mod_nss-negotiate.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180


diff -up ./mod_nss.c.norego ./mod_nss.c
--- ./mod_nss.c.norego	2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.c	2010-01-28 20:44:49.000000000 +0100
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
     SSL_CMD_SRV(Nickname, TAKE1,
                 "SSL RSA Server Certificate nickname "
                 "(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+    SSL_CMD_SRV(Renegotiation, FLAG,
+                "Enable SSL Renegotiation (default off) "
+                "(`on', `off')")
+    SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+                "If Rengotiation is allowed, require safe negotiation (default off) "
+                "(`on', `off')")
+#endif
 #ifdef NSS_ENABLE_ECC
     SSL_CMD_SRV(ECCNickname, TAKE1,
                 "SSL ECC Server Certificate nickname "
diff -up ./mod_nss.h.norego ./mod_nss.h
--- ./mod_nss.h.norego	2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.h	2010-01-28 20:44:49.000000000 +0100
@@ -269,6 +269,10 @@ typedef struct {
     int tls;
     int tlsrollback;
     int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+    int enablerenegotiation;
+    int requiresafenegotiation;
+#endif
     const char *nickname;
 #ifdef NSS_ENABLE_ECC
     const char *eccnickname;
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
 const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
 #ifdef NSS_ENABLE_ECC
 const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
 #endif
diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
--- ./nss_engine_config.c.norego	2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_config.c	2010-01-28 20:44:49.000000000 +0100
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
     mctx->tls                 = PR_FALSE;
     mctx->tlsrollback         = PR_FALSE;
 
+#ifdef SSL_ENABLE_RENEGOTIATION
+    mctx->enablerenegotiation   = PR_FALSE;
+    mctx->requiresafenegotiation = PR_FALSE;
+#endif
     mctx->enforce             = PR_TRUE;
     mctx->nickname            = NULL;
 #ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
     cfgMerge(eccnickname, NULL);
 #endif
     cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+    cfgMerge(enablerenegotiation, PR_FALSE);
+    cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
 }
 
 static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
     return NULL;
 }
 
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+ 
+    return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+ 
+    return NULL;
+}
+#endif
+
 #ifdef NSS_ENABLE_ECC
 const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
                                 void *dcfg,
diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
--- ./nss_engine_init.c.norego	2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_init.c	2010-01-28 20:48:42.000000000 +0100
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
             nss_die();
         }
     }
+#ifdef SSL_ENABLE_RENEGOTIATION
+    if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+            mctx->enablerenegotiation ?
+              SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+              ) != SECSuccess) {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                    "Unable to set SSL renegotiation");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+            nss_die();
+    }
+    if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+            mctx->requiresafenegotiation) != SECSuccess) {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                    "Unable to set SSL safe negotiation");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+            nss_die();
+    }
+#endif
 }
 
 static void nss_init_ctx_protocol(server_rec *s,

diff -up ./nss.conf.in.norego ./nss.conf.in
--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
+++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
@@ -64,6 +64,17 @@
 #NSSRandomSeed startup file:/dev/random  512
 #NSSRandomSeed startup file:/dev/urandom 512
 
+#
+# TLS Negotiation configuration under RFC 5746
+#
+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
+# extension. Default off.
+NSSRenegotiation off
+
+# Peer must send Signaling Cipher Suite Value (SCSV) or
+# Renegotiation Info (RI) extension in ALL handshakes.  Default: off
+NSSRequireSafeNegotiation off
+
 ##
 ## SSL Virtual Host Context
 ##

diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
--- ./nss_engine_log.c.norego    17 Oct 2006 16:45:57 -0000
+++ ./nss_engine_log.c    18 Mar 2010 19:39:10 -0000
@@ -27,7 +27,7 @@
 #define LIBSEC_ERROR_BASE		(-8192)
 #define LIBSEC_MAX_ERROR		(LIBSEC_ERROR_BASE + 155)
 #define LIBSSL_ERROR_BASE		(-12288)
-#define LIBSSL_MAX_ERROR		(LIBSSL_ERROR_BASE + 102)
+#define LIBSSL_MAX_ERROR		(LIBSSL_ERROR_BASE + 114)
 
 typedef struct l_error_t {
     int errorNumber;
@@ -296,7 +296,19 @@
     { 99, "Server requires ciphers more secure than those supported by client" },
     { 100, "Peer reports it experienced an internal error" },
     { 101, "Peer user canceled handshake" },
-    { 102, "Peer does not permit renegotiation of SSL security parameters" }
+    { 102, "Peer does not permit renegotiation of SSL security parameters" },
+    { 103, "Server cache not configured" },
+    { 104, "Unsupported extension" },
+    { 105, "Certificate unobtainable" },
+    { 106, "Unrecognized name" },
+    { 107, "Bad certificate status" },
+    { 108, "Bad certificate hash value" },
+    { 109, "Unexpected new session ticket" },
+    { 110, "Malformed new session ticket" },
+    { 111, "Decompression failure" },
+    { 112, "Renegotiation not allowed" },
+    { 113, "Safe negotiation required but not provided by client" },
+    { 114, "Unexpected uncompressed record" },
 };
 
 void nss_die(void)