[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 119/156: Always copy in client certificate and fix FakeBasicAuth
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:34 UTC 2014
This is an automated email from the git hooks/post-receive script.

tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.

commit a6c3370491ae1d3bc552e8de9353c82f73e510e3
Author: Rob Crittenden <rcritten at redhat.com>
Date: Tue Jun 14 22:13:08 2011 -0400

Always copy in client certificate and fix FakeBasicAuth

When NSSOptions +FakeBasicAuth is set for a directory, and a certificate
is not provided with which the BasicAuth can be Faked, and the client
provides an Authorization header, the FakeBasicAuth code in mod_nss may
not properly reject an attempt to spoof.

BZ 702437
---
nss_engine_io.c | 10 +++-------
nss_engine_kernel.c | 9 +++++++--
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/nss_engine_io.c b/nss_engine_io.c
index c9697ec..2f9559f 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -1365,13 +1365,9 @@ nss_AuthCertificate(void *arg, PRFileDesc *socket,
status = SSL_AuthCertificate(arg, socket, checksig, isServer);
- if (status == SECSuccess) {
- conn_rec *c = filter_ctx->c;
- SSLConnRec *sslconn = myConnConfig(c);
-
- sslconn->client_cert = SSL_PeerCertificate(socket);
- sslconn->client_dn = NULL;
- }
+ /* The certificate is copied to sslconn->client_cert in
+ * nss_hook_ReadReq()
+ */
return status;
}
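Review bot: The replacement comment in nss_AuthCertificate says where sslconn->client_cert is now set but not why, and after this hunk the field is no longer populated when SSL_AuthCertificate() succeeds. Suggest having the comment state that the certificate is refreshed per request in nss_hook_ReadReq() and that nothing may rely on sslconn->client_cert before that hook has run, then checking that no code between the handshake callback and nss_hook_ReadReq() reads the field. If filter_ctx was used in this function only by the removed block, it should go as well.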
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index ae56cf2..1f37d45 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
nss_util_vhostid(r->pool, r->server));
}
+ if (sslconn->client_cert != NULL)
+ CERT_DestroyCertificate(sslconn->client_cert);
+ sslconn->client_cert = SSL_PeerCertificate(ssl);
+ sslconn->client_dn = NULL;
+
return DECLINED;
}
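Review bot: The added block in nss_hook_ReadReq resets sslconn->client_dn to NULL on every request, and nss_hook_UserCheck then rebuilds the string from r->connection->pool, so a long keep-alive connection accumulates one DN copy per authenticated request for the lifetime of the connection. Consider clearing client_dn only when the certificate returned by SSL_PeerCertificate(ssl) differs from the one already held. The block also sits immediately before the final return DECLINED, so any earlier return in this function would skip the refresh and leave the previous client_cert in place; worth confirming there is none, or moving the refresh ahead of them. A short comment that SSL_PeerCertificate() may return NULL, and that a NULL client_cert is the intended "no certificate presented" state, would help the next reader.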
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
}
if (!sslconn->client_dn) {
- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
PORT_Free(cp);
}
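Review bot: In nss_hook_UserCheck the result of CERT_NameToAscii() is passed straight to apr_pstrcat() without a NULL check; apr_pstrcat() treats a NULL argument as the end of its list, so a failed conversion silently yields a client_dn of "/" that then serves as the FakeBasicAuth user name. Suggest testing cp and refusing the request when it is NULL rather than continuing with that value. The expression &sslconn->client_cert->subject also relies on a guard above this hunk for the case where client_cert is NULL, which the ReadReq change now makes a normal state, so that guard is worth re-reading. Finally, the user name changes from the common name to "/" followed by the full subject string, which is a visible behaviour change for existing password files and is not mentioned in the commit message or in a comment here.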
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git