Move the dst__openssl_toresult to isc_tls unit

Since the enable_fips_mode() now resides inside the isc_tls unit, BIND 9
would fail to compile when FIPS mode was enabled as the DST subsystem
logging functions were missing.

Move the crypto library logging functions from the openssl_link unit to
isc_tls unit and enhance it, so it can now be used from both places
keeping the old dst__openssl_toresult* macros alive.

lib/dns/Makefile.am

@@ -205,7 +205,6 @@ libdns_la_SOURCES =			\
 	nsec3.c				\
 	nta.c				\
 	openssl_link.c			\
-	openssl_shim.c			\
 	openssl_shim.h			\
 	opensslecdsa_link.c		\
 	openssleddsa_link.c		\

lib/dns/dst_openssl.h

@@ -23,23 +23,18 @@
 #include <isc/lang.h>
 #include <isc/log.h>
 #include <isc/result.h>
+#include <isc/tls.h>
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t
+#define dst__openssl_toresult(fallback) \
-dst__openssl_toresult(isc_result_t fallback);
+	isc__tlserr2result(NULL, NULL, NULL, fallback, __FILE__, __LINE__)
-
+#define dst__openssl_toresult2(funcname, fallback)                        \
-#define dst__openssl_toresult2(A, B) \
+	isc__tlserr2result(DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO, \
-	dst___openssl_toresult2(A, B, __FILE__, __LINE__)
+			   funcname, fallback, __FILE__, __LINE__)
-isc_result_t
+#define dst__openssl_toresult3(category, funcname, fallback)                   \
-dst___openssl_toresult2(const char *funcname, isc_result_t fallback,
+	isc__tlserr2result(category, DNS_LOGMODULE_CRYPTO, funcname, fallback, \
-			const char *file, int line);
+			   __FILE__, __LINE__)
-
-#define dst__openssl_toresult3(A, B, C) \
-	dst___openssl_toresult3(A, B, C, __FILE__, __LINE__)
-isc_result_t
-dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname,
-			isc_result_t fallback, const char *file, int line);
 
 isc_result_t
 dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin,

lib/dns/openssl_link.c

@@ -54,90 +54,6 @@
 		goto err; \
 	}
 
-static isc_result_t
-toresult(isc_result_t fallback) {
-	isc_result_t result = fallback;
-	unsigned long err = ERR_peek_error();
-#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
-	int lib = ERR_GET_LIB(err);
-#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
-	int reason = ERR_GET_REASON(err);
-
-	switch (reason) {
-	/*
-	 * ERR_* errors are globally unique; others
-	 * are unique per sublibrary
-	 */
-	case ERR_R_MALLOC_FAILURE:
-		result = ISC_R_NOMEMORY;
-		break;
-	default:
-#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
-		if (lib == ERR_R_ECDSA_LIB &&
-		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
-		{
-			result = ISC_R_NOENTROPY;
-			break;
-		}
-#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
-		break;
-	}
-
-	return (result);
-}
-
-isc_result_t
-dst__openssl_toresult(isc_result_t fallback) {
-	isc_result_t result;
-
-	result = toresult(fallback);
-
-	ERR_clear_error();
-	return (result);
-}
-
-isc_result_t
-dst___openssl_toresult2(const char *funcname, isc_result_t fallback,
-			const char *file, int line) {
-	return (dst___openssl_toresult3(DNS_LOGCATEGORY_GENERAL, funcname,
-					fallback, file, line));
-}
-
-isc_result_t
-dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname,
-			isc_result_t fallback, const char *file, int line) {
-	isc_result_t result;
-	unsigned long err;
-	const char *func, *data;
-	int flags;
-	char buf[256];
-
-	result = toresult(fallback);
-
-	isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
-		      "%s (%s:%d) failed (%s)", funcname, file, line,
-		      isc_result_totext(result));
-
-	if (result == ISC_R_NOMEMORY) {
-		goto done;
-	}
-
-	for (;;) {
-		err = ERR_get_error_all(&file, &line, &func, &data, &flags);
-		if (err == 0U) {
-			goto done;
-		}
-		ERR_error_string_n(err, buf, sizeof(buf));
-		isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO,
-			      ISC_LOG_INFO, "%s:%s:%d:%s", buf, file, line,
-			      ((flags & ERR_TXT_STRING) != 0) ? data : "");
-	}
-
-done:
-	ERR_clear_error();
-	return (result);
-}
-
 static isc_result_t
 dst__openssl_fromlabel_provider(int key_base_id, const char *label,
 				const char *pin, EVP_PKEY **ppub,

lib/dns/openssl_shim.c

@@ -1,27 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include "openssl_shim.h"
-
-#include <isc/util.h>
-
-#if !HAVE_ERR_GET_ERROR_ALL
-static const char err_empty_string = '\0';
-
-unsigned long
-ERR_get_error_all(const char **file, int *line, const char **func,
-		  const char **data, int *flags) {
-	SET_IF_NOT_NULL(func, &err_empty_string);
-	return (ERR_get_error_line_data(file, line, data, flags));
-}
-#endif /* if !HAVE_ERR_GET_ERROR_ALL */

lib/dns/openssl_shim.h

@@ -28,12 +28,6 @@
 #define RSA_MAX_PUBEXP_BITS 35
 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
 
-#if !HAVE_ERR_GET_ERROR_ALL
-unsigned long
-ERR_get_error_all(const char **file, int *line, const char **func,
-		  const char **data, int *flags);
-#endif /* if !HAVE_ERR_GET_ERROR_ALL */
-
 #if !HAVE_EVP_PKEY_EQ
 #define EVP_PKEY_eq EVP_PKEY_cmp
 #endif

lib/isc/include/isc/tls.h

@@ -615,3 +615,11 @@ isc__tls_shutdown(void);
 
 void
 isc__tls_setdestroycheck(bool check);
+
+#define isc_tlserr2result(category, module, funcname, fallback)            \
+	isc__tlserr2result(category, module, funcname, fallback, __FILE__, \
+			   __LINE__)
+isc_result_t
+isc__tlserr2result(isc_logcategory_t *category, isc_logmodule_t *module,
+		   const char *funcname, isc_result_t fallback,
+		   const char *file, int line);

lib/isc/openssl_shim.c

@@ -16,11 +16,14 @@
 #include <string.h>
 
 #include <openssl/crypto.h>
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 
+#include <isc/util.h>
+
 #include "openssl_shim.h"
 
 #if !HAVE_BIO_READ_EX
@@ -57,3 +60,14 @@ SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
 	SSL_CTX_set_cert_store(ctx, store);
 }
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
+
+#if !HAVE_ERR_GET_ERROR_ALL
+static const char err_empty_string = '\0';
+
+unsigned long
+ERR_get_error_all(const char **file, int *line, const char **func,
+		  const char **data, int *flags) {
+	SET_IF_NOT_NULL(func, &err_empty_string);
+	return (ERR_get_error_line_data(file, line, data, flags));
+}
+#endif /* if !HAVE_ERR_GET_ERROR_ALL */

lib/isc/openssl_shim.h

@@ -37,3 +37,9 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
 void
 SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
+
+#if !HAVE_ERR_GET_ERROR_ALL
+unsigned long
+ERR_get_error_all(const char **file, int *line, const char **func,
+		  const char **data, int *flags);
+#endif /* if !HAVE_ERR_GET_ERROR_ALL */

lib/isc/tls.c

@@ -137,7 +137,8 @@ enable_fips_mode(void) {
 	}
 
 	if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
-		dst__openssl_toresult2("FIPS_mode_set", DST_R_OPENSSLFAILURE);
+		isc_tlserr2result(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_OTHER,
+				  "FIPS_mode_set", ISC_R_CRYPTOFAILURE);
 		exit(EXIT_FAILURE);
 	}
 #endif
@@ -1652,3 +1653,75 @@ isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx) {
 	RUNTIME_CHECK(
 		SSL_CTX_set_session_id_context(ctx, session_id_ctx, len) == 1);
 }
+
+static isc_result_t
+isc__tls_toresult(isc_result_t fallback) {
+	isc_result_t result = fallback;
+	unsigned long err = ERR_peek_error();
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+	int lib = ERR_GET_LIB(err);
+#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
+	int reason = ERR_GET_REASON(err);
+
+	switch (reason) {
+	/*
+	 * ERR_* errors are globally unique; others
+	 * are unique per sublibrary
+	 */
+	case ERR_R_MALLOC_FAILURE:
+		result = ISC_R_NOMEMORY;
+		break;
+	default:
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+		if (lib == ERR_R_ECDSA_LIB &&
+		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+		{
+			result = ISC_R_NOENTROPY;
+			break;
+		}
+#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
+		break;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc__tlserr2result(isc_logcategory_t *category, isc_logmodule_t *module,
+		   const char *funcname, isc_result_t fallback,
+		   const char *file, int line) {
+	isc_result_t result = isc__tls_toresult(fallback);
+
+	if (category == NULL) {
+		goto done;
+	}
+
+	isc_log_write(isc_lctx, category, module, ISC_LOG_WARNING,
+		      "%s (%s:%d) failed (%s)", funcname, file, line,
+		      isc_result_totext(result));
+
+	if (result == ISC_R_NOMEMORY) {
+		goto done;
+	}
+
+	for (;;) {
+		const char *func, *data;
+		int flags;
+		unsigned long err = ERR_get_error_all(&file, &line, &func,
+						      &data, &flags);
+		if (err == 0U) {
+			break;
+		}
+
+		char buf[256];
+		ERR_error_string_n(err, buf, sizeof(buf));
+
+		isc_log_write(isc_lctx, category, module, ISC_LOG_INFO,
+			      "%s:%s:%d:%s", buf, file, line,
+			      ((flags & ERR_TXT_STRING) != 0) ? data : "");
+	}
+
+done:
+	ERR_clear_error();
+	return (result);
+}

tests/dns/rdata_test.c

@@ -24,7 +24,6 @@
 #define UNIT_TESTING
 
 #include <cmocka.h>
-#include <openssl_shim.h>
 
 #include <openssl/err.h>
 
@@ -37,6 +36,10 @@
 
 #include <dns/rdata.h>
 
+#include "../isc/openssl_shim.c"
+#include "../isc/openssl_shim.h"
+#include "openssl_shim.h"
+
 #include <tests/dns.h>
 
 static bool debug = false;