From 3515f1cca48bde3e1602324b8f760613445df6fe Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Jul 09 2013 19:56:00 +0000 Subject: import mod_revocator-1.0.3-17.el7.src.rpm --- diff --git a/.mod_revocator.metadata b/.mod_revocator.metadata new file mode 100644 index 0000000..57412af --- /dev/null +++ b/.mod_revocator.metadata @@ -0,0 +1 @@ +dd7c812cf8823757dc90ab16e399dd59b343b06a SOURCES/mod_revocator-1.0.3.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/mod_revocator-32-bit-semaphore-fix.patch b/SOURCES/mod_revocator-32-bit-semaphore-fix.patch new file mode 100644 index 0000000..62b9fb5 --- /dev/null +++ b/SOURCES/mod_revocator-32-bit-semaphore-fix.patch @@ -0,0 +1,12 @@ +diff -rupN mod_revocator-1.0.3.patched/mod_rev.c mod_revocator-1.0.3/mod_rev.c +--- mod_revocator-1.0.3.patched/mod_rev.c 2011-10-21 16:21:44.862124000 -0700 ++++ mod_revocator-1.0.3/mod_rev.c 2011-10-21 16:23:11.028211000 -0700 +@@ -74,7 +74,7 @@ apr_status_t rev_module_kill(void *data) + + static void kill_apache(void) { + char buffer[1024]; +- PR_snprintf(buffer, sizeof(buffer), "%lld %s", 0, "kill"); ++ PR_snprintf(buffer, sizeof(buffer), "%ld %s", 0, "kill"); + write(outfd, buffer, strlen(buffer)); + } + diff --git a/SOURCES/mod_revocator-array-size.patch b/SOURCES/mod_revocator-array-size.patch new file mode 100644 index 0000000..d52c7eb --- /dev/null +++ b/SOURCES/mod_revocator-array-size.patch 
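Review bot: The new `PR_snprintf(buffer, sizeof(buffer), "%ld %s", 0, "kill");` in kill_apache still passes an `int` literal for a `long` conversion, so the argument/specifier mismatch that broke 32-bit builds (`%lld` consuming eight bytes of a four-byte `0`) is only moved to LP64 targets, where `%ld` expects eight bytes and `0` supplies four. Making the argument match the specifier, `PR_snprintf(buffer, sizeof(buffer), "%ld %s", 0L, "kill");`, emits the identical `0 kill` text on every ABI. The return value of the following `write(outfd, buffer, strlen(buffer))` is also discarded, so if that write fails or is short the shutdown request is silently lost; at minimum log the failure.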
@@ -0,0 +1,12 @@ +diff -rupN mod_revocator-1.0.3.patched/mod_rev.c mod_revocator-1.0.3/mod_rev.c +--- mod_revocator-1.0.3.patched/mod_rev.c 2011-10-27 13:51:14.452000000 -0700 ++++ mod_revocator-1.0.3/mod_rev.c 2011-10-27 13:58:07.598000000 -0700 +@@ -374,7 +374,7 @@ init_Module(apr_pool_t *p, apr_pool_t *p + semctl(sc->semid,0,IPC_SET,&status); + } + } else if (sc->nInitCount == 2) { +- const char * child_argv[5]; ++ const char * child_argv[6]; + apr_status_t rv; + char sembuf[32]; + char pidbuf[32]; diff --git a/SOURCES/mod_revocator-kill.patch b/SOURCES/mod_revocator-kill.patch new file mode 100644 index 0000000..009bdcd --- /dev/null +++ b/SOURCES/mod_revocator-kill.patch 
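Review bot: `const char * child_argv[6];` fixes the one-element overflow but leaves the size as a bare number that must stay in step with the `child_argv[0]`..`child_argv[5]` assignments further down in init_Module (outside this hunk), which appears to be how the overflow was introduced when the kill patch in this same import added the pid argument without resizing the array. A comment on the declaration, `/* crlhelper semid pid dbdir prefix + NULL terminator; update when adding arguments */`, or an enum of the argument slots used both to size and to index the array, would make the next addition safe.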
@@ -0,0 +1,245 @@ +diff -upN --recursive mod_revocator-1.0.3/crlhelper.cpp mod_revocator-1.0.3-kill/crlhelper.cpp +--- mod_revocator-1.0.3/crlhelper.cpp 2010-04-13 10:11:12.000000000 -0400 ++++ mod_revocator-1.0.3-kill/crlhelper.cpp 2010-11-17 13:53:07.000000000 -0500 +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -107,6 +108,7 @@ int main(int argc, char ** argv) + PRPollDesc pd; + PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; + int semid; ++ pid_t parent_pid; + union semun semarg; + char buf[4096]; + char url[4096]; +@@ -124,18 +126,19 @@ int main(int argc, char ** argv) + while (fd < fdlimit) + close(fd++); + +- if (argc < 3 || argc > 4) { +- fprintf(stderr, "Usage: crlhelper \n"); ++ if (argc < 4 || argc > 5) { ++ fprintf(stderr, "Usage: crlhelper \n"); + exit(1); + } + + semid = strtol(argv[1], NULL, 10); ++ parent_pid = strtol(argv[2], NULL, 10); + + /* Initialize NSPR */ + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256); + + /* Initialize NSS and open the certificate database read-only. */ +- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY); ++ rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? 
argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); + + if (rv != SECSuccess) { + fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); +@@ -187,6 +190,10 @@ int main(int argc, char ** argv) + continue; + } + #endif ++ if (!(strcmp(url, "kill"))) { ++ kill(parent_pid, SIGTERM); ++ continue; ++ } + + /* + * TODO: +diff -upN --recursive mod_revocator-1.0.3/crlmanager.cpp mod_revocator-1.0.3-kill/crlmanager.cpp +--- mod_revocator-1.0.3/crlmanager.cpp 2010-04-13 10:11:11.000000000 -0400 ++++ mod_revocator-1.0.3-kill/crlmanager.cpp 2010-11-17 13:53:07.000000000 -0500 +@@ -66,13 +66,19 @@ RevStatus CRLInstance :: DownloadCRL(con + sb.sem_op = -1; + sb.sem_flg = SEM_UNDO; + if (semop(crlm->semid, &sb, 1) == -1) { +- perror("semop reserve resource"); ++ mystatus.setDetailedError(REV_ERROR_SEMAPHORE_ERROR, ++ "Unable to reserve semaphore resource"); ++ return mystatus; ++ /* perror("semop reserve resource"); */ + } + void* data = get_crl(crlm->infd, crlm->outfd, inurl, timeout, lastfetchtime, &len, mystatus); + /* unlock the pipe */ + sb.sem_op = 1; + if (semop(crlm->semid, &sb, 1) == -1) { +- perror("semop free resource id"); ++ mystatus.setDetailedError(REV_ERROR_SEMAPHORE_ERROR, ++ "Unable to free semaphore resource"); ++ return mystatus; ++ /* perror("semop free resource id"); */ + } + + /* We have a special case. 
If we have an HTTP request and the server +diff -upN --recursive mod_revocator-1.0.3/mod_rev.c mod_revocator-1.0.3-kill/mod_rev.c +--- mod_revocator-1.0.3/mod_rev.c 2010-04-13 10:11:11.000000000 -0400 ++++ mod_revocator-1.0.3-kill/mod_rev.c 2010-11-19 18:43:08.000000000 -0500 +@@ -58,6 +58,8 @@ SECStatus ShutdownRevocation(void *data) + + static pid_t parent_pid; + ++int infd, outfd; /* file descriptors for our semaphore-controlled pipe */ ++ + apr_status_t rev_module_kill(void *data) + { + server_rec *s = (server_rec *)data; +@@ -70,6 +72,12 @@ apr_status_t rev_module_kill(void *data) + return APR_SUCCESS; + } + ++static void kill_apache(void) { ++ char buffer[1024]; ++ PR_snprintf(buffer, sizeof(buffer), "%lld %s", 0, "kill"); ++ write(outfd, buffer, strlen(buffer)); ++} ++ + /* + * Create the global config + */ +@@ -196,6 +204,7 @@ PRBool NESRevocationFailureNotification( + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, + "%s : %s %s", + errMsg, url, subject ? subject : ""); ++ return PR_TRUE; + } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Error updating CRL %s %s : %s", +@@ -208,8 +217,8 @@ PRBool NESRevocationFailureNotification( + if (critical && revocatorInitialized) + { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "Critical CRL update failure. Shutting down server. %d", parent_pid); +- kill(parent_pid, 15); ++ "Critical CRL update failure. Shutting down server pid %d", parent_pid); ++ kill_apache(); + } + } + return PR_TRUE; +@@ -298,11 +307,11 @@ PRBool NESRevocationDownloadNotification + { + /* this CRL is outdated, log it */ + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "CRL %s %s is outdated. Shutting down server. %d", ++ "CRL %s %s is outdated. 
Shutting down server pid %d", + url, subject, parent_pid); + + /* we have to shut down the web server */ +- kill(parent_pid, 15); ++ kill_apache(); + } + } + +@@ -335,6 +344,25 @@ init_Module(apr_pool_t *p, apr_pool_t *p + + sc->nInitCount++; + ++ if (sc->nInitCount == 1) { ++ struct sembuf sb; ++ sc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); ++ if (sc->semid == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to obtain semaphore."); ++ nss_die(); ++ } ++ ++ /* Initialize the semaphore */ ++ sb.sem_num = 0; ++ sb.sem_op = 1; ++ sb.sem_flg = 0; ++ if ((semop(sc->semid, &sb, 1)) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to initialize semaphore."); ++ nss_die(); ++ } ++ + /* The first pass through this function will create the semaphore that + * will be used to lock the pipe. The user is still root at that point + * so for any later calls the semaphore ops will fail with permission +@@ -345,12 +373,11 @@ init_Module(apr_pool_t *p, apr_pool_t *p + status.sem_perm.uid = user_id; + semctl(sc->semid,0,IPC_SET,&status); + } +- +- if (sc->nInitCount == 1) { ++ } else if (sc->nInitCount == 2) { + const char * child_argv[5]; + apr_status_t rv; +- struct sembuf sb; + char sembuf[32]; ++ char pidbuf[32]; + + if (sc->crlhelper == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +@@ -358,29 +385,16 @@ init_Module(apr_pool_t *p, apr_pool_t *p + nss_die(); + } + +- sc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); +- if (sc->semid == -1) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "Unable to obtain semaphore."); +- nss_die(); +- } +- +- /* Initialize the semaphore */ +- sb.sem_num = 0; +- sb.sem_op = 1; +- sb.sem_flg = 0; +- if ((semop(sc->semid, &sb, 1)) == -1) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "Unable to initialize semaphore."); +- nss_die(); +- } +- + PR_snprintf(sembuf, 32, "%d", sc->semid); ++ PR_snprintf(pidbuf, 32, "%d", parent_pid); + child_argv[0] = sc->crlhelper; + child_argv[1] 
= sembuf; +- child_argv[2] = sc->database; +- child_argv[3] = sc->dbprefix; +- child_argv[4] = NULL; ++ child_argv[2] = pidbuf; ++ child_argv[3] = sc->database; ++ child_argv[4] = sc->dbprefix; ++ child_argv[5] = NULL; ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, ++ "Parent PID is %d", parent_pid); + + rv = apr_procattr_create(&sc->procattr, s->process->pool); + +@@ -428,7 +442,6 @@ InitRevocation(apr_pool_t *p, server_rec + void* critical = (void *)sc->crlcritical; + Rev_SetFailureCallbackEntryPoint setfcb = NULL; + Rev_SetDownloadCallbackEntryPoint setncb = NULL; +- int infd, outfd; + + /* Do nothing until Apache is ready to run */ + if (sc->nInitCount < 2) return APR_SUCCESS; +@@ -499,7 +512,10 @@ InitRevocation(apr_pool_t *p, server_rec + free(configstring); + apr_dso_unload(dlh); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, +- "Unable to load secmod module: %d", PR_GetError()); ++ "Unable to load Revocation module, NSS error %d. %s", PR_GetError(), critical ? "" : "CRL retrieval will be disabled."); ++ if (critical) { ++ kill_apache(); ++ } + return APR_EGENERAL; + } + free(configstring); +diff -upN --recursive mod_revocator-1.0.3/reverror.h mod_revocator-1.0.3-kill/reverror.h +--- mod_revocator-1.0.3/reverror.h 2007-06-05 10:38:58.000000000 -0400 ++++ mod_revocator-1.0.3-kill/reverror.h 2010-11-17 13:53:07.000000000 -0500 +@@ -54,6 +54,7 @@ const PRInt32 REV_ERROR_BAD_ISSUER_USAGE + const PRInt32 REV_ERROR_MISSING_CRL_DATA = 1014; + const PRInt32 REV_ERROR_BAD_ISSUER_TRUST = 1015; + const PRInt32 REV_ERROR_NOUPDATE_AVAILABLE = 1016; ++const PRInt32 REV_ERROR_SEMAPHORE_ERROR = 1017; + + #endif + diff --git a/SOURCES/mod_revocator-libpath.patch b/SOURCES/mod_revocator-libpath.patch new file mode 100644 index 0000000..02ad727 --- /dev/null +++ b/SOURCES/mod_revocator-libpath.patch 
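Review bot: In crlhelper.cpp, `parent_pid = strtol(argv[2], NULL, 10);` is fed to the new `kill(parent_pid, SIGTERM)` without any range check, so a malformed or empty argument yields 0 or -1 and kill() then signals the helper's whole process group or every process it is permitted to signal rather than the httpd parent. Reject it right after parsing, `if (parent_pid <= 1) { fprintf(stderr, "crlhelper: invalid parent pid\n"); exit(1); }`, and, if the helper is always spawned directly by the httpd parent, consider cross-checking against `getppid()`. Separately, the new semop error path in crlmanager.cpp returns on the unlock failure after `get_crl()` has already produced `data`, which does not appear to be released on that path; worth confirming who owns that buffer. crlhelper's main() and CRLInstance::DownloadCRL both extend beyond this hunk.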
@@ -0,0 +1,9 @@ +diff -u mod_revocator-1.0.2.orig/revocator.conf mod_revocator-1.0.2/revocator.conf +--- mod_revocator-1.0.2.orig/revocator.conf 2006-08-04 14:49:33.000000000 -0400 ++++ mod_revocator-1.0.2/revocator.conf 2006-10-16 10:10:33.000000000 -0400 +@@ -1,4 +1,4 @@ +-LoadModule rev_module modules/libmodrev.so ++LoadModule rev_module modules/mod_rev.so + + # CRL Engine Switch: + # Enable/Disable CRL retrieval diff --git a/SOURCES/mod_revocator-man.patch b/SOURCES/mod_revocator-man.patch new file mode 100644 index 0000000..71429fd --- /dev/null +++ b/SOURCES/mod_revocator-man.patch 
@@ -0,0 +1,220 @@ +diff -rupN mod_revocator-1.0.3.orig/crlhelper.8 mod_revocator-1.0.3/crlhelper.8 +--- mod_revocator-1.0.3.orig/crlhelper.8 1969-12-31 16:00:00.000000000 -0800 ++++ mod_revocator-1.0.3/crlhelper.8 2013-07-03 18:42:58.000000000 -0700 +@@ -0,0 +1,97 @@ ++.\" A man page for crlhelper ++.\" ++.\" Licensed under the Apache License, Version 2.0 (the "License"); ++.\" you may not use this file except in compliance with the License. ++.\" You may obtain a copy of the License at ++.\" ++.\" http://www.apache.org/licenses/LICENSE-2.0 ++.\" ++.\" Unless required by applicable law or agreed to in writing, software ++.\" distributed under the License is distributed on an "AS IS" BASIS, ++.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++.\" See the License for the specific language governing permissions and ++.\" limitations under the License. ++.\" ++.\" Author: Rob Crittenden ++.\" ++.TH "crlhelper" "8" "Jul 3 2013" "Rob Crittenden" "" ++.SH "NAME" ++crlhelper \- Helper program used to store-and-forward CRLs ++ ++.SH "SYNOPSIS" ++crlhelper [prefix] ++ ++.SH "DESCRIPTION" ++A helper program used by the Apache \fBhttpd\fP mod_revocator plug-in to ++store-and-forward CRLs from upstream to the various Apache processes in ++the preform MPM. This saves each process from having to fetch the CRL itself. ++This is not expected to be run by end-users. ++.PP ++The mod_revocator plug-in requires the mod_nss plug-in to also be registered ++with this Apache \fBhttpd\fP process. 
++.PP ++Whenever an Apache \fBhttpd\fP process configured to use the mod_revocator ++plug-in is started, this program will be automatically invoked via reference ++to the mod_revocator configuration file stored under ++\fB/etc/httpd/conf.d/revocator.conf\fP which contains the following default ++entry: ++.IP ++# CRL Helper: ++.br ++# This helper program does the actual CRL retrieval ++.br ++# ++.br ++# NOTE: Located at '/usr/bin/crlhelper' prior ++.br ++# to 'mod_revocator-1.0.3-16'. ++.br ++# ++.br ++CRLHelper /usr/libexec/crlhelper ++ ++.SH OPTIONS ++.TP ++.B ++The semaphore which corresponds to the mod_revocator plug-in registered with the Apache \fBhttpd\fP process during startup. ++.TP ++.B ++The primary parent pid of the Apache \fBhttpd\fP process into which both the mod_nss and mod_revocator plug-ins have been loaded. ++.TP ++.B ++Since the mod_revocator plug-in depends upon the mod_nss plug-in being configured, this option specifies the destination directory of the NSS databases that will be associated with this executable specified by the following entry in the mod_nss plug-in's \fB/etc/httpd/conf.d/nss.conf\fP configuration file: ++.IP ++.TS ++tab(;); ++ll,ll. ++;# Server Certificate Database: ++;# The NSS security database directory that holds the ++;# certificates and keys. The database consists ++;# of 3 files: cert8.db, key3.db and secmod.db. ++;# Provide the directory that these files exist. ++;NSSCertificateDatabase /etc/httpd/alias ++.TE ++.TP ++.B [prefix] ++Optional prefix to attach prior to the names of the NSS certificate and key databases contained in the directory referenced by the previous argument and specified by the following entry in mod_nss plug-in's \fB/etc/httpd/conf.d/nss.conf\fP configuration file (must be uncommented in order to be utilized): ++.IP ++.TS ++tab(;); ++ll,ll. ++;# Database Prefix: ++;# In order to be able to store multiple NSS databases ++;# in one directory they need unique names. 
This option ++;# sets the database prefix used for cert8.db and key3.db. ++;#NSSDBPrefix my-prefix- ++.TE ++ ++.SH BUGS ++Report bugs to http://bugzilla.redhat.com. ++ ++.SH AUTHORS ++Rob Crittenden . ++ ++.SH COPYRIGHT ++Copyright (c) 2013 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0. ++.PP ++Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. +diff -rupN mod_revocator-1.0.3.orig/crlhelper.cpp mod_revocator-1.0.3/crlhelper.cpp +--- mod_revocator-1.0.3.orig/crlhelper.cpp 2013-07-02 17:03:45.000000000 -0700 ++++ mod_revocator-1.0.3/crlhelper.cpp 2013-07-03 19:08:13.000000000 -0700 +@@ -127,7 +127,7 @@ int main(int argc, char ** argv) + close(fd++); + + if (argc < 4 || argc > 5) { +- fprintf(stderr, "Usage: crlhelper \n"); ++ fprintf(stderr, "Usage: crlhelper [prefix]\n"); + exit(1); + } + +diff -rupN mod_revocator-1.0.3.orig/ldapget.8 mod_revocator-1.0.3/ldapget.8 +--- mod_revocator-1.0.3.orig/ldapget.8 1969-12-31 16:00:00.000000000 -0800 ++++ mod_revocator-1.0.3/ldapget.8 2013-07-03 19:23:11.000000000 -0700 +@@ -0,0 +1,76 @@ ++.\" A man page for ldapget ++.\" ++.\" Licensed under the Apache License, Version 2.0 (the "License"); ++.\" you may not use this file except in compliance with the License. ++.\" You may obtain a copy of the License at ++.\" ++.\" http://www.apache.org/licenses/LICENSE-2.0 ++.\" ++.\" Unless required by applicable law or agreed to in writing, software ++.\" distributed under the License is distributed on an "AS IS" BASIS, ++.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
++.\" See the License for the specific language governing permissions and ++.\" limitations under the License. ++.\" ++.\" Author: Rob Crittenden ++.\" ++.TH "ldapget" "8" "Jul 3 2013" "Rob Crittenden" "" ++.SH "NAME" ++ldapget \- Tool used to fetch URLs via LDAP/LDAPS ++ ++.SH "SYNOPSIS" ++ldapget [NSS database] ++ ++.SH "DESCRIPTION" ++A tool supplied with the Apache \fBhttpd\fP mod_revocator plug-in used to demonstrate how CRLs can be fetched using LDAP/LDAPS without the use of any direct LDAP/LDAPS URLs. ++.PP ++The mod_revocator plug-in requires the mod_nss plug-in to also be registered ++with this Apache \fBhttpd\fP process. ++.PP ++Prior to \fBmod_revocator-1.0.3-16\fP, this tool was located at \fB/usr/bin/ldapget\fP. ++ ++.SH OPTIONS ++.TP ++.B [NSS database] ++Optionally specifies the destination directory where the NSS databases reside. If this parameter is not provided, the location specified in mod_nss plug-in's \fB/etc/httpd/conf.d/nss.conf\fP configuration file will be utilized: ++.IP ++.TS ++tab(;); ++ll,ll. ++;# Server Certificate Database: ++;# The NSS security database directory that holds the ++;# certificates and keys. The database consists ++;# of 3 files: cert8.db, key3.db and secmod.db. ++;# Provide the directory that these files exist. ++;NSSCertificateDatabase /etc/httpd/alias ++.TE ++.TP ++.B ++.br ++The LDAP/LDAPS URL utilized to fetch the CRL. The following entry in mod_revocator plug-in's \fB/etc/httpd/conf.d/revocator.conf\fP configuration file contains a sample utilization of this executable (the line containing \fBldapget\fP must be uncommented in order to be utilized): ++.IP ++.TS ++tab(+); ++ll,ll. +++# CRL URLs: +++# A space delimited list of URLs to retrieve and install. +++# protocol://urldata;update_interval;max_age +++#CRLFile "ldap://ldap.example.com:5000/o=example.net? 
+++usercertificate%3binary?sub?(sn=Jensen)??;30;30" +++\fB#CRLFile "exec:///usr/sbin/ldapget|ldap://ldap.example.com: +++3389/o=example.com?userCertificate%3bbinary?sub? +++(uid=crl)??;30;30"\fP +++#CRLFile "https://ca.example.com:1025/getCRL?op= +++getCRL&issuepoint=MasterCRL;30;30" ++.TE ++ ++.SH BUGS ++Report bugs to http://bugzilla.redhat.com. ++ ++.SH AUTHORS ++Rob Crittenden . ++ ++.SH COPYRIGHT ++Copyright (c) 2013 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0. ++.PP ++Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. +diff -rupN mod_revocator-1.0.3.orig/ldapget.cpp mod_revocator-1.0.3/ldapget.cpp +--- mod_revocator-1.0.3.orig/ldapget.cpp 2010-04-13 07:11:11.000000000 -0700 ++++ mod_revocator-1.0.3/ldapget.cpp 2013-07-03 19:08:38.000000000 -0700 +@@ -45,7 +45,7 @@ main( int argc, char **argv ) + const char *url; + + if (argc < 2 || argc > 4) { +- printf("Usage: %s url\n", argv[0]); ++ printf("Usage: %s [NSS database] \n", argv[0]); + return 1; + } + +diff -rupN mod_revocator-1.0.3.orig/revocator.conf mod_revocator-1.0.3/revocator.conf +--- mod_revocator-1.0.3.orig/revocator.conf 2013-07-02 17:03:44.000000000 -0700 ++++ mod_revocator-1.0.3/revocator.conf 2013-07-03 17:53:11.000000000 -0700 +@@ -15,7 +15,10 @@ CRLUpdateCritical off + + # CRL Helper: + # This helper program does the actual CRL retrieval +-CRLHelper /usr/bin/crlhelper ++# ++# NOTE: Located at '/usr/bin/crlhelper' prior to 'mod_revocator-1.0.3-16'. ++# ++CRLHelper /usr/libexec/crlhelper + + # CRL URLs: + # A space delimited list of URLs to retrieve and install. 
diff --git a/SOURCES/mod_revocator-segfault-fix.patch b/SOURCES/mod_revocator-segfault-fix.patch new file mode 100644 index 0000000..e32dd34 --- /dev/null +++ b/SOURCES/mod_revocator-segfault-fix.patch 
@@ -0,0 +1,73 @@ +diff -rupN mod_revocator-1.0.3.patched/Makefile.am mod_revocator-1.0.3.segfault/Makefile.am +--- mod_revocator-1.0.3.patched/Makefile.am 2010-04-13 07:11:09.000000000 -0700 ++++ mod_revocator-1.0.3.segfault/Makefile.am 2011-10-11 09:41:23.000000000 -0700 +@@ -10,7 +10,7 @@ libmodrev_la_SOURCES = mod_rev.c + libmodrev_la_LDFLAGS = -module -avoid-version + + INCLUDES = -I@apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@ -Imozilla/security/nss/lib/base @ldapsdk_inc@ -Imozilla/security/nss/lib/ckfw +-LIBS = @ldapsdk_lib@ @nspr_lib@ @nss_lib@ @ldapsdk_libs_ssl@ -lssl3 -lsmime3 -lnss3 -lnssb @ldapsdk_libs@ -lplc4 -lplds4 -lnspr4 -lpthread -ldl ++LIBS = @ldapsdk_lib@ @nspr_lib@ @nss_lib@ @ldapsdk_libs_ssl@ -lssl3 -lsmime3 -lnss3 -lnssutil3 -lnssb @ldapsdk_libs@ -lplc4 -lplds4 -lnspr4 -lpthread -ldl + DEFS = -D__REVOCATION_IMPLEMENTATION__=1 @extra_cppflags@ + + # Remove nsprstub.o from libnssckfw.a so we can use our own stub, then +diff -rupN mod_revocator-1.0.3.patched/crlhelper.cpp mod_revocator-1.0.3.segfault/crlhelper.cpp +--- mod_revocator-1.0.3.patched/crlhelper.cpp 2011-10-11 09:18:33.000000000 -0700 ++++ mod_revocator-1.0.3.segfault/crlhelper.cpp 2011-10-11 09:35:53.000000000 -0700 +@@ -229,7 +229,7 @@ int main(int argc, char ** argv) + } + if (NULL == data) { + data = fetch_url(url, 30, lastfetchtime, &len, &errnum); +- if (expired) ++ if (expired) { + if (errnum == CL_NOUPDATE_AVAILABLE) { + node->fetchtime = PR_Now(); + data = node->data; +@@ -243,6 +243,7 @@ int main(int argc, char ** argv) + urlcache = node->next; + } + freeNode(node); ++ } + } + if (data) { + node = (Node *)malloc(sizeof(Node)); +@@ -262,10 +263,11 @@ int main(int argc, char ** argv) + data = node->data; + node->fetchtime = PR_Now(); + node->errnum = errnum; +- if (urlcache) ++ if (urlcache) { + node->next = urlcache; +- else ++ } else { + node->next = NULL; ++ } + urlcache = node; + } + } +diff -rupN mod_revocator-1.0.3.patched/mod_rev.c mod_revocator-1.0.3.segfault/mod_rev.c 
+--- mod_revocator-1.0.3.patched/mod_rev.c 2011-10-11 09:18:33.000000000 -0700 ++++ mod_revocator-1.0.3.segfault/mod_rev.c 2011-10-11 11:15:37.000000000 -0700 +@@ -501,6 +501,23 @@ InitRevocation(apr_pool_t *p, server_rec + apr_os_file_get(&infd, sc->proc.out); + PR_snprintf(configstring, CONFIGLEN, "library=%s name=revocation parameters=\"%s %ld %d %d\"", revocation_library, sc->crlfile ? sc->crlfile : "", sc->semid, infd, outfd); + ++ /* Since NSS now separates some functionality into 'libnssutil3.so', ++ * to prevent a segmentation violation from occurring, it is now ++ * necessary to insure that all executables and libraries are ++ * linked against this library, and that the SECOID_Init() function ++ * is called prior to calling the SECMOD_LoadUserModule() function. ++ */ ++ if (SECOID_Init() != SECSuccess) { ++ free(configstring); ++ apr_dso_unload(dlh); ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, ++ "Unable to initialize SECOID, NSS error %d. %s", PR_GetError(), critical ? "" : "CRL retrieval will be disabled."); ++ if (critical) { ++ kill_apache(); ++ } ++ return APR_EGENERAL; ++ } ++ + mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE); + if (!mod || !mod->loaded) + { diff --git a/SOURCES/mod_revocator-waitpid.patch b/SOURCES/mod_revocator-waitpid.patch new file mode 100644 index 0000000..a2676a8 --- /dev/null +++ b/SOURCES/mod_revocator-waitpid.patch 
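Review bot: The braces added around the `if (expired)` body in crlhelper.cpp now make `freeNode(node);` run for the `errnum == CL_NOUPDATE_AVAILABLE` branch too, which has just set `data = node->data;`, so unless the lines elided between the two inner hunks leave that branch early, `data` points into freed memory when the following `if (data)` block builds the replacement node. If so, the free has to be skipped for that branch, e.g. `if (errnum != CL_NOUPDATE_AVAILABLE) freeNode(node);`, or the payload copied out before the node is released. The new `SECOID_Init()` failure path in mod_rev.c repeats the free/unload/log/kill_apache/return sequence of the `SECMOD_LoadUserModule` failure path verbatim; a small static helper would keep the two in step. main() in crlhelper.cpp and InitRevocation() both extend beyond this hunk.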
@@ -0,0 +1,61 @@ +diff -rupN mod_revocator-1.0.3.orig/exec-client.cpp mod_revocator-1.0.3/exec-client.cpp +--- mod_revocator-1.0.3.orig/exec-client.cpp 2006-10-16 11:16:35.000000000 -0700 ++++ mod_revocator-1.0.3/exec-client.cpp 2012-10-08 13:36:11.093881000 -0700 +@@ -36,6 +36,8 @@ + #ifdef XP_UNIX + #include + #include ++#include ++#include + #endif + + #include "client.h" +@@ -50,6 +52,7 @@ PR_IMPLEMENT(void *)exec_client(const ch + char * separator; + int pfildes[2]; + int pid; ++ int status; + char * tmpurl = NULL; + int ldap = 0; + char * arg; +@@ -105,12 +108,10 @@ PR_IMPLEMENT(void *)exec_client(const ch + int done = 0; + + close(pfildes[1]); +- dup2(pfildes[0],0); +- close(pfildes[0]); + + totalread = 0; + do { +- numbytes = read(0, buffer, (BIG_LINE * 4) - 1); ++ numbytes = read(pfildes[0], buffer, (BIG_LINE * 4) - 1); + if (numbytes > 0) { + buffer[numbytes] = '\0'; + totalread += numbytes; +@@ -125,6 +126,8 @@ PR_IMPLEMENT(void *)exec_client(const ch + } + *errnum = CL_OUT_OF_MEMORY; + free(tmpurl); ++ close(pfildes[0]); ++ waitpid(pid, &status, WNOHANG); + return NULL; + } + sz += (BIG_LINE * 4); +@@ -135,6 +138,8 @@ PR_IMPLEMENT(void *)exec_client(const ch + if (data) free(data); + data = 0; + free(tmpurl); ++ close(pfildes[0]); ++ waitpid(pid, &status, WNOHANG); + return NULL; + } else if (numbytes == 0) { + done = 1; +@@ -148,6 +153,8 @@ PR_IMPLEMENT(void *)exec_client(const ch + } + free(tmpurl); + *len = totalread; ++ close(pfildes[0]); ++ waitpid(pid, &status, 0); + return data; + } + } diff --git a/SPECS/mod_revocator.spec b/SPECS/mod_revocator.spec new file mode 100644 index 0000000..a849791 --- /dev/null +++ b/SPECS/mod_revocator.spec 
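Review bot: The success path now reaps the child with `waitpid(pid, &status, 0);` but never inspects `status`, so an `exec:` helper that exits non-zero after writing partial or error output still has that output returned as CRL data with `*len = totalread`. Before returning, check `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { free(data); /* set *errnum to a CL_ failure code */ return NULL; }` so a failing fetcher is treated as a failed fetch. On the two error paths `waitpid(pid, &status, WNOHANG)` is called while the child is most likely still running, so it reaps nothing and leaves a zombie; since the read end has just been closed, a blocking wait (after terminating the child if it may ignore SIGPIPE) is needed there as well. exec_client() begins before this hunk.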
@@ -0,0 +1,237 @@ +%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} +# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 +%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} + +Name: mod_revocator +Version: 1.0.3 +Release: 17%{?dist} +Summary: CRL retrieval module for the Apache HTTP server +Group: System Environment/Daemons +License: ASL 2.0 +URL: http://directory.fedoraproject.org/wiki/Mod_revocator +Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: nspr-devel >= 4.6, nss-devel >= 3.11.9 +BuildRequires: nss-pkcs11-devel >= 3.11 +BuildRequires: nss-pkcs11-devel-static +BuildRequires: httpd-devel >= 0:2.0.52, apr-devel, apr-util-devel +BuildRequires: pkgconfig, autoconf, automake, libtool +BuildRequires: openldap-devel >= 2.2.29 +Requires: mod_nss >= 1.0.8 +Patch1: mod_revocator-libpath.patch +Patch2: mod_revocator-kill.patch +Patch3: mod_revocator-segfault-fix.patch +Patch4: mod_revocator-32-bit-semaphore-fix.patch +Patch5: mod_revocator-array-size.patch +Patch6: mod_revocator-waitpid.patch +Patch7: mod_revocator-man.patch + +%description +The mod_revocator module retrieves and installs remote +Certificate Revocate Lists (CRLs) into an Apache web server. + +%prep +%setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 + +%build +autoreconf -fvi + +# Needed for ppc64, automake can't be run here +for file in %{_datadir}/automake-*/config.{guess,sub} +do + cp -f $file . 
+done + +CFLAGS="$RPM_OPT_FLAGS" +export CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr` +NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr` + +NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss` +NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss` + +NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss` + +%configure \ + --with-nss-lib=$NSS_LIB_DIR \ + --with-nss-inc=$NSS_INCLUDE_DIR \ + --with-nspr-lib=$NSPR_LIB_DIR \ + --with-nspr-inc=$NSPR_INCLUDE_DIR \ + --with-apr-config --enable-openldap \ + --with-apxs=%{_httpd_apxs} + +make %{?_smp_flags} all + +%install +# The install target of the Makefile isn't used because that uses apxs +# which tries to enable the module in the build host httpd instead of in +# the build root. +rm -rf $RPM_BUILD_ROOT + +mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir} $RPM_BUILD_ROOT%{_httpd_modconfdir} \ + $RPM_BUILD_ROOT%{_libdir}/httpd/modules $RPM_BUILD_ROOT%{_bindir} \ + $RPM_BUILD_ROOT%{_libexecdir} $RPM_BUILD_ROOT%{_sbindir} \ + $RPM_BUILD_ROOT%{_mandir}/man8 + +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +# httpd >= 2.4.x +sed -n /^LoadModule/p revocator.conf > 11-revocator.conf +sed -i /^LoadModule/d revocator.conf +install -m 644 11-revocator.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}/11-revocator.conf +%endif +install -m 644 revocator.conf $RPM_BUILD_ROOT%{_httpd_confdir}/revocator.conf +install -m 755 .libs/libmodrev.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/mod_rev.so +install -m 644 ldapget.8 $RPM_BUILD_ROOT%{_mandir}/man8/ +install -m 644 crlhelper.8 $RPM_BUILD_ROOT%{_mandir}/man8/ +# Ugh, manually create the ldconfig symbolic links +version=`grep -v '^\#' ./libtool-version` +current=`echo $version | cut -d: -f1` +revision=`echo $version | cut -d: -f2` +age=`echo $version | cut -d: -f3` +install -m 755 .libs/librevocation.so.$current.$revision.$age $RPM_BUILD_ROOT%{_libdir}/ +# install missing symlink (was giving no-ldconfig-symlink rpmlint errors) +ldconfig -n 
$RPM_BUILD_ROOT%{_libdir} +(cd $RPM_BUILD_ROOT%{_libdir} && ln -s librevocation.so.$current.$revision.$age librevocation.so.0) +(cd $RPM_BUILD_ROOT%{_libdir} && ln -s librevocation.so.$current.$revision.$age librevocation.so) +install -m 755 ldapget $RPM_BUILD_ROOT%{_sbindir}/ +install -m 755 crlhelper $RPM_BUILD_ROOT%{_libexecdir}/ +# Provide compatibility links to prevent disruption of customized deployments. +# +# NOTE: These links may be deprecated in a future release +# of 'mod_revocator'. +# +ln -s %{_sbindir}/ldapget $RPM_BUILD_ROOT%{_bindir}/ldapget +ln -s %{_libexecdir}/crlhelper $RPM_BUILD_ROOT%{_bindir}/crlhelper + +%clean +rm -rf $RPM_BUILD_ROOT + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root,-) +%doc README LICENSE docs/mod_revocator.html +%{_mandir}/man8/* +%config(noreplace) %{_httpd_confdir}/*.conf +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +%config(noreplace) %{_httpd_modconfdir}/*.conf +%endif +%{_libdir}/httpd/modules/mod_rev.so +# rpmlint will complain that librevocation.so is a shared library but this +# must be ignored because this file is loaded directly by name by the Apache +# module. +%{_libdir}/librevocation.*so* +%{_sbindir}/ldapget +%{_libexecdir}/crlhelper +%{_bindir}/ldapget +%{_bindir}/crlhelper + +%changelog +* Tue Jul 9 2013 Matthew Harmsen - 1.0.3-17 +- Add the following explanation to the 'Brewtap results' textbox in rpmdiff: + The '/etc/httpd/conf.d/revocator.conf' file does not require a man page + because its parameters are sufficiently documented within the + configuration file itself. + The '/etc/httpd/conf.modules.d/11-revocator.conf' file does not require + a man page because the file merely contains the line + 'LoadModule rev_module modules/mod_rev.so' to support httpd + loading of Dynamic Shared Objects ('/etc/httpd/conf/httpd.conf'). 
+ +* Wed Jul 3 2013 Matthew Harmsen - 1.0.3-16 +- Bugzilla Bug #948875 - Man page scan results for mod_revocator +- Moved 'ldapget' from %%bindir to %%sbindir (provided compatibility link) +- Moved 'crlhelper' from %%bindir to %%libexecdir (provided compatibility link) + +* Thu Feb 14 2013 Fedora Release Engineering - 1.0.3-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Oct 8 2012 Matthew Harmsen - 1.0.3-14 +- Bugzilla Bug #861999 - mod_revocator exec CLR URIs fail to load: unable to + load Revocation module, NSS error -8187 - stephen.capstick64@gmail.com + (mod_revocator-waitpid.patch) + +* Fri Jul 20 2012 Fedora Release Engineering - 1.0.3-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Apr 23 2012 Joe Orton - 1.0.3-12 +- use 11- prefix for config file w/2.4 + +* Wed Apr 18 2012 Joe Orton - 1.0.3-11 +- fix deps, packaging for 2.4 (#803074) + +* Fri Jan 13 2012 Fedora Release Engineering - 1.0.3-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Oct 27 2011 Matthew Harmsen - 1.0.3-9 +- Bugzilla Bug #716874 - httpd (32 bit) failed to start if mod_revocator + (32 bit) is installed on ppc64 + +* Fri Oct 21 2011 Matthew Harmsen - 1.0.3-7 +- Bugzilla Bug #716355 - mod_revocator does not shut down httpd server if + expired CRL is fetched +- Bugzilla Bug #716361 - mod_revocator does not bring down httpd server if + CRLUpdate fails + +* Tue Oct 11 2011 Matthew Harmsen - 1.0.3-6 +- Bugzilla Bug #737556 - CRLS are not downloaded when mod_revocator module + is loaded successfully. And no error was thrown in httpd error_log - + mharmsen +- Add 'autoreconf -fvi' to build section - mharmsen +- Fix shutting down Apache if CRLUpdateCritical is on and a CRL + is not available at startup (#654378) - rcritten@redhat.com +- Updated mod_revocator-kill patch. 
The ownership of the semaphore used to + control access to crlhelper was not always changed to the Apache user + (#648546) - rcritten@redhat.com +- Actually apply the patch (#648546) - rcritten@redhat.com +- Fix killing the web server if updatecritical is set (#648546) - + rcritten@redhat.com + +* Mon Mar 7 2011 Rob Crittenden - 1.0.3-4 +- Use correct package name, nss-pkcs11-devel-static (#640293) + +* Tue Feb 08 2011 Fedora Release Engineering - 1.0.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Oct 5 2010 Rob Crittenden - 1.0.3-2 +- Add BuildRequires: nss-pkcs11-static (#640293) + +* Wed Apr 14 2010 Rob Crittenden - 1.0.3-1 +- Update to upstream 1.0.3 + +* Sat Jul 25 2009 Fedora Release Engineering - 1.0.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Mar 04 2009 Robert Scheck - 1.0.2-7 +- Solve the ppc64-redhat-linux-gnu configure target error + +* Wed Feb 25 2009 Fedora Release Engineering - 1.0.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Aug 11 2008 Tom "spot" Callaway - 1.0.2-5 +- fix license tag + +* Mon Feb 25 2008 Rob Crittenden 1.0.2-4 +- The nss package changed the location of the NSS shared libraries to /lib from + /usr/lib. Static libraries remained in /usr/lib. They then updated their + devel package to put symlinks back from /lib to /usr. Respin to pick that up. + BZ 434395. + +* Tue Feb 19 2008 Fedora Release Engineering - 1.0.2-3 +- Autorebuild for GCC 4.3 + +* Wed Dec 5 2007 Rob Crittenden 1.0.2-2 +- Respin to pick up new openldap + +* Mon Oct 16 2006 Rob Crittenden 1.0.2-1 +- Initial build
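Review bot: `make %{?_smp_flags} all` in %build references a macro that is not the standard `%{_smp_mflags}`, so the conditional expands to nothing and the parallel-build flags are silently dropped; `make %{?_smp_mflags} all` is presumably what was intended. In %description, `Certificate Revocate Lists (CRLs)` should read `Certificate Revocation Lists (CRLs)`. The `BuildRoot:` tag, the `%clean` section and the leading `rm -rf $RPM_BUILD_ROOT` in %install are no longer needed on el7 and can be dropped to reduce noise, though they are harmless.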