From ab827ab5bf7bdd65f0c672c43c3fdbe16a5e7d70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 11 Mar 2020 21:23:17 +0100 Subject: [PATCH] Stop leaking OpenSSL types and defines in the isc/safe.h The two "functions" that isc/safe.h declared before were actually simple defines to matching OpenSSL functions. The downside of the approach was enforcing all users of the libisc library to explicitly list the include path to OpenSSL and link with -lcrypto. By hiding the specific implementation into the private namespace changing the defines into simple functions, we no longer enforce this. In the long run, this might also allow us to switch cryptographic library implementation without affecting the downstream users.
---
 lib/isc/Makefile.in | 4 ++-- lib/isc/include/isc/safe.h | 9 +++++---- lib/isc/safe.c | 24 ++++++++++++++++++++++++ lib/isc/win32/libisc.def.in | 2 ++ lib/isc/win32/libisc.vcxproj.filters.in | 3 +++ lib/isc/win32/libisc.vcxproj.in | 1 + util/copyrights | 1 + 7 files changed, 38 insertions(+), 6 deletions(-) create mode 100644 lib/isc/safe.c
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index abbaecb052..1b6b4466cd 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = pk11.@O@ pk11_result.@O@ \
 parseint.@O@ portset.@O@ queue.@O@ quota.@O@ \
 radix.@O@ random.@O@ ratelimiter.@O@ \
 region.@O@ regex.@O@ result.@O@ rwlock.@O@ \
- serial.@O@ siphash.@O@ sockaddr.@O@ stats.@O@ \
+ safe.@O@ serial.@O@ siphash.@O@ sockaddr.@O@ stats.@O@ \
 string.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
 tm.@O@ timer.@O@ version.@O@ \
 ${UNIXOBJS} ${THREADOBJS}
@@ -77,7 +77,7 @@ SRCS = pk11.c pk11_result.c \
 netaddr.c netscope.c nonce.c openssl_shim.c pool.c \
 parseint.c portset.c queue.c quota.c radix.c random.c \
 ratelimiter.c region.c regex.c result.c rwlock.c \
- serial.c siphash.c sockaddr.c stats.c string.c \
+ safe.c serial.c siphash.c sockaddr.c stats.c string.c \
 symtab.c task.c taskpool.c timer.c \
 tm.c version.c
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index 7fbcd60f86..3c4784114d 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
@@ -16,11 +16,10 @@
 #include
-#include
-
 ISC_LANG_BEGINDECLS
-#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
+int
+isc_safe_memequal(const void *, const void *, size_t);
 /*%<
 * Returns true iff. two blocks of memory are equal, otherwise
@@ -28,7 +27,9 @@ ISC_LANG_BEGINDECLS
 *
 */
-#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
+void
+isc_safe_memwipe(void *, size_t);
+
 /*%<
 * Clear the memory of length `len` pointed to by `ptr`.
 *
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
new file mode 100644
index 0000000000..91f397a95d
--- /dev/null
+++ b/lib/isc/safe.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include
+
+#include
+
+int
+isc_safe_memequal(const void *s1, const void *s2, size_t len) {
+ return (!CRYPTO_memcmp(s1, s2, len));
+}
+
+void
+isc_safe_memwipe(void *ptr, size_t len) {
+ OPENSSL_cleanse(ptr, len);
+}
diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
index cab49519a0..1559661777 100644
--- a/lib/isc/win32/libisc.def.in
+++ b/lib/isc/win32/libisc.def.in
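Review bot: The new prototype `isc_safe_memequal(const void *, const void *, size_t);` drops the parameter names that the replaced macro carried, yet the `/*%<` comment right after it describes the arguments, and the same happens in the next hunk where the isc_safe_memwipe comment still speaks of `len` and `ptr` that no longer appear in the declaration. Keep the names in the declarations so the documentation stays anchored to something: `isc_safe_memequal(const void *s1, const void *s2, size_t n);` and `isc_safe_memwipe(void *ptr, size_t len);`. The comment also says the function "Returns true", while the declared type is `int`; a clause stating that it returns 1 when the blocks are equal and 0 otherwise would match the safe.c body, which returns `!CRYPTO_memcmp(s1, s2, len)`.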
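Review bot: The added empty line after `isc_safe_memwipe(void *, size_t);` separates the declaration from its trailing `/*%<` comment, whereas in the previous hunk the isc_safe_memequal comment directly follows its prototype. If the `%<` marker is meant to attach the comment to the declaration that precedes it, the blank line should be dropped so both entries read alike; otherwise the first hunk should gain one, but the two should not differ.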
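Review bot: The targets of the two `#include` directives in the new safe.c are not visible in this rendering, so this is a point to confirm rather than a defect: since the purpose of the change is that isc/safe.h no longer pulls in OpenSSL, this file should include `<isc/safe.h>` before the OpenSSL header, so that compiling safe.c itself proves the public header is self-contained (a `size_t` with no `<stddef.h>` would then fail here rather than in a downstream consumer of libisc). A short file comment stating why these are out-of-line functions would also help the next reader, for example `/* Real functions rather than macros so that CRYPTO_memcmp and OPENSSL_cleanse, and with them the OpenSSL headers and -lcrypto, stay out of the public isc/safe.h. */`.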
@@ -541,6 +541,8 @@ isc_rwlock_lock
 isc_rwlock_trylock
 isc_rwlock_tryupgrade
 isc_rwlock_unlock
+isc_safe_memequal
+isc_safe_memwipe
 isc_serial_eq
 isc_serial_ge
 isc_serial_gt
diff --git a/lib/isc/win32/libisc.vcxproj.filters.in b/lib/isc/win32/libisc.vcxproj.filters.in
index 7a4d86b34e..5e8d0b40bd 100644
--- a/lib/isc/win32/libisc.vcxproj.filters.in
+++ b/lib/isc/win32/libisc.vcxproj.filters.in
@@ -584,6 +584,9 @@ Library Source Files + + Library Source Files + Library Source Files
diff --git a/lib/isc/win32/libisc.vcxproj.in b/lib/isc/win32/libisc.vcxproj.in
index b7079bbf6c..5267abfe4d 100644
--- a/lib/isc/win32/libisc.vcxproj.in
+++ b/lib/isc/win32/libisc.vcxproj.in
@@ -464,6 +464,7 @@ copy InstallFiles ..\Build\Release\ +
diff --git a/util/copyrights b/util/copyrights
index 25d4c852ac..766615d0a3 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2284,6 +2284,7 @@
 ./lib/isc/region.c C 2002,2004,2005,2007,2016,2018,2019,2020
 ./lib/isc/result.c C 1998,1999,2000,2001,2003,2004,2005,2007,2008,2012,2014,2015,2016,2017,2018,2019,2020
 ./lib/isc/rwlock.c C 1998,1999,2000,2001,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020
+./lib/isc/safe.c C 2020
 ./lib/isc/serial.c C 1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
 ./lib/isc/siphash.c C 2019,2020
 ./lib/isc/sockaddr.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020