- Fix openssl race condition, initializes openssl locks, reported

  by Einar Lonn and Patrik Wallstrom.

git-svn-id: file:///svn/unbound/trunk@2733 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/daemon/daemon.c b/daemon/daemon.c
index b17d5488184ef65fe2934a4ced8e53054787a5b7..534f2a4cfb2773af0f68d210dd2577dfe8f2dbc0 100644 (file)
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -209,6 +209,10 @@ daemon_init(void)
        comp_meth = (void*)SSL_COMP_get_compression_methods();
 #  endif
        (void)SSL_library_init();
+#  if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+       if(!ub_openssl_lock_init())
+               fatal_exit("could not init openssl locks");
+#  endif
 #elif defined(HAVE_NSS)
        if(NSS_NoDB_Init(NULL) != SECSuccess)
                fatal_exit("could not init NSS");
@@ -568,6 +572,9 @@ daemon_delete(struct daemon* daemon)
        ERR_remove_state(0);
        ERR_free_strings();
        RAND_cleanup();
+#  if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+       ub_openssl_lock_delete();
+#  endif
 #elif defined(HAVE_NSS)
        NSS_Shutdown();
 #endif /* HAVE_SSL or HAVE_NSS */

diff --git a/doc/Changelog b/doc/Changelog
index 80d7c4aad4c4a8303986a52c3f0b0437d0c04a06..c645075dac65d35bc5ddd6abcf8b9bb320889e01 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+1 August 2012: Wouter
+       - Fix openssl race condition, initializes openssl locks, reported
+         by Einar Lonn and Patrik Wallstrom.
+
 31 July 2012: Wouter
        - Improved forward-first and stub-first documentation.
        - Fix that enables modules to register twice for the same

diff --git a/util/net_help.c b/util/net_help.c
index d8c624fd6657a93849e3391eb665da827db0d821..6e71d544bc960fb191f511886c0e164a71cb607c 100644 (file)
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -725,3 +725,54 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
        return NULL;
 #endif
 }
+
+/** global lock list for openssl locks */
+static lock_basic_t *ub_openssl_locks = NULL;
+
+/** callback that gets thread id for openssl */
+static unsigned long
+ub_crypto_id_cb(void)
+{
+       return (unsigned long)ub_thread_self();
+}
+
+static void
+ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
+       int ATTR_UNUSED(line))
+{
+       if((mode&CRYPTO_LOCK)) {
+               lock_basic_lock(&ub_openssl_locks[type]);
+       } else {
+               lock_basic_unlock(&ub_openssl_locks[type]);
+       }
+}
+
+int ub_openssl_lock_init(void)
+{
+#ifdef OPENSSL_THREADS
+       size_t i;
+       ub_openssl_locks = (lock_basic_t*)malloc(
+               sizeof(lock_basic_t)*CRYPTO_num_locks());
+       if(!ub_openssl_locks)
+               return 0;
+       for(i=0; i<CRYPTO_num_locks(); i++) {
+               lock_basic_init(&ub_openssl_locks[i]);
+       }
+       CRYPTO_set_id_callback(&ub_crypto_id_cb);
+       CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
+#endif /* OPENSSL_THREADS */
+       return 1;
+}
+
+void ub_openssl_lock_delete(void)
+{
+#ifdef OPENSSL_THREADS
+       size_t i;
+       if(!ub_openssl_locks)
+               return;
+       for(i=0; i<CRYPTO_num_locks(); i++) {
+               lock_basic_destroy(&ub_openssl_locks[i]);
+       }
+#endif /* OPENSSL_THREADS */
+}
+

diff --git a/util/net_help.h b/util/net_help.h
index e0c0ebea17572e081ec17c4fe3ee05e782250b1e..05b5087b41299292fb99e450e721c56015df022e 100644 (file)
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -369,4 +369,15 @@ void* incoming_ssl_fd(void* sslctx, int fd);
  */
 void* outgoing_ssl_fd(void* sslctx, int fd);
 
+/**
+ * Initialize openssl locking for thread safety
+ * @return false on failure (alloc failure).
+ */
+int ub_openssl_lock_init(void);
+
+/**
+ * De-init the allocated openssl locks
+ */
+void ub_openssl_lock_delete(void);
+
 #endif /* NET_HELP_H */