author | Rob Crittenden <rcritten@redhat.com> | 2015-09-24 15:10:12 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-10-02 16:51:56 -0400 |
commit | 76ef17a7dc33ef94a18741d3ff6021bccf2bc360 (patch) | |
tree | 1da49d7d70c507c7e4ec5d4063da96778d64b89c | |
parent | 2341ceb7936b9e46d1fe00722ccbd4af44091907 (diff) | |
NSS added support for some SHA384 ciphers, add them
I don't want to assume these ciphers are available in
every distro so I'm bending over backwards a bit to
check for availability and get the defines right
for the python cipher tests.
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | acinclude.m4 | 92 | ||||
-rw-r--r-- | configure.ac | 12 | ||||
-rw-r--r-- | nss_engine_cipher.c | 11 | ||||
-rw-r--r-- | nss_engine_cipher.h | 9 | ||||
-rw-r--r-- | test/test_cipher.py | 10 |
6 files changed, 130 insertions, 5 deletions
@@ -29,3 +29,4 @@ py-compile
 # Generated files
 gencert
 nss.conf
+test/variable.py
diff --git a/acinclude.m4 b/acinclude.m4
new file mode 100644
index 0000000..4bc6948
--- /dev/null
+++ b/acinclude.m4
@@ -0,0 +1,92 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_define.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AC_CHECK_DEFINE([symbol], [ACTION-IF-FOUND], [ACTION-IF-NOT])
+# AX_CHECK_DEFINE([includes],[symbol], [ACTION-IF-FOUND], [ACTION-IF-NOT])
+#
+# DESCRIPTION
+#
+# Complements AC_CHECK_FUNC but it does not check for a function but for a
+# define to exist. Consider a usage like:
+#
+# AC_CHECK_DEFINE(__STRICT_ANSI__, CFLAGS="$CFLAGS -D_XOPEN_SOURCE=500")
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive.
When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 8 + +AU_ALIAS([AC_CHECK_DEFINED], [AC_CHECK_DEFINE]) +AC_DEFUN([AC_CHECK_DEFINE],[ +AS_VAR_PUSHDEF([ac_var],[ac_cv_defined_$1])dnl +AC_CACHE_CHECK([for $1 defined], ac_var, +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[ + #ifdef $1 + int ok; + #else + choke me + #endif +]])],[AS_VAR_SET(ac_var, yes)],[AS_VAR_SET(ac_var, no)])) +AS_IF([test AS_VAR_GET(ac_var) != "no"], [$2], [$3])dnl +AS_VAR_POPDEF([ac_var])dnl +]) + +AU_ALIAS([AX_CHECK_DEFINED], [AX_CHECK_DEFINE]) +AC_DEFUN([AX_CHECK_DEFINE],[ +AS_VAR_PUSHDEF([ac_var],[ac_cv_defined_$2_$1])dnl +AC_CACHE_CHECK([for $2 defined in $1], ac_var, +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <$1>]], [[ + #ifdef $2 + int ok; + #else + choke me + #endif +]])],[AS_VAR_SET(ac_var, yes)],[AS_VAR_SET(ac_var, no)])) +AS_IF([test AS_VAR_GET(ac_var) != "no"], [$3], [$4])dnl +AS_VAR_POPDEF([ac_var])dnl +]) + +AC_DEFUN([AX_CHECK_FUNC], +[AS_VAR_PUSHDEF([ac_var], [ac_cv_func_$2])dnl +AC_CACHE_CHECK([for $2], ac_var, +dnl AC_LANG_FUNC_LINK_TRY +[AC_LINK_IFELSE([AC_LANG_PROGRAM([$1 + #undef $2 + char $2 ();],[ + char (*f) () = $2; + return f != $2; ])], + [AS_VAR_SET(ac_var, yes)], + [AS_VAR_SET(ac_var, no)])]) +AS_IF([test AS_VAR_GET(ac_var) = yes], [$3], [$4])dnl +AS_VAR_POPDEF([ac_var])dnl +])# AC_CHECK_FUNC diff --git a/configure.ac b/configure.ac index de184da..7e2f369 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,8 @@ # Required initializer AC_INIT +m4_include([acinclude.m4]) + # Automake initialization AM_INIT_AUTOMAKE(mod_nss, 1.0) 
@@ -239,6 +241,16 @@ fi nspr_dir=`echo "$nspr_lib" | sed 's/\/lib[[/]]*$//' | sed 's/-L//'` nss_dir=`echo "$nss_lib" | sed 's/\/lib[[/]]*$//' | sed 's/-L//'` +AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_256_GCM_SHA384, sha384=$enableval, sha384=no) +if test $sha384 = yes; then + AC_MSG_RESULT(yes) + extra_cppflags="$extra_cppflags -DENABLE_SHA384" + echo "ENABLE_SHA384=1" > test/variable.py +else + echo "ENABLE_SHA384=0" > test/variable.py + AC_MSG_RESULT(no) +fi + # Substitute values AC_SUBST(APXS) AC_SUBST(apr_inc) diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c index bede228..1bd9941 100644 --- a/nss_engine_cipher.c +++ b/nss_engine_cipher.c @@ -42,6 +42,9 @@ cipher_properties ciphers_def[ciphernum] = {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, "EXP1024-RC4-SHA", SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_EXPORT56, 56, 128}, {"camelia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "CAMELLIA256-SHA", SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256}, {"rsa_aes_128_gcm_sha_256", TLS_RSA_WITH_AES_128_GCM_SHA256, "AES128-GCM-SHA256", SSL_kRSA|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128}, +#ifdef ENABLE_SHA384 + {"rsa_aes_256_gcm_sha_384", TLS_RSA_WITH_AES_256_GCM_SHA384, "AES256-GCM-SHA384", SSL_kRSA|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256}, +#endif {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_HIGH, 112, 168}, {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56}, #ifdef NSS_ENABLE_ECC 
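Review bot: In the new `AX_CHECK_DEFINE` call in configure.ac the found-action is `sha384=$enableval`, but `enableval` is only meaningful inside an `AC_ARG_ENABLE` action, so here it holds whatever the last `--enable-*`/`--disable-*` option left behind, or nothing at all. An empty value turns the unquoted `test $sha384 = yes` into a shell error, and a leftover `no` silently builds without the SHA384 suites even though NSS defines them. Set the result explicitly with `sha384=yes` in the found-action and quote the comparison, `if test "x$sha384" = xyes; then`. The check also includes `nss3/sslproto.h` by a fixed relative path; whether the NSS include directory detected earlier in configure is on the preprocessor path at this point is not visible in the hunk and is worth confirming, since a failed compile check is reported simply as "not defined".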
@@ -73,6 +76,12 @@ cipher_properties ciphers_def[ciphernum] = {"ecdhe_ecdsa_aes_128_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "ECDHE-ECDSA-AES128-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128}, {"ecdhe_rsa_aes_128_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "ECDHE-RSA-AES128-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128}, {"ecdhe_ecdsa_aes_128_gcm_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "ECDHE-ECDSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128}, +#ifdef ENABLE_SHA384 + {"ecdhe_ecdsa_aes_256_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "ECDHE-ECDSA-AES256-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256}, + {"ecdhe_rsa_aes_256_sha_384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "ECDHE-RSA-AES256-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256}, + {"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "ECDHE-ECDSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256}, + {"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "ECDHE-RSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256}, +#endif {"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "ECDHE-RSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128}, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 is not implemented */ /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 is not implemented */ @@ -334,6 +343,8 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis mask |= SSL_SHA1; } else if (!strcmp(cipher, "SHA256")) { mask |= SSL_SHA256; + } else if (!strcmp(cipher, "SHA384")) { + mask |= SSL_SHA384; } else if (!strcmp(cipher, "SSLv2")) { /* no-op */ } else if (!strcmp(cipher, "SSLv3")) { 
diff --git a/nss_engine_cipher.h b/nss_engine_cipher.h index 2cd103b..2213f5d 100644 --- a/nss_engine_cipher.h +++ b/nss_engine_cipher.h @@ -70,7 +70,8 @@ typedef struct #define SSL_AES128GCM 0x04000000L #define SSL_AES256GCM 0x08000000L #define SSL_SHA256 0x10000000L -#define SSL_AEAD 0x20000000L +#define SSL_SHA384 0x20000000L +#define SSL_AEAD 0x40000000L #define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) #define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) @@ -83,7 +84,11 @@ typedef struct /* the table itself is defined in nss_engine_cipher.c */ #ifdef NSS_ENABLE_ECC -#define ciphernum 49 +# ifdef ENABLE_SHA384 +# define ciphernum 54 +# else +# define ciphernum 49 +# endif #else #define ciphernum 20 #endif diff --git a/test/test_cipher.py b/test/test_cipher.py index 3f1f344..2c27796 100644 --- a/test/test_cipher.py +++ b/test/test_cipher.py @@ -4,8 +4,8 @@ import os import nose from nose.tools import make_decorator -# As of now there are 47 ciphers including ECC -WITH_ECC=47 +# This file is auto-generated by configure +from variable import ENABLE_SHA384 cwd = os.getcwd() srcdir = os.path.dirname(cwd) @@ -19,6 +19,10 @@ CIPHERS_NOT_IN_NSS = ['ECDH-RSA-AES128-SHA256', 'ECDH-ECDSA-AES128-SHA256', 'ECDH-RSA-AES128-GCM-SHA256', 'EXP-DES-CBC-SHA', + 'ECDH-RSA-AES256-GCM-SHA384', + 'ECDH-ECDSA-AES256-SHA384', + 'ECDH-RSA-AES256-SHA384', + 'ECDH-ECDSA-AES256-GCM-SHA384', ] def assert_equal_openssl(nss_ciphers, ossl_ciphers): @@ -38,7 +42,7 @@ def assert_equal_openssl(nss_ciphers, ossl_ciphers): # output. t = list() for o in ossl_list: - if 'SHA384' in o: + if not ENABLE_SHA384 and 'SHA384' in o: continue if o in CIPHERS_NOT_IN_NSS: continue |
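Review bot: The `ciphernum` change in nss_engine_cipher.h only accounts for SHA384 in the `NSS_ENABLE_ECC` branch; the `#else` branch still says 20. The `rsa_aes_256_gcm_sha_384` row added to `ciphers_def` in nss_engine_cipher.c sits before the `#ifdef NSS_ENABLE_ECC` block, so a build with `ENABLE_SHA384` but without ECC has one more initializer than `ciphers_def[ciphernum]` can hold (assuming the existing count of 20 was correct). Depending on compiler settings that is either a build failure or a table whose last entry is dropped, which would change the set of cipher suites the server can be configured with. The non-ECC branch needs the same nested conditional as the ECC one.
```c
/* … unchanged: NSS_ENABLE_ECC branch (54 / 49) … */
#else
# ifdef ENABLE_SHA384
#  define ciphernum 21
# else
#  define ciphernum 20
# endif
#endif
```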
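Review bot: The comment `# This file is auto-generated by configure` above the new import in test/test_cipher.py reads as if test_cipher.py itself were generated, while it is `variable.py` that configure writes. Reword it to something like `# variable.py is written by configure; ENABLE_SHA384 is 1 when NSS defines the SHA384 suites`. The unconditional `from variable import ENABLE_SHA384` also makes the whole test module fail to import when configure has not been run in this tree or test/ is not on the module search path, so the cipher comparison is never exercised in that case. The hunk removes `WITH_ECC`; any remaining uses of it are outside the visible hunks and should be checked. The body of `assert_equal_openssl` continues outside the last hunk.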