Skip to content

Commit cc41d43

Browse files
sonertarisonertari
committed
Fix crash if no global ca crt/key specified, issue #80
Reported by @pranavbhalerao Also, add @mdulane to NEWS
1 parent 9bf883d commit cc41d43

File tree

3 files changed

+100
-7
lines changed

3 files changed

+100
-7
lines changed

NEWS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@
1414
- Fix possible memleak and use after free for srchost_clean
1515
- Use strdup instead of strlen+malloc+memcpy in sys_sockaddr_str(), thanks to
1616
@disaykin
17-
- Use CLOCK_REALTIME to fix pcap timestamp, issue #78
17+
- Use CLOCK_REALTIME to fix pcap timestamp, issue #78 thanks to @mdulaney
1818

1919

2020
### SSLproxy 0.9.6 2024-07-04

src/opts.c

Lines changed: 93 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -191,22 +191,44 @@ global_new(void)
191191
void
192192
conn_opts_free(conn_opts_t *conn_opts)
193193
{
194+
if (conn_opts->clientcrt_str) {
195+
free(conn_opts->clientcrt_str);
196+
}
194197
if (conn_opts->clientcrt) {
195198
X509_free(conn_opts->clientcrt);
196199
}
200+
201+
if (conn_opts->clientkey_str) {
202+
free(conn_opts->clientkey_str);
203+
}
197204
if (conn_opts->clientkey) {
198205
EVP_PKEY_free(conn_opts->clientkey);
199206
}
207+
208+
if (conn_opts->cacrt_str) {
209+
free(conn_opts->cacrt_str);
210+
}
200211
if (conn_opts->cacrt) {
201212
X509_free(conn_opts->cacrt);
202213
}
214+
215+
if (conn_opts->cakey_str) {
216+
free(conn_opts->cakey_str);
217+
}
203218
if (conn_opts->cakey) {
204219
EVP_PKEY_free(conn_opts->cakey);
205220
}
221+
222+
if (conn_opts->chain_str) {
223+
free(conn_opts->chain_str);
224+
}
206225
if (conn_opts->chain) {
207226
sk_X509_pop_free(conn_opts->chain, X509_free);
208227
}
209228
#ifndef OPENSSL_NO_DH
229+
if (conn_opts->dh_str) {
230+
free(conn_opts->dh_str);
231+
}
210232
if (conn_opts->dh) {
211233
#if OPENSSL_VERSION_NUMBER < 0x30000000L || defined(LIBRESSL_VERSION_NUMBER)
212234
DH_free(conn_opts->dh);
@@ -594,32 +616,85 @@ conn_opts_copy(conn_opts_t *conn_opts, const char *argv0, tmp_opts_t *tmp_opts)
594616

595617
// Pass NULL as tmp_opts param, so we don't reassign the var to itself
596618
// That would be harmless but incorrect
597-
if (tmp_opts && tmp_opts->chain_str) {
619+
if (conn_opts->chain_str) {
620+
if ((cops->chain_str = strdup(conn_opts->chain_str)) == NULL)
621+
return oom_return_null(argv0);
622+
if (opts_set_chain(cops, argv0, conn_opts->chain_str, NULL) == -1)
623+
return NULL;
624+
}
625+
else if (tmp_opts && tmp_opts->chain_str) {
626+
if ((cops->chain_str = strdup(tmp_opts->chain_str)) == NULL)
627+
return oom_return_null(argv0);
598628
if (opts_set_chain(cops, argv0, tmp_opts->chain_str, NULL) == -1)
599629
return NULL;
600630
}
631+
601632
if (tmp_opts && tmp_opts->leafcrlurl_str) {
602633
if (opts_set_leafcrlurl(cops, argv0, tmp_opts->leafcrlurl_str, NULL) == -1)
603634
return NULL;
604635
}
605-
if (tmp_opts && tmp_opts->cacrt_str) {
636+
637+
if (conn_opts->cacrt_str) {
638+
if ((cops->cacrt_str = strdup(conn_opts->cacrt_str)) == NULL)
639+
return oom_return_null(argv0);
640+
if (opts_set_cacrt(cops, argv0, conn_opts->cacrt_str, NULL) == -1)
641+
return NULL;
642+
}
643+
else if (tmp_opts && tmp_opts->cacrt_str) {
644+
if ((cops->cacrt_str = strdup(tmp_opts->cacrt_str)) == NULL)
645+
return oom_return_null(argv0);
606646
if (opts_set_cacrt(cops, argv0, tmp_opts->cacrt_str, NULL) == -1)
607647
return NULL;
608648
}
609-
if (tmp_opts && tmp_opts->cakey_str) {
649+
650+
if (conn_opts->cakey_str) {
651+
if ((cops->cakey_str = strdup(conn_opts->cakey_str)) == NULL)
652+
return oom_return_null(argv0);
653+
if (opts_set_cakey(cops, argv0, conn_opts->cakey_str, NULL) == -1)
654+
return NULL;
655+
}
656+
else if (tmp_opts && tmp_opts->cakey_str) {
657+
if ((cops->cakey_str = strdup(tmp_opts->cakey_str)) == NULL)
658+
return oom_return_null(argv0);
610659
if (opts_set_cakey(cops, argv0, tmp_opts->cakey_str, NULL) == -1)
611660
return NULL;
612661
}
613-
if (tmp_opts && tmp_opts->clientcrt_str) {
662+
663+
if (conn_opts->clientcrt_str) {
664+
if ((cops->clientcrt_str = strdup(conn_opts->clientcrt_str)) == NULL)
665+
return oom_return_null(argv0);
666+
if (opts_set_clientcrt(cops, argv0, conn_opts->clientcrt_str, NULL) == -1)
667+
return NULL;
668+
}
669+
else if (tmp_opts && tmp_opts->clientcrt_str) {
670+
if ((cops->clientcrt_str = strdup(tmp_opts->clientcrt_str)) == NULL)
671+
return oom_return_null(argv0);
614672
if (opts_set_clientcrt(cops, argv0, tmp_opts->clientcrt_str, NULL) == -1)
615673
return NULL;
616674
}
617-
if (tmp_opts && tmp_opts->clientkey_str) {
675+
676+
if (conn_opts->clientkey_str) {
677+
if ((cops->clientkey_str = strdup(conn_opts->clientkey_str)) == NULL)
678+
return oom_return_null(argv0);
679+
if (opts_set_clientkey(cops, argv0, conn_opts->clientkey_str, NULL) == -1)
680+
return NULL;
681+
}
682+
else if (tmp_opts && tmp_opts->clientkey_str) {
683+
if ((cops->clientkey_str = strdup(tmp_opts->clientkey_str)) == NULL)
684+
return oom_return_null(argv0);
618685
if (opts_set_clientkey(cops, argv0, tmp_opts->clientkey_str, NULL) == -1)
619686
return NULL;
620687
}
621688
#ifndef OPENSSL_NO_DH
622-
if (tmp_opts && tmp_opts->dh_str) {
689+
if (conn_opts->dh_str) {
690+
if ((cops->dh_str = strdup(conn_opts->dh_str)) == NULL)
691+
return oom_return_null(argv0);
692+
if (opts_set_dh(cops, argv0, conn_opts->dh_str, NULL) == -1)
693+
return NULL;
694+
}
695+
else if (tmp_opts && tmp_opts->dh_str) {
696+
if ((cops->dh_str = strdup(tmp_opts->dh_str)) == NULL)
697+
return oom_return_null(argv0);
623698
if (opts_set_dh(cops, argv0, tmp_opts->dh_str, NULL) == -1)
624699
return NULL;
625700
}
@@ -2553,14 +2628,24 @@ set_conn_opts_option(conn_opts_t *conn_opts, const char *argv0,
25532628
}
25542629

25552630
if (equal(name, "CACert")) {
2631+
if ((conn_opts->cacrt_str = strdup(value)) == NULL)
2632+
return oom_return(argv0);
25562633
return opts_set_cacrt(conn_opts, argv0, value, tmp_opts);
25572634
} else if (equal(name, "CAKey")) {
2635+
if ((conn_opts->cakey_str = strdup(value)) == NULL)
2636+
return oom_return(argv0);
25582637
return opts_set_cakey(conn_opts, argv0, value, tmp_opts);
25592638
} else if (equal(name, "ClientCert")) {
2639+
if ((conn_opts->clientcrt_str = strdup(value)) == NULL)
2640+
return oom_return(argv0);
25602641
return opts_set_clientcrt(conn_opts, argv0, value, tmp_opts);
25612642
} else if (equal(name, "ClientKey")) {
2643+
if ((conn_opts->clientkey_str = strdup(value)) == NULL)
2644+
return oom_return(argv0);
25622645
return opts_set_clientkey(conn_opts, argv0, value, tmp_opts);
25632646
} else if (equal(name, "CAChain")) {
2647+
if ((conn_opts->chain_str = strdup(value)) == NULL)
2648+
return oom_return(argv0);
25642649
return opts_set_chain(conn_opts, argv0, value, tmp_opts);
25652650
} else if (equal(name, "LeafCRLURL")) {
25662651
return opts_set_leafcrlurl(conn_opts, argv0, value, tmp_opts);
@@ -2582,6 +2667,8 @@ set_conn_opts_option(conn_opts_t *conn_opts, const char *argv0,
25822667
#endif /* DEBUG_OPTS */
25832668
#ifndef OPENSSL_NO_DH
25842669
} else if (equal(name, "DHGroupParams")) {
2670+
if ((conn_opts->dh_str = strdup(value)) == NULL)
2671+
return oom_return(argv0);
25852672
return opts_set_dh(conn_opts, argv0, value, tmp_opts);
25862673
#endif /* !OPENSSL_NO_DH */
25872674
#ifndef OPENSSL_NO_ECDH

src/opts.h

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -111,12 +111,18 @@ typedef struct conn_opts {
111111
int minsslversion;
112112
int maxsslversion;
113113
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
114+
char *cacrt_str;
114115
X509 *cacrt;
116+
char *cakey_str;
115117
EVP_PKEY *cakey;
118+
char *chain_str;
116119
STACK_OF(X509) *chain;
120+
char *clientcrt_str;
117121
X509 *clientcrt;
122+
char *clientkey_str;
118123
EVP_PKEY *clientkey;
119124
#ifndef OPENSSL_NO_DH
125+
char *dh_str;
120126
#if OPENSSL_VERSION_NUMBER < 0x30000000L || defined(LIBRESSL_VERSION_NUMBER)
121127
DH *dh;
122128
#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

0 commit comments

Comments
 (0)