[Bug 63679] New: Usage of wrong mctx in ssl_callback_SSLVerify function


[Bug 63679] New: Usage of wrong mctx in ssl_callback_SSLVerify function

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63679

            Bug ID: 63679
           Summary: Usage of wrong mctx in ssl_callback_SSLVerify function
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Created attachment 36728
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36728&action=edit
Patch fixing the bug

Hi all,

In commit r1826995 the following change was made to the
ssl_callback_SSLVerify function in ssl_engine_kernel.c:

-    if (ok && sc->server->ocsp_enabled == TRUE) {
+    if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+         (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {  
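Review bot: the new condition reads `sc->server->ocsp_mask`, but the callback also runs for the proxy context (an `sc` with `is_proxy`), so a backend certificate is gated on the server's OCSP setting rather than the proxy's; and if `sc->server->ocsp_mask` is still UNSET (-1) when the callback runs, every bit is set and both `& SSL_OCSPCHECK_CHAIN` and `& SSL_OCSPCHECK_LEAF` are nonzero, the opposite of the old `ocsp_enabled == TRUE` default. Use the `mctx` the callback already has, e.g. `if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||`.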

Instead of using sc->server, mctx should be used. This now causes weird behavior,
since ocsp_mask is by default set to UNSET (which is -1, translated to signed
int...). When a proxy is set on the same server, the if-condition above will be
true.

I'm proposing this change:

-    if (ok && sc->server->ocsp_enabled) {
+    if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+         (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
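Review bot: the `-` line of this hunk, `if (ok && sc->server->ocsp_enabled) {`, does not match what r1826995 left in the tree (the `sc->server->ocsp_mask` condition quoted above; the removed line there also read `== TRUE`), so this hunk will not apply to current trunk as written and should be regenerated against the post-r1826995 source (the attached patch may already do that). The replacement itself is right: `mctx->ocsp_mask` belongs to the context whose certificate is actually being verified. One caveat: it still relies on `mctx->ocsp_mask` having been resolved from UNSET (-1) for both the server and the proxy context before the callback runs, since -1 satisfies either bit test.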


It was working before, because ocsp_enabled was by default set to FALSE.
ocsp_mask is UNSET by default now and is set in either the proxy or the server
structure in sc. If an sc with is_proxy is passed here, it will result in a bug.

Attaching patch. Please merge it to 2.4.x if possible.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
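A constructed C model of the two conditions quoted in the report, added here and not taken from httpd: the struct layout, flag values and the `ocsp_scenario` helper are assumptions; only the shape of the two if-conditions comes from the hunks above. It shows both effects the report describes: the committed condition consults the server's mask while a proxy (backend) certificate is being verified, and an UNSET mask (-1, all bits set) satisfies any bit test.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the mod_ssl config fields involved (not httpd's real structs). */
#define UNSET (-1)                   /* "directive not set"; as the report notes, this is -1 */
#define SSL_OCSPCHECK_NONE  0
#define SSL_OCSPCHECK_LEAF  (1 << 0) /* assumed flag values */
#define SSL_OCSPCHECK_CHAIN (1 << 1)

typedef struct { int ocsp_mask; } modssl_ctx_t;
typedef struct { modssl_ctx_t *server; modssl_ctx_t *proxy; } SSLSrvConfigRec;

/* Condition as committed in r1826995: always reads sc->server, whatever mctx is. */
static bool ocsp_needed_buggy(const SSLSrvConfigRec *sc, const modssl_ctx_t *mctx, int errdepth)
{
    (void)mctx;
    return (sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* Condition as proposed in the report: reads the context actually being verified. */
static bool ocsp_needed_fixed(const SSLSrvConfigRec *sc, const modssl_ctx_t *mctx, int errdepth)
{
    (void)sc;
    return (mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* One verify-callback invocation against a constructed config (hypothetical helper).
 * verifying_proxy selects which context the callback is handed as mctx. */
bool ocsp_scenario(int server_mask, int proxy_mask, bool verifying_proxy,
                   int errdepth, bool use_fix)
{
    modssl_ctx_t server = { server_mask }, proxy = { proxy_mask };
    SSLSrvConfigRec sc = { &server, &proxy };
    const modssl_ctx_t *mctx = verifying_proxy ? &proxy : &server;
    return use_fix ? ocsp_needed_fixed(&sc, mctx, errdepth)
                   : ocsp_needed_buggy(&sc, mctx, errdepth);
}

int main(void)
{
    /* Backend cert with OCSP explicitly off on the proxy side, server side still UNSET (-1):
     * the committed condition fires because -1 & SSL_OCSPCHECK_CHAIN is nonzero. */
    printf("buggy: %d  fixed: %d\n",
           ocsp_scenario(UNSET, SSL_OCSPCHECK_NONE, true, 0, false),
           ocsp_scenario(UNSET, SSL_OCSPCHECK_NONE, true, 0, true));
    return 0;
}
```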


[Bug 63679] Usage of wrong mctx in ssl_callback_SSLVerify function

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63679

Lubos Uhliarik <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.4.41                      |2.5-HEAD



[Bug 63679] Usage of wrong mctx in ssl_callback_SSLVerify function

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63679

Yann Ylavic <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #1 from Yann Ylavic <[hidden email]> ---
Thanks for spotting and the patch, applied in r1865740.
I will propose it for backport soon, waiting a bit for others' review.



[Bug 63679] Usage of wrong mctx in ssl_callback_SSLVerify function

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63679

Yann Ylavic <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Yann Ylavic <[hidden email]> ---
Backported to 2.4.x (r1872226), will be in the next release.



[Bug 63679] Usage of wrong mctx in ssl_callback_SSLVerify function

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63679

--- Comment #3 from Christophe JAILLET <[hidden email]> ---
This is part of 2.4.42
