[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 119/156: Always copy in client certificate and fix FakeBasicAuth

Timo Aaltonen tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:34 UTC 2014



tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.

commit a6c3370491ae1d3bc552e8de9353c82f73e510e3
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Tue Jun 14 22:13:08 2011 -0400

    Always copy in client certificate and fix FakeBasicAuth
    
    When NSSOptions +FakeBasicAuth is set for a directory, no client
    certificate is available from which the Basic authentication can be
    faked, and the client supplies its own Authorization header, the
    FakeBasicAuth code in mod_nss may fail to reject the spoofing attempt.
    
    BZ 702437
---
 nss_engine_io.c     | 10 +++-------
 nss_engine_kernel.c |  9 +++++++--
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/nss_engine_io.c b/nss_engine_io.c
index c9697ec..2f9559f 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -1365,13 +1365,9 @@ nss_AuthCertificate(void *arg, PRFileDesc *socket,
 
     status = SSL_AuthCertificate(arg, socket, checksig, isServer);
 
-    if (status == SECSuccess) {
-        conn_rec *c = filter_ctx->c;
-        SSLConnRec *sslconn = myConnConfig(c);
-
-        sslconn->client_cert = SSL_PeerCertificate(socket);
-        sslconn->client_dn = NULL;
-    }
+    /* The certificate is copied to sslconn->client_cert in
+     * nss_hook_ReadReq()
+     */
 
     return status;
 }
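Review bot: The replacement comment says where the copy now happens but not why it was moved out of the verification callback, which is the part a future reader will need; I would extend it to `/* The certificate is copied to sslconn->client_cert per request in nss_hook_ReadReq(), which also releases the reference held from the previous request, so this callback no longer touches sslconn. */`. With the assignment gone, sslconn->client_cert stays NULL between handshake completion and the first request read, so anything consulting it before nss_hook_ReadReq() runs would see no certificate — worth confirming nothing on the connection path does. The body of nss_AuthCertificate begins outside the hunk, so whether filter_ctx is still used there cannot be seen here.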
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index ae56cf2..1f37d45 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
                      nss_util_vhostid(r->pool, r->server));
     }
 
+    if (sslconn->client_cert != NULL)
+        CERT_DestroyCertificate(sslconn->client_cert);
+    sslconn->client_cert = SSL_PeerCertificate(ssl);
+    sslconn->client_dn = NULL;
+
     return DECLINED;
 }
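Review bot: The reference taken by `SSL_PeerCertificate(ssl)` for the last request on a connection is not released anywhere in this hunk; the added lines only destroy the reference left by the previous request, so unless a connection-level cleanup elsewhere destroys sslconn->client_cert, one certificate reference is leaked per connection — please confirm such a cleanup exists or register one. The `!= NULL` guard on the line before `CERT_DestroyCertificate` is redundant, since that NSS function already treats a NULL argument as a no-op, so the pair can collapse to `CERT_DestroyCertificate(sslconn->client_cert);`. Note also that the copy is now made regardless of the outcome of certificate verification, where the removed code in nss_AuthCertificate only copied on SECSuccess; this is presumably fine because a failed verification aborts the handshake before a request is read, but it is a behaviour change worth a comment. nss_hook_ReadReq starts outside the hunk, so where `ssl` and `sslconn` are established cannot be checked here.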
 
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
     }
 
     if (!sslconn->client_dn) {
-        char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
-        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+        char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
+        sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
         PORT_Free(cp);
     }
 
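Review bot: `CERT_NameToAscii` returns NULL when it cannot render the subject name, and `apr_pstrcat` stops at the first NULL argument, so in that case client_dn silently becomes the string "/" — a non-NULL, content-free identity that the FakeBasicAuth comparison will then treat as the user's DN; the previous `apr_pstrdup(pool, NULL)` left client_dn NULL instead. A check such as `if (cp == NULL) return HTTP_INTERNAL_SERVER_ERROR;` before the `apr_pstrcat` line (or whatever failure status this hook conventionally returns) keeps a conversion failure from producing a fake user. Separately, `CERT_NameToAscii` emits a comma-separated RDN string, so the result is "/CN=...,O=..." rather than the fully slash-separated DN mod_ssl produces; if the intent is compatibility with mod_ssl-style FakeBasicAuth users, that format difference deserves either a conversion or a comment stating the chosen format. nss_hook_UserCheck both starts and continues outside this hunk, so the code that compares client_dn with the Authorization header is not visible here.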
