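--- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800
+++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800
@@ -2,16 +2,20 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 ifdef NISCC_TEST
 DEFINES += -DNISCC_TEST
 endif
 
+ifdef NSS_NO_SSL2_NO_EXPORT
+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
+endif
+
 ifdef NSS_NO_PKCS11_BYPASS
 DEFINES += -DNO_PKCS11_BYPASS
 else
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
     $(CRYPTOLIB) \
     $(NULL)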
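--- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800
+++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800
@@ -707,16 +707,22 @@
         if (ss->cipherSpecs) {
             PORT_Free(ss->cipherSpecs);
             ss->cipherSpecs = NULL;
             ss->sizeCipherSpecs = 0;
         }
         break;
 
       case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+        if (on) {
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+            rv = SECFailure; /* not allowed */
+        }
+#else
         if (IS_DTLS(ss)) {
             if (on) {
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
                 rv = SECFailure; /* not allowed */
             }
             break;
         }
         if (on) {
@@ -731,52 +737,67 @@
             ss->opt.v2CompatibleHello = on;
         }
         ss->preferredCipher = NULL;
         if (ss->cipherSpecs) {
             PORT_Free(ss->cipherSpecs);
             ss->cipherSpecs = NULL;
             ss->sizeCipherSpecs = 0;
         }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
         break;
 
       case SSL_NO_CACHE:
         ss->opt.noCache = on;
         break;
 
       case SSL_ENABLE_FDX:
         if (on && ss->opt.noLocks) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
         }
         ss->opt.fdx = on;
         break;
 
       case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+        if (on) {
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+            rv = SECFailure; /* not allowed */
+        }
+#else
         if (IS_DTLS(ss)) {
             if (on) {
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
                 rv = SECFailure; /* not allowed */
             }
             break;
         }
         ss->opt.v2CompatibleHello = on;
         if (!on) {
             ss->opt.enableSSL2 = on;
         }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
         break;
 
       case SSL_ROLLBACK_DETECTION:
         ss->opt.detectRollBack = on;
         break;
 
       case SSL_NO_STEP_DOWN:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+        if (!on) {
+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+            rv = SECFailure; /* not allowed */
+        }
+#else
         ss->opt.noStepDown = on;
         if (on)
             SSL_DisableExportCipherSuites(fd);
+#endif /* NSS_NO_SSL2_NO_EXPORT */
         break;
 
       case SSL_BYPASS_PKCS11:
         if (ss->handshakeBegun) {
             PORT_SetError(PR_INVALID_STATE_ERROR);
             rv = SECFailure;
         } else {
             if (PR_FALSE != on) {
@@ -1324,16 +1345,32 @@
     }
     return SECSuccess;
 }
 
 /* function tells us if the cipher suite is one that we no longer support. */
 static PRBool
 ssl_IsRemovedCipherSuite(PRInt32 suite)
 {
+#ifdef NSS_NO_SSL2_NO_EXPORT
+    /* both ssl2 and export cipher suites disabled */
+    if (SSL_IS_SSL2_CIPHER(suite))
+        return PR_TRUE;
+    if (SSL_IsExportCipherSuite(suite)) {
+        SSLCipherSuiteInfo csdef;
+        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
+            /* failure to retrieve info, disable */
+            return PR_TRUE;
+        }
+        if (csdef.symCipher != ssl_calg_null) {
+            /* disable all except NULL ciphersuites */
+            return PR_TRUE;
+        }
+    }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
     switch (suite) {
     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
         return PR_TRUE;
     default:
         return PR_FALSE;
     }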
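Review bot: The new `SSL_NO_STEP_DOWN` branch rejects `!on` but never stores an accepted `on` into `ss->opt.noStepDown`, so `SSL_OptionGet` and any step-down logic that reads that field would see the default rather than the value the caller just set successfully; hoisting `ss->opt.noStepDown = on;` above the `#ifdef` (it is harmless in both configurations) keeps the stored option consistent with the returned `rv`. The `SSL_ENABLE_SSL2` and `SSL_V2_COMPATIBLE_HELLO` branches have the same shape for `on == PR_FALSE`, which is only equivalent to the old code if the corresponding `ss->opt` defaults are already false — worth confirming. In `ssl_IsRemovedCipherSuite`, the comment `/* both ssl2 and export cipher suites disabled */` overstates what the code does, since export suites whose `symCipher == ssl_calg_null` are deliberately kept; `/* SSL2 suites and all export suites except the NULL-cipher ones are treated as removed */` matches the test below it. The switch these option cases belong to begins and ends outside the hunks.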