basebuilder_pel7ppc64bebuilder0
6 years ago
53 changed files with 2529 additions and 155 deletions
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk |
||||
--- nss/lib/ssl/config.mk.disableSSL2libssl 2017-01-04 15:24:24.000000000 +0100 |
||||
+++ nss/lib/ssl/config.mk 2017-01-16 10:53:47.629894929 +0100 |
||||
@@ -69,3 +69,8 @@ endif |
||||
ifdef NSS_DISABLE_TLS_1_3 |
||||
DEFINES += -DNSS_DISABLE_TLS_1_3 |
||||
endif |
||||
+ |
||||
+ifdef NSS_NO_SSL2 |
||||
+DEFINES += -DNSS_NO_SSL2 |
||||
+endif |
||||
+ |
||||
diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c |
||||
--- nss/lib/ssl/sslsock.c.disableSSL2libssl 2017-01-16 10:53:47.615895344 +0100 |
||||
+++ nss/lib/ssl/sslsock.c 2017-01-16 10:54:16.088051233 +0100 |
||||
@@ -1221,6 +1221,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
||||
static PRBool |
||||
ssl_IsRemovedCipherSuite(PRInt32 suite) |
||||
{ |
||||
+#ifdef NSS_NO_SSL2 |
||||
+ if (SSL_IS_SSL2_CIPHER(suite)) |
||||
+ return PR_TRUE; |
||||
+#endif /* NSS_NO_SSL2 */ |
||||
switch (suite) { |
||||
case SSL_FORTEZZA_DMS_WITH_NULL_SHA: |
||||
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: |
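Review bot: The `ifdef NSS_NO_SSL2` test in config.mk is true for any non-empty value, so a build with `NSS_NO_SSL2=0` still compiles the SSL2 check into `ssl_IsRemovedCipherSuite`, whereas the ssl.sh patch later on this page switches test lists only when the variable equals `1`. The two should agree: either use `ifeq ($(NSS_NO_SSL2),1)` here, or document the rule above the block, e.g. `# NSS_NO_SSL2: set to 1 to compile out SSL2 cipher suites (any non-empty value counts)`. The body of `ssl_IsRemovedCipherSuite` continues past the end of the hunk.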
@ -0,0 +1,66 @@
@@ -0,0 +1,66 @@
|
||||
diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh |
||||
--- nss/tests/ssl/ssl.sh.disableSSL2tests 2018-03-05 16:58:32.000000000 +0100 |
||||
+++ nss/tests/ssl/ssl.sh 2018-03-09 17:24:07.047568191 +0100 |
||||
@@ -68,9 +68,14 @@ ssl_init() |
||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} |
||||
|
||||
# Test case files |
||||
- SSLCOV=${QADIR}/ssl/sslcov.txt |
||||
+ if [ "${NSS_NO_SSL2}" = "1" ]; then |
||||
+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt |
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt |
||||
+ else |
||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt |
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt |
||||
+ fi |
||||
SSLAUTH=${QADIR}/ssl/sslauth.txt |
||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt |
||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt |
||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat |
||||
|
||||
@@ -128,7 +133,11 @@ is_selfserv_alive() |
||||
fi |
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null" |
||||
+ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then |
||||
+ echo "No server to kill" |
||||
+ else |
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" |
||||
+ fi |
||||
|
||||
echo "selfserv with PID ${PID} found at `date`" |
||||
} |
||||
@@ -152,7 +161,11 @@ wait_for_selfserv() |
||||
${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ |
||||
-d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} |
||||
if [ $? -ne 0 ]; then |
||||
+ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then |
||||
+ html_passed "Server never started" |
||||
+ else |
||||
html_failed "Waiting for Server" |
||||
+ fi |
||||
fi |
||||
fi |
||||
is_selfserv_alive |
||||
@@ -275,7 +288,7 @@ ssl_cov() |
||||
start_selfserv # Launch the server |
||||
|
||||
VMIN="ssl3" |
||||
- VMAX="tls1.1" |
||||
+ VMAX="tls1.2" |
||||
|
||||
ignore_blank_lines ${SSLCOV} | \ |
||||
while read ectype testmax param testname |
||||
@@ -283,6 +296,12 @@ ssl_cov() |
||||
echo "${testname}" | grep "EXPORT" > /dev/null |
||||
EXP=$? |
||||
|
||||
+ # skip export tests |
||||
+ if [ ${EXP} -eq 0 ]; then |
||||
+ echo "export test skipped" |
||||
+ continue |
||||
+ fi |
||||
+ |
||||
if [ "$ectype" = "ECC" ] ; then |
||||
echo "$SCRIPTNAME: skipping $testname (ECC only)" |
||||
else |
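Review bot: The new branch in `wait_for_selfserv` reports `html_passed "Server never started"` when `tstclnt` fails, and the matching branch in `is_selfserv_alive` skips the `kill -0` check, so with `NSS_NO_SSL2=1` a selfserv that failed to start for an unrelated reason is recorded as a pass. `EXP` and `SSL2` are assigned outside these hunks; in bash an unset or empty variable inside `[[ ]]` compares equal to 0, so the bypass also applies whenever either one has not been set yet. Consider requiring an explicit value, e.g. `[ "${EXP:-1}" -eq 0 ] || [ "${SSL2:-1}" -eq 0 ]`, which also avoids the bash-only `[[ ]]`. A comment should state which server start-up failures are expected in this configuration.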
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -0,0 +1,16 @@
@@ -0,0 +1,16 @@
|
||||
diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk |
||||
--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700 |
||||
+++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700 |
||||
@@ -174,6 +174,12 @@ endif |
||||
endif |
||||
endif |
||||
|
||||
+# harden DSOs/executables a bit against exploits |
||||
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE)))) |
||||
+DSO_LDOPTS+=-Wl,-z,relro |
||||
+LDFLAGS += -Wl,-z,relro |
||||
+endif |
||||
+ |
||||
USE_SYSTEM_ZLIB = 1 |
||||
ZLIB_LIBS = -lz |
||||
|
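Review bot: `-Wl,-z,relro` on its own gives partial RELRO: the GOT entries used for lazy binding stay writable after start-up, so the hardening this block adds stops short of what its comment suggests. If the start-up cost of eager binding is acceptable, `DSO_LDOPTS += -Wl,-z,relro -Wl,-z,now` (and the same for `LDFLAGS`) makes the whole GOT read-only. The version guard compares release strings as text through `$(sort ...)`, so it is worth a comment stating which `OS_RELEASE` values it is meant to accept.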
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -0,0 +1,59 @@
@@ -0,0 +1,59 @@
|
||||
<?xml version='1.0' encoding='utf-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="cert8.db"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>cert8.db</refentrytitle> |
||||
<manvolnum>5</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>cert8.db</refname> |
||||
<refpurpose>Legacy NSS certificate database</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para> |
||||
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
<para><filename>/etc/pki/nssdb/cert8.db</filename></para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>See also</title> |
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
|
||||
</refsection> |
||||
|
||||
|
||||
</refentry> |
@ -0,0 +1,59 @@
@@ -0,0 +1,59 @@
|
||||
<?xml version='1.0' encoding='utf-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="cert9.db"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>cert9.db</refentrytitle> |
||||
<manvolnum>5</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>cert9.db</refname> |
||||
<refpurpose>Legacy NSS certificate database</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
<para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para> |
||||
<para>This certificate database is the sqlite-based shared databse with support for concurrent access. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
<para><filename>/etc/pki/nssdb/cert9.db</filename></para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>See also</title> |
||||
<para>pkcs11.txt(5)</para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
|
||||
</refsection> |
||||
|
||||
|
||||
</refentry> |
@ -0,0 +1,79 @@
@@ -0,0 +1,79 @@
|
||||
diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c |
||||
--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 |
||||
+++ nss/lib/pk11wrap/pk11pars.c 2018-03-09 17:24:39.815838810 +0100 |
||||
@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar |
||||
|
||||
mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc); |
||||
mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc); |
||||
+ /* if the system FIPS mode is enabled, force FIPS to be on */ |
||||
+ if (SECMOD_GetSystemFIPSEnabled()) { |
||||
+ mod->isFIPS = PR_TRUE; |
||||
+ } |
||||
mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc); |
||||
slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc); |
||||
mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams, |
||||
diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c |
||||
--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 |
||||
+++ nss/lib/pk11wrap/pk11util.c 2018-03-09 17:25:46.804347730 +0100 |
||||
@@ -95,6 +95,26 @@ SECMOD_Shutdown() |
||||
return SECSuccess; |
||||
} |
||||
|
||||
+int SECMOD_GetSystemFIPSEnabled(void) { |
||||
+#ifdef LINUX |
||||
+ FILE *f; |
||||
+ char d; |
||||
+ size_t size; |
||||
+ |
||||
+ f = fopen("/proc/sys/crypto/fips_enabled", "r"); |
||||
+ if (!f) |
||||
+ return 0; |
||||
+ |
||||
+ size = fread(&d, 1, 1, f); |
||||
+ fclose(f); |
||||
+ if (size != 1) |
||||
+ return 0; |
||||
+ if (d == '1') |
||||
+ return 1; |
||||
+#endif |
||||
+ return 0; |
||||
+} |
||||
+ |
||||
/* |
||||
* retrieve the internal module |
||||
*/ |
||||
@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char * |
||||
SECMODModuleList **mlpp; |
||||
SECStatus rv = SECFailure; |
||||
|
||||
- if (pendingModule) { |
||||
+ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) { |
||||
PORT_SetError(SEC_ERROR_MODULE_STUCK); |
||||
return rv; |
||||
} |
||||
@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void) |
||||
#ifdef NSS_FIPS_DISABLED |
||||
return PR_FALSE; |
||||
#else |
||||
- return (PRBool)(pendingModule == NULL); |
||||
+ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); |
||||
#endif |
||||
} |
||||
|
||||
diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h |
||||
--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 |
||||
+++ nss/lib/pk11wrap/secmodi.h 2018-03-09 17:24:39.816838788 +0100 |
||||
@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd |
||||
CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, |
||||
SECItem **param, SECItem *pwd, PRBool faulty3DES); |
||||
|
||||
+/* Get the state of the system FIPS mode */ |
||||
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which |
||||
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or |
||||
+ * from FIPS mode will automatically be told that they can't swith out of FIPS |
||||
+ * mode */ |
||||
+int SECMOD_GetSystemFIPSEnabled(); |
||||
+ |
||||
extern void pk11sdr_Init(void); |
||||
extern void pk11sdr_Shutdown(void); |
||||
|
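Review bot: `SECMOD_GetSystemFIPSEnabled()` returns 0 both when `/proc/sys/crypto/fips_enabled` holds something other than `1` and when the file cannot be opened or read. A process that cannot see /proc (chroot, restricted sandbox) is therefore treated as non-FIPS, and the forced `mod->isFIPS = PR_TRUE` and the `SECMOD_DeleteInternalModule` guard are skipped without any trace. If that is the intended policy, say so above the function, e.g. `/* An unreadable fips_enabled file is treated as FIPS off. */`; otherwise distinguish the error case from the "0" case. The declaration in secmodi.h should be a prototype, `int SECMOD_GetSystemFIPSEnabled(void);`, and its comment misspells `SECMOD_CanDeleteInternalModule` and `switch`.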
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
diff -up ./lib/ssl/sslsock.c.1171318 ./lib/ssl/sslsock.c |
||||
--- ./lib/ssl/sslsock.c.1171318 2016-02-04 10:57:08.489310227 -0800 |
||||
+++ ./lib/ssl/sslsock.c 2016-02-04 11:02:59.290818001 -0800 |
||||
@@ -92,7 +92,7 @@ static sslOptions ssl_defaults = { |
||||
* default range of enabled SSL/TLS protocols |
||||
*/ |
||||
static SSLVersionRange versions_defaults_stream = { |
||||
- SSL_LIBRARY_VERSION_TLS_1_0, |
||||
+ SSL_LIBRARY_VERSION_3_0, |
||||
SSL_LIBRARY_VERSION_TLS_1_2 |
||||
}; |
||||
|
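Review bot: Lowering the first member of `versions_defaults_stream` to `SSL_LIBRARY_VERSION_3_0` puts SSL 3.0 into the default enabled range for every stream socket that does not set its own version range, and the hunk carries no comment explaining why. SSL 3.0 is deprecated (RFC 7568), so a default like this should at least state its reason and how to opt out, e.g. `/* SSL 3.0 kept in the default range for compatibility with <reason>; callers should raise the minimum with SSL_VersionRangeSet(). */`. Whether a policy layer elsewhere narrows this range again is not visible from the hunk.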
@ -0,0 +1,59 @@
@@ -0,0 +1,59 @@
|
||||
<?xml version='1.0' encoding='utf-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="key3.db"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>key3.db</refentrytitle> |
||||
<manvolnum>5</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>key3.db</refname> |
||||
<refpurpose>Legacy NSS certificate database</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para> |
||||
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
<para><filename>/etc/pki/nssdb/key3.db</filename></para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>See also</title> |
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
|
||||
</refsection> |
||||
|
||||
|
||||
</refentry> |
@ -0,0 +1,59 @@
@@ -0,0 +1,59 @@
|
||||
<?xml version='1.0' encoding='utf-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="key4.db"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>key4.db</refentrytitle> |
||||
<manvolnum>5</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>key4.db</refname> |
||||
<refpurpose>NSS certificate database</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
<para><emphasis>key4.db</emphasis> is an NSS key database.</para> |
||||
<para>This key database is the sqlite-based shared database format with support for concurrent access. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
<para><filename>/etc/pki/nssdb/key4.db</filename></para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>See also</title> |
||||
<para>pkcs11.txt(5)</para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
|
||||
</refsection> |
||||
|
||||
|
||||
</refentry> |
@ -0,0 +1,11 @@
@@ -0,0 +1,11 @@
|
||||
diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios |
||||
--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700 |
||||
+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700 |
||||
@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg |
||||
realcerts.cfg |
||||
dsa.cfg |
||||
revoc.cfg |
||||
-ocsp.cfg |
||||
crldp.cfg |
||||
trustanchors.cfg |
||||
nameconstraints.cfg |
@ -0,0 +1,44 @@
@@ -0,0 +1,44 @@
|
||||
diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c |
||||
--- nss/cmd/httpserv/httpserv.c.539183 2016-08-15 17:58:41.756630037 +0200 |
||||
+++ nss/cmd/httpserv/httpserv.c 2016-08-15 18:04:13.559131620 +0200 |
||||
@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port |
||||
PRNetAddr addr; |
||||
PRSocketOptionData opt; |
||||
|
||||
- addr.inet.family = PR_AF_INET; |
||||
- addr.inet.ip = PR_INADDR_ANY; |
||||
- addr.inet.port = PR_htons(port); |
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { |
||||
+ errExit("PR_SetNetAddr"); |
||||
+ } |
||||
|
||||
- listen_sock = PR_NewTCPSocket(); |
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); |
||||
if (listen_sock == NULL) { |
||||
- errExit("PR_NewTCPSocket"); |
||||
+ errExit("PR_OpenTCPSocket error"); |
||||
} |
||||
|
||||
opt.option = PR_SockOpt_Nonblocking; |
||||
diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c |
||||
--- nss/cmd/selfserv/selfserv.c.539183 2016-08-15 17:58:41.756630037 +0200 |
||||
+++ nss/cmd/selfserv/selfserv.c 2016-08-15 18:05:11.027487891 +0200 |
||||
@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port |
||||
PRNetAddr addr; |
||||
PRSocketOptionData opt; |
||||
|
||||
- addr.inet.family = PR_AF_INET; |
||||
- addr.inet.ip = PR_INADDR_ANY; |
||||
- addr.inet.port = PR_htons(port); |
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { |
||||
+ errExit("PR_SetNetAddr"); |
||||
+ } |
||||
|
||||
- listen_sock = PR_NewTCPSocket(); |
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); |
||||
if (listen_sock == NULL) { |
||||
- errExit("PR_NewTCPSocket"); |
||||
+ errExit("PR_OpenTCPSocket error"); |
||||
} |
||||
|
||||
opt.option = PR_SockOpt_Nonblocking; |
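Review bot: `getBoundListenSocket` now creates only an AF_INET6 listener bound to `PR_IpAddrAny`, so IPv4 clients reach it only through IPv4-mapped addresses, while the ssl.sh patch on this page still runs `tstclnt -4` against selfserv. Whether that works depends on the platform's dual-stack behaviour, which the hunk neither sets nor documents; a comment such as `/* AF_INET6 wildcard socket; relies on dual-stack to accept IPv4 clients */` would record the assumption. The new label `errExit("PR_OpenTCPSocket error")` is inconsistent with `errExit("PR_SetNetAddr")` just above it, which passes only the function name. Both points apply equally to the selfserv.c hunk, and in both files the function continues beyond the hunk.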
@ -0,0 +1,49 @@
@@ -0,0 +1,49 @@
|
||||
diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c |
||||
--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-02-28 10:49:53.811343156 +0100 |
||||
+++ nss/lib/pk11wrap/pk11pars.c 2017-02-28 10:59:41.178647490 +0100 |
||||
@@ -109,6 +109,7 @@ secmod_NewModule(void) |
||||
*other flags are set */ |
||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02 |
||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04 |
||||
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08 |
||||
|
||||
/* private flags for internal (field in SECMODModule). */ |
||||
/* The meaing of these flags is as follows: |
||||
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar |
||||
if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) { |
||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB; |
||||
} |
||||
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) { |
||||
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY; |
||||
+ } |
||||
/* additional moduleDB flags could be added here in the future */ |
||||
mod->isModuleDB = (PRBool)flags; |
||||
} |
||||
@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule |
||||
} |
||||
|
||||
PRBool |
||||
+secmod_PolicyOnly(SECMODModule *mod) |
||||
+{ |
||||
+ char flags = (char) mod->isModuleDB; |
||||
+ |
||||
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE; |
||||
+} |
||||
+ |
||||
+PRBool |
||||
secmod_IsInternalKeySlot(SECMODModule *mod) |
||||
{ |
||||
char flags = (char)mod->internal; |
||||
@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM |
||||
if (!module) { |
||||
goto loser; |
||||
} |
||||
+ |
||||
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already |
||||
+ * been parsed as a side effect of the CreateModuleEx call */ |
||||
+ if (secmod_PolicyOnly(module)) { |
||||
+ return module; |
||||
+ } |
||||
if (parent) { |
||||
module->parent = SECMOD_ReferenceModule(parent); |
||||
if (module->internal && secmod_IsInternalKeySlot(parent)) { |
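Review bot: The early `return module;` for a policy-only stanza in `SECMOD_LoadModule` hands callers a non-NULL module that skipped everything after this point in the function, including the `module->parent` reference taken just below. Callers that treat a non-NULL result as a usable, loaded module need to know about this case, so the function's header comment should say that a `policyOnly` stanza yields a module object that was parsed but not loaded. `secmod_PolicyOnly` is defined without `static`; if nothing outside pk11pars.c calls it (not visible here), declare it `static PRBool`. `SECMOD_LoadModule` begins and ends outside the hunk.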
@ -0,0 +1,145 @@
@@ -0,0 +1,145 @@
|
||||
#!/bin/sh |
||||
|
||||
prefix=@prefix@ |
||||
|
||||
major_version=@MOD_MAJOR_VERSION@ |
||||
minor_version=@MOD_MINOR_VERSION@ |
||||
patch_version=@MOD_PATCH_VERSION@ |
||||
|
||||
usage() |
||||
{ |
||||
cat <<EOF |
||||
Usage: nss-config [OPTIONS] [LIBRARIES] |
||||
Options: |
||||
[--prefix[=DIR]] |
||||
[--exec-prefix[=DIR]] |
||||
[--includedir[=DIR]] |
||||
[--libdir[=DIR]] |
||||
[--version] |
||||
[--libs] |
||||
[--cflags] |
||||
Dynamic Libraries: |
||||
nss |
||||
nssutil |
||||
ssl |
||||
smime |
||||
EOF |
||||
exit $1 |
||||
} |
||||
|
||||
if test $# -eq 0; then |
||||
usage 1 1>&2 |
||||
fi |
||||
|
||||
lib_ssl=yes |
||||
lib_smime=yes |
||||
lib_nss=yes |
||||
lib_nssutil=yes |
||||
|
||||
while test $# -gt 0; do |
||||
case "$1" in |
||||
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; |
||||
*) optarg= ;; |
||||
esac |
||||
|
||||
case $1 in |
||||
--prefix=*) |
||||
prefix=$optarg |
||||
;; |
||||
--prefix) |
||||
echo_prefix=yes |
||||
;; |
||||
--exec-prefix=*) |
||||
exec_prefix=$optarg |
||||
;; |
||||
--exec-prefix) |
||||
echo_exec_prefix=yes |
||||
;; |
||||
--includedir=*) |
||||
includedir=$optarg |
||||
;; |
||||
--includedir) |
||||
echo_includedir=yes |
||||
;; |
||||
--libdir=*) |
||||
libdir=$optarg |
||||
;; |
||||
--libdir) |
||||
echo_libdir=yes |
||||
;; |
||||
--version) |
||||
echo ${major_version}.${minor_version}.${patch_version} |
||||
;; |
||||
--cflags) |
||||
echo_cflags=yes |
||||
;; |
||||
--libs) |
||||
echo_libs=yes |
||||
;; |
||||
ssl) |
||||
lib_ssl=yes |
||||
;; |
||||
smime) |
||||
lib_smime=yes |
||||
;; |
||||
nss) |
||||
lib_nss=yes |
||||
;; |
||||
nssutil) |
||||
lib_nssutil=yes |
||||
;; |
||||
*) |
||||
usage 1 1>&2 |
||||
;; |
||||
esac |
||||
shift |
||||
done |
||||
|
||||
# Set variables that may be dependent upon other variables |
||||
if test -z "$exec_prefix"; then |
||||
exec_prefix=`pkg-config --variable=exec_prefix nss` |
||||
fi |
||||
if test -z "$includedir"; then |
||||
includedir=`pkg-config --variable=includedir nss` |
||||
fi |
||||
if test -z "$libdir"; then |
||||
libdir=`pkg-config --variable=libdir nss` |
||||
fi |
||||
|
||||
if test "$echo_prefix" = "yes"; then |
||||
echo $prefix |
||||
fi |
||||
|
||||
if test "$echo_exec_prefix" = "yes"; then |
||||
echo $exec_prefix |
||||
fi |
||||
|
||||
if test "$echo_includedir" = "yes"; then |
||||
echo $includedir |
||||
fi |
||||
|
||||
if test "$echo_libdir" = "yes"; then |
||||
echo $libdir |
||||
fi |
||||
|
||||
if test "$echo_cflags" = "yes"; then |
||||
echo -I$includedir |
||||
fi |
||||
|
||||
if test "$echo_libs" = "yes"; then |
||||
libdirs="-Wl,-rpath-link,$libdir -L$libdir" |
||||
if test -n "$lib_ssl"; then |
||||
libdirs="$libdirs -lssl${major_version}" |
||||
fi |
||||
if test -n "$lib_smime"; then |
||||
libdirs="$libdirs -lsmime${major_version}" |
||||
fi |
||||
if test -n "$lib_nss"; then |
||||
libdirs="$libdirs -lnss${major_version}" |
||||
fi |
||||
if test -n "$lib_nssutil"; then |
||||
libdirs="$libdirs -lnssutil${major_version}" |
||||
fi |
||||
echo $libdirs |
||||
fi |
||||
|
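Review bot: `lib_ssl`, `lib_smime`, `lib_nss` and `lib_nssutil` are all initialised to `yes` before the argument loop, and the `ssl)`, `smime)`, `nss)` and `nssutil)` cases only set them to `yes` again, so the `[LIBRARIES]` arguments advertised by `usage` have no effect on the `--libs` output. Either start the four variables empty and fall back to all libraries when none was named, or drop `[LIBRARIES]` from the usage text. The values taken from `--prefix=`, `--libdir=` and `pkg-config` are echoed unquoted (`echo $libdir`, `echo -I$includedir`), so a path containing spaces or glob characters is split or expanded; `echo "$libdir"` and `echo "-I$includedir"` avoid that.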
@ -0,0 +1,132 @@
@@ -0,0 +1,132 @@
|
||||
<?xml version='1.0' encoding='utf-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="nss-config"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>nss-config</refentrytitle> |
||||
<manvolnum>1</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>nss-config</refname> |
||||
<refpurpose>Return meta information about nss libraries</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsynopsisdiv> |
||||
<cmdsynopsis> |
||||
<command>nss-config</command> |
||||
<arg><option>--prefix</option></arg> |
||||
<arg><option>--exec-prefix</option></arg> |
||||
<arg><option>--includedir</option></arg> |
||||
<arg><option>--libs</option></arg> |
||||
<arg><option>--cflags</option></arg> |
||||
<arg><option>--libdir</option></arg> |
||||
<arg><option>--version</option></arg> |
||||
</cmdsynopsis> |
||||
</refsynopsisdiv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
|
||||
<para><command>nss-config</command> is a shell scrip |
||||
tool which can be used to obtain gcc options for building client pacakges of nspt. </para> |
||||
|
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Options</title> |
||||
|
||||
<variablelist> |
||||
<varlistentry> |
||||
<term><option>--prefix</option></term> |
||||
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>--exec-prefix</option></term> |
||||
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>--includedir</option> <replaceable>count</replaceable></term> |
||||
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>--version</option></term> |
||||
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>--libs</option></term> |
||||
<listitem><simpara>returns the compiler linking flags.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>--cflags</option></term> |
||||
<listitem><simpara>returns the compiler include flags.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>--libdir</option></term> |
||||
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
</variablelist> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Examples</title> |
||||
|
||||
<para>The following example will query for both include path and linkage flags: |
||||
|
||||
<programlisting> |
||||
/usr/bin/nss-config --cflags --libs |
||||
</programlisting> |
||||
|
||||
</para> |
||||
|
||||
|
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
|
||||
<para><filename>/usr/bin/nss-config</filename></para> |
||||
|
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>See also</title> |
||||
<para>pkg-config(1)</para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para> |
||||
Authors: Elio Maldonado <emaldona@redhat.com>. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
</refsection> |
||||
|
||||
</refentry> |
||||
|
@ -0,0 +1,95 @@
@@ -0,0 +1,95 @@
|
||||
# HG changeset patch |
||||
# User Daiki Ueno <dueno@redhat.com> |
||||
# Date 1521731296 -3600 |
||||
# Thu Mar 22 16:08:16 2018 +0100 |
||||
# Node ID 6ae3ab8a1e7b4161f3f8eee90db7a745acced408 |
||||
# Parent dedf5290c679153e5b3555ba9c711fe62323c156 |
||||
Bug 1447628, devslot: avoid deadlock when re-inserting a token, r=rrelyea |
||||
|
||||
diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c |
||||
--- a/lib/dev/devslot.c |
||||
+++ b/lib/dev/devslot.c |
||||
@@ -96,10 +96,16 @@ nssSlot_ResetDelay( |
||||
} |
||||
|
||||
static PRBool |
||||
-within_token_delay_period(const NSSSlot *slot) |
||||
+token_status_checked(const NSSSlot *slot) |
||||
{ |
||||
PRIntervalTime time; |
||||
int lastPingState = slot->lastTokenPingState; |
||||
+ /* When called from the same thread, that means |
||||
+ * nssSlot_IsTokenPresent() is called recursively through |
||||
+ * nssSlot_Refresh(). Return immediately in that case. */ |
||||
+ if (slot->isPresentThread == PR_GetCurrentThread()) { |
||||
+ return PR_TRUE; |
||||
+ } |
||||
/* Set the delay time for checking the token presence */ |
||||
if (s_token_delay_time == 0) { |
||||
s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME); |
||||
@@ -130,7 +136,7 @@ nssSlot_IsTokenPresent( |
||||
|
||||
/* avoid repeated calls to check token status within set interval */ |
||||
PZ_Lock(slot->isPresentLock); |
||||
- if (within_token_delay_period(slot)) { |
||||
+ if (token_status_checked(slot)) { |
||||
CK_FLAGS ckFlags = slot->ckFlags; |
||||
PZ_Unlock(slot->isPresentLock); |
||||
return ((ckFlags & CKF_TOKEN_PRESENT) != 0); |
||||
@@ -146,12 +152,12 @@ nssSlot_IsTokenPresent( |
||||
|
||||
/* set up condition so only one thread is active in this part of the code at a time */ |
||||
PZ_Lock(slot->isPresentLock); |
||||
- while (slot->inIsPresent) { |
||||
+ while (slot->isPresentThread) { |
||||
PR_WaitCondVar(slot->isPresentCondition, 0); |
||||
} |
||||
/* if we were one of multiple threads here, the first thread will have |
||||
* given us the answer, no need to make more queries of the token. */ |
||||
- if (within_token_delay_period(slot)) { |
||||
+ if (token_status_checked(slot)) { |
||||
CK_FLAGS ckFlags = slot->ckFlags; |
||||
PZ_Unlock(slot->isPresentLock); |
||||
return ((ckFlags & CKF_TOKEN_PRESENT) != 0); |
||||
@@ -159,7 +165,7 @@ nssSlot_IsTokenPresent( |
||||
/* this is the winning thread, block all others until we've determined |
||||
* if the token is present and that it needs initialization. */ |
||||
slot->lastTokenPingState = nssSlotLastPingState_Update; |
||||
- slot->inIsPresent = PR_TRUE; |
||||
+ slot->isPresentThread = PR_GetCurrentThread(); |
||||
|
||||
PZ_Unlock(slot->isPresentLock); |
||||
|
||||
@@ -257,7 +263,7 @@ done: |
||||
slot->lastTokenPingTime = PR_IntervalNow(); |
||||
slot->lastTokenPingState = nssSlotLastPingState_Valid; |
||||
} |
||||
- slot->inIsPresent = PR_FALSE; |
||||
+ slot->isPresentThread = NULL; |
||||
PR_NotifyAllCondVar(slot->isPresentCondition); |
||||
PZ_Unlock(slot->isPresentLock); |
||||
return isPresent; |
||||
diff --git a/lib/dev/devt.h b/lib/dev/devt.h |
||||
--- a/lib/dev/devt.h |
||||
+++ b/lib/dev/devt.h |
||||
@@ -92,7 +92,7 @@ struct NSSSlotStr { |
||||
PK11SlotInfo *pk11slot; |
||||
PZLock *isPresentLock; |
||||
PRCondVar *isPresentCondition; |
||||
- PRBool inIsPresent; |
||||
+ PRThread *isPresentThread; |
||||
}; |
||||
|
||||
struct nssSessionStr { |
||||
diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c |
||||
--- a/lib/pk11wrap/dev3hack.c |
||||
+++ b/lib/pk11wrap/dev3hack.c |
||||
@@ -122,7 +122,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD |
||||
rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; |
||||
rvSlot->isPresentLock = PZ_NewLock(nssiLockOther); |
||||
rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock); |
||||
- rvSlot->inIsPresent = PR_FALSE; |
||||
+ rvSlot->isPresentThread = NULL; |
||||
rvSlot->lastTokenPingState = nssSlotLastPingState_Reset; |
||||
return rvSlot; |
||||
} |
@ -0,0 +1,27 @@
@@ -0,0 +1,27 @@
|
||||
diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c |
||||
--- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2017-04-26 11:53:57.980039632 +0200 |
||||
+++ nss/lib/ssl/ssl3con.c 2017-04-26 11:55:56.374264466 +0200 |
||||
@@ -97,7 +97,10 @@ static ssl3CipherSuiteCfg cipherSuites[s |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default. |
||||
+ * The GCM variant is preferred for new applications. |
||||
+ */ |
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
@@ -106,7 +109,10 @@ static ssl3CipherSuiteCfg cipherSuites[s |
||||
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default. |
||||
+ * The GCM variant is preferred for new applications. |
||||
+ */ |
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
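Review bot: The comments added above the two `TLS_ECDHE_*_WITH_AES_128_CBC_SHA256` rows say only that the GCM variant is preferred, which does not explain why the `..._AES_128_CBC_SHA` rows directly above them keep `PR_TRUE`. Someone auditing the default set sees the HMAC-SHA256 CBC suite switched off while the HMAC-SHA1 CBC suite with the same key exchange and cipher stays on. If that asymmetry is deliberate, presumably for older peers, the comment should say so, for example `/* Disabled by default downstream; the CBC_SHA row stays enabled for legacy peers. */`. The `cipherSuites[]` initializer begins and ends outside both hunks, so the rest of the default set cannot be checked from here.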
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
diff -up nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests nss/gtests/ssl_gtest/ssl_skip_unittest.cc |
||||
--- nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests 2017-10-16 17:13:51.798825185 +0200 |
||||
+++ nss/gtests/ssl_gtest/ssl_skip_unittest.cc 2017-10-16 17:14:08.238496409 +0200 |
||||
@@ -234,6 +234,8 @@ INSTANTIATE_TEST_CASE_P( |
||||
INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest, |
||||
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, |
||||
TlsConnectTestBase::kTlsV11V12)); |
||||
+#if 0 |
||||
INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest, |
||||
TlsConnectTestBase::kTlsVariantsAll); |
||||
+#endif |
||||
} // namespace nss_test |
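Review bot: The `#if 0` around the `Skip13Variants` instantiation removes the TLS 1.3 skip tests unconditionally and leaves nothing in the file saying why. If the reason is that TLS 1.3 is compiled out downstream, gating on NSS's existing build switch with `#ifndef NSS_DISABLE_TLS_1_3` would bring the tests back automatically once TLS 1.3 is enabled. Whether that define reaches the gtest build is not visible here, so at minimum add a comment above the guard such as `// Disabled downstream: TLS 1.3 is not enabled in this build.`.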
@ -0,0 +1,39 @@
@@ -0,0 +1,39 @@
|
||||
diff -up nss/lib/ssl/ssl3con.c.enable-cipher-suites nss/lib/ssl/ssl3con.c |
||||
--- nss/lib/ssl/ssl3con.c.enable-cipher-suites 2017-02-20 16:32:39.464067010 +0100 |
||||
+++ nss/lib/ssl/ssl3con.c 2017-02-20 16:37:00.506731989 +0100 |
||||
@@ -91,7 +91,7 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi |
||||
/* clang-format off */ |
||||
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
||||
/* cipher_suite policy enabled isPresent */ |
||||
- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
@@ -102,7 +102,7 @@ static ssl3CipherSuiteCfg cipherSuites[s |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
@@ -113,7 +113,7 @@ static ssl3CipherSuiteCfg cipherSuites[s |
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
@@ -140,7 +140,7 @@ static ssl3CipherSuiteCfg cipherSuites[s |
||||
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
@ -0,0 +1,112 @@
@@ -0,0 +1,112 @@
|
||||
diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c |
||||
--- nss/lib/pki/tdcache.c.fix_deadlock 2017-01-13 17:10:36.055530248 +0100 |
||||
+++ nss/lib/pki/tdcache.c 2017-01-13 17:14:04.015338438 +0100 |
||||
@@ -374,13 +374,19 @@ struct token_cert_dtor { |
||||
PRUint32 numCerts, arrSize; |
||||
}; |
||||
|
||||
-static void |
||||
-remove_token_certs(const void *k, void *v, void *a) |
||||
+static void cert_iter(const void *k, void *v, void *a) |
||||
{ |
||||
+ nssList *certList = (nssList *)a; |
||||
NSSCertificate *c = (NSSCertificate *)k; |
||||
+ nssList_Add(certList, nssCertificate_AddRef(c)); |
||||
+} |
||||
+ |
||||
+static void |
||||
+remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor) |
||||
+{ |
||||
nssPKIObject *object = &c->object; |
||||
- struct token_cert_dtor *dtor = a; |
||||
PRUint32 i; |
||||
+ |
||||
nssPKIObject_AddRef(object); |
||||
nssPKIObject_Lock(object); |
||||
for (i = 0; i < object->numInstances; i++) { |
||||
@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache |
||||
NSSCertificate **certs; |
||||
PRUint32 i, arrSize = 10; |
||||
struct token_cert_dtor dtor; |
||||
+ nssList *certList; |
||||
+ PRStatus nspr_rv = PR_FAILURE; |
||||
+ nssListIterator *iter; |
||||
+ NSSCertificate *c; |
||||
+ |
||||
certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize); |
||||
if (!certs) { |
||||
return PR_FAILURE; |
||||
@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache |
||||
dtor.certs = certs; |
||||
dtor.numCerts = 0; |
||||
dtor.arrSize = arrSize; |
||||
+ |
||||
+ certList = nssList_Create(NULL, PR_FALSE); |
||||
+ if (!certList) { |
||||
+ goto loser; |
||||
+ } |
||||
+ /* fetch the list of certs in the cache */ |
||||
+ PZ_Lock(td->cache->lock); |
||||
+ nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList); |
||||
+ PZ_Unlock(td->cache->lock); |
||||
+ |
||||
+ /* find the certs that match this token without olding the td cache lock */ |
||||
+ iter=nssList_CreateIterator(certList); |
||||
+ if (!iter) { |
||||
+ goto loser; |
||||
+ } |
||||
+ for (c = (NSSCertificate *)nssListIterator_Start(iter); |
||||
+ c != (NSSCertificate *)NULL; |
||||
+ c = (NSSCertificate *)nssListIterator_Next(iter)) { |
||||
+ remove_token_certs( c, &dtor); |
||||
+ } |
||||
+ nssListIterator_Finish(iter); |
||||
+ nssListIterator_Destroy(iter); |
||||
+ nssList_Destroy(certList); |
||||
+ certList = NULL; |
||||
+ |
||||
+ /* now remove theose certs attached to this token */ |
||||
PZ_Lock(td->cache->lock); |
||||
- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor); |
||||
for (i = 0; i < dtor.numCerts; i++) { |
||||
if (dtor.certs[i]->object.numInstances == 0) { |
||||
nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); |
||||
@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache |
||||
} |
||||
} |
||||
PZ_Unlock(td->cache->lock); |
||||
+ |
||||
+ /* clean up */ |
||||
for (i = 0; i < dtor.numCerts; i++) { |
||||
if (dtor.certs[i]) { |
||||
STAN_ForceCERTCertificateUpdate(dtor.certs[i]); |
||||
nssCertificate_Destroy(dtor.certs[i]); |
||||
} |
||||
} |
||||
+ |
||||
+ nspr_rv = PR_SUCCESS; |
||||
+loser: |
||||
+ if (certList) { |
||||
+ nssList_Destroy(certList); |
||||
+ } |
||||
nss_ZFreeIf(dtor.certs); |
||||
- return PR_SUCCESS; |
||||
+ return nspr_rv; |
||||
} |
||||
|
||||
NSS_IMPLEMENT PRStatus |
||||
@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache( |
||||
return rvCert; |
||||
} |
||||
|
||||
-static void |
||||
-cert_iter(const void *k, void *v, void *a) |
||||
-{ |
||||
- nssList *certList = (nssList *)a; |
||||
- NSSCertificate *c = (NSSCertificate *)k; |
||||
- nssList_Add(certList, nssCertificate_AddRef(c)); |
||||
-} |
||||
- |
||||
NSS_EXTERN NSSCertificate ** |
||||
nssTrustDomain_GetCertsFromCache( |
||||
NSSTrustDomain *td, |
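Review bot: `cert_iter` takes a reference on every cached certificate through `nssCertificate_AddRef(c)`, but nothing in the visible new code of `nssTrustDomain_RemoveTokenCertsFromCache` gives those references back. After the loop the code calls only `nssListIterator_Destroy(iter)` and `nssList_Destroy(certList)`, and the `loser` path likewise destroys only the list. `remove_token_certs` takes its own `nssPKIObject_AddRef(object)`, and its tail lies outside the hunk, so unless it drops two references each call to this function appears to leak one reference per cached certificate. Each snapshot entry needs a matching `nssCertificate_Destroy(c)`, on the `loser` path as well. Releasing them only after the second `PZ_Lock(td->cache->lock)` section would also keep the `dtor.certs[i]` pointers alive across the window in which the cache lock is no longer held.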
@ -0,0 +1,68 @@
@@ -0,0 +1,68 @@
|
||||
# HG changeset patch |
||||
# User Franziskus Kiefer <franziskuskiefer@gmail.com> |
||||
# Date 1486546862 -3600 |
||||
# Wed Feb 08 10:41:02 2017 +0100 |
||||
# Node ID 896e3eb3a79933a51886949c7adb67ef37b721c0 |
||||
# Parent a8d77070526320ad0edc7ba164ce97f10c4f7d94 |
||||
Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubert |
||||
|
||||
diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h |
||||
--- a/lib/certdb/cert.h |
||||
+++ b/lib/certdb/cert.h |
||||
@@ -1405,24 +1405,11 @@ void CERT_SetStatusConfig(CERTCertDBHand |
||||
void CERT_LockCertRefCount(CERTCertificate *cert); |
||||
|
||||
/* |
||||
- * Free the cert reference count lock |
||||
+ * Release the cert reference count lock |
||||
*/ |
||||
void CERT_UnlockCertRefCount(CERTCertificate *cert); |
||||
|
||||
/* |
||||
- * Acquire the cert trust lock |
||||
- * There is currently one global lock for all certs, but I'm putting a cert |
||||
- * arg here so that it will be easy to make it per-cert in the future if |
||||
- * that turns out to be necessary. |
||||
- */ |
||||
-void CERT_LockCertTrust(const CERTCertificate *cert); |
||||
- |
||||
-/* |
||||
- * Free the cert trust lock |
||||
- */ |
||||
-void CERT_UnlockCertTrust(const CERTCertificate *cert); |
||||
- |
||||
-/* |
||||
* Digest the cert's subject public key using the specified algorithm. |
||||
* NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding |
||||
* the tag, length, and number of unused bits) rather than the whole |
||||
diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h |
||||
--- a/lib/certdb/certi.h |
||||
+++ b/lib/certdb/certi.h |
||||
@@ -378,14 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGener |
||||
SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage, |
||||
unsigned int* failedFlags, PRBool* isTrusted); |
||||
|
||||
/* |
||||
* Acquire the cert temp/perm lock |
||||
*/ |
||||
void CERT_LockCertTempPerm(const CERTCertificate* cert); |
||||
|
||||
/* |
||||
* Release the temp/perm lock |
||||
*/ |
||||
void CERT_UnlockCertTempPerm(const CERTCertificate* cert); |
||||
|
||||
+/* |
||||
+ * Acquire the cert trust lock |
||||
+ * There is currently one global lock for all certs, but I'm putting a cert |
||||
+ * arg here so that it will be easy to make it per-cert in the future if |
||||
+ * that turns out to be necessary. |
||||
+ */ |
||||
+void CERT_LockCertTrust(const CERTCertificate* cert); |
||||
+ |
||||
+/* |
||||
+ * Release the cert trust lock |
||||
+ */ |
||||
+void CERT_UnlockCertTrust(const CERTCertificate* cert); |
||||
+ |
||||
#endif /* _CERTI_H_ */ |
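Review bot: `CERT_LockCertTrust` and `CERT_UnlockCertTrust` are removed from the public `cert.h` and declared only in the internal `certi.h`, so any caller outside `lib/certdb` that relied on the public prototype loses it. Whether the symbols stay exported, and whether any such callers exist, is not visible in this patch. The description names a tsan race in `CERTCertificate`, but the two header hunks carried here only move the declarations and reword "Free" to "Release"; no locking change appears in this file. A short comment in `certi.h`, such as `/* internal only: moved from cert.h, see Bug 1278965 */`, would record why the functions are no longer public.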
@ -0,0 +1,22 @@
@@ -0,0 +1,22 @@
|
||||
# HG changeset patch |
||||
# User Daiki Ueno <dueno@redhat.com> |
||||
# Date 1523546409 -7200 |
||||
# Thu Apr 12 17:20:09 2018 +0200 |
||||
# Node ID 919e116728f29263c17ec31716ac2bd04c10e9ca |
||||
# Parent 2eefd697d661efb82a77c84d893e6fbceefdf458 |
||||
Bug 1453408, modutil -changepw fails in FIPS mode if password is an empty string |
||||
|
||||
diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c |
||||
--- a/cmd/modutil/pk11.c |
||||
+++ b/cmd/modutil/pk11.c |
||||
@@ -764,6 +764,10 @@ ChangePW(char *tokenName, char *pwFile, |
||||
ret = CHANGEPW_FAILED_ERR; |
||||
goto loser; |
||||
} |
||||
+ } else if (PK11_IsFIPS() && *newpw == '\0' && PK11_CheckUserPassword(slot, newpw) == SECSuccess) { |
||||
+ /* Workaround to suppress harmless error in FIPS mode: |
||||
+ * When explicitly setting empty password while the old |
||||
+ * password is also empty, skip */ |
||||
} else { |
||||
if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { |
||||
PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName); |
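Review bot: The new `else if` branch has an empty body, so when it matches, control leaves the chain without calling `PK11_ChangePW` and presumably continues to the success path after the hunk. In FIPS mode `modutil -changepw` would then report no error while the token keeps an empty password, which an operator may not expect. The comment should state that outcome, for example `/* Token already has an empty password: nothing to change, token stays unprotected. */`, and a one-line notice through `PR_fprintf(PR_STDERR, ...)` would make the skip visible. `ChangePW` starts and ends outside the hunk, so how the result is reported afterwards cannot be confirmed from here.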
@ -0,0 +1,24 @@
@@ -0,0 +1,24 @@
|
||||
# HG changeset patch |
||||
# User J.C. Jones <jjones@mozilla.com> |
||||
# Date 1521824312 25200 |
||||
# Fri Mar 23 09:58:32 2018 -0700 |
||||
# Branch NSS_3_36_BRANCH |
||||
# Node ID ba3f1cc8a8e644ee6f8a763624d97e987816304d |
||||
# Parent 2355c9e3bba477c947a09a2fe8b1ed8971fab1cb |
||||
Bug 1278071 - Limit iterations for PKCS #12 export for Windows r=kaie |
||||
|
||||
Per Bug 1436873, Windows is limited on importing PKCS12 files of 600k rounds |
||||
or less. So for compatibility's sake, let's limit there, too. |
||||
|
||||
diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c |
||||
--- a/lib/pkcs7/p7create.c |
||||
+++ b/lib/pkcs7/p7create.c |
||||
@@ -22,7 +22,7 @@ const int NSS_PBE_DEFAULT_ITERATION_COUN |
||||
#ifdef DEBUG |
||||
10000 |
||||
#else |
||||
- 1000000 |
||||
+ 600000 |
||||
#endif |
||||
; |
||||
|
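Review bot: The release-build value `600000` is a bare literal with no comment, so the reason it is lower than the previous `1000000` is recorded only in the changeset description. This constant is the default PBE iteration count, so a later edit could change the work factor without knowing about the Windows import limit the description cites. A comment beside it, such as `/* capped at 600000: Windows cannot import PKCS #12 files with more rounds (Bug 1436873) */`, would keep the constraint with the code. The `DEBUG` branch just above uses `10000`, unchanged by this patch, so exports from debug builds get a far lower count, which is worth stating in the same comment.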
@ -0,0 +1,47 @@
@@ -0,0 +1,47 @@
|
||||
diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc |
||||
--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2018-03-05 16:58:32.000000000 +0100 |
||||
+++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2018-03-09 17:29:32.985313219 +0100 |
||||
@@ -231,7 +231,9 @@ static SSLNamedGroup NamedGroupForEcdsa3 |
||||
// NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and |
||||
// 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so |
||||
// we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519. |
||||
- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) { |
||||
+ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
||||
+ // a higher priority than AES-128 GCM. |
||||
+ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) { |
||||
return ssl_grp_ec_secp384r1; |
||||
} |
||||
return ssl_grp_ec_curve25519; |
||||
@@ -870,20 +872,24 @@ INSTANTIATE_TEST_CASE_P( |
||||
::testing::Values(TlsAgent::kServerEcdsa256), |
||||
::testing::Values(ssl_auth_ecdsa), |
||||
::testing::Values(ssl_sig_ecdsa_secp256r1_sha256))); |
||||
+ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
||||
+ // a higher priority than AES-128 GCM, and that causes the following |
||||
+ // 3 TLS 1.2 tests to fail. |
||||
INSTANTIATE_TEST_CASE_P( |
||||
SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration, |
||||
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, |
||||
- TlsConnectTestBase::kTlsV12Plus, |
||||
+ TlsConnectTestBase::kTlsV13, |
||||
::testing::Values(TlsAgent::kServerEcdsa384), |
||||
::testing::Values(ssl_auth_ecdsa), |
||||
::testing::Values(ssl_sig_ecdsa_secp384r1_sha384))); |
||||
INSTANTIATE_TEST_CASE_P( |
||||
SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration, |
||||
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, |
||||
- TlsConnectTestBase::kTlsV12Plus, |
||||
+ TlsConnectTestBase::kTlsV13, |
||||
::testing::Values(TlsAgent::kServerEcdsa521), |
||||
::testing::Values(ssl_auth_ecdsa), |
||||
::testing::Values(ssl_sig_ecdsa_secp521r1_sha512))); |
||||
+#if 0 |
||||
INSTANTIATE_TEST_CASE_P( |
||||
SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration, |
||||
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, |
||||
@@ -892,4 +898,5 @@ INSTANTIATE_TEST_CASE_P( |
||||
TlsAgent::kServerEcdsa384), |
||||
::testing::Values(ssl_auth_ecdsa), |
||||
::testing::Values(ssl_sig_ecdsa_sha1))); |
||||
+#endif |
||||
} // namespace nss_test |
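Review bot: The trailing `#if 0` ... `#endif` drops the `SignatureSchemeEcdsaSha1` instantiation entirely, and the P-384 and P-521 instantiations are narrowed from `kTlsV12Plus` to `kTlsV13`. TLS 1.2 signature-scheme selection for these ECDSA keys is therefore no longer exercised. The FIXME attributes the failures to the downstream suite order, which suggests the expected values need updating rather than the coverage being removed. Until that is done, the `#if 0` should carry its own marker, for example `// FIXME: disabled downstream, fails with the RHEL cipher-suite order`, because the existing FIXME sits three instantiations above it.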
@ -0,0 +1,234 @@
@@ -0,0 +1,234 @@
|
||||
diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c |
||||
--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2017-04-26 11:47:33.690047402 +0200 |
||||
+++ nss/lib/ssl/ssl3con.c 2017-04-26 11:51:51.103013632 +0200 |
||||
@@ -91,54 +91,44 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi |
||||
/* clang-format off */ |
||||
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
||||
/* cipher_suite policy enabled isPresent */ |
||||
- /* Special TLS 1.3 suites. */ |
||||
- { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
||||
- { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
||||
- { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
||||
- |
||||
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around |
||||
- * bug 946147. |
||||
- */ |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- |
||||
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- |
||||
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
@@ -147,27 +137,21 @@ static ssl3CipherSuiteCfg cipherSuites[s |
||||
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- |
||||
- /* RSA */ |
||||
- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
||||
- |
||||
- /* 56-bit DES "domestic" cipher suites */ |
||||
{ TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
- |
||||
- /* ciphersuites with no encryption */ |
||||
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
@@ -175,6 +159,9 @@ static ssl3CipherSuiteCfg cipherSuites[s |
||||
{ TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
{ TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
||||
+ { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
||||
+ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
||||
+ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
||||
}; |
||||
/* clang-format on */ |
||||
|
||||
diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c |
||||
--- nss/lib/ssl/sslenum.c.reorder-cipher-suites 2017-04-26 11:46:50.215066457 +0200 |
||||
+++ nss/lib/ssl/sslenum.c 2017-04-26 11:47:09.362617638 +0200 |
||||
@@ -55,53 +55,44 @@ |
||||
* the third one. |
||||
*/ |
||||
const PRUint16 SSL_ImplementedCiphers[] = { |
||||
- TLS_AES_128_GCM_SHA256, |
||||
- TLS_CHACHA20_POLY1305_SHA256, |
||||
- TLS_AES_256_GCM_SHA384, |
||||
- |
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
||||
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, |
||||
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, |
||||
- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before |
||||
- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147. |
||||
- */ |
||||
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
||||
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, |
||||
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
||||
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
||||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
||||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
||||
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
||||
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
||||
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, |
||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
||||
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, |
||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, |
||||
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
||||
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
||||
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
||||
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
||||
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
||||
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
||||
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
||||
TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
||||
- |
||||
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, |
||||
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, |
||||
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, |
||||
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, |
||||
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, |
||||
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, |
||||
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, |
||||
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, |
||||
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, |
||||
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
||||
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, |
||||
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, |
||||
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, |
||||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, |
||||
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, |
||||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, |
||||
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, |
||||
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, |
||||
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, |
||||
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA, |
||||
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA, |
||||
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, |
||||
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, |
||||
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, |
||||
- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, |
||||
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, |
||||
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, |
||||
TLS_DHE_DSS_WITH_RC4_128_SHA, |
||||
- |
||||
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, |
||||
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, |
||||
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, |
||||
@@ -110,26 +101,21 @@ const PRUint16 SSL_ImplementedCiphers[] |
||||
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, |
||||
TLS_ECDH_ECDSA_WITH_RC4_128_SHA, |
||||
TLS_ECDH_RSA_WITH_RC4_128_SHA, |
||||
- |
||||
- TLS_RSA_WITH_AES_128_GCM_SHA256, |
||||
TLS_RSA_WITH_AES_256_GCM_SHA384, |
||||
- TLS_RSA_WITH_AES_128_CBC_SHA, |
||||
- TLS_RSA_WITH_AES_128_CBC_SHA256, |
||||
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, |
||||
TLS_RSA_WITH_AES_256_CBC_SHA, |
||||
TLS_RSA_WITH_AES_256_CBC_SHA256, |
||||
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, |
||||
+ TLS_RSA_WITH_AES_128_GCM_SHA256, |
||||
+ TLS_RSA_WITH_AES_128_CBC_SHA, |
||||
+ TLS_RSA_WITH_AES_128_CBC_SHA256, |
||||
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, |
||||
TLS_RSA_WITH_SEED_CBC_SHA, |
||||
TLS_RSA_WITH_3DES_EDE_CBC_SHA, |
||||
TLS_RSA_WITH_RC4_128_SHA, |
||||
TLS_RSA_WITH_RC4_128_MD5, |
||||
- |
||||
- /* 56-bit DES "domestic" cipher suites */ |
||||
TLS_DHE_RSA_WITH_DES_CBC_SHA, |
||||
TLS_DHE_DSS_WITH_DES_CBC_SHA, |
||||
TLS_RSA_WITH_DES_CBC_SHA, |
||||
- |
||||
- /* ciphersuites with no encryption */ |
||||
TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
||||
TLS_ECDHE_RSA_WITH_NULL_SHA, |
||||
TLS_ECDH_RSA_WITH_NULL_SHA, |
||||
@@ -137,6 +123,9 @@ const PRUint16 SSL_ImplementedCiphers[] |
||||
TLS_RSA_WITH_NULL_SHA, |
||||
TLS_RSA_WITH_NULL_SHA256, |
||||
TLS_RSA_WITH_NULL_MD5, |
||||
+ TLS_AES_128_GCM_SHA256, |
||||
+ TLS_CHACHA20_POLY1305_SHA256, |
||||
+ TLS_AES_256_GCM_SHA384, |
||||
|
||||
0 |
||||
}; |
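Review bot: The reordered `cipherSuites[]` table places the enabled `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` row ahead of `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, and the same pattern repeats in the ECDHE_RSA, DHE and RSA groups; `SSL_ImplementedCiphers[]` in `sslenum.c` is reordered identically. If table order is the negotiation preference, a CBC suite with HMAC-SHA1 is now preferred over an AEAD suite wherever the 256-bit GCM row stays at `PR_FALSE`. The patch also deletes the group comments and the bug 946147 note without replacement, so nothing in either file records the new ordering rule or that the two tables presumably have to match. A header comment such as `/* Downstream order: key exchange, then key size, AEAD before CBC; keep in step with SSL_ImplementedCiphers. */` would make the intent auditable.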
@ -0,0 +1,7 @@
@@ -0,0 +1,7 @@
|
||||
# To re-enable legacy algorithms, edit this file |
||||
# Note that the last empty line in this file must be preserved |
||||
library= |
||||
name=Policy |
||||
NSS=flags=policyOnly,moduleDB |
||||
config="disallow=md5 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023" |
||||
|
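Review bot: The `allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023` clause sets the key-size floor at 1023 bits, so 1024-bit RSA, DSA and DH keys remain acceptable under this policy, and the file does not say that this is a compatibility choice. Current guidance generally treats 2048 bits as the minimum for these algorithms. The header comment tells administrators how to re-enable legacy algorithms but not how to tighten the policy. A line such as `# Key-size floors are low for compatibility; raise DH-MIN/DSA-MIN/RSA-MIN to 2048 where peers allow.` would make the trade-off visible.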
@ -0,0 +1,15 @@
@@ -0,0 +1,15 @@
|
||||
diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile |
||||
--- nss/cmd/Makefile.skipthem 2017-01-13 16:41:04.117486801 +0100 |
||||
+++ nss/cmd/Makefile 2017-01-13 16:42:31.396335957 +0100 |
||||
@@ -19,7 +19,11 @@ BLTEST_SRCDIR = |
||||
ECPERF_SRCDIR = |
||||
FREEBL_ECTEST_SRCDIR = |
||||
FIPSTEST_SRCDIR = |
||||
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) |
||||
+SHLIBSIGN_SRCDIR = shlibsign |
||||
+else |
||||
SHLIBSIGN_SRCDIR = |
||||
+endif |
||||
else |
||||
BLTEST_SRCDIR = bltest |
||||
ECPERF_SRCDIR = ecperf |
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn |
||||
--- nss/gtests/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 |
||||
+++ nss/gtests/manifest.mn 2017-10-19 11:02:27.773910909 +0200 |
||||
@@ -32,6 +32,5 @@ endif |
||||
|
||||
DIRS = \ |
||||
$(LIB_SRCDIRS) \ |
||||
- $(UTIL_SRCDIRS) \ |
||||
$(NSS_SRCDIRS) \ |
||||
$(NULL) |
||||
diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn |
||||
--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 |
||||
+++ nss/gtests/ssl_gtest/manifest.mn 2017-10-19 11:02:27.773910909 +0200 |
||||
@@ -58,6 +58,7 @@ PROGRAM = ssl_gtest |
||||
EXTRA_LIBS += \ |
||||
$(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ |
||||
$(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ |
||||
+ -lsoftokn3 |
||||
$(NULL) |
||||
|
||||
USE_STATIC_LIBS = 1 |
||||
diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh |
||||
--- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 |
||||
+++ nss/tests/gtests/gtests.sh 2017-10-19 11:03:57.473976538 +0200 |
||||
@@ -83,7 +83,7 @@ gtest_cleanup() |
||||
} |
||||
|
||||
################## main ################################################# |
||||
-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest" |
||||
+GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest" |
||||
SOURCE_DIR="$PWD"/../.. |
||||
gtest_init $0 |
||||
gtest_start |
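Review bot: The new `GTESTS` list in gtests.sh drops `prng_gtest`, `freebl_gtest` and `blake2b_gtest` as well as `util_gtest`, although the patch name and the gtests/manifest.mn hunk only speak of skipping the util tests. If those suites are exercised by a separate package build (not visible here), a comment above the assignment should say so, for example `# util, freebl, prng and blake2b gtests are run by their own packages, not here`. Otherwise the RNG and freebl crypto tests silently leave the test cycle. Separately, in ssl_gtest/manifest.mn the added `-lsoftokn3` line has no trailing `\`, which leaves `$(NULL)` as a stray line of its own; ending it with `-lsoftokn3 \` keeps the list in the existing form.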
@ -0,0 +1,21 @@
@@ -0,0 +1,21 @@
|
||||
diff -up nss/tests/ssl/sslauth.txt.sni_c_v_fix nss/tests/ssl/sslauth.txt |
||||
--- nss/tests/ssl/sslauth.txt.sni_c_v_fix 2017-04-05 14:23:56.000000000 +0200 |
||||
+++ nss/tests/ssl/sslauth.txt 2017-06-02 10:22:27.457072785 +0200 |
||||
@@ -64,13 +64,13 @@ |
||||
# |
||||
# SNI Tests |
||||
# |
||||
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI |
||||
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI |
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI |
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert |
||||
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI |
||||
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser SSL3 Server hello response without SNI |
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions |
||||
- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI |
||||
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI |
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI |
||||
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS |
||||
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS |
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS |
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert |
@ -0,0 +1,42 @@
@@ -0,0 +1,42 @@
|
||||
# HG changeset patch |
||||
# User Kai Engert <kaie@kuix.de> |
||||
# Date 1511548994 -3600 |
||||
# Fri Nov 24 19:43:14 2017 +0100 |
||||
# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4 |
||||
# Parent 807662e6ba57db5be05036511ac8634466ed473f |
||||
Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer |
||||
|
||||
--- a/tests/all.sh |
||||
+++ b/tests/all.sh |
||||
@@ -111,6 +111,8 @@ RUN_FIPS="" |
||||
######################################################################## |
||||
run_tests() |
||||
{ |
||||
+ echo "Running test cycle: ${TEST_MODE} ----------------------" |
||||
+ echo "List of tests that will be executed: ${TESTS}" |
||||
for TEST in ${TESTS} |
||||
do |
||||
# NOTE: the spaces are important. If you don't include |
||||
@@ -172,8 +174,9 @@ run_cycle_pkix() |
||||
NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` |
||||
export -n NSS_SSL_RUN |
||||
|
||||
- # use the default format |
||||
+ # use the default format. (unset for the shell, export -n for binaries) |
||||
export -n NSS_DEFAULT_DB_TYPE |
||||
+ unset NSS_DEFAULT_DB_TYPE |
||||
|
||||
run_tests |
||||
} |
||||
diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh |
||||
--- a/tests/merge/merge.sh |
||||
+++ b/tests/merge/merge.sh |
||||
@@ -98,7 +98,7 @@ merge_init() |
||||
# are dbm databases. |
||||
if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then |
||||
save=${NSS_DEFAULT_DB_TYPE} |
||||
- NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE |
||||
+ NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE |
||||
fi |
||||
|
||||
certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE} |
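Review bot: In run_cycle_pkix the added `unset NSS_DEFAULT_DB_TYPE` already removes the variable from both the shell and the environment of child processes, so the preceding `export -n NSS_DEFAULT_DB_TYPE` no longer does anything. The new comment "(unset for the shell, export -n for binaries)" describes a split that does not exist once `unset` follows. I would keep only `unset NSS_DEFAULT_DB_TYPE` with the comment `# use the default format: remove the override for this shell and its children`. `export -n` is also a bash extension, which matters if all.sh is ever run by a plain POSIX shell (the interpreter line is outside the hunk).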
@ -0,0 +1,57 @@
@@ -0,0 +1,57 @@
|
||||
diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c |
||||
--- a/lib/sysinit/nsssysinit.c |
||||
+++ b/lib/sysinit/nsssysinit.c |
||||
@@ -1,11 +1,15 @@ |
||||
/* This Source Code Form is subject to the terms of the Mozilla Public |
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this |
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
||||
+ |
||||
+#define _GNU_SOURCE 1 |
||||
+#include <stdlib.h> |
||||
+ |
||||
#include "seccomon.h" |
||||
#include "prio.h" |
||||
#include "prprf.h" |
||||
#include "plhash.h" |
||||
#include "prenv.h" |
||||
|
||||
/* |
||||
* The following provides a default example for operating systems to set up |
||||
@@ -37,17 +41,17 @@ testdir(char *dir) |
||||
return S_ISDIR(buf.st_mode); |
||||
} |
||||
|
||||
#define NSS_USER_PATH1 "/.pki" |
||||
#define NSS_USER_PATH2 "/nssdb" |
||||
static char * |
||||
getUserDB(void) |
||||
{ |
||||
- char *userdir = PR_GetEnvSecure("HOME"); |
||||
+ char *userdir = secure_getenv("HOME"); |
||||
char *nssdir = NULL; |
||||
|
||||
if (userdir == NULL) { |
||||
return NULL; |
||||
} |
||||
|
||||
nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2)); |
||||
if (nssdir == NULL) { |
||||
@@ -129,17 +133,17 @@ userCanModifySystemDB() |
||||
#else |
||||
#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions" |
||||
#endif |
||||
#endif |
||||
|
||||
static PRBool |
||||
getFIPSEnv(void) |
||||
{ |
||||
- char *fipsEnv = PR_GetEnvSecure("NSS_FIPS"); |
||||
+ char *fipsEnv = secure_getenv("NSS_FIPS"); |
||||
if (!fipsEnv) { |
||||
return PR_FALSE; |
||||
} |
||||
if ((strcasecmp(fipsEnv, "fips") == 0) || |
||||
(strcasecmp(fipsEnv, "true") == 0) || |
||||
(strcasecmp(fipsEnv, "on") == 0) || |
||||
(strcasecmp(fipsEnv, "1") == 0)) { |
||||
return PR_TRUE; |
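Review bot: Both changed call sites, `secure_getenv("HOME")` in getUserDB and `secure_getenv("NSS_FIPS")` in getFIPSEnv, now depend on a glibc extension, and nothing in the patch records why the NSPR wrapper `PR_GetEnvSecure` was dropped. The `#define _GNU_SOURCE 1` and `#include <stdlib.h>` are added unconditionally at the top of the file, so a libc without the function fails at build time with no hint of the reason. I would add a comment next to the define, for example `/* secure_getenv() is glibc-specific; it returns NULL when the process runs with elevated privileges, so HOME and NSS_FIPS are ignored there */`. Both function bodies continue outside the hunks, so what the callers do with a NULL result is only partly visible.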
@ -0,0 +1,11 @@
@@ -0,0 +1,11 @@
|
||||
prefix=%prefix% |
||||
exec_prefix=%exec_prefix% |
||||
libdir=%libdir% |
||||
includedir=%includedir% |
||||
|
||||
Name: NSS |
||||
Description: Network Security Services |
||||
Version: %NSS_VERSION% |
||||
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% |
||||
Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 |
||||
Cflags: -I${includedir} |
@ -0,0 +1,25 @@
@@ -0,0 +1,25 @@
|
||||
diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c |
||||
--- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy 2017-01-13 17:10:36.049530395 +0100 |
||||
+++ nss/lib/ssl/sslsock.c 2017-01-13 17:10:36.053530297 +0100 |
||||
@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3 |
||||
SECStatus |
||||
NSS_SetDomesticPolicy(void) |
||||
{ |
||||
- SECStatus status = SECSuccess; |
||||
const PRUint16 *cipher; |
||||
SECStatus rv; |
||||
PRUint32 policy; |
||||
@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void) |
||||
} |
||||
|
||||
for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { |
||||
- status = SSL_SetPolicy(*cipher, SSL_ALLOWED); |
||||
- if (status != SECSuccess) |
||||
- break; |
||||
+ (void) SSL_SetPolicy(*cipher, SSL_ALLOWED); |
||||
} |
||||
- return status; |
||||
+ return SECSuccess; |
||||
} |
||||
|
||||
SECStatus |
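Review bot: With `(void) SSL_SetPolicy(*cipher, SSL_ALLOWED);` and an unconditional `return SECSuccess;`, NSS_SetDomesticPolicy reports success even when a suite's policy could not be set. Callers lose the only signal that the policy table is incomplete. If the intent is to tolerate suites that this build has removed (the patch name suggests so, but the reason is not stated), the loop should say it: `/* failures are ignored on purpose: suites removed from this build make SSL_SetPolicy fail and must not abort the loop */`. A narrower alternative is to skip only the known-removed suites and keep propagating other errors. The part of the function between the two hunks, where `rv` and `policy` are used, is not shown.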
@ -0,0 +1,56 @@
@@ -0,0 +1,56 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="pkcs11.txt"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>pkcs11.txt</refentrytitle> |
||||
<manvolnum>5</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>pkcs11.txt</refname> |
||||
<refpurpose>NSS PKCS #11 module configuration file</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
<para> |
||||
The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules. |
||||
</para> |
||||
<para> |
||||
For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
<para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
</refsection> |
||||
|
||||
</refentry> |
||||
|
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c |
||||
--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 17:21:52.593560971 +0100 |
||||
+++ nss/lib/ssl/sslsock.c 2018-03-09 17:22:21.096926523 +0100 |
||||
@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = { |
||||
.noLocks = PR_FALSE, |
||||
.enableSessionTickets = PR_FALSE, |
||||
.enableDeflate = PR_FALSE, |
||||
- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN, |
||||
+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL, |
||||
.requireSafeNegotiation = PR_FALSE, |
||||
.enableFalseStart = PR_FALSE, |
||||
.cbcRandomIV = PR_TRUE, |
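Review bot: The default for `.enableRenegotiation` is relaxed from `SSL_RENEGOTIATE_REQUIRES_XTN` to `SSL_RENEGOTIATE_TRANSITIONAL` without any comment. The next line keeps `.requireSafeNegotiation = PR_FALSE`, so an application that relies on the library defaults will, as a client, still renegotiate with servers that lack the RFC 5746 extension. That is a distribution-level weakening of the upstream default, and it should be documented at the field, for example `/* downstream default: clients may renegotiate with servers lacking RFC 5746 support; use SSL_RENEGOTIATE_REQUIRES_XTN to enforce it */`. The `ssl_defaults` initializer starts and ends outside the hunk.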
@ -0,0 +1,63 @@
@@ -0,0 +1,63 @@
|
||||
<?xml version='1.0' encoding='utf-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="secmod.db"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>secmod.db</refentrytitle> |
||||
<manvolnum>5</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>secmod.db</refname> |
||||
<refpurpose>Legacy NSS security modules database</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para> |
||||
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface. |
||||
</para> |
||||
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens. |
||||
</para> |
||||
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
<para><filename>/etc/pki/nssdb/secmod.db</filename></para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>See also</title> |
||||
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
|
||||
</refsection> |
||||
|
||||
|
||||
</refentry> |
@ -0,0 +1,68 @@
@@ -0,0 +1,68 @@
|
||||
#!/bin/sh |
||||
# |
||||
# Turns on or off the nss-sysinit module db by editing the |
||||
# global PKCS #11 congiguration file. Displays the status. |
||||
# |
||||
# This script can be invoked by the user as super user. |
||||
# It is invoked at nss-sysinit post install time with argument on. |
||||
# |
||||
usage() |
||||
{ |
||||
cat <<EOF |
||||
Usage: setup-nsssysinit [on|off] |
||||
on - turns on nsssysinit |
||||
off - turns off nsssysinit |
||||
status - reports whether nsssysinit is turned on or off |
||||
EOF |
||||
exit $1 |
||||
} |
||||
|
||||
# validate |
||||
if [ $# -eq 0 ]; then |
||||
usage 1 1>&2 |
||||
fi |
||||
|
||||
# the system-wide configuration file |
||||
p11conf="/etc/pki/nssdb/pkcs11.txt" |
||||
# must exist, otherwise report it and exit with failure |
||||
if [ ! -f $p11conf ]; then |
||||
echo "Could not find ${p11conf}" |
||||
exit 1 |
||||
fi |
||||
|
||||
# check if nsssysinit is currently enabled or disabled |
||||
sysinit_enabled() |
||||
{ |
||||
grep -q '^library=libnsssysinit' ${p11conf} |
||||
} |
||||
|
||||
umask 022 |
||||
case "$1" in |
||||
on | ON ) |
||||
if sysinit_enabled; then |
||||
exit 0 |
||||
fi |
||||
cat ${p11conf} | \ |
||||
sed -e 's/^library=$/library=libnsssysinit.so/' \ |
||||
-e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ |
||||
${p11conf}.on |
||||
mv ${p11conf}.on ${p11conf} |
||||
;; |
||||
off | OFF ) |
||||
if ! sysinit_enabled; then |
||||
exit 0 |
||||
fi |
||||
cat ${p11conf} | \ |
||||
sed -e 's/^library=libnsssysinit.so/library=/' \ |
||||
-e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ |
||||
${p11conf}.off |
||||
mv ${p11conf}.off ${p11conf} |
||||
;; |
||||
status ) |
||||
echo -n 'NSS sysinit is ' |
||||
sysinit_enabled && echo 'enabled' || echo 'disabled' |
||||
;; |
||||
* ) |
||||
usage 1 1>&2 |
||||
;; |
||||
esac |
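Review bot: In both the `on` and `off` branches the `mv` runs regardless of whether `sed` succeeded, so a failed or partial write (for example a full filesystem) replaces `/etc/pki/nssdb/pkcs11.txt` with a truncated file. Chaining the two steps avoids that: `... > "${p11conf}.on" && mv "${p11conf}.on" "${p11conf}"`, and the same with `.off`. The `cat ${p11conf} |` can be dropped by giving `sed` the file as an argument. `mv` also replaces the file with one created under `umask 022`, so the original ownership, mode and any security label are not preserved; this deserves a comment or an explicit restore. Smaller points: `$p11conf` and `$1` are unquoted, the usage line prints `[on|off]` although `status` is accepted, and `echo -n` is not portable under `#!/bin/sh`.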
@ -0,0 +1,106 @@
@@ -0,0 +1,106 @@
|
||||
<?xml version='1.0' encoding='utf-8'?> |
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||
<!ENTITY date SYSTEM "date.xml"> |
||||
<!ENTITY version SYSTEM "version.xml"> |
||||
]> |
||||
|
||||
<refentry id="setup-nsssysinit"> |
||||
|
||||
<refentryinfo> |
||||
<date>&date;</date> |
||||
<title>Network Security Services</title> |
||||
<productname>nss</productname> |
||||
<productnumber>&version;</productnumber> |
||||
</refentryinfo> |
||||
|
||||
<refmeta> |
||||
<refentrytitle>setup-nsssysinit</refentrytitle> |
||||
<manvolnum>1</manvolnum> |
||||
</refmeta> |
||||
|
||||
<refnamediv> |
||||
<refname>setup-nsssysinit</refname> |
||||
<refpurpose>Query or enable the nss-sysinit module</refpurpose> |
||||
</refnamediv> |
||||
|
||||
<refsynopsisdiv> |
||||
<cmdsynopsis> |
||||
<command>setup-nsssysinit</command> |
||||
<arg><option>on</option></arg> |
||||
<arg><option>off</option></arg> |
||||
<arg><option>status</option></arg> |
||||
</cmdsynopsis> |
||||
</refsynopsisdiv> |
||||
|
||||
<refsection id="description"> |
||||
<title>Description</title> |
||||
<para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para> |
||||
<para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on. |
||||
</para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Options</title> |
||||
|
||||
<variablelist> |
||||
<varlistentry> |
||||
<term><option>on</option></term> |
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>off</option></term> |
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><option>status</option></term> |
||||
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem> |
||||
</varlistentry> |
||||
|
||||
</variablelist> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Examples</title> |
||||
|
||||
<para>The following example will query for the status of nss-sysinit: |
||||
<programlisting> |
||||
/usr/bin/setup-nsssysinit status |
||||
</programlisting> |
||||
</para> |
||||
|
||||
<para>The following example, when run as superuser, will turn on nss-sysinit: |
||||
<programlisting> |
||||
/usr/bin/setup-nsssysinit on |
||||
</programlisting> |
||||
</para> |
||||
|
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>Files</title> |
||||
<para><filename>/usr/bin/setup-nsssysinit</filename></para> |
||||
</refsection> |
||||
|
||||
<refsection> |
||||
<title>See also</title> |
||||
<para>pkg-config(1)</para> |
||||
</refsection> |
||||
|
||||
<refsection id="authors"> |
||||
<title>Authors</title> |
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> |
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para> |
||||
</refsection> |
||||
|
||||
<!-- don't change --> |
||||
<refsection id="license"> |
||||
<title>LICENSE</title> |
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
</para> |
||||
</refsection> |
||||
|
||||
</refentry> |
||||
|
@ -0,0 +1,5 @@
@@ -0,0 +1,5 @@
|
||||
library=libnsssysinit.so |
||||
name=NSS Internal PKCS #11 Module |
||||
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' |
||||
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) |
||||
|
@ -0,0 +1,14 @@
@@ -0,0 +1,14 @@
|
||||
diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk |
||||
--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700 |
||||
+++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700 |
||||
@@ -3,6 +3,10 @@ |
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this |
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
|
||||
+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) |
||||
+INCLUDES += -I/usr/include/nss3/templates |
||||
+#endif |
||||
+ |
||||
# can't do this in manifest.mn because OS_TARGET isn't defined there. |
||||
ifeq (,$(filter-out WIN%,$(OS_TARGET))) |
||||
|
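Review bot: The added `#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)` and `#endif` lines are comments to make, so `INCLUDES += -I/usr/include/nss3/templates` applies to every build, not only to builds without softoken. If the condition is meant to hold, the lines should read `ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)` and `endif`. If the include path is wanted unconditionally, drop the two commented directives and say so: `# always pick up the system-installed templates headers`. As written, the file reads as conditional while adding an absolute system include directory to all compilations.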