From 301f5142f8eac474ff3f92d83450cdd3b023c92b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 19 Sep 2016 16:37:05 +0200 Subject: [PATCH 1/3] nss: fix typo in ecdhe_rsa_null cipher suite string As it seems to be a rarely used cipher suite (for securely established but _unencrypted_ connections), I believe it is fine not to provide an alias for the misspelled variant. Upstream-commit: 75912202709e0f74a5bab91ef57254d7038f5f42 Signed-off-by: Kamil Dudka --- lib/nss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/nss.c b/lib/nss.c index 7b4fe57..d0db3cd 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -144,7 +144,7 @@ static const cipher_s cipherlist[] = { {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA}, {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA}, {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA}, - {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA}, + {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA}, {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA}, {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA}, {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, -- 2.7.4 From 3b11781032d9c04ba8a9500899339a4758da4ad7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 19 Sep 2016 17:38:23 +0200 Subject: [PATCH 2/3] nss: add cipher suites using SHA384 if supported by NSS Upstream-commit: 049aa9254687f6738642bd73da9bf96d8af2a833 Signed-off-by: Kamil Dudka --- lib/nss.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/nss.c b/lib/nss.c index d0db3cd..16b0218 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -174,6 +174,16 @@ static const cipher_s cipherlist[] = { {"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, {"ecdh_rsa_aes_128_gcm_sha_256", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256}, #endif +#ifdef TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + /* cipher suites using SHA384 */ + {"rsa_aes_256_gcm_sha_384", TLS_RSA_WITH_AES_256_GCM_SHA384}, + {"dhe_rsa_aes_256_gcm_sha_384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}, + {"dhe_dss_aes_256_gcm_sha_384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384}, + {"ecdhe_ecdsa_aes_256_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384}, + {"ecdhe_rsa_aes_256_sha_384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384}, + {"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}, + {"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}, +#endif }; static const char* pem_library = "libnsspem.so"; -- 2.7.4 From e796e68d2f1ef647a91afa10deb0986e082a14be Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 19 Sep 2016 17:45:53 +0200 Subject: [PATCH 3/3] nss: add chacha20-poly1305 cipher suites if supported by NSS Upstream-commit: d1f1c857ad559eafef9373621d30174c046261ef Signed-off-by: Kamil Dudka --- lib/nss.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/nss.c b/lib/nss.c index 16b0218..36c100d 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -184,6 +184,15 @@ static const cipher_s cipherlist[] = { {"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}, {"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}, #endif +#ifdef TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + /* chacha20-poly1305 cipher suites */ + {"ecdhe_rsa_chacha20_poly1305_sha_256", + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, + {"ecdhe_ecdsa_chacha20_poly1305_sha_256", + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256}, + {"dhe_rsa_chacha20_poly1305_sha_256", + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, +#endif }; static const char* pem_library = "libnsspem.so"; -- 2.7.4