BUG/MINOR: ssl: we may only ignore the first 64 errors

We have the ability per bind option to ignore certain errors (CA, crt, ...),
and for this we use a 64-bit field. In issue #479 coverity reports a risk of
too large a left shift. For now as of OpenSSL 1.1.1 the highest error value
that may be reported by X509_STORE_CTX_get_error() seems to be around 50 so
there should be no risk yet, but it's enough of a warning to add a check so
that we don't accidently hide random errors in the future.

This may be backported to relevant stable branches.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 99072a58de65e5fc62cd8894e1c437574be2beed..e00dafaa0eda223fd9f0a84a4ee24fe543710158 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1730,7 +1730,7 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
                        ctx->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
                }
 
-               if (__objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
+               if (err < 64 && __objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
                        ssl_sock_dump_errors(conn);
                        ERR_clear_error();
                        return 1;
@@ -1744,7 +1744,7 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
                ctx->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
 
        /* check if certificate error needs to be ignored */
-       if (__objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
+       if (err < 64 && __objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
                ssl_sock_dump_errors(conn);
                ERR_clear_error();
                return 1;