File mod_nss-cipherlist_update_for_tls12.diff of Package apache2-mod_nss

diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
--- ../mod_nss-1.0.8-o/mod_nss.h	2014-02-18 16:30:19.000000000 +0100
+++ ./mod_nss.h	2014-02-18 16:30:51.000000000 +0100
@@ -318,103 +318,103 @@
 
 /*
  * Define the mod_ssl per-directory configuration structure
  * (i.e. the local configuration for all <Directory>
  *  and .htaccess contexts)
  */
 typedef struct {
     BOOL                bSSLRequired;
     apr_array_header_t *aRequirement;
     int                 nOptions;
     int                 nOptionsAdd;
     int                 nOptionsDel;
     const char         *szCipherSuite;
     nss_verify_t        nVerifyClient;
     const char         *szUserName;
 } SSLDirConfigRec;
 
 /*
  * Cipher definitions
  */
 typedef struct
 {
     const char *name;
     int num;
     int fortezza_only;
     PRInt32 version; /* protocol version valid for this cipher */
 } cipher_properties;
 
 /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
  * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
  * is the last version without this define. This is used for more than just
  * the below defines. It also determines which API is used.
  */
 #ifndef AP_SERVER_MAJORVERSION_NUMBER
 #define AP_SERVER_MAJORVERSION_NUMBER 2
 #define AP_SERVER_MINORVERSION_NUMBER 0
 #define AP_SERVER_PATCHLEVEL_NUMBER   55
 #endif
 
 #if AP_SERVER_MINORVERSION_NUMBER < 2
 typedef struct regex_t ap_regex_t;
 #define AP_REG_EXTENDED REG_EXTENDED
 #define AP_REG_NOSUB REG_NOSUB
 #define AP_REG_ICASE REG_ICASE
 #endif
  
 enum sslversion { SSL2=1, SSL3=2, TLS=4};
 
 /* the table itself is defined in nss_engine_init.c */
 #ifdef NSS_ENABLE_ECC
-#define ciphernum 48
+#define ciphernum 59
 #else
-#define ciphernum 23
+#define ciphernum 28
 #endif
 
 /*
  *  function prototypes
  */
 
 /*  API glue structures  */
 extern module AP_MODULE_DECLARE_DATA nss_module;
 
 /*  configuration handling   */
 SSLModConfigRec *nss_config_global_create(server_rec *);
 void *nss_config_perdir_create(apr_pool_t *p, char *dir);
 void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv);
 void *nss_config_server_create(apr_pool_t *p, server_rec *s);
 void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
 const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
 const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
 const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
 const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
 const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
 const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
 const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
 #ifdef SSL_ENABLE_RENEGOTIATION
 const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
 const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
 #endif
 #ifdef NSS_ENABLE_ECC
 const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
 #endif
 const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
 const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
 const char  *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
 
 const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
--- ../mod_nss-1.0.8-o/nss_engine_init.c	2014-02-18 16:30:19.000000000 +0100
+++ ./nss_engine_init.c	2014-02-18 16:30:51.000000000 +0100
@@ -15,122 +15,134 @@
 
 #include "mod_nss.h"
 #include "apr_thread_proc.h"
 #include "ap_mpm.h"
 #include "secmod.h"
 #include "sslerr.h"
 #include "pk11func.h"
 #include "ocsp.h"
 #include "keyhi.h"
 #include "cert.h"
 
 static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
 static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
 static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
 static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
 SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
 
 /*
  * Global variables defined in this file.
  */
 char* INTERNAL_TOKEN_NAME = "internal                         ";
 
 cipher_properties ciphers_def[ciphernum] =
 {
     /* SSL2 cipher suites */
     {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
     {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
     {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
     {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
     {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
     {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
     /* SSL3/TLS cipher suites */
     {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
     {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
     {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
     {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
     {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
     {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
     {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
     {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
     {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
     {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
     {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
     {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
     {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
     /* TLS 1.0: Exportable 56-bit Cipher Suites. */
     {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
     {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
     /* AES ciphers.*/
     {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
+    {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+    {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
+    {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
     {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
+    {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS},
+    {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
+
 #ifdef NSS_ENABLE_ECC
     /* ECC ciphers.*/
     {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
     {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
     {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
     {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+    {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
     {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
     {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
     {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
     {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
     {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+    {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+    {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
     {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
     {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
     {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
     {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
     {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+    {"ecdh_rsa_aes_128_gcm_sha", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
     {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
     {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
     {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
     {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
     {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+    {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+    {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
     {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
     {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
     {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
     {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
     {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
     {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
 #endif
 };
 
 static char *version_components[] = {
     "SSL_VERSION_PRODUCT",
     "SSL_VERSION_INTERFACE",
     "SSL_VERSION_LIBRARY",
     NULL
 }; 
 
 static char *nss_add_version_component(apr_pool_t *p,
                                        server_rec *s,
                                        char *name)
 {   
     char *val = nss_var_lookup(p, s, NULL, NULL, name);
 
     if (val && *val) {
         ap_add_version_component(p, val);
     }
 
     return val;
 }
  
 static void nss_add_version_components(apr_pool_t *p,
                                        server_rec *s)
 {
     char *vals[sizeof(version_components)/sizeof(char *)];
     int i;
 
     for (i=0; version_components[i]; i++) {
         vals[i] = nss_add_version_component(p, s,
                                             version_components[i]);
     }
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                  "Server: %s, Interface: %s, Library: %s",
                  AP_SERVER_BASEVERSION,
                  vals[1],  /* SSL_VERSION_INTERFACE */
                  vals[2]); /* SSL_VERSION_LIBRARY */
 }
 
 /*
  *  Initialize SSL library
  *
openSUSE Build Service is sponsored by