FreeBSD Bugzilla – Attachment 169468 Details for Bug 207901: www/squid Host header forgery detection with sslbump leads to crash
[patch] port patch
squid-3.5.16_1.patch (text/plain), 10.22 KB, created by Pavel Timofeev on 2016-04-19 13:25:56 UTC
Flags: patch, obsolete
>diff -ruN /home/timp/squid.bak/Makefile squid/Makefile >--- /home/timp/squid.bak/Makefile 2016-04-17 20:16:19.099696000 +0300 >+++ squid/Makefile 2016-04-19 11:21:12.819742000 +0300 >@@ -2,6 +2,7 @@ > > PORTNAME= squid > PORTVERSION= 3.5.16 >+PORTREVISION= 1 > CATEGORIES= www ipv6 > MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PORTVERSION:R}/ \ > http://www2.us.squid-cache.org/Versions/v3/${PORTVERSION:R}/ \ >@@ -17,6 +18,17 @@ > http://www1.jp.squid-cache.org/%SUBDIR%/ \ > http://master.squid-cache.org/~amosjeffries/patches/:nosid > PATCH_SITE_SUBDIR= Versions/v3/${PORTVERSION:R}/changesets >+PATCHFILES= squid-3.5-14020.patch \ >+ squid-3.5-14021.patch \ >+ squid-3.5-14022.patch \ >+ squid-3.5-14023.patch \ >+ squid-3.5-14024.patch \ >+ squid-3.5-14025.patch \ >+ squid-3.5-14026.patch \ >+ squid-3.5-14027.patch \ >+ squid-3.5-14028.patch \ >+ squid-3.5-14029.patch \ >+ squid-3.5-14030.patch > > MAINTAINER= timp87@gmail.com > COMMENT= HTTP Caching Proxy >diff -ruN /home/timp/squid.bak/distinfo squid/distinfo >--- /home/timp/squid.bak/distinfo 2016-04-17 20:16:19.099822000 +0300 >+++ squid/distinfo 2016-04-19 11:23:25.790918000 +0300 
>@@ -1,2 +1,24 @@ > SHA256 (squid3.5/squid-3.5.16.tar.xz) = e73d821180eed8bed230f357c680c0b19f1efa51a24725e810f2b48a2079d385 > SIZE (squid3.5/squid-3.5.16.tar.xz) = 2317320 >+SHA256 (squid3.5/squid-3.5-14020.patch) = ef2ca3158e9dc86a5a6fd4d76a6dc2d2fdf817ec45811e2c033f2bb27255debf >+SIZE (squid3.5/squid-3.5-14020.patch) = 2080 >+SHA256 (squid3.5/squid-3.5-14021.patch) = de498c8cbed75cf32f8de01bd2ccec1aac88fa1534223a18c2cac6d161847d3a >+SIZE (squid3.5/squid-3.5-14021.patch) = 1513 >+SHA256 (squid3.5/squid-3.5-14022.patch) = 5722068a8e6bf28a150f95daf91cca646c8d0f23fbb471d363ee3c7c3278707d >+SIZE (squid3.5/squid-3.5-14022.patch) = 2145 >+SHA256 (squid3.5/squid-3.5-14023.patch) = 0c89fec2091ca23ee031dc76147bfe2f0100518bdf78dd635110cb091530a73c >+SIZE (squid3.5/squid-3.5-14023.patch) = 1763 >+SHA256 (squid3.5/squid-3.5-14024.patch) = 0a833174ddb3d8906b0bb9933894e1932b3d4ac37406febed1090fbcc0fcd79e >+SIZE (squid3.5/squid-3.5-14024.patch) = 1475 >+SHA256 (squid3.5/squid-3.5-14025.patch) = d66e885114c98c607fb24a0d774ac5456d6883100b04a49077dc682a05246725 >+SIZE (squid3.5/squid-3.5-14025.patch) = 1542 >+SHA256 (squid3.5/squid-3.5-14026.patch) = 6de1cca5db2151550f9dc23a2a51731cf1b3d6dfbde446cf654f638527b9ff9d >+SIZE (squid3.5/squid-3.5-14026.patch) = 1811 >+SHA256 (squid3.5/squid-3.5-14027.patch) = 8bdd1684c4b595bc0e89e4ec7cb130aedc854f166493e8324128b0485c54bcd5 >+SIZE (squid3.5/squid-3.5-14027.patch) = 1766 >+SHA256 (squid3.5/squid-3.5-14028.patch) = 1a9b79a1ddfdd87608019cec12f23fd4421aef366c9065a6c8564ea197f093b3 >+SIZE (squid3.5/squid-3.5-14028.patch) = 1841 >+SHA256 (squid3.5/squid-3.5-14029.patch) = 0693035319cd505a3c39195fc141ab41d43f2526b96f906d2904837b24ebec3e >+SIZE (squid3.5/squid-3.5-14029.patch) = 4945 >+SHA256 (squid3.5/squid-3.5-14030.patch) = 45b05b3e446d5376818bc59b64afe617737833f4ee20fa25d5c28c74ecf86990 >+SIZE (squid3.5/squid-3.5-14030.patch) = 1361 >diff -ruN /home/timp/squid.bak/files/patch-squid-4-14626.patch squid/files/patch-squid-4-14626.patch >--- 
/home/timp/squid.bak/files/patch-squid-4-14626.patch 1970-01-01 03:00:00.000000000 +0300 >+++ squid/files/patch-squid-4-14626.patch 2016-04-19 11:46:35.426447000 +0300 
>@@ -0,0 +1,137 @@ >+------------------------------------------------------------ >+revno: 14626 >+revision-id: chtsanti@users.sourceforge.net-20160405094347-7khcau1ijh7r1ssr >+parent: squid3@treenet.co.nz-20160403234158-svt2o34oa75guq7f >+committer: Christos Tsantilas <chtsanti@users.sourceforge.net> >+branch nick: trunk >+timestamp: Tue 2016-04-05 12:43:47 +0300 >+message: >+ author: Nathan Hoad <nathan@getoffmalawn.com> >+ Add chained certificates and signing certificate to peek-then-bumped connections. >+ >+ The scenario this patch addresses is when Squid is configured with an >+ intermediate signing CA certificate, and clients have the root CA installed on >+ their machines. What happens is that the generated certificates come down with >+ an unknown issuer (the intermediate signing certificate), with no >+ intermediates, so they are rejected. By adding the configured certificate chain >+ as old client-first mode did, the intermediate and root certificates come down >+ as well, resulting in the issuer being identified and the connection being >+ established "securely". >+ >+ This work is submitted on behalf of Bloomberg L.P. 
>+------------------------------------------------------------ >+# Bazaar merge directive format 2 (Bazaar 0.90) >+# revision_id: chtsanti@users.sourceforge.net-20160405094347-\ >+# 7khcau1ijh7r1ssr >+# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ >+# testament_sha1: 0ff7e1a8aeee056295e14520c6b4740f0094a58d >+# timestamp: 2016-04-05 09:51:01 +0000 >+# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk >+# base_revision_id: squid3@treenet.co.nz-20160403234158-\ >+# svt2o34oa75guq7f >+# >+# Begin patch >+=== modified file 'src/client_side.cc' >+--- src/client_side.cc 2016-04-03 23:41:58 +0000 >++++ src/client_side.cc 2016-04-05 09:43:47 +0000 >+@@ -2867,6 +2867,9 @@ >+ bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(ssl, reply_message.getBody().c_str(), *port); >+ if (!ret) >+ debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode"); >++ >++ SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl); >++ Ssl::configureUnconfiguredSslContext(sslContext, signAlgorithm, *port); >+ } else { >+ auto ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port); >+ getSslContextDone(ctx, true); >+@@ -3026,6 +3029,9 @@ >+ auto ssl = fd_table[clientConnection->fd].ssl.get(); >+ if (!Ssl::configureSSL(ssl, certProperties, *port)) >+ debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode"); >++ >++ SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl); >++ Ssl::configureUnconfiguredSslContext(sslContext, certProperties.signAlgorithm, *port); >+ } else { >+ auto dynCtx = Ssl::generateSslContext(certProperties, *port); >+ getSslContextDone(dynCtx, true); >+@@ -3041,17 +3047,10 @@ >+ // Try to add generated ssl context to storage. 
>+ if (port->generateHostCertificates && isNew) { >+ >+- if (signAlgorithm == Ssl::algSignTrusted) { >+- // Add signing certificate to the certificates chain >+- X509 *cert = port->signingCert.get(); >+- if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) { >+- // increase the certificate lock >+- CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509); >+- } else { >+- const int ssl_error = ERR_get_error(); >+- debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL)); >+- } >+- Ssl::addChainToSslContext(sslContext, port->certsToChain.get()); >++ if (sslContext && (signAlgorithm == Ssl::algSignTrusted)) { >++ Ssl::chainCertificatesToSSLContext(sslContext, *port); >++ } else if (signAlgorithm == Ssl::algSignTrusted) { >++ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain because SSL context chain is invalid!"); >+ } >+ //else it is self-signed or untrusted do not attrach any certificate >+ >+ >+=== modified file 'src/ssl/support.cc' >+--- src/ssl/support.cc 2016-03-07 16:03:45 +0000 >++++ src/ssl/support.cc 2016-04-05 09:43:47 +0000 >+@@ -969,6 +969,30 @@ >+ return createSSLContext(cert, pkey, port); >+ } >+ >++void >++Ssl::chainCertificatesToSSLContext(SSL_CTX *sslContext, AnyP::PortCfg &port) >++{ >++ assert(sslContext != NULL); >++ // Add signing certificate to the certificates chain >++ X509 *signingCert = port.signingCert.get(); >++ if (SSL_CTX_add_extra_chain_cert(sslContext, signingCert)) { >++ // increase the certificate lock >++ CRYPTO_add(&(signingCert->references),1,CRYPTO_LOCK_X509); >++ } else { >++ const int ssl_error = ERR_get_error(); >++ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL)); >++ } >++ Ssl::addChainToSslContext(sslContext, port.certsToChain.get()); >++} >++ >++void >++Ssl::configureUnconfiguredSslContext(SSL_CTX *sslContext, Ssl::CertSignAlgorithm 
signAlgorithm,AnyP::PortCfg &port) >++{ >++ if (sslContext && signAlgorithm == Ssl::algSignTrusted) { >++ Ssl::chainCertificatesToSSLContext(sslContext, port); >++ } >++} >++ >+ bool >+ Ssl::configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port) >+ { >+ >+=== modified file 'src/ssl/support.h' >+--- src/ssl/support.h 2016-02-23 08:51:22 +0000 >++++ src/ssl/support.h 2016-04-05 09:43:47 +0000 >+@@ -240,6 +240,18 @@ >+ Security::ContextPtr createSSLContext(Security::CertPointer & x509, Ssl::EVP_PKEY_Pointer & pkey, AnyP::PortCfg &port); >+ >+ /** >++ \ingroup ServerProtocolSSLAPI >++ * Chain signing certificate and chained certificates to an SSL Context >++ */ >++void chainCertificatesToSSLContext(SSL_CTX *sslContext, AnyP::PortCfg &port); >++ >++/** >++ \ingroup ServerProtocolSSLAPI >++ * Configure a previously unconfigured SSL context object. >++ */ >++void configureUnconfiguredSslContext(SSL_CTX *sslContext, Ssl::CertSignAlgorithm signAlgorithm,AnyP::PortCfg &port); >++ >++/** >+ \ingroup ServerProtocolSSLAPI >+ * Generates a certificate and a private key using provided properies and set it >+ * to SSL object. >+ >diff -ruN /home/timp/squid.bak/files/patch-src__ip__Intercept.cc squid/files/patch-src__ip__Intercept.cc >--- /home/timp/squid.bak/files/patch-src__ip__Intercept.cc 2016-04-17 20:16:19.102548000 +0300 >+++ squid/files/patch-src__ip__Intercept.cc 2016-04-17 20:27:38.350212000 +0300 >@@ -8,7 +8,7 @@ > + // warn once every million at critical level, then push down a level each repeated event > static int warningLevel = DBG_CRITICAL; > debugs(89, warningLevel, "IPF (IPFilter v4) NAT does not support IPv6. Please upgrade to IPFilter v5.1"); >-- warningLevel = ++warningLevel % 10; >+- warningLevel = (warningLevel + 1) % 10; > + warningLevel = (warningLevel + 1) % 1048576; > return false; > #else
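Review bot: the Makefile PATCHFILES hunk pulls in eleven upstream changesets (squid-3.5-14020 through squid-3.5-14030) but nothing in this attachment records which of them addresses the host-header-forgery crash that bug 207901 is about; a one-line comment above PATCHFILES, or a sentence in the commit message, naming the relevant changeset(s) would help whoever bumps PORTVERSION next decide which entries are already in the release tarball and can be dropped.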
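Review bot: in the two client_side.cc hunks of the new files/patch-squid-4-14626.patch (@@ -2867,6 +2867,9 @@ and @@ -3026,6 +3029,9 @@) the added `Ssl::configureUnconfiguredSslContext(sslContext, ...)` call runs even when the preceding `configureSSLUsingPkeyAndCertFromMemory` / `configureSSL` call returned false and only logged a `debugs(33, 5, ...)` message, so the chain is attached to a context whose end-entity certificate was never set; either guard the new lines on that result or note in the patch header why attaching the chain is still harmless in that case. The header should also say whether `SSL_get_SSL_CTX(ssl)` here yields a per-connection context or the shared port context, because the new call appends the chain to whatever it returns on every peek-and-splice bump.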
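Review bot: in the @@ -3041,17 +3047,10 @@ hunk the replacement tests `signAlgorithm == Ssl::algSignTrusted` twice (`if (sslContext && (signAlgorithm == Ssl::algSignTrusted))` followed by `else if (signAlgorithm == Ssl::algSignTrusted)`); nesting the `sslContext` check inside a single `algSignTrusted` branch would read more clearly. The reference-count bump that this hunk moves into `Ssl::chainCertificatesToSSLContext`, `CRYPTO_add(&(signingCert->references),1,CRYPTO_LOCK_X509)`, reaches into the X509 struct directly and therefore only compiles against OpenSSL versions where X509 is not opaque; since this file is carried locally rather than fetched as a changeset, that limitation deserves a remark in its header.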
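Review bot: the hunk updating files/patch-src__ip__Intercept.cc changes the `-` context line from `warningLevel = ++warningLevel % 10;` to `warningLevel = (warningLevel + 1) % 10;`, which only makes sense because one of the newly listed PATCHFILES rewrites that upstream line first (distribution patches are applied before files/patch-* by the ports framework); record that ordering dependency in the commit message so the local patch is not silently left with stale context when the PATCHFILES list is trimmed at the next version bump.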