diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index c30269447c..40ee709de0 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -72,8 +72,6 @@ static bool dst_initialized = false; void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3); -LIBDNS_EXTERNAL_DATA isc_mem_t *dst__memory_pool = NULL; - /* * Static functions. */ @@ -124,20 +122,6 @@ static isc_result_t addsuffix(char *filename, int len, return (_r); \ } while (0); \ -static void * -default_memalloc(void *arg, size_t size) { - UNUSED(arg); - if (size == 0U) - size = 1; - return (malloc(size)); -} - -static void -default_memfree(void *arg, void *ptr) { - UNUSED(arg); - free(ptr); -} - isc_result_t dst_lib_init(isc_mem_t *mctx, const char *engine) { isc_result_t result; @@ -147,26 +131,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { UNUSED(engine); - dst__memory_pool = NULL; - - UNUSED(mctx); - /* - * When using --with-openssl, there seems to be no good way of not - * leaking memory due to the openssl error handling mechanism. - * Avoid assertions by using a local memory context and not checking - * for leaks on exit. Note: as there are leaks we cannot use - * ISC_MEMFLAG_INTERNAL as it will free up memory still being used - * by libcrypto. - */ - result = isc_mem_createx(0, 0, default_memalloc, default_memfree, - NULL, &dst__memory_pool, 0); - if (result != ISC_R_SUCCESS) - return (result); - isc_mem_setname(dst__memory_pool, "dst", NULL); -#ifndef OPENSSL_LEAKS - isc_mem_setdestroycheck(dst__memory_pool, false); -#endif - dst_result_register(); memset(dst_t_func, 0, sizeof(dst_t_func)); 
@@ -176,7 +140,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256])); RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); - RETERR(dst__openssl_init(engine)); + RETERR(dst__openssl_init(mctx, engine)); RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); #if USE_OPENSSL RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], @@ -242,8 +206,6 @@ dst_lib_destroy(void) { #if USE_PKCS11 (void) dst__pkcs11_destroy(); #endif /* USE_PKCS11 */ - if (dst__memory_pool != NULL) - isc_mem_detach(&dst__memory_pool); } bool diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index f2d95f1723..bfa28f06ee 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -63,8 +63,6 @@ ISC_LANG_BEGINDECLS #define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC) #define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC) -LIBDNS_EXTERNAL_DATA extern isc_mem_t *dst__memory_pool; - /*** *** Types ***/ @@ -191,7 +189,7 @@ struct dst_func { /*% * Initializers */ -isc_result_t dst__openssl_init(const char *engine); +isc_result_t dst__openssl_init(isc_mem_t *, const char *engine); #define dst__pkcs11_init pk11_initialize isc_result_t dst__hmacmd5_init(struct dst_func **funcp); diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c index 82eac957c8..fc1d294ebc 100644 --- a/lib/dns/gssapi_link.c +++ b/lib/dns/gssapi_link.c @@ -190,7 +190,7 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) { gss_buffer_desc gmessage, gsig; OM_uint32 minor, gret; gss_ctx_id_t gssctx = dctx->key->keydata.gssctx; - unsigned char *buf; + unsigned char buf[sig->length]; char err[1024]; /* 
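Review bot: The new first parameter of `dst__openssl_init` in dst_internal.h is declared without a name while `engine` keeps its own, and the declaration does not say that the callee retains the pointer. `isc_result_t dst__openssl_init(isc_mem_t *mctx, const char *engine);` with a one-line comment that `mctx` must stay valid until dst__openssl_destroy() would put the lifetime contract where callers read it.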
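Review bot: `unsigned char buf[sig->length];` in gssapi_verify sizes a stack array from the length of the signature being verified, which presumably arrives with the message, and nothing visible in the hunk bounds it. A zero length makes the VLA declaration undefined behaviour and a large one can exhaust the stack, whereas the removed heap allocation failed cleanly with ISC_R_FAILURE. I would keep the copy on the heap, e.g. `buf = isc_mem_get(dctx->mctx, sig->length);` paired with `isc_mem_put(dctx->mctx, buf, sig->length);` (assuming the dst context carries a memory context), or at least reject `sig->length == 0` and lengths above a fixed cap before the array is declared. The following hunk also deletes the XXXMLG comment explaining that gss_verify_mic() may modify the signature buffer, which is the only stated reason for the memmove copy; that explanation should stay next to the copy. The function body continues outside the hunk.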
@@ -200,15 +200,6 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) { isc_buffer_usedregion(ctx->buffer, &message); REGION_TO_GBUFFER(message, gmessage); - /* - * XXXMLG - * It seem that gss_verify_mic() modifies the signature buffer, - * at least on Heimdal's implementation. Copy it here to an allocated - * buffer. - */ - buf = isc_mem_allocate(dst__memory_pool, sig->length); - if (buf == NULL) - return (ISC_R_FAILURE); memmove(buf, sig->base, sig->length); r.base = buf; r.length = sig->length; @@ -219,8 +210,6 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) { */ gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL); - isc_mem_free(dst__memory_pool, buf); - /* * Convert return codes into something useful to us. */ diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index 8e75849e02..507c272689 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -40,6 +40,8 @@ #include "dst_internal.h" #include "dst_openssl.h" +static isc_mem_t *dst__memory_pool = NULL; + #if !defined(OPENSSL_NO_ENGINE) #include #endif 
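Review bot: The definition `static isc_mem_t *dst__memory_pool = NULL;` in openssl_link.c is inserted between `#include "dst_openssl.h"` and the conditional engine include, so file-scope state sits in the middle of the include block; it reads better after the last include. The variable is now file-local but keeps the name of the formerly exported pool, and in the hunks shown it only backs the `locks` array. A short comment such as `/* Memory context handed in by dst_lib_init(); not owned by this file. */` would record what it is now.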
@@ -89,63 +91,6 @@ id_callback(void) { } #endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - -#define FLARG -#define FILELINE -#if ISC_MEM_TRACKLINES -#define FLARG_PASS , __FILE__, __LINE__ -#else -#define FLARG_PASS -#endif - -#else - -#define FLARG , const char *file, int line -#define FILELINE , __FILE__, __LINE__ -#if ISC_MEM_TRACKLINES -#define FLARG_PASS , file, line -#else -#define FLARG_PASS -#endif - -#endif - -static void * -mem_alloc(size_t size FLARG) { -#ifdef OPENSSL_LEAKS - void *ptr; - - INSIST(dst__memory_pool != NULL); - ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS); - return (ptr); -#else - INSIST(dst__memory_pool != NULL); - return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS)); -#endif -} - -static void -mem_free(void *ptr FLARG) { - INSIST(dst__memory_pool != NULL); - if (ptr != NULL) - isc__mem_free(dst__memory_pool, ptr FLARG_PASS); -} - -static void * -mem_realloc(void *ptr, size_t size FLARG) { -#ifdef OPENSSL_LEAKS - void *rptr; - - INSIST(dst__memory_pool != NULL); - rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS); - return (rptr); -#else - INSIST(dst__memory_pool != NULL); - return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS)); -#endif -} - #if OPENSSL_VERSION_NUMBER < 0x10100000L static void _set_thread_id(CRYPTO_THREADID *id) 
@@ -155,24 +100,21 @@ _set_thread_id(CRYPTO_THREADID *id) #endif isc_result_t -dst__openssl_init(const char *engine) { +dst__openssl_init(isc_mem_t *mctx, const char *engine) { isc_result_t result; + REQUIRE(dst__memory_pool == NULL); + dst__memory_pool = mctx; + #if defined(OPENSSL_NO_ENGINE) UNUSED(engine); #endif enable_fips_mode(); -#ifdef DNS_CRYPTO_LEAKS - CRYPTO_malloc_debug_init(); - CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); -#endif - CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) nlocks = CRYPTO_num_locks(); - locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE); + locks = isc_mem_allocate(dst__memory_pool, sizeof(isc_mutex_t) * nlocks); if (locks == NULL) return (ISC_R_NOMEMORY); result = isc_mutexblock_init(locks, nlocks); @@ -241,7 +183,7 @@ dst__openssl_init(const char *engine) { CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); cleanup_mutexalloc: - mem_free(locks FILELINE); + isc_mem_free(dst__memory_pool, locks); locks = NULL; #endif return (result); @@ -278,7 +220,7 @@ dst__openssl_destroy(void) { if (locks != NULL) { CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); - mem_free(locks FILELINE); + isc_mem_free(dst__memory_pool, locks); locks = NULL; } #else diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 83a77856bc..9642fa48cc 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -1437,6 +1437,5 @@ dns_tsig_hmacmd5_name DATA dns_zone_mkey_day DATA dns_zone_mkey_hour DATA dns_zone_mkey_month DATA -dst__memory_pool DATA dst_msgcat DATA @END NOLONGER
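Review bot: dst__openssl_init stores the caller's context as a bare pointer (`dst__memory_pool = mctx;`) without taking a reference, so nothing keeps it alive until dst__openssl_destroy frees `locks` through it in the @@ -278 hunk. `isc_mem_attach(mctx, &dst__memory_pool);` here, with a matching `isc_mem_detach(&dst__memory_pool);` at the end of dst__openssl_destroy, would pin the lifetime and reset the pointer. As written, the cleanup path at cleanup_mutexalloc (@@ -241) also leaves dst__memory_pool set, so a second dst__openssl_init call after a failed one would trip `REQUIRE(dst__memory_pool == NULL)` unless the pointer is cleared somewhere outside these hunks. Both function bodies extend beyond the hunks shown.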