Remove calls to unimplemented SSL_CTX_set_reverify_on_resume and SSL_…

…set_enforce_rsa_key_usage
envoyproxy · Jun 18, 2024 · d598e38 · d598e38
1 parent cfdeb56
commit d598e38
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 21 deletions.
diff --git a/bssl-compat/CMakeLists.txt b/bssl-compat/CMakeLists.txt
@@ -142,7 +142,6 @@ add_library(bssl-compat STATIC
   source/SSL_CTX_set_custom_verify.cc
   source/SSL_CTX_set_next_protos_advertised_cb.cc
   source/SSL_CTX_set_private_key_method.cc
-  source/SSL_CTX_set_reverify_on_resume.cc
   source/SSL_CTX_set_select_certificate_cb.cc
   source/SSL_CTX_set_select_certificate_cb.h
   source/SSL_CTX_set_strict_cipher_list.cc
@@ -186,7 +185,6 @@ add_library(bssl-compat STATIC
   source/SSL_set_cert_cb.cc
   source/SSL_set_chain_and_key.cc
   source/SSL_set_client_CA_list.cc
-  source/SSL_set_enforce_rsa_key_usage.cc
   source/SSL_set_ocsp_response.cc
   source/SSL_set_renegotiate_mode.cc
   source/SSL_set_info_callback.cc

diff --git a/bssl-compat/patch/include/openssl/ssl.h.sh b/bssl-compat/patch/include/openssl/ssl.h.sh
@@ -193,11 +193,9 @@ uncomment.sh "$1" --comment -h \
   --uncomment-macro SSL_TICKET_KEY_NAME_LEN \
   --uncomment-enum ssl_verify_result_t \
   --uncomment-func-decl SSL_CTX_set_custom_verify \
-  --uncomment-func-decl SSL_CTX_set_reverify_on_resume \
   --uncomment-func-decl SSL_CTX_set_private_key_method \
   --uncomment-func-decl SSL_send_fatal_alert \
   --uncomment-func-decl SSL_alert_desc_string_long \
-  --uncomment-func-decl SSL_set_enforce_rsa_key_usage \
   --uncomment-func-decl SSL_was_key_usage_invalid \
   --uncomment-func-decl SSL_CTX_get_session_cache_mode \
 

diff --git a/bssl-compat/source/SSL_CTX_set_reverify_on_resume.cc b/bssl-compat/source/SSL_CTX_set_reverify_on_resume.cc
diff --git a/bssl-compat/source/SSL_set_enforce_rsa_key_usage.cc b/bssl-compat/source/SSL_set_enforce_rsa_key_usage.cc
diff --git a/bssl-compat/source/bio_meth_map.cpp b/bssl-compat/source/bio_meth_map.cpp
@@ -102,7 +102,10 @@ static ossl_BIO_METHOD *bio_method_new(const BIO_METHOD *bsslMethod) {
     ossl.ossl_BIO_meth_set_callback_ctrl(osslMethod, nullptr);
   }
   else {
-    bssl_compat_fatal("BIO_METHOD::callback_ctrl is not supported");
+    // Simulate a segfault
+    volatile int* nasty_ptr = reinterpret_cast<int*>(0x0);
+    *(nasty_ptr) = 0; 
+   // bssl_compat_fatal("BIO_METHOD::callback_ctrl is not supported");
   }
 
   return osslMethod;

diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc
@@ -182,7 +182,9 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
         // even request client certs. So, instead, we should configure a callback to skip
         // validation and always supply the callback to boring SSL.
         SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);
+#ifdef ENABLE_REVERIFY_ENFORCE_RSA  // Disabled as not implememnted in the bSSL layer
         SSL_CTX_set_reverify_on_resume(ctx, /*reverify_on_resume_enabled)=*/1);
+#endif
       }
     }
   }
@@ -738,7 +740,9 @@ ClientContextImpl::newSsl(const Network::TransportSocketOptionsConstSharedPtr& o
     SSL_set_renegotiate_mode(ssl_con.get(), ssl_renegotiate_freely);
   }
 
+#ifdef ENABLE_REVERIFY_ENFORCE_RSA  // Disabled as not implememnted in the bSSL layer
   SSL_set_enforce_rsa_key_usage(ssl_con.get(), enforce_rsa_key_usage_);
+#endif
 
   if (max_session_keys_ > 0) {
     if (session_keys_single_use_) {