| Summary: | Unsafe error handling: when using OpenSSL API | ||
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | summerlinasity |
| Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | 2.5-HEAD | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Linux | ||
There is a potential bug in modules/ssl/ssl_engine_init.c:1715-1727. According to OpenSSL API document, "X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous call to X509_verify_cert() is successful. If the call to X509_verify_cert() is not successful the returned chain may be incomplete or invalid. " So it's unsafe to just log the error and execute the 'X509_STORE_CTX_get1_chain' when (X509_verify_cert(sctx) != 1. 1715: if (X509_verify_cert(sctx) != 1) { int err = X509_STORE_CTX_get_error(sctx); ssl_log_xerror(SSLLOG_MARK, APLOG_WARNING, 0, ptemp, s, inf->x509, APLOGNO(02270) "SSL proxy client cert chain " "verification failed: %s :", X509_verify_cert_error_string(err)); } /* Clear X509_verify_cert errors */ ERR_clear_error(); /* Obtain a copy of the verified chain */ chain = X509_STORE_CTX_get1_chain(sctx);