Tree - rpms/squid - CentOS Git server

rpms / squid

Blame SOURCES/squid-4.11-CVE-2020-14058.patch

Blob History Raw

		818ced	`commit 93f5fda134a2a010b84ffedbe833d670e63ba4be`
		818ced	`Author: Christos Tsantilas <christos@chtsanti.net>`
		818ced	`Date: 2020-05-15 04:54:54 +0000`
		818ced
		818ced	`Fix sending of unknown validation errors to cert. validator (#633)`
		818ced
		818ced	`Squid may be compiled with an OpenSSL release introducing X509`
		818ced	`validation errors that Squid does not have the names for. Send their`
		818ced	`integer codes.`
		818ced
		818ced	`Also sync Squid certificate verification errors with OpenSSL v1.1.1g.`
		818ced
		818ced	`This is a Measurement Factory project.`
		818ced
		818ced	`diff --git a/src/format/Format.cc b/src/format/Format.cc`
		818ced	`index 8c5574b..4b4ad42 100644`
		818ced	`--- a/src/format/Format.cc`
		818ced	`+++ b/src/format/Format.cc`
		818ced	`@@ -322,15 +322,6 @@ log_quoted_string(const char str, char out)`
		818ced	`*p = '\0';`
		818ced	`}`
		818ced
		818ced	`-#if USE_OPENSSL`
		818ced	`-static char *`
		818ced	`-sslErrorName(Security::ErrorCode err, char *buf, size_t size)`
		818ced	`-{`
		818ced	`- snprintf(buf, size, "SSL_ERR=%d", err);`
		818ced	`- return buf;`
		818ced	`-}`
		818ced	`-#endif`
		818ced	`-`
		818ced	`/// XXX: Misnamed. TODO: Split`
		818ced	`/// headers from sent headers rather than failing to distinguish requests from responses.`
		818ced	`/// \retval HttpReply sent to the HTTP client (access.log and default context).`
		818ced	`@@ -959,9 +950,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS`
		818ced	`case LFT_SQUID_ERROR_DETAIL:`
		818ced	`#if USE_OPENSSL`
		818ced	`if (al->request && al->request->errType == ERR_SECURE_CONNECT_FAIL) {`
		818ced	`- out = Ssl::GetErrorName(al->request->errDetail);`
		818ced	`- if (!out)`
		818ced	`- out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp));`
		818ced	`+ out = Ssl::GetErrorName(al->request->errDetail, true);`
		818ced	`} else`
		818ced	`#endif`
		818ced	`if (al->request && al->request->errDetail != ERR_DETAIL_NONE) {`
		818ced	`@@ -1263,10 +1252,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS`
		818ced	`for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError; sslError = sslError->next) {`
		818ced	`if (!sb.isEmpty())`
		818ced	`sb.append(separator);`
		818ced	`- if (const char *errorName = Ssl::GetErrorName(sslError->element.code))`
		818ced	`- sb.append(errorName);`
		818ced	`- else`
		818ced	`- sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp)));`
		818ced	`+ sb.append(Ssl::GetErrorName(sslError->element.code, true));`
		818ced	`if (sslError->element.depth >= 0)`
		818ced	`sb.appendf("@depth=%d", sslError->element.depth);`
		818ced	`}`
		818ced	`diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc`
		818ced	`index ddd61fd..00eb0e2 100644`
		818ced	`--- a/src/ssl/ErrorDetail.cc`
		818ced	`+++ b/src/ssl/ErrorDetail.cc`
		818ced	`@@ -233,6 +233,9 @@ static SslErrorEntry TheSslErrorArray[] = {`
		818ced	`"X509_V_ERR_SUBTREE_MINMAX"`
		818ced	`},`
		818ced	`#endif`
		818ced	`+ { X509_V_ERR_APPLICATION_VERIFICATION, //50`
		818ced	`+ "X509_V_ERR_APPLICATION_VERIFICATION"`
		818ced	`+ },`
		818ced	`#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE)`
		818ced	`{`
		818ced	`X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51`
		818ced	`@@ -257,9 +260,132 @@ static SslErrorEntry TheSslErrorArray[] = {`
		818ced	`"X509_V_ERR_CRL_PATH_VALIDATION_ERROR"`
		818ced	`},`
		818ced	`#endif`
		818ced	`- { X509_V_ERR_APPLICATION_VERIFICATION,`
		818ced	`- "X509_V_ERR_APPLICATION_VERIFICATION"`
		818ced	`+#if defined(X509_V_ERR_PATH_LOOP)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_PATH_LOOP, //55`
		818ced	`+ "X509_V_ERR_PATH_LOOP"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_SUITE_B_INVALID_VERSION, //56`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_VERSION"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_SUITE_B_INVALID_ALGORITHM)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_SUITE_B_INVALID_ALGORITHM, //57`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_SUITE_B_INVALID_CURVE)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_SUITE_B_INVALID_CURVE, //58`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_CURVE"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM, //59`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED, //60`
		818ced	`+ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256, //61`
		818ced	`+ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_HOSTNAME_MISMATCH)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_HOSTNAME_MISMATCH, //62`
		818ced	`+ "X509_V_ERR_HOSTNAME_MISMATCH"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_EMAIL_MISMATCH)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_EMAIL_MISMATCH, //63`
		818ced	`+ "X509_V_ERR_EMAIL_MISMATCH"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_IP_ADDRESS_MISMATCH)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_IP_ADDRESS_MISMATCH, //64`
		818ced	`+ "X509_V_ERR_IP_ADDRESS_MISMATCH"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_DANE_NO_MATCH)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_DANE_NO_MATCH, //65`
		818ced	`+ "X509_V_ERR_DANE_NO_MATCH"`
		818ced	`},`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_EE_KEY_TOO_SMALL, //66`
		818ced	`+ "X509_V_ERR_EE_KEY_TOO_SMALL"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_CA_KEY_TOO_SMALL)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_CA_KEY_TOO_SMALL, //67`
		818ced	`+ "X509_V_ERR_CA_KEY_TOO_SMALL"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_CA_MD_TOO_WEAK)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_CA_MD_TOO_WEAK, //68`
		818ced	`+ "X509_V_ERR_CA_MD_TOO_WEAK"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_INVALID_CALL)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_INVALID_CALL, //69`
		818ced	`+ "X509_V_ERR_INVALID_CALL"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_STORE_LOOKUP)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_STORE_LOOKUP, //70`
		818ced	`+ "X509_V_ERR_STORE_LOOKUP"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_NO_VALID_SCTS)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_NO_VALID_SCTS, //71`
		818ced	`+ "X509_V_ERR_NO_VALID_SCTS"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION, //72`
		818ced	`+ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_OCSP_VERIFY_NEEDED, //73`
		818ced	`+ "X509_V_ERR_OCSP_VERIFY_NEEDED"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_OCSP_VERIFY_FAILED)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_OCSP_VERIFY_FAILED, //74`
		818ced	`+ "X509_V_ERR_OCSP_VERIFY_FAILED"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`+#if defined(X509_V_ERR_OCSP_CERT_UNKNOWN)`
		818ced	`+ {`
		818ced	`+ X509_V_ERR_OCSP_CERT_UNKNOWN, //75`
		818ced	`+ "X509_V_ERR_OCSP_CERT_UNKNOWN"`
		818ced	`+ },`
		818ced	`+#endif`
		818ced	`{ SSL_ERROR_NONE, "SSL_ERROR_NONE"},`
		818ced	`{SSL_ERROR_NONE, NULL}`
		818ced	`};`
		818ced	`@@ -286,6 +412,27 @@ static const char *OptionalSslErrors[] = {`
		818ced	`"X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX",`
		818ced	`"X509_V_ERR_UNSUPPORTED_NAME_SYNTAX",`
		818ced	`"X509_V_ERR_CRL_PATH_VALIDATION_ERROR",`
		818ced	`+ "X509_V_ERR_PATH_LOOP",`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_VERSION",`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM",`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_CURVE",`
		818ced	`+ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM",`
		818ced	`+ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED",`
		818ced	`+ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256",`
		818ced	`+ "X509_V_ERR_HOSTNAME_MISMATCH",`
		818ced	`+ "X509_V_ERR_EMAIL_MISMATCH",`
		818ced	`+ "X509_V_ERR_IP_ADDRESS_MISMATCH",`
		818ced	`+ "X509_V_ERR_DANE_NO_MATCH",`
		818ced	`+ "X509_V_ERR_EE_KEY_TOO_SMALL",`
		818ced	`+ "X509_V_ERR_CA_KEY_TOO_SMALL",`
		818ced	`+ "X509_V_ERR_CA_MD_TOO_WEAK",`
		818ced	`+ "X509_V_ERR_INVALID_CALL",`
		818ced	`+ "X509_V_ERR_STORE_LOOKUP",`
		818ced	`+ "X509_V_ERR_NO_VALID_SCTS",`
		818ced	`+ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION",`
		818ced	`+ "X509_V_ERR_OCSP_VERIFY_NEEDED",`
		818ced	`+ "X509_V_ERR_OCSP_VERIFY_FAILED",`
		818ced	`+ "X509_V_ERR_OCSP_CERT_UNKNOWN",`
		818ced	`NULL`
		818ced	`};`
		818ced
		818ced	`@@ -390,7 +537,7 @@ Ssl::ParseErrorString(const char *name, Security::Errors &errors)`
		818ced	`return false; // not reached`
		818ced	`}`
		818ced
		818ced	`-const char *Ssl::GetErrorName(Security::ErrorCode value)`
		818ced	`+const char *Ssl::GetErrorName(Security::ErrorCode value, const bool prefixRawCode)`
		818ced	`{`
		818ced	`if (TheSslErrors.empty())`
		818ced	`loadSslErrorMap();`
		818ced	`@@ -399,7 +546,9 @@ const char *Ssl::GetErrorName(Security::ErrorCode value)`
		818ced	`if (it != TheSslErrors.end())`
		818ced	`return it->second->name;`
		818ced
		818ced	`- return NULL;`
		818ced	`+ static char tmpBuffer[128];`
		818ced	`+ snprintf(tmpBuffer, sizeof(tmpBuffer), "%s%d", prefixRawCode ? "SSL_ERR=" : "", (int)value);`
		818ced	`+ return tmpBuffer;`
		818ced	`}`
		818ced
		818ced	`bool`
		818ced	`@@ -529,21 +678,14 @@ const char *Ssl::ErrorDetail::notafter() const`
		818ced	`*/`
		818ced	`const char *Ssl::ErrorDetail::err_code() const`
		818ced	`{`
		818ced	`- static char tmpBuffer[64];`
		818ced	`// We can use the GetErrorName but using the detailEntry is faster,`
		818ced	`// so try it first.`
		818ced	`- const char *err = detailEntry.name.termedBuf();`
		818ced	`+ if (const char *err = detailEntry.name.termedBuf())`
		818ced	`+ return err;`
		818ced
		818ced	`// error details not loaded yet or not defined in error_details.txt,`
		818ced	`// try the GetErrorName...`
		818ced	`- if (!err)`
		818ced	`- err = GetErrorName(error_no);`
		818ced	`-`
		818ced	`- if (!err) {`
		818ced	`- snprintf(tmpBuffer, 64, "%d", (int)error_no);`
		818ced	`- err = tmpBuffer;`
		818ced	`- }`
		818ced	`- return err;`
		818ced	`+ return GetErrorName(error_no);`
		818ced	`}`
		818ced
		818ced	`/**`
		818ced	`diff --git a/src/ssl/ErrorDetail.h b/src/ssl/ErrorDetail.h`
		818ced	`index 48dc405..0eec0a9 100644`
		818ced	`--- a/src/ssl/ErrorDetail.h`
		818ced	`+++ b/src/ssl/ErrorDetail.h`
		818ced	`@@ -26,8 +26,9 @@ bool ParseErrorString(const char *name, Security::Errors &);`
		818ced	`/// The Security::ErrorCode code of the error described by "name".`
		818ced	`Security::ErrorCode GetErrorCode(const char *name);`
		818ced
		818ced	`-/// The string representation of the TLS error "value"`
		818ced	`-const char *GetErrorName(Security::ErrorCode value);`
		818ced	`+/// \return string representation of a known TLS error (or a raw error code)`
		818ced	`+/// \param prefixRawCode whether to prefix raw codes with "SSL_ERR="`
		818ced	`+const char *GetErrorName(Security::ErrorCode value, const bool prefixRawCode = false);`
		818ced
		818ced	`/// A short description of the TLS error "value"`
		818ced	`const char *GetErrorDescr(Security::ErrorCode value);`

rpms / squid

Source Code

Blame SOURCES/squid-4.11-CVE-2020-14058.patch