diff --git a/SOURCES/mod_nss-group-permissions.patch b/SOURCES/mod_nss-group-permissions.patch
new file mode 100644
index 0000000..c4d7ef0
--- /dev/null
+++ b/SOURCES/mod_nss-group-permissions.patch
@@ -0,0 +1,127 @@
+From 302905ffe8fdcb9abdf36f16bc4420f5e1dbab01 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 23 Feb 2017 13:06:21 -0500
+Subject: [PATCH] Handle group membership when testing for file permissions
+
+This was a bit of a corner case but group membership wasn't
+considered when trying to determine if the NSS databases are
+readable.
+
+Resolves BZ 1395300
+---
+ nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 33 insertions(+), 12 deletions(-)
+
+diff --git a/nss_engine_init.c b/nss_engine_init.c
+index 0bb2054..14f86d8 100644
+--- a/nss_engine_init.c
++++ b/nss_engine_init.c
+@@ -29,6 +29,7 @@
+ #include "cert.h"
+ #include
+ #include
++#include
+
+ static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
+ static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
+@@ -56,17 +57,33 @@ static char *version_components[] = {
+ * Return 0 on failure or file doesn't exist
+ * Return 1 on success
+ */
+-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
++static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
++ apr_pool_t *p)
+ {
+ apr_finfo_t finfo;
+- int rv;
++ PRBool in_group = PR_FALSE;
++ struct group *gr;
++ int i = 0;
++
++ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
++ == APR_SUCCESS) {
++ if ((gr = getgrgid(finfo.group)) == NULL) {
++ return 0;
++ }
+
+- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
+- p)) == APR_SUCCESS) {
++ if (gid == finfo.group) {
++ in_group = PR_TRUE;
++ } else {
++ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
++ if (!strcasecmp(user, gr->gr_mem[i++])) {
++ in_group = PR_TRUE;
++ break;
++ }
++ }
++ }
+ if (((uid == finfo.user) &&
+ (finfo.protection & APR_FPROT_UREAD)) ||
+- ((gid == finfo.group) &&
+- (finfo.protection & APR_FPROT_GREAD)) ||
++ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
+ (finfo.protection & APR_FPROT_WREAD)
+ )
+ {
+@@ -176,7 +193,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ "Checking permissions for user %s: uid %d gid %d",
+ mc->user, pw->pw_uid, pw->pw_gid);
+
+- if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, dbdir, p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS "
+ "database directory %s.", mc->user, dbdir);
+@@ -186,7 +203,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
+ apr_snprintf(filepath, 1024, "%s/key4.db",
+ mc->pCertificateDatabase+4);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS key "
+ "database %s.", mc->user, filepath);
+@@ -194,7 +212,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ }
+ apr_snprintf(filepath, 1024, "%s/cert9.db",
+ mc->pCertificateDatabase+4);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS cert "
+ "database %s.", mc->user, filepath);
+@@ -203,7 +222,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ } else {
+ apr_snprintf(filepath, 1024, "%s/key3.db",
+ mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS key "
+ "database %s.", mc->user, filepath);
+@@ -211,7 +231,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ }
+
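Review bot: In the new check_path a failed getgrgid() on the file's group now returns 0 before the owner and world read bits are even consulted, so a database owned by the server user but carrying a gid with no /etc/group entry (or a transient NSS lookup failure at startup) is reported as "lacks read access" and, per the callers in this file, the server refuses to start; the old code had no dependency on group lookups at all. The lookup should only run when `gid != finfo.group`, and a NULL result should simply mean "membership not proven", leaving the owner/world bits to decide. Separately, `strcasecmp(user, gr->gr_mem[i++])` is wrong for account names, which are case-sensitive on Unix, so a member named `Apache` would be taken for `apache`; use strcmp. getgrgid() also returns a static buffer, which is fine in single-threaded init but deserves a comment, and the read-bit test that closes the function continues past this hunk.
```c
    if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
        == APR_SUCCESS) {
        if (gid == finfo.group) {
            in_group = PR_TRUE;
        } else if ((gr = getgrgid(finfo.group)) != NULL && gr->gr_mem != NULL) {
            /* A failed lookup only means we cannot prove membership; the
             * owner/world bits below still decide. getgrgid() returns a
             * static buffer (single-threaded init only). Names are
             * case-sensitive, so compare exactly. */
            for (i = 0; gr->gr_mem[i] != NULL; i++) {
                if (strcmp(user, gr->gr_mem[i]) == 0) {
                    in_group = PR_TRUE;
                    break;
                }
            }
        }
        /* … unchanged: owner/group/world read-bit test … */
```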
apr_snprintf(filepath, 1024, "%s/cert8.db",
+ mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS cert "
+ "database %s.", mc->user, filepath);
+@@ -219,7 +240,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ }
+ apr_snprintf(filepath, 1024, "%s/secmod.db",
+ mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS secmod "
+ "database %s.", mc->user, filepath);
+--
+2.9.3
+
diff --git a/SOURCES/mod_nss-invalid-protocol-setting.patch b/SOURCES/mod_nss-invalid-protocol-setting.patch
new file mode 100644
index 0000000..4e12a53
--- /dev/null
+++ b/SOURCES/mod_nss-invalid-protocol-setting.patch
@@ -0,0 +1,29 @@
+From dc6afabbd94fa5b8e1da286ba387814e5df70ff1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 3 Feb 2017 08:06:14 -0500
+Subject: [PATCH] Make an invalid protocol setting fatal
+
+An invalid protocol setting would end up with the default
+list which is a bit unexpected so kill the server and let
+the admin figure out what went wrong and fix it.
+
+Resolves BZ 1389114
+---
+ nss_engine_init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nss_engine_init.c b/nss_engine_init.c
+index 03ac644..0bb2054 100644
+--- a/nss_engine_init.c
++++ b/nss_engine_init.c
+@@ -785,6 +785,7 @@ static void nss_init_ctx_protocol(server_rec *s,
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "%s: Unknown protocol '%s' not supported",
+ protocol_marker, token);
++ nss_die();
+ }
+ }
+ }
+--
+2.9.3
+
diff --git a/SOURCES/mod_nss-nss_pcache_man.patch b/SOURCES/mod_nss-nss_pcache_man.patch
new file mode 100644
index 0000000..bf29bdc
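Review bot: The log call directly above the added `nss_die();` is still issued at APLOG_WARNING, so the only line explaining why httpd exited is logged at a level that does not signal a fatal condition and is easy to miss when LogLevel is raised to error; since the outcome is now fatal it should read `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,`. The other fatal configuration paths in nss_engine_init.c visible in this series guard the exit with `if (mc->nInitCount == 1) nss_die(); else return;`, whereas this call is unconditional; if nss_init_ctx_protocol is reached again on a graceful restart, a typo in NSSProtocol would then kill a running server instead of being reported, so either confirm that is intended or add the same guard. The function, and whether the module config is reachable from it, lies outside the hunk.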
--- /dev/null
+++ b/SOURCES/mod_nss-nss_pcache_man.patch
@@ -0,0 +1,67 @@
+From e50c94c0e52659633418d590ac68001e44fb5edf Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 10 May 2017 12:32:34 -0400
+Subject: [PATCH] Update nss_pcache.8 man page to drop directory and prefix
+
+I missed updating this when I made the change to drop sharing the
+NSS database between Apache and nss_pcache.
+---
+ nss_pcache.8 | 31 ++-----------------------------
+ 1 file changed, 2 insertions(+), 29 deletions(-)
+
+diff --git a/nss_pcache.8 b/nss_pcache.8
+index 1641f48..5e9743f 100644
+--- a/nss_pcache.8
++++ b/nss_pcache.8
+@@ -14,12 +14,12 @@
+ .\"
+ .\" Author: Rob Crittenden
+ .\"
+-.TH "nss_pcache" "8" "Jul 1 2013" "Rob Crittenden" ""
++.TH "nss_pcache" "8" "May 10 2017" "Rob Crittenden" ""
+ .SH "NAME"
+ nss_pcache \- Helper program used to store token password pins
+
+ .SH "SYNOPSIS"
+-nss_pcache [prefix]
++nss_pcache
+
+ .SH "DESCRIPTION"
+ A helper program used by the Apache \fBhttpd\fP mod_nss plug-in to store the NSS PKCS #11 token password pins between restarts of Apache.
+@@ -55,33 +55,6 @@ tab(;);
+ ll,ll.
+ ;NSSFIPS on
+ .TE
+-.TP
+-.B
+-Specifies the destination directory of the NSS databases that will be associated with this executable specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP:
+-.IP
+-.TS
+-tab(;);
+-ll,ll.
+-;# Server Certificate Database:
+-;# The NSS security database directory that holds the
+-;# certificates and keys. The database consists
+-;# of 3 files: cert8.db, key3.db and secmod.db.
+-;# Provide the directory that these files exist.
+-;NSSCertificateDatabase /etc/httpd/alias
+-.TE
+-.TP
+-.B [prefix]
+-Optional prefix to attach prior to the names of the NSS certificate and key databases contained in the directory referenced by the previous argument and specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP (must be uncommented in order to be utilized):
+-.IP
+-.TS
+-tab(;);
+-ll,ll.
+-;# Database Prefix:
+-;# In order to be able to store multiple NSS databases
+-;# in one directory they need unique names. This option
+-;# sets the database prefix used for cert8.db and key3.db.
+-;#NSSDBPrefix my-prefix-
+-.TE
+
+ .SH BUGS
+ Report bugs to http://bugzilla.redhat.com.
+--
+2.9.3
+
diff --git a/SOURCES/mod_nss-ocsp-tuning-knobs.patch b/SOURCES/mod_nss-ocsp-tuning-knobs.patch
new file mode 100644
index 0000000..3635a34
--- /dev/null
+++ b/SOURCES/mod_nss-ocsp-tuning-knobs.patch
@@ -0,0 +1,303 @@
+From 8d6121731175f3a9a1fa1fbe3752763b0b48a67d Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 31 Oct 2016 15:06:36 -0400
+Subject: [PATCH] Add OCSP cache and timeout tuning knobs
+
+NSS provides functions to control the timeout for connecting to
+an OCSP server and for caching the results. This includes the
+number of responses to cache and the duration to cache them.
+
+Based on a patch by Jack Magne
+---
+ docs/mod_nss.html | 42 ++++++++++++++++++++++++++
+ mod_nss.c | 12 ++++++++
+ mod_nss.h | 8 +++++
+ nss_engine_config.c | 86 +++++++++++++++++++++++++++++++++++++++++++----------
+ nss_engine_init.c | 47 +++++++++++++++++++++++++++++
+ 5 files changed, 179 insertions(+), 16 deletions(-)
+
+diff --git a/docs/mod_nss.html b/docs/mod_nss.html
+index 65d0bd8..655d2f2 100644
+--- a/docs/mod_nss.html
++++ b/docs/mod_nss.html
+@@ -544,6 +544,48 @@ Example
+
+ NSSOCSP on
+
++NSSOCSPTimeout
++
++Configure the maximum time to wait for an OCSP response in seconds.
++There are no constraints or special meanings for this value. The default
++is 60 seconds.
++
++
++Example
++
++NSSOCSPTimeout 30
++
++NSSOCSPCacheSize
++
++Configures the maximum number of entries in the OCSP cache. A value of
++-1 will disable the cache completely. A value of 0 configures an unlimited
++number of cache entries. The default is 1000.
++
++
++Example
++
++NSSOCSPCacheSize 300
++
++NSSOCSPMinCacheEntryDuration
++
++Configure the minimum amount of time an OCSP response is cached in seconds.
++The default is 3600 seconds (1 hour).
++
++
++Example
++
++NSSOCSPMinCacheEntryDuration 30
++
++NSSOCSPMaxCacheEntryDuration
++
++Configure the maximum amount of time an OCSP response is cached in seconds
++before being updated. The default is 86400 seconds (24 hours).
++
++
++Example
++
++NSSOCSPMaxCacheEntryDuration 300
++
+ NSSCipherSuite
+

+ There are two options for configuring the available ciphers. mod_nss
+diff --git a/mod_nss.c b/mod_nss.c
+index 38098c8..dca5a73 100644
+--- a/mod_nss.c
++++ b/mod_nss.c
+@@ -66,6 +66,18 @@ static const command_rec nss_config_cmds[] = {
+ SSL_CMD_SRV(OCSP, FLAG,
+ "OCSP (Online Certificate Status Protocol)"
+ "(`on', `off')")
++ SSL_CMD_SRV(OCSPTimeout, TAKE1,
++ "OCSP Timeout"
++ "(`N' - Max number of seconds to wait for an OCSP response.)")
++ SSL_CMD_SRV(OCSPCacheSize, TAKE1,
++ "OCSP Cache size"
++ "(`N' - number of entries -1 for no cache)")
++ SSL_CMD_SRV(OCSPMinCacheEntryDuration, TAKE1,
++ "OCSP Minimum time until next fetch attempt"
++ "(`N' - Time in seconds)")
++ SSL_CMD_SRV(OCSPMaxCacheEntryDuration, TAKE1,
++ "OCSP Maximum time until next fetch attempt"
++ "(`N' - Time in seconds)")
+ SSL_CMD_SRV(OCSPDefaultResponder, FLAG,
+ "Use a default OCSP Responder"
+ "(`on', `off')")
+diff --git a/mod_nss.h b/mod_nss.h
+index 226f7a8..8643e88 100644
+--- a/mod_nss.h
++++ b/mod_nss.h
+@@ -325,6 +325,10 @@ struct SSLSrvConfigRec {
+ const char *ocsp_url;
+ const char *ocsp_name;
+ BOOL ocsp;
++ int ocsp_timeout;
++ int ocsp_cache_size;
++ int ocsp_min_cache_entry_duration;
++ int ocsp_max_cache_entry_duration;
+ BOOL enabled;
+ BOOL sni;
+ BOOL strict_sni_vhost_check;
+@@ -398,6 +402,10 @@ const char *nss_cmd_NSSSNI(cmd_parms *, void *, int);
+ const char *nss_cmd_NSSStrictSNIVHostCheck(cmd_parms *, void *, int);
+ const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
+ const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
++const char *nss_cmd_NSSOCSPTimeout(cmd_parms *, void *, const char *arg);
++const char *nss_cmd_NSSOCSPCacheSize(cmd_parms *, void *, const char *arg);
++const char *nss_cmd_NSSOCSPMinCacheEntryDuration(cmd_parms *, void *, const char *arg);
++const char *nss_cmd_NSSOCSPMaxCacheEntryDuration(cmd_parms *, void *, const char *arg);
+ const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
+ const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
+ const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
+diff --git a/nss_engine_config.c b/nss_engine_config.c
+index e1fbe41..597d56d 100644
+--- a/nss_engine_config.c
++++ b/nss_engine_config.c
+@@ -129,22 +129,26 @@ static SSLSrvConfigRec *nss_config_server_new(apr_pool_t *p)
+ {
+ SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
+
+- sc->mc = NULL;
+- sc->ocsp = UNSET;
+- sc->ocsp_default = UNSET;
+- sc->ocsp_url = NULL;
+- sc->ocsp_name = NULL;
+- sc->fips = UNSET;
+- sc->enabled = UNSET;
+- sc->sni = TRUE;
+- sc->strict_sni_vhost_check = TRUE;
+- sc->proxy_enabled = UNSET;
+- sc->vhost_id = NULL; /* set during module init */
+- sc->vhost_id_len = 0; /* set during module init */
+- sc->proxy = NULL;
+- sc->server = NULL;
+- sc->proxy_ssl_check_peer_cn = TRUE;
+- sc->session_tickets = FALSE;
++ sc->mc = NULL;
++ sc->ocsp = UNSET;
++ sc->ocsp_timeout = 60;
++ sc->ocsp_cache_size = 1000;
++ sc->ocsp_min_cache_entry_duration = 1*60*60L;
++ sc->ocsp_max_cache_entry_duration = 24*60*60L;
++ sc->ocsp_default = UNSET;
++ sc->ocsp_url = NULL;
++ sc->ocsp_name = NULL;
++ sc->fips = UNSET;
++ sc->enabled = UNSET;
++ sc->sni = TRUE;
++ sc->strict_sni_vhost_check = TRUE;
++ sc->proxy_enabled = UNSET;
++ sc->vhost_id = NULL; /* set during module init */
++ sc->vhost_id_len = 0; /* set during module init */
++ sc->proxy = NULL;
++ sc->server = NULL;
++ sc->proxy_ssl_check_peer_cn = TRUE;
++ sc->session_tickets = FALSE;
+
+ modnss_ctx_init_proxy(sc, p);
+
+@@ -213,6 +217,10 @@ void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv) {
+
+ cfgMerge(mc, NULL);
+ cfgMergeBool(ocsp);
++ cfgMergeInt(ocsp_timeout);
++ cfgMergeInt(ocsp_cache_size);
++ cfgMergeInt(ocsp_min_cache_entry_duration);
++ cfgMergeInt(ocsp_max_cache_entry_duration);
+ cfgMergeBool(ocsp_default);
+ cfgMerge(ocsp_url, NULL);
+ cfgMerge(ocsp_name, NULL);
+@@ -376,6 +384,52 @@ const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
+ return NULL;
+ }
+
++const char *nss_cmd_NSSOCSPTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
++{
++
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->ocsp_timeout = atoi(arg);
++
++ return NULL;
++}
++
++const char *nss_cmd_NSSOCSPCacheSize(cmd_parms *cmd, void *dcfg, const char *arg)
++{
++
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->ocsp_cache_size = atoi(arg);
++
++ if (sc->ocsp_cache_size < -1) {
++ return "NSSOCSPCacheSize: must be >= -1";
++ }
++
++ return NULL;
++}
++
++const char *nss_cmd_NSSOCSPMinCacheEntryDuration(cmd_parms *cmd, void *dcfg,
++ const char *arg)
++{
++
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->ocsp_min_cache_entry_duration = atoi(arg);
++
++ return NULL;
++}
++
++const char *nss_cmd_NSSOCSPMaxCacheEntryDuration(cmd_parms *cmd, void *dcfg,
++ const char *arg)
++{
++
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->ocsp_max_cache_entry_duration = atoi(arg);
++
++ return NULL;
++}
++
+ const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, int flag)
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+diff --git a/nss_engine_init.c b/nss_engine_init.c
+index 14f86d8..2571591 100644
+--- a/nss_engine_init.c
++++ b/nss_engine_init.c
+@@ -174,6 +174,18 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ }
+ }
+
++ if (ocspenabled) {
++ if (sc->ocsp_min_cache_entry_duration > sc->ocsp_max_cache_entry_duration) {
++ ap_log_error(APLOG_MARK,APLOG_ERR, 0, base_server,
++ "OCSP minimum cache duration must be less than the maximum.");
++
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
++ }
++ }
++
+ if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
+ dbdir = (char *)mc->pCertificateDatabase + 4;
+ else
+@@ -343,10 +355,45 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
+ }
+
+ if (ocspenabled) {
++ SECStatus rv;
++
+
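Review bot: All four new directive handlers parse with atoi(), which cannot report an error: `NSSOCSPTimeout abc` silently becomes 0, `NSSOCSPTimeout 30s` becomes 30, and negative values are accepted here and only later cast to PRUint32 in nss_engine_init.c, where `-1` turns into a timeout or cache lifetime of roughly 136 years. NSSOCSPCacheSize is the only handler with any range check, and even it cannot tell a literal `0` (unlimited) from unparseable input. Parse with strtol and reject anything that is not a complete non-negative integer; a small static helper keeps the Timeout and Min/Max duration handlers to one line each (it needs `<errno.h>` and `<limits.h>`, and `cmd->cmd->name` is the directive being parsed), and NSSOCSPCacheSize should use strtol too while keeping its `>= -1` bound.
```c
/* Parse a directive argument as a non-negative int; error string or NULL. */
static const char *nss_parse_nonneg(cmd_parms *cmd, const char *arg, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (*arg == '\0' || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX) {
        return apr_pstrcat(cmd->pool, cmd->cmd->name,
                           ": must be a non-negative integer", NULL);
    }
    *out = (int)v;
    return NULL;
}

const char *nss_cmd_NSSOCSPTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    return nss_parse_nonneg(cmd, arg, &sc->ocsp_timeout);
}
/* … unchanged: NSSOCSPCacheSize (switch to strtol, keep the >= -1 check);
 * NSSOCSPMin/MaxCacheEntryDuration become the same one-liner … */
```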
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
+ "OCSP is enabled.");
+
++ /* Set desired OCSP Cache Settings, values already checked. */
++ rv = CERT_OCSPCacheSettings((PRInt32)sc->ocsp_cache_size,
++ (PRUint32)sc->ocsp_min_cache_entry_duration,
++ (PRUint32)sc->ocsp_max_cache_entry_duration);
++
++ if (rv == SECFailure) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
++ "Unable to set the OCSP cache settings.");
++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
++ "OCSP cache size %d, duration %d - %d seconds.", sc->ocsp_cache_size, sc->ocsp_min_cache_entry_duration, sc->ocsp_max_cache_entry_duration);
++ }
++
++ /* Set OCSP timeout. */
++ rv = CERT_SetOCSPTimeout((PRUint32) sc->ocsp_timeout);
++ if (rv == SECFailure) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
++ "Unable to set the OCSP timeout. (this shouldn't happen.");
++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
++ "OCSP timeout set to %d.", sc->ocsp_timeout);
++ }
++
+ /* We ensure that ocspname and ocspurl are not NULL above. */
+ if (ocspdefault) {
+ SECStatus sv;
+--
+2.9.3
+
diff --git a/SOURCES/mod_nss-pcache_nodbinit.patch b/SOURCES/mod_nss-pcache_nodbinit.patch
new file mode 100644
index 0000000..0968caf
--- /dev/null
+++ b/SOURCES/mod_nss-pcache_nodbinit.patch
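Review bot: The comment `/* Set desired OCSP Cache Settings, values already checked. */` overstates what has been validated: elsewhere in this series only the cache size (`>= -1`) and the min/max ordering are checked, while ocsp_timeout is never range-checked and negative durations pass the ordering test, so the `(PRUint32)` casts here silently turn a negative directive value into a timeout or cache lifetime of about 4e9 seconds instead of an error. Add before the CERT_OCSPCacheSettings() call `if (sc->ocsp_timeout < 0 || sc->ocsp_min_cache_entry_duration < 0) { /* log and nss_die()/return as below */ }`, or better, reject negatives in the directive handlers and reword the comment. CERT_OCSPCacheSettings() and CERT_SetOCSPTimeout() are also process-wide NSS settings while the directives are per-server (SSL_CMD_SRV plus cfgMergeInt), so whichever sc this function reads (defined outside the hunk) wins and a vhost-level value is silently ignored; the documentation should state that these are global. The failure message `"Unable to set the OCSP timeout. (this shouldn't happen."` is missing its closing parenthesis.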
@@ -0,0 +1,163 @@
+From 395280a1e87ce876f3a601c00a429e852bfc9f3b Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 23 Nov 2016 09:53:02 -0500
+Subject: [PATCH] Don't use same NSS db in nss_pcache as mod_nss, use
+ NSS_NoDB_Init()
+
+This is to avoid doing the wrapping within an HSM. There have been
+reports of disconnects which causes future mod_nss children to fail
+to spawn because the PIN cannot be retrieved.
+
+A side-effect is that nss_pcache is only used for storage now. It used
+to also verify that the PIN was correct since it had the NSS database
+with the token available.
+
+mod_nss will be responsible for validating the PIN which it already
+does.
+
+This move is also needed if mod_nss eventually moves to using
+NSS Contexts because multiple databases may be configured at once.
+---
+ docs/mod_nss.html | 4 ++--
+ nss_engine_init.c | 6 ++----
+ nss_pcache.c | 34 ++++++----------------------------
+ nss_pcache.h | 2 +-
+ 4 files changed, 11 insertions(+), 35 deletions(-)
+
+diff --git a/docs/mod_nss.html b/docs/mod_nss.html
+index 655d2f2..c3ae924 100644
+--- a/docs/mod_nss.html
++++ b/docs/mod_nss.html
+@@ -1811,7 +1811,7 @@ httpd.service - The Apache HTTP Server
+ Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
+ CGroup: name=systemd:/system/httpd.service
+ |_____20807 /usr/sbin/httpd -DFOREGROUND
+- |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
++ |_____20808 /usr/libexec/nss_pcache 10027086 off
+ |_____20809 /usr/sbin/httpd -DFOREGROUND
+ |_____20810 /usr/sbin/httpd -DFOREGROUND
+ |_____20811 /usr/sbin/httpd -DFOREGROUND
+@@ -1972,7 +1972,7 @@ httpd.service - The Apache HTTP Server
+ Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
+ CGroup: name=systemd:/system/httpd.service
+ |_____21299 /usr/sbin/httpd -DFOREGROUND
+- |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
++ |_____21300 /usr/libexec/nss_pcache 10289231 on
+ |_____21340 /usr/sbin/httpd -DFOREGROUND
+ |_____21341 /usr/sbin/httpd -DFOREGROUND
+ |_____21342 /usr/sbin/httpd -DFOREGROUND
+diff --git a/nss_engine_init.c b/nss_engine_init.c
+index 2571591..bf90994 100644
+--- a/nss_engine_init.c
++++ b/nss_engine_init.c
+@@ -582,7 +582,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
+
+ /* Do we need to fire up our password helper? */
+ if (mc->nInitCount == 1) {
+- const char * child_argv[6];
++ const char * child_argv[4];
+ apr_status_t rv;
+ struct sembuf sb;
+ char sembuf[32];
+@@ -615,9 +615,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ child_argv[0] = mc->pphrase_dialog_helper;
+ child_argv[1] = sembuf;
+ child_argv[2] = fipsenabled ? "on" : "off";
+- child_argv[3] = mc->pCertificateDatabase;
+- child_argv[4] = mc->pDBPrefix;
+- child_argv[5] = NULL;
++ child_argv[3] = NULL;
+
+ rv = apr_procattr_create(&mc->procattr, mc->pPool);
+
+diff --git a/nss_pcache.c b/nss_pcache.c
+index 5e98adb..d0e457b 100644
+--- a/nss_pcache.c
++++ b/nss_pcache.c
+@@ -131,7 +131,7 @@ void signalhandler(int signo) {
+ * CreatePk11PinStore
+ */
+ int
+-CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin)
++CreatePk11PinStore(Pk11PinStore **out, const char *pin)
+ {
+ int err = PIN_SUCCESS;
+ Pk11PinStore *store;
+@@ -146,29 +146,9 @@ CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin)
+ store->params = 0;
+ store->crypt = 0;
+
+- /* Use the tokenName to find a PKCS11 slot */
+- store->slot = PK11_FindSlotByName((char *)tokenName);
++ store->slot = PK11_GetInternalSlot();
+ if (store->slot == 0) { err = PIN_NOSUCHTOKEN; break; }
+
+- /* Check the password/PIN. This allows access to the token */
+- {
+- SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin);
+-
+- if (rv == SECSuccess)
+- ;
+- else if (rv == SECWouldBlock)
+- {
+- /* NSS returns a blocking error when the pin is wrong */
+- err = PIN_INCORRECTPW;
+- break;
+- }
+- else
+- {
+- err = PIN_SYSTEMERROR;
+- break;
+- }
+- }
+-
+ /* Find the mechanism that this token can do */
+ {
+ const mech_item *tp;
+@@ -349,8 +329,8 @@ int main(int argc, char ** argv)
+ int fipsmode = 0;
+ union semun semarg;
+
+- if (argc < 4 || argc > 5) {
+- fprintf(stderr, "Usage: nss_pcache [prefix]\n");
++ if (argc != 3) {
++ fprintf(stderr, "Usage: nss_pcache \n");
+ exit(1);
+ }
+
+@@ -368,8 +348,7 @@ int main(int argc, char ** argv)
+ /* Set the PKCS #11 strings for the internal token. */
+ PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
+
+- /* Initialize NSS and open the certificate database read-only. */
+- rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
++ rv = NSS_NoDB_Init(NULL);
+
+ if (rv != SECSuccess) {
+ fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
+@@ -436,8 +415,7 @@ int main(int argc, char ** argv)
+ node->next = 0;
+
+ if (err == PIN_SUCCESS)
+- err = CreatePk11PinStore(&node->store,
+- tokenName, tokenpw);
++ err = CreatePk11PinStore(&node->store, tokenpw);
+ memset(tokenpw, 0, strlen(tokenpw));
+ }
+ } else
+diff --git a/nss_pcache.h b/nss_pcache.h
+index 74cb19d..a0b8e62 100644
+--- a/nss_pcache.h
++++ b/nss_pcache.h
+@@ -21,7 +21,7 @@
+
+ typedef struct Pk11PinStore Pk11PinStore;
+
+-int CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin);
++int CreatePk11PinStore(Pk11PinStore **out, const char *pin);
+
+ int Pk11StoreGetPin(char **out, Pk11PinStore *store);
+
+--
+2.9.3
+
diff --git a/SPECS/mod_nss.spec b/SPECS/mod_nss.spec
index 2de3a7c..c075986 100644
--- a/SPECS/mod_nss.spec
+++ b/SPECS/mod_nss.spec
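Review bot: After this hunk CreatePk11PinStore wraps whatever PIN it is handed without ever checking it, since the PK11_CheckUserPassword block is gone, so PIN_INCORRECTPW can no longer originate here and a mistyped PIN is only noticed when mod_nss later logs into the real token; the commit message explains this, the code does not. I would put above `store->slot = PK11_GetInternalSlot();` a comment such as `/* NSS_NoDB_Init(): no token or DB here. The PIN is only wrapped with a session key in the softoken slot and is NOT verified; mod_nss validates it against the real token. */`, and fix the `/* Find the mechanism that this token can do */` comment, which now describes the internal slot rather than the configured token. That comment should also say the wrapping key now lives only in this process's memory rather than on the HSM, because that is the protection trade-off the change makes and it is presumably deliberate. The remainder of CreatePk11PinStore is outside the hunk.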
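Review bot: The failure text after `rv = NSS_NoDB_Init(NULL);` still reads "Unable to initialize NSS database", which points an operator at a database that is no longer opened; `fprintf(stderr, "Unable to initialize NSS (NoDB mode): %d\n", rv);` names what actually failed. The `fipsmode` flag parsed just above this hunk is left as is, yet with no module database loaded it is not obvious that switching the internal module to FIPS still succeeds; that code is outside the hunk, so I would verify it and exit if `PK11_IsFIPS()` does not match the requested mode rather than cache PINs under the wrong token configuration.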
@@ -6,7 +6,7 @@ Name: mod_nss
Version: 1.0.14
-Release: 7%{?dist}
+Release: 10%{?dist}
Summary: SSL/TLS module for the Apache HTTP server
Group: System Environment/Daemons
License: ASL 2.0
@@ -48,6 +48,16 @@ Patch6: mod_nss-remove-r-user-from-hook-fixup.patch
Patch7: mod_nss-clean-semaphore.patch
# Check certificate database directory permissions
Patch8: mod_nss-certdb-permissions.patch
+# Die on invalid Protocol settings
+Patch9: mod_nss-invalid-protocol-setting.patch
+# Handle group membership when testing file perms
+Patch10: mod_nss-group-permissions.patch
+# Add OCSP cache tuning directives
+Patch11: mod_nss-ocsp-tuning-knobs.patch
+# Use NoDBInit in nss_pcache
+Patch12: mod_nss-pcache_nodbinit.patch
+# Update nss_pcache man page to drop directory and prefix
+Patch13: mod_nss-nss_pcache_man.patch
%description
The mod_nss module provides strong cryptography for the Apache Web
@@ -65,6 +75,11 @@ security library.
%patch6 -p1 -b .remove_r_user
%patch7 -p1 -b .semaphore
%patch8 -p1 -b .permissions
+%patch9 -p1 -b .protocol_fatal
+%patch10 -p1 -b .group_permissions
+%patch11 -p1 -b .ocsp_tuning
+%patch12 -p1 -b .pcache_nodbinit
+%patch13 -p1 -b .pcache_man
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
@@ -179,6 +194,20 @@ fi
%{_sbindir}/gencert
%changelog
+* Wed May 10 2017 Rob Crittenden - 1.0.14-10
+- Apply the nss_pcache man page patch (#1382102)
+
+* Wed May 10 2017 Rob Crittenden - 1.0.14-9
+- Update nss_pcache.8 to drop directory and prefix options (#1382102)
+
+- Don't share mod_nss NSS database with nss_pcache (#1382102)
+* Thu Feb 23 2017 Rob Crittenden - 1.0.14-8
+- Fail start start when there are invalid Protocols defined (#1389114)
+- Handle group membership when testing NSS database filesystem
+ permissions (#1395300)
+- Add OCSP cache tuning directives (#1392582)
+- Don't share mod_nss NSS database with nss_pcache (#1382102)
+
* Wed Sep 21 2016 Rob Crittenden - 1.0.14-7 - Add the permission patch to the repository (#1312583)