Ubuntu
apache2 package

Merge ~ahasenack/ubuntu/+source/apache2:focal-apache-pha-with-post-tlsv13 into ubuntu/+source/apache2:ubuntu/devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/apache2
  3. focal-apache-pha-with-post-tlsv13
  4. Merge into ubuntu/devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 39e94eeb52120796a4be5639df774840a2339500
Merge reported by: Andreas Hasenack
Merged at revision: 39e94eeb52120796a4be5639df774840a2339500
Proposed branch: ~ahasenack/ubuntu/+source/apache2:focal-apache-pha-with-post-tlsv13
Merge into: ubuntu/+source/apache2:ubuntu/devel
Diff against target: 196 lines (+168/-0)
4 files modified
debian/changelog (+9/-0)
debian/patches/buffer-http-request-bodies-for-tlsv13.diff (+134/-0)
debian/patches/series (+2/-0)
debian/patches/tlsv13-add-logno.diff (+23/-0)
Reviewer Review Type Date Requested Status
Bryce Harrington (community) Approve
Canonical Server Core Reviewers Pending
Timo Aaltonen Pending
Review via email: mp+382127@code.launchpad.net

Description of the change

Fix POST with client cert auth and TLSv1.3. Details and testing steps are in the linked bug, which I prepared as if this were an SRU.

This is a straight cherry-pick from debian's apache2 package.

To post a comment you must log in.
~ahasenack/ubuntu/+source/apache2:focal-apache-pha-with-post-tlsv13 updated
39e94ee... by Andreas Hasenack

changelog

Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks for the detailed test case, was easy to follow.

There wasn't a PPA identified in this MP or the LP bug, but I found https://launchpad.net/~ahasenack/+archive/ubuntu/apache-tlsv13-post-pha and assume it is the one to test against; or at least, after installing it I got the documented test result successes.

* Changelog:
  - [√] changelog entry correct version and targeted codename
  - [√] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [-] no upstream changes to consider
  - [-] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [-] dropped changes are ok to be dropped
  - [-] nothing else to drop
  - [√] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [-] no new patches added
  - [√] patches match what was proposed upstream
  - [√] patches correctly included in debian/patches/series
  - [√] patches have correct DEP3 metadata

* Build/Test:
  - [-] build is ok
  - [√] verified PPA package installs/uninstalls
  - [√] autopkgtest against the PPA package passes
  - [√] sanity checks test fine

I verified the patches match upstream, and did a cursory code review of them. I ran the test cases in LXC and verified I got the same output in error.log, access.log, and stdout as documented in the test case. I also ran the autopkgtests in another lxc container, and verified they pass (several SKIP due to testbed not providing revert-full-system).

I did not rebuild the apache2 package myself, and am presuming the PPA build is sufficient.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, that was the right PPA indeed, sorry for not mentioning it anywhere.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tagging and uploading 39e94eeb52120796a4be5639df774840a2339500

$ git push pkg upload/2.4.41-4ubuntu3
Enumerating objects: 23, done.
Counting objects: 100% (23/23), done.
Delta compression using up to 4 threads
Compressing objects: 100% (14/14), done.
Writing objects: 100% (15/15), 4.06 KiB | 64.00 KiB/s, done.
Total 15 (delta 10), reused 3 (delta 1)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/apache2
 * [new tag] upload/2.4.41-4ubuntu3 -> upload/2.4.41-4ubuntu3

$ dput ubuntu ../apache2_2.4.41-4ubuntu3_source.changes
Checking signature on .changes
gpg: ../apache2_2.4.41-4ubuntu3_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../apache2_2.4.41-4ubuntu3.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.41-4ubuntu3.dsc: done.
  Uploading apache2_2.4.41-4ubuntu3.debian.tar.xz: done.
  Uploading apache2_2.4.41-4ubuntu3_source.buildinfo: done.
  Uploading apache2_2.4.41-4ubuntu3_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This migrated.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 1e8587a..c16feee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
1apache2 (2.4.41-4ubuntu3) focal; urgency=medium
2
3 [ Timo Aaltonen ]
4 * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
5 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
6 Closes: #955348, LP: #1872478
7
8 -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
9
1apache2 (2.4.41-4ubuntu2) focal; urgency=medium10apache2 (2.4.41-4ubuntu2) focal; urgency=medium
211
3 * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"12 * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
diff --git a/debian/patches/buffer-http-request-bodies-for-tlsv13.diff b/debian/patches/buffer-http-request-bodies-for-tlsv13.diff
4new file mode 10064413new file mode 100644
index 0000000..3f6352c
--- /dev/null
+++ b/debian/patches/buffer-http-request-bodies-for-tlsv13.diff
@@ -0,0 +1,134 @@
1From 3b6181a317bdecac0305c8eb538de4960405e3dd Mon Sep 17 00:00:00 2001
2From: Joe Orton <jorton@apache.org>
3Date: Thu, 21 Nov 2019 15:51:32 +0000
4Subject: [PATCH] Buffer HTTP request bodies for TLSv1.3 PHA in the same way as
5 for TLSv<1.3 renegotiation.
6
7* modules/ssl/ssl_engine_kernel.c (fill_reneg_buffer): Factor
8 out...
9 (ssl_hook_Access_classic): ... from here.
10 (ssl_hook_Access_modern): Use it here too.
11
12Github: closes #75
13
14
15git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1870095 13f79535-47bb-0310-9956-ffa450edef68
16---
17 modules/ssl/ssl_engine_kernel.c | 87 +++++++++++++++++++++------------
18 1 file changed, 55 insertions(+), 32 deletions(-)
19
20diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
21index 758cc09bb69..516e7082bb0 100644
22--- a/modules/ssl/ssl_engine_kernel.c
23+++ b/modules/ssl/ssl_engine_kernel.c
24@@ -114,6 +114,45 @@ static int has_buffered_data(request_rec *r)
25 return result;
26 }
27
28+/* If a renegotiation is required for the location, and the request
29+ * includes a message body (and the client has not requested a "100
30+ * Continue" response), then the client will be streaming the request
31+ * body over the wire already. In that case, it is not possible to
32+ * stop and perform a new SSL handshake immediately; once the SSL
33+ * library moves to the "accept" state, it will reject the SSL packets
34+ * which the client is sending for the request body.
35+ *
36+ * To allow authentication to complete in the hook, the solution used
37+ * here is to fill a (bounded) buffer with the request body, and then
38+ * to reinject that request body later.
39+ *
40+ * This function is called to fill the renegotiation buffer for the
41+ * location as required, or fail. Returns zero on success or HTTP_
42+ * error code on failure.
43+ */
44+static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
45+{
46+ int rv;
47+ apr_size_t rsize;
48+
49+ /* ### this is HTTP/1.1 specific, special case for protocol? */
50+ if (r->expecting_100 || !ap_request_has_body(r)) {
51+ return 0;
52+ }
53+
54+ rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : dc->nRenegBufferSize;
55+ if (rsize > 0) {
56+ /* Fill the I/O buffer with the request body if possible. */
57+ rv = ssl_io_buffer_fill(r, rsize);
58+ }
59+ else {
60+ /* If the reneg buffer size is set to zero, just fail. */
61+ rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
62+ }
63+
64+ return rv;
65+}
66+
67 #ifdef HAVE_TLSEXT
68 static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
69 {
70@@ -814,41 +853,14 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
71 }
72 }
73
74- /* If a renegotiation is now required for this location, and the
75- * request includes a message body (and the client has not
76- * requested a "100 Continue" response), then the client will be
77- * streaming the request body over the wire already. In that
78- * case, it is not possible to stop and perform a new SSL
79- * handshake immediately; once the SSL library moves to the
80- * "accept" state, it will reject the SSL packets which the client
81- * is sending for the request body.
82- *
83- * To allow authentication to complete in this auth hook, the
84- * solution used here is to fill a (bounded) buffer with the
85- * request body, and then to reinject that request body later.
86- */
87- if (renegotiate && !renegotiate_quick
88- && !r->expecting_100
89- && ap_request_has_body(r)) {
90- int rv;
91- apr_size_t rsize;
92-
93- rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
94- dc->nRenegBufferSize;
95- if (rsize > 0) {
96- /* Fill the I/O buffer with the request body if possible. */
97- rv = ssl_io_buffer_fill(r, rsize);
98- }
99- else {
100- /* If the reneg buffer size is set to zero, just fail. */
101- rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
102- }
103-
104- if (rv) {
105+ /* Fill reneg buffer if required. */
106+ if (renegotiate && !renegotiate_quick) {
107+ rc = fill_reneg_buffer(r, dc);
108+ if (rc) {
109 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257)
110 "could not buffer message body to allow "
111 "SSL renegotiation to proceed");
112- return rv;
113+ return rc;
114 }
115 }
116
117@@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
118 }
119 }
120
121+ /* Fill reneg buffer if required. */
122+ if (change_vmode) {
123+ rc = fill_reneg_buffer(r, dc);
124+ if (rc) {
125+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
126+ "could not buffer message body to allow "
127+ "TLS Post-Handshake Authentication to proceed");
128+ return rc;
129+ }
130+ }
131+
132 if (change_vmode) {
133 char peekbuf[1];
134
diff --git a/debian/patches/series b/debian/patches/series
index 3278e1a..e69e713 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,5 @@ spelling-errors.patch
13086_svn_cross_compiles13086_svn_cross_compiles
14mod_proxy_ajp-secret-parameter-doc.patch14mod_proxy_ajp-secret-parameter-doc.patch
15mod_proxy_ajp-secret-parameter.patch15mod_proxy_ajp-secret-parameter.patch
16buffer-http-request-bodies-for-tlsv13.diff
17tlsv13-add-logno.diff
diff --git a/debian/patches/tlsv13-add-logno.diff b/debian/patches/tlsv13-add-logno.diff
16new file mode 10064418new file mode 100644
index 0000000..e25c1e9
--- /dev/null
+++ b/debian/patches/tlsv13-add-logno.diff
@@ -0,0 +1,23 @@
1From 55239ec1e23ec02734c0738a57e244b2a0de1060 Mon Sep 17 00:00:00 2001
2From: Joe Orton <jorton@apache.org>
3Date: Thu, 21 Nov 2019 16:55:14 +0000
4Subject: [PATCH] Add logno.
5
6git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1870097 13f79535-47bb-0310-9956-ffa450edef68
7---
8 modules/ssl/ssl_engine_kernel.c | 2 +-
9 2 files changed, 2 insertions(+), 2 deletions(-)
10
11diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
12index 516e7082bb0..408ffd90202 100644
13--- a/modules/ssl/ssl_engine_kernel.c
14+++ b/modules/ssl/ssl_engine_kernel.c
15@@ -1148,7 +1148,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
16 if (change_vmode) {
17 rc = fill_reneg_buffer(r, dc);
18 if (rc) {
19- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
20+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10228)
21 "could not buffer message body to allow "
22 "TLS Post-Handshake Authentication to proceed");
23 return rc;

Subscribers

People subscribed via source and target branches