mod_ssl: Fix recognition of OCSP stapling responses that are encoded

author Jeff Trawick <trawick@apache.org>

Sat, 22 Nov 2014 14:51:01 +0000 (14:51 +0000)

committer Jeff Trawick <trawick@apache.org>

Sat, 22 Nov 2014 14:51:01 +0000 (14:51 +0000)
author Jeff Trawick <trawick@apache.org>
Sat, 22 Nov 2014 14:51:01 +0000 (14:51 +0000)
committer Jeff Trawick <trawick@apache.org>
Sat, 22 Nov 2014 14:51:01 +0000 (14:51 +0000)
diff --git a/CHANGES b/CHANGES

index 00f5887df054af769c3f53ca990cbf285b0e12fc..a962108758417ddeecb7fddaf0f6ab5c1b71f5e3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,9 @@ Changes with Apache 2.5.0
       mod_proxy_fcgi: Fix a potential crash with response headers' size above 
       8K. [Teguh <chain rop.io>, Yann Ylavic, Jeff Trawick]
  
+  *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
+     improperly or too large.  [Jeff Trawick]
+
    *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
       error when parsing or forwarding the response fails. [Yann Ylavic]
  
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c

index 81e95b41cad7ee7e653e977f1b13045985fef801..2d4172882131e56841952e2d0b442c3efdbc39f5 100644 (file)
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -210,13 +210,13 @@ static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx,
                                      BOOL ok, apr_pool_t *pool)
  {
      SSLModConfigRec *mc = myModConfig(s);
-    unsigned char resp_der[MAX_STAPLING_DER];
+    unsigned char resp_der[MAX_STAPLING_DER]; /* includes one-byte flag + response */
      unsigned char *p;
      int resp_derlen;
      BOOL rv;
      apr_time_t expiry;
  
-    resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL) + 1;
+    resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL);
  
      if (resp_derlen <= 0) {
          ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01927)
@@ -224,7 +224,7 @@ static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx,
          return FALSE;
      }
  
-    if (resp_derlen > sizeof resp_der) {
+    if (resp_derlen + 1 > sizeof resp_der) { /* response + ok flag too big? */
          ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01928)
                       "OCSP stapling response too big (%u bytes)", resp_derlen);
          return FALSE;
author	Jeff Trawick <trawick@apache.org>
	Sat, 22 Nov 2014 14:51:01 +0000 (14:51 +0000)
committer	Jeff Trawick <trawick@apache.org>
	Sat, 22 Nov 2014 14:51:01 +0000 (14:51 +0000)
CHANGES		patch \| blob \| history
modules/ssl/ssl_util_stapling.c		patch \| blob \| history