From: Giovanni Bechis
Date: Tue, 4 Apr 2023 16:46:05 +0000 (+0000)
Subject: check SSL_do_handshake(3) return value
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=132d4ee48f1c1ee786d13b61017e8e549a70d2de;p=thirdparty%2Fapache%2Fhttpd.git
check SSL_do_handshake(3) return value
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908964 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index d69788b083f..2624afa3656 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10421
+10422
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index f63865c37a3..96aaf6602d0 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -78,9 +78,8 @@ static apr_status_t upgrade_connection(request_rec *r)
 /* Perform initial SSL handshake. */
 SSL_set_accept_state(ssl);
- SSL_do_handshake(ssl);
- if (!SSL_is_init_finished(ssl)) {
+ if ((SSL_do_handshake(ssl) != 1) || !SSL_is_init_finished(ssl)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
 "TLS upgrade handshake failed");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -1182,7 +1181,12 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
 modssl_set_app_data2(ssl, r);
- SSL_do_handshake(ssl);
+ if(SSL_do_handshake(ssl) != 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10421)
+ "TLS handshake failure");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+ return HTTP_FORBIDDEN;
+ }
 /* Need to trigger renegotiation handshake by reading.
 * Peeking 0 bytes actually works.
 * See: http://marc.info/?t=145493359200002&r=1&w=2
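Review bot: In upgrade_connection, the new test `(SSL_do_handshake(ssl) != 1)` throws the return value away, so the failure path cannot tell a controlled shutdown (0) from a fatal or retryable error (< 0). `ssl_log_ssl_error()` reports the OpenSSL error queue, which can be empty for some failure classes, leaving only the generic 02030 message for whoever triages the log. I would keep the result in a local, `rc = SSL_do_handshake(ssl);`, test `rc != 1 || !SSL_is_init_finished(ssl)`, and include `SSL_get_error(ssl, rc)` in the logged message. Whether a want-read/want-write result can occur here depends on the BIO setup, which is outside the hunk along with the rest of the function body.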
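Review bot: In ssl_hook_Access_modern, the added `return HTTP_FORBIDDEN;` exits right after `modssl_set_app_data2(ssl, r);` has attached the request to the SSL object, so any cleanup that follows the handshake is skipped on this path. The rest of the function is outside the hunk; if it later clears that pointer or restores per-connection renegotiation state, the early return would leave a pointer to `r` on a connection that can outlive the request. I would undo the visible setup before returning, e.g. `modssl_set_app_data2(ssl, NULL);` ahead of `return HTTP_FORBIDDEN;`, and mirror whatever else the normal path restores. As a style point, `if(` here lacks the space used by `if (` in the upgrade_connection hunk.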