1d3e419a19
- mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff GCM mode and Camellia ciphers added to the supported ciphers list. The additional ciphers are: rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256 rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [bnc#863035] - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. Remote attacker can use this to access content of the restricted directories. [bnc#853039] - glue documentation added to /etc/apache2/conf.d/mod_nss.conf: * simultaneaous usage of mod_ssl and mod_nss * SNI concurrency * SUSE framework for apache configuration, Listen directive * module initialization - mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or mod_nss.conf, respectively. This also leads to the removal of OBS-URL: https://build.opensuse.org/request/show/222758 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=8
244 lines
11 KiB
Diff
244 lines
11 KiB
Diff
diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
|
|
--- ../mod_nss-1.0.8-o/mod_nss.h 2014-02-18 16:30:19.000000000 +0100
|
|
+++ ./mod_nss.h 2014-02-18 16:30:51.000000000 +0100
|
|
@@ -318,103 +318,103 @@
|
|
|
|
/*
|
|
* Define the mod_ssl per-directory configuration structure
|
|
* (i.e. the local configuration for all <Directory>
|
|
* and .htaccess contexts)
|
|
*/
|
|
typedef struct {
|
|
BOOL bSSLRequired;
|
|
apr_array_header_t *aRequirement;
|
|
int nOptions;
|
|
int nOptionsAdd;
|
|
int nOptionsDel;
|
|
const char *szCipherSuite;
|
|
nss_verify_t nVerifyClient;
|
|
const char *szUserName;
|
|
} SSLDirConfigRec;
|
|
|
|
/*
|
|
* Cipher definitions
|
|
*/
|
|
typedef struct
|
|
{
|
|
const char *name;
|
|
int num;
|
|
int fortezza_only;
|
|
PRInt32 version; /* protocol version valid for this cipher */
|
|
} cipher_properties;
|
|
|
|
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
|
|
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
|
|
* is the last version without this define. This is used for more than just
|
|
* the below defines. It also determines which API is used.
|
|
*/
|
|
#ifndef AP_SERVER_MAJORVERSION_NUMBER
|
|
#define AP_SERVER_MAJORVERSION_NUMBER 2
|
|
#define AP_SERVER_MINORVERSION_NUMBER 0
|
|
#define AP_SERVER_PATCHLEVEL_NUMBER 55
|
|
#endif
|
|
|
|
#if AP_SERVER_MINORVERSION_NUMBER < 2
|
|
typedef struct regex_t ap_regex_t;
|
|
#define AP_REG_EXTENDED REG_EXTENDED
|
|
#define AP_REG_NOSUB REG_NOSUB
|
|
#define AP_REG_ICASE REG_ICASE
|
|
#endif
|
|
|
|
enum sslversion { SSL2=1, SSL3=2, TLS=4};
|
|
|
|
/* the table itself is defined in nss_engine_init.c */
|
|
#ifdef NSS_ENABLE_ECC
|
|
-#define ciphernum 48
|
|
+#define ciphernum 55
|
|
#else
|
|
-#define ciphernum 23
|
|
+#define ciphernum 26
|
|
#endif
|
|
|
|
/*
|
|
* function prototypes
|
|
*/
|
|
|
|
/* API glue structures */
|
|
extern module AP_MODULE_DECLARE_DATA nss_module;
|
|
|
|
/* configuration handling */
|
|
SSLModConfigRec *nss_config_global_create(server_rec *);
|
|
void *nss_config_perdir_create(apr_pool_t *p, char *dir);
|
|
void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv);
|
|
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
|
|
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
|
|
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
|
|
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
|
|
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
|
|
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
|
|
const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
|
|
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
#ifdef SSL_ENABLE_RENEGOTIATION
|
|
const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
|
const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
|
#endif
|
|
#ifdef NSS_ENABLE_ECC
|
|
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
#endif
|
|
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
|
|
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
|
|
const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
|
|
const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
|
|
const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
|
|
|
|
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
|
|
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
|
|
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
|
|
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
|
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
|
|
--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100
|
|
+++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100
|
|
@@ -15,122 +15,130 @@
|
|
|
|
#include "mod_nss.h"
|
|
#include "apr_thread_proc.h"
|
|
#include "ap_mpm.h"
|
|
#include "secmod.h"
|
|
#include "sslerr.h"
|
|
#include "pk11func.h"
|
|
#include "ocsp.h"
|
|
#include "keyhi.h"
|
|
#include "cert.h"
|
|
|
|
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
|
|
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
|
|
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
|
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
|
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
|
|
|
/*
|
|
* Global variables defined in this file.
|
|
*/
|
|
char* INTERNAL_TOKEN_NAME = "internal ";
|
|
|
|
cipher_properties ciphers_def[ciphernum] =
|
|
{
|
|
/* SSL2 cipher suites */
|
|
{"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
|
|
{"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
|
|
{"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
|
|
{"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
|
|
{"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
|
|
{"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
|
|
/* SSL3/TLS cipher suites */
|
|
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
|
|
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
|
|
{"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
|
|
{"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
|
{"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
|
|
{"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
|
|
{"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
|
|
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
|
|
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
|
|
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
|
{"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
|
|
{"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
|
|
{"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
|
|
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
|
|
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
|
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
|
|
/* AES ciphers.*/
|
|
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
|
|
+ {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
|
+ {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
|
|
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
|
|
+ {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
|
|
+
|
|
#ifdef NSS_ENABLE_ECC
|
|
/* ECC ciphers.*/
|
|
{"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
|
|
{"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
|
|
{"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
|
{"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
|
+ {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
|
{"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
|
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
|
|
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
|
|
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
|
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
|
+ {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
|
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
|
{"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
|
|
{"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
|
|
{"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
|
{"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
|
+ {"ecdh_rsa_aes_128_gcm_sha", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
|
{"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
|
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
|
|
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
|
|
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
|
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
|
+ {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
|
{"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
|
{"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
|
|
{"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
|
|
{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
|
{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
|
|
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
|
|
#endif
|
|
};
|
|
|
|
static char *version_components[] = {
|
|
"SSL_VERSION_PRODUCT",
|
|
"SSL_VERSION_INTERFACE",
|
|
"SSL_VERSION_LIBRARY",
|
|
NULL
|
|
};
|
|
|
|
static char *nss_add_version_component(apr_pool_t *p,
|
|
server_rec *s,
|
|
char *name)
|
|
{
|
|
char *val = nss_var_lookup(p, s, NULL, NULL, name);
|
|
|
|
if (val && *val) {
|
|
ap_add_version_component(p, val);
|
|
}
|
|
|
|
return val;
|
|
}
|
|
|
|
static void nss_add_version_components(apr_pool_t *p,
|
|
server_rec *s)
|
|
{
|
|
char *vals[sizeof(version_components)/sizeof(char *)];
|
|
int i;
|
|
|
|
for (i=0; version_components[i]; i++) {
|
|
vals[i] = nss_add_version_component(p, s,
|
|
version_components[i]);
|
|
}
|
|
|
|
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
|
"Server: %s, Interface: %s, Library: %s",
|
|
AP_SERVER_BASEVERSION,
|
|
vals[1], /* SSL_VERSION_INTERFACE */
|
|
vals[2]); /* SSL_VERSION_LIBRARY */
|
|
}
|
|
|
|
/*
|
|
* Initialize SSL library
|
|
*
|