From: <do...@us...> - 2004-11-20 06:43:05
Update of /cvsroot/aolserver/nsopenssl In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23495 Modified Files: Makefile nsopenssl.c sslcontext.c Log Message: Fix memory leak in IssueTmpRSAKey, introducing new NsMakeTmpRSAKey and pre-generating 512-bit and 1024-bit temporary RSA keys at nsopenssl module initialization time. Closes SF Bug #1069595. Index: Makefile =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/Makefile,v retrieving revision 1.43 retrieving revision 1.44 diff -C2 -d -r1.43 -r1.44 *** Makefile 14 Apr 2004 01:07:54 -0000 1.43 --- Makefile 20 Nov 2004 06:42:54 -0000 1.44 *************** *** 22,37 **** # Copyright (C) 2001-2003 Scott S. Goodwin # # $Header$ # ! # XXX AOLserver 3.x defines this, but AOLserver 4.x uses the install binary ! # XXX instead. We'll need to update all the modules to use install ! CP = /bin/cp -fp - ifdef INST - NSHOME ?= $(INST) else - NSHOME ?= ../aolserver - endif # --- 22,47 ---- # Copyright (C) 2001-2003 Scott S. Goodwin # + # Portions created by AOL are Copyright (C) 1999 America Online, Inc. All + # Rights Reserved. + # + # # $Header$ # ! AOLSERVER ?= ../aolserver ! ! ifndef OPENSSL ! ! all: ! @echo "** " ! @echo "** OPENSSL variable not set." ! @echo "** nsopenssl will not be built." ! @echo "** " ! ! install: all ! ! clean: else # *************** *** 48,52 **** MOD = nsopenssl.so ! OBJS = nsopenssl.o HDRS = nsopenssl.h MODLIBS = -L$(OPENSSL)/lib -lssl -lcrypto --- 58,62 ---- MOD = nsopenssl.so ! MODOBJS = nsopenssl.o HDRS = nsopenssl.h MODLIBS = -L$(OPENSSL)/lib -lssl -lcrypto *************** *** 54,70 **** TCLMOD = https.tcl - # XXX take out the -g for production - CFLAGS += -g - - # - # Extra libraries required by your module (-L and -l go here) - # - # Add static compilation ability, per grax3272 ! 
#MODLIBS = -L$(OPENSSL)/lib ../openssl-0.9.6g/libssl.a ../openssl-0.9.6g/libcrypto.a#-lssl -lcrypto # - # Compiler flags required by your module (-I for external headers goes here). - # # Kerberos headers are included in case your OpenSSL library was built with # Kerberos support. This is generally true on RedHat 9 and possibly Fedora --- 64,73 ---- TCLMOD = https.tcl # Add static compilation ability, per grax3272 ! ifeq ($(STATIC),1) ! MODLIBS = $(OPENSSL)/lib/libssl.a $(OPENSSL)/lib/libcrypto.a ! endif # # Kerberos headers are included in case your OpenSSL library was built with # Kerberos support. This is generally true on RedHat 9 and possibly Fedora *************** *** 75,82 **** CFLAGS += -I$(OPENSSL)/include -I/usr/kerberos/include ! # ! # The common Makefile defined by AOLserver for making modules ! # ! include $(NSHOME)/include/Makefile.module # --- 78,93 ---- CFLAGS += -I$(OPENSSL)/include -I/usr/kerberos/include ! INSTALL = install-https.tcl ! ! include $(AOLSERVER)/include/Makefile.module ! ! ## ! ## Extra install targets. ! ## ! ! install-https.tcl: ! $(INSTALL_SH) $(TCLMOD) $(INSTTCL) ! ! .PHONY: install-https.tcl # *************** *** 105,109 **** # tag: ! @if [ "$$VER" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi cvs rtag v$(VER_) $(MODNAME) --- 116,120 ---- # tag: ! @if [ "$(VER)" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi cvs rtag v$(VER_) $(MODNAME) *************** *** 112,171 **** # file-release: ! @if [ "$$VER" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi ! /bin/rm -rf /tmp/file-release ! /bin/mkdir /tmp/file-release ! echo "(Just hit the return key when prompted for CVS password)" ! cvs -d :pserver:ano...@cv...:/cvsroot/aolserver login ! (cd /tmp/file-release && cvs -d :pserver:ano...@cv...:/cvsroot/aolserver co -r v$(VER_) $(MODNAME)) ! mv /tmp/file-release/$(MODNAME) /tmp/file-release/$(MODNAME)-$(VER) ! 
(cd /tmp/file-release && tar czf $(MODNAME)-$(VER).tar.gz $(MODNAME)-$(VER)) ! /bin/mv /tmp/file-release/$(MODNAME)-$(VER).tar.gz /tmp ! rm -rf /tmp/file-release echo "--- FILE RELEASE is: /tmp/$(MODNAME)-$(VER).tar.gz" ! # XXX alter this to work with sed or tcl instead of perl ! # perl -pi -e 's/\@VER\@/$(VER)/g' work/nscache/index.html work/nscache/tclcache.c ! ! # ! # Check to see that the OPENSSL variable has been set ! # ! .PHONY: check-env ! nsopenssl.h: check-env ! check-env: ! @if [ "$(OPENSSL)" = "" ]; then \ ! echo "** "; \ ! echo "** OPENSSL variable not set."; \ ! echo "** nsopenssl.so will not be built."; \ ! echo "** Usage: make OPENSSL=/path/to/openssl"; \ ! echo "** Usage: make install OPENSSL=/path/to/openssl INST=/path/to/aolserver"; \ ! echo "** "; \ ! exit 1; \ ! fi ! ! # ! # This overrides the install directive in $(NSHOME)/include/Makefile.module because we ! # have a Tcl module (https.tcl) to install as well. ! # ! install: all ! $(RM) $(INSTBIN)/$(MOD) ! $(CP) $(MOD) $(INSTBIN) ! $(MKDIR) $(INSTTCL) ! $(CP) $(TCLMOD) $(INSTTCL) ! ! ## NOTES ################################################################################# ! ! # Solaris users *might* need the following, ! # but you'll need to modify it to point to where ! # your libgcc.a lives. Replace the MODLIBS above with ! # this: ! # ! # MODLIBS = -L$(OPENSSL)/lib -lssl -lcrypto \ ! # -L/usr/local/products/gcc-2.95/lib/gcc-lib/sparc-sun-solaris2.5.1/2.95 -lgcc ! ! ! # For development purposes, put the GCCOPT above somewhere ! # to turn off 'no-unused' so gcc will report unused funcs ! # and variables. ! # ! # GCCOPT = $(GCCOPTIMIZE) -fPIC -Wall ! --- 123,131 ---- # file-release: ! @if [ "$(VER)" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi ! @echo "(Just hit the return key when prompted for CVS password)" ! cvs -d :pserver:ano...@cv...:/cvsroot/aolserver login ! 
cd /tmp && cvs -d :pserver:ano...@cv...:/cvsroot/aolserver co -rv$(VER_) -d$(MODNAME)-$(VER) $(MODNAME) && tar cf - $(MODNAME)-$(VER) | gzip -c > $(MODNAME)-$(VER).tar.gz echo "--- FILE RELEASE is: /tmp/$(MODNAME)-$(VER).tar.gz" ! endif Index: nsopenssl.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/nsopenssl.c,v retrieving revision 1.76 retrieving revision 1.77 diff -C2 -d -r1.76 -r1.77 *** nsopenssl.c 27 Oct 2004 16:40:08 -0000 1.76 --- nsopenssl.c 20 Nov 2004 06:42:54 -0000 1.77 *************** *** 25,28 **** --- 25,30 ---- * Freddie Mendoze and Rob Mayoff. * + * Portions created by AOL are Copyright (C) 1999 America Online, Inc. + * All Rights Reserved. */ *************** *** 33,108 **** */ ! static const char *RCSID = ! "@(#) $Header$, compiled: " ! __DATE__ " " __TIME__; #include "nsopenssl.h" ! /* ! * Globals defined in this file ! */ ! ! extern Tcl_HashTable ! NsOpenSSLServers; ! ! extern void ! NsOpenSSLDriversLoad(char *server); ! ! /* ! * Local functions defined in this file. ! */ ! ! static int ! InitOpenSSL(void); ! ! static void ! InitServerState(char *server); ! ! static int ! SeedPRNG(void); ! ! static Ns_Mutex ! *locks; ! ! static void ! ThreadLockCallback(int mode, int n, const char *file, int line); ! ! static unsigned long ! ThreadIdCallback(void); ! ! static struct ! CRYPTO_dynlock_value *ThreadDynlockCreateCallback(char *file, int line); ! ! static void ! ThreadDynlockLockCallback(int mode, struct CRYPTO_dynlock_value *dynlock, const char *file, int line); ! ! static void ! ThreadDynlockDestroyCallback(struct CRYPTO_dynlock_value *dynlock, const char *file, int line); ! ! static void ! ServerShutdown(void *arg); ! ! static void ! LoadSSLContexts(char *server); ! ! static NsOpenSSLContext * ! LoadSSLContext(char *server, char *name); ! ! static int ! InitSSLDriver(char *server, NsOpenSSLDriver *ssldriver); ! ! static void ! LoadSSLDrivers(char *server); ! #if 0 ! static void ! 
OpenSSLDriverDestroy(NsOpenSSLDriver *ssldriver); ! #endif ! static Ns_DriverProc ! OpenSSLProc; ! NS_EXPORT int ! Ns_ModuleVersion = 1; --- 35,64 ---- */ ! static const char *RCSID = "@(#) $Header$, compiled: " __DATE__ " " __TIME__; #include "nsopenssl.h" ! extern Tcl_HashTable NsOpenSSLServers; ! extern void NsOpenSSLDriversLoad(char *server); ! extern int NsMakeTmpRSAKey(int keylen); ! static Ns_Mutex *locks; ! static Ns_DriverProc OpenSSLProc; ! static int InitOpenSSL(void); ! static void InitServerState(char *server); ! static int SeedPRNG(void); ! static void ThreadLockCallback(int mode, int n, const char *file, int line); ! static unsigned long ThreadIdCallback(void); ! static struct CRYPTO_dynlock_value *ThreadDynlockCreateCallback(char *file, int line); ! static void ThreadDynlockLockCallback(int mode, struct CRYPTO_dynlock_value *dynlock, const char *file, int line); ! static void ThreadDynlockDestroyCallback(struct CRYPTO_dynlock_value *dynlock, const char *file, int line); ! static void ServerShutdown(void *arg); ! static void LoadSSLContexts(char *server); ! static NsOpenSSLContext *LoadSSLContext(char *server, char *name); ! static int InitSSLDriver(char *server, NsOpenSSLDriver *ssldriver); ! static void LoadSSLDrivers(char *server); ! int Ns_ModuleVersion = 1; *************** *** 122,129 **** */ ! extern int Ns_ModuleInit(char *server, char *module) { ! static int globalInit = 0; /* --- 78,86 ---- */ ! int Ns_ModuleInit(char *server, char *module) { ! static int initialized = NS_FALSE; ! int i; /* *************** *** 131,135 **** */ ! if (!globalInit) { if (!STREQ(module, MODULE)) { Ns_Log(Fatal, "Module '%s' should be named '%s'", module, MODULE); --- 88,92 ---- */ ! if (initialized == NS_FALSE) { if (!STREQ(module, MODULE)) { Ns_Log(Fatal, "Module '%s' should be named '%s'", module, MODULE); *************** *** 140,144 **** } Tcl_InitHashTable(&NsOpenSSLServers, TCL_STRING_KEYS); ! 
globalInit = 1; } --- 97,109 ---- } Tcl_InitHashTable(&NsOpenSSLServers, TCL_STRING_KEYS); ! ! /* ! * Pre-generate temporary RSA keys for 512 and 1024 bit keys. ! */ ! ! NsMakeTmpRSAKey(512); ! NsMakeTmpRSAKey(1024); ! ! initialized = NS_TRUE; } Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.9 retrieving revision 1.10 diff -C2 -d -r1.9 -r1.10 *** sslcontext.c 21 Sep 2004 23:32:55 -0000 1.9 --- sslcontext.c 20 Nov 2004 06:42:54 -0000 1.10 *************** *** 24,27 **** --- 24,30 ---- * Module originally written by Stefan Arentz. Early contributions made by * Freddie Mendoze and Rob Mayoff. + * + * Portions created by AOL are Copyright (C) 1999 America Online, Inc. + * All Rights Reserved. */ *************** *** 32,82 **** */ ! static const char *RCSID = ! "@(#) $Header$, compiled: " ! __DATE__ " " __TIME__; #include "nsopenssl.h" ! Tcl_HashTable ! NsOpenSSLServers; ! ! static RSA * ! IssueTmpRSAKey(SSL *ssl, int export, int keylen); ! ! static char * ! SSLContextSessionCacheIdNew(char *server); ! ! static void ! OpenSSLTrace(SSL *ssl, int where, int rc); ! ! static void ! SSLContextCAFileInit(NsOpenSSLContext *sslcontext); ! ! static void ! SSLContextCADirInit(NsOpenSSLContext *sslcontext); ! ! static int ! SSLContextCiphersInit(NsOpenSSLContext *sslcontext); ! ! static int ! SSLContextProtocolsInit(NsOpenSSLContext *sslcontext); ! ! static int ! SSLContextCertFileInit(NsOpenSSLContext *sslcontext); ! ! static void ! SSLContextPeerVerifyInit(NsOpenSSLContext *sslcontext); ! ! static void ! SSLContextPeerVerifyDepthInit(NsOpenSSLContext *sslcontext); ! ! static void ! SSLContextSessionCacheInit(NsOpenSSLContext *sslcontext); ! ! static void ! SSLContextTraceInit(NsOpenSSLContext *sslcontext); ! static int ! PeerVerifyCallback(int preverify_ok, X509_STORE_CTX *x509_ctx); --- 35,58 ---- */ ! 
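Review bot: The `NsMakeTmpRSAKey(512);` and `NsMakeTmpRSAKey(1024);` calls added to Ns_ModuleInit discard the function's return value, so a generation failure leaves rsa_512 or rsa_1024 NULL and IssueTmpRSAKey later hands OpenSSL a NULL key, which only surfaces as a failed handshake on the first connection that needs it. Since this same function already treats a misnamed module as fatal, key generation at startup deserves the same: `if (NsMakeTmpRSAKey(512) != NS_OK || NsMakeTmpRSAKey(1024) != NS_OK) { Ns_Log(Fatal, "%s: failed to generate temporary RSA keys", MODULE); }`. Ns_ModuleInit continues past the end of this hunk, so whether the `int i;` added in the earlier hunk is used cannot be judged from here.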
static const char *RCSID = "@(#) $Header$, compiled: " __DATE__ " " __TIME__; #include "nsopenssl.h" ! Tcl_HashTable NsOpenSSLServers; ! RSA *rsa_512, *rsa_1024; ! static RSA *IssueTmpRSAKey(SSL *ssl, int export, int keylen); ! static char *SSLContextSessionCacheIdNew(char *server); ! static void OpenSSLTrace(SSL *ssl, int where, int rc); ! static void SSLContextCAFileInit(NsOpenSSLContext *sslcontext); ! static void SSLContextCADirInit(NsOpenSSLContext *sslcontext); ! static int SSLContextCiphersInit(NsOpenSSLContext *sslcontext); ! static int SSLContextProtocolsInit(NsOpenSSLContext *sslcontext); ! static int SSLContextCertFileInit(NsOpenSSLContext *sslcontext); ! static void SSLContextPeerVerifyInit(NsOpenSSLContext *sslcontext); ! static void SSLContextPeerVerifyDepthInit(NsOpenSSLContext *sslcontext); ! static void SSLContextSessionCacheInit(NsOpenSSLContext *sslcontext); ! static void SSLContextTraceInit(NsOpenSSLContext *sslcontext); ! static int PeerVerifyCallback(int preverify_ok, X509_STORE_CTX *x509_ctx); *************** *** 1357,1365 **** * IssueTmpRSAKey -- * ! * Give out the temporary key when needed. This is a callback function ! * used by OpenSSL and is required for 40-bit browsers. * * Results: ! * Returns a pointer to the new temporary key. * * Side effects: --- 1333,1341 ---- * IssueTmpRSAKey -- * ! * Give out the temporary key when needed. This is a callback ! * function used by OpenSSL and is required for 40-bit browsers. * * Results: ! * Returns a pointer to the server's temporary RSA key. * * Side effects: *************** *** 1372,1394 **** IssueTmpRSAKey(SSL *ssl, int export, int keylen) { ! NsOpenSSLConn *sslconn; ! RSA *rsa_tmp; ! char *server = "none"; sslconn = (NsOpenSSLConn *) SSL_get_app_data(ssl); ! if (sslconn && sslconn->ssldriver) { server = sslconn->ssldriver->server; } ! rsa_tmp = RSA_generate_key(keylen, RSA_F4, NULL, NULL); ! if (rsa_tmp == NULL) { ! Ns_Log(Error, "%s (%s): Error generating %u-bit temporary RSA key", ! 
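Review bot: `RSA *rsa_512, *rsa_1024;` are defined with external linkage although, as far as this diff shows, only IssueTmpRSAKey and NsMakeTmpRSAKey in sslcontext.c touch them; `static RSA *rsa_512, *rsa_1024;` keeps them out of the module's global namespace. In the same spirit, the new NsMakeTmpRSAKey prototype is declared with a bare `extern` inside nsopenssl.c rather than in nsopenssl.h, so the definition and its caller can drift apart without a compiler diagnostic; a one-line declaration in the shared header avoids that. A comment on the two globals would also help readers, e.g. `/* Process-wide temporary RSA keys, generated once by NsMakeTmpRSAKey at module init and handed out by IssueTmpRSAKey. */`.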
MODULE, server, keylen); ! } else { ! Ns_Log(Notice, "%s (%s): Generated %u-bit temporary RSA key", ! MODULE, server, keylen); } ! return rsa_tmp; } --- 1348,1401 ---- IssueTmpRSAKey(SSL *ssl, int export, int keylen) { ! NsOpenSSLConn *sslconn; ! char *server = "none"; ! RSA *rsaPtr = NULL; sslconn = (NsOpenSSLConn *) SSL_get_app_data(ssl); ! if (sslconn != NULL && sslconn->ssldriver != NULL) { server = sslconn->ssldriver->server; } ! switch (keylen) { ! case 512: ! rsaPtr = rsa_512; ! break; ! ! case 1024: ! rsaPtr = rsa_1024; ! break; ! ! default: ! Ns_Log(Error, "nsopenssl (%s): unexpected request for a %d-bit temporary RSA key", server, keylen); ! break; } ! return rsaPtr; ! } ! ! int ! NsMakeTmpRSAKey(int keylen) ! { ! RSA **rsaPtrPtr; ! ! switch (keylen) { ! case 512: ! rsaPtrPtr = &rsa_512; ! break; ! ! case 1024: ! rsaPtrPtr = &rsa_1024; ! break; ! ! default: ! Ns_Log(Error, "nsopenssl: unexpected request to generate a %d-bit temporary RSA key", keylen); ! return NS_ERROR; ! } ! ! Ns_Log(Notice, "nsopenssl: generating %d-bit temporary RSA key ...", ! keylen); ! *rsaPtrPtr = RSA_generate_key(keylen, RSA_F4, NULL, NULL); ! ! return NS_OK; } |
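Review bot: `*rsaPtrPtr = RSA_generate_key(keylen, RSA_F4, NULL, NULL);` in NsMakeTmpRSAKey is never checked and the function returns NS_OK regardless, so the error log the old per-connection code emitted on generation failure is gone and a NULL key is silently installed; every later IssueTmpRSAKey call for that size then returns NULL to OpenSSL. The change below adds the check and returns NS_ERROR, matching the existing default-case path. It is also worth a comment at the assignment that, unlike the previous per-callback generation, one key of each size now serves every connection for the process lifetime, and nothing in this diff frees it (ServerShutdown would be the natural place for an RSA_free); that is the trade-off that closes the leak. The `static RSA *` return-type line of IssueTmpRSAKey sits just above the hunk's first context line.
```c
    /* … unchanged: keylen switch selecting rsaPtrPtr … */

    Ns_Log(Notice, "nsopenssl: generating %d-bit temporary RSA key ...",
        keylen);
    /* One key per size is shared by all connections for the process lifetime. */
    *rsaPtrPtr = RSA_generate_key(keylen, RSA_F4, NULL, NULL);
    if (*rsaPtrPtr == NULL) {
        Ns_Log(Error, "nsopenssl: failed to generate %d-bit temporary RSA key",
            keylen);
        return NS_ERROR;
    }

    return NS_OK;
```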