httpd-cvs mailing list archives

From jor...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_engine_log.c
Date Mon, 07 Jun 2004 10:18:38 GMT
jorton      2004/06/07 03:18:37

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               modules/ssl Tag: APACHE_2_0_BRANCH ssl_engine_config.c
                        ssl_engine_init.c ssl_engine_kernel.c
                        ssl_engine_log.c
  Log:
  Backport from HEAD:
  
    * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer
    overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
    length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
    functions.
  
    * modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL
    error stack contents if engine load/init fails.
  
    * modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print
    an unsigned long.
  
    * modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation,
    ssl_log_ssl_error): const-ify annotation strings and simplify
    ssl_log_annotation.
  
  Reviewed by: André Malo, Jeff Trawick
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.296 +8 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.295
  retrieving revision 1.988.2.296
  diff -d -w -u -r1.988.2.295 -r1.988.2.296
  --- CHANGES	6 Jun 2004 22:19:37 -0000	1.988.2.295
  +++ CHANGES	7 Jun 2004 10:18:35 -0000	1.988.2.296
  @@ -1,5 +1,13 @@
   Changes with Apache 2.0.50
   
  +  *) SECURITY: CAN-2004-0488 (cve.mitre.org)
  +     mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
  +     (trusted) client certificate subject DN which exceeds 6K in length.
  +     [Joe Orton]
  +
  +  *) mod_ssl: Log the errors returned on failure to load or initialize
  +     a crypto accelerator engine.  [Joe Orton]
  +
     *) Allow RequestHeader directives to be conditional. PR 27951.
        [Vincent Deffontaines <vincent gryzor.com>, André Malo]
   
  
  
  
  1.751.2.904 +1 -14     httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.903
  retrieving revision 1.751.2.904
  diff -d -w -u -r1.751.2.903 -r1.751.2.904
  --- STATUS	6 Jun 2004 22:19:38 -0000	1.751.2.903
  +++ STATUS	7 Jun 2004 10:18:36 -0000	1.751.2.904
  @@ -77,23 +77,10 @@
          PR: 29318
          +1: jorton, trawick, nd
   
  -    *) mod_ssl: Fix buffer overflow in FakeBasicAuth support (CVE CAN-2004-0488)
  -       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106
  -       +1: jorton, nd, trawick
  -
       *) mod_ssl: Remove some unused functions (after CAN-2004-0488 fix is applied)
          http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_util.c?r1=1.46&r2=1.47
          +1: jorton, nd
          trawick: need changes to mod_ssl.h to remove prototypes for those removed functions
  -
  -    *) mod_ssl: Fix a GCC strict-aliasing warning.
  -       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_config.c?r1=1.90&r2=1.91
  -       +1: jorton, nd, trawick
  -
  -    *) mod_ssl: Cleanups and fixes for mod_ssl logging.
  -       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.124&r2=1.125
  -       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_log.c?r1=1.31&r2=1.28
  -       +1: jorton, nd, trawick
   
       *) Enable the option to support anonymous shared memory in mod_ldap.
          This makes the cache work on Linux again.
  
  
  
  No                   revision
  No                   revision
  1.70.2.8  +4 -5      httpd-2.0/modules/ssl/ssl_engine_config.c
  
  Index: ssl_engine_config.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_config.c,v
  retrieving revision 1.70.2.7
  retrieving revision 1.70.2.8
  diff -d -w -u -r1.70.2.7 -r1.70.2.8
  --- ssl_engine_config.c	9 Feb 2004 20:53:20 -0000	1.70.2.7
  +++ ssl_engine_config.c	7 Jun 2004 10:18:37 -0000	1.70.2.8
  @@ -39,12 +39,11 @@
   {
       apr_pool_t *pool = s->process->pool;
       SSLModConfigRec *mc;
  +    void *vmc;
   
  -    apr_pool_userdata_get((void **)&mc, SSL_MOD_CONFIG_KEY,
  -                          pool);
  -
  -    if (mc) {
  -        return mc; /* reused for lifetime of the server */
  +    apr_pool_userdata_get(&vmc, SSL_MOD_CONFIG_KEY, pool);
  +    if (vmc) {
  +        return vmc; /* reused for lifetime of the server */
       }
   
       /*
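Review bot: `vmc` is declared without an initializer at L118 and then tested at L126, so the "already created" check is only sound if apr_pool_userdata_get() stores into `*data` on every path, including when the key is absent; the call's apr_status_t return is also discarded. Writing `void *vmc = NULL;` keeps the not-yet-created branch correct even if the lookup ever returns without writing, at no cost. `mc` at L117 is presumably still used by the allocation path further down; the function's signature and the rest of its body are outside the hunk.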
  
  
  
  1.106.2.13 +2 -0      httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.106.2.12
  retrieving revision 1.106.2.13
  diff -d -w -u -r1.106.2.12 -r1.106.2.13
  --- ssl_engine_init.c	15 Apr 2004 19:54:51 -0000	1.106.2.12
  +++ ssl_engine_init.c	7 Jun 2004 10:18:37 -0000	1.106.2.13
  @@ -326,6 +326,7 @@
               ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                            "Init: Failed to load Crypto Device API `%s'",
                            mc->szCryptoDevice);
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
               ssl_die();
           }
   
  @@ -337,6 +338,7 @@
               ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                            "Init: Failed to enable Crypto Device API `%s'",
                            mc->szCryptoDevice);
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
               ssl_die();
           }
   
  
  
  
  1.82.2.13 +8 -7      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.82.2.12
  retrieving revision 1.82.2.13
  diff -d -w -u -r1.82.2.12 -r1.82.2.13
  --- ssl_engine_kernel.c	9 Feb 2004 20:53:20 -0000	1.82.2.12
  +++ ssl_engine_kernel.c	7 Jun 2004 10:18:37 -0000	1.82.2.13
  @@ -793,7 +793,6 @@
       SSLConnRec *sslconn = myConnConfig(r->connection);
       SSLSrvConfigRec *sc = mySrvConfig(r->server);
       SSLDirConfigRec *dc = myDirConfig(r);
  -    char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
       char *clientdn;
       const char *auth_line, *username, *password;
   
  @@ -872,14 +871,16 @@
        * adding the string "xxj31ZMTZzkVA" as the password in the user file.
        * This is just the crypted variant of the word "password" ;-)
        */
  -    apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
  -    ssl_util_uuencode(buf2, buf1, FALSE);
  -
  -    apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
  -    apr_table_set(r->headers_in, "Authorization", buf1);
  +    auth_line = apr_pstrcat(r->pool, "Basic ", 
  +                            ap_pbase64encode(r->pool, 
  +                                             apr_pstrcat(r->pool, clientdn, 
  +                                                         ":password", NULL)),
  +                            NULL);
  +    apr_table_set(r->headers_in, "Authorization", auth_line);
   
       ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
  -                 "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
  +                 "Faking HTTP Basic Auth header: \"Authorization: %s\"",
  +                 auth_line);
   
       return DECLINED;
   }
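Review bot: The INFO-level ap_log_error at L197-L200 writes the complete synthesized `Authorization` header, i.e. the base64 form of `clientdn:password`, into the error log. The password half is the fixed literal "password", so no real secret is exposed, but the line looks like a credential to anyone scanning logs and the DN itself may identify a person; logging only the DN, `"Faking HTTP Basic Auth header for client DN \"%s\"", clientdn`, carries the same diagnostic value. Separately, the triply nested apr_pstrcat/ap_pbase64encode expression at L190-L194 reads more easily as two steps: `const char *cred = apr_pstrcat(r->pool, clientdn, ":password", NULL);` followed by `auth_line = apr_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, cred), NULL);`. ssl_hook_UserCheck's signature and the earlier part of its body, including the original assignment to `auth_line`, lie outside the hunk.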
  
  
  
  1.21.2.6  +14 -17    httpd-2.0/modules/ssl/ssl_engine_log.c
  
  Index: ssl_engine_log.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_log.c,v
  retrieving revision 1.21.2.5
  retrieving revision 1.21.2.6
  diff -d -w -u -r1.21.2.5 -r1.21.2.6
  --- ssl_engine_log.c	9 Feb 2004 20:53:20 -0000	1.21.2.5
  +++ ssl_engine_log.c	7 Jun 2004 10:18:37 -0000	1.21.2.6
  @@ -34,9 +34,9 @@
   **  _________________________________________________________________
   */
   
  -static struct {
  -    char *cpPattern;
  -    char *cpAnnotation;
  +static const struct {
  +    const char *cpPattern;
  +    const char *cpAnnotation;
   } ssl_log_annotate[] = {
       { "*envelope*bad*decrypt*", "wrong pass phrase!?" },
       { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },
  @@ -51,19 +51,15 @@
       { NULL, NULL }
   };
   
  -static char *ssl_log_annotation(char *error)
  +static const char *ssl_log_annotation(const char *error)
   {
  -    char *errstr;
  -    int i;
  +    int i = 0;
   
  -    errstr = NULL;
  -    for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) {
  -        if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) {
  -            errstr = ssl_log_annotate[i].cpAnnotation;
  -            break;
  -        }
  -    }
  -    return errstr;
  +    while (ssl_log_annotate[i].cpPattern != NULL 
  +           && ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) != 0)
  +        i++;
  +
  +    return ssl_log_annotate[i].cpAnnotation;
   }
   
   void ssl_die(void)
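Review bot: ssl_log_annotation at L235-L254 now returns `ssl_log_annotate[i].cpAnnotation` without checking whether the loop matched, which is only correct because the table ends with a `{ NULL, NULL }` entry (L231) whose cpAnnotation is NULL; that dependency is invisible at the return statement. A one-line comment on the return, `/* no match: i rests on the {NULL, NULL} terminator, so this yields NULL */`, records the invariant for whoever next edits the table or drops the terminator.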
  @@ -84,19 +80,20 @@
       unsigned long e;
   
       while ((e = ERR_get_error())) {
  -        char err[256], *annotation;
  +        const char *annotation;
  +        char err[256];
   
           ERR_error_string_n(e, err, sizeof err);
           annotation = ssl_log_annotation(err);
   
           if (annotation) {
               ap_log_error(file, line, level, 0, s,
  -                         "SSL Library Error: %ld %s %s",
  +                         "SSL Library Error: %lu %s %s",
                            e, err, annotation); 
           }
           else {
               ap_log_error(file, line, level, 0, s,
  -                         "SSL Library Error: %ld %s",
  +                         "SSL Library Error: %lu %s",
                            e, err); 
           }
       }
  
  
  
