Convert CRYPTO_LOCK_SSL_* to new multi-threading API (16203f7b) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

include/openssl/crypto.h

+0 −7

Original line number	Diff line number	Diff line
		@@ -166,15 +166,8 @@ extern "C" {
		*/

		# define CRYPTO_LOCK_X509_STORE 11
		# define CRYPTO_LOCK_SSL_CTX 12
		# define CRYPTO_LOCK_SSL_CERT 13
		# define CRYPTO_LOCK_SSL_SESSION 14
		# define CRYPTO_LOCK_SSL_SESS_CERT 15
		# define CRYPTO_LOCK_SSL 16
		# define CRYPTO_LOCK_SSL_METHOD 17
		# define CRYPTO_LOCK_RAND 18
		# define CRYPTO_LOCK_RAND2 19
		# define CRYPTO_LOCK_READDIR 24
		# define CRYPTO_LOCK_RSA_BLINDING 25
		# define CRYPTO_LOCK_DYNLOCK 29
		# define CRYPTO_LOCK_ENGINE 30

include/openssl/ssl.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -1499,6 +1499,7 @@ int SSL_SESSION_print_fp(FILE fp, const SSL_SESSION ses);
		# endif
		int SSL_SESSION_print(BIO fp, const SSL_SESSION ses);
		int SSL_SESSION_print_keylog(BIO bp, const SSL_SESSION x);
		int SSL_SESSION_up_ref(SSL_SESSION *ses);
		void SSL_SESSION_free(SSL_SESSION *ses);
		__owur int i2d_SSL_SESSION(SSL_SESSION in, unsigned char *pp);
		__owur int SSL_set_session(SSL to, SSL_SESSION session);

ssl/ssl_cert.c

+31 −28

Original line number	Diff line number	Diff line
		@@ -129,36 +129,27 @@
		# include <openssl/dh.h>
		#endif
		#include <openssl/bn.h>
		#include "internal/threads.h"
		#include "ssl_locl.h"

		static int ssl_security_default_callback(SSL s, SSL_CTX ctx, int op,
		int bits, int nid, void *other,
		void *ex);

		int SSL_get_ex_data_X509_STORE_CTX_idx(void)
		{
		static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
		static volatile int ssl_x509_store_ctx_idx = -1;
		int got_write_lock = 0;

		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);

		if (ssl_x509_store_ctx_idx < 0) {
		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
		CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
		got_write_lock = 1;

		if (ssl_x509_store_ctx_idx < 0) {
		ssl_x509_store_ctx_idx =
		X509_STORE_CTX_get_ex_new_index(0, "SSL for verify callback",
		static void ssl_x509_store_ctx_init(void)
		{
		ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(0,
		"SSL for verify callback",
		NULL, NULL, NULL);
		}
		}

		if (got_write_lock)
		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
		else
		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
		int SSL_get_ex_data_X509_STORE_CTX_idx(void)
		{

		CRYPTO_THREAD_run_once(&ssl_x509_store_ctx_once, ssl_x509_store_ctx_init);
		return ssl_x509_store_ctx_idx;
		}

		@@ -168,7 +159,7 @@ CERT *ssl_cert_new(void)

		if (ret == NULL) {
		SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
		return (NULL);
		return NULL;
		}

		ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
		@@ -176,7 +167,14 @@ CERT *ssl_cert_new(void)
		ret->sec_cb = ssl_security_default_callback;
		ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
		ret->sec_ex = NULL;
		return (ret);
		ret->lock = CRYPTO_THREAD_lock_new();
		if (ret->lock == NULL) {
		SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
		OPENSSL_free(ret);
		return NULL;
		}

		return ret;
		}

		CERT ssl_cert_dup(CERT cert)
		@@ -186,11 +184,17 @@ CERT ssl_cert_dup(CERT cert)

		if (ret == NULL) {
		SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
		return (NULL);
		return NULL;
		}

		ret->references = 1;
		ret->key = &ret->pkeys[cert->key - cert->pkeys];
		ret->lock = CRYPTO_THREAD_lock_new();
		if (ret == NULL) {
		SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
		OPENSSL_free(ret);
		return NULL;
		}

		#ifndef OPENSSL_NO_DH
		if (cert->dh_tmp != NULL) {
		@@ -297,7 +301,7 @@ CERT ssl_cert_dup(CERT cert)
		goto err;
		}
		#endif
		return (ret);
		return ret;

		err:
		ssl_cert_free(ret);
		@@ -333,7 +337,7 @@ void ssl_cert_free(CERT *c)
		if (c == NULL)
		return;

		i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT);
		CRYPTO_atomic_add(&c->references, -1, &i, c->lock);
		REF_PRINT_COUNT("CERT", c);
		if (i > 0)
		return;
		@@ -355,6 +359,7 @@ void ssl_cert_free(CERT *c)
		#ifndef OPENSSL_NO_PSK
		OPENSSL_free(c->psk_identity_hint);
		#endif
		CRYPTO_THREAD_lock_free(c->lock);
		OPENSSL_free(c);
		}

		@@ -784,8 +789,6 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
		const char *filename;
		int ret = 0;

		CRYPTO_w_lock(CRYPTO_LOCK_READDIR);

		/* Note that a side effect is that the CAs will be sorted by name */

		while ((filename = OPENSSL_DIR_read(&d, dir))) {
		@@ -820,7 +823,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
		err:
		if (d)
		OPENSSL_DIR_end(&d);
		CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);

		return ret;
		}

ssl/ssl_ciph.c

+24 −31

Original line number	Diff line number	Diff line
		@@ -147,6 +147,7 @@
		#ifndef OPENSSL_NO_ENGINE
		# include <openssl/engine.h>
		#endif
		#include "internal/threads.h"
		#include "ssl_locl.h"

		#define SSL_ENC_DES_IDX 0
		@@ -213,6 +214,8 @@ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {

		static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;

		static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;

		/*
		* Constant SSL_MAX_DIGEST equal to size of digests array should be defined
		* in the ssl_locl.h
		@@ -575,24 +578,15 @@ static int sk_comp_cmp(const SSL_COMP const a, const SSL_COMP const b)
		return ((a)->id - (b)->id);
		}

		static void load_builtin_compressions(void)
		static void do_load_builtin_compressions(void)
		{
		int got_write_lock = 0;

		CRYPTO_r_lock(CRYPTO_LOCK_SSL);
		if (ssl_comp_methods == NULL) {
		CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
		got_write_lock = 1;

		if (ssl_comp_methods == NULL) {
		SSL_COMP *comp = NULL;
		COMP_METHOD *method = COMP_zlib();

		CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
		ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
		if (COMP_get_type(method) != NID_undef
		&& ssl_comp_methods != NULL) {

		if (COMP_get_type(method) != NID_undef && ssl_comp_methods != NULL) {
		comp = OPENSSL_malloc(sizeof(*comp));
		if (comp != NULL) {
		comp->method = method;
		@@ -604,12 +598,11 @@ static void load_builtin_compressions(void)
		}
		CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
		}
		}

		if (got_write_lock)
		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
		else
		CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
		static void load_builtin_compressions(void)
		{
		CRYPTO_THREAD_run_once(&ssl_load_builtin_comp_once,
		do_load_builtin_compressions);
		}
		#endif

ssl/ssl_lib.c

+41 −21

Original line number	Diff line number	Diff line
		@@ -631,6 +631,13 @@ SSL SSL_new(SSL_CTX ctx)
		if (s == NULL)
		goto err;

		s->lock = CRYPTO_THREAD_lock_new();
		if (s->lock == NULL) {
		SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
		OPENSSL_free(s);
		return NULL;
		}

		RECORD_LAYER_init(&s->rlayer, s);

		s->options = ctx->options;
		@@ -677,7 +684,7 @@ SSL SSL_new(SSL_CTX ctx)
		if (ctx->default_read_buf_len > 0)
		SSL_set_default_read_buffer_len(s, ctx->default_read_buf_len);

		CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
		SSL_CTX_up_ref(ctx);
		s->ctx = ctx;
		s->tlsext_debug_cb = 0;
		s->tlsext_debug_arg = NULL;
		@@ -688,7 +695,7 @@ SSL SSL_new(SSL_CTX ctx)
		s->tlsext_ocsp_exts = NULL;
		s->tlsext_ocsp_resp = NULL;
		s->tlsext_ocsp_resplen = -1;
		CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
		SSL_CTX_up_ref(ctx);
		s->initial_ctx = ctx;
		# ifndef OPENSSL_NO_EC
		if (ctx->tlsext_ecpointformatlist) {
		@@ -755,16 +762,17 @@ SSL SSL_new(SSL_CTX ctx)
		goto err;
		#endif

		return (s);
		return s;
		err:
		SSL_free(s);
		SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
		return (NULL);
		return NULL;
		}

		void SSL_up_ref(SSL *s)
		{
		CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL);
		int i;
		CRYPTO_atomic_add(&s->references, 1, &i, s->lock);
		}

		int SSL_CTX_set_session_id_context(SSL_CTX ctx, const unsigned char sid_ctx,
		@@ -797,17 +805,17 @@ int SSL_set_session_id_context(SSL ssl, const unsigned char sid_ctx,

		int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
		{
		CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
		CRYPTO_THREAD_write_lock(ctx->lock);
		ctx->generate_session_id = cb;
		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
		CRYPTO_THREAD_unlock(ctx->lock);
		return 1;
		}

		int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
		{
		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
		CRYPTO_THREAD_write_lock(ssl->lock);
		ssl->generate_session_id = cb;
		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
		CRYPTO_THREAD_unlock(ssl->lock);
		return 1;
		}

		@@ -830,9 +838,9 @@ int SSL_has_matching_session_id(const SSL ssl, const unsigned char id,
		r.session_id_length = id_len;
		memcpy(r.session_id, id, id_len);

		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
		CRYPTO_THREAD_read_lock(ssl->ctx->lock);
		p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
		CRYPTO_THREAD_unlock(ssl->ctx->lock);
		return (p != NULL);
		}

		@@ -1009,7 +1017,7 @@ void SSL_free(SSL *s)
		if (s == NULL)
		return;

		i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL);
		CRYPTO_atomic_add(&s->references, -1, &i, s->lock);
		REF_PRINT_COUNT("SSL", s);
		if (i > 0)
		return;
		@@ -1084,6 +1092,8 @@ void SSL_free(SSL *s)
		sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
		#endif

		CRYPTO_THREAD_lock_free(s->lock);

		OPENSSL_free(s);
		}

		@@ -1366,6 +1376,7 @@ STACK_OF(X509) SSL_get_peer_cert_chain(const SSL s)
		*/
		int SSL_copy_session_id(SSL t, const SSL f)
		{
		int i;
		/* Do we need to to SSL locking? */
		if (!SSL_set_session(t, SSL_get_session(f))) {
		return 0;
		@@ -1381,7 +1392,7 @@ int SSL_copy_session_id(SSL t, const SSL f)
		return 0;
		}

		CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
		CRYPTO_atomic_add(&f->cert->references, 1, &i, f->cert->lock);
		ssl_cert_free(t->cert);
		t->cert = f->cert;
		if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
		@@ -2369,6 +2380,12 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
		/* We take the system default. */
		ret->session_timeout = meth->get_timeout();
		ret->references = 1;
		ret->lock = CRYPTO_THREAD_lock_new();
		if (ret->lock == NULL) {
		SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
		OPENSSL_free(ret);
		return NULL;
		}
		ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
		ret->verify_mode = SSL_VERIFY_NONE;
		if ((ret->cert = ssl_cert_new()) == NULL)
		@@ -2459,17 +2476,18 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
		*/
		ret->options \|= SSL_OP_NO_COMPRESSION;

		return (ret);
		return ret;
		err:
		SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
		err2:
		SSL_CTX_free(ret);
		return (NULL);
		return NULL;
		}

		void SSL_CTX_up_ref(SSL_CTX *ctx)
		{
		CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
		int i;
		CRYPTO_atomic_add(&ctx->references, 1, &i, ctx->lock);
		}

		void SSL_CTX_free(SSL_CTX *a)
		@@ -2479,7 +2497,7 @@ void SSL_CTX_free(SSL_CTX *a)
		if (a == NULL)
		return;

		i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_SSL_CTX);
		CRYPTO_atomic_add(&a->references, -1, &i, a->lock);
		REF_PRINT_COUNT("SSL_CTX", a);
		if (i > 0)
		return;
		@@ -2528,6 +2546,8 @@ void SSL_CTX_free(SSL_CTX *a)
		#endif
		OPENSSL_free(a->alpn_client_proto_list);

		CRYPTO_THREAD_lock_free(a->lock);

		OPENSSL_free(a);
		}

		@@ -2833,7 +2853,7 @@ void ssl_update_cache(SSL *s, int mode)
		&& ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
		\|\| SSL_CTX_add_session(s->session_ctx, s->session))
		&& (s->session_ctx->new_session_cb != NULL)) {
		CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
		SSL_SESSION_up_ref(s->session);
		if (!s->session_ctx->new_session_cb(s, s->session))
		SSL_SESSION_free(s->session);
		}
		@@ -3069,7 +3089,7 @@ SSL SSL_dup(SSL s)

		/* If we're not quiescent, just up_ref! */
		if (!SSL_in_init(s) \|\| !SSL_in_before(s)) {
		CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL);
		CRYPTO_atomic_add(&s->references, 1, &i, s->lock);
		return s;
		}

		@@ -3382,11 +3402,11 @@ SSL_CTX SSL_set_SSL_CTX(SSL ssl, SSL_CTX *ctx)
		memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
		}

		CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
		SSL_CTX_up_ref(ctx);
		SSL_CTX_free(ssl->ctx); /* decrement reference count */
		ssl->ctx = ctx;

		return (ssl->ctx);
		return ssl->ctx;
		}

		int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)