From: Christos Tsantilas Date: Tue, 14 May 2013 17:15:02 +0000 (+0300) Subject: Bug 3816: SSL_get_certificate call inside Ssl::verifySslCertificate crashes squid... X-Git-Tag: SQUID_3_4_0_1~143 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc321c30fdc09a715c724b05e5b8e3ed2a2887b9;p=thirdparty%2Fsquid.git Bug 3816: SSL_get_certificate call inside Ssl::verifySslCertificate crashes squid, part2 This patch try to avoid using the SSL_get_certificate function. While configures squid run tests: - to examine if the workaround code can be used - to detect buggy SSL_get_certificate Inside Ssl::verifySslCertificate try to use workarround code and if this is not possible uses the SSL_get_certificate if it is not buggy, else hit an assertion This is a Measurement Factory project
---
diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
index 798769a5c4..bcfc68a86d 100644
--- a/acinclude/lib-checks.m4
+++ b/acinclude/lib-checks.m4
@@ -94,3 +94,67 @@ AC_DEFUN([SQUID_CHECK_LIBIPHLPAPI],[
 ])
 SQUID_STATE_ROLLBACK(iphlpapi)
 ])
+
+dnl Checks whether the OpenSSL SSL_get_certificate crashes squid and if a
+dnl workaround can be used instead of using the SSL_get_certificate
+AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
+ AH_TEMPLATE(SQUID_SSLGETCERTIFICATE_BUGGY, "Define to 1 if the SSL_get_certificate crashes squid")
+ AH_TEMPLATE(SQUID_USE_SSLGETCERTIFICATE_HACK, "Define to 1 to use squid workaround for SSL_get_certificate")
+ SQUID_STATE_SAVE(check_SSL_get_certificate)
+ LIBS="$LIBS $SSLLIB"
+ if test "x$SSLLIBDIR" != "x"; then
+ LIBS="$LIBS -Wl,-rpath -Wl,$SSLLIBDIR"
+ fi
+
+ AC_MSG_CHECKING(whether the SSL_get_certificate is buggy)
+ AC_RUN_IFELSE([
+ AC_LANG_PROGRAM(
+ [
+ #include
+ #include
+ ],
+ [
+ SSLeay_add_ssl_algorithms();
+ SSL_CTX *sslContext = SSL_CTX_new(SSLv3_method());
+ SSL *ssl = SSL_new(sslContext);
+ X509* cert = SSL_get_certificate(ssl);
+ return 0;
+ ])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ ],
+ [
+ AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 1)
+ AC_MSG_RESULT([yes])
+ ],
+ [])
+
+ AC_MSG_CHECKING(whether the workaround for SSL_get_certificate works)
+ AC_RUN_IFELSE([
+ AC_LANG_PROGRAM(
+ [
+ #include
+ #include
+ ],
+ [
+ SSLeay_add_ssl_algorithms();
+ SSL_CTX *sslContext = SSL_CTX_new(SSLv3_method());
+ X509 ***pCert = (X509 ***)sslContext->cert;
+ X509 *sslCtxCert = pCert && *pCert ? **pCert : (X509 *)0x1;
+ if (sslCtxCert != NULL)
+ return 1;
+ return 0;
+ ])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(SQUID_USE_SSLGETCERTIFICATE_HACK, 1)
+ ],
+ [
+ AC_MSG_RESULT([no])
+ ],
+[])
+
+SQUID_STATE_ROLLBACK(check_SSL_get_certificate)
+])
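Review bot: Both test programs create their context with `SSLv3_method()`, and the first one hands the result to `SSL_new()` without a NULL check, so on an OpenSSL built without SSLv3 the program dereferences NULL, the run fails, and the check reports SSL_get_certificate as "buggy" — a false positive that this commit then turns into a runtime `assert(0)` in support.cc. Use the version-neutral method and treat a missing context as "cannot tell" rather than "buggy": `SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method()); if (!sslContext) return 0;`. The second program only establishes that three pointer dereferences of a freshly created `SSL_CTX` yield NULL without crashing, which is weak evidence that `sslContext->cert` has the layout the hack assumes and could enable SQUID_USE_SSLGETCERTIFICATE_HACK on a library where it reads the wrong field; if a test certificate can be made available to configure, loading it with `SSL_CTX_use_certificate()` and comparing the pointer the hack returns with it would make the result trustworthy. Note also that neither program consumes `cert`/`ssl`, so an unused-variable warning under `-Werror` would make the first check fail and again report "buggy".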
@@ -1264,6 +1264,9 @@ if test "x$SSLLIBDIR" != "x" ; then
 fi
 AC_SUBST(SSLLIB)
+if test "x$with_openssl" = "xyes"; then
+SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
+fi
 AC_ARG_ENABLE(forw-via-db, AS_HELP_STRING([--enable-forw-via-db],[Enable Forw/Via database]), [
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 883d5ef4a8..51f955e077 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1454,9 +1454,12 @@ bool Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const
 {
 // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
 // Try to retrieve certificate directly from SSL_CTX object
-#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL
+#if SQUID_USE_SSLGETCERTIFICATE_HACK
 X509 ***pCert = (X509 ***)sslContext->cert;
 X509 * cert = pCert && *pCert ? **pCert : NULL;
+#elif SQUID_SSLGETCERTIFICATE_BUGGY
+ X509 * cert = NULL;
+ assert(0);
 #else
 // Temporary ssl for getting X509 certificate from SSL_CTX.
 Ssl::SSL_Pointer ssl(SSL_new(sslContext));
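Review bot: The new guard `if test "x$with_openssl" = "xyes"` runs the check only when OpenSSL was requested with a bare `--with-openssl`; if the option also accepts a library location (the `SSLLIBDIR` handling in the surrounding context suggests it does), `$with_openssl` then holds that path, the check is skipped, neither macro is defined, and verifySslCertificate silently falls back to the very SSL_get_certificate call this change is working around. Consider keying on "enabled at all" instead, e.g. `if test "x$with_openssl" != "x" -a "x$with_openssl" != "xno"; then`, and adding a one-line comment above it, `# decides SQUID_USE_SSLGETCERTIFICATE_HACK / SQUID_SSLGETCERTIFICATE_BUGGY for src/ssl/support.cc`.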
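Review bot: The new `#elif SQUID_SSLGETCERTIFICATE_BUGGY` branch turns a configure-time finding into an unconditional `assert(0)` on a request-serving path: a build on an affected OpenSSL will abort the whole proxy the first time verifySslCertificate runs, which is a self-inflicted denial of service rather than a fix. Since the condition is fully known at build time, fail there instead — `#error SSL_get_certificate is unusable with this OpenSSL and no workaround is available` — or, if a runtime failure is preferred, return false with a debugs() message so that only the affected request fails; the function's body continues past the end of this hunk, so check what callers do with a false return before choosing that route. The context comment `// SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e` now documents the version test this hunk removes; replace it with `// Which path is usable is decided by configure (SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS).` The `X509 * cert = NULL;` before the assert presumably only keeps the rest of the function compiling and can go with it.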