From: Wouter Wijngaards Date: Wed, 1 Aug 2012 11:31:29 +0000 (+0000) Subject: - Fix openssl race condition, initializes openssl locks, reported X-Git-Tag: release-1.4.19rc1~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9762ba453ebb5e76b5c6c2ab4bfd5c8e1a40eb2;p=thirdparty%2Funbound.git - Fix openssl race condition, initializes openssl locks, reported by Einar Lonn and Patrik Wallstrom. git-svn-id: file:///svn/unbound/trunk@2733 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/daemon/daemon.c b/daemon/daemon.c
index b17d54881..534f2a4cf 100644
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -209,6 +209,10 @@ daemon_init(void)
 comp_meth = (void*)SSL_COMP_get_compression_methods();
 # endif
 (void)SSL_library_init();
+# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ if(!ub_openssl_lock_init())
+ fatal_exit("could not init openssl locks");
+# endif
 #elif defined(HAVE_NSS)
 if(NSS_NoDB_Init(NULL) != SECSuccess)
 fatal_exit("could not init NSS");
@@ -568,6 +572,9 @@ daemon_delete(struct daemon* daemon)
 ERR_remove_state(0);
 ERR_free_strings();
 RAND_cleanup();
+# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ ub_openssl_lock_delete();
+# endif
 #elif defined(HAVE_NSS)
 NSS_Shutdown();
 #endif /* HAVE_SSL or HAVE_NSS */
diff --git a/doc/Changelog b/doc/Changelog
index 80d7c4aad..c645075da 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+1 August 2012: Wouter
+ - Fix openssl race condition, initializes openssl locks, reported
+ by Einar Lonn and Patrik Wallstrom.
+
 31 July 2012: Wouter
 - Improved forward-first and stub-first documentation.
 - Fix that enables modules to register twice for the same
diff --git a/util/net_help.c b/util/net_help.c
index d8c624fd6..6e71d544b 100644
--- a/util/net_help.c
+++ b/util/net_help.c
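Review bot: In daemon_init, if OpenSSL is built without OPENSSL_THREADS while unbound itself is threaded, the added `# if` block compiles to nothing and the locking callbacks are never installed, so the race this commit fixes stays open with no signal to the operator. Consider an explicit branch before the `# endif`, such as `# elif !defined(THREADS_DISABLED)` followed by `log_warn("openssl has no thread support; use from several threads is unsafe");`, or a build-time `#error`. The guard here also differs from the plain `#ifdef OPENSSL_THREADS` visible at the top of ub_openssl_lock_init in util/net_help.c, so a one-line comment saying which condition is authoritative would help. daemon_init starts and ends outside the hunk.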
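Review bot: In daemon_delete, ub_openssl_lock_delete() releases the lock array that ub_crypto_lock_cb indexes, so it must run only after every worker thread has stopped and after the last libcrypto call. The hunk places it after RAND_cleanup(), which fits, but nothing states the requirement. I would add `/* must be last: frees the locks the openssl locking callback uses */` above the call. Whether ub_openssl_lock_delete() also unregisters the callbacks before freeing is not visible here and is worth confirming, since a later OpenSSL call would otherwise reach freed memory. daemon_delete continues outside the hunk.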
@@ -725,3 +725,54 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
 return NULL;
 #endif
 }
+
+/** global lock list for openssl locks */
+static lock_basic_t *ub_openssl_locks = NULL;
+
+/** callback that gets thread id for openssl */
+static unsigned long
+ub_crypto_id_cb(void)
+{
+ return (unsigned long)ub_thread_self();
+}
+
+static void
+ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
+ int ATTR_UNUSED(line))
+{
+ if((mode&CRYPTO_LOCK)) {
+ lock_basic_lock(&ub_openssl_locks[type]);
+ } else {
+ lock_basic_unlock(&ub_openssl_locks[type]);
+ }
+}
+
+int ub_openssl_lock_init(void)
+{
+#ifdef OPENSSL_THREADS
+ size_t i;
+ ub_openssl_locks = (lock_basic_t*)malloc(
+ sizeof(lock_basic_t)*CRYPTO_num_locks());
+ if(!ub_openssl_locks)
+ return 0;
+ for(i=0; i