* modules/ssl/ssl_util_ssl.c (SSL_X509_STORE_create): Catch errors
returned by X509_LOOKUP_add_dir or X509_LOOKUP_load_file to detect
malformed or misconfigured CRLs. Clear error stack beforehand to
ensure reported errors are relevant.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Fix gcc
4.x different-pointer-signedness warning.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that
renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require". (CVE CAN-2005-2700)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@290159
13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.1.8
+ *) SECURITY: CAN-2005-2700 (cve.mitre.org)
+ mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+ enforced in per-location context if "SSLVerifyClient optional"
+ was configured in the vhost configuration. [Joe Orton]
+
+ *) mod_ssl: Catch parse errors from misconfigured or malformed
+ CRLs. PR 36438. [Joe Orton]
+
*) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
providers. Prevent problems when no Vhost containers were
configured with proxy balancers. [Jim Jagielski]
(!(verify_old & SSL_VERIFY_PEER) &&
(verify & SSL_VERIFY_PEER)) ||
- (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
- (verify & SSL_VERIFY_PEER_STRICT)))
+ (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+ (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
{
renegotiate = TRUE;
/* optimization */
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
- result = apr_pstrmemdup(p,
- X509_NAME_ENTRY_get_data_ptr(xsne),
+ unsigned char *data = X509_NAME_ENTRY_get_data_ptr(xsne);
+ /* cast needed from unsigned char to char */
+ result = apr_pstrmemdup(p, (char *)data,
X509_NAME_ENTRY_get_data_len(xsne));
#if APR_CHARSET_EBCDIC
ap_xlate_proto_from_ascii(result, X509_NAME_ENTRY_get_data_len(xsne));
{
X509_STORE *pStore;
X509_LOOKUP *pLookup;
+ int rv = 1;
+
+ ERR_clear_error();
if (cpFile == NULL && cpPath == NULL)
return NULL;
X509_STORE_free(pStore);
return NULL;
}
- X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
+ rv = X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
}
- if (cpPath != NULL) {
+ if (cpPath != NULL && rv == 1) {
pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir());
if (pLookup == NULL) {
X509_STORE_free(pStore);
return NULL;
}
- X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
+ rv = X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
}
- return pStore;
+ return rv == 1 ? pStore : NULL;
}
int SSL_X509_STORE_lookup(X509_STORE *pStore, int nType,
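Review bot: The new failure return at the end of SSL_X509_STORE_create leaks pStore: when X509_LOOKUP_load_file or X509_LOOKUP_add_dir returns something other than 1, `return rv == 1 ? pStore : NULL;` hands back NULL without releasing the store, whereas the X509_STORE_add_lookup failure paths in the same hunk call X509_STORE_free(pStore) first. Replacing the final line with `if (rv != 1) { X509_STORE_free(pStore); return NULL; }` followed by `return pStore;` keeps the error paths consistent; the X509_LOOKUP objects are owned by the store, so freeing it is sufficient. Because the function reports failure only through NULL, a caller presumably has to read the OpenSSL error queue (which the added ERR_clear_error() primes) to tell a malformed CRL from a missing file, so a one-line comment above the return saying the error queue carries the reason would help the next maintainer. The `if (cpFile != NULL)` block whose body holds the first changed line opens outside the hunk.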