rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Disable export suites and SSL2 support at build time

Browse Source 
- Fix syntax errors in various shell scripts
- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
This commit is contained in:
Elio Maldonado 2015-03-03 14:35:20 -08:00
parent fa80ce0efb
commit 9b7199b3db
4 changed files with 71 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
disableSSL2libssl.patch
View File

@ -10,8 +10,8 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
DEFINES += -DNISCC_TEST DEFINES += -DNISCC_TEST
endif endif
+ifdef NSS_NO_SSL2 +ifdef NSS_NO_SSL2_NO_EXPORT
+DEFINES += -DNSS_NO_SSL2 +DEFINES += -DNSS_NO_SSL2_NO_EXPORT
+endif +endif
+ +
# Allow build-time configuration of TLS 1.3 (Experimental) # Allow build-time configuration of TLS 1.3 (Experimental)
@ -34,7 +34,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
break; break;
case SSL_ENABLE_SSL2: case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2 +#ifdef NSS_NO_SSL2_NO_EXPORT
+ if (on) { + if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); + PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */ + rv = SECFailure; /* not allowed */
@ -48,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
break; break;
} }
ss->opt.enableSSL2 = on; ss->opt.enableSSL2 = on;
@@ -667,42 +673,50 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh @@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
ss->opt.v2CompatibleHello = on; ss->opt.v2CompatibleHello = on;
} }
ss->preferredCipher = NULL; ss->preferredCipher = NULL;
@ -57,7 +57,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
ss->cipherSpecs = NULL; ss->cipherSpecs = NULL;
ss->sizeCipherSpecs = 0; ss->sizeCipherSpecs = 0;
} }
+#endif /* NSS_NO_SSL2 */ +#endif /* NSS_NO_SSL2_NO_EXPORT */
break; break;
case SSL_NO_CACHE: case SSL_NO_CACHE:
@ -73,7 +73,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
break; break;
case SSL_V2_COMPATIBLE_HELLO: case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2 +#ifdef NSS_NO_SSL2_NO_EXPORT
+ if (on) { + if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); + PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */ + rv = SECFailure; /* not allowed */
@ -90,7 +90,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
if (!on) { if (!on) {
ss->opt.enableSSL2 = on; ss->opt.enableSSL2 = on;
} }
+#endif /* NSS_NO_SSL2 */ +#endif /* NSS_NO_SSL2_NO_EXPORT */
break; break;
case SSL_ROLLBACK_DETECTION: case SSL_ROLLBACK_DETECTION:
@ -98,26 +98,45 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
break; break;
case SSL_NO_STEP_DOWN: case SSL_NO_STEP_DOWN:
ss->opt.noStepDown = on; +#ifdef NSS_NO_SSL2_NO_EXPORT
@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt + if (!on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
if (rv != SECSuccess) { + rv = SECFailure; /* not allowed */
return rv; + }
}
if (ssl_IsRemovedCipherSuite(which)) {
rv = SECSuccess;
} else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
+ rv = SSL_ERROR_SSL2_DISABLED;
+#else +#else
rv = ssl2_SetPolicy(which, policy); ss->opt.noStepDown = on;
+#endif /* NSS_NO_SSL2 */ if (on)
} else { SSL_DisableExportCipherSuites(fd);
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); +#endif /* NSS_NO_SSL2_NO_EXPORT */
break;
case SSL_BYPASS_PKCS11:
if (ss->handshakeBegun) {
PORT_SetError(PR_INVALID_STATE_ERROR);
rv = SECFailure;
} else {
if (PR_FALSE != on) {
@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
} }
return rv; return SECSuccess;
} }
SECStatus /* function tells us if the cipher suite is one that we no longer support. */
SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) static PRBool
ssl_IsRemovedCipherSuite(PRInt32 suite)
{
+#ifdef NSS_NO_SSL2_NO_EXPORT
+ /* both ssl2 and export cipher suites disabled */
+ if (SSL_IS_SSL2_CIPHER(suite))
+ return PR_TRUE;
+ if (SSL_IsExportCipherSuite(suite))
+ return PR_TRUE;
+#endif /* NSS_NO_SSL2_NO_EXPORT */
switch (suite) {
case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
return PR_TRUE;
default:
return PR_FALSE;
}

32
disableSSL2tests.patch
View File

@ -1,7 +1,7 @@
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh --- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh
@@ -57,18 +57,23 @@ ssl_init() @@ -57,19 +57,23 @@ ssl_init()
fi fi
PORT=${PORT-8443} PORT=${PORT-8443}
@ -11,14 +11,15 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
# Test case files # Test case files
- SSLCOV=${QADIR}/ssl/sslcov.txt - SSLCOV=${QADIR}/ssl/sslcov.txt
+ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \ - SSLAUTH=${QADIR}/ssl/sslauth.txt
+ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \ - SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ || ${QADIR}/ssl/sslcov.txt + if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
SSLAUTH=${QADIR}/ssl/sslauth.txt + SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
+ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \ + SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
+ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \ + else
+ || ${QADIR}/ssl/sslstress.txt + SSLCOV=${QADIR}/ssl/sslcov.txt
SSLSTRESS=${QADIR}/ssl/sslstress.txt + SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ fi
REQUEST_FILE=${QADIR}/ssl/sslreq.dat REQUEST_FILE=${QADIR}/ssl/sslreq.dat
#temparary files #temparary files
@ -26,7 +27,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
SERVERPID=${TMP}/tests_pid.$$ SERVERPID=${TMP}/tests_pid.$$
R_SERVERPID=../tests_pid.$$ R_SERVERPID=../tests_pid.$$
@@ -115,17 +120,21 @@ is_selfserv_alive()
@@ -115,17 +119,21 @@ is_selfserv_alive()
if [ "${OS_ARCH}" = "WINNT" ] && \ if [ "${OS_ARCH}" = "WINNT" ] && \
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
PID=${SHELL_SERVERPID} PID=${SHELL_SERVERPID}
@ -35,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
fi fi
echo "kill -0 ${PID} >/dev/null 2>/dev/null" echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then + if [[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
+ echo "No server to kill" + echo "No server to kill"
+ else + else
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
@ -48,7 +50,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
# local shell function to wait until selfserver is running and initialized # local shell function to wait until selfserver is running and initialized
######################################################################## ########################################################################
wait_for_selfserv() wait_for_selfserv()
@@ -138,17 +147,21 @@ wait_for_selfserv() @@ -138,17 +146,21 @@ wait_for_selfserv()
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
sleep 5 sleep 5
echo "retrying to connect to selfserv at `date`" echo "retrying to connect to selfserv at `date`"
@ -57,7 +59,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
+ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then + if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
+ html_passed "Server never started" + html_passed "Server never started"
+ else + else
html_failed "Waiting for Server" html_failed "Waiting for Server"
@ -70,7 +72,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
########################### kill_selfserv ############################## ########################### kill_selfserv ##############################
# local shell function to kill the selfserver after the tests are done # local shell function to kill the selfserver after the tests are done
######################################################################## ########################################################################
@@ -273,16 +286,19 @@ ssl_cov() @@ -273,16 +285,19 @@ ssl_cov()
exec < ${SSLCOV} exec < ${SSLCOV}
while read ectype testmax param testname while read ectype testmax param testname
do do
@ -80,7 +82,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
SSL2=$? SSL2=$?
+ # skip export and ssl2 tests when build has disabled SSL2 + # skip export and ssl2 tests when build has disabled SSL2
+ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue + [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
+ +
if [ "${SSL2}" -eq 0 ] ; then if [ "${SSL2}" -eq 0 ] ; then
# We cannot use asynchronous cert verification with SSL2 # We cannot use asynchronous cert verification with SSL2

14
nss.spec
View File

@ -19,7 +19,7 @@
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: 3.17.4 Version: 3.17.4
Release: 4%{?dist} Release: 5%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -92,7 +92,6 @@ Patch49: nss-skip-bltest-and-fipstest.patch
Patch50: iquote.patch Patch50: iquote.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
Patch51: tls12.patch Patch51: tls12.patch
# SSL2 support has been disabled downstream in RHEL since RHEL-7.0
Patch52: disableSSL2libssl.patch Patch52: disableSSL2libssl.patch
Patch53: disableSSL2tests.patch Patch53: disableSSL2tests.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367
@ -219,8 +218,7 @@ done
%build %build
# uncomment this line when the work is ready export NSS_NO_SSL2_NO_EXPORT=1
#export NSS_NO_SSL2=1
NSS_NO_PKCS11_BYPASS=1 NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS export NSS_NO_PKCS11_BYPASS
@ -371,8 +369,7 @@ fi
# Begin -- copied from the build section # Begin -- copied from the build section
# inform the ssl test scripts that SSL2 is disabled # inform the ssl test scripts that SSL2 is disabled
# uncomment this line when the work is ready export NSS_NO_SSL2_NO_EXPORT=1
#export NSS_NO_SSL2=1
FREEBL_NO_DEPEND=1 FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND export FREEBL_NO_DEPEND
@ -797,6 +794,11 @@ fi
%changelog %changelog
* Tue Mar 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-5
- Disable export suites and SSL2 support at build time
- Fix syntax errors in various shell scripts
- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.17.4-4 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.17.4-4
- Rebuilt for Fedora 23 Change - Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code

2
scripts-syntax-errors.patch
View File

@ -11,7 +11,7 @@ diff --git a/tests/all.sh b/tests/all.sh
# Exception: when building softoken only, shlibsign is the # Exception: when building softoken only, shlibsign is the
# last file created. # last file created.
-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then -if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
+if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then +if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
LAST_FILE_BUILT=shlibsign LAST_FILE_BUILT=shlibsign
else else
LAST_FILE_BUILT=modutil LAST_FILE_BUILT=modutil