From 347dafaa45d9f6e60a146974cdadf7df94cf369522532fe863fd4bc290424383 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Thu, 11 Jul 2013 16:44:28 +0000 Subject: [PATCH] osc copypac from project:mozilla package:apache2-mod_nss revision:4 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=1 --- .gitattributes | 23 +++ .gitignore | 1 + apache2-mod_nss.changes | 23 +++ apache2-mod_nss.spec | 161 +++++++++++++++++++++ mod_nss-1.0.8.tar.bz2 | 3 + mod_nss-conf.patch | 70 +++++++++ mod_nss-gencert.patch | 26 ++++ mod_nss-httpd24.patch | 135 +++++++++++++++++ mod_nss-lockpcache.patch | 240 +++++++++++++++++++++++++++++++ mod_nss-negotiate.patch | 180 +++++++++++++++++++++++ mod_nss-overlapping_memcpy.patch | 24 ++++ mod_nss-pcachesignal.h | 21 +++ mod_nss-reseterror.patch | 10 ++ mod_nss-reverseproxy.patch | 182 +++++++++++++++++++++++ mod_nss-wouldblock.patch | 12 ++ 15 files changed, 1111 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 apache2-mod_nss.changes create mode 100644 apache2-mod_nss.spec create mode 100644 mod_nss-1.0.8.tar.bz2 create mode 100644 mod_nss-conf.patch create mode 100644 mod_nss-gencert.patch create mode 100644 mod_nss-httpd24.patch create mode 100644 mod_nss-lockpcache.patch create mode 100644 mod_nss-negotiate.patch create mode 100644 mod_nss-overlapping_memcpy.patch create mode 100644 mod_nss-pcachesignal.h create mode 100644 mod_nss-reseterror.patch create mode 100644 mod_nss-reverseproxy.patch create mode 100644 mod_nss-wouldblock.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes
new file mode 100644
index 0000000..7536142
--- /dev/null
+++ b/apache2-mod_nss.changes
@@ -0,0 +1,23 @@ +------------------------------------------------------------------- +Thu Jul 11 14:50:42 UTC 2013 - aj@ajaissle.de + +- Added mod_nns-httpd24.patch to support build with apache 2.4 + +------------------------------------------------------------------- +Tue Jan 22 09:35:41 UTC 2013 - aj@ajaissle.de + +- Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE + dir layout [bnc#799483] +- Cleaned up license tag + +------------------------------------------------------------------- +Sun Apr 15 14:17:19 UTC 2012 - wr@rosenauer.org + +- import some patches from Fedora +- removed autoreconf call + +------------------------------------------------------------------- +Wed Feb 17 13:30:47 UTC 2010 - nix@opensuse.org + +- Fix mod_nss-conf.patch to work on SUSE +- Rename package from mod_nss to apache2-mod_nss diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec new file mode 100644 index 0000000..810654a --- /dev/null +++ b/apache2-mod_nss.spec 
@@ -0,0 +1,161 @@ +# +# spec file for package apache2-mod_nss +# +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + + +Name: apache2-mod_nss +Summary: SSL/TLS module for the Apache HTTP server +Version: 1.0.8 +Release: 3 +Group: Productivity/Networking/Web/Servers +License: Apache-2.0 +Url: http://directory.fedoraproject.org/wiki/Mod_nss +Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.bz2 +Provides: mod_nss +Requires: apache2 >= 2.0.52 +Requires: findutils +Requires(post): mozilla-nss-tools +BuildRequires: bison +BuildRequires: findutils +BuildRequires: gcc-c++ +BuildRequires: libapr1-devel +BuildRequires: libapr-util1-devel +BuildRequires: mozilla-nspr-devel >= 4.6.3 +BuildRequires: mozilla-nss-devel >= 3.12.6 +BuildRequires: apache2-devel >= 2.0.52 +BuildRequires: pkgconfig +# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout +Patch1: mod_nss-conf.patch +Patch2: mod_nss-gencert.patch +Patch3: mod_nss-wouldblock.patch +Patch4: mod_nss-negotiate.patch +Patch5: mod_nss-reverseproxy.patch +Patch6: mod_nss-pcachesignal.h +Patch7: mod_nss-reseterror.patch +Patch8: mod_nss-lockpcache.patch +# Fix build with apache 2.4 +Patch9: mod_nss-httpd24.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +%define apxs /usr/sbin/apxs2 +%define apache apache2 +%define 
apache_libexecdir %(%{apxs} -q LIBEXECDIR) +%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) +%define apache_includedir %(%{apxs} -q INCLUDEDIR) +%define apache_serverroot %(%{apxs} -q PREFIX) +%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) + +%description +The mod_nss module provides strong cryptography for the Apache Web +server via the Secure Sockets Layer (SSL) and Transport Layer +Security (TLS) protocols using the Network Security Services (NSS) +security library. + +%prep +%setup -q -n mod_nss-%{version} +%patch1 -p1 -b .conf +%patch2 -p1 -b .gencert +%patch3 -p1 -b .wouldblock +%patch4 -p1 -b .negotiate +%patch5 -p1 -b .reverseproxy +%patch6 -p1 -b .pcachesignal.h +%patch7 -p1 -b .reseterror +%patch8 -p1 -b .lockpcache +%if 0%{?suse_version} >= 1300 +%patch9 -p1 -b .http24 +%endif + +# Touch expression parser sources to prevent regenerating it +touch nss_expr_*.[chyl] + +%build +CFLAGS="$RPM_OPT_FLAGS" +export CFLAGS +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr` +NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr` +NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss` +NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss` +NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss` +# For some reason mod_nss can't find nss on SUSE unless we do the following +C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/" +export C_INCLUDE_PATH +#autoreconf -fvi +%configure \ + --with-nss-lib=$NSS_LIB_DIR \ + --with-nss-inc=$NSS_INCLUDE_DIR \ + --with-nspr-lib=$NSPR_LIB_DIR \ + --with-nspr-inc=$NSPR_INCLUDE_DIR \ + --with-apxs=%{apxs} \ + --with-apr-config +make %{?_smp_mflags} all + +%install +# The install target of the Makefile isn't used because that uses apxs +# which tries to enable the module in the build host httpd instead of in +# the build root. 
+mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir} +mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d +mkdir -p $RPM_BUILD_ROOT%{_sbindir} +mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/alias + +%if 0%{?suse_version} +perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf +%endif + +install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/ +install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir} +install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ +install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ + +#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconfdir}/alias/ +touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/secmod.db +touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/cert8.db +touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/key3.db +touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/install.log +perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert + +%clean +rm -rf $RPM_BUILD_ROOT + +%post +umask 077 +if [ "$1" -eq 1 ] ; then + if [ ! -e %{apache_sysconfdir}/alias/key3.db ]; then + %{_sbindir}/gencert %{apache_sysconfdir}/alias > %{apache_sysconfdir}/alias/install.log 2>&1 + echo "" + echo "%{name} certificate database generated." + echo "" + fi + # Make sure that the database ownership is setup properly. 
+ find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chgrp www {} \; + find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chmod g+r {} \; +fi + +%files +%defattr(-,root,root,-) +%doc README LICENSE docs/mod_nss.html +%config(noreplace) %{apache_sysconfdir}/conf.d/nss.conf +%dir %{apache_libexecdir} +%{apache_libexecdir}/libmodnss.so +%dir %{apache_sysconfdir}/alias/ +%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/secmod.db +%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/cert8.db +%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/key3.db +%ghost %config(noreplace) %{apache_sysconfdir}/alias/install.log +#%%{apache_sysconfdir}/alias/libnssckbi.so +%{_sbindir}/nss_pcache +%{_sbindir}/gencert + +%changelog diff --git a/mod_nss-1.0.8.tar.bz2 b/mod_nss-1.0.8.tar.bz2 new file mode 100644 index 0000000..ae4ed92 --- /dev/null +++ b/mod_nss-1.0.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d723c51ac594158252d22a5fc7c0ae7ebf4ff37f6ff65b9c8ab1e234fdd67622 +size 299015 diff --git a/mod_nss-conf.patch b/mod_nss-conf.patch new file mode 100644 index 0000000..41cd15f --- /dev/null +++ b/mod_nss-conf.patch 
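Review bot: `perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert` in `%install` reads `$NSS_LIB_DIR` and `$NSS_BIN`, but both are assigned in `%build`, and rpmbuild runs each section as its own shell script, so in `%install` they expand to nothing, the expression degenerates to `s:::`, and gencert's embedded NSS library path is never rewritten. Moving the two `pkg-config --variable=libdir nss` / `pkg-config --variable=exec_prefix nss` assignments into `%install` directly above the `perl` line fixes this without changing the build. Separately, `Patch6: mod_nss-pcachesignal.h` is a unified diff shipped with a `.h` suffix; naming it `mod_nss-pcachesignal.patch` (and adjusting the `%patch6 -b` suffix) would stop it reading as a header file. The `%post` scriptlet runs `gencert` under `umask 077` and then opens the `*.db` files to group `www`, which is consistent with the `%ghost %attr(0640,root,www)` entries in `%files`, but a comment there saying that the worker processes need group read on key3.db would explain why the chmod is deliberate.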
@@ -0,0 +1,70 @@ +--- mod_nss-1.0.6/nss.conf.in.orig 2006-10-20 11:08:42.000000000 -0400 ++++ mod_nss-1.0.6/nss.conf.in 2013-01-22 10:33:25.000000000 +0100 +@@ -8,14 +8,16 @@ + # consult the online docs. You have been warned. + # + ++LoadModule nss_module @apache_lib@/libmodnss.so ++ + # + # When we also provide SSL we have to listen to the + # standard HTTP port (see above) and to the HTTPS port + # + # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two +-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" ++# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" + # +-Listen 443 ++Listen 8443 + + ## + ## SSL Global Context +@@ -40,7 +42,7 @@ + # Pass Phrase Helper: + # This helper program stores the token password pins between + # restarts of Apache. +-NSSPassPhraseHelper @apache_bin@/nss_pcache ++NSSPassPhraseHelper /usr/sbin/nss_pcache + + # Configure the SSL Session Cache. + # NSSSessionCacheSize is the number of entries in the cache. +@@ -68,17 +70,17 @@ + ## SSL Virtual Host Context + ## + +- ++ + + # General setup for the virtual host + #DocumentRoot "@apache_prefix@/htdocs" +-#ServerName www.example.com:443 ++#ServerName www.example.com:8443 + #ServerAdmin you@example.com + + # mod_nss can log to separate log files, you can choose to do that if you'd like + # LogLevel is not inherited from httpd.conf. +-#ErrorLog @apache_prefix@/logs/error_log +-#TransferLog @apache_prefix@/logs/access_log ++ErrorLog /var/log/apache2/error_log ++TransferLog /var/log/apache2/access_log + LogLevel warn + + # SSL Engine Switch: +@@ -113,7 +115,7 @@ + # The NSS security database directory that holds the certificates and + # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. + # Provide the directory that these files exist. 
+-NSSCertificateDatabase @apache_conf@ ++NSSCertificateDatabase @apache_conf@/alias + + # Database Prefix: + # In order to be able to store multiple NSS databases in one directory +@@ -189,7 +191,7 @@ + + NSSOptions +StdEnvVars + +- ++ + NSSOptions +StdEnvVars + + diff --git a/mod_nss-gencert.patch b/mod_nss-gencert.patch new file mode 100644 index 0000000..6f5ce8a --- /dev/null +++ b/mod_nss-gencert.patch @@ -0,0 +1,26 @@ +--- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400 ++++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400 +@@ -82,12 +82,11 @@ + + DEST=$1 + +-echo "httptest" > $DEST/pw.txt ++echo -e "\n" > $DEST/pw.txt + + echo "" + echo "#####################################################################" +-echo "Generating new server certificate and key database. The password" +-echo "is httptest" ++echo "Generating new server certificate and key database." + echo "#####################################################################" + $CERTUTIL -N -d $DEST -f $DEST/pw.txt + +@@ -183,8 +182,4 @@ + rm $DEST/pw.txt + rm $DEST/noise + +-echo "" +-echo "The database password is httptest" +-echo "" +- + exit 0 diff --git a/mod_nss-httpd24.patch b/mod_nss-httpd24.patch new file mode 100644 index 0000000..e047653 --- /dev/null +++ b/mod_nss-httpd24.patch 
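Review bot: The rewritten comment `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"` updates only one of the two example ports, so it no longer matches the `Listen 8443` line it introduces; make it `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:8443"`. Nothing in the hunk or in the changes entry for [bnc#799483] (which mentions only the directory layout) says why the SUSE default moves from upstream's 443 to 8443, so a one-line comment above `Listen 8443` stating the reason would help the next maintainer. `ErrorLog /var/log/apache2/error_log` and `TransferLog /var/log/apache2/access_log` are now active inside the TLS virtual host rather than commented out; if sharing the main server's log files is intended, the preceding comment "you can choose to do that if you'd like" should be reworded, since it now describes the opposite of the shipped default.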
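Review bot: `echo -e "\n" > $DEST/pw.txt` replaces the fixed `httptest` password with an empty one, so the generated key3.db is guarded only by the file permissions the spec assigns (`0640 root:www`); the patch has no preamble recording that trade-off, and one along the lines of the other patches in this commit (`Use an empty NSS database password; the database is protected by file permissions only`) would document it where the next reader looks. `echo -e` is also not portable: a POSIX `sh` such as dash prints `-e` literally into pw.txt, and gencert.in's interpreter line is outside the hunk, so `printf '\n\n' > $DEST/pw.txt` (the same two newlines bash emits) is the safer form. The `---`/`+++` headers name `gencert.in` as the old file and `gencert.in.orig` as the new one, the reverse of the usual convention, which makes the direction of the change harder to read even though `patch -p1` still applies it.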
@@ -0,0 +1,135 @@ +diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss/mod_nss.c 2012-06-12 12:23:29.961000000 -0700 ++++ mod_nss-1.0.8/mod_nss.c 2012-06-12 12:00:35.957002099 -0700 +@@ -349,7 +349,7 @@ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, + "Connection to child %ld established " + "(server %s, client %s)", c->id, sc->vhost_id, +- c->remote_ip ? c->remote_ip : "unknown"); ++ c->client_ip ? c->client_ip : "unknown"); + + mctx = sslconn->is_proxy ? sc->proxy : sc->server; + +diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h +--- mod_nss/mod_nss.h 2012-06-12 12:23:29.962000000 -0700 ++++ mod_nss-1.0.8/mod_nss.h 2012-06-12 12:00:35.955002240 -0700 +@@ -27,7 +27,6 @@ + #include "http_protocol.h" + #include "util_script.h" + #include "util_filter.h" +-#include "mpm.h" + #include "apr.h" + #include "apr_strings.h" + #define APR_WANT_STRFUNC +@@ -490,7 +489,7 @@ + SECStatus nss_Init_Tokens(server_rec *s); + + /* Logging */ +-void nss_log_nss_error(const char *file, int line, int level, server_rec *s); ++void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s); + void nss_die(void); + + /* NSS callback */ +diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c +--- mod_nss/nss_engine_init.c 2012-06-12 12:23:29.962000000 -0700 ++++ mod_nss-1.0.8/nss_engine_init.c 2012-06-12 12:00:35.955002240 -0700 +@@ -15,7 +15,7 @@ + + #include "mod_nss.h" + #include "apr_thread_proc.h" +-#include "ap_mpm.h" ++#include "mpm_common.h" + #include "secmod.h" + #include "sslerr.h" + #include "pk11func.h" +diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c +--- mod_nss/nss_engine_io.c 2012-06-12 12:23:29.963000000 -0700 ++++ mod_nss-1.0.8/nss_engine_io.c 2012-06-12 12:00:35.956002167 -0700 +@@ -621,13 +621,13 @@ + PR_Close(ssl); + + /* log the fact that we've closed the connection */ +- if (c->base_server->loglevel >= APLOG_INFO) { ++ if (c->base_server->log.level >= APLOG_INFO) { + 
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, + "Connection to child %ld closed " + "(server %s, client %s)", + c->id, + nss_util_vhostid(c->pool, c->base_server), +- c->remote_ip ? c->remote_ip : "unknown"); ++ c->client_ip ? c->client_ip : "unknown"); + } + + /* deallocate the SSL connection */ +@@ -1165,7 +1165,7 @@ + filter_ctx = (nss_filter_ctx_t *)(fd->secret); + c = filter_ctx->c; + +- return PR_StringToNetAddr(c->remote_ip, addr); ++ return PR_StringToNetAddr(c->client_ip, addr); + } + + /* +diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c +--- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700 ++++ mod_nss-1.0.8/nss_engine_kernel.c 2012-06-12 12:00:35.954002314 -0700 +@@ -73,7 +73,7 @@ + /* + * Log information about incoming HTTPS requests + */ +- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { ++ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + "%s HTTPS request received for child %ld (server %s)", + (r->connection->keepalives <= 0 ? 
+@@ -530,7 +530,7 @@ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + "Access to %s denied for %s " + "(requirement expression not fulfilled)", +- r->filename, r->connection->remote_ip); ++ r->filename, r->connection->client_ip); + + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + "Failed expression: %s", req->cpExpr); +diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c +--- mod_nss/nss_engine_log.c 2012-06-12 12:23:29.964000000 -0700 ++++ mod_nss-1.0.8/nss_engine_log.c 2012-06-12 12:00:35.955002240 -0700 +@@ -321,7 +321,7 @@ + exit(1); + } + +-void nss_log_nss_error(const char *file, int line, int level, server_rec *s) ++void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s) + { + const char *err; + PRInt32 error; +@@ -340,7 +340,7 @@ + err = "Unknown"; + } + +- ap_log_error(file, line, level, 0, s, ++ ap_log_error(file, line, module_index, level, 0, s, + "SSL Library Error: %d %s", + error, err); + } +diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c +--- mod_nss/nss_engine_vars.c 2012-06-12 12:23:29.965000000 -0700 ++++ mod_nss-1.0.8/nss_engine_vars.c 2012-06-12 12:00:35.948002812 -0700 +@@ -178,7 +178,7 @@ + && sslconn && sslconn->ssl) + result = nss_var_lookup_ssl(p, c, var+4); + else if (strcEQ(var, "REMOTE_ADDR")) +- result = c->remote_ip; ++ result = c->client_ip; + else if (strcEQ(var, "HTTPS")) { + if (sslconn && sslconn->ssl) + result = "on"; +@@ -194,7 +194,7 @@ + if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) + result = nss_var_lookup_nss_version(p, var+12); + else if (strcEQ(var, "SERVER_SOFTWARE")) +- result = (char *)ap_get_server_version(); ++ result = (char *)ap_get_server_banner(); + else if (strcEQ(var, "API_VERSION")) { + result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER); + resdup = FALSE; diff --git a/mod_nss-lockpcache.patch b/mod_nss-lockpcache.patch new file mode 100644 index 0000000..d7b4105 --- /dev/null +++ b/mod_nss-lockpcache.patch 
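Review bot: Mapping the `REMOTE_ADDR` variable to `c->client_ip` in nss_engine_vars.c reports the TCP peer, whereas httpd 2.4 core derives `REMOTE_ADDR` from `r->useragent_ip`, which differs from `c->client_ip` when mod_remoteip is loaded; if the lookup function has the request_rec in scope (its signature is outside the hunk), `r ? r->useragent_ip : c->client_ip` would keep mod_nss consistent with core, while the `c->client_ip` uses in the connection-level log messages and in `PR_StringToNetAddr` are correct as they stand. The `c->base_server->log.level >= APLOG_INFO` and `r->server->log.level >= APLOG_INFO` checks read the server-wide level and bypass 2.4's per-module `LogLevel nss:info`; `APLOGinfo(c->base_server)` and `APLOGinfo(r->server)` are the 2.4 idiom, provided the module declares `APLOG_USE_MODULE(nss)`, which this hunk does not show. The new `nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s)` signature matches `APLOG_MARK` expanding to three arguments in 2.4, so the `nss_log_nss_error(APLOG_MARK, APLOG_ERR, s)` calls in mod_nss-negotiate.patch stay consistent with it.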
@@ -0,0 +1,240 @@ +diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c +--- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500 +@@ -152,6 +152,8 @@ + AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL, + "SSLLogLevel directive is no longer supported - use LogLevel."), + #endif ++ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF, ++ "Apache user. Comes from httpd.conf."), + + AP_END_CMD + }; +diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h +--- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500 +@@ -41,6 +41,9 @@ + #include "apr_shm.h" + #include "apr_global_mutex.h" + #include "apr_optional.h" ++#include ++#include ++#include + + #define MOD_NSS_VERSION AP_SERVER_BASEREVISION + +@@ -244,6 +247,9 @@ + struct { + void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; + } rCtx; ++ ++ int semid; ++ const char *user; + } SSLModConfigRec; + + typedef struct SSLSrvConfigRec SSLSrvConfigRec; +@@ -412,6 +418,7 @@ + const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); ++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg); + + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); +diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c +--- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500 +@@ -830,3 +830,12 @@ + + return NULL; + } ++ ++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ SSLModConfigRec *mc = myModConfig(cmd->server); ++ ++ 
mc->user = arg; ++ ++ return NULL; ++} +diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c +--- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500 +@@ -312,6 +312,7 @@ + int sslenabled = FALSE; + int fipsenabled = FALSE; + int threaded = 0; ++ struct semid_ds status; + + mc->nInitCount++; + +@@ -412,10 +413,26 @@ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i"); + ++ /* The first pass through this function will create the semaphore that ++ * will be used to lock the pipe. The user is still root at that point ++ * so for any later calls the semaphore ops will fail with permission ++ * errors. So switch the user to the Apache user. ++ */ ++ if (mc->semid) { ++ uid_t user_id; ++ ++ user_id = ap_uname2id(mc->user); ++ semctl(mc->semid, 0, IPC_STAT, &status); ++ status.sem_perm.uid = user_id; ++ semctl(mc->semid,0,IPC_SET,&status); ++ } ++ + /* Do we need to fire up our password helper? */ + if (mc->nInitCount == 1) { + const char * child_argv[5]; + apr_status_t rv; ++ struct sembuf sb; ++ char sembuf[32]; + + if (mc->pphrase_dialog_helper == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +@@ -423,11 +440,31 @@ + nss_die(); + } + ++ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); ++ if (mc->semid == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to obtain semaphore."); ++ nss_die(); ++ } ++ ++ /* Initialize the semaphore */ ++ sb.sem_num = 0; ++ sb.sem_op = 1; ++ sb.sem_flg = 0; ++ if ((semop(mc->semid, &sb, 1)) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to initialize semaphore."); ++ nss_die(); ++ } ++ ++ PR_snprintf(sembuf, 32, "%d", mc->semid); ++ + child_argv[0] = mc->pphrase_dialog_helper; +- child_argv[1] = fipsenabled ? 
"on" : "off"; +- child_argv[2] = mc->pCertificateDatabase; +- child_argv[3] = mc->pDBPrefix; +- child_argv[4] = NULL; ++ child_argv[1] = sembuf; ++ child_argv[2] = fipsenabled ? "on" : "off"; ++ child_argv[3] = mc->pCertificateDatabase; ++ child_argv[4] = mc->pDBPrefix; ++ child_argv[5] = NULL; + + rv = apr_procattr_create(&mc->procattr, mc->pPool); + +diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c +--- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400 ++++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500 +@@ -279,6 +279,16 @@ + char buf[1024]; + apr_status_t rv; + apr_size_t nBytes = 1024; ++ struct sembuf sb; ++ ++ /* lock the pipe */ ++ sb.sem_num = 0; ++ sb.sem_op = -1; ++ sb.sem_flg = SEM_UNDO; ++ if (semop(parg->mc->semid, &sb, 1) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "Unable to reserve semaphore resource"); ++ } + + snprintf(buf, 1024, "RETR\t%s", token_name); + rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); +@@ -293,6 +303,13 @@ + */ + memset(buf, 0, sizeof(buf)); + rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); ++ sb.sem_op = 1; ++ if (semop(parg->mc->semid, &sb, 1) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "Unable to free semaphore resource"); ++ /* perror("semop free resource id"); */ ++ } ++ + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); +diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c +--- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500 +@@ -21,6 +21,9 @@ + #include + #include + #include ++#include ++#include ++#include + #include "nss_pcache.h" + + static char * getstr(const char * cmd, int el); +@@ -70,6 +73,13 @@ + unsigned char *crypt; + }; + ++union 
semun { ++ int val; ++ struct semid_ds *buf; ++ unsigned short *array; ++ struct seminfo *__buf; ++}; ++ + /* + * Node - for maintaining link list of tokens with cached PINs + */ +@@ -304,15 +314,19 @@ + char * tokenName; + char * tokenpw; + int fipsmode = 0; ++ int semid = 0; ++ union semun semarg; + +- if (argc < 3 || argc > 4) { +- fprintf(stderr, "Usage: nss_pcache \n"); ++ if (argc < 4 || argc > 5) { ++ fprintf(stderr, "Usage: nss_pcache \n"); + exit(1); + } + + signal(SIGHUP, SIG_IGN); + +- if (!strcasecmp(argv[1], "on")) ++ semid = strtol(argv[1], NULL, 10); ++ ++ if (!strcasecmp(argv[2], "on")) + fipsmode = 1; + + /* Initialize NSPR */ +@@ -322,7 +336,7 @@ + PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); + + /* Initialize NSS and open the certificate database read-only. */ +- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY); ++ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); + + if (rv != SECSuccess) { + fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); +@@ -437,6 +451,11 @@ + } + freeList(pinList); + PR_Close(in); ++ /* Remove the semaphore used for locking here. This is because this ++ * program only goes away when Apache shuts down so we don't have to ++ * worry about reloads. ++ */ ++ semctl(semid, 0, IPC_RMID, semarg); + return 0; + } + +Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig +Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej diff --git a/mod_nss-negotiate.patch b/mod_nss-negotiate.patch new file mode 100644 index 0000000..b6f572f --- /dev/null +++ b/mod_nss-negotiate.patch 
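Review bot: `child_argv[5] = NULL;` writes one element past the end of `const char * child_argv[5];`, which the hunk leaves unchanged a few lines above, so the argv terminator for the helper lands on whatever follows the array on the stack; the declaration must become `const char * child_argv[6];`. In nss_pcache.c the new `NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, ...)` hands the DB prefix only to the third parameter, because with `argc == 4` the second expression reads `argv[argc]`, which is NULL; both positions should be `argc == 5 ? argv[4] : NULL`, as the original used `argv[3]` for both. The `semctl(mc->semid, 0, IPC_STAT, &status)` result is not checked before `status` is written back with `IPC_SET`, and `ap_uname2id(mc->user)` is reached with `mc->user` still NULL when httpd.conf has no `User` directive, since only `set_user` assigns it; both deserve a guard with an error log. `semid = strtol(argv[1], NULL, 10);` accepts any text and silently yields 0, so a bad argument cannot be told apart from a real id; passing an `endptr` and rejecting `*end != '\0'` would make the helper fail loudly instead.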
@@ -0,0 +1,180 @@ + +diff -up ./mod_nss.c.norego ./mod_nss.c +--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100 +@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds + SSL_CMD_SRV(Nickname, TAKE1, + "SSL RSA Server Certificate nickname " + "(`Server-Cert'") ++#ifdef SSL_ENABLE_RENEGOTIATION ++ SSL_CMD_SRV(Renegotiation, FLAG, ++ "Enable SSL Renegotiation (default off) " ++ "(`on', `off')") ++ SSL_CMD_SRV(RequireSafeNegotiation, FLAG, ++ "If Rengotiation is allowed, require safe negotiation (default off) " ++ "(`on', `off')") ++#endif + #ifdef NSS_ENABLE_ECC + SSL_CMD_SRV(ECCNickname, TAKE1, + "SSL ECC Server Certificate nickname " +diff -up ./mod_nss.h.norego ./mod_nss.h +--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100 +@@ -269,6 +269,10 @@ typedef struct { + int tls; + int tlsrollback; + int enforce; ++#ifdef SSL_ENABLE_RENEGOTIATION ++ int enablerenegotiation; ++ int requiresafenegotiation; ++#endif + const char *nickname; + #ifdef NSS_ENABLE_ECC + const char *eccnickname; +@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p + const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); ++#endif + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); + #endif +diff -up ./nss_engine_config.c.norego ./nss_engine_config.c +--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100 +@@ -78,6 +78,10 @@ static void 
modnss_ctx_init(modnss_ctx_t + mctx->tls = PR_FALSE; + mctx->tlsrollback = PR_FALSE; + ++#ifdef SSL_ENABLE_RENEGOTIATION ++ mctx->enablerenegotiation = PR_FALSE; ++ mctx->requiresafenegotiation = PR_FALSE; ++#endif + mctx->enforce = PR_TRUE; + mctx->nickname = NULL; + #ifdef NSS_ENABLE_ECC +@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_ + cfgMerge(eccnickname, NULL); + #endif + cfgMerge(enforce, PR_TRUE); ++#ifdef SSL_ENABLE_RENEGOTIATION ++ cfgMerge(enablerenegotiation, PR_FALSE); ++ cfgMerge(requiresafenegotiation, PR_FALSE); ++#endif + } + + static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base, +@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm + return NULL; + } + ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++ ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++#endif ++ + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, + void *dcfg, +diff -up ./nss_engine_init.c.norego ./nss_engine_init.c +--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100 +@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r + nss_die(); + } + } ++#ifdef SSL_ENABLE_RENEGOTIATION ++ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION, ++ mctx->enablerenegotiation ? 
++ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER ++ ) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL renegotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION, ++ mctx->requiresafenegotiation) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL safe negotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++#endif + } + + static void nss_init_ctx_protocol(server_rec *s, + +diff -up ./nss.conf.in.norego ./nss.conf.in +--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000 ++++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000 +@@ -64,6 +64,17 @@ + #NSSRandomSeed startup file:/dev/random 512 + #NSSRandomSeed startup file:/dev/urandom 512 + ++# ++# TLS Negotiation configuration under RFC 5746 ++# ++# Only renegotiate if the peer's hello bears the TLS renegotiation_info ++# extension. Default off. ++NSSRenegotiation off ++ ++# Peer must send Signaling Cipher Suite Value (SCSV) or ++# Renegotiation Info (RI) extension in ALL handshakes. 
Default: off ++NSSRequireSafeNegotiation off ++ + ## + ## SSL Virtual Host Context + ## + +diff -up ./nss_engine_log.c.norego ./nss_engine_log.c +--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000 ++++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000 +@@ -27,7 +27,7 @@ + #define LIBSEC_ERROR_BASE (-8192) + #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155) + #define LIBSSL_ERROR_BASE (-12288) +-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102) ++#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114) + + typedef struct l_error_t { + int errorNumber; +@@ -296,7 +296,19 @@ + { 99, "Server requires ciphers more secure than those supported by client" }, + { 100, "Peer reports it experienced an internal error" }, + { 101, "Peer user canceled handshake" }, +- { 102, "Peer does not permit renegotiation of SSL security parameters" } ++ { 102, "Peer does not permit renegotiation of SSL security parameters" }, ++ { 103, "Server cache not configured" }, ++ { 104, "Unsupported extension" }, ++ { 105, "Certificate unobtainable" }, ++ { 106, "Unrecognized name" }, ++ { 107, "Bad certificate status" }, ++ { 108, "Bad certificate hash value" }, ++ { 109, "Unexpected new session ticket" }, ++ { 110, "Malformed new session ticket" }, ++ { 111, "Decompression failure" }, ++ { 112, "Renegotiation not allowed" }, ++ { 113, "Safe negotiation required but not provided by client" }, ++ { 114, "Unexpected uncompressed record" }, + }; + + void nss_die(void) diff --git a/mod_nss-overlapping_memcpy.patch b/mod_nss-overlapping_memcpy.patch new file mode 100644 index 0000000..3e82f1b --- /dev/null +++ b/mod_nss-overlapping_memcpy.patch 
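Review bot: Both new `SSL_OptionSet` failure paths log `"Unable to set SSL renegotiation"` / `"Unable to set SSL safe negotiation"` at `APLOG_DEBUG` and then call `nss_die()`, so a fatal startup failure is invisible at the default `LogLevel warn`; use `APLOG_ERR` there, matching the `nss_log_nss_error(APLOG_MARK, APLOG_ERR, s)` call that follows each. The directive help string `"If Rengotiation is allowed, require safe negotiation (default off) "` misspells "Renegotiation". Defaulting both directives to off, so the model socket gets `SSL_RENEGOTIATE_NEVER`, is the safe choice, and the nss.conf.in comment `# Only renegotiate if the peer's hello bears the TLS renegotiation_info extension.` correctly describes `SSL_RENEGOTIATE_REQUIRES_XTN` for the on case. `nss_init_ctx_socket` begins outside the hunk.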
@@ -0,0 +1,24 @@
+Bug 669118
+
+memcpy of overlapping memory is no longer allowed by glibc.
+
+This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
+
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
++++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
+@@ -123,13 +123,13 @@
+
+ if (buffer->length > inl) {
+ /* we have have enough to fill the caller's buffer */
+- memcpy(in, buffer->value, inl);
++ memmove(in, buffer->value, inl);
+ buffer->value += inl;
+ buffer->length -= inl;
+ }
+ else {
+ /* swallow remainder of the buffer */
+- memcpy(in, buffer->value, buffer->length);
++ memmove(in, buffer->value, buffer->length);
+ inl = buffer->length;
+ buffer->value = NULL;
+ buffer->length = 0;
diff --git a/mod_nss-pcachesignal.h b/mod_nss-pcachesignal.h
new file mode 100644
index 0000000..ef167a6
--- /dev/null
+++ b/mod_nss-pcachesignal.h
@@ -0,0 +1,21 @@
+diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
+--- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
++++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "nss_pcache.h"
+
+ static char * getstr(const char * cmd, int el);
+@@ -309,6 +310,8 @@
+ exit(1);
+ }
+
++ signal(SIGHUP, SIG_IGN);
++
+ if (!strcasecmp(argv[1], "on"))
+ fipsmode = 1;
+
+Only in mod_nss-1.0.8: nss_pcache.c.rej
diff --git a/mod_nss-reseterror.patch b/mod_nss-reseterror.patch
new file mode 100644
index 0000000..ae483e5
--- /dev/null
+++ b/mod_nss-reseterror.patch
@@ -0,0 +1,10 @@
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
+@@ -348,6 +348,7 @@
+ break;
+ }
+
++ PR_SetError(0, 0);
+ rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
+
+ if (rc > 0) {
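Review bot: The switch to memmove() at the two copies in this hunk is not explained in the code, so a later cleanup could turn it back into memcpy() and reintroduce the glibc overlap fault the patch header describes; add a comment above the first copy such as `/* in and buffer->value may overlap (see mod_ssl bug 45444): memmove(), not memcpy() */`. Why the caller's buffer can alias buffer->value is not visible in the hunk, so confirm the wording against the callers before adding it. The enclosing function starts and ends outside the hunk.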
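Review bot: The file is named mod_nss-pcachesignal.h although its content is a unified diff, and it ends with a stray `Only in mod_nss-1.0.8: nss_pcache.c.rej` line left over from a tree that already had a rejected hunk; rename it to a .patch file and drop that line so it is handled like the other patches in this commit. The added `signal(SIGHUP, SIG_IGN);` carries no comment; if the intent is that the PIN cache helper survives httpd's restart signal, state it, e.g. `/* ignore SIGHUP so the PIN cache helper outlives an httpd restart */`, once confirmed. The enclosing function starts and ends outside the hunk.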
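Review bot: The added `PR_SetError(0, 0);` in front of PR_Read() has no comment, and a reader who does not know the history will see it as redundant and remove it. Presumably it clears a stale NSPR error so that whatever error is examined after this read really came from this read; say so, e.g. `/* clear any stale NSPR error so a failure seen after this PR_Read() is really its own */`. The loop this sits in starts and ends outside the hunk.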
diff --git a/mod_nss-reverseproxy.patch b/mod_nss-reverseproxy.patch
new file mode 100644
index 0000000..a4e8608
--- /dev/null
+++ b/mod_nss-reverseproxy.patch
@@ -0,0 +1,182 @@
+mod_proxy now sets the requested remote host name. Use this to compare
+to the CN value of the peer certificate and reject the request if they
+do not match (and we are have NSSProxyCheckPeerCN set to on).
+
+diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
+--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
++++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
+@@ -1028,7 +1028,21 @@
+
+ Example
+
+-NSSProxyNickname beta
++NSSProxyNickname beta
++
++
NSSProxyCheckPeerCN
++
++Compare the CN value of the peer certificate with the hostname being ++requested. If this is set to on, the default, then the request will ++fail if they do not match. If this is set to off then this comparison ++is not done. Note that this test is your only protection against a ++man-in-the-middle attack so leaving this as on is strongly recommended.
++
++Example
++
++NSSProcyCheckPeerCN ++on
++

+

Environment Variables

+ Quite a few environment variables (for CGI and SSI) may be set + depending on the NSSOptions configuration. It can be expensive to set +@@ -1435,42 +1449,9 @@ +

Frequently Asked Questions

+ Q. Does mod_nss support mod_proxy?
+
+-A. In order to use the mod_nss proxy support you will need to build +-your own mod_proxy by applying a patch found in bug 36468. +-The patch is needed so we can compare the hostname contained in the +-remote certificate with the hostname you meant to visit. This prevents +-man-in-the-middle attacks.
+-
+-You also have to change the SSL functions that mod_proxy looks to use. +-You'll need to apply this patch:
+-
+-1038,1039c1038,1039
+-< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+-< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+----
+-> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
+-> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
+-1041,1042c1041,1042
+-< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = +-NULL;
+-< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable +-= NULL;
+----
+-> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable = +-NULL;
+-> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable +-= NULL;
+-1069,1070c1069,1070
+-<     proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+-<     proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+----
+->     proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);
+->     proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);
+-

++A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
++provides a single interface for SSL providers and mod_nss defers to
++mod_ssl
++if it is loaded.
+
+
+diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400
++++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400
+@@ -142,6 +142,8 @@
+ SSL_CMD_SRV(ProxyNickname, TAKE1,
+ "SSL Proxy: client certificate Nickname to be for proxy connections "
+ "(`nickname')")
++ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
++ "SSL Proxy: check the peers certificate CN")
+
+ #ifdef IGNORE
+ /* Deprecated directives. */
+@@ -238,23 +240,30 @@
+ SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
+ {
+ conn_rec *c = (conn_rec *)arg;
++ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ PRErrorCode err = PR_GetError();
+ SECStatus rv = SECFailure;
+ CERTCertificate *peerCert = SSL_PeerCertificate(socket);
++ const char *hostname_note;
+
+ switch (err) {
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+- if (c->remote_host != NULL) {
+- rv = CERT_VerifyCertName(peerCert, c->remote_host);
+- if (rv != SECSuccess) {
+- char *remote = CERT_GetCommonName(&peerCert->subject);
++ if (sc->proxy_ssl_check_peer_cn == TRUE) {
++ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
++ apr_table_unset(c->notes, "proxy-request-hostname");
++ rv = CERT_VerifyCertName(peerCert, hostname_note);
++ if (rv != SECSuccess) {
++ char *remote = CERT_GetCommonName(&peerCert->subject);
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
++ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
++ PORT_Free(remote);
++ }
++ } else {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+- "SSL Proxy: Possible man-in-the-middle attack.
The remove server is %s, we expected %s", remote, c->remote_host);
+- PORT_Free(remote);
++ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
+ }
+ } else {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
++ rv = SECSuccess;
+ }
+ break;
+ default:
+diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
+--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400
++++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400
+@@ -306,6 +306,7 @@
+ int vhost_id_len;
+ modnss_ctx_t *server;
+ modnss_ctx_t *proxy;
++ BOOL proxy_ssl_check_peer_cn;
+ };
+
+ /*
+@@ -410,6 +411,7 @@
+ const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
+ const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
+ const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
+
+ /* module initialization */
+ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
+--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400
+@@ -140,6 +140,7 @@
+ sc->vhost_id_len = 0; /* set during module init */
+ sc->proxy = NULL;
+ sc->server = NULL;
++ sc->proxy_ssl_check_peer_cn = TRUE;
+
+ modnss_ctx_init_proxy(sc, p);
+
+@@ -214,6 +215,7 @@
+ cfgMergeBool(fips);
+ cfgMergeBool(enabled);
+ cfgMergeBool(proxy_enabled);
++ cfgMergeBool(proxy_ssl_check_peer_cn);
+
+ modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+
+@@
-544,6 +546,15 @@
+ return NULL;
+ }
+
++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
++{
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
++
++ return NULL;
++}
++
+ const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
+ void *dcfg,
+ int flag)
diff --git a/mod_nss-wouldblock.patch b/mod_nss-wouldblock.patch
new file mode 100644
index 0000000..4053715
--- /dev/null
+++ b/mod_nss-wouldblock.patch
@@ -0,0 +1,12 @@
+--- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
++++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
+@@ -259,7 +259,8 @@
+ */
+ if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
+ || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
+- return 0;
++ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
++ return -1;
+ }
+
+ if (inctx->rc != APR_SUCCESS) {
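Review bot: The new MITM log line added in NSSBadCertHandler misspells the one word an operator will search for: `"SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s"` should read `The remote server is %s, we expected %s`; the typo is carried over from the removed line rather than fixed. The documentation example added to docs/mod_nss.html spells the directive `NSSProcyCheckPeerCN`, which httpd will reject as an unknown directive when copied from the docs, and should be `NSSProxyCheckPeerCN`. Both ap_log_error() calls in the handler pass NULL as the server_rec even though `c->base_server` is already dereferenced two lines above for mySrvConfig(), and passing it would route the message to the right virtual host log. The apr_table_unset() of "proxy-request-hostname" before verification means a second invocation of the handler on the same connection would land in the "I don't have the name" branch and fail closed, which is safe but worth a one-line comment if intended. NSSBadCertHandler continues past the end of the hunk.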
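Review bot: This patch was generated against mod_nss-1.0.3 (`--- mod_nss-1.0.3.orig/nss_engine_io.c`) while every other patch in the commit targets the 1.0.8 tarball, so it applies only by offset or fuzz and a later rebase could misplace it silently; regenerate it against 1.0.8. The change itself deserves a comment, because 0 from an NSPR read method means end-of-stream whereas -1 with PR_WOULD_BLOCK_ERROR asks NSS to retry later, e.g. `/* 0 would mean EOF to NSS; report would-block so the read is retried */` above the new PR_SetError() line. The enclosing function starts and ends outside the hunk.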