From 310abe64eff0a2abd439e4cb7b142a677cd7f916 Mon Sep 17 00:00:00 2001
From: Clement Laforet
Date: Wed, 13 Oct 2004 09:17:38 +0000
Subject: [PATCH] - Yet Another Security Fix
Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable) cipher suite.
Credits: Hartmut Keil, Joe Orton
---
 www/apache2/Makefile | 1 +
 www/apache2/files/patch-secfix-CAN-2004-0885 | 56 +++++++++++++++++++
 www/apache20/Makefile | 1 +
 www/apache20/files/patch-secfix-CAN-2004-0885 | 56 +++++++++++++++++++
 4 files changed, 114 insertions(+)
 create mode 100644 www/apache2/files/patch-secfix-CAN-2004-0885
 create mode 100644 www/apache20/files/patch-secfix-CAN-2004-0885
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index 7be52aa5d002..ecaad59fbe21 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -9,6 +9,7 @@ PORTNAME= apache
 PORTVERSION= 2.0.52
+PORTREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache2/files/patch-secfix-CAN-2004-0885 b/www/apache2/files/patch-secfix-CAN-2004-0885
new file mode 100644
index 000000000000..f19a7e55c165
--- /dev/null
+++ b/www/apache2/files/patch-secfix-CAN-2004-0885
@@ -0,0 +1,56 @@
+Index: ssl_engine_init.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -d -w -u -r1.128 -r1.129
+--- modules/ssl/ssl_engine_init.c 3 Jun 2004 13:03:08 -0000 1.128
++++ modules/ssl/ssl_engine_init.c 8 Oct 2004 11:59:32 -0000 1.129
+@@ -443,6 +443,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
+Index: ssl_engine_kernel.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
+retrieving revision 1.110
+retrieving revision 1.111
+diff -d -w -u -r1.110 -r1.111
+--- modules/ssl/ssl_engine_kernel.c 18 Aug 2004 11:05:22 -0000 1.110
++++ modules/ssl/ssl_engine_kernel.c 8 Oct 2004 11:59:33 -0000 1.111
+@@ -733,6 +733,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
+
+
+
diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index 7be52aa5d002..ecaad59fbe21 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
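Review bot: The new cipher check in the ssl_engine_kernel.c hunk hands the result of `SSL_get_current_cipher(ssl)` straight to `sk_SSL_CIPHER_find` and `SSL_CIPHER_get_name` with no NULL guard; OpenSSL documents that `SSL_get_current_cipher` returns NULL when no session is established, and whether the stack's comparison callback tolerates a NULL element is not visible here, so treating NULL as a failed renegotiation is the safer reading: `if (cipher == NULL || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {`. The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard in the ssl_engine_init.c hunk means a build against an OpenSSL that lacks that option gets no session-resumption protection and relies entirely on this 403 path, which is worth a comment at the check such as `/* If session resumption on renegotiation could not be disabled in the SSL_CTX, this check is the only enforcement of the per-directory SSLCipherSuite. */`. Both enclosing functions (ssl_init_ctx_protocol and ssl_hook_Access, per the commit message) start and end outside their hunks, so where `cipher` and `cipher_list` are declared and under which condition this block runs cannot be confirmed from here. The www/apache20 copy of the same patch file later in this commit carries identical code and the same remarks apply.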
@@ -9,6 +9,7 @@ PORTNAME= apache
 PORTVERSION= 2.0.52
+PORTREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache20/files/patch-secfix-CAN-2004-0885 b/www/apache20/files/patch-secfix-CAN-2004-0885
new file mode 100644
index 000000000000..f19a7e55c165
--- /dev/null
+++ b/www/apache20/files/patch-secfix-CAN-2004-0885
@@ -0,0 +1,56 @@
+Index: ssl_engine_init.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -d -w -u -r1.128 -r1.129
+--- modules/ssl/ssl_engine_init.c 3 Jun 2004 13:03:08 -0000 1.128
++++ modules/ssl/ssl_engine_init.c 8 Oct 2004 11:59:32 -0000 1.129
+@@ -443,6 +443,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
+Index: ssl_engine_kernel.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
+retrieving revision 1.110
+retrieving revision 1.111
+diff -d -w -u -r1.110 -r1.111
+--- modules/ssl/ssl_engine_kernel.c 18 Aug 2004 11:05:22 -0000 1.110
++++ modules/ssl/ssl_engine_kernel.c 8 Oct 2004 11:59:33 -0000 1.111
+@@ -733,6 +733,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
+
+
+