Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix HTTPS proxy regressions caused by the MultiSSL patches #1871

Closed
wants to merge 3 commits into from
Closed

Fix HTTPS proxy regressions caused by the MultiSSL patches #1871

wants to merge 3 commits into from

Conversation

dscho
Copy link
Contributor

@dscho dscho commented Sep 6, 2017

As reported in #1855, HTTPS proxy support was broken by my patches in #1601.

@jay kindly investigated, diagnosed correctly an issue in my design where a pointer would be reset incorrectly by a memset(..., 0, ...) call and provided the diff of the first commit of this Pull Request.

It took me a while to figure out how to test cURL with HTTP proxies, as the command line provided in the ticket did not work for me. I had to use this command line instead:

./src/curl -v --proxy-insecure --proxy https:https://127.0.0.1:443 https://www.google.com

(note the "repeated" https:, but it seems that this has been somehow fixed in master since I started investigating), after I enabled proxy_connect in my local Apache installation, turned ProxyRequests on and allowed access from localhost via Require ip 127.0.0.1 in a new <Proxy *> section.

Turns out that my manual fixups of the largely mechanical conversion from connssl-> to BACKEND-> in preparation for encapsulating the SSL backends' private data out of struct ssl_connect_data were not quite right.

In particular, these two replacements were incorrect, inserting BACKEND-> into the wrong line.

Clearly a late-night snafu, so I decided to revisit the entire commit, turning up another, similar problem in Curl_ossl_data_pending().

I also ran into a problem in that commit's changes to lib/vtls/polarssl.c where conn was replaced with BACKEND by mistake, but @bagder already fixed that in 5734f73 (along with another bug that I did not catch, where I must have mistyped ssl[sockindex] as sock[sockindex] while trying to avoid copy/paste).

Of course I hope that there are no other bugs lurking in that commit, I really tried my best to spot issues. At least with this PR, three problems get addressed.

jay and others added 3 commits September 7, 2017 01:04
@jay @dscho
vtls: fix memory corruption
6de62c3 
Ever since 70f1db3 (vtls: encapsulate SSL backend-specific data,
2017-07-28), the code handling HTTPS proxies was broken because the
pointer to the SSL backend data was not swapped between
conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
instead set to NULL (causing segmentation faults).

[jes: provided the commit message, tested and verified the patch]

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
@dscho
OpenSSL: fix erroneous SSL backend encapsulation
ba37014 
In d65e6cc (vtls: prepare the SSL backends for encapsulated private
data, 2017-06-21), this developer prepared for a separation of the
private data of the SSL backends from the general connection data.

This conversion was partially automated (search-and-replace) and
partially manual (e.g. proxy_ssl's backend data).

Sadly, there was a crucial error in the manual part, where the wrong
handle was used: rather than connecting ssl[sockindex]' BIO to the
proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
was an incorrect location to paste "BACKEND->"... d'oh.

Reported by Jay Satiro in curl#1855.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
@dscho
OpenSSL: fix yet another mistake while encapsulating SSL backend data
281b30c 
Another mistake in my manual fixups of the largely mechanical
search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
commit concerning HTTPS proxies (and hence not caught during my
earlier testing).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
@dscho
Copy link
Contributor Author

dscho commented Sep 7, 2017

@jay @bagder just to make sure: I tested this locally, and it fixes the segmentation fault with HTTPS proxies here. I would love to see this make it into the next release...

bagder
bagder approved these changes Sep 7, 2017
View reviewed changes
Copy link
Member

@bagder bagder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes and motivations all seem sensible, thanks!

@bagder bagder closed this in f4a6238 Sep 7, 2017
@bagder
Copy link
Member

bagder commented Sep 7, 2017

Thanks a lot!

@dscho dscho deleted the https-proxy-fixes branch September 7, 2017 15:37
@dscho
Copy link
Contributor Author

dscho commented Sep 7, 2017

Thank you!

@lock lock bot locked as resolved and limited conversation to collaborators Jan 18, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bagder bagder bagder approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dscho @bagder @jay