Re: [diff] httpd: tls client cert & CRL checks

Mon, 07 Aug 2017 21:23:46 -0700 

On Saturday 29 July 2017 20:49:18 Jan Klemkow wrote:
> Hi Jack,
> 
> On Fri, Jul 28, 2017 at 02:05:34AM +0930, Jack Burton wrote:
> > On Thu, 27 Jul 2017 13:10:14 +0200
> > 
> > > But, I found a bug in the part of the FastCGI variables.  The
> > > following condition is always false.
> > > 
> > > > Index: usr.sbin/httpd/server_fcgi.c
> > > > ===================================================================
> > > > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> > > > retrieving revision 1.74
> > > > diff -u -p -r1.74 server_fcgi.c
> > > > --- usr.sbin/httpd/server_fcgi.c        21 Jan 2017 11:32:04
> > > > -0000   1.74 +++ usr.sbin/httpd/server_fcgi.c   21 Jul
> > > > 2017 08:25:57 -0000 @@ -282,11 +283,57 @@ server_fcgi(struct httpd
> > > > *env, struct cl
> > > 
> > > ...
> > > 
> > > > +               if (srv_conf->tls_ca != NULL) {
> > > 
> > > ...
> > 
> > That's odd -- I'm not seeing that behaviour here -- in my tests
> > srv_conf->tls_ca always behaved just as expected (it's NULL iff the "tls
> > client ca" directive is not given for that server).
> 
> In the End, I found and fixed the real bug here:
> 
> @@ -430,7 +438,11 @@ config_getserver_config(struct httpd *en
>                 }
> 
>                 f = SRVFLAG_TLS;
> -               srv_conf->flags |= parent->flags & f;
> +               if ((srv_conf->flags & f) == 0) {
> +                       srv_conf->flags |= parent->flags & f;
> +                       srv_conf->tls_ca = parent->tls_ca;
> +                       srv_conf->tls_crl = parent->tls_crl;

I'd have to double check, however I'm pretty sure that this will result in a 
double-free since you're copying the pointer (without a reference count) 
across server config structs. Both will likely be passed to 
serverconfig_free(), 
which means free() will then be passed the same pointer twice.

> +               }
> 
>                 f = SRVFLAG_ACCESS_LOG;
>                 if ((srv_conf->flags & f) == 0) {
> 
> This additional copy fixes the bug I have seen by this config:
> 
> server "default" {
>         listen on 127.0.0.1 tls port 443
> 
>         # TLS certificate and key files created with acme-client(1)
>         tls certificate "/root/ca/server.crt"
>         tls key "/root/ca/server.key"
>         #tls client ca "/root/ca/ca.crt" crl "/root/ca/ca.crl"
>         tls client ca "/root/ca/ca.crt"
> 
>         location "*.cgi" {
>                 fastcgi
>                 root "/var/www/cgi-bin/env.cgi"
>         }
> 
>         root "/htdocs/"
> }
> 
> You find the whole diff below.
> I tested:
>  - TLS without client certs
>  - TLS with client certs and without CRL
>  - TLS with client certs and with CRL
>  - as well as environment variables in CGI-Scripts
> 
> Everything should work now.
> 
> Bye,
> Jan

Reply via email to