From 0e8c6302240c78d6b86284aaeab25693c1c6d444 Mon Sep 17 00:00:00 2001
From: Russell Bryant <russell@russellbryant.com>
Date: Wed, 8 Jul 2009 15:17:19 +0000
Subject: [PATCH] Move OpenSSL initialization to a single place, make library
usage thread-safe.
While doing some reading about OpenSSL, I noticed a couple of things that
needed to be improved with our usage of OpenSSL.
1) We had initialization of the library done in multiple modules. This has now
been moved to a core function that gets executed during Asterisk startup.
We already link OpenSSL into the core for TCP/TLS functionality, so this
was the most logical place to do it.
2) OpenSSL is not thread-safe by default. However, making it thread safe is
very easy. We just have to provide a couple of callbacks. One callback
returns a thread ID. The other handles locking. For more information,
start with the "Is OpenSSL thread-safe?" question on the FAQ page of
openssl.org.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@205120 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
include/asterisk/_private.h | 1 +
main/asterisk.c | 5 ++
main/ssl.c | 100 ++++++++++++++++++++++++++++++++++++
res/res_crypto.c | 2 -
res/res_jabber.c | 4 --
5 files changed, 106 insertions(+), 6 deletions(-)
create mode 100644 main/ssl.c
diff --git a/include/asterisk/_private.h b/include/asterisk/_private.h
index fc65a463c0..b6b26597e9 100644
--- a/include/asterisk/_private.h
+++ b/include/asterisk/_private.h
@@ -44,6 +44,7 @@ int ast_indications_reload(void);/*!< Provided by indications.c */
void ast_stun_init(void); /*!< Provided by stun.c */
int ast_cel_engine_init(void); /*!< Provided by cel.c */
int ast_cel_engine_reload(void); /*!< Provided by cel.c */
+int ast_ssl_init(void); /*!< Porvided by ssl.c */
/*!
* \brief Reload asterisk modules.
diff --git a/main/asterisk.c b/main/asterisk.c
index b497a64a58..3e9837641f 100644
--- a/main/asterisk.c
+++ b/main/asterisk.c
@@ -3571,6 +3571,11 @@ int main(int argc, char *argv[])
exit(1);
}
+ if (ast_ssl_init()) {
+ printf("%s", term_quit());
+ exit(1);
+ }
+
#ifdef AST_XML_DOCS
/* Load XML documentation. */
ast_xmldoc_load_documentation();
diff --git a/main/ssl.c b/main/ssl.c
new file mode 100644
index 0000000000..4f039c4f17
--- /dev/null
+++ b/main/ssl.c
@@ -0,0 +1,100 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2009, Digium, Inc.
+ *
+ * Russell Bryant <russell@digium.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*!
+ * \file
+ * \brief Common OpenSSL support code
+ *
+ * \author Russell Bryant <russell@digium.com>
+ */
+
+#include "asterisk.h"
+
+ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
+
+#ifdef HAVE_OPENSSL
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif
+
+#include "asterisk/_private.h" /* ast_ssl_init() */
+
+#include "asterisk/utils.h"
+#include "asterisk/lock.h"
+
+#ifdef HAVE_OPENSSL
+
+static ast_mutex_t *ssl_locks;
+
+static int ssl_num_locks;
+
+static unsigned long ssl_threadid(void)
+{
+ return pthread_self();
+}
+
+static void ssl_lock(int mode, int n, const char *file, int line)
+{
+ if (n < 0 || n >= ssl_num_locks) {
+ ast_log(LOG_ERROR, "OpenSSL is full of LIES!!! - "
+ "ssl_num_locks '%d' - n '%d'\n",
+ ssl_num_locks, n);
+ return;
+ }
+
+ if (mode & CRYPTO_LOCK) {
+ ast_mutex_lock(&ssl_locks[n]);
+ } else {
+ ast_mutex_unlock(&ssl_locks[n]);
+ }
+}
+
+#endif /* HAVE_OPENSSL */
+
+/*!
+ * \internal
+ * \brief Common OpenSSL initialization for all of Asterisk.
+ */
+int ast_ssl_init(void)
+{
+#ifdef HAVE_OPENSSL
+ unsigned int i;
+
+ SSL_library_init();
+ SSL_load_error_strings();
+ ERR_load_crypto_strings();
+ ERR_load_BIO_strings();
+ OpenSSL_add_all_algorithms();
+
+ /* Make OpenSSL thread-safe. */
+
+ CRYPTO_set_id_callback(ssl_threadid);
+
+ ssl_num_locks = CRYPTO_num_locks();
+ if (!(ssl_locks = ast_calloc(ssl_num_locks, sizeof(ssl_locks[0])))) {
+ return -1;
+ }
+ for (i = 0; i < ssl_num_locks; i++) {
+ ast_mutex_init(&ssl_locks[i]);
+ }
+ CRYPTO_set_locking_callback(ssl_lock);
+
+#endif /* HAVE_OPENSSL */
+ return 0;
+}
+
diff --git a/res/res_crypto.c b/res/res_crypto.c
index d8bf1da45b..9a39b2fa03 100644
--- a/res/res_crypto.c
+++ b/res/res_crypto.c
@@ -585,8 +585,6 @@ static struct ast_cli_entry cli_crypto[] = {
/*! \brief initialise the res_crypto module */
static int crypto_init(void)
{
- SSL_library_init();
- ERR_load_crypto_strings();
ast_cli_register_multiple(cli_crypto, ARRAY_LEN(cli_crypto));
/* Install ourselves into stubs */
diff --git a/res/res_jabber.c b/res/res_jabber.c
index c918d2e09e..e7feb37dfa 100644
--- a/res/res_jabber.c
+++ b/res/res_jabber.c
@@ -639,10 +639,6 @@ static int aji_tls_handshake(struct aji_client *client)
ast_debug(1, "Starting TLS handshake\n");
- /* Load encryption, hashing algorithms and error strings */
- SSL_library_init();
- SSL_load_error_strings();
-
/* Choose an SSL/TLS protocol version, create SSL_CTX */
client->ssl_method = SSLv3_method();
client->ssl_context = SSL_CTX_new(client->ssl_method);
--
GitLab