/* * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. * * Portions Copyright (C) Network Associates, Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #ifdef OPENSSL #include #include #include #include #include #include #include #include #include #include #include "dst_internal.h" #include "dst_openssl.h" #if !defined(OPENSSL_NO_ENGINE) #include #endif static RAND_METHOD *rm = NULL; #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static isc_mutex_t *locks = NULL; static int nlocks; #endif #if !defined(OPENSSL_NO_ENGINE) static ENGINE *e = NULL; #endif static int entropy_get(unsigned char *buf, int num) { isc_result_t result; if (num < 0) return (-1); result = dst__entropy_getdata(buf, (unsigned int) num, false); return (result == ISC_R_SUCCESS ? 1 : -1); } static int entropy_status(void) { return (dst__entropy_status() > 32); } static int entropy_getpseudo(unsigned char *buf, int num) { isc_result_t result; if (num < 0) return (-1); result = dst__entropy_getdata(buf, (unsigned int) num, true); return (result == ISC_R_SUCCESS ? 1 : -1); } #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static void entropy_add(const void *buf, int num, double entropy) { /* * Do nothing. The only call to this provides no useful data anyway. */ UNUSED(buf); UNUSED(num); UNUSED(entropy); } #else static int entropy_add(const void *buf, int num, double entropy) { /* * Do nothing. The only call to this provides no useful data anyway. */ UNUSED(buf); UNUSED(num); UNUSED(entropy); return (1); } #endif #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static void lock_callback(int mode, int type, const char *file, int line) { UNUSED(file); UNUSED(line); if ((mode & CRYPTO_LOCK) != 0) LOCK(&locks[type]); else UNLOCK(&locks[type]); } #endif #if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER) static unsigned long id_callback(void) { return ((unsigned long)isc_thread_self()); } #endif #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define FLARG #define FILELINE #if ISC_MEM_TRACKLINES #define FLARG_PASS , __FILE__, __LINE__ #else #define FLARG_PASS #endif #else #define FLARG , const char *file, int line #define FILELINE , __FILE__, __LINE__ #if ISC_MEM_TRACKLINES #define FLARG_PASS , file, line #else #define FLARG_PASS #endif #endif static void * mem_alloc(size_t size FLARG) { #ifdef OPENSSL_LEAKS void *ptr; INSIST(dst__memory_pool != NULL); ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS); return (ptr); #else INSIST(dst__memory_pool != NULL); return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS)); #endif } static void mem_free(void *ptr FLARG) { if (ptr != NULL) { INSIST(dst__memory_pool != NULL); isc__mem_free(dst__memory_pool, ptr FLARG_PASS); } } static void * mem_realloc(void *ptr, size_t size FLARG) { #ifdef OPENSSL_LEAKS void *rptr; INSIST(dst__memory_pool != NULL); rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS); return (rptr); #else INSIST(dst__memory_pool != NULL); return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS)); #endif } #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L static void _set_thread_id(CRYPTO_THREADID *id) { CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self()); } #endif isc_result_t dst__openssl_init(const char *engine) { isc_result_t result; #if !defined(OPENSSL_NO_ENGINE) ENGINE *re; #else UNUSED(engine); #endif #ifdef DNS_CRYPTO_LEAKS CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) nlocks = CRYPTO_num_locks(); locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE); if (locks == NULL) return (ISC_R_NOMEMORY); result = isc_mutexblock_init(locks, nlocks); if (result != ISC_R_SUCCESS) goto cleanup_mutexalloc; CRYPTO_set_locking_callback(lock_callback); # if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_THREADID_set_callback(_set_thread_id); # else CRYPTO_set_id_callback(id_callback); # endif ERR_load_crypto_strings(); #endif rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); if (rm == NULL) { result = ISC_R_NOMEMORY; goto cleanup_mutexinit; } rm->seed = NULL; rm->bytes = entropy_get; rm->cleanup = NULL; rm->add = entropy_add; rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; #if !defined(OPENSSL_NO_ENGINE) #if !defined(CONF_MFLAGS_DEFAULT_SECTION) OPENSSL_config(NULL); #else /* * OPENSSL_config() can only be called a single time as of * 1.0.2e so do the steps individually. */ OPENSSL_load_builtin_modules(); ENGINE_load_builtin_engines(); ERR_clear_error(); CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE); #endif if (engine != NULL && *engine == '\0') engine = NULL; if (engine != NULL) { e = ENGINE_by_id(engine); if (e == NULL) { result = DST_R_NOENGINE; goto cleanup_rm; } /* This will init the engine. */ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { result = DST_R_NOENGINE; goto cleanup_rm; } } re = ENGINE_get_default_RAND(); if (re == NULL) { re = ENGINE_new(); if (re == NULL) { result = ISC_R_NOMEMORY; goto cleanup_rm; } ENGINE_set_RAND(re, rm); ENGINE_set_default_RAND(re); ENGINE_free(re); } else ENGINE_finish(re); #else RAND_set_rand_method(rm); #endif /* !defined(OPENSSL_NO_ENGINE) */ return (ISC_R_SUCCESS); #if !defined(OPENSSL_NO_ENGINE) cleanup_rm: if (e != NULL) ENGINE_free(e); e = NULL; mem_free(rm FILELINE); rm = NULL; #endif cleanup_mutexinit: #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); cleanup_mutexalloc: mem_free(locks FILELINE); locks = NULL; #endif return (result); } void dst__openssl_destroy(void) { #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_cleanup(); if (rm != NULL) { mem_free(rm FILELINE); rm = NULL; } #else /* * Sequence taken from apps_shutdown() in . */ if (rm != NULL) { #if OPENSSL_VERSION_NUMBER >= 0x00907000L RAND_cleanup(); #endif mem_free(rm FILELINE); rm = NULL; } #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) CONF_modules_free(); #endif OBJ_cleanup(); EVP_cleanup(); #if !defined(OPENSSL_NO_ENGINE) if (e != NULL) ENGINE_free(e); e = NULL; #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L ENGINE_cleanup(); #endif #endif #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) CRYPTO_cleanup_all_ex_data(); #endif ERR_clear_error(); #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L ERR_remove_thread_state(NULL); #elif OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER) ERR_remove_state(0); #endif ERR_free_strings(); #ifdef DNS_CRYPTO_LEAKS CRYPTO_mem_leaks_fp(stderr); #endif if (locks != NULL) { CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); mem_free(locks FILELINE); locks = NULL; } #endif } static isc_result_t toresult(isc_result_t fallback) { isc_result_t result = fallback; unsigned long err = ERR_peek_error(); #if defined(HAVE_OPENSSL_ECDSA) && \ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) int lib = ERR_GET_LIB(err); #endif int reason = ERR_GET_REASON(err); switch (reason) { /* * ERR_* errors are globally unique; others * are unique per sublibrary */ case ERR_R_MALLOC_FAILURE: result = ISC_R_NOMEMORY; break; default: #if defined(HAVE_OPENSSL_ECDSA) && \ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) if (lib == ERR_R_ECDSA_LIB && reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) { result = ISC_R_NOENTROPY; break; } #endif break; } return (result); } isc_result_t dst__openssl_toresult(isc_result_t fallback) { isc_result_t result; result = toresult(fallback); ERR_clear_error(); return (result); } isc_result_t dst__openssl_toresult2(const char *funcname, isc_result_t fallback) { return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL, funcname, fallback)); } isc_result_t dst__openssl_toresult3(isc_logcategory_t *category, const char *funcname, isc_result_t fallback) { isc_result_t result; unsigned long err; const char *file, *data; int line, flags; char buf[256]; result = toresult(fallback); isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, "%s failed (%s)", funcname, isc_result_totext(result)); if (result == ISC_R_NOMEMORY) goto done; for (;;) { err = ERR_get_error_line_data(&file, &line, &data, &flags); if (err == 0U) goto done; ERR_error_string_n(err, buf, sizeof(buf)); isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO, "%s:%s:%d:%s", buf, file, line, ((flags & ERR_TXT_STRING) != 0) ? data : ""); } done: ERR_clear_error(); return (result); } #if !defined(OPENSSL_NO_ENGINE) ENGINE * dst__openssl_getengine(const char *engine) { if (engine == NULL) return (NULL); if (e == NULL) return (NULL); if (strcmp(engine, ENGINE_get_id(e)) == 0) return (e); return (NULL); } #endif #else /* OPENSSL */ #include EMPTY_TRANSLATION_UNIT #endif /* OPENSSL */ /*! \file */