NSS: Rearrange ciphers-, parsing-, and protocol-related patches
In addition, remove (or better, do not include anymore) unused
variables *variant* and *range* that were forgotten to be
removed when landing patch openldap-nss-protocol-version-new-api.patch
in commit 9e30b98
.
Related: #1435689
This commit is contained in:
parent
0cc5bf7254
commit
d0828bee6c
@ -6,31 +6,51 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
|
||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
--- a/libraries/libldap/tls_m.c
|
||||
+++ b/libraries/libldap/tls_m.c
|
||||
@@ -210,27 +210,37 @@ typedef struct {
|
||||
@@ -210,27 +210,44 @@ typedef struct {
|
||||
int num; /* The cipher id */
|
||||
int attr; /* cipher attributes: algorithms, etc */
|
||||
int version; /* protocol version valid for this cipher */
|
||||
- int bits; /* bits of strength */
|
||||
- int alg_bits; /* bits of the algorithm */
|
||||
int strength; /* LOW, MEDIUM, HIGH */
|
||||
int enabled; /* Enabled by default? */
|
||||
} cipher_properties;
|
||||
|
||||
/* cipher attributes */
|
||||
#define SSL_kRSA 0x00000001L
|
||||
#define SSL_aRSA 0x00000002L
|
||||
-#define SSL_kRSA 0x00000001L
|
||||
-#define SSL_aRSA 0x00000002L
|
||||
-#define SSL_aDSS 0x00000004L
|
||||
-#define SSL_DSS SSL_aDSS
|
||||
-#define SSL_eNULL 0x00000008L
|
||||
-#define SSL_DES 0x00000010L
|
||||
-#define SSL_3DES 0x00000020L
|
||||
-#define SSL_RC4 0x00000040L
|
||||
-#define SSL_RC2 0x00000080L
|
||||
-#define SSL_AES 0x00000100L
|
||||
-#define SSL_MD5 0x00000200L
|
||||
-#define SSL_SHA1 0x00000400L
|
||||
-#define SSL_SHA SSL_SHA1
|
||||
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
|
||||
#define SSL_aDSA 0x00000004L
|
||||
#define SSL_DSA SSL_aDSA
|
||||
#define SSL_eNULL 0x00000008L
|
||||
#define SSL_DES 0x00000010L
|
||||
#define SSL_3DES 0x00000020L
|
||||
#define SSL_RC4 0x00000040L
|
||||
#define SSL_RC2 0x00000080L
|
||||
#define SSL_AES128 0x00000100L
|
||||
#define SSL_AES256 0x00000200L
|
||||
-#define SSL_AES (SSL_AES128|SSL_AES256)
|
||||
#define SSL_MD5 0x00000400L
|
||||
#define SSL_SHA1 0x00000800L
|
||||
#define SSL_kEDH 0x00001000L
|
||||
#define SSL_CAMELLIA128 0x00002000L
|
||||
#define SSL_CAMELLIA256 0x00004000L
|
||||
-#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
|
||||
#define SSL_SEED 0x00008000L
|
||||
#define SSL_kECDH 0x00010000L
|
||||
#define SSL_kECDHE 0x00020000L
|
||||
#define SSL_aECDSA 0x00040000L
|
||||
+#define SSL_kRSA 0x00000001L
|
||||
+#define SSL_aRSA 0x00000002L
|
||||
+#define SSL_aDSA 0x00000004L
|
||||
+#define SSL_DSA SSL_aDSA
|
||||
+#define SSL_eNULL 0x00000008L
|
||||
+#define SSL_DES 0x00000010L
|
||||
+#define SSL_3DES 0x00000020L
|
||||
+#define SSL_RC4 0x00000040L
|
||||
+#define SSL_RC2 0x00000080L
|
||||
+#define SSL_AES128 0x00000100L
|
||||
+#define SSL_AES256 0x00000200L
|
||||
+#define SSL_MD5 0x00000400L
|
||||
+#define SSL_SHA1 0x00000800L
|
||||
+#define SSL_kEDH 0x00001000L
|
||||
+#define SSL_CAMELLIA128 0x00002000L
|
||||
+#define SSL_CAMELLIA256 0x00004000L
|
||||
+#define SSL_SEED 0x00008000L
|
||||
+#define SSL_kECDH 0x00010000L
|
||||
+#define SSL_kECDHE 0x00020000L
|
||||
+#define SSL_aECDSA 0x00040000L
|
||||
+#define SSL_SHA256 0x00080000L
|
||||
+#define SSL_SHA384 0x00100000L
|
||||
+#define SSL_kEECDH 0x00200000L
|
||||
@ -47,7 +67,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
|
||||
/* cipher strength */
|
||||
#define SSL_NULL 0x00000001L
|
||||
@@ -237,10 +251,14 @@ typedef struct {
|
||||
@@ -240,10 +257,14 @@ typedef struct {
|
||||
#define SSL_MEDIUM 0x00000010L
|
||||
#define SSL_HIGH 0x00000020L
|
||||
|
||||
@ -62,3 +82,13 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
|
||||
/* Cipher translation */
|
||||
static cipher_properties ciphers_def[] = {
|
||||
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
|
||||
+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
|
||||
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
|
||||
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
|
||||
|
||||
/* OpenLDAP SASL options */
|
||||
#define LDAP_OPT_X_SASL_MECH 0x6100
|
||||
|
@ -6,41 +6,37 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
|
||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
--- a/libraries/libldap/tls_m.c
|
||||
+++ b/libraries/libldap/tls_m.c
|
||||
@@ -255,69 +255,103 @@ typedef struct {
|
||||
@@ -268,29 +268,104 @@ typedef struct {
|
||||
|
||||
/* Cipher translation */
|
||||
static cipher_properties ciphers_def[] = {
|
||||
|
||||
- /*
|
||||
- * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
|
||||
- */
|
||||
- /* SSL 2 ciphers */
|
||||
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
|
||||
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
||||
-
|
||||
/* SSLv2 ciphers */
|
||||
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED},
|
||||
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED},
|
||||
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
|
||||
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
|
||||
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
|
||||
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
|
||||
- /* SSL3 ciphers */
|
||||
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
|
||||
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+
|
||||
+ /* SSLv2 ciphers */
|
||||
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW},
|
||||
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
|
||||
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM},
|
||||
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM},
|
||||
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40},
|
||||
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40},
|
||||
|
||||
/* SSLv3 ciphers */
|
||||
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
|
||||
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
|
||||
- {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
|
||||
- {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
|
||||
+
|
||||
+ /* SSLv3 ciphers */
|
||||
+ {"NULL-MD5", TLS_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_MD5 */
|
||||
+ {"NULL-SHA", TLS_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_SHA */
|
||||
+ {"DES-CBC-SHA", TLS_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_RSA_WITH_DES_CBC_SHA */
|
||||
@ -55,42 +51,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
+ {"EDH-DSS-DES-CBC3-SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
|
||||
|
||||
/* TLSv1 ciphers */
|
||||
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
|
||||
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
|
||||
- {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
||||
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
||||
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56},
|
||||
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56},
|
||||
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM},
|
||||
|
@ -6,7 +6,7 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
|
||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
--- a/libraries/libldap/tls_m.c
|
||||
+++ b/libraries/libldap/tls_m.c
|
||||
@@ -597,10 +597,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
@@ -617,10 +617,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
while ((*cipher) && (isspace(*cipher)))
|
||||
++cipher;
|
||||
|
||||
@ -22,7 +22,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
cipher++;
|
||||
break;
|
||||
case '-': /* Subtract something */
|
||||
@@ -611,8 +613,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
@@ -631,8 +633,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
action = -1;
|
||||
cipher++;
|
||||
break;
|
||||
@ -33,7 +33,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -646,7 +648,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
@@ -666,7 +668,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
}
|
||||
} else {
|
||||
int mask = 0;
|
||||
@ -44,7 +44,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
int protocol = 0;
|
||||
char *c;
|
||||
|
||||
@@ -657,16 +662,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
@@ -677,12 +682,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
*c++ = '\0';
|
||||
}
|
||||
|
||||
@ -57,10 +57,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
+ negative_mask |= SSL_kECDH;
|
||||
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
|
||||
mask |= SSL_eNULL;
|
||||
} else if (!strcmp(cipher, "AES128")) {
|
||||
mask |= SSL_AES128;
|
||||
} else if (!strcmp(cipher, "AES256")) {
|
||||
mask |= SSL_AES256;
|
||||
+ } else if (!strcmp(cipher, "AES128")) {
|
||||
+ mask |= SSL_AES128;
|
||||
+ } else if (!strcmp(cipher, "AES256")) {
|
||||
+ mask |= SSL_AES256;
|
||||
+ } else if (!strcmp(cipher, "AESGCM")) {
|
||||
+ mask |= SSL_AESGCM;
|
||||
} else if (!strcmp(cipher, "AES")) {
|
||||
@ -69,7 +69,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
} else if (!strcmp(cipher, "3DES")) {
|
||||
mask |= SSL_3DES;
|
||||
} else if (!strcmp(cipher, "DES")) {
|
||||
@@ -673,44 +687,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
@@ -693,26 +707,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
mask |= SSL_RC2;
|
||||
} else if (!strcmp(cipher, "MD5")) {
|
||||
mask |= SSL_MD5;
|
||||
@ -79,29 +79,18 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
+ mask |= SSL_SHA384;
|
||||
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
|
||||
mask |= SSL_SHA1;
|
||||
- } else if (!strcmp(cipher, "EDH")) {
|
||||
- mask |= SSL_kEDH;
|
||||
- } else if (!strcmp(cipher, "DSS")) {
|
||||
- mask |= SSL_aDSA;
|
||||
+ } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) {
|
||||
+ mask |= SSL_kEDH;
|
||||
+ } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
|
||||
+ mask |= SSL_aDSA;
|
||||
} else if (!strcmp(cipher, "CAMELLIA128")) {
|
||||
mask |= SSL_CAMELLIA128;
|
||||
} else if (!strcmp(cipher, "CAMELLIA256")) {
|
||||
mask |= SSL_CAMELLIA256;
|
||||
} else if (!strcmp(cipher, "CAMELLIA")) {
|
||||
- mask |= SSL_CAMELLIA;
|
||||
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
|
||||
+ mask |= SSL_CAMELLIA128;
|
||||
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
|
||||
+ mask |= SSL_CAMELLIA256;
|
||||
+ } else if (!strcmp(cipher, "CAMELLIA")) {
|
||||
+ multi_mask |= SSL_CAMELLIA;
|
||||
} else if (!strcmp(cipher, "SEED")) {
|
||||
mask |= SSL_SEED;
|
||||
- } else if (!strcmp(cipher, "ECDH")) {
|
||||
- mask |= SSL_kECDH;
|
||||
- } else if (!strcmp(cipher, "ECDHE")) {
|
||||
- mask |= SSL_kECDHE;
|
||||
- } else if (!strcmp(cipher, "ECDSA")) {
|
||||
- mask |= SSL_aECDSA;
|
||||
+ } else if (!strcmp(cipher, "SEED")) {
|
||||
+ mask |= SSL_SEED;
|
||||
+ } else if (!strcmp(cipher, "kECDHe")) {
|
||||
+ mask |= SSL_kECDH|SSL_aECDSA;
|
||||
+ } else if (!strcmp(cipher, "kECDHr")) {
|
||||
@ -150,7 +139,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
}
|
||||
|
||||
if (c)
|
||||
@@ -700,23 +751,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
@@ -720,23 +775,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
|
||||
} /* while */
|
||||
|
||||
|
@ -10,23 +10,6 @@ RHBZ: #1375432
|
||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
--- a/libraries/libldap/tls_m.c
|
||||
+++ b/libraries/libldap/tls_m.c
|
||||
@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg )
|
||||
}
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
|
||||
- *
|
||||
- * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
|
||||
- */
|
||||
- SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
|
||||
- range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
|
||||
- variant = ssl_variant_stream;
|
||||
- SSL_VersionRangeSetDefault(variant, &range);
|
||||
-
|
||||
NSS_SetDomesticPolicy();
|
||||
|
||||
PK11_SetPasswordFunc( tlsm_pin_prompt );
|
||||
@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
|
||||
0, 0, 0 );
|
||||
return -1;
|
||||
|
@ -1,193 +0,0 @@
|
||||
MozNSS: update list of supported cipher suites
|
||||
|
||||
The updated list includes all ciphers implemented in Mozilla NSS 3.13.15
|
||||
|
||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
Upstream ITS: #7374
|
||||
|
||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
index 1422ce2..5e49fc5 100644
|
||||
--- a/libraries/libldap/tls_m.c
|
||||
+++ b/libraries/libldap/tls_m.c
|
||||
@@ -211,27 +211,34 @@ typedef struct {
|
||||
int num; /* The cipher id */
|
||||
int attr; /* cipher attributes: algorithms, etc */
|
||||
int version; /* protocol version valid for this cipher */
|
||||
- int bits; /* bits of strength */
|
||||
- int alg_bits; /* bits of the algorithm */
|
||||
int strength; /* LOW, MEDIUM, HIGH */
|
||||
int enabled; /* Enabled by default? */
|
||||
} cipher_properties;
|
||||
|
||||
/* cipher attributes */
|
||||
-#define SSL_kRSA 0x00000001L
|
||||
-#define SSL_aRSA 0x00000002L
|
||||
-#define SSL_aDSS 0x00000004L
|
||||
-#define SSL_DSS SSL_aDSS
|
||||
-#define SSL_eNULL 0x00000008L
|
||||
-#define SSL_DES 0x00000010L
|
||||
-#define SSL_3DES 0x00000020L
|
||||
-#define SSL_RC4 0x00000040L
|
||||
-#define SSL_RC2 0x00000080L
|
||||
-#define SSL_AES 0x00000100L
|
||||
-#define SSL_MD5 0x00000200L
|
||||
-#define SSL_SHA1 0x00000400L
|
||||
-#define SSL_SHA SSL_SHA1
|
||||
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
|
||||
+#define SSL_kRSA 0x00000001L
|
||||
+#define SSL_aRSA 0x00000002L
|
||||
+#define SSL_RSA (SSL_kRSA|SSL_aRSA)
|
||||
+#define SSL_aDSA 0x00000004L
|
||||
+#define SSL_DSA SSL_aDSA
|
||||
+#define SSL_eNULL 0x00000008L
|
||||
+#define SSL_DES 0x00000010L
|
||||
+#define SSL_3DES 0x00000020L
|
||||
+#define SSL_RC4 0x00000040L
|
||||
+#define SSL_RC2 0x00000080L
|
||||
+#define SSL_AES128 0x00000100L
|
||||
+#define SSL_AES256 0x00000200L
|
||||
+#define SSL_AES (SSL_AES128|SSL_AES256)
|
||||
+#define SSL_MD5 0x00000400L
|
||||
+#define SSL_SHA1 0x00000800L
|
||||
+#define SSL_kEDH 0x00001000L
|
||||
+#define SSL_CAMELLIA128 0x00002000L
|
||||
+#define SSL_CAMELLIA256 0x00004000L
|
||||
+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
|
||||
+#define SSL_SEED 0x00008000L
|
||||
+#define SSL_kECDH 0x00010000L
|
||||
+#define SSL_kECDHE 0x00020000L
|
||||
+#define SSL_aECDSA 0x00040000L
|
||||
|
||||
/* cipher strength */
|
||||
#define SSL_NULL 0x00000001L
|
||||
@@ -248,29 +255,70 @@ typedef struct {
|
||||
|
||||
/* Cipher translation */
|
||||
static cipher_properties ciphers_def[] = {
|
||||
- /* SSL 2 ciphers */
|
||||
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
|
||||
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
||||
-
|
||||
- /* SSL3 ciphers */
|
||||
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
|
||||
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
|
||||
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+
|
||||
+ /*
|
||||
+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
|
||||
+ */
|
||||
+
|
||||
+ /* SSLv2 ciphers */
|
||||
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED},
|
||||
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED},
|
||||
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
|
||||
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
|
||||
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
|
||||
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
|
||||
+
|
||||
+ /* SSLv3 ciphers */
|
||||
+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
|
||||
+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
|
||||
+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
|
||||
+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
|
||||
+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
|
||||
+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
|
||||
|
||||
/* TLSv1 ciphers */
|
||||
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
||||
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
||||
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
|
||||
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
|
||||
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
|
||||
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
|
||||
+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
|
||||
+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
|
||||
};
|
||||
|
||||
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
|
||||
@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
mask |= SSL_RSA;
|
||||
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
|
||||
mask |= SSL_eNULL;
|
||||
+ } else if (!strcmp(cipher, "AES128")) {
|
||||
+ mask |= SSL_AES128;
|
||||
+ } else if (!strcmp(cipher, "AES256")) {
|
||||
+ mask |= SSL_AES256;
|
||||
} else if (!strcmp(cipher, "AES")) {
|
||||
mask |= SSL_AES;
|
||||
} else if (!strcmp(cipher, "3DES")) {
|
||||
@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
||||
mask |= SSL_MD5;
|
||||
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
|
||||
mask |= SSL_SHA1;
|
||||
+ } else if (!strcmp(cipher, "EDH")) {
|
||||
+ mask |= SSL_kEDH;
|
||||
+ } else if (!strcmp(cipher, "DSS")) {
|
||||
+ mask |= SSL_aDSA;
|
||||
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
|
||||
+ mask |= SSL_CAMELLIA128;
|
||||
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
|
||||
+ mask |= SSL_CAMELLIA256;
|
||||
+ } else if (!strcmp(cipher, "CAMELLIA")) {
|
||||
+ mask |= SSL_CAMELLIA;
|
||||
+ } else if (!strcmp(cipher, "SEED")) {
|
||||
+ mask |= SSL_SEED;
|
||||
+ } else if (!strcmp(cipher, "ECDH")) {
|
||||
+ mask |= SSL_kECDH;
|
||||
+ } else if (!strcmp(cipher, "ECDHE")) {
|
||||
+ mask |= SSL_kECDHE;
|
||||
+ } else if (!strcmp(cipher, "ECDSA")) {
|
||||
+ mask |= SSL_aECDSA;
|
||||
} else if (!strcmp(cipher, "SSLv2")) {
|
||||
protocol |= SSL2;
|
||||
} else if (!strcmp(cipher, "SSLv3")) {
|
||||
--
|
||||
1.7.11.4
|
||||
|
@ -1,54 +0,0 @@
|
||||
Support TLSv1 and later.
|
||||
|
||||
Author: Mark Reynolds <mreynolds@redhat.com>
|
||||
Backported-by: Jan Synacek <jsynacek@redhat.com>
|
||||
Upstream ITS: #7979
|
||||
Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
|
||||
|
||||
--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100
|
||||
+++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100
|
||||
@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
|
||||
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||||
break;
|
||||
default:
|
||||
- success = SECFailure;
|
||||
+ success = SECFailure;
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
|
||||
NSSInitContext *initctx = NULL;
|
||||
PK11SlotInfo *certdb_slot = NULL;
|
||||
#endif
|
||||
+ SSLVersionRange range;
|
||||
+ SSLProtocolVariant variant;
|
||||
SECStatus rc;
|
||||
int done = 0;
|
||||
|
||||
@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
|
||||
}
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
|
||||
+ *
|
||||
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
|
||||
+ */
|
||||
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
|
||||
+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
|
||||
+ variant = ssl_variant_stream;
|
||||
+ SSL_VersionRangeSetDefault(variant, &range);
|
||||
+
|
||||
NSS_SetDomesticPolicy();
|
||||
|
||||
PK11_SetPasswordFunc( tlsm_pin_prompt );
|
||||
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
|
||||
+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
|
||||
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
|
||||
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
|
||||
|
||||
/* OpenLDAP SASL options */
|
||||
#define LDAP_OPT_X_SASL_MECH 0x6100
|
@ -5,7 +5,7 @@
|
||||
|
||||
Name: openldap
|
||||
Version: 2.4.44
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
Summary: LDAP support libraries
|
||||
Group: System Environment/Daemons
|
||||
License: OpenLDAP
|
||||
@ -29,7 +29,6 @@ Patch3: openldap-smbk5pwd-overlay.patch
|
||||
Patch4: openldap-man-sasl-nocanon.patch
|
||||
Patch5: openldap-ai-addrconfig.patch
|
||||
# nss patches, unlikely to ever get upstreamed
|
||||
Patch11: openldap-nss-update-list-of-ciphers.patch
|
||||
Patch12: openldap-tls-no-reuse-of-tls_session.patch
|
||||
Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
|
||||
Patch14: openldap-nss-ignore-certdb-type-prefix.patch
|
||||
@ -44,8 +43,6 @@ Patch17: openldap-allop-overlay.patch
|
||||
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
|
||||
# ldapi sasl fix pending upstream inclusion
|
||||
Patch20: openldap-ldapi-sasl.patch
|
||||
# TLSv1 support, already included upstream
|
||||
Patch21: openldap-support-tlsv1-and-later.patch
|
||||
Patch22: openldap-nss-protocol-version-new-api.patch
|
||||
|
||||
Patch50: openldap-nss-cipher-attributes.patch
|
||||
@ -145,7 +142,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
@ -154,7 +150,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
|
||||
%patch17 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
|
||||
%patch50 -p1
|
||||
@ -553,6 +548,9 @@ exit 0
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8
|
||||
- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435689)
|
||||
|
||||
* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
|
||||
- NSS: Update list of ciphers (#1387868)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user