From 9b7199b3db56b6cdd2669fef9ec0bfef3d8621b9 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 3 Mar 2015 14:35:20 -0800 Subject: [PATCH] Disable export suites and SSL2 support at build time - Fix syntax errors in various shell scripts - Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites --- disableSSL2libssl.patch | 71 +++++++++++++++++++++++-------------- disableSSL2tests.patch | 32 +++++++++-------- nss.spec | 14 ++++---- scripts-syntax-errors.patch | 2 +- 4 files changed, 71 insertions(+), 48 deletions(-) diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch index 38d092a..6286184 100644 --- a/disableSSL2libssl.patch +++ b/disableSSL2libssl.patch @@ -10,8 +10,8 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk DEFINES += -DNISCC_TEST endif -+ifdef NSS_NO_SSL2 -+DEFINES += -DNSS_NO_SSL2 ++ifdef NSS_NO_SSL2_NO_EXPORT ++DEFINES += -DNSS_NO_SSL2_NO_EXPORT +endif + # Allow build-time configuration of TLS 1.3 (Experimental) @@ -34,7 +34,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c break; case SSL_ENABLE_SSL2: -+#ifdef NSS_NO_SSL2 ++#ifdef NSS_NO_SSL2_NO_EXPORT + if (on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ @@ -48,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c break; } ss->opt.enableSSL2 = on; -@@ -667,42 +673,50 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh +@@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh ss->opt.v2CompatibleHello = on; } ss->preferredCipher = NULL; @@ -57,7 +57,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } -+#endif /* NSS_NO_SSL2 */ ++#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_NO_CACHE: @@ -73,7 +73,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c break; case SSL_V2_COMPATIBLE_HELLO: -+#ifdef NSS_NO_SSL2 ++#ifdef NSS_NO_SSL2_NO_EXPORT + if (on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ @@ -90,7 +90,7 @@ 
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c if (!on) { ss->opt.enableSSL2 = on; } -+#endif /* NSS_NO_SSL2 */ ++#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_ROLLBACK_DETECTION: @@ -98,26 +98,45 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c break; case SSL_NO_STEP_DOWN: - ss->opt.noStepDown = on; -@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt - - if (rv != SECSuccess) { - return rv; - } - - if (ssl_IsRemovedCipherSuite(which)) { - rv = SECSuccess; - } else if (SSL_IS_SSL2_CIPHER(which)) { -+#ifdef NSS_NO_SSL2 -+ rv = SSL_ERROR_SSL2_DISABLED; ++#ifdef NSS_NO_SSL2_NO_EXPORT ++ if (!on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } +#else - rv = ssl2_SetPolicy(which, policy); -+#endif /* NSS_NO_SSL2 */ - } else { - rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); + ss->opt.noStepDown = on; + if (on) + SSL_DisableExportCipherSuites(fd); ++#endif /* NSS_NO_SSL2_NO_EXPORT */ + break; + + case SSL_BYPASS_PKCS11: + if (ss->handshakeBegun) { + PORT_SetError(PR_INVALID_STATE_ERROR); + rv = SECFailure; + } else { + if (PR_FALSE != on) { +@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo } - return rv; + return SECSuccess; } - SECStatus - SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) + /* function tells us if the cipher suite is one that we no longer support. */ + static PRBool + ssl_IsRemovedCipherSuite(PRInt32 suite) + { ++#ifdef NSS_NO_SSL2_NO_EXPORT ++ /* both ssl2 and export cipher suites disabled */ ++ if (SSL_IS_SSL2_CIPHER(suite)) ++ return PR_TRUE; ++ if (SSL_IsExportCipherSuite(suite)) ++ return PR_TRUE; ++#endif /* NSS_NO_SSL2_NO_EXPORT */ + switch (suite) { + case SSL_FORTEZZA_DMS_WITH_NULL_SHA: + case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: + case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: + return PR_TRUE; + default: + return PR_FALSE; + } diff --git a/disableSSL2tests.patch b/disableSSL2tests.patch index d0d9871..4fecca2 100644 --- a/disableSSL2tests.patch 
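Review bot: In the new `case SSL_NO_STEP_DOWN:` branch under `#ifdef NSS_NO_SSL2_NO_EXPORT` (hunk `@@ -98,26 +98,45 @@`), the `on` case reaches `break` without ever assigning `ss->opt.noStepDown`, so SSL_OptionSet returns SECSuccess while the option keeps its default and SSL_OptionGet will echo that default back; unless the default is flipped elsewhere in the patch, which this hunk does not show, the rejection should be followed by `} else { ss->opt.noStepDown = on; }` (the `#else` path still assigns it). The error raised for `!on` is `SSL_ERROR_SSL2_DISABLED` although what is unavailable here is the export cipher suites rather than SSL2, so at least a comment such as `/* export suites are compiled out, so step-down cannot be re-enabled */` should explain reusing that code. The enclosing SSL_OptionSet begins outside this hunk.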
+++ b/disableSSL2tests.patch @@ -1,7 +1,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh -@@ -57,18 +57,23 @@ ssl_init() +@@ -57,19 +57,23 @@ ssl_init() fi PORT=${PORT-8443} @@ -11,14 +11,15 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # Test case files - SSLCOV=${QADIR}/ssl/sslcov.txt -+ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \ -+ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \ -+ || ${QADIR}/ssl/sslcov.txt - SSLAUTH=${QADIR}/ssl/sslauth.txt -+ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \ -+ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \ -+ || ${QADIR}/ssl/sslstress.txt - SSLSTRESS=${QADIR}/ssl/sslstress.txt +- SSLAUTH=${QADIR}/ssl/sslauth.txt +- SSLSTRESS=${QADIR}/ssl/sslstress.txt ++ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then ++ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt ++ else ++ SSLCOV=${QADIR}/ssl/sslcov.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.txt ++ fi REQUEST_FILE=${QADIR}/ssl/sslreq.dat #temparary files @@ -26,7 +27,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh SERVERPID=${TMP}/tests_pid.$$ R_SERVERPID=../tests_pid.$$ -@@ -115,17 +120,21 @@ is_selfserv_alive() + +@@ -115,17 +119,21 @@ is_selfserv_alive() if [ "${OS_ARCH}" = "WINNT" ] && \ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then PID=${SHELL_SERVERPID} @@ -35,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh fi echo "kill -0 ${PID} >/dev/null 2>/dev/null" -+ if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then ++ if [[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then + echo "No server to kill" + else kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" @@ -48,7 +50,7 @@ 
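Review bot: The added `if [[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then` in the is_selfserv_alive hunk closes `[[` with `]` and `[` with `]]`, which is a syntax error in bash and unparsable in a POSIX sh that has no `[[` at all, so this commit titled "Fix syntax errors in various shell scripts" carries one forward. Independently of the brackets, `-n ${EXP}` and `-n ${SSL2}` are true whenever those variables are set: the ssl_cov hunk shows `SSL2=$?` followed by `if [ "${SSL2}" -eq 0 ]`, so they hold exit statuses rather than empty-or-not flags, and with the build flag on every coverage test would be skipped, not just the SSL2 and export ones; the same test recurs in the wait_for_selfserv and ssl_cov hunks. Assuming EXP is assigned the same way as SSL2 (its assignment is not in any hunk), the condition wanted in all three places is `if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ "${EXP}" -eq 0 -o "${SSL2}" -eq 0 ]; then`.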
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # local shell function to wait until selfserver is running and initialized ######################################################################## wait_for_selfserv() -@@ -138,17 +147,21 @@ wait_for_selfserv() +@@ -138,17 +146,21 @@ wait_for_selfserv() if [ $? -ne 0 ]; then sleep 5 echo "retrying to connect to selfserv at `date`" @@ -57,7 +59,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} if [ $? -ne 0 ]; then -+ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then ++ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then + html_passed "Server never started" + else html_failed "Waiting for Server" @@ -70,7 +72,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ########################### kill_selfserv ############################## # local shell function to kill the selfserver after the tests are done ######################################################################## -@@ -273,16 +286,19 @@ ssl_cov() +@@ -273,16 +285,19 @@ ssl_cov() exec < ${SSLCOV} while read ectype testmax param testname do @@ -80,7 +82,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh SSL2=$? + # skip export and ssl2 tests when build has disabled SSL2 -+ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue ++ [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue + if [ "${SSL2}" -eq 0 ] ; then # We cannot use asynchronous cert verification with SSL2 diff --git a/nss.spec b/nss.spec index 510d139..bab90b2 100644 --- a/nss.spec +++ b/nss.spec @@ -19,7 +19,7 @@ Summary: Network Security Services Name: nss Version: 3.17.4 -Release: 4%{?dist} +Release: 5%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries 
@@ -92,7 +92,6 @@ Patch49: nss-skip-bltest-and-fipstest.patch Patch50: iquote.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900 Patch51: tls12.patch -# SSL2 support has been disabled downstream in RHEL since RHEL-7.0 Patch52: disableSSL2libssl.patch Patch53: disableSSL2tests.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367 @@ -219,8 +218,7 @@ done %build -# uncomment this line when the work is ready -#export NSS_NO_SSL2=1 +export NSS_NO_SSL2_NO_EXPORT=1 NSS_NO_PKCS11_BYPASS=1 export NSS_NO_PKCS11_BYPASS @@ -371,8 +369,7 @@ fi # Begin -- copied from the build section # inform the ssl test scripts that SSL2 is disabled -# uncomment this line when the work is ready -#export NSS_NO_SSL2=1 +export NSS_NO_SSL2_NO_EXPORT=1 FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND @@ -797,6 +794,11 @@ fi %changelog +* Tue Mar 03 2015 Elio Maldonado - 3.17.4-5 +- Disable export suites and SSL2 support at build time +- Fix syntax errors in various shell scripts +- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites + * Sat Feb 21 2015 Till Maas - 3.17.4-4 - Rebuilt for Fedora 23 Change https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code diff --git a/scripts-syntax-errors.patch b/scripts-syntax-errors.patch index aeff0ab..28cfc4a 100644 --- a/scripts-syntax-errors.patch +++ b/scripts-syntax-errors.patch @@ -11,7 +11,7 @@ diff --git a/tests/all.sh b/tests/all.sh # Exception: when building softoken only, shlibsign is the # last file created. -if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then -+if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then ++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then LAST_FILE_BUILT=shlibsign else LAST_FILE_BUILT=modutil
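Review bot: The `%build` and `%check` hunks export `NSS_NO_SSL2_NO_EXPORT=1`, but the only explanation of what that flag disables was the `# SSL2 support has been disabled downstream in RHEL since RHEL-7.0` comment that the `@@ -92,7 +92,6 @@` hunk removes, and the surviving `# inform the ssl test scripts that SSL2 is disabled` comment no longer mentions the export suites. Put one comment back above the export in `%build`, e.g. `# Build libssl with SSL2 and the export cipher suites compiled out (disableSSL2libssl.patch)`, and widen the `%check` one to `# inform the ssl test scripts that SSL2 and the export suites are disabled`.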