From a6c3370491ae1d3bc552e8de9353c82f73e510e3 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 14 Jun 2011 22:13:08 -0400 Subject: Always copy in client certificate and fix FakeBasicAuth When NSSOptions +FakeBasicAuth is set for a directory, and a certificate is not provided with which the BasicAuth can be Faked, and the client provides an Authorization header, the FakeBasicAuth code in mod_nss may not properly reject an attempt to spoof. BZ 702437 --- nss_engine_io.c | 10 +++------- nss_engine_kernel.c | 9 +++++++-- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/nss_engine_io.c b/nss_engine_io.c index c9697ec..2f9559f 100644 --- a/nss_engine_io.c +++ b/nss_engine_io.c @@ -1365,13 +1365,9 @@ nss_AuthCertificate(void *arg, PRFileDesc *socket, status = SSL_AuthCertificate(arg, socket, checksig, isServer); - if (status == SECSuccess) { - conn_rec *c = filter_ctx->c; - SSLConnRec *sslconn = myConnConfig(c); - - sslconn->client_cert = SSL_PeerCertificate(socket); - sslconn->client_dn = NULL; - } + /* The certificate is copied to sslconn->client_cert in + * nss_hook_ReadReq() + */ return status; } diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c index ae56cf2..1f37d45 100644 --- a/nss_engine_kernel.c +++ b/nss_engine_kernel.c @@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r) nss_util_vhostid(r->pool, r->server)); } + if (sslconn->client_cert != NULL) + CERT_DestroyCertificate(sslconn->client_cert); + sslconn->client_cert = SSL_PeerCertificate(ssl); + sslconn->client_dn = NULL; + return DECLINED; } @@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r) } if (!sslconn->client_dn) { - char * cp = CERT_GetCommonName(&sslconn->client_cert->subject); - sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); + char * cp = CERT_NameToAscii(&sslconn->client_cert->subject); + sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL); PORT_Free(cp); } -- cgit