Bug 64262 - Unsafe error handling: when using OpenSSL API
Summary: Unsafe error handling: when using OpenSSL API
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-25 08:22 UTC by summerlinasity
Modified: 2020-03-25 08:22 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description summerlinasity 2020-03-25 08:22:15 UTC
There is a potential bug in modules/ssl/ssl_engine_init.c:1715-1727. 

According to OpenSSL API document, "X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous call to X509_verify_cert() is successful. If the call to X509_verify_cert() is not successful the returned chain may be incomplete or invalid. "

So it's unsafe to just log the error and execute the 'X509_STORE_CTX_get1_chain' when (X509_verify_cert(sctx) != 1.

1715:   if (X509_verify_cert(sctx) != 1) {
            int err = X509_STORE_CTX_get_error(sctx);
            ssl_log_xerror(SSLLOG_MARK, APLOG_WARNING, 0, ptemp, s, inf->x509,
                           APLOGNO(02270) "SSL proxy client cert chain "
                           "verification failed: %s :",
                           X509_verify_cert_error_string(err));
        }


        /* Clear X509_verify_cert errors */
        ERR_clear_error();


        /* Obtain a copy of the verified chain */
        chain = X509_STORE_CTX_get1_chain(sctx);