From jor...@apache.org
Subject svn commit: r290159 - in /httpd/httpd/branches/2.2.x: CHANGES modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_util_ssl.c
Date Mon, 19 Sep 2005 13:50:41 GMT
Author: jorton
Date: Mon Sep 19 06:50:35 2005
New Revision: 290159

URL: http://svn.apache.org/viewcvs?rev=290159&view=rev
Log:
Merge r265702, r290136, r264800 from trunk:

* modules/ssl/ssl_util_ssl.c (SSL_X509_STORE_create): Catch errors
returned by X509_LOOKUP_add_dir or X509_LOOKUP_load_file to detect
malformed or misconfigured CRLs.  Clear error stack beforehand to
ensure reported errors are relevant.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Fix gcc
4.x different-pointer-signedness warning.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that
renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require".  (CVE CAN-2005-2700)

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_util_ssl.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=290159&r1=290158&r2=290159&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Sep 19 06:50:35 2005
@@ -1,6 +1,14 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.1.8
 
+  *) SECURITY: CAN-2005-2700 (cve.mitre.org)
+     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+     enforced in per-location context if "SSLVerifyClient optional"
+     was configured in the vhost configuration.  [Joe Orton]
+
+  *) mod_ssl: Catch parse errors from misconfigured or malformed
+     CRLs.  PR 36438.  [Joe Orton]
+
   *) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
      providers. Prevent problems when no Vhost containers were
      configured with proxy balancers. [Jim Jagielski]

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c?rev=290159&r1=290158&r2=290159&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c Mon Sep 19 06:50:35 2005
@@ -406,8 +406,8 @@
                 (!(verify_old & SSL_VERIFY_PEER) &&
                   (verify     & SSL_VERIFY_PEER)) ||
 
-                (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
-                  (verify     & SSL_VERIFY_PEER_STRICT)))
+                (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+                  (verify     & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
             {
                 renegotiate = TRUE;
                 /* optimization */
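Review bot: The new SSL_VERIFY_FAIL_IF_NO_PEER_CERT comparison carries no comment saying which configuration transition it is there to catch, and since the condition is only partly visible here a reader of this hunk cannot tell why that bit alone, and not any other verify-mode bit, must trigger a renegotiation. A comment above the added pair of lines would make the intent durable, e.g. `/* 'SSLVerifyClient optional' -> 'require' differs only in FAIL_IF_NO_PEER_CERT, so that transition must renegotiate too (CAN-2005-2700) */`. The removed lines tested SSL_VERIFY_PEER_STRICT against the OpenSSL verify mode; if that name is still compared to the OpenSSL mode anywhere else in the module, those sites would presumably need the same correction. ssl_hook_Access begins and ends outside the hunk.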

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c?rev=290159&r1=290158&r2=290159&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c Mon Sep 19 06:50:35 2005
@@ -431,8 +431,9 @@
                 n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
 
                 if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
-                    result = apr_pstrmemdup(p, 
-                                            X509_NAME_ENTRY_get_data_ptr(xsne),
+                    unsigned char *data = X509_NAME_ENTRY_get_data_ptr(xsne);
+                    /* cast needed from unsigned char to char */
+                    result = apr_pstrmemdup(p, (char *)data,
                                             X509_NAME_ENTRY_get_data_len(xsne));
 #if APR_CHARSET_EBCDIC
                     ap_xlate_proto_from_ascii(result, X509_NAME_ENTRY_get_data_len(xsne));
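Review bot: The added comment `/* cast needed from unsigned char to char */` restates what the cast visibly does rather than why it is legitimate; apr_pstrmemdup() takes a `const char *` while the DN attribute bytes come back as `unsigned char *`, so a why-comment such as `/* attribute bytes are unsigned char *; apr_pstrmemdup() takes char * */` would serve a future reader better. Since the hunk already introduces a local for the pointer, `X509_NAME_ENTRY_get_data_len(xsne)`, which the visible lines call twice, could be cached in a local `len` next to `data` and passed to both apr_pstrmemdup() and ap_xlate_proto_from_ascii(). ssl_var_lookup_ssl_cert_dn begins and ends outside the hunk.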

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/ssl/ssl_util_ssl.c?rev=290159&r1=290158&r2=290159&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_util_ssl.c Mon Sep 19 06:50:35 2005
@@ -202,6 +202,9 @@
 {
     X509_STORE *pStore;
     X509_LOOKUP *pLookup;
+    int rv = 1;
+
+    ERR_clear_error();
 
     if (cpFile == NULL && cpPath == NULL)
         return NULL;
@@ -213,17 +216,17 @@
             X509_STORE_free(pStore);
             return NULL;
         }
-        X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
+        rv = X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
     }
-    if (cpPath != NULL) {
+    if (cpPath != NULL && rv == 1) {
         pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir());
         if (pLookup == NULL) {
             X509_STORE_free(pStore);
             return NULL;
         }
-        X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
+        rv = X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
     }
-    return pStore;
+    return rv == 1 ? pStore : NULL;
 }
 
 int SSL_X509_STORE_lookup(X509_STORE *pStore, int nType,
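Review bot: The new failure path at `return rv == 1 ? pStore : NULL;` does not release pStore, whereas the two X509_STORE_add_lookup() failure branches just above both call X509_STORE_free(pStore) before returning NULL; a malformed CRL file or an unreadable CRL directory therefore reports the error correctly but leaks the store. The ending should match the other error exits: `if (rv != 1) { X509_STORE_free(pStore); return NULL; }` followed by `return pStore;`. The same applies to the first hunk of this file only in that `rv` is initialised there; the store itself is presumably allocated in the lines between the two hunks, and SSL_X509_STORE_create's signature lies before the first hunk.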


