From: Christos Tsantilas Date: Sat, 3 Mar 2012 06:25:33 +0000 (+0200) Subject: Bug fix: ssl_crtd crashes when accessing HTTPS sites with a domain name exceeding... X-Git-Tag: BumpSslServerFirst.take06~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5367d84507a6cd6f9fc18e723638350751d39292;p=thirdparty%2Fsquid.git Bug fix: ssl_crtd crashes when accessing HTTPS sites with a domain name exceeding 64 characters Squid tries to generate a certificate for long domain names, which is not possible. According to RFC 5280 (Section A.1), the common name length in a certificate can be at most 64 characters. Therefore it is not possible to generate a valid certificate with the above domain name as common name. This patch does not allow use of common names longer than 64 bytes in setCommonName adaptation algorithm. Also In the case the openssl fails to read subject name from mimicking certificate does not set any subject to generated certification. (currently ssl_crtd crashes).
---
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index bea414f43d..4ceeb0a50b 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -4520,6 +4520,11 @@ static void parse_sslproxy_cert_adapt(sslproxy_cert_adapt **cert_adapt)
     else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetCommonName]) == 0) {
         ca->alg = Ssl::algSetCommonName;
         if (param) {
+            if (strlen(param) > 64) {
+                debugs(3, DBG_CRITICAL, "FATAL: sslproxy_cert_adapt: setCommonName{" <param = strdup(param);
         }
     } else {
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 5c0a62ea1a..4d23f87d3d 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
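Review bot: The bound on the added `if (strlen(param) > 64)` line is a bare magic number at the one place it is enforced; give it a name that records its origin, e.g. `static const size_t MaxCommonNameLength = 64; // RFC 5280 A.1 ub-common-name` and `if (strlen(param) > MaxCommonNameLength) {`, so the certificate-generation path can reuse the same limit instead of re-typing it. The page truncates the middle of this hunk (the remainder of the debugs() call and the added lines after it are not shown), so whether the error path actually stops configuration parsing cannot be confirmed here. parse_sslproxy_cert_adapt starts before the hunk and continues after it.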
@@ -230,10 +230,10 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
     // returns a pointer to the existing subject name. Nothing to clean here.
     if (properties.mimicCert.get()) {
         X509_NAME *name = X509_get_subject_name(properties.mimicCert.get());
-        if (!name)
-            return false;
-        // X509_set_subject_name will call X509_dup for name
-        X509_set_subject_name(cert.get(), name);
+        if (name) {
+            // X509_set_subject_name will call X509_dup for name
+            X509_set_subject_name(cert.get(), name);
+        }
     }
     if (properties.setCommonName || !properties.mimicCert.get()) {
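Review bot: The return value of `X509_set_subject_name(cert.get(), name)` is still ignored on the rewritten line; it returns 0 when duplicating the name fails, which would leave the generated certificate without the subject the caller asked to mimic while the function still reports success. `if (!X509_set_subject_name(cert.get(), name)) return false;` keeps the failure convention the function already uses elsewhere. The new `if (name)` branch also discards a missing subject name silently, and when properties.setCommonName is false the following `if` is skipped too, so a certificate with an empty subject is presumably produced with no trace in the logs; an `else` branch with a `debugs()` line noting that the mimicked certificate has no subject name would make that case visible to operators. buildCertificate starts before the hunk and continues after it.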