From 72ed2601aeeb6d5ff0604b3a79161c5a9e902e59 Mon Sep 17 00:00:00 2001 From: Marcel Poul Date: Thu, 15 Nov 2012 15:01:44 +0000 Subject: [PATCH] Take care of proxy_verify_desc and proxy_verify_ctx_desc structures; -hold the pointer to pvd in caNl context -free the memory in canl_free_ctx() -new parameter to setup_SSL_proxy_handler, gridsite speciality (hand over pvd to SSL_CTX and do not free it in canl_free_ctx). --- emi.canl.canl-c/src/canl_cred.c | 12 ++++++------ emi.canl.canl-c/src/canl_mech_ssl.h | 1 + emi.canl.canl-c/src/canl_ssl.c | 30 ++++++++++++++++++++++-------- emi.canl.canl-c/src/canl_ssl.h | 6 ++++++ 4 files changed, 35 insertions(+), 14 deletions(-) diff --git a/emi.canl.canl-c/src/canl_cred.c b/emi.canl.canl-c/src/canl_cred.c index 83d4330..f101c31 100644 --- a/emi.canl.canl-c/src/canl_cred.c +++ b/emi.canl.canl-c/src/canl_cred.c @@ -775,13 +775,13 @@ proxy_verify_desc *pvd_setup_initializers(char *cadir) standard CA certificates directory name */ if (!cadir){ err = proxy_get_filenames(0, NULL, &ca_cert_dirn, NULL, NULL, NULL); - if (!err) - cadir = ca_cert_dirn; + if (!err){ + pvd->pvxd->certdir = ca_cert_dirn; + return pvd; + } } - - /*cadir May still be NULL*/ - pvd->pvxd->certdir = cadir; - + else + pvd->pvxd->certdir = strdup(cadir); return pvd; } diff --git a/emi.canl.canl-c/src/canl_mech_ssl.h b/emi.canl.canl-c/src/canl_mech_ssl.h index cb0e920..0695eca 100644 --- a/emi.canl.canl-c/src/canl_mech_ssl.h +++ b/emi.canl.canl-c/src/canl_mech_ssl.h @@ -22,6 +22,7 @@ typedef struct _mech_glb_ctx char *ca_file; char *crl_dir; cert_key_store *cert_key; + proxy_verify_desc *pvd_ctx; } mech_glb_ctx; int do_set_ctx_own_cert_file(glb_ctx *cc, mech_glb_ctx *m_ctx, diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c index cf01aa9..aa02051 100644 --- a/emi.canl.canl-c/src/canl_ssl.c +++ b/emi.canl.canl-c/src/canl_ssl.c @@ -18,9 +18,10 @@ canl_error map_verify_result(unsigned long ssl_err, const X509_STORE_CTX *store_ctx, SSL *ssl); static canl_error map_proxy_error(int reason); -static void setup_SSL_proxy_handler(SSL_CTX *ssl, char *cadir); +static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir, + int leave_pvd); extern proxy_verify_desc *pvd_setup_initializers(char *cadir); -extern void pvd_destroy_initializers(char *cadir); +extern void pvd_destroy_initializers(void *data); #ifdef DEBUG static void dbg_print_ssl_error(int errorcode); @@ -387,10 +388,19 @@ err: return err; } -void setup_SSL_proxy_handler(SSL_CTX *ssl, char *cadir) +static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir, + int leave_pvd) { - SSL_CTX_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, - pvd_setup_initializers(cadir)); + proxy_verify_desc *new_pvd = NULL; + mech_glb_ctx *m_ctx = (mech_glb_ctx *)cc->mech_ctx; + new_pvd = pvd_setup_initializers(cadir); + if (new_pvd){ + SSL_CTX_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, new_pvd); + if (!leave_pvd) + m_ctx->pvd_ctx = new_pvd; + return 0; + } + return 1; } static canl_err_code @@ -417,7 +427,7 @@ ssl_connect(glb_ctx *cc, io_handler *io, void *auth_ctx, (void)fcntl(io->sock, F_SETFL, flags | O_NONBLOCK); ssl_ctx = SSL_get_SSL_CTX(ssl); - setup_SSL_proxy_handler(ssl_ctx, m_ctx->ca_dir); + setup_SSL_proxy_handler(cc, ssl_ctx, m_ctx->ca_dir, 0); SSL_set_fd(ssl, io->sock); err = do_ssl_connect(cc, io, ssl, timeout); @@ -534,7 +544,7 @@ ssl_accept(glb_ctx *cc, io_handler *io, void *auth_ctx, struct timeval *timeout) (void)fcntl(io->sock, F_SETFL, flags | O_NONBLOCK); ssl_ctx = SSL_get_SSL_CTX(ssl); - setup_SSL_proxy_handler(ssl_ctx, m_ctx->ca_dir); + setup_SSL_proxy_handler(cc, ssl_ctx, m_ctx->ca_dir, 0); SSL_set_fd(ssl, io->sock); err = do_ssl_accept(cc, io, ssl, timeout); @@ -1105,6 +1115,10 @@ ssl_free_ctx(glb_ctx *cc) free(m_ctx->cert_key); m_ctx->cert_key = NULL; } + if (m_ctx->pvd_ctx){ + pvd_destroy_initializers(m_ctx->pvd_ctx); + m_ctx->pvd_ctx = NULL; + } free(m_ctx); cc->mech_ctx = NULL; return 0; @@ -1219,7 +1233,7 @@ canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode, " initialized"); mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx; - setup_SSL_proxy_handler(ssl_ctx, m_ctx->ca_dir); + setup_SSL_proxy_handler(glb_cc, ssl_ctx, m_ctx->ca_dir, 1); SSL_CTX_set_cert_verify_callback(ssl_ctx, proxy_app_verify_callback, NULL); SSL_CTX_set_verify(ssl_ctx, ver_mode, vc); diff --git a/emi.canl.canl-c/src/canl_ssl.h b/emi.canl.canl-c/src/canl_ssl.h index b5189cf..a3bf96b 100644 --- a/emi.canl.canl-c/src/canl_ssl.h +++ b/emi.canl.canl-c/src/canl_ssl.h @@ -40,6 +40,12 @@ canl_ctx_sfncrl_dir(canl_ctx, const char *); to use its callback,but it must be called separately by canl_direct_pv_clb() (e.g. in verify_callback)-try to avoid this, unless you know what you are doing. + + Any data set into the extern SSL_CTX by the caNl in this function + are not freed by calling canl_free_ctx(). + This might look like memory leak (e.g. by valgrind), but in this special case + is intended. + */ canl_err_code CANL_CALLCONV canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode, -- 1.8.2.3