NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS

Resolves: #1435689
Matúš Honěk 2017-03-23 13:43:39 +01:00
parent d0828bee6c
commit 54f6fd1feb
4 changed files with 15 additions and 4 deletions


@ -67,7 +67,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
/* cipher strength */ /* cipher strength */
#define SSL_NULL 0x00000001L #define SSL_NULL 0x00000001L
@@ -240,10 +257,14 @@ typedef struct { @@ -240,10 +257,15 @@ typedef struct {
#define SSL_MEDIUM 0x00000010L #define SSL_MEDIUM 0x00000010L
#define SSL_HIGH 0x00000020L #define SSL_HIGH 0x00000020L
@ -79,6 +79,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
/* OpenSSL treats SSL3 and TLSv1 the same */ /* OpenSSL treats SSL3 and TLSv1 the same */
#define TLS1 SSL3 #define TLS1 SSL3
+#define TLS1_2 0x00000004L +#define TLS1_2 0x00000004L
+#define TLS1_3 0x00000008L
/* Cipher translation */ /* Cipher translation */
static cipher_properties ciphers_def[] = { static cipher_properties ciphers_def[] = {
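Review bot: The new `TLS1_3 0x00000008L` define is added without a comment, while the neighbouring lines explain why `TLS1` shares SSL3's value; a one-line note would stop a future maintainer from assuming these are version numbers rather than independent bits in the protocol mask. I would add above the `TLS1_2` line `/* protocol mask bits: TLS1 shares SSL3's bit, TLS1_2 and TLS1_3 are distinct flags */`. Since this hunk edits a patch file, the outer hunk header count was bumped from `+257,14` to `+257,15` accordingly; the later hunk offsets of the same patch are outside this view and should be checked to still apply cleanly.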


@ -6,7 +6,7 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
--- a/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c
@@ -268,29 +268,104 @@ typedef struct { @@ -268,29 +268,109 @@ typedef struct {
/* Cipher translation */ /* Cipher translation */
static cipher_properties ciphers_def[] = { static cipher_properties ciphers_def[] = {
@ -129,6 +129,11 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+ //{"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, + //{"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ //{"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, + //{"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ //{"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, + //{"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ // TLSv1.3
+ {"TLS13-AES-128-GCM-SHA256", 0x1301 /* TLS_AES_128_GCM_SHA256 */, SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH},
+ {"TLS13-AES-256-GCM-SHA384", 0x1302 /* TLS_AES_256_GCM_SHA384 */, SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH},
+ {"TLS13-CHACHA20-POLY1305-SHA256", 0x1303 /* TLS_CHACHA20_POLY1305_SHA256 */, SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_3, SSL_HIGH},
}; };
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
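Review bot: The three TLSv1.3 entries carry no key-exchange or authentication bits, unlike every TLS1_2 entry in the table above (which sets SSL_kECDHE/SSL_kEDH together with SSL_aRSA/SSL_aECDSA); any selection in nss_parse_ciphers keyed on those bits, such as an `ECDHE` or `RSA` keyword or a `DEFAULT`/`ALL` mask test, will either never match these suites or match them unconditionally depending on how the mask comparison is written, and that code is outside this hunk. I would make the intent explicit in the new comment, e.g. `// TLSv1.3: key exchange and authentication are negotiated separately, so no SSL_k*/SSL_a* bits` , and verify that `HIGH` and the protocol keyword are the only ways these rows are meant to be enabled. The `TLS13-…` spellings follow an early draft naming; if interoperability with OpenSSL-style cipher strings matters, also accepting the `TLS_AES_128_GCM_SHA256` form of the names would be worth considering. ciphers_def starts before this hunk.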


@ -69,7 +69,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
} else if (!strcmp(cipher, "3DES")) { } else if (!strcmp(cipher, "3DES")) {
mask |= SSL_3DES; mask |= SSL_3DES;
} else if (!strcmp(cipher, "DES")) { } else if (!strcmp(cipher, "DES")) {
@@ -693,26 +707,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) @@ -693,26 +707,69 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RC2; mask |= SSL_RC2;
} else if (!strcmp(cipher, "MD5")) { } else if (!strcmp(cipher, "MD5")) {
mask |= SSL_MD5; mask |= SSL_MD5;
@ -122,6 +122,8 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
protocol |= TLS1; protocol |= TLS1;
+ } else if (!strcmp(cipher, "TLSv1.2")) { + } else if (!strcmp(cipher, "TLSv1.2")) {
+ protocol |= TLS1_2; + protocol |= TLS1_2;
+ } else if (!strcmp(cipher, "TLSv1.3")) {
+ protocol |= TLS1_3;
} else if (!strcmp(cipher, "HIGH")) { } else if (!strcmp(cipher, "HIGH")) {
strength |= SSL_HIGH; strength |= SSL_HIGH;
} else if (!strcmp(cipher, "MEDIUM")) { } else if (!strcmp(cipher, "MEDIUM")) {
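Review bot: The new `TLSv1.3` branch only sets the TLS1_3 bit in `protocol`, mirroring the TLSv1.2 branch; where that mask is consumed is outside this hunk, so it is not visible whether selecting `TLSv1.3` also extends the NSS version range to TLS 1.3 or merely filters the cipher table. If it is only a filter, a cipher string containing `TLSv1.3` would select the 0x1301–0x1303 suites while the library still negotiates at most TLSv1.2, which fails silently rather than loudly; the caller that applies `protocol` should be checked for that case. Since NSS builds without TLS 1.3 support will reject those suite ids when preferences are set, a compile-time guard on the NSS version constant around the branch (and a clear log message on rejection) would keep older builds behaving predictably. nss_parse_ciphers begins and ends outside this hunk.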


@ -5,7 +5,7 @@
Name: openldap Name: openldap
Version: 2.4.44 Version: 2.4.44
Release: 8%{?dist} Release: 9%{?dist}
Summary: LDAP support libraries Summary: LDAP support libraries
Group: System Environment/Daemons Group: System Environment/Daemons
License: OpenLDAP License: OpenLDAP
@ -548,6 +548,9 @@ exit 0
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435689)
* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8 * Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8
- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435689) - NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435689)