external/management/libs/pjproject/patches/0111-ssl-premature-destroy.patch - T108 - Gitiles

 From 68c69f516f95df1faa42e5647e9ce7cfdc41ac38 Mon Sep 17 00:00:00 2001
 From: Nanang Izzuddin <nanang@teluu.com>
 Date: Wed, 16 Jun 2021 12:15:29 +0700
 Subject: [PATCH 2/2] - Fix silly mistake: accepted active socket created
  without group lock in SSL socket. - Replace assertion with normal validation
  check of SSL socket instance in OpenSSL verification callback (verify_cb())
  to avoid crash, e.g: if somehow race condition with SSL socket destroy
  happens or OpenSSL application data index somehow gets corrupted.

 ---
  pjlib/src/pj/ssl_sock_imp_common.c |  3 +-
  pjlib/src/pj/ssl_sock_ossl.c       | 45 +++++++++++++++++++++++++-----
  2 files changed, 40 insertions(+), 8 deletions(-)

 --- a/pjlib/src/pj/ssl_sock_imp_common.c
 +++ b/pjlib/src/pj/ssl_sock_imp_common.c
 @@ -949,6 +949,7 @@ static pj_bool_t asock_on_accept_complet

      /* Create active socket */
      pj_activesock_cfg_default(&asock_cfg);
 +    asock_cfg.grp_lock = ssock->param.grp_lock;
      asock_cfg.async_cnt = ssock->param.async_cnt;
      asock_cfg.concurrency = ssock->param.concurrency;
      asock_cfg.whole_data = PJ_TRUE;
 @@ -964,7 +965,7 @@ static pj_bool_t asock_on_accept_complet
  	    goto on_return;

  	pj_grp_lock_add_ref(glock);
 -	asock_cfg.grp_lock = ssock->param.grp_lock = glock;
 +	ssock->param.grp_lock = glock;
  	pj_grp_lock_add_handler(ssock->param.grp_lock, ssock->pool, ssock,
  				ssl_on_destroy);
      }
 --- a/pjlib/src/pj/ssl_sock_ossl.c
 +++ b/pjlib/src/pj/ssl_sock_ossl.c
 @@ -327,7 +327,8 @@ static pj_status_t STATUS_FROM_SSL_ERR(c
  	ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);
      }

 -    ssock->last_err = err;
 +    if (ssock)
 +	ssock->last_err = err;
      return GET_STATUS_FROM_SSL_ERR(err);
  }

 @@ -344,7 +345,8 @@ static pj_status_t STATUS_FROM_SSL_ERR2(
      /* Dig for more from OpenSSL error queue */
      SSLLogErrors(action, ret, err, len, ssock);

 -    ssock->last_err = ssl_err;
 +    if (ssock)
 +	ssock->last_err = ssl_err;
      return GET_STATUS_FROM_SSL_ERR(ssl_err);
  }

 @@ -587,6 +589,13 @@ static pj_status_t init_openssl(void)

      /* Create OpenSSL application data index for SSL socket */
      sslsock_idx = SSL_get_ex_new_index(0, "SSL socket", NULL, NULL, NULL);
 +	if (sslsock_idx == -1) {
 +		status = STATUS_FROM_SSL_ERR2("Init", NULL, -1, ERR_get_error(), 0);
 +		PJ_LOG(1,(THIS_FILE,
 +				  "Fatal error: failed to get application data index for "
 +				  "SSL socket"));
 +		return status;
 +	}

      return status;
  }
 @@ -614,21 +623,36 @@ static int password_cb(char *buf, int nu
  }


 -/* SSL password callback. */
 +/* SSL certificate verification result callback.
 + * Note that this callback seems to be always called from library worker
 + * thread, e.g: active socket on_read_complete callback, which should have
 + * already been equipped with race condition avoidance mechanism (should not
 + * be destroyed while callback is being invoked).
 + */
  static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
  {
 -    pj_ssl_sock_t *ssock;
 -    SSL *ossl_ssl;
 +    pj_ssl_sock_t *ssock = NULL;
 +    SSL *ossl_ssl = NULL;
      int err;

      /* Get SSL instance */
      ossl_ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
  				    SSL_get_ex_data_X509_STORE_CTX_idx());
 -    pj_assert(ossl_ssl);
 +    if (!ossl_ssl) {
 +	PJ_LOG(1,(THIS_FILE,
 +		  "SSL verification callback failed to get SSL instance"));
 +	goto on_return;
 +    }

      /* Get SSL socket instance */
      ssock = SSL_get_ex_data(ossl_ssl, sslsock_idx);
 -    pj_assert(ssock);
 +    if (!ssock) {
 +	/* SSL socket may have been destroyed */
 +	PJ_LOG(1,(THIS_FILE,
 +		  "SSL verification callback failed to get SSL socket "
 +		  "instance (sslsock_idx=%d).", sslsock_idx));
 +	goto on_return;
 +    }

      /* Store verification status */
      err = X509_STORE_CTX_get_error(x509_ctx);
 @@ -706,6 +730,7 @@ static int verify_cb(int preverify_ok, X
      if (PJ_FALSE == ssock->param.verify_peer)
  	preverify_ok = 1;

 +on_return:
      return preverify_ok;
  }

 @@ -1213,6 +1238,12 @@ static void ssl_destroy(pj_ssl_sock_t *s
  static void ssl_reset_sock_state(pj_ssl_sock_t *ssock)
  {
      ossl_sock_t *ossock = (ossl_sock_t *)ssock;
 +
 +    /* Detach from SSL instance */
 +    if (ossock->ossl_ssl) {
 +	SSL_set_ex_data(ossock->ossl_ssl, sslsock_idx, NULL);
 +    }
 +
      /**
       * Avoid calling SSL_shutdown() if handshake wasn't completed.
       * OpenSSL 1.0.2f complains if SSL_shutdown() is called during an
	From 68c69f516f95df1faa42e5647e9ce7cfdc41ac38 Mon Sep 17 00:00:00 2001
	From: Nanang Izzuddin <nanang@teluu.com>
	Date: Wed, 16 Jun 2021 12:15:29 +0700
	Subject: [PATCH 2/2] - Fix silly mistake: accepted active socket created
	without group lock in SSL socket. - Replace assertion with normal validation
	check of SSL socket instance in OpenSSL verification callback (verify_cb())
	to avoid crash, e.g: if somehow race condition with SSL socket destroy
	happens or OpenSSL application data index somehow gets corrupted.

	---
	pjlib/src/pj/ssl_sock_imp_common.c \| 3 +-
	pjlib/src/pj/ssl_sock_ossl.c \| 45 +++++++++++++++++++++++++-----
	2 files changed, 40 insertions(+), 8 deletions(-)

	--- a/pjlib/src/pj/ssl_sock_imp_common.c
	+++ b/pjlib/src/pj/ssl_sock_imp_common.c
	@@ -949,6 +949,7 @@ static pj_bool_t asock_on_accept_complet

	/* Create active socket */
	pj_activesock_cfg_default(&asock_cfg);
	+ asock_cfg.grp_lock = ssock->param.grp_lock;
	asock_cfg.async_cnt = ssock->param.async_cnt;
	asock_cfg.concurrency = ssock->param.concurrency;
	asock_cfg.whole_data = PJ_TRUE;
	@@ -964,7 +965,7 @@ static pj_bool_t asock_on_accept_complet
	goto on_return;

	pj_grp_lock_add_ref(glock);
	- asock_cfg.grp_lock = ssock->param.grp_lock = glock;
	+ ssock->param.grp_lock = glock;
	pj_grp_lock_add_handler(ssock->param.grp_lock, ssock->pool, ssock,
	ssl_on_destroy);
	}
	--- a/pjlib/src/pj/ssl_sock_ossl.c
	+++ b/pjlib/src/pj/ssl_sock_ossl.c
	@@ -327,7 +327,8 @@ static pj_status_t STATUS_FROM_SSL_ERR(c
	ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);
	}

	- ssock->last_err = err;
	+ if (ssock)
	+ ssock->last_err = err;
	return GET_STATUS_FROM_SSL_ERR(err);
	}

	@@ -344,7 +345,8 @@ static pj_status_t STATUS_FROM_SSL_ERR2(
	/* Dig for more from OpenSSL error queue */
	SSLLogErrors(action, ret, err, len, ssock);

	- ssock->last_err = ssl_err;
	+ if (ssock)
	+ ssock->last_err = ssl_err;
	return GET_STATUS_FROM_SSL_ERR(ssl_err);
	}

	@@ -587,6 +589,13 @@ static pj_status_t init_openssl(void)

	/* Create OpenSSL application data index for SSL socket */
	sslsock_idx = SSL_get_ex_new_index(0, "SSL socket", NULL, NULL, NULL);
	+ if (sslsock_idx == -1) {
	+ status = STATUS_FROM_SSL_ERR2("Init", NULL, -1, ERR_get_error(), 0);
	+ PJ_LOG(1,(THIS_FILE,
	+ "Fatal error: failed to get application data index for "
	+ "SSL socket"));
	+ return status;
	+ }

	return status;
	}
	@@ -614,21 +623,36 @@ static int password_cb(char *buf, int nu
	}


	-/* SSL password callback. */
	+/* SSL certificate verification result callback.
	+ * Note that this callback seems to be always called from library worker
	+ * thread, e.g: active socket on_read_complete callback, which should have
	+ * already been equipped with race condition avoidance mechanism (should not
	+ * be destroyed while callback is being invoked).
	+ */
	static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
	{
	- pj_ssl_sock_t *ssock;
	- SSL *ossl_ssl;
	+ pj_ssl_sock_t *ssock = NULL;
	+ SSL *ossl_ssl = NULL;
	int err;

	/* Get SSL instance */
	ossl_ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
	SSL_get_ex_data_X509_STORE_CTX_idx());
	- pj_assert(ossl_ssl);
	+ if (!ossl_ssl) {
	+ PJ_LOG(1,(THIS_FILE,
	+ "SSL verification callback failed to get SSL instance"));
	+ goto on_return;
	+ }

	/* Get SSL socket instance */
	ssock = SSL_get_ex_data(ossl_ssl, sslsock_idx);
	- pj_assert(ssock);
	+ if (!ssock) {
	+ /* SSL socket may have been destroyed */
	+ PJ_LOG(1,(THIS_FILE,
	+ "SSL verification callback failed to get SSL socket "
	+ "instance (sslsock_idx=%d).", sslsock_idx));
	+ goto on_return;
	+ }

	/* Store verification status */
	err = X509_STORE_CTX_get_error(x509_ctx);
	@@ -706,6 +730,7 @@ static int verify_cb(int preverify_ok, X
	if (PJ_FALSE == ssock->param.verify_peer)
	preverify_ok = 1;

	+on_return:
	return preverify_ok;
	}

	@@ -1213,6 +1238,12 @@ static void ssl_destroy(pj_ssl_sock_t *s
	static void ssl_reset_sock_state(pj_ssl_sock_t *ssock)
	{
	ossl_sock_t ossock = (ossl_sock_t )ssock;
	+
	+ /* Detach from SSL instance */
	+ if (ossock->ossl_ssl) {
	+ SSL_set_ex_data(ossock->ossl_ssl, sslsock_idx, NULL);
	+ }
	+
	/**
	* Avoid calling SSL_shutdown() if handshake wasn't completed.
	* OpenSSL 1.0.2f complains if SSL_shutdown() is called during an