[arch-commits] Commit in apache/trunk (PKGBUILD httpd-2.2.14-CVE-2009-3555.patch)

Jan de Groot jgc at archlinux.org
Sat Mar 6 13:17:39 EST 2010


    Date: Saturday, March 6, 2010 @ 13:17:38
  Author: jgc
Revision: 71325

upgpkg: apache 2.2.14-3
Add patch for CVE-2009-3555 to fix renegotiation issues

Added:
  apache/trunk/httpd-2.2.14-CVE-2009-3555.patch
Modified:
  apache/trunk/PKGBUILD

----------------------------------+
 PKGBUILD                         |    3 
 httpd-2.2.14-CVE-2009-3555.patch |  284 +++++++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2010-03-06 17:46:02 UTC (rev 71324)
+++ PKGBUILD	2010-03-06 18:17:38 UTC (rev 71325)
@@ -28,6 +28,7 @@
         ${_itkurl}/08-max-clients-per-vhost.patch
         ${_itkurl}/09-capabilities.patch
         ${_itkurl}/10-nice.patch
+        httpd-2.2.14-CVE-2009-3555.patch
         apachectl-confd.patch
         apache.conf.d
         httpd.logrotate
@@ -43,6 +44,7 @@
          '9f7a8935f9cabc7b46d0052906634cef'
          '1b28e3363e1b0d05b738a21e7ddd264f'
          'd9667fcd2ffecc63e446edd4d6666731'
+         '65df0a4f22728b84479dd59155ac940c'
          '4ac64df6e019edbe137017cba1ff2f51'
          '08b3c875f6260644f2f52b4056d656b0'
          'f4d627c64024c1b7b95efb5ffbaa625e'
@@ -52,6 +54,7 @@
 build() {
 	cd "${srcdir}/httpd-${pkgver}"
 
+  patch -Np1 -i "${srcdir}/httpd-2.2.14-CVE-2009-3555.patch" || return 1
   patch -Np0 -i "${srcdir}/apachectl-confd.patch" || return 1
 
 	# set default user

Added: httpd-2.2.14-CVE-2009-3555.patch
===================================================================
--- httpd-2.2.14-CVE-2009-3555.patch	                        (rev 0)
+++ httpd-2.2.14-CVE-2009-3555.patch	2010-03-06 18:17:38 UTC (rev 71325)
@@ -0,0 +1,284 @@
+--- httpd-2.2.14/modules/ssl/ssl_engine_init.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_init.c
+@@ -501,10 +501,7 @@ static void ssl_init_ctx_callbacks(serve
+     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
+ 
+-    if (s->loglevel >= APLOG_DEBUG) {
+-        /* this callback only logs if LogLevel >= info */
+-        SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
+-    }
++    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+ }
+ 
+ static void ssl_init_ctx_verify(server_rec *s,
+--- httpd-2.2.14/modules/ssl/ssl_engine_io.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_io.c
+@@ -103,6 +103,7 @@ typedef struct {
+     ap_filter_t        *pInputFilter;
+     ap_filter_t        *pOutputFilter;
+     int                nobuffer; /* non-zero to prevent buffering */
++    SSLConnRec         *config;
+ } ssl_filter_ctx_t;
+ 
+ typedef struct {
+@@ -193,7 +194,13 @@ static int bio_filter_out_read(BIO *bio,
+ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
+ {
+     bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+-
++    
++    /* Abort early if the client has initiated a renegotiation. */
++    if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++        outctx->rc = APR_ECONNABORTED;
++        return -1;
++    }
++    
+     /* when handshaking we'll have a small number of bytes.
+      * max size SSL will pass us here is about 16k.
+      * (16413 bytes to be exact)
+@@ -466,6 +473,12 @@ static int bio_filter_in_read(BIO *bio, 
+     if (!in)
+         return 0;
+ 
++    /* Abort early if the client has initiated a renegotiation. */
++    if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++        inctx->rc = APR_ECONNABORTED;
++        return -1;
++    }
++
+     /* XXX: flush here only required for SSLv2;
+      * OpenSSL calls BIO_flush() at the appropriate times for
+      * the other protocols.
+@@ -1724,6 +1737,8 @@ void ssl_io_filter_init(conn_rec *c, SSL
+ 
+     filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
+ 
++    filter_ctx->config          = myConnConfig(c);
++
+     filter_ctx->nobuffer        = 0;
+     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
+                                                    filter_ctx, NULL, c);
+--- httpd-2.2.14/modules/ssl/ssl_engine_kernel.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_kernel.c
+@@ -729,6 +729,10 @@ int ssl_hook_Access(request_rec *r)
+                                        (unsigned char *)&id,
+                                        sizeof(id));
+ 
++            /* Toggle the renegotiation state to allow the new
++             * handshake to proceed. */
++            sslconn->reneg_state = RENEG_ALLOW;
++            
+             SSL_renegotiate(ssl);
+             SSL_do_handshake(ssl);
+ 
+@@ -750,6 +754,8 @@ int ssl_hook_Access(request_rec *r)
+             SSL_set_state(ssl, SSL_ST_ACCEPT);
+             SSL_do_handshake(ssl);
+ 
++            sslconn->reneg_state = RENEG_REJECT;
++
+             if (SSL_get_state(ssl) != SSL_ST_OK) {
+                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                               "Re-negotiation handshake failed: "
+@@ -1844,76 +1850,55 @@ void ssl_callback_DelSessionCacheEntry(S
+     return;
+ }
+ 
+-/*
+- * This callback function is executed while OpenSSL processes the
+- * SSL handshake and does SSL record layer stuff. We use it to
+- * trace OpenSSL's processing in out SSL logfile.
+- */
+-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++/* Dump debugginfo trace to the log file. */
++static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, 
++                              server_rec *s, int where, int rc)
+ {
+-    conn_rec *c;
+-    server_rec *s;
+-    SSLSrvConfigRec *sc;
+-
+-    /*
+-     * find corresponding server
+-     */
+-    if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
+-        return;
+-    }
+-
+-    s = mySrvFromConn(c);
+-    if (!(sc = mySrvConfig(s))) {
+-        return;
+-    }
+-
+     /*
+      * create the various trace messages
+      */
+-    if (s->loglevel >= APLOG_DEBUG) {
+-        if (where & SSL_CB_HANDSHAKE_START) {
+-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                         "%s: Handshake: start", SSL_LIBRARY_NAME);
+-        }
+-        else if (where & SSL_CB_HANDSHAKE_DONE) {
+-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                         "%s: Handshake: done", SSL_LIBRARY_NAME);
+-        }
+-        else if (where & SSL_CB_LOOP) {
+-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                         "%s: Loop: %s",
+-                         SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+-        }
+-        else if (where & SSL_CB_READ) {
++    if (where & SSL_CB_HANDSHAKE_START) {
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                     "%s: Handshake: start", SSL_LIBRARY_NAME);
++    }
++    else if (where & SSL_CB_HANDSHAKE_DONE) {
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                     "%s: Handshake: done", SSL_LIBRARY_NAME);
++    }
++    else if (where & SSL_CB_LOOP) {
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                     "%s: Loop: %s",
++                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++    }
++    else if (where & SSL_CB_READ) {
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                     "%s: Read: %s",
++                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++    }
++    else if (where & SSL_CB_WRITE) {
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                     "%s: Write: %s",
++                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++    }
++    else if (where & SSL_CB_ALERT) {
++        char *str = (where & SSL_CB_READ) ? "read" : "write";
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                     "%s: Alert: %s:%s:%s",
++                     SSL_LIBRARY_NAME, str,
++                     SSL_alert_type_string_long(rc),
++                     SSL_alert_desc_string_long(rc));
++    }
++    else if (where & SSL_CB_EXIT) {
++        if (rc == 0) {
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                         "%s: Read: %s",
++                         "%s: Exit: failed in %s",
+                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+         }
+-        else if (where & SSL_CB_WRITE) {
++        else if (rc < 0) {
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                         "%s: Write: %s",
++                         "%s: Exit: error in %s",
+                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+         }
+-        else if (where & SSL_CB_ALERT) {
+-            char *str = (where & SSL_CB_READ) ? "read" : "write";
+-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                         "%s: Alert: %s:%s:%s",
+-                         SSL_LIBRARY_NAME, str,
+-                         SSL_alert_type_string_long(rc),
+-                         SSL_alert_desc_string_long(rc));
+-        }
+-        else if (where & SSL_CB_EXIT) {
+-            if (rc == 0) {
+-                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                             "%s: Exit: failed in %s",
+-                             SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+-            }
+-            else if (rc < 0) {
+-                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                             "%s: Exit: error in %s",
+-                             SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+-            }
+-        }
+     }
+ 
+     /*
+@@ -1933,6 +1918,52 @@ void ssl_callback_LogTracingState(MODSSL
+     }
+ }
+ 
++/*
++ * This callback function is executed while OpenSSL processes the SSL
++ * handshake and does SSL record layer stuff.  It's used to trap
++ * client-initiated renegotiations, and for dumping everything to the
++ * log.
++ */
++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++{
++    conn_rec *c;
++    server_rec *s;
++    SSLConnRec *scr;
++
++    /* Retrieve the conn_rec and the associated SSLConnRec. */
++    if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
++        return;
++    }
++
++    if ((scr = myConnConfig(c)) == NULL) {
++        return;
++    }
++
++    /* If the reneg state is to reject renegotiations, check the SSL
++     * state machine and move to ABORT if a Client Hello is being
++     * read. */
++    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
++        int state = SSL_get_state(ssl);
++        
++        if (state == SSL3_ST_SR_CLNT_HELLO_A 
++            || state == SSL23_ST_SR_CLNT_HELLO_A) {
++            scr->reneg_state = RENEG_ABORT;
++            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
++                          "rejecting client initiated renegotiation");
++        }
++    }
++    /* If the first handshake is complete, change state to reject any
++     * subsequent client-initated renegotiation. */
++    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
++        scr->reneg_state = RENEG_REJECT;
++    }
++
++    s = mySrvFromConn(c);
++    if (s && s->loglevel >= APLOG_DEBUG) {
++        log_tracing_state(ssl, c, s, where, rc);
++    }
++}
++
+ #ifndef OPENSSL_NO_TLSEXT
+ /*
+  * This callback function is executed when OpenSSL encounters an extended
+--- httpd-2.2.14/modules/ssl/ssl_private.h.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_private.h
+@@ -356,6 +356,20 @@ typedef struct {
+     int is_proxy;
+     int disabled;
+     int non_ssl_request;
++
++    /* Track the handshake/renegotiation state for the connection so
++     * that all client-initiated renegotiations can be rejected, as a
++     * partial fix for CVE-2009-3555. */
++    enum { 
++        RENEG_INIT = 0, /* Before initial handshake */
++        RENEG_REJECT, /* After initial handshake; any client-initiated
++                       * renegotiation should be rejected */
++        RENEG_ALLOW, /* A server-initated renegotiation is taking
++                      * place (as dictated by configuration) */
++        RENEG_ABORT /* Renegotiation initiated by client, abort the
++                     * connection */
++    } reneg_state;
++    
+     server_rec *server;
+ } SSLConnRec;
+ 
+@@ -574,7 +588,7 @@ int          ssl_callback_proxy_cert(SSL
+ int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
+ void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+-void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
++void         ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
+ #ifndef OPENSSL_NO_TLSEXT
+ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ #endif



More information about the arch-commits mailing list