Tree - rpms/squid - CentOS Git server

rpms / squid

Blame SOURCES/squid-4.11-CVE-2020-14058.patch

Blob History Raw

		5871b5	`commit 93f5fda134a2a010b84ffedbe833d670e63ba4be`
		5871b5	`Author: Christos Tsantilas <christos@chtsanti.net>`
		5871b5	`Date: 2020-05-15 04:54:54 +0000`
		5871b5
		5871b5	`Fix sending of unknown validation errors to cert. validator (#633)`
		5871b5
		5871b5	`Squid may be compiled with an OpenSSL release introducing X509`
		5871b5	`validation errors that Squid does not have the names for. Send their`
		5871b5	`integer codes.`
		5871b5
		5871b5	`Also sync Squid certificate verification errors with OpenSSL v1.1.1g.`
		5871b5
		5871b5	`This is a Measurement Factory project.`
		5871b5
		5871b5	`diff --git a/src/format/Format.cc b/src/format/Format.cc`
		5871b5	`index 8c5574b..4b4ad42 100644`
		5871b5	`--- a/src/format/Format.cc`
		5871b5	`+++ b/src/format/Format.cc`
		5871b5	`@@ -322,15 +322,6 @@ log_quoted_string(const char str, char out)`
		5871b5	`*p = '\0';`
		5871b5	`}`
		5871b5
		5871b5	`-#if USE_OPENSSL`
		5871b5	`-static char *`
		5871b5	`-sslErrorName(Security::ErrorCode err, char *buf, size_t size)`
		5871b5	`-{`
		5871b5	`- snprintf(buf, size, "SSL_ERR=%d", err);`
		5871b5	`- return buf;`
		5871b5	`-}`
		5871b5	`-#endif`
		5871b5	`-`
		5871b5	`/// XXX: Misnamed. TODO: Split`
		5871b5	`/// headers from sent headers rather than failing to distinguish requests from responses.`
		5871b5	`/// \retval HttpReply sent to the HTTP client (access.log and default context).`
		5871b5	`@@ -959,9 +950,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS`
		5871b5	`case LFT_SQUID_ERROR_DETAIL:`
		5871b5	`#if USE_OPENSSL`
		5871b5	`if (al->request && al->request->errType == ERR_SECURE_CONNECT_FAIL) {`
		5871b5	`- out = Ssl::GetErrorName(al->request->errDetail);`
		5871b5	`- if (!out)`
		5871b5	`- out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp));`
		5871b5	`+ out = Ssl::GetErrorName(al->request->errDetail, true);`
		5871b5	`} else`
		5871b5	`#endif`
		5871b5	`if (al->request && al->request->errDetail != ERR_DETAIL_NONE) {`
		5871b5	`@@ -1263,10 +1252,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS`
		5871b5	`for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError; sslError = sslError->next) {`
		5871b5	`if (!sb.isEmpty())`
		5871b5	`sb.append(separator);`
		5871b5	`- if (const char *errorName = Ssl::GetErrorName(sslError->element.code))`
		5871b5	`- sb.append(errorName);`
		5871b5	`- else`
		5871b5	`- sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp)));`
		5871b5	`+ sb.append(Ssl::GetErrorName(sslError->element.code, true));`
		5871b5	`if (sslError->element.depth >= 0)`
		5871b5	`sb.appendf("@depth=%d", sslError->element.depth);`
		5871b5	`}`
		5871b5	`diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc`
		5871b5	`index ddd61fd..00eb0e2 100644`
		5871b5	`--- a/src/ssl/ErrorDetail.cc`
		5871b5	`+++ b/src/ssl/ErrorDetail.cc`
		5871b5	`@@ -233,6 +233,9 @@ static SslErrorEntry TheSslErrorArray[] = {`
		5871b5	`"X509_V_ERR_SUBTREE_MINMAX"`
		5871b5	`},`
		5871b5	`#endif`
		5871b5	`+ { X509_V_ERR_APPLICATION_VERIFICATION, //50`
		5871b5	`+ "X509_V_ERR_APPLICATION_VERIFICATION"`
		5871b5	`+ },`
		5871b5	`#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE)`
		5871b5	`{`
		5871b5	`X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51`
		5871b5	`@@ -257,9 +260,132 @@ static SslErrorEntry TheSslErrorArray[] = {`
		5871b5	`"X509_V_ERR_CRL_PATH_VALIDATION_ERROR"`
		5871b5	`},`
		5871b5	`#endif`
		5871b5	`- { X509_V_ERR_APPLICATION_VERIFICATION,`
		5871b5	`- "X509_V_ERR_APPLICATION_VERIFICATION"`
		5871b5	`+#if defined(X509_V_ERR_PATH_LOOP)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_PATH_LOOP, //55`
		5871b5	`+ "X509_V_ERR_PATH_LOOP"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_SUITE_B_INVALID_VERSION, //56`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_VERSION"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_SUITE_B_INVALID_ALGORITHM)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_SUITE_B_INVALID_ALGORITHM, //57`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_SUITE_B_INVALID_CURVE)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_SUITE_B_INVALID_CURVE, //58`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_CURVE"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM, //59`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED, //60`
		5871b5	`+ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256, //61`
		5871b5	`+ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_HOSTNAME_MISMATCH)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_HOSTNAME_MISMATCH, //62`
		5871b5	`+ "X509_V_ERR_HOSTNAME_MISMATCH"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_EMAIL_MISMATCH)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_EMAIL_MISMATCH, //63`
		5871b5	`+ "X509_V_ERR_EMAIL_MISMATCH"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_IP_ADDRESS_MISMATCH)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_IP_ADDRESS_MISMATCH, //64`
		5871b5	`+ "X509_V_ERR_IP_ADDRESS_MISMATCH"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_DANE_NO_MATCH)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_DANE_NO_MATCH, //65`
		5871b5	`+ "X509_V_ERR_DANE_NO_MATCH"`
		5871b5	`},`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_EE_KEY_TOO_SMALL, //66`
		5871b5	`+ "X509_V_ERR_EE_KEY_TOO_SMALL"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_CA_KEY_TOO_SMALL)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_CA_KEY_TOO_SMALL, //67`
		5871b5	`+ "X509_V_ERR_CA_KEY_TOO_SMALL"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_CA_MD_TOO_WEAK)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_CA_MD_TOO_WEAK, //68`
		5871b5	`+ "X509_V_ERR_CA_MD_TOO_WEAK"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_INVALID_CALL)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_INVALID_CALL, //69`
		5871b5	`+ "X509_V_ERR_INVALID_CALL"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_STORE_LOOKUP)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_STORE_LOOKUP, //70`
		5871b5	`+ "X509_V_ERR_STORE_LOOKUP"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_NO_VALID_SCTS)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_NO_VALID_SCTS, //71`
		5871b5	`+ "X509_V_ERR_NO_VALID_SCTS"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION, //72`
		5871b5	`+ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_OCSP_VERIFY_NEEDED, //73`
		5871b5	`+ "X509_V_ERR_OCSP_VERIFY_NEEDED"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_OCSP_VERIFY_FAILED)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_OCSP_VERIFY_FAILED, //74`
		5871b5	`+ "X509_V_ERR_OCSP_VERIFY_FAILED"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`+#if defined(X509_V_ERR_OCSP_CERT_UNKNOWN)`
		5871b5	`+ {`
		5871b5	`+ X509_V_ERR_OCSP_CERT_UNKNOWN, //75`
		5871b5	`+ "X509_V_ERR_OCSP_CERT_UNKNOWN"`
		5871b5	`+ },`
		5871b5	`+#endif`
		5871b5	`{ SSL_ERROR_NONE, "SSL_ERROR_NONE"},`
		5871b5	`{SSL_ERROR_NONE, NULL}`
		5871b5	`};`
		5871b5	`@@ -286,6 +412,27 @@ static const char *OptionalSslErrors[] = {`
		5871b5	`"X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX",`
		5871b5	`"X509_V_ERR_UNSUPPORTED_NAME_SYNTAX",`
		5871b5	`"X509_V_ERR_CRL_PATH_VALIDATION_ERROR",`
		5871b5	`+ "X509_V_ERR_PATH_LOOP",`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_VERSION",`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM",`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_CURVE",`
		5871b5	`+ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM",`
		5871b5	`+ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED",`
		5871b5	`+ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256",`
		5871b5	`+ "X509_V_ERR_HOSTNAME_MISMATCH",`
		5871b5	`+ "X509_V_ERR_EMAIL_MISMATCH",`
		5871b5	`+ "X509_V_ERR_IP_ADDRESS_MISMATCH",`
		5871b5	`+ "X509_V_ERR_DANE_NO_MATCH",`
		5871b5	`+ "X509_V_ERR_EE_KEY_TOO_SMALL",`
		5871b5	`+ "X509_V_ERR_CA_KEY_TOO_SMALL",`
		5871b5	`+ "X509_V_ERR_CA_MD_TOO_WEAK",`
		5871b5	`+ "X509_V_ERR_INVALID_CALL",`
		5871b5	`+ "X509_V_ERR_STORE_LOOKUP",`
		5871b5	`+ "X509_V_ERR_NO_VALID_SCTS",`
		5871b5	`+ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION",`
		5871b5	`+ "X509_V_ERR_OCSP_VERIFY_NEEDED",`
		5871b5	`+ "X509_V_ERR_OCSP_VERIFY_FAILED",`
		5871b5	`+ "X509_V_ERR_OCSP_CERT_UNKNOWN",`
		5871b5	`NULL`
		5871b5	`};`
		5871b5
		5871b5	`@@ -390,7 +537,7 @@ Ssl::ParseErrorString(const char *name, Security::Errors &errors)`
		5871b5	`return false; // not reached`
		5871b5	`}`
		5871b5
		5871b5	`-const char *Ssl::GetErrorName(Security::ErrorCode value)`
		5871b5	`+const char *Ssl::GetErrorName(Security::ErrorCode value, const bool prefixRawCode)`
		5871b5	`{`
		5871b5	`if (TheSslErrors.empty())`
		5871b5	`loadSslErrorMap();`
		5871b5	`@@ -399,7 +546,9 @@ const char *Ssl::GetErrorName(Security::ErrorCode value)`
		5871b5	`if (it != TheSslErrors.end())`
		5871b5	`return it->second->name;`
		5871b5
		5871b5	`- return NULL;`
		5871b5	`+ static char tmpBuffer[128];`
		5871b5	`+ snprintf(tmpBuffer, sizeof(tmpBuffer), "%s%d", prefixRawCode ? "SSL_ERR=" : "", (int)value);`
		5871b5	`+ return tmpBuffer;`
		5871b5	`}`
		5871b5
		5871b5	`bool`
		5871b5	`@@ -529,21 +678,14 @@ const char *Ssl::ErrorDetail::notafter() const`
		5871b5	`*/`
		5871b5	`const char *Ssl::ErrorDetail::err_code() const`
		5871b5	`{`
		5871b5	`- static char tmpBuffer[64];`
		5871b5	`// We can use the GetErrorName but using the detailEntry is faster,`
		5871b5	`// so try it first.`
		5871b5	`- const char *err = detailEntry.name.termedBuf();`
		5871b5	`+ if (const char *err = detailEntry.name.termedBuf())`
		5871b5	`+ return err;`
		5871b5
		5871b5	`// error details not loaded yet or not defined in error_details.txt,`
		5871b5	`// try the GetErrorName...`
		5871b5	`- if (!err)`
		5871b5	`- err = GetErrorName(error_no);`
		5871b5	`-`
		5871b5	`- if (!err) {`
		5871b5	`- snprintf(tmpBuffer, 64, "%d", (int)error_no);`
		5871b5	`- err = tmpBuffer;`
		5871b5	`- }`
		5871b5	`- return err;`
		5871b5	`+ return GetErrorName(error_no);`
		5871b5	`}`
		5871b5
		5871b5	`/**`
		5871b5	`diff --git a/src/ssl/ErrorDetail.h b/src/ssl/ErrorDetail.h`
		5871b5	`index 48dc405..0eec0a9 100644`
		5871b5	`--- a/src/ssl/ErrorDetail.h`
		5871b5	`+++ b/src/ssl/ErrorDetail.h`
		5871b5	`@@ -26,8 +26,9 @@ bool ParseErrorString(const char *name, Security::Errors &);`
		5871b5	`/// The Security::ErrorCode code of the error described by "name".`
		5871b5	`Security::ErrorCode GetErrorCode(const char *name);`
		5871b5
		5871b5	`-/// The string representation of the TLS error "value"`
		5871b5	`-const char *GetErrorName(Security::ErrorCode value);`
		5871b5	`+/// \return string representation of a known TLS error (or a raw error code)`
		5871b5	`+/// \param prefixRawCode whether to prefix raw codes with "SSL_ERR="`
		5871b5	`+const char *GetErrorName(Security::ErrorCode value, const bool prefixRawCode = false);`
		5871b5
		5871b5	`/// A short description of the TLS error "value"`
		5871b5	`const char *GetErrorDescr(Security::ErrorCode value);`

rpms / squid

Source Code

Blame SOURCES/squid-4.11-CVE-2020-14058.patch