Remove internal dst memory context that was used just for OpenSSL and was passthrough for malloc and free

lib/dns/dst_api.c

@@ -72,8 +72,6 @@ static bool dst_initialized = false;
 
 void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
 
-LIBDNS_EXTERNAL_DATA isc_mem_t *dst__memory_pool = NULL;
-
 /*
  * Static functions.
  */
@@ -124,20 +122,6 @@ static isc_result_t	addsuffix(char *filename, int len,
 			return (_r);		\
 	} while (0);				\
 
-static void *
-default_memalloc(void *arg, size_t size) {
-	UNUSED(arg);
-	if (size == 0U)
-		size = 1;
-	return (malloc(size));
-}
-
-static void
-default_memfree(void *arg, void *ptr) {
-	UNUSED(arg);
-	free(ptr);
-}
-
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, const char *engine) {
 	isc_result_t result;
@@ -147,26 +131,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 
 	UNUSED(engine);
 
-	dst__memory_pool = NULL;
-
-	UNUSED(mctx);
-	/*
-	 * When using --with-openssl, there seems to be no good way of not
-	 * leaking memory due to the openssl error handling mechanism.
-	 * Avoid assertions by using a local memory context and not checking
-	 * for leaks on exit.  Note: as there are leaks we cannot use
-	 * ISC_MEMFLAG_INTERNAL as it will free up memory still being used
-	 * by libcrypto.
-	 */
-	result = isc_mem_createx(0, 0, default_memalloc, default_memfree,
-				 NULL, &dst__memory_pool, 0);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_mem_setname(dst__memory_pool, "dst", NULL);
-#ifndef OPENSSL_LEAKS
-	isc_mem_setdestroycheck(dst__memory_pool, false);
-#endif
-
 	dst_result_register();
 
 	memset(dst_t_func, 0, sizeof(dst_t_func));
@@ -176,7 +140,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 	RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
 	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
-	RETERR(dst__openssl_init(engine));
+	RETERR(dst__openssl_init(mctx, engine));
 	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 #if USE_OPENSSL
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
@@ -242,8 +206,6 @@ dst_lib_destroy(void) {
 #if USE_PKCS11
 	(void) dst__pkcs11_destroy();
 #endif /* USE_PKCS11 */
-	if (dst__memory_pool != NULL)
-		isc_mem_detach(&dst__memory_pool);
 }
 
 bool

lib/dns/dst_internal.h

@@ -63,8 +63,6 @@ ISC_LANG_BEGINDECLS
 #define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
 #define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
 
-LIBDNS_EXTERNAL_DATA extern isc_mem_t *dst__memory_pool;
-
 /***
  *** Types
  ***/
@@ -191,7 +189,7 @@ struct dst_func {
 /*%
  * Initializers
  */
-isc_result_t dst__openssl_init(const char *engine);
+isc_result_t dst__openssl_init(isc_mem_t *, const char *engine);
 #define dst__pkcs11_init pk11_initialize
 
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);

lib/dns/gssapi_link.c

@@ -190,7 +190,7 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	gss_buffer_desc gmessage, gsig;
 	OM_uint32 minor, gret;
 	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
-	unsigned char *buf;
+	unsigned char buf[sig->length];
 	char err[1024];
 
 	/*
@@ -200,15 +200,6 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	isc_buffer_usedregion(ctx->buffer, &message);
 	REGION_TO_GBUFFER(message, gmessage);
 
-	/*
-	 * XXXMLG
-	 * It seem that gss_verify_mic() modifies the signature buffer,
-	 * at least on Heimdal's implementation.  Copy it here to an allocated
-	 * buffer.
-	 */
-	buf = isc_mem_allocate(dst__memory_pool, sig->length);
-	if (buf == NULL)
-		return (ISC_R_FAILURE);
 	memmove(buf, sig->base, sig->length);
 	r.base = buf;
 	r.length = sig->length;
@@ -219,8 +210,6 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	 */
 	gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
 
-	isc_mem_free(dst__memory_pool, buf);
-
 	/*
 	 * Convert return codes into something useful to us.
 	 */

lib/dns/openssl_link.c

@@ -40,6 +40,8 @@
 #include "dst_internal.h"
 #include "dst_openssl.h"
 
+static isc_mem_t *dst__memory_pool = NULL;
+
 #if !defined(OPENSSL_NO_ENGINE)
 #include <openssl/engine.h>
 #endif
@@ -89,63 +91,6 @@ id_callback(void) {
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-
-#define FLARG
-#define FILELINE
-#if ISC_MEM_TRACKLINES
-#define FLARG_PASS      , __FILE__, __LINE__
-#else
-#define FLARG_PASS
-#endif
-
-#else
-
-#define FLARG           , const char *file, int line
-#define FILELINE	, __FILE__, __LINE__
-#if ISC_MEM_TRACKLINES
-#define FLARG_PASS      , file, line
-#else
-#define FLARG_PASS
-#endif
-
-#endif
-
-static void *
-mem_alloc(size_t size FLARG) {
-#ifdef OPENSSL_LEAKS
-	void *ptr;
-
-	INSIST(dst__memory_pool != NULL);
-	ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS);
-	return (ptr);
-#else
-	INSIST(dst__memory_pool != NULL);
-	return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS));
-#endif
-}
-
-static void
-mem_free(void *ptr FLARG) {
-	INSIST(dst__memory_pool != NULL);
-	if (ptr != NULL)
-		isc__mem_free(dst__memory_pool, ptr FLARG_PASS);
-}
-
-static void *
-mem_realloc(void *ptr, size_t size FLARG) {
-#ifdef OPENSSL_LEAKS
-	void *rptr;
-
-	INSIST(dst__memory_pool != NULL);
-	rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS);
-	return (rptr);
-#else
-	INSIST(dst__memory_pool != NULL);
-	return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS));
-#endif
-}
-
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 static void
 _set_thread_id(CRYPTO_THREADID *id)
@@ -155,24 +100,21 @@ _set_thread_id(CRYPTO_THREADID *id)
 #endif
 
 isc_result_t
-dst__openssl_init(const char *engine) {
+dst__openssl_init(isc_mem_t *mctx, const char *engine) {
 	isc_result_t result;
 
+	REQUIRE(dst__memory_pool == NULL);
+	dst__memory_pool = mctx;
+
 #if defined(OPENSSL_NO_ENGINE)
 	UNUSED(engine);
 #endif
 
 	enable_fips_mode();
 
-#ifdef  DNS_CRYPTO_LEAKS
-	CRYPTO_malloc_debug_init();
-	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
-	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-#endif
-	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	nlocks = CRYPTO_num_locks();
-	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE);
+	locks = isc_mem_allocate(dst__memory_pool, sizeof(isc_mutex_t) * nlocks);
 	if (locks == NULL)
 		return (ISC_R_NOMEMORY);
 	result = isc_mutexblock_init(locks, nlocks);
@@ -241,7 +183,7 @@ dst__openssl_init(const char *engine) {
 	CRYPTO_set_locking_callback(NULL);
 	DESTROYMUTEXBLOCK(locks, nlocks);
  cleanup_mutexalloc:
-	mem_free(locks FILELINE);
+	isc_mem_free(dst__memory_pool, locks);
 	locks = NULL;
 #endif
 	return (result);
@@ -278,7 +220,7 @@ dst__openssl_destroy(void) {
 	if (locks != NULL) {
 		CRYPTO_set_locking_callback(NULL);
 		DESTROYMUTEXBLOCK(locks, nlocks);
-		mem_free(locks FILELINE);
+		isc_mem_free(dst__memory_pool, locks);
 		locks = NULL;
 	}
 #else

lib/dns/win32/libdns.def.in

@@ -1437,6 +1437,5 @@ dns_tsig_hmacmd5_name	DATA
 dns_zone_mkey_day	DATA
 dns_zone_mkey_hour	DATA
 dns_zone_mkey_month	DATA
-dst__memory_pool	DATA
 dst_msgcat		DATA
 @END NOLONGER