[Pkg-fedora-ds-maintainers] libapache2-mod-nss: Changes to 'upstream'

Timo Aaltonen tjaalton at moszumanska.debian.org
Thu Oct 22 09:11:44 UTC 2015


 .gitignore             |    1 
 ChangeLog              |   44 +++++++
 Makefile.am            |   23 ++-
 README                 |   14 ++
 acinclude.m4           |   92 ++++++++++++++
 configure.ac           |   24 +++
 docs/mod_nss.html      |   67 +++++++++-
 gencert.in             |   71 ++++++++++-
 mod_nss.c              |   37 ++++-
 mod_nss.h              |   53 +++++++-
 nss_engine_cipher.c    |  255 +++++++++++++++++++++++++++++++++++-----
 nss_engine_cipher.h    |   89 +++++++++-----
 nss_engine_config.c    |   96 +++++++++++----
 nss_engine_init.c      |  308 +++++++++++++++++++++++++++++++++++++++++--------
 nss_engine_io.c        |  134 +++++++++++++++++----
 nss_engine_kernel.c    |  150 ++++++++++++++++++++---
 nss_engine_log.c       |   16 +-
 nss_engine_pphrase.c   |   20 +--
 nss_engine_rand.c      |    4 
 nss_engine_vars.c      |   52 +++++---
 nss_expr_eval.c        |    2 
 nss_pcache.c           |   14 +-
 nss_util.c             |   57 ++++++++-
 test/README.sni        |   30 ++++
 test/createinstance.sh |   77 +++++++-----
 test/httpd.conf.tmpl   |    2 
 test/printenv.pl       |   11 +
 test/setup.sh          |   20 +++
 test/sni.tmpl          |   28 ++++
 test/suite1.tmpl       |  184 ++++++++++++++++++-----------
 test/test.py           |   53 +++++++-
 test/test_cipher.py    |  291 ++++++++++++++++++++++++++++++++--------------
 test/test_config.py    |   41 ++++--
 test/test_request.py   |   35 ++++-
 test/testsni.py        |  109 +++++++++++++++++
 test_cipher.c          |   40 +++++-
 36 files changed, 2062 insertions(+), 482 deletions(-)

New commits:
commit 3e91d3dbc5ded79d42a02edcce7b6a0d895ecdeb
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Fri Oct 2 17:07:58 2015 -0400

    Become 1.0.12

diff --git a/ChangeLog b/ChangeLog
index d704c81..7bf61d1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
       on reverse proxy requests.
     * Cleanup a bunch of trailing whitespace spread across all the
       source files.
+    * Become 1.0.12
 
 2015-10-01  Rob Crittenden <rcritten at redhat.com>
     * Add compatibility for Apache 2.2 and older versions of NSS.
diff --git a/configure.ac b/configure.ac
index 1e4e778..dd4078e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 # Required initializer
-AC_INIT([mod_nss],[1.0.11])
+AC_INIT([mod_nss],[1.0.12])
 
 m4_include([acinclude.m4])
 

commit 4b2297ac9ac2d60912df1d47cc2553580ea1962f
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Fri Oct 2 14:29:15 2015 -0400

    Fix memory leaks, uninit var, invalid read
    
    Issues reported from valgrind.
    
    The invalid read came from using SNI hostInfo data directly. Just
    use the copy we apr_strndup() instead and all is well.
    
    The SNI hostInfo values were leaking. I had removed the calls
    to SECITEM_FreeItem at some point and forgotten to re-add them.
    
    mc->semid was not explicitly initialized so could have blown up
    if the compiler didn't automatically set it to 0. Explicitly set
    it to make warning go away (and to be safe).

diff --git a/nss_engine_config.c b/nss_engine_config.c
index 0b4b8b0..c0c7155 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -53,6 +53,7 @@ SSLModConfigRec *nss_config_global_create(server_rec *s)
     mc->pphrase_dialog_path         = NULL;
     mc->aRandSeed                   = apr_array_make(pool, 4,
                                                      sizeof(ssl_randseed_t));
+    mc->semid                       = 0;
 
     apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
                           apr_pool_cleanup_null,
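Review bot: Setting `mc->semid = 0` fixes this one field, but the record is initialised member by member, so any field missing from the list still starts with whatever the allocator left behind; if `mc` comes from `apr_palloc` (the allocation is above the hunk and not visible) then `apr_pcalloc(pool, sizeof(*mc))` would give every member a zero default and make this class of uninitialised-read structurally impossible. It is also worth confirming that the semaphore cleanup code does not treat 0 as a live id — SysV `semget` returns non-negative ids, so a sentinel such as -1, checked before removal, may be the safer "not created" value. nss_config_global_create starts outside the hunk.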
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 211752c..95a5867 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -1205,6 +1205,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
             nnptr++;
             nn--;
         }
+        PORT_FreeArena(certNickDNS->arena, PR_FALSE);
     }
 
     /* Subject/hostname check */
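Review bot: The loop just above the new `PORT_FreeArena` passes `*nnptr`, strings that live in `certNickDNS->arena`, to `addHashVhostNick(*nnptr, nickname)`; if that helper stores the pointer instead of copying the name into its own storage, freeing the arena leaves the vhost hash keyed by dangling memory, so the copy should be confirmed before this lands (addHashVhostNick is not in this diff). If it does copy, a comment such as `/* nicknames were copied into the vhost hash above; release the DNS-name arena */` would make the ordering constraint explicit for the next reader. nss_init_certificate starts and ends outside the hunk.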
@@ -1787,6 +1788,10 @@ PRInt32 nssSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
         "SNI: Successfully paired vhost %s with nickname: %s", vhost, nickName);
 
+    apr_pool_destroy(str_p);
+    SECKEY_DestroyPrivateKey(privKey);
+    CERT_DestroyCertificate(cert);
+
     return 0;
 
 loser:
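Review bot: The three releases added before `return 0;` are the same cleanup the `loser:` path below must perform for `str_p`, `privKey` and `cert`, so the success and failure exits now carry two copies of it; the error path is outside the hunk, so it is worth confirming it destroys the same three objects (both `SECKEY_DestroyPrivateKey` and `CERT_DestroyCertificate` accept NULL, so a not-yet-acquired object is not a problem there). Destroying the certificate and key right after they were handed to the socket is only safe because the configuring call — presumably `SSL_ConfigSecureServer`, which takes its own copies — no longer needs the caller's references; a one-line comment above the new calls stating that would save the next reader the same check. nssSSLSNISocketConfig starts outside the hunk.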
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index 6c15ac5..7995952 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -90,24 +90,25 @@ int nss_hook_ReadReq(request_rec *r)
                 apr_status_t rv;
                 apr_pool_t *s_p;
 
-                hostInfo->data[hostInfo->len] = '\0';
-                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
-                    "SNI request for %s", (char *)hostInfo->data);
-
                 apr_pool_create(&s_p, NULL);
+
                 servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len);
+                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                    "SNI request for %s", servername);
 
                 if (!r->hostname) {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                         "Hostname %s provided via SNI, but no hostname"
                         " provided in HTTP request", servername);
                     apr_pool_destroy(s_p);
+                    SECITEM_FreeItem(hostInfo, PR_TRUE);
                     return HTTP_BAD_REQUEST;
                 }
 
                 rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
                 if (rv != APR_SUCCESS || scope_id) {
                     apr_pool_destroy(s_p);
+                    SECITEM_FreeItem(hostInfo, PR_TRUE);
                     return HTTP_BAD_REQUEST;
                 }
 
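Review bot: The pair `apr_pool_destroy(s_p); SECITEM_FreeItem(hostInfo, PR_TRUE);` is now repeated on every exit of this block — twice here and twice more in the next hunk of this file — so any future early return that omits either call reintroduces exactly the leak this commit fixes. Since `apr_parse_addr_port` already allocates from `r->pool`, taking the copy with `apr_pstrndup(r->pool, …)` as well would remove `s_p` and half of each cleanup pair, and collecting the outcome in a local status and freeing `hostInfo` once at the end of the block would leave a single release path. Logging `servername` only after `apr_pstrndup` is the right fix for the former write past the end of `hostInfo->data`; a short comment there, e.g. `/* hostInfo->data is not NUL-terminated; work only from the pool copy */`, would record why the copy exists. nss_hook_ReadReq starts and ends outside the hunk.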
@@ -117,9 +118,11 @@ int nss_hook_ReadReq(request_rec *r)
                         " via HTTP are different", servername, host);
 
                     apr_pool_destroy(s_p);
+                    SECITEM_FreeItem(hostInfo, PR_TRUE);
                     return HTTP_BAD_REQUEST;
                 }
                 apr_pool_destroy(s_p);
+                SECITEM_FreeItem(hostInfo, PR_TRUE);
             }
         } else if (((sc->strict_sni_vhost_check)
                    || (mySrvConfig(r->server))->strict_sni_vhost_check)
@@ -927,6 +930,7 @@ int nss_hook_Fixup(request_rec *r)
     if (hostInfo) {
         servername = apr_pstrndup(r->pool, (char *) hostInfo->data, hostInfo->len);
         apr_table_set(env, "SSL_TLS_SNI", servername);
+        SECITEM_FreeItem(hostInfo, PR_TRUE);
     }
 
     /* standard SSL environment variables */

commit fc91e5d5f5bd58f9dec4f7653855fd3b9bfaac81
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Fri Oct 2 14:27:40 2015 -0400

    Fix typo in valgrind in start script, create separate logs
    
    Use the %p option to generate separate logs for each process
    with valgrind.

diff --git a/test/createinstance.sh b/test/createinstance.sh
index f3ed4d7..cc76671 100755
--- a/test/createinstance.sh
+++ b/test/createinstance.sh
@@ -77,7 +77,7 @@ cat << EOF >  start
 MALLOC_CHECK_=3
 MALLOC_PERTURB=9
 HTTPD=/usr/sbin/httpd
-#valgrind --leak-check=full --log-file=valgrind.out --trace-children=yes --track-origins=yes\$HTTPD -X -k start -d . -f ./conf/httpd.conf
+#valgrind --leak-check=full --log-file=valgrind.out.%p --trace-children=yes --track-origins=yes \$HTTPD -X -k start -d . -f ./conf/httpd.conf
 \$HTTPD -k start -d . -f ./conf/httpd.conf
 EOF
 
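Review bot: `MALLOC_PERTURB=9`, two lines above the changed line, is missing the trailing underscore glibc looks for — the variable is `MALLOC_PERTURB_`, as `MALLOC_CHECK_=3` on the preceding line correctly has — so the heap perturbation the start script intends is never applied. As written both are also plain shell assignments inside the generated `start` script; unless it exports them or runs under `set -a` (neither is visible in this hunk) they never reach `$HTTPD`, so `export MALLOC_CHECK_=3` and `export MALLOC_PERTURB_=9` would make both effective for the server process under test.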

commit b09c47fa2acfdb14ce8ef18edb644ec15a740784
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Fri Oct 2 11:29:13 2015 -0400

    Update changelog with reverse proxy SNI and whitespace cleanup

diff --git a/ChangeLog b/ChangeLog
index 3d68334..d704c81 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-10-02  Rob Crittenden <rcritten at redhat.com>
+    * Integrate patch from Stanislav Tokos to set the SNI hostname
+      on reverse proxy requests.
+    * Cleanup a bunch of trailing whitespace spread across all the
+      source files.
+
 2015-10-01  Rob Crittenden <rcritten at redhat.com>
     * Add compatibility for Apache 2.2 and older versions of NSS.
       Tested on RHEL 6.5.

commit 44409398b2bb63a092e16db686f4ddcd2cd88554
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Fri Oct 2 15:34:36 2015 -0400

    Cleanup to remove a slew of trailing whitespace

diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index f073978..37588e8 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -1076,7 +1076,7 @@ Configures whether a non-SNI client is allowed to access a name-based
 VirtualHost. If set to on in the default name-based VirtualHost
 then clients that are SNI unaware cannot access any virtual host. If set
 to on in any other VirtualHost then SNI unaware clients cannot access
-this particular virtual host. 
+this particular virtual host.
 <br>
 <br>
 <span style="font-weight: bold;">Example</span><br>
diff --git a/mod_nss.c b/mod_nss.c
index c58ca47..b3ea6f0 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -133,14 +133,14 @@ static const command_rec nss_config_cmds[] = {
                "Require the SSL protocol for the per-directory context "
                "(no arguments)")
     SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
-               "Require a boolean expression to evaluate to true for granting access" 
+               "Require a boolean expression to evaluate to true for granting access"
                "(arbitrary complex boolean expression - see manual)")
     SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
                 "Configure the amount of memory that will be used for buffering the "
                 "request body if a per-location SSL renegotiation is required due to "
                 "changed access control requirements")
 
-    /* 
+    /*
      * Proxy configuration for remote SSL connections
      */
     SSL_CMD_SRV(ProxyEngine, FLAG,
@@ -160,14 +160,14 @@ static const command_rec nss_config_cmds[] = {
 
 #ifdef IGNORE
     /* Deprecated directives. */
-    AP_INIT_RAW_ARGS("NSSLog", ap_set_deprecated, NULL, OR_ALL, 
+    AP_INIT_RAW_ARGS("NSSLog", ap_set_deprecated, NULL, OR_ALL,
       "SSLLog directive is no longer supported - use ErrorLog."),
-    AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL, 
+    AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL,
       "SSLLogLevel directive is no longer supported - use LogLevel."),
 #endif
     AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
                   "Apache user. Comes from httpd.conf."),
-    
+
     AP_END_CMD
 };
 
@@ -273,7 +273,7 @@ SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
     SECStatus rv = SECFailure;
     CERTCertificate *peerCert = SSL_PeerCertificate(socket);
     const char *hostname_note;
-                                                                                
+
     switch (err) {
         case SSL_ERROR_BAD_CERT_DOMAIN:
             if (sc->proxy_ssl_check_peer_cn == TRUE) {
@@ -329,7 +329,7 @@ static SECStatus NSSGetClientAuthData(void *arg, PRFileDesc *socket,
             } else {
                 CERT_DestroyCertificate(cert);
             }
-        } 
+        }
 
         if (rv == SECSuccess) {
             *pRetCert = cert;
@@ -374,7 +374,7 @@ static int nss_hook_pre_connection(conn_rec *c, void *csd)
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                  "Connection to child %ld established "
-                 "(server %s, client %s)", c->id, sc->vhost_id, 
+                 "(server %s, client %s)", c->id, sc->vhost_id,
 #if AP_SERVER_MINORVERSION_NUMBER <= 2
                  c->remote_ip ? c->remote_ip : "unknown");
 #else
@@ -462,7 +462,7 @@ static apr_port_t nss_hook_default_port(const request_rec *r)
 static void nss_register_hooks(apr_pool_t *p)
 {
     /* nss_hook_ReadReq needs to use the BrowserMatch settings so must
-     * run after mod_setenvif's post_read_request hook. */ 
+     * run after mod_setenvif's post_read_request hook. */
     static const char *pre_prr[] = { "mod_setenvif.c", NULL };
 
     nss_io_filter_register(p);
diff --git a/mod_nss.h b/mod_nss.h
index 5c1d642..06710e4 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -147,7 +147,7 @@ ap_set_module_config(c->conn_config, &nss_module, val)
 #define SSL_SESSION_CACHE_TIMEOUT  100
 #endif
 
-#ifndef SSL3_SESSION_CACHE_TIMEOUT 
+#ifndef SSL3_SESSION_CACHE_TIMEOUT
 #define SSL3_SESSION_CACHE_TIMEOUT  86400
 #endif
 
@@ -176,7 +176,7 @@ typedef int nss_opt_t;
 
 /*
  * Define the SSL requirement structure
- */ 
+ */
 typedef struct {
     char     *cpExpr;
     nss_expr *mpExpr;
@@ -231,7 +231,7 @@ typedef enum {
 typedef struct {
     PRFileDesc *ssl;
     const char *client_dn;
-    CERTCertificate *client_cert; 
+    CERTCertificate *client_cert;
     int is_proxy;
     int disabled;
     int non_nss_request;
@@ -282,7 +282,7 @@ typedef struct {
 
 typedef struct {
     SSLSrvConfigRec *sc; /* pointer back to server config */
-    
+
     char *cipherSuite;
 
     int as_server;
@@ -376,7 +376,7 @@ typedef struct regex_t ap_regex_t;
 #define AP_REG_NOSUB REG_NOSUB
 #define AP_REG_ICASE REG_ICASE
 #endif
- 
+
 /*
  *  function prototypes
  */
@@ -455,7 +455,7 @@ void         nss_var_log_config_register(apr_pool_t *p);
 
 APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
                         (apr_pool_t *, server_rec *,
-                         conn_rec *, request_rec *, 
+                         conn_rec *, request_rec *,
                          char *));
 
 /* An optional function which returns non-zero if the given connection
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index 5ea1f53..b0b51e4 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -155,7 +155,7 @@ int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum
 
 
 /* Given a set of ciphers perform a given action on the indexed value.
- * 
+ *
  * This is needed because the + action doesn't do anything in the NSS
  * context. In OpenSSL it will re-order the cipher list.
  */
diff --git a/nss_engine_config.c b/nss_engine_config.c
index 0945380..0b4b8b0 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -126,7 +126,7 @@ static void modnss_ctx_init_server(SSLSrvConfigRec *sc,
 static SSLSrvConfigRec *nss_config_server_new(apr_pool_t *p)
 {
     SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
-    
+
     sc->mc                          = NULL;
     sc->ocsp                        = UNSET;
     sc->ocsp_default                = UNSET;
@@ -250,13 +250,13 @@ void *nss_config_perdir_create(apr_pool_t *p, char *dir) {
 
     return dc;
 }
- 
+
 const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg)
 {
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
 
     dc->bSSLRequired = TRUE;
- 
+
     return NULL;
 }
 
@@ -334,16 +334,16 @@ const char *nss_cmd_NSSEngine(cmd_parms *cmd, void *dcfg, int flag)
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
     sc->enabled = flag ? TRUE : FALSE;
- 
+
     return NULL;
 }
 
 const char *nss_cmd_NSSFIPS(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-    
+
     sc->fips = flag ? TRUE : FALSE;
- 
+
     return NULL;
 }
 
@@ -521,7 +521,7 @@ const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
     sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
- 
+
     return NULL;
 }
 
@@ -530,7 +530,7 @@ const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int fl
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
     sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
- 
+
     return NULL;
 }
 #endif
@@ -551,12 +551,12 @@ const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
 const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- 
+
     sc->proxy_enabled = flag ? TRUE : FALSE;
 
     return NULL;
 }
- 
+
 const char *nss_cmd_NSSProxyProtocol(cmd_parms *cmd,
                                      void *dcfg,
                                      const char *arg)
@@ -573,12 +573,12 @@ const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *cmd,
                                         const char *arg)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- 
+
     sc->proxy->auth.cipher_suite = arg;
- 
+
     return NULL;
 }
- 
+
 const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd,
                                 void *dcfg,
                                 const char *arg)
@@ -606,7 +606,7 @@ const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
     sc->server->enforce = flag ? PR_TRUE : PR_FALSE;
- 
+
     return NULL;
 }
 
@@ -716,16 +716,16 @@ const char *nss_cmd_NSSRandomSeed(cmd_parms *cmd,
                                   const char *arg1,
                                   const char *arg2,
                                   const char *arg3)
-{   
+{
     SSLModConfigRec *mc = myModConfig(cmd->server);
     const char *err;
     ssl_randseed_t *seed;
     int arg2len = strlen(arg2);
-    
+
     if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
         return err;
     }
-    
+
     /* Only run through this once. Otherwise the random seed sources are
      * pushed into the array for each server start (and we are guaranteed 2) */
     if (mc->nInitCount >= 1) {
@@ -823,10 +823,10 @@ const char *nss_cmd_NSSOptions(cmd_parms *cmd,
                                const char *arg)
 {
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
-    nss_opt_t opt;   
-    int first = TRUE; 
-    char action, *w; 
- 
+    nss_opt_t opt;
+    int first = TRUE;
+    char action, *w;
+
     while (*arg) {
         w = ap_getword_conf(cmd->pool, &arg);
         action = NUL;
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 00d8d8b..211752c 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -47,12 +47,12 @@ static char *version_components[] = {
     "SSL_VERSION_INTERFACE",
     "SSL_VERSION_LIBRARY",
     NULL
-}; 
+};
 
 static char *nss_add_version_component(apr_pool_t *p,
                                        server_rec *s,
                                        char *name)
-{   
+{
     char *val = nss_var_lookup(p, s, NULL, NULL, name);
 
     if (val && *val) {
@@ -61,7 +61,7 @@ static char *nss_add_version_component(apr_pool_t *p,
 
     return val;
 }
- 
+
 static void nss_add_version_components(apr_pool_t *p,
                                        server_rec *s)
 {
@@ -88,7 +88,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
 {
     SECStatus rv;
     SSLModConfigRec *mc = myModConfig(base_server);
-    SSLSrvConfigRec *sc; 
+    SSLSrvConfigRec *sc;
     char cwd[PATH_MAX];
     server_rec *s;
     int fipsenabled = FALSE;
@@ -143,7 +143,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
     }
     if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
         dbdir = (char *)mc->pCertificateDatabase + 4;
-    else 
+    else
         dbdir = (char *)mc->pCertificateDatabase;
     if (chdir(dbdir) != 0) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
@@ -254,7 +254,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
         /* We ensure that ocspname and ocspurl are not NULL above. */
         if (ocspdefault) {
             SECStatus sv;
- 
+
             sv = CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(),
                      ocspurl, ocspname);
 
@@ -289,7 +289,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
             "SNI is disabled");
     }
 
-    /* 
+    /*
      * Seed the Pseudo Random Number Generator (PRNG)
      * only need ptemp here; nothing inside allocated from the pool
      * needs to live once we return from nss_rand_seed().
@@ -302,7 +302,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
                     server_rec *base_server)
 {
     SSLModConfigRec *mc = myModConfig(base_server);
-    SSLSrvConfigRec *sc; 
+    SSLSrvConfigRec *sc;
     server_rec *s;
     int sslenabled = FALSE;
     int fipsenabled = FALSE;
@@ -313,7 +313,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
 
     mc->nInitCount++;
 
-    /* 
+    /*
      * Let us cleanup on restarts and exists
      */
     apr_pool_cleanup_register(p, base_server,
@@ -321,7 +321,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
                               apr_pool_cleanup_null);
 
     mc->ptemp = ptemp;
- 
+
     /*
      * Any init round fixes the global config
      */
@@ -334,7 +334,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
             "NSSSessionCacheTimeout is deprecated. Ignoring.");
 
-        /* We still need to pass in a legal value to 
+        /* We still need to pass in a legal value to
          * SSL_ConfigMPServerSIDCache() and SSL_ConfigServerSessionIDCache()
          */
         mc->session_cache_timeout = 0; /* use NSS default */
@@ -893,14 +893,14 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
 {
     PRBool cipher_state[ciphernum];
     PRBool fips_state[ciphernum];
-    const char *suite = mctx->auth.cipher_suite; 
+    const char *suite = mctx->auth.cipher_suite;
     char * object_type = NULL;
     char * cipher_suite_marker = NULL;
     char * ciphers;
     char * fipsciphers = NULL;
     int i;
- 
-    /* 
+
+    /*
      *  Configure SSL Cipher Suite
      */
     if (!suite) {
@@ -1067,17 +1067,17 @@ static void nss_init_server_check(server_rec *s,
 static void nss_init_ctx(server_rec *s,
                          apr_pool_t *p,
                          apr_pool_t *ptemp,
-                         modnss_ctx_t *mctx) 
+                         modnss_ctx_t *mctx)
 {
 
     nss_init_ctx_socket(s, p, ptemp, mctx);
 
     nss_init_ctx_protocol(s, p, ptemp, mctx);
-    
+
     nss_init_ctx_session_cache(s, p, ptemp, mctx);
-    
+
     nss_init_ctx_callbacks(s, p, ptemp, mctx);
-    
+
     nss_init_ctx_verify(s, p, ptemp, mctx);
 
     nss_init_ctx_cipher_suite(s, p, ptemp, mctx);
@@ -1102,7 +1102,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
     apr_array_header_t *names = NULL;
     apr_array_header_t *wild_names = NULL;
     int i, j;
- 
+
     if (nickname == NULL) {
         return;
     }
@@ -1132,13 +1132,13 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
 
     if (strchr(nickname, ':'))
     {
-        char* token = strdup(nickname); 
+        char* token = strdup(nickname);
         char* colon = strchr(token, ':');
         if (colon) {
             *colon = 0;
             slot = PK11_FindSlotByName(token);
             if (!slot) {
-                /* 
+                /*
                  * Slot not found. This should never happen because we
                  * already found the cert.
                  */
@@ -1200,7 +1200,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
         nn = certNickDNS->numnicknames;
 
         while ( nn > 0 ) {
-            ap_str_tolower(*nnptr);	
+            ap_str_tolower(*nnptr);
             addHashVhostNick(*nnptr, (char *)nickname);
             nnptr++;
             nn--;
@@ -1327,7 +1327,7 @@ static void nss_init_server_certs(server_rec *s,
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
     }
-    
+
 }
 
 static void nss_init_proxy_ctx(server_rec *s,
@@ -1434,7 +1434,7 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server)
         CERT_DestroyCertList(clist);
     }
 
-    /* 
+    /*
      * Let us cleanup on restarts and exits
      */
     apr_pool_cleanup_register(p, base_server,
@@ -1574,7 +1574,7 @@ SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg)
  */
 static PRBool
 cert_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
-{ 
+{
     PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
     SECStatus rv;
     PRBool newerbefore, newerafter;
@@ -1662,11 +1662,11 @@ FindServerCertFromNickname(const char* name, const CERTCertList* clist)
              * Otherwise just return the cert if the nickname matches.
              */
             if (CERT_CheckCertUsage(cert, certUsageSSLServer) == SECSuccess) {
-                matchedUsage = 2; 
+                matchedUsage = 2;
             } else {
-                if (CERT_CheckCertUsage(cert, certUsageEmailRecipient) == SECSuccess) 
+                if (CERT_CheckCertUsage(cert, certUsageEmailRecipient) == SECSuccess)
                 {
-                    matchedUsage = 1; 
+                    matchedUsage = 1;
                 }
             }
 
@@ -1776,7 +1776,7 @@ PRInt32 nssSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
     }
     privKey = PK11_FindKeyByAnyCert(cert, &pinArg);
     if (privKey == NULL) {
-        goto loser; 
+        goto loser;
     }
 
     SSLKEAType certKEA = NSS_FindCertKEAType(cert);
diff --git a/nss_engine_io.c b/nss_engine_io.c
index 5593246..a13b74f 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -415,7 +415,7 @@ static apr_status_t nss_io_input_read(nspr_filter_in_ctx_t *inctx,
                 if (APR_STATUS_IS_EAGAIN(inctx->rc)
                         || APR_STATUS_IS_EINTR(inctx->rc)) {
                     /* Already read something, return APR_SUCCESS instead. */
-                    if (*len > 0) { 
+                    if (*len > 0) {
                         inctx->rc = APR_SUCCESS;
                         break;
                     }
@@ -458,7 +458,7 @@ static apr_status_t nss_io_input_getline(nspr_filter_in_ctx_t *inctx,
 
     while (tmplen > 0) {
         status = nss_io_input_read(inctx, buf + offset, &tmplen);
-     
+
         if (status != APR_SUCCESS) {
             return status;
         }
@@ -551,13 +551,13 @@ static apr_status_t nss_filter_write(ap_filter_t *f,
 /* Just use a simple request.  Any request will work for this, because
  * we use a flag in the conn_rec->conn_vector now.  The fake request just
  * gets the request back to the Apache core so that a response can be sent.
- * 
+ *
  * To avoid calling back for more data from the socket, use an HTTP/0.9
  * request, and tack on an EOS bucket.
  */
 #define HTTP_ON_HTTPS_PORT \
     "GET /" CRLF
- 
+
 #define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
     apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
                                sizeof(HTTP_ON_HTTPS_PORT) - 1, \
@@ -569,15 +569,15 @@ static void nss_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
     nspr_filter_in_ctx_t *inctx = f->ctx;
     sslconn->ssl = NULL;
     inctx->filter_ctx->pssl = NULL;
-}   
+}
 
 static apr_status_t nss_io_filter_error(ap_filter_t *f,
                                         apr_bucket_brigade *bb,
                                         apr_status_t status)
-{   
+{
     SSLConnRec *sslconn = myConnConfig(f->c);
     apr_bucket *bucket;
-    
+
     switch (status) {
       case HTTP_BAD_REQUEST:
             /* log the situation */
@@ -612,7 +612,7 @@ static apr_status_t nss_filter_io_shutdown(nss_filter_ctx_t *filter_ctx,
 {
     PRFileDesc *ssl = filter_ctx->pssl;
     SSLConnRec *sslconn = myConnConfig(c);
-     
+
     if (!ssl) {
         return APR_SUCCESS;
     }
@@ -1010,7 +1010,7 @@ int nss_io_buffer_fill(request_rec *r, apr_size_t maxlen)
     apr_bucket_brigade *tempb;
     apr_off_t total = 0; /* total length buffered */
     int eos = 0; /* non-zero once EOS is seen */
-    
+
     /* Create the context which will be passed to the input filter. */
     ctx = apr_palloc(r->pool, sizeof *ctx);
     apr_pool_create(&ctx->pool, r->pool);
@@ -1038,10 +1038,10 @@ int nss_io_buffer_fill(request_rec *r, apr_size_t maxlen)
                           "could not read request body for SSL buffer");
             return HTTP_INTERNAL_SERVER_ERROR;
         }
-        
+
         /* Iterate through the returned brigade: setaside each bucket
          * into the context's pool and move it into the brigade. */
-        for (e = APR_BRIGADE_FIRST(tempb); 
+        for (e = APR_BRIGADE_FIRST(tempb);
              e != APR_BRIGADE_SENTINEL(tempb) && !eos; e = next) {
             const char *data;
             apr_size_t len;
@@ -1059,19 +1059,19 @@ int nss_io_buffer_fill(request_rec *r, apr_size_t maxlen)
                 }
                 total += len;
             }
-                
+
             rv = apr_bucket_setaside(e, ctx->pool);
             if (rv != APR_SUCCESS) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
                               "could not setaside bucket for SSL buffer");
                 return HTTP_INTERNAL_SERVER_ERROR;
             }
-            
+
             APR_BUCKET_REMOVE(e);
             APR_BRIGADE_INSERT_TAIL(ctx->bb, e);
         }
 
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                       "total of %" APR_OFF_T_FMT " bytes in buffer, eos=%d",
                       total, eos);
 
@@ -1133,7 +1133,7 @@ static apr_status_t nss_io_filter_buffer(ap_filter_t *f,
             apr_bucket *d = APR_BRIGADE_FIRST(ctx->bb);
 
             e = APR_BUCKET_PREV(e);
-            
+
             /* Unsplice the partitioned segment and move it into the
              * passed-in brigade; no convenient way to do this with
              * the APR_BRIGADE_* macros. */
@@ -1158,7 +1158,7 @@ static apr_status_t nss_io_filter_buffer(ap_filter_t *f,
 
     if (APR_BRIGADE_EMPTY(ctx->bb)) {
         apr_bucket *e = APR_BRIGADE_LAST(bb);
-        
+
         /* Ensure that the brigade is terminated by an EOS if the
          * buffered request body has been entirely consumed. */
         if (e == APR_BRIGADE_SENTINEL(bb) || !APR_BUCKET_IS_EOS(e)) {
@@ -1219,9 +1219,9 @@ void nss_io_filter_init(conn_rec *c, PRFileDesc *ssl)
 void nss_io_filter_register(apr_pool_t *p)
 {
     ap_register_input_filter  (nss_io_filter, nss_io_filter_input,  NULL, AP_FTYPE_CONNECTION + 5);
-    ap_register_output_filter (nss_io_filter, nss_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5);  
+    ap_register_output_filter (nss_io_filter, nss_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5);
     ap_register_input_filter  (nss_io_buffer, nss_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL - 1);
-    return; 
+    return;
 }
 
 PRFileDesc * nss_io_new_fd() {
@@ -1248,7 +1248,7 @@ static PRStatus PR_CALLBACK nspr_filter_getpeername(PRFileDesc *fd, PRNetAddr *a
 #endif
 }
 
-/* 
+/*
  * Translate NSPR PR_GetSocketOption() calls into apr_socket_opt_get() calls.
  */
 static PRStatus PR_CALLBACK nspr_filter_getsocketoption(PRFileDesc *fd, PRSocketOptionData *data) {
@@ -1309,7 +1309,7 @@ static PRStatus PR_CALLBACK nspr_filter_getsocketoption(PRFileDesc *fd, PRSocket
     return rv;
 }
 
-/* 
+/*
  * Translate NSPR PR_SetSocketOption() calls into apr_socket_opt_set() calls.
  */
 static PRStatus PR_CALLBACK nspr_filter_setsocketOption(PRFileDesc *fd, const PRSocketOptionData *data) {
@@ -1370,7 +1370,7 @@ static PRStatus PR_CALLBACK nspr_filter_setsocketOption(PRFileDesc *fd, const PR
 }
 
 static PRStatus PR_CALLBACK
-nspr_filter_shutdown(PRFileDesc *fd, PRIntn how) 
+nspr_filter_shutdown(PRFileDesc *fd, PRIntn how)
 {
     return PR_SUCCESS;
 }
@@ -1391,7 +1391,7 @@ static PRInt32 PR_CALLBACK nspr_filter_send(PRFileDesc *fd, const void *buf, PRI
     return nspr_filter_out_write(fd, buf, amount);
 }
 
-/* 
+/*
  * Called once to initialize the NSPR layer that we push for each
  * request.
  */
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index 28042fb..6c15ac5 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -72,7 +72,7 @@ int nss_hook_ReadReq(request_rec *r)
      * delayed interlinking from SSL back to request_rec
      */
     if (!ssl) {
-        return DECLINED; 
+        return DECLINED;
     }
 
     /*
@@ -118,7 +118,7 @@ int nss_hook_ReadReq(request_rec *r)
 
                     apr_pool_destroy(s_p);
                     return HTTP_BAD_REQUEST;
-                } 
+                }
                 apr_pool_destroy(s_p);
             }
         } else if (((sc->strict_sni_vhost_check)
@@ -178,8 +178,8 @@ int nss_hook_Access(request_rec *r)
     SSLSrvConfigRec *sc = mySrvConfig(r->server);
     SSLConnRec *sslconn = myConnConfig(r->connection);
     PRFileDesc *ssl     = sslconn ? sslconn->ssl : NULL;
-    apr_array_header_t *requires; 
-    nss_require_t *nss_requires; 
+    apr_array_header_t *requires;
+    nss_require_t *nss_requires;
     char *cp;
     int ok, i;
     BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
@@ -217,7 +217,7 @@ int nss_hook_Access(request_rec *r)
 
     /*
      * Support for per-directory reconfigured SSL connection parameters.
-     * 
+     *
      * This is implemented by forcing an SSL renegotiation with the
      * reconfigured parameter suite. But Apache's internal API processing
      * makes our life very hard here, because when internal sub-requests occur
@@ -235,7 +235,7 @@ int nss_hook_Access(request_rec *r)
      * the reconfigured parameter suite is stronger (more restrictions) than
      * the currently active one.
      */
-    
+
     /*
      * Override of NSSCipherSuite
      *
@@ -286,7 +286,7 @@ int nss_hook_Access(request_rec *r)
                          "permitted SSL ciphers");
             nss_log_nss_error(APLOG_MARK, APLOG_ERR, r->server);
             free(ciphers);
-    
+
             return HTTP_FORBIDDEN;
         }
         free(ciphers);
@@ -375,7 +375,7 @@ int nss_hook_Access(request_rec *r)
             SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_FALSE);
             SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
         }
-    
+
         /* determine whether we've to force a renegotiation */
         if (!renegotiate && verify != verify_old) {
             if (((verify_old == SSL_CVERIFY_NONE) &&
@@ -415,7 +415,7 @@ int nss_hook_Access(request_rec *r)


