From: Willy Tarreau Date: Tue, 4 Feb 2020 13:02:02 +0000 (+0100) Subject: BUG/MINOR: ssl: we may only ignore the first 64 errors X-Git-Tag: v2.2-dev2~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=731248f0dbba03688e433789790f65580a472151;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: we may only ignore the first 64 errors We have the ability per bind option to ignore certain errors (CA, crt, ...), and for this we use a 64-bit field. In issue #479 coverity reports a risk of too large a left shift. For now as of OpenSSL 1.1.1 the highest error value that may be reported by X509_STORE_CTX_get_error() seems to be around 50 so there should be no risk yet, but it's enough of a warning to add a check so that we don't accidently hide random errors in the future. This may be backported to relevant stable branches. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 99072a58de..e00dafaa0e 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1730,7 +1730,7 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store) ctx->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth); } - if (__objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) { + if (err < 64 && __objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) { ssl_sock_dump_errors(conn); ERR_clear_error(); return 1; @@ -1744,7 +1744,7 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store) ctx->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err); /* check if certificate error needs to be ignored */ - if (__objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) { + if (err < 64 && __objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) { ssl_sock_dump_errors(conn); ERR_clear_error(); return 1;
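Review bot: in the first hunk, `err < 64` only bounds the shift from above; `err` is the plain int returned by X509_STORE_CTX_get_error(), so a negative value would still reach `1ULL << err`, which is undefined behaviour just as a shift by 64 or more is. Since the stated goal is to never let an unexpected error value fall into the ignore path, consider `(unsigned int)err < 64` or `err >= 0 && err < 64` so both bounds are covered by the same test.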
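Review bot: the second hunk repeats the exact guard added in the first one for `crt_ignerr`; a small static inline or macro taking the mask and `err` would keep the two call sites from drifting the next time one of them is touched. Also worth noting in the commit message or a comment: with this check, an error code of 64 or above that is stored into `ca_ignerr` or `crt_ignerr` can never match, so wherever those masks are populated from the bind options the value should be rejected or warned about rather than silently accepted.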
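The commit describes a 64-bit mask of X509 verify error codes to ignore and adds a range check before the shift. The following is an added illustration, not haproxy code and not part of the patch: it implements the same mask with the bounds check applied both when a code is stored and when it is tested, so an out-of-range code is refused at configuration time instead of silently never matching. The names ignerr_add and ignerr_match, and the sample error codes 10 and 18, are assumptions made for the example; no OpenSSL call is needed to show the bitmask logic.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not haproxy code): a 64-bit "ignore these verify errors"
 * mask as described in the commit, with the range check the patch adds.
 * Error numbers are plain ints, as X509_STORE_CTX_get_error() returns. */

#define IGNERR_BITS 64

/* Set the bit for one error code. Returns 0 and leaves the mask untouched
 * when the code cannot be represented in 64 bits, so a caller parsing a
 * configuration can reject the value instead of accepting one that would
 * never match at verify time. */
static int ignerr_add(uint64_t *mask, int err)
{
    if (err < 0 || err >= IGNERR_BITS)
        return 0;
    *mask |= 1ULL << err;
    return 1;
}

/* Test whether error code `err` is in the ignore mask. Both bounds are
 * checked: shifting by a negative amount or by 64 or more is undefined
 * behaviour in C, so an out-of-range code is simply reported as "not
 * ignored" rather than ever reaching the shift. */
static int ignerr_match(uint64_t mask, int err)
{
    if (err < 0 || err >= IGNERR_BITS)
        return 0;
    return (mask & (1ULL << err)) != 0;
}

int main(void)
{
    uint64_t ca_ignerr = 0;

    /* Constructed sample configuration: ignore error codes 10 and 18. */
    ignerr_add(&ca_ignerr, 10);
    ignerr_add(&ca_ignerr, 18);

    printf("code 10 ignored: %d\n", ignerr_match(ca_ignerr, 10));
    printf("code 19 ignored: %d\n", ignerr_match(ca_ignerr, 19));
    printf("code 70 ignored: %d\n", ignerr_match(ca_ignerr, 70));
    printf("adding code 70 accepted: %d\n", ignerr_add(&ca_ignerr, 70));
    return 0;
}
```

Checking the range where the mask is filled is what makes the verify-time guard a pure safety net: a user who asks to ignore an error number the mask cannot hold finds out when the configuration is loaded, not by observing that the handshake still fails.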