head 1.3; access; symbols OPENPKG_2_STABLE_MP:1.2 OPENPKG_E1_MP_HEAD:1.1 OPENPKG_E1_MP:1.1 OPENPKG_E1_MP_2_STABLE:1.1 OPENPKG_E1_FP:1.1 OPENPKG_2_STABLE_20061018:1.1 OPENPKG_2_STABLE:1.1.0.16 OPENPKG_2_STABLE_BP:1.1 OPENPKG_2_5_SOLID:1.1.0.14 OPENPKG_2_5_SOLID_BP:1.1 OPENPKG_2_4_RELEASE:1.1 OPENPKG_2_4_SOLID:1.1.0.12 OPENPKG_2_4_SOLID_BP:1.1 OPENPKG_2_3_RELEASE:1.1 OPENPKG_2_3_SOLID:1.1.0.10 OPENPKG_2_3_SOLID_BP:1.1 OPENPKG_2_2_RELEASE:1.1 OPENPKG_2_2_SOLID:1.1.0.8 OPENPKG_2_2_SOLID_BP:1.1 OPENPKG_2_1_RELEASE:1.1 OPENPKG_2_1_SOLID:1.1.0.6 OPENPKG_2_1_SOLID_BP:1.1 OPENPKG_1_3_SOLID:1.1.0.4 OPENPKG_2_0_SOLID:1.1.0.2; locks; strict; comment @# @; 1.3 date 2007.06.22.10.54.02; author rse; state dead; branches; next 1.2; commitid ZbFoU2hEtnBxHTms; 1.2 date 2007.03.13.16.42.48; author cs; state Exp; branches; next 1.1; commitid jG9pxzk9HsptSW9s; 1.1 date 2004.05.27.13.28.19; author rse; state dead; branches 1.1.2.1 1.1.4.1 1.1.6.1 1.1.10.1 1.1.12.1 1.1.16.1; next ; 1.1.2.1 date 2004.05.27.13.28.19; author rse; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2004.07.16.09.55.21; author rse; state Exp; branches; next 1.1.2.3; 1.1.2.3 date 2004.10.15.13.58.19; author rse; state Exp; branches; next ; 1.1.4.1 date 2004.05.27.13.33.09; author rse; state Exp; branches; next 1.1.4.2; 1.1.4.2 date 2004.07.16.10.02.06; author rse; state Exp; branches; next ; 1.1.6.1 date 2004.07.16.09.47.04; author rse; state Exp; branches; next 1.1.6.2; 1.1.6.2 date 2004.10.15.14.00.48; author rse; state Exp; branches; next ; 1.1.10.1 date 2005.09.02.21.17.20; author rse; state Exp; branches; next ; 1.1.12.1 date 2005.09.02.21.14.51; author rse; state Exp; branches; next ; 1.1.16.1 date 2007.03.18.23.30.37; author thl; state Exp; branches; next ; commitid j886gsownDQWXCas; desc @@ 1.3 log @new OpenPKG world order: upgrade from Apache 1.3 to 2.2 (part 1/3: updated/new packages) @ text @Index: pkg.sslmod/mod_ssl.h --- pkg.sslmod/mod_ssl.h.orig 2006-05-08 09:15:38 +0200 +++ pkg.sslmod/mod_ssl.h 
2007-03-13 17:03:24 +0100 @@@@ -290,6 +290,9 @@@@ #if defined(USE_SYSVSEM_SERIALIZED_ACCEPT) ||\ (defined(__FreeBSD__) && defined(__FreeBSD_version) &&\ __FreeBSD_version >= 300000) ||\ + (defined(__NetBSD__) && defined(__NetBSD_Version__) &&\ + __NetBSD_Version__ >= 105000000) ||\ + defined(__OpenBSD__) ||\ (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) &&\ LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\ defined(SOLARIS2) || defined(__hpux) ||\ @ 1.2 log @enable SysV IPC semaphore based mutexes on NetBSD >= 1.5 and OpenBSD @ text @@ 1.1 log @file apache.patch.modssl was initially added on branch OPENPKG_2_0_SOLID. @ text @d1 13 @ 1.1.16.1 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @a0 13 Index: pkg.sslmod/mod_ssl.h --- pkg.sslmod/mod_ssl.h.orig 2006-05-08 09:15:38 +0200 +++ pkg.sslmod/mod_ssl.h 2007-03-13 17:03:24 +0100 @@@@ -290,6 +290,9 @@@@ #if defined(USE_SYSVSEM_SERIALIZED_ACCEPT) ||\ (defined(__FreeBSD__) && defined(__FreeBSD_version) &&\ __FreeBSD_version >= 300000) ||\ + (defined(__NetBSD__) && defined(__NetBSD_Version__) &&\ + __NetBSD_Version__ >= 105000000) ||\ + defined(__OpenBSD__) ||\ (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) &&\ LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\ defined(SOLARIS2) || defined(__hpux) ||\ @ 1.1.10.1 log @fix security issue (CAN-2005-2700) @ text @a0 14 Index: pkg.sslmod/ssl_engine_kernel.c --- pkg.sslmod/ssl_engine_kernel.c 6 Jul 2005 08:34:19 -0000 1.111 +++ pkg.sslmod/ssl_engine_kernel.c 2 Sep 2005 20:57:47 -0000 1.112 @@@@ -868,8 +868,8 @@@@ && (nVerify != SSL_VERIFY_NONE)) || ( !(nVerifyOld & SSL_VERIFY_PEER) && (nVerify & SSL_VERIFY_PEER)) - || ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) - && (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) { + || ( !(nVerifyOld & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) + && (nVerify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { renegotiate = TRUE; /* optimization 
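Review bot: The added NetBSD clause in the `#if` chain carries the bare number 105000000 with nothing in the hunk saying which release it stands for, whereas the neighbouring FreeBSD and glibc clauses are at least readable from their macro names. The revision 1.2 log records that SysV IPC semaphores become usable for accept serialization from NetBSD 1.5, so that knowledge should sit with the code, as a comment line placed immediately before the `#if` block: `/* SysV semaphore accept mutex: NetBSD >= 1.5 (105000000), any OpenBSD */`. The identical hunk is repeated in revision 1.1.16.1 and should carry the same comment.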
*/ if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE @ 1.1.12.1 log @fix security issue (CAN-2005-2700) @ text @a0 14 Index: pkg.sslmod/ssl_engine_kernel.c --- pkg.sslmod/ssl_engine_kernel.c 6 Jul 2005 08:34:19 -0000 1.111 +++ pkg.sslmod/ssl_engine_kernel.c 2 Sep 2005 20:57:47 -0000 1.112 @@@@ -868,8 +868,8 @@@@ && (nVerify != SSL_VERIFY_NONE)) || ( !(nVerifyOld & SSL_VERIFY_PEER) && (nVerify & SSL_VERIFY_PEER)) - || ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) - && (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) { + || ( !(nVerifyOld & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) + && (nVerify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { renegotiate = TRUE; /* optimization */ if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE @ 1.1.6.1 log @fix format string vulnerability @ text @a0 15 Fix Format String Vulnerability. Index: pkg.sslmod/ssl_engine_ext.c =================================================================== --- pkg.sslmod/ssl_engine_ext.c 11 May 2004 18:44:55 -0000 1.41 +++ pkg.sslmod/ssl_engine_ext.c 16 Jul 2004 09:10:37 -0000 1.42 @@@@ -524,7 +524,7 @@@@ #endif errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s", cpVHostID, peer, ERR_reason_error_string(ERR_get_error())); - ssl_log(r->server, SSL_LOG_ERROR, errmsg); + ssl_log(r->server, SSL_LOG_ERROR, "%s", errmsg); SSL_free(ssl); ap_ctx_set(fb->ctx, "ssl", NULL); return errmsg; @ 1.1.6.2 log @Fix SSL Renegotiation Vulnerability (CAN-2004-0885) @ text @d4 1 a15 56 ----------------------------------------------------------------------------- Fix SSL Renegotiation Vulnerability (CAN-2004-0885). Index: pkg.sslmod/ssl_engine_init.c --- pkg.sslmod/ssl_engine_init.c 11 May 2004 19:16:39 -0000 1.74 +++ pkg.sslmod/ssl_engine_init.c 15 Oct 2004 13:26:55 -0000 1.75 @@@@ -603,6 +603,14 @@@@ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); /* + * Disallow a session from being resumed during a renegotiation, + * so that an acceptable cipher suite can be negotiated. 
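Review bot: The rewritten renegotiation trigger still tests each verify flag in its own hand-written `||` clause, which is exactly the shape that produced the old defect: `!(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT))` was false whenever PEER was already set, so tightening a directory to FAIL_IF_NO_PEER_CERT never forced a new handshake. The two per-flag clauses could be collapsed into a single "newly set strict bit" test that cannot miss a flag, `|| (nVerify & ~nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT))`, with a one-line comment stating that any transition to a stricter verify mode must re-run the handshake. The enclosing function begins outside the hunk; the same change appears again in revision 1.1.12.1 on this line.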
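Review bot: The `"%s"` added to the `ssl_log()` call closes this one site, but `errmsg` is still handed back on the `return errmsg;` line, so nothing prevents a caller from feeding it into a format argument again. Declaring `ssl_log()` with `__attribute__((format(printf, 3, 4)))` on its prototype (the format string is its third parameter, as this call shows) lets the compiler reject the original pattern at every call site, and building with `-Wformat-security` flags any remaining non-literal format. The prototype lives outside this hunk; the identical fix is repeated in revisions 1.1.4.2 and 1.1.2.2.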
+ */ +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif + + /* * Configure callbacks for SSL context */ nVerify = SSL_VERIFY_NONE; Index: pkg.sslmod/ssl_engine_kernel.c --- pkg.sslmod/ssl_engine_kernel.c 27 May 2004 13:13:52 -0000 1.108 +++ pkg.sslmod/ssl_engine_kernel.c 15 Oct 2004 13:26:55 -0000 1.110 @@@@ -672,7 +672,7 @@@@ X509_STORE_CTX certstorectx; int depth; STACK_OF(SSL_CIPHER) *skCipherOld; - STACK_OF(SSL_CIPHER) *skCipher; + STACK_OF(SSL_CIPHER) *skCipher = NULL; SSL_CIPHER *pCipher; ap_ctx *apctx; int nVerifyOld; @@@@ -1067,6 +1067,20 @@@@ if (cert != NULL) X509_free(cert); } + + /* + * Also check that SSLCipherSuite has been enforced as expected + */ + if (skCipher != NULL) { + pCipher = SSL_get_current_cipher(ssl); + if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) { + ssl_log(r->server, SSL_LOG_ERROR, + "SSL cipher suite not renegotiated: " + "access to %s denied using cipher %s", + r->filename, SSL_CIPHER_get_name(pCipher)); + return FORBIDDEN; + } + } } /* @ 1.1.4.1 log @apply security bugfix (CAN-2004-0488) @ text @a0 38 Security Fix (CAN-2004-0488) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation if the Subject-DN in the client certificate exceeds 6KB in length. 
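Review bot: The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard makes the session-resumption half of the mitigation vanish silently when OpenSSL predates that option, leaving only the post-renegotiation cipher check in ssl_engine_kernel.c to enforce a per-directory SSLCipherSuite, with no build-time sign that this happened. An `#else` branch recording the dependency would tell whoever builds against an older library what they are relying on: `#else` / `#warning "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION unavailable: SSLCipherSuite enforcement relies solely on the post-renegotiation cipher check"` / `#endif` (`#warning` is a common extension; a comment alone would do where it is unavailable). The same hunk recurs in revision 1.1.2.3.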
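Review bot: The new block passes `pCipher` to `sk_SSL_CIPHER_find(skCipher, pCipher)` without checking it, and `SSL_get_current_cipher()` returns NULL when no cipher has been negotiated on the connection; whether the stack compare tolerates a NULL entry is not visible here, so the safer shape treats a missing cipher as a failed check: `if (pCipher == NULL || sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {`. The log line on that path stays valid, since OpenSSL documents `SSL_CIPHER_get_name(NULL)` as returning "(NONE)". The comment above the block should also say why the check exists — the renegotiated handshake may have carried over the old session and cipher — rather than only "as expected". The enclosing function begins in the earlier hunk and ends outside this one; revision 1.1.2.3 carries the same hunk.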
Index: src/modules/ssl/ssl_engine_kernel.c =================================================================== RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v retrieving revision 1.143 diff -u -d -r1.143 ssl_engine_kernel.c --- src/modules/ssl/ssl_engine_kernel.c 11 May 2004 18:44:15 -0000 1.143 +++ src/modules/ssl/ssl_engine_kernel.c 27 May 2004 12:29:16 -0000 @@@@ -1136,7 +1136,6 @@@@ { SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); - char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN]; char *clientdn; const char *cpAL; const char *cpUN; @@@@ -1197,12 +1196,11 @@@@ * adding the string "xxj31ZMTZzkVA" as the password in the user file. * This is just the crypted variant of the word "password" ;-) */ - ap_snprintf(b1, sizeof(b1), "%s:password", clientdn); - ssl_util_uuencode(b2, b1, FALSE); - ap_snprintf(b1, sizeof(b1), "Basic %s", b2); - ap_table_set(r->headers_in, "Authorization", b1); + cpAL = ap_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, + ap_pstrcat(r->pool, clientdn, ":password", NULL)), NULL); + ap_table_set(r->headers_in, "Authorization", cpAL); ssl_log(r->server, SSL_LOG_INFO, - "Faking HTTP Basic Auth header: \"Authorization: %s\"", b1); + "Faking HTTP Basic Auth header: \"Authorization: %s\"", cpAL); return DECLINED; } @ 1.1.4.2 log @fix format string vulnerability @ text @d7 4 a38 16 ----------------------------------------------------------------------------- Fix Format String Vulnerability. 
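Review bot: The `ssl_log()` call at SSL_LOG_INFO now writes the complete synthesized header value, `Authorization: Basic <base64>`, into the error log, which is a ready-to-use credential for any location that honours FakeBasicAuth; the DN conveys the same diagnostic information without placing a working header in the log, e.g. `"Faking HTTP Basic Auth header for client DN \"%s\"", clientdn`. The move from the two MAX_STRING_LEN stack buffers to pool allocation itself looks right and removes the 6KB limit the description names. The function's signature sits just above the first hunk and its end beyond the second; revision 1.1.2.1 repeats both hunks.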
Index: src/modules/ssl/ssl_engine_ext.c --- src/modules/ssl/ssl_engine_ext.c 11 May 2004 18:44:15 -0000 1.50 +++ src/modules/ssl/ssl_engine_ext.c 16 Jul 2004 08:31:18 -0000 1.51 @@@@ -524,7 +524,7 @@@@ #endif errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s", cpVHostID, peer, ERR_reason_error_string(ERR_get_error())); - ssl_log(r->server, SSL_LOG_ERROR, errmsg); + ssl_log(r->server, SSL_LOG_ERROR, "%s", errmsg); SSL_free(ssl); ap_ctx_set(fb->ctx, "ssl", NULL); return errmsg; @ 1.1.2.1 log @apply security bugfix (CAN-2004-0488) @ text @a0 38 Security Fix (CAN-2004-0488) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation if the Subject-DN in the client certificate exceeds 6KB in length. Index: src/modules/ssl/ssl_engine_kernel.c =================================================================== RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v retrieving revision 1.143 diff -u -d -r1.143 ssl_engine_kernel.c --- src/modules/ssl/ssl_engine_kernel.c 11 May 2004 18:44:15 -0000 1.143 +++ src/modules/ssl/ssl_engine_kernel.c 27 May 2004 12:29:16 -0000 @@@@ -1139,7 +1139,6 @@@@ { SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); - char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN]; char *clientdn; const char *cpAL; const char *cpUN; @@@@ -1200,12 +1199,11 @@@@ * adding the string "xxj31ZMTZzkVA" as the password in the user file. 
* This is just the crypted variant of the word "password" ;-) */ - ap_snprintf(b1, sizeof(b1), "%s:password", clientdn); - ssl_util_uuencode(b2, b1, FALSE); - ap_snprintf(b1, sizeof(b1), "Basic %s", b2); - ap_table_set(r->headers_in, "Authorization", b1); + cpAL = ap_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, + ap_pstrcat(r->pool, clientdn, ":password", NULL)), NULL); + ap_table_set(r->headers_in, "Authorization", cpAL); ssl_log(r->server, SSL_LOG_INFO, - "Faking HTTP Basic Auth header: \"Authorization: %s\"", b1); + "Faking HTTP Basic Auth header: \"Authorization: %s\"", cpAL); return DECLINED; } @ 1.1.2.2 log @fix format string vulnerability @ text @d7 4 a38 16 ----------------------------------------------------------------------------- Fix Format String Vulnerability. Index: src/modules/ssl/ssl_engine_ext.c --- src/modules/ssl/ssl_engine_ext.c 11 May 2004 18:44:15 -0000 1.50 +++ src/modules/ssl/ssl_engine_ext.c 16 Jul 2004 08:31:18 -0000 1.51 @@@@ -524,7 +524,7 @@@@ #endif errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s", cpVHostID, peer, ERR_reason_error_string(ERR_get_error())); - ssl_log(r->server, SSL_LOG_ERROR, errmsg); + ssl_log(r->server, SSL_LOG_ERROR, "%s", errmsg); SSL_free(ssl); ap_ctx_set(fb->ctx, "ssl", NULL); return errmsg; @ 1.1.2.3 log @Fix SSL Renegotiation Vulnerability (CAN-2004-0885) @ text @a50 57 ----------------------------------------------------------------------------- Fix SSL Renegotiation Vulnerability (CAN-2004-0885). Index: src/modules/ssl/ssl_engine_init.c --- src/modules/ssl/ssl_engine_init.c 11 May 2004 19:16:39 -0000 1.74 +++ src/modules/ssl/ssl_engine_init.c 15 Oct 2004 13:26:55 -0000 1.75 @@@@ -603,6 +603,14 @@@@ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); /* + * Disallow a session from being resumed during a renegotiation, + * so that an acceptable cipher suite can be negotiated. 
+ */ +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif + + /* * Configure callbacks for SSL context */ nVerify = SSL_VERIFY_NONE; Index: src/modules/ssl/ssl_engine_kernel.c --- src/modules/ssl/ssl_engine_kernel.c 27 May 2004 13:13:52 -0000 1.108 +++ src/modules/ssl/ssl_engine_kernel.c 15 Oct 2004 13:26:55 -0000 1.110 @@@@ -672,7 +672,7 @@@@ X509_STORE_CTX certstorectx; int depth; STACK_OF(SSL_CIPHER) *skCipherOld; - STACK_OF(SSL_CIPHER) *skCipher; + STACK_OF(SSL_CIPHER) *skCipher = NULL; SSL_CIPHER *pCipher; ap_ctx *apctx; int nVerifyOld; @@@@ -1067,6 +1067,20 @@@@ if (cert != NULL) X509_free(cert); } + + /* + * Also check that SSLCipherSuite has been enforced as expected + */ + if (skCipher != NULL) { + pCipher = SSL_get_current_cipher(ssl); + if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) { + ssl_log(r->server, SSL_LOG_ERROR, + "SSL cipher suite not renegotiated: " + "access to %s denied using cipher %s", + r->filename, SSL_CIPHER_get_name(pCipher)); + return FORBIDDEN; + } + } } /* @