add SSL_CTX_set_session_id_context(3) checks
authorGiovanni Bechis <gbechis@apache.org>
Tue, 4 Apr 2023 21:34:57 +0000 (21:34 +0000)
committerGiovanni Bechis <gbechis@apache.org>
Tue, 4 Apr 2023 21:34:57 +0000 (21:34 +0000)
bz #66226

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908971 13f79535-47bb-0310-9956-ffa450edef68

docs/log-message-tags/next-number
modules/ssl/ssl_engine_kernel.c

index 2624afa36560bfd94cb678f6f9d4a3bf579856fc..021188b79752dc78a77d5a272e7308346259c274 100644 (file)
@@ -1 +1 @@
-10422
+10423
index 96aaf6602d0811421268b7a720952d1a6496a513..a416ce3f0f4b11752478f1e1318a218c1bf236de 100644 (file)
@@ -988,9 +988,17 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
                           "protocol (%s support secure renegotiation)",
                           reneg_support);
 
-            SSL_set_session_id_context(ssl,
+            if(!SSL_set_session_id_context(ssl,
                                        (unsigned char *)&id,
-                                       sizeof(id));
+                                       sizeof(id))) {
+
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10422)
+                              "error setting SSL session context");
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+
+                r->connection->keepalive = AP_CONN_CLOSE;
+                return HTTP_FORBIDDEN;
+            }
 
             /* Toggle the renegotiation state to allow the new
              * handshake to proceed. */
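Review bot: The new `if(!SSL_set_session_id_context(ssl,` line does not follow the spacing of the surrounding code: there is no space after `if`, the two continuation lines are still aligned to the call's old column, and a blank line follows the opening brace. A form such as `if (!SSL_set_session_id_context(ssl, (unsigned char *)&id, sizeof(id))) {`, with any wrapped arguments re-aligned under `ssl`, would match the rest of the file. The same `if(` spelling, plus a two-space indent on `return 0;`, appears in the ssl_find_vhost hunk. The failure branch itself fails closed (it logs, marks the connection for close and returns HTTP_FORBIDDEN) before the renegotiation state is toggled, which is the right order. ssl_hook_Access_classic starts and ends outside the hunk.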
@@ -2576,7 +2584,9 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
          * a renegotiation.
          */
         if (SSL_num_renegotiations(ssl) == 0) {
-            SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2);
+            if(!SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2)) {
+              return 0;
+            }
         }
 
         /*
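Review bot: The failure branch `return 0;` is silent, whereas the ssl_hook_Access_classic hunk logs the same failure through ap_log_rerror and ssl_log_ssl_error, so a failed session-id-context update here leaves no trace in the error log. Consider logging before returning, e.g. `ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(<next-number>) "error setting SSL session context");` followed by `ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);`, where the tag is a placeholder to be allocated from docs/log-message-tags/next-number. The context value (`sc->vhost_md5`) appears to be derived from the vhost, which suggests it scopes TLS session reuse per virtual host. It is therefore worth confirming that returning 0 makes the caller reject the connection or fall back safely, rather than continue with whatever was already applied to `ssl` earlier in the function. ssl_find_vhost starts and ends outside the hunk, so that cannot be verified from here.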