From a7e3f7c46aec7e7a11f412ba32b292d00eae7dde Mon Sep 17 00:00:00 2001
From: Randall Meyer
Date: Wed, 8 Jul 2020 15:25:43 -0700
Subject: [PATCH] Fixes use after free when boringssl is used

Ownership of the ca_list is transferred when SSL_CTX_set_client_CA_list is called. This change delays that transfer to after the elements are hashed.

(cherry picked from commit be234547bde4bb50e7b05a0cae37a1efaa45eac6)

Conflicts:
	iocore/net/SSLUtils.cc
---
 iocore/net/SSLUtils.cc | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2787f3c16f7..7ffcb41aaf5 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1879,13 +1879,8 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
     SSL_CTX_set_verify_depth(ctx, params->verify_depth); // might want to make configurable at some point.
   }
 
-  // Set the list of CA's to send to client if we ask for a client
-  // certificate
   if (params->serverCACertFilename) {
     ca_list = SSL_load_client_CA_file(params->serverCACertFilename);
-    if (ca_list) {
-      SSL_CTX_set_client_CA_list(ctx, ca_list);
-    }
   }
 
   if (EVP_DigestInit_ex(digest, evp_md_func, nullptr) == 0) {
@@ -1912,6 +1907,9 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
         goto fail;
       }
     }
+
+    // Set the list of CA's to send to client if we ask for a client certificate
+    SSL_CTX_set_client_CA_list(ctx, ca_list);
   }
 
   if (EVP_DigestFinal_ex(digest, hash_buf, &hash_len) == 0) {
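Review bot: Now that the list is no longer handed to the context right after `SSL_load_client_CA_file`, `ca_list` stays owned by this function across the `goto fail` in the hashing loop of the second hunk, and presumably across the failure branch of the `EVP_DigestInit_ex` check that ends this hunk; unless the `fail:` label, which is outside the hunk, releases it, a digest failure now leaks a list the old code had already transferred. If `fail:` does not already do so, release it there with `sk_X509_NAME_pop_free(ca_list, X509_NAME_free);` and clear the pointer right after the transfer, `SSL_CTX_set_client_CA_list(ctx, ca_list); ca_list = nullptr;`, so later `goto fail` paths do not double-free a list the context now owns. SSLInitServerContext starts before this hunk and ends after the second one.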
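Review bot: The new `SSL_CTX_set_client_CA_list(ctx, ca_list);` has no `if (ca_list)` guard, whereas the removed code only set the list when the load succeeded; with a null list the call replaces whatever client CA list the context already held with an empty one rather than leaving it untouched. The closing `}` on the context line after the insertion suggests the call sits inside a block opened before this hunk, which may already be that guard; if its header is anything other than a check on `ca_list`, restore it as `if (ca_list) { SSL_CTX_set_client_CA_list(ctx, ca_list); }`. The enclosing function continues outside the hunk.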