Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/IceSSL/Context.cpp26
-rw-r--r--cpp/src/IceSSL/Context.h2
-rw-r--r--cpp/src/IceSSL/OpenSSLPluginI.cpp30
-rw-r--r--cpp/src/IceSSL/OpenSSLPluginI.h1
-rw-r--r--cpp/src/IceSSL/OpenSSLUtils.cpp17
-rw-r--r--cpp/src/IceSSL/RSACertificateGen.cpp19
-rw-r--r--cpp/src/IceSSL/RSAPublicKey.cpp4
-rw-r--r--cpp/src/IceSSL/SslTransceiver.cpp8
8 files changed, 75 insertions, 32 deletions
diff --git a/cpp/src/IceSSL/Context.cpp b/cpp/src/IceSSL/Context.cpp
index 71dd0d8af97..6edb2294fc1 100644
--- a/cpp/src/IceSSL/Context.cpp
+++ b/cpp/src/IceSSL/Context.cpp
@@ -37,12 +37,7 @@ void IceInternal::decRef(::IceSSL::Context* p) { p->__decRef(); }
IceSSL::Context::~Context()
{
- if(_sslContext != 0)
- {
- SSL_CTX_free(_sslContext);
-
- _sslContext = 0;
- }
+ cleanUp();
}
bool
@@ -52,6 +47,17 @@ IceSSL::Context::isConfigured()
}
void
+IceSSL::Context::cleanUp()
+{
+ if(_sslContext != 0)
+ {
+ SSL_CTX_free(_sslContext);
+
+ _sslContext = 0;
+ }
+}
+
+void
IceSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier)
{
_certificateVerifier = verifier;
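Review bot: `cleanUp()` is added as a public, non-virtual method that frees the `SSL_CTX`, but neither this definition nor the `Context.h` declaration states its contract. The null check makes repeated calls safe, which the destructor now relies on. Nothing visible stops a caller from invoking it while another thread is still configuring this context or creating connections from it. I would add a comment on the declaration such as `// Releases the SSL_CTX; safe to call more than once. Call only during plugin shutdown, when no other thread uses this context.` If only the plugin is meant to call it, consider narrowing the access.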
@@ -74,8 +80,7 @@ IceSSL::Context::addTrustedCertificate(const Ice::ByteSeq& trustedCert)
}
void
-IceSSL::Context::setRSAKeysBase64(const string& privateKey,
- const string& publicKey)
+IceSSL::Context::setRSAKeysBase64(const string& privateKey, const string& publicKey)
{
if(privateKey.empty())
{
@@ -264,7 +269,6 @@ IceSSL::Context::loadCertificateAuthority(const CertificateAuthority& certAuth)
{
int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(_sslContext);
-
if(!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
{
Trace out(_communicator->getLogger(), _traceLevels->securityCat);
@@ -282,8 +286,8 @@ IceSSL::Context::loadCertificateAuthority(const CertificateAuthority& certAuth)
void
IceSSL::Context::setKeyCert(const CertificateDesc& certDesc,
- const string& privateProperty,
- const string& publicProperty)
+ const string& privateProperty,
+ const string& publicProperty)
{
string privateKey;
string publicKey;
diff --git a/cpp/src/IceSSL/Context.h b/cpp/src/IceSSL/Context.h
index 05a572bea3c..337b7e533b9 100644
--- a/cpp/src/IceSSL/Context.h
+++ b/cpp/src/IceSSL/Context.h
@@ -40,6 +40,8 @@ public:
bool isConfigured();
+ void cleanUp();
+
virtual void setCertificateVerifier(const CertificateVerifierPtr&);
virtual void addTrustedCertificateBase64(const std::string&);
diff --git a/cpp/src/IceSSL/OpenSSLPluginI.cpp b/cpp/src/IceSSL/OpenSSLPluginI.cpp
index 1abddafe113..a82257a1d4a 100644
--- a/cpp/src/IceSSL/OpenSSLPluginI.cpp
+++ b/cpp/src/IceSSL/OpenSSLPluginI.cpp
@@ -34,6 +34,7 @@
#include <openssl/rand.h>
#include <openssl/err.h>
+#include <openssl/engine.h>
#include <sstream>
@@ -190,10 +191,24 @@ IceSSL::OpenSSLPluginI::OpenSSLPluginI(const ProtocolPluginFacadePtr& protocolPl
_protocolPluginFacade(protocolPluginFacade),
_traceLevels(new TraceLevels(_protocolPluginFacade)),
_properties(_protocolPluginFacade->getCommunicator()->getProperties()),
+ _memDebug(_properties->getPropertyAsIntWithDefault("IceSSL.MemoryDebug", 0)),
_serverContext(new TraceLevels(protocolPluginFacade), protocolPluginFacade->getCommunicator()),
_clientContext(new TraceLevels(protocolPluginFacade), protocolPluginFacade->getCommunicator()),
_randSeeded(0)
{
+ if(_memDebug != 0)
+ {
+ CRYPTO_malloc_debug_init();
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+ }
+ else
+ {
+ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+ }
+
+ SSL_library_init();
+
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
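Review bot: The memory-debug setup added at the top of the constructor changes allocator state for the whole process, and the result of `CRYPTO_set_mem_debug_functions` is ignored. As far as I know OpenSSL accepts these hooks only before its first allocation, so a second plugin instance, or an application that already used OpenSSL, would silently keep the mode that was set first. I would check the result, emit a trace message when `IceSSL.MemoryDebug` cannot be honoured, and document the property as a diagnostic switch that stays at 0 in production. The added `SSL_library_init()` also looks redundant, because in this OpenSSL generation the existing `OpenSSL_add_ssl_algorithms()` call is an alias for it.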
@@ -201,8 +216,21 @@ IceSSL::OpenSSLPluginI::OpenSSLPluginI(const ProtocolPluginFacadePtr& protocolPl
IceSSL::OpenSSLPluginI::~OpenSSLPluginI()
{
- unregisterThreads();
+ _serverContext.cleanUp();
+ _clientContext.cleanUp();
+
+ ENGINE_cleanup();
+ CRYPTO_cleanup_all_ex_data();
+
ERR_free_strings();
+ unregisterThreads();
+
+ EVP_cleanup();
+
+ if(_memDebug != 0)
+ {
+ CRYPTO_mem_leaks_fp(stderr);
+ }
}
IceSSL::SslTransceiverPtr
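Review bot: `ENGINE_cleanup()`, `CRYPTO_cleanup_all_ex_data()`, `ERR_free_strings()` and `EVP_cleanup()` tear down state shared by the whole process, yet the destructor runs them for every plugin instance. If a second communicator with its own IceSSL plugin, or any other OpenSSL user in the process, is still alive, its cipher and digest tables disappear underneath it and later handshakes can fail or touch freed data. No instance count is visible in this hunk. I would guard the global teardown, and the matching initialisation in the constructor, with a mutex-protected static counter so it runs only when the last instance is destroyed. A comment such as `// Free the contexts first: member destructors run after this body, i.e. after the global teardown.` would also explain why the two `cleanUp()` calls come first.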
diff --git a/cpp/src/IceSSL/OpenSSLPluginI.h b/cpp/src/IceSSL/OpenSSLPluginI.h
index d6c2dd12946..1d79de37189 100644
--- a/cpp/src/IceSSL/OpenSSLPluginI.h
+++ b/cpp/src/IceSSL/OpenSSLPluginI.h
@@ -94,6 +94,7 @@ private:
const IceInternal::ProtocolPluginFacadePtr _protocolPluginFacade;
const TraceLevelsPtr _traceLevels;
const Ice::PropertiesPtr _properties;
+ const int _memDebug;
IceSSL::ServerContext _serverContext;
IceSSL::ClientContext _clientContext;
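Review bot: `_memDebug` is initialised from `_properties` in the constructor's initializer list, so it only works because it is declared after `_properties` here. A comment such as `// Must stay declared after _properties: it is initialised from it.` would stop a later reordering of the members from reading an unconstructed handle.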
diff --git a/cpp/src/IceSSL/OpenSSLUtils.cpp b/cpp/src/IceSSL/OpenSSLUtils.cpp
index f8fd7a2cd6c..04b7ae941a8 100644
--- a/cpp/src/IceSSL/OpenSSLUtils.cpp
+++ b/cpp/src/IceSSL/OpenSSLUtils.cpp
@@ -327,6 +327,7 @@ IceSSL::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen)
if((dh->p == 0) || (dh->g == 0))
{
+ // Note: Clears both p and g if they are not NULL.
DH_free(dh);
dh = 0;
}
@@ -338,33 +339,25 @@ IceSSL::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen)
DH*
IceSSL::getTempDH512()
{
- DH* dh = getTempDH(dh512_p, (int) sizeof(dh512_p), dh512_g, (int) sizeof(dh512_g));
-
- return dh;
+ return getTempDH(dh512_p, (int) sizeof(dh512_p), dh512_g, (int) sizeof(dh512_g));
}
DH*
IceSSL::getTempDH1024()
{
- DH* dh = getTempDH(dh1024_p, (int) sizeof(dh1024_p), dh1024_g, (int) sizeof(dh1024_g));
-
- return dh;
+ return getTempDH(dh1024_p, (int) sizeof(dh1024_p), dh1024_g, (int) sizeof(dh1024_g));
}
DH*
IceSSL::getTempDH2048()
{
- DH* dh = getTempDH(dh2048_p, (int) sizeof(dh2048_p), dh2048_g, (int) sizeof(dh2048_g));
-
- return dh;
+ return getTempDH(dh2048_p, (int) sizeof(dh2048_p), dh2048_g, (int) sizeof(dh2048_g));
}
DH*
IceSSL::getTempDH4096()
{
- DH* dh = getTempDH(dh4096_p, (int) sizeof(dh4096_p), dh4096_g, (int) sizeof(dh4096_g));
-
- return dh;
+ return getTempDH(dh4096_p, (int) sizeof(dh4096_p), dh4096_g, (int) sizeof(dh4096_g));
}
string
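Review bot: `getTempDH512()` still hands out a 512-bit Diffie-Hellman group and `getTempDH1024()` a 1024-bit one; groups of that size no longer give meaningful confidentiality to a session that negotiates them. The callers are outside this hunk, so I cannot tell when the small groups are selected. I would at least mark them as legacy, for example `// Export-grade group; kept for compatibility only, do not select by default.`, and make 2048 bits the smallest group the plugin offers. Each wrapper can also return 0, since `getTempDH` resets `dh` to 0 when `p` or `g` is null, so a one-line comment saying so would remind callers to check.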
diff --git a/cpp/src/IceSSL/RSACertificateGen.cpp b/cpp/src/IceSSL/RSACertificateGen.cpp
index d55a09631f9..1564b262583 100644
--- a/cpp/src/IceSSL/RSACertificateGen.cpp
+++ b/cpp/src/IceSSL/RSACertificateGen.cpp
@@ -252,12 +252,18 @@ IceSSL::RSACertificateGen::generate(const RSACertificateGenContext& context)
X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid());
// Set up subject/issuer Distinguished Name (DN).
- X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("C"), MBSTRING_ASC, context.getCountry(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("ST"), MBSTRING_ASC, context.getStateProvince(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("L"), MBSTRING_ASC, context.getLocality(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("O"), MBSTRING_ASC, context.getOrganization(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("OU"), MBSTRING_ASC, context.getOrganizationalUnit(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("CN"), MBSTRING_ASC, context.getCommonName(), -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("C"), MBSTRING_ASC, context.getCountry(),
+ -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("ST"), MBSTRING_ASC, context.getStateProvince(),
+ -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("L"), MBSTRING_ASC, context.getLocality(),
+ -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("O"), MBSTRING_ASC, context.getOrganization(),
+ -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("OU"), MBSTRING_ASC, context.getOrganizationalUnit(),
+ -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("CN"), MBSTRING_ASC, context.getCommonName(),
+ -1, -1, 0);
// Self signed - set issuer and subject names identical
X509_set_issuer_name(x509SelfSigned, subjectName);
@@ -279,6 +285,7 @@ IceSSL::RSACertificateGen::generate(const RSACertificateGenContext& context)
}
// Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that now.
+ // Checked this out, though, and there are no current issues (0.9.7a) with doing this.
pkey->pkey.ptr = 0;
RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaKeyPair);
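Review bot: The added comment vouches for `pkey->pkey.ptr = 0` only against OpenSSL 0.9.7a, but the assignment depends on the internal layout of `EVP_PKEY` and on how `EVP_PKEY_free` treats a null key pointer. Neither is a documented interface. I would record what must be re-checked on an upgrade, e.g. `// Relies on EVP_PKEY_free() skipping a null pkey.ptr; re-verify on every OpenSSL upgrade.` If `RSAPrivateKey` releases its key with `RSA_free`, taking a counted reference through `EVP_PKEY_get1_RSA(pkey)` and then freeing `pkey` normally would remove the hack. The surrounding code of `generate` is outside the hunk, so that needs confirming.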
diff --git a/cpp/src/IceSSL/RSAPublicKey.cpp b/cpp/src/IceSSL/RSAPublicKey.cpp
index 0a5dc23821d..5e978deb394 100644
--- a/cpp/src/IceSSL/RSAPublicKey.cpp
+++ b/cpp/src/IceSSL/RSAPublicKey.cpp
@@ -111,6 +111,8 @@ IceSSL::RSAPublicKey::byteSeqToCert(const ByteSeq& certSeq)
_publicKey = d2i_X509(x509pp, pubKeyBuffpp, (long)certSeq.size());
+ delete []publicKeyBuffer;
+
if(_publicKey == 0)
{
IceSSL::CertificateParseException certParseException(__FILE__, __LINE__);
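Review bot: Moving `delete []publicKeyBuffer` ahead of the null check closes the leak on the exception path, but the buffer is still released by hand, so any later early return or throw between the allocation and this line would leak it again. The allocation is outside the hunk. If it is a plain `new[]` copy of `certSeq`, a `std::vector<unsigned char>` whose data pointer is handed to `d2i_X509` would free the copy on every path. Failing that, a comment such as `// d2i_X509 copies what it needs; the input buffer can be freed before the result is checked.` would explain why the early delete is safe.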
@@ -119,8 +121,6 @@ IceSSL::RSAPublicKey::byteSeqToCert(const ByteSeq& certSeq)
throw certParseException;
}
-
- delete []publicKeyBuffer;
}
diff --git a/cpp/src/IceSSL/SslTransceiver.cpp b/cpp/src/IceSSL/SslTransceiver.cpp
index 1a3970fbaf0..13b3952b308 100644
--- a/cpp/src/IceSSL/SslTransceiver.cpp
+++ b/cpp/src/IceSSL/SslTransceiver.cpp
@@ -54,6 +54,12 @@ IceSSL::SslTransceiver::fd()
void
IceSSL::SslTransceiver::close()
{
+ if(_fd == INVALID_SOCKET)
+ {
+ // Ignore - the connection was never set up.
+ return;
+ }
+
if(_traceLevels->network >= 1)
{
Trace out(_logger, _traceLevels->networkCat);
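Review bot: The new `_fd == INVALID_SOCKET` guard prevents a double close only if `close()` resets `_fd` to `INVALID_SOCKET` once the socket is closed, and that part of the body is outside this hunk. It matters more now because the later hunk makes `forceHandshake()` call `close()` before throwing, so a second `close()` from the owner or the destructor becomes likely. Closing a descriptor twice can hit a socket that has since been handed to another connection. Please confirm the reset exists, and consider a message at the network trace level instead of a silent return so skipped closes stay visible when debugging.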
@@ -315,6 +321,8 @@ IceSSL::SslTransceiver::forceHandshake()
out << "Handshake retry maximum reached.\n" << toString();
}
+ close();
+
// If the handshake fails, the connection failed.
ConnectFailedException ex(__FILE__, __LINE__);
#ifdef _WIN32