author | Rob Crittenden <rcritten@redhat.com> | 2015-09-30 20:32:46 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-10-02 16:51:56 -0400 |
commit | 979a74f6ce2e61fb607414d9ce5f39226630bab2 (patch) | |
tree | c5801695e918d87af2e0d02ded72ec08b09f4e14 | |
parent | d42edc43ef8bd40897f5dc599eb4c02b7e69e4b2 (diff) | |
Fix compatibility with RHEL 6.x (Apache 2.2.x and NSS 3.15.1)
-rw-r--r-- | configure.ac | 15 | ||||
-rw-r--r-- | mod_nss.c | 4 | ||||
-rw-r--r-- | mod_nss.h | 4 | ||||
-rw-r--r-- | nss_engine_cipher.c | 10 | ||||
-rw-r--r-- | nss_engine_cipher.h | 21 | ||||
-rw-r--r-- | nss_engine_init.c | 3 | ||||
-rw-r--r-- | nss_engine_io.c | 12 | ||||
-rw-r--r-- | nss_engine_kernel.c | 11 | ||||
-rw-r--r-- | nss_engine_log.c | 8 | ||||
-rw-r--r-- | nss_engine_vars.c | 4 | ||||
-rw-r--r-- | test/test_cipher.py | 5 | ||||
-rw-r--r-- | test_cipher.c | 8 |
12 files changed, 97 insertions, 8 deletions
diff --git a/configure.ac b/configure.ac index 7e2f369..2676b92 100644 --- a/configure.ac +++ b/configure.ac @@ -8,6 +8,7 @@ AM_INIT_AUTOMAKE(mod_nss, 1.0) # Add a test for a compiler. AC_PROG_CC +AM_PROG_CC_C_O AM_PROG_LIBTOOL # Check for header files @@ -241,14 +242,20 @@ fi nspr_dir=`echo "$nspr_lib" | sed 's/\/lib[[/]]*$//' | sed 's/-L//'` nss_dir=`echo "$nss_lib" | sed 's/\/lib[[/]]*$//' | sed 's/-L//'` +AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_128_GCM_SHA256, gcm=$enableval, gcm=no) +if test $gcm = yes; then + extra_cppflags="$extra_cppflags -DENABLE_GCM" + echo "ENABLE_GCM=1" > test/variable.py +else + echo "ENABLE_GCM=0" > test/variable.py +fi + AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_256_GCM_SHA384, sha384=$enableval, sha384=no) if test $sha384 = yes; then - AC_MSG_RESULT(yes) extra_cppflags="$extra_cppflags -DENABLE_SHA384" - echo "ENABLE_SHA384=1" > test/variable.py + echo "ENABLE_SHA384=1" >> test/variable.py else - echo "ENABLE_SHA384=0" > test/variable.py - AC_MSG_RESULT(no) + echo "ENABLE_SHA384=0" >> test/variable.py fi # Substitute values @@ -375,7 +375,11 @@ static int nss_hook_pre_connection(conn_rec *c, void *csd) ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, "Connection to child %ld established " "(server %s, client %s)", c->id, sc->vhost_id, +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + c->remote_ip ? c->remote_ip : "unknown"); +#else c->client_ip ? c->client_ip : "unknown"); +#endif mctx = sslconn->is_proxy ? sc->proxy : sc->server; @@ -484,7 +484,11 @@ int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix); SECStatus nss_Init_Tokens(server_rec *s); /* Logging */ +#if AP_SERVER_MINORVERSION_NUMBER <= 2 +void nss_log_nss_error(const char *file, int line, int level, server_rec *s); +#else void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s); +#endif void nss_die(void); /* NSS callback */ 
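Review bot: The new GCM probe records `gcm=$enableval`, but `$enableval` is a variable that `AC_ARG_ENABLE` sets, not something `AX_CHECK_DEFINE` provides, so on a configure run with no `--enable-*` option given it is likely empty and the unquoted `if test $gcm = yes` collapses to a shell error that evaluates as false, writing `ENABLE_GCM=0` and building without the guarded AES-128-GCM entries even though the symbol was found; I cannot see an earlier `AC_ARG_ENABLE` in this hunk that would guarantee the value. Use the literal result in the action and quote the test: `AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_128_GCM_SHA256, gcm=yes, gcm=no)` and `if test "x$gcm" = xyes; then`. The pre-existing `sha384=$enableval` a few lines below, which this hunk already touches, has the same weakness and could be fixed alongside.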
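Review bot: In the mod_nss.c hunk the `#if`/`#else`/`#endif` that selects `c->remote_ip` or `c->client_ip` sits inside the argument list of `ap_log_error(...)`; on 2.4 `ap_log_error` is normally a variadic macro around `ap_log_error_` (which is why test_cipher.c stubs the latter), and preprocessing directives inside a macro invocation's arguments are undefined behavior in ISO C (6.10.3p11) — GCC accepts them, other compilers need not. The same construct recurs in nss_engine_io.c (both log calls), nss_engine_kernel.c (the access-denied log), nss_engine_log.c (the `ap_log_error(file, line, ...)` call), and in nss_engine_vars.c the directives separate an unbraced `else if` from its single statement. A compatibility macro in mod_nss.h next to the new `nss_log_nss_error` prototypes keeps every call site a plain expression, e.g. `NSS_CLIENT_IP(c) ? NSS_CLIENT_IP(c) : "unknown"`, and replaces five copies of the conditional with one. It is also worth failing loudly when `AP_SERVER_MINORVERSION_NUMBER` is not yet defined, because `#if` then evaluates it as 0 and silently selects the 2.2 branch. nss_hook_pre_connection's body continues outside the hunk.
```c
/* Apache 2.2 exposes the peer address as conn_rec.remote_ip; 2.4 renamed it client_ip. */
#ifndef AP_SERVER_MINORVERSION_NUMBER
#error "ap_release.h must be included before mod_nss.h"
#endif
#if AP_SERVER_MINORVERSION_NUMBER <= 2
#define NSS_CLIENT_IP(c) ((c)->remote_ip)
#else
#define NSS_CLIENT_IP(c) ((c)->client_ip)
#endif
/* … unchanged: nss_log_nss_error prototypes … */
```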
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c index 1bd9941..258150a 100644 --- a/nss_engine_cipher.c +++ b/nss_engine_cipher.c @@ -21,7 +21,7 @@ #include <sslproto.h> /* ciphernum is defined in nss_engine_cipher.h */ -cipher_properties ciphers_def[ciphernum] = +cipher_properties ciphers_def[] = { {"rsa_null_md5", TLS_RSA_WITH_NULL_MD5, "NULL-MD5", SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSLV3, SSL_STRONG_NONE, 0, 0}, {"rsa_null_sha", TLS_RSA_WITH_NULL_SHA, "NULL-SHA", SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSLV3, SSL_STRONG_NONE, 0, 0}, @@ -41,7 +41,9 @@ cipher_properties ciphers_def[ciphernum] = {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, "EXP1024-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLSV1, SSL_EXPORT56, 56, 56}, {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, "EXP1024-RC4-SHA", SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_EXPORT56, 56, 128}, {"camelia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "CAMELLIA256-SHA", SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256}, +#ifdef ENABLE_GCM {"rsa_aes_128_gcm_sha_256", TLS_RSA_WITH_AES_128_GCM_SHA256, "AES128-GCM-SHA256", SSL_kRSA|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128}, +#endif #ifdef ENABLE_SHA384 {"rsa_aes_256_gcm_sha_384", TLS_RSA_WITH_AES_256_GCM_SHA384, "AES256-GCM-SHA384", SSL_kRSA|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256}, #endif 
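Review bot: The context comment `/* ciphernum is defined in nss_engine_cipher.h */` directly above the changed `cipher_properties ciphers_def[] =` line is now wrong, because the @@ -90 hunk of this same file moves the definition of `ciphernum` into nss_engine_cipher.c and the header only keeps an `extern`. Replace it with `/* ciphernum is derived from this table below; nss_engine_cipher.h only declares it */` so the next reader is not sent to the wrong file. Dropping the fixed `[ciphernum]` bound is the right call here — the entries are now conditional on `ENABLE_GCM` and `ENABLE_SHA384`, so a hand-counted size would be wrong under some configurations.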
@@ -75,14 +77,18 @@ cipher_properties ciphers_def[ciphernum] = {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, "AECDH-AES256-SHA", SSL_kEECDH|SSL_aNULL|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256}, {"ecdhe_ecdsa_aes_128_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "ECDHE-ECDSA-AES128-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128}, {"ecdhe_rsa_aes_128_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "ECDHE-RSA-AES128-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128}, +#ifdef ENABLE_GCM {"ecdhe_ecdsa_aes_128_gcm_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "ECDHE-ECDSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128}, +#endif #ifdef ENABLE_SHA384 {"ecdhe_ecdsa_aes_256_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "ECDHE-ECDSA-AES256-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256}, {"ecdhe_rsa_aes_256_sha_384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "ECDHE-RSA-AES256-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256}, {"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "ECDHE-ECDSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256}, {"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "ECDHE-RSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256}, #endif +#ifdef ENABLE_GCM {"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "ECDHE-RSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128}, +#endif /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 is not implemented */ /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 is not implemented */ /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 is not implemented */ 
@@ -90,6 +96,8 @@ cipher_properties ciphers_def[ciphernum] = #endif }; +#define CIPHERNUM sizeof(ciphers_def) / sizeof(cipher_properties) +int ciphernum = CIPHERNUM; /* Some ciphers are optionally enabled in OpenSSL. For safety sake assume * they are not available. diff --git a/nss_engine_cipher.h b/nss_engine_cipher.h index 2213f5d..80aac0e 100644 --- a/nss_engine_cipher.h +++ b/nss_engine_cipher.h @@ -83,6 +83,7 @@ typedef struct #define TLSV1_2 0x00000004L /* the table itself is defined in nss_engine_cipher.c */ +#if 0 #ifdef NSS_ENABLE_ECC # ifdef ENABLE_SHA384 # define ciphernum 54 @@ -92,7 +93,27 @@ typedef struct #else #define ciphernum 20 #endif +#endif + +extern int ciphernum; /* function prototypes */ int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); int countciphers(PRBool cipher_state[ciphernum], int version); + +/* I chose an arbitrary cipher to test the existence for to handle older + * versions of NSS, at least back to 3.15.1 + */ +#ifndef TLS_NULL_WITH_NULL_NULL +#define TLS_NULL_WITH_NULL_NULL SSL_NULL_WITH_NULL_NULL +#define TLS_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_MD5 +#define TLS_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_SHA +#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5 +#define TLS_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_MD5 +#define TLS_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_SHA +#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 +#define TLS_RSA_WITH_IDEA_CBC_SHA SSL_RSA_WITH_IDEA_CBC_SHA +#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA +#define TLS_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA +#endif diff --git a/nss_engine_init.c b/nss_engine_init.c index a8039ea..5ed277a 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c 
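Review bot: `#define CIPHERNUM sizeof(ciphers_def) / sizeof(cipher_properties)` has no parentheses around the expansion, so any future use in a larger expression (`x / CIPHERNUM`, `CIPHERNUM * n`) regroups silently; it also divides by the type rather than by the array's element, which stops tracking the table if the element type is ever changed. Write it as `#define CIPHERNUM (sizeof(ciphers_def) / sizeof(ciphers_def[0]))` and, since `sizeof` is `size_t` and the variable is `int`, make the narrowing explicit: `int ciphernum = (int)CIPHERNUM;`. The macro is used exactly once, so inlining the expression into the initializer would be simpler still.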
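Review bot: In the nss_engine_cipher.h hunks the old `#define ciphernum` ladder is disabled with `#if 0 … #endif` rather than deleted; dead code under `#if 0` still turns up in greps and reads as if it might be re-enabled, and version control already preserves it, so the block should be removed outright. With `extern int ciphernum;` in place the unchanged prototypes `PRBool cipher_list[ciphernum]` and `PRBool cipher_state[ciphernum]` now name a runtime variable, which makes them VLA-typed parameters adjusted to pointers — legal C99 but misleading to a reader who takes the bracket as a compile-time bound; `PRBool cipher_list[]` states the actual contract. While here, `extern cipher_properties ciphers_def[];` belongs next to `extern int ciphernum;` in this header so that nss_engine_kernel.c and test_cipher.c (both hunks re-declare it at file scope in this commit) pick up one declaration instead of repeating it.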
@@ -17,6 +17,9 @@ #include "nss_engine_cipher.h" #include "apr_thread_proc.h" #include "mpm_common.h" +#if AP_SERVER_MINORVERSION_NUMBER <= 2 +#include "ap_mpm.h" +#endif #include "secmod.h" #include "sslerr.h" #include "pk11func.h" diff --git a/nss_engine_io.c b/nss_engine_io.c index f1ac69c..1360748 100644 --- a/nss_engine_io.c +++ b/nss_engine_io.c @@ -621,13 +621,21 @@ static apr_status_t nss_filter_io_shutdown(nss_filter_ctx_t *filter_ctx, PR_Close(ssl); /* log the fact that we've closed the connection */ +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + if (c->base_server->loglevel >= APLOG_INFO) { +#else if (c->base_server->log.level >= APLOG_INFO) { +#endif ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, "Connection to child %ld closed " "(server %s, client %s)", c->id, nss_util_vhostid(c->pool, c->base_server), +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + c->remote_ip ? c->remote_ip : "unknown"); +#else c->client_ip ? c->client_ip : "unknown"); +#endif } /* deallocate the SSL connection */ @@ -1167,7 +1175,11 @@ static PRStatus PR_CALLBACK nspr_filter_getpeername(PRFileDesc *fd, PRNetAddr *a filter_ctx = (nss_filter_ctx_t *)(fd->secret); c = filter_ctx->c; +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + return PR_StringToNetAddr(c->remote_ip, addr); +#else return PR_StringToNetAddr(c->client_ip, addr); +#endif } /* diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c index 93e7c74..28042fb 100644 --- a/nss_engine_kernel.c +++ b/nss_engine_kernel.c @@ -17,6 +17,8 @@ #include "secerr.h" static void HandshakeDone(PRFileDesc *fd, void *doneflag); +extern cipher_properties ciphers_def[]; +extern int ciphernum; /* * Post Read Request Handler 
@@ -144,7 +146,11 @@ int nss_hook_ReadReq(request_rec *r) /* * Log information about incoming HTTPS requests */ +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { +#else if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) { +#endif ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "%s HTTPS request received for child %ld (server %s)", (r->connection->keepalives <= 0 ? @@ -180,7 +186,6 @@ int nss_hook_Access(request_rec *r) CERTCertificate *cert; CERTCertificate *peercert; int verify_old, verify; - extern cipher_properties ciphers_def[]; PRBool ciphers_old[ciphernum]; PRBool ciphers_new[ciphernum]; char * cipher = NULL; @@ -633,7 +638,11 @@ int nss_hook_Access(request_rec *r) ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Access to %s denied for %s " "(requirement expression not fulfilled)", +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + r->filename, r->connection->remote_ip); +#else r->filename, r->connection->client_ip); +#endif ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Failed expression: %s", req->cpExpr); diff --git a/nss_engine_log.c b/nss_engine_log.c index 62a4de8..b4e5d1b 100644 --- a/nss_engine_log.c +++ b/nss_engine_log.c @@ -321,7 +321,11 @@ void nss_die(void) exit(1); } +#if AP_SERVER_MINORVERSION_NUMBER <= 2 +void nss_log_nss_error(const char *file, int line, int level, server_rec *s) +#else void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s) +#endif { const char *err; PRInt32 error; @@ -340,7 +344,11 @@ void nss_log_nss_error(const char *file, int line, int module_index, int level, err = "Unknown"; } +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + ap_log_error(file, line, level, 0, s, +#else ap_log_error(file, line, module_index, level, 0, s, +#endif "SSL Library Error: %d %s", error, err); } diff --git a/nss_engine_vars.c b/nss_engine_vars.c index 86a6c76..a954e08 100644 --- a/nss_engine_vars.c +++ b/nss_engine_vars.c 
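Review bot: In the @@ -180 hunk of nss_engine_kernel.c, `PRBool ciphers_old[ciphernum];` and `PRBool ciphers_new[ciphernum];` silently change meaning: with `ciphernum` now an `extern int` rather than a preprocessor constant they are variable-length arrays on the stack, so the compiler can no longer check their size statically and builds with `-Wvla` will flag them. That is acceptable here because the value is a static initializer derived from the cipher table in nss_engine_cipher.c, but it deserves a line so nobody later "fixes" it into a heap allocation or a guessed constant: `/* VLAs: ciphernum is sized from ciphers_def in nss_engine_cipher.c */`. nss_hook_Access's body continues well beyond this hunk, so any later `sizeof ciphers_old` usage there is now evaluated at run time and should be checked.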
@@ -201,7 +201,11 @@ char *nss_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, #endif } else if (strcEQ(var, "REMOTE_ADDR")) +#if AP_SERVER_MINORVERSION_NUMBER <= 2 + result = c->remote_ip; +#else result = c->client_ip; +#endif else if (strcEQ(var, "HTTPS")) { if (sslconn && sslconn->ssl) result = "on"; diff --git a/test/test_cipher.py b/test/test_cipher.py index 719e8b1..5b1a348 100644 --- a/test/test_cipher.py +++ b/test/test_cipher.py @@ -1,11 +1,10 @@ -from test_config import Declarative from test_util import run, assert_equal import os import nose from nose.tools import make_decorator # This file is auto-generated by configure -from variable import ENABLE_SHA384 +from variable import ENABLE_SHA384, ENABLE_GCM cwd = os.getcwd() srcdir = os.path.dirname(cwd) @@ -44,6 +43,8 @@ def assert_equal_openssl(nss_ciphers, ossl_ciphers): for o in ossl_list: if not ENABLE_SHA384 and 'SHA384' in o: continue + if not ENABLE_GCM and 'GCM' in o: + continue if o in CIPHERS_NOT_IN_NSS: continue t.append(o) diff --git a/test_cipher.c b/test_cipher.c index 97c8848..05b0a34 100644 --- a/test_cipher.c +++ b/test_cipher.c @@ -17,6 +17,7 @@ #include <stdlib.h> #include <stdarg.h> #include <sslproto.h> +#include "ap_release.h" /* Fake a few Apache and NSPR data types and definitions */ typedef char server_rec; @@ -29,9 +30,14 @@ typedef int PRInt32; #include <nss_engine_cipher.h> extern cipher_properties ciphers_def[]; +extern ciphernum; /* An Apache-like error logger */ +#if AP_SERVER_MINORVERSION_NUMBER <= 2 +int ap_log_error(const char *fn, int line, +#else int ap_log_error_(const char *fn, int line, int module_index, +#endif int level, int status, const server_rec *s, char *fmt, ...) { @@ -46,7 +52,9 @@ int ap_log_error_(const char *fn, int line, int module_index, return 0; } +#if AP_SERVER_MINORVERSION_NUMBER > 2 #define ap_log_error_ ap_log_error +#endif int main(int argc, char ** argv) { |
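Review bot: `extern ciphernum;` in the test_cipher.c hunk has no type specifier, so it relies on implicit `int`, which C99 removed (every declaration needs at least one type specifier) and GCC only accepts with a "type defaults to 'int'" warning; if the real definition in nss_engine_cipher.c is ever changed to another type, nothing here would catch the mismatch. Declare it as `extern int ciphernum;`, matching the `extern int ciphernum;` that nss_engine_cipher.h introduces in this same commit — or simply rely on that header, which the file already includes via `<nss_engine_cipher.h>`. The new `#include "ap_release.h"` is the right way to make `AP_SERVER_MINORVERSION_NUMBER` defined before the `#if` that selects the stub's signature.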