hardening (#397)

 * Hardening: when build with OpenSSL older than 1.0.2 or old libressl versions,
   the parsing of ASN.1 time strings did not do a length check.
 * Hardening: when reading back OCSP responses stored in the local JSON store,
   missing 'valid' key led to uninitialized values, resulting in wrong
   refresh behaviour.

Author: icing

ChangeLog

@@ -1,3 +1,21 @@
+ * Hardening: when build with OpenSSL older than 1.0.2 or old libressl versions,
+   the parsing of ASN.1 time strings did not do a length check.
+ * Hardening: when reading back OCSP responses stored in the local JSON store,
+   missing 'valid' key led to uninitialized values, resulting in wrong
+   refresh behaviour.
+
+v2.6.4
+----------------------------------------------------------------------------------------------------
+ * New directive `MDInitialDelay`, controlling how longer to wait after
+   a server restart before checking certificates for renewal.
+   [Michael Kaufmann]
+
+v2.6.3
+----------------------------------------------------------------------------------------------------
+ * borked the git tag. meh.
+
+v2.6.2
+----------------------------------------------------------------------------------------------------
  * Fix error retry delay calculation to not already doubling the wait
    on the first error.
 

configure.ac

@@ -14,7 +14,7 @@
 #
 
 AC_PREREQ([2.69])
-AC_INIT([mod_md], [2.6.1], [[email protected]])
+AC_INIT([mod_md], [2.6.4], [[email protected]])
 
 LT_PREREQ([2.2.6])
 LT_INIT()

src/md_crypt.c

@@ -206,7 +206,7 @@ static int pem_passwd(char *buf, int size, int rwflag, void *baton)
 
 /* Get the apr time (micro seconds, since 1970) from an ASN1 time, as stored in X509
  * certificates. OpenSSL now has a utility function, but other *SSL derivatives have
- * not caughts up yet or chose to ignore. An alternative is implemented, we prefer 
+ * not caught up yet or chose to ignore. An alternative is implemented, we prefer
  * however the *SSL to maintain such things.
  */
 static apr_time_t md_asn1_time_get(const ASN1_TIME* time)
@@ -220,6 +220,10 @@ static apr_time_t md_asn1_time_get(const ASN1_TIME* time)
     const char* str = (const char*) time->data;
     apr_size_t i = 0;
 
+    if ((time->length < 12) || (
+        (time->type == V_ASN1_GENERALIZEDTIME) && time->length < 16))
+      return 0;
+
     memset(&t, 0, sizeof(t));
 
     if (time->type == V_ASN1_UTCTIME) {/* two digit year */

src/md_ocsp.c

@@ -190,6 +190,7 @@ static apr_status_t ostat_from_json(md_ocsp_cert_stat_t *pstat,
     md_timeperiod_t valid;
     apr_status_t rv = APR_ENOENT;
 
+    memset(&valid, 0, sizeof(valid));
     memset(resp_der, 0, sizeof(*resp_der));
     memset(resp_valid, 0, sizeof(*resp_valid));
     s = md_json_dups(p, json, MD_KEY_VALID, MD_KEY_FROM, NULL);

src/md_version.h

@@ -27,15 +27,15 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.6.1-git"
+#define MOD_MD_VERSION "2.6.4-git"
 
 /**
  * @macro
  * Numerical representation of the version number of the md module
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020601
+#define MOD_MD_VERSION_NUM 0x020604
 
 #define MD_ACME_DEF_URL         "https://acme-v02.api.letsencrypt.org/directory"