[PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

[PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

am 22.11.2009 01:21:32 von Rainer Jung

Hi,

I backported the patch against CVE-2009-3555 from Apache trunk, 2.2 and
2.0 (proposed). The patch is available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_21-1_3_41.patch

CVE-2009-3555 is about the Man in the Middle attack against HTTPS.
The patch disables the use of client initiated SSL renegotiation. Server
initiated reneg is still allowed (and vulnerable).

See also:

http://svn.apache.org/viewvc?rev=833582&view=rev
http://svn.apache.org/viewvc?rev=833622&view=rev
http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_ 2_0_x-v2.patch

Backport is not totally straightforward, because the original patches
use the filter architecture not present in Apache 1.3.

Any Feedback on the patch is welcome. Some additional debug output can
be activated by using -DRENEG_DEBUG.

Regards,

Rainer
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

am 23.11.2009 18:57:55 von John Lightsey

On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
> Backport is not totally straightforward, because the original patches
> use the filter architecture not present in Apache 1.3.
>
> Any Feedback on the patch is welcome. Some additional debug output can
> be activated by using -DRENEG_DEBUG.
>

There are a few lines of c99 syntax in this patch (variable declarations
of "char *reneg" in the middle of code) that cause it to fail with gcc
2.95.

Seems to work fine otherwise.


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

am 23.11.2009 21:59:41 von Rainer Jung

On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
>
> There are a few lines of c99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.

Sorry, I forgot to fix those. Thanks for the feedback.

> Seems to work fine otherwise.

Good to know! The more eyes the better.

Regards,

Rainer
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

am 23.11.2009 22:12:13 von Rainer Jung

On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
>
> There are a few lines of c99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.
>
> Seems to work fine otherwise.

Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?

Regards,

Rainer
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

am 29.12.2009 22:57:11 von John Lightsey

On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
> On 23.11.2009 18:57, John Lightsey wrote:
> > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:

> Thanks again. I updated the patch:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_21-1_3_41-v2.patch
>
> The only changes are in ssl_engine_io.c, where the declaration of "char
> *reneg" is moved 4 times to the beginning of the function. Anything else
> you observed?

I received a report of segfaults caused by this patch. They happen when
you have Apache proxy connections to a SSL destination. IE:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0 0x0000000000454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
actx = (ap_ctx *) 0x10a26070
ss = (struct ssl_io_suck_st *) 0x0
r = (request_rec *) 0x0
rv = 0
reneg = 0x0
c = (conn_rec *) 0x0
#1 0x0000000000454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
ssl = (SSL *) 0x10a26070
c = (conn_rec *) 0x0
s = (server_rec *) 0x0
rc = 0
reneg = 0x0
#2 0x000000000049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
v1 = (void *) 0x10a25c28
v2 = (void *) 0x107ccd88
v3 = 4096
v_rc = (void *) 0x7fff9869922c
v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
rc = 1
#3 0x00000000004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
i = 0
he = (ap_hook_entry *) 0x104f33b0
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
rc = 0
#4 0x000000000046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
rv = 0


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

am 01.01.2010 21:44:00 von Rainer Jung

On 29.12.2009 22:57, John Lightsey wrote:
> On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
>> On 23.11.2009 18:57, John Lightsey wrote:
>>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>
>> Thanks again. I updated the patch:
>>
>> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_21-1_3_41-v2.patch
>>
>> The only changes are in ssl_engine_io.c, where the declaration of "char
>> *reneg" is moved 4 times to the beginning of the function. Anything else
>> you observed?
>
> I received a report of segfaults caused by this patch. They happen when
> you have Apache proxy connections to a SSL destination. IE:
>
> RewriteRule ^/(.*) https://other_site.com/$1 [P]
>
> The segfault happens at:
>
> reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");
>
> in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.
>
>
> #0 0x0000000000454bb5 in ssl_io_suck_read (ssl=0x10a26070,
> buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
> actx = (ap_ctx *) 0x10a26070
> ss = (struct ssl_io_suck_st *) 0x0
> r = (request_rec *) 0x0
> rv = 0
> reneg = 0x0
> c = (conn_rec *) 0x0
> #1 0x0000000000454f31 in ssl_io_hook_read (fb=0x10a25c28,
> buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
> ssl = (SSL *) 0x10a26070
> c = (conn_rec *) 0x0
> s = (server_rec *) 0x0
> rc = 0
> reneg = 0x0
> #2 0x000000000049a00f in ap_hook_call_func (ap=0x7fff98699110,
> he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
> v1 = (void *) 0x10a25c28
> v2 = (void *) 0x107ccd88
> v3 = 4096
> v_rc = (void *) 0x7fff9869922c
> v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
> v_double = 0, v_ptr = 0x0}
> rc = 1
> #3 0x00000000004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
> at ap_hook.c:382
> i = 0
> he = (ap_hook_entry *) 0x104f33b0
> ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
> 0x7fff98699200, reg_save_area = 0x7fff98699140}}
> rc = 0
> #4 0x000000000046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
> nbyte=4096) at buff.c:255
> rv = 0

Thank you for your feedback and the analysis. I could reproduce this and
have updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_21-1_3_41-v3.patch

I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my
tests. The code doesn't try to change/fix renegotiation behaviour for
ssl on the client side when used as a proxy.

As always: feedback welcome!

Regards,

Rainer
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

am 17.03.2010 07:33:25 von Rainer Jung

I updated the patch. The most recent version is now available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_31-1_3_41-v4.patch

In addition to the v3 version of the patch, it now also contains a
backport of the SSLInsecureRenegotiation directive introduced in Apache
httpd 2.2.15 in combination with OpenSSL 0.9.8m and beyond.

The patch needs some more testing, but backport was straightforward.

Regards,

Rainer

On 01.01.2010 21:44, Rainer Jung wrote:
> On 29.12.2009 22:57, John Lightsey wrote:
>> On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
>>> On 23.11.2009 18:57, John Lightsey wrote:
>>>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>>
>>> Thanks again. I updated the patch:
>>>
>>> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_21-1_3_41-v2.patch
>>>
>>>
>>> The only changes are in ssl_engine_io.c, where the declaration of "char
>>> *reneg" is moved 4 times to the beginning of the function. Anything else
>>> you observed?
>>
>> I received a report of segfaults caused by this patch. They happen when
>> you have Apache proxy connections to a SSL destination. IE:
>>
>> RewriteRule ^/(.*) https://other_site.com/$1 [P]
>>
>> The segfault happens at:
>>
>> reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");
>>
>> in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.
>>
>>
>> #0 0x0000000000454bb5 in ssl_io_suck_read (ssl=0x10a26070,
>> buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
>> actx = (ap_ctx *) 0x10a26070
>> ss = (struct ssl_io_suck_st *) 0x0
>> r = (request_rec *) 0x0
>> rv = 0
>> reneg = 0x0
>> c = (conn_rec *) 0x0
>> #1 0x0000000000454f31 in ssl_io_hook_read (fb=0x10a25c28,
>> buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
>> ssl = (SSL *) 0x10a26070
>> c = (conn_rec *) 0x0
>> s = (server_rec *) 0x0
>> rc = 0
>> reneg = 0x0
>> #2 0x000000000049a00f in ap_hook_call_func (ap=0x7fff98699110,
>> he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
>> v1 = (void *) 0x10a25c28
>> v2 = (void *) 0x107ccd88
>> v3 = 4096
>> v_rc = (void *) 0x7fff9869922c
>> v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
>> v_double = 0, v_ptr = 0x0}
>> rc = 1
>> #3 0x00000000004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
>> at ap_hook.c:382
>> i = 0
>> he = (ap_hook_entry *) 0x104f33b0
>> ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
>> 0x7fff98699200, reg_save_area = 0x7fff98699140}}
>> rc = 0
>> #4 0x000000000046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
>> nbyte=4096) at buff.c:255
>> rv = 0
>
> Thank you for your feedback and the analysis. I could reproduce this and
> have updated the patch:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ss l_2_8_21-1_3_41-v3.patch
>
>
> I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my
> tests. The code doesn't try to change/fix renegotiation behaviour for
> ssl on the client side when used as a proxy.
>
> As always: feedback welcome!
>
> Regards,
>
> Rainer
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org