From d38c8395b4f66b8dfcb485628ab548342ac8e54c Mon Sep 17 00:00:00 2001 From: Russell Bryant Date: Wed, 8 Jul 2009 15:22:43 +0000 Subject: [PATCH] Merged revisions 205120 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk ........ r205120 | russell | 2009-07-08 10:17:19 -0500 (Wed, 08 Jul 2009) | 16 lines Move OpenSSL initialization to a single place, make library usage thread-safe. While doing some reading about OpenSSL, I noticed a couple of things that needed to be improved with our usage of OpenSSL. 1) We had initialization of the library done in multiple modules. This has now been moved to a core function that gets executed during Asterisk startup. We already link OpenSSL into the core for TCP/TLS functionality, so this was the most logical place to do it. 2) OpenSSL is not thread-safe by default. However, making it thread safe is very easy. We just have to provide a couple of callbacks. One callback returns a thread ID. The other handles locking. For more information, start with the "Is OpenSSL thread-safe?" question on the FAQ page of openssl.org. ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.0@205139 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 include/asterisk/_private.h | 1 +
 main/Makefile | 2 +-
 main/asterisk.c | 5 ++
 main/ssl.c | 100 ++++++++++++++++++++++++++++++++++++
 res/res_crypto.c | 2 -
 res/res_jabber.c | 4 --
 6 files changed, 107 insertions(+), 7 deletions(-)
 create mode 100644 main/ssl.c
diff --git a/include/asterisk/_private.h b/include/asterisk/_private.h
index 65437c2b22..ae68817411 100644
--- a/include/asterisk/_private.h
+++ b/include/asterisk/_private.h
@@ -34,6 +34,7 @@ int astobj2_init(void); /*!< Provided by astobj2.c */
 int ast_file_init(void); /*!< Provided by file.c */
 int ast_features_init(void); /*!< Provided by features.c */
 void ast_autoservice_init(void); /*!< Provided by autoservice.c */
+int ast_ssl_init(void); /*!< Porvided by ssl.c */
 
 /*!
 * \brief Reload asterisk modules.
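Review bot: The Doxygen comment on the added declaration has a typo: `/*!< Porvided by ssl.c */` should read `/*!< Provided by ssl.c */`, matching the neighbouring entries in the same list. This table is the index of core init hooks, so keeping the wording uniform helps when someone greps for "Provided by".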
diff --git a/main/Makefile b/main/Makefile
index bc4054e511..654fde0e73 100644
--- a/main/Makefile
+++ b/main/Makefile
@@ -28,7 +28,7 @@ OBJS= tcptls.o io.o sched.o logger.o frame.o loader.o config.o channel.o \
 cryptostub.o sha1.o http.o fixedjitterbuf.o abstract_jb.o \
 strcompat.o threadstorage.o dial.o event.o adsistub.o audiohook.o \
 astobj2.o hashtab.o global_datastores.o version.o \
- features.o poll.o
+ features.o poll.o ssl.o
 
 # we need to link in the objects statically, not as a library, because
 # otherwise modules will not have them available if none of the static
diff --git a/main/asterisk.c b/main/asterisk.c
index 95190e2cf8..c6f8ceec80 100644
--- a/main/asterisk.c
+++ b/main/asterisk.c
@@ -3410,6 +3410,11 @@ int main(int argc, char *argv[])
 ast_autoservice_init();
+ if (ast_ssl_init()) {
+ printf("%s", term_quit());
+ exit(1);
+ }
+
 if (load_modules(1)) { /* Load modules, pre-load only */
 printf("%s", term_quit());
 exit(1);
diff --git a/main/ssl.c b/main/ssl.c
new file mode 100644
index 0000000000..4f039c4f17
--- /dev/null
+++ b/main/ssl.c
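Review bot: The new `ast_ssl_init()` call in main() is only effective if nothing that uses OpenSSL runs before it; the locking callbacks it installs take effect globally, but any thread already executing inside OpenSSL at that moment is unsynchronized. main() continues outside the hunk, so I cannot confirm from here where the TCP/TLS and HTTP servers are started relative to this point, and that ordering is the property the commit message relies on. A one-line comment above the new block would pin the intent for future reordering, e.g. `/* Must run before any server or module that may use OpenSSL is started. */`. The failure path mirrors the `load_modules(1)` case below it, which is consistent with the rest of main().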
@@ -0,0 +1,100 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2009, Digium, Inc.
+ *
+ * Russell Bryant
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*!
+ * \file
+ * \brief Common OpenSSL support code
+ *
+ * \author Russell Bryant
+ */
+
+#include "asterisk.h"
+
+ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
+
+#ifdef HAVE_OPENSSL
+#include
+#include
+#endif
+
+#include "asterisk/_private.h" /* ast_ssl_init() */
+
+#include "asterisk/utils.h"
+#include "asterisk/lock.h"
+
+#ifdef HAVE_OPENSSL
+
+static ast_mutex_t *ssl_locks;
+
+static int ssl_num_locks;
+
+static unsigned long ssl_threadid(void)
+{
+ return pthread_self();
+}
+
+static void ssl_lock(int mode, int n, const char *file, int line)
+{
+ if (n < 0 || n >= ssl_num_locks) {
+ ast_log(LOG_ERROR, "OpenSSL is full of LIES!!! - "
+ "ssl_num_locks '%d' - n '%d'\n",
+ ssl_num_locks, n);
+ return;
+ }
+
+ if (mode & CRYPTO_LOCK) {
+ ast_mutex_lock(&ssl_locks[n]);
+ } else {
+ ast_mutex_unlock(&ssl_locks[n]);
+ }
+}
+
+#endif /* HAVE_OPENSSL */
+
+/*!
+ * \internal
+ * \brief Common OpenSSL initialization for all of Asterisk.
+ */
+int ast_ssl_init(void)
+{
+#ifdef HAVE_OPENSSL
+ unsigned int i;
+
+ SSL_library_init();
+ SSL_load_error_strings();
+ ERR_load_crypto_strings();
+ ERR_load_BIO_strings();
+ OpenSSL_add_all_algorithms();
+
+ /* Make OpenSSL thread-safe. */
+
+ CRYPTO_set_id_callback(ssl_threadid);
+
+ ssl_num_locks = CRYPTO_num_locks();
+ if (!(ssl_locks = ast_calloc(ssl_num_locks, sizeof(ssl_locks[0])))) {
+ return -1;
+ }
+ for (i = 0; i < ssl_num_locks; i++) {
+ ast_mutex_init(&ssl_locks[i]);
+ }
+ CRYPTO_set_locking_callback(ssl_lock);
+
+#endif /* HAVE_OPENSSL */
+ return 0;
+}
+
diff --git a/res/res_crypto.c b/res/res_crypto.c
index e55abe891c..1a779968fa 100644
--- a/res/res_crypto.c
+++ b/res/res_crypto.c
@@ -585,8 +585,6 @@ static struct ast_cli_entry cli_crypto[] = {
 /*! \brief initialise the res_crypto module */
 static int crypto_init(void)
 {
- SSL_library_init();
- ERR_load_crypto_strings();
 ast_cli_register_multiple(cli_crypto, sizeof(cli_crypto) / sizeof(struct ast_cli_entry));
 
 /* Install ourselves into stubs */
diff --git a/res/res_jabber.c b/res/res_jabber.c
index 543dd909bd..5751f42c32 100644
--- a/res/res_jabber.c
+++ b/res/res_jabber.c
@@ -541,10 +541,6 @@ static int aji_tls_handshake(struct aji_client *client)
 ast_debug(1, "Starting TLS handshake\n");
- /* Load encryption, hashing algorithms and error strings */
- SSL_library_init();
- SSL_load_error_strings();
- /* Choose an SSL/TLS protocol version, create SSL_CTX */
 client->ssl_method = SSLv3_method();
 client->ssl_context = SSL_CTX_new(client->ssl_method);
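Review bot: In `ast_ssl_init()` the loop `for (i = 0; i < ssl_num_locks; i++)` compares an `unsigned int` with the `int` `ssl_num_locks`; since `CRYPTO_num_locks()` returns `int`, declaring `int i;` keeps the types consistent and avoids a sign-compare warning. `ssl_threadid()` converts `pthread_self()` to `unsigned long` implicitly, which is correct where `pthread_t` is an integer type but `pthread_t` is not required to be one, so an explicit `return (unsigned long) pthread_self();` at least makes the assumption visible; whether any platform Asterisk supports has a non-integer `pthread_t` I cannot tell from here. The `\brief` on `ast_ssl_init()` should also state the contract the code relies on: it must be called exactly once, before any other thread uses OpenSSL, because the locking callback is installed last and `ssl_locks` is neither freed nor unregistered for the life of the process. No `CRYPTO_set_dynlock_*` callbacks are registered; whether the OpenSSL features Asterisk uses need dynamic locks is not visible in this hunk and is worth confirming against the OpenSSL threads(3) documentation.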