Skip to content

Commit d49e090

Browse files
razvancrainearazvancrainea
committed
stir_shaken: add global lock for loading the certificate
This prevents a crash generated by openssl internals regarding resetting the error stack. Many thanks go to ConnexCS for the valuable reports and testing fixes!
1 parent 1f3f64c commit d49e090

1 file changed

Lines changed: 28 additions & 0 deletions

File tree

modules/stir_shaken/stir_shaken.c

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,19 @@
7272
#define parsed_ctx_set(_ptr) \
7373
context_put_ptr(CONTEXT_GLOBAL, current_processing_ctx, parsed_ctx_idx, _ptr)
7474

75+
#define SS_LOCK \
76+
do { \
77+
if (ss_openssl_lock) \
78+
lock_get(ss_openssl_lock); \
79+
else \
80+
LM_DBG("cannot lock openssl\n"); \
81+
} while (0)
82+
#define SS_UNLOCK \
83+
do { \
84+
if (ss_openssl_lock) \
85+
lock_release(ss_openssl_lock); \
86+
} while (0)
87+
7588
/*
7689
* Module core functions
7790
*/
@@ -133,6 +146,7 @@ static int tn_authlist_nid;
133146
static int parsed_ctx_idx =-1;
134147

135148
static X509_STORE *store;
149+
static gen_lock_t *ss_openssl_lock;
136150

137151

138152
static const param_export_t params[] = {
@@ -270,6 +284,12 @@ static int init_cert_validation(void)
270284
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
271285
}
272286

287+
ss_openssl_lock = lock_alloc();
288+
if (!ss_openssl_lock || !lock_init(ss_openssl_lock)) {
289+
LM_ERR("could not allocate openssl lock\n");
290+
ss_openssl_lock = NULL;
291+
}
292+
273293
return 0;
274294
}
275295

@@ -1019,12 +1039,14 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10191039
LM_ERR("Unable to create BIO buf\n");
10201040
return -1;
10211041
}
1042+
SS_LOCK;
10221043

10231044
/* parse end-entity certificate */
10241045
*cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
10251046
if (*cert == NULL) {
10261047
LM_ERR("Failed to parse certificate\n");
10271048
BIO_free(cbio);
1049+
SS_UNLOCK;
10281050
return -1;
10291051
}
10301052

@@ -1036,6 +1058,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10361058
X509_free(*cert);
10371059
*cert = NULL;
10381060
BIO_free(cbio);
1061+
SS_UNLOCK;
10391062
return -1;
10401063
}
10411064

@@ -1046,6 +1069,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10461069
*cert = NULL;
10471070
BIO_free(cbio);
10481071
sk_X509_free(stack);
1072+
SS_UNLOCK;
10491073
return -1;
10501074
}
10511075

@@ -1068,6 +1092,7 @@ static int load_cert(X509 **cert, STACK_OF(X509) **certchain, str *cert_buf)
10681092
} else {
10691093
BIO_free(cbio);
10701094
}
1095+
SS_UNLOCK;
10711096

10721097
return 0;
10731098
}
@@ -1082,14 +1107,17 @@ static int load_pkey(EVP_PKEY **pkey, str *pkey_buf)
10821107
return -1;
10831108
}
10841109

1110+
SS_LOCK;
10851111
*pkey = PEM_read_bio_PrivateKey(kbio, NULL, NULL, NULL);
10861112
if (*pkey == NULL) {
10871113
LM_ERR("Failed to load private key from buffer\n");
10881114
BIO_free(kbio);
1115+
SS_UNLOCK;
10891116
return -1;
10901117
}
10911118

10921119
BIO_free(kbio);
1120+
SS_UNLOCK;
10931121

10941122
return 0;
10951123
}

0 commit comments

Comments
 (0)