[asterisk-commits] mjordan: branch 10 r373062 - in /branches/10: ./ channels/ main/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Fri Sep 14 14:13:35 CDT 2012
Author: mjordan
Date: Fri Sep 14 14:12:48 2012
New Revision: 373062
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=373062
Log:
Resolve memory leaks in TLS initialization and TLS client connections
This patch resolves two sources of memory leaks when using TLS in Asterisk:
1) It removes improper initialization (and multiple re-initializations) of
portions of the SSL library. Asterisk calls SSL_library_init and
SSL_load_error_strings during SSL initialization; collectively this
obviates the need for calling any of the following during initialization
or client connection handling:
* ERR_load_crypto_strings (handled by SSL_load_error_strings)
* OpenSSL_add_all_algorithms (synonym for SSL_library_init)
* SSLeay_add_ssl_algorithms (synonym for SSL_library_init)
2) Failure to completely clean up all memory allocated by Asterisk and by
the SSL library for TLS clients. This included not freeing the SSL_CTX
object in the SIP channel driver, as well as not clearing the error
stack when the TLS client exited.
Note that these memory leaks were found by Thomas Arimont, and this patch
was essentially written by him with some minor tweaks.
(closes issue AST-889)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
patches:
(bugAST-889.patch) by Thomas Arimont (license 5525)
Review: https://reviewboard.asterisk.org/r/2105
........
Merged revisions 373061 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Modified:
branches/10/ (props changed)
branches/10/channels/chan_sip.c
branches/10/main/ssl.c
branches/10/main/tcptls.c
Propchange: branches/10/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.
Modified: branches/10/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/chan_sip.c?view=diff&rev=373062&r1=373061&r2=373062
==============================================================================
--- branches/10/channels/chan_sip.c (original)
+++ branches/10/channels/chan_sip.c Fri Sep 14 14:12:48 2012
@@ -2373,6 +2373,8 @@
ast_free(args->tls_cfg->cipher);
ast_free(args->tls_cfg->cafile);
ast_free(args->tls_cfg->capath);
+
+ ast_ssl_teardown(args->tls_cfg);
}
ast_free(args->tls_cfg);
ast_free((char *) args->name);
Modified: branches/10/main/ssl.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/main/ssl.c?view=diff&rev=373062&r1=373061&r2=373062
==============================================================================
--- branches/10/main/ssl.c (original)
+++ branches/10/main/ssl.c Fri Sep 14 14:12:48 2012
@@ -81,9 +81,7 @@
SSL_library_init();
SSL_load_error_strings();
- ERR_load_crypto_strings();
ERR_load_BIO_strings();
- OpenSSL_add_all_algorithms();
/* Make OpenSSL thread-safe. */
Modified: branches/10/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/main/tcptls.c?view=diff&rev=373062&r1=373061&r2=373062
==============================================================================
--- branches/10/main/tcptls.c (original)
+++ branches/10/main/tcptls.c Fri Sep 14 14:12:48 2012
@@ -82,6 +82,7 @@
{
int cookie_fd = SSL_get_fd(cookie);
int ret;
+
if (cookie_fd > -1) {
/*
* According to the TLS standard, it is acceptable for an application to only send its shutdown
@@ -91,6 +92,12 @@
if ((ret = SSL_shutdown(cookie)) < 0) {
ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
}
+
+ if (!((SSL*)cookie)->server) {
+ /* For client threads, ensure that the error stack is cleared */
+ ERR_remove_state(0);
+ }
+
SSL_free(cookie);
/* adding shutdown(2) here has no added benefit */
if (close(cookie_fd)) {
@@ -313,9 +320,6 @@
if (!cfg->enabled)
return 0;
- SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
-
/* Get rid of an old SSL_CTX since we're about to
* allocate a new one
*/
@@ -357,7 +361,6 @@
if (!client) {
/* Clients don't need a certificate, but if its setup we can use it */
ast_verb(0, "SSL error loading cert file. <%s>", cfg->certfile);
- sleep(2);
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
@@ -368,7 +371,6 @@
if (!client) {
/* Clients don't need a private key, but if its setup we can use it */
ast_verb(0, "SSL error loading private key file. <%s>", tmpprivate);
- sleep(2);
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
@@ -380,7 +382,6 @@
if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
if (!client) {
ast_verb(0, "SSL cipher error <%s>", cfg->cipher);
- sleep(2);
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
More information about the asterisk-commits
mailing list