httpd-cvs mailing list archives

From rpl...@apache.org
Subject svn commit: r896900 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS docs/ modules/ssl/ssl_engine_io.c modules/ssl/ssl_engine_kernel.c support/ab.c support/suexec.c
Date Thu, 07 Jan 2010 15:13:30 GMT
Author: rpluem
Date: Thu Jan  7 15:11:53 2010
New Revision: 896900

URL: http://svn.apache.org/viewvc?rev=896900&view=rev
Log:
Merge r891282 from trunk:

Further mitigation for the TLS renegotiation attack, CVE-2009-3555:

* modules/ssl/ssl_engine_kernel.c (has_buffered_data): New function.
  (ssl_hook_Access): Forcibly disable keepalive for the connection if
  there is any buffered data readable from the input filter stack.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Ensure that the
  BIO uses blocking operations when invoked outside direct control of
  the httpd filter stack.

Thanks to Hartmut Keil <Hartmut.Keil adnovum.ch> for proposing this
technique.

Submitted by: jorton
Reviewed by: rpluem, jim, trawick

Modified:
    httpd/httpd/branches/2.2.x/   (props changed)
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/   (props changed)
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/branches/2.2.x/support/ab.c   (props changed)
    httpd/httpd/branches/2.2.x/support/suexec.c   (props changed)

Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jan  7 15:11:53 2010
@@ -1 +1 @@
-/httpd/httpd/trunk:395552,451572,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704,823536,823563
+/httpd/httpd/trunk:395552,451572,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704,823536,823563,891282

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=896900&r1=896899&r2=896900&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Thu Jan  7 15:11:53 2010
@@ -3,10 +3,11 @@
 
   *) SECURITY: CVE-2009-3555 (cve.mitre.org)
      A partial fix for the TLS renegotiation prefix injection attack by
-     rejecting any client-initiated renegotiations.  Any configuration
-     which requires renegotiation for per-directory/location access 
-     control is still vulnerable, unless using OpenSSL >= 0.9.8l.  
-     [Joe Orton, Ruediger Pluem]
+     rejecting any client-initiated renegotiations. Forcibly disable keepalive
+     for the connection if there is any buffered data readable. Any
+     configuration which requires renegotiation for per-directory/location
+     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
+     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
 
   *) mod_filter: fix FilterProvider matching where "dispatch" string
      doesn't exist.
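Review bot: the new sentence "Forcibly disable keepalive for the connection if there is any buffered data readable" reads as if keepalive is now disabled on any connection with buffered input, whereas the code in ssl_engine_kernel.c only does this when a per-directory/location renegotiation is about to be performed. Suggest "Forcibly disable keepalive for the connection if there is any buffered data readable when a renegotiation is required", so administrators reading CHANGES do not expect a general change to keepalive behaviour.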

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=896900&r1=896899&r2=896900&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Thu Jan  7 15:11:53 2010
@@ -87,12 +87,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * mod_ssl: Further mitigation for the TLS renegotation attack, CVE-2009-3555
-      Trunk version of patch:
-         http://svn.apache.org/viewcvs.cgi?rev=891282&view=rev
-      Backport version for 2.2.x of patch:
-         Trunk version of patch works
-      +1: rpluem, jim, trawick
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]

Propchange: httpd/httpd/branches/2.2.x/docs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jan  7 15:11:53 2010
@@ -1 +1 @@
-/httpd/httpd/trunk/docs:395552,451572,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,675610,678761,680082,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693120,693392,693727-693728,696006,697093,703441,703997,706318,707163,708902,711421,719357,720250,726109,728015,728020,728220,729316-729317,729586,732414,732421,732451,732504,732832,733127,733134,733218-733219,733465,733467,733695,734703,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704
+/httpd/httpd/trunk/docs:395552,451572,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,675610,678761,680082,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693120,693392,693727-693728,696006,697093,703441,703997,706318,707163,708902,711421,719357,720250,726109,728015,728020,728220,729316-729317,729586,732414,732421,732451,732504,732832,733127,733134,733218-733219,733465,733467,733695,734703,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704,891282

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=896900&r1=896899&r2=896900&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Thu Jan  7 15:11:53 2010
@@ -1371,9 +1371,17 @@
     }
     else {
         /* We have no idea what you are talking about, so return an error. */
-        return APR_ENOTIMPL;
+        status = APR_ENOTIMPL;
     }
 
+    /* It is possible for mod_ssl's BIO to be used outside of the
+     * direct control of mod_ssl's input or output filter -- notably,
+     * when mod_ssl initiates a renegotiation.  Switching the BIO mode
+     * back to "blocking" here ensures such operations don't fail with
+     * SSL_ERROR_WANT_READ. */
+    inctx->block = APR_BLOCK_READ;
+
+    /* Handle custom errors. */
     if (status != APR_SUCCESS) {
         return ssl_io_filter_error(f, bb, status);
     }
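Review bot: the reset `inctx->block = APR_BLOCK_READ;` is unconditional and is placed before the `if (status != APR_SUCCESS)` check, which is the reason `return APR_ENOTIMPL;` became `status = APR_ENOTIMPL;`; that coupling is not obvious from the comment, so one sentence saying the mode must be restored on every exit path, errors included, would help the next reader. It is also worth confirming that no other early `return` in ssl_io_filter_input outside this hunk still leaves the BIO in non-blocking mode, since any such path would reintroduce the SSL_ERROR_WANT_READ failure during a mod_ssl-initiated renegotiation.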

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c?rev=896900&r1=896899&r2=896900&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c Thu Jan  7 15:11:53 2010
@@ -35,6 +35,29 @@
 static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
 #endif
 
+/* Perform a speculative (and non-blocking) read from the connection
+ * filters for the given request, to determine whether there is any
+ * pending data to read.  Return non-zero if there is, else zero. */
+static int has_buffered_data(request_rec *r) 
+{
+    apr_bucket_brigade *bb;
+    apr_off_t len;
+    apr_status_t rv;
+    int result;
+    
+    bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+    
+    rv = ap_get_brigade(r->connection->input_filters, bb, AP_MODE_SPECULATIVE,
+                        APR_NONBLOCK_READ, 1); 
+    result = rv == APR_SUCCESS
+        && apr_brigade_length(bb, 1, &len) == APR_SUCCESS
+        && len > 0;
+    
+    apr_brigade_destroy(bb);
+    
+    return result;
+}
+
 /*
  *  Post Read Request Handler
  */
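Review bot: every non-APR_SUCCESS return from ap_get_brigade, including genuine filter errors and not only APR_EAGAIN, is folded into `result = 0`, so an error while probing the input stack leaves keepalive enabled; for a mitigation the safe direction is the opposite, so consider treating anything other than APR_SUCCESS and APR_EAGAIN as "assume buffered data", or at least logging rv at debug level so a failing probe is visible. Also trailing whitespace on the `static int has_buffered_data(request_rec *r) ` line, on the `APR_NONBLOCK_READ, 1); ` line, and on the otherwise blank lines inside the function body.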
@@ -720,6 +743,23 @@
         else {
             request_rec *id = r->main ? r->main : r;
 
+            /* Additional mitigation for CVE-2009-3555: At this point,
+             * before renegotiating, an (entire) request has been read
+             * from the connection.  An attacker may have sent further
+             * data to "prefix" any subsequent request by the victim's
+             * client after the renegotiation; this data may already
+             * have been read and buffered.  Forcing a connection
+             * closure after the response ensures such data will be
+             * discarded.  Legimately pipelined HTTP requests will be
+             * retried anyway with this approach. */
+            if (has_buffered_data(r)) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "insecure SSL re-negotiation required, but "
+                              "a pipelined request is present; keepalive "
+                              "disabled");
+                r->connection->keepalive = AP_CONN_CLOSE;
+            }
+
             /* do a full renegotiation */
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                           "Performing full renegotiation: "
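Review bot: typo in the comment, "Legimately" should be "Legitimately". The APLOG_ERR message states that "a pipelined request is present", but the comment directly above explains the buffered bytes may be attacker-supplied prefix data rather than a pipelined request, so the wording can mislead someone triaging logs; "buffered input is present" stays accurate in both cases. Since the same line fires for every legitimately pipelining client, APLOG_WARN may be the better level for this message, with the keepalive closure itself unchanged.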

Propchange: httpd/httpd/branches/2.2.x/support/ab.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jan  7 15:11:53 2010
@@ -1 +1 @@
-/httpd/httpd/trunk/support/ab.c:83751-655654,657354,657433,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704
+/httpd/httpd/trunk/support/ab.c:83751-655654,657354,657433,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704,891282

Propchange: httpd/httpd/branches/2.2.x/support/suexec.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jan  7 15:11:53 2010
@@ -1 +1 @@
-/httpd/httpd/trunk/support/suexec.c:395552,451572,583817,583830,611483,630858,639005,639010,647395,655711,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704
+/httpd/httpd/trunk/support/suexec.c:395552,451572,583817,583830,611483,630858,639005,639010,647395,655711,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785661,790587,803704,891282
