Update to NSS 3.24.0
- Resolves: Bug 1336849 - nss-3.24 is available - Update patches on account of the rebase - Remove unused patches un account of the rebase - Patch pem module to compile with wrning for unitilaized variables treated as errors - Patch to skip some of the gtests as they use private calls and need to statically link with libnssutil.a - TODO: bring this up with the external_tests framework developers upstream
This commit is contained in:
parent
2e6c8d6f71
commit
3648d70a92
2
.gitignore
vendored
2
.gitignore
vendored
@ -10,4 +10,4 @@ TestUser51.cert
|
||||
/nss-pem-20160308.tar.bz2
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.23.0.tar.gz
|
||||
/nss-3.24.0.tar.gz
|
||||
|
@ -1,149 +0,0 @@
|
||||
--- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800
|
||||
+++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800
|
||||
@@ -2,16 +2,20 @@
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
ifdef NISCC_TEST
|
||||
DEFINES += -DNISCC_TEST
|
||||
endif
|
||||
|
||||
+ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
|
||||
+endif
|
||||
+
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
|
||||
|
||||
EXTRA_LIBS += \
|
||||
$(CRYPTOLIB) \
|
||||
$(NULL)
|
||||
--- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800
|
||||
+++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800
|
||||
@@ -707,16 +707,22 @@
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL2:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (on) {
|
||||
@@ -731,52 +737,67 @@
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
}
|
||||
ss->preferredCipher = NULL;
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_NO_CACHE:
|
||||
ss->opt.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ss->opt.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure;
|
||||
}
|
||||
ss->opt.fdx = on;
|
||||
break;
|
||||
|
||||
case SSL_V2_COMPATIBLE_HELLO:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
if (!on) {
|
||||
ss->opt.enableSSL2 = on;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
ss->opt.detectRollBack = on;
|
||||
break;
|
||||
|
||||
case SSL_NO_STEP_DOWN:
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ if (!on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
ss->opt.noStepDown = on;
|
||||
if (on)
|
||||
SSL_DisableExportCipherSuites(fd);
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
break;
|
||||
|
||||
case SSL_BYPASS_PKCS11:
|
||||
if (ss->handshakeBegun) {
|
||||
PORT_SetError(PR_INVALID_STATE_ERROR);
|
||||
rv = SECFailure;
|
||||
} else {
|
||||
if (PR_FALSE != on) {
|
||||
@@ -1324,16 +1345,32 @@
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* function tells us if the cipher suite is one that we no longer support. */
|
||||
static PRBool
|
||||
ssl_IsRemovedCipherSuite(PRInt32 suite)
|
||||
{
|
||||
+#ifdef NSS_NO_SSL2_NO_EXPORT
|
||||
+ /* both ssl2 and export cipher suites disabled */
|
||||
+ if (SSL_IS_SSL2_CIPHER(suite))
|
||||
+ return PR_TRUE;
|
||||
+ if (SSL_IsExportCipherSuite(suite)) {
|
||||
+ SSLCipherSuiteInfo csdef;
|
||||
+ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
|
||||
+ /* failure to retrieve info, disable */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ if (csdef.symCipher != ssl_calg_null) {
|
||||
+ /* disable all except NULL ciphersuites */
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* NSS_NO_SSL2_NO_EXPORT */
|
||||
switch (suite) {
|
||||
case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
|
||||
case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
|
||||
return PR_TRUE;
|
||||
default:
|
||||
return PR_FALSE;
|
||||
}
|
@ -1,126 +0,0 @@
|
||||
--- ./tests/ssl/ssl.sh.disableSSL2tests 2016-01-29 02:30:10.000000000 -0800
|
||||
+++ ./tests/ssl/ssl.sh 2016-02-06 11:50:26.496668124 -0800
|
||||
@@ -57,19 +57,24 @@ ssl_init()
|
||||
fi
|
||||
|
||||
PORT=${PORT-8443}
|
||||
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
||||
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||
|
||||
# Test case files
|
||||
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
|
||||
+ else
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ fi
|
||||
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||
|
||||
#temparary files
|
||||
SERVEROUTFILE=${TMP}/tests_server.$$
|
||||
SERVERPID=${TMP}/tests_pid.$$
|
||||
|
||||
R_SERVERPID=../tests_pid.$$
|
||||
@@ -116,17 +121,21 @@ is_selfserv_alive()
|
||||
if [ "${OS_ARCH}" = "WINNT" ] && \
|
||||
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
||||
PID=${SHELL_SERVERPID}
|
||||
else
|
||||
PID=`cat ${SERVERPID}`
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "No server to kill"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||
+ fi
|
||||
|
||||
echo "selfserv with PID ${PID} found at `date`"
|
||||
}
|
||||
|
||||
########################### wait_for_selfserv ##########################
|
||||
# local shell function to wait until selfserver is running and initialized
|
||||
########################################################################
|
||||
wait_for_selfserv()
|
||||
@@ -139,17 +148,21 @@ wait_for_selfserv()
|
||||
if [ $? -ne 0 ]; then
|
||||
sleep 5
|
||||
echo "retrying to connect to selfserv at `date`"
|
||||
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
||||
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
||||
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ html_passed "Server never started"
|
||||
+ else
|
||||
html_failed "Waiting for Server"
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
is_selfserv_alive
|
||||
}
|
||||
|
||||
########################### kill_selfserv ##############################
|
||||
# local shell function to kill the selfserver after the tests are done
|
||||
########################################################################
|
||||
@@ -210,25 +223,26 @@ start_selfserv()
|
||||
ECC_OPTIONS=""
|
||||
fi
|
||||
if [ "$1" = "mixed" ]; then
|
||||
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
|
||||
fi
|
||||
echo "selfserv starting at `date`"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||
- echo " $verbose -H 1 &"
|
||||
+ echo " $verbose -H 1 -V ssl3: &"
|
||||
if [ ${fileout} -eq 1 ]; then
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
- > ${SERVEROUTFILE} 2>&1 &
|
||||
+ -V ssl3:> ${SERVEROUTFILE} 2>&1 &
|
||||
RET=$?
|
||||
else
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
|
||||
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
+ -V ssl3: &
|
||||
RET=$?
|
||||
fi
|
||||
|
||||
# The PID $! returned by the MKS or Cygwin shell is not the PID of
|
||||
# the real background process, but rather the PID of a helper
|
||||
# process (sh.exe). MKS's kill command has a bug: invoking kill
|
||||
# on the helper process does not terminate the real background
|
||||
# process. Our workaround has been to have selfserv save its PID
|
||||
@@ -275,16 +289,22 @@ ssl_cov()
|
||||
exec < ${SSLCOV}
|
||||
while read ectype testmax param testname
|
||||
do
|
||||
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||
EXP=$?
|
||||
echo "${testname}" | grep "SSL2" > /dev/null
|
||||
SSL2=$?
|
||||
|
||||
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
if [ "${SSL2}" -eq 0 ] ; then
|
||||
# We cannot use asynchronous cert verification with SSL2
|
||||
SSL2_FLAGS=-O
|
||||
VMIN="ssl2"
|
||||
else
|
||||
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
|
||||
# default in libssl but it is enabled by default in tstclnt; we want
|
||||
# to test the libssl default whenever possible.
|
@ -1,29 +1,42 @@
|
||||
diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2015-11-12 13:28:01.574855325 -0800
|
||||
@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2015-11-08 21:12:59.000000000 -0800
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2015-11-12 13:26:40.498345875 -0800
|
||||
@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
|
||||
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
@@ -953,23 +953,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSockett");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
@@ -1711,23 +1711,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
@ -42,3 +55,8 @@ diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
|
15
nss-pem-unitialized-vars.path
Normal file
15
nss-pem-unitialized-vars.path
Normal file
@ -0,0 +1,15 @@
|
||||
diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c
|
||||
--- ./lib/ckfw/pem/pinst.c.unitialized_var 2016-05-21 19:04:24.471221863 -0700
|
||||
+++ ./lib/ckfw/pem/pinst.c 2016-05-21 19:31:07.124298651 -0700
|
||||
@@ -534,9 +534,9 @@ CK_RV
|
||||
AddCertificate(char *certfile, char *keyfile, PRBool cacert,
|
||||
CK_SLOT_ID slotID)
|
||||
{
|
||||
- pemInternalObject *o;
|
||||
+ pemInternalObject *o = NULL;
|
||||
CK_RV error = 0;
|
||||
- int objid, i;
|
||||
+ int objid, i = 0;
|
||||
int nobjs = 0;
|
||||
SECItem **objs = NULL;
|
||||
char *ivstring = NULL;
|
11
nss-skip-util-gtest.patch
Normal file
11
nss-skip-util-gtest.patch
Normal file
@ -0,0 +1,11 @@
|
||||
diff -up ./nss/external_tests/manifest.mn.skip_util_gtest ./nss/external_tests/manifest.mn
|
||||
--- ./nss/external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700
|
||||
+++ ./nss/external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700
|
||||
@@ -8,7 +8,6 @@ DEPTH = ..
|
||||
DIRS = \
|
||||
google_test \
|
||||
der_gtest \
|
||||
- util_gtest \
|
||||
pk11_gtest \
|
||||
ssl_gtest \
|
||||
$(NULL)
|
26
nss.spec
26
nss.spec
@ -18,10 +18,10 @@
|
||||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.23.0
|
||||
Version: 3.24.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 9%{?dist}
|
||||
Release: 2.0%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
@ -91,14 +91,13 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
||||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
Patch52: disableSSL2libssl.patch
|
||||
Patch53: disableSSL2tests.patch
|
||||
Patch54: tstclnt-ssl2-off-by-default.patch
|
||||
Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# TODO: file a bug usptream
|
||||
Patch59: nss-check-policy-file.patch
|
||||
Patch60: nss-pem-unitialized-vars.path
|
||||
# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/
|
||||
Patch61: nss-skip-util-gtest.patch
|
||||
|
||||
|
||||
%description
|
||||
@ -183,15 +182,13 @@ low level services.
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
pushd nss
|
||||
%patch52 -p1 -b .disableSSL2libssl
|
||||
%patch53 -p1 -b .disableSSL2tests
|
||||
popd
|
||||
%patch54 -p0 -b .ssl2_off
|
||||
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
%patch60 -p1 -b .unitialized_vars
|
||||
popd
|
||||
%patch61 -p0 -b .skip_util_gtest
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
@ -224,6 +221,9 @@ done
|
||||
%{__rm} -rf ./nss/cmd/fipstest
|
||||
%{__rm} -rf ./nss/cmd/rsaperf_low
|
||||
|
||||
######## Remove portions that need to statically link with libnssutil.a
|
||||
%{__rm} -rf ./nss/external_tests/util_gtests
|
||||
|
||||
pushd nss/tests/ssl
|
||||
# Create versions of sslcov.txt and sslstress.txt that disable tests
|
||||
# for SSL2 and EXPORT ciphers.
|
||||
@ -396,9 +396,6 @@ fi
|
||||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that SSL2 is disabled
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
@ -806,6 +803,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue May 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.0
|
||||
- Rebase to NSS 3.24.0
|
||||
|
||||
* Thu May 12 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-9
|
||||
- Change POLICY_FILE to "nss.config"
|
||||
|
||||
|
@ -1,52 +0,0 @@
|
||||
diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
|
||||
--- ./nss/tests/ssl/sslstress.txt.skip 2015-09-11 21:48:21.763187957 -0700
|
||||
+++ ./nss/tests/ssl/sslstress.txt 2015-09-11 21:50:10.516514535 -0700
|
||||
@@ -8,29 +8,29 @@
|
||||
# Enable return server client Test Case name
|
||||
# ECC value params params
|
||||
# ------- ------ ------ ------ ---------------
|
||||
- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
- noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
|
||||
- noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
|
||||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||
- SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||
+# noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||
+# noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||
+# noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
|
||||
+# noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
|
||||
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||
+# SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||
|
||||
#
|
||||
# add client auth versions here...
|
||||
#
|
||||
- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
|
||||
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
|
||||
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
|
||||
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||
- SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||
+# noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||
+# noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
|
||||
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
|
||||
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
|
||||
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||
|
||||
#
|
||||
# ############################ ECC ciphers ############################
|
2
sources
2
sources
@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
||||
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
|
||||
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
|
||||
4d8e770b105483e365f3327d883dd229 nss-pem-20160308.tar.bz2
|
||||
574488f97390085832299cc3b90814a8 nss-3.23.0.tar.gz
|
||||
2a3ffd2f46b60ecc116ac086343a537a nss-3.24.0.tar.gz
|
||||
|
@ -1,21 +0,0 @@
|
||||
diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c
|
||||
--- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off 2015-08-07 11:12:13.000000000 -0700
|
||||
+++ ./nss/cmd/tstclnt/tstclnt.c 2015-09-11 20:08:34.771859950 -0700
|
||||
@@ -212,7 +212,7 @@ static void PrintParameterUsage(void)
|
||||
fprintf(stderr,
|
||||
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
|
||||
"%-20s All versions are enabled by default.\n"
|
||||
- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
+ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
|
||||
"%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
|
||||
"-V [min]:[max]", "", "", "");
|
||||
fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
|
||||
@@ -911,7 +911,7 @@ int main(int argc, char **argv)
|
||||
int npds;
|
||||
int override = 0;
|
||||
SSLVersionRange enabledVersions;
|
||||
- PRBool enableSSL2 = PR_TRUE;
|
||||
+ PRBool enableSSL2 = PR_FALSE;
|
||||
int bypassPKCS11 = 0;
|
||||
int disableLocking = 0;
|
||||
int useExportPolicy = 0;
|
Loading…
Reference in New Issue
Block a user