Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
apache2.15682
apache2-avoid-crypto_threadid.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File apache2-avoid-crypto_threadid.patch of Package apache2.15682
From d7dad162b7294df358284134c06d0889076d98af Mon Sep 17 00:00:00 2001 From: Jacob Champion <jchampion@apache.org> Date: Tue, 18 Apr 2017 00:19:32 +0000 Subject: [PATCH] PR60947: avoid CRYPTO_THREADID_set_callback() if possible CRYPTO_THREADID_set_callback() is write-once, so if mod_ssl is unloaded and reloaded into a different address, we'll crash if OpenSSL wasn't also unloaded and reloaded at the same time. This can happen if another module or library is using OpenSSL as well. - OpenSSL 1.1.0 isn't affected. - Certain platforms (Windows, BeOS, and POSIX-compliant systems) can make use of the default THREADID callback in OpenSSL 1.0.x. - If the deprecated CRYPTO_set_id_callback() is available, we can use it instead of CRYPTO_THREADID_set_callback(). Otherwise, we have to fall back to CRYPTO_THREADID_set_callback(), but hopefully that applies to a small percentage of users at this point. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/trunk-openssl-threadid@1791732 13f79535-47bb-0310-9956-ffa450edef68 --- acinclude.m4 | 3 +- modules/ssl/ssl_util.c | 67 ++++++++++++++++++++++++++++-------------- 2 files changed, 47 insertions(+), 23 deletions(-) Index: httpd-2.4.23/acinclude.m4 =================================================================== --- httpd-2.4.23.orig/acinclude.m4 +++ httpd-2.4.23/acinclude.m4 @@ -587,7 +587,8 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[ liberrors="" AC_CHECK_HEADERS([openssl/engine.h]) AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) - AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd]) + AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd \ + CRYPTO_set_id_callback]) if test "x$liberrors" != "x"; then AC_MSG_WARN([OpenSSL libraries are unusable]) fi Index: httpd-2.4.23/modules/ssl/ssl_util.c =================================================================== --- httpd-2.4.23.orig/modules/ssl/ssl_util.c +++ httpd-2.4.23/modules/ssl/ssl_util.c @@ -252,6 +252,13 @@ void ssl_asn1_table_unset(apr_hash_t *ta * To ensure thread-safetyness in OpenSSL - work in progress */ +#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && \ + (_WIN32 || __BEOS__ || AP_OPENSSL_USE_ERRNO_THREADID) +/* Windows and BeOS can use the default THREADID callback shipped with OpenSSL + * 1.0.x, as can any platform with a thread-safe errno. */ +# define DEFAULT_THREADID_IS_SAFE 1 +#endif + static apr_thread_mutex_t **lock_cs; static int lock_num_locks; @@ -363,6 +370,13 @@ static void ssl_dyn_destroy_function(str apr_pool_destroy(l->pool); } +#if DEFAULT_THREADID_IS_SAFE + +/* We don't need to set up a threadid callback on this platform. */ +void ssl_util_thread_id_setup(apr_pool_t *p) { } + +#else + /** * Used by both versions of ssl_util_thr_id(). Returns an unsigned long that * should be unique to the currently executing thread. @@ -384,33 +398,54 @@ static unsigned long ssl_util_thr_id_int return (unsigned long) apr_os_thread_current(); #endif } -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -static void ssl_util_thr_id(CRYPTO_THREADID *id) +#if HAVE_CRYPTO_SET_ID_CALLBACK + +static unsigned long ssl_util_thr_id(void) { - CRYPTO_THREADID_set_numeric(id, ssl_util_thr_id_internal()); + return ssl_util_thr_id_internal(); } #else -static unsigned long ssl_util_thr_id(void) +static void ssl_util_thr_id(CRYPTO_THREADID *id) { - return ssl_util_thr_id_internal(); + CRYPTO_THREADID_set_numeric(id, ssl_util_thr_id_internal()); } -#endif +#endif /* HAVE_CRYPTO_SET_ID_CALLBACK */ static apr_status_t ssl_util_thr_id_cleanup(void *old) { -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - CRYPTO_THREADID_set_callback(old); -#else +#if HAVE_CRYPTO_SET_ID_CALLBACK CRYPTO_set_id_callback(old); +#else + /* XXX This does nothing. The new-style THREADID callback is write-once. */ + CRYPTO_THREADID_set_callback(old); #endif return APR_SUCCESS; } +void ssl_util_thread_id_setup(apr_pool_t *p) +{ +#if HAVE_CRYPTO_SET_ID_CALLBACK + /* This API is deprecated, but we prefer it to its replacement since it + * allows us to unset the callback when this module is being unloaded. */ + CRYPTO_set_id_callback(ssl_util_thr_id); +#else + /* This is a last resort. We can only set this once, which means that we'd + * better not get loaded into a different address during a restart. See + * PR60947. */ + CRYPTO_THREADID_set_callback(ssl_util_thr_id); +#endif + + apr_pool_cleanup_register(p, NULL, ssl_util_thr_id_cleanup, + apr_pool_cleanup_null); +} + +#endif /* DEFAULT_THREADID_IS_SAFE */ + static apr_status_t ssl_util_thread_cleanup(void *data) { CRYPTO_set_locking_callback(NULL); @@ -451,15 +486,5 @@ void ssl_util_thread_setup(apr_pool_t *p apr_pool_cleanup_null); } -void ssl_util_thread_id_setup(apr_pool_t *p) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - CRYPTO_THREADID_set_callback(ssl_util_thr_id); -#else - CRYPTO_set_id_callback(ssl_util_thr_id); -#endif - apr_pool_cleanup_register(p, NULL, ssl_util_thr_id_cleanup, - apr_pool_cleanup_null); -} #endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ #endif /* #if APR_HAS_THREADS */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor