--- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800 +++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800 @@ -2,16 +2,20 @@ # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. ifdef NISCC_TEST DEFINES += -DNISCC_TEST endif +ifdef NSS_NO_SSL2_NO_EXPORT +DEFINES += -DNSS_NO_SSL2_NO_EXPORT +endif + ifdef NSS_NO_PKCS11_BYPASS DEFINES += -DNO_PKCS11_BYPASS else CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) EXTRA_LIBS += \ $(CRYPTOLIB) \ $(NULL) --- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800 +++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800 @@ -707,16 +707,22 @@ if (ss->cipherSpecs) { PORT_Free(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } break; case SSL_ENABLE_SSL2: +#ifdef NSS_NO_SSL2_NO_EXPORT + if (on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ + } +#else if (IS_DTLS(ss)) { if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } if (on) { @@ -731,52 +737,67 @@ ss->opt.v2CompatibleHello = on; } ss->preferredCipher = NULL; if (ss->cipherSpecs) { PORT_Free(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } +#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_NO_CACHE: ss->opt.noCache = on; break; case SSL_ENABLE_FDX: if (on && ss->opt.noLocks) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } ss->opt.fdx = on; break; case SSL_V2_COMPATIBLE_HELLO: +#ifdef NSS_NO_SSL2_NO_EXPORT + if (on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ + } +#else if (IS_DTLS(ss)) { if (on) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } ss->opt.v2CompatibleHello = on; if (!on) { ss->opt.enableSSL2 = on; } +#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_ROLLBACK_DETECTION: ss->opt.detectRollBack = on; break; case SSL_NO_STEP_DOWN: +#ifdef NSS_NO_SSL2_NO_EXPORT + if (!on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ + } +#else ss->opt.noStepDown = on; if (on) SSL_DisableExportCipherSuites(fd); +#endif /* NSS_NO_SSL2_NO_EXPORT */ break; case SSL_BYPASS_PKCS11: if (ss->handshakeBegun) { PORT_SetError(PR_INVALID_STATE_ERROR); rv = SECFailure; } else { if (PR_FALSE != on) { @@ -1324,16 +1345,32 @@ } return SECSuccess; } /* function tells us if the cipher suite is one that we no longer support. */ static PRBool ssl_IsRemovedCipherSuite(PRInt32 suite) { +#ifdef NSS_NO_SSL2_NO_EXPORT + /* both ssl2 and export cipher suites disabled */ + if (SSL_IS_SSL2_CIPHER(suite)) + return PR_TRUE; + if (SSL_IsExportCipherSuite(suite)) { + SSLCipherSuiteInfo csdef; + if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) { + /* failure to retrieve info, disable */ + return PR_TRUE; + } + if (csdef.symCipher != ssl_calg_null) { + /* disable all except NULL ciphersuites */ + return PR_TRUE; + } + } +#endif /* NSS_NO_SSL2_NO_EXPORT */ switch (suite) { case SSL_FORTEZZA_DMS_WITH_NULL_SHA: case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: return PR_TRUE; default: return PR_FALSE; }