--- ./lib/ssl/config.mk.disableSSL2libssl	2016-03-05 09:20:12.712130884 -0800
+++ ./lib/ssl/config.mk	2016-03-05 09:24:22.748518581 -0800
@@ -2,16 +2,20 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 ifdef NISCC_TEST
 DEFINES += -DNISCC_TEST
 endif
 
+ifdef NSS_NO_SSL2_NO_EXPORT
+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
+endif
+
 ifdef NSS_NO_PKCS11_BYPASS
 DEFINES += -DNO_PKCS11_BYPASS
 else
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
 	$(CRYPTOLIB) \
 	$(NULL)
--- ./lib/ssl/sslsock.c.disableSSL2libssl	2016-03-05 09:20:12.713130866 -0800
+++ ./lib/ssl/sslsock.c	2016-03-05 09:32:55.060592007 -0800
@@ -707,16 +707,22 @@
             if (ss->cipherSpecs) {
                 PORT_Free(ss->cipherSpecs);
                 ss->cipherSpecs = NULL;
                 ss->sizeCipherSpecs = 0;
             }
             break;
 
         case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+            if (on) {
+                PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+                rv = SECFailure; /* not allowed */
+            }
+#else
             if (IS_DTLS(ss)) {
                 if (on) {
                     PORT_SetError(SEC_ERROR_INVALID_ARGS);
                     rv = SECFailure; /* not allowed */
                 }
                 break;
             }
             if (on) {
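Review bot: In the NSS_NO_SSL2_NO_EXPORT branch of `case SSL_ENABLE_SSL2`, a call with `on == PR_FALSE` no longer writes `ss->opt.enableSSL2` or `ss->opt.v2CompatibleHello`, whereas the `#else` path (which runs on into the next hunk) does; that is only safe if the option defaults, which this diff does not show, already have both cleared, otherwise SSL_OptionGet would keep reporting SSL 2.0 as enabled on a build that refuses to enable it. Making the disabled path state the invariant explicitly avoids depending on the defaults: `if (on) { PORT_SetError(SSL_ERROR_SSL2_DISABLED); rv = SECFailure; } else { ss->opt.enableSSL2 = PR_FALSE; ss->opt.v2CompatibleHello = PR_FALSE; }`. The same pattern appears in `case SSL_V2_COMPATIBLE_HELLO` in the following hunk, where the `#else` path also clears `ss->opt.enableSSL2` when `on` is false. The enclosing switch and its function begin before this hunk.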
@@ -731,52 +737,67 @@
                 ss->opt.v2CompatibleHello = on;
             }
             ss->preferredCipher = NULL;
             if (ss->cipherSpecs) {
                 PORT_Free(ss->cipherSpecs);
                 ss->cipherSpecs = NULL;
                 ss->sizeCipherSpecs = 0;
             }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
             break;
 
         case SSL_NO_CACHE:
             ss->opt.noCache = on;
             break;
 
         case SSL_ENABLE_FDX:
             if (on && ss->opt.noLocks) {
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
                 rv = SECFailure;
             }
             ss->opt.fdx = on;
             break;
 
         case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+            if (on) {
+                PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+                rv = SECFailure; /* not allowed */
+            }
+#else
             if (IS_DTLS(ss)) {
                 if (on) {
                     PORT_SetError(SEC_ERROR_INVALID_ARGS);
                     rv = SECFailure; /* not allowed */
                 }
                 break;
             }
             ss->opt.v2CompatibleHello = on;
             if (!on) {
                 ss->opt.enableSSL2 = on;
             }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
             break;
 
         case SSL_ROLLBACK_DETECTION:
             ss->opt.detectRollBack = on;
             break;
 
         case SSL_NO_STEP_DOWN:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+            if (!on) {
+                PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+                rv = SECFailure; /* not allowed */
+            }
+#else
             ss->opt.noStepDown = on;
             if (on)
                 SSL_DisableExportCipherSuites(fd);
+#endif /* NSS_NO_SSL2_NO_EXPORT */
             break;
 
         case SSL_BYPASS_PKCS11:
             if (ss->handshakeBegun) {
                 PORT_SetError(PR_INVALID_STATE_ERROR);
                 rv = SECFailure;
             } else {
                 if (PR_FALSE != on) {
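Review bot: In the NSS_NO_SSL2_NO_EXPORT branch of `case SSL_NO_STEP_DOWN`, turning the option on is accepted but `ss->opt.noStepDown` is never written, so the stored option does not reflect the accepted request and a later SSL_OptionGet(SSL_NO_STEP_DOWN) would report whatever the default is (not visible in this diff). Since the build intends step-down to be permanently off, the accepting path should record it: `if (!on) { PORT_SetError(SSL_ERROR_SSL2_DISABLED); rv = SECFailure; } else { ss->opt.noStepDown = PR_TRUE; }`. The dropped `SSL_DisableExportCipherSuites(fd)` call is presumably covered by the ssl_IsRemovedCipherSuite change later in this patch; it is worth confirming that export suites already enabled on the socket before this option is set are also pruned by that route, since this case no longer disables them itself. The enclosing function starts and ends outside this hunk.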
@@ -1324,16 +1345,32 @@
     }
     return SECSuccess;
 }
 
 /* function tells us if the cipher suite is one that we no longer support. */
 static PRBool
 ssl_IsRemovedCipherSuite(PRInt32 suite)
 {
+#ifdef NSS_NO_SSL2_NO_EXPORT
+    /* both ssl2 and export cipher suites disabled */
+    if (SSL_IS_SSL2_CIPHER(suite))
+        return PR_TRUE;
+    if (SSL_IsExportCipherSuite(suite)) {
+        SSLCipherSuiteInfo csdef;
+        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
+            /* failure to retrieve info, disable */
+            return PR_TRUE;
+        }
+        if (csdef.symCipher != ssl_calg_null) {
+            /* disable all except NULL ciphersuites */
+            return PR_TRUE;
+        }
+    }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
     switch (suite) {
         case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
         case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
         case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
             return PR_TRUE;
         default:
             return PR_FALSE;
     }
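Review bot: The comment `/* disable all except NULL ciphersuites */` at the export check in ssl_IsRemovedCipherSuite says what is exempted but not why, and that exemption is the one non-obvious decision in this hunk; a reader could reasonably expect an export-flagged suite to be removed unconditionally. Suggest a why-comment such as `/* export suites with a NULL cipher carry no encryption to weaken, so they are kept; every other export suite is treated as removed */`, adjusted if the actual rationale differs. It is also worth confirming that SSL_GetCipherSuiteInfo does not itself consult ssl_IsRemovedCipherSuite, since that would recurse for export suites. Note that `suite` is a PRInt32 while SSL_GetCipherSuiteInfo takes a PRUint16 suite, so an out-of-range value is truncated before the lookup; the SECFailure path already treats it as removed, so this is benign but deserves a one-line comment.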