Skip to content

Commit 579ba99

Browse files
razvancrainearazvancrainea
committed
stir_shaken: add global lock for loading the certificate
This prevents a crash generated by openssl internals regarding resetting the error stack. Many thanks go to ConnexCS for the valuable reports and testing fixes! (cherry picked from commit d49e090)
1 parent 8134191 commit 579ba99

1 file changed

Lines changed: 28 additions & 0 deletions

File tree

modules/stir_shaken/stir_shaken.c

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -84,6 +84,19 @@
8484
#define parsed_ctx_set(_ptr) \
8585
context_put_ptr(CONTEXT_GLOBAL, current_processing_ctx, parsed_ctx_idx, _ptr)
8686

87+
#define SS_LOCK \
88+
do { \
89+
if (ss_openssl_lock) \
90+
lock_get(ss_openssl_lock); \
91+
else \
92+
LM_DBG("cannot lock openssl\n"); \
93+
} while (0)
94+
#define SS_UNLOCK \
95+
do { \
96+
if (ss_openssl_lock) \
97+
lock_release(ss_openssl_lock); \
98+
} while (0)
99+
87100
/*
88101
* Module core functions
89102
*/
@@ -145,6 +158,7 @@ static int tn_authlist_nid;
145158
static int parsed_ctx_idx =-1;
146159

147160
static X509_STORE *store;
161+
static gen_lock_t *ss_openssl_lock;
148162

149163

150164
static const param_export_t params[] = {
@@ -282,6 +296,12 @@ static int init_cert_validation(void)
282296
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
283297
}
284298

299+
ss_openssl_lock = lock_alloc();
300+
if (!ss_openssl_lock || !lock_init(ss_openssl_lock)) {
301+
LM_ERR("could not allocate openssl lock\n");
302+
ss_openssl_lock = NULL;
303+
}
304+
285305
return 0;
286306
}
287307

@@ -1031,12 +1051,14 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10311051
LM_ERR("Unable to create BIO buf\n");
10321052
return -1;
10331053
}
1054+
SS_LOCK;
10341055

10351056
/* parse end-entity certificate */
10361057
*cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
10371058
if (*cert == NULL) {
10381059
LM_ERR("Failed to parse certificate\n");
10391060
BIO_free(cbio);
1061+
SS_UNLOCK;
10401062
return -1;
10411063
}
10421064

@@ -1048,6 +1070,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10481070
X509_free(*cert);
10491071
*cert = NULL;
10501072
BIO_free(cbio);
1073+
SS_UNLOCK;
10511074
return -1;
10521075
}
10531076

@@ -1058,6 +1081,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10581081
*cert = NULL;
10591082
BIO_free(cbio);
10601083
sk_X509_free(stack);
1084+
SS_UNLOCK;
10611085
return -1;
10621086
}
10631087

@@ -1080,6 +1104,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10801104
} else {
10811105
BIO_free(cbio);
10821106
}
1107+
SS_UNLOCK;
10831108

10841109
return 0;
10851110
}
@@ -1094,14 +1119,17 @@ static int load_pkey(EVP_PKEY **pkey, str *pkey_buf)
10941119
return -1;
10951120
}
10961121

1122+
SS_LOCK;
10971123
*pkey = PEM_read_bio_PrivateKey(kbio, NULL, NULL, NULL);
10981124
if (*pkey == NULL) {
10991125
LM_ERR("Failed to load private key from buffer\n");
11001126
BIO_free(kbio);
1127+
SS_UNLOCK;
11011128
return -1;
11021129
}
11031130

11041131
BIO_free(kbio);
1132+
SS_UNLOCK;
11051133

11061134
return 0;
11071135
}

0 commit comments

Comments
 (0)