<p>George Joseph has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/16208">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2021-009 - pjproject-bundled: Avoid crash during handshake for TLS<br><br>If an SSL socket parent/listener was destroyed during the handshake,<br>depending on timing, it was possible for the handling callback to<br>attempt access of it after the fact thus causing a crash.<br><br>ASTERISK-29415 #close<br><br>Change-Id: I105dacdcd130ea7fdd4cf2010ccf35b5eaf1432d<br>---<br>A third-party/pjproject/patches/0110-tls-parent-listener-destroyed.patch<br>A third-party/pjproject/patches/0111-ssl-premature-destroy.patch<br>2 files changed, 302 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/08/16208/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/third-party/pjproject/patches/0110-tls-parent-listener-destroyed.patch b/third-party/pjproject/patches/0110-tls-parent-listener-destroyed.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..81781f2</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0110-tls-parent-listener-destroyed.patch</span><br><span>@@ -0,0 +1,166 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From bb92c97ea512aa0ef316c9b2335c7d57b84dfc9a Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: Nanang Izzuddin <nanang@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Wed, 16 Jun 2021 12:12:35 +0700</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH 1/2] - Avoid SSL socket parent/listener getting destroyed</span><br><span style="color: hsl(120, 100%, 40%);">+ during handshake by increasing parent's reference count. - Add missing SSL</span><br><span style="color: hsl(120, 100%, 40%);">+ socket close when the newly accepted SSL socket is discarded in SIP TLS</span><br><span style="color: hsl(120, 100%, 40%);">+ transport.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjlib/src/pj/ssl_sock_imp_common.c | 44 +++++++++++++++++++++--------</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip/src/pjsip/sip_transport_tls.c | 23 ++++++++++++++-</span><br><span style="color: hsl(120, 100%, 40%);">+ 2 files changed, 55 insertions(+), 12 deletions(-)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjlib/src/pj/ssl_sock_imp_common.c b/pjlib/src/pj/ssl_sock_imp_common.c</span><br><span style="color: hsl(120, 100%, 40%);">+index bc468bcb3..abec31805 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjlib/src/pj/ssl_sock_imp_common.c</span><br><span>++++ b/pjlib/src/pj/ssl_sock_imp_common.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -224,6 +224,8 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Accepting */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ssock->is_server) {</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_bool_t ret = PJ_TRUE;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status != PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Handshake failed in accepting, destroy our self silently. */</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -241,6 +243,12 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ status);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ /* Decrement ref count of parent */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (ssock->parent->param.grp_lock) {</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_grp_lock_dec_ref(ssock->parent->param.grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">++ ssock->parent = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Originally, this is a workaround for ticket #985. However,</span><br><span style="color: hsl(120, 100%, 40%);">+ * a race condition may occur in multiple worker threads</span><br><span style="color: hsl(120, 100%, 40%);">+ * environment when we are destroying SSL objects while other</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -284,23 +292,29 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ return PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Notify application the newly accepted SSL socket */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ssock->param.cb.on_accept_complete2) {</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_bool_t ret;</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = (*ssock->param.cb.on_accept_complete2) </span><br><span style="color: hsl(120, 100%, 40%);">+ (ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr, </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr), </span><br><span style="color: hsl(120, 100%, 40%);">+ status);</span><br><span style="color: hsl(120, 100%, 40%);">+- if (ret == PJ_FALSE)</span><br><span style="color: hsl(120, 100%, 40%);">+- return PJ_FALSE; </span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (ssock->param.cb.on_accept_complete) {</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_bool_t ret;</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = (*ssock->param.cb.on_accept_complete)</span><br><span style="color: hsl(120, 100%, 40%);">+ (ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr,</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr));</span><br><span style="color: hsl(120, 100%, 40%);">+- if (ret == PJ_FALSE)</span><br><span style="color: hsl(120, 100%, 40%);">+- return PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Decrement ref count of parent and reset parent (we don't need it</span><br><span style="color: hsl(120, 100%, 40%);">++ * anymore, right?).</span><br><span style="color: hsl(120, 100%, 40%);">++ */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (ssock->parent->param.grp_lock) {</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_grp_lock_dec_ref(ssock->parent->param.grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">++ ssock->parent = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ if (ret == PJ_FALSE)</span><br><span style="color: hsl(120, 100%, 40%);">++ return PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Connecting */</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -864,9 +878,13 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status != PJ_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+ goto on_return;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ /* Set parent and add ref count (avoid parent destroy during handshake) */</span><br><span style="color: hsl(120, 100%, 40%);">++ ssock->parent = ssock_parent;</span><br><span style="color: hsl(120, 100%, 40%);">++ if (ssock->parent->param.grp_lock)</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_grp_lock_add_ref(ssock->parent->param.grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Update new SSL socket attributes */</span><br><span style="color: hsl(120, 100%, 40%);">+ ssock->sock = newsock;</span><br><span style="color: hsl(120, 100%, 40%);">+- ssock->parent = ssock_parent;</span><br><span style="color: hsl(120, 100%, 40%);">+ ssock->is_server = PJ_TRUE;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ssock_parent->cert) {</span><br><span style="color: hsl(120, 100%, 40%);">+ status = pj_ssl_sock_set_certificate(ssock, ssock->pool, </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -913,16 +931,20 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,</span><br><span style="color: hsl(120, 100%, 40%);">+ ssock->asock_rbuf = (void**)pj_pool_calloc(ssock->pool, </span><br><span style="color: hsl(120, 100%, 40%);">+ ssock->param.async_cnt,</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(void*));</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!ssock->asock_rbuf)</span><br><span style="color: hsl(120, 100%, 40%);">+- return PJ_ENOMEM;</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!ssock->asock_rbuf) {</span><br><span style="color: hsl(120, 100%, 40%);">++ status = PJ_ENOMEM;</span><br><span style="color: hsl(120, 100%, 40%);">++ goto on_return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i<ssock->param.async_cnt; ++i) {</span><br><span style="color: hsl(120, 100%, 40%);">+- ssock->asock_rbuf[i] = (void*) pj_pool_alloc(</span><br><span style="color: hsl(120, 100%, 40%);">++ ssock->asock_rbuf[i] = (void*) pj_pool_alloc(</span><br><span style="color: hsl(120, 100%, 40%);">+ ssock->pool, </span><br><span style="color: hsl(120, 100%, 40%);">+ ssock->param.read_buffer_size + </span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(read_data_t*));</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!ssock->asock_rbuf[i])</span><br><span style="color: hsl(120, 100%, 40%);">+- return PJ_ENOMEM;</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!ssock->asock_rbuf[i]) {</span><br><span style="color: hsl(120, 100%, 40%);">++ status = PJ_ENOMEM;</span><br><span style="color: hsl(120, 100%, 40%);">++ goto on_return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Create active socket */</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 17b7ae3de..ce524d53f 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjsip/src/pjsip/sip_transport_tls.c</span><br><span>++++ b/pjsip/src/pjsip/sip_transport_tls.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1325,9 +1325,26 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_UNUSED_ARG(src_addr_len);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ listener = (struct tls_listener*) pj_ssl_sock_get_user_data(ssock);</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!listener) {</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Listener already destroyed, e.g: after TCP accept but before SSL</span><br><span style="color: hsl(120, 100%, 40%);">++ * handshake is completed.</span><br><span style="color: hsl(120, 100%, 40%);">++ */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (new_ssock && accept_status == PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Close the SSL socket if the accept op is successful */</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_LOG(4,(THIS_FILE,</span><br><span style="color: hsl(120, 100%, 40%);">++ "Incoming TLS connection from %s (sock=%d) is discarded "</span><br><span style="color: hsl(120, 100%, 40%);">++ "because listener is already destroyed",</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_sockaddr_print(src_addr, addr, sizeof(addr), 3),</span><br><span style="color: hsl(120, 100%, 40%);">++ new_ssock));</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_ssl_sock_close(new_ssock);</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ return PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ if (accept_status != PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+- if (listener && listener->tls_setting.on_accept_fail_cb) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (listener->tls_setting.on_accept_fail_cb) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_tls_on_accept_fail_param param;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_ssl_sock_info ssi;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1350,6 +1367,8 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_ASSERT_RETURN(new_ssock, PJ_TRUE);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ if (!listener->is_registered) {</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_ssl_sock_close(new_ssock);</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ if (listener->tls_setting.on_accept_fail_cb) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_tls_on_accept_fail_param param;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_bzero(¶m, sizeof(param));</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1401,6 +1420,8 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ ssl_info.grp_lock, &tls);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ if (status != PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_ssl_sock_close(new_ssock);</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ if (listener->tls_setting.on_accept_fail_cb) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_tls_on_accept_fail_param param;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_bzero(¶m, sizeof(param));</span><br><span>diff --git a/third-party/pjproject/patches/0111-ssl-premature-destroy.patch b/third-party/pjproject/patches/0111-ssl-premature-destroy.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..9de2915</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0111-ssl-premature-destroy.patch</span><br><span>@@ -0,0 +1,136 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From 68c69f516f95df1faa42e5647e9ce7cfdc41ac38 Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: Nanang Izzuddin <nanang@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Wed, 16 Jun 2021 12:15:29 +0700</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH 2/2] - Fix silly mistake: accepted active socket created</span><br><span style="color: hsl(120, 100%, 40%);">+ without group lock in SSL socket. - Replace assertion with normal validation</span><br><span style="color: hsl(120, 100%, 40%);">+ check of SSL socket instance in OpenSSL verification callback (verify_cb())</span><br><span style="color: hsl(120, 100%, 40%);">+ to avoid crash, e.g: if somehow race condition with SSL socket destroy</span><br><span style="color: hsl(120, 100%, 40%);">+ happens or OpenSSL application data index somehow gets corrupted.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjlib/src/pj/ssl_sock_imp_common.c | 3 +-</span><br><span style="color: hsl(120, 100%, 40%);">+ pjlib/src/pj/ssl_sock_ossl.c | 45 +++++++++++++++++++++++++-----</span><br><span style="color: hsl(120, 100%, 40%);">+ 2 files changed, 40 insertions(+), 8 deletions(-)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjlib/src/pj/ssl_sock_imp_common.c b/pjlib/src/pj/ssl_sock_imp_common.c</span><br><span style="color: hsl(120, 100%, 40%);">+index bc468bcb3..c2b8a846b 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjlib/src/pj/ssl_sock_imp_common.c</span><br><span>++++ b/pjlib/src/pj/ssl_sock_imp_common.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -927,6 +927,7 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Create active socket */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_activesock_cfg_default(&asock_cfg);</span><br><span style="color: hsl(120, 100%, 40%);">++ asock_cfg.grp_lock = ssock->param.grp_lock;</span><br><span style="color: hsl(120, 100%, 40%);">+ asock_cfg.async_cnt = ssock->param.async_cnt;</span><br><span style="color: hsl(120, 100%, 40%);">+ asock_cfg.concurrency = ssock->param.concurrency;</span><br><span style="color: hsl(120, 100%, 40%);">+ asock_cfg.whole_data = PJ_TRUE;</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -942,7 +943,7 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,</span><br><span style="color: hsl(120, 100%, 40%);">+ goto on_return;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_add_ref(glock);</span><br><span style="color: hsl(120, 100%, 40%);">+- asock_cfg.grp_lock = ssock->param.grp_lock = glock;</span><br><span style="color: hsl(120, 100%, 40%);">++ ssock->param.grp_lock = glock;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_add_handler(ssock->param.grp_lock, ssock->pool, ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ ssl_on_destroy);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c</span><br><span style="color: hsl(120, 100%, 40%);">+index a95b339a5..56841f80a 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjlib/src/pj/ssl_sock_ossl.c</span><br><span>++++ b/pjlib/src/pj/ssl_sock_ossl.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -327,7 +327,8 @@ static pj_status_t STATUS_FROM_SSL_ERR(char *action, pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- ssock->last_err = err;</span><br><span style="color: hsl(120, 100%, 40%);">++ if (ssock)</span><br><span style="color: hsl(120, 100%, 40%);">++ ssock->last_err = err;</span><br><span style="color: hsl(120, 100%, 40%);">+ return GET_STATUS_FROM_SSL_ERR(err);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -344,7 +345,8 @@ static pj_status_t STATUS_FROM_SSL_ERR2(char *action, pj_ssl_sock_t *ssock,</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Dig for more from OpenSSL error queue */</span><br><span style="color: hsl(120, 100%, 40%);">+ SSLLogErrors(action, ret, err, len, ssock);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- ssock->last_err = ssl_err;</span><br><span style="color: hsl(120, 100%, 40%);">++ if (ssock)</span><br><span style="color: hsl(120, 100%, 40%);">++ ssock->last_err = ssl_err;</span><br><span style="color: hsl(120, 100%, 40%);">+ return GET_STATUS_FROM_SSL_ERR(ssl_err);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -587,6 +589,13 @@ static pj_status_t init_openssl(void)</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Create OpenSSL application data index for SSL socket */</span><br><span style="color: hsl(120, 100%, 40%);">+ sslsock_idx = SSL_get_ex_new_index(0, "SSL socket", NULL, NULL, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">++ if (sslsock_idx == -1) {</span><br><span style="color: hsl(120, 100%, 40%);">++ status = STATUS_FROM_SSL_ERR2("Init", NULL, -1, ERR_get_error(), 0);</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_LOG(1,(THIS_FILE,</span><br><span style="color: hsl(120, 100%, 40%);">++ "Fatal error: failed to get application data index for "</span><br><span style="color: hsl(120, 100%, 40%);">++ "SSL socket"));</span><br><span style="color: hsl(120, 100%, 40%);">++ return status;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -614,21 +623,36 @@ static int password_cb(char *buf, int num, int rwflag, void *user_data)</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+-/* SSL password callback. */</span><br><span style="color: hsl(120, 100%, 40%);">++/* SSL certificate verification result callback.</span><br><span style="color: hsl(120, 100%, 40%);">++ * Note that this callback seems to be always called from library worker</span><br><span style="color: hsl(120, 100%, 40%);">++ * thread, e.g: active socket on_read_complete callback, which should have</span><br><span style="color: hsl(120, 100%, 40%);">++ * already been equipped with race condition avoidance mechanism (should not</span><br><span style="color: hsl(120, 100%, 40%);">++ * be destroyed while callback is being invoked).</span><br><span style="color: hsl(120, 100%, 40%);">++ */</span><br><span style="color: hsl(120, 100%, 40%);">+ static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_ssl_sock_t *ssock;</span><br><span style="color: hsl(120, 100%, 40%);">+- SSL *ossl_ssl;</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_ssl_sock_t *ssock = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">++ SSL *ossl_ssl = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ int err;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Get SSL instance */</span><br><span style="color: hsl(120, 100%, 40%);">+ ossl_ssl = X509_STORE_CTX_get_ex_data(x509_ctx, </span><br><span style="color: hsl(120, 100%, 40%);">+ SSL_get_ex_data_X509_STORE_CTX_idx());</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_assert(ossl_ssl);</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!ossl_ssl) {</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_LOG(1,(THIS_FILE,</span><br><span style="color: hsl(120, 100%, 40%);">++ "SSL verification callback failed to get SSL instance"));</span><br><span style="color: hsl(120, 100%, 40%);">++ goto on_return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Get SSL socket instance */</span><br><span style="color: hsl(120, 100%, 40%);">+ ssock = SSL_get_ex_data(ossl_ssl, sslsock_idx);</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_assert(ssock);</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!ssock) {</span><br><span style="color: hsl(120, 100%, 40%);">++ /* SSL socket may have been destroyed */</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_LOG(1,(THIS_FILE,</span><br><span style="color: hsl(120, 100%, 40%);">++ "SSL verification callback failed to get SSL socket "</span><br><span style="color: hsl(120, 100%, 40%);">++ "instance (sslsock_idx=%d).", sslsock_idx));</span><br><span style="color: hsl(120, 100%, 40%);">++ goto on_return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Store verification status */</span><br><span style="color: hsl(120, 100%, 40%);">+ err = X509_STORE_CTX_get_error(x509_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -706,6 +730,7 @@ static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)</span><br><span style="color: hsl(120, 100%, 40%);">+ if (PJ_FALSE == ssock->param.verify_peer)</span><br><span style="color: hsl(120, 100%, 40%);">+ preverify_ok = 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++on_return:</span><br><span style="color: hsl(120, 100%, 40%);">+ return preverify_ok;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1213,6 +1238,12 @@ static void ssl_destroy(pj_ssl_sock_t *ssock)</span><br><span style="color: hsl(120, 100%, 40%);">+ static void ssl_reset_sock_state(pj_ssl_sock_t *ssock)</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+ ossl_sock_t *ossock = (ossl_sock_t *)ssock;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Detach from SSL instance */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (ossock->ossl_ssl) {</span><br><span style="color: hsl(120, 100%, 40%);">++ SSL_set_ex_data(ossock->ossl_ssl, sslsock_idx, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ /**</span><br><span style="color: hsl(120, 100%, 40%);">+ * Avoid calling SSL_shutdown() if handshake wasn't completed.</span><br><span style="color: hsl(120, 100%, 40%);">+ * OpenSSL 1.0.2f complains if SSL_shutdown() is called during an</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/16208">change 16208</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/16208"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16.19 </div>
<div style="display:none"> Gerrit-Change-Id: I105dacdcd130ea7fdd4cf2010ccf35b5eaf1432d </div>
<div style="display:none"> Gerrit-Change-Number: 16208 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>