From 7801489cdb3c45d23b1d51a00813297ff12cd965 Mon Sep 17 00:00:00 2001
From: Andrew McNab
Date: Wed, 31 Mar 2010 13:55:28 +0000
Subject: [PATCH] Sync

---
 org.gridsite.core/VERSION | 2 +-
 org.gridsite.core/src/mod_gridsite.c | 50 ++++++++++++++++++++++++---------
 org.gridsite.core/src/mod_ssl-private.h | 29 ++++++++++++++++++-
 3 files changed, 65 insertions(+), 16 deletions(-)

diff --git a/org.gridsite.core/VERSION b/org.gridsite.core/VERSION
index 3a207ce..990175b 100644
--- a/org.gridsite.core/VERSION
+++ b/org.gridsite.core/VERSION
@@ -1,5 +1,5 @@
 MAJOR_VERSION=1
 MINOR_VERSION=1.5
-PATCH_VERSION=1.5.10
+PATCH_VERSION=1.5.10.4
 DEFVERSION=010510
 VERSION=$(PATCH_VERSION)
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index 6a04c54..49e9c7e 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -46,6 +46,9 @@
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
+
+ This work has been partially funded by the EU Commission (contract
+ INFSO-RI-222667) under the EGEE-III collaboration.
 */
 
 /*------------------------------------------------------------------*
@@ -132,6 +135,10 @@ char *ocspmodes = NULL;
 struct sitecast_group sitecastgroups[GRST_SITECAST_GROUPS+1];
 struct sitecast_alias sitecastaliases[GRST_SITECAST_ALIASES];
 
+ /* This global records whether the SSLSrvConfigRec struct will have
+ the extra BOOL insecure_reneg member */
+int mod_ssl_with_insecure_reneg = 0;
+
 #if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
 /* SSL_app_data2_idx is private in Apache 2.2 mod_ssl but can be
 determined at init time, and then recorded here */
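Review bot: The comment on the new global `mod_ssl_with_insecure_reneg` describes the extra member as a `BOOL`, but the `SSLSrvConfigRec2` mirror added to mod_ssl-private.h in this same commit declares it `int insecure_reneg`; make the comment agree and say when the flag becomes valid, e.g. `/* Non-zero once mod_gridsite_server_post_config has found mod_ssl's SSLInsecureRenegotiation directive, i.e. SSLSrvConfigRec carries the extra int insecure_reneg member. Read by the SSLSrvConfigRec_server/_proxy macros in mod_ssl-private.h. */`. The variable appears to be left non-static on purpose because those header macros expand to it, which is worth stating in the comment so nobody later "fixes" the linkage.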
@@ -1616,7 +1623,7 @@ static void *create_gridsite_srv_config(apr_pool_t *p, server_rec *s)
 sitecastgroups[i].port = 0; /* GridSiteCastGroup mcast-list */
 }
 
- for (i=1; i <= GRST_SITECAST_ALIASES; ++i)
+ for (i=0; i <= GRST_SITECAST_ALIASES; ++i)
 {
 sitecastaliases[i].sitecast_url = NULL;
 sitecastaliases[i].port = 0;
@@ -3433,7 +3440,7 @@ int GRST_ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
 server_rec *s = c->base_server;
 SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
 SSLConnRec *sslconn = (SSLConnRec *) ap_get_module_config(c->conn_config, &ssl_module);
- modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc);
 X509_OBJECT obj;
 X509_NAME *subject, *issuer;
 X509 *cert;
@@ -3643,7 +3650,7 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
 request_rec *r = (request_rec *) SSL_get_ex_data(ssl, GRST_SSL_app_data2_idx);
 SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
 SSLDirConfigRec *dc = r ? (SSLDirConfigRec *) ap_get_module_config(r->per_dir_config, &ssl_module) : NULL;
- modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc);
 int verify, depth;
 #endif
 STACK_OF(X509) *certstack;
@@ -4180,11 +4187,13 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool,
 {
 SSL_CTX *ctx;
 SSLSrvConfigRec *sc;
+ int i = 0;
 server_rec *this_server;
 apr_proc_t *procnew = NULL;
 apr_status_t status;
- char *path;
- const char *userdata_key = "sitecast_init";
+ char *path;
+ const char *userdata_key = "sitecast_init";
+ const char *insecure_reneg = "SSLInsecureRenegotiation";
 
 apr_pool_userdata_get((void **) &procnew, userdata_key, main_server->process->pool);
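Review bot: The new loop still steps one element past the end of `sitecastaliases`: the array is declared `sitecastaliases[GRST_SITECAST_ALIASES]` (visible in the -132 hunk of this file), so with `<=` the final iteration writes `sitecastaliases[GRST_SITECAST_ALIASES].sitecast_url` and `.port` out of bounds. Changing the start index from 1 to 0 fixes the skipped first element but not the overrun; the bound should be `for (i=0; i < GRST_SITECAST_ALIASES; ++i)`. The `sitecastgroups` loop just above uses `<=` legitimately because that array is sized `GRST_SITECAST_GROUPS+1`, which is presumably where the bound was copied from. Which global the stray write lands on depends on link order, so the effect is silent corruption of a neighbouring object at config time rather than a visible crash. create_gridsite_srv_config begins and ends outside the hunk.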
@@ -4237,20 +4246,33 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool,
 GRST_SSL_app_data2_idx);
 #endif
+
+ /* look for a SSLInsecureRenegotiation flag - if it exists then the mod_ssl
+ internal variable 'SSLSrvConfigRec' is different */
+ while ( ssl_module.cmds[i].name && !mod_ssl_with_insecure_reneg)
+ {
+ mod_ssl_with_insecure_reneg = (strncmp( ssl_module.cmds[i].name,
+ insecure_reneg, sizeof(insecure_reneg) ) == 0);
+ i++;
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, status, main_server,
+ "mod_gridsite: mod_ssl_with_insecure_reneg = %d", mod_ssl_with_insecure_reneg);
+
 for (this_server = main_server; this_server != NULL; this_server = this_server->next)
 {
 /* we do some GridSite OpenSSL magic for HTTPS servers */
-
+
 sc = ap_get_module_config(this_server->module_config, &ssl_module);
-
- if ((sc != NULL) &&
- (sc->enabled) &&
- (sc->server != NULL) &&
- (sc->server->ssl_ctx != NULL))
+
+ if ((sc != NULL) &&
+ (sc->enabled) &&
+ (SSLSrvConfigRec_server(sc) != NULL) &&
+ (SSLSrvConfigRec_server(sc)->ssl_ctx != NULL))
 {
- ctx = sc->server->ssl_ctx;
+ ctx = SSLSrvConfigRec_server(sc)->ssl_ctx;
 /* in 0.9.7 we could set the issuer-checking callback directly */
 // ctx->cert_store->check_issued = GRST_X509_check_issued_wrapper;
@@ -4302,8 +4324,8 @@ static void mod_gridsite_child_init(apr_pool_t *pPool, server_rec *pServer)
 apr_dir_t *dir;
 char *filename;
 apr_finfo_t finfo;
- SSLSrvConfigRec *sc = ap_get_module_config(pServer->module_config, &ssl_module);
+ SSLSrvConfigRec *sc = ap_get_module_config(pServer->module_config, &ssl_module);
 GRSTgaclInit();
 mod_gridsite_log_func_server = pServer;
 GRSTerrorLogFunc = mod_gridsite_log_func;
diff --git a/org.gridsite.core/src/mod_ssl-private.h b/org.gridsite.core/src/mod_ssl-private.h
index f4d3582..07f9d8b 100644
--- a/org.gridsite.core/src/mod_ssl-private.h
+++ b/org.gridsite.core/src/mod_ssl-private.h
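Review bot: `sizeof(insecure_reneg)` in the new detection loop is the size of a `const char *` (it is declared as a pointer in the -4180 hunk), not the length of "SSLInsecureRenegotiation", so `strncmp` compares only the first 4 or 8 characters and any directive whose name starts with "SSLInsec" would set `mod_ssl_with_insecure_reneg`; since directive names are NUL-terminated, use `mod_ssl_with_insecure_reneg = (strcmp(ssl_module.cmds[i].name, insecure_reneg) == 0);`. The flag decides which struct layout every later `SSLSrvConfigRec_server`/`_proxy` access uses, so a false positive here means `server` and `proxy` are read from the wrong offset and the CRL and verify callbacks dereference an unrelated field. `status` is passed to the new `ap_log_error` call but is declared uninitialized in the -4180 hunk; unless it is assigned in the lines between the two hunks, which are outside view, pass `0` there since it is only a log argument. mod_gridsite_server_post_config continues outside the hunk.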
@@ -49,6 +49,11 @@
 * limitations under the License.
 */
 
+/*
+ This work has been partially funded by the EU Commission (contract
+ INFSO-RI-222667) under the EGEE-III collaboration.
+*/
+
 /*------------------------------------------------------------------*
 * This program is part of GridSite: http://www.gridsite.org/ *
 *------------------------------------------------------------------*/
@@ -150,6 +155,7 @@ typedef struct {
 #endif
 } modssl_ctx_t;
 
+/* original SSLSrvConfigRec */
 typedef struct {
 void *mc;
 BOOL enabled;
@@ -164,6 +170,28 @@ typedef struct {
 modssl_ctx_t *proxy;
 } SSLSrvConfigRec;
 
+/* SSLSrvConfigRec after mod_ssl patch for CVE-2009-3555 */
+typedef struct {
+ void *mc;
+ unsigned int enabled;
+ unsigned int proxy_enabled;
+ const char *vhost_id;
+ int vhost_id_len;
+ int session_cache_timeout;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+ BOOL cipher_server_pref;
+#endif
+ /* this is the member that was added */
+ int insecure_reneg;
+ modssl_ctx_t *server;
+ modssl_ctx_t *proxy;
+} SSLSrvConfigRec2;
+
+/* The server and proxy members of SSLSrvConfigRec must only be accessed
+ using these macros: */
+#define SSLSrvConfigRec_server(sc) (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2 *) sc)->server) : (((SSLSrvConfigRec *) sc)->server))
+#define SSLSrvConfigRec_proxy(sc) (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2 *) sc)->proxy) : (((SSLSrvConfigRec *) sc)->proxy))
+
 #if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
 typedef struct {
 BOOL bSSLRequired;
@@ -180,5 +208,4 @@ typedef struct {
 } SSLDirConfigRec;
 #endif
 
-
 extern module AP_MODULE_DECLARE_DATA ssl_module;
-- 
1.8.2.3
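Review bot: The two new macros expand to `mod_ssl_with_insecure_reneg`, but this header never declares it; the definition lives in mod_gridsite.c, so any other translation unit that includes mod_ssl-private.h and uses `SSLSrvConfigRec_server`/`_proxy` fails to compile, and the macro comment should point at it. Add `extern int mod_ssl_with_insecure_reneg;` immediately above the `#define`s. The macro argument is also cast unparenthesised, `(SSLSrvConfigRec2 *) sc`, so an expression argument would bind wrongly; write `((SSLSrvConfigRec2 *)(sc))->server` and likewise for the other three casts. Finally, `SSLSrvConfigRec2` is a hand-copied layout whose only validation is the presence of the `SSLInsecureRenegotiation` directive, so a comment above it should name the mod_ssl source it was copied from and state that a layout mismatch makes `server`/`proxy` read from the wrong offset; it is also worth noting there that `sc->enabled` is still read through the original layout, which is only safe because `enabled` precedes the inserted member in both structs.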