Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2013-07-24 17:28:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_nss"

Changes:
--------
New Changes file:

--- /dev/null   2013-07-23 23:44:04.804033756 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes     
2013-07-24 17:28:46.000000000 +0200
@@ -0,0 +1,28 @@
+-------------------------------------------------------------------
+Fri Jul 12 10:42:06 UTC 2013 - a...@ajaissle.de
+
+- Changed source to original tar.gz 
+
+-------------------------------------------------------------------
+Thu Jul 11 14:50:42 UTC 2013 - a...@ajaissle.de
+
+- Added mod_nns-httpd24.patch to support build with apache 2.4
+
+-------------------------------------------------------------------
+Tue Jan 22 09:35:41 UTC 2013 - a...@ajaissle.de
+
+-  Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE 
+   dir layout [bnc#799483]
+-  Cleaned up license tag
+
+-------------------------------------------------------------------
+Sun Apr 15 14:17:19 UTC 2012 - w...@rosenauer.org
+
+- import some patches from Fedora
+- removed autoreconf call
+
+-------------------------------------------------------------------
+Wed Feb 17 13:30:47 UTC 2010 - n...@opensuse.org
+
+- Fix mod_nss-conf.patch to work on SUSE
+- Rename package from mod_nss to apache2-mod_nss

New:
----
  apache2-mod_nss.changes
  apache2-mod_nss.spec
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-httpd24.patch
  mod_nss-lockpcache.patch
  mod_nss-negotiate.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-pcachesignal.h
  mod_nss-reseterror.patch
  mod_nss-reverseproxy.patch
  mod_nss-wouldblock.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_nss.spec ++++++
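#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:      apache2-mod_nss
Summary:   SSL/TLS module for the Apache HTTP server
Version:   1.0.8
Release:   3
Group:     Productivity/Networking/Web/Servers
License:   Apache-2.0
Url:       http://directory.fedoraproject.org/wiki/Mod_nss
Source:    http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
Provides:  mod_nss
Requires:  apache2 >= 2.0.52
Requires:  findutils
# gencert, run from %%post, calls certutil (presumably from mozilla-nss-tools)
Requires(post): mozilla-nss-tools
BuildRequires: bison
BuildRequires: findutils
BuildRequires: gcc-c++
BuildRequires: libapr1-devel
BuildRequires: libapr-util1-devel
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.12.6
BuildRequires: apache2-devel >= 2.0.52
BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
Patch1:    mod_nss-conf.patch
# Create the NSS database without the fixed, well-known "httptest" password
Patch2:    mod_nss-gencert.patch
Patch3:    mod_nss-wouldblock.patch
# NSSRenegotiation / NSSRequireSafeNegotiation directives, both off by default
Patch4:    mod_nss-negotiate.patch
Patch5:    mod_nss-reverseproxy.patch
# A patch despite the .h suffix: makes nss_pcache ignore SIGHUP
Patch6:    mod_nss-pcachesignal.h
Patch7:    mod_nss-reseterror.patch
# Serialize access to the nss_pcache pipe with a SysV semaphore
Patch8:    mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9:    mod_nss-httpd24.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%define    apxs /usr/sbin/apxs2
%define    apache apache2
%define    apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define    apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define    apache_includedir %(%{apxs} -q INCLUDEDIR)
%define    apache_serverroot %(%{apxs} -q PREFIX)
%define    apache_mmn        %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)

%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

%prep
%setup -q -n mod_nss-%{version}
%patch1 -p1 -b .conf
%patch2 -p1 -b .gencert
%patch3 -p1 -b .wouldblock
%patch4 -p1 -b .negotiate
%patch5 -p1 -b .reverseproxy
%patch6 -p1 -b .pcachesignal.h
%patch7 -p1 -b .reseterror
%patch8 -p1 -b .lockpcache
# Patch9 is only needed where apache 2.4 is the target (see its comment above)
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif

# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]

%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
#autoreconf -fvi
%configure \
    --with-nss-lib=$NSS_LIB_DIR \
    --with-nss-inc=$NSS_INCLUDE_DIR \
    --with-nspr-lib=$NSPR_LIB_DIR \
    --with-nspr-inc=$NSPR_INCLUDE_DIR \
    --with-apxs=%{apxs} \
    --with-apr-config
make %{?_smp_mflags} all

%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/alias

%if 0%{?suse_version}
# nss.conf carries a LoadModule line (mod_nss-conf.patch); point it at the
# SUSE module directory
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif

install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/

#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconfdir}/alias/
# Placeholders for the database files: they are %%ghost entries in %%files
# and are really created by gencert in %%post
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/secmod.db
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/cert8.db
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/key3.db
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/install.log
# %%build and %%install run as separate shell scripts, so the NSS_* variables
# set in %%build are not visible here. Without redefining them the perl
# expression degrades to an empty "s:::" and rewrites nothing.
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert

%clean
rm -rf $RPM_BUILD_ROOT

%post
# Files gencert creates start out 0600 root; the find calls below open them
# to group www, matching the %%attr(0640,root,www) entries in %%files.
umask 077
# $1 is 1 on a fresh install only, not on an upgrade
if [ "$1" -eq 1 ] ; then
    if [ ! -e %{apache_sysconfdir}/alias/key3.db ]; then
        %{_sbindir}/gencert %{apache_sysconfdir}/alias > %{apache_sysconfdir}/alias/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    fi
    # Make sure that the database ownership is setup properly.
    find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chgrp www {} \;
    find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi

%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html
%config(noreplace) %{apache_sysconfdir}/conf.d/nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/libmodnss.so
%dir %{apache_sysconfdir}/alias/
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/key3.db
%ghost %config(noreplace) %{apache_sysconfdir}/alias/install.log
#%%{apache_sysconfdir}/alias/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert

%changelog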
++++++ mod_nss-conf.patch ++++++
--- mod_nss-1.0.6/nss.conf.in.orig      2006-10-20 11:08:42.000000000 -0400
+++ mod_nss-1.0.6/nss.conf.in   2013-01-22 10:33:25.000000000 +0100
@@ -8,14 +8,16 @@
 # consult the online docs. You have been warned.  
 #
 
+LoadModule nss_module @apache_lib@/libmodnss.so
+
 #
 # When we also provide SSL we have to listen to the 
 # standard HTTP port (see above) and to the HTTPS port
 #
 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
-#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
+#       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
 #
-Listen 443
+Listen 8443
 
 ##
 ##  SSL Global Context
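Review bot: The rewritten Listen comment now pairs `"Listen [::]:8443"` with `"Listen 0.0.0.0:443"` while the directive beneath it was moved to 8443, so an IPv6 operator following the comment ends up serving TLS on a different port per address family. Make the example consistent: `#       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:8443"`. Separately, the added `LoadModule nss_module` line means mod_nss is loaded only when this conf.d file is read; any directive it registers a handler for (the lockpcache patch adds one for `User`) is only seen by the module if it appears after this point, which deserves a one-line comment next to the LoadModule.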
@@ -40,7 +42,7 @@
 #   Pass Phrase Helper:
 #   This helper program stores the token password pins between
 #   restarts of Apache.
-NSSPassPhraseHelper @apache_bin@/nss_pcache
+NSSPassPhraseHelper /usr/sbin/nss_pcache
 
 #   Configure the SSL Session Cache. 
 #   NSSSessionCacheSize is the number of entries in the cache.
@@ -68,17 +70,17 @@
 ## SSL Virtual Host Context
 ##
 
-<VirtualHost _default_:443>
+<VirtualHost _default_:8443>
 
 #   General setup for the virtual host
 #DocumentRoot "@apache_prefix@/htdocs"
-#ServerName www.example.com:443
+#ServerName www.example.com:8443
 #ServerAdmin y...@example.com
 
 # mod_nss can log to separate log files, you can choose to do that if you'd 
like
 # LogLevel is not inherited from httpd.conf.
-#ErrorLog @apache_prefix@/logs/error_log
-#TransferLog @apache_prefix@/logs/access_log
+ErrorLog /var/log/apache2/error_log
+TransferLog /var/log/apache2/access_log
 LogLevel warn
 
 #   SSL Engine Switch:
@@ -113,7 +115,7 @@
 #   The NSS security database directory that holds the certificates and
 #   keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
 #   Provide the directory that these files exist.
-NSSCertificateDatabase @apache_conf@
+NSSCertificateDatabase @apache_conf@/alias
 
 #   Database Prefix:
 #   In order to be able to store multiple NSS databases in one directory
@@ -189,7 +191,7 @@
 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     NSSOptions +StdEnvVars
 </Files>
-<Directory "@apache_prefix@/cgi-bin">
+<Directory "@apache_prefix@/cgi-bin">
     NSSOptions +StdEnvVars
 </Directory>
 
++++++ mod_nss-gencert.patch ++++++
---  mod_nss-1.0/gencert.in     2006-06-20 22:43:33.000000000 -0400
+++  mod_nss-1.0/gencert.in.orig        2006-06-20 22:57:08.000000000 -0400
@@ -82,12 +82,11 @@
 
 DEST=$1
 
-echo "httptest" > $DEST/pw.txt
+echo -e "\n" > $DEST/pw.txt
 
 echo ""
 echo "#####################################################################"
-echo "Generating new server certificate and key database. The password"
-echo "is httptest"
+echo "Generating new server certificate and key database."
 echo "#####################################################################"
 $CERTUTIL -N -d $DEST -f $DEST/pw.txt
 
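Review bot: `echo -e "\n" > $DEST/pw.txt` replaces the fixed "httptest" password with a bare newline, so the key database created by `$CERTUTIL -N` below is effectively not password-protected and the private key in it relies on the alias directory's file permissions alone; that is a reasonable trade against a well-known default, but the script should say so, e.g. `# empty DB password: key3.db is guarded by file permissions only`. `echo -e` is also not portable across /bin/sh implementations (the interpreter line is outside the hunk) and `$DEST` is unquoted; `printf '\n' > "$DEST/pw.txt"` avoids both. The `---`/`+++` headers list `gencert.in` as old and `gencert.in.orig` as new, the reverse of the usual convention, which is confusing even if `patch -p1` presumably still resolves to the existing `gencert.in`.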
@@ -183,8 +182,4 @@
 rm $DEST/pw.txt
 rm $DEST/noise
 
-echo ""
-echo "The database password is httptest"
-echo ""
-
 exit 0
++++++ mod_nss-httpd24.patch ++++++
diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss/mod_nss.c   2012-06-12 12:23:29.961000000 -0700
+++ mod_nss-1.0.8/mod_nss.c     2012-06-12 12:00:35.957002099 -0700
@@ -349,7 +349,7 @@
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                  "Connection to child %ld established "
                  "(server %s, client %s)", c->id, sc->vhost_id, 
-                 c->remote_ip ? c->remote_ip : "unknown");
+                 c->client_ip ? c->client_ip : "unknown");
 
     mctx = sslconn->is_proxy ? sc->proxy : sc->server;
 
diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss/mod_nss.h   2012-06-12 12:23:29.962000000 -0700
+++ mod_nss-1.0.8/mod_nss.h     2012-06-12 12:00:35.955002240 -0700
@@ -27,7 +27,6 @@
 #include "http_protocol.h"
 #include "util_script.h"
 #include "util_filter.h"
-#include "mpm.h"
 #include "apr.h"
 #include "apr_strings.h"
 #define APR_WANT_STRFUNC
@@ -490,7 +489,7 @@
 SECStatus nss_Init_Tokens(server_rec *s);
 
 /* Logging */
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
+void nss_log_nss_error(const char *file, int line, int module_index, int 
level, server_rec *s);
 void nss_die(void);
 
 /* NSS callback */
diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss/nss_engine_init.c   2012-06-12 12:23:29.962000000 -0700
+++ mod_nss-1.0.8/nss_engine_init.c     2012-06-12 12:00:35.955002240 -0700
@@ -15,7 +15,7 @@
 
 #include "mod_nss.h"
 #include "apr_thread_proc.h"
-#include "ap_mpm.h"
+#include "mpm_common.h"
 #include "secmod.h"
 #include "sslerr.h"
 #include "pk11func.h"
diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
--- mod_nss/nss_engine_io.c     2012-06-12 12:23:29.963000000 -0700
+++ mod_nss-1.0.8/nss_engine_io.c       2012-06-12 12:00:35.956002167 -0700
@@ -621,13 +621,13 @@
     PR_Close(ssl);
 
     /* log the fact that we've closed the connection */
-    if (c->base_server->loglevel >= APLOG_INFO) {
+    if (c->base_server->log.level >= APLOG_INFO) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                      "Connection to child %ld closed "
                      "(server %s, client %s)",
                      c->id,
                      nss_util_vhostid(c->pool, c->base_server),
-                     c->remote_ip ? c->remote_ip : "unknown");
+                     c->client_ip ? c->client_ip : "unknown");
     }
 
     /* deallocate the SSL connection */
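Review bot: `c->base_server->log.level` checks only the server-wide level; in httpd 2.4 per-module and per-directory LogLevel settings are kept separately, so this test may skip the message even when the module's own level allows it. The 2.4 idiom is the connection-aware macro, `if (APLOG_C_IS_LEVEL(c, APLOG_INFO)) {`. The same applies to the `r->server->log.level` test in the nss_engine_kernel.c hunk, where `APLOG_R_IS_LEVEL(r, APLOG_INFO)` fits. The enclosing function starts before and ends after this hunk.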
@@ -1165,7 +1165,7 @@
     filter_ctx = (nss_filter_ctx_t *)(fd->secret);
     c = filter_ctx->c;
 
-    return PR_StringToNetAddr(c->remote_ip, addr);
+    return PR_StringToNetAddr(c->client_ip, addr);
 }
 
 /* 
diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
--- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700
+++ mod_nss-1.0.8/nss_engine_kernel.c   2012-06-12 12:00:35.954002314 -0700
@@ -73,7 +73,7 @@
     /*
      * Log information about incoming HTTPS requests
      */
-    if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
+    if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                      "%s HTTPS request received for child %ld (server %s)",
                      (r->connection->keepalives <= 0 ?
@@ -530,7 +530,7 @@
             ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                          "Access to %s denied for %s "
                          "(requirement expression not fulfilled)",
-                         r->filename, r->connection->remote_ip);
+                         r->filename, r->connection->client_ip);
 
             ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                          "Failed expression: %s", req->cpExpr);
diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
--- mod_nss/nss_engine_log.c    2012-06-12 12:23:29.964000000 -0700
+++ mod_nss-1.0.8/nss_engine_log.c      2012-06-12 12:00:35.955002240 -0700
@@ -321,7 +321,7 @@
     exit(1); 
 }
 
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s)
+void nss_log_nss_error(const char *file, int line, int module_index, int 
level, server_rec *s)
 {
     const char *err;
     PRInt32 error;
@@ -340,7 +340,7 @@
          err = "Unknown";
     }
 
-    ap_log_error(file, line, level, 0, s,
+    ap_log_error(file, line, module_index, level, 0, s,
                  "SSL Library Error: %d %s",
                  error, err);
 }
diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
--- mod_nss/nss_engine_vars.c   2012-06-12 12:23:29.965000000 -0700
+++ mod_nss-1.0.8/nss_engine_vars.c     2012-06-12 12:00:35.948002812 -0700
@@ -178,7 +178,7 @@
                  && sslconn && sslconn->ssl)
             result = nss_var_lookup_ssl(p, c, var+4);
         else if (strcEQ(var, "REMOTE_ADDR"))
-            result = c->remote_ip;
+            result = c->client_ip;
         else if (strcEQ(var, "HTTPS")) {
             if (sslconn && sslconn->ssl)
                 result = "on";
@@ -194,7 +194,7 @@
         if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
             result = nss_var_lookup_nss_version(p, var+12);
         else if (strcEQ(var, "SERVER_SOFTWARE"))
-            result = (char *)ap_get_server_version();
+            result = (char *)ap_get_server_banner();
         else if (strcEQ(var, "API_VERSION")) {
             result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
             resdup = FALSE;
++++++ mod_nss-lockpcache.patch ++++++
diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c
--- mod_nss-1.0.8/mod_nss.c     2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/mod_nss.c        2011-03-02 16:17:48.000000000 -0500
@@ -152,6 +152,8 @@
     AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL, 
       "SSLLogLevel directive is no longer supported - use LogLevel."),
 #endif
+    AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
+                  "Apache user. Comes from httpd.conf."),
     
     AP_END_CMD
 };
diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h
--- mod_nss-1.0.8/mod_nss.h     2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/mod_nss.h        2011-03-02 16:17:48.000000000 -0500
@@ -41,6 +41,9 @@
 #include "apr_shm.h"
 #include "apr_global_mutex.h"
 #include "apr_optional.h"
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
 
 #define MOD_NSS_VERSION AP_SERVER_BASEREVISION
 
@@ -244,6 +247,9 @@
     struct {
         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
     } rCtx;
+
+    int semid;
+    const char *user;
 } SSLModConfigRec;
 
 typedef struct SSLSrvConfigRec SSLSrvConfigRec;
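Review bot: The new `int semid` field is tested as `if (mc->semid)` in the nss_engine_init.c hunk, so 0 stands for "no semaphore yet"; a SysV semaphore id can legitimately be 0, in which case the ownership hand-over on re-initialisation is silently skipped. Initialise the field to -1 where SSLModConfigRec is allocated (outside this patch) and test `if (mc->semid != -1)`. A comment on the field would help too: `int semid;          /* SysV semaphore guarding the nss_pcache pipe */`.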
@@ -412,6 +418,7 @@
 const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char 
*arg);
 const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg);
 
 /*  module initialization  */
 int  nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8/nss_engine_config.c 
mod_nss-1.0.8.lock/nss_engine_config.c
--- mod_nss-1.0.8/nss_engine_config.c   2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_engine_config.c      2011-03-02 16:17:48.000000000 
-0500
@@ -830,3 +830,12 @@
 
     return NULL;
 }
+
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg)
+{
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+
+    mc->user = arg;
+
+    return NULL;
+}
diff -u --recursive mod_nss-1.0.8/nss_engine_init.c 
mod_nss-1.0.8.lock/nss_engine_init.c
--- mod_nss-1.0.8/nss_engine_init.c     2011-03-02 16:19:49.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_engine_init.c        2011-03-02 16:17:48.000000000 
-0500
@@ -312,6 +312,7 @@
     int sslenabled = FALSE;
     int fipsenabled = FALSE;
     int threaded = 0;
+    struct semid_ds status;
 
     mc->nInitCount++;
 
@@ -412,10 +413,26 @@
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                  "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" 
: "Re-i");
 
+    /* The first pass through this function will create the semaphore that
+     * will be used to lock the pipe. The user is still root at that point
+     * so for any later calls the semaphore ops will fail with permission
+     * errors. So switch the user to the Apache user.
+     */
+    if (mc->semid) {
+        uid_t user_id;
+
+        user_id = ap_uname2id(mc->user);
+        semctl(mc->semid, 0, IPC_STAT, &status);
+        status.sem_perm.uid = user_id;
+        semctl(mc->semid,0,IPC_SET,&status);
+    }
+
     /* Do we need to fire up our password helper? */
     if (mc->nInitCount == 1) {
         const char * child_argv[5];
         apr_status_t rv;
+        struct sembuf sb;
+        char sembuf[32];
 
         if (mc->pphrase_dialog_helper == NULL) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
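Review bot: `const char * child_argv[5];` is kept as context here, but the next hunk now fills six slots (`child_argv[5] = NULL;`), writing one pointer past the end of the stack array; change the declaration to `const char * child_argv[6];`. In the added block both `semctl` calls ignore their return value and `mc->user` reaches `ap_uname2id` without a NULL check — if no `User` directive was seen by mod_nss's handler (it exists only once the module is loaded), the lookup runs on a NULL name; guard with `if (mc->semid && mc->user)` and log when IPC_STAT or IPC_SET fails. In the next hunk a failed initialising `semop` leaks the semaphore created just before it, since `nss_die()` exits without removing it; call `semctl(mc->semid, 0, IPC_RMID);` before that `nss_die()`. The enclosing function starts before this hunk.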
@@ -423,11 +440,31 @@
             nss_die();
         }
 
+        mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
+        if (mc->semid == -1) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to obtain semaphore.");
+            nss_die();
+        }
+
+        /* Initialize the semaphore */
+        sb.sem_num = 0;
+        sb.sem_op = 1;
+        sb.sem_flg = 0;
+        if ((semop(mc->semid, &sb, 1)) == -1) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to initialize semaphore.");
+            nss_die();
+        }
+
+        PR_snprintf(sembuf, 32, "%d", mc->semid);
+
         child_argv[0] = mc->pphrase_dialog_helper;
-        child_argv[1] = fipsenabled ? "on" : "off";
-        child_argv[2] = mc->pCertificateDatabase;
-        child_argv[3] = mc->pDBPrefix;
-        child_argv[4] = NULL;
+        child_argv[1] = sembuf;
+        child_argv[2] = fipsenabled ? "on" : "off";
+        child_argv[3] = mc->pCertificateDatabase;
+        child_argv[4] = mc->pDBPrefix;
+        child_argv[5] = NULL;
 
         rv = apr_procattr_create(&mc->procattr, mc->pPool);
 
diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c 
mod_nss-1.0.8.lock/nss_engine_pphrase.c
--- mod_nss-1.0.8/nss_engine_pphrase.c  2008-07-02 10:54:37.000000000 -0400
+++ mod_nss-1.0.8.lock/nss_engine_pphrase.c     2011-03-02 16:17:48.000000000 
-0500
@@ -279,6 +279,16 @@
         char buf[1024];
         apr_status_t rv;
         apr_size_t nBytes = 1024;
+        struct sembuf sb;
+
+        /* lock the pipe */
+        sb.sem_num = 0;
+        sb.sem_op = -1;
+        sb.sem_flg = SEM_UNDO;
+        if (semop(parg->mc->semid, &sb, 1) == -1) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+                "Unable to reserve semaphore resource");
+        }
 
         snprintf(buf, 1024, "RETR\t%s", token_name);
         rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
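Review bot: When the `semop` down fails the callback only logs and still writes `RETR` to the shared pipe, so the serialisation the lock exists for is not enforced, and the unconditional up in the following hunk (`sb.sem_op = 1; semop(...)`) then raises the count to 2 so that two callers can later hold the "lock" at once. Track the outcome, e.g. `int locked = semop(parg->mc->semid, &sb, 1) != -1;`, release only `if (locked)`, and consider returning failure instead of proceeding unlocked. The enclosing function starts before and ends after the hunk.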
@@ -293,6 +303,13 @@
          */
         memset(buf, 0, sizeof(buf));
         rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
+        sb.sem_op = 1;
+        if (semop(parg->mc->semid, &sb, 1) == -1) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+                "Unable to free semaphore resource");
+            /* perror("semop free resource id"); */
+        }
+
         if (rv != APR_SUCCESS) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
                 "Unable to read from pin store for slot: %s APR err: %d",  
PK11_GetTokenName(slot), rv);
diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c
--- mod_nss-1.0.8/nss_pcache.c  2011-03-02 16:19:55.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_pcache.c     2011-03-02 16:19:10.000000000 -0500
@@ -21,6 +21,9 @@
 #include <pk11func.h>
 #include <secmod.h>
 #include <signal.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
 #include "nss_pcache.h"
 
 static char * getstr(const char * cmd, int el);
@@ -70,6 +73,13 @@
     unsigned char *crypt;
 };
 
+union semun {
+    int val;
+    struct semid_ds *buf;
+    unsigned short *array;
+    struct seminfo *__buf;
+};
+
 /*
  * Node - for maintaining link list of tokens with cached PINs
  */
@@ -304,15 +314,19 @@
     char * tokenName;
     char * tokenpw;
     int fipsmode = 0;
+    int semid = 0;
+    union semun semarg;
 
-    if (argc < 3 || argc > 4) {
-        fprintf(stderr, "Usage: nss_pcache <fips on/off> <directory> 
<prefix>\n");
+    if (argc < 4 || argc > 5) {
+        fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> 
<prefix>\n");
         exit(1);
     }
 
     signal(SIGHUP, SIG_IGN);
 
-    if (!strcasecmp(argv[1], "on"))
+    semid = strtol(argv[1], NULL, 10);
+
+    if (!strcasecmp(argv[2], "on"))
         fipsmode = 1;
 
     /* Initialize NSPR */
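Review bot: `semid = strtol(argv[1], NULL, 10);` accepts any string, so a non-numeric or out-of-range argument silently becomes 0 or LONG_MIN/LONG_MAX and is later handed to `semctl(..., IPC_RMID, ...)` at exit, targeting whatever semaphore that id names if the process has rights to it. Parse with an end pointer and range check: `errno = 0; semid = strtol(argv[1], &end, 10); if (end == argv[1] || *end != '\0' || errno == ERANGE || semid < 0) { /* same usage message as above */ exit(1); }` (with `char *end;` declared and `<errno.h>` included if it is not already). main continues past this hunk.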
@@ -322,7 +336,7 @@
     PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, 
NULL,NULL,NULL,8,1);
  
     /* Initialize NSS and open the certificate database read-only. */
-    rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? 
argv[3] : NULL, "secmod.db", NSS_INIT_READONLY);
+    rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? 
argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
 
     if (rv != SECSuccess) {
         fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
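Review bot: The cert-prefix argument was rewritten to `argc == 4 ? argv[4] : NULL`, which can never yield a prefix (with argc == 4, argv[4] is the terminating NULL), while the key-prefix argument next to it uses `argc == 5 ? argv[4] : NULL`; before the patch both were the same expression, so with a prefix supplied the certificate and key databases are now opened with different prefixes. Make the first ternary `argc == 5 ? argv[4] : NULL` as well. main continues on both sides of this hunk.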
@@ -437,6 +451,11 @@
     }
     freeList(pinList);
     PR_Close(in);
+    /* Remove the semaphore used for locking here. This is because this
+     * program only goes away when Apache shuts down so we don't have to
+     * worry about reloads.
+     */
+    semctl(semid, 0, IPC_RMID, semarg);
     return 0;
 }
 
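Review bot: `semarg` is passed to `semctl(semid, 0, IPC_RMID, semarg)` without ever being initialised; IPC_RMID ignores the argument, so drop it (`semctl(semid, 0, IPC_RMID);`) rather than read an indeterminate union, and check the return value. This cleanup only runs on the normal return path — if nss_pcache is terminated by a signal the semaphore outlives it — which the comment should state for the operator, e.g. `/* not reached on abnormal exit; a stale semaphore must then be removed by hand */`. main starts before this hunk.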
Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig
Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej
++++++ mod_nss-negotiate.patch ++++++

diff -up ./mod_nss.c.norego ./mod_nss.c
--- ./mod_nss.c.norego  2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
     SSL_CMD_SRV(Nickname, TAKE1,
                 "SSL RSA Server Certificate nickname "
                 "(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+    SSL_CMD_SRV(Renegotiation, FLAG,
+                "Enable SSL Renegotiation (default off) "
+                "(`on', `off')")
+    SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+                "If Rengotiation is allowed, require safe negotiation (default 
off) "
+                "(`on', `off')")
+#endif
 #ifdef NSS_ENABLE_ECC
     SSL_CMD_SRV(ECCNickname, TAKE1,
                 "SSL ECC Server Certificate nickname "
diff -up ./mod_nss.h.norego ./mod_nss.h
--- ./mod_nss.h.norego  2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
@@ -269,6 +269,10 @@ typedef struct {
     int tls;
     int tlsrollback;
     int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+    int enablerenegotiation;
+    int requiresafenegotiation;
+#endif
     const char *nickname;
 #ifdef NSS_ENABLE_ECC
     const char *eccnickname;
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
 const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char 
*arg);
 const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int 
flag);
+#endif
 #ifdef NSS_ENABLE_ECC
 const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char 
*arg);
 #endif
diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
--- ./nss_engine_config.c.norego        2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_config.c       2010-01-28 20:44:49.000000000 +0100
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
     mctx->tls                 = PR_FALSE;
     mctx->tlsrollback         = PR_FALSE;
 
+#ifdef SSL_ENABLE_RENEGOTIATION
+    mctx->enablerenegotiation   = PR_FALSE;
+    mctx->requiresafenegotiation = PR_FALSE;
+#endif
     mctx->enforce             = PR_TRUE;
     mctx->nickname            = NULL;
 #ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
     cfgMerge(eccnickname, NULL);
 #endif
     cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+    cfgMerge(enablerenegotiation, PR_FALSE);
+    cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
 }
 
 static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
     return NULL;
 }
 
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+ 
+    return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int 
flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+ 
+    return NULL;
+}
+#endif
+
 #ifdef NSS_ENABLE_ECC
 const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
                                 void *dcfg,
diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
--- ./nss_engine_init.c.norego  2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
             nss_die();
         }
     }
+#ifdef SSL_ENABLE_RENEGOTIATION
+    if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+            mctx->enablerenegotiation ?
+              SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+              ) != SECSuccess) {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                    "Unable to set SSL renegotiation");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+            nss_die();
+    }
+    if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+            mctx->requiresafenegotiation) != SECSuccess) {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                    "Unable to set SSL safe negotiation");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+            nss_die();
+    }
+#endif
 }
 
 static void nss_init_ctx_protocol(server_rec *s,
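Review bot: Both new failure branches log at `APLOG_DEBUG` and then call `nss_die()`, so at the `LogLevel warn` shipped in nss.conf.in the server exits with the only explanation suppressed; the `nss_log_nss_error` call right after each already uses `APLOG_ERR`. Change both to `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to set SSL renegotiation");` and likewise for the safe-negotiation message. nss_init_ctx_socket starts before this hunk.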

diff -up ./nss.conf.in.norego ./nss.conf.in
--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
+++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
@@ -64,6 +64,17 @@
 #NSSRandomSeed startup file:/dev/random  512
 #NSSRandomSeed startup file:/dev/urandom 512
 
+#
+# TLS Negotiation configuration under RFC 5746
+#
+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
+# extension. Default off.
+NSSRenegotiation off
+
+# Peer must send Signaling Cipher Suite Value (SCSV) or
+# Renegotiation Info (RI) extension in ALL handshakes.  Default: off
+NSSRequireSafeNegotiation off
+
 ##
 ## SSL Virtual Host Context
 ##

diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
--- ./nss_engine_log.c.norego    17 Oct 2006 16:45:57 -0000
+++ ./nss_engine_log.c    18 Mar 2010 19:39:10 -0000
@@ -27,7 +27,7 @@
 #define LIBSEC_ERROR_BASE              (-8192)
 #define LIBSEC_MAX_ERROR               (LIBSEC_ERROR_BASE + 155)
 #define LIBSSL_ERROR_BASE              (-12288)
-#define LIBSSL_MAX_ERROR               (LIBSSL_ERROR_BASE + 102)
+#define LIBSSL_MAX_ERROR               (LIBSSL_ERROR_BASE + 114)
 
 typedef struct l_error_t {
     int errorNumber;
@@ -296,7 +296,19 @@
     { 99, "Server requires ciphers more secure than those supported by client" 
},
     { 100, "Peer reports it experienced an internal error" },
     { 101, "Peer user canceled handshake" },
-    { 102, "Peer does not permit renegotiation of SSL security parameters" }
+    { 102, "Peer does not permit renegotiation of SSL security parameters" },
+    { 103, "Server cache not configured" },
+    { 104, "Unsupported extension" },
+    { 105, "Certificate unobtainable" },
+    { 106, "Unrecognized name" },
+    { 107, "Bad certificate status" },
+    { 108, "Bad certificate hash value" },
+    { 109, "Unexpected new session ticket" },
+    { 110, "Malformed new session ticket" },
+    { 111, "Decompression failure" },
+    { 112, "Renegotiation not allowed" },
+    { 113, "Safe negotiation required but not provided by client" },
+    { 114, "Unexpected uncompressed record" },
 };
 
 void nss_die(void) 
++++++ mod_nss-overlapping_memcpy.patch ++++++
Bug 669118

memcpy of overlapping memory is no longer allowed by glibc.

This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444

--- mod_nss-1.0.8.orig/nss_engine_io.c  2011-01-12 12:31:27.339425702 -0500
+++ mod_nss-1.0.8/nss_engine_io.c       2011-01-12 12:31:35.507405595 -0500
@@ -123,13 +123,13 @@
 
     if (buffer->length > inl) {
         /* we have have enough to fill the caller's buffer */
-        memcpy(in, buffer->value, inl);
+        memmove(in, buffer->value, inl);
         buffer->value += inl;
         buffer->length -= inl;
     }
     else {
         /* swallow remainder of the buffer */
-        memcpy(in, buffer->value, buffer->length);
+        memmove(in, buffer->value, buffer->length);
         inl = buffer->length;
         buffer->value = NULL;
         buffer->length = 0;
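Review bot: The switch to memmove silences the glibc overlap abort but the hunk does not record why `in` and `buffer->value` can alias in the first place, which is the information a later reader needs before touching `buffer->value += inl` two lines down (if the regions overlap, that pointer now walks into the caller's buffer). A one-line comment above the first copy, such as `/* in and buffer->value may overlap (see Apache bug 45444), so memmove is required */`, would pin that down. Whether the overlap is by design or a symptom of an earlier bug is not visible here; the enclosing function starts before this hunk.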
++++++ mod_nss-pcachesignal.h ++++++
diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
--- mod_nss-1.0.8.orig/nss_pcache.c     2008-07-02 10:54:06.000000000 -0400
+++ mod_nss-1.0.8/nss_pcache.c  2010-05-14 13:32:57.000000000 -0400
@@ -20,6 +20,7 @@
 #include <seccomon.h>
 #include <pk11func.h>
 #include <secmod.h>
+#include <signal.h>
 #include "nss_pcache.h"
 
 static char * getstr(const char * cmd, int el);
@@ -309,6 +310,8 @@
         exit(1);
     }
 
+    signal(SIGHUP, SIG_IGN);
+
     if (!strcasecmp(argv[1], "on"))
         fipsmode = 1;
 
Only in mod_nss-1.0.8: nss_pcache.c.rej
++++++ mod_nss-reseterror.patch ++++++
--- mod_nss-1.0.8.orig/nss_engine_io.c  2010-09-23 18:12:56.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_io.c       2010-09-23 18:13:07.000000000 -0400
@@ -348,6 +348,7 @@
             break;
         }
 
+        PR_SetError(0, 0);
         rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
 
         if (rc > 0) {
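Review bot: `PR_SetError(0, 0);` before PR_Read has no comment saying what stale error it is defending against; presumably a PR_WOULD_BLOCK_ERROR or similar left by an earlier call in this loop that the code after PR_Read would otherwise misread when rc is not positive. Quote that reason at the call, e.g. `/* Clear any stale NSPR error so the check below only sees this PR_Read's result */`. The surrounding loop starts before this hunk, so the exact consumer of the error code is not visible here.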
++++++ mod_nss-reverseproxy.patch ++++++
mod_proxy now sets the requested remote host name. Use this to compare
against the CN value of the peer certificate and reject the request if they
do not match (and NSSProxyCheckPeerCN is set to on).

diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html 
mod_nss-1.0.8/docs/mod_nss.html
--- mod_nss-1.0.8.orig/docs/mod_nss.html        2006-09-05 10:58:56.000000000 
-0400
+++ mod_nss-1.0.8/docs/mod_nss.html     2010-05-13 11:25:42.000000000 -0400
@@ -1028,7 +1028,21 @@
 <br>
 <span style="font-weight: bold;">Example</span><br>
 <br>
-<code>NSSProxyNickname beta</code><br>
+<code>NSSProxyNickname beta<br>
+<br>
+</code><big><big>NSSProxyCheckPeerCN</big></big><br>
+<br>
+Compare the CN value of the peer certificate with the hostname being
+requested. If this is set to on, the default, then the request will
+fail if they do not match. If this is set to off then this comparison
+is not done. Note that this test is your only protection against a
+man-in-the-middle attack so leaving this as on is strongly recommended.<br>
+<br>
+<span style="font-weight: bold;">Example</span><br>
+<br>
+<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code>
+on<br>
+</code><br>
 <h1><a name="Environment"></a>Environment Variables</h1>
 Quite a few environment variables (for CGI and SSI) may be set
 depending on the NSSOptions configuration. It can be expensive to set
@@ -1435,42 +1449,9 @@
 <h1><a name="FAQ"></a>Frequently Asked Questions</h1>
 Q. Does mod_nss support mod_proxy?<br>
 <br>
-A. In order to use the mod_nss proxy support you will need to build
-your own mod_proxy by applying a patch found in bug <a
- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468";>36468</a>.
-The patch is needed so we can compare the hostname contained in the
-remote certificate with the hostname you meant to visit. This prevents
-man-in-the-middle attacks.<br>
-<br>
-You also have to change the SSL functions that mod_proxy looks to use.
-You'll need to apply this patch:<br>
-<br>
-<code>1038,1039c1038,1039<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br>
----<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br>
-1041,1042c1041,1042<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
-= NULL;<br>
----<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
-= NULL;<br>
-1069,1070c1069,1070<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br>
----<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br>
-</code><br>
+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
+provides a single interface for SSL providers and mod_nss defers to
+mod_ssl
+if it is loaded.
 </body>
 </html>
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss-1.0.8.orig/mod_nss.c        2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.c     2010-05-13 11:25:42.000000000 -0400
@@ -142,6 +142,8 @@
     SSL_CMD_SRV(ProxyNickname, TAKE1,
                "SSL Proxy: client certificate Nickname to be for proxy 
connections "
                "(`nickname')")
+    SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+                "SSL Proxy: check the peers certificate CN")
 
 #ifdef IGNORE
     /* Deprecated directives. */
@@ -238,23 +240,30 @@
 SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
 {
     conn_rec *c = (conn_rec *)arg;
+    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     PRErrorCode err = PR_GetError();
     SECStatus rv = SECFailure;
     CERTCertificate *peerCert = SSL_PeerCertificate(socket);
+    const char *hostname_note;
                                                                                
 
     switch (err) {
         case SSL_ERROR_BAD_CERT_DOMAIN:
-            if (c->remote_host != NULL) {
-                rv = CERT_VerifyCertName(peerCert, c->remote_host);
-                if (rv != SECSuccess) {
-                    char *remote = CERT_GetCommonName(&peerCert->subject);
+            if (sc->proxy_ssl_check_peer_cn == TRUE) {
+                if ((hostname_note = apr_table_get(c->notes, 
"proxy-request-hostname")) != NULL) {
+                    apr_table_unset(c->notes, "proxy-request-hostname");
+                    rv = CERT_VerifyCertName(peerCert, hostname_note);
+                    if (rv != SECSuccess) {
+                        char *remote = CERT_GetCommonName(&peerCert->subject);
+                        ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+                            "SSL Proxy: Possible man-in-the-middle attack. The 
remove server is %s, we expected %s", remote, hostname_note);
+                        PORT_Free(remote);
+                    }
+                } else {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                        "SSL Proxy: Possible man-in-the-middle attack. The 
remove server is %s, we expected %s", remote, c->remote_host);
-                    PORT_Free(remote);
+                        "SSL Proxy: I don't have the name of the host we're 
supposed to connect to so I can't verify that we are connecting to who we think 
we should be. Giving up.");
                 }
             } else {
-                ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                    "SSL Proxy: I don't have the name of the host we're 
supposed to connect to so I can't verify that we are connecting to who we think 
we should be. Giving up. Hint: See Apache bug 36468.");
+                rv = SECSuccess;
             }
             break;
         default:
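Review bot: The new log message says "The remove server is %s" where it means "remote"; it should read `"SSL Proxy: Possible man-in-the-middle attack. The remote server is %s, we expected %s"`. The CERTCertificate from SSL_PeerCertificate is a reference the caller owns and should release with CERT_DestroyCertificate, and no release is visible in the hunk; the function continues past it, so confirm it is freed on every path including the new ones. When NSSProxyCheckPeerCN is off the handler converts SSL_ERROR_BAD_CERT_DOMAIN into SECSuccess, which is the documented behaviour but deserves a comment on that line, `/* CN check disabled by config: accept the name mismatch (no MITM protection) */`. The note is removed with apr_table_unset before the comparison, so a second bad-cert callback on the same connection would fail closed with the "I don't have the name" message; that is the safe direction, but worth a sentence since the text no longer hints at the cause.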
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss-1.0.8.orig/mod_nss.h        2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.h     2010-05-13 11:25:42.000000000 -0400
@@ -306,6 +306,7 @@
     int              vhost_id_len;
     modnss_ctx_t    *server;
     modnss_ctx_t    *proxy;
+    BOOL             proxy_ssl_check_peer_cn;
 };
 
 /*
@@ -410,6 +411,7 @@
 const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char 
*arg);
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
 
 /*  module initialization  */
 int  nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c 
mod_nss-1.0.8/nss_engine_config.c
--- mod_nss-1.0.8.orig/nss_engine_config.c      2010-05-13 11:24:49.000000000 
-0400
+++ mod_nss-1.0.8/nss_engine_config.c   2010-05-13 11:25:42.000000000 -0400
@@ -140,6 +140,7 @@
     sc->vhost_id_len                = 0;     /* set during module init */
     sc->proxy                       = NULL;
     sc->server                      = NULL;
+    sc->proxy_ssl_check_peer_cn     = TRUE;
 
     modnss_ctx_init_proxy(sc, p);
 
@@ -214,6 +215,7 @@
     cfgMergeBool(fips);
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
+    cfgMergeBool(proxy_ssl_check_peer_cn);
 
     modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
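Review bot: Merging proxy_ssl_check_peer_cn with cfgMergeBool while the defaults hunk initialises it to TRUE is inconsistent if, as in mod_ssl's cfgMergeBool, only an UNSET value inherits from the base server: every vhost then starts at TRUE and an `NSSProxyCheckPeerCN off` in the main server is never inherited. That errs on the strict side, so it is not a security regression, but it contradicts the per-server semantics the SSL_CMD_SRV directive advertises. If cfgMergeBool behaves that way, initialise with `sc->proxy_ssl_check_peer_cn = UNSET;` and treat UNSET as TRUE where the flag is consumed in NSSBadCertHandler. How the neighbouring fips/enabled/proxy_enabled fields are initialised is not visible in this hunk, so check against them.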
 
@@ -544,6 +546,15 @@
     return NULL;
 }
 
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
+
+    return NULL;
+}
+
 const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
                                          void *dcfg,
                                          int flag)
++++++ mod_nss-wouldblock.patch ++++++
--- mod_nss-1.0.3.orig/nss_engine_io.c  2006-04-07 16:17:12.000000000 -0400
+++ mod_nss-1.0.3/nss_engine_io.c       2009-02-17 22:51:44.000000000 -0500
@@ -259,7 +259,8 @@
          */
         if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
                || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
-            return 0;
+            PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+            return -1;
         }
 
         if (inctx->rc != APR_SUCCESS) {
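Review bot: Returning -1 with PR_WOULD_BLOCK_ERROR instead of 0 is the right fix, because a 0 return from a lower-layer read is taken by NSPR as end-of-stream, but the hunk leaves no trace of that reasoning; add `/* 0 would mean EOF to NSPR; signal "try again" instead */` above the PR_SetError call. The enclosing function begins before this hunk, so whether every caller of it already copes with the new -1/EAGAIN path is not visible here and should be checked.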