summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-06-14 22:13:08 -0400
committerRob Crittenden <rcritten@redhat.com>2011-06-14 22:13:08 -0400
commita6c3370491ae1d3bc552e8de9353c82f73e510e3 (patch)
tree9328f22e7d9a5401f8dc8e123307b36cbfd5c610
parentf656ffc036af239a4236f1c1fc97e32a809d470d (diff)
downloadmod_nss-a6c3370491ae1d3bc552e8de9353c82f73e510e3.tar.gz
mod_nss-a6c3370491ae1d3bc552e8de9353c82f73e510e3.tar.xz
mod_nss-a6c3370491ae1d3bc552e8de9353c82f73e510e3.zip
Always copy in client certificate and fix FakeBasicAuth
When NSSOptions +FakeBasicAuth is set for a directory, and a certificate is not provided with which the BasicAuth can be Faked, and the client provides an Authorization header, the FakeBasicAuth code in mod_nss may not properly reject an attempt to spoof. BZ 702437
Diffstat
-rw-r--r--nss_engine_io.c10
-rw-r--r--nss_engine_kernel.c9
2 files changed, 10 insertions, 9 deletions
diff --git a/nss_engine_io.c b/nss_engine_io.c
index c9697ec..2f9559f 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -1365,13 +1365,9 @@ nss_AuthCertificate(void *arg, PRFileDesc *socket,
status = SSL_AuthCertificate(arg, socket, checksig, isServer);
- if (status == SECSuccess) {
- conn_rec *c = filter_ctx->c;
- SSLConnRec *sslconn = myConnConfig(c);
-
- sslconn->client_cert = SSL_PeerCertificate(socket);
- sslconn->client_dn = NULL;
- }
+ /* The certificate is copied to sslconn->client_cert in
+ * nss_hook_ReadReq()
+ */
return status;
}
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index ae56cf2..1f37d45 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
nss_util_vhostid(r->pool, r->server));
}
+ if (sslconn->client_cert != NULL)
+ CERT_DestroyCertificate(sslconn->client_cert);
+ sslconn->client_cert = SSL_PeerCertificate(ssl);
+ sslconn->client_dn = NULL;
+
return DECLINED;
}
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
}
if (!sslconn->client_dn) {
- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
PORT_Free(cp);
}
generated by cgit (git 2.34.1) at 2025-09-14 16:00:07 +0000