diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch index 6ed54ef..6690a46 100644 --- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch +++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch @@ -92,200 +92,3 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by # default in libssl but it is enabled by default in tstclnt; we want # to test the libssl default whenever possible. -diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt -new file mode 100644 ---- /dev/null -+++ b/tests/ssl/sslcov.noSSL2orExport.txt -@@ -0,0 +1,134 @@ -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+# -+# This file enables test coverage of the various SSL ciphers -+# -+# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We -+# mix up the enable functions so we can tests boths paths. -+# -+# Enable Enable Cipher Test Name -+# EC TLS -+# -+# -+ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5 -+ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA -+ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5 -+ noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA -+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA -+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA -+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA -+# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA -+# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA -+# -+ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5 -+ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA -+ noECC TLS10 i TLS_RSA_WITH_NULL_MD5 -+ noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA -+ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA -+ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA -+ noECC TLS10 z TLS_RSA_WITH_NULL_SHA -+# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA -+# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA -+# -+# -+ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5 -+ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA -+ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5 -+ noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA -+ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA -+ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA -+ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA -+# -+ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5 -+ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA -+ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5 -+ noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA -+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA -+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA -+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA -+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 -+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 -+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 -+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 -+# -+# ECC ciphers (TLS) -+# -+ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA -+ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA -+ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA -+ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA -+ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA -+ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA -+ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA -+ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA -+ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -+# -+ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA -+ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA -+ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA -+ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA -+ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA -+ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA -+ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA -+ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA -+ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA -+# -+ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA -+ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA -+ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA -+ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA -+ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA -+ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA -+ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA -+ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA -+ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt -new file mode 100644 ---- /dev/null -+++ b/tests/ssl/sslstress.noSSL2orExport.txt -@@ -0,0 +1,53 @@ -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+# -+# This file defines the stress tests for SSL/TLS. -+# -+# expected -+# Enable return server client Test Case name -+# ECC value params params -+# ------- ------ ------ ------ --------------- -+ noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 -+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 -+ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) -+ noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) -+ noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) -+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) -+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) -+ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) -+ -+# -+# add client auth versions here... -+# -+ noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) -+ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) -+ noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) -+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) -+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) -+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) -+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) -+ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) -+ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) -+ -+# -+# ############################ ECC ciphers ############################ -+# -+ ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) -+ ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) -+ ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse) -+ ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) -+ ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) -+ ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA -+ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 -+ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM -+ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) -+# -+# add client auth versions here... -+# -+ ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) -+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth) -+ ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) -+ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) -+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) -+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth) diff --git a/SOURCES/dhe-sha384-dss-support.patch b/SOURCES/dhe-sha384-dss-support.patch new file mode 100644 index 0000000..3474df4 --- /dev/null +++ b/SOURCES/dhe-sha384-dss-support.patch @@ -0,0 +1,3215 @@ +diff -up ./cmd/certutil/keystuff.c.dhe_and_sha384 ./cmd/certutil/keystuff.c +--- ./cmd/certutil/keystuff.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./cmd/certutil/keystuff.c 2015-06-24 23:06:00.450872604 +0200 +@@ -133,64 +133,92 @@ UpdateRNG(void) + } + + static const unsigned char P[] = { 0, +- 0x98, 0xef, 0x3a, 0xae, 0x70, 0x98, 0x9b, 0x44, +- 0xdb, 0x35, 0x86, 0xc1, 0xb6, 0xc2, 0x47, 0x7c, +- 0xb4, 0xff, 0x99, 0xe8, 0xae, 0x44, 0xf2, 0xeb, +- 0xc3, 0xbe, 0x23, 0x0f, 0x65, 0xd0, 0x4c, 0x04, +- 0x82, 0x90, 0xa7, 0x9d, 0x4a, 0xc8, 0x93, 0x7f, +- 0x41, 0xdf, 0xf8, 0x80, 0x6b, 0x0b, 0x68, 0x7f, +- 0xaf, 0xe4, 0xa8, 0xb5, 0xb2, 0x99, 0xc3, 0x69, +- 0xfb, 0x3f, 0xe7, 0x1b, 0xd0, 0x0f, 0xa9, 0x7a, +- 0x4a, 0x04, 0xbf, 0x50, 0x9e, 0x22, 0x33, 0xb8, +- 0x89, 0x53, 0x24, 0x10, 0xf9, 0x68, 0x77, 0xad, +- 0xaf, 0x10, 0x68, 0xb8, 0xd3, 0x68, 0x5d, 0xa3, +- 0xc3, 0xeb, 0x72, 0x3b, 0xa0, 0x0b, 0x73, 0x65, +- 0xc5, 0xd1, 0xfa, 0x8c, 0xc0, 0x7d, 0xaa, 0x52, +- 0x29, 0x34, 0x44, 0x01, 0xbf, 0x12, 0x25, 0xfe, +- 0x18, 0x0a, 0xc8, 0x3f, 0xc1, 0x60, 0x48, 0xdb, +- 0xad, 0x93, 0xb6, 0x61, 0x67, 0xd7, 0xa8, 0x2d }; ++ 0xc6, 0x2a, 0x47, 0x73, 0xea, 0x78, 0xfa, 0x65, ++ 0x47, 0x69, 0x39, 0x10, 0x08, 0x55, 0x6a, 0xdd, ++ 0xbf, 0x77, 0xe1, 0x9a, 0x69, 0x73, 0xba, 0x66, ++ 0x37, 0x08, 0x93, 0x9e, 0xdb, 0x5d, 0x01, 0x08, ++ 0xb8, 0x3a, 0x73, 0xe9, 0x85, 0x5f, 0xa7, 0x2b, ++ 0x63, 0x7f, 0xd0, 0xc6, 0x4c, 0xdc, 0xfc, 0x8b, ++ 0xa6, 0x03, 0xc9, 0x9c, 0x80, 0x5e, 0xec, 0xc6, ++ 0x21, 0x23, 0xf7, 0x8e, 0xa4, 0x7b, 0x77, 0x83, ++ 0x02, 0x44, 0xf8, 0x05, 0xd7, 0x36, 0x52, 0x13, ++ 0x57, 0x78, 0x97, 0xf3, 0x7b, 0xcf, 0x1f, 0xc9, ++ 0x2a, 0xa4, 0x71, 0x9d, 0xa8, 0xd8, 0x5d, 0xc5, ++ 0x3b, 0x64, 0x3a, 0x72, 0x60, 0x62, 0xb0, 0xb8, ++ 0xf3, 0xb1, 0xe7, 0xb9, 0x76, 0xdf, 0x74, 0xbe, ++ 0x87, 0x6a, 0xd2, 0xf1, 0xa9, 0x44, 0x8b, 0x63, ++ 0x76, 0x4f, 0x5d, 0x21, 0x63, 0xb5, 0x4f, 0x3c, ++ 0x7b, 0x61, 0xb2, 0xf3, 0xea, 0xc5, 0xd8, 0xef, ++ 0x30, 0x50, 0x59, 0x33, 0x61, 0xc0, 0xf3, 0x6e, ++ 0x21, 0xcf, 0x15, 0x35, 0x4a, 0x87, 0x2b, 0xc3, ++ 0xf6, 0x5a, 0x1f, 0x24, 0x22, 0xc5, 0xeb, 0x47, ++ 0x34, 0x4a, 0x1b, 0xb5, 0x2e, 0x71, 0x52, 0x8f, ++ 0x2d, 0x7d, 0xa9, 0x96, 0x8a, 0x7c, 0x61, 0xdb, ++ 0xc0, 0xdc, 0xf1, 0xca, 0x28, 0x69, 0x1c, 0x97, ++ 0xad, 0xea, 0x0d, 0x9e, 0x02, 0xe6, 0xe5, 0x7d, ++ 0xad, 0xe0, 0x42, 0x91, 0x4d, 0xfa, 0xe2, 0x81, ++ 0x16, 0x2b, 0xc2, 0x96, 0x3b, 0x32, 0x8c, 0x20, ++ 0x69, 0x8b, 0x5b, 0x17, 0x3c, 0xf9, 0x13, 0x6c, ++ 0x98, 0x27, 0x1c, 0xca, 0xcf, 0x33, 0xaa, 0x93, ++ 0x21, 0xaf, 0x17, 0x6e, 0x5e, 0x00, 0x37, 0xd9, ++ 0x34, 0x8a, 0x47, 0xd2, 0x1c, 0x67, 0x32, 0x60, ++ 0xb6, 0xc7, 0xb0, 0xfd, 0x32, 0x90, 0x93, 0x32, ++ 0xaa, 0x11, 0xba, 0x23, 0x19, 0x39, 0x6a, 0x42, ++ 0x7c, 0x1f, 0xb7, 0x28, 0xdb, 0x64, 0xad, 0xd9 }; + static const unsigned char Q[] = { 0, +- 0xb5, 0xb0, 0x84, 0x8b, 0x44, 0x29, 0xf6, 0x33, +- 0x59, 0xa1, 0x3c, 0xbe, 0xd2, 0x7f, 0x35, 0xa1, +- 0x76, 0x27, 0x03, 0x81 }; ++ 0xe6, 0xa3, 0xc9, 0xc6, 0x51, 0x92, 0x8b, 0xb3, ++ 0x98, 0x8f, 0x97, 0xb8, 0x31, 0x0d, 0x4a, 0x03, ++ 0x1e, 0xba, 0x4e, 0xe6, 0xc8, 0x90, 0x98, 0x1d, ++ 0x3a, 0x95, 0xf4, 0xf1 }; + static const unsigned char G[] = { +- 0x04, 0x0e, 0x83, 0x69, 0xf1, 0xcd, 0x7d, 0xe5, +- 0x0c, 0x78, 0x93, 0xd6, 0x49, 0x6f, 0x00, 0x04, +- 0x4e, 0x0e, 0x6c, 0x37, 0xaa, 0x38, 0x22, 0x47, +- 0xd2, 0x58, 0xec, 0x83, 0x12, 0x95, 0xf9, 0x9c, +- 0xf1, 0xf4, 0x27, 0xff, 0xd7, 0x99, 0x57, 0x35, +- 0xc6, 0x64, 0x4c, 0xc0, 0x47, 0x12, 0x31, 0x50, +- 0x82, 0x3c, 0x2a, 0x07, 0x03, 0x01, 0xef, 0x30, +- 0x09, 0x89, 0x82, 0x41, 0x76, 0x71, 0xda, 0x9e, +- 0x57, 0x8b, 0x76, 0x38, 0x37, 0x5f, 0xa5, 0xcd, +- 0x32, 0x84, 0x45, 0x8d, 0x4c, 0x17, 0x54, 0x2b, +- 0x5d, 0xc2, 0x6b, 0xba, 0x3e, 0xa0, 0x7b, 0x95, +- 0xd7, 0x00, 0x42, 0xf7, 0x08, 0xb8, 0x83, 0x87, +- 0x60, 0xe1, 0xe5, 0xf4, 0x1a, 0x54, 0xc2, 0x20, +- 0xda, 0x38, 0x3a, 0xd1, 0xb6, 0x10, 0xf4, 0xcb, +- 0x35, 0xda, 0x97, 0x92, 0x87, 0xd6, 0xa5, 0x37, +- 0x62, 0xb4, 0x93, 0x4a, 0x15, 0x21, 0xa5, 0x10 }; ++ 0x70, 0x32, 0x58, 0x5d, 0xb3, 0xbf, 0xc3, 0x62, ++ 0x63, 0x0b, 0xf8, 0xa5, 0xe1, 0xed, 0xeb, 0x79, ++ 0xac, 0x18, 0x41, 0x64, 0xb3, 0xda, 0x4c, 0xa7, ++ 0x92, 0x63, 0xb1, 0x33, 0x7c, 0xcb, 0x43, 0xdc, ++ 0x1f, 0x38, 0x63, 0x5e, 0x0e, 0x6d, 0x45, 0xd1, ++ 0xc9, 0x67, 0xf3, 0xcf, 0x3d, 0x2d, 0x16, 0x4e, ++ 0x92, 0x16, 0x06, 0x59, 0x29, 0x89, 0x6f, 0x54, ++ 0xff, 0xc5, 0x71, 0xc8, 0x3a, 0x95, 0x84, 0xb6, ++ 0x7e, 0x7b, 0x1e, 0x8b, 0x47, 0x9d, 0x7a, 0x3a, ++ 0x36, 0x9b, 0x70, 0x2f, 0xd1, 0xbd, 0xef, 0xe8, ++ 0x3a, 0x41, 0xd4, 0xf3, 0x1f, 0x81, 0xc7, 0x1f, ++ 0x96, 0x7c, 0x30, 0xab, 0xf4, 0x7a, 0xac, 0x93, ++ 0xed, 0x6f, 0x67, 0xb0, 0xc9, 0x5b, 0xf3, 0x83, ++ 0x9d, 0xa0, 0xd7, 0xb9, 0x01, 0xed, 0x28, 0xae, ++ 0x1c, 0x6e, 0x2e, 0x48, 0xac, 0x9f, 0x7d, 0xf3, ++ 0x00, 0x48, 0xee, 0x0e, 0xfb, 0x7e, 0x5e, 0xcb, ++ 0xf5, 0x39, 0xd8, 0x92, 0x90, 0x61, 0x2d, 0x1e, ++ 0x3c, 0xd3, 0x55, 0x0d, 0x34, 0xd1, 0x81, 0xc4, ++ 0x89, 0xea, 0x94, 0x2b, 0x56, 0x33, 0x73, 0x58, ++ 0x48, 0xbf, 0x23, 0x72, 0x19, 0x5f, 0x19, 0xac, ++ 0xff, 0x09, 0xc8, 0xcd, 0xab, 0x71, 0xef, 0x9e, ++ 0x20, 0xfd, 0xe3, 0xb8, 0x27, 0x9e, 0x65, 0xb1, ++ 0x85, 0xcd, 0x88, 0xfe, 0xd4, 0xd7, 0x64, 0x4d, ++ 0xe1, 0xe8, 0xa6, 0xe5, 0x96, 0xc8, 0x5d, 0x9c, ++ 0xc6, 0x70, 0x6b, 0xba, 0x77, 0x4e, 0x90, 0x4a, ++ 0xb0, 0x96, 0xc5, 0xa0, 0x9e, 0x2c, 0x01, 0x03, ++ 0xbe, 0xbd, 0x71, 0xba, 0x0a, 0x6f, 0x9f, 0xe5, ++ 0xdb, 0x04, 0x08, 0xf2, 0x9e, 0x0f, 0x1b, 0xac, ++ 0xcd, 0xbb, 0x65, 0x12, 0xcf, 0x77, 0xc9, 0x7d, ++ 0xbe, 0x94, 0x4b, 0x9c, 0x5b, 0xde, 0x0d, 0xfa, ++ 0x57, 0xdd, 0x77, 0x32, 0xf0, 0x5b, 0x34, 0xfd, ++ 0x19, 0x95, 0x33, 0x60, 0x87, 0xe2, 0xa2, 0xf4 }; + +-/* h: +- * 4a:76:30:89:eb:e1:81:7c:99:0b:39:7f:95:4a:65:72: +- * c6:b4:05:92:48:6c:3c:b2:7e:e7:39:f3:92:7d:c1:3f: +- * bf:e1:fd:b3:4a:46:3e:ce:29:80:e3:d6:f4:59:c6:92: +- * 16:2b:0e:d7:d6:bb:ef:94:36:31:c2:66:46:c5:4a:77: +- * aa:95:84:ef:99:7e:e3:9c:d9:a0:32:42:09:b6:4e:d0: +- * b3:c8:5e:06:df:a1:ac:4d:2d:f9:08:c2:cb:4b:a4:42: +- * db:8a:5b:de:25:6e:2b:5b:ca:00:75:2c:57:00:18:aa: +- * 68:59:a1:94:03:07:94:78:38:bc:f8:7c:1e:1c:a3:2e +- * SEED: +- * b5:44:66:c9:0f:f1:ca:1c:95:45:ce:90:74:89:14:f2: +- * 13:3e:23:5a:b0:6a:bf:86:ad:cb:a0:7d:ce:3b:c8:16: +- * 7f:2d:a2:1a:cb:33:7d:c1:e7:d7:07:aa:1b:a2:d7:89: +- * f5:a4:db:f7:8b:50:00:cd:b4:7d:25:81:3f:f8:a8:dd: +- * 6c:46:e5:77:b5:60:7e:75:79:b8:99:57:c1:c4:f3:f7: +- * 17:ca:43:00:b8:33:b6:06:8f:4d:91:ed:23:a5:66:1b: +- * ef:14:d7:bc:21:2b:82:d8:ab:fa:fd:a7:c3:4d:bf:52: +- * af:8e:57:59:61:1a:4e:65:c6:90:d6:a6:ff:0b:15:b1 +- * g: 1024 +- * counter: 1003 ++ ++/* P, Q, G have been generated using the NSS makepqg utility: ++ * makepqg -l 2048 -g 224 -r ++ * (see also: bug 1170322) ++ * ++ * h: 1 (0x1) ++ * SEED: ++ * d2:0b:c5:63:1b:af:dc:36:b7:7c:b9:3e:36:01:a0:8f: ++ * 0e:be:d0:38:e4:78:d5:3c:7c:9e:a9:9a:d2:0b:c5:63: ++ * 1b:af:dc:36:b7:7c:b9:3e:36:01:a0:8f:0e:be:d0:38: ++ * e4:78:d5:3c:7c:9e:c7:70:d2:0b:c5:63:1b:af:dc:36: ++ * b7:7c:b9:3e:36:01:a0:8f:0e:be:d0:38:e4:78:d5:3c: ++ * 7c:9e:aa:3e ++ * g: 672 ++ * counter: 0 + */ + + static const SECKEYPQGParams default_pqg_params = { +diff -up ./cmd/selfserv/selfserv.c.dhe_and_sha384 ./cmd/selfserv/selfserv.c +--- ./cmd/selfserv/selfserv.c.dhe_and_sha384 2015-06-24 23:06:00.423873110 +0200 ++++ ./cmd/selfserv/selfserv.c 2015-06-24 23:06:00.453872547 +0200 +@@ -119,16 +119,16 @@ const int ssl3CipherSuites[] = { + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ + TLS_RSA_WITH_RC4_128_SHA, /* n */ +- -1, /* TLS_DHE_DSS_WITH_RC4_128_SHA, * o */ +- -1, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, * p */ +- -1, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, * q */ +- -1, /* TLS_DHE_RSA_WITH_DES_CBC_SHA, * r */ +- -1, /* TLS_DHE_DSS_WITH_DES_CBC_SHA, * s */ +- -1, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA, * t */ +- -1, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA, * u */ ++ TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ ++ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ ++ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ ++ TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */ ++ TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */ ++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ + TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ +- -1, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, * w */ +- -1, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA, * x */ ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ + TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ + TLS_RSA_WITH_NULL_SHA, /* z */ + 0 +@@ -141,6 +141,9 @@ static PRBool noDelay; + static int requestCert; + static int verbose; + static SECItem bigBuf; ++static int configureDHE = -1; /* -1: don't configure, 0 disable, >=1 enable*/ ++static int configureReuseECDHE = -1; /* -1: don't configure, 0 refresh, >=1 reuse*/ ++static int configureWeakDHE = -1; /* -1: don't configure, 0 disable, >=1 enable*/ + + static PRThread * acceptorThread; + +@@ -160,11 +163,12 @@ PrintUsageHeader(const char *progName) + " [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n" + " [-V [min-version]:[max-version]] [-a sni_name]\n" + " [ T ] [-A ca]\n" ++" [-C SSLCacheEntries] [-S dsa_nickname]" + #ifndef NSS_DISABLE_ECC +-" [-C SSLCacheEntries] [-e ec_nickname]\n" +-#else +-" [-C SSLCacheEntries]\n" ++ " [-e ec_nickname]" + #endif /* NSS_DISABLE_ECC */ ++"\n" ++" -U [0|1] -H [0|1] -W [0|1]\n" + ,progName); + } + +@@ -216,6 +220,9 @@ PrintParameterUsage() + " good, revoked, unknown, failure, badsig, corrupted\n" + " ocsp: fetch from external OCSP server using AIA, or none\n" + "-A Nickname of a CA used to sign a stapled cert status\n" ++"-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n" ++"-H override default DHE server support, 0: disable, 1: enable\n" ++"-W override default DHE server weak parameters support, 0: disable, 1: enable\n" + "-c Restrict ciphers\n" + "-Y prints cipher values allowed for parameter -c and exits\n" + , stderr); +@@ -252,7 +259,16 @@ PrintCipherUsage(const char *progName) + "l SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n" + "m SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n" + "n SSL3 RSA WITH RC4 128 SHA\n" ++"o TLS_DHE_DSS_WITH_RC4_128_SHA\n" ++"p TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\n" ++"q TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\n" ++"r TLS_DHE_RSA_WITH_DES_CBC_SHA\n" ++"s TLS_DHE_DSS_WITH_DES_CBC_SHA\n" ++"t TLS_DHE_DSS_WITH_AES_128_CBC_SHA\n" ++"u TLS_DHE_RSA_WITH_AES_128_CBC_SHA\n" + "v SSL3 RSA WITH AES 128 CBC SHA\n" ++"w TLS_DHE_DSS_WITH_AES_256_CBC_SHA\n" ++"x TLS_DHE_RSA_WITH_AES_256_CBC_SHA\n" + "y SSL3 RSA WITH AES 256 CBC SHA\n" + "z SSL3 RSA WITH NULL SHA\n" + "\n" +@@ -1909,6 +1925,18 @@ server_main( + } + } + ++ if (configureDHE > -1) { ++ rv = SSL_OptionSet(model_sock, SSL_ENABLE_SERVER_DHE, (configureDHE > 0)); ++ } ++ ++ if (configureReuseECDHE > -1) { ++ rv = SSL_OptionSet(model_sock, SSL_REUSE_SERVER_ECDHE_KEY, (configureReuseECDHE > 0)); ++ } ++ ++ if (configureWeakDHE > -1) { ++ rv = SSL_EnableWeakDHEPrimeGroup(model_sock, (configureWeakDHE > 0)); ++ } ++ + for (kea = kt_rsa; kea < kt_kea_size; kea++) { + if (cert[kea] != NULL) { + secStatus = SSL_ConfigSecureServer(model_sock, +@@ -2140,6 +2168,7 @@ main(int argc, char **argv) + #ifndef NSS_DISABLE_ECC + char * ecNickName = NULL; + #endif ++ char * dsaNickName = NULL; + const char * fileName = NULL; + char * cipherString= NULL; + const char * dir = "."; +@@ -2184,7 +2213,7 @@ main(int argc, char **argv) + ** numbers, then capital letters, then lower case, alphabetical. + */ + optstate = PL_CreateOptState(argc, argv, +- "2:A:BC:DEL:M:NP:RT:V:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz"); ++ "2:A:BC:DEH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + ++optionsFound; + switch(optstate->option) { +@@ -2198,6 +2227,7 @@ main(int argc, char **argv) + + case 'D': noDelay = PR_TRUE; break; + case 'E': disableStepDown = PR_TRUE; break; ++ case 'H': configureDHE = (PORT_Atoi(optstate->value) != 0); break; + + case 'I': /* reserved for OCSP multi-stapling */ break; + +@@ -2221,6 +2251,8 @@ main(int argc, char **argv) + + case 'R': disableRollBack = PR_TRUE; break; + ++ case 'S': dsaNickName = PORT_Strdup(optstate->value); break; ++ + case 'T': + if (enableOCSPStapling(optstate->value) != SECSuccess) { + fprintf(stderr, "Invalid OCSP stapling mode.\n"); +@@ -2229,6 +2261,8 @@ main(int argc, char **argv) + } + break; + ++ case 'U': configureReuseECDHE = (PORT_Atoi(optstate->value) != 0); break; ++ + case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value, + enabledVersions, enableSSL2, + &enabledVersions, &enableSSL2) != SECSuccess) { +@@ -2236,6 +2270,8 @@ main(int argc, char **argv) + } + break; + ++ case 'W': configureWeakDHE = (PORT_Atoi(optstate->value) != 0); break; ++ + case 'Y': PrintCipherUsage(progName); exit(0); break; + + case 'a': if (virtServerNameIndex >= MAX_VIRT_SERVER_NAME_ARRAY_INDEX) { +@@ -2366,6 +2402,7 @@ main(int argc, char **argv) + } + + if ((nickName == NULL) ++ && (dsaNickName == NULL) + #ifndef NSS_DISABLE_ECC + && (ecNickName == NULL) + #endif +@@ -2597,6 +2634,33 @@ main(int argc, char **argv) + setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_rsa], kt_rsa, + &pwdata); + } ++ if (dsaNickName) { ++ /* Investigate if ssl_kea_dh should be changed to ssl_auth_dsa. ++ * See bug 102794.*/ ++ cert[ssl_kea_dh] = PK11_FindCertFromNickname(dsaNickName, &pwdata); ++ if (cert[ssl_kea_dh] == NULL) { ++ fprintf(stderr, "selfserv: Can't find certificate %s\n", dsaNickName); ++ exit(12); ++ } ++ privKey[ssl_kea_dh] = PK11_FindKeyByAnyCert(cert[ssl_kea_dh], &pwdata); ++ if (privKey[ssl_kea_dh] == NULL) { ++ fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n", ++ dsaNickName); ++ exit(11); ++ } ++ if (testbypass) { ++ PRBool bypassOK; ++ if (SSL_CanBypass(cert[ssl_kea_dh], privKey[ssl_kea_dh], protos, cipherlist, ++ nciphers, &bypassOK, &pwdata) != SECSuccess) { ++ SECU_PrintError(progName, "Bypass test failed %s\n", nickName); ++ exit(14); ++ } ++ fprintf(stderr, "selfserv: %s can%s bypass\n", nickName, ++ bypassOK ? "" : "not"); ++ } ++ setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh, ++ &pwdata); ++ } + #ifndef NSS_DISABLE_ECC + if (ecNickName) { + cert[kt_ecdh] = PK11_FindCertFromNickname(ecNickName, &pwdata); +@@ -2629,6 +2693,13 @@ main(int argc, char **argv) + if (testbypass) + goto cleanup; + ++ if (configureWeakDHE > 0) { ++ fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n"); ++ rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE); ++ fprintf(stderr, "selfserv: Done creating dynamic weak DH parameters\n"); ++ } ++ ++ + /* allocate the array of thread slots, and launch the worker threads. */ + rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads); + +diff -up ./cmd/tstclnt/tstclnt.c.dhe_and_sha384 ./cmd/tstclnt/tstclnt.c +--- ./cmd/tstclnt/tstclnt.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./cmd/tstclnt/tstclnt.c 2015-06-24 23:06:00.454872529 +0200 +@@ -212,7 +212,7 @@ static void PrintParameterUsage(void) + fprintf(stderr, + "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n" + "%-20s All versions are enabled by default.\n" +- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n" ++ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n" + "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n", + "-V [min]:[max]", "", "", ""); + fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K"); +@@ -911,7 +911,7 @@ int main(int argc, char **argv) + int npds; + int override = 0; + SSLVersionRange enabledVersions; +- PRBool enableSSL2 = PR_TRUE; ++ PRBool enableSSL2 = PR_FALSE; + int bypassPKCS11 = 0; + int disableLocking = 0; + int useExportPolicy = 0; +diff -up ./lib/ssl/dhe-param.c.dhe_and_sha384 ./lib/ssl/dhe-param.c +--- ./lib/ssl/dhe-param.c.dhe_and_sha384 2015-06-24 23:06:00.454872529 +0200 ++++ ./lib/ssl/dhe-param.c 2015-06-24 23:06:00.454872529 +0200 +@@ -0,0 +1,413 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++static const unsigned char ff_dhe_g2[] = { 2 }; ++ ++static const unsigned char ff_dhe_2048_p[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, ++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, ++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, ++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, ++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, ++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, ++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, ++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, ++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, ++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, ++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, ++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, ++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, ++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, ++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, ++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, ++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, ++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, ++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, ++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, ++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, ++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, ++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, ++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, ++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, ++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, ++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, ++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, ++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, ++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++}; ++ ++static const ssl3DHParams ff_dhe_2048 = { ++ { siBuffer, (unsigned char *)ff_dhe_2048_p, sizeof(ff_dhe_2048_p) }, ++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) }, ++}; ++ ++static const unsigned char ff_dhe_3072_p[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, ++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, ++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, ++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, ++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, ++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, ++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, ++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, ++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, ++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, ++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, ++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, ++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, ++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, ++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, ++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, ++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, ++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, ++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, ++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, ++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, ++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, ++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, ++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, ++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, ++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, ++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, ++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, ++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, ++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, ++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, ++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, ++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, ++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, ++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, ++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, ++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, ++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, ++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, ++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, ++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, ++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, ++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, ++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, ++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, ++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++}; ++ ++static const ssl3DHParams ff_dhe_3072 = { ++ { siBuffer, (unsigned char *)ff_dhe_3072_p, sizeof(ff_dhe_3072_p) }, ++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) }, ++}; ++ ++static const unsigned char ff_dhe_4096_p[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, ++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, ++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, ++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, ++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, ++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, ++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, ++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, ++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, ++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, ++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, ++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, ++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, ++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, ++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, ++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, ++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, ++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, ++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, ++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, ++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, ++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, ++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, ++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, ++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, ++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, ++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, ++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, ++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, ++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, ++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, ++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, ++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, ++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, ++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, ++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, ++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, ++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, ++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, ++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, ++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, ++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, ++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, ++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, ++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, ++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, ++ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, ++ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, ++ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, ++ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, ++ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, ++ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, ++ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, ++ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, ++ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, ++ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, ++ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, ++ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, ++ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, ++ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, ++ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, ++ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++}; ++ ++static const ssl3DHParams ff_dhe_4096 = { ++ { siBuffer, (unsigned char *)ff_dhe_4096_p, sizeof(ff_dhe_4096_p) }, ++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) }, ++}; ++ ++static const unsigned char ff_dhe_6144_p[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, ++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, ++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, ++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, ++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, ++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, ++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, ++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, ++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, ++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, ++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, ++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, ++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, ++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, ++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, ++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, ++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, ++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, ++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, ++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, ++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, ++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, ++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, ++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, ++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, ++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, ++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, ++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, ++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, ++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, ++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, ++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, ++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, ++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, ++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, ++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, ++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, ++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, ++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, ++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, ++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, ++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, ++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, ++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, ++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, ++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, ++ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, ++ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, ++ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, ++ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, ++ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, ++ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, ++ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, ++ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, ++ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, ++ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, ++ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, ++ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, ++ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, ++ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, ++ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, ++ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, ++ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, ++ 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, ++ 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, ++ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, ++ 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, ++ 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, ++ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, ++ 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, ++ 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, ++ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, ++ 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, ++ 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, ++ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, ++ 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, ++ 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, ++ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, ++ 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, ++ 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, ++ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, ++ 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, ++ 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, ++ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, ++ 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, ++ 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, ++ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, ++ 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, ++ 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, ++ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, ++ 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, ++ 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, ++ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, ++ 0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++}; ++ ++static const ssl3DHParams ff_dhe_6144 = { ++ { siBuffer, (unsigned char *)ff_dhe_6144_p, sizeof(ff_dhe_6144_p) }, ++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) }, ++}; ++ ++static const unsigned char ff_dhe_8192_p[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, ++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, ++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, ++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, ++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, ++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, ++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, ++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, ++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, ++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, ++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, ++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, ++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, ++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, ++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, ++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, ++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, ++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, ++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, ++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, ++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, ++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, ++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, ++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, ++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, ++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, ++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, ++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, ++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, ++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, ++ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, ++ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, ++ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, ++ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, ++ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, ++ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, ++ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, ++ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, ++ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, ++ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, ++ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, ++ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, ++ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, ++ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, ++ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, ++ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, ++ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, ++ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, ++ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, ++ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, ++ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, ++ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, ++ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, ++ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, ++ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, ++ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, ++ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, ++ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, ++ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, ++ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, ++ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, ++ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, ++ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, ++ 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, ++ 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, ++ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, ++ 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, ++ 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, ++ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, ++ 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, ++ 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, ++ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, ++ 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, ++ 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, ++ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, ++ 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, ++ 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, ++ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, ++ 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, ++ 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, ++ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, ++ 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, ++ 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, ++ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, ++ 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, ++ 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, ++ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, ++ 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, ++ 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, ++ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, ++ 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, ++ 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, ++ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, ++ 0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, ++ 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, ++ 0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, ++ 0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, ++ 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, ++ 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, ++ 0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, ++ 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, ++ 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, ++ 0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, ++ 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, ++ 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, ++ 0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, ++ 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, ++ 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, ++ 0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, ++ 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, ++ 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, ++ 0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, ++ 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, ++ 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, ++ 0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, ++ 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, ++ 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, ++ 0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, ++ 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, ++ 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, ++ 0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, ++ 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, ++ 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, ++ 0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, ++ 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, ++ 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++}; ++ ++static const ssl3DHParams ff_dhe_8192 = { ++ { siBuffer, (unsigned char *)ff_dhe_8192_p, sizeof(ff_dhe_8192_p) }, ++ { siBuffer, (unsigned char *)ff_dhe_g2, sizeof(ff_dhe_g2) }, ++}; +diff -up ./lib/ssl/ssl3con.c.dhe_and_sha384 ./lib/ssl/ssl3con.c +--- ./lib/ssl/ssl3con.c.dhe_and_sha384 2015-06-24 23:06:00.448872641 +0200 ++++ ./lib/ssl/ssl3con.c 2015-06-24 23:06:00.456872491 +0200 +@@ -91,7 +91,11 @@ static ssl3CipherSuiteCfg cipherSuites[s + + #ifndef NSS_DISABLE_ECC + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around + * bug 946147. + */ +@@ -108,14 +112,19 @@ static ssl3CipherSuiteCfg cipherSuites[s + #endif /* NSS_DISABLE_ECC */ + + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +@@ -134,6 +143,7 @@ static ssl3CipherSuiteCfg cipherSuites[s + #endif /* NSS_DISABLE_ECC */ + + /* RSA */ ++ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +@@ -281,6 +291,7 @@ static const ssl3BulkCipherDef bulk_ciph + {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, + {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, + {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, ++ {cipher_aes_256_gcm, calg_aes_gcm, 32,32, type_aead, 4, 0,16, 8}, + {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, + }; + +@@ -316,131 +327,145 @@ static const ssl3CipherSuiteDef cipher_s + { + /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ + +- {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, +- {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, +- {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, +- {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa}, +- {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, +- {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, +- {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, ++ {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null, 0}, ++ {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa, 0}, ++ {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa, 0}, ++ {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa, prf_256}, ++ {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export, 0}, ++ {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa, 0}, ++ {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa, 0}, + {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, +- cipher_rc2_40, mac_md5, kea_rsa_export}, ++ cipher_rc2_40, mac_md5, kea_rsa_export, 0}, + #if 0 /* not implemented */ +- {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, ++ {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa, 0}, + {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, +- cipher_des40, mac_sha, kea_rsa_export}, ++ cipher_des40, mac_sha, kea_rsa_export, 0}, + #endif +- {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, +- {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, +- {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss}, ++ {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa, 0}, ++ {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa, 0}, ++ {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss, 0}, + {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, +- cipher_3des, mac_sha, kea_dhe_dss}, +- {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss}, ++ cipher_3des, mac_sha, kea_dhe_dss, 0}, ++ {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss, 0}, + #if 0 /* not implemented */ + {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, +- cipher_des40, mac_sha, kea_dh_dss_export}, +- {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, +- {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, ++ cipher_des40, mac_sha, kea_dh_dss_export, 0}, ++ {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss, 0}, ++ {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss, 0}, + {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, +- cipher_des40, mac_sha, kea_dh_rsa_export}, +- {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, +- {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, ++ cipher_des40, mac_sha, kea_dh_rsa_export, 0}, ++ {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa, 0}, ++ {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa, 0}, + {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, +- cipher_des40, mac_sha, kea_dh_dss_export}, ++ cipher_des40, mac_sha, kea_dh_dss_export, 0}, + {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, +- cipher_des40, mac_sha, kea_dh_rsa_export}, ++ cipher_des40, mac_sha, kea_dh_rsa_export, 0}, + #endif +- {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, ++ {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa, 0}, + {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, +- cipher_3des, mac_sha, kea_dhe_rsa}, ++ cipher_3des, mac_sha, kea_dhe_rsa, 0}, + #if 0 +- {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export}, ++ {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export, 0}, + {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA, +- cipher_des40, mac_sha, kea_dh_anon_export}, +- {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon}, +- {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, ++ cipher_des40, mac_sha, kea_dh_anon_export, 0}, ++ {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon, 0}, ++ {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon, 0}, + #endif + + + /* New TLS cipher suites */ +- {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, +- {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa}, +- {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, +- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, +- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa}, +- {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, +- {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa}, +- {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, +- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, +- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa}, ++ {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa, 0}, ++ {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa, prf_256}, ++ {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss, 0}, ++ {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa, 0}, ++ {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa, prf_256}, ++ {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa, 0}, ++ {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa, prf_256}, ++ {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss, 0}, ++ {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa, 0}, ++ {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa, prf_256}, + #if 0 +- {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss}, +- {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, +- {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, +- {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, +- {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, +- {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, ++ {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss, 0}, ++ {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa, 0}, ++ {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon, 0}, ++ {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss, 0}, ++ {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa, 0}, ++ {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon, 0}, + #endif + +- {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa}, ++ {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa, 0}, + +- {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa}, ++ {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa, 0}, + {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, +- cipher_camellia_128, mac_sha, kea_dhe_dss}, ++ cipher_camellia_128, mac_sha, kea_dhe_dss, 0}, + {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, +- cipher_camellia_128, mac_sha, kea_dhe_rsa}, +- {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa}, ++ cipher_camellia_128, mac_sha, kea_dhe_rsa, 0}, ++ {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa, 0}, + {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, +- cipher_camellia_256, mac_sha, kea_dhe_dss}, ++ cipher_camellia_256, mac_sha, kea_dhe_dss, 0}, + {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, +- cipher_camellia_256, mac_sha, kea_dhe_rsa}, ++ cipher_camellia_256, mac_sha, kea_dhe_rsa, 0}, + + {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, +- cipher_des, mac_sha,kea_rsa_export_1024}, ++ cipher_des, mac_sha,kea_rsa_export_1024, 0}, + {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, +- cipher_rc4_56, mac_sha,kea_rsa_export_1024}, ++ cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0}, + +- {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, +- {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, ++ {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0}, ++ {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips, 0}, + +- {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, +- {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, ++ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256}, ++ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256}, ++#ifndef NSS_DISABLE_ECC + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, ++ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256}, ++ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256}, ++ {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384}, ++ {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384}, ++ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384}, ++ {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384}, ++#endif /* NSS_DISABLE_ECC */ ++ {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, prf_384}, ++ {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, prf_256}, ++ {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, prf_384}, ++ {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, prf_256}, ++ {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, prf_256}, ++ {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, prf_384}, + + #ifndef NSS_DISABLE_ECC +- {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, +- {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, +- {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}, +- {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa}, +- {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa}, +- +- {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa}, +- {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa}, +- {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa}, +- {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa}, +- {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa}, +- {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa}, +- +- {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa}, +- {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa}, +- {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa}, +- {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa}, +- {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa}, +- +- {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa}, +- {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa}, +- {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa}, +- {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa}, +- {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa}, +- {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa}, ++ {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa, 0}, ++ {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa, 0}, ++ {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, 0}, ++ {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, 0}, ++ {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, 0}, ++ ++ {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa, 0}, ++ {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa, 0}, ++ {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa, 0}, ++ {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa, 0}, ++ {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa, prf_256}, ++ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa, 0}, ++ ++ {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa, 0}, ++ {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa, 0}, ++ {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa, 0}, ++ {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa, 0}, ++ {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa, 0}, ++ ++ {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa, 0}, ++ {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa, 0}, ++ {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa, 0}, ++ {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa, 0}, ++ {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa, prf_256}, ++ {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa, 0}, + + #if 0 +- {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon}, +- {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon}, +- {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon}, +- {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon}, +- {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon}, ++ {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon, 0}, ++ {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon, 0}, ++ {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon, 0}, ++ {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon, 0}, ++ {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon, 0}, + #endif + #endif /* NSS_DISABLE_ECC */ + }; +@@ -481,6 +506,7 @@ static const SSLCipher2Mech alg2Mech[] = + #define mmech_md5_hmac CKM_MD5_HMAC + #define mmech_sha_hmac CKM_SHA_1_HMAC + #define mmech_sha256_hmac CKM_SHA256_HMAC ++#define mmech_sha384_hmac CKM_SHA384_HMAC + + static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ + /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ +@@ -492,6 +518,7 @@ static const ssl3MACDef mac_defs[] = { / + {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, + {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, + { mac_aead, mmech_invalid, 0, 0 }, ++ {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH} + }; + + /* indexed by SSL3BulkCipher */ +@@ -640,16 +667,26 @@ ssl3_CipherSuiteAllowedForVersionRange( + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: + case TLS_RSA_WITH_AES_256_CBC_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: ++ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: ++ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_RSA_WITH_AES_128_CBC_SHA256: + case TLS_RSA_WITH_AES_128_GCM_SHA256: ++ case TLS_RSA_WITH_AES_256_GCM_SHA384: ++ case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: ++ case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: + case TLS_RSA_WITH_NULL_SHA256: + return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; + + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: ++ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: ++ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: ++ case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: ++ case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: ++ case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: + return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; + + /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and +@@ -772,16 +809,11 @@ ssl3_config_match_init(sslSocket *ss) + * that the server uses an RSA cert for (EC)DHE-RSA. + */ + switch (cipher_def->key_exchange_alg) { ++ case kea_dhe_dss: ++ svrAuth = ss->serverCerts + ssl_kea_dh; ++ break; + case kea_ecdhe_rsa: +-#if NSS_SERVER_DHE_IMPLEMENTED +- /* XXX NSS does not yet implement the server side of _DHE_ +- * cipher suites. Correcting the computation for svrAuth, +- * as the case below does, causes NSS SSL servers to begin to +- * negotiate cipher suites they do not implement. So, until +- * server side _DHE_ is implemented, keep this disabled. +- */ + case kea_dhe_rsa: +-#endif + svrAuth = ss->serverCerts + kt_rsa; + break; + case kea_ecdh_ecdsa: +@@ -793,6 +825,8 @@ ssl3_config_match_init(sslSocket *ss) + * simultaneously. For now, both of them use + * whatever is in the certificate slot for kt_ecdh + */ ++ case kea_dhe_dss_export: ++ case kea_dhe_rsa_export: + default: + svrAuth = ss->serverCerts + exchKeyType; + break; +@@ -829,11 +863,22 @@ ssl3_config_match_init(sslSocket *ss) + * cipher suite. */ + static PRBool + config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, +- const SSLVersionRange *vrange) ++ const SSLVersionRange *vrange, const sslSocket *ss) + { ++ const ssl3CipherSuiteDef *cipher_def; ++ + PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); + if (policy == SSL_NOT_ALLOWED || !enabled) +- return PR_FALSE; ++ return PR_FALSE; ++ ++ cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); ++ PORT_Assert(cipher_def != NULL); ++ ++ PORT_Assert(ss != NULL); ++ if (ss->sec.isServer && !ss->opt.enableServerDhe && ++ kea_defs[cipher_def->key_exchange_alg].exchKeyType == ssl_kea_dh) ++ return PR_FALSE; ++ + return (PRBool)(suite->enabled && + suite->isPresent && + suite->policy != SSL_NOT_ALLOWED && +@@ -854,7 +899,7 @@ count_cipher_suites(sslSocket *ss, int p + return 0; + } + for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { +- if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange)) ++ if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange, ss)) + count++; + } + if (count <= 0) { +@@ -2321,6 +2366,9 @@ ssl3_ComputeRecordMAC( + case ssl_hmac_sha256: /* used with TLS */ + hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); + break; ++ case ssl_hmac_sha384: /* used with TLS */ ++ hashObj = HASH_GetRawHashObject(HASH_AlgSHA384); ++ break; + default: + break; + } +@@ -3563,6 +3611,17 @@ ssl3_HandleChangeCipherSpecs(sslSocket * + return SECSuccess; + } + ++static CK_MECHANISM_TYPE ++ssl3_GetPrfHashMechanism(sslSocket *ss) ++{ ++ SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg; ++ ++ if (prf_alg == 0) ++ return CKM_SHA256; ++ ++ return prf_alg; ++} ++ + /* This method uses PKCS11 to derive the MS from the PMS, where PMS + ** is a PKCS11 symkey. This is used in all cases except the + ** "triple bypass" with RSA key exchange. +@@ -3592,15 +3651,17 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P + SECItem params; + CK_FLAGS keyFlags; + CK_VERSION pms_version; +- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; ++ /* master_params may be used as a CK_SSL3_MASTER_KEY_DERIVE_PARAMS */ ++ CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params; ++ unsigned int master_params_len; + + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); + PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); + PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); + if (isTLS12) { +- if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; +- else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256; +- key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; ++ if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH; ++ else master_derive = CKM_TLS12_MASTER_KEY_DERIVE; ++ key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; + keyFlags = CKF_SIGN | CKF_VERIFY; + } else if (isTLS) { + if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; +@@ -3624,6 +3685,12 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P + master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; + master_params.RandomInfo.pServerRandom = sr; + master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; ++ if (isTLS12) { ++ master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); ++ master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS); ++ } else { ++ master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); ++ } + + params.data = (unsigned char *) &master_params; + params.len = sizeof master_params; +@@ -3756,7 +3823,9 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke + PK11SymKey * symKey = NULL; + void * pwArg = ss->pkcs11PinArg; + int keySize; +- CK_SSL3_KEY_MAT_PARAMS key_material_params; ++ CK_TLS12_KEY_MAT_PARAMS key_material_params; /* may be used as a ++ * CK_SSL3_KEY_MAT_PARAMS */ ++ unsigned int key_material_params_len; + CK_SSL3_KEY_MAT_OUT returnedKeys; + CK_MECHANISM_TYPE key_derive; + CK_MECHANISM_TYPE bulk_mechanism; +@@ -3810,17 +3879,21 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke + PORT_Assert( alg2Mech[calg].calg == calg); + bulk_mechanism = alg2Mech[calg].cmech; + +- params.data = (unsigned char *)&key_material_params; +- params.len = sizeof(key_material_params); +- + if (isTLS12) { +- key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; ++ key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; ++ key_material_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); ++ key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS); + } else if (isTLS) { + key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; ++ key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); + } else { + key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; ++ key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); + } + ++ params.data = (unsigned char *)&key_material_params; ++ params.len = key_material_params_len; ++ + /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and + * DERIVE by DEFAULT */ + symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, +@@ -3883,9 +3956,9 @@ ssl3_InitHandshakeHashes(sslSocket *ss) + #ifndef NO_PKCS11_BYPASS + if (ss->opt.bypassPKCS11) { + PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone); ++ /* If we ever support ciphersuites where the PRF hash isn't SHA-256 ++ * then this will need to be updated. */ + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { +- /* If we ever support ciphersuites where the PRF hash isn't SHA-256 +- * then this will need to be updated. */ + ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256); + if (!ss->ssl3.hs.sha_obj) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); +@@ -3909,9 +3982,19 @@ ssl3_InitHandshakeHashes(sslSocket *ss) + * that the master secret will wind up in ... + */ + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { +- /* If we ever support ciphersuites where the PRF hash isn't SHA-256 +- * then this will need to be updated. */ +- ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256); ++ /* determine the hash from the prf */ ++ const SECOidData *hash_oid; ++ ++ PORT_Assert(ss->ssl3.hs.suite_def); ++ /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_alg) ++ * Convert that to the OidTag. ++ * We can then use that OidTag to create our PK11Context */ ++ hash_oid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); ++ if (hash_oid == NULL) { ++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); ++ return SECFailure; ++ } ++ ss->ssl3.hs.sha = PK11_CreateDigestContext(hash_oid->offset); + if (ss->ssl3.hs.sha == NULL) { + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); + return SECFailure; +@@ -5279,7 +5362,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo + } + for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; +- if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { ++ if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange, ss)) { + actual_count++; + if (actual_count > num_suites) { + if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } +@@ -6305,13 +6388,6 @@ ssl3_HandleServerHello(sslSocket *ss, SS + } + isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); + +- rv = ssl3_InitHandshakeHashes(ss); +- if (rv != SECSuccess) { +- desc = internal_error; +- errCode = PORT_GetError(); +- goto alert_loser; +- } +- + rv = ssl3_ConsumeHandshake( + ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); + if (rv != SECSuccess) { +@@ -6338,7 +6414,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; + if (temp == suite->cipher_suite) { + SSLVersionRange vrange = {ss->version, ss->version}; +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { ++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { + /* config_match already checks whether the cipher suite is + * acceptable for the version, but the check is repeated here + * in order to give a more precise error code. */ +@@ -6390,6 +6466,14 @@ ssl3_HandleServerHello(sslSocket *ss, SS + } + ss->ssl3.hs.compression = (SSLCompressionMethod)temp; + ++ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */ ++ rv = ssl3_InitHandshakeHashes(ss); ++ if (rv != SECSuccess) { ++ desc = internal_error; ++ errCode = PORT_GetError(); ++ goto alert_loser; ++ } ++ + /* Note that if !isTLS and the extra stuff is not extensions, we + * do NOT goto alert_loser. + * There are some old SSL 3.0 implementations that do send stuff +@@ -7609,6 +7693,22 @@ ssl3_SendServerHelloSequence(sslSocket * + /* An empty TLS Renegotiation Info (RI) extension */ + static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00}; + ++static PRBool ++ssl3_KEAAllowsSessionTicket(SSL3KeyExchangeAlgorithm kea) ++{ ++ switch (kea) { ++ case kea_dhe_dss: ++ case kea_dhe_dss_export: ++ case kea_dh_dss_export: ++ case kea_dh_dss: ++ /* TODO: Fix session tickets for DSS. The server code rejects the ++ * session ticket received from the client. Bug 1174677 */ ++ return PR_FALSE; ++ default: ++ return PR_TRUE; ++ }; ++} ++ + /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete + * ssl3 Client Hello message. + * Caller must hold Handshake and RecvBuf locks. +@@ -7631,6 +7731,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS + SECItem comps = {siBuffer, NULL, 0}; + PRBool haveSpecWriteLock = PR_FALSE; + PRBool haveXmitBufLock = PR_FALSE; ++ PRBool canOfferSessionTicket = PR_FALSE; + + SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", + SSL_GETPID(), ss->fd)); +@@ -7704,13 +7805,6 @@ ssl3_HandleClientHello(sslSocket *ss, SS + goto alert_loser; + } + +- rv = ssl3_InitHandshakeHashes(ss); +- if (rv != SECSuccess) { +- desc = internal_error; +- errCode = PORT_GetError(); +- goto alert_loser; +- } +- + /* grab the client random data. */ + rv = ssl3_ConsumeHandshake( + ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); +@@ -7870,8 +7964,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS + * resuming.) + */ + if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) { +- ssl3_RegisterServerHelloExtensionSender(ss, +- ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn); ++ canOfferSessionTicket = PR_TRUE; + } + + if (sid != NULL) { +@@ -7950,7 +8043,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS + * The product policy won't change during the process lifetime. + * Implemented ("isPresent") shouldn't change for servers. + */ +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) ++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) + break; + #else + if (!suite->enabled) +@@ -7999,7 +8092,7 @@ ssl3_HandleClientHello(sslSocket *ss, SS + for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; + SSLVersionRange vrange = {ss->version, ss->version}; +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { ++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { + continue; + } + for (i = 0; i + 1 < suites.len; i += 2) { +@@ -8016,6 +8109,15 @@ ssl3_HandleClientHello(sslSocket *ss, SS + goto alert_loser; + + suite_found: ++ if (canOfferSessionTicket) ++ canOfferSessionTicket = ssl3_KEAAllowsSessionTicket( ++ ss->ssl3.hs.suite_def->key_exchange_alg); ++ ++ if (canOfferSessionTicket) { ++ ssl3_RegisterServerHelloExtensionSender(ss, ++ ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn); ++ } ++ + /* Select a compression algorithm. */ + for (i = 0; i < comps.len; i++) { + if (!compressionEnabled(ss, comps.data[i])) +@@ -8036,6 +8138,14 @@ compression_found: + suites.data = NULL; + comps.data = NULL; + ++ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */ ++ rv = ssl3_InitHandshakeHashes(ss); ++ if (rv != SECSuccess) { ++ desc = internal_error; ++ errCode = PORT_GetError(); ++ goto alert_loser; ++ } ++ + ss->sec.send = ssl3_SendApplicationData; + + /* If there are any failures while processing the old sid, +@@ -8479,13 +8589,6 @@ ssl3_HandleV2ClientHello(sslSocket *ss, + goto alert_loser; + } + +- rv = ssl3_InitHandshakeHashes(ss); +- if (rv != SECSuccess) { +- desc = internal_error; +- errCode = PORT_GetError(); +- goto alert_loser; +- } +- + /* if we get a non-zero SID, just ignore it. */ + if (length != + SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { +@@ -8533,7 +8636,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, + for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; + SSLVersionRange vrange = {ss->version, ss->version}; +- if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { ++ if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { + continue; + } + for (i = 0; i+2 < suite_length; i += 3) { +@@ -8572,6 +8675,15 @@ suite_found: + } + + ss->ssl3.hs.compression = ssl_compression_null; ++ ++ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */ ++ rv = ssl3_InitHandshakeHashes(ss); ++ if (rv != SECSuccess) { ++ desc = internal_error; ++ errCode = PORT_GetError(); ++ goto alert_loser; ++ } ++ + ss->sec.send = ssl3_SendApplicationData; + + /* we don't even search for a cache hit here. It's just a miss. */ +@@ -8732,6 +8844,154 @@ ssl3_SendServerHello(sslSocket *ss) + return SECSuccess; + } + ++static SECStatus ++ssl3_PickSignatureHashAlgorithm(sslSocket *ss, ++ SSL3SignatureAndHashAlgorithm* out); ++ ++static SECStatus ++ssl3_SendDHServerKeyExchange(sslSocket *ss) ++{ ++ const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; ++ SECStatus rv = SECFailure; ++ int length; ++ PRBool isTLS; ++ SECItem signed_hash = {siBuffer, NULL, 0}; ++ SSL3Hashes hashes; ++ SSL3SignatureAndHashAlgorithm sigAndHash; ++ SECKEYDHParams dhParam; ++ ++ ssl3KeyPair *keyPair = NULL; ++ SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */ ++ SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */ ++ int certIndex = -1; ++ ++ if (kea_def->kea != kea_dhe_dss && kea_def->kea != kea_dhe_rsa) { ++ /* TODO: Support DH_anon. It might be sufficient to drop the signature. ++ See bug 1170510. */ ++ PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); ++ return SECFailure; ++ } ++ ++ dhParam.prime.data = ss->dheParams->prime.data; ++ dhParam.prime.len = ss->dheParams->prime.len; ++ dhParam.base.data = ss->dheParams->base.data; ++ dhParam.base.len = ss->dheParams->base.len; ++ ++ PRINT_BUF(60, (NULL, "Server DH p", dhParam.prime.data, ++ dhParam.prime.len)); ++ PRINT_BUF(60, (NULL, "Server DH g", dhParam.base.data, ++ dhParam.base.len)); ++ ++ /* Generate ephemeral DH keypair */ ++ privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL); ++ if (!privKey || !pubKey) { ++ ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); ++ rv = SECFailure; ++ goto loser; ++ } ++ ++ keyPair = ssl3_NewKeyPair(privKey, pubKey); ++ if (!keyPair) { ++ ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); ++ goto loser; ++ } ++ ++ PRINT_BUF(50, (ss, "DH public value:", ++ pubKey->u.dh.publicValue.data, ++ pubKey->u.dh.publicValue.len)); ++ ++ if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { ++ ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); ++ goto loser; ++ } ++ ++ rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, ++ pubKey->u.dh.prime, ++ pubKey->u.dh.base, ++ pubKey->u.dh.publicValue, ++ &ss->ssl3.hs.client_random, ++ &ss->ssl3.hs.server_random, ++ &hashes, ss->opt.bypassPKCS11); ++ if (rv != SECSuccess) { ++ ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); ++ goto loser; ++ } ++ ++ /* It has been suggested to test kea_def->signKeyType instead, and to use ++ * ssl_auth_* instead. Investigate what to do. See bug 102794. */ ++ if (kea_def->kea == kea_dhe_rsa) ++ certIndex = ssl_kea_rsa; ++ else ++ certIndex = ssl_kea_dh; ++ ++ isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); ++ rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, ++ &signed_hash, isTLS); ++ if (rv != SECSuccess) { ++ goto loser; /* ssl3_SignHashes has set err. */ ++ } ++ if (signed_hash.data == NULL) { ++ PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); ++ goto loser; ++ } ++ length = 2 + pubKey->u.dh.prime.len + ++ 2 + pubKey->u.dh.base.len + ++ 2 + pubKey->u.dh.publicValue.len + ++ 2 + signed_hash.len; ++ ++ if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { ++ length += 2; ++ } ++ ++ rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); ++ if (rv != SECSuccess) { ++ goto loser; /* err set by AppendHandshake. */ ++ } ++ ++ rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.prime.data, ++ pubKey->u.dh.prime.len, 2); ++ if (rv != SECSuccess) { ++ goto loser; /* err set by AppendHandshake. */ ++ } ++ ++ rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.base.data, ++ pubKey->u.dh.base.len, 2); ++ if (rv != SECSuccess) { ++ goto loser; /* err set by AppendHandshake. */ ++ } ++ ++ rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.publicValue.data, ++ pubKey->u.dh.publicValue.len, 2); ++ if (rv != SECSuccess) { ++ goto loser; /* err set by AppendHandshake. */ ++ } ++ ++ if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { ++ rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); ++ if (rv != SECSuccess) { ++ goto loser; /* err set by AppendHandshake. */ ++ } ++ } ++ ++ rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, ++ signed_hash.len, 2); ++ if (rv != SECSuccess) { ++ goto loser; /* err set by AppendHandshake. */ ++ } ++ PORT_Free(signed_hash.data); ++ ss->dheKeyPair = keyPair; ++ return SECSuccess; ++ ++loser: ++ if (signed_hash.data) ++ PORT_Free(signed_hash.data); ++ if (privKey) ++ SECKEY_DestroyPrivateKey(privKey); ++ if (pubKey) ++ SECKEY_DestroyPublicKey(pubKey); ++ return SECFailure; ++} ++ + /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing + * elements of the handshake. (The negotiated cipher suite determines the + * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always +@@ -8906,6 +9166,11 @@ ssl3_SendServerKeyExchange(sslSocket *ss + PORT_Free(signed_hash.data); + return SECSuccess; + ++ case ssl_kea_dh: { ++ rv = ssl3_SendDHServerKeyExchange(ss); ++ return rv; ++ } ++ + #ifndef NSS_DISABLE_ECC + case kt_ecdh: { + rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); +@@ -8913,7 +9178,6 @@ ssl3_SendServerKeyExchange(sslSocket *ss + } + #endif /* NSS_DISABLE_ECC */ + +- case kt_dh: + case kt_null: + default: + PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); +@@ -9322,6 +9586,59 @@ double_bypass: + return SECSuccess; + } + ++static SECStatus ++ssl3_HandleDHClientKeyExchange(sslSocket *ss, ++ SSL3Opaque *b, ++ PRUint32 length, ++ SECKEYPublicKey *srvrPubKey, ++ SECKEYPrivateKey *serverKey) ++{ ++ PK11SymKey *pms; ++ SECStatus rv; ++ SECKEYPublicKey clntPubKey; ++ CK_MECHANISM_TYPE target; ++ PRBool isTLS; ++ ++ PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); ++ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); ++ PORT_Assert( srvrPubKey ); ++ ++ clntPubKey.keyType = dhKey; ++ clntPubKey.u.dh.prime.len = srvrPubKey->u.dh.prime.len; ++ clntPubKey.u.dh.prime.data = srvrPubKey->u.dh.prime.data; ++ clntPubKey.u.dh.base.len = srvrPubKey->u.dh.base.len; ++ clntPubKey.u.dh.base.data = srvrPubKey->u.dh.base.data; ++ ++ rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.dh.publicValue, ++ 2, &b, &length); ++ if (rv != SECSuccess) { ++ goto loser; ++ } ++ ++ isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); ++ ++ if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; ++ else target = CKM_SSL3_MASTER_KEY_DERIVE_DH; ++ ++ /* Determine the PMS */ ++ pms = PK11_PubDerive(serverKey, &clntPubKey, PR_FALSE, NULL, NULL, ++ CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); ++ if (pms == NULL) { ++ ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); ++ goto loser; ++ } ++ ++ rv = ssl3_InitPendingCipherSpec(ss, pms); ++ PK11_FreeSymKey(pms); pms = NULL; ++ ++loser: ++ if (ss->dheKeyPair) { ++ ssl3_FreeKeyPair(ss->dheKeyPair); ++ ss->dheKeyPair = NULL; ++ } ++ return rv; ++} ++ + + /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete + * ssl3 ClientKeyExchange message from the remote client +@@ -9334,9 +9651,7 @@ ssl3_HandleClientKeyExchange(sslSocket * + SECStatus rv; + const ssl3KEADef *kea_def; + ssl3KeyPair *serverKeyPair = NULL; +-#ifndef NSS_DISABLE_ECC + SECKEYPublicKey *serverPubKey = NULL; +-#endif /* NSS_DISABLE_ECC */ + + SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", + SSL_GETPID(), ss->fd)); +@@ -9366,6 +9681,16 @@ ssl3_HandleClientKeyExchange(sslSocket * + ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; + } else + skip: ++ if (kea_def->kea == kea_dhe_dss || ++ kea_def->kea == kea_dhe_rsa) { ++ if (ss->dheKeyPair) { ++ serverKeyPair = ss->dheKeyPair; ++ if (serverKeyPair->pubKey) { ++ ss->sec.keaKeyBits = ++ SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey); ++ } ++ } ++ } else + #ifndef NSS_DISABLE_ECC + /* XXX Using SSLKEAType to index server certifiates + * does not work for (EC)DHE ciphers. Until we have +@@ -9411,6 +9736,21 @@ skip: + } + break; + ++ case ssl_kea_dh: ++ if (ss->dheKeyPair && ss->dheKeyPair->pubKey) { ++ serverPubKey = ss->dheKeyPair->pubKey; ++ } ++ if (!serverPubKey) { ++ PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); ++ return SECFailure; ++ } ++ rv = ssl3_HandleDHClientKeyExchange(ss, b, length, ++ serverPubKey, serverKey); ++ if (rv != SECSuccess) { ++ SSL3_SendAlert(ss, alert_fatal, handshake_failure); ++ return SECFailure; /* error code set */ ++ } ++ break; + + #ifndef NSS_DISABLE_ECC + case kt_ecdh: +@@ -10181,21 +10521,39 @@ done: + } + + static SECStatus +-ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, ++ssl3_ComputeTLSFinished(sslSocket *ss, ++ ssl3CipherSpec *spec, + PRBool isServer, + const SSL3Hashes * hashes, + TLSFinished * tlsFinished) + { +- const char * label; +- unsigned int len; +- SECStatus rv; +- +- label = isServer ? "server finished" : "client finished"; +- len = 15; +- +- rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, +- hashes->len, tlsFinished->verify_data, +- sizeof tlsFinished->verify_data); ++ SECStatus rv; ++ CK_TLS12_MAC_PARAMS tls12_mac_params; ++ SECItem param = {siBuffer, NULL, 0}; ++ PK11Context *prf_context; ++ unsigned int retLen; ++ ++ if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) { ++ tls12_mac_params.prfHashMechanism = CKM_TLS_PRF; ++ } else { ++ tls12_mac_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); ++ } ++ tls12_mac_params.ulMacLength = 12; ++ tls12_mac_params.ulServerOrClient = isServer ? 1 : 2; ++ param.data = (unsigned char *)&tls12_mac_params; ++ param.len = sizeof(tls12_mac_params); ++ prf_context = PK11_CreateContextBySymKey(CKM_TLS12_MAC, CKA_SIGN, ++ spec->master_secret, ¶m); ++ if (!prf_context) ++ return SECFailure; ++ ++ rv = PK11_DigestBegin(prf_context); ++ rv |= PK11_DigestOp(prf_context, hashes->u.raw, hashes->len); ++ rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, &retLen, ++ sizeof tlsFinished->verify_data); ++ PORT_Assert(rv != SECSuccess || retLen == sizeof tlsFinished->verify_data); ++ ++ PK11_DestroyContext(prf_context, PR_TRUE); + + return rv; + } +@@ -10380,7 +10738,7 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 + isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); + rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender); + if (isTLS && rv == SECSuccess) { +- rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished); ++ rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished); + } + ssl_ReleaseSpecReadLock(ss); + if (rv != SECSuccess) { +@@ -10544,7 +10902,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O + PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); + return SECFailure; + } +- rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, ++ rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer, + hashes, &tlsFinished); + if (!isServer) + ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished; +@@ -10590,7 +10948,8 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O + * ServerHello message.) + */ + if (isServer && !ss->ssl3.hs.isResuming && +- ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) { ++ ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && ++ ssl3_KEAAllowsSessionTicket(ss->ssl3.hs.suite_def->key_exchange_alg)) { + /* RFC 5077 Section 3.3: "In the case of a full handshake, the + * server MUST verify the client's Finished message before sending + * the ticket." Presumably, this also means that the client's +@@ -10638,7 +10997,8 @@ xmit_loser: + return rv; + } + +- if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { ++ if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || ++ ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { + effectiveExchKeyType = kt_rsa; + } else { + effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; +@@ -11856,8 +12216,6 @@ ssl3_FreeKeyPair(ssl3KeyPair * keyPair) + } + } + +- +- + /* + * Creates the public and private RSA keys for SSL Step down. + * Called from SSL_ConfigSecureServer in sslsecur.c +@@ -11889,7 +12247,6 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss + return rv; + } + +- + /* record the export policy for this cipher suite */ + SECStatus + ssl3_SetPolicy(ssl3CipherSuite which, int policy) +@@ -12022,7 +12379,7 @@ ssl3_ConstructV2CipherSpecsHack(sslSocke + /* ssl3_config_match_init was called by the caller of this function. */ + for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { + ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; +- if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) { ++ if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange, ss)) { + if (cs != NULL) { + *cs++ = 0x00; + *cs++ = (suite->cipher_suite >> 8) & 0xFF; +@@ -12147,6 +12504,10 @@ ssl3_DestroySSL3Info(sslSocket *ss) + } + } + ++ if (ss->ssl3.dheGroups) { ++ PORT_Free(ss->ssl3.dheGroups); ++ } ++ + ss->ssl3.initialized = PR_FALSE; + + SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); +diff -up ./lib/ssl/ssl3ecc.c.dhe_and_sha384 ./lib/ssl/ssl3ecc.c +--- ./lib/ssl/ssl3ecc.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/ssl3ecc.c 2015-06-24 23:09:45.987637456 +0200 +@@ -297,7 +297,7 @@ ssl3_SendECDHClientKeyExchange(sslSocket + pubKey->u.ec.publicValue.len)); + + if (isTLS12) { +- target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; ++ target = CKM_TLS12_MASTER_KEY_DERIVE_DH; + } else if (isTLS) { + target = CKM_TLS_MASTER_KEY_DERIVE_DH; + } else { +@@ -388,7 +388,7 @@ ssl3_HandleECDHClientKeyExchange(sslSock + isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); + + if (isTLS12) { +- target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; ++ target = CKM_TLS12_MASTER_KEY_DERIVE_DH; + } else if (isTLS) { + target = CKM_TLS_MASTER_KEY_DERIVE_DH; + } else { +@@ -914,7 +914,9 @@ static const ssl3CipherSuite ecdhe_ecdsa + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, ++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_NULL_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + 0 /* end of list marker */ +@@ -925,7 +927,9 @@ static const ssl3CipherSuite ecdhe_rsa_s + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, ++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_NULL_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + 0 /* end of list marker */ +@@ -940,11 +944,15 @@ static const ssl3CipherSuite ecSuites[] + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_NULL_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, ++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_NULL_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, +diff -up ./lib/ssl/ssl3ext.c.dhe_and_sha384 ./lib/ssl/ssl3ext.c +--- ./lib/ssl/ssl3ext.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/ssl3ext.c 2015-06-24 23:06:00.457872472 +0200 +@@ -1125,7 +1125,8 @@ ssl3_SendNewSessionTicket(sslSocket *ss) + sslSessionID sid; + PORT_Memset(&sid, 0, sizeof(sslSessionID)); + +- if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { ++ if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || ++ ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { + effectiveExchKeyType = kt_rsa; + } else { + effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; +diff -up ./lib/ssl/ssl.def.dhe_and_sha384 ./lib/ssl/ssl.def +--- ./lib/ssl/ssl.def.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/ssl.def 2015-06-24 23:06:00.454872529 +0200 +@@ -171,3 +171,13 @@ SSL_SetCanFalseStartCallback; + ;+ local: + ;+*; + ;+}; ++;+NSS_3.20 { # NSS 3.20 release ++;+ global: ++;+# If the 3.20 release includes any additional functions ++;+# besides SSL_DHEGroupPrefSet and SSL_EnableWeakDHEPrimeGroup ++;+# they should be labeled as NSS_3.20a ++SSL_DHEGroupPrefSet; ++SSL_EnableWeakDHEPrimeGroup; ++;+ local: ++;+*; ++;+}; +diff -up ./lib/ssl/sslenum.c.dhe_and_sha384 ./lib/ssl/sslenum.c +--- ./lib/ssl/sslenum.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/sslenum.c 2015-06-24 23:06:00.457872472 +0200 +@@ -49,7 +49,11 @@ + const PRUint16 SSL_ImplementedCiphers[] = { + #ifndef NSS_DISABLE_ECC + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, ++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147. + */ +@@ -66,14 +70,19 @@ const PRUint16 SSL_ImplementedCiphers[] + #endif /* NSS_DISABLE_ECC */ + + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, ++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, ++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, ++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, +@@ -91,6 +100,7 @@ const PRUint16 SSL_ImplementedCiphers[] + TLS_ECDH_RSA_WITH_RC4_128_SHA, + #endif /* NSS_DISABLE_ECC */ + ++ TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA256, +diff -up ./lib/ssl/ssl.h.dhe_and_sha384 ./lib/ssl/ssl.h +--- ./lib/ssl/ssl.h.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/ssl.h 2015-06-24 23:06:00.454872529 +0200 +@@ -185,12 +185,17 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF + /* SSL_REUSE_SERVER_ECDHE_KEY controls whether the ECDHE server key is + * reused for multiple handshakes or generated each time. + * SSL_REUSE_SERVER_ECDHE_KEY is currently enabled by default. ++ * This socket option is for ECDHE, only. It is unrelated to DHE. + */ + #define SSL_REUSE_SERVER_ECDHE_KEY 27 + + #define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in + * handshakes. */ + ++/* SSL_ENABLE_SERVER_DHE controls whether DHE is enabled for the server socket. ++ */ ++#define SSL_ENABLE_SERVER_DHE 29 ++ + #ifdef SSL_DEPRECATED_FUNCTION + /* Old deprecated function names */ + SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on); +@@ -292,6 +297,46 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDe + SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); + SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); + ++/* SSL_DHEGroupPrefSet is used to configure the set of allowed/enabled DHE group ++** parameters that can be used by NSS for the given server socket. ++** The first item in the array is used as the default group, if no other ++** selection criteria can be used by NSS. ++** The set is provided as an array of identifiers as defined by SSLDHEGroupType. ++** If more than one group identifier is provided, NSS will select the one to use. ++** For example, a TLS extension sent by the client might indicate a preference. ++*/ ++SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd, ++ SSLDHEGroupType *groups, ++ PRUint16 num_groups); ++ ++/* Enable the use of a DHE group that's smaller than the library default, ++** for backwards compatibility reasons. The DH parameters will be created ++** at the time this function is called, which might take a very long time. ++** The function will block until generation is completed. ++** The intention is to enforce that fresh and safe parameters are generated ++** each time a process is started. ++** At the time this API was initially implemented, the API will enable the ++** use of 1024 bit DHE parameters. This value might get increased in future ++** versions of NSS. ++** ++** It is allowed to call this API will a NULL value for parameter fd, ++** which will prepare the global parameters that NSS will reuse for the remainder ++** of the process lifetime. This can be used early after startup of a process, ++** to avoid a delay when handling incoming client connections. ++** This preparation with a NULL for parameter fd will NOT enable the weak group ++** on sockets. The function needs to be called again for every socket that ++** should use the weak group. ++** ++** It is allowed to use this API in combination with the SSL_DHEGroupPrefSet API. ++** If both APIs have been called, the weakest group will be used, ++** unless it is certain that the client supports larger group parameters. ++** The weak group will be used as the default group, overriding the preference ++** for the first group potentially set with a call to SSL_DHEGroupPrefSet ++** (The first group set using SSL_DHEGroupPrefSet will still be enabled, but ++** it's no longer the default group.) ++*/ ++SSL_IMPORT SECStatus SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled); ++ + /* SSL Version Range API + ** + ** This API should be used to control SSL 3.0 & TLS support instead of the +diff -up ./lib/ssl/sslimpl.h.dhe_and_sha384 ./lib/ssl/sslimpl.h +--- ./lib/ssl/sslimpl.h.dhe_and_sha384 2015-06-24 23:06:00.449872622 +0200 ++++ ./lib/ssl/sslimpl.h 2015-06-24 23:06:00.457872472 +0200 +@@ -62,6 +62,7 @@ typedef SSLSignType SSL3SignType; + #define hmac_md5 ssl_hmac_md5 + #define hmac_sha ssl_hmac_sha + #define hmac_sha256 ssl_hmac_sha256 ++#define hmac_sha384 ssl_hmac_sha384 + #define mac_aead ssl_mac_aead + + #define SET_ERROR_CODE /* reminder */ +@@ -179,6 +180,7 @@ typedef struct ssl3CertNodeStr + typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef; + typedef struct ssl3MACDefStr ssl3MACDef; + typedef struct ssl3KeyPairStr ssl3KeyPair; ++typedef struct ssl3DHParamsStr ssl3DHParams; + + struct ssl3CertNodeStr { + struct ssl3CertNodeStr *next; +@@ -298,9 +300,9 @@ typedef struct { + } ssl3CipherSuiteCfg; + + #ifndef NSS_DISABLE_ECC +-#define ssl_V3_SUITES_IMPLEMENTED 61 ++#define ssl_V3_SUITES_IMPLEMENTED 71 + #else +-#define ssl_V3_SUITES_IMPLEMENTED 37 ++#define ssl_V3_SUITES_IMPLEMENTED 43 + #endif /* NSS_DISABLE_ECC */ + + #define MAX_DTLS_SRTP_CIPHER_SUITES 4 +@@ -337,6 +339,7 @@ typedef struct sslOptionsStr { + unsigned int enableALPN : 1; /* 27 */ + unsigned int reuseServerECDHEKey : 1; /* 28 */ + unsigned int enableFallbackSCSV : 1; /* 29 */ ++ unsigned int enableServerDhe : 1; /* 30 */ + } sslOptions; + + typedef enum { sslHandshakingUndetermined = 0, +@@ -476,10 +479,18 @@ typedef enum { + cipher_camellia_256, + cipher_seed, + cipher_aes_128_gcm, ++ cipher_aes_256_gcm, + cipher_missing /* reserved for no such supported cipher */ + /* This enum must match ssl3_cipherName[] in ssl3con.c. */ + } SSL3BulkCipher; + ++/* The TLS PRF definition */ ++typedef enum { ++ prf_null = 0, /* use default prf */ ++ prf_256 = CKM_SHA256, ++ prf_384 = CKM_SHA384 ++} SSL3PRF; ++ + typedef enum { type_stream, type_block, type_aead } CipherType; + + #define MAX_IV_LENGTH 24 +@@ -725,6 +736,7 @@ typedef struct ssl3CipherSuiteDefStr { + SSL3BulkCipher bulk_cipher_alg; + SSL3MACAlgorithm mac_alg; + SSL3KeyExchangeAlgorithm key_exchange_alg; ++ SSL3PRF prf_alg; + } ssl3CipherSuiteDef; + + /* +@@ -997,6 +1009,9 @@ struct ssl3StateStr { + PRUint16 dtlsSRTPCipherCount; + PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */ + PRBool fatalAlertSent; ++ PRUint16 numDHEGroups; /* used by server */ ++ SSLDHEGroupType * dheGroups; /* used by server */ ++ PRBool dheWeakGroupEnabled; /* used by server */ + }; + + #define DTLS_MAX_MTU 1500 /* Ethernet MTU but without subtracting the +@@ -1016,6 +1031,11 @@ struct ssl3KeyPairStr { + PRInt32 refCount; /* use PR_Atomic calls for this. */ + }; + ++struct ssl3DHParamsStr { ++ SECItem prime; /* p */ ++ SECItem base; /* g */ ++}; ++ + typedef struct SSLWrappedSymWrappingKeyStr { + SSL3Opaque wrappedSymmetricWrappingkey[512]; + CK_MECHANISM_TYPE symWrapMechanism; +@@ -1224,6 +1244,9 @@ const unsigned char * preferredCipher; + + ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */ + ++ const ssl3DHParams *dheParams; /* DHE param */ ++ ssl3KeyPair * dheKeyPair; /* DHE keys */ ++ + /* Callbacks */ + SSLAuthCertificate authCertificate; + void *authCertificateArg; +@@ -1616,6 +1639,8 @@ int ssl3_GatherCompleteHandshake(sslSock + */ + extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss); + ++extern SECStatus ssl3_SelectDHParams(sslSocket *ss); ++ + #ifndef NSS_DISABLE_ECC + extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss); + extern PRBool ssl3_IsECCEnabled(sslSocket *ss); +diff -up ./lib/ssl/sslinfo.c.dhe_and_sha384 ./lib/ssl/sslinfo.c +--- ./lib/ssl/sslinfo.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/sslinfo.c 2015-06-24 23:06:00.457872472 +0200 +@@ -122,6 +122,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh + + #define M_AEAD_128 "AEAD", ssl_mac_aead, 128 + #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 ++#define M_SHA384 "SHA384", ssl_hmac_sha384, 384 + #define M_SHA "SHA1", ssl_mac_sha, 160 + #define M_MD5 "MD5", ssl_mac_md5, 128 + #define M_NULL "NULL", ssl_mac_null, 0 +@@ -135,6 +136,7 @@ static const SSLCipherSuiteInfo suiteInf + {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, + {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, }, + {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, }, ++{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, + {0,CS(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, + {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_RSA, C_AES, B_256, M_SHA256, 1, 0, 0, }, + {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA, 1, 0, 0, }, +@@ -145,7 +147,9 @@ static const SSLCipherSuiteInfo suiteInf + {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, + {0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, ++{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, ++{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, + {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, }, + {0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, + {0,CS(TLS_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, }, +@@ -201,8 +205,21 @@ static const SSLCipherSuiteInfo suiteInf + {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, }, + {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, + {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, }, ++ ++{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, ++{0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, ++{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, }, ++{0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, }, ++ + #endif /* NSS_DISABLE_ECC */ + ++{0,CS(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, ++{0,CS(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, ++{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, ++{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, ++{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, ++{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_SHA384, 1, 0, 0, }, ++ + /* SSL 2 table */ + {0,CK(SSL_CK_RC4_128_WITH_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, }, + {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5), S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, }, +diff -up ./lib/ssl/sslproto.h.dhe_and_sha384 ./lib/ssl/sslproto.h +--- ./lib/ssl/sslproto.h.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/sslproto.h 2015-06-24 23:06:00.457872472 +0200 +@@ -177,6 +177,7 @@ + #define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C + #define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D + ++#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 + #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 + #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042 + #define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043 +@@ -191,6 +192,7 @@ + #define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065 + #define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066 + #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 ++#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A + #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B + + #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 +@@ -203,8 +205,11 @@ + #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 + + #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C ++#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D + #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E ++#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F + #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 ++#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3 + + /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. + * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending +@@ -251,11 +256,15 @@ + #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019 + + #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 ++#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 + #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 ++#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 + + #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B ++#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C + #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D + #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F ++#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 + #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 + + /* Netscape "experimental" cipher suites. */ +diff -up ./lib/ssl/sslsecur.c.dhe_and_sha384 ./lib/ssl/sslsecur.c +--- ./lib/ssl/sslsecur.c.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/sslsecur.c 2015-06-24 23:06:00.457872472 +0200 +@@ -693,6 +693,7 @@ NSS_FindCertKEAType(CERTCertificate * ce + case SEC_OID_PKCS1_RSA_ENCRYPTION: + keaType = kt_rsa; + break; ++ case SEC_OID_ANSIX9_DSA_SIGNATURE: /* hah, signature, not a key? */ + case SEC_OID_X942_DIFFIE_HELMAN_KEY: + keaType = kt_dh; + break; +@@ -789,6 +790,11 @@ ssl_ConfigSecureServer(sslSocket *ss, CE + goto loser; + } + } ++ if (kea == ssl_kea_dh || kea == ssl_kea_rsa) { ++ if (ssl3_SelectDHParams(ss) != SECSuccess) { ++ goto loser; ++ } ++ } + return SECSuccess; + + loser: +diff -up ./lib/ssl/sslsock.c.dhe_and_sha384 ./lib/ssl/sslsock.c +--- ./lib/ssl/sslsock.c.dhe_and_sha384 2015-06-24 23:06:00.446872679 +0200 ++++ ./lib/ssl/sslsock.c 2015-06-24 23:06:00.458872453 +0200 +@@ -18,6 +18,7 @@ + #include "blapi.h" + #endif + #include "nss.h" ++#include "pk11pqg.h" + + #define SET_ERROR_CODE /* reminder */ + +@@ -82,7 +83,8 @@ static sslOptions ssl_defaults = { + PR_TRUE, /* enableNPN */ + PR_FALSE, /* enableALPN */ + PR_TRUE, /* reuseServerECDHEKey */ +- PR_FALSE /* enableFallbackSCSV */ ++ PR_FALSE, /* enableFallbackSCSV */ ++ PR_FALSE, /* enableServerDhe */ + }; + + /* +@@ -225,6 +227,20 @@ ssl_DupSocket(sslSocket *os) + sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); + ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; + ++ ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; ++ ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups; ++ if (os->ssl3.dheGroups) { ++ ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType, ++ os->ssl3.numDHEGroups); ++ if (!ss->ssl3.dheGroups) { ++ goto loser; ++ } ++ PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups, ++ sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups); ++ } else { ++ ss->ssl3.dheGroups = NULL; ++ } ++ + if (os->cipherSpecs) { + ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); + if (ss->cipherSpecs) +@@ -267,6 +283,10 @@ ssl_DupSocket(sslSocket *os) + ssl3_GetKeyPairRef(os->stepDownKeyPair); + ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : + ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); ++ ss->dheKeyPair = !os->dheKeyPair ? NULL : ++ ssl3_GetKeyPairRef(os->dheKeyPair); ++ ss->dheParams = os->dheParams; ++ + /* + * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. + * XXX We should detect this, and not just march on with NULL pointers. +@@ -384,6 +404,10 @@ ssl_DestroySocketContents(sslSocket *ss) + ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); + ss->ephemeralECDHKeyPair = NULL; + } ++ if (ss->dheKeyPair) { ++ ssl3_FreeKeyPair(ss->dheKeyPair); ++ ss->dheKeyPair = NULL; ++ } + SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); + PORT_Assert(!ss->xtnData.sniNameArr); + if (ss->xtnData.sniNameArr) { +@@ -815,6 +839,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + ss->opt.enableFallbackSCSV = on; + break; + ++ case SSL_ENABLE_SERVER_DHE: ++ ss->opt.enableServerDhe = on; ++ break; ++ + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; +@@ -890,6 +918,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh + case SSL_REUSE_SERVER_ECDHE_KEY: + on = ss->opt.reuseServerECDHEKey; break; + case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; ++ case SSL_ENABLE_SERVER_DHE: on = ss->opt.enableServerDhe; break; + + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -959,6 +988,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo + case SSL_ENABLE_FALLBACK_SCSV: + on = ssl_defaults.enableFallbackSCSV; + break; ++ case SSL_ENABLE_SERVER_DHE: ++ on = ssl_defaults.enableServerDhe; ++ break; + + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -1142,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo + ssl_defaults.enableFallbackSCSV = on; + break; + ++ case SSL_ENABLE_SERVER_DHE: ++ ssl_defaults.enableServerDhe = on; ++ break; ++ + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +@@ -1365,7 +1401,204 @@ NSS_SetFrancePolicy(void) + return NSS_SetDomesticPolicy(); + } + ++SECStatus ++SSL_DHEGroupPrefSet(PRFileDesc *fd, ++ SSLDHEGroupType *groups, ++ PRUint16 num_groups) ++{ ++ sslSocket *ss; ++ ++ if ((num_groups && !groups) || (!num_groups && groups)) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ return SECFailure; ++ } ++ ++ ss = ssl_FindSocket(fd); ++ if (!ss) { ++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd)); ++ return SECFailure; ++ } ++ ++ if (ss->ssl3.dheGroups) { ++ PORT_Free(ss->ssl3.dheGroups); ++ ss->ssl3.dheGroups = NULL; ++ ss->ssl3.numDHEGroups = 0; ++ } ++ ++ if (groups) { ++ ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType, num_groups); ++ if (!ss->ssl3.dheGroups) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return SECFailure; ++ } ++ PORT_Memcpy(ss->ssl3.dheGroups, groups, ++ sizeof(SSLDHEGroupType) * num_groups); ++ } ++ return SECSuccess; ++} ++ ++ ++PRCallOnceType gWeakDHParamsRegisterOnce; ++int gWeakDHParamsRegisterError; ++ ++PRCallOnceType gWeakDHParamsOnce; ++int gWeakDHParamsError; ++/* As our code allocates type PQGParams, we'll keep it around, ++ * even though we only make use of it's parameters through gWeakDHParam. */ ++static PQGParams *gWeakParamsPQG; ++static ssl3DHParams *gWeakDHParams; ++ ++static PRStatus ++ssl3_CreateWeakDHParams() ++{ ++ PQGVerify *vfy; ++ SECStatus rv, passed; ++ ++ PORT_Assert(!gWeakDHParams && !gWeakParamsPQG); ++ ++ rv = PK11_PQG_ParamGenV2(1024, 160, 64 /*maximum seed that will work*/, ++ &gWeakParamsPQG, &vfy); ++ if (rv != SECSuccess) { ++ gWeakDHParamsError = PORT_GetError(); ++ return PR_FAILURE; ++ } ++ ++ rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed); ++ if (rv != SECSuccess || passed != SECSuccess) { ++ SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams", ++ SSL_GETPID())); ++ gWeakDHParamsError = PORT_GetError(); ++ return PR_FAILURE; ++ } ++ ++ gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams); ++ if (!gWeakDHParams) { ++ gWeakDHParamsError = PORT_GetError(); ++ return PR_FAILURE; ++ } ++ ++ gWeakDHParams->prime.data = gWeakParamsPQG->prime.data; ++ gWeakDHParams->prime.len = gWeakParamsPQG->prime.len; ++ gWeakDHParams->base.data = gWeakParamsPQG->base.data; ++ gWeakDHParams->base.len = gWeakParamsPQG->base.len; ++ ++ PK11_PQG_DestroyVerify(vfy); ++ return PR_SUCCESS; ++} ++ ++static SECStatus ++ssl3_WeakDHParamsShutdown(void *appData, void *nssData) ++{ ++ if (gWeakParamsPQG) { ++ PK11_PQG_DestroyParams(gWeakParamsPQG); ++ gWeakParamsPQG = NULL; ++ gWeakDHParams = NULL; ++ } ++ return SECSuccess; ++} ++ ++static PRStatus ++ssl3_WeakDHParamsRegisterShutdown(void) ++{ ++ SECStatus rv; ++ rv = NSS_RegisterShutdown(ssl3_WeakDHParamsShutdown, NULL); ++ if (rv != SECSuccess) { ++ gWeakDHParamsRegisterError = PORT_GetError(); ++ } ++ return (PRStatus)rv; ++} ++ ++/* global init strategy inspired by ssl3_CreateECDHEphemeralKeys */ ++SECStatus ++SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled) ++{ ++ sslSocket *ss; ++ PRStatus status; ++ ++ if (enabled) { ++ status = PR_CallOnce(&gWeakDHParamsRegisterOnce, ++ ssl3_WeakDHParamsRegisterShutdown); ++ if (status != PR_SUCCESS) { ++ PORT_SetError(gWeakDHParamsRegisterError); ++ return SECFailure; ++ } ++ ++ status = PR_CallOnce(&gWeakDHParamsOnce, ssl3_CreateWeakDHParams); ++ if (status != PR_SUCCESS) { ++ PORT_SetError(gWeakDHParamsError); ++ return SECFailure; ++ } ++ } ++ ++ if (!fd) ++ return SECSuccess; ++ ++ ss = ssl_FindSocket(fd); ++ if (!ss) { ++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd)); ++ return SECFailure; ++ } ++ ++ ss->ssl3.dheWeakGroupEnabled = enabled; ++ return SECSuccess; ++} ++ ++#include "dhe-param.c" ++ ++static const SSLDHEGroupType ssl_default_dhe_groups[] = { ++ ssl_ff_dhe_2048_group ++}; ++ ++/* Keep this array synchronized with the index definitions in SSLDHEGroupType */ ++static const ssl3DHParams *all_ssl3DHParams[] = { ++ NULL, /* ssl_dhe_group_none */ ++ &ff_dhe_2048, ++ &ff_dhe_3072, ++ &ff_dhe_4096, ++ &ff_dhe_6144, ++ &ff_dhe_8192, ++}; ++ ++static SSLDHEGroupType ++selectDHEGroup(sslSocket *ss, const SSLDHEGroupType *groups, PRUint16 num_groups) ++{ ++ if (!groups || !num_groups) ++ return ssl_dhe_group_none; ++ ++ /* We don't have automatic group parameter selection yet ++ * (potentially) based on socket parameters, e.g. key sizes. ++ * For now, we return the first available group from the allowed list. */ ++ return groups[0]; ++} ++ ++/* Ensure DH parameters have been selected */ ++SECStatus ++ssl3_SelectDHParams(sslSocket *ss) ++{ ++ SSLDHEGroupType selectedGroup = ssl_dhe_group_none; ++ ++ if (ss->ssl3.dheWeakGroupEnabled) { ++ ss->dheParams = gWeakDHParams; ++ } else { ++ if (ss->ssl3.dheGroups) { ++ selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups, ++ ss->ssl3.numDHEGroups); ++ } else { ++ size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_groups); ++ selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups, ++ number_of_default_groups); ++ } ++ ++ if (selectedGroup == ssl_dhe_group_none || ++ selectedGroup >= ssl_dhe_group_max) { ++ return SECFailure; ++ } ++ ++ ss->dheParams = all_ssl3DHParams[selectedGroup]; ++ } + ++ return SECSuccess; ++} + + /* LOCKS ??? XXX */ + static PRFileDesc * +@@ -2992,6 +3225,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto + ss->certStatusArray[i] = NULL; + } + ss->stepDownKeyPair = NULL; ++ ++ ss->dheParams = NULL; ++ ss->dheKeyPair = NULL; ++ + ss->dbHandle = CERT_GetDefaultCertDB(); + + /* Provide default implementation of hooks */ +diff -up ./lib/ssl/sslt.h.dhe_and_sha384 ./lib/ssl/sslt.h +--- ./lib/ssl/sslt.h.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./lib/ssl/sslt.h 2015-06-24 23:06:00.458872453 +0200 +@@ -91,7 +91,8 @@ typedef enum { + ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ + ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ + ssl_hmac_sha256 = 5, +- ssl_mac_aead = 6 ++ ssl_mac_aead = 6, ++ ssl_hmac_sha384 = 7 + } SSLMACAlgorithm; + + typedef enum { +@@ -197,4 +198,14 @@ typedef enum { + + #define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ + ++typedef enum { ++ ssl_dhe_group_none = 0, ++ ssl_ff_dhe_2048_group = 1, ++ ssl_ff_dhe_3072_group = 2, ++ ssl_ff_dhe_4096_group = 3, ++ ssl_ff_dhe_6144_group = 4, ++ ssl_ff_dhe_8192_group = 5, ++ ssl_dhe_group_max ++} SSLDHEGroupType; ++ + #endif /* __sslt_h_ */ +diff -up ./tests/cert/cert.sh.dhe_and_sha384 ./tests/cert/cert.sh +--- ./tests/cert/cert.sh.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./tests/cert/cert.sh 2015-06-24 23:06:00.458872453 +0200 +@@ -292,6 +292,14 @@ cert_create_cert() + return $RET + fi + ++ CU_ACTION="Import DSA Root CA for $CERTNAME" ++ certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \ ++ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1 ++ if [ "$RET" -ne 0 ]; then ++ return $RET ++ fi ++ ++ + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Import EC Root CA for $CERTNAME" + certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ +@@ -338,6 +346,60 @@ cert_add_cert() + cert_log "SUCCESS: $CERTNAME's Cert Created" + + # ++# Generate and add DSA cert ++# ++ CU_ACTION="Generate DSA Cert Request for $CERTNAME" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -z "${R_NOISE_FILE}" -o req 2>&1 ++ if [ "$RET" -ne 0 ]; then ++ return $RET ++ fi ++ ++ CU_ACTION="Sign ${CERTNAME}'s DSA Request" ++ certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ if [ "$RET" -ne 0 ]; then ++ return $RET ++ fi ++ ++ CU_ACTION="Import $CERTNAME's DSA Cert" ++ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ ++ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 ++ if [ "$RET" -ne 0 ]; then ++ return $RET ++ fi ++ cert_log "SUCCESS: $CERTNAME's DSA Cert Created" ++ ++# Generate DSA certificate signed with RSA ++ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -z "${R_NOISE_FILE}" -o req 2>&1 ++ if [ "$RET" -ne 0 ]; then ++ return $RET ++ fi ++ ++ CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA" ++# Avoid conflicting serial numbers with TestCA issuer by keeping ++# this set far away. A smaller number risks colliding with the ++# extended ssl user certificates. ++ NEWSERIAL=`expr ${CERTSERIAL} + 20000` ++ certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ if [ "$RET" -ne 0 ]; then ++ return $RET ++ fi ++ ++ CU_ACTION="Import $CERTNAME's mixed DSA Cert" ++ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ ++ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 ++ if [ "$RET" -ne 0 ]; then ++ return $RET ++ fi ++ cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created" ++ ++# + # Generate and add EC cert + # + if [ -z "$NSS_DISABLE_ECC" ] ; then +@@ -430,6 +492,34 @@ cert_all_CA() + # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last + # in the chain + ++ ++# ++# Create DSA version of TestCA ++ ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ cert_dsa_CA $CADIR TestCA-dsa -x "CTu,CTu,CTu" ${D_CA} "1" ++# ++# Create DSA versions of the intermediate CA certs ++ ALL_CU_SUBJECT="CN=NSS Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" ++ cert_dsa_CA $SERVER_CADIR serverCA-dsa -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ++ ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" ++ cert_dsa_CA $SERVER_CADIR chain-1-serverCA-dsa "-c serverCA-dsa" "u,u,u" ${D_SERVER_CA} "3" ++ ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" ++ cert_dsa_CA $SERVER_CADIR chain-2-serverCA-dsa "-c chain-1-serverCA-dsa" "u,u,u" ${D_SERVER_CA} "4" ++ ++ ALL_CU_SUBJECT="CN=NSS Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" ++ cert_dsa_CA $CLIENT_CADIR clientCA-dsa -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ++ ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" ++ cert_dsa_CA $CLIENT_CADIR chain-1-clientCA-dsa "-c clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "6" ++ ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" ++ cert_dsa_CA $CLIENT_CADIR chain-2-clientCA-dsa "-c chain-1-clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "7" ++ ++ rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert ++# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last ++# in the chain ++ ++ ++ ++ + if [ -z "$NSS_DISABLE_ECC" ] ; then + # + # Create EC version of TestCA +@@ -540,6 +630,76 @@ CERTSCRIPT + cp root.cert ${NICKNAME}.ca.cert + } + ++ ++ ++ ++ ++################################ cert_dsa_CA ############################# ++# local shell function to build the Temp. Certificate Authority (CA) ++# used for testing purposes, creating a CA Certificate and a root cert ++# This is the ECC version of cert_CA. ++########################################################################## ++cert_dsa_CA() ++{ ++ CUR_CADIR=$1 ++ NICKNAME=$2 ++ SIGNER=$3 ++ TRUSTARG=$4 ++ DOMAIN=$5 ++ CERTSERIAL=$6 ++ ++ echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME ==========================" ++ ++ if [ ! -d "${CUR_CADIR}" ]; then ++ mkdir -p "${CUR_CADIR}" ++ fi ++ cd ${CUR_CADIR} ++ pwd ++ ++ LPROFILE=. ++ if [ -n "${MULTIACCESS_DBM}" ]; then ++ LPROFILE="multiaccess:${DOMAIN}" ++ fi ++ ++ ################# Creating an DSA CA Cert ############################### ++ # ++ CU_ACTION="Creating DSA CA Cert $NICKNAME " ++ CU_SUBJECT=$ALL_CU_SUBJECT ++ certu -S -n $NICKNAME -k dsa -t $TRUSTARG -v 600 $SIGNER \ ++ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ ++ -m $CERTSERIAL 2>&1 <&1 + ++# ++# Repeat the above for DSA certs ++# ++ CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ ++ -z "${R_NOISE_FILE}" -o req 2>&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" ++ cp ${CERTDIR}/req ${SERVER_CADIR} ++ certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ ++ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" ++ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ ++ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 ++ ++ CU_ACTION="Import Client DSA Root CA -t T,, for $CERTNAME (ext.)" ++ certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ ++ -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1 ++# ++# done with DSA certs ++# ++# Repeat again for mixed DSA certs ++# ++ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ ++ -z "${R_NOISE_FILE}" -o req 2>&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" ++ cp ${CERTDIR}/req ${SERVER_CADIR} ++ certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \ ++ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" ++ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ ++ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 ++ ++# CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)" ++# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \ ++# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \ ++# 2>&1 ++ + if [ -z "$NSS_DISABLE_ECC" ] ; then + # + # Repeat the above for EC certs +@@ -794,7 +998,7 @@ cert_extended_ssl() + for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; + do + N=`basename $CA | sed -e "s/.ca.cert//"` +- if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then ++ if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then + T="-t C,C,C" + else + T="-t u,u,u" +@@ -830,6 +1034,53 @@ cert_extended_ssl() + certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 + ++# ++# Repeat the above for DSA certs ++# ++ CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ ++ -z "${R_NOISE_FILE}" -o req 2>&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" ++ cp ${CERTDIR}/req ${CLIENT_CADIR} ++ certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ ++ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" ++ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ ++ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 ++ ++ CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" ++ certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ ++ -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 ++# ++# done with DSA certs ++# ++# ++# Repeat the above for mixed DSA certs ++# ++ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ ++ -z "${R_NOISE_FILE}" -o req 2>&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" ++ cp ${CERTDIR}/req ${CLIENT_CADIR} ++ certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \ ++ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" ++ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ ++ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 ++ ++# CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" ++# certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ ++# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 ++# ++# done with mixed DSA certs ++# ++ + if [ -z "$NSS_DISABLE_ECC" ] ; then + # + # Repeat the above for EC certs +@@ -883,7 +1134,7 @@ cert_extended_ssl() + for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; + do + N=`basename $CA | sed -e "s/.ca.cert//"` +- if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then ++ if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then + T="-t T,C,C" + else + T="-t u,u,u" +@@ -920,6 +1171,10 @@ cert_ssl() + cert_add_cert + CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC" + certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" ++ ++ CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC" ++ certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" ++ + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" + certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" +@@ -1467,6 +1722,24 @@ EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or + ++ ++ CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority" ++ ++# Until Bug 292285 is resolved, do not encode x400 Addresses. After ++# the bug is resolved, reintroduce "x400Address:x400Address" within ++# addext issuerAltNames ... ++ crlu -q -d $CADIR -G -n "TestCA-dsa" -f ${R_PWFILE} \ ++ -o ${CRL_FILE_GRP_1}_or-dsa < ${SERVEROUTFILE} 2>&1 & + RET=$? + else + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ +- ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose & ++ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 & + RET=$? + fi + +diff -up ./tests/ssl/sslstress.txt.dhe_and_sha384 ./tests/ssl/sslstress.txt +--- ./tests/ssl/sslstress.txt.dhe_and_sha384 2015-05-28 19:50:45.000000000 +0200 ++++ ./tests/ssl/sslstress.txt 2015-06-24 23:06:00.459872435 +0200 +@@ -44,6 +44,7 @@ + ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 + ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM + ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) ++ ECC 0 -c_:C009_-u -V_ssl3:_-c_100_-C_:C009_-u Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (session ticket) + # + # add client auth versions here... + # +@@ -53,3 +54,33 @@ + ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) + ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth) ++ ++# ++# ############################ DHE ciphers ############################ ++# ++ noECC 0 -c_:0016 -V_ssl3:_-c_100_-C_:0016_-N Stress TLS DHE_RSA_WITH_3DES_EDE_CBC_SHA (no reuse) ++ noECC 0 -c_:0033 -V_ssl3:_-c_1000_-C_:0033 Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA ++ ++ ++ noECC 0 -c_:0039 -V_ssl3:_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse) ++ noECC 0 -c_:0040 -V_ssl3:_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse) ++ ++# noECC 0 -c_:0038_-u -V_ssl3:_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket) ++# use the above session ticket test, once session tickets with DHE_DSS are working ++ noECC 0 -c_:0038 -V_ssl3:_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse) ++ ++# noECC 0 -c_:006A -V_ssl3:_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 ++# use the above reuse test, once the session cache with DHE_DSS is working ++ noECC 0 -c_:006A -V_ssl3:_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse ++ ++ noECC 0 -c_:006B -V_ssl3:_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse) ++ noECC 0 -c_:009E -V_ssl3:_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse) ++# ++# add client auth versions here... ++# ++ noECC 0 -r_-r_-c_:0032 -V_ssl3:_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth) ++ noECC 0 -r_-r_-c_:0067 -V_ssl3:_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth) ++ ++# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth) ++# use the above session ticket test, once session tickets with DHE_DSS are working ++ noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth) diff --git a/SOURCES/prfnonsha256.patch b/SOURCES/prfnonsha256.patch new file mode 100644 index 0000000..0f40bd7 --- /dev/null +++ b/SOURCES/prfnonsha256.patch @@ -0,0 +1,80 @@ +diff -up ./lib/ssl/ssl3con.c.prfnonsha256 ./lib/ssl/ssl3con.c +--- ./lib/ssl/ssl3con.c.prfnonsha256 2015-06-24 23:06:00.456872491 +0200 ++++ ./lib/ssl/ssl3con.c 2015-06-26 01:11:50.986824797 +0200 +@@ -3959,7 +3959,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss) + /* If we ever support ciphersuites where the PRF hash isn't SHA-256 + * then this will need to be updated. */ + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { +- ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256); ++ HASH_HashType ht; ++ CK_MECHANISM_TYPE hm; ++ SECOidTag ot; ++ SECOidData *hashOid; ++ ++ hm = ssl3_GetPrfHashMechanism(ss); ++ hashOid = SECOID_FindOIDByMechanism(hm); ++ if (hashOid == NULL) { ++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); ++ return SECFailure; ++ } ++ ot = hashOid->offset; ++ ht = HASH_GetHashTypeByOidTag(ot); ++ ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(ht); + if (!ss->ssl3.hs.sha_obj) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + return SECFailure; +@@ -4601,6 +4614,7 @@ ssl3_ComputeHandshakeHashes(sslSocket * + ss->ssl3.hs.hashType == handshake_hash_single) { + /* compute them without PKCS11 */ + PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; ++ SECOidData *hashOid; + + if (!spec->msItem.data) { + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); +@@ -4611,11 +4625,15 @@ ssl3_ComputeHandshakeHashes(sslSocket * + ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, + sizeof(hashes->u.raw)); + +- PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); ++ PRINT_BUF(60, (NULL, "Hash: result", hashes->u.raw, hashes->len)); ++ ++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); ++ if (hashOid == NULL) { ++ PORT_SetError(SSL_ERROR_DIGEST_FAILURE); ++ return SECFailure; ++ } ++ hashes->hashAlg = hashOid->offset; + +- /* If we ever support ciphersuites where the PRF hash isn't SHA-256 +- * then this will need to be updated. */ +- hashes->hashAlg = SEC_OID_SHA256; + rv = SECSuccess; + } else if (ss->opt.bypassPKCS11) { + /* compute them without PKCS11 */ +@@ -4708,6 +4726,7 @@ ssl3_ComputeHandshakeHashes(sslSocket * + unsigned int stateLen; + unsigned char stackBuf[1024]; + unsigned char *stateBuf = NULL; ++ SECOidData *hashOid; + + if (!spec->master_secret) { + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); +@@ -4728,9 +4747,15 @@ ssl3_ComputeHandshakeHashes(sslSocket * + rv = SECFailure; + goto tls12_loser; + } +- /* If we ever support ciphersuites where the PRF hash isn't SHA-256 +- * then this will need to be updated. */ +- hashes->hashAlg = SEC_OID_SHA256; ++ ++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); ++ if (hashOid == NULL) { ++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); ++ rv = SECFailure; ++ goto tls12_loser; ++ } ++ hashes->hashAlg = hashOid->offset; ++ + rv = SECSuccess; + + tls12_loser: diff --git a/SOURCES/sha384-client-verify.patch b/SOURCES/sha384-client-verify.patch new file mode 100644 index 0000000..95dfbd2 --- /dev/null +++ b/SOURCES/sha384-client-verify.patch @@ -0,0 +1,399 @@ +diff --git a/cmd/strsclnt/strsclnt.c b/cmd/strsclnt/strsclnt.c +--- a/cmd/strsclnt/strsclnt.c ++++ b/cmd/strsclnt/strsclnt.c +@@ -117,17 +117,17 @@ static int active_threads = 8; /* number + ** connect */ + static PRInt32 numUsed; + /* end of variables protected by threadLock */ + + static SSL3Statistics * ssl3stats; + + static int failed_already = 0; + static SSLVersionRange enabledVersions; +-static PRBool enableSSL2 = PR_TRUE; ++static PRBool enableSSL2 = PR_FALSE; + static PRBool bypassPKCS11 = PR_FALSE; + static PRBool disableLocking = PR_FALSE; + static PRBool ignoreErrors = PR_FALSE; + static PRBool enableSessionTickets = PR_FALSE; + static PRBool enableCompression = PR_FALSE; + static PRBool enableFalseStart = PR_FALSE; + static PRBool enableCertStatus = PR_FALSE; + +@@ -158,17 +158,17 @@ Usage(const char *progName) + " 2 -o's mean skip server certificate validation altogether.\n" + " -D means no TCP delays\n" + " -q means quit when server gone (timeout rather than retry forever)\n" + " -s means disable SSL socket locking\n" + " -N means no session reuse\n" + " -P means do a specified percentage of full handshakes (0-100)\n" + " -V [min]:[max] restricts the set of enabled SSL/TLS protocols versions.\n" + " All versions are enabled by default.\n" +- " Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n" ++ " Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n" + " Example: \"-V ssl3:\" enables SSL 3 and newer.\n" + " -U means enable throttling up threads\n" + " -B bypasses the PKCS11 layer for SSL encryption and MACing\n" + " -T enable the cert_status extension (OCSP stapling)\n" + " -u enable TLS Session Ticket extension\n" + " -z enable compression\n" + " -g enable false start\n", + progName); +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -242,25 +242,32 @@ static const /*SSL3ClientCertificateType + #endif /* NSS_DISABLE_ECC */ + ct_DSS_sign, + }; + + /* This block is the contents of the supported_signature_algorithms field of + * our TLS 1.2 CertificateRequest message, in wire format. See + * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 + * +- * This block contains only sha256 entries because we only support TLS 1.2 +- * CertificateVerify messages that use the handshake hash. */ +-static const PRUint8 supported_signature_algorithms[] = { ++ * We only support TLS 1.2 ++ * CertificateVerify messages that use the handshake PRF hash. */ ++static const PRUint8 supported_signature_algorithms_sha256[] = { + tls_hash_sha256, tls_sig_rsa, + #ifndef NSS_DISABLE_ECC + tls_hash_sha256, tls_sig_ecdsa, + #endif + tls_hash_sha256, tls_sig_dsa, + }; ++static const PRUint8 supported_signature_algorithms_sha384[] = { ++ tls_hash_sha384, tls_sig_rsa, ++#ifndef NSS_DISABLE_ECC ++ tls_hash_sha384, tls_sig_ecdsa, ++#endif ++ tls_hash_sha384, tls_sig_dsa, ++}; + + #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ + + + /* This global item is used only in servers. It is is initialized by + ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). + */ + CERTDistNames *ssl3_server_ca_list = NULL; +@@ -4018,17 +4025,18 @@ ssl3_InitHandshakeHashes(sslSocket *ss) + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + return SECFailure; + } + + /* Create a backup SHA-1 hash for a potential client auth + * signature. + * + * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the +- * handshake hash function (SHA-256). If the server or the client ++ * handshake PRF hash function (either SHA-256 or SHA384). ++ * If the server or the client + * does not support SHA-256 as a signature hash, we can either + * maintain a backup SHA-1 handshake hash or buffer all handshake + * messages. + */ + if (!ss->sec.isServer) { + ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1); + if (ss->ssl3.hs.backupHash == NULL) { + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); +@@ -4750,16 +4758,24 @@ ssl3_ComputeHandshakeHashes(sslSocket * + + hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); + if (hashOid == NULL) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + rv = SECFailure; + goto tls12_loser; + } + hashes->hashAlg = hashOid->offset; ++ PORT_Assert(hashes->hashAlg == SEC_OID_SHA256 || ++ hashes->hashAlg == SEC_OID_SHA384); ++ if (hashes->hashAlg != SEC_OID_SHA256 && ++ hashes->hashAlg != SEC_OID_SHA384) { ++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); ++ rv = SECFailure; ++ goto tls12_loser; ++ } + + rv = SECSuccess; + + tls12_loser: + if (stateBuf) { + if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + rv = SECFailure; +@@ -7015,58 +7031,76 @@ done: + if (pubk) + SECKEY_DestroyPublicKey(pubk); + return rv; + } + + /* Destroys the backup handshake hash context if we don't need it. Note that + * this function selects the hash algorithm for client authentication + * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash +- * to determine whether to use SHA-1 or SHA-256. */ ++ * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */ + static void + ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, + const SECItem *algorithms) + { + SECStatus rv; + TLSSignatureAlgorithm sigAlg; + PRBool preferSha1; + PRBool supportsSha1 = PR_FALSE; +- PRBool supportsSha256 = PR_FALSE; ++ PRBool supportsHandshakeHash = PR_FALSE; + PRBool needBackupHash = PR_FALSE; + unsigned int i; ++ SECOidData *hashOid; ++ TLSHashAlgoritm suitePRFHash; ++ PRBool suitePRFIs256Or384 = PR_FALSE; + + #ifndef NO_PKCS11_BYPASS + /* Backup handshake hash is not supported in PKCS #11 bypass mode. */ + if (ss->opt.bypassPKCS11) { + PORT_Assert(!ss->ssl3.hs.backupHash); + return; + } + #endif + PORT_Assert(ss->ssl3.hs.backupHash); + + /* Determine the key's signature algorithm and whether it prefers SHA-1. */ + rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); + if (rv != SECSuccess) { + goto done; + } + ++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); ++ if (hashOid == NULL) { ++ rv = SECFailure; ++ goto done; ++ } ++ ++ if (hashOid->offset == SEC_OID_SHA256) { ++ suitePRFHash = tls_hash_sha256; ++ suitePRFIs256Or384 = PR_TRUE; ++ } else if (hashOid->offset == SEC_OID_SHA384) { ++ suitePRFHash = tls_hash_sha384; ++ suitePRFIs256Or384 = PR_TRUE; ++ } ++ + /* Determine the server's hash support for that signature algorithm. */ + for (i = 0; i < algorithms->len; i += 2) { + if (algorithms->data[i+1] == sigAlg) { + if (algorithms->data[i] == tls_hash_sha1) { + supportsSha1 = PR_TRUE; +- } else if (algorithms->data[i] == tls_hash_sha256) { +- supportsSha256 = PR_TRUE; +- } +- } +- } +- +- /* If either the server does not support SHA-256 or the client key prefers +- * SHA-1, leave the backup hash. */ +- if (supportsSha1 && (preferSha1 || !supportsSha256)) { ++ } else if (suitePRFIs256Or384 && ++ algorithms->data[i] == suitePRFHash) { ++ supportsHandshakeHash = PR_TRUE; ++ } ++ } ++ } ++ ++ /* If either the server does not support SHA-256/384, or the client key ++ * prefers SHA-1, leave the backup hash. */ ++ if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) { + needBackupHash = PR_TRUE; + } + + done: + if (!needBackupHash) { + PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); + ss->ssl3.hs.backupHash = NULL; + } +@@ -9226,16 +9260,17 @@ ssl3_SendCertificateRequest(sslSocket *s + SECItem * names = NULL; + SECStatus rv; + int length; + int i; + int calen = 0; + int nnames = 0; + int certTypesLength; + int sigAlgsLength; ++ SECOidData *hashOid; + + SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", + SSL_GETPID(), ss->fd)); + + PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); + + isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); +@@ -9252,18 +9287,30 @@ ssl3_SendCertificateRequest(sslSocket *s + } + + for (i = 0, name = names; i < nnames; i++, name++) { + calen += 2 + name->len; + } + + certTypes = certificate_types; + certTypesLength = sizeof certificate_types; +- sigAlgs = supported_signature_algorithms; +- sigAlgsLength = sizeof supported_signature_algorithms; ++ ++ hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); ++ if (hashOid == NULL) { ++ return SECFailure; /* err set by AppendHandshake. */ ++ } ++ if (hashOid->offset == SEC_OID_SHA256) { ++ sigAlgs = supported_signature_algorithms_sha256; ++ sigAlgsLength = sizeof supported_signature_algorithms_sha256; ++ } else if (hashOid->offset == SEC_OID_SHA384) { ++ sigAlgs = supported_signature_algorithms_sha384; ++ sigAlgsLength = sizeof supported_signature_algorithms_sha384; ++ } else { ++ return SECFailure; /* err set by AppendHandshake. */ ++ } + + length = 1 + certTypesLength + 2 + calen; + if (isTLS12) { + length += 2 + sigAlgsLength; + } + + rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); + if (rv != SECSuccess) { +diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h +--- a/lib/ssl/ssl3prot.h ++++ b/lib/ssl/ssl3prot.h +@@ -216,24 +216,24 @@ typedef struct { + SSL3ServerRSAParams rsa; + } u; + } SSL3ServerParams; + + /* This enum reflects HashAlgorithm enum from + * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 + * + * When updating, be sure to also update ssl3_TLSHashAlgorithmToOID. */ +-enum { ++typedef enum { + tls_hash_md5 = 1, + tls_hash_sha1 = 2, + tls_hash_sha224 = 3, + tls_hash_sha256 = 4, + tls_hash_sha384 = 5, + tls_hash_sha512 = 6 +-}; ++} TLSHashAlgoritm; + + /* This enum reflects SignatureAlgorithm enum from + * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ + typedef enum { + tls_sig_rsa = 1, + tls_sig_dsa = 2, + tls_sig_ecdsa = 3 + } TLSSignatureAlgorithm; +diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh +--- a/tests/ssl/ssl.sh ++++ b/tests/ssl/ssl.sh +@@ -64,16 +64,17 @@ ssl_init() + # Test case files + if [ "${NSS_NO_SSL2}" = "1" ]; then + SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt + SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt + else + SSLCOV=${QADIR}/ssl/sslcov.txt + SSLSTRESS=${QADIR}/ssl/sslstress.txt + fi ++ SSLAUTH=${QADIR}/ssl/sslauth.txt + REQUEST_FILE=${QADIR}/ssl/sslreq.dat + + #temparary files + SERVEROUTFILE=${TMP}/tests_server.$$ + SERVERPID=${TMP}/tests_pid.$$ + + R_SERVERPID=../tests_pid.$$ + +@@ -87,18 +88,18 @@ ssl_init() + NORM_EXT="" + + if [ -z "$NSS_DISABLE_ECC" ] ; then + ECC_STRING=" - with ECC" + else + ECC_STRING="" + fi + +- CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" +- CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" ++ CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz" ++ CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027:C028:C02B:C02C:C02F:C030:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz" + + if [ "${OS_ARCH}" != "WINNT" ]; then + ulimit -n 1000 # make sure we have enough file descriptors + fi + + cd ${CLIENTDIR} + } + +@@ -119,17 +120,17 @@ is_selfserv_alive() + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" +- if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then ++ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then + echo "No server to kill" + else + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" + fi + + echo "selfserv with PID ${PID} found at `date`" + } + +@@ -221,25 +222,26 @@ start_selfserv() + ECC_OPTIONS="" + fi + if [ "$1" = "mixed" ]; then + ECC_OPTIONS="-e ${HOSTADDR}-ecmixed" + fi + echo "selfserv starting at `date`" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" + echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" +- echo " $verbose -H 1 &" ++ echo " $verbose -H 1 -V ssl3: &" + if [ ${fileout} -eq 1 ]; then + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ +- > ${SERVEROUTFILE} 2>&1 & ++ -V ssl3:> ${SERVEROUTFILE} 2>&1 & + RET=$? + else + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ +- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 & ++ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ ++ -V ssl3: & + RET=$? + fi + + # The PID $! returned by the MKS or Cygwin shell is not the PID of + # the real background process, but rather the PID of a helper + # process (sh.exe). MKS's kill command has a bug: invoking kill + # on the helper process does not terminate the real background + # process. Our workaround has been to have selfserv save its PID +diff --git a/tests/ssl/sslcov.txt b/tests/ssl/sslcov.txt +--- a/tests/ssl/sslcov.txt ++++ b/tests/ssl/sslcov.txt +@@ -171,9 +171,9 @@ + ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384 + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +- ECC TLS12 :0030 TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA384 ++ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA384 diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 6447fc5..550c56c 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -3,7 +3,7 @@ # adjust to the version that gets submitted for FIPS validation %global nss_softokn_fips_version 3.16.2 %global nss_softokn_version 3.16.2.3 -%global required_softokn_build_version -9 +%global required_softokn_build_version -11 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" @@ -23,7 +23,7 @@ Summary: Network Security Services Name: nss Version: 3.19.1 -Release: 3%{?dist} +Release: 5%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -105,6 +105,13 @@ Patch56: p-ignore-setpolicy.patch # Patch to keep the TLS protocol versions that are enabled by default Patch98: nss-revert-tls-version-defaults.patch Patch99: ssl-server-min-key-sizes.patch +# Add support for sha384 tls cipher suites, dss ciper suites, and +# server-side dhe key exchange +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794 +# TODO: File upstream bug for sha384 tls cipher suites support +Patch101: dhe-sha384-dss-support.patch +Patch102: prfnonsha256.patch +Patch103: sha384-client-verify.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -204,6 +211,11 @@ popd %patch56 -p0 -b .1026677 %patch98 -p0 -b .keep_tls_default %patch99 -p0 -b .min_key_sizes +pushd nss +%patch101 -p1 -b .dhe_and_sha384 +%patch102 -p1 -b .prfnonsha256 +%patch103 -p1 -b .sha384_client_verify +popd ######################################################### # Higher-level libraries and test tools need access to @@ -232,6 +244,13 @@ done %{__rm} -rf ./nss/cmd/fipstest %{__rm} -rf ./nss/cmd/rsaperf_low +pushd nss/tests/ssl +# Create versions of sslcov.txt and sslstress.txt that disable tests +# for SSL2 and EXPORT ciphers. +cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt +cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt +popd + %build export NSS_NO_SSL2=1 @@ -784,6 +803,16 @@ fi %changelog +* Mon Jun 29 2015 Kai Engert - 3.19.1-5 +- Incremental patches to fix SSL/TLS test suite execution, + fix the earlier SHA384 patch, and inform clients to use SHA384 with + certificate_verify if required by NSS. + +* Thu Jun 18 2015 Elio Maldonado - 3.19.1-4 +- Add support for sha384 tls cipher suites +- Add support for server-side hde key exchange +- Add support for DSS+SHA256 ciphersuites + * Wed Jun 10 2015 Elio Maldonado - 3.19.1-3 - Reenable a patch that had been mistakenly disabled - Resolves: Bug 1224451