From: Joe Orton Date: Mon, 7 Jun 2004 10:18:37 +0000 (+0000) Subject: Backport from HEAD: X-Git-Tag: 2.0.50~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2767d52979fa8e7b3a31615e4a8366527b542060;p=thirdparty%2Fapache%2Fhttpd.git Backport from HEAD: * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer overflow in FakeBasicAuth code if client's subject DN exceeds 6K in length (CVE CAN-2004-0488); switch to using apr-util base64 encoder functions. * modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL error stack contents if engine load/init fails. * modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print an unsigned long. * modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation, ssl_log_ssl_error): const-ify annotation strings and simplify ssl_log_annotation. Reviewed by: Andr�� Malo, Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@103867 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 3fa84a3c7c6..d05b0ddfa2d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,13 @@
 Changes with Apache 2.0.50
+ *) SECURITY: CAN-2004-0488 (cve.mitre.org)
+ mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
+ (trusted) client certificate subject DN which exceeds 6K in length.
+ [Joe Orton]
+
+ *) mod_ssl: Log the errors returned on failure to load or initialize
+ a crypto accelerator engine. [Joe Orton]
+
 *) Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines , André Malo]
diff --git a/STATUS b/STATUS
index f3779235d92..d142685a881 100644
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/06/06 22:19:38 $]
+Last modified at [$Date: 2004/06/07 10:18:36 $]
 Release:
@@ -77,24 +77,11 @@ PATCHES TO BACKPORT FROM 2.1
 PR: 29318 +1: jorton, trawick, nd - *) mod_ssl: Fix buffer overflow in FakeBasicAuth support (CVE CAN-2004-0488) - http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106 - +1: jorton, nd, trawick - *) mod_ssl: Remove some unused functions (after CAN-2004-0488 fix is applied) http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_util.c?r1=1.46&r2=1.47 +1: jorton, nd trawick: need changes to mod_ssl.h to remove prototypes for those removed functions - *) mod_ssl: Fix a GCC strict-aliasing warning. - http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_config.c?r1=1.90&r2=1.91 - +1: jorton, nd, trawick - - *) mod_ssl: Cleanups and fixes for mod_ssl logging. - http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.124&r2=1.125 - http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_log.c?r1=1.31&r2=1.28 - +1: jorton, nd, trawick - *) Enable the option to support anonymous shared memory in mod_ldap. This makes the cache work on Linux again. modules/experimental/util_ldap.c r1.30
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index e476b5abec3..2fecd7a72de 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -39,12 +39,11 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 {
 apr_pool_t *pool = s->process->pool;
 SSLModConfigRec *mc;
+ void *vmc;
- apr_pool_userdata_get((void **)&mc, SSL_MOD_CONFIG_KEY,
- pool);
-
- if (mc) {
- return mc; /* reused for lifetime of the server */
+ apr_pool_userdata_get(&vmc, SSL_MOD_CONFIG_KEY, pool);
+ if (vmc) {
+ return vmc; /* reused for lifetime of the server */
 }
 /*
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index f1c0e3bd8da..7f5e3e78a7c 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
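Review bot: `void *vmc;` is left uninitialized and the `apr_status_t` returned by `apr_pool_userdata_get(&vmc, SSL_MOD_CONFIG_KEY, pool)` is discarded, so if that lookup ever returns without storing into `vmc` the following `if (vmc)` tests an indeterminate pointer. Initialising it, `void *vmc = NULL;`, closes that gap at no cost and keeps the fall-through-to-allocate path well-defined; checking the returned status would be stricter still. The body of `ssl_config_global_create` continues past the hunk.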
@@ -326,6 +326,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Failed to load Crypto Device API `%s'", mc->szCryptoDevice);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
 ssl_die();
 }
@@ -337,6 +338,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Failed to enable Crypto Device API `%s'", mc->szCryptoDevice);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
 ssl_die();
 }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 25614bdbeb6..0dae04da1e0 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -793,7 +793,6 @@ int ssl_hook_UserCheck(request_rec *r)
 SSLConnRec *sslconn = myConnConfig(r->connection);
 SSLSrvConfigRec *sc = mySrvConfig(r->server);
 SSLDirConfigRec *dc = myDirConfig(r);
- char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
 char *clientdn;
 const char *auth_line, *username, *password;
@@ -872,14 +871,16 @@ int ssl_hook_UserCheck(request_rec *r)
 * adding the string "xxj31ZMTZzkVA" as the password in the user file.
 * This is just the crypted variant of the word "password" ;-)
 */
- apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
- ssl_util_uuencode(buf2, buf1, FALSE);
-
- apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
- apr_table_set(r->headers_in, "Authorization", buf1);
+ auth_line = apr_pstrcat(r->pool, "Basic ",
+ ap_pbase64encode(r->pool,
+ apr_pstrcat(r->pool, clientdn,
+ ":password", NULL)),
+ NULL);
+ apr_table_set(r->headers_in, "Authorization", auth_line);
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
+ "Faking HTTP Basic Auth header: \"Authorization: %s\"",
+ auth_line);
 return DECLINED;
 }
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index 0c15fd2926c..fc3596845cf 100644
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
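Review bot: The added `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);` reads the OpenSSL error queue through `ERR_get_error()` (see the `ssl_log_ssl_error` hunk of `ssl_engine_log.c` on this page), which removes each entry as it is logged, so any OpenSSL call slipped in between the failed engine operation and this line would lose or muddle the diagnostic. A one-line comment above the call would protect that ordering: `/* log (and drain) the OpenSSL error queue before ssl_die() */`. The same applies to the identical insertion in the `@@ -337,6 +338,7 @@` hunk. `ssl_init_Engine` begins and ends outside both hunks.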
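Review bot: The nested `apr_pstrcat(... ap_pbase64encode(... apr_pstrcat(...)))` expression that builds `auth_line` is hard to read and leaves the security-relevant reason for the rewrite unstated in the code; splitting it into `const char *userpass = apr_pstrcat(r->pool, clientdn, ":password", NULL);` and `auth_line = apr_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, userpass), NULL);` with `/* pool-allocated: the DN comes from the client certificate and has no fixed upper bound (CAN-2004-0488) */` above them would document why no fixed-size buffer is used here. Reusing `auth_line` (declared alongside `username` and `password` in the `@@ -793,7 +793,6 @@` hunk) for the synthesized header is presumably harmless, but a distinct name would make clear it no longer refers to the request's own header. `ssl_hook_UserCheck` begins before this hunk.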
@@ -34,9 +34,9 @@
 ** _________________________________________________________________ */
-static struct {
- char *cpPattern;
- char *cpAnnotation;
+static const struct {
+ const char *cpPattern;
+ const char *cpAnnotation;
 } ssl_log_annotate[] = {
 { "*envelope*bad*decrypt*", "wrong pass phrase!?" },
 { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },
@@ -51,19 +51,15 @@ static struct {
 { NULL, NULL }
 };
-static char *ssl_log_annotation(char *error)
+static const char *ssl_log_annotation(const char *error)
 {
- char *errstr;
- int i;
+ int i = 0;
- errstr = NULL;
- for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) {
- if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) {
- errstr = ssl_log_annotate[i].cpAnnotation;
- break;
- }
- }
- return errstr;
+ while (ssl_log_annotate[i].cpPattern != NULL
+ && ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) != 0)
+ i++;
+
+ return ssl_log_annotate[i].cpAnnotation;
 }
 void ssl_die(void)
@@ -84,19 +80,20 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
 unsigned long e;
 while ((e = ERR_get_error())) {
- char err[256], *annotation;
+ const char *annotation;
+ char err[256];
 ERR_error_string_n(e, err, sizeof err);
 annotation = ssl_log_annotation(err);
 if (annotation) {
 ap_log_error(file, line, level, 0, s,
- "SSL Library Error: %ld %s %s",
+ "SSL Library Error: %lu %s %s",
 e, err, annotation);
 } else {
 ap_log_error(file, line, level, 0, s,
- "SSL Library Error: %ld %s",
+ "SSL Library Error: %lu %s",
 e, err);
 }
 }
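Review bot: The rewritten `ssl_log_annotation` returns NULL for an unmatched error only because the `while` loop runs past the last real pattern onto the `{ NULL, NULL }` terminator shown at the top of the hunk and hands back that entry's `cpAnnotation`; nothing in the function says so, and a later table edit that drops the terminator or gives it a non-NULL annotation would turn the loop into an out-of-bounds read or a wrong annotation. A comment above the loop would pin the invariant: `/* Stop at the first matching pattern or at the { NULL, NULL } terminator, whose NULL annotation doubles as the "no match" result. */`. The function lies wholly within the hunk; the `const` changes in the `@@ -34,9 +34,9 @@` hunk and the `%lu` fix in `@@ -84,19 +80,20 @@` look right.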