SSLPlugin race condition fix
+ minor corrections to PCREPlugin
This commit is contained in:
parent
7951de875a
commit
522e6732fe
@ -14,7 +14,7 @@ LN = link
|
|||||||
LDFLAGS = /nologo /subsystem:console /incremental:no /machine:I386
|
LDFLAGS = /nologo /subsystem:console /incremental:no /machine:I386
|
||||||
DLFLAGS = /DLL
|
DLFLAGS = /DLL
|
||||||
DLSUFFICS = .dll
|
DLSUFFICS = .dll
|
||||||
LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib
|
LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib libeay32MT.lib ssleay32MT.lib
|
||||||
LIBSOLD = libeay32MT.lib ssleay32MT.lib
|
LIBSOLD = libeay32MT.lib ssleay32MT.lib
|
||||||
LIBEXT = .lib
|
LIBEXT = .lib
|
||||||
LNOUT = /out:
|
LNOUT = /out:
|
||||||
@ -26,7 +26,7 @@ REMOVECOMMAND = del 2>NUL >NUL
|
|||||||
TYPECOMMAND = type
|
TYPECOMMAND = type
|
||||||
COMPATLIBS =
|
COMPATLIBS =
|
||||||
MAKEFILE = Makefile.msvc
|
MAKEFILE = Makefile.msvc
|
||||||
PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin lastFripper FilePlugin
|
PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin lastFripper FilePlugin SSLPlugin
|
||||||
VERFILE = $(VERFILE)
|
VERFILE = $(VERFILE)
|
||||||
|
|
||||||
include Makefile.inc
|
include Makefile.inc
|
||||||
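Review bot: `LIBS` now carries `libeay32MT.lib ssleay32MT.lib` while `LIBSOLD` two lines below still lists the same two libraries, so any rule that links both variables pulls OpenSSL in twice. If `LIBSOLD` is no longer referenced once SSLPlugin is built from `LIBS`, it can become `LIBSOLD =` or be removed; if some plugin rule still uses it, the OpenSSL libraries should live in only one of the two. Which rules consume `LIBSOLD` is not visible in this hunk.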
|
@ -229,12 +229,12 @@ static int h_pcre(int argc, unsigned char **argv){
|
|||||||
struct filter *newf;
|
struct filter *newf;
|
||||||
char *replace = NULL;
|
char *replace = NULL;
|
||||||
|
|
||||||
if(!strcmp(argv[2], "allow")) action = PASS;
|
if(!strncmp(argv[2], "allow",5)) action = PASS;
|
||||||
else if(!strcmp(argv[2], "deny")) action = REJECT;
|
else if(!strncmp(argv[2], "deny",4)) action = REJECT;
|
||||||
else if(!strcmp(argv[2], "remove")) action = REMOVE;
|
else if(!strncmp(argv[2], "remove",6)) action = REMOVE;
|
||||||
else if(!strcmp(argv[2], "dunno")) action = CONTINUE;
|
else if(!strncmp(argv[2], "dunno",5)) action = CONTINUE;
|
||||||
else return 1;
|
else return 1;
|
||||||
if(!strcmp(argv[0], "pcre_rewrite")) {
|
if(!strncmp(argv[0], "pcre_rewrite", 12)) {
|
||||||
int i,j;
|
int i,j;
|
||||||
offset = 5;
|
offset = 5;
|
||||||
replace = pl->mystrdup(argv[4]);
|
replace = pl->mystrdup(argv[4]);
|
||||||
@ -266,6 +266,7 @@ static int h_pcre(int argc, unsigned char **argv){
|
|||||||
replace[j] = 0;
|
replace[j] = 0;
|
||||||
}
|
}
|
||||||
if(!(acl = pl->make_ace(argc - offset, argv + offset))) return 2;
|
if(!(acl = pl->make_ace(argc - offset, argv + offset))) return 2;
|
||||||
|
acl->nolog = (strstr(argv[2],"log") == 0);
|
||||||
if(*argv[3] && !(*argv[3] == '*' && !argv[3][1]) ){
|
if(*argv[3] && !(*argv[3] == '*' && !argv[3][1]) ){
|
||||||
re = pcre_compile((char *)argv[3], pcre_options, &errptr, &offset, NULL);
|
re = pcre_compile((char *)argv[3], pcre_options, &errptr, &offset, NULL);
|
||||||
if(!re) {
|
if(!re) {
|
||||||
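Review bot: Replacing `strcmp` with `strncmp(argv[2], "allow",5)` (and the `deny`/`remove`/`dunno` lines that follow) turns the action check into a prefix check, so `allowed`, `denyXYZ` or `dunno_foo` are now accepted as valid actions; the new `acl->nolog = (strstr(argv[2],"log") == 0);` line suggests the intent is only to recognise a `log` suffix. A stricter test compares the tail after the keyword against "" or "log" and rejects anything else, which a small helper can do for all four keywords; `strncmp(argv[0], "pcre_rewrite", 12)` has the same prefix behaviour. `strncmp`/`strstr` also take `const char *` while `argv` is `unsigned char **` (see the `(char *)argv[3]` cast further down), so casts in the helper avoid sign-mismatch warnings. h_pcre starts and ends outside this hunk.
```c
/* accept "<kw>" or "<kw>log" exactly; any other tail is a config error */
static int pcre_action_is(const unsigned char *arg, const char *kw, size_t kwlen){
	if(strncmp((const char *)arg, kw, kwlen)) return 0;
	return !arg[kwlen] || !strcmp((const char *)arg + kwlen, "log");
}
/* … unchanged: h_pcre prologue … */
	if(pcre_action_is(argv[2], "allow", 5)) action = PASS;
	else if(pcre_action_is(argv[2], "deny", 4)) action = REJECT;
	else if(pcre_action_is(argv[2], "remove", 6)) action = REMOVE;
	else if(pcre_action_is(argv[2], "dunno", 5)) action = CONTINUE;
	else return 1;
/* … unchanged: pcre_rewrite handling, make_ace, nolog, pcre_compile … */
```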
|
@ -8,6 +8,9 @@
|
|||||||
#include <memory.h>
|
#include <memory.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
|
#ifndef _WIN32
|
||||||
|
#include <sys/file.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include <openssl/crypto.h>
|
#include <openssl/crypto.h>
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
@ -110,20 +113,23 @@ SSL_CERT ssl_copy_cert(SSL_CERT cert)
|
|||||||
static char hash_name[sizeof(src_cert->sha1_hash)*2 + 1];
|
static char hash_name[sizeof(src_cert->sha1_hash)*2 + 1];
|
||||||
static char cache_name[200];
|
static char cache_name[200];
|
||||||
|
|
||||||
pthread_mutex_lock(&ssl_file_mutex);
|
|
||||||
bin2hex(src_cert->sha1_hash, sizeof(src_cert->sha1_hash), hash_name, sizeof(hash_name));
|
bin2hex(src_cert->sha1_hash, sizeof(src_cert->sha1_hash), hash_name, sizeof(hash_name));
|
||||||
sprintf(cache_name, "%s%s.pem", cert_path, hash_name);
|
sprintf(cache_name, "%s%s.pem", cert_path, hash_name);
|
||||||
/* check if certificate is already cached */
|
/* check if certificate is already cached */
|
||||||
fcache = fopen(cache_name, "rb");
|
fcache = fopen(cache_name, "rb");
|
||||||
if ( fcache != NULL ) {
|
if ( fcache != NULL ) {
|
||||||
|
#ifndef _WIN32
|
||||||
|
flock(fileno(fcache), LOCK_SH);
|
||||||
|
#endif
|
||||||
dst_cert = PEM_read_X509(fcache, &dst_cert, NULL, NULL);
|
dst_cert = PEM_read_X509(fcache, &dst_cert, NULL, NULL);
|
||||||
|
#ifndef _WIN32
|
||||||
|
flock(fileno(fcache), LOCK_UN);
|
||||||
|
#endif
|
||||||
fclose(fcache);
|
fclose(fcache);
|
||||||
if ( dst_cert != NULL ){
|
if ( dst_cert != NULL ){
|
||||||
pthread_mutex_unlock(&ssl_file_mutex);
|
|
||||||
return dst_cert;
|
return dst_cert;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
pthread_mutex_unlock(&ssl_file_mutex);
|
|
||||||
|
|
||||||
/* proceed if certificate is not cached */
|
/* proceed if certificate is not cached */
|
||||||
dst_cert = X509_dup(src_cert);
|
dst_cert = X509_dup(src_cert);
|
||||||
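Review bot: Removing `pthread_mutex_lock(&ssl_file_mutex);` from the cache lookup leaves `hash_name` and `cache_name` unprotected, and both are `static char` buffers shared by every thread that calls ssl_copy_cert; two concurrent calls can now overwrite each other's path between `bin2hex`/`sprintf` and `fopen`, so one thread may read — or, in the write hunk at `@ -163,13 +169,17 @@`, write — the cache file belonging to the other thread's certificate. The buffers were already exposed between the old unlock and re-lock, but the `flock()` added here only serialises the file, not these buffers, and on `_WIN32` no lock at all remains. Making them automatic, `char hash_name[sizeof(src_cert->sha1_hash)*2 + 1];` and `char cache_name[200];`, removes the shared state without touching the locking. The write hunk additionally opens with `"wb"`, which truncates the file before `LOCK_EX` is taken, so a reader that already holds `LOCK_SH` can see a truncated file; writing to a temporary name and renaming it over the cache entry would avoid that. ssl_copy_cert starts before this hunk.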
@ -163,13 +169,17 @@ SSL_CERT ssl_copy_cert(SSL_CERT cert)
|
|||||||
|
|
||||||
/* write to cache */
|
/* write to cache */
|
||||||
|
|
||||||
pthread_mutex_lock(&ssl_file_mutex);
|
|
||||||
fcache = fopen(cache_name, "wb");
|
fcache = fopen(cache_name, "wb");
|
||||||
if ( fcache != NULL ) {
|
if ( fcache != NULL ) {
|
||||||
|
#ifndef _WIN32
|
||||||
|
flock(fileno(fcache), LOCK_EX);
|
||||||
|
#endif
|
||||||
PEM_write_X509(fcache, dst_cert);
|
PEM_write_X509(fcache, dst_cert);
|
||||||
|
#ifndef _WIN32
|
||||||
|
flock(fileno(fcache), LOCK_UN);
|
||||||
|
#endif
|
||||||
fclose(fcache);
|
fclose(fcache);
|
||||||
}
|
}
|
||||||
pthread_mutex_unlock(&ssl_file_mutex);
|
|
||||||
return dst_cert;
|
return dst_cert;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -212,6 +222,10 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, SSL_CERT *server_cert, char **errSSL)
|
|||||||
}
|
}
|
||||||
|
|
||||||
cert = SSL_get_peer_certificate(conn->ssl);
|
cert = SSL_get_peer_certificate(conn->ssl);
|
||||||
|
if(!cert) {
|
||||||
|
ssl_conn_free(conn);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
/* TODO: Verify certificate */
|
/* TODO: Verify certificate */
|
||||||
|
|
||||||
@ -312,10 +326,14 @@ void ssl_conn_free(SSL_CONN connection)
|
|||||||
{
|
{
|
||||||
ssl_conn *conn = (ssl_conn *) connection;
|
ssl_conn *conn = (ssl_conn *) connection;
|
||||||
|
|
||||||
SSL_shutdown(conn->ssl);
|
if(conn){
|
||||||
SSL_free(conn->ssl);
|
if(conn->ssl){
|
||||||
SSL_CTX_free(conn->ctx);
|
SSL_shutdown(conn->ssl);
|
||||||
free(conn);
|
SSL_free(conn->ssl);
|
||||||
|
}
|
||||||
|
if(conn->ctx) SSL_CTX_free(conn->ctx);
|
||||||
|
free(conn);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void _ssl_cert_free(SSL_CERT cert)
|
void _ssl_cert_free(SSL_CERT cert)
|
||||||
|
@ -53,13 +53,15 @@ struct SSLqueue {
|
|||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Todo: use hashtable
|
TO DO: use hashtable
|
||||||
*/
|
*/
|
||||||
static struct SSLqueue *searchSSL(SOCKET s){
|
static struct SSLqueue *searchSSL(SOCKET s){
|
||||||
struct SSLqueue *sslq;
|
struct SSLqueue *sslq = NULL;
|
||||||
|
pthread_mutex_lock(&ssl_mutex);
|
||||||
for(sslq = SSLq; sslq; sslq = sslq->next)
|
for(sslq = SSLq; sslq; sslq = sslq->next)
|
||||||
if(sslq->s == s) return sslq;
|
if(sslq->s == s) break;
|
||||||
return NULL;
|
pthread_mutex_lock(&ssl_mutex);
|
||||||
|
return sslq;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void addSSL(SOCKET s, SSL_CERT cert, SSL_CONN conn, struct clientparam* param){
|
static void addSSL(SOCKET s, SSL_CERT cert, SSL_CONN conn, struct clientparam* param){
|
||||||
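Review bot: The second `pthread_mutex_lock(&ssl_mutex);` after the loop should be `pthread_mutex_unlock(&ssl_mutex);` — as written searchSSL takes the lock twice and never releases it, so the first call deadlocks its caller (or is undefined for a default non-recursive mutex) and every later addSSL or lookup on the queue blocks behind it. Even with the unlock in place, the returned `sslq` points into the list after the lock is released, so a concurrent removal could free it before the caller uses it; whether that can happen depends on the delete path, which is outside this hunk.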
|
@ -1,2 +1,2 @@
|
|||||||
#define VERSION "3proxy-0.8b-devel"
|
#define VERSION "3proxy-0.8b-devel"
|
||||||
#define BUILDDATE "150216013249"
|
#define BUILDDATE "150302205552"
|
||||||
|