Enable ECC cipher-suites by default [hrbz#1185708]

- Split the enabling patch in two for easier maintenance - Remove unused patches rendered obsolete by prior rebase
2015-09-30 11:34:48 -07:00 · 2015-09-30 11:34:48 -07:00 · 82653be6b2
commit 82653be6b2
parent ae64727ebb
5 changed files with 27 additions and 132 deletions
--- a/nss.spec
+++ b/nss.spec
@ -21,7 +21,7 @@ Name:             nss
 Version:          3.20.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          5%{?dist}
+Release:          6%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -96,8 +96,10 @@ Patch55:          skip_stress_TLS_RC4_128_with_MD5.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
 # See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50
 Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
-# TODO: File a bug usptream
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688
 Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -190,6 +192,7 @@ popd
 pushd nss
 %patch57 -p1 -b .1185708
 popd
+%patch58 -p0 -b .1185708_3des

 #########################################################
 # Higher-level libraries and test tools need access to
@ -803,6 +806,11 @@ fi


 %changelog
+* Wed Sep 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-6
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Split the enabling patch in two for easier maintenance
+- Remove unused patches rendered obsolete by prior rebase
+
 * Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-5
 - Enable ECC cipher-suites by default [hrbz#1185708]
 - Implement corrections requested in code review
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
@ -0,0 +1,14 @@
+diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2015-09-29 16:24:18.717593591 -0700
+++ ./nss/lib/ssl/ssl3con.c	2015-09-29 16:25:22.672879926 -0700
+@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
--- a/rhbz1185708-enable-ecc-ciphers-by-default.patch
+++ b/rhbz1185708-enable-ecc-ciphers-by-default.patch
@ -1,7 +1,7 @@
 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
 --- a/lib/ssl/ssl3con.c
 +++ b/lib/ssl/ssl3con.c
-@@ -85,29 +85,29 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
+@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
  *
  * Important: See bug 946147 before enabling, reordering, or adding any cipher
  * suites to this list.
@ -23,21 +23,17 @@ diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_DISABLE_ECC */
 
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
--- a/scripts-syntax-errors.patch
+++ b/scripts-syntax-errors.patch
@ -1,87 +0,0 @@
-diff --git a/tests/all.sh b/tests/all.sh
--- a/tests/all.sh
-+++ b/tests/all.sh
-@@ -296,17 +296,17 @@ fi
- 
- # NOTE:
- # Since in make at the top level, modutil is the last file
- # created, we check for modutil to know whether the build
- # is complete. If a new file is created after that, the 
- # following test for modutil should check for that instead.
- # Exception: when building softoken only, shlibsign is the
- # last file created.
-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
-+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
-   LAST_FILE_BUILT=shlibsign
- else
-   LAST_FILE_BUILT=modutil
- fi
- 
- if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
-     echo "Build Incomplete. Aborting test." >> ${LOGFILE}
-     html_head "Testing Initialization"
-diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh
--- a/tests/cipher/cipher.sh
-+++ b/tests/cipher/cipher.sh
-@@ -119,17 +119,17 @@ cipher_cleanup()
- }
- 
- ################## main #################################################
- 
- # When building without softoken, bltest isn't built. It was already
- # built and the cipher suite run as part of an nss-softoken build. 
- if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
-     echo "bltest not built, skipping this test." >> ${LOGFILE}
-    res = 0
-+    res=0
-     html_msg $res $EXP_RET "$TESTNAME"
-     return 0
- fi
- cipher_init
- # Skip cipher_main if this an NSS without softoken build.
- if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
-     cipher_main
- fi
-diff --git a/tests/common/init.sh b/tests/common/init.sh
--- a/tests/common/init.sh
-+++ b/tests/common/init.sh
-@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
-     {
- 	
-         html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
-         html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" 
-         echo "$SCRIPTNAME: $* ==============================="
-     }
-     html_msg()
-     {
-        if [ "$1" -ne "$2" ] ; then
-+        if [ $1 -ne $2 ] ; then
-             html_failed "$3" "$4"
-         else
-             html_passed "$3" "$4"
-         fi
-     }
-     HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
-     HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
-     HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
-diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
--- a/tests/dbtests/dbtests.sh
-+++ b/tests/dbtests/dbtests.sh
-@@ -170,7 +170,7 @@ dbtest_main()
- 
-     # skipping the next two tests when user is root,
-     # otherwise they would fail due to rooty powers
-    if [ $UID -ne 0 ] then
-+    if [[ $EUID -ne 0 ]]; then
-       ${BINDIR}/dbtest -d $RONLY_DIR
-     ret=$?
-     if [ $ret -ne 46 ]; then
-@@ -181,7 +181,7 @@ dbtest_main()
-     else
-       html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
-     fi
-    if [ $UID -ne 0 ] then
-+    if [[ $EUID -ne 0 ]]; then
-       ${BINDIR}/certutil -D -n "TestUser" -d .
-     ret=$?
-     if [ $ret -ne 255 ]; then
--- a/tls12.patch
+++ b/tls12.patch
@ -1,36 +0,0 @@
-# HG changeset patch
-# User Martin Thomson <martin.thomson@gmail.com>
-# Date 1413479112 25200
-#      Thu Oct 16 10:05:12 2014 -0700
-# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d
-# Parent  24852c6f89ea7ed2b8f231320d9a0a03bdd706d4
-Bug 1083900 - Updating default maximum version to 1.2
-
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
-     PR_FALSE    /* enableFallbackSCSV */
- };
- 
- /*
-  * default range of enabled SSL/TLS protocols
-  */
- static SSLVersionRange versions_defaults_stream = {
-     SSL_LIBRARY_VERSION_3_0,
-    SSL_LIBRARY_VERSION_TLS_1_0
-+    SSL_LIBRARY_VERSION_TLS_1_2
- };
- 
- static SSLVersionRange versions_defaults_datagram = {
-     SSL_LIBRARY_VERSION_TLS_1_1,
-    SSL_LIBRARY_VERSION_TLS_1_1
-+    SSL_LIBRARY_VERSION_TLS_1_2
- };
- 
- #define VERSIONS_DEFAULTS(variant) \
-     (variant == ssl_variant_stream ? &versions_defaults_stream : \
-                                      &versions_defaults_datagram)
- 
- sslSessionIDLookupFunc  ssl_sid_lookup;
- sslSessionIDCacheFunc   ssl_sid_cache;