Fix SEGV in 'shmcb' session cache:
When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.
In the newer versions of OpenSSL, the flag SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.
Joe Orton [Sat, 6 Mar 2004 16:47:41 +0000 (16:47 +0000)]
Fix use of mod_ssl as a DSO linked against static SSL libraries; also
stop linking all of support/* against the SSL libraries:
* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.
* support/Makefile.in: Link ab against SSL_LIBS.
* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.
Allow the enabled flag to be set to more than just TRUE or FALSE so that
the OPTIONAL flag can be correctly merged within the
ssl_config_server_merge() function.
Allow the enabled flag to be set to more that just TRUE or FALSE so that
the OPTIONAL flag is correctly merged within the
ssl_config_server_merge() function.
Joe Orton [Thu, 4 Mar 2004 20:39:53 +0000 (20:39 +0000)]
* modules/ssl/ssl_engine_vars (ssl_var_lookup): const'ify result and
drop a bunch of casts; use apr_table_get directly in place of
ssl_var_lookup_header.
(ssl_var_lookup_header): Remove function.
Joe Orton [Thu, 4 Mar 2004 13:42:09 +0000 (13:42 +0000)]
* modules/ssl/ssl_engine_vars (ssl_var_lookup): Optimise such that
lookup of SSL_* variables (the common case) requires 2 rather than 29
strcasecmp calls before getting to ssl_var_lookup_ssl().
Joe Orton [Sat, 28 Feb 2004 22:56:01 +0000 (22:56 +0000)]
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): For a DN
which includes several RDNs with the same OID, allow lookup of any
particular RDN using an "_<n>" suffix on the name.
Send the 'Close Alert' message to the peer upon closing a SSL session. This
required creating a new EOC (End-Of-Connection) bucket type to notify mod_ssl
that the connection is about to be closed.
Joe Orton [Fri, 23 Jan 2004 16:50:24 +0000 (16:50 +0000)]
* modules/ssl/ssl_engine_io.c (ssl_io_filter_output): Use non-blocking
bucket reads whilst data remains available; flush when a read returns
EAGAIN. Fixes streaming nph- CGI scripts over SSL.
Joe Orton [Tue, 25 Nov 2003 13:10:09 +0000 (13:10 +0000)]
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Only call
ssl_var_lookup_ssl for a real SSL connection; fix lookup of "HTTPS"
for non-SSL connections.
(ssl_var_log_handler_x): Give results for non-SSL connections too;
e.g. %{HTTPS}x does the right thing.
Joe Orton [Tue, 25 Nov 2003 12:35:45 +0000 (12:35 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.
Simplify includes - we always (in HTTPD 2.1 forward) are looking
for the openssl/foo.h headers explicitly. Fix the abs.dsp build
to define HAVE_OPENSSL instead of USE_SSL so the correct headers
are included upfront.
Cliff Woolley [Tue, 12 Aug 2003 20:58:53 +0000 (20:58 +0000)]
Make mod_ssl consistent with itself when you have a halfass install of
openssl-engine (ie, you're missing the headers). ssl_cmd_SSLCryptoDevice()
is thrown away by the preprocessor if you're missing the header, so the
call to it should have the same condition applied. otherwise, mod_ssl
will fail to link.
Sander Striker [Thu, 7 Aug 2003 23:57:11 +0000 (23:57 +0000)]
Add an error msg when encountering a spoofed identity. If this would
have been here in the first place. Makes issues like these be found
easier in the future.
The fix is to make mod_ssl's check_user_id hook stop tripping
over it's own checks in case of a subrequest. That is, it
should DECLINE in case of a subrequest.
Although we initialize mc->pid in the child init phase,
we haven't initialized it before initially performing
our ssl_rand_seed() in the parent/postconfig phase.
Joe Orton [Mon, 21 Jul 2003 12:02:40 +0000 (12:02 +0000)]
Prevent segfaults after SSL renegotiation failures.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.
* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.
PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton
SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one. [Ben Laurie]
Reaction to Jeff Trawick's observations that we are double-initializing
dynalinked OpenSSL Engines and Configs. Move the library teardown code
so that it is torn down in the proper order, corresponding to when the
library itself was initialized. And leave a little reminder that some
memory diagnostics would be good if OpenSSL is built for malloc debugging.
Jeff Trawick [Sat, 7 Jun 2003 19:50:01 +0000 (19:50 +0000)]
Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex.
This resolves a fatal problem with mod_rewrite on systems where
APR uses flock-based mutex.
It simplifies mod_ssl as well, which had special logic to perform
the chown(). It fixed an init error with mod_ssl on systems where
flock is used when the user had no SSLMutex directive.
The Unix MPMs continue to call unixd_set_global|proc_mutex_perms()
only for SysV sems. There is no permission problem with flock-based
accept mutexes since the child init logic for the MPMs is done
prior to switching identity.
The right patch (thanks to Eric for identifying the wrong patch) to move
SSL_library_init() into the register hooks phase. OpenSSL_add_ssl_algorithms
devolves to SSL_library_init, which is the same for most toolkits (and would
be accomodated in ssl_toolkit_config.h if not.)
OpenSSL_add_all_algorithms is simply an alias for SSL_load_library.
Note that the entire schema of what-we-load-how follows from
OpenSSL 0.9.7's own apps/ example applications. More review
is greatly desired, but that's where I believed I should
start looking for the 'correct' order of operations.
Provide a far more useful explanation when SSLCryptoDevice fails to
find a device. Still would be nice to implement dynamic:{options}
but this gets us to display the usual, builtin devices.
We now load builtin engines up front, in the pre_config phase, because
this and any other config cmd processor must have an already valid
library config. So loading builtin engines becomes redundant in this
cmd handler.
Solve a pretty horrific bug in SSLCryptoDevice and other places where
the config cmd processors should be examining the SSL context. We must
initialize the SSL library before we can actually obtain any useful
information from the SSL library.
Based on list discussion between myself and Geoff, it seems prudent
to check for both the existence of the openssl/engine.h header file
and some 'expected function' such as ENGINE_init() (better suggestions
are welcome.) Also clear up some confusion; so long as we have
ENGINE_load_builtin_engines() we should attempt to preload those.
This patch protects all ENGINE-based code within the tests for the
engine header and function, and changes a version test into a
function test.
The patch below reverts the prior commit to eliminate SSL_set_state().
Some additional work or research is required in order to pass the
perl-framework regressions, but I don't have the cycles and don't
care to leave the broken code in cvs HEAD.
REVERTING: wrowe 2003/05/19 08:13:19
Modified: modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c
ssl_toolkit_compat.h
Log:
Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
rehandshaking the SSL connection, vis-a-vis ApacheSSL.
Assure that we block on the read BIO when we invoke the read BIO for both
first-use cases (via ssl_io_input_add_filter) and when we are writing and
need response from the client (via ssl_io_filter_output). Both of these
cases are always blocking. [
PR: 19242
Submitted by: David Deaves <David.Deaves@dd.id.au>, William Rowe
Solve SSL-C breakage introduced in mod_ssl.h rev 1.129 and
ssl_engine_kernel.c rev 1.88. SSL* is not const under SSL-C.
I've confirmed Jeff's comment that the original patch doesn't harm
earlier OpenSSL versions which declared no arguments at all.
I suspect now that we could fold
#define MODSSL_BIO_CB_ARG_TYPE const char
#define MODSSL_CRYPTO_CB_ARG_TYPE const char
#define MODSSL_INFO_CB_ARG_TYPE const SSL*
into a single MODSSL_CB_ARG_CONST define, but this works for now.
Reapply the fix *intended* by rev 1.79 in a safer manner. Prior to
all assignments and the final SSL_free(), free ssl_conn->client_cert
to avoid leaks of this refcounted X509*. Prereleasing refcounted
objects is unsafe programming; fix applied to both branches.
EVP_PKEY_free() is refcounted on OpenSSL, but NOT under RSA SSL-C.
Eliminate a number of test failures by conditionally reverting rev 1.79
pubkey handling in ssl_engine_kernel.c, except under OpenSSL.
Also revert a rev 1.79 bogisity for all toolkits; it's entirely bogus
to release a refcount after setting aside the results in a persistant
structure, in this case sslconn->client_cert from SSL_get_peer_certificate()
mustn't be freed while sslconn is still in play. The proper patch (not
written yet) is to invoke the X509_free(sslconn->client_cert) when we
cleanup the sslconn structure.
projects / thirdparty / apache / httpd.git / log
