<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
A while ago, the Solaris security group noticed that stunnel uses
CRYPTO_NUM_LOCKS to size a lock table in the code at compile time.
They noted that there is function CRYPTO_num_locks() that can do the
same thing at runtime and have requested that the function be used
so that FIPS/non-FIPS support can be switched on by users simply
using interposition. As a result of this, I put together this patch
that switches to code to use the function instead of macro.<br>
<br>
-Norm<br>
<blockquote>
<pre># stunnel should use CRYPTO_num_locks() function instead of CRYPTO_NUM_LOCKS
# macro. The function interogates libcrypto at run-time for sizing and the
# macro at compile time. If you interpose a a version at runtime to switch
# between FIPS/non-FIPS support, the lock table may not be sized correctly.
#
diff -r -u stunnel-4.55.orig/src/sthreads.c stunnel-4.55/src/sthreads.c
--- stunnel-4.55.orig/src/sthreads.c 2012-08-09 14:44:18.000000000 -0700
+++ stunnel-4.55/src/sthreads.c 2013-03-21 23:29:34.912001586 -0700
@@ -212,7 +212,7 @@
#ifdef USE_PTHREAD
static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
-static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
+static pthread_mutex_t *lock_cs;
void enter_critical_section(SECTION_CODE i) {
pthread_mutex_lock(stunnel_cs+i);
@@ -275,13 +275,15 @@
int sthreads_init(void) {
int i;
+ int num_locks = CRYPTO_num_locks();
/* initialize stunnel critical sections */
for(i=0; i<CRIT_SECTIONS; i++)
pthread_mutex_init(stunnel_cs+i, NULL);
/* initialize OpenSSL locking callback */
- for(i=0; i<CRYPTO_NUM_LOCKS; i++)
+ lock_cs = calloc(num_locks, sizeof (*lock_cs));
+ for(i=0; i<num_locks; i++)
pthread_mutex_init(lock_cs+i, NULL);
CRYPTO_set_id_callback(stunnel_thread_id);
CRYPTO_set_locking_callback(locking_callback);
</pre>
</blockquote>
</body>
</html>