
Mailing List Archive: Apache: Bugs

[Bug 47408] segfault potential in modssl ssl_log_cxerror



bugzilla at apache

Jun 23, 2009, 5:23 AM

https://issues.apache.org/bugzilla/show_bug.cgi?id=47408





--- Comment #1 from Joe Orton <jorton[at]redhat.com> 2009-06-23 05:23:37 PST ---
Can you give more details on what's changed in OpenSSL?

Invoking the callback in a case where X509_STORE_CTX_get_current_cert() would
return NULL seems nonsensical. What is the function supposed to verify?

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: bugs-help[at]httpd.apache.org


bugzilla at apache

Jun 23, 2009, 6:41 AM

--- Comment #2 from Peter Sylvester <peter.sylvester[at]edelweb.fr> 2009-06-23 06:41:04 PST ---
In crypto/x509/x509_vfy.c, the callback is called explicitly with
no certificate under two circumstances:

- When there is no acceptable explicit certification policy found.

- To notify the active policy.

In the check_policy routine, which is invoked after presenting
each certificate in the chain to the callback, the callback is called
again.

    if (ret == -2)
        {
        ctx->current_cert = NULL;
        ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
        return ctx->verify_cb(0, ctx);
        }

    if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
        {
        ctx->current_cert = NULL;
        ctx->error = X509_V_OK;
        if (!ctx->verify_cb(2, ctx))
            return 0;
        }

The "previous" cert had already been presented to the verify callback, so it was
already logged by Apache.



bugzilla at apache

Jun 23, 2009, 6:57 AM


Joe Orton <jorton[at]redhat.com> changed:

What    |Removed  |Added
----------------------------------------------------------------------------
Status  |NEW      |NEEDINFO




--- Comment #3 from Joe Orton <jorton[at]redhat.com> 2009-06-23 06:57:27 PST ---
So far as I can tell, that policy verification code is only going to get
invoked if the caller has explicitly enabled policy checking:

    if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
        ok = ctx->check_policy(ctx);

and this is not done by default, nor can it be enabled via mod_ssl. Am I missing
something?



bugzilla at apache

Jun 23, 2009, 8:19 AM

--- Comment #4 from Peter Sylvester <peter.sylvester[at]edelweb.fr> 2009-06-23 08:19:10 PST ---
No, you are not missing anything. Currently, the segfault only occurs if
the policy check flag is enabled by some magic.

But since OpenSSL doesn't seem to guarantee anymore that the pointer is non-null,
one might be prepared for that in a similar way as the cxerror log is
prepared not to get issuer, subject, and serial.

It is a suggestion to be more robust. So the status should
probably better be 'enhancement'.


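The robustness suggested in Comment #4, as an added example that is not part of the thread and is not mod_ssl or OpenSSL code: a self-contained C model of the two check_policy call sites quoted in Comment #2, driving a logging callback that tolerates a NULL current certificate. The struct, function and constant names are stand-ins chosen here (assumptions), not the OpenSSL definitions, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the OpenSSL types and constants named in the thread. */
enum { V_OK = 0, V_ERR_NO_EXPLICIT_POLICY = 43, FLAG_NOTIFY_POLICY = 0x800 };
struct cert { const char *subject, *issuer; };
struct ctx {
    struct cert *current_cert;
    int error;
    unsigned long flags;
    int (*verify_cb)(int ok, struct ctx *c);
    char log[160]; /* last formatted log line */
};

/* Logging callback: a missing certificate is handled like a missing name. */
static int logging_verify_cb(int ok, struct ctx *c)
{
    const struct cert *x = c->current_cert;
    const char *subject = (x && x->subject) ? x->subject : "-unknown-";
    const char *issuer = (x && x->issuer) ? x->issuer : "-unknown-";
    snprintf(c->log, sizeof c->log, "ok=%d error=%d %s subject=%s issuer=%s",
             ok, c->error, x ? "cert" : "no-cert", subject, issuer);
    return ok; /* pass the library's verdict through unchanged */
}

/* Model of the two check_policy call sites quoted in Comment #2. */
static int check_policy_model(struct ctx *c, int ret)
{
    if (ret == -2) {
        c->current_cert = NULL;
        c->error = V_ERR_NO_EXPLICIT_POLICY;
        return c->verify_cb(0, c);
    }
    if (c->flags & FLAG_NOTIFY_POLICY) {
        c->current_cert = NULL;
        c->error = V_OK;
        if (!c->verify_cb(2, c))
            return 0;
    }
    return 1;
}

int main(void)
{
    struct ctx c = { NULL, V_OK, FLAG_NOTIFY_POLICY, logging_verify_cb, "" };
    check_policy_model(&c, -2);
    puts(c.log);
    return 0;
}
```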