -+ - isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); -- isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); - - if (ss->ssl3.hs.ws != wait_cert_verify) { - desc = unexpected_message; - errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; - goto alert_loser; - } - -- if (!hashes) { -- PORT_Assert(0); -- desc = internal_error; -- errCode = SEC_ERROR_LIBRARY_FAILURE; -- goto alert_loser; -- } -- -- if (isTLS12) { -+ if (ss->ssl3.hs.hashType != handshake_hash_record) { -+ if (!hashes) { -+ PORT_Assert(0); -+ desc = internal_error; -+ errCode = SEC_ERROR_LIBRARY_FAILURE; -+ goto alert_loser; -+ } -+ hashesForVerify = hashes; -+ } else { - rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, - &sigAndHash); - if (rv != SECSuccess) { - goto loser; /* malformed or unsupported. 
*/ - } - rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( - ss, &sigAndHash, ss->sec.peerCert); - if (rv != SECSuccess) { - errCode = PORT_GetError(); - desc = decrypt_error; - goto alert_loser; - } - -- /* We only support CertificateVerify messages that use the handshake -- * hash. */ -- if (sigAndHash.hashAlg != hashes->hashAlg) { -- errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; -+#ifndef NO_PKCS11_BYPASS -+ if (ss->opt.bypassPKCS11) { -+ rv = ssl3_ComputeBypassHandshakeHash(hashes->u.pointer_to_hash_input.data, -+ hashes->u.pointer_to_hash_input.len, -+ sigAndHash.hashAlg, -+ &localHashes); -+ } else -+#endif -+ { -+ rv = ssl3_ComputePkcs11HandshakeHash(hashes->u.pointer_to_hash_input.data, -+ hashes->u.pointer_to_hash_input.len, -+ sigAndHash.hashAlg, -+ &localHashes); -+ } -+ if (rv == SECSuccess) { -+ hashesForVerify = &localHashes; -+ } else { -+ errCode = SSL_ERROR_DIGEST_FAILURE; - desc = decrypt_error; - goto alert_loser; - } - } - - rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); - if (rv != SECSuccess) { - goto loser; /* malformed. */ - } - - /* XXX verify that the key & kea match */ -- rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, -+ rv = ssl3_VerifySignedHashes(hashesForVerify, ss->sec.peerCert, &signed_hash, - isTLS, ss->pkcs11PinArg); - if (rv != SECSuccess) { - errCode = PORT_GetError(); - desc = isTLS ? decrypt_error : handshake_failure; - goto alert_loser; - } - - signed_hash.data = NULL; -@@ -11638,34 +11668,63 @@ SECStatus - ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) - { - SECStatus rv = SECSuccess; - SSL3HandshakeType type = ss->ssl3.hs.msg_type; - SSL3Hashes hashes; /* computed hashes are put here. 
*/ - SSL3Hashes *hashesPtr = NULL; /* Set when hashes are computed */ - PRUint8 hdr[4]; - PRUint8 dtlsData[8]; -+ PRBool computeHashes = PR_FALSE; - - PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); - /* - * We have to compute the hashes before we update them with the - * current message. - */ - ssl_GetSpecReadLock(ss); /************************************/ -- if(((type == finished) && (ss->ssl3.hs.ws == wait_finished)) || -- ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify))) { -- SSL3Sender sender = (SSL3Sender)0; -- ssl3CipherSpec *rSpec = ss->ssl3.prSpec; -- -- if (type == finished) { -- sender = ss->sec.isServer ? sender_client : sender_server; -- rSpec = ss->ssl3.crSpec; -- } -- rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); -+ -+ if ((type == finished) && (ss->ssl3.hs.ws == wait_finished)) { -+ computeHashes = PR_TRUE; -+ } else if ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify)) { -+ if (ss->ssl3.hs.hashType == handshake_hash_record) { -+ /* We cannot compute the hash yet. We must wait until we have -+ * decoded the certificate_verify message in -+ * ssl3_HandleCertificateVerify, which will tell us which -+ * hash function we must use. -+ * -+ * (ssl3_HandleCertificateVerify cannot simply look at the -+ * buffer length itself, because at the time we reach it, -+ * additional handshake messages will have been added to the -+ * buffer, e.g. the certificate_verify message itself.) -+ * -+ * Therefore, we use SSL3Hashes.u.pointer_to_hash_input -+ * to signal the current state of the buffer. -+ * -+ * ssl3_HandleCertificateVerify will detect -+ * hashType == handshake_hash_record -+ * and use that information to calculate the hash. 
-+ */ -+ hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf; -+ hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len; -+ hashesPtr = &hashes; -+ } else { -+ computeHashes = PR_TRUE; -+ } -+ } -+ if (computeHashes) { -+ SSL3Sender sender = (SSL3Sender)0; -+ ssl3CipherSpec *rSpec = ss->ssl3.prSpec; -+ -+ if (type == finished) { -+ sender = ss->sec.isServer ? sender_client : sender_server; -+ rSpec = ss->ssl3.crSpec; -+ } -+ rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); - if (rv == SECSuccess) { - hashesPtr = &hashes; - } - } - ssl_ReleaseSpecReadLock(ss); /************************************/ - if (rv != SECSuccess) { - return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ - } -@@ -13080,20 +13139,17 @@ ssl3_DestroySSL3Info(sslSocket *ss) - } - if (ss->ssl3.hs.sha) { - PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); - } - if (ss->ssl3.hs.clientSigAndHash) { - PORT_Free(ss->ssl3.hs.clientSigAndHash); - } - if (ss->ssl3.hs.messages.buf) { -- PORT_Free(ss->ssl3.hs.messages.buf); -- ss->ssl3.hs.messages.buf = NULL; -- ss->ssl3.hs.messages.len = 0; -- ss->ssl3.hs.messages.space = 0; -+ sslBuffer_Clear(&ss->ssl3.hs.messages); - } - - /* free the SSL3Buffer (msg_body) */ - PORT_Free(ss->ssl3.hs.msg_body.buf); - - SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE); - - /* free up the CipherSpecs */ -diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h ---- a/lib/ssl/ssl3prot.h -+++ b/lib/ssl/ssl3prot.h -@@ -254,16 +254,17 @@ typedef struct { - * which, if |hashAlg==ssl_hash_none| is also a SSL3HashesIndividually - * struct. 
*/ - typedef struct { - unsigned int len; - SSLHashType hashAlg; - union { - PRUint8 raw[64]; - SSL3HashesIndividually s; -+ SECItem pointer_to_hash_input; - } u; - } SSL3Hashes; - - typedef struct { - union { - SSL3Opaque anonymous; - SSL3Hashes certified; - } u; -diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h ---- a/lib/ssl/sslimpl.h -+++ b/lib/ssl/sslimpl.h -@@ -847,17 +847,18 @@ typedef struct DTLSQueuedMessageStr { - SSL3ContentType type; /* The message type */ - unsigned char *data; /* The data */ - PRUint16 len; /* The data length */ - } DTLSQueuedMessage; - - typedef enum { - handshake_hash_unknown = 0, - handshake_hash_combo = 1, /* The MD5/SHA-1 combination */ -- handshake_hash_single = 2 /* A single hash */ -+ handshake_hash_single = 2, /* A single hash */ -+ handshake_hash_record - } SSL3HandshakeHashType; - - /* - ** This is the "hs" member of the "ssl3" struct. - ** This entire struct is protected by ssl3HandshakeLock - */ - typedef struct SSL3HandshakeStateStr { - SSL3Random server_random; -@@ -880,22 +881,19 @@ typedef struct SSL3HandshakeStateStr { - * of the freebl _Clone functions, so we need a dedicated function - * pointer for the _Clone function. */ - void (*sha_clone)(void *dest, void *src); - #endif - /* PKCS #11 mode: - * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and - * |sha| for SHA-1. - * TLS 1.2 and later use only |sha|, for SHA-256. */ -- /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup -- * handshake hash for generating client auth signatures. Confusingly, the -- * backup hash function is SHA-1. 
*/ --#define backupHash md5 - PK11Context * md5; - PK11Context * sha; -+ SSLHashType tls12CertVerifyHash; - - const ssl3KEADef * kea_def; - ssl3CipherSuite cipher_suite; - const ssl3CipherSuiteDef *suite_def; - SSLCompressionMethod compression; - sslBuffer msg_body; /* protected by recvBufLock */ - /* partial handshake message from record layer */ - unsigned int header_bytes; -@@ -1452,16 +1450,17 @@ extern SECStatus ssl_SaveWriteData(sslSo - const void* p, unsigned int l); - extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss); - extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss); - extern int ssl_Do1stHandshake(sslSocket *ss); - - extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen); - extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data, - unsigned int len); -+extern void sslBuffer_Clear(sslBuffer *b); - - extern void ssl2_UseClearSendFunc(sslSocket *ss); - extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec); - - extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server); - extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, - const char *peerID, const char *urlSvrName); - extern void ssl_FreeSID(sslSessionID *sid); -diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c ---- a/lib/ssl/sslsecur.c -+++ b/lib/ssl/sslsecur.c -@@ -528,16 +528,27 @@ sslBuffer_Append(sslBuffer *b, const voi - rv = sslBuffer_Grow(b, newLen); - if (rv != SECSuccess) - return rv; - PORT_Memcpy(b->buf + b->len, data, len); - b->len += len; - return SECSuccess; - } - -+void -+sslBuffer_Clear(sslBuffer *b) -+{ -+ if (b->len > 0) { -+ PORT_Free(b->buf); -+ b->buf = NULL; -+ b->len = 0; -+ b->space = 0; -+ } -+} -+ - /* - ** Save away write data that is trying to be written before the security - ** handshake has been completed. When the handshake is completed, we will - ** flush this data out. - ** Caller must hold xmitBufLock - */ - SECStatus - ssl_SaveWriteData(sslSocket *ss, const void *data, unsigned int len) 
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch index c032c77..5c1ed4c 100644 --- a/SOURCES/iquote.patch +++ b/SOURCES/iquote.patch @@ -188,9 +188,9 @@ diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile ####################################################################### -diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile ---- ./nss/external_tests/ssl_gtest/Makefile.iquote 2016-02-18 21:51:23.746893964 -0500 -+++ ./nss/external_tests/ssl_gtest/Makefile 2016-02-18 21:52:32.825583479 -0500 +diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile +--- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-18 21:51:23.746893964 -0500 ++++ ./nss/gtests/ssl_gtest/Makefile 2016-02-18 21:52:32.825583479 -0500 @@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### diff --git a/SOURCES/moz-1314604.patch b/SOURCES/moz-1314604.patch deleted file mode 100644 index 7d27f67..0000000 --- a/SOURCES/moz-1314604.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -diff -up ./lib/ssl/ssl3con.c.moz-1314604 ./lib/ssl/ssl3con.c ---- ./lib/ssl/ssl3con.c.moz-1314604 2016-11-07 21:30:40.035272554 +0100 -+++ ./lib/ssl/ssl3con.c 2016-11-07 21:31:14.876273952 +0100 -@@ -6196,6 +6196,7 @@ sendDHClientKeyExchange(sslSocket * ss, - - if (pms == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); -+ rv = SECFailure; - goto loser; - } - -@@ -6939,7 +6940,6 @@ ssl3_HandleServerKeyExchange(sslSocket * - SECItem dh_Ys = {siBuffer, NULL, 0}; - unsigned dh_p_bits; - unsigned dh_g_bits; -- unsigned dh_Ys_bits; - PRInt32 minDH; - - rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length); -@@ -6968,9 +6968,10 @@ ssl3_HandleServerKeyExchange(sslSocket * - if (rv != SECSuccess) { - goto loser; /* malformed. */ - } -- dh_Ys_bits = SECKEY_BigIntegerBitLength(&dh_Ys); -- if (dh_Ys_bits > dh_p_bits || dh_Ys_bits <= 1) -- goto alert_loser; -+ if (!ssl_IsValidDHEShare(&dh_p, &dh_Ys)) { -+ errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; -+ goto alert_loser; -+ } - if (isTLS12) { - rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, - &sigAndHash); -@@ -9906,6 +9907,12 @@ ssl3_HandleDHClientKeyExchange(sslSocket - goto loser; - } - -+ if (!ssl_IsValidDHEShare(&srvrPubKey->u.dh.prime, -+ &clntPubKey.u.dh.publicValue)) { -+ PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); -+ return SECFailure; -+ } -+ - isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); - - if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; -diff -up ./lib/ssl/sslimpl.h.moz-1314604 ./lib/ssl/sslimpl.h ---- ./lib/ssl/sslimpl.h.moz-1314604 2016-11-07 21:30:40.028272553 +0100 -+++ ./lib/ssl/sslimpl.h 2016-11-07 21:30:40.047272554 +0100 -@@ -1647,6 +1647,7 @@ int ssl3_GatherCompleteHandshake(sslSock - extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss); - - extern SECStatus ssl3_SelectDHParams(sslSocket *ss); -+extern PRBool ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys); - - #ifndef 
NSS_DISABLE_ECC - extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss); -diff -up ./lib/ssl/sslsock.c.moz-1314604 ./lib/ssl/sslsock.c ---- ./lib/ssl/sslsock.c.moz-1314604 2016-11-07 21:30:40.040272554 +0100 -+++ ./lib/ssl/sslsock.c 2016-11-07 21:30:40.048272554 +0100 -@@ -1462,6 +1462,54 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd, - return SECSuccess; - } - -+/* This validates dh_Ys against the group prime. */ -+PRBool -+ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys) -+{ -+ unsigned int size_p = SECKEY_BigIntegerBitLength(dh_p); -+ unsigned int size_y = SECKEY_BigIntegerBitLength(dh_Ys); -+ unsigned int commonPart; -+ int cmp; -+ -+ if (dh_p->len == 0 || dh_Ys->len == 0) { -+ return PR_FALSE; -+ } -+ -+ /* Check that the prime is at least odd. */ -+ if ((dh_p->data[dh_p->len - 1] & 0x01) == 0) { -+ return PR_FALSE; -+ } -+ /* dh_Ys can't be 1, or bigger than dh_p. */ -+ if (size_y <= 1 || size_y > size_p) { -+ return PR_FALSE; -+ } -+ /* If dh_Ys is shorter, then it's definitely smaller than p-1. */ -+ if (size_y < size_p) { -+ return PR_TRUE; -+ } -+ -+ /* Compare the common part of each, minus the final octet. */ -+ commonPart = (size_p + 7) / 8; -+ PORT_Assert(commonPart <= dh_Ys->len); -+ PORT_Assert(commonPart <= dh_p->len); -+ cmp = PORT_Memcmp(dh_Ys->data + dh_Ys->len - commonPart, -+ dh_p->data + dh_p->len - commonPart, commonPart - 1); -+ if (cmp < 0) { -+ return PR_TRUE; -+ } -+ if (cmp > 0) { -+ return PR_FALSE; -+ } -+ -+ /* The last octet of the prime is the only thing that is different and that -+ * has to be two greater than the share, otherwise we have Ys == p - 1, -+ * and that means small subgroups. */ -+ if (dh_Ys->data[dh_Ys->len - 1] >= (dh_p->data[dh_p->len - 1] - 1)) { -+ return PR_FALSE; -+ } -+ -+ return PR_TRUE; -+} - - PRCallOnceType gWeakDHParamsRegisterOnce; - int gWeakDHParamsRegisterError; diff --git a/SOURCES/moz-1320932.patch b/SOURCES/moz-1320932.patch new file mode 100644 index 0000000..8f8602d 
--- /dev/null
+++ b/SOURCES/moz-1320932.patch
@@ -0,0 +1,24 @@
+changeset: 12916:6f35dc12506a
+branch: wip/dueno/typo-fix
+tag: tip
+parent: 12913:f2a9e4d85b64
+user: Daiki Ueno
+date: Tue Nov 29 14:18:08 2016 +0100
+files: tests/ssl/ssl.sh
+description:
+Use correct shell conditional for NSS_DISABLE_LIBPKIX check
+
+
+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+--- a/tests/ssl/ssl.sh
++++ b/tests/ssl/ssl.sh
+@@ -1006,7 +1006,7 @@ ssl_run()
+ do
+ case "${SSL_RUN}" in
+ "stapling")
+- if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then
++ if [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ ssl_stapling
+ fi
+ ;;
+
diff --git a/SOURCES/nss-3.16-token-init-race.patch b/SOURCES/nss-3.16-token-init-race.patch
index 08524b8..f47f13f 100644
--- a/SOURCES/nss-3.16-token-init-race.patch
+++ b/SOURCES/nss-3.16-token-init-race.patch
@@ -1,9 +1,9 @@
-diff -up ./nss/lib/pk11wrap/dev3hack.c.init-token-race ./nss/lib/pk11wrap/dev3hack.c
---- ./nss/lib/pk11wrap/dev3hack.c.init-token-race 2014-10-24 15:55:55.000000000 -0700
-+++ ./nss/lib/pk11wrap/dev3hack.c 2015-02-18 12:37:03.184120865 -0800
-@@ -245,6 +245,16 @@ nssSlot_Refresh
+diff -up nss/lib/pk11wrap/dev3hack.c.init-token-race nss/lib/pk11wrap/dev3hack.c
+--- nss/lib/pk11wrap/dev3hack.c.init-token-race 2017-01-13 17:58:55.485868744 +0100
++++ nss/lib/pk11wrap/dev3hack.c 2017-01-13 18:02:27.126675831 +0100
+@@ -231,6 +231,16 @@ nssSlot_Refresh(NSSSlot *slot)
 if (slot->token && slot->token->base.name[0] == 0) {
- doit = PR_TRUE;
+ doit = PR_TRUE;
 }
 + /* invalidate the session in the nss3slot if we haven't done an init
 + * token since we noticed that the token->default session is invalid.
@@ -16,11 +16,11 @@ diff -up ./nss/lib/pk11wrap/dev3hack.c.init-token-race ./nss/lib/pk11wrap/dev3ha + } + PK11_ExitSlotMonitor(nss3slot); if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) { - return PR_FAILURE; + return PR_FAILURE; } -@@ -252,7 +262,8 @@ nssSlot_Refresh - nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, - slot->token); +@@ -238,7 +248,8 @@ nssSlot_Refresh(NSSSlot *slot) + nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, + slot->token); } - return nssToken_Refresh(slot->token); + /* no need to call nssToken_Refresh since PK11_Init has already done so */ 
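Review bot: The comment kept on the new side of the dev3hack.c hunk, `/* no need to call nssToken_Refresh since PK11_Init has already done so */`, names a function that is not the one called two lines above it (`PK11_InitToken`). Suggest `/* no need to call nssToken_Refresh: PK11_InitToken above already refreshed the token */` so the rationale can be checked against the call it refers to. nssSlot_Refresh starts outside the hunk.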
@@ -28,45 +28,47 @@ diff -up ./nss/lib/pk11wrap/dev3hack.c.init-token-race ./nss/lib/pk11wrap/dev3ha } NSS_IMPLEMENT PRStatus -diff -up ./nss/lib/pk11wrap/pk11auth.c.init-token-race ./nss/lib/pk11wrap/pk11auth.c ---- ./nss/lib/pk11wrap/pk11auth.c.init-token-race 2014-10-24 15:55:55.000000000 -0700 -+++ ./nss/lib/pk11wrap/pk11auth.c 2015-02-18 12:37:03.184120865 -0800 -@@ -73,7 +73,6 @@ pk11_CheckPassword(PK11SlotInfo *slot, C - (unsigned char *)pw,len); - slot->lastLoginCheck = 0; - mustRetry = PR_FALSE; -- if (!alreadyLocked) PK11_ExitSlotMonitor(slot); - switch (crv) { - /* if we're already logged in, we're good to go */ - case CKR_OK: -@@ -100,7 +99,16 @@ pk11_CheckPassword(PK11SlotInfo *slot, C - break; - } - if (retry++ == 0) { -+ /* we already know the this session is invalid */ -+ slot->session = CK_INVALID_SESSION; -+ /* can't enter PK11_InitToken holding the lock -+ * This is safe because the only places that tries to -+ * hold the slot monitor over this call pass their own -+ * session, which would have failed above. 
-+ * (session != slot->session) */ -+ PK11_ExitSlotMonitor(slot); - rv = PK11_InitToken(slot,PR_FALSE); -+ PK11_EnterSlotMonitor(slot); - if (rv == SECSuccess) { - if (slot->session != CK_INVALID_SESSION) { - session = slot->session; /* we should have -@@ -118,6 +126,7 @@ pk11_CheckPassword(PK11SlotInfo *slot, C - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; /* some failure we can't fix by retrying */ - } -+ if (!alreadyLocked) PK11_ExitSlotMonitor(slot); +diff -up nss/lib/pk11wrap/pk11auth.c.init-token-race nss/lib/pk11wrap/pk11auth.c +--- nss/lib/pk11wrap/pk11auth.c.init-token-race 2017-01-13 17:58:55.485868744 +0100 ++++ nss/lib/pk11wrap/pk11auth.c 2017-01-13 18:05:07.650739842 +0100 +@@ -73,8 +73,6 @@ pk11_CheckPassword(PK11SlotInfo *slot, C + (unsigned char *)pw, len); + slot->lastLoginCheck = 0; + mustRetry = PR_FALSE; +- if (!alreadyLocked) +- PK11_ExitSlotMonitor(slot); + switch (crv) { + /* if we're already logged in, we're good to go */ + case CKR_OK: +@@ -101,7 +99,16 @@ pk11_CheckPassword(PK11SlotInfo *slot, C + break; + } + if (retry++ == 0) { ++ /* we already know the this session is invalid */ ++ slot->session = CK_INVALID_SESSION; ++ /* can't enter PK11_InitToken holding the lock ++ * This is safe because the only places that tries to ++ * hold the slot monitor over this call pass their own ++ * session, which would have failed above. 
++ * (session != slot->session) */ ++ PK11_ExitSlotMonitor(slot); + rv = PK11_InitToken(slot, PR_FALSE); ++ PK11_EnterSlotMonitor(slot); + if (rv == SECSuccess) { + if (slot->session != CK_INVALID_SESSION) { + session = slot->session; /* we should have +@@ -119,6 +126,8 @@ pk11_CheckPassword(PK11SlotInfo *slot, C + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; /* some failure we can't fix by retrying */ + } ++ if (!alreadyLocked) ++ PK11_ExitSlotMonitor(slot); } while (mustRetry); return rv; } -@@ -455,14 +464,18 @@ done: +@@ -465,14 +474,18 @@ done: slot->lastLoginCheck = 0; - PK11_RestoreROSession(slot,rwsession); + PK11_RestoreROSession(slot, rwsession); if (rv == SECSuccess) { + PK11_EnterSlotMonitor(slot); /* update our view of the world */ 
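Review bot: The comment carried onto the new side of the pk11auth.c hunk, `/* we already know the this session is invalid */`, has a stray `the`; `/* we already know this session is invalid */`. More importantly, the rebased patch now releases the monitor only at the end of each loop iteration (`if (!alreadyLocked) PK11_ExitSlotMonitor(slot);` just before `} while (mustRetry);`), so any `return` or loop exit between the `C_Login` call and that point would leave the slot monitor held; the loop head with the matching enter and the remaining `switch` cases are outside the hunk, so this is worth confirming against 3.28.2's pk11_CheckPassword rather than assuming the 3.21 analysis still holds. A one-line comment at the new exit, such as `/* balances the enter at the top of the loop; no early return between them */`, would document the invariant.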
@@ -75,80 +77,84 @@ diff -up ./nss/lib/pk11wrap/pk11auth.c.init-token-race ./nss/lib/pk11wrap/pk11au + slot->session = CK_INVALID_SESSION; + } + PK11_ExitSlotMonitor(slot); - PK11_InitToken(slot,PR_TRUE); - if (slot->needLogin) { -- PK11_EnterSlotMonitor(slot); - PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, - (unsigned char *)userpw,len); - slot->lastLoginCheck = 0; -- PK11_ExitSlotMonitor(slot); - } + PK11_InitToken(slot, PR_TRUE); + if (slot->needLogin) { +- PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Login(slot->session, CKU_USER, + (unsigned char *)userpw, len); + slot->lastLoginCheck = 0; +- PK11_ExitSlotMonitor(slot); + } } return rv; -@@ -506,7 +519,7 @@ PK11_ChangePW(PK11SlotInfo *slot, const - PK11_RestoreROSession(slot,rwsession); +@@ -520,7 +533,7 @@ PK11_ChangePW(PK11SlotInfo *slot, const + PK11_RestoreROSession(slot, rwsession); /* update our view of the world */ -- PK11_InitToken(slot,PR_TRUE); +- PK11_InitToken(slot, PR_TRUE); + /* PK11_InitToken(slot,PR_TRUE); */ return rv; } -diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11slot.c ---- ./nss/lib/pk11wrap/pk11slot.c.init-token-race 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/lib/pk11wrap/pk11slot.c 2016-01-12 17:58:34.519114993 -0800 -@@ -1053,6 +1053,7 @@ PK11_ReadMechanismList(PK11SlotInfo *slo +diff -up nss/lib/pk11wrap/pk11slot.c.init-token-race nss/lib/pk11wrap/pk11slot.c +--- nss/lib/pk11wrap/pk11slot.c.init-token-race 2017-01-13 17:58:55.486868720 +0100 ++++ nss/lib/pk11wrap/pk11slot.c 2017-01-13 18:12:50.869381900 +0100 +@@ -1085,6 +1085,7 @@ PK11_ReadMechanismList(PK11SlotInfo *slo CK_ULONG count; CK_RV crv; PRUint32 i; + char mechanismBits[sizeof(slot->mechanismBits)]; if (slot->mechanismList) { - PORT_Free(slot->mechanismList); -@@ -1060,10 +1061,8 @@ PK11_ReadMechanismList(PK11SlotInfo *slo + PORT_Free(slot->mechanismList); +@@ -1092,12 +1093,8 @@ PK11_ReadMechanismList(PK11SlotInfo *slo } slot->mechanismCount = 0; -- if (!slot->isThreadSafe) 
PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count); +- if (!slot->isThreadSafe) +- PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count); if (crv != CKR_OK) { -- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - PORT_SetError(PK11_MapError(crv)); - return SECFailure; +- if (!slot->isThreadSafe) +- PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } -@@ -1071,12 +1070,10 @@ PK11_ReadMechanismList(PK11SlotInfo *slo +@@ -1105,14 +1102,10 @@ PK11_ReadMechanismList(PK11SlotInfo *slo slot->mechanismList = (CK_MECHANISM_TYPE *) - PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE)); + PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE)); if (slot->mechanismList == NULL) { -- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - return SECFailure; +- if (!slot->isThreadSafe) +- PK11_ExitSlotMonitor(slot); + return SECFailure; } crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, - slot->mechanismList, &count); -- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + slot->mechanismList, &count); +- if (!slot->isThreadSafe) +- PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_Free(slot->mechanismList); - slot->mechanismList = NULL; -@@ -1084,14 +1081,16 @@ PK11_ReadMechanismList(PK11SlotInfo *slo - return SECSuccess; + PORT_Free(slot->mechanismList); + slot->mechanismList = NULL; +@@ -1120,14 +1113,16 @@ PK11_ReadMechanismList(PK11SlotInfo *slo + return SECSuccess; } slot->mechanismCount = count; - PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits)); + PORT_Memset(mechanismBits, 0, sizeof(slot->mechanismBits)); - for (i=0; i < count; i++) { - CK_MECHANISM_TYPE mech = slot->mechanismList[i]; - if (mech < 0x7ff) { -- slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8); + for (i = 0; i < count; i++) { + CK_MECHANISM_TYPE mech = slot->mechanismList[i]; + if (mech < 0x7ff) { +- slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 
8); + mechanismBits[mech & 0xff] |= 1 << (mech >> 8); - } + } } + PORT_Memcpy(slot->mechanismBits, mechanismBits, + sizeof(slot->mechanismBits)); return SECSuccess; } -@@ -1108,12 +1107,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo +@@ -1144,14 +1139,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo CK_RV crv; SECStatus rv; PRStatus status; @@ -163,19 +169,22 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl + } /* set the slot flags to the current token values */ -- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo); -- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); +- if (!slot->isThreadSafe) +- PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo); +- if (!slot->isThreadSafe) +- PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { + PK11_ExitSlotMonitor(slot); - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } -@@ -1150,7 +1157,10 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - slot->defRWSession = (PRBool)((!slot->readOnly) && - (tokenInfo.ulMaxSessionCount == 1)); +@@ -1186,8 +1187,10 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo + slot->defRWSession = (PRBool)((!slot->readOnly) && + (tokenInfo.ulMaxSessionCount == 1)); rv = PK11_ReadMechanismList(slot); -- if (rv != SECSuccess) return rv; +- if (rv != SECSuccess) +- return rv; + if (rv != SECSuccess) { + PK11_ExitSlotMonitor(slot); + return rv; 
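Review bot: On the new side of the `done:` hunk, `C_Login(slot->session, CKU_USER, ...)` is called with the surrounding `PK11_EnterSlotMonitor(slot)`/`PK11_ExitSlotMonitor(slot)` removed, while the same patch takes the monitor just before `PK11_InitToken` to invalidate `slot->session`; after `PK11_InitToken` returns, the fresh `slot->session` is therefore used for login with no lock, and `PK11_InitToken`'s return value is ignored, so the login may presumably run on `CK_INVALID_SESSION` if token init failed. The removal is carried over unchanged from the 3.21 version of the patch, so it is not new in this commit, but a rebase onto a reformatted tree is the moment to either restore the monitor around the login or add a comment stating why calling `C_Login` on the shared session unlocked is safe here. In PK11_ChangePW further down, `/* PK11_InitToken(slot,PR_TRUE); */` is commented-out code; prefer deleting it and stating in a comment why the refresh is no longer needed. The enclosing functions start outside the hunk.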
@@ -183,52 +192,58 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl slot->hasRSAInfo = PR_FALSE; slot->RSAInfoFlags = 0; -@@ -1165,50 +1175,23 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2; +@@ -1202,56 +1205,23 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo + slot->maxKeyCount = tokenInfo.ulMaxSessionCount / 2; } - /* Make sure our session handle is valid */ - if (slot->session == CK_INVALID_SESSION) { -- /* we know we don't have a valid session, go get one */ -- CK_SESSION_HANDLE session; +- /* we know we don't have a valid session, go get one */ +- CK_SESSION_HANDLE session; - -- /* session should be Readonly, serial */ -- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); -- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, +- /* session should be Readonly, serial */ +- if (!slot->isThreadSafe) +- PK11_EnterSlotMonitor(slot); +- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + /* we know we don't have a valid session, go get one */ + /* session should be Readonly, serial */ + crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, - (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, - slot,pk11_notify,&session); -- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); -- if (crv != CKR_OK) { -- PORT_SetError(PK11_MapError(crv)); -- return SECFailure; -- } -- slot->session = session; + (slot->defRWSession ? 
CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, + slot, pk11_notify, &session); +- if (!slot->isThreadSafe) +- PK11_ExitSlotMonitor(slot); +- if (crv != CKR_OK) { +- PORT_SetError(PK11_MapError(crv)); +- return SECFailure; +- } +- slot->session = session; - } else { -- /* The session we have may be defunct (the token associated with it) -- * has been removed */ -- CK_SESSION_INFO sessionInfo; +- /* The session we have may be defunct (the token associated with it) +- * has been removed */ +- CK_SESSION_INFO sessionInfo; - -- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); -- crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo); +- if (!slot->isThreadSafe) +- PK11_EnterSlotMonitor(slot); +- crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); - if (crv == CKR_DEVICE_ERROR) { -- PK11_GETTAB(slot)->C_CloseSession(slot->session); -- crv = CKR_SESSION_CLOSED; -- } -- if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) { -- crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID, -- (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, -- slot,pk11_notify,&slot->session); -- if (crv != CKR_OK) { -- PORT_SetError(PK11_MapError(crv)); -- slot->session = CK_INVALID_SESSION; -- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); -- return SECFailure; -- } -- } -- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); +- PK11_GETTAB(slot) +- ->C_CloseSession(slot->session); +- crv = CKR_SESSION_CLOSED; +- } +- if ((crv == CKR_SESSION_CLOSED) || (crv == CKR_SESSION_HANDLE_INVALID)) { +- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, +- (slot->defRWSession ? 
CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, +- slot, pk11_notify, &slot->session); +- if (crv != CKR_OK) { +- PORT_SetError(PK11_MapError(crv)); +- slot->session = CK_INVALID_SESSION; +- if (!slot->isThreadSafe) +- PK11_ExitSlotMonitor(slot); +- return SECFailure; +- } +- } +- if (!slot->isThreadSafe) +- PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); 
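Review bot: The new side of the PK11_InitToken hunk replaces the `if (slot->session == CK_INVALID_SESSION) { ... } else { C_GetSessionInfo / reopen }` logic with an unconditional `C_OpenSession` into a local `session`, so the function now relies on every caller having set `slot->session` to `CK_INVALID_SESSION` first; a caller arriving with a still-open handle would presumably have it overwritten and leaked once the local is stored. The callers this patch touches (pk11auth.c, pk11util.c) do invalidate it, but the precondition is not written down. Suggest a comment at the call: `/* precondition: slot->session is CK_INVALID_SESSION (callers invalidate it under the monitor); an open handle here would be leaked */`. The store of `session` into `slot->session` and the rest of PK11_InitToken are outside the hunk.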
@@ -240,66 +255,65 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl - if (status != PR_SUCCESS) + if (status != PR_SUCCESS) { + PK11_ExitSlotMonitor(slot); - return SECFailure; + return SECFailure; + } if (!(slot->isInternal) && (slot->hasRandom)) { - /* if this slot has a random number generater, use it to add entropy -@@ -1221,28 +1204,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - /* if this slot can issue random numbers, get some entropy from - * that random number generater and give it to our internal token. - */ -- PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GenerateRandom - (slot->session,random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(slot); - if (crv == CKR_OK) { -- PK11_EnterSlotMonitor(int_slot); - PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session, - random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(int_slot); - } + /* if this slot has a random number generater, use it to add entropy +@@ -1264,28 +1234,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo + /* if this slot can issue random numbers, get some entropy from + * that random number generater and give it to our internal token. 
+ */ +- PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes)); +- PK11_ExitSlotMonitor(slot); + if (crv == CKR_OK) { +- PK11_EnterSlotMonitor(int_slot); + PK11_GETTAB(int_slot) + ->C_SeedRandom(int_slot->session, + random_bytes, sizeof(random_bytes)); +- PK11_ExitSlotMonitor(int_slot); + } - /* Now return the favor and send entropy to the token's random - * number generater */ -- PK11_EnterSlotMonitor(int_slot); - crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, - random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(int_slot); - if (crv == CKR_OK) { -- PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, - random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(slot); - } - PK11_FreeSlot(int_slot); - } -@@ -1274,6 +1249,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - PK11_GETTAB(slot)->C_CloseSession(session); - } + /* Now return the favor and send entropy to the token's random + * number generater */ +- PK11_EnterSlotMonitor(int_slot); + crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, + random_bytes, sizeof(random_bytes)); +- PK11_ExitSlotMonitor(int_slot); + if (crv == CKR_OK) { +- PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, + random_bytes, sizeof(random_bytes)); +- PK11_ExitSlotMonitor(slot); + } + PK11_FreeSlot(int_slot); + } +@@ -1318,6 +1280,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo + ->C_CloseSession(session); + } } + PK11_ExitSlotMonitor(slot); - + return SECSuccess; } -@@ -1387,6 +1363,8 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT +@@ -1433,6 +1396,8 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT } /* if the token is present, initialize it */ if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { + /* session was initialized to CK_INVALID_SESSION when the slot + * was created */ - rv = PK11_InitToken(slot,PR_TRUE); - /* the only hard failures are on permanent devices, or 
function - * verify failures... function verify failures are already handled -@@ -1826,10 +1804,15 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C - return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? - PR_TRUE : PR_FALSE; + rv = PK11_InitToken(slot, PR_TRUE); + /* the only hard failures are on permanent devices, or function + * verify failures... function verify failures are already handled +@@ -1888,10 +1853,14 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C + return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE : PR_FALSE; } -- -+ + + PK11_EnterSlotMonitor(slot); - for (i=0; i < (int) slot->mechanismCount; i++) { -- if (slot->mechanismList[i] == type) return PR_TRUE; + for (i = 0; i < (int)slot->mechanismCount; i++) { +- if (slot->mechanismList[i] == type) +- return PR_TRUE; + if (slot->mechanismList[i] == type) { + PK11_ExitSlotMonitor(slot); + return PR_TRUE; 
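Review bot: In the entropy-exchange part of the PK11_InitToken hunk, the new side drops `PK11_EnterSlotMonitor(int_slot)`/`PK11_ExitSlotMonitor(int_slot)` around `C_SeedRandom(int_slot->session, ...)` and `C_GenerateRandom(int_slot->session, ...)`, but the monitor this patch holds for the whole of PK11_InitToken is `slot`'s, not `int_slot`'s (the branch is only entered when `!slot->isInternal`), so calls on the internal token's shared default session now run unserialized. Dropping the `slot` monitor there is correct since it is already held; dropping the `int_slot` one looks like an over-application of the same edit, unless the internal token's session is known to tolerate concurrent use, in which case a comment should say so. This is carried over from the 3.21 version of the patch rather than introduced by the rebase. If it is unintended, the fix is to restore the four `int_slot` enter/exit lines and leave only the `slot` ones removed.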
@@ -309,41 +323,41 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl return PR_FALSE; } -diff -up ./nss/lib/pk11wrap/pk11util.c.init-token-race ./nss/lib/pk11wrap/pk11util.c ---- ./nss/lib/pk11wrap/pk11util.c.init-token-race 2015-02-18 12:37:03.176120865 -0800 -+++ ./nss/lib/pk11wrap/pk11util.c 2015-02-18 12:39:44.158120658 -0800 -@@ -1560,6 +1560,11 @@ SECMOD_RestartModules(PRBool force) +diff -up nss/lib/pk11wrap/pk11util.c.init-token-race nss/lib/pk11wrap/pk11util.c +--- nss/lib/pk11wrap/pk11util.c.init-token-race 2017-01-13 17:58:55.487868695 +0100 ++++ nss/lib/pk11wrap/pk11util.c 2017-01-13 18:01:21.280291292 +0100 +@@ -1624,6 +1624,11 @@ SECMOD_RestartModules(PRBool force) * older modules require it, and it doesn't hurt (compliant modules * will return CKR_NOT_INITIALIZED */ - (void) PK11_GETTAB(mod)->C_Finalize(NULL); + (void)PK11_GETTAB(mod)->C_Finalize(NULL); + /* finalize clears the session, mark them dead in the + * slot as well */ + for (i=0; i < mod->slotCount; i++) { + mod->slots[i]->session = CK_INVALID_SESSION; + } - /* now initialize the module, this function reinitializes - * a module in place, preserving existing slots (even if they - * no longer exist) */ -@@ -1579,17 +1584,18 @@ SECMOD_RestartModules(PRBool force) - /* get new token sessions, bump the series up so that - * we refresh other old sessions. This will tell much of - * NSS to flush cached handles it may hold as well */ -- rv = PK11_InitToken(mod->slots[i],PR_TRUE); + /* now initialize the module, this function reinitializes + * a module in place, preserving existing slots (even if they + * no longer exist) */ +@@ -1643,17 +1648,18 @@ SECMOD_RestartModules(PRBool force) + /* get new token sessions, bump the series up so that + * we refresh other old sessions. 
This will tell much of + * NSS to flush cached handles it may hold as well */ +- rv = PK11_InitToken(mod->slots[i], PR_TRUE); + PK11SlotInfo *slot = mod->slots[i]; + rv = PK11_InitToken(slot,PR_TRUE); - /* PK11_InitToken could fail if the slot isn't present. - * If it is present, though, something is wrong and we should - * disable the slot and let the caller know. */ -- if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) { + /* PK11_InitToken could fail if the slot isn't present. + * If it is present, though, something is wrong and we should + * disable the slot and let the caller know. */ +- if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) { + if (rv != SECSuccess && PK11_IsPresent(slot)) { - /* save the last error code */ - lastError = PORT_GetError(); - rrv = rv; - /* disable the token */ -- mod->slots[i]->disabled = PR_TRUE; -- mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + /* save the last error code */ + lastError = PORT_GetError(); + rrv = rv; + /* disable the token */ +- mod->slots[i]->disabled = PR_TRUE; +- mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; - } - } - } + } + } + } diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch index d07ecdd..f5db089 100644 --- a/SOURCES/nss-539183.patch +++ b/SOURCES/nss-539183.patch 
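Review bot: The rebased pk11util.c hunk keeps pre-clang-format spacing on its added lines, `for (i=0; i < mod->slotCount; i++) {` and `rv = PK11_InitToken(slot,PR_TRUE);`, in a base that 3.28.2 has reformatted (the removed line reads `PK11_InitToken(mod->slots[i], PR_TRUE)`); use `for (i = 0; i < mod->slotCount; i++) {` and `rv = PK11_InitToken(slot, PR_TRUE);` so the patched file passes the tree's formatting check. Separately, the loop that sets `mod->slots[i]->session = CK_INVALID_SESSION` after `C_Finalize` writes the session handle without the slot monitor that the rest of this patch uses to guard it; if SECMOD_RestartModules is expected to run single-threaded at that point, a one-line comment saying so would justify it. SECMOD_RestartModules starts outside the hunk.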
@@ -1,13 +1,13 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c ---- nss/cmd/httpserv/httpserv.c.539183 2013-05-28 14:43:24.000000000 -0700 -+++ nss/cmd/httpserv/httpserv.c 2013-05-30 22:16:46.685373471 -0700 -@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port - PRNetAddr addr; +--- nss/cmd/httpserv/httpserv.c.539183 2016-08-15 17:58:41.756630037 +0200 ++++ nss/cmd/httpserv/httpserv.c 2016-08-15 18:04:13.559131620 +0200 +@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port + PRNetAddr addr; PRSocketOptionData opt; - addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); + if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { + errExit("PR_SetNetAddr"); + } 
@@ -15,21 +15,21 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c - listen_sock = PR_NewTCPSocket(); + listen_sock = PR_OpenTCPSocket(PR_AF_INET6); if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); +- errExit("PR_NewTCPSocket"); + errExit("PR_OpenTCPSocket error"); } opt.option = PR_SockOpt_Nonblocking; diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c ---- nss/cmd/selfserv/selfserv.c.539183 2013-05-28 14:43:24.000000000 -0700 -+++ nss/cmd/selfserv/selfserv.c 2013-05-30 22:16:46.688373495 -0700 -@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port - PRNetAddr addr; +--- nss/cmd/selfserv/selfserv.c.539183 2016-08-15 17:58:41.756630037 +0200 ++++ nss/cmd/selfserv/selfserv.c 2016-08-15 18:05:11.027487891 +0200 +@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port + PRNetAddr addr; PRSocketOptionData opt; - addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); + if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { + errExit("PR_SetNetAddr"); + } @@ -37,7 +37,7 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c - listen_sock = PR_NewTCPSocket(); + listen_sock = PR_OpenTCPSocket(PR_AF_INET6); if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); +- errExit("PR_NewTCPSocket"); + errExit("PR_OpenTCPSocket error"); } diff --git a/SOURCES/nss-disable-chacha20-gtests.patch b/SOURCES/nss-disable-chacha20-gtests.patch new file mode 100644 index 0000000..ff221d3 --- /dev/null +++ b/SOURCES/nss-disable-chacha20-gtests.patch 
@@ -0,0 +1,140 @@ +diff -up nss/gtests/pk11_gtest/manifest.mn.disable-chacha20 nss/gtests/pk11_gtest/manifest.mn +--- nss/gtests/pk11_gtest/manifest.mn.disable-chacha20 2017-01-30 02:06:08.000000000 +0100 ++++ nss/gtests/pk11_gtest/manifest.mn 2017-02-17 11:40:26.749019359 +0100 +@@ -8,7 +8,6 @@ MODULE = nss + + CPPSRCS = \ + pk11_aeskeywrap_unittest.cc \ +- pk11_chacha20poly1305_unittest.cc \ + pk11_export_unittest.cc \ + pk11_pbkdf2_unittest.cc \ + pk11_prf_unittest.cc \ +diff -up nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc +--- nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20 2017-01-30 02:06:08.000000000 +0100 ++++ nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc 2017-02-17 11:40:26.749019359 +0100 +@@ -326,10 +326,7 @@ INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, +- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, +- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, +- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256); ++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384); + INSTANTIATE_CIPHER_TEST_P( + CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, +@@ -361,7 +358,7 @@ INSTANTIATE_CIPHER_TEST_P( + INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13, + ::testing::ValuesIn(kFasterDHEGroups), + ::testing::ValuesIn(kSignatureSchemesParamsArr), +- TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, ++ TLS_AES_128_GCM_SHA256, + TLS_AES_256_GCM_SHA384); + INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13, + ::testing::ValuesIn(kAllDHEGroups), +@@ -446,9 +443,7 @@ static const SecStatusParams kSecStatusT + {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_128_GCM_SHA256, + "AES-128-GCM", 128}, + {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_256_GCM_SHA384, +- 
"AES-256-GCM", 256}, +- {SSL_LIBRARY_VERSION_TLS_1_2, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, +- "ChaCha20-Poly1305", 256}}; ++ "AES-256-GCM", 256}}; + INSTANTIATE_TEST_CASE_P(TestSecurityStatus, SecurityStatusTest, + ::testing::ValuesIn(kSecStatusTestValuesArr)); + +diff -up nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_drop_unittest.cc +--- nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20 2017-01-30 02:06:08.000000000 +0100 ++++ nss/gtests/ssl_gtest/ssl_drop_unittest.cc 2017-02-17 11:41:03.656247032 +0100 +@@ -65,69 +65,4 @@ TEST_P(TlsConnectDatagram, DropServerSec + Connect(); + } + +-static void GetCipherAndLimit(uint16_t version, uint16_t* cipher, +- uint64_t* limit = nullptr) { +- uint64_t l; +- if (!limit) limit = &l; +- +- if (version < SSL_LIBRARY_VERSION_TLS_1_2) { +- *cipher = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; +- *limit = 0x5aULL << 28; +- } else if (version == SSL_LIBRARY_VERSION_TLS_1_2) { +- *cipher = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256; +- *limit = (1ULL << 48) - 1; +- } else { +- *cipher = TLS_CHACHA20_POLY1305_SHA256; +- *limit = (1ULL << 48) - 1; +- } +-} +- +-// This simulates a huge number of drops on one side. +-TEST_P(TlsConnectDatagram, MissLotsOfPackets) { +- uint16_t cipher; +- uint64_t limit; +- +- GetCipherAndLimit(version_, &cipher, &limit); +- +- EnsureTlsSetup(); +- server_->EnableSingleCipher(cipher); +- Connect(); +- +- // Note that the limit for ChaCha is 2^48-1. +- EXPECT_EQ(SECSuccess, +- SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), limit - 10)); +- SendReceive(); +-} +- +-class TlsConnectDatagram12Plus : public TlsConnectDatagram { +- public: +- TlsConnectDatagram12Plus() : TlsConnectDatagram() {} +-}; +- +-// This simulates missing a window's worth of packets. 
+-TEST_P(TlsConnectDatagram12Plus, MissAWindow) { +- EnsureTlsSetup(); +- uint16_t cipher; +- GetCipherAndLimit(version_, &cipher); +- server_->EnableSingleCipher(cipher); +- Connect(); +- +- EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 0)); +- SendReceive(); +-} +- +-TEST_P(TlsConnectDatagram12Plus, MissAWindowAndOne) { +- EnsureTlsSetup(); +- uint16_t cipher; +- GetCipherAndLimit(version_, &cipher); +- server_->EnableSingleCipher(cipher); +- Connect(); +- +- EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 1)); +- SendReceive(); +-} +- +-INSTANTIATE_TEST_CASE_P(Datagram12Plus, TlsConnectDatagram12Plus, +- TlsConnectTestBase::kTlsV12Plus); +- + } // namespace nss_test +diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc +--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20 2017-02-17 11:40:26.747019401 +0100 ++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-02-17 11:40:26.749019359 +0100 +@@ -50,17 +50,6 @@ TEST_P(TlsConnectGeneric, ConnectEcdhe) + CheckKeys(); + } + +-// If we pick a 256-bit cipher suite and use a P-384 certificate, the server +-// should choose P-384 for key exchange too. Only valid for TLS == 1.2 because +-// we don't have 256-bit ciphers before then and 1.3 doesn't try to couple +-// DHE size to symmetric size. +-TEST_P(TlsConnectTls12, ConnectEcdheP384) { +- Reset(TlsAgent::kServerEcdsa384); +- ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); +- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa, +- ssl_sig_ecdsa_secp256r1_sha256); +-} +- + TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) { + EnsureTlsSetup(); + const std::vector groups = {ssl_grp_ec_secp384r1, diff --git a/SOURCES/nss-disable-chacha20-tests.patch b/SOURCES/nss-disable-chacha20-tests.patch new file mode 100644 index 0000000..8ad0b4f --- /dev/null +++ b/SOURCES/nss-disable-chacha20-tests.patch 
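Review bot: The new patch deletes the whole DTLS sequence-number block in ssl_drop_unittest.cc (`GetCipherAndLimit`, `MissLotsOfPackets`, `MissAWindow`, `MissAWindowAndOne` and the `Datagram12Plus` instantiation) rather than only the ChaCha20 arms of `GetCipherAndLimit`, so coverage of the record-layer write-sequence limit and window handling is lost for AES-GCM as well, which is unrelated to ChaCha20 being unavailable. A narrower change would keep those tests and pick an AES suite for the TLS 1.2 and 1.3 arms, e.g. `*cipher = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;` and `*cipher = TLS_AES_128_GCM_SHA256;` (both already referenced in ssl_ciphersuite_unittest.cc in this patch), with the `*limit` values adjusted to those suites' limits. If the tests are dropped deliberately, a note in the patch header saying why would help the next rebase.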
@@ -0,0 +1,20 @@ +diff -up nss/tests/ssl/sslcov.txt.disable-chacha20 nss/tests/ssl/sslcov.txt +--- nss/tests/ssl/sslcov.txt.disable-chacha20 2017-01-30 02:06:08.000000000 +0100 ++++ nss/tests/ssl/sslcov.txt 2017-02-17 11:40:26.749019359 +0100 +@@ -65,7 +65,7 @@ + noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 + noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256 + noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256 +- noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ++# noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + # + # ECC ciphers (TLS) + # +@@ -139,5 +139,5 @@ + ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +- ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +- ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ++# ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ++# ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch new file mode 100644 index 0000000..f54e4b7 --- /dev/null +++ b/SOURCES/nss-disable-cipher-suites.patch 
@@ -0,0 +1,27 @@ +diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2017-02-20 16:29:09.760163465 +0100 ++++ nss/lib/ssl/ssl3con.c 2017-02-20 16:30:32.948137315 +0100 +@@ -96,7 +96,10 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default. ++ * The GCM variant is preferred for new applications. ++ */ ++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +@@ -104,7 +107,10 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default. ++ * The GCM variant is preferred for new applications. ++ */ ++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, diff --git a/SOURCES/nss-disable-curve25519-gtests.patch b/SOURCES/nss-disable-curve25519-gtests.patch new file mode 100644 index 0000000..4d1eb35 
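Review bot: The rationale comment added above each changed entry, `The GCM variant is preferred for new applications.`, does not explain the actual change: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` on the line above is left enabled by default while only the `_SHA256` CBC variant is switched to `PR_FALSE`, so GCM preference alone does not distinguish them. State the real driver (compatibility or policy, whichever applies) in the comment, e.g. `/* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default for <reason>; the SHA-1 CBC suite stays enabled for compatibility. */`, so the next rebase can judge whether it still applies. The same applies to the second hunk for the RSA variant.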
--- /dev/null +++ b/SOURCES/nss-disable-curve25519-gtests.patch @@ -0,0 +1,24 @@ +diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc +--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519 2017-02-17 11:35:40.794056778 +0100 ++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-02-17 11:35:50.905842897 +0100 +@@ -287,20 +287,6 @@ TEST_P(TlsConnectStreamPre13, Configured + ssl_sig_rsa_pss_sha256); + } + +-TEST_P(TlsKeyExchangeTest, Curve25519) { +- Reset(TlsAgent::kServerEcdsa256); +- const std::vector groups = { +- ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1}; +- EnsureKeyShareSetup(); +- ConfigNamedGroups(groups); +- Connect(); +- +- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_ecdsa, +- ssl_sig_ecdsa_secp256r1_sha256); +- const std::vector shares = {ssl_grp_ec_curve25519}; +- CheckKEXDetails(groups, shares); +-} +- + TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) { + EnsureTlsSetup(); + client_->DisableAllCiphers(); diff --git a/SOURCES/nss-disable-curve25519-tests.patch b/SOURCES/nss-disable-curve25519-tests.patch new file mode 100644 index 0000000..bfd9081 --- /dev/null +++ b/SOURCES/nss-disable-curve25519-tests.patch @@ -0,0 +1,10 @@ +--- nss/tests/ec/ectest.sh.disable-curve25519 2017-01-30 02:06:08.000000000 +0100 ++++ nss/tests/ec/ectest.sh 2017-02-17 11:35:24.937392173 +0100 +@@ -46,7 +46,6 @@ ectest_genkeydb_test() + return $? + fi + curves=( \ +- "curve25519" \ + "secp256r1" \ + "secp384r1" \ + "secp521r1" \ diff --git a/SOURCES/nss-disable-curve25519.patch b/SOURCES/nss-disable-curve25519.patch new file mode 100644 index 0000000..e6925af --- /dev/null +++ b/SOURCES/nss-disable-curve25519.patch 
@@ -0,0 +1,13 @@
+diff -up nss/lib/ssl/sslsock.c.disable-curve25519 nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.disable-curve25519 2017-02-17 11:35:24.922392490 +0100
++++ nss/lib/ssl/sslsock.c 2017-02-17 11:35:24.936392194 +0100
+@@ -152,7 +152,7 @@ static const PRUint16 srtpCiphers[] = {
+ const sslNamedGroupDef ssl_named_groups[] = {
+ /* Note that 256 for 25519 is a lie, but we only use it for checking bit
+ * security and expect 256 bits there (not 255). */
+- { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_TRUE },
++ { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_FALSE },
+ ECGROUP(secp256r1, 256, SECP256R1, PR_TRUE),
+ ECGROUP(secp384r1, 384, SECP384R1, PR_TRUE),
+ ECGROUP(secp521r1, 521, SECP521R1, PR_TRUE),
+diff -up nss/tests/ec/ectest.sh.disable-curve25519 nss/tests/ec/ectest.sh
diff --git a/SOURCES/nss-disable-pss-gtests.patch
new file mode 100644
index 0000000..0f090e4
--- /dev/null
+++ b/SOURCES/nss-disable-pss-gtests.patch
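Review bot: The patch ends with a bare `+diff -up nss/tests/ec/ectest.sh.disable-curve25519 nss/tests/ec/ectest.sh` header with no `---`/`+++`/`@@` body; `patch` will either complain about garbage or skip it, and the ectest.sh change already lives in `nss-disable-curve25519-tests.patch`, so this trailing line should be removed. On the flag change itself, only the last column of the `ssl_grp_ec_curve25519` row flips to `PR_FALSE` and the struct definition is not in view; if that column is the assume-supported flag (the neighbouring `ECGROUP(..., PR_TRUE)` rows suggest so), this defers to a runtime token probe rather than removing the group from what NSS advertises, so X25519 is only really off on a softoken built without it. A one-line comment above the row stating the intent, e.g. `/* Do not assume token support for Curve25519; the platform softoken lacks it. */`, would make that dependency explicit for the next rebase.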
@@ -0,0 +1,156 @@ +diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc +--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss 2017-02-17 11:45:24.866780893 +0100 ++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-02-17 11:47:16.774439092 +0100 +@@ -58,7 +58,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 + server_->ConfigNamedGroups(groups); + Connect(); + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + } + + // This causes a HelloRetryRequest in TLS 1.3. Earlier versions don't care. +@@ -71,7 +71,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 + server_->ConfigNamedGroups(groups); + Connect(); + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3, + hrr_capture->buffer().len() != 0); + } +@@ -101,7 +101,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority) + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + + std::vector shares = {ssl_grp_ec_secp384r1}; + CheckKEXDetails(groups, shares); +@@ -118,7 +118,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + + std::vector shares = {ssl_grp_ec_secp384r1}; + std::vector expectedGroups = {ssl_grp_ec_secp384r1, +@@ -136,7 +136,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + + if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { + std::vector shares = {ssl_grp_ec_secp384r1}; +@@ -161,7 +161,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, +- 
ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + } + + TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) { +@@ -177,7 +177,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + } + + class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter { +@@ -265,7 +265,7 @@ TEST_P(TlsConnectStreamPre13, Configured + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + CheckConnected(); + + // The renegotiation has to use the same preferences as the original session. +@@ -273,7 +273,7 @@ TEST_P(TlsConnectStreamPre13, Configured + client_->StartRenegotiate(); + Handshake(); + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + } + + TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) { +@@ -293,7 +293,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + } + + #ifndef NSS_DISABLE_TLS_1_3 +@@ -312,7 +312,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + const std::vector shares = {ssl_grp_ec_secp256r1}; + CheckKEXDetails(client_groups, shares); + } +@@ -332,7 +332,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + const std::vector shares = {ssl_grp_ec_curve25519}; + CheckKEXDetails(client_groups, shares); + } +@@ -354,7 +354,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- 
ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + const std::vector shares = {ssl_grp_ec_curve25519}; + CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); + } +@@ -376,7 +376,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + const std::vector shares = {ssl_grp_ec_curve25519}; + CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); + } +@@ -398,7 +398,7 @@ TEST_P(TlsKeyExchangeTest13, + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + const std::vector shares = {ssl_grp_ec_curve25519}; + CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); + } +@@ -420,7 +420,7 @@ TEST_P(TlsKeyExchangeTest13, + Connect(); + + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + const std::vector shares = {ssl_grp_ec_curve25519}; + CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); + } +@@ -482,7 +482,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli + + // The server would accept 25519 but its preferred group (P256) has to win. + CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, +- ssl_sig_rsa_pss_sha256); ++ ssl_sig_rsa_pkcs1_sha256); + const std::vector shares = {ssl_grp_ec_curve25519, + ssl_grp_ec_secp256r1}; + CheckKEXDetails(client_groups, shares); diff --git a/SOURCES/nss-disable-unsupported-gtests.patch b/SOURCES/nss-disable-unsupported-gtests.patch new file mode 100644 index 0000000..983b8e4 --- /dev/null +++ b/SOURCES/nss-disable-unsupported-gtests.patch 
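Review bot: Several of the rewritten expectations sit in `TlsKeyExchangeTest13` cases inside the `#ifndef NSS_DISABLE_TLS_1_3` block, where `CheckKeys(..., ssl_sig_rsa_pkcs1_sha256)` now asserts a PKCS#1 v1.5 handshake signature; TLS 1.3 does not permit RSA PKCS#1 v1.5 in CertificateVerify, so those assertions can only pass if TLS 1.3 is compiled out (in which case the edits are dead code) or if something outside this patch also changes signature-scheme negotiation, which I cannot see from here. If the goal is only to stop depending on RSA-PSS support in softoken, I would leave the TLS 1.3 tests untouched, or disable them with a reason comment, and change only the `Pre13`/generic cases. A header comment in the patch stating why PSS is unavailable on this platform would also help whoever rebases it.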
@@ -0,0 +1,39 @@
+diff -up nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_export_unittest.cc
+--- nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests 2017-01-30 02:06:08.000000000 +0100
++++ nss/gtests/pk11_gtest/pk11_export_unittest.cc 2017-02-17 12:02:00.023957459 +0100
+@@ -61,6 +61,4 @@ class Pkcs11ExportTest : public ::testin
+
+ TEST_F(Pkcs11ExportTest, DeriveNonExport) { Derive(false); }
+
+-TEST_F(Pkcs11ExportTest, DeriveExport) { Derive(true); }
+-
+ } // namespace nss_test
+diff -up nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
+--- nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests 2017-02-17 12:09:06.448036028 +0100
++++ nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc 2017-02-17 12:10:03.479842833 +0100
+@@ -72,25 +72,4 @@ class Pkcs11Pbkdf2Test : public ::testin
+ }
+ };
+
+-// RFC 6070
+-TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
+- std::vector derived = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84,
+- 0x9b, 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0,
+- 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c,
+- 0xf2, 0xf0, 0x70, 0x38};
+-
+- Derive(derived, SEC_OID_HMAC_SHA1);
+-}
+-
+-// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
+-TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
+- std::vector derived = {
+- 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8,
+- 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e,
+- 0xbc, 0x18, 0x00, 0x18, 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd,
+- 0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9};
+-
+- Derive(derived, SEC_OID_HMAC_SHA256);
+-}
+-
+ } // namespace nss_test
diff --git a/SOURCES/nss-disable-unsupported-tests.patch
new file mode 100644
index 0000000..9b57e20
--- /dev/null
+++ b/SOURCES/nss-disable-unsupported-tests.patch
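Review bot: Deleting `DeriveKnown1`/`DeriveKnown2` removes the RFC 6070 known-answer vectors, which are the only KAT coverage for PBKDF2-HMAC-SHA1/SHA256 through the PKCS#11 layer in these tests, and the patch carries no comment saying which mechanism the local softoken is missing. I would keep the tests in place and guard them instead of deleting, e.g. `// Disabled on this platform: softoken lacks the PBKDF2 mechanism exercised here; see <bug>` above a `DISABLED_` prefix or an explicit skip, so a future rebase can re-enable them once the token catches up. The same applies to the removed `DeriveExport` case: exporting a derived key is security-relevant enough that silently losing the test deserves at least a one-line reason in the patch.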
@@ -0,0 +1,13 @@
+diff -up nss/tests/ec/ectest.sh.disable_unsupported_tests nss/tests/ec/ectest.sh
+--- nss/tests/ec/ectest.sh.disable_unsupported_tests 2017-02-17 12:33:08.137805278 +0100
++++ nss/tests/ec/ectest.sh 2017-02-17 12:43:50.000297523 +0100
+@@ -81,7 +81,8 @@ if [ -f ${BINDIR}/fbectest ]; then
+ fi
+ fi
+ if [ -f ${BINDIR}/pk11ectest ]; then
+- PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1)
++ PK11_ECTEST_OUT=$(pk11ectest -n 2>&1)
++ echo $PK11_ECTEST_OUT
+ PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
+ if [ -n "$PK11_ECTEST_OUT" ] ; then
+ html_failed "pk11 ec tests"
diff --git a/SOURCES/nss-ecpoint-encoding.patch
new file mode 100644
index 0000000..2577621
--- /dev/null
+++ b/SOURCES/nss-ecpoint-encoding.patch
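Review bot: The added `echo $PK11_ECTEST_OUT` is unquoted, so the captured tool output is word-split and glob-expanded before it is printed (a `*` or `?` in a failure message will match files in the current directory); write `echo "$PK11_ECTEST_OUT"`. The pre-existing backtick `grep` line has the same pattern but is not touched by this hunk, so only the new line needs fixing here. Dropping `-d` also changes what `pk11ectest` exercises without saying why; a one-line comment such as `# -d omitted: not supported by the pk11ectest shipped on this platform` (adjusted to the real reason, which I cannot see from here) would save the next rebaser a trip to the tool's usage text.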
@@ -0,0 +1,330 @@ + +# HG changeset patch +# User Kai Engert +# Date 1487329827 -3600 +# Node ID 0050234a859c2aac2cf8cb5092218191300b1901 +# Parent 0e25df041c8fdc8610c6f227084d11eb8ad81149 +Bug 1340103, Introduction of SECKEYECPublicKey.encoding in NSS 3.28 broke ABI, r=rrelyea/mt + +diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h +--- a/lib/cryptohi/keyi.h ++++ b/lib/cryptohi/keyi.h +@@ -12,18 +12,11 @@ SEC_BEGIN_PROTOS + KeyType seckey_GetKeyType(SECOidTag pubKeyOid); + + /* extract the 'encryption' (could be signing) and hash oids from and + * algorithm, key and parameters (parameters is the parameters field + * of a algorithm ID structure (SECAlgorithmID)*/ + SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, + const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg); + +-/* +- * Set the point encoding of a SECKEYPublicKey from the OID. +- * This has to be called on any SECKEYPublicKey holding a SECKEYECPublicKey +- * before it can be used. The encoding is used to dermine the public key size. 
+- */ +-SECStatus seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey); +- + SEC_END_PROTOS + + #endif /* _KEYHI_H_ */ +diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h +--- a/lib/cryptohi/keythi.h ++++ b/lib/cryptohi/keythi.h +@@ -120,19 +120,19 @@ typedef struct SECKEYDHPublicKeyStr SECK + ** Elliptic curve Public Key structure + ** The PKCS#11 layer needs DER encoding of ANSI X9.62 + ** parameters value + */ + typedef SECItem SECKEYECParams; + + struct SECKEYECPublicKeyStr { + SECKEYECParams DEREncodedParams; +- int size; /* size in bits */ +- SECItem publicValue; /* encoded point */ +- ECPointEncoding encoding; ++ int size; /* size in bits */ ++ SECItem publicValue; /* encoded point */ ++ ECPointEncoding encoding; /* deprecated, ignored */ + }; + typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey; + + /* + ** FORTEZZA Public Key structures + */ + struct SECKEYFortezzaPublicKeyStr { + int KEAversion; +diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c +--- a/lib/cryptohi/seckey.c ++++ b/lib/cryptohi/seckey.c +@@ -542,16 +542,33 @@ seckey_GetKeyType(SECOidTag tag) + + /* Function used to determine what kind of cert we are dealing with. */ + KeyType + CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki) + { + return seckey_GetKeyType(SECOID_GetAlgorithmTag(&spki->algorithm)); + } + ++/* Ensure pubKey contains an OID */ ++static SECStatus ++seckey_HasCurveOID(const SECKEYPublicKey *pubKey) ++{ ++ SECItem oid; ++ SECStatus rv; ++ PORTCheapArenaPool tmpArena; ++ ++ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); ++ /* If we can decode it, an OID is available. 
*/ ++ rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid, ++ SEC_ASN1_GET(SEC_ObjectIDTemplate), ++ &pubKey->u.ec.DEREncodedParams); ++ PORT_DestroyCheapArena(&tmpArena); ++ return rv; ++} ++ + static SECKEYPublicKey * + seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) + { + SECKEYPublicKey *pubk; + SECItem os, newOs, newParms; + SECStatus rv; + PLArenaPool *arena; + SECOidTag tag; +@@ -634,17 +651,18 @@ seckey_ExtractPublicKey(const CERTSubjec + &spki->algorithm.parameters); + if (rv != SECSuccess) { + break; + } + rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs); + if (rv != SECSuccess) { + break; + } +- rv = seckey_SetPointEncoding(arena, pubk); ++ pubk->u.ec.encoding = ECPoint_Undefined; ++ rv = seckey_HasCurveOID(pubk); + if (rv == SECSuccess) { + return pubk; + } + break; + + default: + PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); + break; +@@ -1157,26 +1175,26 @@ SECKEY_CopyPublicKey(const SECKEYPublicK + rv = SECITEM_CopyItem(arena, ©k->u.dh.base, &pubk->u.dh.base); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, ©k->u.dh.publicValue, + &pubk->u.dh.publicValue); + break; + case ecKey: + copyk->u.ec.size = pubk->u.ec.size; ++ rv = seckey_HasCurveOID(pubk); ++ if (rv != SECSuccess) { ++ break; ++ } + rv = SECITEM_CopyItem(arena, ©k->u.ec.DEREncodedParams, + &pubk->u.ec.DEREncodedParams); + if (rv != SECSuccess) { + break; + } +- rv = seckey_SetPointEncoding(arena, copyk); +- if (rv != SECSuccess) { +- break; +- } +- PORT_Assert(copyk->u.ec.encoding == pubk->u.ec.encoding); ++ copyk->u.ec.encoding = ECPoint_Undefined; + rv = SECITEM_CopyItem(arena, ©k->u.ec.publicValue, + &pubk->u.ec.publicValue); + break; + case nullKey: + return copyk; + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + rv = SECFailure; +@@ -1938,44 +1956,8 @@ SECKEY_GetECCOid(const SECKEYECParams *p + return 0; + oid.len = params->len - 2; + oid.data = params->data + 2; + if ((oidData = SECOID_FindOID(&oid)) == NULL) + return 0; + + return 
oidData->offset; + } +- +-/* Set curve encoding in SECKEYECPublicKey in pubKey from OID. +- * If the encoding is not set, determining the key size of EC public keys will +- * fail. +- */ +-SECStatus +-seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey) +-{ +- SECItem oid; +- SECOidTag tag; +- SECStatus rv; +- +- /* decode the OID tag */ +- rv = SEC_QuickDERDecodeItem(arena, &oid, SEC_ASN1_GET(SEC_ObjectIDTemplate), +- &pubKey->u.ec.DEREncodedParams); +- if (rv != SECSuccess) { +- return SECFailure; +- } +- +- tag = SECOID_FindOIDTag(&oid); +- switch (tag) { +- case SEC_OID_CURVE25519: +- pubKey->u.ec.encoding = ECPoint_XOnly; +- break; +- case SEC_OID_SECG_EC_SECP256R1: +- /* fall through */ +- case SEC_OID_SECG_EC_SECP384R1: +- /* fall through */ +- case SEC_OID_SECG_EC_SECP521R1: +- /* fall through */ +- default: +- /* unknown curve, default to uncompressed */ +- pubKey->u.ec.encoding = ECPoint_Uncompressed; +- } +- return SECSuccess; +-} +diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c +--- a/lib/pk11wrap/pk11akey.c ++++ b/lib/pk11wrap/pk11akey.c +@@ -760,22 +760,20 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + + crv = pk11_Attr2SecItem(arena, ecparams, + &pubKey->u.ec.DEREncodedParams); + if (crv != CKR_OK) + break; ++ pubKey->u.ec.encoding = ECPoint_Undefined; + crv = pk11_get_Decoded_ECPoint(arena, + &pubKey->u.ec.DEREncodedParams, value, + &pubKey->u.ec.publicValue); +- if (seckey_SetPointEncoding(arena, pubKey) != SECSuccess) { +- crv |= CKR_GENERAL_ERROR; +- } + break; + case fortezzaKey: + case nullKey: + default: + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + +diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c +--- a/lib/pk11wrap/pk11skey.c ++++ b/lib/pk11wrap/pk11skey.c +@@ -2032,27 +2032,62 @@ PK11_PubDerive(SECKEYPrivateKey *privKey + PORT_SetError(PK11_MapError(crv)); + } + } + + PK11_FreeSymKey(symKey); + return NULL; + } + ++/* Test for curves that are 
known to use a special encoding. ++ * Extend this function when additional curves are added. */ ++static ECPointEncoding ++pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey) ++{ ++ SECItem oid; ++ SECStatus rv; ++ PORTCheapArenaPool tmpArena; ++ ECPointEncoding encoding = ECPoint_Undefined; ++ ++ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); ++ ++ /* decode the OID tag */ ++ rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid, ++ SEC_ASN1_GET(SEC_ObjectIDTemplate), ++ &pubKey->u.ec.DEREncodedParams); ++ if (rv == SECSuccess) { ++ SECOidTag tag = SECOID_FindOIDTag(&oid); ++ switch (tag) { ++ case SEC_OID_CURVE25519: ++ encoding = ECPoint_XOnly; ++ break; ++ case SEC_OID_SECG_EC_SECP256R1: ++ case SEC_OID_SECG_EC_SECP384R1: ++ case SEC_OID_SECG_EC_SECP521R1: ++ default: ++ /* unknown curve, default to uncompressed */ ++ encoding = ECPoint_Uncompressed; ++ } ++ } ++ PORT_DestroyCheapArena(&tmpArena); ++ return encoding; ++} ++ + /* Returns the size of the public key, or 0 if there + * is an error. 
*/ + static CK_ULONG + pk11_ECPubKeySize(SECKEYPublicKey *pubKey) + { + SECItem *publicValue = &pubKey->u.ec.publicValue; + +- if (pubKey->u.ec.encoding == ECPoint_XOnly) { ++ ECPointEncoding encoding = pk11_ECGetPubkeyEncoding(pubKey); ++ if (encoding == ECPoint_XOnly) { + return publicValue->len; + } +- if (publicValue->data[0] == 0x04) { ++ if (encoding == ECPoint_Uncompressed) { + /* key encoded in uncompressed form */ + return ((publicValue->len - 1) / 2); + } + /* key encoding not recognized */ + return 0; + } + + static PK11SymKey * +diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c +--- a/lib/ssl/ssl3ecc.c ++++ b/lib/ssl/ssl3ecc.c +@@ -298,17 +298,17 @@ ssl3_HandleECDHClientKeyExchange(sslSock + PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); + PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); + + clntPubKey.keyType = ecKey; + clntPubKey.u.ec.DEREncodedParams.len = + serverKeyPair->pubKey->u.ec.DEREncodedParams.len; + clntPubKey.u.ec.DEREncodedParams.data = + serverKeyPair->pubKey->u.ec.DEREncodedParams.data; +- clntPubKey.u.ec.encoding = serverKeyPair->pubKey->u.ec.encoding; ++ clntPubKey.u.ec.encoding = ECPoint_Undefined; + + rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, + 1, &b, &length); + if (rv != SECSuccess) { + PORT_SetError(errCode); + return SECFailure; + } + +@@ -382,21 +382,17 @@ ssl_ImportECDHKeyShare(sslSocket *ss, SE + peerKey->keyType = ecKey; + /* Set up the encoded params */ + rv = ssl_NamedGroup2ECParams(peerKey->arena, ecGroup, + &peerKey->u.ec.DEREncodedParams); + if (rv != SECSuccess) { + ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE); + return SECFailure; + } +- if (ecGroup->name == ssl_grp_ec_curve25519) { +- peerKey->u.ec.encoding = ECPoint_XOnly; +- } else { +- peerKey->u.ec.encoding = ECPoint_Uncompressed; +- } ++ peerKey->u.ec.encoding = ECPoint_Undefined; + + /* copy publicValue in peerKey */ + ecPoint.data = b; + ecPoint.len = length; + + rv = 
SECITEM_CopyItem(peerKey->arena, &peerKey->u.ec.publicValue, &ecPoint); + if (rv != SECSuccess) { + return SECFailure; diff --git a/SOURCES/nss-enable-384-cipher-tests.patch b/SOURCES/nss-enable-384-cipher-tests.patch deleted file mode 100644 index 2b8d597..0000000 --- a/SOURCES/nss-enable-384-cipher-tests.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up ./nss/tests/ssl/ssl.sh.384 ./nss/tests/ssl/ssl.sh ---- ./nss/tests/ssl/ssl.sh.384 2016-02-24 19:00:23.135079185 -0500 -+++ ./nss/tests/ssl/ssl.sh 2016-02-24 19:00:41.963720050 -0500 -@@ -93,8 +93,8 @@ ssl_init() - ECC_STRING="" - fi - -- CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" -- CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" -+ CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz" -+ CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027:C028:C02B:C02C:C02F:C030:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz" - - if [ "${OS_ARCH}" != "WINNT" ]; then - ulimit -n 1000 # make sure we have enough file descriptors diff --git a/SOURCES/nss-enable-cipher-suites.patch b/SOURCES/nss-enable-cipher-suites.patch new file mode 100644 index 0000000..0e6aabd --- /dev/null +++ b/SOURCES/nss-enable-cipher-suites.patch 
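Review bot: `pk11_ECPubKeySize` now decides the size from the curve OID alone and drops the old `publicValue->data[0] == 0x04` check, so on a Weierstrass curve a compressed point (0x02/0x03 prefix) or an empty value no longer returns 0, and with `len == 0` the expression `(publicValue->len - 1) / 2` wraps because `len` is unsigned. The value reaches this code from the peer via `ssl3_ConsumeHandshakeVariable` in `ssl3_HandleECDHClientKeyExchange` (that function continues outside the hunk) and I cannot see a minimum-length check between the two, so I would keep a format guard in the uncompressed branch: `if (publicValue->len == 0 || publicValue->data[0] != 0x04) { return 0; }`. This matters because `pk11_ECGetPubkeyEncoding` maps every unknown OID to `ECPoint_Uncompressed` in its `default:` case, so the guard is the only remaining check on the point format. The `/* deprecated, ignored */` note on `SECKEYECPublicKeyStr.encoding` should also mention that the field is still written (`ECPoint_Undefined`) so ABI-compatible consumers do not read a stale value.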
@@ -0,0 +1,39 @@
+diff -up nss/lib/ssl/ssl3con.c.enable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.enable-cipher-suites 2017-02-20 16:32:39.464067010 +0100
++++ nss/lib/ssl/ssl3con.c 2017-02-20 16:37:00.506731989 +0100
+@@ -91,7 +91,7 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled isPresent */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -102,7 +102,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -113,7 +113,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED,
PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -140,7 +140,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/SOURCES/nss-fix-client-auth-init-hashes.patch
deleted file mode 100644
index f0f60a3..0000000
--- a/SOURCES/nss-fix-client-auth-init-hashes.patch
+++ /dev/null
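Review bot: Turning on `TLS_RSA_WITH_AES_256_GCM_SHA384` by default adds another static-RSA suite (no forward secrecy) to the default set; it is consistent with the already-enabled `TLS_RSA_WITH_AES_256_CBC_SHA`/`_SHA256` rows right below it, but the patch carries no comment on why these SHA-384 GCM suites were previously off, so the rebase story is lost. The same commit also deletes `nss-enable-384-cipher-tests.patch`, which is what added 009D/009F/00A3 and C024/C028/C02C/C030 to the ssl.sh `CSHORT`/`CLONG` lists; unless upstream 3.28.2's ssl.sh already lists those suites (not visible here), the newly default-enabled suites are no longer exercised by the harness. I would add a header comment to this patch stating the platform policy behind the defaults, e.g. `# Enable the AES-256-GCM-SHA384 suites by default now that softoken provides the SHA-384 TLS 1.2 PRF` if that is the reason, and confirm the ssl.sh coverage before dropping the test patch.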
@@ -1,48 +0,0 @@ -diff -up ./nss/lib/ssl/ssl3con.c.fix_client_auth_crash ./nss/lib/ssl/ssl3con.c ---- ./nss/lib/ssl/ssl3con.c.fix_client_auth_crash 2016-02-24 10:40:56.249523174 -0800 -+++ ./nss/lib/ssl/ssl3con.c 2016-02-24 10:56:24.180107667 -0800 -@@ -6626,12 +6626,14 @@ ssl3_HandleServerHello(sslSocket *ss, SS - ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; - isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); - -+#ifdef notdef - rv = ssl3_InitHandshakeHashes(ss); - if (rv != SECSuccess) { - desc = internal_error; - errCode = PORT_GetError(); - goto alert_loser; - } -+#endif - - rv = ssl3_ConsumeHandshake( - ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); -@@ -8115,12 +8117,14 @@ ssl3_HandleClientHello(sslSocket *ss, SS - } - ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; - -+#ifdef notdef - rv = ssl3_InitHandshakeHashes(ss); - if (rv != SECSuccess) { - desc = internal_error; - errCode = PORT_GetError(); - goto alert_loser; - } -+#endif - - /* grab the client random data. */ - rv = ssl3_ConsumeHandshake( -@@ -8941,12 +8945,14 @@ ssl3_HandleV2ClientHello(sslSocket *ss, - } - ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; - -+#ifdef notdef - rv = ssl3_InitHandshakeHashes(ss); - if (rv != SECSuccess) { - desc = internal_error; - errCode = PORT_GetError(); - goto alert_loser; - } -+#endif - - /* if we get a non-zero SID, just ignore it. */ - if (length != diff --git a/SOURCES/nss-fix-deadlock-squash.patch b/SOURCES/nss-fix-deadlock-squash.patch index 4950f7b..c8222c7 100644 --- a/SOURCES/nss-fix-deadlock-squash.patch +++ b/SOURCES/nss-fix-deadlock-squash.patch 
@@ -1,45 +1,30 @@ -diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c ---- a/lib/pki/tdcache.c -+++ b/lib/pki/tdcache.c -@@ -379,23 +379,29 @@ nssTrustDomain_UnlockCertCache ( - - struct token_cert_dtor { - NSSToken *token; - nssTDCertificateCache *cache; - NSSCertificate **certs; +diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c +--- nss/lib/pki/tdcache.c.fix_deadlock 2017-01-13 17:10:36.055530248 +0100 ++++ nss/lib/pki/tdcache.c 2017-01-13 17:14:04.015338438 +0100 +@@ -374,13 +374,19 @@ struct token_cert_dtor { PRUint32 numCerts, arrSize; }; +-static void +-remove_token_certs(const void *k, void *v, void *a) +static void cert_iter(const void *k, void *v, void *a) -+{ + { + nssList *certList = (nssList *)a; -+ NSSCertificate *c = (NSSCertificate *)k; + NSSCertificate *c = (NSSCertificate *)k; + nssList_Add(certList, nssCertificate_AddRef(c)); +} + - static void --remove_token_certs(const void *k, void *v, void *a) ++static void +remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor) - { -- NSSCertificate *c = (NSSCertificate *)k; ++{ nssPKIObject *object = &c->object; - struct token_cert_dtor *dtor = a; PRUint32 i; + nssPKIObject_AddRef(object); nssPKIObject_Lock(object); - for (i=0; inumInstances; i++) { - if (object->instances[i]->token == dtor->token) { - nssCryptokiObject_Destroy(object->instances[i]); - object->instances[i] = object->instances[object->numInstances-1]; - object->instances[object->numInstances-1] = NULL; - object->numInstances--; -@@ -422,45 +428,83 @@ NSS_IMPLEMENT PRStatus - nssTrustDomain_RemoveTokenCertsFromCache ( - NSSTrustDomain *td, - NSSToken *token - ) - { + for (i = 0; i < object->numInstances; i++) { +@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache NSSCertificate **certs; PRUint32 i, arrSize = 10; struct token_cert_dtor dtor; @@ -50,10 +35,8 @@ 
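Review bot: `static void cert_iter(const void *k, void *v, void *a)` puts the return type on the signature line, while the new `remove_token_certs` directly below (and NSS generally) puts `static void` on its own line, so the two definitions added by this hunk disagree with each other on layout; `v` is also unused, which is fine for a hash-iteration callback but worth a `(void)v;` or a comment. More importantly, `cert_iter` takes an `nssCertificate_AddRef` on every cached cert it collects and `remove_token_certs` adds an `nssPKIObject_AddRef(object)` before locking; both references have to be dropped by the caller, and the body of `remove_token_certs` runs past the end of this hunk, so I cannot confirm the matching releases from here. A short comment on the callback would make the ownership explicit: `/* nssHash_Iterate callback: collect a referenced copy of every cached cert into the nssList passed as |a|; the caller must release them. */`.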
diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c + certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize); if (!certs) { - return PR_FAILURE; - } - dtor.cache = td->cache; - dtor.token = token; + return PR_FAILURE; +@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache dtor.certs = certs; dtor.numCerts = 0; dtor.arrSize = arrSize; @@ -63,8 +46,7 @@ diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c + goto loser; + } + /* fetch the list of certs in the cache */ - PZ_Lock(td->cache->lock); -- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor); ++ PZ_Lock(td->cache->lock); + nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList); + PZ_Unlock(td->cache->lock); + @@ -84,24 +66,22 @@ diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c + certList = NULL; + + /* now remove theose certs attached to this token */ -+ PZ_Lock(td->cache->lock); - for (i=0; iobject.numInstances == 0) { - nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); - dtor.certs[i] = NULL; /* skip this cert in the second for loop */ - } else { - /* make sure it doesn't disappear on us before we finish */ - nssCertificate_AddRef(dtor.certs[i]); - } + PZ_Lock(td->cache->lock); +- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor); + for (i = 0; i < dtor.numCerts; i++) { + if (dtor.certs[i]->object.numInstances == 0) { + nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); +@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache + } } PZ_Unlock(td->cache->lock); + + /* clean up */ - for (i=0; ihashAlg); -- if (hashAlg == 0) { -+ SECOidTag hashAlg = ssl3_TLSHashAlgorithmToOID(sigAndHash->hashAlg); -+ if (hashAlg == SEC_OID_UNKNOWN) { - PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); - return SECFailure; - } diff --git a/SOURCES/nss-map-oid-to-hashalg.patch b/SOURCES/nss-map-oid-to-hashalg.patch deleted file mode 100644 index f056f5c..0000000 --- a/SOURCES/nss-map-oid-to-hashalg.patch +++ /dev/null 
@@ -1,21 +0,0 @@
-diff -up ./nss/lib/ssl/ssl3con.c.use_oids ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.use_oids 2016-02-24 12:01:55.488253556 -0800
-+++ ./nss/lib/ssl/ssl3con.c 2016-02-24 12:09:18.099513245 -0800
-@@ -4950,7 +4950,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
- rv = SECFailure;
- goto tls12_loser;
- }
-- hashes->hashAlg = hashOid->offset;
-+ hashes->hashAlg = ssl3_OIDToTLSHashAlgorithm(hashOid->offset);
- PORT_Assert(hashes->hashAlg == ssl_hash_sha256 ||
- hashes->hashAlg == ssl_hash_sha384);
- if (hashes->hashAlg != ssl_hash_sha256 &&
-@@ -9581,7 +9581,7 @@ ssl3_EncodeCertificateRequestSigAlgs(ssl
- /* Note that we don't support a handshake hash with anything other than
- * SHA-256, so asking for a signature from clients for something else
- * would be inviting disaster. */
-- if (alg->hashAlg == ssl_hash_sha256 /* || alg->hashAlg == ssl_hash_sha384*/) {
-+ if (alg->hashAlg == ssl_hash_sha256 || alg->hashAlg == ssl_hash_sha384) {
- buf[(*len)++] = (PRUint8)alg->hashAlg;
- buf[(*len)++] = (PRUint8)alg->sigAlg;
- }
diff --git a/SOURCES/nss-old-pkcs11-num.patch
index d2b51f7..dbfdf05 100644
--- a/SOURCES/nss-old-pkcs11-num.patch
+++ b/SOURCES/nss-old-pkcs11-num.patch
@@ -1,14 +1,16 @@ -diff -up ./nss/lib/ssl/ssl3con.c.old_pkcs11_num ./nss/lib/ssl/ssl3con.c ---- ./nss/lib/ssl/ssl3con.c.old_pkcs11_num 2016-02-24 17:53:31.936203961 -0500 -+++ ./nss/lib/ssl/ssl3con.c 2016-02-24 17:54:34.643037802 -0500 -@@ -11075,7 +11075,9 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s +diff -up nss/lib/ssl/ssl3con.c.old_pkcs11_num nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.old_pkcs11_num 2017-01-04 15:24:24.000000000 +0100 ++++ nss/lib/ssl/ssl3con.c 2017-01-16 10:42:14.993429316 +0100 +@@ -11054,8 +11054,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s tls_mac_params.ulServerOrClient = isServer ? 1 : 2; param.data = (unsigned char *)&tls_mac_params; param.len = sizeof(tls_mac_params); - prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN, +- spec->master_secret, ¶m); + /* RHEL 7.2 had the wrong number for CKM_TLS12_MACH instead of CKM_TLS_MAC. In the new scheme that + * number matches with CKM_TLS_KDF, so until softoken gets updated, use CKM_TLS_KDF on RHEL7 */ + prf_context = PK11_CreateContextBySymKey(CKM_TLS_KDF, CKA_SIGN, - spec->master_secret, ¶m); ++ spec->master_secret, ¶m); if (!prf_context) - return SECFailure; + return SECFailure; + diff --git a/SOURCES/nss-prevent-abi-issue.patch b/SOURCES/nss-prevent-abi-issue.patch index afc979f..22df86e 100644 --- a/SOURCES/nss-prevent-abi-issue.patch +++ b/SOURCES/nss-prevent-abi-issue.patch 
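Review bot: Substituting `CKM_TLS_KDF` for `CKM_TLS_MAC` relies on a mechanism-number collision in the RHEL 7.2 softoken; once softoken is updated the two numbers name different mechanisms, and passing `CK_TLS_MAC_PARAMS` under `CKM_TLS_KDF` becomes either a hard failure or a parameter type confusion with no fallback. A safer shape is to try the correct mechanism first and fall back only when the token rejects it: `prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN, spec->master_secret, &param);` followed by `if (!prf_context) { prf_context = PK11_CreateContextBySymKey(CKM_TLS_KDF, CKA_SIGN, spec->master_secret, &param); }`, which keeps the workaround inert on a fixed softoken. The comment also reads `CKM_TLS12_MACH`, which looks like a typo for `CKM_TLS12_MAC`, and should cite the bug tracking the softoken update so the workaround can be removed on time.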
@@ -1,44 +1,24 @@
-diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c
---- a/lib/ssl/sslinfo.c
-+++ b/lib/ssl/sslinfo.c
-@@ -62,17 +62,17 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
- ssl_ReleaseSpecReadLock(ss);
- inf.compressionMethodName =
- ssl_GetCompressionMethodName(inf.compressionMethod);
- }
- if (sid) {
- inf.creationTime = sid->creationTime;
- inf.lastAccessTime = sid->lastAccessTime;
- inf.expirationTime = sid->expirationTime;
-- inf.extendedMasterSecretUsed = sid->u.ssl3.keys.extendedMasterSecretUsed;
-+ inf.reservedNotSupported = PR_FALSE;
-
- if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
- inf.sessionIDLength = SSL2_SESSIONID_BYTES;
- memcpy(inf.sessionID, sid->u.ssl2.sessionID,
- SSL2_SESSIONID_BYTES);
- } else {
- unsigned int sidLen = sid->u.ssl3.sessionIDLength;
- sidLen = PR_MIN(sidLen, sizeof inf.sessionID);
-diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h
---- a/lib/ssl/sslt.h
-+++ b/lib/ssl/sslt.h
-@@ -145,17 +145,17 @@ typedef struct SSLChannelInfoStr {
- /* compression method info */
- const char * compressionMethodName;
- SSLCompressionMethod compressionMethod;
-
- /* The following fields are added in NSS 3.21.
+diff -up nss/lib/ssl/sslinfo.c.abi_lib nss/lib/ssl/sslinfo.c
+--- nss/lib/ssl/sslinfo.c.abi_lib 2016-10-10 16:44:06.661038110 +0200
++++ nss/lib/ssl/sslinfo.c 2016-10-10 16:44:54.436814398 +0200
+@@ -74,7 +74,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
+ inf.creationTime = sid->creationTime;
+ inf.lastAccessTime = sid->lastAccessTime;
+ inf.expirationTime = sid->expirationTime;
+- inf.extendedMasterSecretUsed =
++ inf.reservedNotSupported =
+ (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
+ sid->u.ssl3.keys.extendedMasterSecretUsed)
+ ? PR_TRUE
+diff -up nss/lib/ssl/sslt.h.abi_lib nss/lib/ssl/sslt.h
+--- nss/lib/ssl/sslt.h.abi_lib 2016-10-03 16:55:58.000000000 +0200
++++ nss/lib/ssl/sslt.h 2016-10-10 16:44:06.661038110 +0200
+@@ -188,7 +188,7 @@ typedef struct SSLChannelInfoStr {
* This field only has meaning in TLS < 1.3 and will be set to
* PR_FALSE in TLS 1.3. */
-- PRBool extendedMasterSecretUsed;
-+ PRBool reservedNotSupported; /* don't use */
- } SSLChannelInfo;
-
- /* Preliminary channel info */
- #define ssl_preinfo_version (1U << 0)
- #define ssl_preinfo_cipher_suite (1U << 1)
- #define ssl_preinfo_all (ssl_preinfo_version|ssl_preinfo_cipher_suite)
+- PRBool extendedMasterSecretUsed;
++ PRBool reservedNotSupported;
- typedef struct SSLPreliminaryChannelInfoStr {
+ /* The following fields were added in NSS 3.25.
+ * This field only has meaning in TLS >= 1.3, and indicates on the
diff --git a/SOURCES/nss-remove-bogus-assert.patch b/SOURCES/nss-remove-bogus-assert.patch
deleted file mode 100644
index 423b524..0000000
--- a/SOURCES/nss-remove-bogus-assert.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up ./nss/lib/ssl/ssl3con.c.remove_bogus_assert ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.remove_bogus_assert 2016-02-24 16:55:18.430172675 -0500
-+++ ./nss/lib/ssl/ssl3con.c 2016-02-24 16:55:56.000473980 -0500
-@@ -3754,9 +3754,6 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
- CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
- unsigned int master_params_len;
-
-- PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-- PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
-- PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
- if (isTLS12) {
- if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
- else master_derive = CKM_TLS12_MASTER_KEY_DERIVE;
diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch
new file mode 100644
index 0000000..f08ca2f
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites.patch
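Review bot: `++ PRBool reservedNotSupported;` drops the `/* don't use */` marker the previous version of this patch carried, while the sslinfo.c hunk above now stores the extended-master-secret result into the renamed field; a reader of sslt.h sees a field whose name says it is unused but which the selfserv/tstclnt hunks elsewhere in this commit read and print. Keep the marker and state what the slot is, e.g. `PRBool reservedNotSupported; /* ABI placeholder holding extendedMasterSecretUsed; do not rely on it */`. The kept context lines `* This field only has meaning in TLS < 1.3 and will be set to PR_FALSE in TLS 1.3.` describe the old name and contradict the `? PR_TRUE` branch for TLS 1.3 in the sslinfo.c hunk, so the rename is the natural place to correct that comment as well; SSL_GetChannelInfo starts and ends outside the inner hunk.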
@@ -0,0 +1,242 @@
+diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.reorder_cipher_suites 2017-02-15 13:11:24.960624359 +0100
++++ nss/lib/ssl/ssl3con.c 2017-02-15 13:12:55.378720030 +0100
+@@ -91,83 +91,64 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled isPresent */
+- /* Special TLS 1.3 suites. */
+- { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+-
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+- * bug 946147.
+- */
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* RSA */
+- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+-
+- /* 56-bit DES "domestic" cipher suites */
+ { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* ciphersuites with no encryption */
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -175,6 +156,12 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
+ };
+ /* clang-format on */
+ 
+diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c
+--- nss/lib/ssl/sslenum.c.reorder_cipher_suites 2017-02-15 13:11:35.724397659 +0100
++++ nss/lib/ssl/sslenum.c 2017-02-15 13:12:26.332331787 +0100
+@@ -55,81 +55,64 @@
+ * the third one.
+ */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+- TLS_AES_128_GCM_SHA256,
+- TLS_CHACHA20_POLY1305_SHA256,
+- TLS_AES_256_GCM_SHA384,
+-
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+- */
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+-
+- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
++ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
++ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_RC4_128_SHA,
+-
+- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+-
+- TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_RSA_WITH_AES_128_CBC_SHA,
+- TLS_RSA_WITH_AES_128_CBC_SHA256,
+- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_RSA_WITH_AES_128_CBC_SHA,
++ TLS_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_SEED_CBC_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_RC4_128_SHA,
+ TLS_RSA_WITH_RC4_128_MD5,
+-
+- /* 56-bit DES "domestic" cipher suites */
+ TLS_DHE_RSA_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_WITH_DES_CBC_SHA,
+ TLS_RSA_WITH_DES_CBC_SHA,
+-
+- /* ciphersuites with no encryption */
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDH_RSA_WITH_NULL_SHA,
+@@ -137,6 +120,12 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_RSA_WITH_NULL_SHA,
+ TLS_RSA_WITH_NULL_SHA256,
+ TLS_RSA_WITH_NULL_MD5,
++ TLS_AES_128_GCM_SHA256,
++ TLS_CHACHA20_POLY1305_SHA256,
++ TLS_AES_256_GCM_SHA384,
++ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
++ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
++ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ 
+ 0
+ };
diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch
index 7d2427b..7d55d10 100644
--- a/SOURCES/nss-skip-bltest-and-fipstest.patch
+++ b/SOURCES/nss-skip-bltest-and-fipstest.patch
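Review bot: The new cipherSuites[] and SSL_ImplementedCiphers[] tables move every AEAD entry (the three TLS 1.3 suites and the ECDHE/DHE GCM and ChaCha20-Poly1305 suites) below the CBC, 3DES and RC4 entries, and the patch carries no comment saying why. As far as I can tell from how NSS builds the ClientHello and selects a suite on the server side, cipherSuites[] order is the offered and default-preferred order, so with this table a peer that follows the offered order lands on an AES-CBC-SHA suite ahead of AES-GCM; if the intent is to keep the index order of the previous (3.21-based) tables so that existing per-index policy and enable lists keep meaning the same thing, that should be stated in a comment at the head of the table, e.g. `/* Order kept identical to the nss-3.21 tables for compatibility with existing per-index cipher policy; this is not upstream's negotiation preference order. */`, so a future rebase does not mistake it for a preference decision. The removed group comments (`/* Special TLS 1.3 suites. */`, the bug 946147 note, `/* 56-bit DES "domestic" cipher suites */`, `/* ciphersuites with no encryption */`) still describe the entries and can simply move with them.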
@@ -1,17 +1,15 @@
diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
---- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700
-+++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700
-@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
- DIRS += libpkix
- endif
-
--ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+--- nss/cmd/Makefile.skipthem 2017-01-13 16:41:04.117486801 +0100
++++ nss/cmd/Makefile 2017-01-13 16:42:31.396335957 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
- BLTEST_SRCDIR =
--FIPSTEST_SRCDIR =
--SHLIBSIGN_SRCDIR =
-+FIPSTEST_SRCDIR =
+SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
else
BLTEST_SRCDIR = bltest
- FIPSTEST_SRCDIR = fipstest
+ ECPERF_SRCDIR = ecperf
diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch
new file mode 100644
index 0000000..6c7fb1d
--- /dev/null
+++ b/SOURCES/nss-skip-util-gtest.patch
@@ -0,0 +1,34 @@
+diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip-util-gtests 2017-01-30 02:06:08.000000000 +0100
++++ nss/gtests/manifest.mn 2017-02-17 12:55:55.064026636 +0100
+@@ -9,7 +9,6 @@ DIRS = \
+ google_test \
+ common \
+ der_gtest \
+- util_gtest \
+ pk11_gtest \
+ ssl_gtest \
+ nss_bogo_shim \
+diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
+--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-02-17 12:55:55.063026657 +0100
++++ nss/gtests/ssl_gtest/manifest.mn 2017-02-17 12:55:55.064026636 +0100
+@@ -48,6 +48,6 @@ REQUIRES = nspr nss libdbm gtest
+ 
+ PROGRAM = ssl_gtest
+ EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
+- $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
++ -lsoftokn3
+ 
+ USE_STATIC_LIBS = 1
+diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh
+--- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-02-17 12:56:49.434880888 +0100
++++ nss/tests/gtests/gtests.sh 2017-02-17 12:56:54.677770408 +0100
+@@ -82,7 +82,7 @@ gtest_cleanup()
+ }
+ 
+ ################## main #################################################
+-GTESTS="der_gtest pk11_gtest util_gtest"
++GTESTS="der_gtest pk11_gtest"
+ gtest_init $0
+ gtest_start
+ gtest_cleanup
diff --git a/SOURCES/nss-sni-c-v-fix.patch b/SOURCES/nss-sni-c-v-fix.patch
index 6cfbb4f..3e2fea2 100644
--- a/SOURCES/nss-sni-c-v-fix.patch
+++ b/SOURCES/nss-sni-c-v-fix.patch
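Review bot: The ssl_gtest link line switches from the freshly built static softokn archive to `++ -lsoftokn3` while `USE_STATIC_LIBS = 1` stays in place, and util_gtest is dropped from both DIRS and GTESTS, but nothing in the patch records why. With the shared library on the link line the suite exercises whichever libsoftokn3 the loader finds rather than the one built in-tree, which is presumably the point for a system-softoken build but is easy to undo by accident at the next rebase. A short header comment in the patch file, e.g. `# ssl_gtest links the system softokn3 because <reason placeholder>; util_gtest is skipped because <reason placeholder>`, would preserve the rationale.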
@@ -1,21 +1,21 @@
-diff -up ./nss/tests/ssl/sslauth.txt.c_v_fix ./nss/tests/ssl/sslauth.txt
---- ./nss/tests/ssl/sslauth.txt.c_v_fix 2016-02-24 19:30:43.630282607 -0500
-+++ ./nss/tests/ssl/sslauth.txt 2016-02-24 19:33:59.848516577 -0500
-@@ -54,13 +54,13 @@
+diff -up ./nss/tests/ssl/sslauth.txt.sni_c_v_fix ./nss/tests/ssl/sslauth.txt
+--- ./nss/tests/ssl/sslauth.txt.sni_c_v_fix 2016-08-16 12:48:58.886105082 +0200
++++ ./nss/tests/ssl/sslauth.txt 2016-08-16 12:51:29.142147183 +0200
+@@ -64,13 +64,13 @@
#
# SNI Tests
#
-- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
-+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser SSL3 Server hello response without SNI
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
-- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
-+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
-- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
-+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff --git a/SOURCES/nss-ssl-delete-duplicates.patch b/SOURCES/nss-ssl-delete-duplicates.patch
deleted file mode 100644
index cd92b25..0000000
--- a/SOURCES/nss-ssl-delete-duplicates.patch
+++ /dev/null
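Review bot: The replacement line `++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom ...` is missing the `_` between `-c_v` and `-w`; every sibling line in the hunk reads `-c_v_-w_nss`. Since the sslauth.txt harness presumably expands `_` into argument separators, tstclnt would receive `v-w` as the `-c` value and `nss` as a stray argument, so the case may still report its expected result of 1 but no longer for the reason its description ("Change name on 2d HS") states. Suggested line: `++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS`.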
@@ -1,63 +0,0 @@
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -426,36 +426,30 @@ static const ssl3CipherSuiteDef cipher_s
- cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0},
-
- {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0},
- {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips, 0},
-
- {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256},
- {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256},
- #ifndef NSS_DISABLE_ECC
-- {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
-- {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
- {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256},
- {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256},
- {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384},
- {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384},
- {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384},
- {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384},
- #endif /* NSS_DISABLE_ECC */
- {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, prf_384},
- {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, prf_256},
- {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, prf_384},
- {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, prf_256},
- {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, prf_256},
- {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, prf_384},
-
-- {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, 0},
-- {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, 0},
-- {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, 0},
--
- #ifndef NSS_DISABLE_ECC
- {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa, 0},
- {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa, 0},
- {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, 0},
- {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, 0},
- {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, 0},
-
- {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa, 0},
-diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c
---- a/lib/ssl/sslinfo.c
-+++ b/lib/ssl/sslinfo.c
-@@ -248,19 +248,16 @@ static const SSLCipherSuiteInfo suiteInf
- {0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
- {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
- {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
-
- #endif /* NSS_DISABLE_ECC */
-
- {0,CS(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
- {0,CS(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
--{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
--{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
--{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
- {0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-
- /* SSL 2 table */
- {0,CK(SSL_CK_RC4_128_WITH_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5), S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5), S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_DES_64_CBC_WITH_MD5), S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, 1, 0, },
diff --git a/SOURCES/nss-sslstress-txt-ssl3-lower-value-in-range.patch b/SOURCES/nss-sslstress-txt-ssl3-lower-value-in-range.patch
deleted file mode 100644
index c838dae..0000000
--- a/SOURCES/nss-sslstress-txt-ssl3-lower-value-in-range.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up ./nss/tests/ssl/sslstress.txt.ssl3_as_min_value ./nss/tests/ssl/sslstress.txt
---- ./nss/tests/ssl/sslstress.txt.ssl3_as_min_value 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/tests/ssl/sslstress.txt 2016-02-26 11:07:42.036366203 -0800
-@@ -9,9 +9,9 @@
- # ECC value params params
- # ------- ------ ------ ------ ---------------
- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
-- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
-- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
-- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
-+ noECC 0 _ -c_1000_-C_c_-V_ssl3:ssl3 Stress SSL3 RC4 128 with MD5
-+ noECC 0 _ -c_1000_-C_c_-V_ssl3:_ Stress TLS RC4 128 with MD5
-+ noECC 0 _ -V_ssl3:_-c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
- noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
- noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
-@@ -22,8 +22,8 @@
- # add client auth versions here...
- #
- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
-- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
-- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
-+ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
-+ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
diff --git a/SOURCES/nss-tests-prevent-abi-issue.patch b/SOURCES/nss-tests-prevent-abi-issue.patch
index b6d726f..766f2d7 100644
--- a/SOURCES/nss-tests-prevent-abi-issue.patch
+++ b/SOURCES/nss-tests-prevent-abi-issue.patch
@@ -1,34 +1,34 @@
-diff -up ./cmd/selfserv/selfserv.c.abi_test ./cmd/selfserv/selfserv.c
---- ./cmd/selfserv/selfserv.c.abi_test 2016-02-22 06:12:27.089047751 -0800
-+++ ./cmd/selfserv/selfserv.c 2016-02-22 06:15:46.969659328 -0800
-@@ -432,7 +432,7 @@ printSecurityInfo(PRFileDesc *fd)
- channel.authKeyBits, suite.authAlgorithmName,
- channel.keaKeyBits, suite.keaTypeName,
- channel.compressionMethodName,
-- channel.extendedMasterSecretUsed ? "Yes": "No");
-+ channel.reservedNotSupported ? "Yes": "No");
- }
+diff -up nss/cmd/selfserv/selfserv.c.abi_tests nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.abi_tests 2016-08-16 12:36:23.695996680 +0200
++++ nss/cmd/selfserv/selfserv.c 2016-08-16 12:39:00.006879649 +0200
+@@ -425,7 +425,7 @@ printSecurityInfo(PRFileDesc *fd)
+ channel.authKeyBits, suite.authAlgorithmName,
+ channel.keaKeyBits, suite.keaTypeName,
+ channel.compressionMethodName,
+- channel.extendedMasterSecretUsed ? "Yes" : "No");
++ channel.reservedNotSupported ? "Yes": "No");
+ }
}
if (verbose) {
-diff -up ./cmd/tstclnt/tstclnt.c.abi_test ./cmd/tstclnt/tstclnt.c
---- ./cmd/tstclnt/tstclnt.c.abi_test 2016-02-22 06:16:49.820593866 -0800
-+++ ./cmd/tstclnt/tstclnt.c 2016-02-22 06:18:16.908117535 -0800
-@@ -133,7 +133,7 @@ void printSecurityInfo(PRFileDesc *fd)
- channel.authKeyBits, suite.authAlgorithmName,
- channel.keaKeyBits, suite.keaTypeName,
- channel.compressionMethodName,
-- channel.extendedMasterSecretUsed ? "Yes": "No");
-+ channel.reservedNotSupported ? "Yes": "No");
- }
+diff -up nss/cmd/tstclnt/tstclnt.c.abi_tests nss/cmd/tstclnt/tstclnt.c
+--- nss/cmd/tstclnt/tstclnt.c.abi_tests 2016-08-16 12:36:23.696996653 +0200
++++ nss/cmd/tstclnt/tstclnt.c 2016-08-16 12:39:24.460235581 +0200
+@@ -129,7 +129,7 @@ printSecurityInfo(PRFileDesc *fd)
+ channel.authKeyBits, suite.authAlgorithmName,
+ channel.keaKeyBits, suite.keaTypeName,
+ channel.compressionMethodName,
+- channel.extendedMasterSecretUsed ? "Yes" : "No");
++ channel.reservedNotSupported ? "Yes": "No");
+ }
}
cert = SSL_RevealCert(fd);
-diff -up ./external_tests/ssl_gtest/tls_agent.cc.abi_test ./external_tests/ssl_gtest/tls_agent.cc
---- ./external_tests/ssl_gtest/tls_agent.cc.abi_test 2016-02-22 06:18:56.890439746 -0800
-+++ ./external_tests/ssl_gtest/tls_agent.cc 2016-02-22 06:19:59.264382368 -0800
-@@ -405,7 +405,7 @@ void TlsAgent::EnableExtendedMasterSecre
- }
-
- void TlsAgent::CheckExtendedMasterSecret(bool expected) {
+diff -up nss/external_tests/ssl_gtest/tls_agent.cc.abi_tests nss/external_tests/ssl_gtest/tls_agent.cc
+--- nss/gtests/ssl_gtest/tls_agent.cc.abi_tests 2016-08-16 12:36:23.696996653 +0200
++++ nss/gtests/ssl_gtest/tls_agent.cc 2016-08-16 12:39:45.167690174 +0200
+@@ -571,7 +571,7 @@ void TlsAgent::CheckExtendedMasterSecret
+ if (version() >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ expected = PR_TRUE;
+ }
- ASSERT_EQ(expected, info_.extendedMasterSecretUsed != PR_FALSE)
+ ASSERT_EQ(expected, info_.reservedNotSupported != PR_FALSE)
<< "unexpected extended master secret state for " << name_;
diff --git a/SOURCES/nss-tstclnt-optspec.patch b/SOURCES/nss-tstclnt-optspec.patch
new file mode 100644
index 0000000..e76dba0
--- /dev/null
+++ b/SOURCES/nss-tstclnt-optspec.patch
@@ -0,0 +1,21 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1487602422 -3600 +# Mon Feb 20 15:53:42 2017 +0100 +# Branch wip/dueno/tstclnt-optstate +# Node ID ec284d402a5a691e2694fe27d8ab2e95d525f5ab +# Parent ec6b5abc4187459458779d1e90bc8500a011eb3a +tstclnt: use correct option spec for -W + +diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c +--- a/cmd/tstclnt/tstclnt.c ++++ b/cmd/tstclnt/tstclnt.c +@@ -1509,7 +1509,7 @@ main(int argc, char **argv) + /* XXX: 'B' was used in the past but removed in 3.28, + * please leave some time before resuing it. */ + optstate = PL_CreateOptState(argc, argv, +- "46A:CDFGHI:KL:M:OR:STUV:WYZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); ++ "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); + while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case '?': diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch index f9564df..7334c80 100644 --- a/SOURCES/p-ignore-setpolicy.patch +++ b/SOURCES/p-ignore-setpolicy.patch @@ -1,17 +1,16 @@ -diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ---- a/lib/ssl/sslsock.c -+++ b/lib/ssl/sslsock.c -@@ -1364,25 +1364,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3 - rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); - } - return rv; - } - +diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy 2017-01-13 17:10:36.049530395 +0100 ++++ nss/lib/ssl/sslsock.c 2017-01-13 17:10:36.053530297 +0100 +@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3 SECStatus NSS_SetDomesticPolicy(void) { -- SECStatus status = SECSuccess; +- SECStatus status = SECSuccess; const PRUint16 *cipher; + SECStatus rv; + PRUint32 policy; +@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void) + } for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { - status = SSL_SetPolicy(*cipher, SSL_ALLOWED); @@ -24,8 +23,3 @@ 
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c } SECStatus - NSS_SetExportPolicy(void) - { - return NSS_SetDomesticPolicy(); - } - diff --git a/SOURCES/race.patch b/SOURCES/race.patch index f83a7f9..3ffb787 100644 --- a/SOURCES/race.patch +++ b/SOURCES/race.patch 
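Review bot: The rebased patch still removes the `status` accumulator from `NSS_SetDomesticPolicy`, so the result of `SSL_SetPolicy(*cipher, SSL_ALLOWED)` is discarded, yet the patch file itself carries no explanation; the only rationale is the `# rhbz: ...1026677` comment next to `Patch56` in the spec. A one-line header before the `diff -up` line stating why per-cipher policy failures are ignored and citing rhbz#1026677 would keep the intent with the patch through future rebases. The inner hunk `@@ -1403,11 +1402,9 @@` is cut at the `- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);` line, so what the loop body now does on a failed call cannot be confirmed from this diff.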
@@ -1,55 +1,43 @@ -diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c ---- a/lib/pk11wrap/pk11util.c -+++ b/lib/pk11wrap/pk11util.c -@@ -1258,53 +1258,62 @@ SECMOD_HasRemovableSlots(SECMODModule *m - return ret; - } - - /* - * helper function to actually create and destroy user defined slots +diff -up nss/lib/pk11wrap/pk11util.c.race nss/lib/pk11wrap/pk11util.c +--- nss/lib/pk11wrap/pk11util.c.race 2017-01-13 17:43:25.829686952 +0100 ++++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:47:56.374041802 +0100 +@@ -1297,7 +1297,7 @@ SECMOD_HasRemovableSlots(SECMODModule *m */ static SECStatus - secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass, -- const char *sendSpec) -+ const char *sendSpec, PRBool needlock) + secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass, +- const char *sendSpec) ++ const char *sendSpec, PRBool needlock) { CK_OBJECT_HANDLE dummy; - CK_ATTRIBUTE template[2] ; - CK_ATTRIBUTE *attrs = template; - CK_RV crv; - - PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++; - PK11_SETATTRS(attrs, CKA_NETSCAPE_MODULE_SPEC , (unsigned char *)sendSpec, - strlen(sendSpec)+1); attrs++; - - PORT_Assert(attrs-template <= 2); + CK_ATTRIBUTE template[2]; +@@ -1312,16 +1312,16 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O + PORT_Assert(attrs - template <= 2); - PK11_EnterSlotMonitor(slot); + if (needlock) PK11_EnterSlotMonitor(slot); crv = PK11_CreateNewObject(slot, slot->session, - template, attrs-template, PR_FALSE, &dummy); + template, attrs - template, PR_FALSE, &dummy); - PK11_ExitSlotMonitor(slot); + if (needlock) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } - return SECMOD_UpdateSlotList(slot->module); + return SECSuccess; } /* - * return true if the selected slot ID is not present or doesn't exist - */ +@@ -1330,11 +1330,20 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O static PRBool - 
secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID) + secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID) { - PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, slotID); + PK11SlotInfo *slot = SECMOD_FindSlotByID(mod, slotID); if (slot) { -- PRBool present = PK11_IsPresent(slot); +- PRBool present = PK11_IsPresent(slot); + CK_SLOT_INFO slotInfo; + CK_RV crv; + /* check if the slot is present, skip any slot reinit stuff, @@ -58,63 +46,52 @@ 
diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c + * holding the module refLock, which is the same as the slot + * sessionLock if the module isn't thread safe. */ + crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo); - PK11_FreeSlot(slot); -- if (present) { + PK11_FreeSlot(slot); +- if (present) { + if ((crv == CKR_OK) && + ((slotInfo.flags & CKF_TOKEN_PRESENT) == CKF_TOKEN_PRESENT)) { + /* slot is present, so it's not empty */ - return PR_FALSE; - } + return PR_FALSE; + } } - /* it doesn't exist or isn't present, it's available */ - return PR_TRUE; - } - - /* -@@ -1350,52 +1359,67 @@ PK11SlotInfo * - SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec) - { - CK_SLOT_ID slotID = 0; - PK11SlotInfo *slot; - char *escSpec; +@@ -1390,24 +1399,29 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co char *sendSpec; SECStatus rv; + PZ_Lock(mod->refLock); /* don't reuse a slot on the fly */ slotID = secmod_FindFreeSlot(mod); - if (slotID == (CK_SLOT_ID) -1) { + if (slotID == (CK_SLOT_ID)-1) { + PZ_Unlock(mod->refLock); - return NULL; + return NULL; } if (mod->slotCount == 0) { + PZ_Unlock(mod->refLock); - return NULL; + return NULL; } /* just grab the first slot in the module, any present slot should work */ slot = PK11_ReferenceSlot(mod->slots[0]); if (slot == NULL) { + PZ_Unlock(mod->refLock); - return NULL; + return NULL; } /* we've found the slot, now build the moduleSpec */ escSpec = NSSUTIL_DoubleEscape(moduleSpec, '>', ']'); if (escSpec == NULL) { + PZ_Unlock(mod->refLock); - PK11_FreeSlot(slot); - return NULL; + PK11_FreeSlot(slot); + return NULL; } - sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec); - PORT_Free(escSpec); +@@ -1416,16 +1430,26 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co if (sendSpec == NULL) { - /* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */ + /* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. 
*/ + PZ_Unlock(mod->refLock); - PK11_FreeSlot(slot); - PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + PK11_FreeSlot(slot); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } - rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec); + rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec, @@ -126,7 +103,7 @@ diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c PR_smprintf_free(sendSpec); PK11_FreeSlot(slot); if (rv != SECSuccess) { - return NULL; + return NULL; } + rv = SECMOD_UpdateSlotList(mod); /* don't call holding the mod->reflock */ + if (rv != SECSuccess) { @@ -135,27 +112,12 @@ diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c slot = SECMOD_FindSlotByID(mod, slotID); if (slot) { - /* if we are in the delay period for the "isPresent" call, reset - * the delay since we know things have probably changed... */ - if (slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); - } -@@ -1488,17 +1512,17 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot) - char *sendSpec; - - sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID); - if (sendSpec == NULL) { - /* PR_smprintf does not set no memory error */ - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; +@@ -1558,7 +1582,7 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot) + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; } - rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec); + rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec, PR_TRUE); PR_smprintf_free(sendSpec); /* if we are in the delay period for the "isPresent" call, reset * the delay since we know things have probably changed... */ - if (slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); - /* force the slot info structures to properly reset */ - (void)PK11_IsPresent(slot); - } diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch index c55a1a2..ca92f83 100644 
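Review bot: The release of `mod->refLock` after the `secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec,` call in `SECMOD_OpenNewSlot` is not visible: hunk `@@ -58,63 +46,52 @@` ends on that call and hunk `@@ -126,7 +103,7 @@` resumes at `PR_smprintf_free(sendSpec);`, so whether a `PZ_Unlock(mod->refLock)` sits in the skipped lines and precedes the `return NULL` taken when `rv != SECSuccess` cannot be confirmed here; the `/* don't call holding the mod->reflock */` comment on the later `SECMOD_UpdateSlotList(mod)` suggests it does, but the rebase is the moment to verify every exit path, since the earlier `return NULL` paths each unlock explicitly. Because the patch makes `secmod_UserDBOp` return `SECSuccess` instead of `SECMOD_UpdateSlotList(slot->module)`, each caller must refresh the slot list itself; `SECMOD_OpenNewSlot` does, while the `SECMOD_CloseUserDB` hunk `@@ -135,27 +112,12 @@` ends before any such call is visible. As a point of style, `if (needlock) PK11_EnterSlotMonitor(slot);` and its `PK11_ExitSlotMonitor` twin are unbraced single-line ifs inside code that upstream now clang-formats; bracing them keeps the patch consistent with the reformatted lines it sits between.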
--- a/SOURCES/renegotiate-transitional.patch +++ b/SOURCES/renegotiate-transitional.patch @@ -1,12 +1,12 @@ diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.transitional 2013-05-30 22:10:54.882675807 -0700 -+++ nss/lib/ssl/sslsock.c 2013-05-30 22:12:11.909260024 -0700 -@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = { - PR_FALSE, /* noLocks */ - PR_FALSE, /* enableSessionTickets */ - PR_FALSE, /* enableDeflate */ -- 2, /* enableRenegotiation (default: requires extension) */ -+ 3, /* enableRenegotiation (default: transitional) */ - PR_FALSE, /* requireSafeNegotiation */ - PR_FALSE, /* enableFalseStart */ - PR_TRUE, /* cbcRandomIV */ +--- nss/lib/ssl/sslsock.c.transitional 2016-08-15 17:57:58.146879056 +0200 ++++ nss/lib/ssl/sslsock.c 2016-08-15 17:58:02.365758224 +0200 +@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = { + PR_FALSE, /* noLocks */ + PR_FALSE, /* enableSessionTickets */ + PR_FALSE, /* enableDeflate */ +- 2, /* enableRenegotiation (default: requires extension) */ ++ 3, /* enableRenegotiation (default: transitional) */ + PR_FALSE, /* requireSafeNegotiation */ + PR_FALSE, /* enableFalseStart */ + PR_TRUE, /* cbcRandomIV */ diff --git a/SOURCES/rh1238290.patch b/SOURCES/rh1238290.patch deleted file mode 100644 index 49a9b5d..0000000 --- a/SOURCES/rh1238290.patch +++ /dev/null 
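Review bot: Only timestamps, line numbers and indentation change here, so the downstream default `3, /* enableRenegotiation (default: transitional) */` is carried into the 3.28 base unchanged while upstream keeps `2, /* ... (default: requires extension) */`. If 3 is still `SSL_RENEGOTIATE_TRANSITIONAL`, client sockets will renegotiate with peers that lack RFC 5746 secure renegotiation, which is the weaker of the two defaults. The rebase is the natural point to record why this is still needed; a header line in the patch before `diff -up`, such as `Keep transitional renegotiation default for compatibility with pre-RFC 5746 servers; revisit per <tracking bug id>`, would make the exception reviewable instead of silently persistent.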
@@ -1,25 +0,0 @@
---- ./lib/cryptohi/seckey.c.1238290 2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/cryptohi/seckey.c 2016-02-16 10:07:20.956930721 -0800
-@@ -993,20 +993,20 @@
- }
-
- /* interpret modulus length as key strength */
- switch (pubk->keyType) {
- case rsaKey:
- bitSize = SECKEY_BigIntegerBitLength(&pubk->u.rsa.modulus);
- break;
- case dsaKey:
-- bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.publicValue);
-+ bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.params.prime);
- break;
- case dhKey:
-- bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.publicValue);
-+ bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.prime);
- break;
- case ecKey:
- bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- break;
- }
diff --git a/SOURCES/ssl-server-min-key-sizes.patch b/SOURCES/ssl-server-min-key-sizes.patch
index fbb4215..e66e8cb 100644
--- a/SOURCES/ssl-server-min-key-sizes.patch
+++ b/SOURCES/ssl-server-min-key-sizes.patch
@@ -1,84 +1,22 @@ -diff --git a/lib/nss/nssoptions.h b/lib/nss/nssoptions.h ---- a/lib/nss/nssoptions.h -+++ b/lib/nss/nssoptions.h -@@ -11,11 +11,11 @@ - * file into NSS proper */ - - /* The minimum server key sizes accepted by the clients. - * Not 1024 to be conservative. */ - #define SSL_RSA_MIN_MODULUS_BITS 1023 +diff -up nss/lib/nss/nssoptions.h.min_key_sizes nss/lib/nss/nssoptions.h +--- nss/lib/nss/nssoptions.h.min_key_sizes 2017-02-20 16:42:23.456894585 +0100 ++++ nss/lib/nss/nssoptions.h 2017-02-20 16:43:02.687942525 +0100 +@@ -16,5 +16,5 @@ /* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be * only 1023 bits and similar. We don't have good data on whether this * happens because NSS used to count bit lengths incorrectly. */ -#define SSL_DH_MIN_P_BITS 1023 +#define SSL_DH_MIN_P_BITS 768 #define SSL_DSA_MIN_P_BITS 1023 - -diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c ---- a/lib/ssl/ssl3con.c -+++ b/lib/ssl/ssl3con.c -@@ -6950,17 +6950,17 @@ ssl3_HandleServerKeyExchange(sslSocket * - goto loser; /* malformed. */ - } - - rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); - if (rv != SECSuccess) { - minDH = SSL_DH_MIN_P_BITS; - } - dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p); -- if (dh_p_bits < minDH) { -+ if (dh_p_bits < SSL_DH_MIN_P_BITS) { - errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; - goto alert_loser; - } - rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); - if (rv != SECSuccess) { - goto loser; /* malformed. */ - } - /* Abort if dh_g is 0, 1, or obviously too big. 
*/ -diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h ---- a/lib/ssl/sslimpl.h -+++ b/lib/ssl/sslimpl.h -@@ -24,16 +24,17 @@ - #include "nssilock.h" - #include "pkcs11t.h" - #if defined(XP_UNIX) || defined(XP_BEOS) - #include "unistd.h" - #endif - #include "nssrwlk.h" - #include "prthread.h" - #include "prclist.h" -+#include "nssoptions.h" /* defines SSL_DH_MIN_P_BITS 768 */ - - #include "sslt.h" /* for some formerly private types, now public */ - - /* to make some of these old enums public without namespace pollution, - ** it was necessary to prepend ssl_ to the names. - ** These #defines preserve compatibility with the old code here in libssl. - */ - typedef SSLKEAType SSL3KEAType; -@@ -149,16 +150,24 @@ typedef enum { SSLAppOpRead = 0, - #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000 - - #ifndef BPB - #define BPB 8 /* Bits Per Byte */ - #endif - - #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ - -+/* The minimum server key sizes accepted by the clients. -+ * Not 1024 to be conservative. */ -+#define SSL_RSA_MIN_MODULUS_BITS 1023 -+/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be -+ * only 1023 bits and similar. We don't have good data on whether this -+ * happens because NSS used to count bit lengths incorrectly. 
*/ -+#define SSL_DSA_MIN_P_BITS 1023 -+ - #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/ - #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */ - #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */ - - typedef struct sslBufferStr sslBuffer; - typedef struct sslConnectInfoStr sslConnectInfo; - typedef struct sslGatherStr sslGather; - typedef struct sslSecurityInfoStr sslSecurityInfo; +diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.min_key_sizes 2017-02-20 16:42:23.459894513 +0100 ++++ nss/lib/ssl/ssl3con.c 2017-02-20 16:43:42.744970411 +0100 +@@ -7093,7 +7093,7 @@ ssl_HandleDHServerKeyExchange(sslSocket + minDH = SSL_DH_MIN_P_BITS; + } + dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p); +- if (dh_p_bits < minDH) { ++ if (dh_p_bits < SSL_DH_MIN_P_BITS) { + errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; + goto alert_loser; + } diff --git a/SOURCES/sslauth-no-v2.patch b/SOURCES/sslauth-no-v2.patch deleted file mode 100644 index 3aab27a..0000000 --- a/SOURCES/sslauth-no-v2.patch +++ /dev/null 
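Review bot: The new `ssl_HandleDHServerKeyExchange` hunk compares `dh_p_bits < SSL_DH_MIN_P_BITS` instead of `dh_p_bits < minDH`, which makes the preceding `NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)` dead (its fallback `minDH = SSL_DH_MIN_P_BITS;` is visible as context): an application or crypto policy that raises `NSS_DH_MIN_KEY_SIZE` is silently ignored and 768-bit server DH groups are accepted unconditionally. Lowering `SSL_DH_MIN_P_BITS` to 768 in nssoptions.h already lowers that fallback, so keeping `if (dh_p_bits < minDH) {` preserves the compatibility goal while leaving the runtime override working; if the option's compiled-in default lives in a table elsewhere and still says 1023, that table is the place to change. The comment kept above the define, "1023 to avoid cases where p = 2q+1 for a 512-bit q ...", now contradicts the value 768 and should be rewritten to state the actual reason for 768 and that this floor is below current recommendations for finite-field DH.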
@@ -1,77 +0,0 @@ -diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt ---- a/tests/ssl/sslauth.txt -+++ b/tests/ssl/sslauth.txt -@@ -3,28 +3,28 @@ - # file, You can obtain one at http://mozilla.org/MPL/2.0/. - # - # This file defines the tests for client auth. - # - # expected - # Enable return server client Test Case name - # ECC value params params - # ------- ------ ------ ------ --------------- -- noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth) -- noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password) -- noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth) -- noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) -- noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) -- noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) -- noECC 0 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) -- noECC 0 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) -- noECC 0 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) -- noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) -- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) -- noECC 0 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) -+ noECC 0 -r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth (client does not provide auth) -+ noECC 0 -r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth (bad password) -+ noECC 0 -r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth (client auth) -+ noECC 254 -r_-r -V_ssl3:_-w_nss_-n_none TLS Require client auth (client does not provide auth) -+ noECC 254 -r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Require client auth (bad password) -+ noECC 0 -r_-r 
-V_ssl3:_-w_nss_-n_TestUser_ TLS Require client auth (client auth) -+ noECC 0 -r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) -+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) -+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) -+ noECC 254 -r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) -+ noECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) -+ noECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) - noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) - noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) - noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) - noECC 1 -r_-r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) - noECC 1 -r_-r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) - noECC 0 -r_-r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Require client auth on 2nd hs (client auth) - noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Request don't require client auth on 2nd hs (client does not provide auth) - noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (bad password) -@@ -36,24 +36,24 @@ - noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) - noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) - noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) - noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 
Require client auth on 2nd hs (bad password) - noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) - # - # Use EC cert for client authentication - # -- ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) -- ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) -- ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) -- ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) -- ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) -- ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) -- ECC 254 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) -- ECC 0 -r_-r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) -+ ECC 0 -r -V_ssl3:_-w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) -+ ECC 0 -r -V_ssl3:_-w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) -+ ECC 254 -r_-r -V_ssl3:_-w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) -+ ECC 0 -r_-r -V_ssl3:_-w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) -+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) -+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) -+ ECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) -+ ECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) - ECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password) - ECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth) - ECC 1 -r_-r_-r_-r 
-V_ssl3:_-w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password) - ECC 0 -r_-r_-r_-r -V_ssl3:_-w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth) - ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (bad password) - ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth) - ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password) - ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth) diff --git a/SOURCES/tests-extra.patch b/SOURCES/tests-extra.patch deleted file mode 100644 index 662a2fb..0000000 --- a/SOURCES/tests-extra.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-diff -up ./tests/ssl/sslcov.txt.extra ./tests/ssl/sslcov.txt
---- ./tests/ssl/sslcov.txt.extra 2016-02-18 19:03:02.168464819 -0500
-+++ ./tests/ssl/sslcov.txt 2016-02-18 19:07:07.831906435 -0500
-@@ -35,6 +35,9 @@
- noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
- noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
- noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
-+ noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-+ noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
-+ noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384
- # noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- # noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- #
-@@ -167,6 +170,10 @@
- ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
- ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
- ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-+ ECC TLS12 :C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-+ ECC TLS12 :C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-+ ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384
- ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-+ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA384
-diff -up ./tests/ssl/ssl.sh.extra ./tests/ssl/ssl.sh
-diff -up ./tests/ssl/sslstress.txt.extra ./tests/ssl/sslstress.txt
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 8ac83a5..7c243ed 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,6 +1,6 @@
-%global nspr_version 4.11.0
-%global nss_util_version 3.21.0
-%global nss_util_build -2.2
+%global nspr_version 4.13.1
+%global nss_util_version 3.28.2
+%global nss_util_build -1.1
 # adjust to the version that gets submitted for FIPS validation
 %global nss_softokn_fips_version 3.16.2
 %global nss_softokn_version 3.16.2.3
@@ -26,8 +26,8 @@ Summary: Network Security Services
 Name: nss
-Version: 3.21.3
-Release: 2%{?dist}
+Version: 3.28.2
+Release: 1.6%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -51,8 +51,11 @@ BuildRequires: gawk
 BuildRequires: psmisc
 BuildRequires: perl
-%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
-%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
+%if %{defined nss_ckbi_suffix}
+%define full_nss_version %{version}%{nss_ckbi_suffix}
+%else
+%define full_nss_version %{version}
+%endif
 Source0: %{name}-%{full_nss_version}.tar.gz
 Source1: nss.pc.in
@@ -110,7 +113,6 @@ Patch50: iquote.patch
 Patch51: pem-compile-with-Werror.patch
 Patch52: Bug-1001841-disable-sslv2-libssl.patch
 Patch53: Bug-1001841-disable-sslv2-tests.patch
-Patch54: sslauth-no-v2.patch
 Patch55: enable-fips-when-system-is-in-fips-mode.patch
 # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
 Patch56: p-ignore-setpolicy.patch
@@ -122,47 +124,36 @@ Patch74: race.patch
 Patch94: nss-3.16-token-init-race.patch
 Patch99: ssl-server-min-key-sizes.patch
 Patch100: fix-min-library-version-in-SSLVersionRange.patch
-# Add support for sha384 tls cipher suites, dss cipher suites, and
-# server-side dhe key exchange
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-Patch101: dhe-sha384-dss-support.patch
-# TODO: From upstream review: For the client authentication case, should
-# probably drop our hack of swapping between sha256 and sha384 and plan
-# on implementing the fix we already have a patch for. What is that fix?
-Patch102: client_auth_for_sha384_prf_support.patch
-Patch103: nss-fix-client-auth-init-hashes.patch
-Patch104: nss-map-oid-to-hashalg.patch
-Patch105: nss-remove-bogus-assert.patch
 Patch106: nss-old-pkcs11-num.patch
-Patch107: nss-enable-384-cipher-tests.patch
 Patch108: nss-sni-c-v-fix.patch
-Patch109: nss-fix-signature-and-hash.patch
-Patch110: nss-sslstress-txt-ssl3-lower-value-in-range.patch
-
-# Enable by default two additional ciphers and fix order of two tables
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1211403
-Patch112: rh1238290.patch
 # Local: keep as long nss-softokn lacks support
 Patch113: disable-extended-master-secret-with-old-softoken.patch
-# extra tests needed
-Patch114: tests-extra.patch
 Patch115: nss-prevent-abi-issue.patch
 Patch116: nss-tests-prevent-abi-issue.patch
-Patch117: fix-nss-test-filtering.patch
-Patch118: fix-allowed-sig-alg.patch
-Patch119: nss-ssl-delete-duplicates.patch
-Patch120: fix-reuse-of-session-cache-entry.patch
-Patch121: flexible-certverify.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1298692
 Patch122: disable-ems-gtests.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1317691
-Patch123: call-restartmodules-in-nssinit.patch
-# CVE-2016-8635
-Patch124: moz-1314604.patch
+Patch123: nss-skip-util-gtest.patch
+# Disable X25519 and ChaCha20, until nss-softokn is rebased
+Patch124: nss-disable-curve25519.patch
+Patch126: nss-reorder-cipher-suites.patch
+Patch127: nss-disable-cipher-suites.patch
+Patch128: nss-enable-cipher-suites.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1320932
+Patch129: moz-1320932.patch
+# Disable RSA-PSS until we get a new nss-softokn (taken from RHEL-6
+# for rhbz#1390161)
+Patch130: disable-pss.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1340103
+Patch131: nss-ecpoint-encoding.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054
+Patch132: nss-tstclnt-optspec.patch
+Patch200: nss-disable-curve25519-gtests.patch
+Patch201: nss-disable-curve25519-tests.patch
+Patch202: nss-disable-chacha20-gtests.patch
+Patch203: nss-disable-chacha20-tests.patch
+Patch204: nss-disable-pss-gtests.patch
+Patch205: nss-disable-unsupported-gtests.patch
+Patch206: nss-disable-unsupported-tests.patch
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -245,9 +236,6 @@ low level services.
 %patch3 -p0 -b .transitional
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-pushd nss
-%patch18 -p1 -b .646045
-popd
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
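Review bot: `Patch124: moz-1314604.patch`, annotated `# CVE-2016-8635`, is dropped here, but the changelog's list of upstreamed patches in `@@ -883,6 +863,54 @@` (rh1238290, fix-reuse-of-session-cache-entry, flexible-certverify, call-restartmodules-in-nssinit) does not mention it, so the record that 3.28.2 carries that fix is lost from the package history; if that is the reason for the drop, add `- Remove moz-1314604.patch (CVE-2016-8635), fixed upstream` to the 3.28.2-1.0 entry. The numbers 123 and 124 are reused for unrelated patches (`nss-skip-util-gtest.patch`, `nss-disable-curve25519.patch`) in the same commit, which makes the `%patch123`/`%patch124` lines in the %prep hunk ambiguous in blame history; fresh numbers avoid that. `Patch126`–`Patch128` (reorder/disable/enable cipher suites) are new entries with no comment saying which suites are affected and why, unlike the annotated `Patch124` and `Patch130`; a one-line comment each would help the next rebase.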
@@ -258,39 +246,37 @@ popd
 pushd nss
 %patch52 -p1 -b .disableSSL2libssl
 %patch53 -p1 -b .disableSSL2tests
-%patch54 -p1 -b .sslauth-no-v2
 %patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
 %patch56 -p1 -b .1026677_ignore_set_policy
 %patch62 -p1 -b .fix_deadlock
 %patch99 -p1 -b .min_key_sizes
 %patch100 -p0 -b .1171318
-%patch101 -p1 -b .dhe_and_sha384
-%patch102 -p1 -b .client_auth_prf
-%patch112 -p1 -b .1238290
 %patch113 -p1 -b .disable-ems
-%patch114 -p1 -b .extra
 %patch115 -p1 -b .abi_lib
 %patch116 -p1 -b .abi_tests
-%patch117 -p1 -b .test-filtering
 %patch74 -p1 -b .race
 popd
 %patch94 -p0 -b .init-token-race
-%patch103 -p0 -b .fix_client_auth_crash
-%patch104 -p0 -b .use_oids
-%patch105 -p0 -b .remove_bogus_assert
 %patch106 -p0 -b .old_pkcs11_num
-%patch107 -p0 -b .enable_384_cipher_tests
 %patch108 -p0 -b .sni_c_v_fix
-%patch109 -p0 -b .fix_signature_and_hash
-%patch110 -p0 -b .no_ssl2
 pushd nss
-%patch118 -p1 -b .allowed-sig-alg
-%patch119 -p1 -b .delete_duplicates
-%patch120 -p1 -b .session_cache
-%patch121 -p1 -b .flexible_certverify
 %patch122 -p1 -b .disable_ems_gtests
-%patch123 -p1 -b .restartmodules_in_init
-%patch124 -p1 -b .moz-1314604
+%patch123 -p1 -b .skip-util-gtests
+%patch124 -p1 -b .disable-curve25519
+%patch126 -p1 -b .reorder-cipher-suites
+%patch127 -p1 -b .disable-cipher-suites
+%patch128 -p1 -b .enable-cipher-suites
+%patch129 -p1 -b .fix_ssl_sh_typo
+%patch130 -p1 -b .disable_pss
+%patch131 -p1 -b .ecpoint-encoding
+%patch132 -p1 -b .tstclnt-optspec
+%patch200 -p1 -b .disable-curve25519-gtests
+%patch201 -p1 -b .disable-curve25519-tests
+%patch202 -p1 -b .disable-chacha20-gtests
+%patch203 -p1 -b .disable-chacha20-tests
+%patch204 -p1 -b .disable-pss-gtests
+%patch205 -p1 -b .disable-unsupported-gtests
+%patch206 -p1 -b .disable-unsupported-tests
 popd
 #########################################################
@@ -335,9 +321,6 @@ popd
 export NSS_NO_SSL2=1
-NSS_NO_PKCS11_BYPASS=1
-export NSS_NO_PKCS11_BYPASS
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
@@ -345,11 +328,12 @@ export FREEBL_NO_DEPEND
 export BUILD_OPT=1
 # Uncomment to disable optimizations
-#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
-#export RPM_OPT_FLAGS
+# RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g' -e 's/ -Wp,-D_FORTIFY_SOURCE=2//g'`
+# export RPM_OPT_FLAGS
 # Generate symbolic info for debuggers
 XCFLAGS=$RPM_OPT_FLAGS
+
 export XCFLAGS
 PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
@@ -387,6 +371,8 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
 USE_64=1
@@ -398,12 +384,6 @@ export USE_64
 export IN_TREE_FREEBL_HEADERS_FIRST=1
 ##### phase 2: build the rest of nss
-# nss supports pluggable ecc
-NSS_ENABLE_ECC=1
-export NSS_ENABLE_ECC
-NSS_ECC_MORE_THAN_SUITE_B=1
-export NSS_ECC_MORE_THAN_SUITE_B
-
 export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
@@ -556,7 +536,7 @@ pushd ./nss/tests/
 # don't need to run all the tests when testing packaging
 # nss_cycles: standard pkix upgradedb sharedb
-%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ssl_gtests"
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
 # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 # nss_ssl_run: cov auth stress
 #
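Review bot: `export NSS_ALLOW_SSLKEYLOGFILE=1` in `@@ -387,6 +371,8 @@` is added without a comment, unlike the other build toggles in this spec, and it is not build-only: it compiles libssl so that at runtime it honours the `SSLKEYLOGFILE` environment variable and appends TLS session secrets to the named file in any process that loads the library with that variable set. That is a deliberate debugging aid (the 3.28.2-1.4 changelog entry records it), so it deserves a line in the spec such as `# Let libssl honour SSLKEYLOGFILE at runtime (writes TLS session keys to that file; debugging aid)` so the exposure stays visible to whoever maintains the package. In `@@ -345,11 +328,12 @@` the commented-out `RPM_OPT_FLAGS` line now also strips `-Wp,-D_FORTIFY_SOURCE=2`; it is inert while commented, but the `# Uncomment to disable optimizations` line above it should say that uncommenting also drops a hardening flag.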
@@ -883,6 +863,54 @@ fi
 %changelog
+* Mon Feb 20 2017 Daiki Ueno - 3.28.2-1.6
+- Restore ssl-server-min-key-sizes.patch
+- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
+- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
+ patch in the previous release
+- Fix crash with tstclnt -W
+
+* Fri Feb 17 2017 Daiki Ueno - 3.28.2-1.5
+- Always enable gtests for supported features
+- Prevent ABI incompatibilty of SECKEYECPublicKey
+
+* Thu Feb 16 2017 Daiki Ueno - 3.28.2-1.4
+- Add patch to fix bash syntax error in tests/ssl.sh
+- Build with support for SSLKEYLOGFILE
+- Disable the use of RSA-PSS with SSL/TLS
+
+* Wed Feb 15 2017 Daiki Ueno - 3.28.2-1.3
+- Remove %%nss_cycles setting, which was also mistakenly added
+
+* Wed Feb 15 2017 Daiki Ueno - 3.28.2-1.2
+- Reorder cipher suites for compatibility
+- Re-enable BUILD_OPT, mistakenly disabled in the previous build
+
+* Mon Feb 13 2017 Daiki Ueno - 3.28.2-1.1
+- Remove mistakenly added R: nss-pem
+
+* Fri Feb 10 2017 Daiki Ueno - 3.28.2-1.0
+- Rebase to NSS 3.28.2
+- Remove NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITE_B setting, which
+ is no-op now
+- Enable gtests when requested
+- Remove nss-646045.patch and fix-nss-test-filtering.patch, which are
+ not necessary
+- Remove sslauth-no-v2.patch and
+ nss-sslstress-txt-ssl3-lower-value-in-range.patch, as SSLv2 is
+ already disabled in upstream
+- Remove ssl-server-min-key-sizes.patch, as we decided to support DH
+ key size greater than 1023 bits
+- Remove local patches for SHA384 cipher suites (now supported in
+ upstream): dhe-sha384-dss-support.patch,
+ client_auth_for_sha384_prf_support.patch,
+ nss-fix-client-auth-init-hashes.patch, nss-map-oid-to-hashalg.patch,
+ nss-enable-384-cipher-tests.patch, nss-fix-signature-and-hash.patch,
+ fix-allowed-sig-alg.patch, tests-extra.patch
+- Remove upstreamed patches: rh1238290.patch,
+ fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch,
+ call-restartmodules-in-nssinit.patch
+
 * Tue Nov 08 2016 Kai Engert - 3.21.3-2
 - Mozilla #1314604 / Red Hat CVE-2016-8635