You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by sh...@apache.org on 2015/02/10 04:57:54 UTC
[1/2] trafficserver git commit: TS-3375: Memory leak and error
handling in SSL loading.
Repository: trafficserver
Updated Branches:
refs/heads/master 87efe7937 -> 064126785
TS-3375: Memory leak and error handling in SSL loading.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5fb742d6
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5fb742d6
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5fb742d6
Branch: refs/heads/master
Commit: 5fb742d63742abbc0e441b6b9b8a74673097cf81
Parents: 2dbdd9c
Author: shinrich <sh...@yahoo-inc.com>
Authored: Mon Feb 9 21:56:08 2015 -0600
Committer: shinrich <sh...@yahoo-inc.com>
Committed: Mon Feb 9 21:56:08 2015 -0600
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/SSLNetProcessor.cc | 2 +-
iocore/net/SSLUtils.cc | 44 +++++++++++++++++++++++++++-----------
proxy/Main.cc | 5 ++++-
4 files changed, 38 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fb742d6/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 4a80d57..8a58d47 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 5.3.0
+ *) [TS-3375] Memory leak and error handling in SSL loading.
+
*) [TS-3380] Fix the detection of new openssl calls to enable compilation against libressl.
*) [TS-3364] Add command line config validation support to traffic_server
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fb742d6/iocore/net/SSLNetProcessor.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index 9547617..761487c 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -68,7 +68,7 @@ SSLNetProcessor::start(int number_of_ssl_threads, size_t stacksize)
SSLInitializeLibrary();
SSLConfig::startup();
- (void) SSLCertificateConfig::startup();
+ if (!SSLCertificateConfig::startup()) return -1;
// Acquire a SSLConfigParams instance *after* we start SSL up.
SSLConfig::scoped_config params;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fb742d6/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 638b7ab..86c9149 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1584,16 +1584,17 @@ asn1_strdup(ASN1_STRING * s)
// Given a certificate and it's corresponding SSL_CTX context, insert hash
// table aliases for subject CN and subjectAltNames DNS without wildcard,
// insert trie aliases for those with wildcard.
-static void
+static bool
ssl_index_certificate(SSLCertLookup * lookup, SSLCertContext const& cc, const char * certfile)
{
X509_NAME * subject = NULL;
X509 * cert;
scoped_BIO bio(BIO_new_file(certfile, "r"));
+ bool inserted = false;
cert = PEM_read_bio_X509_AUX(bio.get(), NULL, NULL, NULL);
if (NULL == cert) {
- return;
+ return inserted;
}
// Insert a key for the subject CN.
@@ -1612,7 +1613,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSLCertContext const& cc, const ch
subj_name = asn1_strdup(cn);
Debug("ssl", "mapping '%s' to certificate %s", (const char *) subj_name, certfile);
- lookup->insert(subj_name, cc);
+ if (lookup->insert(subj_name, cc) >= 0) inserted = true;
}
}
@@ -1630,7 +1631,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSLCertContext const& cc, const ch
// only try to insert if the alternate name is not the main name
if (strcmp(dns, subj_name) != 0) {
Debug("ssl", "mapping '%s' to certificate %s", (const char *) dns, certfile);
- lookup->insert(dns, cc);
+ if (lookup->insert(dns, cc) >= 0) inserted = true;
}
}
}
@@ -1639,6 +1640,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSLCertContext const& cc, const ch
}
#endif // HAVE_OPENSSL_TS_H
X509_free(cert);
+ return inserted;
}
// This callback function is executed while OpenSSL processes the SSL
@@ -1697,6 +1699,8 @@ ssl_store_ssl_context(
ssl_ticket_key_block *keyblock = NULL;
bool inserted = false;
+ if (!ctx) return ctx;
+
// The certificate callbacks are set by the caller only
// for the default certificate
@@ -1740,6 +1744,7 @@ ssl_store_ssl_context(
}
} else {
Error("'%s' is not a valid IPv4 or IPv6 address", (const char *)sslMultCertSettings.addr);
+ goto end;
}
}
}
@@ -1757,14 +1762,14 @@ ssl_store_ssl_context(
Debug("ssl", "ssl ocsp stapling is enabled");
SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
if (!ssl_stapling_init_cert(ctx, (const char *)certpath)) {
- Error("fail to configure SSL_CTX for OCSP Stapling info");
+ Warning("fail to configure SSL_CTX for OCSP Stapling info for certificate at %s", (const char *)certpath);
}
} else {
Debug("ssl", "ssl ocsp stapling is disabled");
}
#else
if (SSLConfigParams::ssl_ocsp_enabled) {
- Error("fail to enable ssl ocsp stapling, this openssl version does not support it");
+ Warning("fail to enable ssl ocsp stapling, this openssl version does not support it");
}
#endif /* HAVE_OPENSSL_OCSP_STAPLING */
@@ -1772,16 +1777,25 @@ ssl_store_ssl_context(
// this code is updated to reconfigure the SSL certificates, it will need some sort of
// refcounting or alternate way of avoiding double frees.
Debug("ssl", "importing SNI names from %s", (const char *)certpath);
- ssl_index_certificate(lookup, SSLCertContext(ctx, sslMultCertSettings.opt), certpath);
+ inserted = inserted || ssl_index_certificate(lookup, SSLCertContext(ctx, sslMultCertSettings.opt), certpath);
- if (SSLConfigParams::init_ssl_ctx_cb) {
- SSLConfigParams::init_ssl_ctx_cb(ctx, true);
+ if (inserted) {
+ if (SSLConfigParams::init_ssl_ctx_cb) {
+ SSLConfigParams::init_ssl_ctx_cb(ctx, true);
+ }
}
+end:
+ if (!inserted) {
#if HAVE_OPENSSL_SESSION_TICKETS
- if (!inserted && keyblock != NULL) {
- ticket_block_free(keyblock);
- }
+ if (keyblock != NULL) {
+ ticket_block_free(keyblock);
+ }
#endif
+ if (ctx != NULL) {
+ SSL_CTX_free(ctx);
+ ctx = NULL;
+ }
+ }
return ctx;
}
@@ -1905,6 +1919,7 @@ SSLParseCertificateConfiguration(const SSLConfigParams * params, SSLCertLookup *
if (ssl_store_ssl_context(params, lookup, sslMultiCertSettings) == NULL) {
Error("failed to load SSL certificate specification from %s line %u",
params->configFilePath, line_num);
+ return false;
}
} else {
RecSignalWarning(REC_SIGNAL_CONFIG_ERROR, "%s: discarding invalid %s entry at line %u",
@@ -1923,7 +1938,10 @@ SSLParseCertificateConfiguration(const SSLConfigParams * params, SSLCertLookup *
if (lookup->ssl_default == NULL) {
ssl_user_config sslMultiCertSettings;
sslMultiCertSettings.addr = ats_strdup("*");
- ssl_store_ssl_context(params, lookup, sslMultiCertSettings);
+ if (ssl_store_ssl_context(params, lookup, sslMultiCertSettings) == NULL) {
+ Error("failed set default context");
+ return false;
+ }
}
return true;
}
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fb742d6/proxy/Main.cc
----------------------------------------------------------------------
diff --git a/proxy/Main.cc b/proxy/Main.cc
index 7e9a433..c4991d3 100644
--- a/proxy/Main.cc
+++ b/proxy/Main.cc
@@ -1697,7 +1697,10 @@ main(int /* argc ATS_UNUSED */, char **argv)
(void) plugin_init(); // plugin.config
SSLConfigParams::init_ssl_ctx_cb = init_ssl_ctx_callback;
- sslNetProcessor.start(getNumSSLThreads(), stacksize);
+ if (sslNetProcessor.start(getNumSSLThreads(), stacksize) < 0) {
+ // Failure to load SSL state
+ exit(1);
+ }
pmgmt->registerPluginCallbacks(global_config_cbs);
cacheProcessor.set_after_init_callback(&CB_After_Cache_Init);
[2/2] trafficserver git commit: Merge branch 'master' of
https://git-wip-us.apache.org/repos/asf/trafficserver
Posted by sh...@apache.org.
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/trafficserver
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/06412678
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/06412678
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/06412678
Branch: refs/heads/master
Commit: 064126785da054daf35e08f85c308b3028321db7
Parents: 5fb742d 87efe79
Author: shinrich <sh...@yahoo-inc.com>
Authored: Mon Feb 9 21:56:51 2015 -0600
Committer: shinrich <sh...@yahoo-inc.com>
Committed: Mon Feb 9 21:56:51 2015 -0600
----------------------------------------------------------------------
example/Makefile.am | 2 +
example/remap_header_add/build.txt | 17 +++
example/remap_header_add/remap_header_add.cc | 178 ++++++++++++++++++++++
iocore/dns/SplitDNS.cc | 2 +-
lib/ts/MatcherUtils.h | 9 +-
proxy/CacheControl.cc | 2 +-
proxy/ControlMatcher.cc | 10 +-
proxy/ParentSelection.cc | 2 +-
proxy/congest/Congestion.cc | 2 +-
9 files changed, 213 insertions(+), 11 deletions(-)
----------------------------------------------------------------------