upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-14 22:49:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

TLS context handling code: Fix an abort on ancient OpenSSL version

Browse source 
There was a logical bug when setting a list of enabled TLS protocols,
which may lead to a crash (an abort()) on systems with ancient OpenSSL
versions.

The problem was due to the fact that we were INSIST()ing on supporting
all of the TLS versions, while checking only for mentioned in the
configuration was implied.
This commit is contained in:
Artem Boldariev 2021-11-30 10:42:23 +02:00
parent 746052031a
commit 5f859d8a98
1 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
lib/isc/tls.c
View file

@ -453,14 +453,18 @@ isc_tlsctx_set_protocols(isc_tlsctx_t *ctx, const uint32_t tls_versions) {
for (uint32_t tls_ver = ISC_TLS_PROTO_VER_1_2;
tls_ver < ISC_TLS_PROTO_VER_UNDEFINED; tls_ver <<= 1)
{
/* Only supported versions should ever be passed to the
* function. The configuration file was not verified
* properly, if we are trying to enable an unsupported
* TLS version */
INSIST(isc_tls_protocol_supported(tls_ver));
if ((tls_versions & tls_ver) == 0) {
set_options |= get_tls_version_disable_bit(tls_ver);
} else {
/*
* Only supported versions should ever be passed to the
* function SSL_CTX_clear_options. For example, in order
* to enable TLS v1.2, we have to clear
* SSL_OP_NO_TLSv1_2. Insist that the configuration file
* was verified properly, so we are not trying to enable
* an unsupported TLS version.
*/
INSIST(isc_tls_protocol_supported(tls_ver));
clear_options |= get_tls_version_disable_bit(tls_ver);
}
versions &= ~(tls_ver);