// Making the check here instead of later, so we only
// do this setting immediately after we create the SSL object
SNIConfig::scoped_config sniParam;
- int8_t clientVerify = 0;
- cchar *serverKey = this->options.sni_servername;
+ cchar *serverKey = this->options.sni_servername;
if (!serverKey) {
ats_ip_ntop(this->get_remote_addr(), buff, INET6_ADDRSTRLEN);
serverKey = buff;
SSL_CTX *clientCTX = nullptr;
if (nps) {
- clientCTX = nps->ctx;
- clientVerify = nps->verifyLevel;
+ clientCTX = nps->ctx;
} else {
clientCTX = params->client_ctx;
- // Keeping backwards compatability on the proxy.config.ssl.client.verify.server setting
- clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0;
}
+
if (!clientCTX) {
SSLErrorVC(this, "failed to create SSL client session");
return EVENT_ERROR;
}
+ if (nps && nps->verifyLevel != static_cast<uint8_t>(YamlSNIConfig::Level::UNSET)) {
+ this->options.clientVerificationFlag = nps->verifyLevel;
+ } else {
+ // Keeping backwards compatibility on the proxy.config.ssl.client.verify.server setting
+ this->options.clientVerificationFlag = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0;
+ }
+
this->ssl = make_ssl_connection(clientCTX, this);
if (this->ssl == nullptr) {
SSLErrorVC(this, "failed to create SSL client session");
return EVENT_ERROR;
}
int verify_op;
- if (clientVerify) {
+ if (this->options.clientVerificationFlag) {
verify_op = SSL_VERIFY_PEER;
SSL_set_verify(this->ssl, verify_op, verify_callback);
} else {
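Review bot: The fallback to the global `proxy.config.ssl.client.verify.server` setting only works if `nps->verifyLevel` actually starts out as `UNSET`, but the default this commit changes is `YamlSNIConfig::Item::verify_origin_server`, which is a different object from whatever `nps` points to (its type is not visible here). If the struct behind `nps` has its own in-class initializer of `0`, an entry that was never populated from a YAML item would still read as `NONE` and silently disable origin-server certificate verification, which is exactly the failure this change is meant to close; its default should be `static_cast<uint8_t>(YamlSNIConfig::Level::UNSET)` as well, and a comment on the assignment at the `if (nps && ...)` line should state that dependency. A second, smaller point: `this->options.clientVerificationFlag = nps->verifyLevel;` copies the byte unchecked, so if the YAML loader does not already reject values outside NONE/MODERATE/STRICT, a guard such as `if (nps->verifyLevel > static_cast<uint8_t>(YamlSNIConfig::Level::STRICT)) { SSLErrorVC(this, "invalid verify_origin_server level"); return EVENT_ERROR; }` would keep an unexpected value from reaching `verify_callback`. The enclosing function starts before this hunk.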
client_cert
};
- enum class Level { NONE = 0, MODERATE, STRICT };
+ enum class Level { NONE = 0, MODERATE, STRICT, UNSET };
enum class TLSProtocol : uint8_t { TLSv1 = 0, TLSv1_1, TLSv1_2, TLSv1_3, TLS_MAX = TLSv1_3 };
YamlSNIConfig() {}
bool disable_h2 = false;
uint8_t verify_client_level = 0;
std::string tunnel_destination;
- uint8_t verify_origin_server = 0;
+ uint8_t verify_origin_server = static_cast<uint8_t>(Level::UNSET);
std::string client_cert;
std::string ip_allow;
bool protocol_unset = true;
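Review bot: `UNSET` is appended after `STRICT` and the consuming code in SSLNetVConnection compares and assigns these levels as raw integers (`clientVerify == 1 ? 2 : 1`, `!= static_cast<uint8_t>(Level::UNSET)`), so the enum's numeric order is now part of the verification contract and nothing in the header says so. I would add `// Order matters: callers store these as uint8_t and compare numerically; UNSET is a sentinel meaning "not configured in sni.yaml, fall back to proxy.config.ssl.client.verify.server" and must remain last.` above the `Level` line, plus `static_assert(static_cast<uint8_t>(Level::UNSET) > static_cast<uint8_t>(Level::STRICT), "UNSET must follow the real levels");` after it. The asymmetry with `verify_client_level`, which keeps `0` (NONE) as its default while `verify_origin_server` now defaults to `UNSET`, also deserves a one-line comment so a later reader does not "harmonize" the two and reintroduce the silent-disable behaviour.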