[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 151/156: update patches, remove upstreamed ones
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:38 UTC 2014
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit b4e755f84c614440edf614d12ccda9cba9f1c9e0
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Jul 2 12:18:56 2014 +0300
update patches, remove upstreamed ones
---
debian/changelog | 5 +-
debian/control | 2 +-
debian/patches/fix_build | 14 --
debian/patches/mod_nss-clientauth.patch | 50 -----
debian/patches/mod_nss-conf.patch | 47 ++---
debian/patches/mod_nss-gencert.patch | 8 +-
debian/patches/mod_nss-httpd24.patch | 135 -------------
debian/patches/mod_nss-lockpcache.patch | 240 ------------------------
debian/patches/mod_nss-negotiate.patch | 184 ------------------
debian/patches/mod_nss-nssverifyclient.patch | 12 --
debian/patches/mod_nss-overlapping_memcpy.patch | 24 ---
debian/patches/mod_nss-pcachesignal.patch | 21 ---
debian/patches/mod_nss-reseterror.patch | 10 -
debian/patches/mod_nss-reverseproxy.patch | 182 ------------------
debian/patches/mod_nss-wouldblock.patch | 12 --
debian/patches/series | 11 --
debian/rules | 5 +
17 files changed, 40 insertions(+), 922 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1ccba54..d8a4fe7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,17 @@
libapache2-mod-nss (1.0.8+git20140226-1) UNRELEASED; urgency=medium
* New upstream snapshot
+ - removed a bunch of patches merged upstream
+ - updated the remaining patches
* mod_nss-conf.patch: Updated paths, use /etc/apache2/nssdb.
* dirs: Create /etc/apache2/nssdb instead.
* control: Use canonical vcs urls.
- * compat: Bump to 9.
+ * compat, control: Bump dh to 9.
* debian/nss.conf: Removed, use the patched upstream conf instead.
* control, rules: Use dh and dh-autoreconf.
* install: Install nss_pcache in /usr/lib/libapache2-mod-nss instead
of /usr/sbin.
+ * rules: Added a gentarball target.
-- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 02 Jul 2014 09:43:00 +0300
diff --git a/debian/control b/debian/control
index f37e5be..691deda 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: web
Priority: extra
Maintainer: Debian 389ds Team <pkg-fedora-ds-maintainers at lists.alioth.debian.org>
Uploaders: Timo Aaltonen <tjaalton at ubuntu.com>
-Build-Depends: debhelper (>= 5),
+Build-Depends: debhelper (>= 9),
dh-apache2,
dh-autoreconf,
apache2-dev (>= 2.4),
diff --git a/debian/patches/fix_build b/debian/patches/fix_build
deleted file mode 100644
index faf70ce..0000000
--- a/debian/patches/fix_build
+++ /dev/null
@@ -1,14 +0,0 @@
-Fix build with Debian's libapr1-dev pkg
-Index: libapache2-mod-nss-1.0.8/configure.in
-===================================================================
---- libapache2-mod-nss-1.0.8.orig/configure.in 2010-05-24 00:57:20.000000000 +0200
-+++ libapache2-mod-nss-1.0.8/configure.in 2010-05-24 00:57:30.000000000 +0200
-@@ -66,7 +66,7 @@
-
- if test -n "$APR_CONFIG"; then
- AC_MSG_RESULT([using $APR_CONFIG. Use --with-apr-config to specify another.])
-- apr_inc=`$APR_CONFIG --includes`
-+ apr_inc=`$APR_CONFIG --cppflags --cflags --includes`
- else
- AC_MSG_ERROR([neither apr-config nor apr-1-config were not found. use --with-apr-config to specify it.])
- fi
diff --git a/debian/patches/mod_nss-clientauth.patch b/debian/patches/mod_nss-clientauth.patch
deleted file mode 100644
index 44f3c97..0000000
--- a/debian/patches/mod_nss-clientauth.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-The first fix is to retrieve the full certificate subject instead of just the
-CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
-
-The second always attempts to retrieve the client certificate in
-nss_hook_ReadReq().
-
-https://bugzilla.redhat.com/show_bug.cgi?id=702437
---- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400
-+++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400
-@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
-
- status = SSL_AuthCertificate(arg, socket, checksig, isServer);
-
-- if (status == SECSuccess) {
-- conn_rec *c = filter_ctx->c;
-- SSLConnRec *sslconn = myConnConfig(c);
--
-- sslconn->client_cert = SSL_PeerCertificate(socket);
-- sslconn->client_dn = NULL;
-- }
-+ /* The certificate is copied to sslconn->client_cert in
-+ * nss_hook_ReadReq()
-+ */
-
- return status;
- }
---- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400
-+++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400
-@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
- nss_util_vhostid(r->pool, r->server));
- }
-
-+ if (sslconn->client_cert != NULL)
-+ CERT_DestroyCertificate(sslconn->client_cert);
-+ sslconn->client_cert = SSL_PeerCertificate(ssl);
-+ sslconn->client_dn = NULL;
-+
- return DECLINED;
- }
-
-@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
- }
-
- if (!sslconn->client_dn) {
-- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
-- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
-+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
-+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
- PORT_Free(cp);
- }
diff --git a/debian/patches/mod_nss-conf.patch b/debian/patches/mod_nss-conf.patch
index affc6c6..bb1d4aa 100644
--- a/debian/patches/mod_nss-conf.patch
+++ b/debian/patches/mod_nss-conf.patch
@@ -1,13 +1,11 @@
---- mod_nss-1.0.6/nss.conf.in.orig 2006-10-20 11:08:42.000000000 -0400
-+++ mod_nss-1.0.6/nss.conf.in 2006-10-23 15:27:22.000000000 -0400
-@@ -8,14 +8,16 @@
- # consult the online docs. You have been warned.
+--- a/nss.conf.in
++++ b/nss.conf.in
+@@ -1,3 +1,4 @@
++<IfModule mod_nss>
#
-
-+LoadModule nss_module modules/mod_nss.so
-+
- #
- # When we also provide SSL we have to listen to the
+ # This is the Apache server configuration file providing SSL support using.
+ # the mod_nss plugin. It contains the configuration directives to instruct
+@@ -13,9 +14,9 @@
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
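Review bot: The new `<IfModule mod_nss>` guard on the first added line of this hunk looks like it will never match, because Apache's IfModule compares its argument against the module's source file name (`mod_nss.c`) or its module identifier (`nss_module`), and the bare name `mod_nss` is neither. If that reading is right, everything the patch now wraps — through the `</IfModule>` added in the last hunk of this file, including `NSSEngine on` and the whole `<VirtualHost>` — would be dropped silently at config parse time, so a host expected to serve TLS simply would not. The mod_ssl guard added in the fourth hunk already uses the file-name form, so the two should agree: `<IfModule mod_nss.c>`. Worth confirming once with `apache2ctl -t -D DUMP_VHOSTS` on a build with the module enabled.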
@@ -19,16 +17,16 @@
##
## SSL Global Context
-@@ -40,7 +42,7 @@
+@@ -40,7 +41,7 @@ NSSPassPhraseDialog builtin
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
--NSSPassPhraseHelper @apache_bin@/nss_pcache
-+NSSPassPhraseHelper /usr/sbin/nss_pcache
+-NSSPassPhraseHelper /usr/libexec/nss_pcache
++NSSPassPhraseHelper /usr/lib/libapache2-mod-nss/nss_pcache
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
-@@ -68,17 +70,17 @@
+@@ -79,11 +80,11 @@ NSSRequireSafeNegotiation off
## SSL Virtual Host Context
##
@@ -42,15 +40,17 @@
#ServerAdmin you at example.com
# mod_nss can log to separate log files, you can choose to do that if you'd like
- # LogLevel is not inherited from httpd.conf.
--#ErrorLog @apache_prefix@/logs/error_log
--#TransferLog @apache_prefix@/logs/access_log
-+ErrorLog /var/log/apache2/error_log
-+TransferLog /var/log/apache2/access_log
- LogLevel warn
+@@ -94,6 +95,9 @@ LogLevel warn
# SSL Engine Switch:
-@@ -113,7 +115,7 @@
+ # Enable/Disable SSL for this virtual host.
++<IfModule mod_ssl.c>
++ SSLEngine off
++</IfModule>
+ NSSEngine on
+
+ # SSL Cipher Suite:
+@@ -133,7 +137,7 @@ NSSNickname Server-Cert
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
@@ -59,7 +59,7 @@
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
-@@ -189,7 +191,7 @@
+@@ -209,7 +213,7 @@ NSSCertificateDatabase @apache_conf@
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
@@ -68,3 +68,8 @@
NSSOptions +StdEnvVars
</Directory>
+@@ -221,3 +225,4 @@ NSSCertificateDatabase @apache_conf@
+
+ </VirtualHost>
+
++</IfModule>
diff --git a/debian/patches/mod_nss-gencert.patch b/debian/patches/mod_nss-gencert.patch
index b328032..c2b2f4d 100644
--- a/debian/patches/mod_nss-gencert.patch
+++ b/debian/patches/mod_nss-gencert.patch
@@ -1,6 +1,6 @@
---- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400
-+++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400
-@@ -82,12 +82,11 @@
+--- a/gencert.in
++++ b/gencert.in
+@@ -83,12 +83,11 @@ fi
DEST=$1
@@ -15,7 +15,7 @@
echo "#####################################################################"
$CERTUTIL -N -d $DEST -f $DEST/pw.txt
-@@ -183,8 +182,4 @@
+@@ -205,8 +204,4 @@ echo "##################################
rm $DEST/pw.txt
rm $DEST/noise
diff --git a/debian/patches/mod_nss-httpd24.patch b/debian/patches/mod_nss-httpd24.patch
deleted file mode 100644
index 4863140..0000000
--- a/debian/patches/mod_nss-httpd24.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c
---- mod_nss/mod_nss.c 2012-06-12 12:23:29.961000000 -0700
-+++ mod_nss-1.0.8/mod_nss.c 2012-06-12 12:00:35.957002099 -0700
-@@ -349,7 +349,7 @@
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
- "Connection to child %ld established "
- "(server %s, client %s)", c->id, sc->vhost_id,
-- c->remote_ip ? c->remote_ip : "unknown");
-+ c->client_ip ? c->client_ip : "unknown");
-
- mctx = sslconn->is_proxy ? sc->proxy : sc->server;
-
-diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h
---- mod_nss/mod_nss.h 2012-06-12 12:23:29.962000000 -0700
-+++ mod_nss-1.0.8/mod_nss.h 2012-06-12 12:00:35.955002240 -0700
-@@ -27,7 +27,6 @@
- #include "http_protocol.h"
- #include "util_script.h"
- #include "util_filter.h"
--#include "mpm.h"
- #include "apr.h"
- #include "apr_strings.h"
- #define APR_WANT_STRFUNC
-@@ -490,7 +489,7 @@
- SECStatus nss_Init_Tokens(server_rec *s);
-
- /* Logging */
--void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
-+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s);
- void nss_die(void);
-
- /* NSS callback */
-diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
---- mod_nss/nss_engine_init.c 2012-06-12 12:23:29.962000000 -0700
-+++ mod_nss-1.0.8/nss_engine_init.c 2012-06-12 12:00:35.955002240 -0700
-@@ -15,7 +15,7 @@
-
- #include "mod_nss.h"
- #include "apr_thread_proc.h"
--#include "ap_mpm.h"
-+#include "mpm_common.h"
- #include "secmod.h"
- #include "sslerr.h"
- #include "pk11func.h"
-diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
---- mod_nss/nss_engine_io.c 2012-06-12 12:23:29.963000000 -0700
-+++ mod_nss-1.0.8/nss_engine_io.c 2012-06-12 12:00:35.956002167 -0700
-@@ -621,13 +621,13 @@
- PR_Close(ssl);
-
- /* log the fact that we've closed the connection */
-- if (c->base_server->loglevel >= APLOG_INFO) {
-+ if (c->base_server->log.level >= APLOG_INFO) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
- "Connection to child %ld closed "
- "(server %s, client %s)",
- c->id,
- nss_util_vhostid(c->pool, c->base_server),
-- c->remote_ip ? c->remote_ip : "unknown");
-+ c->client_ip ? c->client_ip : "unknown");
- }
-
- /* deallocate the SSL connection */
-@@ -1165,7 +1165,7 @@
- filter_ctx = (nss_filter_ctx_t *)(fd->secret);
- c = filter_ctx->c;
-
-- return PR_StringToNetAddr(c->remote_ip, addr);
-+ return PR_StringToNetAddr(c->client_ip, addr);
- }
-
- /*
-diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
---- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700
-+++ mod_nss-1.0.8/nss_engine_kernel.c 2012-06-12 12:00:35.954002314 -0700
-@@ -73,7 +73,7 @@
- /*
- * Log information about incoming HTTPS requests
- */
-- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
-+ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "%s HTTPS request received for child %ld (server %s)",
- (r->connection->keepalives <= 0 ?
-@@ -530,7 +530,7 @@
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Access to %s denied for %s "
- "(requirement expression not fulfilled)",
-- r->filename, r->connection->remote_ip);
-+ r->filename, r->connection->client_ip);
-
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Failed expression: %s", req->cpExpr);
-diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
---- mod_nss/nss_engine_log.c 2012-06-12 12:23:29.964000000 -0700
-+++ mod_nss-1.0.8/nss_engine_log.c 2012-06-12 12:00:35.955002240 -0700
-@@ -321,7 +321,7 @@
- exit(1);
- }
-
--void nss_log_nss_error(const char *file, int line, int level, server_rec *s)
-+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s)
- {
- const char *err;
- PRInt32 error;
-@@ -340,7 +340,7 @@
- err = "Unknown";
- }
-
-- ap_log_error(file, line, level, 0, s,
-+ ap_log_error(file, line, module_index, level, 0, s,
- "SSL Library Error: %d %s",
- error, err);
- }
-diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
---- mod_nss/nss_engine_vars.c 2012-06-12 12:23:29.965000000 -0700
-+++ mod_nss-1.0.8/nss_engine_vars.c 2012-06-12 12:00:35.948002812 -0700
-@@ -178,7 +178,7 @@
- && sslconn && sslconn->ssl)
- result = nss_var_lookup_ssl(p, c, var+4);
- else if (strcEQ(var, "REMOTE_ADDR"))
-- result = c->remote_ip;
-+ result = c->client_ip;
- else if (strcEQ(var, "HTTPS")) {
- if (sslconn && sslconn->ssl)
- result = "on";
-@@ -194,7 +194,7 @@
- if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
- result = nss_var_lookup_nss_version(p, var+12);
- else if (strcEQ(var, "SERVER_SOFTWARE"))
-- result = (char *)ap_get_server_version();
-+ result = (char *)ap_get_server_banner();
- else if (strcEQ(var, "API_VERSION")) {
- result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
- resdup = FALSE;
diff --git a/debian/patches/mod_nss-lockpcache.patch b/debian/patches/mod_nss-lockpcache.patch
deleted file mode 100644
index e14265b..0000000
--- a/debian/patches/mod_nss-lockpcache.patch
+++ /dev/null
@@ -1,240 +0,0 @@
-diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c
---- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500
-+++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500
-@@ -152,6 +152,8 @@
- AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL,
- "SSLLogLevel directive is no longer supported - use LogLevel."),
- #endif
-+ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
-+ "Apache user. Comes from httpd.conf."),
-
- AP_END_CMD
- };
-diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h
---- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500
-+++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500
-@@ -41,6 +41,9 @@
- #include "apr_shm.h"
- #include "apr_global_mutex.h"
- #include "apr_optional.h"
-+#include <sys/types.h>
-+#include <sys/ipc.h>
-+#include <sys/sem.h>
-
- #define MOD_NSS_VERSION AP_SERVER_BASEREVISION
-
-@@ -244,6 +247,9 @@
- struct {
- void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
- } rCtx;
-+
-+ int semid;
-+ const char *user;
- } SSLModConfigRec;
-
- typedef struct SSLSrvConfigRec SSLSrvConfigRec;
-@@ -412,6 +418,7 @@
- const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
- const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
- const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
-+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg);
-
- /* module initialization */
- int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
-diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c
---- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500
-+++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500
-@@ -830,3 +830,12 @@
-
- return NULL;
- }
-+
-+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg)
-+{
-+ SSLModConfigRec *mc = myModConfig(cmd->server);
-+
-+ mc->user = arg;
-+
-+ return NULL;
-+}
-diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c
---- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500
-+++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500
-@@ -312,6 +312,7 @@
- int sslenabled = FALSE;
- int fipsenabled = FALSE;
- int threaded = 0;
-+ struct semid_ds status;
-
- mc->nInitCount++;
-
-@@ -412,10 +413,26 @@
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i");
-
-+ /* The first pass through this function will create the semaphore that
-+ * will be used to lock the pipe. The user is still root at that point
-+ * so for any later calls the semaphore ops will fail with permission
-+ * errors. So switch the user to the Apache user.
-+ */
-+ if (mc->semid) {
-+ uid_t user_id;
-+
-+ user_id = ap_uname2id(mc->user);
-+ semctl(mc->semid, 0, IPC_STAT, &status);
-+ status.sem_perm.uid = user_id;
-+ semctl(mc->semid,0,IPC_SET,&status);
-+ }
-+
- /* Do we need to fire up our password helper? */
- if (mc->nInitCount == 1) {
- const char * child_argv[5];
- apr_status_t rv;
-+ struct sembuf sb;
-+ char sembuf[32];
-
- if (mc->pphrase_dialog_helper == NULL) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-@@ -423,11 +440,31 @@
- nss_die();
- }
-
-+ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
-+ if (mc->semid == -1) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "Unable to obtain semaphore.");
-+ nss_die();
-+ }
-+
-+ /* Initialize the semaphore */
-+ sb.sem_num = 0;
-+ sb.sem_op = 1;
-+ sb.sem_flg = 0;
-+ if ((semop(mc->semid, &sb, 1)) == -1) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "Unable to initialize semaphore.");
-+ nss_die();
-+ }
-+
-+ PR_snprintf(sembuf, 32, "%d", mc->semid);
-+
- child_argv[0] = mc->pphrase_dialog_helper;
-- child_argv[1] = fipsenabled ? "on" : "off";
-- child_argv[2] = mc->pCertificateDatabase;
-- child_argv[3] = mc->pDBPrefix;
-- child_argv[4] = NULL;
-+ child_argv[1] = sembuf;
-+ child_argv[2] = fipsenabled ? "on" : "off";
-+ child_argv[3] = mc->pCertificateDatabase;
-+ child_argv[4] = mc->pDBPrefix;
-+ child_argv[5] = NULL;
-
- rv = apr_procattr_create(&mc->procattr, mc->pPool);
-
-diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c
---- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400
-+++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500
-@@ -279,6 +279,16 @@
- char buf[1024];
- apr_status_t rv;
- apr_size_t nBytes = 1024;
-+ struct sembuf sb;
-+
-+ /* lock the pipe */
-+ sb.sem_num = 0;
-+ sb.sem_op = -1;
-+ sb.sem_flg = SEM_UNDO;
-+ if (semop(parg->mc->semid, &sb, 1) == -1) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-+ "Unable to reserve semaphore resource");
-+ }
-
- snprintf(buf, 1024, "RETR\t%s", token_name);
- rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
-@@ -293,6 +303,13 @@
- */
- memset(buf, 0, sizeof(buf));
- rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
-+ sb.sem_op = 1;
-+ if (semop(parg->mc->semid, &sb, 1) == -1) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-+ "Unable to free semaphore resource");
-+ /* perror("semop free resource id"); */
-+ }
-+
- if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
-diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c
---- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500
-+++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500
-@@ -21,6 +21,9 @@
- #include <pk11func.h>
- #include <secmod.h>
- #include <signal.h>
-+#include <sys/types.h>
-+#include <sys/ipc.h>
-+#include <sys/sem.h>
- #include "nss_pcache.h"
-
- static char * getstr(const char * cmd, int el);
-@@ -70,6 +73,13 @@
- unsigned char *crypt;
- };
-
-+union semun {
-+ int val;
-+ struct semid_ds *buf;
-+ unsigned short *array;
-+ struct seminfo *__buf;
-+};
-+
- /*
- * Node - for maintaining link list of tokens with cached PINs
- */
-@@ -304,15 +314,19 @@
- char * tokenName;
- char * tokenpw;
- int fipsmode = 0;
-+ int semid = 0;
-+ union semun semarg;
-
-- if (argc < 3 || argc > 4) {
-- fprintf(stderr, "Usage: nss_pcache <fips on/off> <directory> <prefix>\n");
-+ if (argc < 4 || argc > 5) {
-+ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n");
- exit(1);
- }
-
- signal(SIGHUP, SIG_IGN);
-
-- if (!strcasecmp(argv[1], "on"))
-+ semid = strtol(argv[1], NULL, 10);
-+
-+ if (!strcasecmp(argv[2], "on"))
- fipsmode = 1;
-
- /* Initialize NSPR */
-@@ -322,7 +336,7 @@
- PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
-
- /* Initialize NSS and open the certificate database read-only. */
-- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY);
-+ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
-
- if (rv != SECSuccess) {
- fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
-@@ -437,6 +451,11 @@
- }
- freeList(pinList);
- PR_Close(in);
-+ /* Remove the semaphore used for locking here. This is because this
-+ * program only goes away when Apache shuts down so we don't have to
-+ * worry about reloads.
-+ */
-+ semctl(semid, 0, IPC_RMID, semarg);
- return 0;
- }
-
-Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig
-Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej
diff --git a/debian/patches/mod_nss-negotiate.patch b/debian/patches/mod_nss-negotiate.patch
deleted file mode 100644
index 28b47a7..0000000
--- a/debian/patches/mod_nss-negotiate.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-
-Index: libapache2-mod-nss/mod_nss.c
-===================================================================
---- libapache2-mod-nss.orig/mod_nss.c 2011-10-06 15:44:26.230899717 +0300
-+++ libapache2-mod-nss/mod_nss.c 2011-10-06 16:40:25.630986828 +0300
-@@ -97,6 +97,14 @@
- SSL_CMD_SRV(Nickname, TAKE1,
- "SSL RSA Server Certificate nickname "
- "(`Server-Cert'")
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ SSL_CMD_SRV(Renegotiation, FLAG,
-+ "Enable SSL Renegotiation (default off) "
-+ "(`on', `off')")
-+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
-+ "If Rengotiation is allowed, require safe negotiation (default off) "
-+ "(`on', `off')")
-+#endif
- #ifdef NSS_ENABLE_ECC
- SSL_CMD_SRV(ECCNickname, TAKE1,
- "SSL ECC Server Certificate nickname "
-Index: libapache2-mod-nss/mod_nss.h
-===================================================================
---- libapache2-mod-nss.orig/mod_nss.h 2011-10-06 15:44:26.230899717 +0300
-+++ libapache2-mod-nss/mod_nss.h 2011-10-06 16:40:25.630986828 +0300
-@@ -269,6 +269,10 @@
- int tls;
- int tlsrollback;
- int enforce;
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ int enablerenegotiation;
-+ int requiresafenegotiation;
-+#endif
- const char *nickname;
- #ifdef NSS_ENABLE_ECC
- const char *eccnickname;
-@@ -383,6 +387,10 @@
- const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
- const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
- const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
-+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
-+#endif
- #ifdef NSS_ENABLE_ECC
- const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
- #endif
-Index: libapache2-mod-nss/nss_engine_config.c
-===================================================================
---- libapache2-mod-nss.orig/nss_engine_config.c 2011-10-06 15:44:26.230899717 +0300
-+++ libapache2-mod-nss/nss_engine_config.c 2011-10-06 16:40:25.630986828 +0300
-@@ -78,6 +78,10 @@
- mctx->tls = PR_FALSE;
- mctx->tlsrollback = PR_FALSE;
-
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ mctx->enablerenegotiation = PR_FALSE;
-+ mctx->requiresafenegotiation = PR_FALSE;
-+#endif
- mctx->enforce = PR_TRUE;
- mctx->nickname = NULL;
- #ifdef NSS_ENABLE_ECC
-@@ -174,6 +178,10 @@
- cfgMerge(eccnickname, NULL);
- #endif
- cfgMerge(enforce, PR_TRUE);
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ cfgMerge(enablerenegotiation, PR_FALSE);
-+ cfgMerge(requiresafenegotiation, PR_FALSE);
-+#endif
- }
-
- static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
-@@ -461,6 +469,26 @@
- return NULL;
- }
-
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+
-+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
-+
-+ return NULL;
-+}
-+
-+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+
-+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
-+
-+ return NULL;
-+}
-+#endif
-+
- #ifdef NSS_ENABLE_ECC
- const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
- void *dcfg,
-Index: libapache2-mod-nss/nss_engine_init.c
-===================================================================
---- libapache2-mod-nss.orig/nss_engine_init.c 2011-10-06 15:44:26.230899717 +0300
-+++ libapache2-mod-nss/nss_engine_init.c 2011-10-06 16:40:25.630986828 +0300
-@@ -548,6 +548,24 @@
- nss_die();
- }
- }
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
-+ mctx->enablerenegotiation ?
-+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
-+ ) != SECSuccess) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "Unable to set SSL renegotiation");
-+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-+ nss_die();
-+ }
-+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
-+ mctx->requiresafenegotiation) != SECSuccess) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "Unable to set SSL safe negotiation");
-+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-+ nss_die();
-+ }
-+#endif
- }
-
- static void nss_init_ctx_protocol(server_rec *s,
-Index: libapache2-mod-nss/nss.conf.in
-===================================================================
---- libapache2-mod-nss.orig/nss.conf.in 2011-10-06 16:40:25.606986828 +0300
-+++ libapache2-mod-nss/nss.conf.in 2011-10-06 16:40:25.630986828 +0300
-@@ -66,6 +66,17 @@
- #NSSRandomSeed startup file:/dev/random 512
- #NSSRandomSeed startup file:/dev/urandom 512
-
-+#
-+# TLS Negotiation configuration under RFC 5746
-+#
-+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
-+# extension. Default off.
-+NSSRenegotiation off
-+
-+# Peer must send Signaling Cipher Suite Value (SCSV) or
-+# Renegotiation Info (RI) extension in ALL handshakes. Default: off
-+NSSRequireSafeNegotiation off
-+
- ##
- ## SSL Virtual Host Context
- ##
-Index: libapache2-mod-nss/nss_engine_log.c
-===================================================================
---- libapache2-mod-nss.orig/nss_engine_log.c 2011-10-06 16:40:25.594986827 +0300
-+++ libapache2-mod-nss/nss_engine_log.c 2011-10-06 16:40:25.630986828 +0300
-@@ -27,7 +27,7 @@
- #define LIBSEC_ERROR_BASE (-8192)
- #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
- #define LIBSSL_ERROR_BASE (-12288)
--#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
-+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
-
- typedef struct l_error_t {
- int errorNumber;
-@@ -296,7 +296,19 @@
- { 99, "Server requires ciphers more secure than those supported by client" },
- { 100, "Peer reports it experienced an internal error" },
- { 101, "Peer user canceled handshake" },
-- { 102, "Peer does not permit renegotiation of SSL security parameters" }
-+ { 102, "Peer does not permit renegotiation of SSL security parameters" },
-+ { 103, "Server cache not configured" },
-+ { 104, "Unsupported extension" },
-+ { 105, "Certificate unobtainable" },
-+ { 106, "Unrecognized name" },
-+ { 107, "Bad certificate status" },
-+ { 108, "Bad certificate hash value" },
-+ { 109, "Unexpected new session ticket" },
-+ { 110, "Malformed new session ticket" },
-+ { 111, "Decompression failure" },
-+ { 112, "Renegotiation not allowed" },
-+ { 113, "Safe negotiation required but not provided by client" },
-+ { 114, "Unexpected uncompressed record" },
- };
-
- void nss_die(void)
diff --git a/debian/patches/mod_nss-nssverifyclient.patch b/debian/patches/mod_nss-nssverifyclient.patch
deleted file mode 100644
index d9858c3..0000000
--- a/debian/patches/mod_nss-nssverifyclient.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -rupN mod_nss-1.0.8.patched/nss_engine_kernel.c mod_nss-1.0.8.989724/nss_engine_kernel.c
---- mod_nss-1.0.8.patched/nss_engine_kernel.c 2007-05-31 14:36:03.000000000 -0700
-+++ mod_nss-1.0.8.989724/nss_engine_kernel.c 2013-10-25 13:32:47.000000000 -0700
-@@ -275,7 +275,7 @@ int nss_hook_Access(request_rec *r)
-
- if (verify == SSL_CVERIFY_REQUIRE) {
- SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
-+ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
- } else if (verify == SSL_CVERIFY_OPTIONAL) {
- SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
diff --git a/debian/patches/mod_nss-overlapping_memcpy.patch b/debian/patches/mod_nss-overlapping_memcpy.patch
deleted file mode 100644
index c60e435..0000000
--- a/debian/patches/mod_nss-overlapping_memcpy.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Bug 669118
-
-memcpy of overlapping memory is no longer allowed by glibc.
-
-This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
-
---- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
-+++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
-@@ -123,13 +123,13 @@
-
- if (buffer->length > inl) {
- /* we have have enough to fill the caller's buffer */
-- memcpy(in, buffer->value, inl);
-+ memmove(in, buffer->value, inl);
- buffer->value += inl;
- buffer->length -= inl;
- }
- else {
- /* swallow remainder of the buffer */
-- memcpy(in, buffer->value, buffer->length);
-+ memmove(in, buffer->value, buffer->length);
- inl = buffer->length;
- buffer->value = NULL;
- buffer->length = 0;
diff --git a/debian/patches/mod_nss-pcachesignal.patch b/debian/patches/mod_nss-pcachesignal.patch
deleted file mode 100644
index cb2e135..0000000
--- a/debian/patches/mod_nss-pcachesignal.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
---- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
-+++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
-@@ -20,6 +20,7 @@
- #include <seccomon.h>
- #include <pk11func.h>
- #include <secmod.h>
-+#include <signal.h>
- #include "nss_pcache.h"
-
- static char * getstr(const char * cmd, int el);
-@@ -309,6 +310,8 @@
- exit(1);
- }
-
-+ signal(SIGHUP, SIG_IGN);
-+
- if (!strcasecmp(argv[1], "on"))
- fipsmode = 1;
-
-Only in mod_nss-1.0.8: nss_pcache.c.rej
diff --git a/debian/patches/mod_nss-reseterror.patch b/debian/patches/mod_nss-reseterror.patch
deleted file mode 100644
index 73ac3e4..0000000
--- a/debian/patches/mod_nss-reseterror.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
-+++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
-@@ -348,6 +348,7 @@
- break;
- }
-
-+ PR_SetError(0, 0);
- rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
-
- if (rc > 0) {
diff --git a/debian/patches/mod_nss-reverseproxy.patch b/debian/patches/mod_nss-reverseproxy.patch
deleted file mode 100644
index 928c92f..0000000
--- a/debian/patches/mod_nss-reverseproxy.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-mod_proxy now sets the requested remote host name. Use this to compare
-to the CN value of the peer certificate and reject the request if they
-do not match (and we are have NSSProxyCheckPeerCN set to on).
-
-diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
---- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
-+++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
-@@ -1028,7 +1028,21 @@
- <br>
- <span style="font-weight: bold;">Example</span><br>
- <br>
--<code>NSSProxyNickname beta</code><br>
-+<code>NSSProxyNickname beta<br>
-+<br>
-+</code><big><big>NSSProxyCheckPeerCN</big></big><br>
-+<br>
-+Compare the CN value of the peer certificate with the hostname being
-+requested. If this is set to on, the default, then the request will
-+fail if they do not match. If this is set to off then this comparison
-+is not done. Note that this test is your only protection against a
-+man-in-the-middle attack so leaving this as on is strongly recommended.<br>
-+<br>
-+<span style="font-weight: bold;">Example</span><br>
-+<br>
-+<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code>
-+on<br>
-+</code><br>
- <h1><a name="Environment"></a>Environment Variables</h1>
- Quite a few environment variables (for CGI and SSI) may be set
- depending on the NSSOptions configuration. It can be expensive to set
-@@ -1435,42 +1449,9 @@
- <h1><a name="FAQ"></a>Frequently Asked Questions</h1>
- Q. Does mod_nss support mod_proxy?<br>
- <br>
--A. In order to use the mod_nss proxy support you will need to build
--your own mod_proxy by applying a patch found in bug <a
-- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>.
--The patch is needed so we can compare the hostname contained in the
--remote certificate with the hostname you meant to visit. This prevents
--man-in-the-middle attacks.<br>
--<br>
--You also have to change the SSL functions that mod_proxy looks to use.
--You'll need to apply this patch:<br>
--<br>
--<code>1038,1039c1038,1039<br>
--< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br>
--< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br>
-----<br>
--> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br>
--> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br>
--1041,1042c1041,1042<br>
--< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
--NULL;<br>
--< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
--= NULL;<br>
-----<br>
--> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
--NULL;<br>
--> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
--= NULL;<br>
--1069,1070c1069,1070<br>
--< proxy_ssl_enable =
--APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br>
--< proxy_ssl_disable =
--APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br>
-----<br>
--> proxy_ssl_enable =
--APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br>
--> proxy_ssl_disable =
--APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br>
--</code><br>
-+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
-+provides a single interface for SSL providers and mod_nss defers to
-+mod_ssl
-+if it is loaded.
- </body>
- </html>
-diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
---- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400
-+++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400
-@@ -142,6 +142,8 @@
- SSL_CMD_SRV(ProxyNickname, TAKE1,
- "SSL Proxy: client certificate Nickname to be for proxy connections "
- "(`nickname')")
-+ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
-+ "SSL Proxy: check the peers certificate CN")
-
- #ifdef IGNORE
- /* Deprecated directives. */
-@@ -238,23 +240,30 @@
- SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
- {
- conn_rec *c = (conn_rec *)arg;
-+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
- PRErrorCode err = PR_GetError();
- SECStatus rv = SECFailure;
- CERTCertificate *peerCert = SSL_PeerCertificate(socket);
-+ const char *hostname_note;
-
- switch (err) {
- case SSL_ERROR_BAD_CERT_DOMAIN:
-- if (c->remote_host != NULL) {
-- rv = CERT_VerifyCertName(peerCert, c->remote_host);
-- if (rv != SECSuccess) {
-- char *remote = CERT_GetCommonName(&peerCert->subject);
-+ if (sc->proxy_ssl_check_peer_cn == TRUE) {
-+ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
-+ apr_table_unset(c->notes, "proxy-request-hostname");
-+ rv = CERT_VerifyCertName(peerCert, hostname_note);
-+ if (rv != SECSuccess) {
-+ char *remote = CERT_GetCommonName(&peerCert->subject);
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-+ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
-+ PORT_Free(remote);
-+ }
-+ } else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host);
-- PORT_Free(remote);
-+ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
- }
- } else {
-- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
-+ rv = SECSuccess;
- }
- break;
- default:
-diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
---- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400
-+++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400
-@@ -306,6 +306,7 @@
- int vhost_id_len;
- modnss_ctx_t *server;
- modnss_ctx_t *proxy;
-+ BOOL proxy_ssl_check_peer_cn;
- };
-
- /*
-@@ -410,6 +411,7 @@
- const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
- const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
- const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
-+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
-
- /* module initialization */
- int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
-diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
---- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400
-+++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400
-@@ -140,6 +140,7 @@
- sc->vhost_id_len = 0; /* set during module init */
- sc->proxy = NULL;
- sc->server = NULL;
-+ sc->proxy_ssl_check_peer_cn = TRUE;
-
- modnss_ctx_init_proxy(sc, p);
-
-@@ -214,6 +215,7 @@
- cfgMergeBool(fips);
- cfgMergeBool(enabled);
- cfgMergeBool(proxy_enabled);
-+ cfgMergeBool(proxy_ssl_check_peer_cn);
-
- modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
-
-@@ -544,6 +546,15 @@
- return NULL;
- }
-
-+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+
-+ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
-+
-+ return NULL;
-+}
-+
- const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
- void *dcfg,
- int flag)
diff --git a/debian/patches/mod_nss-wouldblock.patch b/debian/patches/mod_nss-wouldblock.patch
deleted file mode 100644
index 405b67a..0000000
--- a/debian/patches/mod_nss-wouldblock.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
-+++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
-@@ -259,7 +259,8 @@
- */
- if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
- || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
-- return 0;
-+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
-+ return -1;
- }
-
- if (inctx->rc != APR_SUCCESS) {
diff --git a/debian/patches/series b/debian/patches/series
index 01f1e74..e477741 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,14 +1,3 @@
-fix_build
speling_fixes
mod_nss-conf.patch
mod_nss-gencert.patch
-mod_nss-wouldblock.patch
-mod_nss-negotiate.patch
-mod_nss-reverseproxy.patch
-mod_nss-pcachesignal.patch
-mod_nss-reseterror.patch
-mod_nss-lockpcache.patch
-mod_nss-overlapping_memcpy.patch
-mod_nss-httpd24.patch
-mod_nss-clientauth.patch
-mod_nss-nssverifyclient.patch
diff --git a/debian/rules b/debian/rules
index d75b284..5832e6b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,7 @@
#!/usr/bin/make -f
#export DH_VERBOSE=1
+SOURCE=libapache2-mod-nss
override_dh_auto_configure:
dh_auto_configure -- \
@@ -14,3 +15,7 @@ override_dh_install:
%:
dh $@ --with autoreconf,apache2
+
+gentarball: UV=$(shell dpkg-parsechangelog|awk '/^Version:/ {print $$2}'|sed 's/-.*$$//')
+gentarball:
+ git archive --format=tar upstream --prefix=$(SOURCE)-$(UV)/ | xz --best > ../$(SOURCE)_$(UV).orig.tar.xz
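Review bot: The gentarball recipe lets a failed `git archive` go unnoticed, because the recipe's exit status is that of the last command in the pipeline (`xz`), so a missing or wrong `upstream` ref still yields a successful make run and a syntactically valid but empty `../$(SOURCE)_$(UV).orig.tar.xz`. Writing the archive to a file first and compressing it in a second command makes each step fail the target on its own: `git archive --format=tar --prefix=$(SOURCE)-$(UV)/ -o ../$(SOURCE)_$(UV).orig.tar upstream` followed by `xz --best ../$(SOURCE)_$(UV).orig.tar`. The `UV=` extraction strips only the Debian revision with `sed 's/-.*$$//'`, so if the package ever gained an epoch it would end up in the tarball name; `dpkg-parsechangelog -SVersion` would at least avoid the awk step, though the epoch handling would still need a decision. The recipe depends on the `SOURCE=` variable added in the earlier hunk of this file, which is fine but worth a one-line comment such as `# gentarball: build ../$(SOURCE)_$(UV).orig.tar.xz from the upstream branch` above the target.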