diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
index 6ed54ef..6690a46 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -92,200 +92,3 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
# default in libssl but it is enabled by default in tstclnt; we want
# to test the libssl default whenever possible.
-diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt
-new file mode 100644
---- /dev/null
-+++ b/tests/ssl/sslcov.noSSL2orExport.txt
-@@ -0,0 +1,134 @@
-+# This Source Code Form is subject to the terms of the Mozilla Public
-+# License, v. 2.0. If a copy of the MPL was not distributed with this
-+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+#
-+# This file enables test coverage of the various SSL ciphers
-+#
-+# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
-+# mix up the enable functions so we can tests boths paths.
-+#
-+# Enable Enable Cipher Test Name
-+# EC TLS
-+#
-+#
-+ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5
-+ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA
-+ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA
-+ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5
-+ noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
-+ noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA
-+ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA
-+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
-+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
-+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
-+# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
-+# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
-+#
-+ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5
-+ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA
-+ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA
-+ noECC TLS10 i TLS_RSA_WITH_NULL_MD5
-+ noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
-+ noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA
-+ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA
-+ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA
-+ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA
-+ noECC TLS10 z TLS_RSA_WITH_NULL_SHA
-+# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
-+# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
-+#
-+#
-+ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5
-+ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA
-+ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA
-+ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5
-+ noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
-+ noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA
-+ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA
-+ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA
-+ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA
-+ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA
-+#
-+ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5
-+ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA
-+ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA
-+ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5
-+ noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
-+ noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA
-+ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA
-+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
-+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
-+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
-+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
-+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
-+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
-+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
-+#
-+# ECC ciphers (TLS)
-+#
-+ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
-+ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
-+ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-+ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-+ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
-+ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
-+ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-+ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-+ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA
-+ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
-+ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
-+ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
-+ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
-+ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
-+ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-+ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-+#
-+ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA
-+ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA
-+ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-+ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-+ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA
-+ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA
-+ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-+ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-+ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA
-+ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA
-+ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA
-+ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA
-+ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA
-+ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA
-+ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA
-+ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA
-+#
-+ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA
-+ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA
-+ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-+ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-+ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA
-+ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA
-+ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-+ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-+ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA
-+ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA
-+ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
-+ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
-+ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
-+ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
-+ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
-+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
-+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt
-new file mode 100644
---- /dev/null
-+++ b/tests/ssl/sslstress.noSSL2orExport.txt
-@@ -0,0 +1,53 @@
-+# This Source Code Form is subject to the terms of the Mozilla Public
-+# License, v. 2.0. If a copy of the MPL was not distributed with this
-+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+#
-+# This file defines the stress tests for SSL/TLS.
-+#
-+# expected
-+# Enable return server client Test Case name
-+# ECC value params params
-+# ------- ------ ------ ------ ---------------
-+ noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
-+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
-+ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
-+ noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
-+ noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
-+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
-+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
-+ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
-+
-+#
-+# add client auth versions here...
-+#
-+ noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
-+ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
-+ noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
-+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
-+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
-+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
-+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
-+ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
-+ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
-+
-+#
-+# ############################ ECC ciphers ############################
-+#
-+ ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
-+ ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse)
-+ ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse)
-+ ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
-+ ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
-+ ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
-+ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256
-+ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM
-+ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket)
-+#
-+# add client auth versions here...
-+#
-+ ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
-+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
-+ ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
-+ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
-+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
-+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
diff --git a/SOURCES/dhe-sha384-dss-support.patch b/SOURCES/dhe-sha384-dss-support.patch
new file mode 100644
index 0000000..3474df4
--- /dev/null
+++ b/SOURCES/dhe-sha384-dss-support.patch
@@ -0,0 +1,3215 @@
+diff -up ./cmd/certutil/keystuff.c.dhe_and_sha384 ./cmd/certutil/keystuff.c
+--- ./cmd/certutil/keystuff.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./cmd/certutil/keystuff.c 2015-06-24 23:06:00.450872604 +0200
+@@ -133,64 +133,92 @@ UpdateRNG(void)
+ }
+
+ static const unsigned char P[] = { 0,
+- 0x98, 0xef, 0x3a, 0xae, 0x70, 0x98, 0x9b, 0x44,
+- 0xdb, 0x35, 0x86, 0xc1, 0xb6, 0xc2, 0x47, 0x7c,
+- 0xb4, 0xff, 0x99, 0xe8, 0xae, 0x44, 0xf2, 0xeb,
+- 0xc3, 0xbe, 0x23, 0x0f, 0x65, 0xd0, 0x4c, 0x04,
+- 0x82, 0x90, 0xa7, 0x9d, 0x4a, 0xc8, 0x93, 0x7f,
+- 0x41, 0xdf, 0xf8, 0x80, 0x6b, 0x0b, 0x68, 0x7f,
+- 0xaf, 0xe4, 0xa8, 0xb5, 0xb2, 0x99, 0xc3, 0x69,
+- 0xfb, 0x3f, 0xe7, 0x1b, 0xd0, 0x0f, 0xa9, 0x7a,
+- 0x4a, 0x04, 0xbf, 0x50, 0x9e, 0x22, 0x33, 0xb8,
+- 0x89, 0x53, 0x24, 0x10, 0xf9, 0x68, 0x77, 0xad,
+- 0xaf, 0x10, 0x68, 0xb8, 0xd3, 0x68, 0x5d, 0xa3,
+- 0xc3, 0xeb, 0x72, 0x3b, 0xa0, 0x0b, 0x73, 0x65,
+- 0xc5, 0xd1, 0xfa, 0x8c, 0xc0, 0x7d, 0xaa, 0x52,
+- 0x29, 0x34, 0x44, 0x01, 0xbf, 0x12, 0x25, 0xfe,
+- 0x18, 0x0a, 0xc8, 0x3f, 0xc1, 0x60, 0x48, 0xdb,
+- 0xad, 0x93, 0xb6, 0x61, 0x67, 0xd7, 0xa8, 0x2d };
++ 0xc6, 0x2a, 0x47, 0x73, 0xea, 0x78, 0xfa, 0x65,
++ 0x47, 0x69, 0x39, 0x10, 0x08, 0x55, 0x6a, 0xdd,
++ 0xbf, 0x77, 0xe1, 0x9a, 0x69, 0x73, 0xba, 0x66,
++ 0x37, 0x08, 0x93, 0x9e, 0xdb, 0x5d, 0x01, 0x08,
++ 0xb8, 0x3a, 0x73, 0xe9, 0x85, 0x5f, 0xa7, 0x2b,
++ 0x63, 0x7f, 0xd0, 0xc6, 0x4c, 0xdc, 0xfc, 0x8b,
++ 0xa6, 0x03, 0xc9, 0x9c, 0x80, 0x5e, 0xec, 0xc6,
++ 0x21, 0x23, 0xf7, 0x8e, 0xa4, 0x7b, 0x77, 0x83,
++ 0x02, 0x44, 0xf8, 0x05, 0xd7, 0x36, 0x52, 0x13,
++ 0x57, 0x78, 0x97, 0xf3, 0x7b, 0xcf, 0x1f, 0xc9,
++ 0x2a, 0xa4, 0x71, 0x9d, 0xa8, 0xd8, 0x5d, 0xc5,
++ 0x3b, 0x64, 0x3a, 0x72, 0x60, 0x62, 0xb0, 0xb8,
++ 0xf3, 0xb1, 0xe7, 0xb9, 0x76, 0xdf, 0x74, 0xbe,
++ 0x87, 0x6a, 0xd2, 0xf1, 0xa9, 0x44, 0x8b, 0x63,
++ 0x76, 0x4f, 0x5d, 0x21, 0x63, 0xb5, 0x4f, 0x3c,
++ 0x7b, 0x61, 0xb2, 0xf3, 0xea, 0xc5, 0xd8, 0xef,
++ 0x30, 0x50, 0x59, 0x33, 0x61, 0xc0, 0xf3, 0x6e,
++ 0x21, 0xcf, 0x15, 0x35, 0x4a, 0x87, 0x2b, 0xc3,
++ 0xf6, 0x5a, 0x1f, 0x24, 0x22, 0xc5, 0xeb, 0x47,
++ 0x34, 0x4a, 0x1b, 0xb5, 0x2e, 0x71, 0x52, 0x8f,
++ 0x2d, 0x7d, 0xa9, 0x96, 0x8a, 0x7c, 0x61, 0xdb,
++ 0xc0, 0xdc, 0xf1, 0xca, 0x28, 0x69, 0x1c, 0x97,
++ 0xad, 0xea, 0x0d, 0x9e, 0x02, 0xe6, 0xe5, 0x7d,
++ 0xad, 0xe0, 0x42, 0x91, 0x4d, 0xfa, 0xe2, 0x81,
++ 0x16, 0x2b, 0xc2, 0x96, 0x3b, 0x32, 0x8c, 0x20,
++ 0x69, 0x8b, 0x5b, 0x17, 0x3c, 0xf9, 0x13, 0x6c,
++ 0x98, 0x27, 0x1c, 0xca, 0xcf, 0x33, 0xaa, 0x93,
++ 0x21, 0xaf, 0x17, 0x6e, 0x5e, 0x00, 0x37, 0xd9,
++ 0x34, 0x8a, 0x47, 0xd2, 0x1c, 0x67, 0x32, 0x60,
++ 0xb6, 0xc7, 0xb0, 0xfd, 0x32, 0x90, 0x93, 0x32,
++ 0xaa, 0x11, 0xba, 0x23, 0x19, 0x39, 0x6a, 0x42,
++ 0x7c, 0x1f, 0xb7, 0x28, 0xdb, 0x64, 0xad, 0xd9 };
+ static const unsigned char Q[] = { 0,
+- 0xb5, 0xb0, 0x84, 0x8b, 0x44, 0x29, 0xf6, 0x33,
+- 0x59, 0xa1, 0x3c, 0xbe, 0xd2, 0x7f, 0x35, 0xa1,
+- 0x76, 0x27, 0x03, 0x81 };
++ 0xe6, 0xa3, 0xc9, 0xc6, 0x51, 0x92, 0x8b, 0xb3,
++ 0x98, 0x8f, 0x97, 0xb8, 0x31, 0x0d, 0x4a, 0x03,
++ 0x1e, 0xba, 0x4e, 0xe6, 0xc8, 0x90, 0x98, 0x1d,
++ 0x3a, 0x95, 0xf4, 0xf1 };
+ static const unsigned char G[] = {
+- 0x04, 0x0e, 0x83, 0x69, 0xf1, 0xcd, 0x7d, 0xe5,
+- 0x0c, 0x78, 0x93, 0xd6, 0x49, 0x6f, 0x00, 0x04,
+- 0x4e, 0x0e, 0x6c, 0x37, 0xaa, 0x38, 0x22, 0x47,
+- 0xd2, 0x58, 0xec, 0x83, 0x12, 0x95, 0xf9, 0x9c,
+- 0xf1, 0xf4, 0x27, 0xff, 0xd7, 0x99, 0x57, 0x35,
+- 0xc6, 0x64, 0x4c, 0xc0, 0x47, 0x12, 0x31, 0x50,
+- 0x82, 0x3c, 0x2a, 0x07, 0x03, 0x01, 0xef, 0x30,
+- 0x09, 0x89, 0x82, 0x41, 0x76, 0x71, 0xda, 0x9e,
+- 0x57, 0x8b, 0x76, 0x38, 0x37, 0x5f, 0xa5, 0xcd,
+- 0x32, 0x84, 0x45, 0x8d, 0x4c, 0x17, 0x54, 0x2b,
+- 0x5d, 0xc2, 0x6b, 0xba, 0x3e, 0xa0, 0x7b, 0x95,
+- 0xd7, 0x00, 0x42, 0xf7, 0x08, 0xb8, 0x83, 0x87,
+- 0x60, 0xe1, 0xe5, 0xf4, 0x1a, 0x54, 0xc2, 0x20,
+- 0xda, 0x38, 0x3a, 0xd1, 0xb6, 0x10, 0xf4, 0xcb,
+- 0x35, 0xda, 0x97, 0x92, 0x87, 0xd6, 0xa5, 0x37,
+- 0x62, 0xb4, 0x93, 0x4a, 0x15, 0x21, 0xa5, 0x10 };
++ 0x70, 0x32, 0x58, 0x5d, 0xb3, 0xbf, 0xc3, 0x62,
++ 0x63, 0x0b, 0xf8, 0xa5, 0xe1, 0xed, 0xeb, 0x79,
++ 0xac, 0x18, 0x41, 0x64, 0xb3, 0xda, 0x4c, 0xa7,
++ 0x92, 0x63, 0xb1, 0x33, 0x7c, 0xcb, 0x43, 0xdc,
++ 0x1f, 0x38, 0x63, 0x5e, 0x0e, 0x6d, 0x45, 0xd1,
++ 0xc9, 0x67, 0xf3, 0xcf, 0x3d, 0x2d, 0x16, 0x4e,
++ 0x92, 0x16, 0x06, 0x59, 0x29, 0x89, 0x6f, 0x54,
++ 0xff, 0xc5, 0x71, 0xc8, 0x3a, 0x95, 0x84, 0xb6,
++ 0x7e, 0x7b, 0x1e, 0x8b, 0x47, 0x9d, 0x7a, 0x3a,
++ 0x36, 0x9b, 0x70, 0x2f, 0xd1, 0xbd, 0xef, 0xe8,
++ 0x3a, 0x41, 0xd4, 0xf3, 0x1f, 0x81, 0xc7, 0x1f,
++ 0x96, 0x7c, 0x30, 0xab, 0xf4, 0x7a, 0xac, 0x93,
++ 0xed, 0x6f, 0x67, 0xb0, 0xc9, 0x5b, 0xf3, 0x83,
++ 0x9d, 0xa0, 0xd7, 0xb9, 0x01, 0xed, 0x28, 0xae,
++ 0x1c, 0x6e, 0x2e, 0x48, 0xac, 0x9f, 0x7d, 0xf3,
++ 0x00, 0x48, 0xee, 0x0e, 0xfb, 0x7e, 0x5e, 0xcb,
++ 0xf5, 0x39, 0xd8, 0x92, 0x90, 0x61, 0x2d, 0x1e,
++ 0x3c, 0xd3, 0x55, 0x0d, 0x34, 0xd1, 0x81, 0xc4,
++ 0x89, 0xea, 0x94, 0x2b, 0x56, 0x33, 0x73, 0x58,
++ 0x48, 0xbf, 0x23, 0x72, 0x19, 0x5f, 0x19, 0xac,
++ 0xff, 0x09, 0xc8, 0xcd, 0xab, 0x71, 0xef, 0x9e,
++ 0x20, 0xfd, 0xe3, 0xb8, 0x27, 0x9e, 0x65, 0xb1,
++ 0x85, 0xcd, 0x88, 0xfe, 0xd4, 0xd7, 0x64, 0x4d,
++ 0xe1, 0xe8, 0xa6, 0xe5, 0x96, 0xc8, 0x5d, 0x9c,
++ 0xc6, 0x70, 0x6b, 0xba, 0x77, 0x4e, 0x90, 0x4a,
++ 0xb0, 0x96, 0xc5, 0xa0, 0x9e, 0x2c, 0x01, 0x03,
++ 0xbe, 0xbd, 0x71, 0xba, 0x0a, 0x6f, 0x9f, 0xe5,
++ 0xdb, 0x04, 0x08, 0xf2, 0x9e, 0x0f, 0x1b, 0xac,
++ 0xcd, 0xbb, 0x65, 0x12, 0xcf, 0x77, 0xc9, 0x7d,
++ 0xbe, 0x94, 0x4b, 0x9c, 0x5b, 0xde, 0x0d, 0xfa,
++ 0x57, 0xdd, 0x77, 0x32, 0xf0, 0x5b, 0x34, 0xfd,
++ 0x19, 0x95, 0x33, 0x60, 0x87, 0xe2, 0xa2, 0xf4 };
+
+-/* h:
+- * 4a:76:30:89:eb:e1:81:7c:99:0b:39:7f:95:4a:65:72:
+- * c6:b4:05:92:48:6c:3c:b2:7e:e7:39:f3:92:7d:c1:3f:
+- * bf:e1:fd:b3:4a:46:3e:ce:29:80:e3:d6:f4:59:c6:92:
+- * 16:2b:0e:d7:d6:bb:ef:94:36:31:c2:66:46:c5:4a:77:
+- * aa:95:84:ef:99:7e:e3:9c:d9:a0:32:42:09:b6:4e:d0:
+- * b3:c8:5e:06:df:a1:ac:4d:2d:f9:08:c2:cb:4b:a4:42:
+- * db:8a:5b:de:25:6e:2b:5b:ca:00:75:2c:57:00:18:aa:
+- * 68:59:a1:94:03:07:94:78:38:bc:f8:7c:1e:1c:a3:2e
+- * SEED:
+- * b5:44:66:c9:0f:f1:ca:1c:95:45:ce:90:74:89:14:f2:
+- * 13:3e:23:5a:b0:6a:bf:86:ad:cb:a0:7d:ce:3b:c8:16:
+- * 7f:2d:a2:1a:cb:33:7d:c1:e7:d7:07:aa:1b:a2:d7:89:
+- * f5:a4:db:f7:8b:50:00:cd:b4:7d:25:81:3f:f8:a8:dd:
+- * 6c:46:e5:77:b5:60:7e:75:79:b8:99:57:c1:c4:f3:f7:
+- * 17:ca:43:00:b8:33:b6:06:8f:4d:91:ed:23:a5:66:1b:
+- * ef:14:d7:bc:21:2b:82:d8:ab:fa:fd:a7:c3:4d:bf:52:
+- * af:8e:57:59:61:1a:4e:65:c6:90:d6:a6:ff:0b:15:b1
+- * g: 1024
+- * counter: 1003
++
++/* P, Q, G have been generated using the NSS makepqg utility:
++ * makepqg -l 2048 -g 224 -r
++ * (see also: bug 1170322)
++ *
++ * h: 1 (0x1)
++ * SEED:
++ * d2:0b:c5:63:1b:af:dc:36:b7:7c:b9:3e:36:01:a0:8f:
++ * 0e:be:d0:38:e4:78:d5:3c:7c:9e:a9:9a:d2:0b:c5:63:
++ * 1b:af:dc:36:b7:7c:b9:3e:36:01:a0:8f:0e:be:d0:38:
++ * e4:78:d5:3c:7c:9e:c7:70:d2:0b:c5:63:1b:af:dc:36:
++ * b7:7c:b9:3e:36:01:a0:8f:0e:be:d0:38:e4:78:d5:3c:
++ * 7c:9e:aa:3e
++ * g: 672
++ * counter: 0
+ */
+
+ static const SECKEYPQGParams default_pqg_params = {
+diff -up ./cmd/selfserv/selfserv.c.dhe_and_sha384 ./cmd/selfserv/selfserv.c
+--- ./cmd/selfserv/selfserv.c.dhe_and_sha384 2015-06-24 23:06:00.423873110 +0200
++++ ./cmd/selfserv/selfserv.c 2015-06-24 23:06:00.453872547 +0200
+@@ -119,16 +119,16 @@ const int ssl3CipherSuites[] = {
+ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */
+ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */
+ TLS_RSA_WITH_RC4_128_SHA, /* n */
+- -1, /* TLS_DHE_DSS_WITH_RC4_128_SHA, * o */
+- -1, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, * p */
+- -1, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, * q */
+- -1, /* TLS_DHE_RSA_WITH_DES_CBC_SHA, * r */
+- -1, /* TLS_DHE_DSS_WITH_DES_CBC_SHA, * s */
+- -1, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA, * t */
+- -1, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA, * u */
++ TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */
++ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */
++ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */
++ TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */
++ TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */
+ TLS_RSA_WITH_AES_128_CBC_SHA, /* v */
+- -1, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, * w */
+- -1, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA, * x */
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */
+ TLS_RSA_WITH_AES_256_CBC_SHA, /* y */
+ TLS_RSA_WITH_NULL_SHA, /* z */
+ 0
+@@ -141,6 +141,9 @@ static PRBool noDelay;
+ static int requestCert;
+ static int verbose;
+ static SECItem bigBuf;
++static int configureDHE = -1; /* -1: don't configure, 0 disable, >=1 enable*/
++static int configureReuseECDHE = -1; /* -1: don't configure, 0 refresh, >=1 reuse*/
++static int configureWeakDHE = -1; /* -1: don't configure, 0 disable, >=1 enable*/
+
+ static PRThread * acceptorThread;
+
+@@ -160,11 +163,12 @@ PrintUsageHeader(const char *progName)
+ " [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
+ " [-V [min-version]:[max-version]] [-a sni_name]\n"
+ " [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
++" [-C SSLCacheEntries] [-S dsa_nickname]"
+ #ifndef NSS_DISABLE_ECC
+-" [-C SSLCacheEntries] [-e ec_nickname]\n"
+-#else
+-" [-C SSLCacheEntries]\n"
++ " [-e ec_nickname]"
+ #endif /* NSS_DISABLE_ECC */
++"\n"
++" -U [0|1] -H [0|1] -W [0|1]\n"
+ ,progName);
+ }
+
+@@ -216,6 +220,9 @@ PrintParameterUsage()
+ " good, revoked, unknown, failure, badsig, corrupted\n"
+ " ocsp: fetch from external OCSP server using AIA, or none\n"
+ "-A <ca> Nickname of a CA used to sign a stapled cert status\n"
++"-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
++"-H override default DHE server support, 0: disable, 1: enable\n"
++"-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
+ "-c Restrict ciphers\n"
+ "-Y prints cipher values allowed for parameter -c and exits\n"
+ , stderr);
+@@ -252,7 +259,16 @@ PrintCipherUsage(const char *progName)
+ "l SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
+ "m SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n"
+ "n SSL3 RSA WITH RC4 128 SHA\n"
++"o TLS_DHE_DSS_WITH_RC4_128_SHA\n"
++"p TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\n"
++"q TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\n"
++"r TLS_DHE_RSA_WITH_DES_CBC_SHA\n"
++"s TLS_DHE_DSS_WITH_DES_CBC_SHA\n"
++"t TLS_DHE_DSS_WITH_AES_128_CBC_SHA\n"
++"u TLS_DHE_RSA_WITH_AES_128_CBC_SHA\n"
+ "v SSL3 RSA WITH AES 128 CBC SHA\n"
++"w TLS_DHE_DSS_WITH_AES_256_CBC_SHA\n"
++"x TLS_DHE_RSA_WITH_AES_256_CBC_SHA\n"
+ "y SSL3 RSA WITH AES 256 CBC SHA\n"
+ "z SSL3 RSA WITH NULL SHA\n"
+ "\n"
+@@ -1909,6 +1925,18 @@ server_main(
+ }
+ }
+
++ if (configureDHE > -1) {
++ rv = SSL_OptionSet(model_sock, SSL_ENABLE_SERVER_DHE, (configureDHE > 0));
++ }
++
++ if (configureReuseECDHE > -1) {
++ rv = SSL_OptionSet(model_sock, SSL_REUSE_SERVER_ECDHE_KEY, (configureReuseECDHE > 0));
++ }
++
++ if (configureWeakDHE > -1) {
++ rv = SSL_EnableWeakDHEPrimeGroup(model_sock, (configureWeakDHE > 0));
++ }
++
+ for (kea = kt_rsa; kea < kt_kea_size; kea++) {
+ if (cert[kea] != NULL) {
+ secStatus = SSL_ConfigSecureServer(model_sock,
+@@ -2140,6 +2168,7 @@ main(int argc, char **argv)
+ #ifndef NSS_DISABLE_ECC
+ char * ecNickName = NULL;
+ #endif
++ char * dsaNickName = NULL;
+ const char * fileName = NULL;
+ char * cipherString= NULL;
+ const char * dir = ".";
+@@ -2184,7 +2213,7 @@ main(int argc, char **argv)
+ ** numbers, then capital letters, then lower case, alphabetical.
+ */
+ optstate = PL_CreateOptState(argc, argv,
+- "2:A:BC:DEL:M:NP:RT:V:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
++ "2:A:BC:DEH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
+ while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ ++optionsFound;
+ switch(optstate->option) {
+@@ -2198,6 +2227,7 @@ main(int argc, char **argv)
+
+ case 'D': noDelay = PR_TRUE; break;
+ case 'E': disableStepDown = PR_TRUE; break;
++ case 'H': configureDHE = (PORT_Atoi(optstate->value) != 0); break;
+
+ case 'I': /* reserved for OCSP multi-stapling */ break;
+
+@@ -2221,6 +2251,8 @@ main(int argc, char **argv)
+
+ case 'R': disableRollBack = PR_TRUE; break;
+
++ case 'S': dsaNickName = PORT_Strdup(optstate->value); break;
++
+ case 'T':
+ if (enableOCSPStapling(optstate->value) != SECSuccess) {
+ fprintf(stderr, "Invalid OCSP stapling mode.\n");
+@@ -2229,6 +2261,8 @@ main(int argc, char **argv)
+ }
+ break;
+
++ case 'U': configureReuseECDHE = (PORT_Atoi(optstate->value) != 0); break;
++
+ case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
+ enabledVersions, enableSSL2,
+ &enabledVersions, &enableSSL2) != SECSuccess) {
+@@ -2236,6 +2270,8 @@ main(int argc, char **argv)
+ }
+ break;
+
++ case 'W': configureWeakDHE = (PORT_Atoi(optstate->value) != 0); break;
++
+ case 'Y': PrintCipherUsage(progName); exit(0); break;
+
+ case 'a': if (virtServerNameIndex >= MAX_VIRT_SERVER_NAME_ARRAY_INDEX) {
+@@ -2366,6 +2402,7 @@ main(int argc, char **argv)
+ }
+
+ if ((nickName == NULL)
++ && (dsaNickName == NULL)
+ #ifndef NSS_DISABLE_ECC
+ && (ecNickName == NULL)
+ #endif
+@@ -2597,6 +2634,33 @@ main(int argc, char **argv)
+ setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_rsa], kt_rsa,
+ &pwdata);
+ }
++ if (dsaNickName) {
++ /* Investigate if ssl_kea_dh should be changed to ssl_auth_dsa.
++ * See bug 102794.*/
++ cert[ssl_kea_dh] = PK11_FindCertFromNickname(dsaNickName, &pwdata);
++ if (cert[ssl_kea_dh] == NULL) {
++ fprintf(stderr, "selfserv: Can't find certificate %s\n", dsaNickName);
++ exit(12);
++ }
++ privKey[ssl_kea_dh] = PK11_FindKeyByAnyCert(cert[ssl_kea_dh], &pwdata);
++ if (privKey[ssl_kea_dh] == NULL) {
++ fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n",
++ dsaNickName);
++ exit(11);
++ }
++ if (testbypass) {
++ PRBool bypassOK;
++ if (SSL_CanBypass(cert[ssl_kea_dh], privKey[ssl_kea_dh], protos, cipherlist,
++ nciphers, &bypassOK, &pwdata) != SECSuccess) {
++ SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
++ exit(14);
++ }
++ fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
++ bypassOK ? "" : "not");
++ }
++ setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh,
++ &pwdata);
++ }
+ #ifndef NSS_DISABLE_ECC
+ if (ecNickName) {
+ cert[kt_ecdh] = PK11_FindCertFromNickname(ecNickName, &pwdata);
+@@ -2629,6 +2693,13 @@ main(int argc, char **argv)
+ if (testbypass)
+ goto cleanup;
+
++ if (configureWeakDHE > 0) {
++ fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n");
++ rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
++ fprintf(stderr, "selfserv: Done creating dynamic weak DH parameters\n");
++ }
++
++
+ /* allocate the array of thread slots, and launch the worker threads. */
+ rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads);
+
+diff -up ./cmd/tstclnt/tstclnt.c.dhe_and_sha384 ./cmd/tstclnt/tstclnt.c
+--- ./cmd/tstclnt/tstclnt.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./cmd/tstclnt/tstclnt.c 2015-06-24 23:06:00.454872529 +0200
+@@ -212,7 +212,7 @@ static void PrintParameterUsage(void)
+ fprintf(stderr,
+ "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
+ "%-20s All versions are enabled by default.\n"
+- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
++ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
+ "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
+ "-V [min]:[max]", "", "", "");
+ fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
+@@ -911,7 +911,7 @@ int main(int argc, char **argv)
+ int npds;
+ int override = 0;
+ SSLVersionRange enabledVersions;
+- PRBool enableSSL2 = PR_TRUE;
++ PRBool enableSSL2 = PR_FALSE;
+ int bypassPKCS11 = 0;
+ int disableLocking = 0;
+ int useExportPolicy = 0;
+diff -up ./lib/ssl/dhe-param.c.dhe_and_sha384 ./lib/ssl/dhe-param.c
+--- ./lib/ssl/dhe-param.c.dhe_and_sha384 2015-06-24 23:06:00.454872529 +0200
++++ ./lib/ssl/dhe-param.c 2015-06-24 23:06:00.454872529 +0200
+@@ -0,0 +1,413 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++static const unsigned char ff_dhe_g2[] = { 2 };
++
++static const unsigned char ff_dhe_2048_p[] = {
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++};
++
++static const ssl3DHParams ff_dhe_2048 = {
++ { siBuffer, (unsigned char *)ff_dhe_2048_p, sizeof(ff_dhe_2048_p) },
++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) },
++};
++
++static const unsigned char ff_dhe_3072_p[] = {
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++};
++
++static const ssl3DHParams ff_dhe_3072 = {
++ { siBuffer, (unsigned char *)ff_dhe_3072_p, sizeof(ff_dhe_3072_p) },
++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) },
++};
++
++static const unsigned char ff_dhe_4096_p[] = {
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1,
++ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
++ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6,
++ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18,
++ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
++ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A,
++ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A,
++ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
++ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4,
++ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38,
++ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
++ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C,
++ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC,
++ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
++ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B,
++ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1,
++ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++};
++
++static const ssl3DHParams ff_dhe_4096 = {
++ { siBuffer, (unsigned char *)ff_dhe_4096_p, sizeof(ff_dhe_4096_p) },
++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) },
++};
++
++static const unsigned char ff_dhe_6144_p[] = {
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1,
++ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
++ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6,
++ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18,
++ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
++ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A,
++ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A,
++ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
++ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4,
++ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38,
++ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
++ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C,
++ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC,
++ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
++ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B,
++ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1,
++ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02,
++ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A,
++ 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A,
++ 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6,
++ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8,
++ 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C,
++ 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A,
++ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71,
++ 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F,
++ 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77,
++ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10,
++ 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8,
++ 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3,
++ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E,
++ 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3,
++ 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4,
++ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1,
++ 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92,
++ 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6,
++ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82,
++ 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE,
++ 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C,
++ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E,
++ 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46,
++ 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A,
++ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17,
++ 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03,
++ 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04,
++ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6,
++ 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69,
++ 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1,
++ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4,
++ 0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++};
++
++static const ssl3DHParams ff_dhe_6144 = {
++ { siBuffer, (unsigned char *)ff_dhe_6144_p, sizeof(ff_dhe_6144_p) },
++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) },
++};
++
++static const unsigned char ff_dhe_8192_p[] = {
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1,
++ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
++ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6,
++ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18,
++ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
++ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A,
++ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A,
++ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
++ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4,
++ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38,
++ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
++ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C,
++ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC,
++ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
++ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B,
++ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1,
++ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02,
++ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A,
++ 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A,
++ 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6,
++ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8,
++ 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C,
++ 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A,
++ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71,
++ 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F,
++ 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77,
++ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10,
++ 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8,
++ 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3,
++ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E,
++ 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3,
++ 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4,
++ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1,
++ 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92,
++ 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6,
++ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82,
++ 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE,
++ 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C,
++ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E,
++ 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46,
++ 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A,
++ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17,
++ 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03,
++ 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04,
++ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6,
++ 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69,
++ 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1,
++ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4,
++ 0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA,
++ 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38,
++ 0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64,
++ 0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43,
++ 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E,
++ 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF,
++ 0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29,
++ 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65,
++ 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02,
++ 0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4,
++ 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82,
++ 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C,
++ 0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51,
++ 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22,
++ 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74,
++ 0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE,
++ 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C,
++ 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC,
++ 0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B,
++ 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9,
++ 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0,
++ 0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31,
++ 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57,
++ 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8,
++ 0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E,
++ 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30,
++ 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E,
++ 0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE,
++ 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D,
++ 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D,
++ 0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E,
++ 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C,
++ 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++};
++
++static const ssl3DHParams ff_dhe_8192 = {
++ { siBuffer, (unsigned char *)ff_dhe_8192_p, sizeof(ff_dhe_8192_p) },
++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) },
++};
+diff -up ./lib/ssl/ssl3con.c.dhe_and_sha384 ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.dhe_and_sha384 2015-06-24 23:06:00.448872641 +0200
++++ ./lib/ssl/ssl3con.c 2015-06-24 23:06:00.456872491 +0200
+@@ -91,7 +91,11 @@ static ssl3CipherSuiteCfg cipherSuites[s
+
+ #ifndef NSS_DISABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+ * bug 946147.
+ */
+@@ -108,14 +112,19 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ #endif /* NSS_DISABLE_ECC */
+
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -134,6 +143,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ #endif /* NSS_DISABLE_ECC */
+
+ /* RSA */
++ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -281,6 +291,7 @@ static const ssl3BulkCipherDef bulk_ciph
+ {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
+ {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
+ {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
++ {cipher_aes_256_gcm, calg_aes_gcm, 32,32, type_aead, 4, 0,16, 8},
+ {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
+ };
+
+@@ -316,131 +327,145 @@ static const ssl3CipherSuiteDef cipher_s
+ {
+ /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */
+
+- {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
+- {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
+- {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
+- {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa},
+- {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
+- {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
+- {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
++ {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null, 0},
++ {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa, 0},
++ {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa, 0},
++ {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa, prf_256},
++ {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export, 0},
++ {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa, 0},
++ {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa, 0},
+ {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+- cipher_rc2_40, mac_md5, kea_rsa_export},
++ cipher_rc2_40, mac_md5, kea_rsa_export, 0},
+ #if 0 /* not implemented */
+- {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa},
++ {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa, 0},
+ {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+- cipher_des40, mac_sha, kea_rsa_export},
++ cipher_des40, mac_sha, kea_rsa_export, 0},
+ #endif
+- {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa},
+- {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa},
+- {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss},
++ {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa, 0},
++ {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa, 0},
++ {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss, 0},
+ {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+- cipher_3des, mac_sha, kea_dhe_dss},
+- {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss},
++ cipher_3des, mac_sha, kea_dhe_dss, 0},
++ {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss, 0},
+ #if 0 /* not implemented */
+ {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+- cipher_des40, mac_sha, kea_dh_dss_export},
+- {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
+- {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
++ cipher_des40, mac_sha, kea_dh_dss_export, 0},
++ {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss, 0},
++ {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss, 0},
+ {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+- cipher_des40, mac_sha, kea_dh_rsa_export},
+- {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
+- {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa},
++ cipher_des40, mac_sha, kea_dh_rsa_export, 0},
++ {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa, 0},
++ {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa, 0},
+ {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+- cipher_des40, mac_sha, kea_dh_dss_export},
++ cipher_des40, mac_sha, kea_dh_dss_export, 0},
+ {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+- cipher_des40, mac_sha, kea_dh_rsa_export},
++ cipher_des40, mac_sha, kea_dh_rsa_export, 0},
+ #endif
+- {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa},
++ {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa, 0},
+ {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- cipher_3des, mac_sha, kea_dhe_rsa},
++ cipher_3des, mac_sha, kea_dhe_rsa, 0},
+ #if 0
+- {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
++ {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export, 0},
+ {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+- cipher_des40, mac_sha, kea_dh_anon_export},
+- {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon},
+- {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon},
++ cipher_des40, mac_sha, kea_dh_anon_export, 0},
++ {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon, 0},
++ {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon, 0},
+ #endif
+
+
+ /* New TLS cipher suites */
+- {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa},
+- {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa},
+- {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss},
+- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa},
+- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa},
+- {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa},
+- {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa},
+- {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss},
+- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa},
+- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
++ {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa, 0},
++ {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa, prf_256},
++ {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss, 0},
++ {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa, 0},
++ {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa, prf_256},
++ {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa, 0},
++ {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa, prf_256},
++ {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss, 0},
++ {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa, 0},
++ {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa, prf_256},
+ #if 0
+- {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss},
+- {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa},
+- {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon},
+- {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss},
+- {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa},
+- {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon},
++ {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss, 0},
++ {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa, 0},
++ {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon, 0},
++ {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss, 0},
++ {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa, 0},
++ {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon, 0},
+ #endif
+
+- {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa},
++ {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa, 0},
+
+- {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
++ {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa, 0},
+ {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+- cipher_camellia_128, mac_sha, kea_dhe_dss},
++ cipher_camellia_128, mac_sha, kea_dhe_dss, 0},
+ {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+- cipher_camellia_128, mac_sha, kea_dhe_rsa},
+- {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa},
++ cipher_camellia_128, mac_sha, kea_dhe_rsa, 0},
++ {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa, 0},
+ {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+- cipher_camellia_256, mac_sha, kea_dhe_dss},
++ cipher_camellia_256, mac_sha, kea_dhe_dss, 0},
+ {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+- cipher_camellia_256, mac_sha, kea_dhe_rsa},
++ cipher_camellia_256, mac_sha, kea_dhe_rsa, 0},
+
+ {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+- cipher_des, mac_sha,kea_rsa_export_1024},
++ cipher_des, mac_sha,kea_rsa_export_1024, 0},
+ {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+- cipher_rc4_56, mac_sha,kea_rsa_export_1024},
++ cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0},
+
+- {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
+- {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
++ {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0},
++ {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips, 0},
+
+- {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
+- {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
++ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256},
++ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256},
++#ifndef NSS_DISABLE_ECC
+ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
+ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
++ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256},
++ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256},
++ {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384},
++ {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384},
++ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384},
++ {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384},
++#endif /* NSS_DISABLE_ECC */
++ {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, prf_384},
++ {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, prf_256},
++ {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, prf_384},
++ {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, prf_256},
++ {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, prf_256},
++ {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, prf_384},
+
+ #ifndef NSS_DISABLE_ECC
+- {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
+- {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
+- {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
+- {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
+- {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
+-
+- {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa},
+- {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
+- {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
+- {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
+- {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa},
+- {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
+-
+- {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa},
+- {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa},
+- {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa},
+- {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa},
+- {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa},
+-
+- {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa},
+- {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa},
+- {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa},
+- {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa},
+- {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa},
+- {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa},
++ {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa, 0},
++ {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa, 0},
++ {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, 0},
++ {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, 0},
++ {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, 0},
++
++ {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa, 0},
++ {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa, 0},
++ {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa, 0},
++ {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa, 0},
++ {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa, prf_256},
++ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa, 0},
++
++ {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa, 0},
++ {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa, 0},
++ {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa, 0},
++ {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa, 0},
++ {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa, 0},
++
++ {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa, 0},
++ {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa, 0},
++ {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa, 0},
++ {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa, 0},
++ {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa, prf_256},
++ {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa, 0},
+
+ #if 0
+- {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon},
+- {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon},
+- {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon},
+- {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon},
+- {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon},
++ {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon, 0},
++ {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon, 0},
++ {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon, 0},
++ {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon, 0},
++ {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon, 0},
+ #endif
+ #endif /* NSS_DISABLE_ECC */
+ };
+@@ -481,6 +506,7 @@ static const SSLCipher2Mech alg2Mech[] =
+ #define mmech_md5_hmac CKM_MD5_HMAC
+ #define mmech_sha_hmac CKM_SHA_1_HMAC
+ #define mmech_sha256_hmac CKM_SHA256_HMAC
++#define mmech_sha384_hmac CKM_SHA384_HMAC
+
+ static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
+ /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
+@@ -492,6 +518,7 @@ static const ssl3MACDef mac_defs[] = { /
+ {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
+ {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
+ { mac_aead, mmech_invalid, 0, 0 },
++ {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH}
+ };
+
+ /* indexed by SSL3BulkCipher */
+@@ -640,16 +667,26 @@ ssl3_CipherSuiteAllowedForVersionRange(
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
+ case TLS_RSA_WITH_AES_256_CBC_SHA256:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
++ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
++ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_RSA_WITH_AES_128_GCM_SHA256:
++ case TLS_RSA_WITH_AES_256_GCM_SHA384:
++ case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
++ case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
+ case TLS_RSA_WITH_NULL_SHA256:
+ return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
+
+ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
++ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
++ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
+ case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
++ case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
++ case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
++ case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
+ return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
+
+ /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
+@@ -772,16 +809,11 @@ ssl3_config_match_init(sslSocket *ss)
+ * that the server uses an RSA cert for (EC)DHE-RSA.
+ */
+ switch (cipher_def->key_exchange_alg) {
++ case kea_dhe_dss:
++ svrAuth = ss->serverCerts + ssl_kea_dh;
++ break;
+ case kea_ecdhe_rsa:
+-#if NSS_SERVER_DHE_IMPLEMENTED
+- /* XXX NSS does not yet implement the server side of _DHE_
+- * cipher suites. Correcting the computation for svrAuth,
+- * as the case below does, causes NSS SSL servers to begin to
+- * negotiate cipher suites they do not implement. So, until
+- * server side _DHE_ is implemented, keep this disabled.
+- */
+ case kea_dhe_rsa:
+-#endif
+ svrAuth = ss->serverCerts + kt_rsa;
+ break;
+ case kea_ecdh_ecdsa:
+@@ -793,6 +825,8 @@ ssl3_config_match_init(sslSocket *ss)
+ * simultaneously. For now, both of them use
+ * whatever is in the certificate slot for kt_ecdh
+ */
++ case kea_dhe_dss_export:
++ case kea_dhe_rsa_export:
+ default:
+ svrAuth = ss->serverCerts + exchKeyType;
+ break;
+@@ -829,11 +863,22 @@ ssl3_config_match_init(sslSocket *ss)
+ * cipher suite. */
+ static PRBool
+ config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
+- const SSLVersionRange *vrange)
++ const SSLVersionRange *vrange, const sslSocket *ss)
+ {
++ const ssl3CipherSuiteDef *cipher_def;
++
+ PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
+ if (policy == SSL_NOT_ALLOWED || !enabled)
+- return PR_FALSE;
++ return PR_FALSE;
++
++ cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
++ PORT_Assert(cipher_def != NULL);
++
++ PORT_Assert(ss != NULL);
++ if (ss->sec.isServer && !ss->opt.enableServerDhe &&
++ kea_defs[cipher_def->key_exchange_alg].exchKeyType == ssl_kea_dh)
++ return PR_FALSE;
++
+ return (PRBool)(suite->enabled &&
+ suite->isPresent &&
+ suite->policy != SSL_NOT_ALLOWED &&
+@@ -854,7 +899,7 @@ count_cipher_suites(sslSocket *ss, int p
+ return 0;
+ }
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+- if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
++ if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange, ss))
+ count++;
+ }
+ if (count <= 0) {
+@@ -2321,6 +2366,9 @@ ssl3_ComputeRecordMAC(
+ case ssl_hmac_sha256: /* used with TLS */
+ hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+ break;
++ case ssl_hmac_sha384: /* used with TLS */
++ hashObj = HASH_GetRawHashObject(HASH_AlgSHA384);
++ break;
+ default:
+ break;
+ }
+@@ -3563,6 +3611,17 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
+ return SECSuccess;
+ }
+
++static CK_MECHANISM_TYPE
++ssl3_GetPrfHashMechanism(sslSocket *ss)
++{
++ SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg;
++
++ if (prf_alg == 0)
++ return CKM_SHA256;
++
++ return prf_alg;
++}
++
+ /* This method uses PKCS11 to derive the MS from the PMS, where PMS
+ ** is a PKCS11 symkey. This is used in all cases except the
+ ** "triple bypass" with RSA key exchange.
+@@ -3592,15 +3651,17 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P
+ SECItem params;
+ CK_FLAGS keyFlags;
+ CK_VERSION pms_version;
+- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
++ /* master_params may be used as a CK_SSL3_MASTER_KEY_DERIVE_PARAMS */
++ CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
++ unsigned int master_params_len;
+
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
+ PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+ if (isTLS12) {
+- if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
+- else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
+- key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
++ if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
++ else master_derive = CKM_TLS12_MASTER_KEY_DERIVE;
++ key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
+ keyFlags = CKF_SIGN | CKF_VERIFY;
+ } else if (isTLS) {
+ if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
+@@ -3624,6 +3685,12 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P
+ master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
+ master_params.RandomInfo.pServerRandom = sr;
+ master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
++ if (isTLS12) {
++ master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
++ master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
++ } else {
++ master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
++ }
+
+ params.data = (unsigned char *) &master_params;
+ params.len = sizeof master_params;
+@@ -3756,7 +3823,9 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke
+ PK11SymKey * symKey = NULL;
+ void * pwArg = ss->pkcs11PinArg;
+ int keySize;
+- CK_SSL3_KEY_MAT_PARAMS key_material_params;
++ CK_TLS12_KEY_MAT_PARAMS key_material_params; /* may be used as a
++ * CK_SSL3_KEY_MAT_PARAMS */
++ unsigned int key_material_params_len;
+ CK_SSL3_KEY_MAT_OUT returnedKeys;
+ CK_MECHANISM_TYPE key_derive;
+ CK_MECHANISM_TYPE bulk_mechanism;
+@@ -3810,17 +3879,21 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke
+ PORT_Assert( alg2Mech[calg].calg == calg);
+ bulk_mechanism = alg2Mech[calg].cmech;
+
+- params.data = (unsigned char *)&key_material_params;
+- params.len = sizeof(key_material_params);
+-
+ if (isTLS12) {
+- key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
++ key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
++ key_material_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
++ key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS);
+ } else if (isTLS) {
+ key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
++ key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
+ } else {
+ key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
++ key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
+ }
+
++ params.data = (unsigned char *)&key_material_params;
++ params.len = key_material_params_len;
++
+ /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
+ * DERIVE by DEFAULT */
+ symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms,
+@@ -3883,9 +3956,9 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
+ #ifndef NO_PKCS11_BYPASS
+ if (ss->opt.bypassPKCS11) {
+ PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
++ /* If we ever support ciphersuites where the PRF hash isn't SHA-256
++ * then this will need to be updated. */
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+- /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+- * then this will need to be updated. */
+ ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
+ if (!ss->ssl3.hs.sha_obj) {
+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+@@ -3909,9 +3982,19 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
+ * that the master secret will wind up in ...
+ */
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+- /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+- * then this will need to be updated. */
+- ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
++ /* determine the hash from the prf */
++ const SECOidData *hash_oid;
++
++ PORT_Assert(ss->ssl3.hs.suite_def);
++ /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_alg)
++ * Convert that to the OidTag.
++ * We can then use that OidTag to create our PK11Context */
++ hash_oid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
++ if (hash_oid == NULL) {
++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
++ return SECFailure;
++ }
++ ss->ssl3.hs.sha = PK11_CreateDigestContext(hash_oid->offset);
+ if (ss->ssl3.hs.sha == NULL) {
+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+ return SECFailure;
+@@ -5279,7 +5362,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
+ }
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+- if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
++ if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange, ss)) {
+ actual_count++;
+ if (actual_count > num_suites) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+@@ -6305,13 +6388,6 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+ }
+ isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
+
+- rv = ssl3_InitHandshakeHashes(ss);
+- if (rv != SECSuccess) {
+- desc = internal_error;
+- errCode = PORT_GetError();
+- goto alert_loser;
+- }
+-
+ rv = ssl3_ConsumeHandshake(
+ ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
+ if (rv != SECSuccess) {
+@@ -6338,7 +6414,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+ if (temp == suite->cipher_suite) {
+ SSLVersionRange vrange = {ss->version, ss->version};
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
+ /* config_match already checks whether the cipher suite is
+ * acceptable for the version, but the check is repeated here
+ * in order to give a more precise error code. */
+@@ -6390,6 +6466,14 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+ }
+ ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
+
++ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
++ rv = ssl3_InitHandshakeHashes(ss);
++ if (rv != SECSuccess) {
++ desc = internal_error;
++ errCode = PORT_GetError();
++ goto alert_loser;
++ }
++
+ /* Note that if !isTLS and the extra stuff is not extensions, we
+ * do NOT goto alert_loser.
+ * There are some old SSL 3.0 implementations that do send stuff
+@@ -7609,6 +7693,22 @@ ssl3_SendServerHelloSequence(sslSocket *
+ /* An empty TLS Renegotiation Info (RI) extension */
+ static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00};
+
++static PRBool
++ssl3_KEAAllowsSessionTicket(SSL3KeyExchangeAlgorithm kea)
++{
++ switch (kea) {
++ case kea_dhe_dss:
++ case kea_dhe_dss_export:
++ case kea_dh_dss_export:
++ case kea_dh_dss:
++ /* TODO: Fix session tickets for DSS. The server code rejects the
++ * session ticket received from the client. Bug 1174677 */
++ return PR_FALSE;
++ default:
++ return PR_TRUE;
++ };
++}
++
+ /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Client Hello message.
+ * Caller must hold Handshake and RecvBuf locks.
+@@ -7631,6 +7731,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+ SECItem comps = {siBuffer, NULL, 0};
+ PRBool haveSpecWriteLock = PR_FALSE;
+ PRBool haveXmitBufLock = PR_FALSE;
++ PRBool canOfferSessionTicket = PR_FALSE;
+
+ SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
+ SSL_GETPID(), ss->fd));
+@@ -7704,13 +7805,6 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+ goto alert_loser;
+ }
+
+- rv = ssl3_InitHandshakeHashes(ss);
+- if (rv != SECSuccess) {
+- desc = internal_error;
+- errCode = PORT_GetError();
+- goto alert_loser;
+- }
+-
+ /* grab the client random data. */
+ rv = ssl3_ConsumeHandshake(
+ ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
+@@ -7870,8 +7964,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+ * resuming.)
+ */
+ if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) {
+- ssl3_RegisterServerHelloExtensionSender(ss,
+- ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
++ canOfferSessionTicket = PR_TRUE;
+ }
+
+ if (sid != NULL) {
+@@ -7950,7 +8043,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+ * The product policy won't change during the process lifetime.
+ * Implemented ("isPresent") shouldn't change for servers.
+ */
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange))
++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss))
+ break;
+ #else
+ if (!suite->enabled)
+@@ -7999,7 +8092,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+ SSLVersionRange vrange = {ss->version, ss->version};
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
+ continue;
+ }
+ for (i = 0; i + 1 < suites.len; i += 2) {
+@@ -8016,6 +8109,15 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+ goto alert_loser;
+
+ suite_found:
++ if (canOfferSessionTicket)
++ canOfferSessionTicket = ssl3_KEAAllowsSessionTicket(
++ ss->ssl3.hs.suite_def->key_exchange_alg);
++
++ if (canOfferSessionTicket) {
++ ssl3_RegisterServerHelloExtensionSender(ss,
++ ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
++ }
++
+ /* Select a compression algorithm. */
+ for (i = 0; i < comps.len; i++) {
+ if (!compressionEnabled(ss, comps.data[i]))
+@@ -8036,6 +8138,14 @@ compression_found:
+ suites.data = NULL;
+ comps.data = NULL;
+
++ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
++ rv = ssl3_InitHandshakeHashes(ss);
++ if (rv != SECSuccess) {
++ desc = internal_error;
++ errCode = PORT_GetError();
++ goto alert_loser;
++ }
++
+ ss->sec.send = ssl3_SendApplicationData;
+
+ /* If there are any failures while processing the old sid,
+@@ -8479,13 +8589,6 @@ ssl3_HandleV2ClientHello(sslSocket *ss,
+ goto alert_loser;
+ }
+
+- rv = ssl3_InitHandshakeHashes(ss);
+- if (rv != SECSuccess) {
+- desc = internal_error;
+- errCode = PORT_GetError();
+- goto alert_loser;
+- }
+-
+ /* if we get a non-zero SID, just ignore it. */
+ if (length !=
+ SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
+@@ -8533,7 +8636,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss,
+ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+ SSLVersionRange vrange = {ss->version, ss->version};
+- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
+ continue;
+ }
+ for (i = 0; i+2 < suite_length; i += 3) {
+@@ -8572,6 +8675,15 @@ suite_found:
+ }
+
+ ss->ssl3.hs.compression = ssl_compression_null;
++
++ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */
++ rv = ssl3_InitHandshakeHashes(ss);
++ if (rv != SECSuccess) {
++ desc = internal_error;
++ errCode = PORT_GetError();
++ goto alert_loser;
++ }
++
+ ss->sec.send = ssl3_SendApplicationData;
+
+ /* we don't even search for a cache hit here. It's just a miss. */
+@@ -8732,6 +8844,154 @@ ssl3_SendServerHello(sslSocket *ss)
+ return SECSuccess;
+ }
+
++static SECStatus
++ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
++ SSL3SignatureAndHashAlgorithm* out);
++
++static SECStatus
++ssl3_SendDHServerKeyExchange(sslSocket *ss)
++{
++ const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
++ SECStatus rv = SECFailure;
++ int length;
++ PRBool isTLS;
++ SECItem signed_hash = {siBuffer, NULL, 0};
++ SSL3Hashes hashes;
++ SSL3SignatureAndHashAlgorithm sigAndHash;
++ SECKEYDHParams dhParam;
++
++ ssl3KeyPair *keyPair = NULL;
++ SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */
++ SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */
++ int certIndex = -1;
++
++ if (kea_def->kea != kea_dhe_dss && kea_def->kea != kea_dhe_rsa) {
++ /* TODO: Support DH_anon. It might be sufficient to drop the signature.
++ See bug 1170510. */
++ PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
++ return SECFailure;
++ }
++
++ dhParam.prime.data = ss->dheParams->prime.data;
++ dhParam.prime.len = ss->dheParams->prime.len;
++ dhParam.base.data = ss->dheParams->base.data;
++ dhParam.base.len = ss->dheParams->base.len;
++
++ PRINT_BUF(60, (NULL, "Server DH p", dhParam.prime.data,
++ dhParam.prime.len));
++ PRINT_BUF(60, (NULL, "Server DH g", dhParam.base.data,
++ dhParam.base.len));
++
++ /* Generate ephemeral DH keypair */
++ privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
++ if (!privKey || !pubKey) {
++ ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
++ rv = SECFailure;
++ goto loser;
++ }
++
++ keyPair = ssl3_NewKeyPair(privKey, pubKey);
++ if (!keyPair) {
++ ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
++ goto loser;
++ }
++
++ PRINT_BUF(50, (ss, "DH public value:",
++ pubKey->u.dh.publicValue.data,
++ pubKey->u.dh.publicValue.len));
++
++ if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
++ ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
++ goto loser;
++ }
++
++ rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg,
++ pubKey->u.dh.prime,
++ pubKey->u.dh.base,
++ pubKey->u.dh.publicValue,
++ &ss->ssl3.hs.client_random,
++ &ss->ssl3.hs.server_random,
++ &hashes, ss->opt.bypassPKCS11);
++ if (rv != SECSuccess) {
++ ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
++ goto loser;
++ }
++
++ /* It has been suggested to test kea_def->signKeyType instead, and to use
++ * ssl_auth_* instead. Investigate what to do. See bug 102794. */
++ if (kea_def->kea == kea_dhe_rsa)
++ certIndex = ssl_kea_rsa;
++ else
++ certIndex = ssl_kea_dh;
++
++ isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
++ rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY,
++ &signed_hash, isTLS);
++ if (rv != SECSuccess) {
++ goto loser; /* ssl3_SignHashes has set err. */
++ }
++ if (signed_hash.data == NULL) {
++ PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
++ goto loser;
++ }
++ length = 2 + pubKey->u.dh.prime.len +
++ 2 + pubKey->u.dh.base.len +
++ 2 + pubKey->u.dh.publicValue.len +
++ 2 + signed_hash.len;
++
++ if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
++ length += 2;
++ }
++
++ rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
++ if (rv != SECSuccess) {
++ goto loser; /* err set by AppendHandshake. */
++ }
++
++ rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.prime.data,
++ pubKey->u.dh.prime.len, 2);
++ if (rv != SECSuccess) {
++ goto loser; /* err set by AppendHandshake. */
++ }
++
++ rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.base.data,
++ pubKey->u.dh.base.len, 2);
++ if (rv != SECSuccess) {
++ goto loser; /* err set by AppendHandshake. */
++ }
++
++ rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.publicValue.data,
++ pubKey->u.dh.publicValue.len, 2);
++ if (rv != SECSuccess) {
++ goto loser; /* err set by AppendHandshake. */
++ }
++
++ if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
++ rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
++ if (rv != SECSuccess) {
++ goto loser; /* err set by AppendHandshake. */
++ }
++ }
++
++ rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
++ signed_hash.len, 2);
++ if (rv != SECSuccess) {
++ goto loser; /* err set by AppendHandshake. */
++ }
++ PORT_Free(signed_hash.data);
++ ss->dheKeyPair = keyPair;
++ return SECSuccess;
++
++loser:
++ if (signed_hash.data)
++ PORT_Free(signed_hash.data);
++ if (privKey)
++ SECKEY_DestroyPrivateKey(privKey);
++ if (pubKey)
++ SECKEY_DestroyPublicKey(pubKey);
++ return SECFailure;
++}
++
+ /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing
+ * elements of the handshake. (The negotiated cipher suite determines the
+ * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always
+@@ -8906,6 +9166,11 @@ ssl3_SendServerKeyExchange(sslSocket *ss
+ PORT_Free(signed_hash.data);
+ return SECSuccess;
+
++ case ssl_kea_dh: {
++ rv = ssl3_SendDHServerKeyExchange(ss);
++ return rv;
++ }
++
+ #ifndef NSS_DISABLE_ECC
+ case kt_ecdh: {
+ rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
+@@ -8913,7 +9178,6 @@ ssl3_SendServerKeyExchange(sslSocket *ss
+ }
+ #endif /* NSS_DISABLE_ECC */
+
+- case kt_dh:
+ case kt_null:
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+@@ -9322,6 +9586,59 @@ double_bypass:
+ return SECSuccess;
+ }
+
++static SECStatus
++ssl3_HandleDHClientKeyExchange(sslSocket *ss,
++ SSL3Opaque *b,
++ PRUint32 length,
++ SECKEYPublicKey *srvrPubKey,
++ SECKEYPrivateKey *serverKey)
++{
++ PK11SymKey *pms;
++ SECStatus rv;
++ SECKEYPublicKey clntPubKey;
++ CK_MECHANISM_TYPE target;
++ PRBool isTLS;
++
++ PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
++ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
++ PORT_Assert( srvrPubKey );
++
++ clntPubKey.keyType = dhKey;
++ clntPubKey.u.dh.prime.len = srvrPubKey->u.dh.prime.len;
++ clntPubKey.u.dh.prime.data = srvrPubKey->u.dh.prime.data;
++ clntPubKey.u.dh.base.len = srvrPubKey->u.dh.base.len;
++ clntPubKey.u.dh.base.data = srvrPubKey->u.dh.base.data;
++
++ rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.dh.publicValue,
++ 2, &b, &length);
++ if (rv != SECSuccess) {
++ goto loser;
++ }
++
++ isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
++
++ if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
++ else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
++
++ /* Determine the PMS */
++ pms = PK11_PubDerive(serverKey, &clntPubKey, PR_FALSE, NULL, NULL,
++ CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
++ if (pms == NULL) {
++ ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
++ goto loser;
++ }
++
++ rv = ssl3_InitPendingCipherSpec(ss, pms);
++ PK11_FreeSymKey(pms); pms = NULL;
++
++loser:
++ if (ss->dheKeyPair) {
++ ssl3_FreeKeyPair(ss->dheKeyPair);
++ ss->dheKeyPair = NULL;
++ }
++ return rv;
++}
++
+
+ /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 ClientKeyExchange message from the remote client
+@@ -9334,9 +9651,7 @@ ssl3_HandleClientKeyExchange(sslSocket *
+ SECStatus rv;
+ const ssl3KEADef *kea_def;
+ ssl3KeyPair *serverKeyPair = NULL;
+-#ifndef NSS_DISABLE_ECC
+ SECKEYPublicKey *serverPubKey = NULL;
+-#endif /* NSS_DISABLE_ECC */
+
+ SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
+ SSL_GETPID(), ss->fd));
+@@ -9366,6 +9681,16 @@ ssl3_HandleClientKeyExchange(sslSocket *
+ ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
+ } else
+ skip:
++ if (kea_def->kea == kea_dhe_dss ||
++ kea_def->kea == kea_dhe_rsa) {
++ if (ss->dheKeyPair) {
++ serverKeyPair = ss->dheKeyPair;
++ if (serverKeyPair->pubKey) {
++ ss->sec.keaKeyBits =
++ SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
++ }
++ }
++ } else
+ #ifndef NSS_DISABLE_ECC
+ /* XXX Using SSLKEAType to index server certifiates
+ * does not work for (EC)DHE ciphers. Until we have
+@@ -9411,6 +9736,21 @@ skip:
+ }
+ break;
+
++ case ssl_kea_dh:
++ if (ss->dheKeyPair && ss->dheKeyPair->pubKey) {
++ serverPubKey = ss->dheKeyPair->pubKey;
++ }
++ if (!serverPubKey) {
++ PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
++ return SECFailure;
++ }
++ rv = ssl3_HandleDHClientKeyExchange(ss, b, length,
++ serverPubKey, serverKey);
++ if (rv != SECSuccess) {
++ SSL3_SendAlert(ss, alert_fatal, handshake_failure);
++ return SECFailure; /* error code set */
++ }
++ break;
+
+ #ifndef NSS_DISABLE_ECC
+ case kt_ecdh:
+@@ -10181,21 +10521,39 @@ done:
+ }
+
+ static SECStatus
+-ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
++ssl3_ComputeTLSFinished(sslSocket *ss,
++ ssl3CipherSpec *spec,
+ PRBool isServer,
+ const SSL3Hashes * hashes,
+ TLSFinished * tlsFinished)
+ {
+- const char * label;
+- unsigned int len;
+- SECStatus rv;
+-
+- label = isServer ? "server finished" : "client finished";
+- len = 15;
+-
+- rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
+- hashes->len, tlsFinished->verify_data,
+- sizeof tlsFinished->verify_data);
++ SECStatus rv;
++ CK_TLS12_MAC_PARAMS tls12_mac_params;
++ SECItem param = {siBuffer, NULL, 0};
++ PK11Context *prf_context;
++ unsigned int retLen;
++
++ if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
++ tls12_mac_params.prfHashMechanism = CKM_TLS_PRF;
++ } else {
++ tls12_mac_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss);
++ }
++ tls12_mac_params.ulMacLength = 12;
++ tls12_mac_params.ulServerOrClient = isServer ? 1 : 2;
++ param.data = (unsigned char *)&tls12_mac_params;
++ param.len = sizeof(tls12_mac_params);
++ prf_context = PK11_CreateContextBySymKey(CKM_TLS12_MAC, CKA_SIGN,
++ spec->master_secret, ¶m);
++ if (!prf_context)
++ return SECFailure;
++
++ rv = PK11_DigestBegin(prf_context);
++ rv |= PK11_DigestOp(prf_context, hashes->u.raw, hashes->len);
++ rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, &retLen,
++ sizeof tlsFinished->verify_data);
++ PORT_Assert(rv != SECSuccess || retLen == sizeof tlsFinished->verify_data);
++
++ PK11_DestroyContext(prf_context, PR_TRUE);
+
+ return rv;
+ }
+@@ -10380,7 +10738,7 @@ ssl3_SendFinished(sslSocket *ss, PRInt32
+ isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
+ rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
+ if (isTLS && rv == SECSuccess) {
+- rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
++ rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished);
+ }
+ ssl_ReleaseSpecReadLock(ss);
+ if (rv != SECSuccess) {
+@@ -10544,7 +10902,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
+ return SECFailure;
+ }
+- rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
++ rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer,
+ hashes, &tlsFinished);
+ if (!isServer)
+ ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
+@@ -10590,7 +10948,8 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
+ * ServerHello message.)
+ */
+ if (isServer && !ss->ssl3.hs.isResuming &&
+- ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
++ ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) &&
++ ssl3_KEAAllowsSessionTicket(ss->ssl3.hs.suite_def->key_exchange_alg)) {
+ /* RFC 5077 Section 3.3: "In the case of a full handshake, the
+ * server MUST verify the client's Finished message before sending
+ * the ticket." Presumably, this also means that the client's
+@@ -10638,7 +10997,8 @@ xmit_loser:
+ return rv;
+ }
+
+- if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
++ if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
++ ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
+ effectiveExchKeyType = kt_rsa;
+ } else {
+ effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
+@@ -11856,8 +12216,6 @@ ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
+ }
+ }
+
+-
+-
+ /*
+ * Creates the public and private RSA keys for SSL Step down.
+ * Called from SSL_ConfigSecureServer in sslsecur.c
+@@ -11889,7 +12247,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss
+ return rv;
+ }
+
+-
+ /* record the export policy for this cipher suite */
+ SECStatus
+ ssl3_SetPolicy(ssl3CipherSuite which, int policy)
+@@ -12022,7 +12379,7 @@ ssl3_ConstructV2CipherSpecsHack(sslSocke
+ /* ssl3_config_match_init was called by the caller of this function. */
+ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+- if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) {
++ if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange, ss)) {
+ if (cs != NULL) {
+ *cs++ = 0x00;
+ *cs++ = (suite->cipher_suite >> 8) & 0xFF;
+@@ -12147,6 +12504,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+ }
+ }
+
++ if (ss->ssl3.dheGroups) {
++ PORT_Free(ss->ssl3.dheGroups);
++ }
++
+ ss->ssl3.initialized = PR_FALSE;
+
+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
+diff -up ./lib/ssl/ssl3ecc.c.dhe_and_sha384 ./lib/ssl/ssl3ecc.c
+--- ./lib/ssl/ssl3ecc.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/ssl3ecc.c 2015-06-24 23:09:45.987637456 +0200
+@@ -297,7 +297,7 @@ ssl3_SendECDHClientKeyExchange(sslSocket
+ pubKey->u.ec.publicValue.len));
+
+ if (isTLS12) {
+- target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
++ target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
+ } else if (isTLS) {
+ target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+ } else {
+@@ -388,7 +388,7 @@ ssl3_HandleECDHClientKeyExchange(sslSock
+ isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
+
+ if (isTLS12) {
+- target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
++ target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
+ } else if (isTLS) {
+ target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+ } else {
+@@ -914,7 +914,9 @@ static const ssl3CipherSuite ecdhe_ecdsa
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ 0 /* end of list marker */
+@@ -925,7 +927,9 @@ static const ssl3CipherSuite ecdhe_rsa_s
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ 0 /* end of list marker */
+@@ -940,11 +944,15 @@ static const ssl3CipherSuite ecSuites[]
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+diff -up ./lib/ssl/ssl3ext.c.dhe_and_sha384 ./lib/ssl/ssl3ext.c
+--- ./lib/ssl/ssl3ext.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/ssl3ext.c 2015-06-24 23:06:00.457872472 +0200
+@@ -1125,7 +1125,8 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
+ sslSessionID sid;
+ PORT_Memset(&sid, 0, sizeof(sslSessionID));
+
+- if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
++ if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
++ ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
+ effectiveExchKeyType = kt_rsa;
+ } else {
+ effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
+diff -up ./lib/ssl/ssl.def.dhe_and_sha384 ./lib/ssl/ssl.def
+--- ./lib/ssl/ssl.def.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/ssl.def 2015-06-24 23:06:00.454872529 +0200
+@@ -171,3 +171,13 @@ SSL_SetCanFalseStartCallback;
+ ;+ local:
+ ;+*;
+ ;+};
++;+NSS_3.20 { # NSS 3.20 release
++;+ global:
++;+# If the 3.20 release includes any additional functions
++;+# besides SSL_DHEGroupPrefSet and SSL_EnableWeakDHEPrimeGroup
++;+# they should be labeled as NSS_3.20a
++SSL_DHEGroupPrefSet;
++SSL_EnableWeakDHEPrimeGroup;
++;+ local:
++;+*;
++;+};
+diff -up ./lib/ssl/sslenum.c.dhe_and_sha384 ./lib/ssl/sslenum.c
+--- ./lib/ssl/sslenum.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/sslenum.c 2015-06-24 23:06:00.457872472 +0200
+@@ -49,7 +49,11 @@
+ const PRUint16 SSL_ImplementedCiphers[] = {
+ #ifndef NSS_DISABLE_ECC
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+ */
+@@ -66,14 +70,19 @@ const PRUint16 SSL_ImplementedCiphers[]
+ #endif /* NSS_DISABLE_ECC */
+
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+@@ -91,6 +100,7 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+ #endif /* NSS_DISABLE_ECC */
+
++ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
+diff -up ./lib/ssl/ssl.h.dhe_and_sha384 ./lib/ssl/ssl.h
+--- ./lib/ssl/ssl.h.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/ssl.h 2015-06-24 23:06:00.454872529 +0200
+@@ -185,12 +185,17 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
+ /* SSL_REUSE_SERVER_ECDHE_KEY controls whether the ECDHE server key is
+ * reused for multiple handshakes or generated each time.
+ * SSL_REUSE_SERVER_ECDHE_KEY is currently enabled by default.
++ * This socket option is for ECDHE, only. It is unrelated to DHE.
+ */
+ #define SSL_REUSE_SERVER_ECDHE_KEY 27
+
+ #define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in
+ * handshakes. */
+
++/* SSL_ENABLE_SERVER_DHE controls whether DHE is enabled for the server socket.
++ */
++#define SSL_ENABLE_SERVER_DHE 29
++
+ #ifdef SSL_DEPRECATED_FUNCTION
+ /* Old deprecated function names */
+ SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
+@@ -292,6 +297,46 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDe
+ SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
+
++/* SSL_DHEGroupPrefSet is used to configure the set of allowed/enabled DHE group
++** parameters that can be used by NSS for the given server socket.
++** The first item in the array is used as the default group, if no other
++** selection criteria can be used by NSS.
++** The set is provided as an array of identifiers as defined by SSLDHEGroupType.
++** If more than one group identifier is provided, NSS will select the one to use.
++** For example, a TLS extension sent by the client might indicate a preference.
++*/
++SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd,
++ SSLDHEGroupType *groups,
++ PRUint16 num_groups);
++
++/* Enable the use of a DHE group that's smaller than the library default,
++** for backwards compatibility reasons. The DH parameters will be created
++** at the time this function is called, which might take a very long time.
++** The function will block until generation is completed.
++** The intention is to enforce that fresh and safe parameters are generated
++** each time a process is started.
++** At the time this API was initially implemented, the API will enable the
++** use of 1024 bit DHE parameters. This value might get increased in future
++** versions of NSS.
++**
++** It is allowed to call this API will a NULL value for parameter fd,
++** which will prepare the global parameters that NSS will reuse for the remainder
++** of the process lifetime. This can be used early after startup of a process,
++** to avoid a delay when handling incoming client connections.
++** This preparation with a NULL for parameter fd will NOT enable the weak group
++** on sockets. The function needs to be called again for every socket that
++** should use the weak group.
++**
++** It is allowed to use this API in combination with the SSL_DHEGroupPrefSet API.
++** If both APIs have been called, the weakest group will be used,
++** unless it is certain that the client supports larger group parameters.
++** The weak group will be used as the default group, overriding the preference
++** for the first group potentially set with a call to SSL_DHEGroupPrefSet
++** (The first group set using SSL_DHEGroupPrefSet will still be enabled, but
++** it's no longer the default group.)
++*/
++SSL_IMPORT SECStatus SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled);
++
+ /* SSL Version Range API
+ **
+ ** This API should be used to control SSL 3.0 & TLS support instead of the
+diff -up ./lib/ssl/sslimpl.h.dhe_and_sha384 ./lib/ssl/sslimpl.h
+--- ./lib/ssl/sslimpl.h.dhe_and_sha384 2015-06-24 23:06:00.449872622 +0200
++++ ./lib/ssl/sslimpl.h 2015-06-24 23:06:00.457872472 +0200
+@@ -62,6 +62,7 @@ typedef SSLSignType SSL3SignType;
+ #define hmac_md5 ssl_hmac_md5
+ #define hmac_sha ssl_hmac_sha
+ #define hmac_sha256 ssl_hmac_sha256
++#define hmac_sha384 ssl_hmac_sha384
+ #define mac_aead ssl_mac_aead
+
+ #define SET_ERROR_CODE /* reminder */
+@@ -179,6 +180,7 @@ typedef struct ssl3CertNodeStr
+ typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef;
+ typedef struct ssl3MACDefStr ssl3MACDef;
+ typedef struct ssl3KeyPairStr ssl3KeyPair;
++typedef struct ssl3DHParamsStr ssl3DHParams;
+
+ struct ssl3CertNodeStr {
+ struct ssl3CertNodeStr *next;
+@@ -298,9 +300,9 @@ typedef struct {
+ } ssl3CipherSuiteCfg;
+
+ #ifndef NSS_DISABLE_ECC
+-#define ssl_V3_SUITES_IMPLEMENTED 61
++#define ssl_V3_SUITES_IMPLEMENTED 71
+ #else
+-#define ssl_V3_SUITES_IMPLEMENTED 37
++#define ssl_V3_SUITES_IMPLEMENTED 43
+ #endif /* NSS_DISABLE_ECC */
+
+ #define MAX_DTLS_SRTP_CIPHER_SUITES 4
+@@ -337,6 +339,7 @@ typedef struct sslOptionsStr {
+ unsigned int enableALPN : 1; /* 27 */
+ unsigned int reuseServerECDHEKey : 1; /* 28 */
+ unsigned int enableFallbackSCSV : 1; /* 29 */
++ unsigned int enableServerDhe : 1; /* 30 */
+ } sslOptions;
+
+ typedef enum { sslHandshakingUndetermined = 0,
+@@ -476,10 +479,18 @@ typedef enum {
+ cipher_camellia_256,
+ cipher_seed,
+ cipher_aes_128_gcm,
++ cipher_aes_256_gcm,
+ cipher_missing /* reserved for no such supported cipher */
+ /* This enum must match ssl3_cipherName[] in ssl3con.c. */
+ } SSL3BulkCipher;
+
++/* The TLS PRF definition */
++typedef enum {
++ prf_null = 0, /* use default prf */
++ prf_256 = CKM_SHA256,
++ prf_384 = CKM_SHA384
++} SSL3PRF;
++
+ typedef enum { type_stream, type_block, type_aead } CipherType;
+
+ #define MAX_IV_LENGTH 24
+@@ -725,6 +736,7 @@ typedef struct ssl3CipherSuiteDefStr {
+ SSL3BulkCipher bulk_cipher_alg;
+ SSL3MACAlgorithm mac_alg;
+ SSL3KeyExchangeAlgorithm key_exchange_alg;
++ SSL3PRF prf_alg;
+ } ssl3CipherSuiteDef;
+
+ /*
+@@ -997,6 +1009,9 @@ struct ssl3StateStr {
+ PRUint16 dtlsSRTPCipherCount;
+ PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */
+ PRBool fatalAlertSent;
++ PRUint16 numDHEGroups; /* used by server */
++ SSLDHEGroupType * dheGroups; /* used by server */
++ PRBool dheWeakGroupEnabled; /* used by server */
+ };
+
+ #define DTLS_MAX_MTU 1500 /* Ethernet MTU but without subtracting the
+@@ -1016,6 +1031,11 @@ struct ssl3KeyPairStr {
+ PRInt32 refCount; /* use PR_Atomic calls for this. */
+ };
+
++struct ssl3DHParamsStr {
++ SECItem prime; /* p */
++ SECItem base; /* g */
++};
++
+ typedef struct SSLWrappedSymWrappingKeyStr {
+ SSL3Opaque wrappedSymmetricWrappingkey[512];
+ CK_MECHANISM_TYPE symWrapMechanism;
+@@ -1224,6 +1244,9 @@ const unsigned char * preferredCipher;
+
+ ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
+
++ const ssl3DHParams *dheParams; /* DHE param */
++ ssl3KeyPair * dheKeyPair; /* DHE keys */
++
+ /* Callbacks */
+ SSLAuthCertificate authCertificate;
+ void *authCertificateArg;
+@@ -1616,6 +1639,8 @@ int ssl3_GatherCompleteHandshake(sslSock
+ */
+ extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
+
++extern SECStatus ssl3_SelectDHParams(sslSocket *ss);
++
+ #ifndef NSS_DISABLE_ECC
+ extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
+ extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
+diff -up ./lib/ssl/sslinfo.c.dhe_and_sha384 ./lib/ssl/sslinfo.c
+--- ./lib/ssl/sslinfo.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/sslinfo.c 2015-06-24 23:06:00.457872472 +0200
+@@ -122,6 +122,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
+
+ #define M_AEAD_128 "AEAD", ssl_mac_aead, 128
+ #define M_SHA256 "SHA256", ssl_hmac_sha256, 256
++#define M_SHA384 "SHA384", ssl_hmac_sha384, 384
+ #define M_SHA "SHA1", ssl_mac_sha, 160
+ #define M_MD5 "MD5", ssl_mac_md5, 128
+ #define M_NULL "NULL", ssl_mac_null, 0
+@@ -135,6 +136,7 @@ static const SSLCipherSuiteInfo suiteInf
+ {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
+ {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
++{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
+ {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_RSA, C_AES, B_256, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA, 1, 0, 0, },
+@@ -145,7 +147,9 @@ static const SSLCipherSuiteInfo suiteInf
+ {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
+ {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
++{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
+ {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
++{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, },
+ {0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
+ {0,CS(TLS_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, },
+@@ -201,8 +205,21 @@ static const SSLCipherSuiteInfo suiteInf
+ {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
+ {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
++
++{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
++{0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
++{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
++{0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, },
++
+ #endif /* NSS_DISABLE_ECC */
+
++{0,CS(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
++{0,CS(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
++{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
++{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
++{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
++{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_SHA384, 1, 0, 0, },
++
+ /* SSL 2 table */
+ {0,CK(SSL_CK_RC4_128_WITH_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
+ {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5), S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
+diff -up ./lib/ssl/sslproto.h.dhe_and_sha384 ./lib/ssl/sslproto.h
+--- ./lib/ssl/sslproto.h.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/sslproto.h 2015-06-24 23:06:00.457872472 +0200
+@@ -177,6 +177,7 @@
+ #define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
+ #define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
+
++#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040
+ #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041
+ #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042
+ #define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043
+@@ -191,6 +192,7 @@
+ #define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065
+ #define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066
+ #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
++#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A
+ #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
+
+ #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084
+@@ -203,8 +205,11 @@
+ #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
+
+ #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
++#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
+ #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
++#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
+ #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
++#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3
+
+ /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
+ * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending
+@@ -251,11 +256,15 @@
+ #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
+
+ #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
++#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
+ #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
++#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
+
+ #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
++#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
+ #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
+ #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
++#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
+ #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
+
+ /* Netscape "experimental" cipher suites. */
+diff -up ./lib/ssl/sslsecur.c.dhe_and_sha384 ./lib/ssl/sslsecur.c
+--- ./lib/ssl/sslsecur.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/sslsecur.c 2015-06-24 23:06:00.457872472 +0200
+@@ -693,6 +693,7 @@ NSS_FindCertKEAType(CERTCertificate * ce
+ case SEC_OID_PKCS1_RSA_ENCRYPTION:
+ keaType = kt_rsa;
+ break;
++ case SEC_OID_ANSIX9_DSA_SIGNATURE: /* hah, signature, not a key? */
+ case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+ keaType = kt_dh;
+ break;
+@@ -789,6 +790,11 @@ ssl_ConfigSecureServer(sslSocket *ss, CE
+ goto loser;
+ }
+ }
++ if (kea == ssl_kea_dh || kea == ssl_kea_rsa) {
++ if (ssl3_SelectDHParams(ss) != SECSuccess) {
++ goto loser;
++ }
++ }
+ return SECSuccess;
+
+ loser:
+diff -up ./lib/ssl/sslsock.c.dhe_and_sha384 ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.dhe_and_sha384 2015-06-24 23:06:00.446872679 +0200
++++ ./lib/ssl/sslsock.c 2015-06-24 23:06:00.458872453 +0200
+@@ -18,6 +18,7 @@
+ #include "blapi.h"
+ #endif
+ #include "nss.h"
++#include "pk11pqg.h"
+
+ #define SET_ERROR_CODE /* reminder */
+
+@@ -82,7 +83,8 @@ static sslOptions ssl_defaults = {
+ PR_TRUE, /* enableNPN */
+ PR_FALSE, /* enableALPN */
+ PR_TRUE, /* reuseServerECDHEKey */
+- PR_FALSE /* enableFallbackSCSV */
++ PR_FALSE, /* enableFallbackSCSV */
++ PR_FALSE, /* enableServerDhe */
+ };
+
+ /*
+@@ -225,6 +227,20 @@ ssl_DupSocket(sslSocket *os)
+ sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount);
+ ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount;
+
++ ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled;
++ ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups;
++ if (os->ssl3.dheGroups) {
++ ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType,
++ os->ssl3.numDHEGroups);
++ if (!ss->ssl3.dheGroups) {
++ goto loser;
++ }
++ PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups,
++ sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups);
++ } else {
++ ss->ssl3.dheGroups = NULL;
++ }
++
+ if (os->cipherSpecs) {
+ ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
+ if (ss->cipherSpecs)
+@@ -267,6 +283,10 @@ ssl_DupSocket(sslSocket *os)
+ ssl3_GetKeyPairRef(os->stepDownKeyPair);
+ ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
+ ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
++ ss->dheKeyPair = !os->dheKeyPair ? NULL :
++ ssl3_GetKeyPairRef(os->dheKeyPair);
++ ss->dheParams = os->dheParams;
++
+ /*
+ * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
+ * XXX We should detect this, and not just march on with NULL pointers.
+@@ -384,6 +404,10 @@ ssl_DestroySocketContents(sslSocket *ss)
+ ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
+ ss->ephemeralECDHKeyPair = NULL;
+ }
++ if (ss->dheKeyPair) {
++ ssl3_FreeKeyPair(ss->dheKeyPair);
++ ss->dheKeyPair = NULL;
++ }
+ SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
+ PORT_Assert(!ss->xtnData.sniNameArr);
+ if (ss->xtnData.sniNameArr) {
+@@ -815,6 +839,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ ss->opt.enableFallbackSCSV = on;
+ break;
+
++ case SSL_ENABLE_SERVER_DHE:
++ ss->opt.enableServerDhe = on;
++ break;
++
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+@@ -890,6 +918,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ on = ss->opt.reuseServerECDHEKey; break;
+ case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
++ case SSL_ENABLE_SERVER_DHE: on = ss->opt.enableServerDhe; break;
+
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -959,6 +988,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
+ case SSL_ENABLE_FALLBACK_SCSV:
+ on = ssl_defaults.enableFallbackSCSV;
+ break;
++ case SSL_ENABLE_SERVER_DHE:
++ on = ssl_defaults.enableServerDhe;
++ break;
+
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -1142,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+ ssl_defaults.enableFallbackSCSV = on;
+ break;
+
++ case SSL_ENABLE_SERVER_DHE:
++ ssl_defaults.enableServerDhe = on;
++ break;
++
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+@@ -1365,7 +1401,204 @@ NSS_SetFrancePolicy(void)
+ return NSS_SetDomesticPolicy();
+ }
+
++SECStatus
++SSL_DHEGroupPrefSet(PRFileDesc *fd,
++ SSLDHEGroupType *groups,
++ PRUint16 num_groups)
++{
++ sslSocket *ss;
++
++ if ((num_groups && !groups) || (!num_groups && groups)) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return SECFailure;
++ }
++
++ ss = ssl_FindSocket(fd);
++ if (!ss) {
++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd));
++ return SECFailure;
++ }
++
++ if (ss->ssl3.dheGroups) {
++ PORT_Free(ss->ssl3.dheGroups);
++ ss->ssl3.dheGroups = NULL;
++ ss->ssl3.numDHEGroups = 0;
++ }
++
++ if (groups) {
++ ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType, num_groups);
++ if (!ss->ssl3.dheGroups) {
++ PORT_SetError(SEC_ERROR_NO_MEMORY);
++ return SECFailure;
++ }
++ PORT_Memcpy(ss->ssl3.dheGroups, groups,
++ sizeof(SSLDHEGroupType) * num_groups);
++ }
++ return SECSuccess;
++}
++
++
++PRCallOnceType gWeakDHParamsRegisterOnce;
++int gWeakDHParamsRegisterError;
++
++PRCallOnceType gWeakDHParamsOnce;
++int gWeakDHParamsError;
++/* As our code allocates type PQGParams, we'll keep it around,
++ * even though we only make use of it's parameters through gWeakDHParam. */
++static PQGParams *gWeakParamsPQG;
++static ssl3DHParams *gWeakDHParams;
++
++static PRStatus
++ssl3_CreateWeakDHParams()
++{
++ PQGVerify *vfy;
++ SECStatus rv, passed;
++
++ PORT_Assert(!gWeakDHParams && !gWeakParamsPQG);
++
++ rv = PK11_PQG_ParamGenV2(1024, 160, 64 /*maximum seed that will work*/,
++ &gWeakParamsPQG, &vfy);
++ if (rv != SECSuccess) {
++ gWeakDHParamsError = PORT_GetError();
++ return PR_FAILURE;
++ }
++
++ rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed);
++ if (rv != SECSuccess || passed != SECSuccess) {
++ SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams",
++ SSL_GETPID()));
++ gWeakDHParamsError = PORT_GetError();
++ return PR_FAILURE;
++ }
++
++ gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams);
++ if (!gWeakDHParams) {
++ gWeakDHParamsError = PORT_GetError();
++ return PR_FAILURE;
++ }
++
++ gWeakDHParams->prime.data = gWeakParamsPQG->prime.data;
++ gWeakDHParams->prime.len = gWeakParamsPQG->prime.len;
++ gWeakDHParams->base.data = gWeakParamsPQG->base.data;
++ gWeakDHParams->base.len = gWeakParamsPQG->base.len;
++
++ PK11_PQG_DestroyVerify(vfy);
++ return PR_SUCCESS;
++}
++
++static SECStatus
++ssl3_WeakDHParamsShutdown(void *appData, void *nssData)
++{
++ if (gWeakParamsPQG) {
++ PK11_PQG_DestroyParams(gWeakParamsPQG);
++ gWeakParamsPQG = NULL;
++ gWeakDHParams = NULL;
++ }
++ return SECSuccess;
++}
++
++static PRStatus
++ssl3_WeakDHParamsRegisterShutdown(void)
++{
++ SECStatus rv;
++ rv = NSS_RegisterShutdown(ssl3_WeakDHParamsShutdown, NULL);
++ if (rv != SECSuccess) {
++ gWeakDHParamsRegisterError = PORT_GetError();
++ }
++ return (PRStatus)rv;
++}
++
++/* global init strategy inspired by ssl3_CreateECDHEphemeralKeys */
++SECStatus
++SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled)
++{
++ sslSocket *ss;
++ PRStatus status;
++
++ if (enabled) {
++ status = PR_CallOnce(&gWeakDHParamsRegisterOnce,
++ ssl3_WeakDHParamsRegisterShutdown);
++ if (status != PR_SUCCESS) {
++ PORT_SetError(gWeakDHParamsRegisterError);
++ return SECFailure;
++ }
++
++ status = PR_CallOnce(&gWeakDHParamsOnce, ssl3_CreateWeakDHParams);
++ if (status != PR_SUCCESS) {
++ PORT_SetError(gWeakDHParamsError);
++ return SECFailure;
++ }
++ }
++
++ if (!fd)
++ return SECSuccess;
++
++ ss = ssl_FindSocket(fd);
++ if (!ss) {
++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd));
++ return SECFailure;
++ }
++
++ ss->ssl3.dheWeakGroupEnabled = enabled;
++ return SECSuccess;
++}
++
++#include "dhe-param.c"
++
++static const SSLDHEGroupType ssl_default_dhe_groups[] = {
++ ssl_ff_dhe_2048_group
++};
++
++/* Keep this array synchronized with the index definitions in SSLDHEGroupType */
++static const ssl3DHParams *all_ssl3DHParams[] = {
++ NULL, /* ssl_dhe_group_none */
++ &ff_dhe_2048,
++ &ff_dhe_3072,
++ &ff_dhe_4096,
++ &ff_dhe_6144,
++ &ff_dhe_8192,
++};
++
++static SSLDHEGroupType
++selectDHEGroup(sslSocket *ss, const SSLDHEGroupType *groups, PRUint16 num_groups)
++{
++ if (!groups || !num_groups)
++ return ssl_dhe_group_none;
++
++ /* We don't have automatic group parameter selection yet
++ * (potentially) based on socket parameters, e.g. key sizes.
++ * For now, we return the first available group from the allowed list. */
++ return groups[0];
++}
++
++/* Ensure DH parameters have been selected */
++SECStatus
++ssl3_SelectDHParams(sslSocket *ss)
++{
++ SSLDHEGroupType selectedGroup = ssl_dhe_group_none;
++
++ if (ss->ssl3.dheWeakGroupEnabled) {
++ ss->dheParams = gWeakDHParams;
++ } else {
++ if (ss->ssl3.dheGroups) {
++ selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups,
++ ss->ssl3.numDHEGroups);
++ } else {
++ size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_groups);
++ selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups,
++ number_of_default_groups);
++ }
++
++ if (selectedGroup == ssl_dhe_group_none ||
++ selectedGroup >= ssl_dhe_group_max) {
++ return SECFailure;
++ }
++
++ ss->dheParams = all_ssl3DHParams[selectedGroup];
++ }
+
++ return SECSuccess;
++}
+
+ /* LOCKS ??? XXX */
+ static PRFileDesc *
+@@ -2992,6 +3225,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+ ss->certStatusArray[i] = NULL;
+ }
+ ss->stepDownKeyPair = NULL;
++
++ ss->dheParams = NULL;
++ ss->dheKeyPair = NULL;
++
+ ss->dbHandle = CERT_GetDefaultCertDB();
+
+ /* Provide default implementation of hooks */
+diff -up ./lib/ssl/sslt.h.dhe_and_sha384 ./lib/ssl/sslt.h
+--- ./lib/ssl/sslt.h.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./lib/ssl/sslt.h 2015-06-24 23:06:00.458872453 +0200
+@@ -91,7 +91,8 @@ typedef enum {
+ ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
+ ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
+ ssl_hmac_sha256 = 5,
+- ssl_mac_aead = 6
++ ssl_mac_aead = 6,
++ ssl_hmac_sha384 = 7
+ } SSLMACAlgorithm;
+
+ typedef enum {
+@@ -197,4 +198,14 @@ typedef enum {
+
+ #define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */
+
++typedef enum {
++ ssl_dhe_group_none = 0,
++ ssl_ff_dhe_2048_group = 1,
++ ssl_ff_dhe_3072_group = 2,
++ ssl_ff_dhe_4096_group = 3,
++ ssl_ff_dhe_6144_group = 4,
++ ssl_ff_dhe_8192_group = 5,
++ ssl_dhe_group_max
++} SSLDHEGroupType;
++
+ #endif /* __sslt_h_ */
+diff -up ./tests/cert/cert.sh.dhe_and_sha384 ./tests/cert/cert.sh
+--- ./tests/cert/cert.sh.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./tests/cert/cert.sh 2015-06-24 23:06:00.458872453 +0200
+@@ -292,6 +292,14 @@ cert_create_cert()
+ return $RET
+ fi
+
++ CU_ACTION="Import DSA Root CA for $CERTNAME"
++ certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \
++ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1
++ if [ "$RET" -ne 0 ]; then
++ return $RET
++ fi
++
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Import EC Root CA for $CERTNAME"
+ certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
+@@ -338,6 +346,60 @@ cert_add_cert()
+ cert_log "SUCCESS: $CERTNAME's Cert Created"
+
+ #
++# Generate and add DSA cert
++#
++ CU_ACTION="Generate DSA Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -z "${R_NOISE_FILE}" -o req 2>&1
++ if [ "$RET" -ne 0 ]; then
++ return $RET
++ fi
++
++ CU_ACTION="Sign ${CERTNAME}'s DSA Request"
++ certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" "$1" 2>&1
++ if [ "$RET" -ne 0 ]; then
++ return $RET
++ fi
++
++ CU_ACTION="Import $CERTNAME's DSA Cert"
++ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \
++ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
++ if [ "$RET" -ne 0 ]; then
++ return $RET
++ fi
++ cert_log "SUCCESS: $CERTNAME's DSA Cert Created"
++
++# Generate DSA certificate signed with RSA
++ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -z "${R_NOISE_FILE}" -o req 2>&1
++ if [ "$RET" -ne 0 ]; then
++ return $RET
++ fi
++
++ CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA"
++# Avoid conflicting serial numbers with TestCA issuer by keeping
++# this set far away. A smaller number risks colliding with the
++# extended ssl user certificates.
++ NEWSERIAL=`expr ${CERTSERIAL} + 20000`
++ certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" "$1" 2>&1
++ if [ "$RET" -ne 0 ]; then
++ return $RET
++ fi
++
++ CU_ACTION="Import $CERTNAME's mixed DSA Cert"
++ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
++ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
++ if [ "$RET" -ne 0 ]; then
++ return $RET
++ fi
++ cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
++
++#
+ # Generate and add EC cert
+ #
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+@@ -430,6 +492,34 @@ cert_all_CA()
+ # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
+ # in the chain
+
++
++#
++# Create DSA version of TestCA
++ ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ cert_dsa_CA $CADIR TestCA-dsa -x "CTu,CTu,CTu" ${D_CA} "1"
++#
++# Create DSA versions of the intermediate CA certs
++ ALL_CU_SUBJECT="CN=NSS Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
++ cert_dsa_CA $SERVER_CADIR serverCA-dsa -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
++ ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
++ cert_dsa_CA $SERVER_CADIR chain-1-serverCA-dsa "-c serverCA-dsa" "u,u,u" ${D_SERVER_CA} "3"
++ ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
++ cert_dsa_CA $SERVER_CADIR chain-2-serverCA-dsa "-c chain-1-serverCA-dsa" "u,u,u" ${D_SERVER_CA} "4"
++
++ ALL_CU_SUBJECT="CN=NSS Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
++ cert_dsa_CA $CLIENT_CADIR clientCA-dsa -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
++ ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
++ cert_dsa_CA $CLIENT_CADIR chain-1-clientCA-dsa "-c clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "6"
++ ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
++ cert_dsa_CA $CLIENT_CADIR chain-2-clientCA-dsa "-c chain-1-clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "7"
++
++ rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert
++# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
++# in the chain
++
++
++
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ #
+ # Create EC version of TestCA
+@@ -540,6 +630,76 @@ CERTSCRIPT
+ cp root.cert ${NICKNAME}.ca.cert
+ }
+
++
++
++
++
++################################ cert_dsa_CA #############################
++# local shell function to build the Temp. Certificate Authority (CA)
++# used for testing purposes, creating a CA Certificate and a root cert
++# This is the ECC version of cert_CA.
++##########################################################################
++cert_dsa_CA()
++{
++ CUR_CADIR=$1
++ NICKNAME=$2
++ SIGNER=$3
++ TRUSTARG=$4
++ DOMAIN=$5
++ CERTSERIAL=$6
++
++ echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME =========================="
++
++ if [ ! -d "${CUR_CADIR}" ]; then
++ mkdir -p "${CUR_CADIR}"
++ fi
++ cd ${CUR_CADIR}
++ pwd
++
++ LPROFILE=.
++ if [ -n "${MULTIACCESS_DBM}" ]; then
++ LPROFILE="multiaccess:${DOMAIN}"
++ fi
++
++ ################# Creating an DSA CA Cert ###############################
++ #
++ CU_ACTION="Creating DSA CA Cert $NICKNAME "
++ CU_SUBJECT=$ALL_CU_SUBJECT
++ certu -S -n $NICKNAME -k dsa -t $TRUSTARG -v 600 $SIGNER \
++ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
++ -m $CERTSERIAL 2>&1 <<CERTSCRIPT
++5
++6
++9
++n
++y
++-1
++n
++5
++6
++7
++9
++n
++CERTSCRIPT
++
++ if [ "$RET" -ne 0 ]; then
++ echo "return value is $RET"
++ Exit 6 "Fatal - failed to create DSA CA cert"
++ fi
++
++ ################# Exporting DSA Root Cert ###############################
++ #
++ CU_ACTION="Exporting DSA Root Cert"
++ certu -L -n $NICKNAME -r -d ${LPROFILE} -o dsaroot.cert
++ if [ "$RET" -ne 0 ]; then
++ Exit 7 "Fatal - failed to export dsa root cert"
++ fi
++ cp dsaroot.cert ${NICKNAME}.ca.cert
++}
++
++
++
++
+ ################################ cert_ec_CA ##############################
+ # local shell function to build the Temp. Certificate Authority (CA)
+ # used for testing purposes, creating a CA Certificate and a root cert
+@@ -742,6 +902,50 @@ cert_extended_ssl()
+ certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
+
++#
++# Repeat the above for DSA certs
++#
++ CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
++ -z "${R_NOISE_FILE}" -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
++ cp ${CERTDIR}/req ${SERVER_CADIR}
++ certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
++ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
++
++ CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)"
++ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \
++ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
++
++ CU_ACTION="Import Client DSA Root CA -t T,, for $CERTNAME (ext.)"
++ certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
++ -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1
++#
++# done with DSA certs
++#
++# Repeat again for mixed DSA certs
++#
++ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
++ -z "${R_NOISE_FILE}" -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
++ cp ${CERTDIR}/req ${SERVER_CADIR}
++ certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \
++ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
++
++ CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)"
++ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
++ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
++
++# CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)"
++# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \
++# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
++# 2>&1
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ #
+ # Repeat the above for EC certs
+@@ -794,7 +998,7 @@ cert_extended_ssl()
+ for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
+ do
+ N=`basename $CA | sed -e "s/.ca.cert//"`
+- if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
++ if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then
+ T="-t C,C,C"
+ else
+ T="-t u,u,u"
+@@ -830,6 +1034,53 @@ cert_extended_ssl()
+ certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
+
++#
++# Repeat the above for DSA certs
++#
++ CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
++ -z "${R_NOISE_FILE}" -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
++ cp ${CERTDIR}/req ${CLIENT_CADIR}
++ certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
++ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
++
++ CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)"
++ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \
++ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
++
++ CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)"
++ certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \
++ -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
++#
++# done with DSA certs
++#
++#
++# Repeat the above for mixed DSA certs
++#
++ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
++ -z "${R_NOISE_FILE}" -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
++ cp ${CERTDIR}/req ${CLIENT_CADIR}
++ certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \
++ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
++
++ CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)"
++ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
++ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
++
++# CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)"
++# certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \
++# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
++#
++# done with mixed DSA certs
++#
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ #
+ # Repeat the above for EC certs
+@@ -883,7 +1134,7 @@ cert_extended_ssl()
+ for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
+ do
+ N=`basename $CA | sed -e "s/.ca.cert//"`
+- if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
++ if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then
+ T="-t T,C,C"
+ else
+ T="-t u,u,u"
+@@ -920,6 +1171,10 @@ cert_ssl()
+ cert_add_cert
+ CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
+ certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
++
++ CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
++ certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+@@ -1467,6 +1722,24 @@ EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or
+
++
++ CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority"
++
++# Until Bug 292285 is resolved, do not encode x400 Addresses. After
++# the bug is resolved, reintroduce "x400Address:x400Address" within
++# addext issuerAltNames ...
++ crlu -q -d $CADIR -G -n "TestCA-dsa" -f ${R_PWFILE} \
++ -o ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI
++update=$CRLUPDATE
++addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
++addext reasonCode 0 4
++addext issuerAltNames 0 "rfc822Name:ca-dsaemail@ca.com|dnsName:ca-dsa.com|directoryName:CN=NSS Test CA (DSA),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-dsa.com|ipAddress:192.168.0.1|registerID=reg CA (DSA)"
++EOF_CRLINI
++ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
++ chmod 600 ${CRL_FILE_GRP_1}_or-dsa
++
++
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
+
+@@ -1500,6 +1773,19 @@ EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or1
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
++
++
++ CU_ACTION="Modify CRL (DSA) by adding one more cert"
++ crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \
++ -i ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI
++update=$CRLUPDATE
++addcert ${CRL_GRP_END} $CRL_GRP_DATE
++EOF_CRLINI
++ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
++ chmod 600 ${CRL_FILE_GRP_1}_or1-dsa
++ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
++
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Modify CRL (ECC) by adding one more cert"
+ crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
+@@ -1524,6 +1810,21 @@ rmcert ${UNREVOKED_CERT_GRP_1}
+ EOF_CRLINI
+ chmod 600 ${CRL_FILE_GRP_1}
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
++
++
++ CU_ACTION="Modify CRL (DSA) by removing one cert"
++ sleep 2
++ CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
++ crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
++ -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
++update=$CRLUPDATE
++rmcert ${UNREVOKED_CERT_GRP_1}
++EOF_CRLINI
++ chmod 600 ${CRL_FILE_GRP_1}
++ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa"
++
++
++
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Modify CRL (ECC) by removing one cert"
+ crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
+diff -up ./tests/ssl/sslcov.txt.dhe_and_sha384 ./tests/ssl/sslcov.txt
+--- ./tests/ssl/sslcov.txt.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./tests/ssl/sslcov.txt 2015-06-24 23:06:00.459872435 +0200
+@@ -35,6 +35,9 @@
+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
++ noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
++ noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
++ noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384
+ # noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ # noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ #
+@@ -86,10 +89,21 @@
+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
++ noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA
++ noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA
++ noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA
++ noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA
++ noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
++ noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256
++ noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256
++ noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256
++ noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
++ noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
++ noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
+ #
+ # ECC ciphers (TLS)
+ #
+@@ -156,6 +170,10 @@
+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
++ ECC TLS12 :C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
++ ECC TLS12 :C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
++ ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
++ ECC TLS12 :0030 TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA384
+diff -up ./tests/ssl/ssl.sh.dhe_and_sha384 ./tests/ssl/ssl.sh
+--- ./tests/ssl/ssl.sh.dhe_and_sha384 2015-06-24 23:06:00.442872754 +0200
++++ ./tests/ssl/ssl.sh 2015-06-24 23:06:00.459872435 +0200
+@@ -92,8 +92,8 @@ ssl_init()
+ ECC_STRING=""
+ fi
+
+- CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
+- CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
++ CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
++ CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
+
+ if [ "${OS_ARCH}" != "WINNT" ]; then
+ ulimit -n 1000 # make sure we have enough file descriptors
+@@ -225,15 +225,16 @@ start_selfserv()
+ fi
+ echo "selfserv starting at `date`"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
+- echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
++ echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
++ echo " $verbose -H 1 &"
+ if [ ${fileout} -eq 1 ]; then
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+- ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
++ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
+ > ${SERVEROUTFILE} 2>&1 &
+ RET=$?
+ else
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+- ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
++ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
+ RET=$?
+ fi
+
+diff -up ./tests/ssl/sslstress.txt.dhe_and_sha384 ./tests/ssl/sslstress.txt
+--- ./tests/ssl/sslstress.txt.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200
++++ ./tests/ssl/sslstress.txt 2015-06-24 23:06:00.459872435 +0200
+@@ -44,6 +44,7 @@
+ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256
+ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM
+ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket)
++ ECC 0 -c_:C009_-u -V_ssl3:_-c_100_-C_:C009_-u Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (session ticket)
+ #
+ # add client auth versions here...
+ #
+@@ -53,3 +54,33 @@
+ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
++
++#
++# ############################ DHE ciphers ############################
++#
++ noECC 0 -c_:0016 -V_ssl3:_-c_100_-C_:0016_-N Stress TLS DHE_RSA_WITH_3DES_EDE_CBC_SHA (no reuse)
++ noECC 0 -c_:0033 -V_ssl3:_-c_1000_-C_:0033 Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA
++
++
++ noECC 0 -c_:0039 -V_ssl3:_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse)
++ noECC 0 -c_:0040 -V_ssl3:_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse)
++
++# noECC 0 -c_:0038_-u -V_ssl3:_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket)
++# use the above session ticket test, once session tickets with DHE_DSS are working
++ noECC 0 -c_:0038 -V_ssl3:_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse)
++
++# noECC 0 -c_:006A -V_ssl3:_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256
++# use the above reuse test, once the session cache with DHE_DSS is working
++ noECC 0 -c_:006A -V_ssl3:_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse
++
++ noECC 0 -c_:006B -V_ssl3:_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse)
++ noECC 0 -c_:009E -V_ssl3:_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse)
++#
++# add client auth versions here...
++#
++ noECC 0 -r_-r_-c_:0032 -V_ssl3:_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth)
++ noECC 0 -r_-r_-c_:0067 -V_ssl3:_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth)
++
++# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth)
++# use the above session ticket test, once session tickets with DHE_DSS are working
++ noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth)
diff --git a/SOURCES/prfnonsha256.patch b/SOURCES/prfnonsha256.patch
new file mode 100644
index 0000000..0f40bd7
--- /dev/null
+++ b/SOURCES/prfnonsha256.patch
@@ -0,0 +1,80 @@
+diff -up ./lib/ssl/ssl3con.c.prfnonsha256 ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.prfnonsha256 2015-06-24 23:06:00.456872491 +0200
++++ ./lib/ssl/ssl3con.c 2015-06-26 01:11:50.986824797 +0200
+@@ -3959,7 +3959,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
+ /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+ * then this will need to be updated. */
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+- ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
++ HASH_HashType ht;
++ CK_MECHANISM_TYPE hm;
++ SECOidTag ot;
++ SECOidData *hashOid;
++
++ hm = ssl3_GetPrfHashMechanism(ss);
++ hashOid = SECOID_FindOIDByMechanism(hm);
++ if (hashOid == NULL) {
++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
++ return SECFailure;
++ }
++ ot = hashOid->offset;
++ ht = HASH_GetHashTypeByOidTag(ot);
++ ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(ht);
+ if (!ss->ssl3.hs.sha_obj) {
+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+ return SECFailure;
+@@ -4601,6 +4614,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
+ ss->ssl3.hs.hashType == handshake_hash_single) {
+ /* compute them without PKCS11 */
+ PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
++ SECOidData *hashOid;
+
+ if (!spec->msItem.data) {
+ PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
+@@ -4611,11 +4625,15 @@ ssl3_ComputeHandshakeHashes(sslSocket *
+ ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
+ sizeof(hashes->u.raw));
+
+- PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
++ PRINT_BUF(60, (NULL, "Hash: result", hashes->u.raw, hashes->len));
++
++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
++ if (hashOid == NULL) {
++ PORT_SetError(SSL_ERROR_DIGEST_FAILURE);
++ return SECFailure;
++ }
++ hashes->hashAlg = hashOid->offset;
+
+- /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+- * then this will need to be updated. */
+- hashes->hashAlg = SEC_OID_SHA256;
+ rv = SECSuccess;
+ } else if (ss->opt.bypassPKCS11) {
+ /* compute them without PKCS11 */
+@@ -4708,6 +4726,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
+ unsigned int stateLen;
+ unsigned char stackBuf[1024];
+ unsigned char *stateBuf = NULL;
++ SECOidData *hashOid;
+
+ if (!spec->master_secret) {
+ PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
+@@ -4728,9 +4747,15 @@ ssl3_ComputeHandshakeHashes(sslSocket *
+ rv = SECFailure;
+ goto tls12_loser;
+ }
+- /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+- * then this will need to be updated. */
+- hashes->hashAlg = SEC_OID_SHA256;
++
++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
++ if (hashOid == NULL) {
++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
++ rv = SECFailure;
++ goto tls12_loser;
++ }
++ hashes->hashAlg = hashOid->offset;
++
+ rv = SECSuccess;
+
+ tls12_loser:
diff --git a/SOURCES/sha384-client-verify.patch b/SOURCES/sha384-client-verify.patch
new file mode 100644
index 0000000..95dfbd2
--- /dev/null
+++ b/SOURCES/sha384-client-verify.patch
@@ -0,0 +1,399 @@
+diff --git a/cmd/strsclnt/strsclnt.c b/cmd/strsclnt/strsclnt.c
+--- a/cmd/strsclnt/strsclnt.c
++++ b/cmd/strsclnt/strsclnt.c
+@@ -117,17 +117,17 @@ static int active_threads = 8; /* number
+ ** connect */
+ static PRInt32 numUsed;
+ /* end of variables protected by threadLock */
+
+ static SSL3Statistics * ssl3stats;
+
+ static int failed_already = 0;
+ static SSLVersionRange enabledVersions;
+-static PRBool enableSSL2 = PR_TRUE;
++static PRBool enableSSL2 = PR_FALSE;
+ static PRBool bypassPKCS11 = PR_FALSE;
+ static PRBool disableLocking = PR_FALSE;
+ static PRBool ignoreErrors = PR_FALSE;
+ static PRBool enableSessionTickets = PR_FALSE;
+ static PRBool enableCompression = PR_FALSE;
+ static PRBool enableFalseStart = PR_FALSE;
+ static PRBool enableCertStatus = PR_FALSE;
+
+@@ -158,17 +158,17 @@ Usage(const char *progName)
+ " 2 -o's mean skip server certificate validation altogether.\n"
+ " -D means no TCP delays\n"
+ " -q means quit when server gone (timeout rather than retry forever)\n"
+ " -s means disable SSL socket locking\n"
+ " -N means no session reuse\n"
+ " -P means do a specified percentage of full handshakes (0-100)\n"
+ " -V [min]:[max] restricts the set of enabled SSL/TLS protocols versions.\n"
+ " All versions are enabled by default.\n"
+- " Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
++ " Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
+ " Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
+ " -U means enable throttling up threads\n"
+ " -B bypasses the PKCS11 layer for SSL encryption and MACing\n"
+ " -T enable the cert_status extension (OCSP stapling)\n"
+ " -u enable TLS Session Ticket extension\n"
+ " -z enable compression\n"
+ " -g enable false start\n",
+ progName);
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -242,25 +242,32 @@ static const /*SSL3ClientCertificateType
+ #endif /* NSS_DISABLE_ECC */
+ ct_DSS_sign,
+ };
+
+ /* This block is the contents of the supported_signature_algorithms field of
+ * our TLS 1.2 CertificateRequest message, in wire format. See
+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
+ *
+- * This block contains only sha256 entries because we only support TLS 1.2
+- * CertificateVerify messages that use the handshake hash. */
+-static const PRUint8 supported_signature_algorithms[] = {
++ * We only support TLS 1.2
++ * CertificateVerify messages that use the handshake PRF hash. */
++static const PRUint8 supported_signature_algorithms_sha256[] = {
+ tls_hash_sha256, tls_sig_rsa,
+ #ifndef NSS_DISABLE_ECC
+ tls_hash_sha256, tls_sig_ecdsa,
+ #endif
+ tls_hash_sha256, tls_sig_dsa,
+ };
++static const PRUint8 supported_signature_algorithms_sha384[] = {
++ tls_hash_sha384, tls_sig_rsa,
++#ifndef NSS_DISABLE_ECC
++ tls_hash_sha384, tls_sig_ecdsa,
++#endif
++ tls_hash_sha384, tls_sig_dsa,
++};
+
+ #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
+
+
+ /* This global item is used only in servers. It is is initialized by
+ ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
+ */
+ CERTDistNames *ssl3_server_ca_list = NULL;
+@@ -4018,17 +4025,18 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+ return SECFailure;
+ }
+
+ /* Create a backup SHA-1 hash for a potential client auth
+ * signature.
+ *
+ * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
+- * handshake hash function (SHA-256). If the server or the client
++ * handshake PRF hash function (either SHA-256 or SHA384).
++ * If the server or the client
+ * does not support SHA-256 as a signature hash, we can either
+ * maintain a backup SHA-1 handshake hash or buffer all handshake
+ * messages.
+ */
+ if (!ss->sec.isServer) {
+ ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
+ if (ss->ssl3.hs.backupHash == NULL) {
+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+@@ -4750,16 +4758,24 @@ ssl3_ComputeHandshakeHashes(sslSocket *
+
+ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
+ if (hashOid == NULL) {
+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+ rv = SECFailure;
+ goto tls12_loser;
+ }
+ hashes->hashAlg = hashOid->offset;
++ PORT_Assert(hashes->hashAlg == SEC_OID_SHA256 ||
++ hashes->hashAlg == SEC_OID_SHA384);
++ if (hashes->hashAlg != SEC_OID_SHA256 &&
++ hashes->hashAlg != SEC_OID_SHA384) {
++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
++ rv = SECFailure;
++ goto tls12_loser;
++ }
+
+ rv = SECSuccess;
+
+ tls12_loser:
+ if (stateBuf) {
+ if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+ rv = SECFailure;
+@@ -7015,58 +7031,76 @@ done:
+ if (pubk)
+ SECKEY_DestroyPublicKey(pubk);
+ return rv;
+ }
+
+ /* Destroys the backup handshake hash context if we don't need it. Note that
+ * this function selects the hash algorithm for client authentication
+ * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
+- * to determine whether to use SHA-1 or SHA-256. */
++ * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */
+ static void
+ ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
+ const SECItem *algorithms)
+ {
+ SECStatus rv;
+ TLSSignatureAlgorithm sigAlg;
+ PRBool preferSha1;
+ PRBool supportsSha1 = PR_FALSE;
+- PRBool supportsSha256 = PR_FALSE;
++ PRBool supportsHandshakeHash = PR_FALSE;
+ PRBool needBackupHash = PR_FALSE;
+ unsigned int i;
++ SECOidData *hashOid;
++ TLSHashAlgoritm suitePRFHash;
++ PRBool suitePRFIs256Or384 = PR_FALSE;
+
+ #ifndef NO_PKCS11_BYPASS
+ /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
+ if (ss->opt.bypassPKCS11) {
+ PORT_Assert(!ss->ssl3.hs.backupHash);
+ return;
+ }
+ #endif
+ PORT_Assert(ss->ssl3.hs.backupHash);
+
+ /* Determine the key's signature algorithm and whether it prefers SHA-1. */
+ rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
++ if (hashOid == NULL) {
++ rv = SECFailure;
++ goto done;
++ }
++
++ if (hashOid->offset == SEC_OID_SHA256) {
++ suitePRFHash = tls_hash_sha256;
++ suitePRFIs256Or384 = PR_TRUE;
++ } else if (hashOid->offset == SEC_OID_SHA384) {
++ suitePRFHash = tls_hash_sha384;
++ suitePRFIs256Or384 = PR_TRUE;
++ }
++
+ /* Determine the server's hash support for that signature algorithm. */
+ for (i = 0; i < algorithms->len; i += 2) {
+ if (algorithms->data[i+1] == sigAlg) {
+ if (algorithms->data[i] == tls_hash_sha1) {
+ supportsSha1 = PR_TRUE;
+- } else if (algorithms->data[i] == tls_hash_sha256) {
+- supportsSha256 = PR_TRUE;
+- }
+- }
+- }
+-
+- /* If either the server does not support SHA-256 or the client key prefers
+- * SHA-1, leave the backup hash. */
+- if (supportsSha1 && (preferSha1 || !supportsSha256)) {
++ } else if (suitePRFIs256Or384 &&
++ algorithms->data[i] == suitePRFHash) {
++ supportsHandshakeHash = PR_TRUE;
++ }
++ }
++ }
++
++ /* If either the server does not support SHA-256/384, or the client key
++ * prefers SHA-1, leave the backup hash. */
++ if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) {
+ needBackupHash = PR_TRUE;
+ }
+
+ done:
+ if (!needBackupHash) {
+ PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
+ ss->ssl3.hs.backupHash = NULL;
+ }
+@@ -9226,16 +9260,17 @@ ssl3_SendCertificateRequest(sslSocket *s
+ SECItem * names = NULL;
+ SECStatus rv;
+ int length;
+ int i;
+ int calen = 0;
+ int nnames = 0;
+ int certTypesLength;
+ int sigAlgsLength;
++ SECOidData *hashOid;
+
+ SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
+ SSL_GETPID(), ss->fd));
+
+ PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+ isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
+@@ -9252,18 +9287,30 @@ ssl3_SendCertificateRequest(sslSocket *s
+ }
+
+ for (i = 0, name = names; i < nnames; i++, name++) {
+ calen += 2 + name->len;
+ }
+
+ certTypes = certificate_types;
+ certTypesLength = sizeof certificate_types;
+- sigAlgs = supported_signature_algorithms;
+- sigAlgsLength = sizeof supported_signature_algorithms;
++
++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
++ if (hashOid == NULL) {
++ return SECFailure; /* err set by AppendHandshake. */
++ }
++ if (hashOid->offset == SEC_OID_SHA256) {
++ sigAlgs = supported_signature_algorithms_sha256;
++ sigAlgsLength = sizeof supported_signature_algorithms_sha256;
++ } else if (hashOid->offset == SEC_OID_SHA384) {
++ sigAlgs = supported_signature_algorithms_sha384;
++ sigAlgsLength = sizeof supported_signature_algorithms_sha384;
++ } else {
++ return SECFailure; /* err set by AppendHandshake. */
++ }
+
+ length = 1 + certTypesLength + 2 + calen;
+ if (isTLS12) {
+ length += 2 + sigAlgsLength;
+ }
+
+ rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
+ if (rv != SECSuccess) {
+diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h
+--- a/lib/ssl/ssl3prot.h
++++ b/lib/ssl/ssl3prot.h
+@@ -216,24 +216,24 @@ typedef struct {
+ SSL3ServerRSAParams rsa;
+ } u;
+ } SSL3ServerParams;
+
+ /* This enum reflects HashAlgorithm enum from
+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
+ *
+ * When updating, be sure to also update ssl3_TLSHashAlgorithmToOID. */
+-enum {
++typedef enum {
+ tls_hash_md5 = 1,
+ tls_hash_sha1 = 2,
+ tls_hash_sha224 = 3,
+ tls_hash_sha256 = 4,
+ tls_hash_sha384 = 5,
+ tls_hash_sha512 = 6
+-};
++} TLSHashAlgoritm;
+
+ /* This enum reflects SignatureAlgorithm enum from
+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+ typedef enum {
+ tls_sig_rsa = 1,
+ tls_sig_dsa = 2,
+ tls_sig_ecdsa = 3
+ } TLSSignatureAlgorithm;
+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+--- a/tests/ssl/ssl.sh
++++ b/tests/ssl/ssl.sh
+@@ -64,16 +64,17 @@ ssl_init()
+ # Test case files
+ if [ "${NSS_NO_SSL2}" = "1" ]; then
+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
+ else
+ SSLCOV=${QADIR}/ssl/sslcov.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ fi
++ SSLAUTH=${QADIR}/ssl/sslauth.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+ #temparary files
+ SERVEROUTFILE=${TMP}/tests_server.$$
+ SERVERPID=${TMP}/tests_pid.$$
+
+ R_SERVERPID=../tests_pid.$$
+
+@@ -87,18 +88,18 @@ ssl_init()
+ NORM_EXT=""
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ ECC_STRING=" - with ECC"
+ else
+ ECC_STRING=""
+ fi
+
+- CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
+- CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
++ CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz"
++ CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027:C028:C02B:C02C:C02F:C030:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz"
+
+ if [ "${OS_ARCH}" != "WINNT" ]; then
+ ulimit -n 1000 # make sure we have enough file descriptors
+ fi
+
+ cd ${CLIENTDIR}
+ }
+
+@@ -119,17 +120,17 @@ is_selfserv_alive()
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+- if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
++ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
+ echo "No server to kill"
+ else
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+ fi
+
+ echo "selfserv with PID ${PID} found at `date`"
+ }
+
+@@ -221,25 +222,26 @@ start_selfserv()
+ ECC_OPTIONS=""
+ fi
+ if [ "$1" = "mixed" ]; then
+ ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
+ fi
+ echo "selfserv starting at `date`"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
+ echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
+- echo " $verbose -H 1 &"
++ echo " $verbose -H 1 -V ssl3: &"
+ if [ ${fileout} -eq 1 ]; then
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
+- > ${SERVEROUTFILE} 2>&1 &
++ -V ssl3:> ${SERVEROUTFILE} 2>&1 &
+ RET=$?
+ else
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
++ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
++ -V ssl3: &
+ RET=$?
+ fi
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have selfserv save its PID
+diff --git a/tests/ssl/sslcov.txt b/tests/ssl/sslcov.txt
+--- a/tests/ssl/sslcov.txt
++++ b/tests/ssl/sslcov.txt
+@@ -171,9 +171,9 @@
+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- ECC TLS12 :0030 TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA384
++ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA384
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 6447fc5..550c56c 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -3,7 +3,7 @@
# adjust to the version that gets submitted for FIPS validation
%global nss_softokn_fips_version 3.16.2
%global nss_softokn_version 3.16.2.3
-%global required_softokn_build_version -9
+%global required_softokn_build_version -11
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -23,7 +23,7 @@
Summary: Network Security Services
Name: nss
Version: 3.19.1
-Release: 3%{?dist}
+Release: 5%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -105,6 +105,13 @@ Patch56: p-ignore-setpolicy.patch
# Patch to keep the TLS protocol versions that are enabled by default
Patch98: nss-revert-tls-version-defaults.patch
Patch99: ssl-server-min-key-sizes.patch
+# Add support for sha384 tls cipher suites, dss ciper suites, and
+# server-side dhe key exchange
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
+# TODO: File upstream bug for sha384 tls cipher suites support
+Patch101: dhe-sha384-dss-support.patch
+Patch102: prfnonsha256.patch
+Patch103: sha384-client-verify.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -204,6 +211,11 @@ popd
%patch56 -p0 -b .1026677
%patch98 -p0 -b .keep_tls_default
%patch99 -p0 -b .min_key_sizes
+pushd nss
+%patch101 -p1 -b .dhe_and_sha384
+%patch102 -p1 -b .prfnonsha256
+%patch103 -p1 -b .sha384_client_verify
+popd
#########################################################
# Higher-level libraries and test tools need access to
@@ -232,6 +244,13 @@ done
%{__rm} -rf ./nss/cmd/fipstest
%{__rm} -rf ./nss/cmd/rsaperf_low
+pushd nss/tests/ssl
+# Create versions of sslcov.txt and sslstress.txt that disable tests
+# for SSL2 and EXPORT ciphers.
+cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt
+cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt
+popd
+
%build
export NSS_NO_SSL2=1
@@ -784,6 +803,16 @@ fi
%changelog
+* Mon Jun 29 2015 Kai Engert <kaie@redhat.com> - 3.19.1-5
+- Incremental patches to fix SSL/TLS test suite execution,
+ fix the earlier SHA384 patch, and inform clients to use SHA384 with
+ certificate_verify if required by NSS.
+
+* Thu Jun 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-4
+- Add support for sha384 tls cipher suites
+- Add support for server-side hde key exchange
+- Add support for DSS+SHA256 ciphersuites
+
* Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-3
- Reenable a patch that had been mistakenly disabled
- Resolves: Bug 1224451