* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer
overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
functions.
* modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL
error stack contents if engine load/init fails.
* modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print
an unsigned long.
* modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation,
ssl_log_ssl_error): const-ify annotation strings and simplify
ssl_log_annotation.
Reviewed by: André Malo, Jeff Trawick
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@103867
13f79535-47bb-0310-9956-
ffa450edef68
Changes with Apache 2.0.50
+ *) SECURITY: CAN-2004-0488 (cve.mitre.org)
+ mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
+ (trusted) client certificate subject DN which exceeds 6K in length.
+ [Joe Orton]
+
+ *) mod_ssl: Log the errors returned on failure to load or initialize
+ a crypto accelerator engine. [Joe Orton]
+
*) Allow RequestHeader directives to be conditional. PR 27951.
[Vincent Deffontaines <vincent gryzor.com>, André Malo]
APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/06/06 22:19:38 $]
+Last modified at [$Date: 2004/06/07 10:18:36 $]
Release:
PR: 29318
+1: jorton, trawick, nd
- *) mod_ssl: Fix buffer overflow in FakeBasicAuth support (CVE CAN-2004-0488)
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106
- +1: jorton, nd, trawick
-
*) mod_ssl: Remove some unused functions (after CAN-2004-0488 fix is applied)
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_util.c?r1=1.46&r2=1.47
+1: jorton, nd
trawick: need changes to mod_ssl.h to remove prototypes for those removed functions
- *) mod_ssl: Fix a GCC strict-aliasing warning.
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_config.c?r1=1.90&r2=1.91
- +1: jorton, nd, trawick
-
- *) mod_ssl: Cleanups and fixes for mod_ssl logging.
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.124&r2=1.125
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_log.c?r1=1.31&r2=1.28
- +1: jorton, nd, trawick
-
*) Enable the option to support anonymous shared memory in mod_ldap.
This makes the cache work on Linux again.
modules/experimental/util_ldap.c r1.30
{
apr_pool_t *pool = s->process->pool;
SSLModConfigRec *mc;
+ void *vmc;
- apr_pool_userdata_get((void **)&mc, SSL_MOD_CONFIG_KEY,
- pool);
-
- if (mc) {
- return mc; /* reused for lifetime of the server */
+ apr_pool_userdata_get(&vmc, SSL_MOD_CONFIG_KEY, pool);
+ if (vmc) {
+ return vmc; /* reused for lifetime of the server */
}
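Review bot: The new `void *vmc;` at the top of the hunk is left uninitialized and the status returned by `apr_pool_userdata_get(&vmc, SSL_MOD_CONFIG_KEY, pool)` is discarded, so the `if (vmc)` test depends entirely on the lookup writing `*data` on every path; I believe APR does so, but initializing `void *vmc = NULL;` makes the aliasing-safe rewrite robust to that contract rather than dependent on it. A one-line comment on why the temporary exists would also help the next reader, e.g. `/* fetch through a void* temporary: casting &mc to void** violates strict aliasing */`. The enclosing function starts before this hunk and continues after it.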
/*
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to load Crypto Device API `%s'",
mc->szCryptoDevice);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to enable Crypto Device API `%s'",
mc->szCryptoDevice);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
char *clientdn;
const char *auth_line, *username, *password;
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
- apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
- ssl_util_uuencode(buf2, buf1, FALSE);
-
- apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
- apr_table_set(r->headers_in, "Authorization", buf1);
+ auth_line = apr_pstrcat(r->pool, "Basic ",
+ ap_pbase64encode(r->pool,
+ apr_pstrcat(r->pool, clientdn,
+ ":password", NULL)),
+ NULL);
+ apr_table_set(r->headers_in, "Authorization", auth_line);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
+ "Faking HTTP Basic Auth header: \"Authorization: %s\"",
+ auth_line);
return DECLINED;
}
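Review bot: The replacement at the `auth_line = apr_pstrcat(...)` lines assigns the freshly built header to `auth_line`, a local that, judging by its declaration next to `username` and `password`, appears to hold the incoming Authorization header earlier in this function; reusing it for the fabricated value makes the later log line harder to read and invites confusion about which header is being reported. Splitting the nested `apr_pstrcat`/`ap_pbase64encode` into two steps with a distinct name reads better and keeps the fix identical: `const char *cred = apr_pstrcat(r->pool, clientdn, ":password", NULL);` followed by `auth_line = apr_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, cred), NULL);`. A short comment stating why pool allocation replaced the stack buffers would document the CVE fix in place, e.g. `/* pool-allocate: the subject DN can exceed any fixed buffer (CAN-2004-0488) */`. The enclosing ssl_hook_UserCheck body starts before this hunk.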
** _________________________________________________________________
*/
-static struct {
- char *cpPattern;
- char *cpAnnotation;
+static const struct {
+ const char *cpPattern;
+ const char *cpAnnotation;
} ssl_log_annotate[] = {
{ "*envelope*bad*decrypt*", "wrong pass phrase!?" },
{ "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },
{ NULL, NULL }
};
-static char *ssl_log_annotation(char *error)
+static const char *ssl_log_annotation(const char *error)
{
- char *errstr;
- int i;
+ int i = 0;
- errstr = NULL;
- for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) {
- if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) {
- errstr = ssl_log_annotate[i].cpAnnotation;
- break;
- }
- }
- return errstr;
+ while (ssl_log_annotate[i].cpPattern != NULL
+ && ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) != 0)
+ i++;
+
+ return ssl_log_annotate[i].cpAnnotation;
}
void ssl_die(void)
unsigned long e;
while ((e = ERR_get_error())) {
- char err[256], *annotation;
+ const char *annotation;
+ char err[256];
ERR_error_string_n(e, err, sizeof err);
annotation = ssl_log_annotation(err);
if (annotation) {
ap_log_error(file, line, level, 0, s,
- "SSL Library Error: %ld %s %s",
+ "SSL Library Error: %lu %s %s",
e, err, annotation);
}
else {
ap_log_error(file, line, level, 0, s,
- "SSL Library Error: %ld %s",
+ "SSL Library Error: %lu %s",
e, err);
}
}
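Review bot: The rewritten loop in ssl_log_annotation (the `while (ssl_log_annotate[i].cpPattern != NULL ...` hunk) returns `ssl_log_annotate[i].cpAnnotation` unconditionally, so the no-match case silently relies on the table's trailing `{ NULL, NULL }` entry having a NULL annotation; that coupling is correct today but invisible from the function itself. A comment above the return, `/* no match: i points at the { NULL, NULL } sentinel, whose annotation is NULL */`, would tie the two together, and the caller in ssl_log_ssl_error already treats NULL as "no annotation". Since the table is now `static const`, a matching note on the table that the sentinel row is load-bearing for ssl_log_annotation would make the invariant visible at both ends.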