------------------------------------------------------------
revno: 12626
tags: SQUID_3_3_9
revision-id: squid3@treenet.co.nz-20130911015334-tu6v9uvjmlr4j9w9
parent: squid3@treenet.co.nz-20130911013913-46mm3ozyx1a8ohfz
committer: Amos Jeffries
branch nick: 3.3
timestamp: Tue 2013-09-10 19:53:34 -0600
message:
  Revert r12609 due to compile errors on stable branch
  src/ssl/support.cc:302: error: expected type-specifier
  src/ssl/support.cc:302: error: cannot convert 'int*' to 'Ssl::Errors*' in assignment
  src/ssl/support.cc:302: error: expected `;'
  src/ssl/support.cc:303: error: 'class ACLFilledChecklist' has no member named 'serverCert'
  src/ssl/support.cc:312: error: 'class ACLFilledChecklist' has no member named 'serverCert'
  src/ssl/support.cc:316: error: 'TheConfig' is not a member of 'Ssl'
  src/ssl/support.cc:319: error: 'ssl_ex_index_ssl_cert_chain' was not declared in this scope
  src/ssl/support.cc:495: error: a function-definition is not allowed here before '{' token
  src/ssl/support.cc:1595: error: expected `}' at end of input
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130911015334-tu6v9uvjmlr4j9w9
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: 3c2296baa2336fb3e7f3155a8480800e2122bf35
# timestamp: 2013-09-11 04:37:46 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20130911013913-\
#   46mm3ozyx1a8ohfz
# 
# Begin patch
=== modified file 'ChangeLog'
--- ChangeLog 2013-09-11 01:39:13 +0000
+++ ChangeLog 2013-09-11 01:53:34 +0000
@@ -12,7 +12,6 @@
 	- Fix myportname ACL on ICAP/eCAP transactions
 	- Fix external ACL user:pass detail logging after adaptation
 	- Fix SMP mgr:info report 'Largest file desc currently in use'
-	- Handle infinite certificate validation loops caused by OpenSSL Bug 3090.
 	- Improved compatibility with gcc 4.8, clang and icc
 	- Show number of available filedescriptors when reserved FD changes
 	- Sync with newest OpenSSL error codes
=== modified file 'errors/templates/error-details.txt'
--- errors/templates/error-details.txt 2013-09-10 07:31:09 +0000
+++ errors/templates/error-details.txt 2013-09-11 01:53:34 +0000
@@ -1,7 +1,3 @@
-name: SQUID_X509_V_ERR_INFINITE_VALIDATION
-detail: "%ssl_error_descr: %ssl_subject"
-descr: "Cert validation infinite loop detected"
-
 name: SQUID_ERR_SSL_HANDSHAKE
 detail: "%ssl_error_descr: %ssl_lib_error"
 descr: "Handshake with SSL server failed"
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2013-09-10 07:22:44 +0000
+++ src/cf.data.pre 2013-09-11 01:53:34 +0000
@@ -2295,9 +2295,6 @@
 	Without this option, all server certificate validation errors
 	terminate the transaction to protect Squid and the client.
 
-	SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
-	but should not happen unless your OpenSSL library is buggy.
-
 	SECURITY WARNING: Bypassing validation errors is dangerous
 	because an error usually implies that the server cannot be
 	trusted
=== modified file 'src/globals.h'
--- src/globals.h 2013-09-10 07:22:44 +0000
+++ src/globals.h 2013-09-11 01:53:34 +0000
@@ -134,7 +134,6 @@
 extern int ssl_ex_index_ssl_error_detail; /* -1 */
 extern int ssl_ex_index_ssl_peeked_cert; /* -1 */
 extern int ssl_ex_index_ssl_errors; /* -1 */
-extern int ssl_ex_index_ssl_validation_counter; /* -1 */
 extern const char *external_acl_message; /* NULL */
 extern int opt_send_signal; /* -1 */
=== modified file 'src/ssl/ErrorDetail.cc'
--- src/ssl/ErrorDetail.cc 2013-09-10 07:31:09 +0000
+++ src/ssl/ErrorDetail.cc 2013-09-11 01:53:34 +0000
@@ -19,10 +19,8 @@
 SslErrors TheSslErrors;
 
 static SslErrorEntry TheSslErrorArray[] = {
-    {SQUID_X509_V_ERR_INFINITE_VALIDATION,
-     "SQUID_X509_V_ERR_INFINITE_VALIDATION"},
     {SQUID_X509_V_ERR_CERT_CHANGE,
-     "SQUID_X509_V_ERR_CERT_CHANGE"},
+    "SQUID_X509_V_ERR_CERT_CHANGE"},
     {SQUID_ERR_SSL_HANDSHAKE,
      "SQUID_ERR_SSL_HANDSHAKE"},
     {SQUID_X509_V_ERR_DOMAIN_MISMATCH,
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2013-09-11 01:05:03 +0000
+++ src/ssl/support.cc 2013-09-11 01:53:34 +0000
@@ -238,23 +238,6 @@
     X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer, sizeof(buffer));
 
-    // detect infinite loops
-    uint32_t *validationCounter = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_validation_counter));
-    if (!validationCounter) {
-        validationCounter = new uint32_t(1);
-        SSL_set_ex_data(ssl, ssl_ex_index_ssl_validation_counter, validationCounter);
-    } else {
-        // overflows allowed if SQUID_CERT_VALIDATION_ITERATION_MAX >= UINT32_MAX
-        (*validationCounter)++;
-    }
-
-    if ((*validationCounter) >= SQUID_CERT_VALIDATION_ITERATION_MAX) {
-        ok = 0; // or the validation loop will never stop
-        error_no = SQUID_X509_V_ERR_INFINITE_VALIDATION;
-        debugs(83, 2, "SQUID_X509_V_ERR_INFINITE_VALIDATION: " <<
-               *validationCounter << " iterations while checking " << buffer);
-    }
-
     if (ok) {
         debugs(83, 5, "SSL Certificate signature OK: " << buffer);
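Review bot: With the counter removed, the verify callback on the new side of the support.cc hunk runs with no bound on how many times OpenSSL may invoke it for a single connection, and nothing left in the code records that the OpenSSL bug 3090 guard was reverted for build reasons rather than rejected. The commit message attributes the revert to 3.3 build failures (missing Ssl::CertErrors, serverCert, TheConfig) and not to a flaw in the guard, so a marker above the `if (ok)` would keep the gap visible to whoever forward-ports it, e.g. `// NOTE: no iteration bound here; the r12609 guard against OpenSSL bug 3090 validation loops was reverted for 3.3 build errors and still needs a branch-compatible port`. The ChangeLog hunk earlier in this commit drops the only other trace of that guard, so without such a note the branch carries no record that the protection is pending. The enclosing callback starts and ends outside this hunk.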
@@ -293,34 +276,18 @@
     else
         debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer);
 
-    // Check if the certificate error can be bypassed.
-    // Infinity validation loop errors can not bypassed.
-    if (error_no != SQUID_X509_V_ERR_INFINITE_VALIDATION) {
-        if (check) {
-            ACLFilledChecklist *filledCheck = Filled(check);
-            assert(!filledCheck->sslErrors);
-            filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert));
-            filledCheck->serverCert.resetAndLock(peer_cert);
-            if (check->fastCheck() == ACCESS_ALLOWED) {
-                debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
-                ok = 1;
-            } else {
-                debugs(83, 5, "confirming SSL error " << error_no);
-            }
-            delete filledCheck->sslErrors;
-            filledCheck->sslErrors = NULL;
-            filledCheck->serverCert.reset(NULL);
-        }
-        // If the certificate validator is used then we need to allow all errors and
-        // pass them to certficate validator for more processing
-        else if (Ssl::TheConfig.ssl_crt_validator) {
+    if (check) {
+        ACLFilledChecklist *filledCheck = Filled(check);
+        assert(!filledCheck->sslErrors);
+        filledCheck->sslErrors = new Ssl::Errors(error_no);
+        if (check->fastCheck() == ACCESS_ALLOWED) {
+            debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
             ok = 1;
-            // Check if we have stored certificates chain. Store if not.
-            if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
-                STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
-                if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
-                    sk_X509_pop_free(certStack, X509_free);
-            }
+        } else {
+            debugs(83, 5, "confirming SSL error " << error_no);
+        }
+        delete filledCheck->sslErrors;
+        filledCheck->sslErrors = NULL;
         }
     }
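Review bot: The restored bypass block on the new side allocates `filledCheck->sslErrors` with `new` and only releases it by hand after `check->fastCheck()` returns, so if `fastCheck()` can throw (nothing in the hunk shows it cannot — worth confirming) the `Ssl::Errors` object leaks and the checklist keeps a pointer to freed-nothing, which the `assert(!filledCheck->sslErrors)` would trip on any later reuse of that checklist. A scope guard that performs the `delete` and the `= NULL` reset in its destructor makes the normal and exceptional exits identical and replaces the two manual cleanup lines; the sketch below keeps the visible logic otherwise unchanged. Separately, with SQUID_X509_V_ERR_INFINITE_VALIDATION gone every `error_no` reaching this block, including the negative Squid-specific codes, is again eligible for the ACL bypass — that matches pre-r12609 behavior, but a one-line comment such as `// every error_no, including Squid's own negative codes, may be bypassed by the ACL` would make the absence of a non-bypassable class deliberate rather than accidental. The enclosing function starts and ends outside this hunk.
```cpp
    if (check) {
        ACLFilledChecklist *filledCheck = Filled(check);
        assert(!filledCheck->sslErrors);
        // releases sslErrors and clears the checklist field on every exit path,
        // including an exception thrown out of fastCheck()
        struct SslErrorsReset {
            ACLFilledChecklist *cl;
            ~SslErrorsReset() { delete cl->sslErrors; cl->sslErrors = NULL; }
        } reset = { filledCheck };
        filledCheck->sslErrors = new Ssl::Errors(error_no);
        // … unchanged: fastCheck() and the bypassing/confirming debugs …
    }
```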
@@ -665,15 +632,6 @@
     delete errs;
 }
 
-// "free" function for SSL_get_ex_new_index("ssl_ex_index_ssl_validation_counter")
-static void
-ssl_free_int(void *, void *ptr, CRYPTO_EX_DATA *,
-             int, long, void *)
-{
-    uint32_t *counter = static_cast (ptr);
-    delete counter;
-}
-
 // "free" function for X509 certificates
 static void
 ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *,
@@ -724,7 +682,6 @@
     ssl_ex_index_ssl_error_detail = SSL_get_ex_new_index(0, (void *) "ssl_error_detail", NULL, NULL, &ssl_free_ErrorDetail);
     ssl_ex_index_ssl_peeked_cert = SSL_get_ex_new_index(0, (void *) "ssl_peeked_cert", NULL, NULL, &ssl_free_X509);
     ssl_ex_index_ssl_errors = SSL_get_ex_new_index(0, (void *) "ssl_errors", NULL, NULL, &ssl_free_SslErrors);
-    ssl_ex_index_ssl_validation_counter = SSL_get_ex_new_index(0, (void *) "ssl_validation_counter", NULL, NULL, &ssl_free_int);
 }
 
 /// \ingroup ServerProtocolSSLInternal
=== modified file 'src/ssl/support.h'
--- src/ssl/support.h 2013-09-10 07:22:44 +0000
+++ src/ssl/support.h 2013-09-11 01:53:34 +0000
@@ -55,7 +55,6 @@
  */
 
 // Custom SSL errors; assumes all official errors are positive
-#define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
 #define SQUID_X509_V_ERR_CERT_CHANGE -3
 #define SQUID_ERR_SSL_HANDSHAKE -2
 #define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
@@ -63,14 +62,6 @@
 #define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
 #define SQUID_SSL_ERROR_MAX INT_MAX
 
-// Maximum certificate validation callbacks. OpenSSL versions exceeding this
-// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
-// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
-// Can be set to a number up to UINT32_MAX
-#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
-#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
-#endif
-
 namespace AnyP
 {
 class PortCfg;