diff --git a/.gitignore b/.gitignore
index 67272da..1d16491 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.21.3.tar.gz
+SOURCES/nss-3.28.2.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index e8b243f..bb1ad7d 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,4 +1,4 @@
-86cf4eb313dda4bd86a6d096ecc5aee07ee5e124 SOURCES/PayPalEE.cert
+83025bf9062b026aae49ef8775c6432507159bca SOURCES/PayPalEE.cert
 a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert
 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
@@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-b6e2612dbf78a04cac2a81784143e918ed03aea7 SOURCES/nss-3.21.3.tar.gz
+4f972f53cef8f87416a12199863e1ec043f0050d SOURCES/nss-3.28.2.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
index fd29f44..527b312 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -1,151 +1,26 @@
-diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
---- a/lib/ssl/config.mk
-+++ b/lib/ssl/config.mk
-@@ -7,16 +7,20 @@ ifdef NISCC_TEST
- DEFINES += -DNISCC_TEST
+diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk
+--- nss/lib/ssl/config.mk.disableSSL2libssl	2017-01-04 15:24:24.000000000 +0100
++++ nss/lib/ssl/config.mk	2017-01-16 10:53:47.629894929 +0100
+@@ -69,3 +69,8 @@ endif
+ ifdef NSS_DISABLE_TLS_1_3
+ DEFINES += -DNSS_DISABLE_TLS_1_3
  endif
- 
- # Allow build-time configuration of TLS 1.3 (Experimental)
- ifdef NSS_ENABLE_TLS_1_3
- DEFINES += -DNSS_ENABLE_TLS_1_3
- endif
- 
++
 +ifdef NSS_NO_SSL2
 +DEFINES += -DNSS_NO_SSL2
 +endif
 +
- ifdef NSS_NO_PKCS11_BYPASS
- DEFINES += -DNO_PKCS11_BYPASS
- else
- CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
- 
- EXTRA_LIBS += \
- 	$(CRYPTOLIB) \
- 	$(NULL)
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
---- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -678,16 +678,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
-         if (ss->cipherSpecs) {
-             PORT_Free(ss->cipherSpecs);
-             ss->cipherSpecs     = NULL;
-             ss->sizeCipherSpecs = 0;
-         }
-         break;
- 
-       case SSL_ENABLE_SSL2:
-+#ifdef NSS_NO_SSL2
-+        if (on) {
-+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+            rv = SECFailure; /* not allowed */
-+        }
-+#else
-         if (IS_DTLS(ss)) {
-             if (on) {
-                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                 rv = SECFailure; /* not allowed */
-             }
-             break;
-         }
-         ss->opt.enableSSL2       = on;
-@@ -695,52 +701,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
-             ss->opt.v2CompatibleHello = on;
-         }
-         ss->preferredCipher     = NULL;
-         if (ss->cipherSpecs) {
-             PORT_Free(ss->cipherSpecs);
-             ss->cipherSpecs     = NULL;
-             ss->sizeCipherSpecs = 0;
-         }
-+#endif /* NSS_NO_SSL2 */
-         break;
- 
-       case SSL_NO_CACHE:
-         ss->opt.noCache = on;
-         break;
- 
-       case SSL_ENABLE_FDX:
-         if (on && ss->opt.noLocks) {
-             PORT_SetError(SEC_ERROR_INVALID_ARGS);
-             rv = SECFailure;
-         }
-         ss->opt.fdx = on;
-         break;
- 
-       case SSL_V2_COMPATIBLE_HELLO:
-+#ifdef NSS_NO_SSL2
-+        if (on) {
-+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+            rv = SECFailure; /* not allowed */
-+        }
-+#else
-         if (IS_DTLS(ss)) {
-             if (on) {
-                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                 rv = SECFailure; /* not allowed */
-             }
-             break;
-         }
-         ss->opt.v2CompatibleHello = on;
-         if (!on) {
-             ss->opt.enableSSL2    = on;
-         }
-+#endif /* NSS_NO_SSL2 */
-         break;
- 
-       case SSL_ROLLBACK_DETECTION:
-         ss->opt.detectRollBack = on;
-         break;
- 
-       case SSL_NO_STEP_DOWN:
-+#ifdef NSS_NO_SSL2
-+        if (!on) {
-+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+            rv = SECFailure; /* not allowed */
-+        }
-+#else
-         ss->opt.noStepDown     = on;
-         if (on)
-             SSL_DisableExportCipherSuites(fd);
-+#endif /* NSS_NO_SSL2 */
-         break;
- 
-       case SSL_BYPASS_PKCS11:
-         if (ss->handshakeBegun) {
-             PORT_SetError(PR_INVALID_STATE_ERROR);
-             rv = SECFailure;
-         } else {
-             if (PR_FALSE != on) {
-@@ -1180,16 +1201,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
-     }
-     return SECSuccess;
- }
- 
- /* function tells us if the cipher suite is one that we no longer support. */
+diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.disableSSL2libssl	2017-01-16 10:53:47.615895344 +0100
++++ nss/lib/ssl/sslsock.c	2017-01-16 10:54:16.088051233 +0100
+@@ -1221,6 +1221,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
  static PRBool
  ssl_IsRemovedCipherSuite(PRInt32 suite)
  {
 +#ifdef NSS_NO_SSL2
-+    /* both ssl2 and export cipher suites disabled */
 +    if (SSL_IS_SSL2_CIPHER(suite))
 +        return PR_TRUE;
-+    if (SSL_IsExportCipherSuite(suite)) {
-+        SSLCipherSuiteInfo csdef;
-+        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
-+            /* failure to retrieve info, disable */
-+            return PR_TRUE;
-+        }
-+        if (csdef.symCipher != ssl_calg_null) {
-+            /* disable all except NULL ciphersuites */
-+            return PR_TRUE;
-+        }
-+    }
-+#endif /* NSS_NO_SSL2_NO_EXPORT */
++#endif /* NSS_NO_SSL2 */
      switch (suite) {
-     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
-     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
-     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
-         return PR_TRUE;
-     default:
-         return PR_FALSE;
-     }
+         case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+         case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
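Review bot: The rebased patch drops two checks that the previous version carried, and nothing in it records why. The `SSL_OptionSet` guards that returned `SSL_ERROR_SSL2_DISABLED` for `SSL_ENABLE_SSL2`, `SSL_V2_COMPATIBLE_HELLO` and `SSL_NO_STEP_DOWN` are gone, and `ssl_IsRemovedCipherSuite` now rejects only `SSL_IS_SSL2_CIPHER` suites, not export suites. Presumably the 3.28.2 sources refuse these themselves, but that is not visible here and should be confirmed against the new tarball. I would add a header before the first `diff -up` line, e.g. `Rebased for nss-3.28.2: SSL_OptionSet guards and export-suite rejection dropped, upstream expected to cover them (verified against: <how>)`. The body of `ssl_IsRemovedCipherSuite` continues outside the hunk.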
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
index 4479ab1..3defed5 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -1,11 +1,10 @@
-diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh
---- ./tests/ssl/ssl.sh.disableSSL2tests	2015-11-08 21:12:59.000000000 -0800
-+++ ./tests/ssl/ssl.sh	2016-02-19 21:36:48.900345950 -0800
-@@ -62,9 +62,14 @@ ssl_init()
-   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
+--- nss/tests/ssl/ssl.sh.disableSSL2tests	2017-01-04 15:24:24.000000000 +0100
++++ nss/tests/ssl/ssl.sh	2017-01-13 16:51:20.759277059 +0100
+@@ -63,8 +63,14 @@ ssl_init()
  
    # Test case files
--  SSLCOV=${QADIR}/ssl/sslcov.txt
+   SSLCOV=${QADIR}/ssl/sslcov.txt
 +  if [ "${NSS_NO_SSL2}" = "1" ]; then
 +    SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
 +    SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
@@ -15,13 +14,13 @@ diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh
 +  fi
    SSLAUTH=${QADIR}/ssl/sslauth.txt
 -  SSLSTRESS=${QADIR}/ssl/sslstress.txt
+   SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  
-   #temparary files
-@@ -120,7 +125,11 @@ is_selfserv_alive()
+@@ -129,7 +135,11 @@ is_selfserv_alive()
    fi
  
-   echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
+   echo "kill -0 ${PID} >/dev/null 2>/dev/null"
 +  if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
 +  echo "No server to kill"
 +  else
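Review bot: The `${SSL2} -eq 0` operand kept in the `is_selfserv_alive` guard here, and again in the `wait_for_selfserv` guard in the next hunk, may refer to a variable the rebased script no longer sets. The last hunk's context now shows `EXP=$?` where the old context had `SSL2=$?`. Inside `[[ ]]` an unset operand to `-eq` evaluates as 0, so with `NSS_NO_SSL2=1` the guard would be true for every test. The `kill -0` liveness check would then be skipped, and a selfserv that failed to start would be reported through `html_passed "Server never started"`, hiding real TLS test failures. If `SSL2` is indeed gone in 3.28.2, drop the operand in both places, e.g. `if [ "${NSS_NO_SSL2}" = "1" ] && [ "${EXP}" -eq 0 ]; then`. Both functions start and end outside their hunks.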
@@ -30,9 +29,9 @@ diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh
  
    echo "selfserv with PID ${PID} found at `date`"
  }
-@@ -143,7 +152,11 @@ wait_for_selfserv()
+@@ -153,7 +163,11 @@ wait_for_selfserv()
        ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-               -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
+               -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
        if [ $? -ne 0 ]; then
 +          if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
 +              html_passed "Server never started"
@@ -42,45 +41,25 @@ diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh
        fi
    fi
    is_selfserv_alive
-@@ -214,15 +227,16 @@ start_selfserv()
-   echo "selfserv starting at `date`"
-   echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
-   echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
--  echo "         $verbose -H 1 &"
-+  echo "         $verbose -H 1 -V ssl3: &"
-   if [ ${fileout} -eq 1 ]; then
-       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-                ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
--               > ${SERVEROUTFILE} 2>&1 &
-+               -V ssl3:> ${SERVEROUTFILE} 2>&1 &
-       RET=$?
-   else
-       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
--               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
-+               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
-+               -V ssl3: &
-       RET=$?
-   fi
- 
-@@ -269,7 +283,7 @@ ssl_cov()
+@@ -272,7 +286,7 @@ ssl_cov()
    start_selfserv # Launch the server
  
-   VMIN="ssl2"
+   VMIN="ssl3"
 -  VMAX="tls1.1"
 +  VMAX="tls1.2"
-                
+ 
    exec < ${SSLCOV}
    while read ectype testmax param testname
-@@ -279,6 +293,12 @@ ssl_cov()
-       echo "${testname}" | grep "SSL2" > /dev/null
-       SSL2=$?
+@@ -280,6 +294,12 @@ ssl_cov()
+       echo "${testname}" | grep "EXPORT" > /dev/null
+       EXP=$?
  
-+      #  skip export and ssl2 tests when build has disabled SSL2
-+      if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
-+         echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
++      #  skip export tests
++      if [ ${EXP} -eq 0 ]; then
++         echo "export test skipped"
 +         continue
 +      fi
 +
-       if [ "${SSL2}" -eq 0 ] ; then
-           # We cannot use asynchronous cert verification with SSL2
-           SSL2_FLAGS=-O
+       if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+       elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
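Review bot: The skip added to the `ssl_cov` loop is now unconditional, because `if [ ${EXP} -eq 0 ]` no longer checks `NSS_NO_SSL2`. Export-suite rows are therefore dropped on every build, and the log line `export test skipped` no longer says which test or why. I would quote the operand and keep the test name in the message: `if [ "${EXP}" -eq 0 ]; then` and `echo "export test skipped: ${testname}"`. The comment should also state the reason, presumably that export suites are no longer available in this NSS version, so a later reader does not take the skip for lost coverage. The `while read` loop continues outside the hunk.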
diff --git a/SOURCES/call-restartmodules-in-nssinit.patch b/SOURCES/call-restartmodules-in-nssinit.patch
deleted file mode 100644
index 6a72aa8..0000000
--- a/SOURCES/call-restartmodules-in-nssinit.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
---- a/lib/nss/nssinit.c
-+++ b/lib/nss/nssinit.c
-@@ -621,16 +621,31 @@ nss_Init(const char *configdir, const ch
- 		initParams->minPWLen);
- 	    if (configStrings == NULL) {
- 		PORT_SetError(SEC_ERROR_NO_MEMORY);
- 		goto loser;
- 	    }
- 	    configName = initParams->libraryDescription;
- 	    passwordRequired = initParams->passwordRequired;
- 	}
-+
-+	/* If we're NSS_ContextInit, we're probably a library. It could be
-+	 * possible that the application initialized NSS then forked(). The
-+	 * library would have no knowledge of that. If we call 
-+	 * SECMOD_RestartModules() here, we will be able to continue on with
-+	 * NSS as normal. SECMOD_RestartModules() does have the side affect
-+	 * of losing all our PKCS #11 objects in the new process, but only if
-+	 * the module needs to be reinited. If it needs to be reinit those
-+	 * objects are inaccessible anyway, it it's always save to call
-+	 * SECMOD_RestartModules(PR_FALSE).
-+	 */
-+	/* NOTE: We could call SECMOD_Init() here, but if we aren't already
-+	 * inited, then there's no modules to restart, so SECMOD_RestartModules
-+	 * will return immediately */
-+	SECMOD_RestartModules(PR_FALSE);
-     } else {
- 	configStrings = pk11_config_strings;
- 	configName = pk11_config_name;
- 	passwordRequired = pk11_password_required;
-     }
- 
-     /* Skip the module init if we are already initted and we are trying
-      * to init with noCertDB and noModDB */
diff --git a/SOURCES/client_auth_for_sha384_prf_support.patch b/SOURCES/client_auth_for_sha384_prf_support.patch
deleted file mode 100644
index de0d1aa..0000000
--- a/SOURCES/client_auth_for_sha384_prf_support.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-diff -up ./lib/ssl/ssl3con.c.client_auth_prf ./lib/ssl/ssl3con.c
---- ./lib/ssl/ssl3con.c.client_auth_prf	2016-02-14 09:14:32.821182333 -0800
-+++ ./lib/ssl/ssl3con.c	2016-02-14 09:52:47.506071502 -0800
-@@ -270,6 +270,27 @@ static const /*SSL3ClientCertificateType
-     ct_DSS_sign,
- };
- 
-+/* This block is the contents of the supported_signature_algorithms field of
-+ * our TLS 1.2 CertificateRequest message, in wire format. See
-+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-+ *
-+ * We only support TLS 1.2
-+ * CertificateVerify messages that use the handshake PRF hash. */
-+static const PRUint8 supported_signature_algorithms_sha256[] = {
-+    tls_hash_sha256, tls_sig_rsa,
-+#ifndef NSS_DISABLE_ECC
-+    tls_hash_sha256, tls_sig_ecdsa,
-+#endif
-+    tls_hash_sha256, tls_sig_dsa,
-+};
-+static const PRUint8 supported_signature_algorithms_sha384[] = {
-+    tls_hash_sha384, tls_sig_rsa,
-+#ifndef NSS_DISABLE_ECC
-+    tls_hash_sha384, tls_sig_ecdsa,
-+#endif
-+    tls_hash_sha384, tls_sig_dsa,
-+};
-+
- #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
- 
- 
-@@ -4904,6 +4925,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
- 	unsigned int  stateLen;
- 	unsigned char stackBuf[1024];
- 	unsigned char *stateBuf = NULL;
-+    SECOidData *hashOid;
- 
- 	h = ss->ssl3.hs.sha;
- 	stateBuf = PK11_SaveContextAlloc(h, stackBuf,
-@@ -4919,9 +4941,25 @@ ssl3_ComputeHandshakeHashes(sslSocket *
- 	    rv = SECFailure;
- 	    goto tls12_loser;
- 	}
--	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
--	 * then this will need to be updated. */
--	hashes->hashAlg = ssl_hash_sha256;
-+
-+	/* updated in support of ciphersuites where the PRF hash
-+     * could be SHA-256 or SHA-384 */
-+    hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-+    if (hashOid == NULL) {
-+        ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+        rv = SECFailure;
-+        goto tls12_loser;
-+    }
-+    hashes->hashAlg = hashOid->offset;
-+    PORT_Assert(hashes->hashAlg == ssl_hash_sha256 ||
-+                hashes->hashAlg == ssl_hash_sha384);
-+    if (hashes->hashAlg != ssl_hash_sha256 &&
-+        hashes->hashAlg != ssl_hash_sha384) {
-+        ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+        rv = SECFailure;
-+        goto tls12_loser;
-+    }
-+
- 	rv = SECSuccess;
- 
- tls12_loser:
-@@ -7242,7 +7280,7 @@ done:
- /* Destroys the backup handshake hash context if we don't need it. Note that
-  * this function selects the hash algorithm for client authentication
-  * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
-- * to determine whether to use SHA-1 or SHA-256. */
-+ * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */
- static void
- ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
- 					   const SECItem *algorithms)
-@@ -7251,9 +7289,12 @@ ssl3_DestroyBackupHandshakeHashIfNotNeed
-     SSLSignType sigAlg;
-     PRBool preferSha1;
-     PRBool supportsSha1 = PR_FALSE;
--    PRBool supportsSha256 = PR_FALSE;
-+    PRBool supportsHandshakeHash = PR_FALSE;
-     PRBool needBackupHash = PR_FALSE;
-     unsigned int i;
-+    SECOidData *hashOid;
-+    TLSHashAlgorithm suitePRFHash;
-+    PRBool suitePRFIs256Or384 = PR_FALSE;
- 
- #ifndef NO_PKCS11_BYPASS
-     /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
-@@ -7270,20 +7311,35 @@ ssl3_DestroyBackupHandshakeHashIfNotNeed
- 	goto done;
-     }
- 
-+    hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-+    if (hashOid == NULL) {
-+        rv = SECFailure;
-+	goto done;
-+    }
-+
-+    if (hashOid->offset == SEC_OID_SHA256) {
-+	suitePRFHash = tls_hash_sha256;
-+	suitePRFIs256Or384 = PR_TRUE;
-+    } else if (hashOid->offset == SEC_OID_SHA384) {
-+	suitePRFHash = tls_hash_sha384;
-+	suitePRFIs256Or384 = PR_TRUE;
-+    } 
-+
-     /* Determine the server's hash support for that signature algorithm. */
-     for (i = 0; i < algorithms->len; i += 2) {
- 	if (algorithms->data[i+1] == sigAlg) {
- 	    if (algorithms->data[i] == ssl_hash_sha1) {
- 		supportsSha1 = PR_TRUE;
--	    } else if (algorithms->data[i] == ssl_hash_sha256) {
--		supportsSha256 = PR_TRUE;
-+	    } else if (suitePRFIs256Or384 &&
-+	               algorithms->data[i] == suitePRFHash) {
-+		supportsHandshakeHash = PR_TRUE;
- 	    }
- 	}
-     }
- 
-     /* If either the server does not support SHA-256 or the client key prefers
-      * SHA-1, leave the backup hash. */
--    if (supportsSha1 && (preferSha1 || !supportsSha256)) {
-+    if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) {
- 	needBackupHash = PR_TRUE;
-     }
- 
-@@ -9548,6 +9604,7 @@ ssl3_SendCertificateRequest(sslSocket *s
-     int            certTypesLength;
-     PRUint8        sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2];
-     unsigned int   sigAlgsLength = 0;
-+    SECOidData *hashOid;
- 
-     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
- 		SSL_GETPID(), ss->fd));
-@@ -9575,6 +9632,20 @@ ssl3_SendCertificateRequest(sslSocket *s
-     certTypes       = certificate_types;
-     certTypesLength = sizeof certificate_types;
- 
-+    hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-+    if (hashOid == NULL) {
-+	return SECFailure; 		/* err set by AppendHandshake. */
-+    }
-+    if (hashOid->offset == SEC_OID_SHA256) {
-+	sigAlgsLength = sizeof supported_signature_algorithms_sha256;
-+    PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha256, sigAlgsLength);
-+    } else if (hashOid->offset == SEC_OID_SHA384) {
-+	sigAlgsLength = sizeof supported_signature_algorithms_sha384;
-+    PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha384, sigAlgsLength);
-+    } else {
-+	return SECFailure; 		/* err set by AppendHandshake. */
-+    }
-+
-     length = 1 + certTypesLength + 2 + calen;
-     if (isTLS12) {
-         rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs),
diff --git a/SOURCES/dhe-sha384-dss-support.patch b/SOURCES/dhe-sha384-dss-support.patch
deleted file mode 100644
index 834c7c1..0000000
--- a/SOURCES/dhe-sha384-dss-support.patch
+++ /dev/null
@@ -1,975 +0,0 @@
-diff -up ./lib/ssl/ssl3con.c.dhe_and_sha384 ./lib/ssl/ssl3con.c
---- ./lib/ssl/ssl3con.c.dhe_and_sha384	2016-02-14 07:51:49.910312410 -0800
-+++ ./lib/ssl/ssl3con.c	2016-02-14 08:03:31.562277561 -0800
-@@ -68,6 +68,8 @@ static SECStatus ssl3_ComputeHandshakeHa
-                                              SSL3Hashes *hashes,
-                                              PRUint32 sender);
- static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
-+static int       ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
-+static CK_MECHANISM_TYPE ssl3_GetPrfHashMechanism(sslSocket *ss);
- 
- static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
- 			     int maxOutputLen, const unsigned char *input,
-@@ -95,23 +97,37 @@ static ssl3CipherSuiteCfg cipherSuites[s
-    /*      cipher_suite                     policy       enabled   isPresent */
- 
- #ifndef NSS_DISABLE_ECC
-- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
--   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
--    * bug 946147.
--    */
-+ /* Ephemeral ECDH */
-+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must be before TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-+  * to workaround bug 946147.
-+  */
-+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
- #endif /* NSS_DISABLE_ECC */
- 
-+ /* Ephemeral Finite Field DH */
-+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-@@ -120,17 +136,12 @@ static ssl3CipherSuiteCfg cipherSuites[s
-  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
- 
- #ifndef NSS_DISABLE_ECC
-+ /* Non ephemeral ECDH */
-  { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-@@ -142,18 +153,19 @@ static ssl3CipherSuiteCfg cipherSuites[s
- #endif /* NSS_DISABLE_ECC */
- 
-  /* RSA */
-+ { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
- 
-  /* 56-bit DES "domestic" cipher suites */
-  { TLS_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
-@@ -292,6 +304,7 @@ static const ssl3BulkCipherDef bulk_ciph
-     {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0},
-     {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0},
-     {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8},
-+    {cipher_aes_256_gcm,  calg_aes_gcm,     32,32, type_aead,   4, 0,16, 8},
-     {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
- };
- 
-@@ -300,8 +313,8 @@ static const ssl3KEADef kea_defs[] =
-     /* kea            exchKeyType signKeyType is_limited limit tls_keygen ephemeral */
-     {kea_null,           kt_null, sign_null,  PR_FALSE,   0, PR_FALSE, PR_FALSE},
-     {kea_rsa,            kt_rsa,  sign_rsa,   PR_FALSE,   0, PR_FALSE, PR_FALSE},
--    {kea_rsa_export,     kt_rsa,  sign_rsa,   PR_TRUE,  512, PR_FALSE, PR_FALSE},
--    {kea_rsa_export_1024,kt_rsa,  sign_rsa,   PR_TRUE, 1024, PR_FALSE, PR_FALSE},
-+    {kea_rsa_export,     kt_rsa,  sign_rsa,   PR_TRUE,  512, PR_FALSE, PR_TRUE},
-+    {kea_rsa_export_1024,kt_rsa,  sign_rsa,   PR_TRUE, 1024, PR_FALSE, PR_TRUE},
-     {kea_dh_dss,         kt_dh,   sign_dsa,   PR_FALSE,   0, PR_FALSE, PR_FALSE},
-     {kea_dh_dss_export,  kt_dh,   sign_dsa,   PR_TRUE,  512, PR_FALSE, PR_FALSE},
-     {kea_dh_rsa,         kt_dh,   sign_rsa,   PR_FALSE,   0, PR_FALSE, PR_FALSE},
-@@ -327,135 +340,149 @@ static const ssl3CipherSuiteDef cipher_s
- {
- /*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
- 
--    {TLS_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
--    {TLS_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
--    {TLS_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
--    {TLS_RSA_WITH_NULL_SHA256,      cipher_null,   hmac_sha256, kea_rsa},
--    {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
--    {TLS_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
--    {TLS_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
-+    {TLS_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null, 0},
-+    {TLS_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa, 0},
-+    {TLS_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa, 0},
-+    {TLS_RSA_WITH_NULL_SHA256,      cipher_null,   hmac_sha256, kea_rsa, prf_256},
-+    {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export, 0},
-+    {TLS_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa, 0},
-+    {TLS_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa, 0},
-     {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
--                                    cipher_rc2_40, mac_md5, kea_rsa_export},
-+                                    cipher_rc2_40, mac_md5, kea_rsa_export, 0},
- #if 0 /* not implemented */
--    {TLS_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
-+    {TLS_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa, 0},
-     {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
--                                    cipher_des40,  mac_sha, kea_rsa_export},
-+                                    cipher_des40,  mac_sha, kea_rsa_export, 0},
- #endif
--    {TLS_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
--    {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
--    {TLS_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
-+    {TLS_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa, 0},
-+    {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa, 0},
-+    {TLS_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss, 0},
-     {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
--                                    cipher_3des,   mac_sha, kea_dhe_dss},
--    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
-+                                    cipher_3des,   mac_sha, kea_dhe_dss, 0},
-+    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss, 0},
- #if 0 /* not implemented */
-     {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
--                                    cipher_des40,  mac_sha, kea_dh_dss_export},
--    {TLS_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
--    {TLS_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
-+                                    cipher_des40,  mac_sha, kea_dh_dss_export, 0},
-+    {TLS_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss, 0},
-+    {TLS_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss, 0},
-     {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
--                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
--    {TLS_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
--    {TLS_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
-+                                    cipher_des40,  mac_sha, kea_dh_rsa_export, 0},
-+    {TLS_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa, 0},
-+    {TLS_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa, 0},
-     {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
--                                    cipher_des40,  mac_sha, kea_dh_dss_export},
-+                                    cipher_des40,  mac_sha, kea_dh_dss_export, 0},
-     {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
--                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
-+                                    cipher_des40,  mac_sha, kea_dh_rsa_export, 0},
- #endif
--    {TLS_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
-+    {TLS_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa, 0},
-     {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
--                                    cipher_3des,   mac_sha, kea_dhe_rsa},
-+                                    cipher_3des,   mac_sha, kea_dhe_rsa, 0},
- #if 0
--    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
-+    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export, 0},
-     {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
--                                    cipher_des40,  mac_sha, kea_dh_anon_export},
--    {TLS_DH_anon_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dh_anon},
--    {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des,   mac_sha, kea_dh_anon},
-+                                    cipher_des40,  mac_sha, kea_dh_anon_export, 0},
-+    {TLS_DH_anon_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dh_anon, 0},
-+    {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des,   mac_sha, kea_dh_anon, 0},
- #endif
- 
- 
- /* New TLS cipher suites */
--    {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa},
--    {TLS_RSA_WITH_AES_128_CBC_SHA256,	cipher_aes_128, hmac_sha256, kea_rsa},
--    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss},
--    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa},
--    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa},
--    {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa},
--    {TLS_RSA_WITH_AES_256_CBC_SHA256,	cipher_aes_256, hmac_sha256, kea_rsa},
--    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss},
--    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa},
--    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
-+    {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa, 0},
-+    {TLS_RSA_WITH_AES_128_CBC_SHA256,	cipher_aes_128, hmac_sha256, kea_rsa, prf_256},
-+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss, 0},
-+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa, 0},
-+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa, prf_256},
-+    {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa, 0},
-+    {TLS_RSA_WITH_AES_256_CBC_SHA256,	cipher_aes_256, hmac_sha256, kea_rsa, prf_256},
-+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss, 0},
-+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa, 0},
-+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa, prf_256},
- #if 0
--    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss},
--    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa},
--    {TLS_DH_anon_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
--    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss},
--    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa},
--    {TLS_DH_anon_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
-+    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss, 0},
-+    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa, 0},
-+    {TLS_DH_anon_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon, 0},
-+    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss, 0},
-+    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa, 0},
-+    {TLS_DH_anon_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon, 0},
- #endif
- 
--    {TLS_RSA_WITH_SEED_CBC_SHA,	    cipher_seed,   mac_sha, kea_rsa},
-+    {TLS_RSA_WITH_SEED_CBC_SHA,	    cipher_seed,   mac_sha, kea_rsa, 0},
- 
--    {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
-+    {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa, 0},
-     {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
--     cipher_camellia_128, mac_sha, kea_dhe_dss},
-+     cipher_camellia_128, mac_sha, kea_dhe_dss, 0},
-     {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
--     cipher_camellia_128, mac_sha, kea_dhe_rsa},
--    {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,	cipher_camellia_256, mac_sha, kea_rsa},
-+     cipher_camellia_128, mac_sha, kea_dhe_rsa, 0},
-+    {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,	cipher_camellia_256, mac_sha, kea_rsa, 0},
-     {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
--     cipher_camellia_256, mac_sha, kea_dhe_dss},
-+     cipher_camellia_256, mac_sha, kea_dhe_dss, 0},
-     {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
--     cipher_camellia_256, mac_sha, kea_dhe_rsa},
-+     cipher_camellia_256, mac_sha, kea_dhe_rsa, 0},
- 
-     {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
--                                    cipher_des,    mac_sha,kea_rsa_export_1024},
-+                                    cipher_des,    mac_sha,kea_rsa_export_1024, 0},
-     {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
--                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024},
-+                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0},
- 
--    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
--    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
-+    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0},
-+    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips, 0},
- 
--    {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
--    {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
-+    {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256},
-+    {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256},
-+#ifndef NSS_DISABLE_ECC
-     {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
-     {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
--
--    {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss},
--    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss},
--    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss},
-+    {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256},
-+    {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256},
-+    {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384},
-+    {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384},
-+    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384},
-+    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384},
-+#endif /* NSS_DISABLE_ECC */
-+    {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, prf_384},
-+    {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, prf_256},
-+    {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, prf_384},
-+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, prf_256},
-+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, prf_256},
-+    {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, prf_384},
-+
-+    {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, 0},
-+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, 0},
-+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, 0},
- 
- #ifndef NSS_DISABLE_ECC
--    {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
--    {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
--    {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
--    {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
--    {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
--
--    {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
--    {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
--    {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
--    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
--    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa},
--    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
--
--    {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa},
--    {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa},
--    {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa},
--    {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa},
--    {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa},
--
--    {TLS_ECDHE_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdhe_rsa},
--    {TLS_ECDHE_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdhe_rsa},
--    {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdhe_rsa},
--    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdhe_rsa},
--    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa},
--    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdhe_rsa},
-+    {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa, 0},
-+    {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa, 0},
-+    {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, 0},
-+    {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, 0},
-+    {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, 0},
-+
-+    {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa, 0},
-+    {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa, 0},
-+    {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa, 0},
-+    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa, 0},
-+    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa, prf_256},
-+    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa, 0},
-+
-+    {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa, 0},
-+    {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa, 0},
-+    {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa, 0},
-+    {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa, 0},
-+    {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa, 0},
-+
-+    {TLS_ECDHE_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdhe_rsa, 0},
-+    {TLS_ECDHE_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdhe_rsa, 0},
-+    {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdhe_rsa, 0},
-+    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdhe_rsa, 0},
-+    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa, prf_256},
-+    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdhe_rsa, 0},
- 
- #if 0
--    {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon},
--    {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon},
--    {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon},
--    {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon},
--    {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon},
-+    {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon, 0},
-+    {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon, 0},
-+    {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon, 0},
-+    {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon, 0},
-+    {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon, 0},
- #endif
- #endif /* NSS_DISABLE_ECC */
- };
-@@ -496,6 +523,7 @@ static const SSLCipher2Mech alg2Mech[] =
- #define mmech_md5_hmac CKM_MD5_HMAC
- #define mmech_sha_hmac CKM_SHA_1_HMAC
- #define mmech_sha256_hmac CKM_SHA256_HMAC
-+#define mmech_sha384_hmac CKM_SHA384_HMAC
- 
- static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
-     /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
-@@ -507,6 +535,7 @@ static const ssl3MACDef mac_defs[] = { /
-     {hmac_sha,  mmech_sha_hmac,   0,  SHA1_LENGTH},
-     {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
-     { mac_aead, mmech_invalid,    0,  0          },
-+    {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH}
- };
- 
- /* indexed by SSL3BulkCipher */
-@@ -655,19 +684,26 @@ ssl3_CipherSuiteAllowedForVersionRange(
-     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
-     case TLS_RSA_WITH_AES_256_CBC_SHA256:
-     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
-+    case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
-     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
-+    case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
-     case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
-     case TLS_RSA_WITH_AES_128_CBC_SHA256:
-     case TLS_RSA_WITH_AES_128_GCM_SHA256:
-+    case TLS_RSA_WITH_AES_256_GCM_SHA384:
-     case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
-     case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
-     case TLS_RSA_WITH_NULL_SHA256:
-         return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
- 
-     case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
-+    case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
-     case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
-+    case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
-     case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
-+    case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
-     case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
-+    case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
- 	return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
- 
-     /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
-@@ -2348,6 +2384,9 @@ ssl3_ComputeRecordMAC(
- 	case ssl_hmac_sha256: /* used with TLS */
- 	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
- 	    break;
-+	case ssl_hmac_sha384: /* used with TLS */
-+	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA384);
-+	    break;
- 	default:
- 	    break;
- 	}
-@@ -3592,6 +3631,18 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
-     return SECSuccess;
- }
- 
-+static CK_MECHANISM_TYPE
-+ssl3_GetPrfHashMechanism(sslSocket *ss)
-+{
-+   SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg;
-+
-+   if (prf_alg == 0)
-+	return CKM_SHA256;
-+    
-+   return prf_alg;
-+}
-+
-+
- /* This method completes the derivation of the MS from the PMS.
- **
- ** 1. Derive the MS, if possible, else return an error.
-@@ -3682,6 +3733,9 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
-     CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
-     unsigned int      master_params_len;
- 
-+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-+    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
-+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-     if (isTLS12) {
- 	if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
- 	else master_derive = CKM_TLS12_MASTER_KEY_DERIVE;
-@@ -3709,7 +3763,7 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
-     master_params.RandomInfo.pServerRandom     = sr;
-     master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
-     if (isTLS12) {
--        master_params.prfHashMechanism = CKM_SHA256;
-+        master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
-         master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
-     } else {
-         /* prfHashMechanism is not relevant with this PRF */
-@@ -3845,7 +3899,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P
- 	rv = PK11_ExtractKeyValue(pwSpec->master_secret);
- 	if (rv != SECSuccess) {
- 	    return rv;
--        }
-+	}
- 	/* This returns the address of the secItem inside the key struct,
- 	 * not a copy or a reference.  So, there's no need to free it.
- 	 */
-@@ -3954,7 +4008,7 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke
- 
-     if (isTLS12) {
- 	key_derive    = CKM_TLS12_KEY_AND_MAC_DERIVE;
--	key_material_params.prfHashMechanism = CKM_SHA256;
-+	key_material_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
- 	key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS);
-     } else if (isTLS) {
- 	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
-@@ -4032,7 +4086,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
- 	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
- 	    /* If we ever support ciphersuites where the PRF hash isn't SHA-256
- 	     * then this will need to be updated. */
--	    ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
-+	    HASH_HashType ht;
-+	    CK_MECHANISM_TYPE hm;
-+	    SECOidTag ot;
-+	    SECOidData *hashOid;
-+
-+	    hm = ssl3_GetPrfHashMechanism(ss);
-+	    hashOid = SECOID_FindOIDByMechanism(hm);
-+	    if (hashOid == NULL) {
-+	        ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+	        return SECFailure;
-+	    }
-+	    ot = hashOid->offset;
-+	    ht = HASH_GetHashTypeByOidTag(ot);
-+	    ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(ht);
- 	    if (!ss->ssl3.hs.sha_obj) {
- 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- 		return SECFailure;
-@@ -4055,9 +4122,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
- 	 * that the master secret will wind up in ...
- 	 */
- 	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
--	    /* If we ever support ciphersuites where the PRF hash isn't SHA-256
--	     * then this will need to be updated. */
--	    ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
-+	    /* determine the hash from the prf */
-+	    const SECOidData *hash_oid;
-+
-+	    PORT_Assert(ss->ssl3.hs.suite_def);
-+	    /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_alg)
-+	     * Convert that to the OidTag. We can then use that OidTag to create our
-+         * PK11Context */
-+	    hash_oid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-+	    PORT_Assert(hash_oid != NULL);
-+	    if (hash_oid == NULL) {
-+		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+		return SECFailure;
-+	    }
-+	    ss->ssl3.hs.sha = PK11_CreateDigestContext(hash_oid->offset);
- 	    if (ss->ssl3.hs.sha == NULL) {
- 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- 		return SECFailure;
-@@ -4378,6 +4456,11 @@ ssl3_AppendSignatureAndHashAlgorithm(
-     sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash)
- {
-     PRUint8 serialized[2];
-+    unsigned char hashAlg = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
-+    if (hashAlg == 0) {
-+	PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-+	return SECFailure;
-+    }
- 
-     serialized[0] = (PRUint8)sigAndHash->hashAlg;
-     serialized[1] = (PRUint8)sigAndHash->sigAlg;
-@@ -4499,6 +4582,7 @@ static const struct {
-     SECOidTag oid;
- } tlsHashOIDMap[] = {
-     { ssl_hash_sha1, SEC_OID_SHA1 },
-+    { ssl_hash_sha224, SEC_OID_SHA224 },
-     { ssl_hash_sha256, SEC_OID_SHA256 },
-     { ssl_hash_sha384, SEC_OID_SHA384 },
-     { ssl_hash_sha512, SEC_OID_SHA512 }
-@@ -4521,6 +4605,23 @@ ssl3_TLSHashAlgorithmToOID(SSLHashType h
-     return SEC_OID_UNKNOWN;
- }
- 
-+/* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm
-+ * identifier. If the hash is not recognised, zero is returned.
-+ *
-+ * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
-+static int
-+ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
-+	if (oid == tlsHashOIDMap[i].oid) {
-+	    return tlsHashOIDMap[i].tlsHash;
-+	}
-+    }
-+    return 0;
-+}
-+
- /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
-  * identifier for a given KeyType. */
- static SECStatus
-@@ -4843,6 +4944,11 @@ tls12_loser:
- 	unsigned char md5StackBuf[256];
- 	unsigned char shaStackBuf[512];
- 
-+	if (!spec->master_secret) {
-+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-+	    return SECFailure;
-+	}
-+
- 	md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
- 					    sizeof md5StackBuf, &md5StateLen);
- 	if (md5StateBuf == NULL) {
-@@ -6568,6 +6674,14 @@ ssl3_HandleServerHello(sslSocket *ss, SS
-     }
-     ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
- 
-+    /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
-+    rv = ssl3_InitHandshakeHashes(ss);
-+    if (rv != SECSuccess) {
-+	desc = internal_error;
-+	errCode = PORT_GetError();
-+	goto alert_loser;
-+    }
-+
-     /* Note that if !isTLS and the extra stuff is not extensions, we
-      * do NOT goto alert_loser.
-      * There are some old SSL 3.0 implementations that do send stuff
-@@ -8287,6 +8401,14 @@ compression_found:
-     suites.data = NULL;
-     comps.data = NULL;
- 
-+    /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
-+    rv = ssl3_InitHandshakeHashes(ss);
-+    if (rv != SECSuccess) {
-+	desc = internal_error;
-+	errCode = PORT_GetError();
-+	goto alert_loser;
-+    }
-+
-     ss->sec.send = ssl3_SendApplicationData;
- 
-     /* If there are any failures while processing the old sid,
-@@ -8857,6 +8979,15 @@ suite_found:
-     }
- 
-     ss->ssl3.hs.compression = ssl_compression_null;
-+
-+    /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
-+    rv = ssl3_InitHandshakeHashes(ss);
-+    if (rv != SECSuccess) {
-+	desc = internal_error;
-+	errCode = PORT_GetError();
-+	goto alert_loser;
-+    }
-+
-     ss->sec.send            = ssl3_SendApplicationData;
- 
-     /* we don't even search for a cache hit here.  It's just a miss. */
-@@ -9388,7 +9519,7 @@ ssl3_EncodeCertificateRequestSigAlgs(ssl
-         /* Note that we don't support a handshake hash with anything other than
-          * SHA-256, so asking for a signature from clients for something else
-          * would be inviting disaster. */
--        if (alg->hashAlg == ssl_hash_sha256) {
-+        if (alg->hashAlg == ssl_hash_sha256 /* || alg->hashAlg == ssl_hash_sha384*/) {
-             buf[(*len)++] = (PRUint8)alg->hashAlg;
-             buf[(*len)++] = (PRUint8)alg->sigAlg;
-         }
-@@ -10841,7 +10972,7 @@ done:
- }
- 
- static SECStatus
--ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
-+ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec,
- 			PRBool          isServer,
-                 const   SSL3Hashes   *  hashes,
-                         TLSFinished  *  tlsFinished)
-@@ -10864,7 +10995,7 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *
-     if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
- 	tls_mac_params.prfMechanism = CKM_TLS_PRF;
-     } else {
--	tls_mac_params.prfMechanism = CKM_SHA256;
-+	tls_mac_params.prfMechanism = ssl3_GetPrfHashMechanism(ss);
-     }
-     tls_mac_params.ulMacLength = 12;
-     tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
-@@ -11066,7 +11197,7 @@ ssl3_SendFinished(sslSocket *ss, PRInt32
-     isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
-     rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
-     if (isTLS && rv == SECSuccess) {
--	rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
-+	rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished);
-     }
-     ssl_ReleaseSpecReadLock(ss);
-     if (rv != SECSuccess) {
-@@ -11237,7 +11368,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
- 	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
- 	    return SECFailure;
- 	}
--	rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, 
-+	rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer, 
- 	                             hashes, &tlsFinished);
- 	if (!isServer)
- 	    ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
-diff -up ./lib/ssl/ssl3ecc.c.dhe_and_sha384 ./lib/ssl/ssl3ecc.c
---- ./lib/ssl/ssl3ecc.c.dhe_and_sha384	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/ssl3ecc.c	2016-02-14 07:51:49.915312514 -0800
-@@ -919,7 +919,9 @@ static const ssl3CipherSuite ecdhe_ecdsa
-     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
-     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-     0 /* end of list marker */
-@@ -930,7 +932,9 @@ static const ssl3CipherSuite ecdhe_rsa_s
-     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-     TLS_ECDHE_RSA_WITH_NULL_SHA,
-     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-     0 /* end of list marker */
-@@ -945,11 +949,15 @@ static const ssl3CipherSuite ecSuites[]
-     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
-     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-     TLS_ECDHE_RSA_WITH_NULL_SHA,
-     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-diff -up ./lib/ssl/ssl3prot.h.dhe_and_sha384 ./lib/ssl/ssl3prot.h
---- ./lib/ssl/ssl3prot.h.dhe_and_sha384	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/ssl3prot.h	2016-02-14 07:51:49.915312514 -0800
-@@ -217,6 +217,32 @@ typedef struct {
-     } u;
- } SSL3ServerParams;
- 
-+/* This enum reflects HashAlgorithm enum from
-+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-+ *
-+ * When updating, be sure to also update ssl3_TLSHashAlgorithmToOID. */
-+typedef enum {
-+    tls_hash_md5 = 1,
-+    tls_hash_sha1 = 2,
-+    tls_hash_sha224 = 3,
-+    tls_hash_sha256 = 4,
-+    tls_hash_sha384 = 5,
-+    tls_hash_sha512 = 6
-+} TLSHashAlgorithm;
-+
-+/* This enum reflects SignatureAlgorithm enum from
-+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
-+typedef enum {
-+    tls_sig_rsa = 1,
-+    tls_sig_dsa = 2,
-+    tls_sig_ecdsa = 3
-+} TLSSignatureAlgorithm;
-+
-+typedef struct {
-+    SECOidTag hashAlg;
-+    TLSSignatureAlgorithm sigAlg;
-+} SSL3SignatureAndHashAlgorithm;
-+
- /* SSL3HashesIndividually contains a combination MD5/SHA1 hash, as used in TLS
-  * prior to 1.2. */
- typedef struct {
-diff -up ./lib/ssl/sslenum.c.dhe_and_sha384 ./lib/ssl/sslenum.c
---- ./lib/ssl/sslenum.c.dhe_and_sha384	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslenum.c	2016-02-14 07:51:49.915312514 -0800
-@@ -48,23 +48,37 @@
-  */
- const PRUint16 SSL_ImplementedCiphers[] = {
- #ifndef NSS_DISABLE_ECC
--    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
--    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+    /* Ephemeral ECDH */
-+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-     /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
-      * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
-      */
--    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
--    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
--    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
--    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
--    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
- #endif /* NSS_DISABLE_ECC */
- 
-+    /* Ephemeral Finite Field DH */
-+    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-+    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
-+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-+    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-+    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
-     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-@@ -73,17 +87,12 @@ const PRUint16 SSL_ImplementedCiphers[]
-     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
-     TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
-     TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
--    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
--    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
--    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
--    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
--    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
--    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-     TLS_DHE_DSS_WITH_RC4_128_SHA,
- 
- #ifndef NSS_DISABLE_ECC
-+    /* Non ephemeral ECDH */
-     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-@@ -94,18 +103,20 @@ const PRUint16 SSL_ImplementedCiphers[]
-     TLS_ECDH_RSA_WITH_RC4_128_SHA,
- #endif /* NSS_DISABLE_ECC */
- 
-+    /* RSA */
-+    TLS_RSA_WITH_AES_256_GCM_SHA384,
-+    TLS_RSA_WITH_AES_256_CBC_SHA,
-+    TLS_RSA_WITH_AES_256_CBC_SHA256,
-+    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
-     TLS_RSA_WITH_AES_128_GCM_SHA256,
-     TLS_RSA_WITH_AES_128_CBC_SHA,
-     TLS_RSA_WITH_AES_128_CBC_SHA256,
-     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
--    TLS_RSA_WITH_AES_256_CBC_SHA,
--    TLS_RSA_WITH_AES_256_CBC_SHA256,
--    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
-     TLS_RSA_WITH_SEED_CBC_SHA,
--    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
-     TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-     TLS_RSA_WITH_RC4_128_SHA,
-     TLS_RSA_WITH_RC4_128_MD5,
-+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
- 
-     /* 56-bit DES "domestic" cipher suites */
-     TLS_DHE_RSA_WITH_DES_CBC_SHA,
-diff -up ./lib/ssl/sslimpl.h.dhe_and_sha384 ./lib/ssl/sslimpl.h
---- ./lib/ssl/sslimpl.h.dhe_and_sha384	2016-02-14 07:51:49.911312431 -0800
-+++ ./lib/ssl/sslimpl.h	2016-02-14 07:51:49.915312514 -0800
-@@ -64,6 +64,7 @@ typedef SSLSignType     SSL3SignType;
- #define hmac_md5	ssl_hmac_md5
- #define hmac_sha	ssl_hmac_sha
- #define hmac_sha256	ssl_hmac_sha256
-+#define hmac_sha384	ssl_hmac_sha384
- #define mac_aead	ssl_mac_aead
- 
- #define SET_ERROR_CODE		/* reminder */
-@@ -300,9 +301,9 @@ typedef struct {
- } ssl3CipherSuiteCfg;
- 
- #ifndef NSS_DISABLE_ECC
--#define ssl_V3_SUITES_IMPLEMENTED 64
-+#define ssl_V3_SUITES_IMPLEMENTED 71
- #else
--#define ssl_V3_SUITES_IMPLEMENTED 40
-+#define ssl_V3_SUITES_IMPLEMENTED 43
- #endif /* NSS_DISABLE_ECC */
- 
- #define MAX_DTLS_SRTP_CIPHER_SUITES 4
-@@ -486,10 +487,18 @@ typedef enum {
-     cipher_camellia_256,
-     cipher_seed,
-     cipher_aes_128_gcm,
-+    cipher_aes_256_gcm,
-     cipher_missing              /* reserved for no such supported cipher */
-     /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
- } SSL3BulkCipher;
- 
-+/* The TLS PRF definition */
-+typedef enum {
-+    prf_null = 0, /* use default prf */
-+    prf_256 = CKM_SHA256,
-+    prf_384 = CKM_SHA384
-+} SSL3PRF;
-+
- typedef enum { type_stream, type_block, type_aead } CipherType;
- 
- #define MAX_IV_LENGTH 24
-@@ -736,6 +745,7 @@ typedef struct ssl3CipherSuiteDefStr {
-     SSL3BulkCipher           bulk_cipher_alg;
-     SSL3MACAlgorithm         mac_alg;
-     SSL3KeyExchangeAlgorithm key_exchange_alg;
-+    SSL3PRF                  prf_alg;
- } ssl3CipherSuiteDef;
- 
- /*
-diff -up ./lib/ssl/sslinfo.c.dhe_and_sha384 ./lib/ssl/sslinfo.c
---- ./lib/ssl/sslinfo.c.dhe_and_sha384	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslinfo.c	2016-02-14 07:51:49.915312514 -0800
-@@ -160,6 +160,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc
- 
- #define M_AEAD_128 "AEAD", ssl_mac_aead, 128
- #define M_SHA256 "SHA256", ssl_hmac_sha256, 256
-+#define M_SHA384 "SHA384", ssl_hmac_sha384, 384
- #define M_SHA	"SHA1", ssl_mac_sha, 160
- #define M_MD5	"MD5",  ssl_mac_md5, 128
- #define M_NULL	"NULL", ssl_mac_null,  0
-@@ -242,8 +243,21 @@ static const SSLCipherSuiteInfo suiteInf
- {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
- {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
- {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
-+
-+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),  S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),    S_RSA,   K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384),  S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
-+{0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384),    S_RSA,   K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
-+
- #endif /* NSS_DISABLE_ECC */
- 
-+{0,CS(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
-+{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
-+{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
-+{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384),     S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
-+
- /* SSL 2 table */
- {0,CK(SSL_CK_RC4_128_WITH_MD5),               S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5),           S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
-diff -up ./lib/ssl/sslproto.h.dhe_and_sha384 ./lib/ssl/sslproto.h
---- ./lib/ssl/sslproto.h.dhe_and_sha384	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslproto.h	2016-02-14 07:51:49.916312535 -0800
-@@ -205,8 +205,11 @@
- #define TLS_RSA_WITH_SEED_CBC_SHA               0x0096
- 
- #define TLS_RSA_WITH_AES_128_GCM_SHA256         0x009C
-+#define TLS_RSA_WITH_AES_256_GCM_SHA384         0x009D
- #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     0x009E
-+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     0x009F
- #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     0x00A2
-+#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     0x00A3
- 
- /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
-  * Must NEVER be chosen by server.  SSL 3.0 server acknowledges by sending
-@@ -253,11 +256,15 @@
- #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA      0xC019
- 
- #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
-+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
- #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   0xC027
-+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   0xC028
- 
- #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
-+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
- #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256  0xC02D
- #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC02F
-+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   0xC030
- #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256    0xC031
- 
- /* Netscape "experimental" cipher suites. */
-diff -up ./lib/ssl/sslsecur.c.dhe_and_sha384 ./lib/ssl/sslsecur.c
---- ./lib/ssl/sslsecur.c.dhe_and_sha384	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslsecur.c	2016-02-14 07:51:49.916312535 -0800
-@@ -808,6 +808,11 @@ ssl_ConfigSecureServer(sslSocket *ss, CE
-             goto loser;
-         }
-      }
-+    if (kea == ssl_kea_dh || kea == ssl_kea_rsa) {
-+        if (ssl3_SelectDHParams(ss) != SECSuccess) {
-+            goto loser;
-+        }
-+     }
-     return SECSuccess;
- 
- loser:
-diff -up ./lib/ssl/sslt.h.dhe_and_sha384 ./lib/ssl/sslt.h
---- ./lib/ssl/sslt.h.dhe_and_sha384	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/ssl/sslt.h	2016-02-14 07:51:49.916312535 -0800
-@@ -114,7 +114,8 @@ typedef enum {
-     ssl_hmac_md5      = 3, 	/* TLS HMAC version of mac_md5 */
-     ssl_hmac_sha      = 4, 	/* TLS HMAC version of mac_sha */
-     ssl_hmac_sha256   = 5,
--    ssl_mac_aead      = 6
-+    ssl_mac_aead      = 6,
-+    ssl_hmac_sha384   = 7
- } SSLMACAlgorithm;
- 
- typedef enum {
diff --git a/SOURCES/disable-ems-gtests.patch b/SOURCES/disable-ems-gtests.patch
index 62ebf74..8824841 100644
--- a/SOURCES/disable-ems-gtests.patch
+++ b/SOURCES/disable-ems-gtests.patch
@@ -1,154 +1,10 @@
-diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc
---- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc
-+++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc
-@@ -516,134 +516,16 @@ TEST_P(TlsConnectStream, ShortRead) {
-   // Read the first tranche.
-   WAIT_(client_->received_bytes() == 1024, 2000);
-   ASSERT_EQ(1024U, client_->received_bytes());
-   // The second tranche should now immediately be available.
-   client_->ReadBytes();
-   ASSERT_EQ(1200U, client_->received_bytes());
- }
- 
--TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecret) {
--  EnableExtendedMasterSecret();
--  Connect();
--  ResetRsa();
--  ExpectResumption(RESUME_SESSIONID);
--  EnableExtendedMasterSecret();
--  Connect();
--}
--
--
--TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretStaticRSA) {
--  DisableDheAndEcdheCiphers();
--  EnableExtendedMasterSecret();
--  Connect();
--}
--
--// This test is stream so we can catch the bad_record_mac alert.
--TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusCKE) {
--  DisableDheAndEcdheCiphers();
--  EnableExtendedMasterSecret();
--  TlsInspectorReplaceHandshakeMessage* inspect =
--      new TlsInspectorReplaceHandshakeMessage(kTlsHandshakeClientKeyExchange,
--                                              DataBuffer(
--                                                  kBogusClientKeyExchange,
--                                                  sizeof(kBogusClientKeyExchange)));
--  client_->SetPacketFilter(inspect);
--  auto alert_recorder = new TlsAlertRecorder();
--  server_->SetPacketFilter(alert_recorder);
--  ConnectExpectFail();
--  EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
--  EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description());
--}
--
--// This test is stream so we can catch the bad_record_mac alert.
--TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionDetect) {
--  DisableDheAndEcdheCiphers();
--  EnableExtendedMasterSecret();
--  client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger(
--      server_));
--  auto alert_recorder = new TlsAlertRecorder();
--  server_->SetPacketFilter(alert_recorder);
--  ConnectExpectFail();
--  EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
--  EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description());
--}
--
--TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionIgnore) {
--  DisableDheAndEcdheCiphers();
--  EnableExtendedMasterSecret();
--  client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger(
--      server_));
--  server_->DisableRollbackDetection();
--  Connect();
--}
--
--TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretECDHE) {
--  EnableExtendedMasterSecret();
--  Connect();
--
--  ResetRsa();
--  EnableExtendedMasterSecret();
--  ExpectResumption(RESUME_SESSIONID);
--  Connect();
--}
--
--TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretTicket) {
--  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
--  EnableExtendedMasterSecret();
--  Connect();
--
--  ResetRsa();
--  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
--
--  EnableExtendedMasterSecret();
--  ExpectResumption(RESUME_TICKET);
--  Connect();
--}
--
--TEST_P(TlsConnectGeneric,
--       ConnectExtendedMasterSecretClientOnly) {
--  client_->EnableExtendedMasterSecret();
--  ExpectExtendedMasterSecret(false);
--  Connect();
--}
--
--TEST_P(TlsConnectGeneric,
--       ConnectExtendedMasterSecretServerOnly) {
--  server_->EnableExtendedMasterSecret();
--  ExpectExtendedMasterSecret(false);
--  Connect();
--}
--
--TEST_P(TlsConnectGeneric,
--       ConnectExtendedMasterSecretResumeWithout) {
--  EnableExtendedMasterSecret();
--  Connect();
--
--  ResetRsa();
--  server_->EnableExtendedMasterSecret();
--  auto alert_recorder = new TlsAlertRecorder();
--  server_->SetPacketFilter(alert_recorder);
--  ConnectExpectFail();
--  EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
--  EXPECT_EQ(kTlsAlertHandshakeFailure, alert_recorder->description());
--}
--
--TEST_P(TlsConnectGeneric,
--       ConnectNormalResumeWithExtendedMasterSecret) {
--  ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
--  ExpectExtendedMasterSecret(false);
--  Connect();
--
--  ResetRsa();
--  EnableExtendedMasterSecret();
--  ExpectResumption(RESUME_NONE);
--  Connect();
--}
--
- INSTANTIATE_TEST_CASE_P(VariantsStream10, TlsConnectGeneric,
-                         ::testing::Combine(
-                           TlsConnectTestBase::kTlsModesStream,
-                           TlsConnectTestBase::kTlsV10));
- INSTANTIATE_TEST_CASE_P(VariantsAll, TlsConnectGeneric,
-                         ::testing::Combine(
-                           TlsConnectTestBase::kTlsModesAll,
-                           TlsConnectTestBase::kTlsV11V12));
-diff --git a/external_tests/ssl_gtest/ssl_prf_unittest.cc b/external_tests/ssl_gtest/ssl_prf_unittest.cc
---- a/external_tests/ssl_gtest/ssl_prf_unittest.cc
-+++ b/external_tests/ssl_gtest/ssl_prf_unittest.cc
-@@ -201,53 +201,9 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) {
-   CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
- 
-   // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
-   CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
- 
-   // !CKM_TLS_PRF && seed length != hash output length
+diff -up nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests nss/gtests/pk11_gtest/pk11_prf_unittest.cc
+--- nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests	2017-01-16 10:19:10.073459080 +0100
++++ nss/gtests/pk11_gtest/pk11_prf_unittest.cc	2017-01-16 10:21:40.408011066 +0100
+@@ -193,37 +193,4 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) {
    CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
  }
--
+ 
 -// Test matrix:
 -//
 -//            DH  RSA
@@ -156,40 +12,42 @@ diff --git a/external_tests/ssl_gtest/ssl_prf_unittest.cc b/external_tests/ssl_g
 -//  SHA256    3   4
 -TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
 -  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
--                     CKM_TLS_PRF,
--                     nullptr,
--                     kExpectedOutputEmsTlsPrf);
+-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_TLS_PRF,
+-                     nullptr, kExpectedOutputEmsTlsPrf);
 -}
 -
 -TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
 -  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
--                     CKM_TLS_PRF,
--                     &pms_version_,
--                     kExpectedOutputEmsTlsPrf);
+-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF,
+-                     &pms_version_, kExpectedOutputEmsTlsPrf);
 -  EXPECT_EQ(0, pms_version_.major);
 -  EXPECT_EQ(1, pms_version_.minor);
 -}
 -
--
 -TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
 -  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
--                     CKM_SHA256,
--                     nullptr,
--                     kExpectedOutputEmsSha256);
+-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_SHA256,
+-                     nullptr, kExpectedOutputEmsSha256);
 -}
 -
 -TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
 -  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
--                     CKM_SHA256,
--                     &pms_version_,
--                     kExpectedOutputEmsSha256);
+-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_SHA256,
+-                     &pms_version_, kExpectedOutputEmsSha256);
 -  EXPECT_EQ(0, pms_version_.major);
 -  EXPECT_EQ(1, pms_version_.minor);
 -}
 -
  }  // namespace nss_test
--
+diff -up nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests nss/gtests/ssl_gtest/manifest.mn
+--- nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests	2017-01-16 10:20:33.838983251 +0100
++++ nss/gtests/ssl_gtest/manifest.mn	2017-01-16 10:20:36.802895453 +0100
+@@ -21,7 +21,6 @@ CPPSRCS = \
+       ssl_dhe_unittest.cc \
+       ssl_drop_unittest.cc \
+       ssl_ecdh_unittest.cc \
+-      ssl_ems_unittest.cc \
+       ssl_exporter_unittest.cc \
+       ssl_extension_unittest.cc \
+       ssl_fuzz_unittest.cc \
+diff -up nss/gtests/ssl_gtest/ssl_ems_unittest.cc.disable_ems_gtests nss/gtests/ssl_gtest/ssl_ems_unittest.cc
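Review bot: The rewritten patch ends, as far as this hunk shows, with a bare `diff -up nss/gtests/ssl_gtest/ssl_ems_unittest.cc.disable_ems_gtests ...` header that has no `---`/`+++` lines or hunk after it, so it changes nothing and reads as if a hunk was lost. It should be dropped. The effective change is removing `ssl_ems_unittest.cc` from `CPPSRCS` and the four `ExtendedMs*` PRF tests, and nothing in the patch says when they come back. Patch files allow free text before the first `diff` line, so a header such as `Remove together with disable-extended-master-secret-with-old-softoken.patch once softokn supports EMS.` would tie the two workarounds together.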
diff --git a/SOURCES/disable-extended-master-secret-with-old-softoken.patch b/SOURCES/disable-extended-master-secret-with-old-softoken.patch
index b385819..fdcc416 100644
--- a/SOURCES/disable-extended-master-secret-with-old-softoken.patch
+++ b/SOURCES/disable-extended-master-secret-with-old-softoken.patch
@@ -1,33 +1,33 @@
-diff -up ./lib/ssl/sslsock.c.disable-ems ./lib/ssl/sslsock.c
---- ./lib/ssl/sslsock.c.disable-ems	2016-02-04 16:49:04.148123592 -0800
-+++ ./lib/ssl/sslsock.c	2016-02-04 16:50:15.483801476 -0800
-@@ -85,6 +85,7 @@ static sslOptions ssl_defaults = {
-     PR_TRUE,    /* reuseServerECDHEKey */
-     PR_FALSE,   /* enableFallbackSCSV */
-     PR_TRUE,    /* enableServerDhe */
+diff -up nss/lib/ssl/sslsock.c.disable-ems nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.disable-ems	2017-01-13 17:33:07.226905929 +0100
++++ nss/lib/ssl/sslsock.c	2017-01-13 17:35:19.175659702 +0100
+@@ -75,6 +75,7 @@ static sslOptions ssl_defaults = {
+     PR_TRUE,               /* reuseServerECDHEKey */
+     PR_FALSE,              /* enableFallbackSCSV */
+     PR_TRUE,               /* enableServerDhe */
 +/* Keep extended-master-secret disabled until we have a compatible softokn. */
-     PR_FALSE    /* enableExtendedMS    */
- };
+     PR_FALSE,              /* enableExtendedMS    */
+     PR_FALSE,              /* enableSignedCertTimestamps */
+     PR_FALSE,              /* requireDHENamedGroups */
+@@ -766,7 +767,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+             break;
  
-@@ -848,7 +849,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
-         break;
- 
-       case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+         case SSL_ENABLE_EXTENDED_MASTER_SECRET:
 +#if 0
 +/* No-Op until we have a compatible softokn. */
-         ss->opt.enableExtendedMS = on;
+             ss->opt.enableExtendedMS = on;
 +#endif
-         break;
+             break;
  
-       default:
-@@ -1192,7 +1203,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
-         break;
+         case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+@@ -1199,7 +1203,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+             break;
  
-       case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+         case SSL_ENABLE_EXTENDED_MASTER_SECRET:
 +#if 0
 +/* No-Op until we have a compatible softokn. */
-         ssl_defaults.enableExtendedMS = on;
+             ssl_defaults.enableExtendedMS = on;
 +#endif
-         break;
+             break;
  
-       default:
+         case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
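Review bot: With the assignment under `#if 0`, the `SSL_ENABLE_EXTENDED_MASTER_SECRET` case in `SSL_OptionSet` goes straight to `break`, so a caller passing `PR_TRUE` presumably gets the same status as before while the option stays off. The same applies to the `SSL_OptionSetDefault` case. Extended master secret binds the master secret to the handshake transcript, so an application that depends on it needs a way to notice that the request was ignored. Both functions continue outside the hunk, so the return path cannot be confirmed here. At minimum the comment should state the behaviour, e.g. `/* No-op until we have a compatible softokn: the request is accepted but EMS stays disabled; verify with SSL_OptionGet(). */`.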
diff --git a/SOURCES/disable-pss.patch b/SOURCES/disable-pss.patch
new file mode 100644
index 0000000..1ae9630
--- /dev/null
+++ b/SOURCES/disable-pss.patch
@@ -0,0 +1,72 @@
+diff -up nss/lib/ssl/ssl3con.c.disable_pss nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.disable_pss	2017-02-17 11:44:34.969825045 +0100
++++ nss/lib/ssl/ssl3con.c	2017-02-17 11:44:34.973824961 +0100
+@@ -177,9 +177,15 @@ static const SSLSignatureScheme defaultS
+     ssl_sig_ecdsa_secp384r1_sha384,
+     ssl_sig_ecdsa_secp521r1_sha512,
+     ssl_sig_ecdsa_sha1,
++#if 0
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+     ssl_sig_rsa_pss_sha256,
+     ssl_sig_rsa_pss_sha384,
+     ssl_sig_rsa_pss_sha512,
++#endif
+     ssl_sig_rsa_pkcs1_sha256,
+     ssl_sig_rsa_pkcs1_sha384,
+     ssl_sig_rsa_pkcs1_sha512,
+@@ -4622,9 +4628,16 @@ ssl_IsSupportedSignatureScheme(SSLSignat
+         case ssl_sig_rsa_pkcs1_sha256:
+         case ssl_sig_rsa_pkcs1_sha384:
+         case ssl_sig_rsa_pkcs1_sha512:
++            return PR_TRUE;
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+         case ssl_sig_rsa_pss_sha256:
+         case ssl_sig_rsa_pss_sha384:
+         case ssl_sig_rsa_pss_sha512:
++            return PR_FALSE;
++
+         case ssl_sig_ecdsa_secp256r1_sha256:
+         case ssl_sig_ecdsa_secp384r1_sha384:
+         case ssl_sig_ecdsa_secp521r1_sha512:
+diff -up nss/lib/ssl/sslcert.c.disable_pss nss/lib/ssl/sslcert.c
+--- nss/lib/ssl/sslcert.c.disable_pss	2017-01-30 02:06:08.000000000 +0100
++++ nss/lib/ssl/sslcert.c	2017-02-17 11:44:34.973824961 +0100
+@@ -399,7 +399,13 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
+     PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
+ 
+     if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
++#if 0
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+         (data->authType == ssl_auth_rsa_pss && ku_sig) ||
++#endif
+         (data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
+         return ssl_ConfigCert(ss, cert, keyPair, data);
+     }
+@@ -416,12 +422,18 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
+             return rv;
+         }
+ 
++#if 0
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+         /* This certificate is RSA, assume that it's also PSS. */
+         data->authType = ssl_auth_rsa_pss;
+         rv = ssl_ConfigCert(ss, cert, keyPair, data);
+         if (rv != SECSuccess) {
+             return rv;
+         }
++#endif
+     }
+ 
+     if (ku_enc) {
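Review bot: RSA-PSS is switched off at four sites by two different mechanisms, which makes it easy to revert only some of them once bug 1311950 is fixed. The sites are `#if 0` in `defaultSignatureSchemes`, an added `return PR_FALSE` in `ssl_IsSupportedSignatureScheme`, and two `#if 0` blocks in `ssl_ConfigRsaPkcs1CertByUsage`. A single compile-time switch defined once by this patch would keep them in step. The workaround is also unconditional, while the cited bug concerns tokens that do not support RSA-PSS, so the repeated comment should say that, e.g. `/* RSA-PSS is disabled for every token, not only those lacking it; revert all four sites together. */`. If this build can negotiate a protocol version that requires PSS for RSA signatures, RSA authentication there would be affected too, but that cannot be confirmed here because the array and both functions continue outside their hunks.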
diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
index 0ee13bb..72c0cb4 100644
--- a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
+++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
@@ -1,36 +1,21 @@
-diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
---- a/lib/pk11wrap/pk11pars.c
-+++ b/lib/pk11wrap/pk11pars.c
-@@ -159,16 +159,20 @@ SECMOD_CreateModuleEx(const char *librar
-     if (parameters) {
- 	mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters);
-     }
-     if (config) {
- 	/* XXX: Apply configuration */
-     }
-     mod->internal   = NSSUTIL_ArgHasFlag("flags","internal",nssc);
-     mod->isFIPS     = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
+diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode	2017-01-13 17:01:05.278296965 +0100
++++ nss/lib/pk11wrap/pk11pars.c	2017-01-13 17:04:52.968903200 +0100
+@@ -672,6 +672,10 @@ SECMOD_CreateModuleEx(const char *librar
+ 
+     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
+     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
 +    /* if the system FIPS mode is enabled, force FIPS to be on */
 +    if (SECMOD_GetSystemFIPSEnabled()) {
 +	mod->isFIPS = PR_TRUE;
 +    }
-     mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
-     slotParams      = NSSUTIL_ArgGetParamValue("slotParams",nssc);
-     mod->slotInfo   = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
- 							&mod->slotInfoCount);
-     if (slotParams) PORT_Free(slotParams);
-     /* new field */
-     mod->trustOrder  = NSSUTIL_ArgReadLong("trustOrder",nssc,
- 					NSSUTIL_DEFAULT_TRUST_ORDER,NULL);
-diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
---- a/lib/pk11wrap/pk11util.c
-+++ b/lib/pk11wrap/pk11util.c
-@@ -90,16 +90,35 @@ SECMOD_Shutdown()
- #endif
-     if (secmod_PrivateModuleCount) {
-     	PORT_SetError(SEC_ERROR_BUSY);
- 	return SECFailure;
-     }
+     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
+     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
+     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
+diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
+--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode	2017-01-13 17:01:05.278296965 +0100
++++ nss/lib/pk11wrap/pk11util.c	2017-01-13 17:06:24.171723872 +0100
+@@ -94,6 +94,26 @@ SECMOD_Shutdown()
      return SECSuccess;
  }
  
@@ -53,76 +38,42 @@ diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
 +#endif
 +    return 0;
 +}
- 
++
  /*
   * retrieve the internal module
   */
- SECMODModule *
- SECMOD_GetInternalModule(void)
- {
-    return internalModule;
-@@ -412,17 +431,17 @@ SECMOD_DeleteModule(const char *name, in
-  */
- SECStatus
- SECMOD_DeleteInternalModule(const char *name) 
- {
-     SECMODModuleList *mlp;
+@@ -427,7 +447,7 @@ SECMOD_DeleteInternalModule(const char *
      SECMODModuleList **mlpp;
      SECStatus rv = SECFailure;
  
 -    if (pendingModule) {
 +    if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
- 	PORT_SetError(SEC_ERROR_MODULE_STUCK);
- 	return rv;
-     }
-     if (!moduleLock) {
-     	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- 	return rv;
+         PORT_SetError(SEC_ERROR_MODULE_STUCK);
+         return rv;
      }
- 
-@@ -883,17 +902,17 @@ SECMOD_DestroyModuleList(SECMODModuleLis
-     SECMODModuleList *lp;
- 
-     for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ;
- }
- 
+@@ -902,7 +922,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
  PRBool
  SECMOD_CanDeleteInternalModule(void)
  {
--    return (PRBool) (pendingModule == NULL);
+-    return (PRBool)(pendingModule == NULL);
 +    return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
  }
  
  /*
-  * check to see if the module has added new slots. PKCS 11 v2.20 allows for
-  * modules to add new slots, but never remove them. Slots cannot be added 
-  * between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent
-  * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
-  * grow on the caller. It is permissible for the slots to increase between
-diff --git a/lib/pk11wrap/secmodi.h b/lib/pk11wrap/secmodi.h
---- a/lib/pk11wrap/secmodi.h
-+++ b/lib/pk11wrap/secmodi.h
-@@ -108,17 +108,22 @@ SECStatus PBE_PK11ParamToAlgid(SECOidTag
- PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot,
- 	CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType, 
- 	int keySize, SECItem *keyId, CK_FLAGS opFlags, 
- 	PK11AttrFlags attrFlags, void *wincx);
- 
+diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
+--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode	2017-01-13 17:01:05.278296965 +0100
++++ nss/lib/pk11wrap/secmodi.h	2017-01-13 17:07:08.897624098 +0100
+@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
  CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
-                    SECItem **param, SECItem *pwd, PRBool faulty3DES);
+                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
  
--
 +/* Get the state of the system FIPS mode */
 +/* NSS uses this to force FIPS mode if the system bit is on. Applications which
 + * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
 + * from FIPS mode will automatically be told that they can't swith out of FIPS
 + * mode */
 +int SECMOD_GetSystemFIPSEnabled();
- 
++
  extern void pk11sdr_Init(void);
  extern void pk11sdr_Shutdown(void);
  
- /*
-  * Private to pk11wrap.
-  */
- 
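Review bot: The prototype added to secmodi.h, `int SECMOD_GetSystemFIPSEnabled();`, declares a function with unspecified parameters. In C it should be `int SECMOD_GetSystemFIPSEnabled(void);` so that a call with arguments is diagnosed. The comment above it names `SECMOD_CanDeleteInteral()` and says "swith", whereas the function changed in this same patch is `SECMOD_CanDeleteInternalModule`, and the comment should use that name. Only the tail of `SECMOD_GetSystemFIPSEnabled` (`#endif` / `return 0;`) is visible in this hunk. If a failed read of the system flag also ends in `return 0`, the function reports non-FIPS on error, and that fail-open choice deserves a line in the comment.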
diff --git a/SOURCES/fix-allowed-sig-alg.patch b/SOURCES/fix-allowed-sig-alg.patch
deleted file mode 100644
index ca908b6..0000000
--- a/SOURCES/fix-allowed-sig-alg.patch
+++ /dev/null
@@ -1,90 +0,0 @@
---- nss/lib/ssl/ssl3con.prekai	2016-03-23 08:29:25.000000000 -0400
-+++ nss/lib/ssl/ssl3con.c	2016-03-29 15:00:44.457697131 -0400
-@@ -204,6 +204,7 @@
-     {ssl_hash_sha512, ssl_sign_ecdsa},
-     {ssl_hash_sha1, ssl_sign_ecdsa},
- #endif
-+    {ssl_hash_sha384, ssl_sign_dsa},
-     {ssl_hash_sha256, ssl_sign_dsa},
-     {ssl_hash_sha1, ssl_sign_dsa}
- };
-@@ -270,27 +271,6 @@
-     ct_DSS_sign,
- };
- 
--/* This block is the contents of the supported_signature_algorithms field of
-- * our TLS 1.2 CertificateRequest message, in wire format. See
-- * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-- *
-- * We only support TLS 1.2
-- * CertificateVerify messages that use the handshake PRF hash. */
--static const PRUint8 supported_signature_algorithms_sha256[] = {
--    tls_hash_sha256, tls_sig_rsa,
--#ifndef NSS_DISABLE_ECC
--    tls_hash_sha256, tls_sig_ecdsa,
--#endif
--    tls_hash_sha256, tls_sig_dsa,
--};
--static const PRUint8 supported_signature_algorithms_sha384[] = {
--    tls_hash_sha384, tls_sig_rsa,
--#ifndef NSS_DISABLE_ECC
--    tls_hash_sha384, tls_sig_ecdsa,
--#endif
--    tls_hash_sha384, tls_sig_dsa,
--};
--
- #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
- 
- 
-@@ -9561,7 +9541,8 @@
- }
- 
- static SECStatus
--ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf,
-+ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 allowedHashAlg,
-+                                     PRUint8 *buf,
-                                      unsigned maxLen, PRUint32 *len)
- {
-     unsigned int i;
-@@ -9578,7 +9559,7 @@
-         /* Note that we don't support a handshake hash with anything other than
-          * SHA-256, so asking for a signature from clients for something else
-          * would be inviting disaster. */
--        if (alg->hashAlg == ssl_hash_sha256 || alg->hashAlg == ssl_hash_sha384) {
-+        if (alg->hashAlg == allowedHashAlg) {
-             buf[(*len)++] = (PRUint8)alg->hashAlg;
-             buf[(*len)++] = (PRUint8)alg->sigAlg;
-         }
-@@ -9608,6 +9589,7 @@
-     PRUint8        sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2];
-     unsigned int   sigAlgsLength = 0;
-     SECOidData *hashOid;
-+    PRUint8        allowedHashAlg;
- 
-     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
- 		SSL_GETPID(), ss->fd));
-@@ -9639,19 +9621,19 @@
-     if (hashOid == NULL) {
- 	return SECFailure; 		/* err set by AppendHandshake. */
-     }
-+
-     if (hashOid->offset == SEC_OID_SHA256) {
--	sigAlgsLength = sizeof supported_signature_algorithms_sha256;
--    PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha256, sigAlgsLength);
-+        allowedHashAlg = ssl_hash_sha256;
-     } else if (hashOid->offset == SEC_OID_SHA384) {
--	sigAlgsLength = sizeof supported_signature_algorithms_sha384;
--    PORT_Memcpy(sigAlgs, supported_signature_algorithms_sha384, sigAlgsLength);
-+        allowedHashAlg = ssl_hash_sha384;
-     } else {
- 	return SECFailure; 		/* err set by AppendHandshake. */
-     }
- 
-     length = 1 + certTypesLength + 2 + calen;
-     if (isTLS12) {
--        rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs),
-+        rv = ssl3_EncodeCertificateRequestSigAlgs(ss, allowedHashAlg,
-+                                                  sigAlgs, sizeof(sigAlgs),
-                                                   &sigAlgsLength);
-         if (rv != SECSuccess) {
-             return rv;
diff --git a/SOURCES/fix-nss-test-filtering.patch b/SOURCES/fix-nss-test-filtering.patch
deleted file mode 100644
index 43714d5..0000000
--- a/SOURCES/fix-nss-test-filtering.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/tests/all.sh b/tests/all.sh
---- a/tests/all.sh
-+++ b/tests/all.sh
-@@ -106,17 +106,18 @@
- ############################## run_tests ###############################
- # run test suites defined in TESTS variable, skip scripts defined in
- # TESTS_SKIP variable
- ########################################################################
- run_tests()
- {
-     for TEST in ${TESTS}
-     do
--        echo "${TESTS_SKIP}" | grep "${TEST}" > /dev/null
-+        echo "Checking if ${TEST} should be skipped based on skip list [${TESTS_SKIP}]"
-+        echo "${TESTS_SKIP}" | grep -w "${TEST}" > /dev/null
-         if [ $? -eq 0 ]; then
-             continue
-         fi
- 
-         SCRIPTNAME=${TEST}.sh
-         echo "Running tests for ${TEST}"
-         echo "TIMESTAMP ${TEST} BEGIN: `date`" 
-         (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1)
diff --git a/SOURCES/fix-reuse-of-session-cache-entry.patch b/SOURCES/fix-reuse-of-session-cache-entry.patch
deleted file mode 100644
index 7262fee..0000000
--- a/SOURCES/fix-reuse-of-session-cache-entry.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/lib/ssl/sslnonce.c b/lib/ssl/sslnonce.c
---- a/lib/ssl/sslnonce.c
-+++ b/lib/ssl/sslnonce.c
-@@ -279,19 +279,17 @@ ssl_LookupSID(const PRIPv6Addr *addr, PR
- 		   (((peerID == NULL) && (sid->peerID == NULL)) ||
- 		    ((peerID != NULL) && (sid->peerID != NULL) &&
- 		     PORT_Strcmp(sid->peerID, peerID) == 0)) &&
- 		   /* is cacheable */
- 		   (sid->version < SSL_LIBRARY_VERSION_3_0 ||
- 		    sid->u.ssl3.keys.resumable) &&
- 		   /* server hostname matches. */
- 	           (sid->urlSvrName != NULL) &&
--		   ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) ||
--		    ((sid->peerCert != NULL) && (SECSuccess == 
--		      CERT_VerifyCertName(sid->peerCert, urlSvrName))) )
-+		   (0 == PORT_Strcmp(urlSvrName, sid->urlSvrName))
- 		  ) {
- 	    /* Hit */
- 	    sid->lastAccessTime = now;
- 	    sid->references++;
- 	    break;
- 	} else {
- 	    sidp = &sid->next;
- 	}
diff --git a/SOURCES/flexible-certverify.patch b/SOURCES/flexible-certverify.patch
deleted file mode 100644
index 481a07f..0000000
--- a/SOURCES/flexible-certverify.patch
+++ /dev/null
@@ -1,1136 +0,0 @@
-diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc
---- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc
-+++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc
-@@ -318,23 +318,21 @@ TEST_P(TlsConnectPre12, SignatureAlgorit
-   ResetEcdsa();
-   client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
-                                   PR_ARRAY_SIZE(SignatureEcdsaSha384));
-   server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
-                                   PR_ARRAY_SIZE(SignatureEcdsaSha256));
-   Connect();
- }
- 
--// The server requests client auth but doesn't offer a SHA-256 option.
--// This fails because NSS only uses SHA-256 for handshake transcript hashes.
--TEST_P(TlsConnectTls12, RequestClientAuthWithoutSha256) {
-+TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) {
-   server_->SetSignatureAlgorithms(SignatureRsaSha384,
-                                   PR_ARRAY_SIZE(SignatureRsaSha384));
-   server_->RequestClientAuth(false);
--  ConnectExpectFail();
-+  Connect();
- }
- 
- TEST_P(TlsConnectGeneric, ConnectAlpn) {
-   EnableAlpn();
-   Connect();
-   client_->CheckAlpn(SSL_NEXT_PROTO_SELECTED, "a");
-   server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a");
- }
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -3636,16 +3636,29 @@ ssl3_GetPrfHashMechanism(sslSocket *ss)
-    SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg;
- 
-    if (prf_alg == 0)
- 	return CKM_SHA256;
-     
-    return prf_alg;
- }
- 
-+static SSLHashType
-+ssl3_GetSuitePrfHash(sslSocket *ss)
-+{
-+    switch (ss->ssl3.hs.suite_def->prf_alg) {
-+        case CKM_SHA384:
-+            return ssl_hash_sha384;
-+        case 0:
-+        case CKM_SHA256:
-+        default:
-+            return ssl_hash_sha256;
-+    }
-+}
-+
- 
- /* This method completes the derivation of the MS from the PMS.
- **
- ** 1. Derive the MS, if possible, else return an error.
- **
- ** 2. Check the version if |pms_version| is non-zero and if wrong,
- **    return an error.
- **
-@@ -3813,17 +3826,17 @@ tls_ComputeExtendedMasterSecretInt(sslSo
-         master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH;
-     } else {
-         master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE;
-         pms_version_ptr = &pms_version;
-     }
- 
-     if (pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
-         /* TLS 1.2 */
--        extended_master_params.prfHashMechanism = CKM_SHA256;
-+        extended_master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
-         key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
-     } else {
-         /* TLS < 1.2 */
-         extended_master_params.prfHashMechanism = CKM_TLS_PRF;
- 	key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
-     }
- 
-     extended_master_params.pVersion = pms_version_ptr;
-@@ -4071,20 +4084,23 @@ loser:
- /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
-  * buffered messages in ss->ssl3.hs.messages. */
- static SECStatus
- ssl3_InitHandshakeHashes(sslSocket *ss)
- {
-     SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
- 
-     PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
-+    if (ss->version == SSL_LIBRARY_VERSION_TLS_1_2) {
-+        ss->ssl3.hs.hashType = handshake_hash_record;
-+    } else
- #ifndef NO_PKCS11_BYPASS
-     if (ss->opt.bypassPKCS11) {
- 	PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
--	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
-+	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
- 	    /* If we ever support ciphersuites where the PRF hash isn't SHA-256
- 	     * then this will need to be updated. */
- 	    HASH_HashType ht;
- 	    CK_MECHANISM_TYPE hm;
- 	    SECOidTag ot;
- 	    SECOidData *hashOid;
- 
- 	    hm = ssl3_GetPrfHashMechanism(ss);
-@@ -4112,17 +4128,17 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
- #endif
-     {
- 	PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
- 	/*
- 	 * note: We should probably lookup an SSL3 slot for these
- 	 * handshake hashes in hopes that we wind up with the same slots
- 	 * that the master secret will wind up in ...
- 	 */
--	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
-+	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
- 	    /* determine the hash from the prf */
- 	    const SECOidData *hash_oid;
- 
- 	    PORT_Assert(ss->ssl3.hs.suite_def);
- 	    /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_alg)
- 	     * Convert that to the OidTag. We can then use that OidTag to create our
-          * PK11Context */
- 	    hash_oid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-@@ -4137,38 +4153,16 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
- 		return SECFailure;
- 	    }
- 	    ss->ssl3.hs.hashType = handshake_hash_single;
- 
- 	    if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
- 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- 		return SECFailure;
- 	    }
--
--	    /* Create a backup SHA-1 hash for a potential client auth
--	     * signature.
--	     *
--	     * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
--	     * handshake hash function (SHA-256). If the server or the client
--	     * does not support SHA-256 as a signature hash, we can either
--	     * maintain a backup SHA-1 handshake hash or buffer all handshake
--	     * messages.
--	     */
--	    if (!ss->sec.isServer) {
--		ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
--		if (ss->ssl3.hs.backupHash == NULL) {
--		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
--		    return SECFailure;
--		}
--
--		if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) {
--		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
--		    return SECFailure;
--		}
--	    }
- 	} else {
- 	    /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
- 	     * created successfully. */
- 	    ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
- 	    if (ss->ssl3.hs.md5 == NULL) {
- 		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- 		return SECFailure;
- 	    }
-@@ -4187,26 +4181,23 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
- 	    }
- 	    if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
- 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- 		return SECFailure;
- 	    }
- 	}
-     }
- 
--    if (ss->ssl3.hs.messages.len > 0) {
--	if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
--				       ss->ssl3.hs.messages.len) !=
--	    SECSuccess) {
--	    return SECFailure;
--	}
--	PORT_Free(ss->ssl3.hs.messages.buf);
--	ss->ssl3.hs.messages.buf = NULL;
--	ss->ssl3.hs.messages.len = 0;
--	ss->ssl3.hs.messages.space = 0;
-+    if (ss->ssl3.hs.hashType != handshake_hash_record &&
-+        ss->ssl3.hs.messages.len > 0) {
-+        if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
-+                                       ss->ssl3.hs.messages.len) != SECSuccess) {
-+            return SECFailure;
-+        }
-+        sslBuffer_Clear(&ss->ssl3.hs.messages);
-     }
- 
-     return SECSuccess;
- }
- 
- static SECStatus 
- ssl3_RestartHandshakeHashes(sslSocket *ss)
- {
-@@ -4237,66 +4228,71 @@ ssl3_RestartHandshakeHashes(sslSocket *s
- /* Called from	ssl3_InitHandshakeHashes()
- **		ssl3_AppendHandshake()
- **		ssl3_StartHandshakeHash()
- **		ssl3_HandleV2ClientHello()
- **		ssl3_HandleHandshakeMessage()
- ** Caller must hold the ssl3Handshake lock.
- */
- static SECStatus
--ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
--			   unsigned int l)
-+ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, unsigned int l)
- {
-     SECStatus  rv = SECSuccess;
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
- 
--    /* We need to buffer the handshake messages until we have established
--     * which handshake hash function to use. */
--    if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
--	return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
-+    /* With TLS 1.3, and versions TLS.1.1 and older, we keep the hash(es)
-+     * always up to date. However, we must initially buffer the handshake
-+     * messages, until we know what to do.
-+     * If ss->ssl3.hs.hashType != handshake_hash_unknown,
-+     * it means we know what to do. We calculate (hash our input),
-+     * and we stop appending to the buffer.
-+     *
-+     * With TLS 1.2, we always append all handshake messages,
-+     * and never update the hash, because the hash function we must use for
-+     * certificate_verify might be different from the hash function we use
-+     * when signing other handshake hashes. */
-+
-+    if (ss->ssl3.hs.hashType == handshake_hash_unknown ||
-+        ss->ssl3.hs.hashType == handshake_hash_record) {
-+        return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
-     }
- 
-     PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
- 
- #ifndef NO_PKCS11_BYPASS
-     if (ss->opt.bypassPKCS11) {
- 	if (ss->ssl3.hs.hashType == handshake_hash_single) {
--	    ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
--	} else {
-+        PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
-+        ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
-+    } else if (ss->ssl3.hs.hashType == handshake_hash_combo) {
- 	    MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
- 	    SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
- 	}
- 	return rv;
-     }
- #endif
-     if (ss->ssl3.hs.hashType == handshake_hash_single) {
--	rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
--	if (rv != SECSuccess) {
--	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
--	    return rv;
--	}
--	if (ss->ssl3.hs.backupHash) {
--	    rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l);
--	    if (rv != SECSuccess) {
--		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
--		return rv;
--	    }
--	}
--    } else {
--	rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
--	if (rv != SECSuccess) {
--	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
--	    return rv;
--	}
--	rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
--	if (rv != SECSuccess) {
--	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
--	    return rv;
--	}
-+        PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
-+        rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
-+        if (rv != SECSuccess) {
-+            ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+            return rv;
-+        }
-+    } else if (ss->ssl3.hs.hashType == handshake_hash_combo) {
-+        rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
-+        if (rv != SECSuccess) {
-+            ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-+            return rv;
-+        }
-+        rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
-+        if (rv != SECSuccess) {
-+            ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-+            return rv;
-+        }
-     }
-     return rv;
- }
- 
- /**************************************************************************
-  * Append Handshake functions.
-  * All these functions set appropriate error codes.
-  * Most rely on ssl3_AppendHandshake to set the error code.
-@@ -4759,16 +4755,68 @@ ssl3_ConsumeSignatureAndHashAlgorithm(ss
-     }
-     return SECSuccess;
- }
- 
- /**************************************************************************
-  * end of Consume Handshake functions.
-  **************************************************************************/
- 
-+#ifndef NO_PKCS11_BYPASS
-+static SECStatus
-+ssl3_ComputeBypassHandshakeHash(unsigned char *buf, unsigned int len,
-+                                SSLHashType hashAlg, SSL3Hashes *hashes)
-+{
-+    const SECHashObject *h_obj = NULL;
-+    PRUint64 h_cx[MAX_MAC_CONTEXT_LLONGS];
-+    const SECOidData *hashOid =
-+        SECOID_FindOIDByMechanism(ssl3_GetHashMechanismByHashType(hashAlg));
-+
-+    if (hashOid) {
-+        h_obj = HASH_GetRawHashObject(HASH_GetHashTypeByOidTag(hashOid->offset));
-+    }
-+    if (!h_obj) {
-+        ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+        return SECFailure;
-+    }
-+    h_obj->begin(h_cx);
-+    h_obj->update(h_cx, buf, len);
-+    h_obj->end(h_cx, hashes->u.raw, &hashes->len, sizeof(hashes->u.raw));
-+    PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len));
-+    hashes->hashAlg = hashAlg;
-+    return SECSuccess;
-+}
-+#endif
-+
-+static SECStatus
-+ssl3_ComputePkcs11HandshakeHash(unsigned char *buf, unsigned int len,
-+                                SSLHashType hashAlg, SSL3Hashes *hashes)
-+{
-+    SECStatus rv = SECFailure;
-+    PK11Context *hashContext = PK11_CreateDigestContext(
-+        ssl3_TLSHashAlgorithmToOID(hashAlg));
-+
-+    if (!hashContext) {
-+        return rv;
-+    }
-+    rv = PK11_DigestBegin(hashContext);
-+    if (rv == SECSuccess) {
-+        rv = PK11_DigestOp(hashContext, buf, len);
-+    }
-+    if (rv == SECSuccess) {
-+        rv = PK11_DigestFinal(hashContext, hashes->u.raw, &hashes->len,
-+                              sizeof(hashes->u.raw));
-+    }
-+    if (rv == SECSuccess) {
-+        hashes->hashAlg = hashAlg;
-+    }
-+    PK11_DestroyContext(hashContext, PR_TRUE);
-+    return rv;
-+}
-+
- /* Extract the hashes of handshake messages to this point.
-  * Called from ssl3_SendCertificateVerify
-  *             ssl3_SendFinished
-  *             ssl3_HandleHandshakeMessage
-  *
-  * Caller must hold the SSL3HandshakeLock.
-  * Caller must hold a read or write lock on the Spec R/W lock.
-  *	(There is presently no way to assert on a Read lock.)
-@@ -4798,23 +4846,27 @@ ssl3_ComputeHandshakeHashes(sslSocket * 
- 	ss->ssl3.hs.hashType == handshake_hash_single) {
- 	/* compute them without PKCS11 */
- 	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
- 
- 	ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
- 	ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
- 				 sizeof(hashes->u.raw));
- 
--	PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
--
--	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
--	 * then this will need to be updated. */
--	hashes->hashAlg = ssl_hash_sha256;
-+	PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len));
-+
-+	hashes->hashAlg = ssl3_GetSuitePrfHash(ss);
- 	rv = SECSuccess;
--    } else if (ss->opt.bypassPKCS11) {
-+    } else if (ss->opt.bypassPKCS11 &&
-+               ss->ssl3.hs.hashType == handshake_hash_record) {
-+        rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf,
-+                                             ss->ssl3.hs.messages.len,
-+                                             ssl3_GetSuitePrfHash(ss),
-+                                             hashes);
-+    } else if (ss->opt.bypassPKCS11) { /* TLS 1.1 or lower */
- 	/* compute them without PKCS11 */
- 	PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
- 	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
- 
- #define md5cx ((MD5Context *)md5_cx)
- #define shacx ((SHA1Context *)sha_cx)
- 
- 	MD5_Clone (md5cx,  (MD5Context *)ss->ssl3.hs.md5_cx);
-@@ -4942,16 +4994,21 @@ tls12_loser:
- 	    if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
- 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- 		rv = SECFailure;
- 	    }
- 	    if (stateBuf != stackBuf) {
- 		PORT_ZFree(stateBuf, stateLen);
- 	    }
- 	}
-+    } else if (ss->ssl3.hs.hashType == handshake_hash_record) {
-+        rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf,
-+                                             ss->ssl3.hs.messages.len,
-+                                             ssl3_GetSuitePrfHash(ss),
-+                                             hashes);
-     } else {
- 	/* compute hashes with PKCS11 */
- 	PK11Context * md5;
- 	PK11Context * sha       = NULL;
- 	unsigned char *md5StateBuf = NULL;
- 	unsigned char *shaStateBuf = NULL;
- 	unsigned int  md5StateLen, shaStateLen;
- 	unsigned char md5StackBuf[256];
-@@ -5096,41 +5153,16 @@ tls12_loser:
- 	    if (shaStateBuf != shaStackBuf) {
- 		PORT_ZFree(shaStateBuf, shaStateLen);
- 	    }
- 	}
-     }
-     return rv;
- }
- 
--static SECStatus
--ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
--				  SSL3Hashes * hashes) /* output goes here. */
--{
--    SECStatus rv = SECSuccess;
--
--    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
--    PORT_Assert( !ss->sec.isServer );
--    PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
--
--    rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
--			  sizeof(hashes->u.raw));
--    if (rv != SECSuccess) {
--	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
--	rv = SECFailure;
--	goto loser;
--    }
--    hashes->hashAlg = ssl_hash_sha1;
--
--loser:
--    PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
--    ss->ssl3.hs.backupHash = NULL;
--    return rv;
--}
--
- /*
-  * SSL 2 based implementations pass in the initial outbound buffer
-  * so that the handshake hash can contain the included information.
-  *
-  * Called from ssl2_BeginClientHandshake() in sslcon.c
-  */
- SECStatus
- ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
-@@ -6451,26 +6483,44 @@ ssl3_SendCertificateVerify(sslSocket *ss
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
- 
-     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
- 		SSL_GETPID(), ss->fd));
- 
-     ssl_GetSpecReadLock(ss);
--    if (ss->ssl3.hs.hashType == handshake_hash_single &&
--	ss->ssl3.hs.backupHash) {
--	rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
--	PORT_Assert(!ss->ssl3.hs.backupHash);
-+
-+    if (ss->ssl3.hs.hashType == handshake_hash_record &&
-+        ss->ssl3.hs.tls12CertVerifyHash != ssl3_GetSuitePrfHash(ss)) {
-+#ifndef NO_PKCS11_BYPASS
-+        if (ss->opt.bypassPKCS11) {
-+            rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf,
-+                                                 ss->ssl3.hs.messages.len,
-+                                                 ss->ssl3.hs.tls12CertVerifyHash,
-+                                                 &hashes);
-+        } else
-+#endif
-+        {
-+            rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf,
-+                                                 ss->ssl3.hs.messages.len,
-+                                                 ss->ssl3.hs.tls12CertVerifyHash,
-+                                                 &hashes);
-+        }
-+        if (rv != SECSuccess) {
-+            ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-+            goto done;
-+        }
-     } else {
--	rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
--    }
-+        rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
-+    }
-+
-     ssl_ReleaseSpecReadLock(ss);
-     if (rv != SECSuccess) {
--	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
-+        goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
-     }
- 
-     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
-     keyType = ss->ssl3.clientPrivateKey->keyType;
-     rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
-     if (rv == SECSuccess) {
- 	PK11SlotInfo * slot;
-@@ -7249,88 +7299,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss,
-     }
- 
- done:
-     if (pubk)
- 	SECKEY_DestroyPublicKey(pubk);
-     return rv;
- }
- 
--/* Destroys the backup handshake hash context if we don't need it. Note that
-- * this function selects the hash algorithm for client authentication
-- * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
-- * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */
- static void
--ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
--					   const SECItem *algorithms)
--{
--    SECStatus rv;
--    SSLSignType sigAlg;
--    PRBool preferSha1;
--    PRBool supportsSha1 = PR_FALSE;
--    PRBool supportsHandshakeHash = PR_FALSE;
--    PRBool needBackupHash = PR_FALSE;
--    unsigned int i;
--    SECOidData *hashOid;
--    TLSHashAlgorithm suitePRFHash;
--    PRBool suitePRFIs256Or384 = PR_FALSE;
--
--#ifndef NO_PKCS11_BYPASS
--    /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
--    if (ss->opt.bypassPKCS11) {
--	PORT_Assert(!ss->ssl3.hs.backupHash);
--	return;
--    }
--#endif
--    PORT_Assert(ss->ssl3.hs.backupHash);
--
--    /* Determine the key's signature algorithm and whether it prefers SHA-1. */
--    rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
--    if (rv != SECSuccess) {
--	goto done;
--    }
--
--    hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
--    if (hashOid == NULL) {
--        rv = SECFailure;
--	goto done;
--    }
--
--    if (hashOid->offset == SEC_OID_SHA256) {
--	suitePRFHash = tls_hash_sha256;
--	suitePRFIs256Or384 = PR_TRUE;
--    } else if (hashOid->offset == SEC_OID_SHA384) {
--	suitePRFHash = tls_hash_sha384;
--	suitePRFIs256Or384 = PR_TRUE;
--    } 
--
--    /* Determine the server's hash support for that signature algorithm. */
--    for (i = 0; i < algorithms->len; i += 2) {
--	if (algorithms->data[i+1] == sigAlg) {
--	    if (algorithms->data[i] == ssl_hash_sha1) {
--		supportsSha1 = PR_TRUE;
--	    } else if (suitePRFIs256Or384 &&
--	               algorithms->data[i] == suitePRFHash) {
--		supportsHandshakeHash = PR_TRUE;
--	    }
--	}
--    }
--
--    /* If either the server does not support SHA-256 or the client key prefers
--     * SHA-1, leave the backup hash. */
--    if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) {
--	needBackupHash = PR_TRUE;
--    }
--
--done:
--    if (!needBackupHash) {
--	PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
--	ss->ssl3.hs.backupHash = NULL;
--    }
--}
-+ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms);
- 
- typedef struct dnameNode {
-     struct dnameNode *next;
-     SECItem           name;
- } dnameNode;
- 
- /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
-  * ssl3 Certificate Request message.
-@@ -7486,19 +7466,20 @@ ssl3_HandleCertificateRequest(sslSocket 
- 					certUsageSSLClient, PR_FALSE);
- 	if (ss->ssl3.clientCertChain == NULL) {
- 	    CERT_DestroyCertificate(ss->ssl3.clientCertificate);
- 	    ss->ssl3.clientCertificate = NULL;
- 	    SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
- 	    ss->ssl3.clientPrivateKey = NULL;
- 	    goto send_no_certificate;
- 	}
--	if (ss->ssl3.hs.hashType == handshake_hash_single) {
--	    ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
--	}
-+    if (ss->ssl3.hs.hashType == handshake_hash_record ||
-+        ss->ssl3.hs.hashType == handshake_hash_single) {
-+        ssl3_DecideTls12CertVerifyHash(ss, &algorithms);
-+    }
- 	break;	/* not an error */
- 
-     case SECFailure:
-     default:
- send_no_certificate:
- 	if (isTLS) {
- 	    ss->ssl3.sendEmptyCert = PR_TRUE;
- 	} else {
-@@ -7639,24 +7620,16 @@ ssl3_SendClientSecondRound(sslSocket *ss
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
- 
-     sendClientCert = !ss->ssl3.sendEmptyCert &&
- 		     ss->ssl3.clientCertChain  != NULL &&
- 		     ss->ssl3.clientPrivateKey != NULL;
- 
--    if (!sendClientCert &&
--	ss->ssl3.hs.hashType == handshake_hash_single &&
--	ss->ssl3.hs.backupHash) {
--	/* Don't need the backup handshake hash. */
--	PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
--	ss->ssl3.hs.backupHash = NULL;
--    }
--
-     /* We must wait for the server's certificate to be authenticated before
-      * sending the client certificate in order to disclosing the client
-      * certificate to an attacker that does not have a valid cert for the
-      * domain we are connecting to.
-      *
-      * XXX: We should do the same for the NPN extension, but for that we
-      * need an option to give the application the ability to leak the NPN
-      * information to get better performance.
-@@ -9415,16 +9388,69 @@ ssl3_PickSignatureHashAlgorithm(sslSocke
-             }
-         }
-     }
- 
-     PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-     return SECFailure;
- }
- 
-+static void
-+ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms)
-+{
-+    SECStatus rv;
-+    SSLSignType sigAlg;
-+    PRBool preferSha1 = PR_FALSE;
-+    PRBool supportsSha1 = PR_FALSE;
-+    PRBool supportsHandshakeHash = PR_FALSE;
-+    unsigned int i;
-+    SSLHashType otherHashAlg = ssl_hash_none;
-+
-+    /* Determine the key's signature algorithm and whether it prefers SHA-1. */
-+    rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
-+    if (rv != SECSuccess) {
-+        return;
-+    }
-+
-+    /* Determine the server's hash support for that signature algorithm. */
-+    for (i = 0; i < algorithms->len; i += 2) {
-+        if (algorithms->data[i + 1] == sigAlg) {
-+            SSLHashType hashAlg = algorithms->data[i];
-+            SECOidTag hashOID;
-+            PRUint32 policy;
-+            if (hashAlg == ssl_hash_sha1 &&
-+                ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
-+                /* TLS 1.3 explicitly forbids using SHA-1 with certificate_verify. */
-+                continue;
-+            }
-+            hashOID = ssl3_TLSHashAlgorithmToOID(hashAlg);
-+            if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
-+                !(policy & NSS_USE_ALG_IN_SSL_KX)) {
-+                /* we ignore hashes we don't support */
-+                continue;
-+            }
-+            if (hashAlg == ssl_hash_sha1) {
-+                supportsSha1 = PR_TRUE;
-+            } else if (hashAlg == ssl3_GetSuitePrfHash(ss)) {
-+                supportsHandshakeHash = PR_TRUE;
-+            }
-+            if (otherHashAlg == ssl_hash_none) {
-+                otherHashAlg = hashAlg;
-+            }
-+        }
-+    }
-+
-+    if (supportsSha1 && preferSha1) {
-+        ss->ssl3.hs.tls12CertVerifyHash = ssl_hash_sha1;
-+    } else if (supportsHandshakeHash) {
-+        ss->ssl3.hs.tls12CertVerifyHash = ssl3_GetSuitePrfHash(ss); /* Use suite PRF hash. */
-+    } else {
-+        ss->ssl3.hs.tls12CertVerifyHash = otherHashAlg;
-+    }
-+}
- 
- static SECStatus
- ssl3_SendServerKeyExchange(sslSocket *ss)
- {
-     const ssl3KEADef * kea_def     = ss->ssl3.hs.kea_def;
-     SECStatus          rv          = SECFailure;
-     int                length;
-     PRBool             isTLS;
-@@ -9534,38 +9560,32 @@ ssl3_SendServerKeyExchange(sslSocket *ss
-     }
- loser:
-     if (signed_hash.data != NULL) 
-     	PORT_Free(signed_hash.data);
-     return SECFailure;
- }
- 
- static SECStatus
--ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 allowedHashAlg,
--                                     PRUint8 *buf,
-+ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf,
-                                      unsigned maxLen, PRUint32 *len)
- {
-     unsigned int i;
- 
-     PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2);
-     if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) {
-         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-         return SECFailure;
-     }
- 
-     *len = 0;
-     for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
-         const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i];
--        /* Note that we don't support a handshake hash with anything other than
--         * SHA-256, so asking for a signature from clients for something else
--         * would be inviting disaster. */
--        if (alg->hashAlg == allowedHashAlg) {
--            buf[(*len)++] = (PRUint8)alg->hashAlg;
--            buf[(*len)++] = (PRUint8)alg->sigAlg;
--        }
-+        buf[(*len)++] = (PRUint8)alg->hashAlg;
-+        buf[(*len)++] = (PRUint8)alg->sigAlg;
-     }
- 
-     if (*len == 0) {
-         PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
-         return SECFailure;
-     }
-     return SECSuccess;
- }
-@@ -9582,17 +9602,16 @@ ssl3_SendCertificateRequest(sslSocket *s
-     int            length;
-     int            i;
-     int            calen	= 0;
-     int            nnames	= 0;
-     int            certTypesLength;
-     PRUint8        sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2];
-     unsigned int   sigAlgsLength = 0;
-     SECOidData *hashOid;
--    PRUint8        allowedHashAlg;
- 
-     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
- 		SSL_GETPID(), ss->fd));
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
- 
-     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
-@@ -9615,27 +9634,19 @@ ssl3_SendCertificateRequest(sslSocket *s
-     certTypes       = certificate_types;
-     certTypesLength = sizeof certificate_types;
- 
-     hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-     if (hashOid == NULL) {
- 	return SECFailure; 		/* err set by AppendHandshake. */
-     }
- 
--    if (hashOid->offset == SEC_OID_SHA256) {
--        allowedHashAlg = ssl_hash_sha256;
--    } else if (hashOid->offset == SEC_OID_SHA384) {
--        allowedHashAlg = ssl_hash_sha384;
--    } else {
--	return SECFailure; 		/* err set by AppendHandshake. */
--    }
--
-     length = 1 + certTypesLength + 2 + calen;
-     if (isTLS12) {
--        rv = ssl3_EncodeCertificateRequestSigAlgs(ss, allowedHashAlg,
-+        rv = ssl3_EncodeCertificateRequestSigAlgs(ss,
-                                                   sigAlgs, sizeof(sigAlgs),
-                                                   &sigAlgsLength);
-         if (rv != SECSuccess) {
-             return rv;
-         }
-         length += 2 + sigAlgsLength;
-     }
- 
-@@ -9696,70 +9707,89 @@ ssl3_SendServerHelloDone(sslSocket *ss)
- static SECStatus
- ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
- 			     SSL3Hashes *hashes)
- {
-     SECItem              signed_hash = {siBuffer, NULL, 0};
-     SECStatus            rv;
-     int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
-     SSL3AlertDescription desc        = handshake_failure;
--    PRBool               isTLS, isTLS12;
-+    PRBool               isTLS;
-     SSLSignatureAndHashAlg sigAndHash;
-+    SSL3Hashes localHashes;
-+    SSL3Hashes *hashesForVerify = NULL;
- 
-     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
- 		SSL_GETPID(), ss->fd));
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
- 
-+    /* TLS 1.3 is handled by tls13_HandleCertificateVerify */
-+    PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2);
-+
-     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
--    isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
- 
-     if (ss->ssl3.hs.ws != wait_cert_verify) {
- 	desc    = unexpected_message;
- 	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
- 	goto alert_loser;
-     }
- 
--    if (!hashes) {
--        PORT_Assert(0);
--	desc    = internal_error;
--	errCode = SEC_ERROR_LIBRARY_FAILURE;
--	goto alert_loser;
--    }
--
--    if (isTLS12) {
-+    if (ss->ssl3.hs.hashType != handshake_hash_record) {
-+        if (!hashes) {
-+            PORT_Assert(0);
-+            desc = internal_error;
-+            errCode = SEC_ERROR_LIBRARY_FAILURE;
-+            goto alert_loser;
-+        }
-+        hashesForVerify = hashes;
-+    } else {
- 	rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
- 						   &sigAndHash);
- 	if (rv != SECSuccess) {
- 	    goto loser;	/* malformed or unsupported. */
- 	}
- 	rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
-             ss, &sigAndHash, ss->sec.peerCert);
- 	if (rv != SECSuccess) {
- 	    errCode = PORT_GetError();
- 	    desc = decrypt_error;
- 	    goto alert_loser;
- 	}
- 
--	/* We only support CertificateVerify messages that use the handshake
--	 * hash. */
--        if (sigAndHash.hashAlg != hashes->hashAlg) {
--	    errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM;
-+#ifndef NO_PKCS11_BYPASS
-+        if (ss->opt.bypassPKCS11) {
-+            rv = ssl3_ComputeBypassHandshakeHash(hashes->u.pointer_to_hash_input.data,
-+                                                 hashes->u.pointer_to_hash_input.len,
-+                                                 sigAndHash.hashAlg,
-+                                                 &localHashes);
-+        } else
-+#endif
-+        {
-+            rv = ssl3_ComputePkcs11HandshakeHash(hashes->u.pointer_to_hash_input.data,
-+                                                 hashes->u.pointer_to_hash_input.len,
-+                                                 sigAndHash.hashAlg,
-+                                                 &localHashes);
-+        }
-+        if (rv == SECSuccess) {
-+            hashesForVerify = &localHashes;
-+        } else {
-+            errCode = SSL_ERROR_DIGEST_FAILURE;
- 	    desc = decrypt_error;
- 	    goto alert_loser;
- 	}
-     }
- 
-     rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
-     if (rv != SECSuccess) {
- 	goto loser;		/* malformed. */
-     }
- 
-     /* XXX verify that the key & kea match */
--    rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
-+    rv = ssl3_VerifySignedHashes(hashesForVerify, ss->sec.peerCert, &signed_hash,
- 				 isTLS, ss->pkcs11PinArg);
-     if (rv != SECSuccess) {
-     	errCode = PORT_GetError();
- 	desc = isTLS ? decrypt_error : handshake_failure;
- 	goto alert_loser;
-     }
- 
-     signed_hash.data = NULL;
-@@ -11638,34 +11668,63 @@ SECStatus
- ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- {
-     SECStatus         rv 	= SECSuccess;
-     SSL3HandshakeType type 	= ss->ssl3.hs.msg_type;
-     SSL3Hashes        hashes;	/* computed hashes are put here. */
-     SSL3Hashes       *hashesPtr = NULL;  /* Set when hashes are computed */
-     PRUint8           hdr[4];
-     PRUint8           dtlsData[8];
-+    PRBool computeHashes = PR_FALSE;
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-     /*
-      * We have to compute the hashes before we update them with the
-      * current message.
-      */
-     ssl_GetSpecReadLock(ss);	/************************************/
--    if(((type == finished) && (ss->ssl3.hs.ws == wait_finished)) ||
--       ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify))) {
--	SSL3Sender      sender = (SSL3Sender)0;
--	ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
--
--	if (type == finished) {
--	    sender = ss->sec.isServer ? sender_client : sender_server;
--	    rSpec  = ss->ssl3.crSpec;
--	}
--	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
-+
-+    if ((type == finished) && (ss->ssl3.hs.ws == wait_finished)) {
-+        computeHashes = PR_TRUE;
-+    } else if ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify)) {
-+        if (ss->ssl3.hs.hashType == handshake_hash_record) {
-+            /* We cannot compute the hash yet. We must wait until we have
-+             * decoded the certificate_verify message in
-+             * ssl3_HandleCertificateVerify, which will tell us which
-+             * hash function we must use.
-+             *
-+             * (ssl3_HandleCertificateVerify cannot simply look at the
-+             * buffer length itself, because at the time we reach it,
-+             * additional handshake messages will have been added to the
-+             * buffer, e.g. the certificate_verify message itself.)
-+             *
-+             * Therefore, we use SSL3Hashes.u.pointer_to_hash_input
-+             * to signal the current state of the buffer.
-+             *
-+             * ssl3_HandleCertificateVerify will detect
-+             *     hashType == handshake_hash_record
-+             * and use that information to calculate the hash.
-+             */
-+            hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf;
-+            hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len;
-+            hashesPtr = &hashes;
-+        } else {
-+            computeHashes = PR_TRUE;
-+        }
-+    }
-+    if (computeHashes) {
-+        SSL3Sender      sender = (SSL3Sender)0;
-+        ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
-+
-+        if (type == finished) {
-+            sender = ss->sec.isServer ? sender_client : sender_server;
-+            rSpec  = ss->ssl3.crSpec;
-+        }
-+        rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
-         if (rv == SECSuccess) {
-             hashesPtr = &hashes;
-         }
-     }
-     ssl_ReleaseSpecReadLock(ss); /************************************/
-     if (rv != SECSuccess) {
- 	return rv;	/* error code was set by ssl3_ComputeHandshakeHashes*/
-     }
-@@ -13080,20 +13139,17 @@ ssl3_DestroySSL3Info(sslSocket *ss)
-     }
-     if (ss->ssl3.hs.sha) {
- 	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
-     }
-     if (ss->ssl3.hs.clientSigAndHash) {
- 	PORT_Free(ss->ssl3.hs.clientSigAndHash);
-     }
-     if (ss->ssl3.hs.messages.buf) {
--    	PORT_Free(ss->ssl3.hs.messages.buf);
--	ss->ssl3.hs.messages.buf = NULL;
--	ss->ssl3.hs.messages.len = 0;
--	ss->ssl3.hs.messages.space = 0;
-+        sslBuffer_Clear(&ss->ssl3.hs.messages);
-     }
- 
-     /* free the SSL3Buffer (msg_body) */
-     PORT_Free(ss->ssl3.hs.msg_body.buf);
- 
-     SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
- 
-     /* free up the CipherSpecs */
-diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h
---- a/lib/ssl/ssl3prot.h
-+++ b/lib/ssl/ssl3prot.h
-@@ -254,16 +254,17 @@ typedef struct {
-  * which, if |hashAlg==ssl_hash_none| is also a SSL3HashesIndividually
-  * struct. */
- typedef struct {
-     unsigned int len;
-     SSLHashType hashAlg;
-     union {
-         PRUint8 raw[64];
-         SSL3HashesIndividually s;
-+        SECItem pointer_to_hash_input;
-     } u;
- } SSL3Hashes;
- 
- typedef struct {
-     union {
-         SSL3Opaque anonymous;
-         SSL3Hashes certified;
-     } u;
-diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
---- a/lib/ssl/sslimpl.h
-+++ b/lib/ssl/sslimpl.h
-@@ -847,17 +847,18 @@ typedef struct DTLSQueuedMessageStr {
-     SSL3ContentType type; /* The message type */
-     unsigned char *data;  /* The data */
-     PRUint16 len;         /* The data length */
- } DTLSQueuedMessage;
- 
- typedef enum {
-     handshake_hash_unknown = 0,
-     handshake_hash_combo = 1,  /* The MD5/SHA-1 combination */
--    handshake_hash_single = 2  /* A single hash */
-+    handshake_hash_single = 2, /* A single hash */
-+    handshake_hash_record
- } SSL3HandshakeHashType;
- 
- /*
- ** This is the "hs" member of the "ssl3" struct.
- ** This entire struct is protected by ssl3HandshakeLock
- */
- typedef struct SSL3HandshakeStateStr {
-     SSL3Random            server_random;
-@@ -880,22 +881,19 @@ typedef struct SSL3HandshakeStateStr {
-      * of the freebl <HASH>_Clone functions, so we need a dedicated function
-      * pointer for the <HASH>_Clone function. */
-     void (*sha_clone)(void *dest, void *src);
- #endif
-     /* PKCS #11 mode:
-      * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
-      * |sha| for SHA-1.
-      * TLS 1.2 and later use only |sha|, for SHA-256. */
--    /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
--     * handshake hash for generating client auth signatures. Confusingly, the
--     * backup hash function is SHA-1. */
--#define backupHash md5
-     PK11Context *         md5;
-     PK11Context *         sha;
-+    SSLHashType tls12CertVerifyHash;
- 
- const ssl3KEADef *        kea_def;
-     ssl3CipherSuite       cipher_suite;
- const ssl3CipherSuiteDef *suite_def;
-     SSLCompressionMethod  compression;
-     sslBuffer             msg_body;    /* protected by recvBufLock */
-                                /* partial handshake message from record layer */
-     unsigned int          header_bytes; 
-@@ -1452,16 +1450,17 @@ extern SECStatus ssl_SaveWriteData(sslSo
-                                    const void* p, unsigned int l);
- extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
- extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
- extern int       ssl_Do1stHandshake(sslSocket *ss);
- 
- extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
- extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data, 
- 		                  unsigned int len);
-+extern void sslBuffer_Clear(sslBuffer *b);
- 
- extern void      ssl2_UseClearSendFunc(sslSocket *ss);
- extern void      ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
- 
- extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
- extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, 
-                                    const char *peerID, const char *urlSvrName);
- extern void      ssl_FreeSID(sslSessionID *sid);
-diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c
---- a/lib/ssl/sslsecur.c
-+++ b/lib/ssl/sslsecur.c
-@@ -528,16 +528,27 @@ sslBuffer_Append(sslBuffer *b, const voi
-     rv = sslBuffer_Grow(b, newLen);
-     if (rv != SECSuccess)
-     	return rv;
-     PORT_Memcpy(b->buf + b->len, data, len);
-     b->len += len;
-     return SECSuccess;
- }
- 
-+void
-+sslBuffer_Clear(sslBuffer *b)
-+{
-+    if (b->len > 0) {
-+        PORT_Free(b->buf);
-+        b->buf = NULL;
-+        b->len = 0;
-+        b->space = 0;
-+    }
-+}
-+
- /*
- ** Save away write data that is trying to be written before the security
- ** handshake has been completed. When the handshake is completed, we will
- ** flush this data out.
- ** Caller must hold xmitBufLock
- */
- SECStatus 
- ssl_SaveWriteData(sslSocket *ss, const void *data, unsigned int len)
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index c032c77..5c1ed4c 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -188,9 +188,9 @@ diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
  
  
  #######################################################################
-diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile
---- ./nss/external_tests/ssl_gtest/Makefile.iquote	2016-02-18 21:51:23.746893964 -0500
-+++ ./nss/external_tests/ssl_gtest/Makefile	2016-02-18 21:52:32.825583479 -0500
+diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
+--- ./nss/gtests/ssl_gtest/Makefile.iquote	2016-02-18 21:51:23.746893964 -0500
++++ ./nss/gtests/ssl_gtest/Makefile	2016-02-18 21:52:32.825583479 -0500
 @@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
  # (6) Execute "component" rules. (OPTIONAL)                           #
  #######################################################################
diff --git a/SOURCES/moz-1314604.patch b/SOURCES/moz-1314604.patch
deleted file mode 100644
index 7d27f67..0000000
--- a/SOURCES/moz-1314604.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-diff -up ./lib/ssl/ssl3con.c.moz-1314604 ./lib/ssl/ssl3con.c
---- ./lib/ssl/ssl3con.c.moz-1314604	2016-11-07 21:30:40.035272554 +0100
-+++ ./lib/ssl/ssl3con.c	2016-11-07 21:31:14.876273952 +0100
-@@ -6196,6 +6196,7 @@ sendDHClientKeyExchange(sslSocket * ss,
- 
-     if (pms == NULL) {
- 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-+	rv = SECFailure;
- 	goto loser;
-     }
- 
-@@ -6939,7 +6940,6 @@ ssl3_HandleServerKeyExchange(sslSocket *
- 	SECItem          dh_Ys     = {siBuffer, NULL, 0};
-         unsigned dh_p_bits;
-         unsigned dh_g_bits;
--        unsigned dh_Ys_bits;
-         PRInt32  minDH;
- 
-     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
-@@ -6968,9 +6968,10 @@ ssl3_HandleServerKeyExchange(sslSocket *
-     	if (rv != SECSuccess) {
- 	    goto loser;		/* malformed. */
- 	}
--        dh_Ys_bits = SECKEY_BigIntegerBitLength(&dh_Ys);
--        if (dh_Ys_bits > dh_p_bits || dh_Ys_bits <= 1)
--	    goto alert_loser;
-+        if (!ssl_IsValidDHEShare(&dh_p, &dh_Ys)) {
-+            errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
-+            goto alert_loser;
-+        }
- 	if (isTLS12) {
- 	    rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
- 						       &sigAndHash);
-@@ -9906,6 +9907,12 @@ ssl3_HandleDHClientKeyExchange(sslSocket
- 	goto loser;
-     }
- 
-+    if (!ssl_IsValidDHEShare(&srvrPubKey->u.dh.prime,
-+                             &clntPubKey.u.dh.publicValue)) {
-+        PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-+        return SECFailure;
-+    }
-+
-     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
- 
-     if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
-diff -up ./lib/ssl/sslimpl.h.moz-1314604 ./lib/ssl/sslimpl.h
---- ./lib/ssl/sslimpl.h.moz-1314604	2016-11-07 21:30:40.028272553 +0100
-+++ ./lib/ssl/sslimpl.h	2016-11-07 21:30:40.047272554 +0100
-@@ -1647,6 +1647,7 @@ int ssl3_GatherCompleteHandshake(sslSock
- extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
- 
- extern SECStatus ssl3_SelectDHParams(sslSocket *ss);
-+extern PRBool ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys);
- 
- #ifndef NSS_DISABLE_ECC
- extern void      ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
-diff -up ./lib/ssl/sslsock.c.moz-1314604 ./lib/ssl/sslsock.c
---- ./lib/ssl/sslsock.c.moz-1314604	2016-11-07 21:30:40.040272554 +0100
-+++ ./lib/ssl/sslsock.c	2016-11-07 21:30:40.048272554 +0100
-@@ -1462,6 +1462,54 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd,
-     return SECSuccess;
- }
- 
-+/* This validates dh_Ys against the group prime. */
-+PRBool
-+ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys)
-+{
-+    unsigned int size_p = SECKEY_BigIntegerBitLength(dh_p);
-+    unsigned int size_y = SECKEY_BigIntegerBitLength(dh_Ys);
-+    unsigned int commonPart;
-+    int cmp;
-+
-+    if (dh_p->len == 0 || dh_Ys->len == 0) {
-+        return PR_FALSE;
-+    }
-+
-+    /* Check that the prime is at least odd. */
-+    if ((dh_p->data[dh_p->len - 1] & 0x01) == 0) {
-+        return PR_FALSE;
-+    }
-+    /* dh_Ys can't be 1, or bigger than dh_p. */
-+    if (size_y <= 1 || size_y > size_p) {
-+        return PR_FALSE;
-+    }
-+    /* If dh_Ys is shorter, then it's definitely smaller than p-1. */
-+    if (size_y < size_p) {
-+        return PR_TRUE;
-+    }
-+
-+    /* Compare the common part of each, minus the final octet. */
-+    commonPart = (size_p + 7) / 8;
-+    PORT_Assert(commonPart <= dh_Ys->len);
-+    PORT_Assert(commonPart <= dh_p->len);
-+    cmp = PORT_Memcmp(dh_Ys->data + dh_Ys->len - commonPart,
-+                      dh_p->data + dh_p->len - commonPart, commonPart - 1);
-+    if (cmp < 0) {
-+        return PR_TRUE;
-+    }
-+    if (cmp > 0) {
-+        return PR_FALSE;
-+    }
-+
-+    /* The last octet of the prime is the only thing that is different and that
-+     * has to be two greater than the share, otherwise we have Ys == p - 1,
-+     * and that means small subgroups. */
-+    if (dh_Ys->data[dh_Ys->len - 1] >= (dh_p->data[dh_p->len - 1] - 1)) {
-+        return PR_FALSE;
-+    }
-+
-+    return PR_TRUE;
-+}
- 
- PRCallOnceType gWeakDHParamsRegisterOnce;
- int gWeakDHParamsRegisterError;
diff --git a/SOURCES/moz-1320932.patch b/SOURCES/moz-1320932.patch
new file mode 100644
index 0000000..8f8602d
--- /dev/null
+++ b/SOURCES/moz-1320932.patch
@@ -0,0 +1,24 @@
+changeset:   12916:6f35dc12506a
+branch:      wip/dueno/typo-fix
+tag:         tip
+parent:      12913:f2a9e4d85b64
+user:        Daiki Ueno <dueno@redhat.com>
+date:        Tue Nov 29 14:18:08 2016 +0100
+files:       tests/ssl/ssl.sh
+description:
+Use correct shell conditional for NSS_DISABLE_LIBPKIX check
+
+
+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+--- a/tests/ssl/ssl.sh
++++ b/tests/ssl/ssl.sh
+@@ -1006,7 +1006,7 @@ ssl_run()
+     do
+         case "${SSL_RUN}" in
+         "stapling")
+-            if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then
++            if [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+               ssl_stapling
+             fi
+             ;;
+
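Review bot: The corrected condition `if [ -z "$NSS_DISABLE_LIBPKIX" ]` in ssl_run has no comment saying why the stapling run depends on that variable. The old `-nz` is not a valid `test` operator, so the branch was presumably never taken before this fix. A one-line comment above the `if`, such as `# run ssl_stapling only when NSS_DISABLE_LIBPKIX is empty (libpkix enabled)`, would record the intent. Because the stapling cases likely start executing with this patch, check the build's test log to confirm they run and pass. The `case` statement and its enclosing loop continue outside the hunk.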
diff --git a/SOURCES/nss-3.16-token-init-race.patch b/SOURCES/nss-3.16-token-init-race.patch
index 08524b8..f47f13f 100644
--- a/SOURCES/nss-3.16-token-init-race.patch
+++ b/SOURCES/nss-3.16-token-init-race.patch
@@ -1,9 +1,9 @@
-diff -up ./nss/lib/pk11wrap/dev3hack.c.init-token-race ./nss/lib/pk11wrap/dev3hack.c
---- ./nss/lib/pk11wrap/dev3hack.c.init-token-race	2014-10-24 15:55:55.000000000 -0700
-+++ ./nss/lib/pk11wrap/dev3hack.c	2015-02-18 12:37:03.184120865 -0800
-@@ -245,6 +245,16 @@ nssSlot_Refresh
+diff -up nss/lib/pk11wrap/dev3hack.c.init-token-race nss/lib/pk11wrap/dev3hack.c
+--- nss/lib/pk11wrap/dev3hack.c.init-token-race	2017-01-13 17:58:55.485868744 +0100
++++ nss/lib/pk11wrap/dev3hack.c	2017-01-13 18:02:27.126675831 +0100
+@@ -231,6 +231,16 @@ nssSlot_Refresh(NSSSlot *slot)
      if (slot->token && slot->token->base.name[0] == 0) {
- 	doit = PR_TRUE;
+         doit = PR_TRUE;
      }
 +    /* invalidate the session in the nss3slot if we haven't done an init
 +     * token since we noticed that the token->default session is invalid.
@@ -16,11 +16,11 @@ diff -up ./nss/lib/pk11wrap/dev3hack.c.init-token-race ./nss/lib/pk11wrap/dev3ha
 +    }
 +    PK11_ExitSlotMonitor(nss3slot);
      if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
- 	return PR_FAILURE;
+         return PR_FAILURE;
      }
-@@ -252,7 +262,8 @@ nssSlot_Refresh
- 	nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, 
- 	                                      slot->token);
+@@ -238,7 +248,8 @@ nssSlot_Refresh(NSSSlot *slot)
+         nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain,
+                                               slot->token);
      }
 -    return nssToken_Refresh(slot->token);
 +    /* no need to call nssToken_Refresh since PK11_Init has already done so */
@@ -28,45 +28,47 @@ diff -up ./nss/lib/pk11wrap/dev3hack.c.init-token-race ./nss/lib/pk11wrap/dev3ha
  }
  
  NSS_IMPLEMENT PRStatus
-diff -up ./nss/lib/pk11wrap/pk11auth.c.init-token-race ./nss/lib/pk11wrap/pk11auth.c
---- ./nss/lib/pk11wrap/pk11auth.c.init-token-race	2014-10-24 15:55:55.000000000 -0700
-+++ ./nss/lib/pk11wrap/pk11auth.c	2015-02-18 12:37:03.184120865 -0800
-@@ -73,7 +73,6 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
- 						(unsigned char *)pw,len);
- 	slot->lastLoginCheck = 0;
- 	mustRetry = PR_FALSE;
--	if (!alreadyLocked) PK11_ExitSlotMonitor(slot);
- 	switch (crv) {
- 	/* if we're already logged in, we're good to go */
- 	case CKR_OK:
-@@ -100,7 +99,16 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
- 		break;
- 	    }
- 	    if (retry++ == 0) {
-+		/* we already know the this session is invalid */
-+		slot->session = CK_INVALID_SESSION; 
-+		/* can't enter PK11_InitToken holding the lock
-+		 * This is safe because the only places that tries to
-+		 * hold the slot monitor over this call pass their own
-+		 * session, which would have failed above.
-+		 * (session != slot->session) */
-+		PK11_ExitSlotMonitor(slot);
- 		rv = PK11_InitToken(slot,PR_FALSE);
-+		PK11_EnterSlotMonitor(slot);
- 		if (rv == SECSuccess) {
- 		    if (slot->session != CK_INVALID_SESSION) {
- 			session = slot->session; /* we should have 
-@@ -118,6 +126,7 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
- 	    PORT_SetError(PK11_MapError(crv));
- 	    rv = SECFailure; /* some failure we can't fix by retrying */
- 	}
-+	if (!alreadyLocked) PK11_ExitSlotMonitor(slot);
+diff -up nss/lib/pk11wrap/pk11auth.c.init-token-race nss/lib/pk11wrap/pk11auth.c
+--- nss/lib/pk11wrap/pk11auth.c.init-token-race	2017-01-13 17:58:55.485868744 +0100
++++ nss/lib/pk11wrap/pk11auth.c	2017-01-13 18:05:07.650739842 +0100
+@@ -73,8 +73,6 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
+                                          (unsigned char *)pw, len);
+         slot->lastLoginCheck = 0;
+         mustRetry = PR_FALSE;
+-        if (!alreadyLocked)
+-            PK11_ExitSlotMonitor(slot);
+         switch (crv) {
+             /* if we're already logged in, we're good to go */
+             case CKR_OK:
+@@ -101,7 +99,16 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
+                     break;
+                 }
+                 if (retry++ == 0) {
++		    /* we already know the this session is invalid */
++		    slot->session = CK_INVALID_SESSION; 
++		    /* can't enter PK11_InitToken holding the lock
++		     * This is safe because the only places that tries to
++		     * hold the slot monitor over this call pass their own
++		     * session, which would have failed above.
++		     * (session != slot->session) */
++		    PK11_ExitSlotMonitor(slot);
+                     rv = PK11_InitToken(slot, PR_FALSE);
++		    PK11_EnterSlotMonitor(slot);
+                     if (rv == SECSuccess) {
+                         if (slot->session != CK_INVALID_SESSION) {
+                             session = slot->session; /* we should have
+@@ -119,6 +126,8 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
+                 PORT_SetError(PK11_MapError(crv));
+                 rv = SECFailure; /* some failure we can't fix by retrying */
+         }
++	if (!alreadyLocked)
++	    PK11_ExitSlotMonitor(slot);
      } while (mustRetry);
      return rv;
  }
-@@ -455,14 +464,18 @@ done:
+@@ -465,14 +474,18 @@ done:
      slot->lastLoginCheck = 0;
-     PK11_RestoreROSession(slot,rwsession);
+     PK11_RestoreROSession(slot, rwsession);
      if (rv == SECSuccess) {
 +	PK11_EnterSlotMonitor(slot);
          /* update our view of the world */
@@ -75,80 +77,84 @@ diff -up ./nss/lib/pk11wrap/pk11auth.c.init-token-race ./nss/lib/pk11wrap/pk11au
 +		slot->session = CK_INVALID_SESSION;
 +	}
 +	PK11_ExitSlotMonitor(slot);
-         PK11_InitToken(slot,PR_TRUE);
- 	if (slot->needLogin) {
--	    PK11_EnterSlotMonitor(slot);
- 	    PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
- 						(unsigned char *)userpw,len);
- 	    slot->lastLoginCheck = 0;
--	    PK11_ExitSlotMonitor(slot);
- 	}
+         PK11_InitToken(slot, PR_TRUE);
+         if (slot->needLogin) {
+-            PK11_EnterSlotMonitor(slot);
+             PK11_GETTAB(slot)->C_Login(slot->session, CKU_USER,
+                                        (unsigned char *)userpw, len);
+             slot->lastLoginCheck = 0;
+-            PK11_ExitSlotMonitor(slot);
+         }
      }
      return rv;
-@@ -506,7 +519,7 @@ PK11_ChangePW(PK11SlotInfo *slot, const 
-     PK11_RestoreROSession(slot,rwsession);
+@@ -520,7 +533,7 @@ PK11_ChangePW(PK11SlotInfo *slot, const
+     PK11_RestoreROSession(slot, rwsession);
  
      /* update our view of the world */
--    PK11_InitToken(slot,PR_TRUE);
+-    PK11_InitToken(slot, PR_TRUE);
 +    /* PK11_InitToken(slot,PR_TRUE); */
      return rv;
  }
  
-diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11slot.c
---- ./nss/lib/pk11wrap/pk11slot.c.init-token-race	2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/lib/pk11wrap/pk11slot.c	2016-01-12 17:58:34.519114993 -0800
-@@ -1053,6 +1053,7 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
+diff -up nss/lib/pk11wrap/pk11slot.c.init-token-race nss/lib/pk11wrap/pk11slot.c
+--- nss/lib/pk11wrap/pk11slot.c.init-token-race	2017-01-13 17:58:55.486868720 +0100
++++ nss/lib/pk11wrap/pk11slot.c	2017-01-13 18:12:50.869381900 +0100
+@@ -1085,6 +1085,7 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
      CK_ULONG count;
      CK_RV crv;
      PRUint32 i;
 +    char mechanismBits[sizeof(slot->mechanismBits)];
  
      if (slot->mechanismList) {
- 	PORT_Free(slot->mechanismList);
-@@ -1060,10 +1061,8 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
+         PORT_Free(slot->mechanismList);
+@@ -1092,12 +1093,8 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
      }
      slot->mechanismCount = 0;
  
--    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-     crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
+-    if (!slot->isThreadSafe)
+-        PK11_EnterSlotMonitor(slot);
+     crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count);
      if (crv != CKR_OK) {
--	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- 	PORT_SetError(PK11_MapError(crv));
- 	return SECFailure;
+-        if (!slot->isThreadSafe)
+-            PK11_ExitSlotMonitor(slot);
+         PORT_SetError(PK11_MapError(crv));
+         return SECFailure;
      }
-@@ -1071,12 +1070,10 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
+@@ -1105,14 +1102,10 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
      slot->mechanismList = (CK_MECHANISM_TYPE *)
- 			    PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
+         PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE));
      if (slot->mechanismList == NULL) {
--	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- 	return SECFailure;
+-        if (!slot->isThreadSafe)
+-            PK11_ExitSlotMonitor(slot);
+         return SECFailure;
      }
      crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
- 						slot->mechanismList, &count);
--    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+                                                 slot->mechanismList, &count);
+-    if (!slot->isThreadSafe)
+-        PK11_ExitSlotMonitor(slot);
      if (crv != CKR_OK) {
- 	PORT_Free(slot->mechanismList);
- 	slot->mechanismList = NULL;
-@@ -1084,14 +1081,16 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
- 	return SECSuccess;
+         PORT_Free(slot->mechanismList);
+         slot->mechanismList = NULL;
+@@ -1120,14 +1113,16 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
+         return SECSuccess;
      }
      slot->mechanismCount = count;
 -    PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
 +    PORT_Memset(mechanismBits, 0, sizeof(slot->mechanismBits));
  
-     for (i=0; i < count; i++) {
- 	CK_MECHANISM_TYPE mech = slot->mechanismList[i];
- 	if (mech < 0x7ff) {
--	    slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
+     for (i = 0; i < count; i++) {
+         CK_MECHANISM_TYPE mech = slot->mechanismList[i];
+         if (mech < 0x7ff) {
+-            slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
 +	    mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
- 	}
+         }
      }
 +    PORT_Memcpy(slot->mechanismBits, mechanismBits, 
 +					sizeof(slot->mechanismBits));
      return SECSuccess;
  }
  
-@@ -1108,12 +1107,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
+@@ -1144,14 +1139,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
      CK_RV crv;
      SECStatus rv;
      PRStatus status;
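Review bot: The `C_Login(slot->session, CKU_USER, ...)` call under `if (slot->needLogin)` now runs with no slot monitor taken by this function. The patch drops the `PK11_EnterSlotMonitor(slot);` / `PK11_ExitSlotMonitor(slot);` pair around it and releases the monitor before `PK11_InitToken(slot, PR_TRUE)`. For a module that is not thread-safe, this appears to leave the login unserialised against other users of `slot->session`, and the call's return value is still discarded. Unless every caller is known to hold the monitor (the function starts outside the hunk), keep the enter/exit pair around the login and check the result, for example `crv = PK11_GETTAB(slot)->C_Login(...); if (crv != CKR_OK) { ... }`.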
@@ -163,19 +169,22 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl
 +    }
  
      /* set the slot flags to the current token values */
--    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-     crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
--    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+-    if (!slot->isThreadSafe)
+-        PK11_EnterSlotMonitor(slot);
+     crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo);
+-    if (!slot->isThreadSafe)
+-        PK11_ExitSlotMonitor(slot);
      if (crv != CKR_OK) {
 +	PK11_ExitSlotMonitor(slot);
- 	PORT_SetError(PK11_MapError(crv));
- 	return SECFailure;
+         PORT_SetError(PK11_MapError(crv));
+         return SECFailure;
      }
-@@ -1150,7 +1157,10 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
-     slot->defRWSession = (PRBool)((!slot->readOnly) && 
- 					(tokenInfo.ulMaxSessionCount == 1));
+@@ -1186,8 +1187,10 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
+     slot->defRWSession = (PRBool)((!slot->readOnly) &&
+                                   (tokenInfo.ulMaxSessionCount == 1));
      rv = PK11_ReadMechanismList(slot);
--    if (rv != SECSuccess) return rv;
+-    if (rv != SECSuccess)
+-        return rv;
 +    if (rv != SECSuccess)  {
 +	PK11_ExitSlotMonitor(slot);
 + 	return rv;
@@ -183,52 +192,58 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl
  
      slot->hasRSAInfo = PR_FALSE;
      slot->RSAInfoFlags = 0;
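Review bot: Every early return in PK11_InitToken now carries its own `PK11_ExitSlotMonitor(slot);`, so a return added later without that call would leave the slot monitor held. In this hunk it follows `C_GetTokenInfo` and `PK11_ReadMechanismList`; in the following hunks it follows `C_OpenSession` and the `status != PR_SUCCESS` check. A single exit path would keep the unlock in one place: set `rv = SECFailure;`, `goto done;`, and end the function with `done: PK11_ExitSlotMonitor(slot); return rv;`. The added lines are also tab-indented while the refreshed context uses spaces, which makes the patch harder to read against the reformatted upstream file. The function begins and ends outside the hunk, so any returns not shown here need the same check.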
-@@ -1165,50 +1175,23 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- 	slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2;
+@@ -1202,56 +1205,23 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
+         slot->maxKeyCount = tokenInfo.ulMaxSessionCount / 2;
      }
  
 -    /* Make sure our session handle is valid */
 -    if (slot->session == CK_INVALID_SESSION) {
--	/* we know we don't have a valid session, go get one */
--	CK_SESSION_HANDLE session;
+-        /* we know we don't have a valid session, go get one */
+-        CK_SESSION_HANDLE session;
 -
--	/* session should be Readonly, serial */
--	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
--	crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+-        /* session should be Readonly, serial */
+-        if (!slot->isThreadSafe)
+-            PK11_EnterSlotMonitor(slot);
+-        crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
 +    /* we know we don't have a valid session, go get one */
 +    /* session should be Readonly, serial */
 +    crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
- 	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
- 				  slot,pk11_notify,&session);
--	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
--	if (crv != CKR_OK) {
--	    PORT_SetError(PK11_MapError(crv));
--	    return SECFailure;
--	}
--	slot->session = session;
+                                                (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+                                                slot, pk11_notify, &session);
+-        if (!slot->isThreadSafe)
+-            PK11_ExitSlotMonitor(slot);
+-        if (crv != CKR_OK) {
+-            PORT_SetError(PK11_MapError(crv));
+-            return SECFailure;
+-        }
+-        slot->session = session;
 -    } else {
--	/* The session we have may be defunct (the token associated with it)
--	 * has been removed   */
--	CK_SESSION_INFO sessionInfo;
+-        /* The session we have may be defunct (the token associated with it)
+-         * has been removed   */
+-        CK_SESSION_INFO sessionInfo;
 -
--	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
--	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
+-        if (!slot->isThreadSafe)
+-            PK11_EnterSlotMonitor(slot);
+-        crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
 -        if (crv == CKR_DEVICE_ERROR) {
--	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
--	    crv = CKR_SESSION_CLOSED;
--	}
--	if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) {
--	    crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
--	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
--					slot,pk11_notify,&slot->session);
--	    if (crv != CKR_OK) {
--	        PORT_SetError(PK11_MapError(crv));
--		slot->session = CK_INVALID_SESSION;
--		if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
--		return SECFailure;
--	    }
--	}
--	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+-            PK11_GETTAB(slot)
+-                ->C_CloseSession(slot->session);
+-            crv = CKR_SESSION_CLOSED;
+-        }
+-        if ((crv == CKR_SESSION_CLOSED) || (crv == CKR_SESSION_HANDLE_INVALID)) {
+-            crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+-                                                   (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+-                                                   slot, pk11_notify, &slot->session);
+-            if (crv != CKR_OK) {
+-                PORT_SetError(PK11_MapError(crv));
+-                slot->session = CK_INVALID_SESSION;
+-                if (!slot->isThreadSafe)
+-                    PK11_ExitSlotMonitor(slot);
+-                return SECFailure;
+-            }
+-        }
+-        if (!slot->isThreadSafe)
+-            PK11_ExitSlotMonitor(slot);
 +    if (crv != CKR_OK) {
 +	PK11_ExitSlotMonitor(slot);
 +	PORT_SetError(PK11_MapError(crv));
@@ -240,66 +255,65 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl
 -    if (status != PR_SUCCESS)
 +    if (status != PR_SUCCESS) {
 +	PK11_ExitSlotMonitor(slot);
-     	return SECFailure;
+         return SECFailure;
 +     }
  
      if (!(slot->isInternal) && (slot->hasRandom)) {
- 	/* if this slot has a random number generater, use it to add entropy
-@@ -1221,28 +1204,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- 	    /* if this slot can issue random numbers, get some entropy from
- 	     * that random number generater and give it to our internal token.
- 	     */
--	    PK11_EnterSlotMonitor(slot);
- 	    crv = PK11_GETTAB(slot)->C_GenerateRandom
- 			(slot->session,random_bytes, sizeof(random_bytes));
--	    PK11_ExitSlotMonitor(slot);
- 	    if (crv == CKR_OK) {
--	        PK11_EnterSlotMonitor(int_slot);
- 		PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session,
- 					random_bytes, sizeof(random_bytes));
--	        PK11_ExitSlotMonitor(int_slot);
- 	    }
+         /* if this slot has a random number generater, use it to add entropy
+@@ -1264,28 +1234,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
+             /* if this slot can issue random numbers, get some entropy from
+              * that random number generater and give it to our internal token.
+              */
+-            PK11_EnterSlotMonitor(slot);
+             crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes));
+-            PK11_ExitSlotMonitor(slot);
+             if (crv == CKR_OK) {
+-                PK11_EnterSlotMonitor(int_slot);
+                 PK11_GETTAB(int_slot)
+                     ->C_SeedRandom(int_slot->session,
+                                    random_bytes, sizeof(random_bytes));
+-                PK11_ExitSlotMonitor(int_slot);
+             }
  
- 	    /* Now return the favor and send entropy to the token's random 
- 	     * number generater */
--	    PK11_EnterSlotMonitor(int_slot);
- 	    crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
- 					random_bytes, sizeof(random_bytes));
--	    PK11_ExitSlotMonitor(int_slot);
- 	    if (crv == CKR_OK) {
--	        PK11_EnterSlotMonitor(slot);
- 		crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,
- 					random_bytes, sizeof(random_bytes));
--	        PK11_ExitSlotMonitor(slot);
- 	    }
- 	    PK11_FreeSlot(int_slot);
- 	}
-@@ -1274,6 +1249,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- 	    PK11_GETTAB(slot)->C_CloseSession(session);
- 	}
+             /* Now return the favor and send entropy to the token's random
+              * number generater */
+-            PK11_EnterSlotMonitor(int_slot);
+             crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
+                                                           random_bytes, sizeof(random_bytes));
+-            PK11_ExitSlotMonitor(int_slot);
+             if (crv == CKR_OK) {
+-                PK11_EnterSlotMonitor(slot);
+                 crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,
+                                                       random_bytes, sizeof(random_bytes));
+-                PK11_ExitSlotMonitor(slot);
+             }
+             PK11_FreeSlot(int_slot);
+         }
+@@ -1318,6 +1280,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
+                 ->C_CloseSession(session);
+         }
      }
 +    PK11_ExitSlotMonitor(slot);
- 	
+ 
      return SECSuccess;
  }
-@@ -1387,6 +1363,8 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
+@@ -1433,6 +1396,8 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
      }
      /* if the token is present, initialize it */
      if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
 +	/* session was initialized to CK_INVALID_SESSION when the slot
 +  	 * was created */
- 	rv = PK11_InitToken(slot,PR_TRUE);
- 	/* the only hard failures are on permanent devices, or function
- 	 * verify failures... function verify failures are already handled
-@@ -1826,10 +1804,15 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C
- 	return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8)))  ?
- 		PR_TRUE : PR_FALSE;
+         rv = PK11_InitToken(slot, PR_TRUE);
+         /* the only hard failures are on permanent devices, or function
+          * verify failures... function verify failures are already handled
+@@ -1888,10 +1853,14 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C
+         return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE : PR_FALSE;
      }
--	   
-+
+ 
 +    PK11_EnterSlotMonitor(slot);  
-     for (i=0; i < (int) slot->mechanismCount; i++) {
--	if (slot->mechanismList[i] == type) return PR_TRUE;
+     for (i = 0; i < (int)slot->mechanismCount; i++) {
+-        if (slot->mechanismList[i] == type)
+-            return PR_TRUE;
 +	if (slot->mechanismList[i] == type) {
 +	    PK11_ExitSlotMonitor(slot);
 +	    return PR_TRUE;
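Review bot: The rebased patch still removes the `PK11_EnterSlotMonitor(int_slot)` / `PK11_ExitSlotMonitor(int_slot)` pairs around `C_SeedRandom` and `C_GenerateRandom` on `int_slot->session` in PK11_InitToken, so those calls are no longer serialized by the internal slot's own monitor; holding `slot`'s monitor does not cover `int_slot`. If the pairs are dropped to avoid taking a second slot monitor while the first is held, say so next to the calls, for example `/* slot's monitor is held; int_slot's is not taken here to avoid nested slot monitors */`, and confirm that the internal token tolerates concurrent use of its session. PK11_InitToken starts before this hunk, so the matching `PK11_EnterSlotMonitor(slot)` is not visible here.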
@@ -309,41 +323,41 @@ diff -up ./nss/lib/pk11wrap/pk11slot.c.init-token-race ./nss/lib/pk11wrap/pk11sl
      return PR_FALSE;
  }
  
-diff -up ./nss/lib/pk11wrap/pk11util.c.init-token-race ./nss/lib/pk11wrap/pk11util.c
---- ./nss/lib/pk11wrap/pk11util.c.init-token-race	2015-02-18 12:37:03.176120865 -0800
-+++ ./nss/lib/pk11wrap/pk11util.c	2015-02-18 12:39:44.158120658 -0800
-@@ -1560,6 +1560,11 @@ SECMOD_RestartModules(PRBool force)
+diff -up nss/lib/pk11wrap/pk11util.c.init-token-race nss/lib/pk11wrap/pk11util.c
+--- nss/lib/pk11wrap/pk11util.c.init-token-race	2017-01-13 17:58:55.487868695 +0100
++++ nss/lib/pk11wrap/pk11util.c	2017-01-13 18:01:21.280291292 +0100
+@@ -1624,6 +1624,11 @@ SECMOD_RestartModules(PRBool force)
               * older modules require it, and it doesn't hurt (compliant modules
               * will return CKR_NOT_INITIALIZED */
- 	    (void) PK11_GETTAB(mod)->C_Finalize(NULL);
+             (void)PK11_GETTAB(mod)->C_Finalize(NULL);
 +	    /* finalize clears the session, mark them dead in the 
 +	     * slot as well */
 +	    for (i=0; i < mod->slotCount; i++) {
 +		mod->slots[i]->session = CK_INVALID_SESSION;
 +	    }
- 	    /* now initialize the module, this function reinitializes
- 	     * a module in place, preserving existing slots (even if they
- 	     * no longer exist) */
-@@ -1579,17 +1584,18 @@ SECMOD_RestartModules(PRBool force)
- 		/* get new token sessions, bump the series up so that
- 		 * we refresh other old sessions. This will tell much of
- 		 * NSS to flush cached handles it may hold as well */
--		rv = PK11_InitToken(mod->slots[i],PR_TRUE);
+             /* now initialize the module, this function reinitializes
+              * a module in place, preserving existing slots (even if they
+              * no longer exist) */
+@@ -1643,17 +1648,18 @@ SECMOD_RestartModules(PRBool force)
+                 /* get new token sessions, bump the series up so that
+                  * we refresh other old sessions. This will tell much of
+                  * NSS to flush cached handles it may hold as well */
+-                rv = PK11_InitToken(mod->slots[i], PR_TRUE);
 +		PK11SlotInfo *slot = mod->slots[i];
 +		rv = PK11_InitToken(slot,PR_TRUE);
- 		/* PK11_InitToken could fail if the slot isn't present.
- 		 * If it is present, though, something is wrong and we should
- 		 * disable the slot and let the caller know. */
--		if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) {
+                 /* PK11_InitToken could fail if the slot isn't present.
+                  * If it is present, though, something is wrong and we should
+                  * disable the slot and let the caller know. */
+-                if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) {
 +		if (rv != SECSuccess && PK11_IsPresent(slot)) {
- 		    /* save the last error code */
- 		    lastError = PORT_GetError();
- 		    rrv = rv;
- 		    /* disable the token */
--		    mod->slots[i]->disabled = PR_TRUE;
--		    mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
+                     /* save the last error code */
+                     lastError = PORT_GetError();
+                     rrv = rv;
+                     /* disable the token */
+-                    mod->slots[i]->disabled = PR_TRUE;
+-                    mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
 +		    slot->disabled = PR_TRUE;
 +		    slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
- 		}
- 	    }
- 	}
+                 }
+             }
+         }
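Review bot: The loop added after `C_Finalize` in SECMOD_RestartModules writes `mod->slots[i]->session = CK_INVALID_SESSION;` without taking the slot monitor, while the pk11slot.c half of this patch treats `slot->session` as state guarded by `PK11_EnterSlotMonitor`. Whether other threads can still use these slots at this point is not visible in the hunk; if they can, wrap the assignment, e.g. `PK11_EnterSlotMonitor(mod->slots[i]); mod->slots[i]->session = CK_INVALID_SESSION; PK11_ExitSlotMonitor(mod->slots[i]);`, otherwise a comment stating that no other thread touches the module here would do. The added lines are also still tab-indented although the refreshed context is space-indented. SECMOD_RestartModules begins and ends outside the hunk.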
diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch
index d07ecdd..f5db089 100644
--- a/SOURCES/nss-539183.patch
+++ b/SOURCES/nss-539183.patch
@@ -1,13 +1,13 @@
 diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
---- nss/cmd/httpserv/httpserv.c.539183	2013-05-28 14:43:24.000000000 -0700
-+++ nss/cmd/httpserv/httpserv.c	2013-05-30 22:16:46.685373471 -0700
-@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
-     PRNetAddr          addr;
+--- nss/cmd/httpserv/httpserv.c.539183	2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/httpserv/httpserv.c	2016-08-15 18:04:13.559131620 +0200
+@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port
+     PRNetAddr addr;
      PRSocketOptionData opt;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip     = PR_INADDR_ANY;
--    addr.inet.port   = PR_htons(port);
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
 +	errExit("PR_SetNetAddr");
 +    }
@@ -15,21 +15,21 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
 -    listen_sock = PR_NewTCPSocket();
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--	errExit("PR_NewTCPSocket");
+-        errExit("PR_NewTCPSocket");
 +	errExit("PR_OpenTCPSocket error");
      }
  
      opt.option = PR_SockOpt_Nonblocking;
 diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
---- nss/cmd/selfserv/selfserv.c.539183	2013-05-28 14:43:24.000000000 -0700
-+++ nss/cmd/selfserv/selfserv.c	2013-05-30 22:16:46.688373495 -0700
-@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
-     PRNetAddr          addr;
+--- nss/cmd/selfserv/selfserv.c.539183	2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/selfserv/selfserv.c	2016-08-15 18:05:11.027487891 +0200
+@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port
+     PRNetAddr addr;
      PRSocketOptionData opt;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip     = PR_INADDR_ANY;
--    addr.inet.port   = PR_htons(port);
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
 +	errExit("PR_SetNetAddr");
 +    }
@@ -37,7 +37,7 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
 -    listen_sock = PR_NewTCPSocket();
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--	errExit("PR_NewTCPSocket");
+-        errExit("PR_NewTCPSocket");
 +        errExit("PR_OpenTCPSocket error");
      }
  
diff --git a/SOURCES/nss-disable-chacha20-gtests.patch b/SOURCES/nss-disable-chacha20-gtests.patch
new file mode 100644
index 0000000..ff221d3
--- /dev/null
+++ b/SOURCES/nss-disable-chacha20-gtests.patch
@@ -0,0 +1,140 @@
+diff -up nss/gtests/pk11_gtest/manifest.mn.disable-chacha20 nss/gtests/pk11_gtest/manifest.mn
+--- nss/gtests/pk11_gtest/manifest.mn.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
++++ nss/gtests/pk11_gtest/manifest.mn	2017-02-17 11:40:26.749019359 +0100
+@@ -8,7 +8,6 @@ MODULE = nss
+ 
+ CPPSRCS = \
+       pk11_aeskeywrap_unittest.cc \
+-      pk11_chacha20poly1305_unittest.cc \
+       pk11_export_unittest.cc \
+       pk11_pbkdf2_unittest.cc \
+       pk11_prf_unittest.cc \
+diff -up nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc	2017-02-17 11:40:26.749019359 +0100
+@@ -326,10 +326,7 @@ INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12
+                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+                           TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+-                          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+-                          TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+-                          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+-                          TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
++                          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384);
+ INSTANTIATE_CIPHER_TEST_P(
+     CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams,
+     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
+@@ -361,7 +358,7 @@ INSTANTIATE_CIPHER_TEST_P(
+ INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
+                           ::testing::ValuesIn(kFasterDHEGroups),
+                           ::testing::ValuesIn(kSignatureSchemesParamsArr),
+-                          TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
++                          TLS_AES_128_GCM_SHA256,
+                           TLS_AES_256_GCM_SHA384);
+ INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
+                           ::testing::ValuesIn(kAllDHEGroups),
+@@ -446,9 +443,7 @@ static const SecStatusParams kSecStatusT
+     {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_128_GCM_SHA256,
+      "AES-128-GCM", 128},
+     {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_256_GCM_SHA384,
+-     "AES-256-GCM", 256},
+-    {SSL_LIBRARY_VERSION_TLS_1_2, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+-     "ChaCha20-Poly1305", 256}};
++     "AES-256-GCM", 256}};
+ INSTANTIATE_TEST_CASE_P(TestSecurityStatus, SecurityStatusTest,
+                         ::testing::ValuesIn(kSecStatusTestValuesArr));
+ 
+diff -up nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_drop_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_drop_unittest.cc	2017-02-17 11:41:03.656247032 +0100
+@@ -65,69 +65,4 @@ TEST_P(TlsConnectDatagram, DropServerSec
+   Connect();
+ }
+ 
+-static void GetCipherAndLimit(uint16_t version, uint16_t* cipher,
+-                              uint64_t* limit = nullptr) {
+-  uint64_t l;
+-  if (!limit) limit = &l;
+-
+-  if (version < SSL_LIBRARY_VERSION_TLS_1_2) {
+-    *cipher = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
+-    *limit = 0x5aULL << 28;
+-  } else if (version == SSL_LIBRARY_VERSION_TLS_1_2) {
+-    *cipher = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
+-    *limit = (1ULL << 48) - 1;
+-  } else {
+-    *cipher = TLS_CHACHA20_POLY1305_SHA256;
+-    *limit = (1ULL << 48) - 1;
+-  }
+-}
+-
+-// This simulates a huge number of drops on one side.
+-TEST_P(TlsConnectDatagram, MissLotsOfPackets) {
+-  uint16_t cipher;
+-  uint64_t limit;
+-
+-  GetCipherAndLimit(version_, &cipher, &limit);
+-
+-  EnsureTlsSetup();
+-  server_->EnableSingleCipher(cipher);
+-  Connect();
+-
+-  // Note that the limit for ChaCha is 2^48-1.
+-  EXPECT_EQ(SECSuccess,
+-            SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), limit - 10));
+-  SendReceive();
+-}
+-
+-class TlsConnectDatagram12Plus : public TlsConnectDatagram {
+- public:
+-  TlsConnectDatagram12Plus() : TlsConnectDatagram() {}
+-};
+-
+-// This simulates missing a window's worth of packets.
+-TEST_P(TlsConnectDatagram12Plus, MissAWindow) {
+-  EnsureTlsSetup();
+-  uint16_t cipher;
+-  GetCipherAndLimit(version_, &cipher);
+-  server_->EnableSingleCipher(cipher);
+-  Connect();
+-
+-  EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 0));
+-  SendReceive();
+-}
+-
+-TEST_P(TlsConnectDatagram12Plus, MissAWindowAndOne) {
+-  EnsureTlsSetup();
+-  uint16_t cipher;
+-  GetCipherAndLimit(version_, &cipher);
+-  server_->EnableSingleCipher(cipher);
+-  Connect();
+-
+-  EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 1));
+-  SendReceive();
+-}
+-
+-INSTANTIATE_TEST_CASE_P(Datagram12Plus, TlsConnectDatagram12Plus,
+-                        TlsConnectTestBase::kTlsV12Plus);
+-
+ }  // namespace nss_test
+diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20	2017-02-17 11:40:26.747019401 +0100
++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc	2017-02-17 11:40:26.749019359 +0100
+@@ -50,17 +50,6 @@ TEST_P(TlsConnectGeneric, ConnectEcdhe)
+   CheckKeys();
+ }
+ 
+-// If we pick a 256-bit cipher suite and use a P-384 certificate, the server
+-// should choose P-384 for key exchange too.  Only valid for TLS == 1.2 because
+-// we don't have 256-bit ciphers before then and 1.3 doesn't try to couple
+-// DHE size to symmetric size.
+-TEST_P(TlsConnectTls12, ConnectEcdheP384) {
+-  Reset(TlsAgent::kServerEcdsa384);
+-  ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
+-  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa,
+-            ssl_sig_ecdsa_secp256r1_sha256);
+-}
+-
+ TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
+   EnsureTlsSetup();
+   const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
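Review bot: In ssl_drop_unittest.cc the patch deletes MissLotsOfPackets, MissAWindow and MissAWindowAndOne together with GetCipherAndLimit, although only two branches of that helper name a ChaCha20 suite. This drops the DTLS sequence-number and missed-window tests for every protocol version, including the pre-1.2 branch that uses `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`. Keeping the tests and pointing the helper at suites this build supports would retain that coverage, e.g. `*cipher = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;` for TLS 1.2 and `*cipher = TLS_AES_128_GCM_SHA256;` for 1.3, with `*limit` set to that suite's record limit. The same applies to ConnectEcdheP384 in ssl_ecdh_unittest.cc, which could probably run with `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` instead of being removed.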
diff --git a/SOURCES/nss-disable-chacha20-tests.patch b/SOURCES/nss-disable-chacha20-tests.patch
new file mode 100644
index 0000000..8ad0b4f
--- /dev/null
+++ b/SOURCES/nss-disable-chacha20-tests.patch
@@ -0,0 +1,20 @@
+diff -up nss/tests/ssl/sslcov.txt.disable-chacha20 nss/tests/ssl/sslcov.txt
+--- nss/tests/ssl/sslcov.txt.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
++++ nss/tests/ssl/sslcov.txt	2017-02-17 11:40:26.749019359 +0100
+@@ -65,7 +65,7 @@
+   noECC  TLS12 :009C  TLS12_RSA_WITH_AES_128_GCM_SHA256
+   noECC  TLS12 :009E  TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
+   noECC  TLS12 :00A2  TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
+-  noECC  TLS12 :CCAA  TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
++#  noECC  TLS12 :CCAA  TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ #
+ # ECC ciphers (TLS)
+ #
+@@ -139,5 +139,5 @@
+    ECC   TLS12  :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+-   ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+-   ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
++#   ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
++#   ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch
new file mode 100644
index 0000000..f54e4b7
--- /dev/null
+++ b/SOURCES/nss-disable-cipher-suites.patch
@@ -0,0 +1,27 @@
+diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.disable-cipher-suites	2017-02-20 16:29:09.760163465 +0100
++++ nss/lib/ssl/ssl3con.c	2017-02-20 16:30:32.948137315 +0100
+@@ -96,7 +96,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++  * The GCM variant is preferred for new applications.
++  */
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -104,7 +107,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++  * The GCM variant is preferred for new applications.
++  */
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
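Review bot: The new comments give "The GCM variant is preferred" as the reason for turning off `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, but the entries directly above them, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, keep `PR_TRUE` and are CBC suites with an older MAC. As written the comment does not explain why only the SHA256 variants change, which makes the default suite set hard to audit. I would put the actual reason in the comment, for example `/* Disabled by default in this package: <reason>, see <bug reference>. */`. The cipherSuites array starts and ends outside the hunk, and reading the third field as the default-enabled flag is inferred from the comment text.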
diff --git a/SOURCES/nss-disable-curve25519-gtests.patch b/SOURCES/nss-disable-curve25519-gtests.patch
new file mode 100644
index 0000000..4d1eb35
--- /dev/null
+++ b/SOURCES/nss-disable-curve25519-gtests.patch
@@ -0,0 +1,24 @@
+diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519	2017-02-17 11:35:40.794056778 +0100
++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc	2017-02-17 11:35:50.905842897 +0100
+@@ -287,20 +287,6 @@ TEST_P(TlsConnectStreamPre13, Configured
+             ssl_sig_rsa_pss_sha256);
+ }
+ 
+-TEST_P(TlsKeyExchangeTest, Curve25519) {
+-  Reset(TlsAgent::kServerEcdsa256);
+-  const std::vector<SSLNamedGroup> groups = {
+-      ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1};
+-  EnsureKeyShareSetup();
+-  ConfigNamedGroups(groups);
+-  Connect();
+-
+-  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_ecdsa,
+-            ssl_sig_ecdsa_secp256r1_sha256);
+-  const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
+-  CheckKEXDetails(groups, shares);
+-}
+-
+ TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) {
+   EnsureTlsSetup();
+   client_->DisableAllCiphers();
diff --git a/SOURCES/nss-disable-curve25519-tests.patch b/SOURCES/nss-disable-curve25519-tests.patch
new file mode 100644
index 0000000..bfd9081
--- /dev/null
+++ b/SOURCES/nss-disable-curve25519-tests.patch
@@ -0,0 +1,10 @@
+--- nss/tests/ec/ectest.sh.disable-curve25519	2017-01-30 02:06:08.000000000 +0100
++++ nss/tests/ec/ectest.sh	2017-02-17 11:35:24.937392173 +0100
+@@ -46,7 +46,6 @@ ectest_genkeydb_test()
+     return $?
+   fi
+   curves=( \
+-    "curve25519" \
+     "secp256r1" \
+     "secp384r1" \
+     "secp521r1" \
diff --git a/SOURCES/nss-disable-curve25519.patch b/SOURCES/nss-disable-curve25519.patch
new file mode 100644
index 0000000..e6925af
--- /dev/null
+++ b/SOURCES/nss-disable-curve25519.patch
@@ -0,0 +1,13 @@
+diff -up nss/lib/ssl/sslsock.c.disable-curve25519 nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.disable-curve25519	2017-02-17 11:35:24.922392490 +0100
++++ nss/lib/ssl/sslsock.c	2017-02-17 11:35:24.936392194 +0100
+@@ -152,7 +152,7 @@ static const PRUint16 srtpCiphers[] = {
+ const sslNamedGroupDef ssl_named_groups[] = {
+     /* Note that 256 for 25519 is a lie, but we only use it for checking bit
+      * security and expect 256 bits there (not 255). */
+-    { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_TRUE },
++    { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_FALSE },
+     ECGROUP(secp256r1, 256, SECP256R1, PR_TRUE),
+     ECGROUP(secp384r1, 384, SECP384R1, PR_TRUE),
+     ECGROUP(secp521r1, 521, SECP521R1, PR_TRUE),
+diff -up nss/tests/ec/ectest.sh.disable-curve25519 nss/tests/ec/ectest.sh
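Review bot: The only code change is the last initializer of the `ssl_grp_ec_curve25519` entry going from `PR_TRUE` to `PR_FALSE`, and nothing in the patch says what that field controls. If it is the group's "assume supported" flag, as I read sslNamedGroupDef, the group is not switched off but left to a runtime check of token support, so whether curve25519 is really unavailable depends on the softoken this package ships with. A comment on the entry would make that explicit, e.g. `/* PR_FALSE: do not assume support; curve25519 is offered only if the token provides it */`. The patch file also ends with a bare `diff -up nss/tests/ec/ectest.sh...` header that has no hunk, while nss-disable-curve25519-tests.patch starts without one; the stray line should be removed.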
diff --git a/SOURCES/nss-disable-pss-gtests.patch b/SOURCES/nss-disable-pss-gtests.patch
new file mode 100644
index 0000000..0f090e4
--- /dev/null
+++ b/SOURCES/nss-disable-pss-gtests.patch
@@ -0,0 +1,156 @@
+diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss	2017-02-17 11:45:24.866780893 +0100
++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc	2017-02-17 11:47:16.774439092 +0100
+@@ -58,7 +58,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
+   server_->ConfigNamedGroups(groups);
+   Connect();
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ }
+ 
+ // This causes a HelloRetryRequest in TLS 1.3.  Earlier versions don't care.
+@@ -71,7 +71,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
+   server_->ConfigNamedGroups(groups);
+   Connect();
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3,
+             hrr_capture->buffer().len() != 0);
+ }
+@@ -101,7 +101,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority)
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ 
+   std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
+   CheckKEXDetails(groups, shares);
+@@ -118,7 +118,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ 
+   std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
+   std::vector<SSLNamedGroup> expectedGroups = {ssl_grp_ec_secp384r1,
+@@ -136,7 +136,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ 
+   if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
+     std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
+@@ -161,7 +161,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ }
+ 
+ TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
+@@ -177,7 +177,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ }
+ 
+ class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
+@@ -265,7 +265,7 @@ TEST_P(TlsConnectStreamPre13, Configured
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   CheckConnected();
+ 
+   // The renegotiation has to use the same preferences as the original session.
+@@ -273,7 +273,7 @@ TEST_P(TlsConnectStreamPre13, Configured
+   client_->StartRenegotiate();
+   Handshake();
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ }
+ 
+ TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) {
+@@ -293,7 +293,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+ }
+ 
+ #ifndef NSS_DISABLE_TLS_1_3
+@@ -312,7 +312,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp256r1};
+   CheckKEXDetails(client_groups, shares);
+ }
+@@ -332,7 +332,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
+   CheckKEXDetails(client_groups, shares);
+ }
+@@ -354,7 +354,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
+   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
+ }
+@@ -376,7 +376,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
+   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
+ }
+@@ -398,7 +398,7 @@ TEST_P(TlsKeyExchangeTest13,
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
+   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
+ }
+@@ -420,7 +420,7 @@ TEST_P(TlsKeyExchangeTest13,
+   Connect();
+ 
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
+   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
+ }
+@@ -482,7 +482,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli
+ 
+   // The server would accept 25519 but its preferred group (P256) has to win.
+   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
+-            ssl_sig_rsa_pss_sha256);
++            ssl_sig_rsa_pkcs1_sha256);
+   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519,
+                                              ssl_grp_ec_secp256r1};
+   CheckKEXDetails(client_groups, shares);
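Review bot: The replacement of `ssl_sig_rsa_pss_sha256` by `ssl_sig_rsa_pkcs1_sha256` is also applied to the TlsKeyExchangeTest13 cases inside `#ifndef NSS_DISABLE_TLS_1_3`, and to TlsConnectGeneric cases that can run at TLS 1.3. TLS 1.3 does not allow PKCS#1 v1.5 signatures on handshake messages, so these expectations can only hold if TLS 1.3 is compiled out or never negotiated in this build; the patch does not state that assumption. I would leave the TLS 1.3-only tests untouched, or, once confirmed, add a header line to the patch such as `# RSA-PSS is not available in this build; TLS 1.3 tests are compiled out via NSS_DISABLE_TLS_1_3`.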
diff --git a/SOURCES/nss-disable-unsupported-gtests.patch b/SOURCES/nss-disable-unsupported-gtests.patch
new file mode 100644
index 0000000..983b8e4
--- /dev/null
+++ b/SOURCES/nss-disable-unsupported-gtests.patch
@@ -0,0 +1,39 @@
+diff -up nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_export_unittest.cc
+--- nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests	2017-01-30 02:06:08.000000000 +0100
++++ nss/gtests/pk11_gtest/pk11_export_unittest.cc	2017-02-17 12:02:00.023957459 +0100
+@@ -61,6 +61,4 @@ class Pkcs11ExportTest : public ::testin
+ 
+ TEST_F(Pkcs11ExportTest, DeriveNonExport) { Derive(false); }
+ 
+-TEST_F(Pkcs11ExportTest, DeriveExport) { Derive(true); }
+-
+ }  // namespace nss_test
+diff -up nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
+--- nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests	2017-02-17 12:09:06.448036028 +0100
++++ nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc	2017-02-17 12:10:03.479842833 +0100
+@@ -72,25 +72,4 @@ class Pkcs11Pbkdf2Test : public ::testin
+   }
+ };
+ 
+-// RFC 6070 <http://tools.ietf.org/html/rfc6070>
+-TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
+-  std::vector<uint8_t> derived = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84,
+-                                  0x9b, 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0,
+-                                  0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c,
+-                                  0xf2, 0xf0, 0x70, 0x38};
+-
+-  Derive(derived, SEC_OID_HMAC_SHA1);
+-}
+-
+-// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
+-TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
+-  std::vector<uint8_t> derived = {
+-      0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8,
+-      0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e,
+-      0xbc, 0x18, 0x00, 0x18, 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd,
+-      0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9};
+-
+-  Derive(derived, SEC_OID_HMAC_SHA256);
+-}
+-
+ }  // namespace nss_test
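Review bot: Deleting DeriveKnown1 and DeriveKnown2 removes the PBKDF2 known-answer checks that follow the fixture in this file (one of them the RFC 6070 vector), and the patch gives no reason why they are unsupported here. If they fail because of a build or policy restriction, gtest's `DISABLED_` prefix keeps them compiled and reported as disabled instead of silently gone, e.g. `TEST_F(Pkcs11Pbkdf2Test, DISABLED_DeriveKnown1) {`, with a one-line comment naming the restriction. The same would work for `TEST_F(Pkcs11ExportTest, DISABLED_DeriveExport) { Derive(true); }` in pk11_export_unittest.cc.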
diff --git a/SOURCES/nss-disable-unsupported-tests.patch b/SOURCES/nss-disable-unsupported-tests.patch
new file mode 100644
index 0000000..9b57e20
--- /dev/null
+++ b/SOURCES/nss-disable-unsupported-tests.patch
@@ -0,0 +1,13 @@
+diff -up nss/tests/ec/ectest.sh.disable_unsupported_tests nss/tests/ec/ectest.sh
+--- nss/tests/ec/ectest.sh.disable_unsupported_tests	2017-02-17 12:33:08.137805278 +0100
++++ nss/tests/ec/ectest.sh	2017-02-17 12:43:50.000297523 +0100
+@@ -81,7 +81,8 @@ if [ -f ${BINDIR}/fbectest ]; then
+   fi
+ fi
+ if [ -f ${BINDIR}/pk11ectest ]; then
+-  PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1)
++  PK11_ECTEST_OUT=$(pk11ectest -n 2>&1)
++  echo $PK11_ECTEST_OUT
+   PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
+   if [ -n "$PK11_ECTEST_OUT" ] ; then
+     html_failed "pk11 ec tests"
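Review bot: The `pk11ectest` run in `ectest.sh` is still judged only by grepping its output for 'not okay' or 'Assertion failure', so a run that crashes or fails to start without printing either string would not reach `html_failed` in the lines shown. If the tool returns non-zero on failure, capturing the status right after the call (`PK11_ECTEST_RC=$?`) and failing on a non-zero value would close that gap. The added `echo $PK11_ECTEST_OUT` is unquoted, which folds the output onto one line and exposes it to globbing; `echo "$PK11_ECTEST_OUT"` keeps the log readable. Dropping `-d` removes coverage without explanation, so a comment above the call such as `# -d omitted: REASON (BUG_ID_PLACEHOLDER)` would tell the next rebase when it can be restored. The enclosing `if` continues past the end of the hunk.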
diff --git a/SOURCES/nss-ecpoint-encoding.patch b/SOURCES/nss-ecpoint-encoding.patch
new file mode 100644
index 0000000..2577621
--- /dev/null
+++ b/SOURCES/nss-ecpoint-encoding.patch
@@ -0,0 +1,330 @@
+
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1487329827 -3600
+# Node ID 0050234a859c2aac2cf8cb5092218191300b1901
+# Parent  0e25df041c8fdc8610c6f227084d11eb8ad81149
+Bug 1340103, Introduction of SECKEYECPublicKey.encoding in NSS 3.28 broke ABI, r=rrelyea/mt
+
+diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h
+--- a/lib/cryptohi/keyi.h
++++ b/lib/cryptohi/keyi.h
+@@ -12,18 +12,11 @@ SEC_BEGIN_PROTOS
+ KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
+ 
+ /* extract the 'encryption' (could be signing) and hash oids from and
+  * algorithm, key and parameters (parameters is the parameters field
+  * of a algorithm ID structure (SECAlgorithmID)*/
+ SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+                            const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
+ 
+-/*
+- * Set the point encoding of a SECKEYPublicKey from the OID.
+- * This has to be called on any SECKEYPublicKey holding a SECKEYECPublicKey
+- * before it can be used. The encoding is used to dermine the public key size.
+- */
+-SECStatus seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey);
+-
+ SEC_END_PROTOS
+ 
+ #endif /* _KEYHI_H_ */
+diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h
+--- a/lib/cryptohi/keythi.h
++++ b/lib/cryptohi/keythi.h
+@@ -120,19 +120,19 @@ typedef struct SECKEYDHPublicKeyStr SECK
+ ** Elliptic curve Public Key structure
+ ** The PKCS#11 layer needs DER encoding of ANSI X9.62
+ ** parameters value
+ */
+ typedef SECItem SECKEYECParams;
+ 
+ struct SECKEYECPublicKeyStr {
+     SECKEYECParams DEREncodedParams;
+-    int size;            /* size in bits */
+-    SECItem publicValue; /* encoded point */
+-    ECPointEncoding encoding;
++    int size;                 /* size in bits */
++    SECItem publicValue;      /* encoded point */
++    ECPointEncoding encoding; /* deprecated, ignored */
+ };
+ typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey;
+ 
+ /*
+ ** FORTEZZA Public Key structures
+ */
+ struct SECKEYFortezzaPublicKeyStr {
+     int KEAversion;
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -542,16 +542,33 @@ seckey_GetKeyType(SECOidTag tag)
+ 
+ /* Function used to determine what kind of cert we are dealing with. */
+ KeyType
+ CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki)
+ {
+     return seckey_GetKeyType(SECOID_GetAlgorithmTag(&spki->algorithm));
+ }
+ 
++/* Ensure pubKey contains an OID */
++static SECStatus
++seckey_HasCurveOID(const SECKEYPublicKey *pubKey)
++{
++    SECItem oid;
++    SECStatus rv;
++    PORTCheapArenaPool tmpArena;
++
++    PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
++    /* If we can decode it, an OID is available. */
++    rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid,
++                                SEC_ASN1_GET(SEC_ObjectIDTemplate),
++                                &pubKey->u.ec.DEREncodedParams);
++    PORT_DestroyCheapArena(&tmpArena);
++    return rv;
++}
++
+ static SECKEYPublicKey *
+ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki)
+ {
+     SECKEYPublicKey *pubk;
+     SECItem os, newOs, newParms;
+     SECStatus rv;
+     PLArenaPool *arena;
+     SECOidTag tag;
+@@ -634,17 +651,18 @@ seckey_ExtractPublicKey(const CERTSubjec
+                                       &spki->algorithm.parameters);
+                 if (rv != SECSuccess) {
+                     break;
+                 }
+                 rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs);
+                 if (rv != SECSuccess) {
+                     break;
+                 }
+-                rv = seckey_SetPointEncoding(arena, pubk);
++                pubk->u.ec.encoding = ECPoint_Undefined;
++                rv = seckey_HasCurveOID(pubk);
+                 if (rv == SECSuccess) {
+                     return pubk;
+                 }
+                 break;
+ 
+             default:
+                 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+                 break;
+@@ -1157,26 +1175,26 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
+             rv = SECITEM_CopyItem(arena, &copyk->u.dh.base, &pubk->u.dh.base);
+             if (rv != SECSuccess)
+                 break;
+             rv = SECITEM_CopyItem(arena, &copyk->u.dh.publicValue,
+                                   &pubk->u.dh.publicValue);
+             break;
+         case ecKey:
+             copyk->u.ec.size = pubk->u.ec.size;
++            rv = seckey_HasCurveOID(pubk);
++            if (rv != SECSuccess) {
++                break;
++            }
+             rv = SECITEM_CopyItem(arena, &copyk->u.ec.DEREncodedParams,
+                                   &pubk->u.ec.DEREncodedParams);
+             if (rv != SECSuccess) {
+                 break;
+             }
+-            rv = seckey_SetPointEncoding(arena, copyk);
+-            if (rv != SECSuccess) {
+-                break;
+-            }
+-            PORT_Assert(copyk->u.ec.encoding == pubk->u.ec.encoding);
++            copyk->u.ec.encoding = ECPoint_Undefined;
+             rv = SECITEM_CopyItem(arena, &copyk->u.ec.publicValue,
+                                   &pubk->u.ec.publicValue);
+             break;
+         case nullKey:
+             return copyk;
+         default:
+             PORT_SetError(SEC_ERROR_INVALID_KEY);
+             rv = SECFailure;
+@@ -1938,44 +1956,8 @@ SECKEY_GetECCOid(const SECKEYECParams *p
+         return 0;
+     oid.len = params->len - 2;
+     oid.data = params->data + 2;
+     if ((oidData = SECOID_FindOID(&oid)) == NULL)
+         return 0;
+ 
+     return oidData->offset;
+ }
+-
+-/* Set curve encoding in SECKEYECPublicKey in pubKey from OID.
+- * If the encoding is not set, determining the key size of EC public keys will
+- * fail.
+- */
+-SECStatus
+-seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey)
+-{
+-    SECItem oid;
+-    SECOidTag tag;
+-    SECStatus rv;
+-
+-    /* decode the OID tag */
+-    rv = SEC_QuickDERDecodeItem(arena, &oid, SEC_ASN1_GET(SEC_ObjectIDTemplate),
+-                                &pubKey->u.ec.DEREncodedParams);
+-    if (rv != SECSuccess) {
+-        return SECFailure;
+-    }
+-
+-    tag = SECOID_FindOIDTag(&oid);
+-    switch (tag) {
+-        case SEC_OID_CURVE25519:
+-            pubKey->u.ec.encoding = ECPoint_XOnly;
+-            break;
+-        case SEC_OID_SECG_EC_SECP256R1:
+-        /* fall through */
+-        case SEC_OID_SECG_EC_SECP384R1:
+-        /* fall through */
+-        case SEC_OID_SECG_EC_SECP521R1:
+-        /* fall through */
+-        default:
+-            /* unknown curve, default to uncompressed */
+-            pubKey->u.ec.encoding = ECPoint_Uncompressed;
+-    }
+-    return SECSuccess;
+-}
+diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
+--- a/lib/pk11wrap/pk11akey.c
++++ b/lib/pk11wrap/pk11akey.c
+@@ -760,22 +760,20 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot
+                 crv = CKR_OBJECT_HANDLE_INVALID;
+                 break;
+             }
+ 
+             crv = pk11_Attr2SecItem(arena, ecparams,
+                                     &pubKey->u.ec.DEREncodedParams);
+             if (crv != CKR_OK)
+                 break;
++            pubKey->u.ec.encoding = ECPoint_Undefined;
+             crv = pk11_get_Decoded_ECPoint(arena,
+                                            &pubKey->u.ec.DEREncodedParams, value,
+                                            &pubKey->u.ec.publicValue);
+-            if (seckey_SetPointEncoding(arena, pubKey) != SECSuccess) {
+-                crv |= CKR_GENERAL_ERROR;
+-            }
+             break;
+         case fortezzaKey:
+         case nullKey:
+         default:
+             crv = CKR_OBJECT_HANDLE_INVALID;
+             break;
+     }
+ 
+diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c
+--- a/lib/pk11wrap/pk11skey.c
++++ b/lib/pk11wrap/pk11skey.c
+@@ -2032,27 +2032,62 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
+             PORT_SetError(PK11_MapError(crv));
+         }
+     }
+ 
+     PK11_FreeSymKey(symKey);
+     return NULL;
+ }
+ 
++/* Test for curves that are known to use a special encoding.
++ * Extend this function when additional curves are added. */
++static ECPointEncoding
++pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey)
++{
++    SECItem oid;
++    SECStatus rv;
++    PORTCheapArenaPool tmpArena;
++    ECPointEncoding encoding = ECPoint_Undefined;
++
++    PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
++
++    /* decode the OID tag */
++    rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid,
++                                SEC_ASN1_GET(SEC_ObjectIDTemplate),
++                                &pubKey->u.ec.DEREncodedParams);
++    if (rv == SECSuccess) {
++        SECOidTag tag = SECOID_FindOIDTag(&oid);
++        switch (tag) {
++            case SEC_OID_CURVE25519:
++                encoding = ECPoint_XOnly;
++                break;
++            case SEC_OID_SECG_EC_SECP256R1:
++            case SEC_OID_SECG_EC_SECP384R1:
++            case SEC_OID_SECG_EC_SECP521R1:
++            default:
++                /* unknown curve, default to uncompressed */
++                encoding = ECPoint_Uncompressed;
++        }
++    }
++    PORT_DestroyCheapArena(&tmpArena);
++    return encoding;
++}
++
+ /* Returns the size of the public key, or 0 if there
+  * is an error. */
+ static CK_ULONG
+ pk11_ECPubKeySize(SECKEYPublicKey *pubKey)
+ {
+     SECItem *publicValue = &pubKey->u.ec.publicValue;
+ 
+-    if (pubKey->u.ec.encoding == ECPoint_XOnly) {
++    ECPointEncoding encoding = pk11_ECGetPubkeyEncoding(pubKey);
++    if (encoding == ECPoint_XOnly) {
+         return publicValue->len;
+     }
+-    if (publicValue->data[0] == 0x04) {
++    if (encoding == ECPoint_Uncompressed) {
+         /* key encoded in uncompressed form */
+         return ((publicValue->len - 1) / 2);
+     }
+     /* key encoding not recognized */
+     return 0;
+ }
+ 
+ static PK11SymKey *
+diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c
+--- a/lib/ssl/ssl3ecc.c
++++ b/lib/ssl/ssl3ecc.c
+@@ -298,17 +298,17 @@ ssl3_HandleECDHClientKeyExchange(sslSock
+     PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
+     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+ 
+     clntPubKey.keyType = ecKey;
+     clntPubKey.u.ec.DEREncodedParams.len =
+         serverKeyPair->pubKey->u.ec.DEREncodedParams.len;
+     clntPubKey.u.ec.DEREncodedParams.data =
+         serverKeyPair->pubKey->u.ec.DEREncodedParams.data;
+-    clntPubKey.u.ec.encoding = serverKeyPair->pubKey->u.ec.encoding;
++    clntPubKey.u.ec.encoding = ECPoint_Undefined;
+ 
+     rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue,
+                                        1, &b, &length);
+     if (rv != SECSuccess) {
+         PORT_SetError(errCode);
+         return SECFailure;
+     }
+ 
+@@ -382,21 +382,17 @@ ssl_ImportECDHKeyShare(sslSocket *ss, SE
+     peerKey->keyType = ecKey;
+     /* Set up the encoded params */
+     rv = ssl_NamedGroup2ECParams(peerKey->arena, ecGroup,
+                                  &peerKey->u.ec.DEREncodedParams);
+     if (rv != SECSuccess) {
+         ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE);
+         return SECFailure;
+     }
+-    if (ecGroup->name == ssl_grp_ec_curve25519) {
+-        peerKey->u.ec.encoding = ECPoint_XOnly;
+-    } else {
+-        peerKey->u.ec.encoding = ECPoint_Uncompressed;
+-    }
++    peerKey->u.ec.encoding = ECPoint_Undefined;
+ 
+     /* copy publicValue in peerKey */
+     ecPoint.data = b;
+     ecPoint.len = length;
+ 
+     rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.ec.publicValue, &ecPoint);
+     if (rv != SECSuccess) {
+         return SECFailure;
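Review bot: In `pk11_ECPubKeySize` (lib/pk11wrap/pk11skey.c) the uncompressed branch no longer looks at the point itself. The removed `publicValue->data[0] == 0x04` test is replaced by a decision based on the curve OID alone, so any value on a non-Curve25519 curve is sized as `(publicValue->len - 1) / 2`, and an empty item would make that unsigned subtraction wrap. In `ssl3_HandleECDHClientKeyExchange` the `publicValue` is read from the handshake, so unless a caller outside these hunks validates it first, the size is derived from peer-controlled bytes. I would keep the format check inside the branch, before the division: `if (publicValue->len < 3 || publicValue->data[0] != 0x04) return 0;`. Separately, the comment on `seckey_HasCurveOID` says it ensures the key contains an OID, but the code only confirms that `DEREncodedParams` decodes as an OBJECT IDENTIFIER; `/* Check that DEREncodedParams decodes as an OID; the curve itself is not validated */` would be more precise.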
diff --git a/SOURCES/nss-enable-384-cipher-tests.patch b/SOURCES/nss-enable-384-cipher-tests.patch
deleted file mode 100644
index 2b8d597..0000000
--- a/SOURCES/nss-enable-384-cipher-tests.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ./nss/tests/ssl/ssl.sh.384 ./nss/tests/ssl/ssl.sh
---- ./nss/tests/ssl/ssl.sh.384	2016-02-24 19:00:23.135079185 -0500
-+++ ./nss/tests/ssl/ssl.sh	2016-02-24 19:00:41.963720050 -0500
-@@ -93,8 +93,8 @@ ssl_init()
-       ECC_STRING=""
-   fi
- 
--  CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
--  CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
-+  CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz"
-+  CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027:C028:C02B:C02C:C02F:C030:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz"
- 
-   if [ "${OS_ARCH}" != "WINNT" ]; then
-       ulimit -n 1000 # make sure we have enough file descriptors
diff --git a/SOURCES/nss-enable-cipher-suites.patch b/SOURCES/nss-enable-cipher-suites.patch
new file mode 100644
index 0000000..0e6aabd
--- /dev/null
+++ b/SOURCES/nss-enable-cipher-suites.patch
@@ -0,0 +1,39 @@
+diff -up nss/lib/ssl/ssl3con.c.enable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.enable-cipher-suites	2017-02-20 16:32:39.464067010 +0100
++++ nss/lib/ssl/ssl3con.c	2017-02-20 16:37:00.506731989 +0100
+@@ -91,7 +91,7 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+    /*      cipher_suite                     policy       enabled   isPresent */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -102,7 +102,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -113,7 +113,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+@@ -140,7 +140,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
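Review bot: The four entries flipped to `PR_TRUE` in `cipherSuites[]` change which suites are enabled by default, yet the patch has no preamble explaining why the downstream defaults differ from upstream or when it can be dropped. A short header in the patch file (reason, tracking reference such as BUG_ID_PLACEHOLDER) would make the next rebase auditable. One of the four, `TLS_RSA_WITH_AES_256_GCM_SHA384`, uses static RSA key exchange and so offers no forward secrecy; `TLS_RSA_WITH_AES_256_CBC_SHA` is already enabled next to it, so this matches the existing defaults, but the header should state that it is deliberate. `TLS_DHE_DSS_WITH_AES_256_GCM_SHA384` and the two ECDHE `*_AES_256_CBC_SHA384` entries remain `PR_FALSE`; if that is intentional, the same header should say so. The array initialiser starts and ends outside these hunks.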
diff --git a/SOURCES/nss-fix-client-auth-init-hashes.patch b/SOURCES/nss-fix-client-auth-init-hashes.patch
deleted file mode 100644
index f0f60a3..0000000
--- a/SOURCES/nss-fix-client-auth-init-hashes.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff -up ./nss/lib/ssl/ssl3con.c.fix_client_auth_crash ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.fix_client_auth_crash	2016-02-24 10:40:56.249523174 -0800
-+++ ./nss/lib/ssl/ssl3con.c	2016-02-24 10:56:24.180107667 -0800
-@@ -6626,12 +6626,14 @@ ssl3_HandleServerHello(sslSocket *ss, SS
-     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
-     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
- 
-+#ifdef notdef
-     rv = ssl3_InitHandshakeHashes(ss);
-     if (rv != SECSuccess) {
- 	desc = internal_error;
- 	errCode = PORT_GetError();
- 	goto alert_loser;
-     }
-+#endif
- 
-     rv = ssl3_ConsumeHandshake(
- 	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
-@@ -8115,12 +8117,14 @@ ssl3_HandleClientHello(sslSocket *ss, SS
-     }
-     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
- 
-+#ifdef notdef
-     rv = ssl3_InitHandshakeHashes(ss);
-     if (rv != SECSuccess) {
- 	desc = internal_error;
- 	errCode = PORT_GetError();
- 	goto alert_loser;
-     }
-+#endif
- 
-     /* grab the client random data. */
-     rv = ssl3_ConsumeHandshake(
-@@ -8941,12 +8945,14 @@ ssl3_HandleV2ClientHello(sslSocket *ss,
-     }
-     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
- 
-+#ifdef notdef
-     rv = ssl3_InitHandshakeHashes(ss);
-     if (rv != SECSuccess) {
- 	desc = internal_error;
- 	errCode = PORT_GetError();
- 	goto alert_loser;
-     }
-+#endif
- 
-     /* if we get a non-zero SID, just ignore it. */
-     if (length !=
diff --git a/SOURCES/nss-fix-deadlock-squash.patch b/SOURCES/nss-fix-deadlock-squash.patch
index 4950f7b..c8222c7 100644
--- a/SOURCES/nss-fix-deadlock-squash.patch
+++ b/SOURCES/nss-fix-deadlock-squash.patch
@@ -1,45 +1,30 @@
-diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
---- a/lib/pki/tdcache.c
-+++ b/lib/pki/tdcache.c
-@@ -379,23 +379,29 @@ nssTrustDomain_UnlockCertCache (
- 
- struct token_cert_dtor {
-     NSSToken *token;
-     nssTDCertificateCache *cache;
-     NSSCertificate **certs;
+diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c
+--- nss/lib/pki/tdcache.c.fix_deadlock	2017-01-13 17:10:36.055530248 +0100
++++ nss/lib/pki/tdcache.c	2017-01-13 17:14:04.015338438 +0100
+@@ -374,13 +374,19 @@ struct token_cert_dtor {
      PRUint32 numCerts, arrSize;
  };
  
+-static void
+-remove_token_certs(const void *k, void *v, void *a)
 +static void cert_iter(const void *k, void *v, void *a)
-+{
+ {
 +    nssList *certList = (nssList *)a;
-+    NSSCertificate *c = (NSSCertificate *)k;
+     NSSCertificate *c = (NSSCertificate *)k;
 +    nssList_Add(certList, nssCertificate_AddRef(c));
 +}
 +
- static void 
--remove_token_certs(const void *k, void *v, void *a)
++static void
 +remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor) 
- {
--    NSSCertificate *c = (NSSCertificate *)k;
++{
      nssPKIObject *object = &c->object;
 -    struct token_cert_dtor *dtor = a;
      PRUint32 i;
 +
      nssPKIObject_AddRef(object);
      nssPKIObject_Lock(object);
-     for (i=0; i<object->numInstances; i++) {
- 	if (object->instances[i]->token == dtor->token) {
- 	    nssCryptokiObject_Destroy(object->instances[i]);
- 	    object->instances[i] = object->instances[object->numInstances-1];
- 	    object->instances[object->numInstances-1] = NULL;
- 	    object->numInstances--;
-@@ -422,45 +428,83 @@ NSS_IMPLEMENT PRStatus
- nssTrustDomain_RemoveTokenCertsFromCache (
-   NSSTrustDomain *td,
-   NSSToken *token
- )
- {
+     for (i = 0; i < object->numInstances; i++) {
+@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache
      NSSCertificate **certs;
      PRUint32 i, arrSize = 10;
      struct token_cert_dtor dtor;
@@ -50,10 +35,8 @@ diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
 +
      certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize);
      if (!certs) {
- 	return PR_FAILURE;
-     }
-     dtor.cache = td->cache;
-     dtor.token = token;
+         return PR_FAILURE;
+@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache
      dtor.certs = certs;
      dtor.numCerts = 0;
      dtor.arrSize = arrSize;
@@ -63,8 +46,7 @@ diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
 +	goto loser;
 +    }
 +    /* fetch the list of certs in the cache */
-     PZ_Lock(td->cache->lock);
--    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
++    PZ_Lock(td->cache->lock);
 +    nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
 +    PZ_Unlock(td->cache->lock);
 +
@@ -84,24 +66,22 @@ diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
 +    certList = NULL;
 +
 +    /* now remove theose certs attached to this token */
-+    PZ_Lock(td->cache->lock);
-     for (i=0; i<dtor.numCerts; i++) {
- 	if (dtor.certs[i]->object.numInstances == 0) {
- 	    nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
- 	    dtor.certs[i] = NULL;  /* skip this cert in the second for loop */
- 	} else {
- 	    /* make sure it doesn't disappear on us before we finish */
- 	    nssCertificate_AddRef(dtor.certs[i]);
- 	}
+     PZ_Lock(td->cache->lock);
+-    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
+     for (i = 0; i < dtor.numCerts; i++) {
+         if (dtor.certs[i]->object.numInstances == 0) {
+             nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
+@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache
+         }
      }
      PZ_Unlock(td->cache->lock);
 +
 +    /* clean up */
-     for (i=0; i<dtor.numCerts; i++) {
- 	if (dtor.certs[i]) {
- 	    STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
- 	    nssCertificate_Destroy(dtor.certs[i]);
- 	}
+     for (i = 0; i < dtor.numCerts; i++) {
+         if (dtor.certs[i]) {
+             STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
+             nssCertificate_Destroy(dtor.certs[i]);
+         }
      }
 +
 +    nspr_rv = PR_SUCCESS;
@@ -115,21 +95,12 @@ diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
  }
  
  NSS_IMPLEMENT PRStatus
- nssTrustDomain_UpdateCachedTokenCerts (
-   NSSTrustDomain *td,
-   NSSToken *token
- )
- {
-@@ -1073,23 +1117,16 @@ nssTrustDomain_GetCertByDERFromCache (
- #endif
-     rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td, 
-                                                            &issuer, &serial);
-     PORT_Free(issuer.data);
-     PORT_Free(serial.data);
+@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache(
      return rvCert;
  }
  
--static void cert_iter(const void *k, void *v, void *a)
+-static void
+-cert_iter(const void *k, void *v, void *a)
 -{
 -    nssList *certList = (nssList *)a;
 -    NSSCertificate *c = (NSSCertificate *)k;
@@ -137,10 +108,5 @@ diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
 -}
 -
  NSS_EXTERN NSSCertificate **
- nssTrustDomain_GetCertsFromCache (
-   NSSTrustDomain *td,
-   nssList *certListOpt
- )
- {
-     NSSCertificate **rvArray = NULL;
-     nssList *certList;
+ nssTrustDomain_GetCertsFromCache(
+     NSSTrustDomain *td,
diff --git a/SOURCES/nss-fix-signature-and-hash.patch b/SOURCES/nss-fix-signature-and-hash.patch
deleted file mode 100644
index 91adf5a..0000000
--- a/SOURCES/nss-fix-signature-and-hash.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ./nss/lib/ssl/ssl3con.c.fixSignatureAndHash ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.fixSignatureAndHash	2016-02-24 20:06:36.697164368 -0500
-+++ ./nss/lib/ssl/ssl3con.c	2016-02-24 20:09:19.690055466 -0500
-@@ -4474,8 +4474,8 @@ ssl3_AppendSignatureAndHashAlgorithm(
-     sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash)
- {
-     PRUint8 serialized[2];
--    unsigned char hashAlg = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
--    if (hashAlg == 0) {
-+    SECOidTag hashAlg = ssl3_TLSHashAlgorithmToOID(sigAndHash->hashAlg);
-+    if (hashAlg == SEC_OID_UNKNOWN) {
- 	PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
- 	return SECFailure;
-     }
diff --git a/SOURCES/nss-map-oid-to-hashalg.patch b/SOURCES/nss-map-oid-to-hashalg.patch
deleted file mode 100644
index f056f5c..0000000
--- a/SOURCES/nss-map-oid-to-hashalg.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -up ./nss/lib/ssl/ssl3con.c.use_oids ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.use_oids	2016-02-24 12:01:55.488253556 -0800
-+++ ./nss/lib/ssl/ssl3con.c	2016-02-24 12:09:18.099513245 -0800
-@@ -4950,7 +4950,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
-         rv = SECFailure;
-         goto tls12_loser;
-     }
--    hashes->hashAlg = hashOid->offset;
-+    hashes->hashAlg = ssl3_OIDToTLSHashAlgorithm(hashOid->offset);
-     PORT_Assert(hashes->hashAlg == ssl_hash_sha256 ||
-                 hashes->hashAlg == ssl_hash_sha384);
-     if (hashes->hashAlg != ssl_hash_sha256 &&
-@@ -9581,7 +9581,7 @@ ssl3_EncodeCertificateRequestSigAlgs(ssl
-         /* Note that we don't support a handshake hash with anything other than
-          * SHA-256, so asking for a signature from clients for something else
-          * would be inviting disaster. */
--        if (alg->hashAlg == ssl_hash_sha256 /* || alg->hashAlg == ssl_hash_sha384*/) {
-+        if (alg->hashAlg == ssl_hash_sha256 || alg->hashAlg == ssl_hash_sha384) {
-             buf[(*len)++] = (PRUint8)alg->hashAlg;
-             buf[(*len)++] = (PRUint8)alg->sigAlg;
-         }
diff --git a/SOURCES/nss-old-pkcs11-num.patch b/SOURCES/nss-old-pkcs11-num.patch
index d2b51f7..dbfdf05 100644
--- a/SOURCES/nss-old-pkcs11-num.patch
+++ b/SOURCES/nss-old-pkcs11-num.patch
@@ -1,14 +1,16 @@
-diff -up ./nss/lib/ssl/ssl3con.c.old_pkcs11_num ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.old_pkcs11_num	2016-02-24 17:53:31.936203961 -0500
-+++ ./nss/lib/ssl/ssl3con.c	2016-02-24 17:54:34.643037802 -0500
-@@ -11075,7 +11075,9 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s
+diff -up nss/lib/ssl/ssl3con.c.old_pkcs11_num nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.old_pkcs11_num	2017-01-04 15:24:24.000000000 +0100
++++ nss/lib/ssl/ssl3con.c	2017-01-16 10:42:14.993429316 +0100
+@@ -11054,8 +11054,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s
      tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
      param.data = (unsigned char *)&tls_mac_params;
      param.len = sizeof(tls_mac_params);
 -    prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN,
+-                                             spec->master_secret, &param);
 +    /* RHEL 7.2 had the wrong number for CKM_TLS12_MACH instead of CKM_TLS_MAC. In the new scheme that
 +     * number matches with CKM_TLS_KDF, so until softoken gets updated, use CKM_TLS_KDF on RHEL7 */
 +    prf_context = PK11_CreateContextBySymKey(CKM_TLS_KDF, CKA_SIGN,
- 					     spec->master_secret, &param);
++ 					     spec->master_secret, &param);
      if (!prf_context)
- 	return SECFailure;
+         return SECFailure;
+ 
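Review bot: The rebased workaround in `ssl3_ComputeTLSFinished` still passes `CKM_TLS_KDF` where upstream uses `CKM_TLS_MAC`, and its only justification is the comment "until softoken gets updated", which gives a later rebase no way to check whether that still holds. The Finished computation depends on the token interpreting that mechanism number the way the comment assumes, so I would extend the comment with the removal condition and a tracking reference, e.g. `/* TODO(BUG_ID_PLACEHOLDER): revert to CKM_TLS_MAC once the required softoken carries the corrected mechanism number */`. The re-added continuation line `spec->master_secret, &param);` also begins with a space followed by tabs, left over from turning a context line into an added one; space-only alignment would match the reformatted upstream file. The function body continues outside the hunk.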
diff --git a/SOURCES/nss-prevent-abi-issue.patch b/SOURCES/nss-prevent-abi-issue.patch
index afc979f..22df86e 100644
--- a/SOURCES/nss-prevent-abi-issue.patch
+++ b/SOURCES/nss-prevent-abi-issue.patch
@@ -1,44 +1,24 @@
-diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c
---- a/lib/ssl/sslinfo.c
-+++ b/lib/ssl/sslinfo.c
-@@ -62,17 +62,17 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
- 	    ssl_ReleaseSpecReadLock(ss);
- 	    inf.compressionMethodName =
- 		ssl_GetCompressionMethodName(inf.compressionMethod);
- 	}
- 	if (sid) {
- 	    inf.creationTime   = sid->creationTime;
- 	    inf.lastAccessTime = sid->lastAccessTime;
- 	    inf.expirationTime = sid->expirationTime;
--            inf.extendedMasterSecretUsed = sid->u.ssl3.keys.extendedMasterSecretUsed;
-+            inf.reservedNotSupported = PR_FALSE;
- 
- 	    if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
- 	        inf.sessionIDLength = SSL2_SESSIONID_BYTES;
- 		memcpy(inf.sessionID, sid->u.ssl2.sessionID, 
- 		       SSL2_SESSIONID_BYTES);
- 	    } else {
- 		unsigned int sidLen = sid->u.ssl3.sessionIDLength;
- 	        sidLen = PR_MIN(sidLen, sizeof inf.sessionID);
-diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h
---- a/lib/ssl/sslt.h
-+++ b/lib/ssl/sslt.h
-@@ -145,17 +145,17 @@ typedef struct SSLChannelInfoStr {
-     /* compression method info */
-     const char *         compressionMethodName;
-     SSLCompressionMethod compressionMethod;
- 
-     /* The following fields are added in NSS 3.21.
+diff -up nss/lib/ssl/sslinfo.c.abi_lib nss/lib/ssl/sslinfo.c
+--- nss/lib/ssl/sslinfo.c.abi_lib	2016-10-10 16:44:06.661038110 +0200
++++ nss/lib/ssl/sslinfo.c	2016-10-10 16:44:54.436814398 +0200
+@@ -74,7 +74,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
+             inf.creationTime = sid->creationTime;
+             inf.lastAccessTime = sid->lastAccessTime;
+             inf.expirationTime = sid->expirationTime;
+-            inf.extendedMasterSecretUsed =
++            inf.reservedNotSupported =
+                 (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
+                  sid->u.ssl3.keys.extendedMasterSecretUsed)
+                     ? PR_TRUE
+diff -up nss/lib/ssl/sslt.h.abi_lib nss/lib/ssl/sslt.h
+--- nss/lib/ssl/sslt.h.abi_lib	2016-10-03 16:55:58.000000000 +0200
++++ nss/lib/ssl/sslt.h	2016-10-10 16:44:06.661038110 +0200
+@@ -188,7 +188,7 @@ typedef struct SSLChannelInfoStr {
       * This field only has meaning in TLS < 1.3 and will be set to
       *  PR_FALSE in TLS 1.3.
       */
--    PRBool               extendedMasterSecretUsed;
-+    PRBool               reservedNotSupported; /* don't use */
- } SSLChannelInfo;
- 
- /* Preliminary channel info */
- #define ssl_preinfo_version (1U << 0)
- #define ssl_preinfo_cipher_suite (1U << 1)
- #define ssl_preinfo_all (ssl_preinfo_version|ssl_preinfo_cipher_suite)
+-    PRBool extendedMasterSecretUsed;
++    PRBool reservedNotSupported;
  
- typedef struct SSLPreliminaryChannelInfoStr {
+     /* The following fields were added in NSS 3.25.
+      * This field only has meaning in TLS >= 1.3, and indicates on the
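Review bot: In the `SSL_GetChannelInfo` hunk the field renamed to `reservedNotSupported` is still assigned the real extended-master-secret result, whereas the previous version of this patch set it to `PR_FALSE` and marked the struct member `/* don't use */`. If the aim is still to hide the field from applications, the assignment should be `inf.reservedNotSupported = PR_FALSE;` and the member in sslt.h should keep its `/* don't use */` comment. If reporting the value under the reserved name is intended, a comment in sslt.h should say so, because the surrounding text still documents extended-master-secret semantics. The assignment expression continues past the end of the inner hunk, so its full right-hand side is not visible here.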
diff --git a/SOURCES/nss-remove-bogus-assert.patch b/SOURCES/nss-remove-bogus-assert.patch
deleted file mode 100644
index 423b524..0000000
--- a/SOURCES/nss-remove-bogus-assert.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up ./nss/lib/ssl/ssl3con.c.remove_bogus_assert ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.remove_bogus_assert	2016-02-24 16:55:18.430172675 -0500
-+++ ./nss/lib/ssl/ssl3con.c	2016-02-24 16:55:56.000473980 -0500
-@@ -3754,9 +3754,6 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
-     CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
-     unsigned int      master_params_len;
- 
--    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
--    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
--    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-     if (isTLS12) {
- 	if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
- 	else master_derive = CKM_TLS12_MASTER_KEY_DERIVE;
diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch
new file mode 100644
index 0000000..f08ca2f
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites.patch
@@ -0,0 +1,242 @@
+diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.reorder_cipher_suites	2017-02-15 13:11:24.960624359 +0100
++++ nss/lib/ssl/ssl3con.c	2017-02-15 13:12:55.378720030 +0100
+@@ -91,83 +91,64 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+    /*      cipher_suite                     policy       enabled   isPresent */
+- /* Special TLS 1.3 suites. */
+- { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+-
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+-    * bug 946147.
+-    */
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* RSA */
+- { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+-
+- /* 56-bit DES "domestic" cipher suites */
+  { TLS_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_DES_CBC_SHA,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* ciphersuites with no encryption */
+  { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_NULL_SHA,              SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -175,6 +156,12 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_NULL_SHA256,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+ };
+ /* clang-format on */
+ 
+diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c
+--- nss/lib/ssl/sslenum.c.reorder_cipher_suites	2017-02-15 13:11:35.724397659 +0100
++++ nss/lib/ssl/sslenum.c	2017-02-15 13:12:26.332331787 +0100
+@@ -55,81 +55,64 @@
+  * the third one.
+  */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+-    TLS_AES_128_GCM_SHA256,
+-    TLS_CHACHA20_POLY1305_SHA256,
+-    TLS_AES_256_GCM_SHA384,
+-
+-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+-    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+-    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+-     * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+-     */
+     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+-    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+-    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+-
+-    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+-    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+-    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+-    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+-    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+     TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+     TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
++    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
++    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
++    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
++    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
++    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+     TLS_DHE_DSS_WITH_RC4_128_SHA,
+-
+-    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+-    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
++    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
++    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+     TLS_ECDH_RSA_WITH_RC4_128_SHA,
+-
+-    TLS_RSA_WITH_AES_128_GCM_SHA256,
+     TLS_RSA_WITH_AES_256_GCM_SHA384,
+-    TLS_RSA_WITH_AES_128_CBC_SHA,
+-    TLS_RSA_WITH_AES_128_CBC_SHA256,
+-    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+     TLS_RSA_WITH_AES_256_CBC_SHA,
+     TLS_RSA_WITH_AES_256_CBC_SHA256,
+     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
++    TLS_RSA_WITH_AES_128_GCM_SHA256,
++    TLS_RSA_WITH_AES_128_CBC_SHA,
++    TLS_RSA_WITH_AES_128_CBC_SHA256,
++    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+     TLS_RSA_WITH_SEED_CBC_SHA,
+     TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_RSA_WITH_RC4_128_SHA,
+     TLS_RSA_WITH_RC4_128_MD5,
+-
+-    /* 56-bit DES "domestic" cipher suites */
+     TLS_DHE_RSA_WITH_DES_CBC_SHA,
+     TLS_DHE_DSS_WITH_DES_CBC_SHA,
+     TLS_RSA_WITH_DES_CBC_SHA,
+-
+-    /* ciphersuites with no encryption */
+     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+     TLS_ECDHE_RSA_WITH_NULL_SHA,
+     TLS_ECDH_RSA_WITH_NULL_SHA,
+@@ -137,6 +120,12 @@ const PRUint16 SSL_ImplementedCiphers[]
+     TLS_RSA_WITH_NULL_SHA,
+     TLS_RSA_WITH_NULL_SHA256,
+     TLS_RSA_WITH_NULL_MD5,
++    TLS_AES_128_GCM_SHA256,
++    TLS_CHACHA20_POLY1305_SHA256,
++    TLS_AES_256_GCM_SHA384,
++    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
++    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
++    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ 
+     0
+ };
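Review bot: In both reordered tables the three TLS 1.3 suites and the three ChaCha20-Poly1305 suites are appended after the NULL-encryption entries, so among the entries marked `PR_TRUE` in `cipherSuites[]` they now rank below `TLS_RSA_WITH_RC4_128_MD5` and the 3DES suites, and AES-256-CBC precedes AES-128-GCM within each key-exchange group. If table position drives the offered preference order, as the removed bug 946147 comment suggests, a peer that honours client order would pick RC4 or a CBC suite ahead of an AEAD one. The patch also strips every grouping comment without recording the downstream rationale; I would add a header comment above each table such as `/* Downstream order: 256-bit before 128-bit per key exchange; suites new since the previous rebase are appended last (TODO: confirm intent). */`. `cipherSuites[]` and `SSL_ImplementedCiphers[]` should stay in the same order as each other.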
diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch
index 7d2427b..7d55d10 100644
--- a/SOURCES/nss-skip-bltest-and-fipstest.patch
+++ b/SOURCES/nss-skip-bltest-and-fipstest.patch
@@ -1,17 +1,15 @@
 diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
---- nss/cmd/Makefile.nobltest	2013-05-28 14:43:24.000000000 -0700
-+++ nss/cmd/Makefile	2013-06-15 11:51:11.669655168 -0700
-@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
- DIRS += libpkix
- endif
- 
--ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+--- nss/cmd/Makefile.skipthem	2017-01-13 16:41:04.117486801 +0100
++++ nss/cmd/Makefile	2017-01-13 16:42:31.396335957 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
 +ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
- BLTEST_SRCDIR =
--FIPSTEST_SRCDIR =
--SHLIBSIGN_SRCDIR =
-+FIPSTEST_SRCDIR =
 +SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
  else
  BLTEST_SRCDIR = bltest
- FIPSTEST_SRCDIR = fipstest
+ ECPERF_SRCDIR = ecperf
diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch
new file mode 100644
index 0000000..6c7fb1d
--- /dev/null
+++ b/SOURCES/nss-skip-util-gtest.patch
@@ -0,0 +1,34 @@
+diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip-util-gtests	2017-01-30 02:06:08.000000000 +0100
++++ nss/gtests/manifest.mn	2017-02-17 12:55:55.064026636 +0100
+@@ -9,7 +9,6 @@ DIRS = \
+ 	google_test \
+ 	common \
+ 	der_gtest \
+-	util_gtest \
+ 	pk11_gtest \
+ 	ssl_gtest \
+         nss_bogo_shim \
+diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
+--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests	2017-02-17 12:55:55.063026657 +0100
++++ nss/gtests/ssl_gtest/manifest.mn	2017-02-17 12:55:55.064026636 +0100
+@@ -48,6 +48,6 @@ REQUIRES = nspr nss libdbm gtest
+ 
+ PROGRAM = ssl_gtest
+ EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
+-             $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
++             -lsoftokn3
+ 
+ USE_STATIC_LIBS = 1
+diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh
+--- nss/tests/gtests/gtests.sh.skip-util-gtests	2017-02-17 12:56:49.434880888 +0100
++++ nss/tests/gtests/gtests.sh	2017-02-17 12:56:54.677770408 +0100
+@@ -82,7 +82,7 @@ gtest_cleanup()
+ }
+ 
+ ################## main #################################################
+-GTESTS="der_gtest pk11_gtest util_gtest"
++GTESTS="der_gtest pk11_gtest"
+ gtest_init $0
+ gtest_start
+ gtest_cleanup
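Review bot: The `EXTRA_LIBS` change in `ssl_gtest/manifest.mn` replaces the `$(DIST)/lib` softokn library with `-lsoftokn3`, which resolves through the linker search path, so `ssl_gtest` may end up exercising an installed softokn rather than the one just built; it is worth confirming the build passes a `-L` for the freshly built library. The patch also removes `util_gtest` from `DIRS` and from `GTESTS` with no explanation, which silently drops that test coverage. A leading comment in the patch file, for example `# util_gtest is skipped because <reason>; re-check on each rebase`, would let the next refresh re-evaluate both changes.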
diff --git a/SOURCES/nss-sni-c-v-fix.patch b/SOURCES/nss-sni-c-v-fix.patch
index 6cfbb4f..3e2fea2 100644
--- a/SOURCES/nss-sni-c-v-fix.patch
+++ b/SOURCES/nss-sni-c-v-fix.patch
@@ -1,21 +1,21 @@
-diff -up ./nss/tests/ssl/sslauth.txt.c_v_fix ./nss/tests/ssl/sslauth.txt
---- ./nss/tests/ssl/sslauth.txt.c_v_fix	2016-02-24 19:30:43.630282607 -0500
-+++ ./nss/tests/ssl/sslauth.txt	2016-02-24 19:33:59.848516577 -0500
-@@ -54,13 +54,13 @@
+diff -up ./nss/tests/ssl/sslauth.txt.sni_c_v_fix ./nss/tests/ssl/sslauth.txt
+--- ./nss/tests/ssl/sslauth.txt.sni_c_v_fix	2016-08-16 12:48:58.886105082 +0200
++++ ./nss/tests/ssl/sslauth.txt	2016-08-16 12:51:29.142147183 +0200
+@@ -64,13 +64,13 @@
  #
  # SNI Tests
  #
--  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-+  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+-  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:tls1.2_-w_nss_-n_TestUser                          TLS Server hello response without SNI
++  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser                          TLS Server hello response without SNI
+   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
 -  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
 +  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
    SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
--  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-+  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
--  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
-+  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
-   SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
-   SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+-  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser                          TLS Server hello response without SNI
++  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser                          TLS Server hello response without SNI
+   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+-  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
++  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+   SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+   SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
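Review bot: The refreshed line for "Change name on 2d HS" reads `-V_ssl3:tls1.2_-c_v-w_nss_...`, missing the underscore between `-c_v` and `-w_nss` that the neighbouring SNI lines have. Assuming the harness turns underscores into spaces, the client would receive `v-w` as the `-c` argument and no `-w` password option at all. Because this case expects return value 1, it may then pass for the wrong reason and stop testing the SNI name change. The parameter field should be `-V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom`.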
diff --git a/SOURCES/nss-ssl-delete-duplicates.patch b/SOURCES/nss-ssl-delete-duplicates.patch
deleted file mode 100644
index cd92b25..0000000
--- a/SOURCES/nss-ssl-delete-duplicates.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -426,36 +426,30 @@ static const ssl3CipherSuiteDef cipher_s
-                                     cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0},
- 
-     {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0},
-     {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips, 0},
- 
-     {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256},
-     {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256},
- #ifndef NSS_DISABLE_ECC
--    {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
--    {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
-     {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256},
-     {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256},
-     {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384},
-     {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384},
-     {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384},
-     {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384},
- #endif /* NSS_DISABLE_ECC */
-     {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, prf_384},
-     {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, prf_256},
-     {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, prf_384},
-     {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, prf_256},
-     {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, prf_256},
-     {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, prf_384},
- 
--    {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, 0},
--    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, 0},
--    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, 0},
--
- #ifndef NSS_DISABLE_ECC
-     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa, 0},
-     {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa, 0},
-     {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, 0},
-     {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, 0},
-     {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, 0},
- 
-     {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa, 0},
-diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c
---- a/lib/ssl/sslinfo.c
-+++ b/lib/ssl/sslinfo.c
-@@ -248,19 +248,16 @@ static const SSLCipherSuiteInfo suiteInf
- {0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),    S_RSA,   K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
- {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384),  S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
- {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384),    S_RSA,   K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
- 
- #endif /* NSS_DISABLE_ECC */
- 
- {0,CS(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
- {0,CS(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
--{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
--{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
--{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
- {0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384),     S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
- 
- /* SSL 2 table */
- {0,CK(SSL_CK_RC4_128_WITH_MD5),               S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5),           S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5),      S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_DES_64_CBC_WITH_MD5),            S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, 0, 0, },
- {0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5),      S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
diff --git a/SOURCES/nss-sslstress-txt-ssl3-lower-value-in-range.patch b/SOURCES/nss-sslstress-txt-ssl3-lower-value-in-range.patch
deleted file mode 100644
index c838dae..0000000
--- a/SOURCES/nss-sslstress-txt-ssl3-lower-value-in-range.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up ./nss/tests/ssl/sslstress.txt.ssl3_as_min_value ./nss/tests/ssl/sslstress.txt
---- ./nss/tests/ssl/sslstress.txt.ssl3_as_min_value	2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/tests/ssl/sslstress.txt	2016-02-26 11:07:42.036366203 -0800
-@@ -9,9 +9,9 @@
- #  ECC    value   params     params
- # ------- ------  ------     ------                         ---------------
-   noECC     0      _         -c_1000_-C_A                  Stress SSL2 RC4 128 with MD5
--  noECC     0      _         -c_1000_-C_c_-V_:ssl3               Stress SSL3 RC4 128 with MD5
--  noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
--  noECC     0      _         -c_1000_-C_c_-g               Stress TLS  RC4 128 with MD5 (false start)
-+  noECC     0      _         -c_1000_-C_c_-V_ssl3:ssl3               Stress SSL3 RC4 128 with MD5
-+  noECC     0      _         -c_1000_-C_c_-V_ssl3:_                  Stress TLS  RC4 128 with MD5
-+  noECC     0      _         -V_ssl3:_-c_1000_-C_c_-g               Stress TLS  RC4 128 with MD5 (false start)
-   noECC     0      -u        -V_ssl3:_-c_1000_-C_c_-u            Stress TLS  RC4 128 with MD5 (session ticket)
-   noECC     0      -z        -V_ssl3:_-c_1000_-C_c_-z            Stress TLS  RC4 128 with MD5 (compression)
-   noECC     0      -u_-z     -V_ssl3:_-c_1000_-C_c_-u_-z         Stress TLS  RC4 128 with MD5 (session ticket, compression)
-@@ -22,8 +22,8 @@
- # add client auth versions here...
- #
-   noECC     0      -r_-r     -c_100_-C_A_-N_-n_TestUser    Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
--  noECC     0      -r_-r     -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
--  noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
-+  noECC     0      -r_-r     -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
-+  noECC     0      -r_-r     -c_100_-C_c_-V_ssl3:_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
-   noECC     0      -r_-r_-u  -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
-   noECC     0      -r_-r_-z  -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
-   noECC     0      -r_-r_-z  -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
diff --git a/SOURCES/nss-tests-prevent-abi-issue.patch b/SOURCES/nss-tests-prevent-abi-issue.patch
index b6d726f..766f2d7 100644
--- a/SOURCES/nss-tests-prevent-abi-issue.patch
+++ b/SOURCES/nss-tests-prevent-abi-issue.patch
@@ -1,34 +1,34 @@
-diff -up ./cmd/selfserv/selfserv.c.abi_test ./cmd/selfserv/selfserv.c
---- ./cmd/selfserv/selfserv.c.abi_test	2016-02-22 06:12:27.089047751 -0800
-+++ ./cmd/selfserv/selfserv.c	2016-02-22 06:15:46.969659328 -0800
-@@ -432,7 +432,7 @@ printSecurityInfo(PRFileDesc *fd)
- 	       channel.authKeyBits, suite.authAlgorithmName,
- 	       channel.keaKeyBits,  suite.keaTypeName,
-                channel.compressionMethodName,
--               channel.extendedMasterSecretUsed ? "Yes": "No");
-+               channel.reservedNotSupported ? "Yes": "No");
-     	}
+diff -up nss/cmd/selfserv/selfserv.c.abi_tests nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.abi_tests	2016-08-16 12:36:23.695996680 +0200
++++ nss/cmd/selfserv/selfserv.c	2016-08-16 12:39:00.006879649 +0200
+@@ -425,7 +425,7 @@ printSecurityInfo(PRFileDesc *fd)
+                     channel.authKeyBits, suite.authAlgorithmName,
+                     channel.keaKeyBits, suite.keaTypeName,
+                     channel.compressionMethodName,
+-                    channel.extendedMasterSecretUsed ? "Yes" : "No");
++		    channel.reservedNotSupported ? "Yes": "No");
+         }
      }
      if (verbose) {
-diff -up ./cmd/tstclnt/tstclnt.c.abi_test ./cmd/tstclnt/tstclnt.c
---- ./cmd/tstclnt/tstclnt.c.abi_test	2016-02-22 06:16:49.820593866 -0800
-+++ ./cmd/tstclnt/tstclnt.c	2016-02-22 06:18:16.908117535 -0800
-@@ -133,7 +133,7 @@ void printSecurityInfo(PRFileDesc *fd)
- 	       channel.authKeyBits, suite.authAlgorithmName,
- 	       channel.keaKeyBits,  suite.keaTypeName,
-                channel.compressionMethodName,
--               channel.extendedMasterSecretUsed ? "Yes": "No");
-+               channel.reservedNotSupported ? "Yes": "No");
-     	}
+diff -up nss/cmd/tstclnt/tstclnt.c.abi_tests nss/cmd/tstclnt/tstclnt.c
+--- nss/cmd/tstclnt/tstclnt.c.abi_tests	2016-08-16 12:36:23.696996653 +0200
++++ nss/cmd/tstclnt/tstclnt.c	2016-08-16 12:39:24.460235581 +0200
+@@ -129,7 +129,7 @@ printSecurityInfo(PRFileDesc *fd)
+                     channel.authKeyBits, suite.authAlgorithmName,
+                     channel.keaKeyBits, suite.keaTypeName,
+                     channel.compressionMethodName,
+-                    channel.extendedMasterSecretUsed ? "Yes" : "No");
++		    channel.reservedNotSupported ? "Yes": "No");
+         }
      }
      cert = SSL_RevealCert(fd);
-diff -up ./external_tests/ssl_gtest/tls_agent.cc.abi_test ./external_tests/ssl_gtest/tls_agent.cc
---- ./external_tests/ssl_gtest/tls_agent.cc.abi_test	2016-02-22 06:18:56.890439746 -0800
-+++ ./external_tests/ssl_gtest/tls_agent.cc	2016-02-22 06:19:59.264382368 -0800
-@@ -405,7 +405,7 @@ void TlsAgent::EnableExtendedMasterSecre
- }
- 
- void TlsAgent::CheckExtendedMasterSecret(bool expected) {
+diff -up nss/external_tests/ssl_gtest/tls_agent.cc.abi_tests nss/external_tests/ssl_gtest/tls_agent.cc
+--- nss/gtests/ssl_gtest/tls_agent.cc.abi_tests	2016-08-16 12:36:23.696996653 +0200
++++ nss/gtests/ssl_gtest/tls_agent.cc	2016-08-16 12:39:45.167690174 +0200
+@@ -571,7 +571,7 @@ void TlsAgent::CheckExtendedMasterSecret
+   if (version() >= SSL_LIBRARY_VERSION_TLS_1_3) {
+     expected = PR_TRUE;
+   }
 -  ASSERT_EQ(expected, info_.extendedMasterSecretUsed != PR_FALSE)
 +  ASSERT_EQ(expected, info_.reservedNotSupported != PR_FALSE)
        << "unexpected extended master secret state for " << name_;
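Review bot: The `diff -up` header for the third file names `nss/external_tests/ssl_gtest/tls_agent.cc` while its `---`/`+++` lines point at `nss/gtests/ssl_gtest/tls_agent.cc`; the header should read `diff -up nss/gtests/ssl_gtest/tls_agent.cc.abi_tests nss/gtests/ssl_gtest/tls_agent.cc` so the patch names the file it touches. The two `printSecurityInfo` replacement lines are indented with tabs and write `"Yes": "No"`, where the surrounding upstream lines use spaces and `"Yes" : "No"`. Matching upstream formatting, `channel.reservedNotSupported ? "Yes" : "No");` at the same column, keeps later refreshes of this patch small. All three enclosing functions extend outside the quoted context.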
diff --git a/SOURCES/nss-tstclnt-optspec.patch b/SOURCES/nss-tstclnt-optspec.patch
new file mode 100644
index 0000000..e76dba0
--- /dev/null
+++ b/SOURCES/nss-tstclnt-optspec.patch
@@ -0,0 +1,21 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1487602422 -3600
+#      Mon Feb 20 15:53:42 2017 +0100
+# Branch wip/dueno/tstclnt-optstate
+# Node ID ec284d402a5a691e2694fe27d8ab2e95d525f5ab
+# Parent  ec6b5abc4187459458779d1e90bc8500a011eb3a
+tstclnt: use correct option spec for -W
+
+diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
+--- a/cmd/tstclnt/tstclnt.c
++++ b/cmd/tstclnt/tstclnt.c
+@@ -1509,7 +1509,7 @@ main(int argc, char **argv)
+     /* XXX: 'B' was used in the past but removed in 3.28,
+      *      please leave some time before resuing it. */
+     optstate = PL_CreateOptState(argc, argv,
+-                                 "46A:CDFGHI:KL:M:OR:STUV:WYZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
++                                 "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
+     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+         switch (optstate->option) {
+             case '?':
diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch
index f9564df..7334c80 100644
--- a/SOURCES/p-ignore-setpolicy.patch
+++ b/SOURCES/p-ignore-setpolicy.patch
@@ -1,17 +1,16 @@
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
---- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -1364,25 +1364,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
-         rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
-     }
-     return rv;
- }
- 
+diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy	2017-01-13 17:10:36.049530395 +0100
++++ nss/lib/ssl/sslsock.c	2017-01-13 17:10:36.053530297 +0100
+@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
  SECStatus
  NSS_SetDomesticPolicy(void)
  {
--    SECStatus      status = SECSuccess;
+-    SECStatus status = SECSuccess;
      const PRUint16 *cipher;
+     SECStatus rv;
+     PRUint32 policy;
+@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void)
+     }
  
      for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
 -        status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
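Review bot: With `status` removed from NSS_SetDomesticPolicy, a failing `SSL_SetPolicy(*cipher, SSL_ALLOWED)` is no longer reported to the caller, and the patch has no header saying why that is acceptable. The lines that replace the assignment and the return fall between this hunk and the next, so the exact new behaviour cannot be confirmed from here. If the function now always reports success, a caller cannot tell that a suite was left without policy. I would add a description at the top of the patch, for example `# Ignore per-suite SSL_SetPolicy failures in NSS_SetDomesticPolicy; see rhbz#1026677`, so the deviation from upstream error handling is recorded next to the code.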
@@ -24,8 +23,3 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
  }
  
  SECStatus
- NSS_SetExportPolicy(void)
- {
-     return NSS_SetDomesticPolicy();
- }
-
diff --git a/SOURCES/race.patch b/SOURCES/race.patch
index f83a7f9..3ffb787 100644
--- a/SOURCES/race.patch
+++ b/SOURCES/race.patch
@@ -1,55 +1,43 @@
-diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
---- a/lib/pk11wrap/pk11util.c
-+++ b/lib/pk11wrap/pk11util.c
-@@ -1258,53 +1258,62 @@ SECMOD_HasRemovableSlots(SECMODModule *m
-     return ret;
- }
- 
- /*
-  * helper function to actually create and destroy user defined slots
+diff -up nss/lib/pk11wrap/pk11util.c.race nss/lib/pk11wrap/pk11util.c
+--- nss/lib/pk11wrap/pk11util.c.race	2017-01-13 17:43:25.829686952 +0100
++++ nss/lib/pk11wrap/pk11util.c	2017-01-13 17:47:56.374041802 +0100
+@@ -1297,7 +1297,7 @@ SECMOD_HasRemovableSlots(SECMODModule *m
   */
  static SECStatus
- secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass, 
--		const char *sendSpec)
-+		const char *sendSpec, PRBool needlock)
+ secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass,
+-                const char *sendSpec)
++                const char *sendSpec, PRBool needlock)
  {
      CK_OBJECT_HANDLE dummy;
-     CK_ATTRIBUTE template[2] ;
-     CK_ATTRIBUTE *attrs = template;
-     CK_RV crv;
- 
-     PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++;
-     PK11_SETATTRS(attrs, CKA_NETSCAPE_MODULE_SPEC , (unsigned char *)sendSpec,
- 					 strlen(sendSpec)+1); attrs++;
- 
-     PORT_Assert(attrs-template <= 2);
+     CK_ATTRIBUTE template[2];
+@@ -1312,16 +1312,16 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O
  
+     PORT_Assert(attrs - template <= 2);
  
 -    PK11_EnterSlotMonitor(slot);
 +    if (needlock) PK11_EnterSlotMonitor(slot);
      crv = PK11_CreateNewObject(slot, slot->session,
- 	template, attrs-template, PR_FALSE, &dummy);
+                                template, attrs - template, PR_FALSE, &dummy);
 -    PK11_ExitSlotMonitor(slot);
 +    if (needlock) PK11_ExitSlotMonitor(slot);
  
      if (crv != CKR_OK) {
- 	PORT_SetError(PK11_MapError(crv));
- 	return SECFailure;
+         PORT_SetError(PK11_MapError(crv));
+         return SECFailure;
      }
 -    return SECMOD_UpdateSlotList(slot->module);
 +    return SECSuccess;
  }
  
  /*
-  * return true if the selected slot ID is not present or doesn't exist
-  */
+@@ -1330,11 +1330,20 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O
  static PRBool
- secmod_SlotIsEmpty(SECMODModule *mod,  CK_SLOT_ID slotID)
+ secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID)
  {
 -    PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, slotID);
 +    PK11SlotInfo *slot = SECMOD_FindSlotByID(mod, slotID);
      if (slot) {
--	PRBool present = PK11_IsPresent(slot);
+-        PRBool present = PK11_IsPresent(slot);
 +	CK_SLOT_INFO slotInfo;
 +	CK_RV crv;
 +	/* check if the slot is present, skip any slot reinit stuff,
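Review bot: The new `needlock` parameter of secmod_UserDBOp makes taking the slot monitor optional, but nothing in the patch documents when a caller may pass PR_FALSE. The only hint is the comment added in secmod_SlotIsEmpty, which says the module refLock is the same as the slot sessionLock when the module is not thread safe. The argument that SECMOD_OpenNewSlot passes sits outside the visible hunks. I would extend the function's header comment with something like `* needlock: PR_FALSE only if the caller already holds the lock guarding slot->session`, and brace the two one-line `if (needlock)` statements to match the braced `if` blocks around them.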
@@ -58,63 +46,52 @@ diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
 +	 * holding the module refLock, which is the same as the slot 
 +	 * sessionLock if the module isn't thread safe. */
 +	crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo);
- 	PK11_FreeSlot(slot);
--	if (present) {
+         PK11_FreeSlot(slot);
+-        if (present) {
 +	if ((crv == CKR_OK) && 
 +		((slotInfo.flags & CKF_TOKEN_PRESENT) == CKF_TOKEN_PRESENT)) {
 +	    /* slot is present, so it's not empty */
- 	    return PR_FALSE;
- 	}
+             return PR_FALSE;
+         }
      }
-     /* it doesn't exist or isn't present, it's available */
-     return PR_TRUE;
- }
- 
- /*
-@@ -1350,52 +1359,67 @@ PK11SlotInfo *
- SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec)
- {
-     CK_SLOT_ID slotID = 0;
-     PK11SlotInfo *slot;
-     char *escSpec;
+@@ -1390,24 +1399,29 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co
      char *sendSpec;
      SECStatus rv;
  
 +    PZ_Lock(mod->refLock);   /* don't reuse a slot on the fly */
      slotID = secmod_FindFreeSlot(mod);
-     if (slotID == (CK_SLOT_ID) -1) {
+     if (slotID == (CK_SLOT_ID)-1) {
 +	PZ_Unlock(mod->refLock);
- 	return NULL;
+         return NULL;
      }
  
      if (mod->slotCount == 0) {
 +	PZ_Unlock(mod->refLock);
- 	return NULL;
+         return NULL;
      }
  
      /* just grab the first slot in the module, any present slot should work */
      slot = PK11_ReferenceSlot(mod->slots[0]);
      if (slot == NULL) {
 +	PZ_Unlock(mod->refLock);
- 	return NULL;
+         return NULL;
      }
  
      /* we've found the slot, now build the moduleSpec */
      escSpec = NSSUTIL_DoubleEscape(moduleSpec, '>', ']');
      if (escSpec == NULL) {
 +	PZ_Unlock(mod->refLock);
- 	PK11_FreeSlot(slot);
- 	return NULL;
+         PK11_FreeSlot(slot);
+         return NULL;
      }
-     sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec);
-     PORT_Free(escSpec);
+@@ -1416,16 +1430,26 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co
  
      if (sendSpec == NULL) {
- 	/* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */
+         /* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */
 +	PZ_Unlock(mod->refLock);
- 	PK11_FreeSlot(slot);
- 	PORT_SetError(SEC_ERROR_NO_MEMORY);
- 	return NULL;
+         PK11_FreeSlot(slot);
+         PORT_SetError(SEC_ERROR_NO_MEMORY);
+         return NULL;
      }
 -    rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec);
 +    rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec, 
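Review bot: SECMOD_OpenNewSlot now takes `mod->refLock` at the top and releases it by hand on each early return, with five `PZ_Unlock(mod->refLock)` calls in this hunk alone. A return added later without the unlock would leave the module lock held. A comment at the lock site would make the invariant explicit, for example `/* refLock is held from here on: every return before the final unlock must release it */`. The added lines are also tab-indented while the refreshed context uses spaces. The function continues past the end of this hunk, where the final release presumably happens.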
@@ -126,7 +103,7 @@ diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
      PR_smprintf_free(sendSpec);
      PK11_FreeSlot(slot);
      if (rv != SECSuccess) {
- 	return NULL;
+         return NULL;
      }
 +    rv = SECMOD_UpdateSlotList(mod); /* don't call holding the mod->reflock */
 +    if (rv != SECSuccess) {
@@ -135,27 +112,12 @@ diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
  
      slot = SECMOD_FindSlotByID(mod, slotID);
      if (slot) {
- 	/* if we are in the delay period for the "isPresent" call, reset
- 	 * the delay since we know things have probably changed... */
- 	if (slot->nssToken && slot->nssToken->slot) {
- 	    nssSlot_ResetDelay(slot->nssToken->slot);
- 	}
-@@ -1488,17 +1512,17 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot)
-     char *sendSpec;
-     
-     sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID);
-     if (sendSpec == NULL) {
- 	/* PR_smprintf does not set no memory error */
- 	PORT_SetError(SEC_ERROR_NO_MEMORY);
- 	return SECFailure;
+@@ -1558,7 +1582,7 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot)
+         PORT_SetError(SEC_ERROR_NO_MEMORY);
+         return SECFailure;
      }
 -    rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec);
 +    rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec, PR_TRUE);
      PR_smprintf_free(sendSpec);
      /* if we are in the delay period for the "isPresent" call, reset
       * the delay since we know things have probably changed... */
-     if (slot->nssToken && slot->nssToken->slot) {
- 	nssSlot_ResetDelay(slot->nssToken->slot);
- 	/* force the slot info structures to properly reset */
- 	(void)PK11_IsPresent(slot);
-     }
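Review bot: SECMOD_CloseUserDB appears to lose its slot-list refresh. secmod_UserDBOp used to end with `return SECMOD_UpdateSlotList(slot->module);` and now returns SECSuccess. SECMOD_OpenNewSlot gained its own `SECMOD_UpdateSlotList(mod)` call, but the lines shown after the DELSLOT call here contain none. If that is intended, a comment at the call should say so; otherwise add `if (rv == SECSuccess) rv = SECMOD_UpdateSlotList(slot->module);` after `PR_smprintf_free(sendSpec);`. The rest of SECMOD_CloseUserDB lies outside the hunk, so this needs checking against the full function.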
diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch
index c55a1a2..ca92f83 100644
--- a/SOURCES/renegotiate-transitional.patch
+++ b/SOURCES/renegotiate-transitional.patch
@@ -1,12 +1,12 @@
 diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.transitional	2013-05-30 22:10:54.882675807 -0700
-+++ nss/lib/ssl/sslsock.c	2013-05-30 22:12:11.909260024 -0700
-@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,   /* noLocks            */
-     PR_FALSE,   /* enableSessionTickets */
-     PR_FALSE,   /* enableDeflate      */
--    2,          /* enableRenegotiation (default: requires extension) */
-+    3,          /* enableRenegotiation (default: transitional) */
-     PR_FALSE,   /* requireSafeNegotiation */
-     PR_FALSE,   /* enableFalseStart   */
-     PR_TRUE,    /* cbcRandomIV        */
+--- nss/lib/ssl/sslsock.c.transitional	2016-08-15 17:57:58.146879056 +0200
++++ nss/lib/ssl/sslsock.c	2016-08-15 17:58:02.365758224 +0200
+@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,              /* noLocks            */
+     PR_FALSE,              /* enableSessionTickets */
+     PR_FALSE,              /* enableDeflate      */
+-    2,                     /* enableRenegotiation (default: requires extension) */
++    3,                     /* enableRenegotiation (default: transitional) */
+     PR_FALSE,              /* requireSafeNegotiation */
+     PR_FALSE,              /* enableFalseStart   */
+     PR_TRUE,               /* cbcRandomIV        */
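Review bot: The default for `enableRenegotiation` is written as the bare number `3`, and the only record that it differs from the upstream default of `2` (requires extension) is the short trailing comment. Writing it as `SSL_RENEGOTIATE_TRANSITIONAL, /* enableRenegotiation (downstream default; upstream requires the extension) */` keeps the setting readable. In transitional mode clients may still renegotiate with servers that do not support the renegotiation-info extension, so a header line in the patch should state why the distribution keeps the more permissive mode. The `ssl_defaults` initializer starts and ends outside the hunk.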
diff --git a/SOURCES/rh1238290.patch b/SOURCES/rh1238290.patch
deleted file mode 100644
index 49a9b5d..0000000
--- a/SOURCES/rh1238290.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- ./lib/cryptohi/seckey.c.1238290	2015-11-08 21:12:59.000000000 -0800
-+++ ./lib/cryptohi/seckey.c	2016-02-16 10:07:20.956930721 -0800
-@@ -993,20 +993,20 @@
-     }
- 
-     /* interpret modulus length as key strength */
-     switch (pubk->keyType) {
-     case rsaKey:
-         bitSize = SECKEY_BigIntegerBitLength(&pubk->u.rsa.modulus);
-         break;
-     case dsaKey:
--        bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.publicValue);
-+        bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.params.prime);
-         break;
-     case dhKey:
--        bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.publicValue);
-+        bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.prime);
-         break;
-     case ecKey:
-         bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
-         break;
-     default:
-         PORT_SetError(SEC_ERROR_INVALID_KEY);
-         break;
-     }
diff --git a/SOURCES/ssl-server-min-key-sizes.patch b/SOURCES/ssl-server-min-key-sizes.patch
index fbb4215..e66e8cb 100644
--- a/SOURCES/ssl-server-min-key-sizes.patch
+++ b/SOURCES/ssl-server-min-key-sizes.patch
@@ -1,84 +1,22 @@
-diff --git a/lib/nss/nssoptions.h b/lib/nss/nssoptions.h
---- a/lib/nss/nssoptions.h
-+++ b/lib/nss/nssoptions.h
-@@ -11,11 +11,11 @@
-  * file into NSS proper */
- 
- /* The minimum server key sizes accepted by the clients.
-  * Not 1024 to be conservative. */
- #define SSL_RSA_MIN_MODULUS_BITS 1023
+diff -up nss/lib/nss/nssoptions.h.min_key_sizes nss/lib/nss/nssoptions.h
+--- nss/lib/nss/nssoptions.h.min_key_sizes	2017-02-20 16:42:23.456894585 +0100
++++ nss/lib/nss/nssoptions.h	2017-02-20 16:43:02.687942525 +0100
+@@ -16,5 +16,5 @@
  /* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
   * only 1023 bits and similar.  We don't have good data on whether this
   * happens because NSS used to count bit lengths incorrectly. */
 -#define SSL_DH_MIN_P_BITS 1023
 +#define SSL_DH_MIN_P_BITS 768
  #define SSL_DSA_MIN_P_BITS 1023
- 
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -6950,17 +6950,17 @@ ssl3_HandleServerKeyExchange(sslSocket *
- 	    goto loser;		/* malformed. */
- 	}
- 
- 	rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
- 	if (rv != SECSuccess) {
-             minDH = SSL_DH_MIN_P_BITS;
- 	}
-         dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
--        if (dh_p_bits < minDH) {
-+        if (dh_p_bits < SSL_DH_MIN_P_BITS) {
- 	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
- 	    goto alert_loser;
- 	}
-     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
-     	if (rv != SECSuccess) {
- 	    goto loser;		/* malformed. */
- 	}
-         /* Abort if dh_g is 0, 1, or obviously too big. */
-diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
---- a/lib/ssl/sslimpl.h
-+++ b/lib/ssl/sslimpl.h
-@@ -24,16 +24,17 @@
- #include "nssilock.h"
- #include "pkcs11t.h"
- #if defined(XP_UNIX) || defined(XP_BEOS)
- #include "unistd.h"
- #endif
- #include "nssrwlk.h"
- #include "prthread.h"
- #include "prclist.h"
-+#include "nssoptions.h" /* defines SSL_DH_MIN_P_BITS 768 */
- 
- #include "sslt.h" /* for some formerly private types, now public */
- 
- /* to make some of these old enums public without namespace pollution,
- ** it was necessary to prepend ssl_ to the names.
- ** These #defines preserve compatibility with the old code here in libssl.
- */
- typedef SSLKEAType      SSL3KEAType;
-@@ -149,16 +150,24 @@ typedef enum { SSLAppOpRead = 0,
- #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
- 
- #ifndef BPB
- #define BPB 8 /* Bits Per Byte */
- #endif
- 
- #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
- 
-+/* The minimum server key sizes accepted by the clients.
-+ * Not 1024 to be conservative. */
-+#define SSL_RSA_MIN_MODULUS_BITS 1023
-+/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
-+ * only 1023 bits and similar.  We don't have good data on whether this
-+ * happens because NSS used to count bit lengths incorrectly. */
-+#define SSL_DSA_MIN_P_BITS 1023
-+
- #define INITIAL_DTLS_TIMEOUT_MS   1000  /* Default value from RFC 4347 = 1s*/
- #define MAX_DTLS_TIMEOUT_MS      60000  /* 1 minute */
- #define DTLS_FINISHED_TIMER_MS  120000  /* Time to wait in FINISHED state */
- 
- typedef struct sslBufferStr             sslBuffer;
- typedef struct sslConnectInfoStr        sslConnectInfo;
- typedef struct sslGatherStr             sslGather;
- typedef struct sslSecurityInfoStr       sslSecurityInfo;
+diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.min_key_sizes	2017-02-20 16:42:23.459894513 +0100
++++ nss/lib/ssl/ssl3con.c	2017-02-20 16:43:42.744970411 +0100
+@@ -7093,7 +7093,7 @@ ssl_HandleDHServerKeyExchange(sslSocket
+         minDH = SSL_DH_MIN_P_BITS;
+     }
+     dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
+-    if (dh_p_bits < minDH) {
++    if (dh_p_bits < SSL_DH_MIN_P_BITS) {
+         errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
+         goto alert_loser;
+     }
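Review bot: The comparison `dh_p_bits < SSL_DH_MIN_P_BITS` bypasses the `minDH` value obtained just above from NSS_OptionGet(NSS_DH_MIN_KEY_SIZE); that lookup is visible in the older copy of this patch. A stricter minimum configured at run time would therefore no longer apply when the client checks the server's DH prime. Together with lowering the define to 768, this makes 768-bit ephemeral DH groups acceptable regardless of configuration. If the lower floor is needed for compatibility, keep `if (dh_p_bits < minDH) {` and lower only the default, so the option can still raise the limit. The comment above the define still explains the value 1023 and should be updated; ssl_HandleDHServerKeyExchange continues outside the hunk.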
diff --git a/SOURCES/sslauth-no-v2.patch b/SOURCES/sslauth-no-v2.patch
deleted file mode 100644
index 3aab27a..0000000
--- a/SOURCES/sslauth-no-v2.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt
---- a/tests/ssl/sslauth.txt
-+++ b/tests/ssl/sslauth.txt
-@@ -3,28 +3,28 @@
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
- #
- # This file defines the tests for client auth.
- #
- #        expected
- # Enable  return  server     client                         Test Case name
- #  ECC     value  params     params
- # ------- ------  ------     ------                         ---------------
--  noECC     0       -r           -w_nss_-n_none           TLS Request don't require client auth (client does not provide auth)
--  noECC     0       -r           -w_bogus_-n_TestUser     TLS Request don't require client auth (bad password)
--  noECC     0       -r           -w_nss_-n_TestUser       TLS Request don't require client auth (client auth)
--  noECC    254      -r_-r        -w_nss_-n_none           TLS Require client auth (client does not provide auth)
--  noECC    254      -r_-r        -w_bogus_-n_TestUser     TLS Require client auth (bad password)
--  noECC     0       -r_-r        -w_nss_-n_TestUser_      TLS Require client auth (client auth)
--  noECC     0       -r           -V_:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
--  noECC     0       -r           -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
--  noECC     0       -r           -V_:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
--  noECC    254      -r_-r        -V_:ssl3_-w_nss_-n_none        SSL3 Require client auth (client does not provide auth)
--  noECC    254      -r_-r        -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Require client auth (bad password)
--  noECC     0       -r_-r        -V_:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
-+  noECC     0       -r           -V_ssl3:_-w_nss_-n_none           TLS Request don't require client auth (client does not provide auth)
-+  noECC     0       -r           -V_ssl3:_-w_bogus_-n_TestUser     TLS Request don't require client auth (bad password)
-+  noECC     0       -r           -V_ssl3:_-w_nss_-n_TestUser       TLS Request don't require client auth (client auth)
-+  noECC    254      -r_-r        -V_ssl3:_-w_nss_-n_none           TLS Require client auth (client does not provide auth)
-+  noECC    254      -r_-r        -V_ssl3:_-w_bogus_-n_TestUser     TLS Require client auth (bad password)
-+  noECC     0       -r_-r        -V_ssl3:_-w_nss_-n_TestUser_      TLS Require client auth (client auth)
-+  noECC     0       -r           -V_ssl3:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
-+  noECC     0       -r           -V_ssl3:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
-+  noECC     0       -r           -V_ssl3:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
-+  noECC    254      -r_-r        -V_ssl3:ssl3_-w_nss_-n_none        SSL3 Require client auth (client does not provide auth)
-+  noECC    254      -r_-r        -V_ssl3:ssl3_-n_TestUser_-w_bogus  SSL3 Require client auth (bad password)
-+  noECC     0       -r_-r        -V_ssl3:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_none        TLS Request don't require client auth on 2nd hs (client does not provide auth)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_bogus_-n_TestUser  TLS Request don't require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_TestUser    TLS Request don't require client auth on 2nd hs (client auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:_-w_nss_-n_none        TLS Require client auth on 2nd hs (client does not provide auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:_-w_bogus_-n_TestUser  TLS Require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r_-r  -V_ssl3:_-w_nss_-n_TestUser    TLS Require client auth on 2nd hs (client auth)
-   noECC     0       -r_-r_-r     -V_ssl3:tls1.0_-w_nss_-n_none        TLS 1.0 Request don't require client auth on 2nd hs (client does not provide auth)
-   noECC     0       -r_-r_-r     -V_ssl3:tls1.0_-w_bogus_-n_TestUser  TLS 1.0 Request don't require client auth on 2nd hs (bad password)
-@@ -36,24 +36,24 @@
-   noECC     0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Require client auth on 2nd hs (client does not provide auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
- #
- # Use EC cert for client authentication
- #
--   ECC      0       -r           -w_bogus_-n_TestUser-ec     TLS Request don't require client auth (EC) (bad password)
--   ECC      0       -r           -w_nss_-n_TestUser-ec       TLS Request don't require client auth (EC) (client auth)
--   ECC     254      -r_-r        -w_bogus_-n_TestUser-ec     TLS Require client auth (EC) (bad password)
--   ECC      0       -r_-r        -w_nss_-n_TestUser-ec_      TLS Require client auth (EC) (client auth)
--   ECC      0       -r           -V_:ssl3_-n_TestUser-ec_-w_bogus  SSL3 Request don't require client auth (EC) (bad password)
--   ECC      0       -r           -V_:ssl3_-n_TestUser-ec_-w_nss    SSL3 Request don't require client auth (EC) (client auth)
--   ECC     254      -r_-r        -V_:ssl3_-n_TestUser-ec_-w_bogus  SSL3 Require client auth (EC) (bad password)
--   ECC      0       -r_-r        -V_:ssl3_-n_TestUser-ec_-w_nss    SSL3 Require client auth (EC) (client auth)
-+   ECC      0       -r           -V_ssl3:_-w_bogus_-n_TestUser-ec     TLS Request don't require client auth (EC) (bad password)
-+   ECC      0       -r           -V_ssl3:_-w_nss_-n_TestUser-ec       TLS Request don't require client auth (EC) (client auth)
-+   ECC     254      -r_-r        -V_ssl3:_-w_bogus_-n_TestUser-ec     TLS Require client auth (EC) (bad password)
-+   ECC      0       -r_-r        -V_ssl3:_-w_nss_-n_TestUser-ec_      TLS Require client auth (EC) (client auth)
-+   ECC      0       -r           -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus  SSL3 Request don't require client auth (EC) (bad password)
-+   ECC      0       -r           -V_ssl3:ssl3_-n_TestUser-ec_-w_nss    SSL3 Request don't require client auth (EC) (client auth)
-+   ECC     254      -r_-r        -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus  SSL3 Require client auth (EC) (bad password)
-+   ECC      0       -r_-r        -V_ssl3:ssl3_-n_TestUser-ec_-w_nss    SSL3 Require client auth (EC) (client auth)
-    ECC      0       -r_-r_-r     -V_ssl3:_-w_bogus_-n_TestUser-ec  TLS Request don't require client auth on 2nd hs (EC) (bad password)
-    ECC      0       -r_-r_-r     -V_ssl3:_-w_nss_-n_TestUser-ec    TLS Request don't require client auth on 2nd hs (EC) (client auth)
-    ECC      1       -r_-r_-r_-r  -V_ssl3:_-w_bogus_-n_TestUser-ec  TLS Require client auth on 2nd hs (EC) (bad password)
-    ECC      0       -r_-r_-r_-r  -V_ssl3:_-w_nss_-n_TestUser-ec_   TLS Require client auth on 2nd hs (EC) (client auth)
-    ECC      0       -r_-r_-r     -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec  TLS 1.0 Request don't require client auth on 2nd hs (EC) (bad password)
-    ECC      0       -r_-r_-r     -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec    TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
-    ECC      1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec  TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
-    ECC      0       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_   TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
diff --git a/SOURCES/tests-extra.patch b/SOURCES/tests-extra.patch
deleted file mode 100644
index 662a2fb..0000000
--- a/SOURCES/tests-extra.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -up ./tests/ssl/sslcov.txt.extra ./tests/ssl/sslcov.txt
---- ./tests/ssl/sslcov.txt.extra	2016-02-18 19:03:02.168464819 -0500
-+++ ./tests/ssl/sslcov.txt	2016-02-18 19:07:07.831906435 -0500
-@@ -35,6 +35,9 @@
-   noECC  SSL3   v    SSL3_RSA_WITH_AES_128_CBC_SHA
-   noECC  SSL3   y    SSL3_RSA_WITH_AES_256_CBC_SHA
-   noECC  SSL3   z    SSL3_RSA_WITH_NULL_SHA
-+  noECC  TLS12 :009F  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-+  noECC  TLS12 :00A3  TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
-+  noECC  TLS12 :009D  TLS_RSA_WITH_AES_256_GCM_SHA384
- #  noECC  SSL3  :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- #  noECC  SSL3  :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- #
-@@ -167,6 +170,10 @@
-    ECC   TLS12  :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
-    ECC   TLS12  :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
-    ECC   TLS12  :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-+   ECC   TLS12  :C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-    ECC   TLS12  :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-+   ECC   TLS12  :C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-    ECC   TLS12  :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-+   ECC   TLS12  :C02C TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384
-    ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-+   ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA384
-diff -up ./tests/ssl/ssl.sh.extra ./tests/ssl/ssl.sh
-diff -up ./tests/ssl/sslstress.txt.extra ./tests/ssl/sslstress.txt
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 8ac83a5..7c243ed 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,6 +1,6 @@
-%global nspr_version 4.11.0
-%global nss_util_version 3.21.0
-%global nss_util_build -2.2
+%global nspr_version 4.13.1
+%global nss_util_version 3.28.2
+%global nss_util_build -1.1
 # adjust to the version that gets submitted for FIPS validation
 %global nss_softokn_fips_version 3.16.2
 %global nss_softokn_version 3.16.2.3
@@ -26,8 +26,8 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.21.3
-Release:          2%{?dist}
+Version:          3.28.2
+Release:          1.6%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -51,8 +51,11 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl
 
-%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
-%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
+%if %{defined nss_ckbi_suffix}
+%define full_nss_version %{version}%{nss_ckbi_suffix}
+%else
+%define full_nss_version %{version}
+%endif
 
 Source0:          %{name}-%{full_nss_version}.tar.gz
 Source1:          nss.pc.in
@@ -110,7 +113,6 @@ Patch50:          iquote.patch
 Patch51:          pem-compile-with-Werror.patch
 Patch52:          Bug-1001841-disable-sslv2-libssl.patch
 Patch53:          Bug-1001841-disable-sslv2-tests.patch
-Patch54:          sslauth-no-v2.patch
 Patch55:          enable-fips-when-system-is-in-fips-mode.patch
 # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
 Patch56:          p-ignore-setpolicy.patch
@@ -122,47 +124,36 @@ Patch74: race.patch
 Patch94: nss-3.16-token-init-race.patch
 Patch99: ssl-server-min-key-sizes.patch
 Patch100: fix-min-library-version-in-SSLVersionRange.patch
-# Add support for sha384 tls cipher suites, dss cipher suites, and
-# server-side dhe key exchange
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-Patch101: dhe-sha384-dss-support.patch
-# TODO: From upstream review: For the client authentication case, should
-# probably drop our hack of swapping between sha256 and sha384 and plan
-# on implementing the fix we already have a patch for. What is that fix?
-Patch102: client_auth_for_sha384_prf_support.patch
-Patch103: nss-fix-client-auth-init-hashes.patch
-Patch104: nss-map-oid-to-hashalg.patch
-Patch105: nss-remove-bogus-assert.patch
 Patch106: nss-old-pkcs11-num.patch
-Patch107: nss-enable-384-cipher-tests.patch
 Patch108: nss-sni-c-v-fix.patch
-Patch109: nss-fix-signature-and-hash.patch
-Patch110: nss-sslstress-txt-ssl3-lower-value-in-range.patch
-
-# Enable by default two additional ciphers and fix order of two tables 
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1211403
-Patch112: rh1238290.patch
 # Local: keep as long nss-softokn lacks support
 Patch113: disable-extended-master-secret-with-old-softoken.patch
-# extra tests needed
-Patch114: tests-extra.patch
 Patch115: nss-prevent-abi-issue.patch
 Patch116: nss-tests-prevent-abi-issue.patch
-Patch117: fix-nss-test-filtering.patch
-Patch118: fix-allowed-sig-alg.patch
-Patch119: nss-ssl-delete-duplicates.patch
-Patch120: fix-reuse-of-session-cache-entry.patch
-Patch121: flexible-certverify.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1298692
 Patch122: disable-ems-gtests.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1317691
-Patch123: call-restartmodules-in-nssinit.patch
-# CVE-2016-8635
-Patch124: moz-1314604.patch
+Patch123: nss-skip-util-gtest.patch
+# Disable X25519 and ChaCha20, until nss-softokn is rebased
+Patch124: nss-disable-curve25519.patch
+Patch126: nss-reorder-cipher-suites.patch
+Patch127: nss-disable-cipher-suites.patch
+Patch128: nss-enable-cipher-suites.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1320932
+Patch129: moz-1320932.patch
+# Disable RSA-PSS until we get a new nss-softokn (taken from RHEL-6
+# for rhbz#1390161)
+Patch130: disable-pss.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1340103
+Patch131: nss-ecpoint-encoding.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054
+Patch132: nss-tstclnt-optspec.patch
+Patch200: nss-disable-curve25519-gtests.patch
+Patch201: nss-disable-curve25519-tests.patch
+Patch202: nss-disable-chacha20-gtests.patch
+Patch203: nss-disable-chacha20-tests.patch
+Patch204: nss-disable-pss-gtests.patch
+Patch205: nss-disable-unsupported-gtests.patch
+Patch206: nss-disable-unsupported-tests.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
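Review bot: Patch124 changes meaning in this hunk: it was `moz-1314604.patch`, annotated CVE-2016-8635, and is now `nss-disable-curve25519.patch`. Nothing here records that the CVE fix is carried by the rebased source. Presumably the 3.28.2 tarball already contains it, but that should be stated, for example `# CVE-2016-8635 (moz-1314604.patch): dropped, included in the rebased upstream source`, and only after confirming it against the upstream tree. Patch126 to Patch128, which reorder, disable and enable cipher suites, also have no comment or bug reference, unlike their neighbours.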
@@ -245,9 +236,6 @@ low level services.
 %patch3 -p0 -b .transitional
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-pushd nss
-%patch18 -p1 -b .646045
-popd
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
@@ -258,39 +246,37 @@ popd
 pushd nss
 %patch52 -p1 -b .disableSSL2libssl
 %patch53 -p1 -b .disableSSL2tests
-%patch54 -p1 -b .sslauth-no-v2
 %patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
 %patch56 -p1 -b .1026677_ignore_set_policy
 %patch62 -p1 -b .fix_deadlock
 %patch99 -p1 -b .min_key_sizes
 %patch100 -p0 -b .1171318
-%patch101 -p1 -b .dhe_and_sha384
-%patch102 -p1 -b .client_auth_prf
-%patch112 -p1 -b .1238290
 %patch113 -p1 -b .disable-ems
-%patch114 -p1 -b .extra
 %patch115 -p1 -b .abi_lib
 %patch116 -p1 -b .abi_tests
-%patch117 -p1 -b .test-filtering
 %patch74 -p1 -b .race
 popd
 %patch94 -p0 -b .init-token-race
-%patch103 -p0 -b .fix_client_auth_crash
-%patch104 -p0 -b .use_oids
-%patch105 -p0 -b .remove_bogus_assert
 %patch106 -p0 -b .old_pkcs11_num
-%patch107 -p0 -b .enable_384_cipher_tests
 %patch108 -p0 -b .sni_c_v_fix
-%patch109 -p0 -b .fix_signature_and_hash
-%patch110 -p0 -b .no_ssl2
 pushd nss
-%patch118 -p1 -b .allowed-sig-alg
-%patch119 -p1 -b .delete_duplicates
-%patch120 -p1 -b .session_cache
-%patch121 -p1 -b .flexible_certverify
 %patch122 -p1 -b .disable_ems_gtests
-%patch123 -p1 -b .restartmodules_in_init
-%patch124 -p1 -b .moz-1314604
+%patch123 -p1 -b .skip-util-gtests
+%patch124 -p1 -b .disable-curve25519
+%patch126 -p1 -b .reorder-cipher-suites
+%patch127 -p1 -b .disable-cipher-suites
+%patch128 -p1 -b .enable-cipher-suites
+%patch129 -p1 -b .fix_ssl_sh_typo
+%patch130 -p1 -b .disable_pss
+%patch131 -p1 -b .ecpoint-encoding
+%patch132 -p1 -b .tstclnt-optspec
+%patch200 -p1 -b .disable-curve25519-gtests
+%patch201 -p1 -b .disable-curve25519-tests
+%patch202 -p1 -b .disable-chacha20-gtests
+%patch203 -p1 -b .disable-chacha20-tests
+%patch204 -p1 -b .disable-pss-gtests
+%patch205 -p1 -b .disable-unsupported-gtests
+%patch206 -p1 -b .disable-unsupported-tests
 popd
 
 #########################################################
@@ -335,9 +321,6 @@ popd
 
 export NSS_NO_SSL2=1
 
-NSS_NO_PKCS11_BYPASS=1
-export NSS_NO_PKCS11_BYPASS
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
@@ -345,11 +328,12 @@ export FREEBL_NO_DEPEND
 export BUILD_OPT=1
 
 # Uncomment to disable optimizations
-#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
-#export RPM_OPT_FLAGS
+# RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g' -e 's/ -Wp,-D_FORTIFY_SOURCE=2//g'`
+# export RPM_OPT_FLAGS
 
 # Generate symbolic info for debuggers
 XCFLAGS=$RPM_OPT_FLAGS
+
 export XCFLAGS
 
 PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
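Review bot: The comment above the commented-out `RPM_OPT_FLAGS` line still reads "Uncomment to disable optimizations", but the new sed expression also strips `-Wp,-D_FORTIFY_SOURCE=2`. That removal is needed because glibc's fortify wrappers require optimization, but it means a build with these lines enabled loses a hardening flag as well as `-O2`. I would say so in the comment so such a build is not shipped by accident, e.g. `# Uncomment for a local debug build only: drops -O2 and _FORTIFY_SOURCE hardening`.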
@@ -387,6 +371,8 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
 
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
 USE_64=1
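Review bot: The added `export NSS_ALLOW_SSLKEYLOGFILE=1` has no comment, although it changes the security posture of every consumer of the packaged library. With this build option, libssl honours the `SSLKEYLOGFILE` environment variable at run time and writes TLS session secrets to the named file, which is enough to decrypt captured traffic for those sessions. Upstream made this a build-time opt-in, so the spec should record why the package opts in, e.g. `# Debugging aid: lets SSLKEYLOGFILE dump TLS session secrets at run time; services must not inherit that variable`. It is also worth confirming that environments for privileged or long-running services using NSS are sanitised, since the hunk itself adds no runtime guard.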
@@ -398,12 +384,6 @@ export USE_64
 export IN_TREE_FREEBL_HEADERS_FIRST=1
 
 ##### phase 2: build the rest of nss
-# nss supports pluggable ecc
-NSS_ENABLE_ECC=1
-export NSS_ENABLE_ECC
-NSS_ECC_MORE_THAN_SUITE_B=1
-export NSS_ECC_MORE_THAN_SUITE_B
-
 export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
@@ -556,7 +536,7 @@ pushd ./nss/tests/
 
 #  don't need to run all the tests when testing packaging
 #  nss_cycles: standard pkix upgradedb sharedb
-%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ssl_gtests"
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
@@ -883,6 +863,54 @@ fi
 
 
 %changelog
+* Mon Feb 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.6
+- Restore ssl-server-min-key-sizes.patch
+- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
+- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
+  patch in the previous release
+- Fix crash with tstclnt -W
+
+* Fri Feb 17 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.5
+- Always enable gtests for supported features
+- Prevent ABI incompatibilty of SECKEYECPublicKey
+
+* Thu Feb 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.4
+- Add patch to fix bash syntax error in tests/ssl.sh
+- Build with support for SSLKEYLOGFILE
+- Disable the use of RSA-PSS with SSL/TLS
+
+* Wed Feb 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.3
+- Remove %%nss_cycles setting, which was also mistakenly added
+
+* Wed Feb 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.2
+- Reorder cipher suites for compatibility
+- Re-enable BUILD_OPT, mistakenly disabled in the previous build
+
+* Mon Feb 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.1
+- Remove mistakenly added R: nss-pem
+
+* Fri Feb 10 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.0
+- Rebase to NSS 3.28.2
+- Remove NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITE_B setting, which
+  is no-op now
+- Enable gtests when requested
+- Remove nss-646045.patch and fix-nss-test-filtering.patch, which are
+  not necessary
+- Remove sslauth-no-v2.patch and
+  nss-sslstress-txt-ssl3-lower-value-in-range.patch, as SSLv2 is
+  already disabled in upstream
+- Remove ssl-server-min-key-sizes.patch, as we decided to support DH
+  key size greater than 1023 bits
+- Remove local patches for SHA384 cipher suites (now supported in
+  upstream): dhe-sha384-dss-support.patch,
+  client_auth_for_sha384_prf_support.patch,
+  nss-fix-client-auth-init-hashes.patch, nss-map-oid-to-hashalg.patch,
+  nss-enable-384-cipher-tests.patch, nss-fix-signature-and-hash.patch,
+  fix-allowed-sig-alg.patch, tests-extra.patch
+- Remove upstreamed patches: rh1238290.patch,
+  fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch,
+  call-restartmodules-in-nssinit.patch
+
 * Tue Nov 08 2016 Kai Engert <kaie@redhat.com> - 3.21.3-2
 - Mozilla #1314604 / Red Hat CVE-2016-8635