On Wed, Dec 16, 2009 at 11:08 AM, <[email protected]> wrote:
> Author: jorton
> Date: Wed Dec 16 16:08:34 2009
> New Revision: 891284
>
> URL: http://svn.apache.org/viewvc?rev=891284&view=rev
> Log:
> - add test case for a prefix attack which attempts
> to inject additional requests beyond the
> renegotiation.
>
> Added:
> httpd/test/framework/trunk/t/security/CVE-2009-3555.t
>
> Added: httpd/test/framework/trunk/t/security/CVE-2009-3555.t
> URL:
> http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2009-3555.t?rev=891284&view=auto
> ==============================================================================
> --- httpd/test/framework/trunk/t/security/CVE-2009-3555.t (added)
> +++ httpd/test/framework/trunk/t/security/CVE-2009-3555.t Wed Dec 16 16:08:34
> 2009
> @@ -0,0 +1,60 @@
> +use strict;
> +use warnings FATAL => 'all';
> +
> +use Apache::Test;
> +use Apache::TestRequest;
> +use Apache::TestUtil;
> +
> +plan tests => 4, need 'ssl';
> +
> +# This test case attempts only one type of attack which is possible
> +# due to the TLS renegotiation vulnerability, CVE-2009-3555. A
> +# specific defense against this attack was added to mod_ssl in
> +# r891282. For more information, see the d...@httpd thread beginning
> +# at message ID <[email protected]>.
> +
> +Apache::TestRequest::set_client_cert("client_ok");
> +
> +Apache::TestRequest::module('mod_ssl');
> +
> +my $sock = Apache::TestRequest::vhost_socket('mod_ssl');
> +ok $sock && $sock->connected;
> +
> +
> +my $req = "GET /require/asf/ HTTP/1.1\r\n".
> + "Host: " . Apache::TestRequest::hostport() . "\r\n".
> + "\r\n".
> + "GET /this/is/a/prefix/injection/attack HTTP/1.0\r\n".
> + "\r\n";
> +
> +ok $sock->print($req);
> +
> +my $line = Apache::TestRequest::getline($sock) || '';
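Review bot: the socket check at `ok $sock && $sock->connected;` only records a result, and `$sock->print($req)` runs regardless, so if `vhost_socket` returns nothing the script dies on a method call against an undefined value instead of reporting clean failures. Consider skipping the remaining tests when the socket is not connected, so that the count declared in `plan tests => 4` is still accounted for.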
With 0.9.8l, the client busy-loops here, repeating this sequence:
alarm(600) = 0
alarm(0) = 600
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL}, {0x809aad0, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {0x809aad0, [], 0}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
(It seems that 600 is the read timeout.)
This resolves the loop for me:
Index: Apache-Test/lib/Apache/TestRequest.pm
===================================================================
--- Apache-Test/lib/Apache/TestRequest.pm (revision 895795)
+++ Apache-Test/lib/Apache/TestRequest.pm (working copy)
@@ -303,7 +303,7 @@
do {
$self->read($c, 1);
$buf .= $c;
- } until ($c eq "\n");
+ } until ($c eq "\n" || $c eq "");
$buf;
},
);
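Review bot: the new `$c eq ""` test on the `until` line infers end-of-stream from the buffer while the return value of `$self->read($c, 1)` is still discarded, so the loop only exits if read leaves `$c` empty on every EOF and error path. Checking the return value directly and leaving the loop when it is false would be more explicit. Since `$buf` is returned either way, it would also help to let the caller distinguish a line cut short by EOF from a complete one.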