Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-11-23 Thread John Lightsey
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
> Backport is not totally straightforward, because the original patches
> use the filter architecture not present in Apache 1.3.
> 
> Any Feedback on the patch is welcome. Some additional debug output can
> be activated by using -DRENEG_DEBUG.
> 

There are a few lines of c99 syntax in this patch (variable declarations
of "char *reneg" in the middle of code) that cause it to fail with gcc
2.95.

Seems to work fine otherwise.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-11-23 Thread Rainer Jung
On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
> 
> There are a few lines of c99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.

Sorry, I forgot to fix those. Thanks for the feedback.

> Seems to work fine otherwise.

Good to know! The more eyes the better.

Regards,

Rainer
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-11-23 Thread Rainer Jung
On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
> 
> There are a few lines of c99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.
> 
> Seems to work fine otherwise.

Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?

Regards,

Rainer
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-12-29 Thread John Lightsey
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
> On 23.11.2009 18:57, John Lightsey wrote:
> > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:

> Thanks again. I updated the patch:
> 
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
> 
> The only changes are in ssl_engine_io.c, where the declaration of "char
> *reneg" is moved 4 times to the beginning of the function. Anything else
> you observed?

I received a report of segfaults caused by this patch.  They happen when
you have Apache proxy connections to a SSL destination.  IE:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
actx = (ap_ctx *) 0x10a26070
ss = (struct ssl_io_suck_st *) 0x0
r = (request_rec *) 0x0
rv = 0
reneg = 0x0
c = (conn_rec *) 0x0
#1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
ssl = (SSL *) 0x10a26070
c = (conn_rec *) 0x0
s = (server_rec *) 0x0
rc = 0
reneg = 0x0
#2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
v1 = (void *) 0x10a25c28
v2 = (void *) 0x107ccd88
v3 = 4096
v_rc = (void *) 0x7fff9869922c
v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
rc = 1
#3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
i = 0
he = (ap_hook_entry *) 0x104f33b0
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
rc = 0
#4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
rv = 0


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2010-01-01 Thread Rainer Jung

On 29.12.2009 22:57, John Lightsey wrote:

On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:

On 23.11.2009 18:57, John Lightsey wrote:

On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:



Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?


I received a report of segfaults caused by this patch.  They happen when
you have Apache proxy connections to a SSL destination.  IE:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
 actx = (ap_ctx *) 0x10a26070
 ss = (struct ssl_io_suck_st *) 0x0
 r = (request_rec *) 0x0
 rv = 0
 reneg = 0x0
 c = (conn_rec *) 0x0
#1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
 ssl = (SSL *) 0x10a26070
 c = (conn_rec *) 0x0
 s = (server_rec *) 0x0
 rc = 0
 reneg = 0x0
#2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
 v1 = (void *) 0x10a25c28
 v2 = (void *) 0x107ccd88
 v3 = 4096
 v_rc = (void *) 0x7fff9869922c
 v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
 rc = 1
#3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
 i = 0
 he = (ap_hook_entry *) 0x104f33b0
 ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
 rc = 0
#4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
 rv = 0


Thank you for your feedback and the analysis. I could reproduce this and 
have updated the patch:


http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch

I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my 
tests. The code doesn't try to change/fix renegotiation behaviour for 
ssl on the client side when used as a proxy.


As always: feedback welcome!

Regards,

Rainer
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2010-03-16 Thread Rainer Jung

I updated the patch. The most recent version is now available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_31-1_3_41-v4.patch

In addition to the v3 version of the patch, it now also contains a 
backport of the SSLInsecureRenegotiation directive introduced in Apache 
httpd 2.2.15 in combination with OpenSSL 0.9.8m and beyond.


The patch needs some more testing, but backport was straightforward.

Regards,

Rainer

On 01.01.2010 21:44, Rainer Jung wrote:

On 29.12.2009 22:57, John Lightsey wrote:

On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:

On 23.11.2009 18:57, John Lightsey wrote:

On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:



Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch


The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?


I received a report of segfaults caused by this patch. They happen when
you have Apache proxy connections to a SSL destination. IE:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0 0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
actx = (ap_ctx *) 0x10a26070
ss = (struct ssl_io_suck_st *) 0x0
r = (request_rec *) 0x0
rv = 0
reneg = 0x0
c = (conn_rec *) 0x0
#1 0x00454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
ssl = (SSL *) 0x10a26070
c = (conn_rec *) 0x0
s = (server_rec *) 0x0
rc = 0
reneg = 0x0
#2 0x0049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
v1 = (void *) 0x10a25c28
v2 = (void *) 0x107ccd88
v3 = 4096
v_rc = (void *) 0x7fff9869922c
v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
rc = 1
#3 0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
i = 0
he = (ap_hook_entry *) 0x104f33b0
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
rc = 0
#4 0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
rv = 0


Thank you for your feedback and the analysis. I could reproduce this and
have updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch


I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my
tests. The code doesn't try to change/fix renegotiation behaviour for
ssl on the client side when used as a proxy.

As always: feedback welcome!

Regards,

Rainer
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org