Bug 3816: SSL_get_certificate call inside Ssl::verifySslCertificate crashes squid...
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 14 May 2013 17:15:02 +0000 (20:15 +0300)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 14 May 2013 17:15:02 +0000 (20:15 +0300)
This patch tries to avoid using the SSL_get_certificate function. While configuring,
squid runs tests:
  - to examine whether the workaround code can be used
  - to detect a buggy SSL_get_certificate

Inside Ssl::verifySslCertificate, try to use the workaround code and, if this is not
possible, use SSL_get_certificate if it is not buggy; otherwise hit an assertion

This is a Measurement Factory project

acinclude/lib-checks.m4
configure.ac
src/ssl/support.cc

index 798769a5c4901e73105ebd38bc5f3dba7329ef4f..bcfc68a86d4e230f869588f28b123f212f25e995 100644 (file)
@@ -94,3 +94,67 @@ AC_DEFUN([SQUID_CHECK_LIBIPHLPAPI],[
   ])
   SQUID_STATE_ROLLBACK(iphlpapi)
 ])
+
+dnl Checks whether the OpenSSL SSL_get_certificate crashes squid and if a
+dnl workaround can be used instead of using the SSL_get_certificate
+AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
+  AH_TEMPLATE(SQUID_SSLGETCERTIFICATE_BUGGY, "Define to 1 if the SSL_get_certificate crashes squid")
+  AH_TEMPLATE(SQUID_USE_SSLGETCERTIFICATE_HACK, "Define to 1 to use squid workaround for SSL_get_certificate")
+  SQUID_STATE_SAVE(check_SSL_get_certificate)
+  LIBS="$LIBS $SSLLIB"
+  if test "x$SSLLIBDIR" != "x"; then
+     LIBS="$LIBS -Wl,-rpath -Wl,$SSLLIBDIR"
+  fi
+
+  AC_MSG_CHECKING(whether the SSL_get_certificate is buggy)
+  AC_RUN_IFELSE([
+  AC_LANG_PROGRAM(
+    [
+     #include <openssl/ssl.h>
+     #include <openssl/err.h>
+    ],
+    [
+    SSLeay_add_ssl_algorithms();
+    SSL_CTX *sslContext = SSL_CTX_new(SSLv3_method());
+    SSL *ssl = SSL_new(sslContext);
+    X509* cert = SSL_get_certificate(ssl);
+    return 0;
+    ])
+  ],
+  [
+   AC_MSG_RESULT([no])
+  ],
+  [
+   AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 1)
+   AC_MSG_RESULT([yes])
+  ],
+  [])
+
+  AC_MSG_CHECKING(whether the workaround for SSL_get_certificate works)
+  AC_RUN_IFELSE([
+  AC_LANG_PROGRAM(
+    [
+     #include <openssl/ssl.h>
+     #include <openssl/err.h>
+    ],
+    [
+    SSLeay_add_ssl_algorithms();
+    SSL_CTX *sslContext = SSL_CTX_new(SSLv3_method());
+    X509 ***pCert = (X509 ***)sslContext->cert;
+    X509 *sslCtxCert = pCert && *pCert ? **pCert : (X509 *)0x1;
+    if (sslCtxCert != NULL)
+        return 1;
+    return 0;
+    ])
+  ],
+  [
+   AC_MSG_RESULT([yes])
+   AC_DEFINE(SQUID_USE_SSLGETCERTIFICATE_HACK, 1)
+  ],
+  [
+   AC_MSG_RESULT([no])
+  ],
+[])
+
+SQUID_STATE_ROLLBACK(check_SSL_get_certificate)
+])
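Review bot: Both probe programs create their context with `SSLv3_method()`, and AC_RUN_IFELSE takes a compile or link failure as its action-if-false, so on an OpenSSL built without SSLv3 (OPENSSL_NO_SSL3) the first probe would define SQUID_SSLGETCERTIFICATE_BUGGY for a library whose SSL_get_certificate is fine, and the second would report the workaround as unusable; the protocol method is irrelevant to what is being probed, so `SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());` keeps both checks meaningful on such builds. Both probes should also stop on a NULL context, `if (!sslContext) return 1;`, rather than passing it to SSL_new or dereferencing it, so that a missing library feature is reported as a check result instead of a segfault being mistaken for the SSL_get_certificate bug. The two AC_RUN_IFELSE calls pass an empty action-if-cross-compiling, which, if I read autoconf right, makes configure abort when cross-compiling; an explicit conservative default (call not buggy, workaround unavailable) would be kinder there.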
index 3b638ca9100929789bb04ea47a40cf47bb7b5be6..5cacfc41bd782602dd5816ff43d83471bc08ae3a 100644 (file)
@@ -1264,6 +1264,9 @@ if test "x$SSLLIBDIR" != "x" ; then
 fi
 AC_SUBST(SSLLIB)
 
+if test "x$with_openssl" = "xyes"; then
+SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
+fi
 
 AC_ARG_ENABLE(forw-via-db,
   AS_HELP_STRING([--enable-forw-via-db],[Enable Forw/Via database]), [
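Review bot: The new guard `if test "x$with_openssl" = "xyes"` only runs the probes when the option was given as a bare `--with-openssl`; if `--with-openssl=PATH` leaves `$with_openssl` holding the path (the SSLLIBDIR handling just above suggests the path form is supported), the check is skipped, neither macro is defined and support.cc silently falls back to the raw SSL_get_certificate call, which is the case the commit is trying to avoid. Gating on `if test "x$with_openssl" != "xno"` (or on SSLLIB being non-empty) would run the check whenever OpenSSL is actually in use.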
index 883d5ef4a841e63a793a82be883a687889df43d6..51f955e077b146b0abd763a67cd22249976f543e 100644 (file)
@@ -1454,9 +1454,12 @@ bool Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const
 {
     // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
     // Try to retrieve certificate directly from SSL_CTX object
-#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL
+#if SQUID_USE_SSLGETCERTIFICATE_HACK
     X509 ***pCert = (X509 ***)sslContext->cert;
     X509 * cert = pCert && *pCert ? **pCert : NULL;
+#elif SQUID_SSLGETCERTIFICATE_BUGGY
+    X509 * cert = NULL;
+    assert(0);
 #else
     // Temporary ssl for getting X509 certificate from SSL_CTX.
     Ssl::SSL_Pointer ssl(SSL_new(sslContext));
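Review bot: The new `#elif SQUID_SSLGETCERTIFICATE_BUGGY` branch places `assert(0)` inside verifySslCertificate, which from its signature is reached per generated certificate, so a build on an affected OpenSSL configures and starts normally and then aborts the whole proxy the first time a client needs a certificate; that turns a build-time finding into a runtime crash that clients can trigger. Since configure already knows both answers, the cleaner fix is to fail there (an AC_MSG_ERROR in SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS when the call is buggy and the hack is unavailable) or, in this file, to replace the two lines with `#error "SSL_get_certificate is broken in this OpenSSL build and the SSL_CTX workaround is unavailable"` so the problem surfaces at compile time. If a runtime fallback is preferred instead, the function returns bool, so a `return false;` preceded by a debugs() message degrades gracefully; as written, the `X509 * cert = NULL;` in that branch exists only to satisfy the code after `#endif`. The function body continues past the end of the hunk.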