tls-openssl: using a mutex to guard access to certificate files
franku committed Dec 18, 2018
1 parent 7e0e15b commit b1ef2db
Showing 2 changed files with 7 additions and 1 deletion.
7 changes: 6 additions & 1 deletion core/src/lib/tls_openssl_private.cc
Expand Up @@ -38,6 +38,7 @@
/* static private */
std::map<const SSL_CTX *, PskCredentials> TlsOpenSslPrivate::psk_client_credentials_;
std::mutex TlsOpenSslPrivate::psk_client_credentials_mutex_;
std::mutex TlsOpenSslPrivate::file_access_mutex_;

/* static private */
/* No anonymous ciphers, no <128 bit ciphers, no export ciphers, no MD5 ciphers */
Expand Down Expand Up @@ -107,6 +108,7 @@ bool TlsOpenSslPrivate::init()
const char *ca_certdir = ca_certdir_.empty() ? nullptr : ca_certdir_.c_str();

if (ca_certfile || ca_certdir) { /* at least one should be set */
std::lock_guard<std::mutex> lg(file_access_mutex_);
if (!SSL_CTX_load_verify_locations(openssl_ctx_, ca_certfile, ca_certdir)) {
OpensslPostErrors(M_FATAL, _("Error loading certificate verification stores"));
return false;
Expand All @@ -119,20 +121,23 @@ bool TlsOpenSslPrivate::init()

#if (OPENSSL_VERSION_NUMBER >= 0x00907000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
if (!crlfile_.empty()) {
std::lock_guard<std::mutex> lg(file_access_mutex_);
if (!SetCertificateRevocationList(crlfile_, openssl_ctx_)) {
return false;
}
}
#endif

if (!certfile_.empty()) {
std::lock_guard<std::mutex> lg(file_access_mutex_);
if (!SSL_CTX_use_certificate_chain_file(openssl_ctx_, certfile_.c_str())) {
OpensslPostErrors(M_FATAL, _("Error loading certificate file"));
return false;
}
}

if (!keyfile_.empty()) {
std::lock_guard<std::mutex> lg(file_access_mutex_);
if (!SSL_CTX_use_PrivateKey_file(openssl_ctx_, keyfile_.c_str(), SSL_FILETYPE_PEM)) {
OpensslPostErrors(M_FATAL, _("Error loading private key"));
return false;
Expand All @@ -141,6 +146,7 @@ bool TlsOpenSslPrivate::init()

if (!dhfile_.empty()) { /* Diffie-Hellman parameters */
BIO *bio;
std::lock_guard<std::mutex> lg(file_access_mutex_);
if (!(bio = BIO_new_file(dhfile_.c_str(), "r"))) {
OpensslPostErrors(M_FATAL, _("Unable to open DH parameters file"));
return false;
Expand All @@ -156,7 +162,6 @@ bool TlsOpenSslPrivate::init()
DH_free(dh);
return false;
}

SSL_CTX_set_options(openssl_ctx_, SSL_OP_SINGLE_DH_USE);
}

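Review bot: Each file load takes and releases `file_access_mutex_` in its own block, so the lock is dropped between `SSL_CTX_use_certificate_chain_file` and `SSL_CTX_use_PrivateKey_file` and another init() can interleave there; if the mutex is meant to read the certificate and key files as a consistent pair, a single `std::lock_guard<std::mutex> lg(file_access_mutex_);` placed before the `if (ca_certfile || ca_certdir)` block, with the per-block guards removed, would be needed. As written the mutex only serializes this process's own reads of these files; it gives no protection against the files being replaced by another process mid-read, which is worth saying in a comment on the mutex so nobody assumes otherwise. `OpensslPostErrors` is called while the lock is held in every block, and `std::mutex` is not recursive, so that call must never reach code that locks `file_access_mutex_` again — presumably it does not, but worth confirming. init() begins and ends outside these hunks.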
1 change: 1 addition & 0 deletions core/src/lib/tls_openssl_private.h
Expand Up @@ -64,6 +64,7 @@ class TlsOpenSslPrivate {
/* PskCredentials lookup map for all connections */
static std::map<const SSL_CTX *, PskCredentials> psk_client_credentials_;
static std::mutex psk_client_credentials_mutex_;
static std::mutex file_access_mutex_;

/* tls_default_ciphers_ if no user ciphers given */
static const std::string tls_default_ciphers_;
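Review bot: The new `file_access_mutex_` member has no comment saying what it guards, while the neighbouring map carries one (`/* PskCredentials lookup map for all connections */`). Suggest `/* Serializes the certificate, key, CRL and DH parameter file loads in init() */` above the declaration, so that anyone adding another file access later knows to hold it. The class body continues outside the hunk.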
