diff --git a/openldap-nss-cipher-attributes.patch b/openldap-nss-cipher-attributes.patch index 5ebd347..ad15aea 100644 --- a/openldap-nss-cipher-attributes.patch +++ b/openldap-nss-cipher-attributes.patch @@ -67,7 +67,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c /* cipher strength */ #define SSL_NULL 0x00000001L -@@ -240,10 +257,14 @@ typedef struct { +@@ -240,10 +257,15 @@ typedef struct { #define SSL_MEDIUM 0x00000010L #define SSL_HIGH 0x00000020L @@ -79,6 +79,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c /* OpenSSL treats SSL3 and TLSv1 the same */ #define TLS1 SSL3 +#define TLS1_2 0x00000004L ++#define TLS1_3 0x00000008L /* Cipher translation */ static cipher_properties ciphers_def[] = { diff --git a/openldap-nss-ciphers-definitions.patch b/openldap-nss-ciphers-definitions.patch index 7b7a868..6de142c 100644 --- a/openldap-nss-ciphers-definitions.patch +++ b/openldap-nss-ciphers-definitions.patch @@ -6,7 +6,7 @@ PreviousAuthor: Jan Vcelak diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c -@@ -268,29 +268,104 @@ typedef struct { +@@ -268,29 +268,109 @@ typedef struct { /* Cipher translation */ static cipher_properties ciphers_def[] = { @@ -129,6 +129,11 @@ 
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + //{"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, + //{"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, + //{"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ ++ // TLSv1.3 ++ {"TLS13-AES-128-GCM-SHA256", 0x1301 /* TLS_AES_128_GCM_SHA256 */, SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH}, ++ {"TLS13-AES-256-GCM-SHA384", 0x1302 /* TLS_AES_256_GCM_SHA384 */, SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH}, ++ {"TLS13-CHACHA20-POLY1305-SHA256", 0x1303 /* TLS_CHACHA20_POLY1305_SHA256 */, SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_3, SSL_HIGH}, }; #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) diff --git a/openldap-nss-ciphers-parsing.patch b/openldap-nss-ciphers-parsing.patch index b91d07d..dd0407b 100644 --- a/openldap-nss-ciphers-parsing.patch +++ b/openldap-nss-ciphers-parsing.patch @@ -69,7 +69,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c } else if (!strcmp(cipher, "3DES")) { mask |= SSL_3DES; } else if (!strcmp(cipher, "DES")) { -@@ -693,26 +707,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -693,26 +707,69 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) mask |= SSL_RC2; } else if (!strcmp(cipher, "MD5")) { mask |= SSL_MD5; @@ -122,6 +122,8 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c protocol |= TLS1; + } else if (!strcmp(cipher, "TLSv1.2")) { + protocol |= TLS1_2; ++ } else if (!strcmp(cipher, "TLSv1.3")) { ++ protocol |= TLS1_3; } else if (!strcmp(cipher, "HIGH")) { strength |= SSL_HIGH; } else if (!strcmp(cipher, "MEDIUM")) { 
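Review bot: The three TLS 1.3 entries carry no SSL_k*/SSL_a* key-exchange or authentication bits, unlike every TLS1_2 entry above them, so keyword filters such as `kECDHE`, `aRSA` or the common `!aNULL` in nss_parse_ciphers (outside this hunk) will treat them differently from the 1.2 suites; that is correct for TLS 1.3, where the suite no longer names kex/auth, but it deserves a comment and a check of how the `!aNULL`/`ALL` path behaves with a zero auth mask. I would replace `// TLSv1.3` with `/* TLSv1.3 suites carry no key-exchange/authentication attributes: kex and auth are negotiated separately in 1.3, so only cipher, MAC and strength bits are set here */`. The names use the `TLS13-` prefix from the OpenSSL 1.1.1 pre-releases; the released OpenSSL names are `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384` and `TLS_CHACHA20_POLY1305_SHA256`, so accepting those as aliases would keep TLSCipherSuite strings portable between the OpenSSL and NSS backends. Because the suite IDs are numeric literals rather than NSS macros, this builds against an NSS that predates TLS 1.3; whatever applies the table to the socket (outside the hunk) should tolerate NSS rejecting an unknown suite ID rather than failing the whole cipher list.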
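Review bot: The new `TLSv1.3` keyword only sets a bit in the cipher-selection protocol mask; nothing in this hunk enables the TLS 1.3 protocol version on the NSS socket, so a TLSCipherSuite of `TLSv1.3` selects the 0x1301–0x1303 suites while the version range NSS actually negotiates (configured separately, not in this hunk) may still stop at 1.2, leaving no usable cipher. That interaction should be documented next to the branch, e.g. `/* TLSv1.3 selects the 1.3-only suites; the negotiated protocol range is configured separately, so both must allow 1.3 */`. Note also that `TLSv1.3` is not a cipher-list keyword in OpenSSL, which configures 1.3 suites through a separate ciphersuites list, so strings written for the OpenSSL backend will not carry it; a line in the TLSCipherSuite documentation would avoid surprises. nss_parse_ciphers continues outside the hunk on both sides.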
diff --git a/openldap.spec b/openldap.spec index 74632df..2a546bd 100644 --- a/openldap.spec +++ b/openldap.spec @@ -5,7 +5,7 @@ Name: openldap Version: 2.4.44 -Release: 8%{?dist} +Release: 9%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP @@ -548,6 +548,9 @@ exit 0 %{_mandir}/man3/* %changelog +* Fri Mar 24 2017 Matus Honek - 2.4.44-9 +- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435689) + * Fri Mar 24 2017 Matus Honek - 2.4.44-8 - NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435689)