Fix crash on config reload with BoringSSL #9840
Conversation
| @@ -952,7 +952,8 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f | |||
| SSLError("failed to attach client chain certificate from %s", client_cert.c_str()); | |||
| goto fail; | |||
| } | |||
| X509_free(cert); | |||
| // Do not free cert becasue SSL_CTX_add_extra_chain_cert takes ownership of cert if it succeeds, unlike | |||
| // SSL_CTX_use_certificate. | |||
There was a problem hiding this comment.
If SSL_CTX_add_extra_chain_cert, but a subsequent operation fails, we would free the certificate at the failed label. Wouldn't that also be a double free when the SSL_CTX is freed?
There was a problem hiding this comment.
I'm not sure if I understand your comment correctly.
If SSL_CTX_add_extra_chain_cert succeeds, PEM_read_bio_X509 will be called. And if that fails, cert is nullptr and we leave this while loop. Since cert is nullptr, it won't be freed even if we go to fail label later.
If SSL_CTX_add_extra_chain_cert fails, SSL_CTX doesn't have ownership, so the cert has to be freed. We jump to fail label, and the cert will be freed.
There was a problem hiding this comment.
Oh, I missed the extra read at the end of the loop. IMHO, writing it like this would be a lot clearer:
// Continue to fetch certs to associate intermediate certificates.
while ((cert = PEM_read_bio_X509(biop, nullptr, nullptr, nullptr)) {
if (!SSL_CTX_add_extra_chain_cert(client_ctx.get(), cert)) {
SSLError("failed to attach client chain certificate from %s", client_cert.c_str());
goto fail;
}
}
|
While I'm looking at this code, it seems a bit fragile that cleanup_bio is non-static and is the one to set BIO_NOCLOSE, rather than setting it at BIO_new_mem_buf create time (since cleanup_bio should easily be applied to a BIO that does actually own its memory). |
(cherry picked from commit b0f4a04)
|
Cherry-picked to v9.2.x |
* asf/master: (90 commits) doc: fix the internal libraries section formatting (apache#9879) Add max thread count options to CMake build (apache#9883) Add yaml libs reference to HTTP proxy test suite. Closes apache#9882 (apache#9885) Add transparent proxy support to CMake build (apache#9884) Check for symbol IP_TOS in CMake build (apache#9870) RAT license fix: renamed_records.out -> .gold (apache#9876) Add traffic_wccp to CMake build (apache#9867) cleanup cast warning with reinterpret_cast (apache#9866) Fixes Coverity 1513058, introduced with apache#9643 (apache#9860) add some missing libs for clang (apache#9865) Add support for libunwind in CMake build (apache#9862) Add option to build regression tests (apache#9863) Fix crash on config reload with BoringSSL (apache#9840) Check for SO_PEERCRED in CMake build (apache#9855) Check for SO_MARK in CMake build (apache#9854) Clean up UnixNetProcessor entanglements. (apache#9825) Remove unneeded DEBUG conditionals. (apache#9849) Add option to enable fast SDK in CMake build (apache#9853) Add support for POSIX Cap in CMake build (apache#9852) WCCP: remove ts::Buffer (apache#9824) ...
ATS crashed due to double free if it reloads a cert file that contains chained certs.
According to BoringSSL documentation,
and
So we cannot free cert here.
It kinda made sense before #9177 because we used to call
SSL_CTX_use_certificatehere instead (which is incorrect as the PR explains) andSSL_CTX_use_certificatedoes not seem like to take ownership according to BoringSSL documentation.I checked OpenSSL's implementation and it looks like OpenSSL takes ownership too. The behavior is the same, but BoringSSL aborts during the second free because of internal sanity check. I don't think we need
ifdeffor BoringSSL.