
Commit 41f5965

committed
Backport from HEAD:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer overflow in FakeBasicAuth code if client's subject DN exceeds 6K in length (CVE CAN-2004-0488); switch to using apr-util base64 encoder functions. * modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL error stack contents if engine load/init fails. * modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print an unsigned long. * modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation, ssl_log_ssl_error): const-ify annotation strings and simplify ssl_log_annotation. Reviewed by: André Malo, Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@103867 13f79535-47bb-0310-9956-ffa450edef68
1 parent 489feed commit 41f5965

6 files changed

Lines changed: 37 additions & 43 deletions


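--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,13 @@
 Changes with Apache 2.0.50
 
+*) SECURITY: CAN-2004-0488 (cve.mitre.org)
+mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
+(trusted) client certificate subject DN which exceeds 6K in length.
+[Joe Orton]
+
+*) mod_ssl: Log the errors returned on failure to load or initialize
+a crypto accelerator engine. [Joe Orton]
+
 *) Allow RequestHeader directives to be conditional. PR 27951.
 [Vincent Deffontaines <vincent gryzor.com>, Andr� Malo]
 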

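--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/06/06 22:19:38 $]
+Last modified at [$Date: 2004/06/07 10:18:36 $]
 
 Release:
 
@@ -77,24 +77,11 @@ PATCHES TO BACKPORT FROM 2.1
 PR: 29318
 +1: jorton, trawick, nd
 
-*) mod_ssl: Fix buffer overflow in FakeBasicAuth support (CVE CAN-2004-0488)
-http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106
-+1: jorton, nd, trawick
-
 *) mod_ssl: Remove some unused functions (after CAN-2004-0488 fix is applied)
 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_util.c?r1=1.46&r2=1.47
 +1: jorton, nd
 trawick: need changes to mod_ssl.h to remove prototypes for those removed functions
 
-*) mod_ssl: Fix a GCC strict-aliasing warning.
-http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_config.c?r1=1.90&r2=1.91
-+1: jorton, nd, trawick
-
-*) mod_ssl: Cleanups and fixes for mod_ssl logging.
-http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.124&r2=1.125
-http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_log.c?r1=1.31&r2=1.28
-+1: jorton, nd, trawick
-
 *) Enable the option to support anonymous shared memory in mod_ldap.
 This makes the cache work on Linux again.
 modules/experimental/util_ldap.c r1.30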

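--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -39,12 +39,11 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 {
 apr_pool_t *pool = s->process->pool;
 SSLModConfigRec *mc;
+void *vmc;
 
-apr_pool_userdata_get((void **)&mc, SSL_MOD_CONFIG_KEY,
-pool);
-
-if (mc) {
-return mc; /* reused for lifetime of the server */
+apr_pool_userdata_get(&vmc, SSL_MOD_CONFIG_KEY, pool);
+if (vmc) {
+return vmc; /* reused for lifetime of the server */
 }
 
 /*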
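Review bot: The `void *vmc` temporary in ssl_config_global_create carries no comment saying why it exists, so a later cleanup could fold it back into the `(void **)&mc` cast that was just removed. I would add `/* void * temporary: passing (void **)&mc violates strict-aliasing rules */` above the declaration. The rest of the function, including where `mc` is allocated and registered under SSL_MOD_CONFIG_KEY, lies outside this hunk.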

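--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -326,6 +326,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
 "Init: Failed to load Crypto Device API `%s'",
 mc->szCryptoDevice);
+ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
 ssl_die();
 }
 
@@ -337,6 +338,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
 "Init: Failed to enable Crypto Device API `%s'",
 mc->szCryptoDevice);
+ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
 ssl_die();
 }
 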
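Review bot: Stale entries on the OpenSSL error queue would be reported by the added `ssl_log_ssl_error()` calls as if they came from the engine load or enable failure, because that function drains whatever is queued. The code before both hunks is not visible, so this is a possibility rather than a confirmed defect. If nothing earlier in ssl_init_Engine empties the queue, calling `ERR_clear_error();` before the engine lookup would keep the logged stack specific to the failing call. The same applies to the second hunk.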

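--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -793,7 +793,6 @@ int ssl_hook_UserCheck(request_rec *r)
 SSLConnRec *sslconn = myConnConfig(r->connection);
 SSLSrvConfigRec *sc = mySrvConfig(r->server);
 SSLDirConfigRec *dc = myDirConfig(r);
-char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
 char *clientdn;
 const char *auth_line, *username, *password;
 
@@ -872,14 +871,16 @@ int ssl_hook_UserCheck(request_rec *r)
 * adding the string "xxj31ZMTZzkVA" as the password in the user file.
 * This is just the crypted variant of the word "password" ;-)
 */
-apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
-ssl_util_uuencode(buf2, buf1, FALSE);
-
-apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
-apr_table_set(r->headers_in, "Authorization", buf1);
+auth_line = apr_pstrcat(r->pool, "Basic ",
+ap_pbase64encode(r->pool,
+apr_pstrcat(r->pool, clientdn,
+":password", NULL)),
+NULL);
+apr_table_set(r->headers_in, "Authorization", auth_line);
 
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
-"Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
+"Faking HTTP Basic Auth header: \"Authorization: %s\"",
+auth_line);
 
 return DECLINED;
 }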
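Review bot: A subject DN containing ':' is still joined unchanged with `":password"`, so whatever decodes the faked Basic header will split user and password at the first colon and see a different pair than intended. The assignment of `clientdn` is outside this hunk, so a check may already exist; if not, reject such DNs before building the header, e.g. `if (ap_strchr_c(clientdn, ':')) return HTTP_FORBIDDEN;`. Separately, the INFO log line writes the complete faked Authorization value, and logging only `clientdn` would keep a decodable credential header out of the error log. The pool-allocated `apr_pstrcat`/`ap_pbase64encode` chain itself removes the fixed-size buffers.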

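--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
@@ -34,9 +34,9 @@
 ** _________________________________________________________________
 */
 
-static struct {
-char *cpPattern;
-char *cpAnnotation;
+static const struct {
+const char *cpPattern;
+const char *cpAnnotation;
 } ssl_log_annotate[] = {
 { "*envelope*bad*decrypt*", "wrong pass phrase!?" },
 { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },
@@ -51,19 +51,15 @@ static struct {
 { NULL, NULL }
 };
 
-static char *ssl_log_annotation(char *error)
+static const char *ssl_log_annotation(const char *error)
 {
-char *errstr;
-int i;
+int i = 0;
 
-errstr = NULL;
-for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) {
-if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) {
-errstr = ssl_log_annotate[i].cpAnnotation;
-break;
-}
-}
-return errstr;
+while (ssl_log_annotate[i].cpPattern != NULL
+&& ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) != 0)
+i++;
+
+return ssl_log_annotate[i].cpAnnotation;
 }
 
 void ssl_die(void)
@@ -84,19 +80,20 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
 unsigned long e;
 
 while ((e = ERR_get_error())) {
-char err[256], *annotation;
+const char *annotation;
+char err[256];
 
 ERR_error_string_n(e, err, sizeof err);
 annotation = ssl_log_annotation(err);
 
 if (annotation) {
 ap_log_error(file, line, level, 0, s,
-"SSL Library Error: %ld %s %s",
+"SSL Library Error: %lu %s %s",
 e, err, annotation);
 }
 else {
 ap_log_error(file, line, level, 0, s,
-"SSL Library Error: %ld %s",
+"SSL Library Error: %lu %s",
 e, err);
 }
 }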
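Review bot: The rewritten ssl_log_annotation() returns `ssl_log_annotate[i].cpAnnotation` for the terminating entry when nothing matches, so its NULL result now depends on the sentinel staying `{ NULL, NULL }`. That coupling deserves a comment above the return, such as `/* no match: i indexes the { NULL, NULL } sentinel, so this yields NULL */`. The `while` body `i++;` is also unbraced, and bracing it would match the braced `if`/`else` blocks in ssl_log_ssl_error. Most of the table lies between the first two hunks and is not visible; the sentinel is confirmed only by the context line.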
