Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-04-28 16:54:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_nss" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-03-31 13:03:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-04-28 16:57:51.000000000 +0200 @@ -1,0 +2,12 @@ +Sat Apr 16 09:12:29 UTC 2016 - [email protected] + +- update to 1.0.14 (fixes boo#973996) + * OpenSSL ciphers stopped parsing at +, CVE-2016-3099 + * Created valgrind suppression files to ease debugging + * Implement SSL_PPTYPE_FILTER to call executables to get + the key password pins. Can be used to prompt with systemd. + * Improvements to migrate.pl +- drop mod_nss_migrate.pl and use upstream migrate script instead + * add mod_nss-migrate.patch + +------------------------------------------------------------------- Old: ---- mod_nss-1.0.13.tar.gz mod_nss_migrate.pl New: ---- mod_nss-1.0.14.tar.gz mod_nss-migrate.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_nss.spec ++++++ --- /var/tmp/diff_new_pack.Pu1grj/_old 2016-04-28 16:57:54.000000000 +0200 +++ /var/tmp/diff_new_pack.Pu1grj/_new 2016-04-28 16:57:54.000000000 +0200 @@ -20,13 +20,12 @@ Summary: SSL/TLS module for the Apache HTTP server License: Apache-2.0 Group: Productivity/Networking/Web/Servers -Version: 1.0.13 +Version: 1.0.14 Release: 0.4.8 Url: https://fedorahosted.org/mod_nss Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz Source1: mod_nss.conf.in Source2: listen_nss.conf -Source3: mod_nss_migrate.pl Source4: README-SUSE.txt Source5: vhost-nss.template Provides: mod_nss @@ -52,7 +51,8 @@ BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig -Patch23: mod_nss-bnc863518-reopen_dev_tty.diff +Patch0: mod_nss-bnc863518-reopen_dev_tty.diff +Patch1: mod_nss-migrate.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 
@@ -72,7 +72,8 @@ %prep %setup -q -n mod_nss-%{version} -%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch +%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch +%patch1 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -123,7 +124,7 @@ install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ -install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/ +install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db ++++++ mod_nss-1.0.13.tar.gz -> mod_nss-1.0.14.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/ChangeLog new/mod_nss-1.0.14/ChangeLog --- old/mod_nss-1.0.13/ChangeLog 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/ChangeLog 2016-04-15 20:27:59.000000000 +0200 
@@ -1,3 +1,19 @@ +2016-04-15 Rob Crittenden <[email protected]> + * Become 1.0.14 + +2016-03-31 Rob Crittenden <[email protected]> + * Created valgrind suppression files to ease debugging + +2016-03-30 Rob Crittenden <[email protected]> + * Implement SSL_PPTYPE_FILTER to call executables to get + the key password pins. Can be used to prompt with systemd. + +2016-03-30 Vitezslav Cizek <[email protected]> + * Improvements to migrate.pl + +2016-03-17 Rob Crittenden <[email protected]> + * OpenSSL ciphers stopped parsing at +, CVE-2016-3099 + 2016-03-04 Rob Crittenden <[email protected]> * Fix a number of issues discovered by clang-analyzer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/configure.ac new/mod_nss-1.0.14/configure.ac --- old/mod_nss-1.0.13/configure.ac 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/configure.ac 2016-04-15 20:27:59.000000000 +0200 @@ -1,5 +1,5 @@ # Required initializer -AC_INIT([mod_nss],[1.0.13]) +AC_INIT([mod_nss],[1.0.14]) m4_include([acinclude.m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/docs/mod_nss.html new/mod_nss-1.0.14/docs/mod_nss.html --- old/mod_nss-1.0.13/docs/mod_nss.html 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/docs/mod_nss.html 2016-04-15 20:27:59.000000000 +0200 @@ -255,6 +255,8 @@ <ul> <li>Use a password file that contains your token passwords. See NSSPassPhraseDialog for details.</li> + <li>Exec a program which provides the token password (either by +asking the user or other means.</li> <li>Change the internal token password to a blank with:</li> </ul> <div style="margin-left: 40px;"> 
@@ -320,10 +322,38 @@ </div> <div style="margin-left: 80px;"><code>internal:secret12</code><br> </div> +<ul> + <li><code>exec:/path/to/executable</code></li> +</ul> +<div style="margin-left: 40px;">The listed program will be executed. +The only argument is the NSS token name to be authenticated. +The return value of the program is ignored. Only what is printed on +stdout is passed along as the password. +</div> +<br> +<div style="margin-left: 40px;">A trivial example script is:<br> +<br> +</div> +<div style="margin-left: 80px;"><code> +#!/bin/sh<br> +echo "secret123" +</code><br> +</div> +<br> +<div style="margin-left: 40px;">To prompt using systemd (as root):<br> +<br> +</div> +<div style="margin-left: 80px;"><code> +#!/bin/sh<br> +exec /bin/systemd-ask-password "Enter SSL pass phrase for $1: " +</code><br> +</div> <br> <span style="font-weight: bold;">Example</span><br> <br> <code>NSSPassPhraseDialog builtin</code><br> +<code>NSSPassPhraseDialog file:/etc/httpd/alias/password.conf</code><br> +<code>NSSPassPhraseDialog exec:/usr/libexec/httpd/httpd-ssl-pass-dialog</code><br> <div style="margin-left: 80px;"><br> </div> <font size="+2">NSSPassPhraseHelper</font> <br> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/migrate.pl new/mod_nss-1.0.14/migrate.pl --- old/mod_nss-1.0.13/migrate.pl 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/migrate.pl 2016-04-15 20:27:59.000000000 +0200 
@@ -17,33 +17,73 @@ $passphrase = 0; } -%skip = ( "SSLRandomSeed" => "", - "SSLSessionCache" => "", - "SSLMutex" => "", - "SSLCertificateChainFile" => "", - "SSLVerifyDepth" => "" , - "SSLCryptoDevice" => "" , - "LoadModule" => "" , - ); - -%insert = ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",); - -getopts('ch'); - -if ($opt_h) { - print "Usage: migrate.pl -c\n"; - print "\t-c convert the certificates\n"; +# these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13 +%keep = ( "SSLCipherSuite" => "", + "SSLEngine" => "", + "SSLOptions" => "", + "SSLPassPhraseDialog" => "", + "SSLProtocol" => "", + "SSLProxyCipherSuite" => "", + "SSLProxyEngine" => "", + "SSLProxyCheckPeerCN" => "", + "SSLProxyProtocol" => "", + "SSLRandomSeed" => "", + "SSLRenegBufferSize" => "", + "SSLRequire" => "", + "SSLRequireSSL" => "", + "SSLSessionCacheTimeout" => "", + "SSLSessionTickets" => "", + "SSLStrictSNIVHostCheck" => "", + "SSLUserName" => "", + "SSLVerifyClient" => "", +); + +%insert = ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",); + +getopts('chr:w:' , \%opt ); + +sub usage() { + print STDERR "Usage: migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n"; + print STDERR "\t-c converts the certificates\n"; + print STDERR "\t-r path to mod_ssl configuration file\n"; + print STDERR "\t-w path to new mod_nss configuration file\n"; + print STDERR "\n"; + print STDERR "This conversion script is not aware of apache's configuration blocks\n"; + print STDERR "and nestable conditional directives. 
Please check the output of the\n"; + print STDERR "conversion and adjust manually if necessary!\n"; exit(); } -open (NSS, "> nss.conf") or die "Unable to open nss.conf: $!.\n"; -open (SSL, "< ssl.conf") or die "Unable to open ssl.conf: $!.\n"; +usage() if ($opt{h} || !$opt{r} || !$opt{w}); + +print STDERR "input: $opt{r}\noutput: $opt{w}\n"; + +open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n"; +open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n"; + +print NSS "## This is a conversion of mod_ssl specific options by migrate.pl\n"; +print NSS "## \n"; +print NSS "## Please read through this configuration and verify the individual options!\n\n"; while (<SSL>) { my $comment = 0; + # write through even if in comment before comments are stripped below. + if(/(ServerName|ServerAlias)/) { + print NSS $_; + next; + } + # skip blank lines and comments - if (/^#/ || /^\s*$/) { + if (/^\s*#/ || /^\s*$/) { + print NSS $_; + next; + } + + s/mod_ssl\.c/mod_nss.c/; + + # write through nestable apache configuration block directives: + if (/^</ || /^\s</) { print NSS $_; next; } 
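Review bot: The write-through test for Apache block directives, `if (/^</ || /^\s</) {`, matches a `<` only at column 0 or after exactly one whitespace character, so a block tag indented by two or more spaces falls through to the SSL-directive handling below instead of being copied; `if (/^\s*</) {` covers all three cases in one pattern. In usage(), the bare `exit();` is reached both for `-h` and for a missing `-r`/`-w`, so a missing mandatory option still exits with status 0; giving usage() a status argument and calling `exit(1)` on the error path lets a wrapper distinguish the two. The `while (<SSL>)` loop continues past the end of the hunk.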
@@ -59,10 +99,37 @@ next; } - if ($stmt eq "SSLCipherSuite") { - print NSS "NSSCipherSuite ", get_ciphers($val), "\n"; - print NSS "NSSProtocol SSLv3,TLSv1\n"; - $comment = 1; + if ($stmt eq "SSLRandomSeed" && $value eq "connect builtin") { + print NSS "## mod_nss doesn't do per-connection random seeding\n"; + print NSS "##$_"; + next; + } + + # we support OpenSSL cipher strings now, keeping the string as is + # unless using system-wide crypto policy + if (($stmt eq "SSLCipherSuite" || $stmt eq "SSLProxyCipherSuite") && + $value eq "PROFILE=SYSTEM") { + my $fname = "/etc/crypto-policies/back-ends/openssl.config"; + open (my $fh, "<", $fname) or die "Unable to open $fname: $!.\n"; + my $ciphers = <$fh>; + close($fh); + + (my $newstmt = $stmt) =~ s/SSL/NSS/; + print NSS $newstmt, " ", $ciphers, "\n"; + next; + } + if ($stmt eq "SSLProtocol" ) { + print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n"; + print NSS "##$_"; + print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n"; + print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n"; + next; + } elsif ($stmt eq "SSLProxyProtocol" ) { + print NSS "## we ignore the arguments to SSLProxyProtocol. The original value was:\n"; + print NSS "##$_"; + print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n"; + print NSS "NSSProxyProtocol TLSv1.0,TLSv1.2\n\n"; + next; } elsif ($stmt eq "SSLCACertificatePath") { $SSLCACertificatePath = $value; $comment = 1; 
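Review bot: In the PROFILE=SYSTEM branch, `my $ciphers = <$fh>;` keeps the trailing newline of the first line of openssl.config, and `print NSS $newstmt, " ", $ciphers, "\n";` then writes an extra empty line after the directive; add `chomp($ciphers);` right after the read. The `die` on a missing crypto-policies file aborts the run after the output file has already been truncated and partly written, leaving a half-converted mod_nss config; reporting the problem and emitting the directive commented out (as the SSLRandomSeed branch does with `##$_`) would be the safer default. The enclosing `while (<SSL>)` loop starts and ends outside the hunk.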
@@ -84,26 +151,28 @@ $SSLCARevocationFile = $value; $comment = 1; } elsif ($stmt eq "SSLPassPhraseDialog") { - print NSS "NSSPassPhraseHelper /usr/local/bin/nss_pcache\n"; + print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n"; $passphrase = 1; $comment = 1; } - if (exists($skip{$stmt})) { - print NSS "# Skipping, not applicable in mod_nss\n"; - print NSS "##$_"; - next; - } - - # Fix up any remaining directive names - s/^SSL/NSS/; - if (exists($insert{$stmt})) { - print NSS "$_"; + #print NSS "$_"; print NSS $insert{$stmt}; next; } + if (m/^\s*SSL/) { + if (!exists($keep{$stmt})) { + print NSS "# Skipping, not applicable in mod_nss\n"; + print NSS "##$_"; + next; + } else { + # Fix up any remaining directive names + s/^(\s*)SSL/\1NSS/; + } + } + # Fall-through to print whatever is left if ($comment) { print NSS "##$_"; @@ -111,7 +180,6 @@ } else { print NSS $_; } - } if ($passphrase == 0) { @@ -126,14 +194,14 @@ # Create NSS certificate database and import any existing certificates # -if ($opt_c) { - print "Creating NSS certificate database.\n"; +if ($opt{c}) { + print STDERR "Creating NSS certificate database.\n"; run_command("certutil -N -d $NSSDir"); # Convert the certificate into pkcs12 format if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") { my $subject = get_cert_subject($SSLCertificateFile); - print "Importing certificate $subject as \"Server-Cert\".\n"; + print STDERR "Importing certificate $subject as \"Server-Cert\".\n"; run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo"); run_command("pk12util -i server.p12 -d $NSSDir -W foo"); } 
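Review bot: In the `@@ -126,14 +194,14 @@` hunk the private key is exported to `server.p12` in the current directory with the fixed pass phrase `foo`, and nothing removes that file after `pk12util -i server.p12` has imported it, so an unprotected copy of the key outlives the migration; an `unlink("server.p12");` after a successful import, ideally with the file created under a mode-0700 temporary directory, closes that gap. In the `@@ -84,26 +151,28 @@` hunk, `s/^(\s*)SSL/\1NSS/;` uses `\1` on the replacement side, which Perl accepts but warns about under `use warnings`; `s/^(\s*)SSL/$1NSS/;` is the idiomatic form. Both hunks sit inside blocks that start outside the hunk.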
@@ -141,7 +209,7 @@ if ($SSLCACertificateFile ne "") { my $subject = get_cert_subject($SSLCACertificateFile); if ($subject ne "") { - print "Importing CA certificate $subject\n"; + print STDERR "Importing CA certificate $subject\n"; run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile"); } } @@ -156,7 +224,7 @@ if ($file =~ /hash.*/) { my $subject = get_cert_subject("$SSLCACertificatePath/$file"); if ($subject ne "") { - print "Importing CA certificate $subject\n"; + print STDERR "Importing CA certificate $subject\n"; run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file"); } } @@ -165,11 +233,11 @@ } if ($SSLCARevocationFile ne "") { - print "Importing CRL file $CARevocationFile\n"; + print STDERR "Importing CRL file $CARevocationFile\n"; # Convert to DER format - run_command("openssl crl -in $SSLCARevocationFile -out /tmp/crl.tmp -inform PEM -outform DER"); - run_command("crlutil -I -t 1 -d $NSSDir -i /tmp/crl.tmp"); - unlink("/tmp/crl.tmp"); + run_command("openssl crl -in $SSLCARevocationFile -out /root/crl.tmp -inform PEM -outform DER"); + run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp"); + unlink("/root/crl.tmp"); } if ($SSLCARevocationPath ne "") { @@ -182,11 +250,11 @@ if ($file =~ /hash.*/) { my $subject = get_cert_subject("$SSLCARevocationPath/$file"); if ($subject ne "") { - print "Importing CRL file $file\n"; + print STDERR "Importing CRL file $file\n"; # Convert to DER format - run_command("openssl crl -in $SSLCARevocationPath/$file -out /tmp/crl.tmp -inform PEM -outform DER"); - run_command("crlutil -I -t 1 -d $NSSDir -i /tmp/crl.tmp"); - unlink("/tmp/crl.tmp"); + run_command("openssl crl -in $SSLCARevocationPath/$file -out /root/crl.tmp -inform PEM -outform DER"); + run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp"); + unlink("/root/crl.tmp"); } } } 
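Review bot: `print STDERR "Importing CRL file $CARevocationFile\n";` (hunk `@@ -165,11 +233,11 @@`) interpolates `$CARevocationFile`, but the variable tested and passed to openssl on the surrounding lines is `$SSLCARevocationFile`, so the message prints an empty name; it should read `print STDERR "Importing CRL file $SSLCARevocationFile\n";`. The move from `/tmp/crl.tmp` to `/root/crl.tmp` (here and in hunk `@@ -182,11 +250,11 @@`) still relies on a fixed, predictable path and assumes the script runs as root with a writable /root; `tempfile()` from the core `File::Temp` module gives a private, unique file and removes the need for the hand-rolled `unlink`.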
@@ -194,120 +262,16 @@ } } -print "Conversion complete.\n"; -print "You will need to:\n"; -print " - rename/remove ssl.conf or Apache will not start.\n"; -print " - verify the location of nss_pcache. It is set as /usr/local/bin/nss_pcache\n"; +print STDERR "\nConversion complete.\n\n"; +print STDERR "The output file should contain a valid mod_nss configuration\n"; +print STDERR "based on the mod_ssl directives from the input file.\n\n"; -exit(0); +print STDERR "Do not forget to rename the mod_ssl based apache config file\n"; +print STDERR "to a name that does not end in .conf\n\n"; +print STDERR "Restart apache and check the server error logs for problems.\n"; -# Migrate configuration from OpenSSL to NSS -sub get_ciphers { - my $str = shift; - - %cipher_list = ( - "rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:", - "rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:", - "rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:", - "rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:", - "des" => ":ALL:SSLv2:RSA:EXP:EXPORT56:MD5:DES:LOW:", - "desede3" => ":ALL:SSLv2:RSA:MD5:3DES:HIGH:", - "rsa_rc4_128_md5" => ":ALL:SSLv3:TLSv1:RSA:MD5:RC4:MEDIUM:", - "rsa_rc4_128_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:RC4:MEDIUM:", - "rsa_3des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:3DES:HIGH:", - "rsa_des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:DES:LOW:", - "rsa_rc4_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC4:", - "rsa_rc2_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC2:", - "rsa_null_md5" => ":SSLv3:TLSv1:RSA:MD5:NULL:", - "rsa_null_sha" => ":SSLv3:TLSv1:RSA:SHA:NULL:", - "rsa_des_56_sha" => ":ALL:SSLv3:TLSv1:RSA:DES:SHA:EXP:EXPORT56:", - "rsa_rc4_56_sha" => ":ALL:SSLv3:TLSv1:RSA:RC4:SHA:EXP:EXPORT56:", - ); - - $NUM_CIPHERS = 16; - - for ($i = 0; $i < $NUM_CIPHERS; $i++) { - $selected[$i] = 0; - } - - # Don't need to worry about the ordering properties of "+" because - # NSS always chooses the "best" cipher anyway. You can't specify - # preferred order. 
- - # -1: this cipher is completely out - # 0: this cipher is currently unselected, but maybe added later - # 1: this cipher is selected - - @s = split(/:/, $str); - - for ($i = 0; $i <= $#s; $i++) { - $j = 0; - $val = 1; - - # ! means this cipher is disabled forever - if ($s[$i] =~ /^!/) { - $val = -1; - ($s[$i] =~ s/^!//); - } elsif ($s[$i] =~ /^-/) { - $val = 0; - ($s[$i] =~ s/^-//); - } elsif ($s[$i] =~ /^+/) { - ($s[$i] =~ s/^+//); - } - - for $cipher (sort keys %cipher_list) { - $match = 0; - - # For embedded + we do an AND for all options - if ($s[$i] =~ m/(\w+\+)+/) { - @sub = split(/^\+/, $s[$i]); - $match = 1; - for ($k = 0; $k <=$#sub; $k++) { - if ($cipher_list{$cipher} !=~ m/:$sub[$k]:/) { - $match = 0; - } - } - } else { # straightforward match - if ($cipher_list{$cipher} =~ m/:$s[$i]:/) { - $match = 1; - } - } - - if ($match && $selected[$j] != -1) { - $selected[$j] = $val; - } - $j++; - } - } - - # NSS doesn't honor the order of a cipher list, it uses the "strongest" - # cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and - # the NSS ciphers not available in OpenSSL. - $str = "SSLv2:SSLv3"; - @s = split(/:/, $str); - - $ciphersuite = ""; - - for ($i = 0; $i <= $#s; $i++) { - $j = 0; - for $cipher (sort keys %cipher_list) { - if ($cipher_list{$cipher} =~ m/:$s[$i]:/) { - if ($selected[$j]) { - $ciphersuite .= "+"; - } else { - $ciphersuite .= "-"; - } - $ciphersuite .= $cipher . ","; - } - $j++; - } - } - - $ciphersuite .= "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha"; - - return $ciphersuite; -} +exit(0); # Given the filename of a PEM file, use openssl to fetch the certificate # subject 
@@ -334,12 +298,12 @@ sub run_command { my @args = shift; my $status = 0; - + $status = 0xffff & system(@args); return if ($status == 0); - print "Command '@args' failed: $!\n"; + print STDERR "Command '@args' failed: $!\n"; exit; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/mod_nss.h new/mod_nss-1.0.14/mod_nss.h --- old/mod_nss-1.0.13/mod_nss.h 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/mod_nss.h 2016-04-15 20:27:59.000000000 +0200 @@ -221,6 +221,7 @@ SSL_PPTYPE_BUILTIN = 0, SSL_PPTYPE_FILE = 1, SSL_PPTYPE_DEFER = 2, + SSL_PPTYPE_FILTER = 3, } nss_pphrase_t; /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/nss_engine_cipher.c new/mod_nss-1.0.14/nss_engine_cipher.c --- old/mod_nss-1.0.13/nss_engine_cipher.c 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/nss_engine_cipher.c 2016-04-15 20:27:59.000000000 +0200 @@ -20,6 +20,12 @@ #include <stdlib.h> #include <sslproto.h> +/* Cipher actions */ +#define PERMANENTLY_DISABLE_CIPHER -1 /* !CIPHER */ +#define SUBTRACT_CIPHER 0 /* -CIPHER */ +#define ENABLE_CIPHER 1 /* CIPHER */ +#define REORDER_CIPHER 2 /* +CIPHER */ + /* ciphernum is defined in nss_engine_cipher.h */ cipher_properties ciphers_def[] = { @@ -181,14 +187,18 @@ { int i; + if (action == REORDER_CIPHER) + /* NSS doesn't allow ordering so do nothing */ + return; + for (i = 0; i < skip_ciphers; i++) { if (ciphers_def[index].num == ciphers_not_in_openssl[i]) { - cipher_list[index] = -1; + cipher_list[index] = PERMANENTLY_DISABLE_CIPHER; return; } } - if (cipher_list[index] != -1) /* cipher is disabled */ + if (cipher_list[index] != PERMANENTLY_DISABLE_CIPHER) cipher_list[index] = action; } 
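Review bot: After `$status = 0xffff & system(@args);` the failure message prints `$!`, which only describes a fork/exec error and is unrelated when the child simply exited non-zero; the exit status is what `$status` already holds, so `print STDERR "Command '@args' failed (exit status ", $status >> 8, ")\n";` reports the actual cause. `my @args = shift;` captures a single string, so `system` always goes through the shell, and the callers in this file interpolate certificate subjects and user-supplied paths into that string; passing the command as a list (`system(@list)`) avoids shell interpretation of those values. The closing `exit;` also terminates with status 0, so a failed certutil/openssl step is not visible to whoever invoked migrate.pl.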
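Review bot: In set_cipher_value (whose signature starts before hunk `@@ -181,14 +187,18 @@`), the new early exit `if (action == REORDER_CIPHER) /* NSS doesn't allow ordering so do nothing */ return;` places the comment between the condition and its unbraced statement, which is easy to misread in later edits; braces around the `return;` keep it unambiguous. The four action values introduced in `@@ -20,6 +20,12 @@` are plain `#define` ints, and the same array slots are also filled by SSL_CipherPrefGetDefault() in hunk `@@ -253,12 +264,13 @@`, so ENABLE_CIPHER/SUBTRACT_CIPHER coincide with PRBool results while PERMANENTLY_DISABLE_CIPHER must never do so; a comment stating that invariant next to the defines (`/* -1 must stay distinct from the PRBool values NSS writes into cipher_list */`) would document what the code relies on, and an `enum` would make the relationship visible to the compiler as well.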
@@ -207,23 +217,24 @@ while ((*cipher) && (isspace(*cipher))) ++cipher; - action = 1; /* default to enable */ + action = ENABLE_CIPHER; /* default to enable */ switch(*cipher) { - case '+': /* Add something */ + case '+': /* Cipher ordering is not supported in NSS */ - return 0; + action = REORDER_CIPHER; + cipher++; break; - case '-': /* Subtract something */ - action = 0; + case '-': + action = SUBTRACT_CIPHER; cipher++; break; - case '!': /* Disable something */ - action = -1; + case '!': + action = PERMANENTLY_DISABLE_CIPHER; cipher++; break; default: - /* do nothing */ + /* Add the cipher */ break; } @@ -253,12 +264,13 @@ int mask = SSL_aNULL | SSL_eNULL; found = PR_TRUE; for (i=0; i < ciphernum; i++) { - if (cipher_list[i] != -1) + if (cipher_list[i] != PERMANENTLY_DISABLE_CIPHER) SSL_CipherPrefGetDefault(ciphers_def[i].num, &cipher_list[i]); if (PR_TRUE == first) { if (ciphers_def[i].attr & mask) { - set_cipher_value(cipher_list, i, -1); + set_cipher_value(cipher_list, i, + PERMANENTLY_DISABLE_CIPHER); } } } @@ -414,7 +426,7 @@ if (((ciphers_def[i].attr & mask) || (ciphers_def[i].strength & strength) || (ciphers_def[i].version & protocol)) && - (cipher_list[i] != -1)) { + (cipher_list[i] != PERMANENTLY_DISABLE_CIPHER)) { if (amask != 0) { PRBool match = PR_FALSE; if (ciphers_def[i].attr & amask) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/nss_engine_config.c new/mod_nss-1.0.14/nss_engine_config.c --- old/mod_nss-1.0.13/nss_engine_config.c 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/nss_engine_config.c 2016-04-15 20:27:59.000000000 +0200 
@@ -692,7 +692,27 @@ "' does not exist", NULL); } } + else if ((arglen > 5) && strEQn(arg, "exec:", 5)) { + apr_finfo_t finfo; + apr_status_t rc; + mc->pphrase_dialog_type = SSL_PPTYPE_FILTER; + mc->pphrase_dialog_path = + ap_server_root_relative(cmd->pool, arg+5); + if (!mc->pphrase_dialog_path) { + return apr_pstrcat(cmd->pool, + "Invalid NSSPassPhraseDialog exec: path ", + arg+5, NULL); + } + rc = apr_stat(&finfo, mc->pphrase_dialog_path, + APR_FINFO_TYPE|APR_FINFO_SIZE, cmd->pool); + if ((rc != APR_SUCCESS) || (finfo.filetype != APR_REG)) { + return apr_pstrcat(cmd->pool, + "NSSPassPhraseDialog: file '", + mc->pphrase_dialog_path, + "' does not exist", NULL); + } + } return NULL; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/nss_engine_pphrase.c new/mod_nss-1.0.14/nss_engine_pphrase.c --- old/mod_nss-1.0.13/nss_engine_pphrase.c 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/nss_engine_pphrase.c 2016-04-15 20:27:59.000000000 +0200 @@ -19,6 +19,7 @@ typedef struct { SSLModConfigRec *mc; + server_rec *s; PRInt32 retryCount; } pphrase_arg_t; @@ -51,6 +52,7 @@ parg = (pphrase_arg_t*)malloc(sizeof(*parg)); parg->mc = mc; parg->retryCount = 0; + parg->s = s; PK11_SetPasswordFunc(nss_password_prompt); @@ -149,7 +151,7 @@ snprintf(buf, 1024, "STOR\t%s\t%s", PK11_GetTokenName(slot), passwd); rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Unable to write to pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); nss_die(); } @@ -166,7 +168,7 @@ res = atoi(buf); if (rv != APR_SUCCESS || (res != PIN_SUCCESS && res != PIN_INCORRECTPW)) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Unable to read from pin store for slot: %s APR err: %d pcache: %d", PK11_GetTokenName(slot), rv, res); nss_die(); } 
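Review bot: The new `exec:` branch verifies only that the path is a regular file (`finfo.filetype != APR_REG`), not that httpd can execute it, so a non-executable file is accepted at configuration time and only fails later when a pass phrase is requested; request `APR_FINFO_TYPE|APR_FINFO_PROT|APR_FINFO_SIZE` and extend the condition with `|| !(finfo.protection & APR_UEXECUTE)`. The error text `"' does not exist"` is also returned when the path exists but is a directory or other non-regular file, so wording such as `"' is not a regular executable file"` would match what is actually checked. Because this program is run by the server to obtain key pass phrases, a check that it is owned by root and not group/world-writable (via APR_FINFO_USER and the APR_FINFO_PROT bits) is worth considering. The enclosing directive handler starts before the hunk.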
@@ -216,9 +218,9 @@ * exists then it may be used to store the token password(s). */ static char *nss_get_password(FILE *input, FILE *output, - PK11SlotInfo *slot, - PRBool (*ok)(unsigned char *), - pphrase_arg_t *parg) + PK11SlotInfo *slot, + PRBool (*ok)(unsigned char *), + pphrase_arg_t *parg) { char *pwdstr = NULL; char *token_name = NULL; @@ -248,7 +250,7 @@ line[tmp+1] = '\0'; ptr = PL_strchr(line, ':'); if (ptr == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Malformed password entry for token %s. Format should be token:password", token_name); continue; } @@ -258,10 +260,32 @@ } fclose(pwd_fileptr); } else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Unable to open password file %s", parg->mc->pphrase_dialog_path); nss_die(); } + } else if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILTER) && + (parg->mc->nInitCount == 1)) { + /* We only have tty during first module load */ + const char *cmd = parg->mc->pphrase_dialog_path; + const char **argv = apr_palloc(parg->mc->pPool, sizeof(char *) * 4); + char *result; + int i; + + ap_log_error(APLOG_MARK, APLOG_INFO, 0, parg->s, + "Requesting pass phrase from dialog filter " + "program (%s)", cmd); + + argv[0] = cmd; + argv[1] = token_name; + argv[2] = "NSS"; + argv[3] = NULL; + + result = nss_util_readfilter(NULL, parg->mc->pPool, cmd, argv); + + /* readfilter returns NULL in case of ANY error */ + if (NULL != result) + pwdstr = strdup(result); } /* For SSL_PPTYPE_DEFER we only want to authenticate passwords found 
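Review bot: The filter branch in hunk `@@ -258,10 +260,32 @@` calls `nss_util_readfilter(NULL, parg->mc->pPool, cmd, argv)` with a NULL first argument even though the rest of this commit threads `parg->s` through for logging; if that parameter is the server_rec used for error reporting, `parg->s` belongs here too. When `result` is NULL the branch logs nothing and falls through with `pwdstr` unset, so an `ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Pass phrase filter program (%s) returned no pass phrase", cmd);` in an else-branch would tell the administrator what failed. The pass phrase returned by readfilter stays in `pPool` (presumably a long-lived pool, given that `argv` for this one-off call is also taken from it) after the `strdup` copy; clearing it with `memset(result, 0, strlen(result));` once copied limits how long the secret lingers. The docs hunk states that the program receives the token name as its only argument, while `argv[2] = "NSS"` passes a second one, so the two should be reconciled. The `nInitCount == 1` guard, with the copied comment `/* We only have tty during first module load */`, means the filter is not consulted on later initialisations, which the directive documentation should state; nss_get_password starts and ends outside this hunk.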
@@ -286,14 +310,14 @@ sb.sem_op = -1; sb.sem_flg = SEM_UNDO; if (semop(parg->mc->semid, &sb, 1) == -1) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Unable to reserve semaphore resource"); } snprintf(buf, 1024, "RETR\t%s", token_name); rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Unable to write to pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); nss_die(); } @@ -305,13 +329,13 @@ rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); sb.sem_op = 1; if (semop(parg->mc->semid, &sb, 1) == -1) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Unable to free semaphore resource"); /* perror("semop free resource id"); */ } if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); nss_die(); } @@ -353,7 +377,7 @@ continue; } if (PK11_IsFIPS() && strlen((char *)phrase) == 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parg->s, "The FIPS security policy requires that a password be set."); nss_die(); } else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/nss_pcache.c new/mod_nss-1.0.14/nss_pcache.c --- old/mod_nss-1.0.13/nss_pcache.c 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/nss_pcache.c 2016-04-15 20:27:59.000000000 +0200 @@ -387,8 +387,6 @@ break; } command = getstr(buf, 0); - tokenName = getstr(buf, 1); - tokenpw = getstr(buf, 2); if (command && !strcmp(command, "QUIT")) { break; 
@@ -396,6 +394,9 @@ PRInt32 err = PIN_SUCCESS; Node *node = NULL; + tokenName = getstr(buf, 1); + tokenpw = getstr(buf, 2); + if (tokenName && tokenpw) { node = (Node*)malloc(sizeof (Node)); if (!node) { @@ -431,6 +432,8 @@ char *pin = 0; PRBool found = PR_FALSE; + tokenName = getstr(buf, 1); + for (node = pinList; node != NULL; node = node->next) { if (!strcmp(node->tokenName, tokenName)) { if (Pk11StoreGetPin(&pin, node->store) == SECSuccess) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/test/createinstance.sh new/mod_nss-1.0.14/test/createinstance.sh --- old/mod_nss-1.0.13/test/createinstance.sh 2016-03-05 23:39:14.000000000 +0100 +++ new/mod_nss-1.0.14/test/createinstance.sh 2016-04-15 20:27:59.000000000 +0200 @@ -88,7 +88,7 @@ MALLOC_CHECK_=2 MALLOC_PERTURB=\$((\$RANDOM % 255 + 1)) HTTPD=/usr/sbin/httpd -#valgrind --leak-check=full --log-file=valgrind.out.%p --trace-children=yes --track-origins=yes \$HTTPD -X -k start -d . -f ./conf/httpd.conf +#valgrind --suppressions=../../mod_nss.supp --suppressions=../../nss_pcache.supp --leak-check=full --log-file=valgrind.out.%p --trace-children=yes --track-origins=yes \$HTTPD -X -k start -d . -f ./conf/httpd.conf \$HTTPD -k start -d . -f ./conf/httpd.conf EOF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/test/mod_nss.supp new/mod_nss-1.0.14/test/mod_nss.supp --- old/mod_nss-1.0.13/test/mod_nss.supp 1970-01-01 01:00:00.000000000 +0100 +++ new/mod_nss-1.0.14/test/mod_nss.supp 2016-04-15 20:27:59.000000000 +0200 
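Review bot: In the RETR branch (hunk `@@ -431,6 +432,8 @@`) the newly placed `tokenName = getstr(buf, 1);` is handed straight to `strcmp(node->tokenName, tokenName)` in the loop; if getstr() returns NULL for a missing field, as the STOR branch's `if (tokenName && tokenpw)` guard suggests it can, a RETR request without a token field dereferences NULL. The same check belongs here, e.g. `if (tokenName != NULL && !strcmp(node->tokenName, tokenName)) {`, or a rejection of the request before the loop. The loop body continues past the end of the hunk. Moving the field parsing into the command branches (the `@@ -387,8 +387,6 @@` and `@@ -396,6 +394,9 @@` hunks) is reasonable, but a one-line comment at the removed site noting that the token fields are now parsed per command would help the next reader.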
@@ -0,0 +1,310 @@ +{ + <NSS I/O Layer> + Memcheck:Leak + ... + fun:PR_CreateIOLayerStub +} +{ + <PK11_ConfigurePKCS11> + Memcheck:Leak + ... + fun:PK11_ConfigurePKCS11 +} +{ + <NSS_Initialize> + Memcheck:Leak + ... + fun:NSS_Initialize +} +{ + <PK11_GetAllTokens> + Memcheck:Leak + ... + fun:PK11_GetAllTokens +} +{ + <NSSTrustDomain_TraverseCertificates> + Memcheck:Leak + ... + fun:NSSTrustDomain_TraverseCertificates +} +{ + <nssDecodedPKIXCertificate_Create> + Memcheck:Leak + ... + fun:nssDecodedPKIXCertificate_Create +} +{ + <serverCAListSetup> + Memcheck:Leak + ... + fun:serverCAListSetup +} +{ + <Apache resource_config> + Memcheck:Leak + ... + fun:ap_process_resource_config +} +{ + <Apache leak ap_process_config_tree> + Memcheck:Leak + ... + fun:ap_process_config_tree +} +{ + <Apache proxy initialize> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_pool_create_ex + ... + fun:ap_proxy_initialize_worker + fun:child_init + fun:ap_run_child_init + fun:child_main + fun:make_child + fun:prefork_run + fun:ap_run_mpm + fun:main +} +{ + <Apache build config> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:apr_pmemdup + fun:ap_build_config_sub + fun:ap_build_config + fun:ap_process_resource_config + fun:ap_read_config + fun:main +} +{ + <Apache build config open include file> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:apr_file_open + fun:ap_pcfg_openfile + fun:ap_process_resource_config + fun:process_resource_config_nofnmatch + fun:ap_process_fnmatch_configs + fun:include_config + fun:invoke_cmd + fun:execute_now + fun:ap_build_config_sub + fun:ap_build_config + fun:ap_process_resource_config +} +{ + <Apache build config include> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:ap_build_config_sub + fun:ap_build_config + fun:ap_process_resource_config + 
fun:process_resource_config_nofnmatch + fun:ap_process_fnmatch_configs + fun:include_config + fun:invoke_cmd + fun:execute_now + fun:ap_build_config_sub + fun:ap_build_config + fun:ap_process_resource_config +} +{ + <Apache process config> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:apr_strmatch_precompile + fun:add_setenvif_core + fun:invoke_cmd + fun:ap_walk_config_sub + fun:ap_walk_config + fun:ap_process_config_tree + fun:main +} +{ + <Apache config VirtualHost> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:create_empty_config + fun:urlsection + fun:invoke_cmd + fun:ap_walk_config_sub + fun:ap_walk_config + fun:virtualhost_section + fun:invoke_cmd + fun:ap_walk_config_sub + fun:ap_walk_config + fun:ap_process_config_tree + fun:main +} +{ + <Apache virtualhost reorder> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_pool_create_ex + fun:ap_core_reorder_directories + fun:ap_fixup_virtual_hosts + fun:main +} +{ + <Apache init pool allocator> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_pool_create_ex + ... + fun:apr_initialize + fun:init_process + fun:main +} +{ + <Apache init pool allocator> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_pool_create_ex + fun:init_process + fun:main +} +{ + <Apache init pool allocator> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:init_process + fun:main +} +{ + <Apache apr_pool_create_ex> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_pool_create_ex + fun:main +} +{ + <Apache ap_setup_prelinked_modules> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + ... 
+ fun:ap_setup_prelinked_modules + fun:main +} +{ + <Apache init server config> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:make_array_core + fun:apr_array_make + fun:so_sconf_create + fun:create_server_config + fun:init_server_config + fun:ap_read_config + fun:main +} +{ + <Apache register hooks> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + ... + fun:ap_add_module + fun:ap_add_loaded_module + fun:load_module + fun:invoke_cmd + fun:execute_now + fun:ap_build_config_sub + fun:ap_build_config +} +{ + <Apache apr_sort_hook_all> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + ... + fun:apr_hook_sort_all + fun:main +} +{ + <Apache apr_strmatch_precompile> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:apr_strmatch_precompile + fun:ap_setup_make_content_type + fun:core_post_config + fun:ap_run_post_config + fun:main +} +{ + <Apache rewritelock mutex> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:proc_mutex_sysv_create + fun:proc_mutex_create + fun:apr_proc_mutex_create + fun:apr_global_mutex_create + fun:ap_global_mutex_create + fun:rewritelock_create + fun:post_config + fun:ap_run_post_config + fun:main +} +{ + <Apache ap_init_rng> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + fun:apr_random_add_entropy + fun:ap_init_rng + fun:main +} +{ + <Apache mime_post_config> + Memcheck:Leak + match-leak-kinds: possible + fun:malloc + fun:allocator_alloc + fun:apr_palloc + ... 
+ fun:mime_post_config
+ fun:ap_run_post_config
+ fun:main
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/test/nss_pcache.supp new/mod_nss-1.0.14/test/nss_pcache.supp
--- old/mod_nss-1.0.13/test/nss_pcache.supp 1970-01-01 01:00:00.000000000 +0100
+++ new/mod_nss-1.0.14/test/nss_pcache.supp 2016-04-15 20:27:59.000000000 +0200
@@ -0,0 +1,19 @@
+{
+ <NSS_Initialize>
+ Memcheck:Leak
+ ...
+ fun:NSS_Initialize
+ fun:main
+}
+{
+ <secmod_ModuleInit>
+ Memcheck:Leak
+ ...
+ fun:secmod_ModuleInit
+}
+{
+ <nsc_CommonInitialize>
+ Memcheck:Leak
+ ...
+ fun:nsc_CommonInitialize
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/test/test_cipher.py new/mod_nss-1.0.14/test/test_cipher.py
--- old/mod_nss-1.0.13/test/test_cipher.py 2016-03-05 23:39:14.000000000 +0100
+++ new/mod_nss-1.0.14/test/test_cipher.py 2016-04-15 20:27:59.000000000 +0200
@@ -6,6 +6,15 @@
 # This file is auto-generated by configure
 from variable import ENABLE_SHA384, ENABLE_GCM, ENABLE_SERVER_DHE
+# Things to be aware of if some tests fail:
+#
+# OpenSSL 1.0.2g
+# removed LOW from the DEFAULT cipher list
+# OpenSSL 1.0.2f
+# doesn't provide EXPORT or LOW ciphers unless built that way
+#
+# See https://www.openssl.org/news/cl102.txt for more details
+
 cwd = os.getcwd()
 srcdir = os.path.dirname(cwd)
 exe = "%s/test_cipher" % srcdir
@@ -31,7 +40,7 @@
 OPENSSL_CIPHERS_IGNORE += ':-DH'
 def assert_equal_openssl(ciphers):
- nss_ciphers = ciphers
+ nss_ciphers = ciphers + ":-EXP:-LOW"
 ossl_ciphers = ciphers + OPENSSL_CIPHERS_IGNORE
 (nss, err, rc) = run([exe, "--o", nss_ciphers])
 assert rc == 0
@@ -99,8 +108,9 @@
 def test_RC4(self):
 assert_equal_openssl("RC4")
- def test_RC2(self):
- assert_equal_openssl("RC2")
+# OpenSSL 1.0.2f disabled LOW ciphers by default
+# def test_RC2(self):
+# assert_equal_openssl("RC2")
 def test_AES(self):
 assert_equal_openssl("AES")
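Review bot: `nss_ciphers = ciphers + ":-EXP:-LOW"` in the -31 hunk strips export and LOW ciphers from the NSS side of every comparison, so assert_equal_openssl can no longer notice a regression in which mod_nss enables EXP or LOW suites that the OpenSSL reference list does not contain, and it bakes a property of one OpenSSL build into the helper rather than into the affected tests. Deciding once at import time whether the local OpenSSL still provides those classes and only appending the subtraction in that case, e.g. `nss_ciphers = ciphers + (":-EXP:-LOW" if OPENSSL_LACKS_EXP_LOW else "")` with OPENSSL_LACKS_EXP_LOW a flag computed from the local OpenSSL (placeholder name), keeps that coverage on builds that still ship them. The -6 hunk's comment block already records the version dependency; pointing it at the flag would tie the two together.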
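Review bot: The RC2 test in the -99 hunk is commented out rather than skipped, and the same is done for DES, EXP/EXPORT/EXPORT40 and LOW in the -126, -163 and -184 hunks below; commented-out tests vanish from the report and tend to rot as the cipher lists move. A skip guarded by a flag computed from the local OpenSSL, using whichever skip mechanism the runner here provides, keeps the tests alive where the ciphers are still available, with the existing `# OpenSSL 1.0.2f disabled LOW ciphers by default` text as the skip reason.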
@@ -126,8 +136,9 @@
 def test_3DES(self):
 assert_equal_openssl("3DES")
- def test_DES(self):
- assert_equal_openssl("DES")
+# OpenSSL 1.0.2f disabled LOW ciphers by default
+# def test_DES(self):
+# assert_equal_openssl("DES")
 def test_ALL(self):
 assert_equal_openssl("ALL")
@@ -163,14 +174,15 @@
 assert rc == 0
 assert_equal(out, 'rsa_rc4_128_md5, rsa_rc4_128_sha')
- def test_EXP(self):
- assert_equal_openssl("EXP")
-
- def test_EXPORT(self):
- assert_equal_openssl("EXPORT")
-
- def test_EXPORT40(self):
- assert_equal_openssl("EXPORT40")
+# OpenSSL 1.0.2g disabled export ciphers by default
+# def test_EXP(self):
+# assert_equal_openssl("EXP")
+#
+# def test_EXPORT(self):
+# assert_equal_openssl("EXPORT")
+#
+# def test_EXPORT40(self):
+# assert_equal_openssl("EXPORT40")
 def test_MD5(self):
 assert_equal_openssl("MD5")
@@ -184,8 +196,9 @@
 def test_MEDIUM(self):
 assert_equal_openssl("MEDIUM")
- def test_LOW(self):
- assert_equal_openssl("LOW")
+# OpenSSL 1.0.2f disabled LOW ciphers by default
+# def test_LOW(self):
+# assert_equal_openssl("LOW")
 def test_SHA256(self):
 assert_equal_openssl("SHA256")
@@ -256,6 +269,14 @@
 def test_DEFAULT_aRSA(self):
 assert_no_NULL("DEFAULT:aRSA")
+ def test_SYSTEM_DEFAULT(self):
+ # I've added in !DHE here which differs from F-23 default
+ assert_equal_openssl("!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!DHE")
+ def test_cipher_reorder(self):
+ # re-ordering now allowed but shouldn't blow up either
+ assert_equal_openssl("3DES:RC4:AES:+3DES:MD5")
+
 def test_nss_subtraction(self):
 (out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_128_md5"])
 assert rc == 0
++++++ mod_nss-bnc863518-reopen_dev_tty.diff ++++++
--- /var/tmp/diff_new_pack.Pu1grj/_old 2016-04-28 16:57:54.000000000 +0200
+++ /var/tmp/diff_new_pack.Pu1grj/_new 2016-04-28 16:57:54.000000000 +0200
@@ -1,8 +1,8 @@
 Index: nss_engine_pphrase.c
 ===================================================================
---- nss_engine_pphrase.c.orig 2016-03-14 12:33:49.139529734 +0100
-+++ nss_engine_pphrase.c 2016-03-14 12:40:42.603094487 +0100
-@@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu
+--- nss_engine_pphrase.c.orig 2016-04-15 20:27:59.000000000 +0200
++++ nss_engine_pphrase.c 2016-04-16 11:11:49.472862662 +0200
+@@ -230,6 +230,7 @@ static char *nss_get_password(FILE *inpu
 char line[1024];
 unsigned char phrase[200];
 int infd = fileno(input);
@@ -10,7 +10,7 @@
 int isTTY = isatty(infd);
 token_name = PK11_GetTokenName(slot);
-@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu
+@@ -351,6 +352,24 @@ static char *nss_get_password(FILE *inpu
 if (pwdstr) return pwdstr;
++++++ mod_nss-migrate.patch ++++++
Index: mod_nss-1.0.14/migrate.pl
===================================================================
--- mod_nss-1.0.14.orig/migrate.pl 2016-04-15 20:27:59.000000000 +0200
+++ mod_nss-1.0.14/migrate.pl 2016-04-16 11:50:59.588366719 +0200
@@ -6,7 +6,7 @@
 use Cwd;
 use Getopt::Std;
 BEGIN {
- $NSSDir = cwd();
+ $NSSDir = "/etc/apache2/mod_nss.d";
 $SSLCACertificatePath = "";
 $SSLCACertificateFile = "";
