commit apache2-mod_nss for openSUSE:Factory
Hello community,
here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-03-31 13:03:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_nss"
Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-01-23 01:16:32.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-03-31 13:03:47.000000000 +0200
@@ -1,0 +2,68 @@
+Thu Mar 17 16:27:13 UTC 2016 - vcizek@suse.com
+
+- use a whitelist approach for keeping directives in the migration
+ script (bsc#961907)
+ * modify mod_nss_migrate.pl
+
+-------------------------------------------------------------------
+Wed Mar 16 14:45:24 UTC 2016 - pgajdos@suse.com
+
+- fix test: add NSSPassPhraseDialog, point it to plain file
+
+-------------------------------------------------------------------
+Mon Mar 14 12:27:37 UTC 2016 - vcizek@suse.com
+
+- update to 1.0.13
+ Update default ciphers to something more modern and secure
+ Check for host and netstat commands in gencert before trying to use them
+ Add server support for DHE ciphers
+ Extract SAN from server/client certificates into env
+ Fix memory leaks and other coding issues caught by clang analyzer
+ Add support for Server Name Indication (SNI) (#1010751)
+ Add support for SNI for reverse proxy connections
+ Add RenegBufferSize? option
+ Add support for TLS Session Tickets (RFC 5077)
+ Fix logical AND support in OpenSSL cipher compatibility
+ Correctly handle disabled ciphers (CVE-2015-5244)
+ Implement a slew more OpenSSL cipher macros
+ Fix a number of illegal memory accesses and memory leaks
+ Support for SHA384 ciphers if they are available in NSS
+ Add compatibility for mod_ssl-style cipher definitions (#862938)
+ Add TLSv1.2-specific ciphers
+ Completely remove support for SSLv2
+ Add support for sqlite NSS databases (#1057650)
+ Compare subject CN and VS hostname during server start up
+ Add support for enabling TLS v1.2
+ Don't enable SSL 3 by default (CVE-2014-3566)
+ Fix CVE-2013-4566
+ Move nss_pcache to /usr/libexec
+ Support httpd 2.4+
+- drop almost all our patches (upstream)
+ * 0001-SNI-check-with-NameVirtualHosts.patch
+ * mod_nss-CVE-2013-4566-NSSVerifyClient.diff
+ * mod_nss-PK11_ListCerts_2.patch
+ * mod_nss-add_support_for_enabling_TLS_v1.2.patch
+ * mod_nss-array_overrun.patch
+ * mod_nss-cipherlist_update_for_tls12-doc.diff
+ * mod_nss-cipherlist_update_for_tls12.diff
+ * mod_nss-clientauth.patch
+ * mod_nss-compare_subject_CN_and_VS_hostname.patch
+ * mod_nss-gencert.patch
+ * mod_nss-httpd24.patch
+ * mod_nss-lockpcache.patch
+ * mod_nss-negotiate.patch
+ * mod_nss-no_shutdown_if_not_init_2.patch
+ * mod_nss-overlapping_memcpy.patch
+ * mod_nss-pcachesignal.h
+ * mod_nss-proxyvariables.patch
+ * mod_nss-reseterror.patch
+ * mod_nss-reverse_proxy_send_SNI.patch
+ * mod_nss-reverseproxy.patch
+ * mod_nss-sslmultiproxy.patch
+ * mod_nss-tlsv1_1.patch
+ * mod_nss-wouldblock.patch
+ * update-ciphers.patch
+- add automake and libtool to BuildRequires
+- temporarily comment out %check
+
+-------------------------------------------------------------------
Old:
----
0001-SNI-check-with-NameVirtualHosts.patch
mod_nss-1.0.8.tar.gz
mod_nss-CVE-2013-4566-NSSVerifyClient.diff
mod_nss-PK11_ListCerts_2.patch
mod_nss-add_support_for_enabling_TLS_v1.2.patch
mod_nss-array_overrun.patch
mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
mod_nss-clientauth.patch
mod_nss-compare_subject_CN_and_VS_hostname.patch
mod_nss-gencert.patch
mod_nss-httpd24.patch
mod_nss-lockpcache.patch
mod_nss-negotiate.patch
mod_nss-no_shutdown_if_not_init_2.patch
mod_nss-overlapping_memcpy.patch
mod_nss-pcachesignal.h
mod_nss-proxyvariables.patch
mod_nss-reseterror.patch
mod_nss-reverse_proxy_send_SNI.patch
mod_nss-reverseproxy.patch
mod_nss-sslmultiproxy.patch
mod_nss-tlsv1_1.patch
mod_nss-wouldblock.patch
update-ciphers.patch
New:
----
mod_nss-1.0.13.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.ZpLJKc/_old 2016-03-31 13:03:48.000000000 +0200
+++ /var/tmp/diff_new_pack.ZpLJKc/_new 2016-03-31 13:03:48.000000000 +0200
@@ -20,7 +20,7 @@
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
-Version: 1.0.8
+Version: 1.0.13
Release: 0.4.8
Url: https://fedorahosted.org/mod_nss
Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
@@ -38,6 +38,7 @@
PreReq: mozilla-nss-tools
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel >= 2.2.12
+BuildRequires: automake
BuildRequires: bison
BuildRequires: curl
BuildRequires: findutils
@@ -45,43 +46,13 @@
BuildRequires: gcc-c++
BuildRequires: libapr-util1-devel
BuildRequires: libapr1-devel
+BuildRequires: libtool
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.15.1
BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig
-# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
-# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
-#Patch1: mod_nss-conf.patch
-Patch2: mod_nss-gencert.patch
-Patch3: mod_nss-wouldblock.patch
-Patch4: mod_nss-negotiate.patch
-Patch5: mod_nss-reverseproxy.patch
-Patch6: mod_nss-pcachesignal.h
-Patch7: mod_nss-reseterror.patch
-Patch8: mod_nss-lockpcache.patch
-# Fix build with apache 2.4
-Patch9: mod_nss-httpd24.patch
-
-Patch10: mod_nss-proxyvariables.patch
-Patch11: mod_nss-tlsv1_1.patch
-Patch12: mod_nss-array_overrun.patch
-Patch13: mod_nss-clientauth.patch
-Patch14: mod_nss-no_shutdown_if_not_init_2.patch
-Patch15: mod_nss-PK11_ListCerts_2.patch
-Patch16: mod_nss-sslmultiproxy.patch
-Patch17: mod_nss-overlapping_memcpy.patch
-Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
-Patch19: mod_nss-cipherlist_update_for_tls12.diff
-Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
+
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
-# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
-Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
-# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
-Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
-# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
-Patch26: 0001-SNI-check-with-NameVirtualHosts.patch
-Patch27: update-ciphers.patch
-Patch28: mod_nss-reverse_proxy_send_SNI.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2
@@ -101,36 +72,7 @@
%prep
%setup -q -n mod_nss-%{version}
-##%patch1 -p1 -b .conf.rpmpatch
-%patch2 -p1 -b .gencert.rpmpatch
-%patch3 -p1 -b .wouldblock.rpmpatch
-%patch4 -p1 -b .negotiate.rpmpatch
-%patch5 -p1 -b .reverseproxy.rpmpatch
-%patch6 -p1 -b .pcachesignal.h.rpmpatch
-%patch7 -p1 -b .reseterror.rpmpatch
-%patch8 -p1 -b .lockpcache.rpmpatch
-%patch10 -p1 -b .proxyvariables.rpmpatch
-%patch11 -p1 -b .tlsv1_1.rpmpatch
-%patch12 -p1 -b .array_overrun.rpmpatch
-%patch13 -p1 -b .clientauth.rpmpatch
-%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
-%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
-%patch16 -p1 -b .sslmultiproxy.rpmpatch
-%patch17 -p1 -b .overlapping_memcpy.rpmpatch
-%patch18 -p0 -b .CVE-2013-4566.rpmpatch
-%patch19 -p0 -b .ciphers.rpmpatch
-%patch20 -p0 -b .ciphers.doc.rpmpatch
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
-%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
-%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
-%patch26 -p1 -b .SNI_support.rpmpatch
-%patch27 -p1 -b .update-ciphers.rpmpatch
-%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
-
-# keep this last, otherwise we get fuzzyness from above
-%if %{apache_branch} >= 204
-%patch9 -p1 -b .http24
-%endif
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
@@ -150,7 +92,7 @@
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
-#autoreconf -fvi
+autoreconf -fvi
%configure \
--with-nss-lib=$NSS_LIB_DIR \
--with-nss-inc=$NSS_INCLUDE_DIR \
@@ -193,11 +135,18 @@
%check
set +x
mkdir -p %{apache_test_module_dir}
+# create password file including internal token to suppress
+# apache 'builtin dialog', see NSSPassPhraseDialog below
+# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
+cat << EOF > %{apache_test_module_dir}/password.conf
+internal:httptest
+EOF
# create test configuration
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
+NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
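Review bot: NSSPassPhraseHelper in the new test config still points at `%{buildroot}/usr/sbin/nss_pcache`, yet the 1.0.13 changelog entry in this same commit says upstream moved nss_pcache to /usr/libexec; unless %install relocates it (not visible in this diff), that path will not resolve and the test will fail once %check is re-enabled (the changelog says it is temporarily commented out). The new password.conf is written with the build's default umask and holds the token PIN in clear text, a mechanism the upstream source comment quoted elsewhere in this commit calls unsafe; for a build-time fixture that is acceptable, but I would add `chmod 600 %{apache_test_module_dir}/password.conf` right after the heredoc and extend the comment with `# test fixture only: clear-text token PIN, do not copy this into a shipped config`. The %check section continues past the hunk.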
++++++ mod_nss-1.0.8.tar.gz -> mod_nss-1.0.13.tar.gz ++++++
++++ 51602 lines of diff (skipped)
++++++ mod_nss-bnc863518-reopen_dev_tty.diff ++++++
--- /var/tmp/diff_new_pack.ZpLJKc/_old 2016-03-31 13:03:49.000000000 +0200
+++ /var/tmp/diff_new_pack.ZpLJKc/_new 2016-03-31 13:03:49.000000000 +0200
@@ -1,54 +1,8 @@
-diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c
---- ../mod_nss-1.0.8-o/nss_engine_pphrase.c 2014-07-24 12:23:30.000000000 +0200
-+++ ./nss_engine_pphrase.c 2014-07-24 13:54:23.000000000 +0200
-@@ -181,199 +181,218 @@
- * that may be done.
- */
- static PRBool nss_check_password(unsigned char *cp)
- {
- int len;
- unsigned char *end, ch;
-
- len = strlen((char *)cp);
- if (len < 8) {
- return PR_TRUE;
- }
- end = cp + len;
- while (cp < end) {
- ch = *cp++;
- if (!((ch >= 'A') && (ch <= 'Z')) &&
- !((ch >= 'a') && (ch <= 'z'))) {
- /* pass phrase has at least one non alphabetic in it */
- return PR_TRUE;
- }
- }
- return PR_TRUE;
- }
-
- /*
- * Password callback so the user is not prompted to enter the password
- * after the server starts.
- */
- static char * nss_no_password(PK11SlotInfo *slot, PRBool retry, void *arg)
- {
- return NULL;
- }
-
- /*
- * Password callback to prompt the user for a password. This requires
- * twiddling with the tty. Alternatively, if the file password.conf
- * exists then it may be used to store the token password(s).
- */
- static char *nss_get_password(FILE *input, FILE *output,
- PK11SlotInfo *slot,
- PRBool (*ok)(unsigned char *),
- pphrase_arg_t *parg)
- {
- char *pwdstr = NULL;
- char *token_name = NULL;
- int tmp;
- FILE *pwd_fileptr;
- char *ptr;
+Index: nss_engine_pphrase.c
+===================================================================
+--- nss_engine_pphrase.c.orig 2016-03-14 12:33:49.139529734 +0100
++++ nss_engine_pphrase.c 2016-03-14 12:40:42.603094487 +0100
+@@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu
char line[1024];
unsigned char phrase[200];
int infd = fileno(input);
@@ -56,103 +10,10 @@
int isTTY = isatty(infd);
token_name = PK11_GetTokenName(slot);
-
- if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE ||
- parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) {
- /* Try to get the passwords from the password file if it exists.
- * THIS IS UNSAFE and is provided for convenience only. Without this
- * capability the server would have to be started in foreground mode.
- */
- if ((*parg->mc->pphrase_dialog_path != '\0') &&
- ((pwd_fileptr = fopen(parg->mc->pphrase_dialog_path, "r")) != NULL)) {
- while(fgets(line, 1024, pwd_fileptr)) {
- if (PL_strstr(line, token_name) == line) {
- tmp = PL_strlen(line) - 1;
- while((line[tmp] == ' ') || (line[tmp] == '\n'))
- tmp--;
- line[tmp+1] = '\0';
- ptr = PL_strchr(line, ':');
- if (ptr == NULL) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Malformed password entry for token %s. Format should be token:password", token_name);
- continue;
- }
- for(tmp=1; ptr[tmp] == ' '; tmp++) {}
- pwdstr = strdup(&(ptr[tmp]));
- }
- }
- fclose(pwd_fileptr);
- } else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Unable to open password file %s", parg->mc->pphrase_dialog_path);
- nss_die();
- }
- }
-
- /* For SSL_PPTYPE_DEFER we only want to authenticate passwords found
- * in the password file.
- */
- if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) &&
- (pwdstr == NULL)) {
- return NULL;
- }
-
- /* This purposely comes after the file check because that is more
- * authoritative.
- */
- if (parg->mc->nInitCount > 1) {
- char buf[1024];
- apr_status_t rv;
- apr_size_t nBytes = 1024;
- struct sembuf sb;
-
- /* lock the pipe */
- sb.sem_num = 0;
- sb.sem_op = -1;
- sb.sem_flg = SEM_UNDO;
- if (semop(parg->mc->semid, &sb, 1) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Unable to reserve semaphore resource");
- }
-
- snprintf(buf, 1024, "RETR\t%s", token_name);
- rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
- if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Unable to write to pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
- nss_die();
- }
-
- /* The helper just returns a token pw or "", so we don't have much
- * to check for.
- */
- memset(buf, 0, sizeof(buf));
- rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
- sb.sem_op = 1;
- if (semop(parg->mc->semid, &sb, 1) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Unable to free semaphore resource");
- /* perror("semop free resource id"); */
- }
-
- if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
- nss_die();
- }
-
- /* Just return what we got. If we got this far and we don't have a
- * PIN then I/O is already shut down, so we can't do anything really
- * clever.
- */
- pwdstr = strdup(buf);
- }
-
- /* If we got a password we're done */
+@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu
if (pwdstr)
return pwdstr;
--
-+
+
+ /* It happens that stdin is not opened with O_RDONLY. Better make sure
+ * it is and re-open /dev/tty.
+ */
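Review bot: The comment that introduces the rebased block, `It happens that stdin is not opened with O_RDONLY. Better make sure it is and re-open /dev/tty.`, names neither who leaves stdin unreadable nor what fails as a result, so whoever rebases this patch next cannot tell whether it is still needed against a newer upstream. I would reword it to state the symptom and the bug reference, e.g. `/* bnc#863518: by the time we prompt, stdin may no longer be readable (presumably replaced during httpd start-up), so re-open /dev/tty before the prompt loop below. */`. The inner header `@@ -327,6 +328,24 @@` declares 18 inserted lines of which only the comment is visible here, and nss_get_password continues outside the hunk.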
@@ -174,50 +35,3 @@
for (;;) {
/* Prompt for password */
if (isTTY) {
- if (parg->retryCount > 0) {
- fprintf(output, "Password incorrect. Please try again.\n");
- }
- fprintf(output, "%s", prompt);
- echoOff(infd);
- }
- fgets((char*) phrase, sizeof(phrase), input);
- if (isTTY) {
- fprintf(output, "\n");
- echoOn(infd);
- }
- /* stomp on newline */
- phrase[strlen((char*)phrase)-1] = 0;
-
- /* Validate password */
- if (!(*ok)(phrase)) {
- /* Not weird enough */
- if (!isTTY) return 0;
- fprintf(output, "Password must be at least 8 characters long with one or more\n");
- fprintf(output, "non-alphabetic characters\n");
- continue;
- }
- if (PK11_IsFIPS() && strlen(phrase) == 0) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "The FIPS security policy requires that a password be set.");
- nss_die();
- } else
- return (char*) PORT_Strdup((char*)phrase);
- }
- }
-
- /*
- * Turn the echoing off on a tty.
- */
- static void echoOff(int fd)
- {
- if (isatty(fd)) {
- struct termios tio;
- tcgetattr(fd, &tio);
- tio.c_lflag &= ~ECHO;
- tcsetattr(fd, TCSAFLUSH, &tio);
- }
- }
-
- /*
- * Turn the echoing on on a tty.
- */
++++++ mod_nss_migrate.pl ++++++
--- /var/tmp/diff_new_pack.ZpLJKc/_old 2016-03-31 13:03:49.000000000 +0200
+++ /var/tmp/diff_new_pack.ZpLJKc/_new 2016-03-31 13:03:49.000000000 +0200
@@ -6,7 +6,7 @@
use Getopt::Std;
BEGIN {
-# $NSSDir = cwd();
+ #$NSSDir = cwd();
$NSSDir = "/etc/apache2/mod_nss.d";
$SSLCACertificatePath = "";
@@ -18,21 +18,34 @@
$passphrase = 0;
}
-%skip = ( "SSLRandomSeed" => "",
- "SSLSessionCache" => "",
- "SSLMutex" => "",
- "SSLCertificateChainFile" => "",
- "SSLVerifyDepth" => "" ,
- "SSLCryptoDevice" => "" ,
- "LoadModule" => "" ,
- );
+# these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13
+%keep = ( "SSLCipherSuite" => "",
+ "SSLEngine" => "",
+ "SSLFIPS" => "",
+ "SSLOptions" => "",
+ "SSLPassPhraseDialog" => "",
+ "SSLProtocol" => "",
+ "SSLProxyCipherSuite" => "",
+ "SSLProxyEngine" => "",
+ "SSLProxyCheckPeerCN" => "",
+ "SSLProxyProtocol" => "",
+ "SSLRandomSeed" => "",
+ "SSLRenegBufferSize" => "",
+ "SSLRequire" => "",
+ "SSLRequireSSL" => "",
+ "SSLSessionCacheTimeout" => "",
+ "SSLSessionTickets" => "",
+ "SSLStrictSNIVHostCheck" => "",
+ "SSLUserName" => "",
+ "SSLVerifyClient" => "",
+);
-%insert = ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
+%insert = ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
getopts('chr:w:' , \%opt );
sub usage() {
- print STDERR "Usage: mod_nss_migrate.pl [-c] -r