[AOLSERVER-COMMITS] nsopenssl Makefile,1.43,1.44 nsopenssl.c,1.76,1.77 sslcontext.c,1.9,1.10

[<do...@us...>]

Update of /cvsroot/aolserver/nsopenssl
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23495

Modified Files:
	Makefile nsopenssl.c sslcontext.c 
Log Message:
Fix memory leak in IssueTmpRSAKey, introducing new NsMakeTmpRSAKey and
pre-generating 512-bit and 1024-bit temporary RSA keys at nsopenssl
module initialization time.  Closes SF Bug #1069595.


Index: Makefile
===================================================================
RCS file: /cvsroot/aolserver/nsopenssl/Makefile,v
retrieving revision 1.43
retrieving revision 1.44
diff -C2 -d -r1.43 -r1.44
*** Makefile	14 Apr 2004 01:07:54 -0000	1.43
--- Makefile	20 Nov 2004 06:42:54 -0000	1.44
***************
*** 22,37 ****
  # Copyright (C) 2001-2003 Scott S. Goodwin
  #
  # $Header$
  #
  
! # XXX AOLserver 3.x defines this, but AOLserver 4.x uses the install binary
! # XXX instead. We'll need to update all the modules to use install
! CP = /bin/cp -fp
  
- ifdef INST
- NSHOME ?= $(INST)
  else
- NSHOME ?= ../aolserver
- endif
  
  #
--- 22,47 ----
  # Copyright (C) 2001-2003 Scott S. Goodwin
  #
+ # Portions created by AOL are Copyright (C) 1999 America Online, Inc.  All
+ # Rights Reserved.
+ #
+ #
  # $Header$
  #
  
! AOLSERVER ?= ../aolserver
! 
! ifndef OPENSSL
! 
! all:
! 	@echo "** "
! 	@echo "** OPENSSL variable not set."
! 	@echo "** nsopenssl will not be built."
! 	@echo "** "
! 
! install: all
! 
! clean:
  
  else
  
  #
***************
*** 48,52 ****
  
  MOD      = nsopenssl.so
! OBJS     = nsopenssl.o
  HDRS     = nsopenssl.h
  MODLIBS  = -L$(OPENSSL)/lib -lssl -lcrypto
--- 58,62 ----
  
  MOD      = nsopenssl.so
! MODOBJS  = nsopenssl.o
  HDRS     = nsopenssl.h
  MODLIBS  = -L$(OPENSSL)/lib -lssl -lcrypto
***************
*** 54,70 ****
  TCLMOD   = https.tcl
  
- # XXX take out the -g for production
- CFLAGS += -g
- 
- #
- # Extra libraries required by your module (-L and -l go here)
- #
- 
  # Add static compilation ability, per grax3272
! #MODLIBS  =  -L$(OPENSSL)/lib ../openssl-0.9.6g/libssl.a ../openssl-0.9.6g/libcrypto.a#-lssl -lcrypto
  
  #
- # Compiler flags required by your module (-I for external headers goes here).
- #
  # Kerberos headers are included in case your OpenSSL library was built with
  # Kerberos support. This is generally true on RedHat 9 and possibly Fedora
--- 64,73 ----
  TCLMOD   = https.tcl
  
  # Add static compilation ability, per grax3272
! ifeq ($(STATIC),1)
! 	MODLIBS	= $(OPENSSL)/lib/libssl.a $(OPENSSL)/lib/libcrypto.a
! endif
  
  #
  # Kerberos headers are included in case your OpenSSL library was built with
  # Kerberos support. This is generally true on RedHat 9 and possibly Fedora
***************
*** 75,82 ****
  CFLAGS   += -I$(OPENSSL)/include -I/usr/kerberos/include
  
! #
! # The common Makefile defined by AOLserver for making modules
! #
! include  $(NSHOME)/include/Makefile.module
  
  #
--- 78,93 ----
  CFLAGS   += -I$(OPENSSL)/include -I/usr/kerberos/include
  
! INSTALL	= install-https.tcl
! 
! include  $(AOLSERVER)/include/Makefile.module
! 
! ##
! ## Extra install targets.
! ##
! 
! install-https.tcl:
! 	$(INSTALL_SH) $(TCLMOD) $(INSTTCL)
! 
! .PHONY: install-https.tcl
  
  #
***************
*** 105,109 ****
  #
  tag:
! 	@if [ "$$VER" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi
  	cvs rtag v$(VER_) $(MODNAME)
  
--- 116,120 ----
  #
  tag:
! 	@if [ "$(VER)" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi
  	cvs rtag v$(VER_) $(MODNAME)
  
***************
*** 112,171 ****
  #
  file-release:
! 	@if [ "$$VER" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi
! 	/bin/rm -rf /tmp/file-release
! 	/bin/mkdir /tmp/file-release
! 	echo "(Just hit the return key when prompted for CVS password)"
! 	cvs -d :pserver:ano...@cv...:/cvsroot/aolserver login
! 	(cd /tmp/file-release && cvs -d :pserver:ano...@cv...:/cvsroot/aolserver co -r v$(VER_) $(MODNAME))
! 	mv /tmp/file-release/$(MODNAME) /tmp/file-release/$(MODNAME)-$(VER)
! 	(cd /tmp/file-release && tar czf $(MODNAME)-$(VER).tar.gz $(MODNAME)-$(VER))
! 	/bin/mv /tmp/file-release/$(MODNAME)-$(VER).tar.gz /tmp
! 	rm -rf /tmp/file-release
  	echo "--- FILE RELEASE is: /tmp/$(MODNAME)-$(VER).tar.gz"
  
! # XXX alter this to work with sed or tcl instead of perl
! # perl -pi -e 's/\@VER\@/$(VER)/g' work/nscache/index.html work/nscache/tclcache.c
! 
! #
! # Check to see that the OPENSSL variable has been set
! #
! .PHONY: check-env
! nsopenssl.h: check-env
! check-env:
! 	@if [ "$(OPENSSL)" = "" ]; then \
! 	    echo "** "; \
! 	    echo "** OPENSSL variable not set."; \
! 	    echo "** nsopenssl.so will not be built."; \
! 	    echo "** Usage: make OPENSSL=/path/to/openssl"; \
! 	    echo "** Usage: make install OPENSSL=/path/to/openssl INST=/path/to/aolserver"; \
! 	    echo "** "; \
! 	    exit 1; \
! 	fi
! 
! #
! # This overrides the install directive in $(NSHOME)/include/Makefile.module because we
! # have a Tcl module (https.tcl) to install as well.
! #
! install: all
! 	$(RM) $(INSTBIN)/$(MOD)
! 	$(CP) $(MOD) $(INSTBIN)
! 	$(MKDIR) $(INSTTCL)
! 	$(CP) $(TCLMOD) $(INSTTCL)
! 
! ## NOTES #################################################################################
! 
! # Solaris users *might* need the following, 
! # but you'll need to modify it to point to where 
! # your libgcc.a lives. Replace the MODLIBS above with
! # this:
! #
! #   MODLIBS  =  -L$(OPENSSL)/lib -lssl -lcrypto \
! #   -L/usr/local/products/gcc-2.95/lib/gcc-lib/sparc-sun-solaris2.5.1/2.95 -lgcc
! 
! 
! # For development purposes, put the GCCOPT above somewhere
! # to turn off 'no-unused' so gcc will report unused funcs
! # and variables.
! #
! #   GCCOPT       =   $(GCCOPTIMIZE) -fPIC -Wall
! 
--- 123,131 ----
  #
  file-release:
! 	@if [ "$(VER)" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi
! 	@echo "(Just hit the return key when prompted for CVS password)"
! 	cvs -d :pserver:ano...@cv...:/cvsroot/aolserver login
! 	cd /tmp && cvs -d :pserver:ano...@cv...:/cvsroot/aolserver co -rv$(VER_) -d$(MODNAME)-$(VER) $(MODNAME) && tar cf - $(MODNAME)-$(VER) | gzip -c > $(MODNAME)-$(VER).tar.gz
  	echo "--- FILE RELEASE is: /tmp/$(MODNAME)-$(VER).tar.gz"
  
! endif

Index: nsopenssl.c
===================================================================
RCS file: /cvsroot/aolserver/nsopenssl/nsopenssl.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -C2 -d -r1.76 -r1.77
*** nsopenssl.c	27 Oct 2004 16:40:08 -0000	1.76
--- nsopenssl.c	20 Nov 2004 06:42:54 -0000	1.77
***************
*** 25,28 ****
--- 25,30 ----
   * Freddie Mendoze and Rob Mayoff.
   *
+  * Portions created by AOL are Copyright (C) 1999 America Online, Inc.
+  * All Rights Reserved.
   */
  
***************
*** 33,108 ****
   */
  
! static const char *RCSID =
!     "@(#) $Header$, compiled: "
!     __DATE__ " " __TIME__;
  
  #include "nsopenssl.h"
  
! /*
!  * Globals defined in this file
!  */
! 
! extern Tcl_HashTable
! NsOpenSSLServers;
! 
! extern void
! NsOpenSSLDriversLoad(char *server);
! 
! /*
!  * Local functions defined in this file.
!  */
! 
! static int
! InitOpenSSL(void);
! 
! static void
! InitServerState(char *server);
! 
! static int
! SeedPRNG(void);
! 
! static Ns_Mutex
! *locks;
! 
! static void
! ThreadLockCallback(int mode, int n, const char *file, int line);
! 
! static unsigned long
! ThreadIdCallback(void);
! 
! static struct
! CRYPTO_dynlock_value *ThreadDynlockCreateCallback(char *file, int line);
! 
! static void 
! ThreadDynlockLockCallback(int mode, struct CRYPTO_dynlock_value *dynlock, const char *file, int line);
! 
! static void
! ThreadDynlockDestroyCallback(struct CRYPTO_dynlock_value *dynlock, const char *file, int line);
! 
! static void
! ServerShutdown(void *arg);
! 
! static void 
! LoadSSLContexts(char *server);
! 
! static NsOpenSSLContext *
! LoadSSLContext(char *server, char *name);
! 
! static int
! InitSSLDriver(char *server, NsOpenSSLDriver *ssldriver);
! 
! static void
! LoadSSLDrivers(char *server);
  
! #if 0
! static void
! OpenSSLDriverDestroy(NsOpenSSLDriver *ssldriver);
! #endif
  
! static Ns_DriverProc
! OpenSSLProc;
  
! NS_EXPORT int 
! Ns_ModuleVersion = 1;
  
  
--- 35,64 ----
   */
  
! static const char *RCSID = "@(#) $Header$, compiled: " __DATE__ " " __TIME__;
  
  #include "nsopenssl.h"
  
! extern Tcl_HashTable NsOpenSSLServers;
! extern void     NsOpenSSLDriversLoad(char *server);
! extern int      NsMakeTmpRSAKey(int keylen);
  
! static Ns_Mutex *locks;
! static Ns_DriverProc OpenSSLProc;
  
! static int      InitOpenSSL(void);
! static void     InitServerState(char *server);
! static int      SeedPRNG(void);
! static void     ThreadLockCallback(int mode, int n, const char *file, int line);
! static unsigned long ThreadIdCallback(void);
! static struct CRYPTO_dynlock_value *ThreadDynlockCreateCallback(char *file, int line);
! static void     ThreadDynlockLockCallback(int mode, struct CRYPTO_dynlock_value *dynlock, const char *file, int line);
! static void     ThreadDynlockDestroyCallback(struct CRYPTO_dynlock_value *dynlock, const char *file, int line);
! static void     ServerShutdown(void *arg);
! static void     LoadSSLContexts(char *server);
! static NsOpenSSLContext *LoadSSLContext(char *server, char *name);
! static int      InitSSLDriver(char *server, NsOpenSSLDriver *ssldriver);
! static void     LoadSSLDrivers(char *server);
  
! int Ns_ModuleVersion = 1;
  
  
***************
*** 122,129 ****
   */
  
! extern int
  Ns_ModuleInit(char *server, char *module)
  {
!     static int globalInit = 0;
  
      /* 
--- 78,86 ----
   */
  
! int
  Ns_ModuleInit(char *server, char *module)
  {
!     static int  initialized = NS_FALSE;
!     int         i;
  
      /* 
***************
*** 131,135 ****
       */
  
!     if (!globalInit) {
          if (!STREQ(module, MODULE)) {
              Ns_Log(Fatal, "Module '%s' should be named '%s'", module, MODULE);
--- 88,92 ----
       */
  
!     if (initialized == NS_FALSE) {
          if (!STREQ(module, MODULE)) {
              Ns_Log(Fatal, "Module '%s' should be named '%s'", module, MODULE);
***************
*** 140,144 ****
          }
          Tcl_InitHashTable(&NsOpenSSLServers, TCL_STRING_KEYS);
!         globalInit = 1;
      }
  
--- 97,109 ----
          }
          Tcl_InitHashTable(&NsOpenSSLServers, TCL_STRING_KEYS);
! 
!         /*
!          * Pre-generate temporary RSA keys for 512 and 1024 bit keys.
!          */
! 
!         NsMakeTmpRSAKey(512);
!         NsMakeTmpRSAKey(1024);
! 
!         initialized = NS_TRUE;
      }
  

Index: sslcontext.c
===================================================================
RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -C2 -d -r1.9 -r1.10
*** sslcontext.c	21 Sep 2004 23:32:55 -0000	1.9
--- sslcontext.c	20 Nov 2004 06:42:54 -0000	1.10
***************
*** 24,27 ****
--- 24,30 ----
   * Module originally written by Stefan Arentz. Early contributions made by
   * Freddie Mendoze and Rob Mayoff.
+  *
+  * Portions created by AOL are Copyright (C) 1999 America Online, Inc.
+  * All Rights Reserved.
   */
  
***************
*** 32,82 ****
   */
  
! static const char *RCSID =
!     "@(#) $Header$, compiled: "
!     __DATE__ " " __TIME__;
  
  #include "nsopenssl.h"
  
! Tcl_HashTable
! NsOpenSSLServers;
! 
! static RSA *
! IssueTmpRSAKey(SSL *ssl, int export, int keylen);
! 
! static char *
! SSLContextSessionCacheIdNew(char *server);
! 
! static void
! OpenSSLTrace(SSL *ssl, int where, int rc);
! 
! static void
! SSLContextCAFileInit(NsOpenSSLContext *sslcontext);
! 
! static void
! SSLContextCADirInit(NsOpenSSLContext *sslcontext);
! 
! static int 
! SSLContextCiphersInit(NsOpenSSLContext *sslcontext);
! 
! static int
! SSLContextProtocolsInit(NsOpenSSLContext *sslcontext);
! 
! static int
! SSLContextCertFileInit(NsOpenSSLContext *sslcontext);
! 
! static void
! SSLContextPeerVerifyInit(NsOpenSSLContext *sslcontext);
! 
! static void
! SSLContextPeerVerifyDepthInit(NsOpenSSLContext *sslcontext);
! 
! static void
! SSLContextSessionCacheInit(NsOpenSSLContext *sslcontext);
! 
! static void
! SSLContextTraceInit(NsOpenSSLContext *sslcontext);
  
! static int
! PeerVerifyCallback(int preverify_ok, X509_STORE_CTX *x509_ctx);
  
  
--- 35,58 ----
   */
  
! static const char *RCSID = "@(#) $Header$, compiled: " __DATE__ " " __TIME__;
  
  #include "nsopenssl.h"
  
! Tcl_HashTable NsOpenSSLServers;
! RSA *rsa_512, *rsa_1024;
  
! static RSA      *IssueTmpRSAKey(SSL *ssl, int export, int keylen);
! static char     *SSLContextSessionCacheIdNew(char *server);
! static void     OpenSSLTrace(SSL *ssl, int where, int rc);
! static void     SSLContextCAFileInit(NsOpenSSLContext *sslcontext);
! static void     SSLContextCADirInit(NsOpenSSLContext *sslcontext);
! static int      SSLContextCiphersInit(NsOpenSSLContext *sslcontext);
! static int      SSLContextProtocolsInit(NsOpenSSLContext *sslcontext);
! static int      SSLContextCertFileInit(NsOpenSSLContext *sslcontext);
! static void     SSLContextPeerVerifyInit(NsOpenSSLContext *sslcontext);
! static void     SSLContextPeerVerifyDepthInit(NsOpenSSLContext *sslcontext);
! static void     SSLContextSessionCacheInit(NsOpenSSLContext *sslcontext);
! static void     SSLContextTraceInit(NsOpenSSLContext *sslcontext);
! static int      PeerVerifyCallback(int preverify_ok, X509_STORE_CTX *x509_ctx);
  
  
***************
*** 1357,1365 ****
   * IssueTmpRSAKey --
   *
!  *       Give out the temporary key when needed. This is a callback function
!  *       used by OpenSSL and is required for 40-bit browsers.
   *
   * Results:
!  *       Returns a pointer to the new temporary key.
   *
   * Side effects:
--- 1333,1341 ----
   * IssueTmpRSAKey --
   *
!  *       Give out the temporary key when needed.  This is a callback
!  *       function used by OpenSSL and is required for 40-bit browsers.
   *
   * Results:
!  *       Returns a pointer to the server's temporary RSA key.
   *
   * Side effects:
***************
*** 1372,1394 ****
  IssueTmpRSAKey(SSL *ssl, int export, int keylen)
  {
!     NsOpenSSLConn *sslconn;
!     RSA *rsa_tmp;
!     char *server = "none";
  
      sslconn = (NsOpenSSLConn *) SSL_get_app_data(ssl);
!     if (sslconn && sslconn->ssldriver) {
          server = sslconn->ssldriver->server;
      }
  
!     rsa_tmp = RSA_generate_key(keylen, RSA_F4, NULL, NULL);
!     if (rsa_tmp == NULL) {
!         Ns_Log(Error, "%s (%s): Error generating %u-bit temporary RSA key",
!                 MODULE, server, keylen);
!     } else {
!         Ns_Log(Notice, "%s (%s): Generated %u-bit temporary RSA key",
!                 MODULE, server, keylen);
      }
  
!     return rsa_tmp;
  }
  
--- 1348,1401 ----
  IssueTmpRSAKey(SSL *ssl, int export, int keylen)
  {
!     NsOpenSSLConn   *sslconn;
!     char            *server = "none";
!     RSA             *rsaPtr = NULL;
  
      sslconn = (NsOpenSSLConn *) SSL_get_app_data(ssl);
!     if (sslconn != NULL && sslconn->ssldriver != NULL) {
          server = sslconn->ssldriver->server;
      }
  
!     switch (keylen) {
!     case 512:
!         rsaPtr = rsa_512;
!         break;
! 
!     case 1024:
!         rsaPtr = rsa_1024;
!         break;
! 
!     default:
!         Ns_Log(Error, "nsopenssl (%s): unexpected request for a %d-bit temporary RSA key", server, keylen);
!         break;
      }
  
!     return rsaPtr;
! }
! 
! int 
! NsMakeTmpRSAKey(int keylen)
! {
!     RSA **rsaPtrPtr;
! 
!     switch (keylen) {
!     case 512:
!         rsaPtrPtr = &rsa_512;
!         break;
! 
!     case 1024:
!         rsaPtrPtr = &rsa_1024;
!         break;
! 
!     default:
!         Ns_Log(Error, "nsopenssl: unexpected request to generate a %d-bit temporary RSA key", keylen);
!         return NS_ERROR;
!     }
! 
!     Ns_Log(Notice, "nsopenssl: generating %d-bit temporary RSA key ...",
!             keylen);
!     *rsaPtrPtr = RSA_generate_key(keylen, RSA_F4, NULL, NULL);
! 
!     return NS_OK;
  }