You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2023/04/05 06:37:31 UTC

Re: svn commit: r1908971 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_kernel.c


On 4/4/23 11:34 PM, gbechis@apache.org wrote:
> Author: gbechis
> Date: Tue Apr  4 21:34:57 2023
> New Revision: 1908971
> 
> URL: http://svn.apache.org/viewvc?rev=1908971&view=rev
> Log:
> add SSL_CTX_set_session_id_context(3) checks
> bz #66226
> 
> Modified:
>     httpd/httpd/trunk/docs/log-message-tags/next-number
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> 
> Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1908971&r1=1908970&r2=1908971&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
> +++ httpd/httpd/trunk/docs/log-message-tags/next-number Tue Apr  4 21:34:57 2023
> @@ -1 +1 @@
> -10422
> +10423
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1908971&r1=1908970&r2=1908971&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Apr  4 21:34:57 2023
> @@ -988,9 +988,17 @@ static int ssl_hook_Access_classic(reque
>                            "protocol (%s support secure renegotiation)",
>                            reneg_support);
>  
> -            SSL_set_session_id_context(ssl,
> +            if(!SSL_set_session_id_context(ssl,
>                                         (unsigned char *)&id,
> -                                       sizeof(id));
> +                                       sizeof(id))) {
> +
> +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10422)
> +                              "error setting SSL session context");
> +                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
> +
> +                r->connection->keepalive = AP_CONN_CLOSE;
> +                return HTTP_FORBIDDEN;
> +            }
>  
>              /* Toggle the renegotiation state to allow the new
>               * handshake to proceed. */
> @@ -2576,7 +2584,9 @@ static int ssl_find_vhost(void *serverna
>           * a renegotiation.
>           */
>          if (SSL_num_renegotiations(ssl) == 0) {
> -            SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2);
> +            if(!SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2)) {
> +              return 0;
> +            }
>          }
>  
>          /*

While the checks don't harm we know that we always succeed as in both cases (sizeof(id), APR_MD5_DIGESTSIZE*2) the value is <=
SSL_MAX_SID_CTX_LENGTH. Only if we would be larger than SSL_MAX_SID_CTX_LENGTH we would fail. If the value of
SSL_MAX_SID_CTX_LENGTH would become smaller at some time or APR_MD5_DIGESTSIZE would become larger we would likely fail always as
we use static length values to call SSL_set_session_id_context.

Regards

RĂ¼diger