git://scientific.zcu.cz / jra1mw.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6bae1ed)
Take care of proxy_verify_desc and proxy_verify_ctx_desc structures;
authorMarcel Poul <marcel.poul@cern.ch>
Thu, 15 Nov 2012 15:01:44 +0000 (15:01 +0000)
committerMarcel Poul <marcel.poul@cern.ch>
Thu, 15 Nov 2012 15:01:44 +0000 (15:01 +0000)
-hold the pointer to pvd in caNl context
-free the memory in canl_free_ctx()
-new parameter to setup_SSL_proxy_handler, gridsite speciality (hand over pvd to SSL_CTX and do not free it in canl_free_ctx).

emi.canl.canl-c/src/canl_cred.c patch | blob | blame | history
emi.canl.canl-c/src/canl_mech_ssl.h patch | blob | blame | history
emi.canl.canl-c/src/canl_ssl.c patch | blob | blame | history
emi.canl.canl-c/src/canl_ssl.h patch | blob | blame | history

diff --git a/emi.canl.canl-c/src/canl_cred.c b/emi.canl.canl-c/src/canl_cred.c
index 83d4330..f101c31 100644 (file)
--- a/emi.canl.canl-c/src/canl_cred.c
+++ b/emi.canl.canl-c/src/canl_cred.c
@@ -775,13 +775,13 @@ proxy_verify_desc *pvd_setup_initializers(char *cadir)
        standard CA certificates directory name */
     if (!cadir){
         err = proxy_get_filenames(0, NULL, &ca_cert_dirn, NULL, NULL, NULL);
-        if (!err)
-            cadir = ca_cert_dirn;
+        if (!err){
+            pvd->pvxd->certdir = ca_cert_dirn;
+            return pvd;
+        }
     }
-    
-    /*cadir May still be NULL*/
-    pvd->pvxd->certdir = cadir;
-
+    else
+        pvd->pvxd->certdir = strdup(cadir);
     return pvd;
 }
 
diff --git a/emi.canl.canl-c/src/canl_mech_ssl.h b/emi.canl.canl-c/src/canl_mech_ssl.h
index cb0e920..0695eca 100644 (file)
--- a/emi.canl.canl-c/src/canl_mech_ssl.h
+++ b/emi.canl.canl-c/src/canl_mech_ssl.h
@@ -22,6 +22,7 @@ typedef struct _mech_glb_ctx
     char  *ca_file;
     char  *crl_dir;
     cert_key_store *cert_key;
+    proxy_verify_desc *pvd_ctx;
 } mech_glb_ctx;
 
 int do_set_ctx_own_cert_file(glb_ctx *cc, mech_glb_ctx *m_ctx,
diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c
index cf01aa9..aa02051 100644 (file)
--- a/emi.canl.canl-c/src/canl_ssl.c
+++ b/emi.canl.canl-c/src/canl_ssl.c
@@ -18,9 +18,10 @@ canl_error map_verify_result(unsigned long ssl_err,
         const X509_STORE_CTX *store_ctx, SSL *ssl);
 static canl_error map_proxy_error(int reason);
 
-static void setup_SSL_proxy_handler(SSL_CTX *ssl, char *cadir);
+static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir,
+        int leave_pvd);
 extern proxy_verify_desc *pvd_setup_initializers(char *cadir);
-extern void pvd_destroy_initializers(char *cadir);
+extern void pvd_destroy_initializers(void *data);
 
 #ifdef DEBUG
 static void dbg_print_ssl_error(int errorcode);
@@ -387,10 +388,19 @@ err:
     return err;
 }
 
-void setup_SSL_proxy_handler(SSL_CTX *ssl, char *cadir)
+static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir,
+        int leave_pvd)
 {
-    SSL_CTX_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX,
-            pvd_setup_initializers(cadir));
+    proxy_verify_desc *new_pvd = NULL;
+    mech_glb_ctx *m_ctx = (mech_glb_ctx *)cc->mech_ctx;
+    new_pvd =  pvd_setup_initializers(cadir);
+    if (new_pvd){
+        SSL_CTX_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, new_pvd);
+        if (!leave_pvd)
+            m_ctx->pvd_ctx = new_pvd;
+        return 0;
+    }
+    return 1;
 }
 
 static canl_err_code
@@ -417,7 +427,7 @@ ssl_connect(glb_ctx *cc, io_handler *io, void *auth_ctx,
     (void)fcntl(io->sock, F_SETFL, flags | O_NONBLOCK);
 
     ssl_ctx = SSL_get_SSL_CTX(ssl);
-    setup_SSL_proxy_handler(ssl_ctx, m_ctx->ca_dir);
+    setup_SSL_proxy_handler(cc, ssl_ctx, m_ctx->ca_dir, 0);
     SSL_set_fd(ssl, io->sock);
 
     err = do_ssl_connect(cc, io, ssl, timeout); 
@@ -534,7 +544,7 @@ ssl_accept(glb_ctx *cc, io_handler *io, void *auth_ctx, struct timeval *timeout)
     (void)fcntl(io->sock, F_SETFL, flags | O_NONBLOCK);
 
     ssl_ctx = SSL_get_SSL_CTX(ssl);
-    setup_SSL_proxy_handler(ssl_ctx, m_ctx->ca_dir);
+    setup_SSL_proxy_handler(cc, ssl_ctx, m_ctx->ca_dir, 0);
     SSL_set_fd(ssl, io->sock);
 
     err = do_ssl_accept(cc, io, ssl, timeout);
@@ -1105,6 +1115,10 @@ ssl_free_ctx(glb_ctx *cc)
         free(m_ctx->cert_key);
         m_ctx->cert_key = NULL;
     }
+    if (m_ctx->pvd_ctx){
+        pvd_destroy_initializers(m_ctx->pvd_ctx);
+        m_ctx->pvd_ctx = NULL;
+    }
     free(m_ctx);
     cc->mech_ctx = NULL;
     return 0;
@@ -1219,7 +1233,7 @@ canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode,
                 " initialized");
     mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;
     
-    setup_SSL_proxy_handler(ssl_ctx, m_ctx->ca_dir);
+    setup_SSL_proxy_handler(glb_cc, ssl_ctx, m_ctx->ca_dir, 1);
     SSL_CTX_set_cert_verify_callback(ssl_ctx, proxy_app_verify_callback, NULL);
 
     SSL_CTX_set_verify(ssl_ctx, ver_mode, vc);
diff --git a/emi.canl.canl-c/src/canl_ssl.h b/emi.canl.canl-c/src/canl_ssl.h
index b5189cf..a3bf96b 100644 (file)
--- a/emi.canl.canl-c/src/canl_ssl.h
+++ b/emi.canl.canl-c/src/canl_ssl.h
@@ -40,6 +40,12 @@ canl_ctx_sfncrl_dir(canl_ctx, const char *);
    to use its callback,but it must be called separately by canl_direct_pv_clb()
    (e.g. in verify_callback)-try to avoid this, unless you 
    know what you are doing.
+
+  Any data set into the extern SSL_CTX by the  caNl in this function
+  are not freed by calling canl_free_ctx().
+  This might look like memory leak (e.g. by valgrind), but in this special case
+  is intended.
+
 */
 canl_err_code CANL_CALLCONV
 canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode,
jra1mw project from LCG CVS.