mod_ssl: fix leak in OCSP stapling code (PR 63687, r1876548)

mod_systemd: restore descriptive startup logging
This commit is contained in:
Joe Orton 2020-04-17 08:50:06 +01:00
parent 8c4dc8876b
commit 356046ff98
5 changed files with 188 additions and 8684 deletions

8682
KEYS

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,96 @@
More verbose startup logging for mod_systemd.
--- httpd-2.4.43/modules/arch/unix/mod_systemd.c.mod_systemd
+++ httpd-2.4.43/modules/arch/unix/mod_systemd.c
@@ -29,11 +29,14 @@
#include "mpm_common.h"
#include "systemd/sd-daemon.h"
+#include "systemd/sd-journal.h"
#if APR_HAVE_UNISTD_H
#include <unistd.h>
#endif
+static char describe_listeners[30];
+
static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp)
{
@@ -44,6 +47,20 @@
return OK;
}
+static char *dump_listener(ap_listen_rec *lr, apr_pool_t *p)
+{
+ apr_sockaddr_t *sa = lr->bind_addr;
+ char addr[128];
+
+ if (apr_sockaddr_is_wildcard(sa)) {
+ return apr_pstrcat(p, "port ", apr_itoa(p, sa->port), NULL);
+ }
+
+ apr_sockaddr_ip_getbuf(addr, sizeof addr, sa);
+
+ return apr_psprintf(p, "%s port %u", addr, sa->port);
+}
+
/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
@@ -51,19 +68,51 @@
* the TCP ports so new connections will not be rejected. There will
* always be a possible async failure event simultaneous to the
* service reporting "ready", so this should be good enough. */
-static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *main_server)
{
+ ap_listen_rec *lr;
+ apr_size_t plen = sizeof describe_listeners;
+ char *p = describe_listeners;
+
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ return OK;
+
+ for (lr = ap_listeners; lr; lr = lr->next) {
+ char *s = dump_listener(lr, ptemp);
+
+ if (strlen(s) + 3 < plen) {
+ char *newp = apr_cpystrn(p, s, plen);
+ if (lr->next)
+ newp = apr_cpystrn(newp, ", ", 3);
+ plen -= newp - p;
+ p = newp;
+ }
+ else {
+ if (plen < 4) {
+ p = describe_listeners + sizeof describe_listeners - 4;
+ plen = 4;
+ }
+ apr_cpystrn(p, "...", plen);
+ break;
+ }
+ }
+
sd_notify(0, "READY=1\n"
"STATUS=Configuration loaded.\n");
+
+ sd_journal_print(LOG_INFO, "Server configured, listening on: %s",
+ describe_listeners);
+
return OK;
}
static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
{
sd_notifyf(0, "READY=1\n"
- "STATUS=Processing requests...\n"
- "MAINPID=%" APR_PID_T_FMT, getpid());
+ "STATUS=Started, listening on: %s\n"
+ "MAINPID=%" APR_PID_T_FMT,
+ describe_listeners, getpid());
return OK;
}

View File

@ -0,0 +1,82 @@
# ./pullrev.sh 1876548
http://svn.apache.org/viewvc?view=revision&revision=1876548
--- httpd-2.4.43/modules/ssl/ssl_util_stapling.c
+++ httpd-2.4.43/modules/ssl/ssl_util_stapling.c
@@ -130,6 +130,7 @@
X509 *issuer = NULL;
OCSP_CERTID *cid = NULL;
STACK_OF(OPENSSL_STRING) *aia = NULL;
+ int rv = 1; /* until further notice */
if (x == NULL)
return 0;
@@ -154,16 +155,18 @@
SSL_CTX_set_tlsext_status_cb(mctx->ssl_ctx, stapling_cb);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10177) "OCSP stapling added via hook");
}
- return 1;
+ goto cleanup;
}
if (mctx->stapling_enabled != TRUE) {
/* mod_ssl's own implementation is not enabled */
- return 1;
+ goto cleanup;
}
- if (X509_digest(x, EVP_sha1(), idx, NULL) != 1)
- return 0;
+ if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) {
+ rv = 0;
+ goto cleanup;
+ }
cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
if (cinf) {
@@ -177,18 +180,18 @@
APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "
"in certificate and no SSLStaplingForceURL "
"configured for server %s", mctx->sc->vhost_id);
- return 0;
+ rv = 0;
}
- return 1;
+ goto cleanup;
}
cid = OCSP_cert_to_id(NULL, x, issuer);
- X509_free(issuer);
if (!cid) {
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)
"ssl_stapling_init_cert: can't create CertID "
"for OCSP request");
- return 0;
+ rv = 0;
+ goto cleanup;
}
aia = X509_get1_ocsp(x);
@@ -197,7 +200,8 @@
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
"in certificate and no SSLStaplingForceURL set");
- return 0;
+ rv = 0;
+ goto cleanup;
}
/* At this point, we have determined that there's something to store */
@@ -218,8 +222,10 @@
mctx->sc->vhost_id);
apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
-
- return 1;
+
+cleanup:
+ X509_free(issuer);
+ return rv;
}
static certinfo *stapling_get_certinfo(server_rec *s, X509 *x, modssl_ctx_t *mctx,

View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.43
Release: 1%{?dist}
Release: 2%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -68,6 +68,7 @@ Patch3: httpd-2.4.43-deplibs.patch
Patch19: httpd-2.4.43-detect-systemd.patch
# Features/functional changes
Patch21: httpd-2.4.43-r1842929+.patch
Patch22: httpd-2.4.43-mod_systemd.patch
Patch23: httpd-2.4.43-export.patch
Patch24: httpd-2.4.43-corelimit.patch
Patch25: httpd-2.4.43-selinux.patch
@ -85,6 +86,7 @@ Patch42: httpd-2.4.43-r1828172+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch60: httpd-2.4.43-enable-sslv3.patch
Patch62: httpd-2.4.43-r1870095+.patch
Patch63: httpd-2.4.43-r1876548.patch
# Security fixes
@ -207,6 +209,7 @@ interface for storing and accessing per-user session data.
%patch19 -p1 -b .detectsystemd
%patch21 -p1 -b .r1842929+
%patch22 -p1 -b .mod_systemd
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux
@ -222,6 +225,7 @@ interface for storing and accessing per-user session data.
%patch60 -p1 -b .enable-sslv3
%patch62 -p1 -b .r1870095
%patch63 -p1 -b .r1876548
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -746,6 +750,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri Apr 17 2020 Joe Orton <jorton@redhat.com> - 2.4.43-2
- mod_ssl: fix leak in OCSP stapling code (PR 63687, r1876548)
- mod_systemd: restore descriptive startup logging
* Tue Mar 31 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.43-1
- new version 2.4.43 (#1819023)

View File

@ -7,7 +7,7 @@ fi
repo="https://svn.apache.org/repos/asf/httpd/httpd/trunk"
#repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x"
ver=2.4.41
ver=2.4.43
prefix="httpd-${ver}"
suffix="r$1${2:++}"
fn="${prefix}-${suffix}.patch"