Skip to content

Commit b614f7b

Browse files
razvancrainearazvancrainea
committed
stir_shaken: add global lock for loading the certificate
This prevents a crash generated by openssl internals regarding resetting the error stack. Many thanks go to ConnexCS for the valuable reports and testing fixes! (cherry picked from commit d49e090)
1 parent e279fbc commit b614f7b

1 file changed

Lines changed: 31 additions & 0 deletions

File tree

modules/stir_shaken/stir_shaken.c

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,22 @@
8383
#define parsed_ctx_set(_ptr) \
8484
context_put_ptr(CONTEXT_GLOBAL, current_processing_ctx, parsed_ctx_idx, _ptr)
8585

86+
#define SS_LOCK \
87+
do { \
88+
if (ss_openssl_lock) \
89+
lock_get(ss_openssl_lock); \
90+
else \
91+
LM_DBG("cannot lock openssl\n"); \
92+
} while (0)
93+
#define SS_UNLOCK \
94+
do { \
95+
if (ss_openssl_lock) \
96+
lock_release(ss_openssl_lock); \
97+
} while (0)
98+
99+
/*
100+
* Module core functions
101+
*/
86102
static int mod_init(void);
87103
static void mod_destroy(void);
88104

@@ -118,6 +134,7 @@ static int tn_authlist_nid;
118134
static int parsed_ctx_idx =-1;
119135

120136
static X509_STORE *store;
137+
static gen_lock_t *ss_openssl_lock;
121138

122139
static const param_export_t params[] = {
123140
{"auth_date_freshness", INT_PARAM, &auth_date_freshness},
@@ -231,6 +248,12 @@ static int init_cert_validation(void)
231248
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
232249
}
233250

251+
ss_openssl_lock = lock_alloc();
252+
if (!ss_openssl_lock || !lock_init(ss_openssl_lock)) {
253+
LM_ERR("could not allocate openssl lock\n");
254+
ss_openssl_lock = NULL;
255+
}
256+
234257
return 0;
235258
}
236259

@@ -853,12 +876,14 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
853876
LM_ERR("Unable to create BIO buf\n");
854877
return -1;
855878
}
879+
SS_LOCK;
856880

857881
/* parse end-entity certificate */
858882
*cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
859883
if (*cert == NULL) {
860884
LM_ERR("Failed to parse certificate\n");
861885
BIO_free(cbio);
886+
SS_UNLOCK;
862887
return -1;
863888
}
864889

@@ -870,6 +895,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
870895
X509_free(*cert);
871896
*cert = NULL;
872897
BIO_free(cbio);
898+
SS_UNLOCK;
873899
return -1;
874900
}
875901

@@ -880,6 +906,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
880906
*cert = NULL;
881907
BIO_free(cbio);
882908
sk_X509_free(stack);
909+
SS_UNLOCK;
883910
return -1;
884911
}
885912

@@ -902,6 +929,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
902929
} else {
903930
BIO_free(cbio);
904931
}
932+
SS_UNLOCK;
905933

906934
return 0;
907935
}
@@ -916,14 +944,17 @@ static int load_pkey(EVP_PKEY **pkey, str *pkey_buf)
916944
return -1;
917945
}
918946

947+
SS_LOCK;
919948
*pkey = PEM_read_bio_PrivateKey(kbio, NULL, NULL, NULL);
920949
if (*pkey == NULL) {
921950
LM_ERR("Failed to load private key from buffer\n");
922951
BIO_free(kbio);
952+
SS_UNLOCK;
923953
return -1;
924954
}
925955

926956
BIO_free(kbio);
957+
SS_UNLOCK;
927958

928959
return 0;
929960
}

0 commit comments

Comments
 (0)