From 4022277272b5213ef34cfeed46d006800b131687 Mon Sep 17 00:00:00 2001 From: Fernando Fernandez Mancera Date: Mon, 8 Jan 2018 13:57:06 +0100 Subject: Refactor crypto.[ch] into smaller OpenSSL module. Add two new files (crypto_openssl.c, crypto_openssl.h) as new module of crypto.[ch]. This new module includes all functions and dependencies related to OpenSSL management. Those have been removed from crypto.[ch]. All new changes related to OpenSSL management must be done in these files. Follows #24658 Signed-off-by: Fernando Fernandez Mancera --- src/common/crypto.c | 143 ---------------------------------------------------- 1 file changed, 143 deletions(-) (limited to 'src/common/crypto.c') diff --git a/src/common/crypto.c b/src/common/crypto.c index c9db7cb4ba..0abb4a1afb 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -29,21 +29,6 @@ #include "crypto_ed25519.h" #include "crypto_format.h" -DISABLE_GCC_WARNING(redundant-decls) - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -ENABLE_GCC_WARNING(redundant-decls) - #if __GNUC__ && GCC_VERSION >= 402 #if GCC_VERSION >= 406 #pragma GCC diagnostic pop 
@@ -82,40 +67,12 @@ ENABLE_GCC_WARNING(redundant-decls) #include "keccak-tiny/keccak-tiny.h" -#ifdef ANDROID -/* Android's OpenSSL seems to have removed all of its Engine support. */ -#define DISABLE_ENGINES -#endif - -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && \ - !defined(LIBRESSL_VERSION_NUMBER) -/* OpenSSL as of 1.1.0pre4 has an "new" thread API, which doesn't require - * seting up various callbacks. - * - * OpenSSL 1.1.0pre4 has a messed up `ERR_remove_thread_state()` prototype, - * while the previous one was restored in pre5, and the function made a no-op - * (along with a deprecated annotation, which produces a compiler warning). - * - * While it is possible to support all three versions of the thread API, - * a version that existed only for one snapshot pre-release is kind of - * pointless, so let's not. - */ -#define NEW_THREAD_API -#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && ... */ - /** Longest recognized */ #define MAX_DNS_LABEL_SIZE 63 /** Largest strong entropy request */ #define MAX_STRONGEST_RAND_SIZE 256 -#ifndef NEW_THREAD_API -/** A number of preallocated mutexes for use by OpenSSL. */ -static tor_mutex_t **openssl_mutexes_ = NULL; -/** How many mutexes have we allocated for use by OpenSSL? */ -static int n_openssl_mutexes_ = 0; -#endif /* !defined(NEW_THREAD_API) */ - /** A public key, or a public/private key-pair. */ struct crypto_pk_t { @@ -129,7 +86,6 @@ struct crypto_dh_t { DH *dh; /**< The openssl DH object */ }; -static int setup_openssl_threading(void); static int tor_check_dh_key(int severity, const BIGNUM *bn); /** Return the number of bytes added by padding method padding. 
@@ -220,52 +176,6 @@ try_load_engine(const char *path, const char *engine) } #endif /* !defined(DISABLE_ENGINES) */ -/* Returns a trimmed and human-readable version of an openssl version string -* raw_version. They are usually in the form of 'OpenSSL 1.0.0b 10 -* May 2012' and this will parse them into a form similar to '1.0.0b' */ -static char * -parse_openssl_version_str(const char *raw_version) -{ - const char *end_of_version = NULL; - /* The output should be something like "OpenSSL 1.0.0b 10 May 2012. Let's - trim that down. */ - if (!strcmpstart(raw_version, "OpenSSL ")) { - raw_version += strlen("OpenSSL "); - end_of_version = strchr(raw_version, ' '); - } - - if (end_of_version) - return tor_strndup(raw_version, - end_of_version-raw_version); - else - return tor_strdup(raw_version); -} - -static char *crypto_openssl_version_str = NULL; -/* Return a human-readable version of the run-time openssl version number. */ -const char * -crypto_openssl_get_version_str(void) -{ - if (crypto_openssl_version_str == NULL) { - const char *raw_version = OpenSSL_version(OPENSSL_VERSION); - crypto_openssl_version_str = parse_openssl_version_str(raw_version); - } - return crypto_openssl_version_str; -} - -static char *crypto_openssl_header_version_str = NULL; -/* Return a human-readable version of the compile-time openssl version -* number. */ -const char * -crypto_openssl_get_header_version_str(void) -{ - if (crypto_openssl_header_version_str == NULL) { - crypto_openssl_header_version_str = - parse_openssl_version_str(OPENSSL_VERSION_TEXT); - } - return crypto_openssl_header_version_str; -} - /** Make sure that openssl is using its default PRNG. Return 1 if we had to * adjust it; 0 otherwise. */ STATIC int 
@@ -3347,36 +3257,6 @@ memwipe(void *mem, uint8_t byte, size_t sz) memset(mem, byte, sz); } -#ifndef OPENSSL_THREADS -#error OpenSSL has been built without thread support. Tor requires an \ - OpenSSL library with thread support enabled. -#endif - -#ifndef NEW_THREAD_API -/** Helper: OpenSSL uses this callback to manipulate mutexes. */ -static void -openssl_locking_cb_(int mode, int n, const char *file, int line) -{ - (void)file; - (void)line; - if (!openssl_mutexes_) - /* This is not a really good fix for the - * "release-freed-lock-from-separate-thread-on-shutdown" problem, but - * it can't hurt. */ - return; - if (mode & CRYPTO_LOCK) - tor_mutex_acquire(openssl_mutexes_[n]); - else - tor_mutex_release(openssl_mutexes_[n]); -} - -static void -tor_set_openssl_thread_id(CRYPTO_THREADID *threadid) -{ - CRYPTO_THREADID_set_numeric(threadid, tor_get_thread_id()); -} -#endif /* !defined(NEW_THREAD_API) */ - #if 0 /* This code is disabled, because OpenSSL never actually uses these callbacks. */ @@ -3428,29 +3308,6 @@ openssl_dynlock_destroy_cb_(struct CRYPTO_dynlock_value *v, #endif /* 0 */ /** @{ */ -/** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being - * multithreaded. Returns 0. */ -static int -setup_openssl_threading(void) -{ -#ifndef NEW_THREAD_API - int i; - int n = CRYPTO_num_locks(); - n_openssl_mutexes_ = n; - openssl_mutexes_ = tor_calloc(n, sizeof(tor_mutex_t *)); - for (i=0; i < n; ++i) - openssl_mutexes_[i] = tor_mutex_new(); - CRYPTO_set_locking_callback(openssl_locking_cb_); - CRYPTO_THREADID_set_callback(tor_set_openssl_thread_id); -#endif /* !defined(NEW_THREAD_API) */ -#if 0 - CRYPTO_set_dynlock_create_callback(openssl_dynlock_create_cb_); - CRYPTO_set_dynlock_lock_callback(openssl_dynlock_lock_cb_); - CRYPTO_set_dynlock_destroy_callback(openssl_dynlock_destroy_cb_); -#endif - return 0; -} - /** Uninitialize the crypto library. Return 0 on success. Does not detect * failure. */ -- cgit v1.2.3-54-g00ecf 
From 7353c9496e4f67321fbeee594cb8c488cff20aaf Mon Sep 17 00:00:00 2001 From: Fernando Fernandez Mancera Date: Mon, 8 Jan 2018 15:31:41 +0100 Subject: Add free_openssl() to crypto_openssl module. Add free_openssl() function to free the memory allocated for OpenSSL version management variables. It is required since OpenSSL management has been isolated from the crypto module. Follows #24658. Signed-off-by: Fernando Fernandez Mancera --- src/common/crypto.c | 3 +-- src/common/crypto_openssl.c | 8 ++++++++ src/common/crypto_openssl.h | 3 +++ 3 files changed, 12 insertions(+), 2 deletions(-) (limited to 'src/common/crypto.c') diff --git a/src/common/crypto.c b/src/common/crypto.c index 0abb4a1afb..12f4270cc4 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -3348,8 +3348,7 @@ crypto_global_cleanup(void) } #endif /* !defined(NEW_THREAD_API) */ - tor_free(crypto_openssl_version_str); - tor_free(crypto_openssl_header_version_str); + free_openssl(); return 0; } diff --git a/src/common/crypto_openssl.c b/src/common/crypto_openssl.c index 03485c0520..e7495f9720 100644 --- a/src/common/crypto_openssl.c +++ b/src/common/crypto_openssl.c @@ -113,3 +113,11 @@ setup_openssl_threading(void) return 0; } +/** free OpenSSL variables */ +void +free_openssl(void) +{ + tor_free(crypto_openssl_version_str); + tor_free(crypto_openssl_header_version_str); +} + diff --git a/src/common/crypto_openssl.h b/src/common/crypto_openssl.h index 7b5545f69c..0c6bccad41 100644 --- a/src/common/crypto_openssl.h +++ b/src/common/crypto_openssl.h @@ -101,5 +101,8 @@ void tor_set_openssl_thread_id(CRYPTO_THREADID *threadid); /* OpenSSL threading setup function */ int setup_openssl_threading(void); +/* Tor OpenSSL utility functions */ +void free_openssl(void); + #endif /* !defined(TOR_CRYPTO_OPENSSL_H) */ -- cgit v1.2.3-54-g00ecf From b3aa7be26c121d1a1fd6df7ab240745a08b6b406 Mon Sep 17 00:00:00 2001 
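Review bot: The doc comment on `free_openssl()` in the crypto_openssl.c hunk does not say what happens to strings that were already handed out. As the getters read in the code removed from crypto.c earlier in this series, `crypto_openssl_get_version_str()` and `crypto_openssl_get_header_version_str()` return the cached pointers themselves, so a caller that kept one holds a dangling pointer once this function has run. I would replace `/** free OpenSSL variables */` with something like `/** Free the cached OpenSSL version strings. Pointers previously returned by the crypto_openssl_get_*version_str() getters are invalid after this call. */`. It is also worth stating whether `crypto_global_cleanup()` is meant to be the only caller.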
From: Fernando Fernandez Mancera Date: Fri, 19 Jan 2018 18:07:49 +0100 Subject: Tweaks into functions and variables in crypto_openssl_mgt.[ch] Renamed free_openssl() to crypto_openssl_free_all(). Also we made variables and functions static again. Follows #24658. Signed-off-by: Fernando Fernandez Mancera --- src/common/crypto.c | 2 +- src/common/crypto_openssl_mgt.c | 19 +++++++++++++------ src/common/crypto_openssl_mgt.h | 10 +--------- 3 files changed, 15 insertions(+), 16 deletions(-) (limited to 'src/common/crypto.c') diff --git a/src/common/crypto.c b/src/common/crypto.c index 12f4270cc4..96a1f7c007 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -3348,7 +3348,7 @@ crypto_global_cleanup(void) } #endif /* !defined(NEW_THREAD_API) */ - free_openssl(); + crypto_openssl_free_all(); return 0; } diff --git a/src/common/crypto_openssl_mgt.c b/src/common/crypto_openssl_mgt.c index ff9052b560..c19da5b9f4 100644 --- a/src/common/crypto_openssl_mgt.c +++ b/src/common/crypto_openssl_mgt.c @@ -14,15 +14,22 @@ #ifndef NEW_THREAD_API /** A number of preallocated mutexes for use by OpenSSL. */ -tor_mutex_t **openssl_mutexes_ = NULL; +static tor_mutex_t **openssl_mutexes_ = NULL; /** How many mutexes have we allocated for use by OpenSSL? */ -int n_openssl_mutexes_ = 0; +static int n_openssl_mutexes_ = 0; #endif /* !defined(NEW_THREAD_API) */ +/** Declare STATIC functions */ +STATIC char * parse_openssl_version_str(const char *raw_version); +#ifndef NEW_THREAD_API +STATIC void openssl_locking_cb_(int mode, int n, const char *file, int line); +STATIC void tor_set_openssl_thread_id(CRYPTO_THREADID *threadid); +#endif + /* Returns a trimmed and human-readable version of an openssl version string * raw_version. They are usually in the form of 'OpenSSL 1.0.0b 10 * May 2012' and this will parse them into a form similar to '1.0.0b' */ -char * +STATIC char * parse_openssl_version_str(const char *raw_version) { const char *end_of_version = NULL; 
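Review bot: Making `openssl_mutexes_` and `n_openssl_mutexes_` `static` in crypto_openssl_mgt.c, while the crypto_openssl_mgt.h hunk of this commit drops their declarations, leaves crypto.c with no way to reach them. The crypto.c hunk shows `crypto_global_cleanup()` still closing an `#ifndef NEW_THREAD_API` block right before the `crypto_openssl_free_all()` call; that block lies outside the hunk, so this is inferred, but if it is the one that releases the mutex array then builds against OpenSSL older than 1.1.0 will stop compiling. Moving that teardown into `crypto_openssl_free_all()`, next to the two `tor_free()` calls, would keep the lock state and its cleanup in one translation unit. The existing comment in `openssl_locking_cb_()` about locks being released after they were freed at shutdown is a reason to keep the NULL check and the free in the same file.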
@@ -72,7 +79,7 @@ crypto_openssl_get_header_version_str(void) #ifndef NEW_THREAD_API /** Helper: OpenSSL uses this callback to manipulate mutexes. */ -void +STATIC void openssl_locking_cb_(int mode, int n, const char *file, int line) { (void)file; @@ -88,7 +95,7 @@ openssl_locking_cb_(int mode, int n, const char *file, int line) tor_mutex_release(openssl_mutexes_[n]); } -void +STATIC void tor_set_openssl_thread_id(CRYPTO_THREADID *threadid) { CRYPTO_THREADID_set_numeric(threadid, tor_get_thread_id()); @@ -115,7 +122,7 @@ setup_openssl_threading(void) /** free OpenSSL variables */ void -free_openssl(void) +crypto_openssl_free_all(void) { tor_free(crypto_openssl_version_str); tor_free(crypto_openssl_header_version_str); diff --git a/src/common/crypto_openssl_mgt.h b/src/common/crypto_openssl_mgt.h index 0c6bccad41..9b887abd5d 100644 --- a/src/common/crypto_openssl_mgt.h +++ b/src/common/crypto_openssl_mgt.h @@ -86,23 +86,15 @@ ENABLE_GCC_WARNING(redundant-decls) #define NEW_THREAD_API #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && ... */ -tor_mutex_t **openssl_mutexes_; -int n_openssl_mutexes_; - /* global openssl state */ const char * crypto_openssl_get_version_str(void); const char * crypto_openssl_get_header_version_str(void); -/* generics OpenSSL functions */ -char * parse_openssl_version_str(const char *raw_version); -void openssl_locking_cb_(int mode, int n, const char *file, int line); -void tor_set_openssl_thread_id(CRYPTO_THREADID *threadid); - /* OpenSSL threading setup function */ int setup_openssl_threading(void); /* Tor OpenSSL utility functions */ -void free_openssl(void); +void crypto_openssl_free_all(void); #endif /* !defined(TOR_CRYPTO_OPENSSL_H) */ -- cgit v1.2.3-54-g00ecf From f2fca519762cdd37c8559eb95bb8b41973225d38 Mon Sep 17 00:00:00 2001 
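Review bot: `STATIC` is used for `openssl_locking_cb_()` and `tor_set_openssl_thread_id()` here, and for `parse_openssl_version_str()` and the three forward declarations in the previous hunk, although the commit message says these are being made static again. The definitions removed from crypto.c earlier in the series were plain `static`; assuming `STATIC` is the test-support macro that drops `static` in unit-test builds, the callbacks get external linkage there with no prototype in any header. If no test needs them, plain `static` is enough, e.g. `static void openssl_locking_cb_(int mode, int n, const char *file, int line)`, and the "Declare STATIC functions" block in the .c file can be removed. If tests do need them, the prototypes belong in crypto_openssl_mgt.h under the test-only guard rather than in the .c file.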
From: Fernando Fernandez Mancera Date: Mon, 22 Jan 2018 16:48:33 +0100 Subject: Move the openssl namespace back into .c files. As we're trying not to have all the other modules in Tor, we moved the openssl namespace includes back into crypto.c and crypto_openssl_mgt.c files. Follows #24658. Signed-off-by: Fernando Fernandez Mancera --- src/common/crypto.c | 15 +++++++++++++++ src/common/crypto_openssl_mgt.c | 15 +++++++++++++++ src/common/crypto_openssl_mgt.h | 15 --------------- 3 files changed, 30 insertions(+), 15 deletions(-) (limited to 'src/common/crypto.c') diff --git a/src/common/crypto.c b/src/common/crypto.c index 96a1f7c007..3fba2da5d9 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -29,6 +29,21 @@ #include "crypto_ed25519.h" #include "crypto_format.h" +DISABLE_GCC_WARNING(redundant-decls) + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +ENABLE_GCC_WARNING(redundant-decls) + #if __GNUC__ && GCC_VERSION >= 402 #if GCC_VERSION >= 406 #pragma GCC diagnostic pop diff --git a/src/common/crypto_openssl_mgt.c b/src/common/crypto_openssl_mgt.c index c19da5b9f4..ca91e12d1e 100644 --- a/src/common/crypto_openssl_mgt.c +++ b/src/common/crypto_openssl_mgt.c @@ -12,6 +12,21 @@ #include "crypto_openssl_mgt.h" +DISABLE_GCC_WARNING(redundant-decls) + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +ENABLE_GCC_WARNING(redundant-decls) + #ifndef NEW_THREAD_API /** A number of preallocated mutexes for use by OpenSSL. */ static tor_mutex_t **openssl_mutexes_ = NULL; diff --git a/src/common/crypto_openssl_mgt.h b/src/common/crypto_openssl_mgt.h index 9b887abd5d..09b6737962 100644 --- a/src/common/crypto_openssl_mgt.h +++ b/src/common/crypto_openssl_mgt.h 
@@ -18,21 +18,6 @@ #include -DISABLE_GCC_WARNING(redundant-decls) - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -ENABLE_GCC_WARNING(redundant-decls) - /* Macro to create an arbitrary OpenSSL version number as used by OPENSSL_VERSION_NUMBER or SSLeay(), since the actual numbers are a bit hard -- cgit v1.2.3-54-g00ecf
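Review bot: With the OpenSSL includes removed from crypto_openssl_mgt.h, the header's `#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)` test that defines `NEW_THREAD_API` (visible as context in the previous commit) now depends on whatever was included before the header. In crypto_openssl_mgt.c the OpenSSL block is added after `#include "crypto_openssl_mgt.h"`, and the name of the one angle-bracket include left in the header is not legible on this page. Unless that include pulls in the version macros, the preprocessor evaluates the undefined `OPENSSL_VERSION_NUMBER` as 0 and silently selects the legacy locking-callback path. Keeping an include of `openssl/opensslv.h` in the header, or adding `#ifndef OPENSSL_VERSION_NUMBER` followed by `#error` ahead of the test, would turn that into a build failure instead of a wrong threading setup.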