BUG/MINOR: ssl: we may only ignore the first 64 errors

We have the ability per bind option to ignore certain errors (CA, crt, ...),
and for this we use a 64-bit field. In issue #479 Coverity reports a risk of
too large a left shift. For now as of OpenSSL 1.1.1 the highest error value
that may be reported by X509_STORE_CTX_get_error() seems to be around 50 so
there should be no risk yet, but it's enough of a warning to add a check so
that we don't accidentally hide random errors in the future.

This may be backported to relevant stable branches.

(cherry picked from commit 731248f0dbba03688e433789790f65580a472151)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 3017d288dfd42e632e1c18575c356ec4ae5e297d)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c487ffc..32e478e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1595,7 +1595,7 @@
 			ctx->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
 		}
 
-		if (__objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
+		if (err < 64 && __objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
 			ssl_sock_dump_errors(conn);
 			ERR_clear_error();
 			return 1;
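Review bot: The new `err < 64` guard on the ca_ignerr test only bounds the shift count from above. The declaration of err is not visible in this hunk, but if it is a signed type, a negative value would pass the guard and still reach `1ULL << err`, which is the same undefined shift the check is meant to exclude. Consider `err >= 0 && err < 64`, or comparing as unsigned, so that both ends of the range are covered.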
@@ -1609,7 +1609,7 @@
 		ctx->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
 
 	/* check if certificate error needs to be ignored */
-	if (__objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
+	if (err < 64 && __objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
 		ssl_sock_dump_errors(conn);
 		ERR_clear_error();
 		return 1;
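Review bot: The literal 64 in the crt_ignerr condition repeats the one added to the ca_ignerr condition, and it encodes the width of the ignore mask without saying so. A small shared helper or macro that takes the mask and err would keep the bound and the shift in one place if the field width ever changes. Parenthesising the `mask & (1ULL << err)` part would also make its grouping against `&&` explicit rather than relying on operator precedence.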