Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote: > Backport is not totally straightforward, because the original patches > use the filter architecture not present in Apache 1.3. > > Any Feedback on the patch is welcome. Some additional debug output can > be activated by using -DRENEG_DEBUG. > There are a few lines of c99 syntax in this patch (variable declarations of "char *reneg" in the middle of code) that cause it to fail with gcc 2.95. Seems to work fine otherwise. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 23.11.2009 18:57, John Lightsey wrote: > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote: >> Backport is not totally straightforward, because the original patches >> use the filter architecture not present in Apache 1.3. >> >> Any Feedback on the patch is welcome. Some additional debug output can >> be activated by using -DRENEG_DEBUG. >> > > There are a few lines of c99 syntax in this patch (variable declarations > of "char *reneg" in the middle of code) that cause it to fail with gcc > 2.95. Sorry, I forgot to fix those. Thanks for the feedback. > Seems to work fine otherwise. Good to know! The more eyes the better. Regards, Rainer __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 23.11.2009 18:57, John Lightsey wrote: > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote: >> Backport is not totally straightforward, because the original patches >> use the filter architecture not present in Apache 1.3. >> >> Any Feedback on the patch is welcome. Some additional debug output can >> be activated by using -DRENEG_DEBUG. >> > > There are a few lines of c99 syntax in this patch (variable declarations > of "char *reneg" in the middle of code) that cause it to fail with gcc > 2.95. > > Seems to work fine otherwise. Thanks again. I updated the patch: http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch The only changes are in ssl_engine_io.c, where the declaration of "char *reneg" is moved 4 times to the beginning of the function. Anything else you observed? Regards, Rainer __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote: > On 23.11.2009 18:57, John Lightsey wrote: > > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote: > Thanks again. I updated the patch: > > http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch > > The only changes are in ssl_engine_io.c, where the declaration of "char > *reneg" is moved 4 times to the beginning of the function. Anything else > you observed? I received a report of segfaults caused by this patch. They happen when you have Apache proxy connections to a SSL destination. IE: RewriteRule ^/(.*) https://other_site.com/$1 [P] The segfault happens at: reneg = ap_ctx_get(c->client->ctx, "ssl::reneg"); in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL. #0 0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275 actx = (ap_ctx *) 0x10a26070 ss = (struct ssl_io_suck_st *) 0x0 r = (request_rec *) 0x0 rv = 0 reneg = 0x0 c = (conn_rec *) 0x0 #1 0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394 ssl = (SSL *) 0x10a26070 c = (conn_rec *) 0x0 s = (server_rec *) 0x0 rc = 0 reneg = 0x0 #2 0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649 v1 = (void *) 0x10a25c28 v2 = (void *) 0x107ccd88 v3 = 4096 v_rc = (void *) 0x7fff9869922c v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0} rc = 1 #3 0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382 i = 0 he = (ap_hook_entry *) 0x104f33b0 ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}} rc = 0 #4 0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255 rv = 0 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 29.12.2009 22:57, John Lightsey wrote: On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote: On 23.11.2009 18:57, John Lightsey wrote: On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote: Thanks again. I updated the patch: http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch The only changes are in ssl_engine_io.c, where the declaration of "char *reneg" is moved 4 times to the beginning of the function. Anything else you observed? I received a report of segfaults caused by this patch. They happen when you have Apache proxy connections to a SSL destination. IE: RewriteRule ^/(.*) https://other_site.com/$1 [P] The segfault happens at: reneg = ap_ctx_get(c->client->ctx, "ssl::reneg"); in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL. #0 0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275 actx = (ap_ctx *) 0x10a26070 ss = (struct ssl_io_suck_st *) 0x0 r = (request_rec *) 0x0 rv = 0 reneg = 0x0 c = (conn_rec *) 0x0 #1 0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394 ssl = (SSL *) 0x10a26070 c = (conn_rec *) 0x0 s = (server_rec *) 0x0 rc = 0 reneg = 0x0 #2 0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649 v1 = (void *) 0x10a25c28 v2 = (void *) 0x107ccd88 v3 = 4096 v_rc = (void *) 0x7fff9869922c v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0} rc = 1 #3 0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382 i = 0 he = (ap_hook_entry *) 0x104f33b0 ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}} rc = 0 #4 0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255 rv = 0 Thank you for your feedback and the analysis. I could reproduce this and have updated the patch: http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my tests. The code doesn't try to change/fix renegotiation behaviour for ssl on the client side when used as a proxy. As always: feedback welcome! Regards, Rainer __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
I updated the patch. The most recent version is now available at http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_31-1_3_41-v4.patch In addition to the v3 version of the patch, it now also contains a backport of the SSLInsecureRenegotiation directive introduced in Apache httpd 2.2.15 in combination with OpenSSL 0.9.8m and beyond. The patch needs some more testing, but backport was straightforward. Regards, Rainer On 01.01.2010 21:44, Rainer Jung wrote: On 29.12.2009 22:57, John Lightsey wrote: On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote: On 23.11.2009 18:57, John Lightsey wrote: On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote: Thanks again. I updated the patch: http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch The only changes are in ssl_engine_io.c, where the declaration of "char *reneg" is moved 4 times to the beginning of the function. Anything else you observed? I received a report of segfaults caused by this patch. They happen when you have Apache proxy connections to a SSL destination. IE: RewriteRule ^/(.*) https://other_site.com/$1 [P] The segfault happens at: reneg = ap_ctx_get(c->client->ctx, "ssl::reneg"); in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL. #0 0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275 actx = (ap_ctx *) 0x10a26070 ss = (struct ssl_io_suck_st *) 0x0 r = (request_rec *) 0x0 rv = 0 reneg = 0x0 c = (conn_rec *) 0x0 #1 0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394 ssl = (SSL *) 0x10a26070 c = (conn_rec *) 0x0 s = (server_rec *) 0x0 rc = 0 reneg = 0x0 #2 0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649 v1 = (void *) 0x10a25c28 v2 = (void *) 0x107ccd88 v3 = 4096 v_rc = (void *) 0x7fff9869922c v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0} rc = 1 #3 0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382 i = 0 he = (ap_hook_entry *) 0x104f33b0 ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}} rc = 0 #4 0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255 rv = 0 Thank you for your feedback and the analysis. I could reproduce this and have updated the patch: http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my tests. The code doesn't try to change/fix renegotiation behaviour for ssl on the client side when used as a proxy. As always: feedback welcome! Regards, Rainer __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager majord...@modssl.org __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org