mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 10:10:06 +00:00
532 lines
12 KiB
C
532 lines
12 KiB
C
/*
|
|
* Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*
|
|
* Portions Copyright (C) Network Associates, Inc.
|
|
*
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
|
|
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
|
|
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
|
|
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
/*
|
|
* Principal Author: Brian Wellington
|
|
*/
|
|
#ifdef OPENSSL
|
|
|
|
#include <config.h>
|
|
|
|
#include <isc/entropy.h>
|
|
#include <isc/mem.h>
|
|
#include <isc/mutex.h>
|
|
#include <isc/mutexblock.h>
|
|
#include <isc/platform.h>
|
|
#include <isc/string.h>
|
|
#include <isc/thread.h>
|
|
#include <isc/util.h>
|
|
|
|
#include <dns/log.h>
|
|
|
|
#include <dst/result.h>
|
|
|
|
#include "dst_internal.h"
|
|
#include "dst_openssl.h"
|
|
|
|
#ifdef USE_ENGINE
|
|
#include <openssl/engine.h>
|
|
#endif
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
static isc_mutex_t *locks = NULL;
|
|
static int nlocks;
|
|
#endif
|
|
|
|
#ifdef USE_ENGINE
|
|
static ENGINE *e = NULL;
|
|
#endif
|
|
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
static RAND_METHOD *rm = NULL;
|
|
|
|
static int
|
|
entropy_get(unsigned char *buf, int num) {
|
|
isc_result_t result;
|
|
if (num < 0)
|
|
return (-1);
|
|
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
|
|
return (result == ISC_R_SUCCESS ? 1 : -1);
|
|
}
|
|
|
|
static int
|
|
entropy_status(void) {
|
|
return (dst__entropy_status() > 32);
|
|
}
|
|
|
|
static int
|
|
entropy_getpseudo(unsigned char *buf, int num) {
|
|
isc_result_t result;
|
|
if (num < 0)
|
|
return (-1);
|
|
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
|
|
return (result == ISC_R_SUCCESS ? 1 : -1);
|
|
}
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
static void
|
|
entropy_add(const void *buf, int num, double entropy) {
|
|
/*
|
|
* Do nothing. The only call to this provides no useful data anyway.
|
|
*/
|
|
UNUSED(buf);
|
|
UNUSED(num);
|
|
UNUSED(entropy);
|
|
}
|
|
#else
|
|
static int
|
|
entropy_add(const void *buf, int num, double entropy) {
|
|
/*
|
|
* Do nothing. The only call to this provides no useful data anyway.
|
|
*/
|
|
UNUSED(buf);
|
|
UNUSED(num);
|
|
UNUSED(entropy);
|
|
return (1);
|
|
}
|
|
#endif
|
|
#endif /* !ISC_PLATFORM_CRYPTORANDOM */
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
static void
|
|
lock_callback(int mode, int type, const char *file, int line) {
|
|
UNUSED(file);
|
|
UNUSED(line);
|
|
if ((mode & CRYPTO_LOCK) != 0)
|
|
LOCK(&locks[type]);
|
|
else
|
|
UNLOCK(&locks[type]);
|
|
}
|
|
#endif
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
static unsigned long
|
|
id_callback(void) {
|
|
return ((unsigned long)isc_thread_self());
|
|
}
|
|
#endif
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
|
|
#define FLARG
|
|
#define FILELINE
|
|
#if ISC_MEM_TRACKLINES
|
|
#define FLARG_PASS , __FILE__, __LINE__
|
|
#else
|
|
#define FLARG_PASS
|
|
#endif
|
|
|
|
#else
|
|
|
|
#define FLARG , const char *file, int line
|
|
#define FILELINE , __FILE__, __LINE__
|
|
#if ISC_MEM_TRACKLINES
|
|
#define FLARG_PASS , file, line
|
|
#else
|
|
#define FLARG_PASS
|
|
#endif
|
|
|
|
#endif
|
|
|
|
static void *
|
|
mem_alloc(size_t size FLARG) {
|
|
#ifdef OPENSSL_LEAKS
|
|
void *ptr;
|
|
|
|
INSIST(dst__memory_pool != NULL);
|
|
ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS);
|
|
return (ptr);
|
|
#else
|
|
INSIST(dst__memory_pool != NULL);
|
|
return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS));
|
|
#endif
|
|
}
|
|
|
|
static void
|
|
mem_free(void *ptr FLARG) {
|
|
INSIST(dst__memory_pool != NULL);
|
|
if (ptr != NULL)
|
|
isc__mem_free(dst__memory_pool, ptr FLARG_PASS);
|
|
}
|
|
|
|
static void *
|
|
mem_realloc(void *ptr, size_t size FLARG) {
|
|
#ifdef OPENSSL_LEAKS
|
|
void *rptr;
|
|
|
|
INSIST(dst__memory_pool != NULL);
|
|
rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS);
|
|
return (rptr);
|
|
#else
|
|
INSIST(dst__memory_pool != NULL);
|
|
return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS));
|
|
#endif
|
|
}
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
static void
|
|
_set_thread_id(CRYPTO_THREADID *id)
|
|
{
|
|
CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
|
|
}
|
|
#endif
|
|
|
|
isc_result_t
|
|
dst__openssl_init(const char *engine) {
|
|
isc_result_t result;
|
|
#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
|
|
ENGINE *re;
|
|
#else
|
|
|
|
UNUSED(engine);
|
|
#endif
|
|
|
|
#ifdef DNS_CRYPTO_LEAKS
|
|
CRYPTO_malloc_debug_init();
|
|
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
|
|
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
|
|
#endif
|
|
CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
nlocks = CRYPTO_num_locks();
|
|
locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE);
|
|
if (locks == NULL)
|
|
return (ISC_R_NOMEMORY);
|
|
result = isc_mutexblock_init(locks, nlocks);
|
|
if (result != ISC_R_SUCCESS)
|
|
goto cleanup_mutexalloc;
|
|
CRYPTO_set_locking_callback(lock_callback);
|
|
# if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
CRYPTO_THREADID_set_callback(_set_thread_id);
|
|
# else
|
|
CRYPTO_set_id_callback(id_callback);
|
|
# endif
|
|
|
|
ERR_load_crypto_strings();
|
|
#endif
|
|
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
|
|
if (rm == NULL) {
|
|
result = ISC_R_NOMEMORY;
|
|
goto cleanup_mutexinit;
|
|
}
|
|
rm->seed = NULL;
|
|
rm->bytes = entropy_get;
|
|
rm->cleanup = NULL;
|
|
rm->add = entropy_add;
|
|
rm->pseudorand = entropy_getpseudo;
|
|
rm->status = entropy_status;
|
|
#endif
|
|
|
|
#ifdef USE_ENGINE
|
|
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
|
|
OPENSSL_config(NULL);
|
|
#else
|
|
/*
|
|
* OPENSSL_config() can only be called a single time as of
|
|
* 1.0.2e so do the steps individually.
|
|
*/
|
|
OPENSSL_load_builtin_modules();
|
|
ENGINE_load_builtin_engines();
|
|
ERR_clear_error();
|
|
CONF_modules_load_file(NULL, NULL,
|
|
CONF_MFLAGS_DEFAULT_SECTION |
|
|
CONF_MFLAGS_IGNORE_MISSING_FILE);
|
|
#endif
|
|
|
|
if (engine != NULL && *engine == '\0')
|
|
engine = NULL;
|
|
|
|
if (engine != NULL) {
|
|
e = ENGINE_by_id(engine);
|
|
if (e == NULL) {
|
|
result = DST_R_NOENGINE;
|
|
goto cleanup_rm;
|
|
}
|
|
/* This will init the engine. */
|
|
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
|
|
result = DST_R_NOENGINE;
|
|
goto cleanup_rm;
|
|
}
|
|
}
|
|
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
re = ENGINE_get_default_RAND();
|
|
if (re == NULL) {
|
|
re = ENGINE_new();
|
|
if (re == NULL) {
|
|
result = ISC_R_NOMEMORY;
|
|
goto cleanup_rm;
|
|
}
|
|
ENGINE_set_RAND(re, rm);
|
|
ENGINE_set_default_RAND(re);
|
|
ENGINE_free(re);
|
|
} else
|
|
ENGINE_finish(re);
|
|
#endif
|
|
#else
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
RAND_set_rand_method(rm);
|
|
#endif
|
|
#endif /* USE_ENGINE */
|
|
|
|
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
/* Protect ourselves against unseeded PRNG */
|
|
if (RAND_status() != 1) {
|
|
FATAL_ERROR(__FILE__, __LINE__,
|
|
"OpenSSL pseudorandom number generator "
|
|
"cannot be initialized (see the `PRNG not "
|
|
"seeded' message in the OpenSSL FAQ)");
|
|
}
|
|
#endif
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
#ifdef USE_ENGINE
|
|
cleanup_rm:
|
|
if (e != NULL)
|
|
ENGINE_free(e);
|
|
e = NULL;
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
mem_free(rm FILELINE);
|
|
rm = NULL;
|
|
#endif
|
|
#endif
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
cleanup_mutexinit:
|
|
#endif
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
CRYPTO_set_locking_callback(NULL);
|
|
DESTROYMUTEXBLOCK(locks, nlocks);
|
|
cleanup_mutexalloc:
|
|
mem_free(locks FILELINE);
|
|
locks = NULL;
|
|
#endif
|
|
return (result);
|
|
}
|
|
|
|
void
|
|
dst__openssl_destroy(void) {
|
|
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
|
|
OPENSSL_cleanup();
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
if (rm != NULL) {
|
|
mem_free(rm FILELINE);
|
|
rm = NULL;
|
|
}
|
|
#endif
|
|
#else
|
|
/*
|
|
* Sequence taken from apps_shutdown() in <apps/apps.h>.
|
|
*/
|
|
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
if (rm != NULL) {
|
|
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
|
RAND_cleanup();
|
|
#endif
|
|
mem_free(rm FILELINE);
|
|
rm = NULL;
|
|
}
|
|
#endif
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
CONF_modules_free();
|
|
#endif
|
|
OBJ_cleanup();
|
|
EVP_cleanup();
|
|
#if defined(USE_ENGINE)
|
|
if (e != NULL)
|
|
ENGINE_free(e);
|
|
e = NULL;
|
|
#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
|
|
ENGINE_cleanup();
|
|
#endif
|
|
#endif
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
CRYPTO_cleanup_all_ex_data();
|
|
#endif
|
|
ERR_clear_error();
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
ERR_remove_thread_state(NULL);
|
|
#elif OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
ERR_remove_state(0);
|
|
#endif
|
|
ERR_free_strings();
|
|
|
|
#ifdef DNS_CRYPTO_LEAKS
|
|
CRYPTO_mem_leaks_fp(stderr);
|
|
#endif
|
|
|
|
if (locks != NULL) {
|
|
CRYPTO_set_locking_callback(NULL);
|
|
DESTROYMUTEXBLOCK(locks, nlocks);
|
|
mem_free(locks FILELINE);
|
|
locks = NULL;
|
|
}
|
|
#endif
|
|
}
|
|
|
|
static isc_result_t
|
|
toresult(isc_result_t fallback) {
|
|
isc_result_t result = fallback;
|
|
unsigned long err = ERR_get_error();
|
|
#if defined(HAVE_OPENSSL_ECDSA) && \
|
|
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
|
|
int lib = ERR_GET_LIB(err);
|
|
#endif
|
|
int reason = ERR_GET_REASON(err);
|
|
|
|
switch (reason) {
|
|
/*
|
|
* ERR_* errors are globally unique; others
|
|
* are unique per sublibrary
|
|
*/
|
|
case ERR_R_MALLOC_FAILURE:
|
|
result = ISC_R_NOMEMORY;
|
|
break;
|
|
default:
|
|
#if defined(HAVE_OPENSSL_ECDSA) && \
|
|
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
|
|
if (lib == ERR_R_ECDSA_LIB &&
|
|
reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
|
|
result = ISC_R_NOENTROPY;
|
|
break;
|
|
}
|
|
#endif
|
|
break;
|
|
}
|
|
|
|
return (result);
|
|
}
|
|
|
|
isc_result_t
|
|
dst__openssl_toresult(isc_result_t fallback) {
|
|
isc_result_t result;
|
|
|
|
result = toresult(fallback);
|
|
|
|
ERR_clear_error();
|
|
return (result);
|
|
}
|
|
|
|
isc_result_t
|
|
dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
|
|
return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL,
|
|
funcname, fallback));
|
|
}
|
|
|
|
isc_result_t
|
|
dst__openssl_toresult3(isc_logcategory_t *category,
|
|
const char *funcname, isc_result_t fallback) {
|
|
isc_result_t result;
|
|
unsigned long err;
|
|
const char *file, *data;
|
|
int line, flags;
|
|
char buf[256];
|
|
|
|
result = toresult(fallback);
|
|
|
|
isc_log_write(dns_lctx, category,
|
|
DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
|
|
"%s failed (%s)", funcname,
|
|
isc_result_totext(result));
|
|
|
|
if (result == ISC_R_NOMEMORY)
|
|
goto done;
|
|
|
|
for (;;) {
|
|
err = ERR_get_error_line_data(&file, &line, &data, &flags);
|
|
if (err == 0U)
|
|
goto done;
|
|
ERR_error_string_n(err, buf, sizeof(buf));
|
|
isc_log_write(dns_lctx, category,
|
|
DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
|
|
"%s:%s:%d:%s", buf, file, line,
|
|
(flags & ERR_TXT_STRING) ? data : "");
|
|
}
|
|
|
|
done:
|
|
ERR_clear_error();
|
|
return (result);
|
|
}
|
|
|
|
#if defined(USE_ENGINE)
|
|
ENGINE *
|
|
dst__openssl_getengine(const char *engine) {
|
|
|
|
if (engine == NULL)
|
|
return (NULL);
|
|
if (e == NULL)
|
|
return (NULL);
|
|
if (strcmp(engine, ENGINE_get_id(e)) == 0)
|
|
return (e);
|
|
return (NULL);
|
|
}
|
|
#endif
|
|
|
|
isc_result_t
|
|
dst_random_getdata(void *data, unsigned int length,
|
|
unsigned int *returned, unsigned int flags)
|
|
{
|
|
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
#ifndef DONT_REQUIRE_DST_LIB_INIT
|
|
INSIST(dst__memory_pool != NULL);
|
|
#endif
|
|
REQUIRE(data != NULL);
|
|
REQUIRE(length > 0);
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
if ((flags & ISC_ENTROPY_GOODONLY) == 0) {
|
|
if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0)
|
|
return (dst__openssl_toresult2("RAND_pseudo_bytes",
|
|
DST_R_OPENSSLFAILURE));
|
|
} else {
|
|
if (RAND_bytes((unsigned char *)data, (int)length) != 1)
|
|
return (dst__openssl_toresult2("RAND_bytes",
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
#else
|
|
UNUSED(flags);
|
|
|
|
if (RAND_bytes((unsigned char *)data, (int)length) != 1)
|
|
return (dst__openssl_toresult2("RAND_bytes",
|
|
DST_R_OPENSSLFAILURE));
|
|
#endif
|
|
if (returned != NULL)
|
|
*returned = length;
|
|
return (ISC_R_SUCCESS);
|
|
#else
|
|
UNUSED(data);
|
|
UNUSED(length);
|
|
UNUSED(returned);
|
|
UNUSED(flags);
|
|
|
|
return (ISC_R_NOTIMPLEMENTED);
|
|
#endif
|
|
}
|
|
|
|
#endif /* OPENSSL */
|
|
/*! \file */
|