You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by cl...@apache.org on 2016/02/10 22:35:56 UTC
qpid-proton git commit: PROTON-1115: valgrind fix,
provide missing X509_free() for openssl data struct
Repository: qpid-proton
Updated Branches:
refs/heads/master 5ada2ec00 -> 5f7582c98
PROTON-1115: valgrind fix, provide missing X509_free() for openssl data struct
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/5f7582c9
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/5f7582c9
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/5f7582c9
Branch: refs/heads/master
Commit: 5f7582c98810e089fbc02eeaeacd842a6f58ecda
Parents: 5ada2ec
Author: Clifford Jansen <cl...@apache.org>
Authored: Wed Feb 10 16:34:36 2016 -0500
Committer: Clifford Jansen <cl...@apache.org>
Committed: Wed Feb 10 16:34:36 2016 -0500
----------------------------------------------------------------------
examples/cpp/example_test.py | 4 ++--
proton-c/src/ssl/openssl.c | 20 +++++++++++++++++---
2 files changed, 19 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/5f7582c9/examples/cpp/example_test.py
----------------------------------------------------------------------
diff --git a/examples/cpp/example_test.py b/examples/cpp/example_test.py
index e5cc53c..78b84d8 100644
--- a/examples/cpp/example_test.py
+++ b/examples/cpp/example_test.py
@@ -321,7 +321,7 @@ Tock...
# SSL without SASL
addr = "amqps://" + pick_addr() + "/examples"
# Disable valgrind when using OpenSSL
- out = self.proc(["ssl", addr, self.ssl_certs_dir()], skip_valgrind=True).wait_exit()
+ out = self.proc(["ssl", addr, self.ssl_certs_dir()]).wait_exit()
expect = "Outgoing client connection connected via SSL. Server certificate identity CN=test_server\nHello World!"
expect_found = (out.find(expect) >= 0)
self.assertEqual(expect_found, True)
@@ -335,7 +335,7 @@ Hello World!
"""
addr = "amqps://" + pick_addr() + "/examples"
# Disable valgrind when using OpenSSL
- out = self.proc(["ssl_client_cert", addr, self.ssl_certs_dir()], skip_valgrind=True).wait_exit()
+ out = self.proc(["ssl_client_cert", addr, self.ssl_certs_dir()]).wait_exit()
expect_found = (out.find(expect) >= 0)
self.assertEqual(expect_found, True)
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/5f7582c9/proton-c/src/ssl/openssl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
index 923c0dc..4750b30 100644
--- a/proton-c/src/ssl/openssl.c
+++ b/proton-c/src/ssl/openssl.c
@@ -113,6 +113,7 @@ struct pni_ssl_t {
bool write_blocked; // SSL blocked until data is written to network
char *subject;
+ X509 *peer_certificate;
};
static inline pn_transport_t *get_transport_internal(pn_ssl_t *ssl)
@@ -152,6 +153,7 @@ static void release_ssl_socket( pni_ssl_t * );
static pn_ssl_session_t *ssn_cache_find( pn_ssl_domain_t *, const char * );
static void ssl_session_free( pn_ssl_session_t *);
static size_t buffered_output( pn_transport_t *transport );
+static X509 *get_peer_certificate(pni_ssl_t *ssl);
static void ssl_vlog(pn_transport_t *transport, const char *fmt, va_list ap)
{
@@ -798,6 +800,7 @@ void pn_ssl_free(pn_transport_t *transport)
if (ssl->inbuf) free((void *)ssl->inbuf);
if (ssl->outbuf) free((void *)ssl->outbuf);
if (ssl->subject) free(ssl->subject);
+ if (ssl->peer_certificate) X509_free(ssl->peer_certificate);
free(ssl);
}
@@ -1203,6 +1206,7 @@ static int init_ssl_socket(pn_transport_t* transport, pni_ssl_t *ssl)
ssl_log( transport, "Client SSL socket created." );
}
ssl->subject = NULL;
+ ssl->peer_certificate = NULL;
return 0;
}
@@ -1273,12 +1277,22 @@ int pn_ssl_get_peer_hostname(pn_ssl_t *ssl0, char *hostname, size_t *bufsize)
return 0;
}
+static X509 *get_peer_certificate(pni_ssl_t *ssl)
+{
+ // Cache for multiple use and final X509_free
+ if (!ssl->peer_certificate && ssl->ssl) {
+ ssl->peer_certificate = SSL_get_peer_certificate(ssl->ssl);
+ // May still be NULL depending on timing or type of SSL connection
+ }
+ return ssl->peer_certificate;
+}
+
const char* pn_ssl_get_remote_subject(pn_ssl_t *ssl0)
{
pni_ssl_t *ssl = get_ssl_internal(ssl0);
if (!ssl || !ssl->ssl) return NULL;
if (!ssl->subject) {
- X509 *cert = SSL_get_peer_certificate(ssl->ssl);
+ X509 *cert = get_peer_certificate(ssl);
if (!cert) return NULL;
X509_NAME *subject = X509_get_subject_name(cert);
if (!subject) return NULL;
@@ -1337,7 +1351,7 @@ int pn_ssl_get_cert_fingerprint(pn_ssl_t *ssl0, char *fingerprint, size_t finger
pni_ssl_t *ssl = get_ssl_internal(ssl0);
- X509 *cert = SSL_get_peer_certificate(ssl->ssl);
+ X509 *cert = get_peer_certificate(ssl);
if(cert) {
unsigned int len;
@@ -1397,7 +1411,7 @@ const char* pn_ssl_get_remote_subject_subfield(pn_ssl_t *ssl0, pn_ssl_cert_subje
}
pni_ssl_t *ssl = get_ssl_internal(ssl0);
- X509 *cert = SSL_get_peer_certificate(ssl->ssl);
+ X509 *cert = get_peer_certificate(ssl);
X509_NAME *subject_name = X509_get_subject_name(cert);
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org