Issue proftpd#859, proftpd#861: Fix handling of CRL lookups by properly using issuer for lookups, and guarding against null pointers.
Castaglia authored and alexandr nedvedicky - Sun Microsystems - Prague Czech Republic committed Dec 16, 2019
1 parent 9a18af0 commit a666067
Showing 2 changed files with 8 additions and 2 deletions.
3 changes: 3 additions & 0 deletions NEWS
Expand Up @@ -15,19 +15,22 @@
where `N' is the issue number.
-----------------------------------------------------------------------------

=======
1.3.6 - Released 09-Apr-2017
--------------------------------
- Bug 4284 - SITE UTIME not working with group permissions.
- Bug 4289 - LDAPSearchScope does not alter search scope as expected. When
the LDAPServer directive is used with LDAP URLs, the LDAPSearchScope should
not be used; the handler was failing to handle this case properly.
- Issue 859 - Improper handling of TLS CRL lookups.
- Bug 4285 - In AIX, log failed logins so that user accounts can be locked by
the OS after multiple failed login attempts.
- Added mod_wrap2_redis to the contrib/ modules directory.
- Bug 4295 - AllowChrootSymlinks off does not check entire DefaultRoot path
for symlinks (CVE-2017-7418).
- Bug 4299 - TimeoutLogin not working for SFTP connections.
- Issue 846 - Remote denial-of-service due to issue in network IO handling.
- Issue 859 - Improper handling of TLS CRL lookups.

1.3.6rc4 - Released 15-Jan-2017
--------------------------------
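Review bot: A bare `=======` line now sits directly above the `1.3.6 - Released 09-Apr-2017` heading, and the `Issue 859 - Improper handling of TLS CRL lookups.` entry appears twice in that section (after Bug 4289 and again after Issue 846); together these account for the 3 additions in the hunk header and look like an unresolved merge conflict. Drop the `=======` line and keep a single Issue 859 entry. The commit message also names proftpd#861, which has no NEWS entry here; add one or fold it into the 859 line.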
7 changes: 5 additions & 2 deletions contrib/mod_tls.c
Expand Up @@ -8972,10 +8972,10 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
!defined(HAVE_LIBRESSL)
crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
#elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
!defined(HAVE_LIBRESSL)
crls = X509_STORE_get1_crls(store_ctx, subject);
crls = X509_STORE_get1_crls(store_ctx, issuer);
#else
/* Your OpenSSL is before 1.0.0. You really need to upgrade. */
crls = NULL;
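Review bot: Both branches that receive the `issuer` lookup are conditioned on `!defined(HAVE_LIBRESSL)`, so a LibreSSL build falls through to `#else`, where `crls = NULL` and the comment blames an OpenSSL older than 1.0.0. If that leaves LibreSSL builds without a CRL lookup in this function, the fix does not reach them; either give LibreSSL its own issuer-based branch or correct the comment and log that the CRL lookup is unavailable. A short comment at the lookup saying why the CRL is fetched by `issuer` rather than `subject` would help the next reader, and since only NEWS and contrib/mod_tls.c change, a regression test covering a certificate revoked in its issuer's CRL is worth adding.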
Expand All @@ -8994,6 +8994,9 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
ASN1_INTEGER *sn;

revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
if (revoked == NULL) {
continue;
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
!defined(HAVE_LIBRESSL)
sn = X509_REVOKED_get0_serialNumber(revoked);
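Review bot: The new `if (revoked == NULL) { continue; }` guard skips the entry without any trace, so a CRL whose revoked list yields a NULL element at index `j` passes through this loop silently. The guard belongs where it is, ahead of `X509_REVOKED_get0_serialNumber(revoked)`; add a debug-level log line before `continue` so an unexpected or malformed CRL is visible to the operator, and a brief comment noting when `sk_X509_REVOKED_value()` can return NULL (an out-of-range index, or a NULL stack from `X509_CRL_get_REVOKED(crl)`).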