-
Notifications
You must be signed in to change notification settings - Fork 38
tcp: fix SSL_CONF_cmd/SSL_new ordering in OpenSSL client connect path #291
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Cropi
wants to merge
1
commit into
rsyslog:master
Choose a base branch
from
Cropi:fix/ossl-ssl-new-ordering
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1891,6 +1891,15 @@ relpTcpConnectTLSInit_ossl(relpTcp_t *const pThis) | |
| /*if we reach this point we are in tls mode */ | ||
| pThis->pEngine->dbgprint((char*)"relpTcpConnectTLSInit: TLS Mode\n"); | ||
|
|
||
| /* set before relpTcpSetSslConfCmd_ossl: tlsConfigCmd may contain | ||
| * flag-restricted commands that require SSL_CONF_FLAG_CLIENT */ | ||
| pThis->sslState = osslClient; | ||
|
|
||
| /* SSL_CONF_cmd targets the SSL_CTX; SSL_new() snapshots the SSL_CTX's | ||
| * group list at construction time, so this must run before SSL_new() | ||
| * or the SSL object keeps the default groups set by SSL_CTX_new() */ | ||
| CHKRet(relpTcpSetSslConfCmd_ossl(pThis, pThis->tlsConfigCmd)); | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. P1: Race condition: per-connection TLS config modifies shared global SSL_CTX without synchronization before SSL_new Prompt for AI agents |
||
|
|
||
| if(!(pThis->ssl = SSL_new(ctx))) { | ||
| relpTcpLastSSLErrorMsg(0, pThis, "relpTcpConnectTLSInit"); | ||
| ABORT_FINALIZE(RELP_RET_IO_ERR); | ||
|
|
@@ -1906,17 +1915,11 @@ relpTcpConnectTLSInit_ossl(relpTcp_t *const pThis) | |
| } else | ||
| pThis->authmode = eRelpAuthMode_None; | ||
|
|
||
| /* Set TLS Options if configured */ | ||
| CHKRet(relpTcpSetSslConfCmd_ossl(pThis, pThis->tlsConfigCmd)); | ||
|
|
||
| /* Set TLS Priority Options */ | ||
| CHKRet(relpTcpTLSSetPrio(pThis)); | ||
|
|
||
| SSL_set_ex_data(pThis->ssl, 0, (void*)pThis); | ||
|
|
||
| /*set client state */ | ||
| pThis->sslState = osslClient; | ||
|
|
||
| /* Create BIO from ptcp socket! */ | ||
| conn = BIO_new_socket(pThis->sock, BIO_CLOSE /*BIO_NOCLOSE*/); | ||
| pThis->pEngine->dbgprint((char*)"relpTcpConnectTLSInit: Init conn BIO[%p] done\n", (void *)conn); | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Applying configuration commands to the global
SSL_CTX(ctx) viaSSL_CONF_cmdis problematic in a multi-threaded environment likelibrelp/rsyslog. Sincectxis a single static global variable shared across all client and server connections:SSL_CONF_cmdon the sameSSL_CTXsimultaneously without locking, leading to undefined behavior or crashes.tlsConfigCmdsettings, they will overwrite each other's configurations on the globalctx. Whichever connection is created next viaSSL_new(ctx)will inherit the configuration of the last connection that calledSSL_CONF_cmd.Recommended Solution
Instead of targeting the global
SSL_CTX, the configuration should be applied directly to the per-connectionSSLobject (pThis->ssl) usingSSL_CONF_CTX_set_sslinstead ofSSL_CONF_CTX_set_ssl_ctx.To implement this:
relpTcpSetSslConfCmd_osslafterSSL_new(as it was originally) so thatpThis->sslis already allocated.relpTcpSetSslConfCmd_ossl(around line 1696) to target theSSLobject if available:This ensures thread safety, prevents configuration leakage between connections, and correctly applies the configuration to the active connection.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The race condition is real but pre-dates this patch. The original code called relpTcpSetSslConfCmd_ossl on the same shared global SSL_CTX too just after SSL_new instead of before. This PR didn't introduce it.