- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 7 Jun 2016 13:02:02 +0000 (13:02 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 7 Jun 2016 13:02:02 +0000 (13:02 +0000)
git-svn-id: file:///svn/unbound/trunk@3766 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
testcode/unitmain.c
validator/val_secalgo.c
validator/validator.c

index 21a09daf9b45687b218babba4c97321e45cf016e..a07c0774de571be6d497bdf15129f16400b603d2 100644 (file)
@@ -3,6 +3,7 @@
 
 7 June 2016: Wouter
        - Fix #773: Non-standard Python location build failure with pyunbound.
+       - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
 
 6 June 2016: Wouter
        - Better help text from -h (from Ray Griffith).
index e8bb898b0d74efb68a55096e7f5feda24fbadf96..3daa7383f8ebf82af2affb0b9f4156843b1822da 100644 (file)
@@ -568,6 +568,9 @@ void unit_show_feature(const char* feature)
        printf("test %s functions\n", feature);
 }
 
+#ifdef USE_ECDSA_EVP_WORKAROUND
+void ecdsa_evp_workaround_init(void);
+#endif
 /**
  * Main unit test program. Setup, teardown and report errors.
  * @param argc: arg count.
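Review bot: The prototype `void ecdsa_evp_workaround_init(void);` is declared by hand here and again in validator/validator.c (the hunk just above `val_init`), so the compiler never checks either copy against the definition in validator/val_secalgo.c. I would declare it once in the header that exports the other val_secalgo functions (presumably validator/val_secalgo.h, which is not visible on this page), under the same `#ifdef USE_ECDSA_EVP_WORKAROUND`, and include that header from both callers. That declaration is also the natural place for a doc comment saying the function has to run before any signature verification.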
@@ -589,6 +592,9 @@ main(int argc, char* argv[])
 #  ifdef USE_GOST
        (void)sldns_key_EVP_load_gost_id();
 #  endif
+#  ifdef USE_ECDSA_EVP_WORKAROUND
+       ecdsa_evp_workaround_init();
+#  endif
 #elif defined(HAVE_NSS)
        if(NSS_NoDB_Init(".") != SECSuccess)
                fatal_exit("could not init NSS");
index 11c8cd16e8f9a2c3ecb2ac973d34a47248dd4e52..43d580a884fe94e6a2ebe4f8cfb459066d70790a 100644 (file)
@@ -350,6 +350,23 @@ i   * the '44' is the total remaining length.
 }
 #endif /* USE_ECDSA */
 
+#ifdef USE_ECDSA_EVP_WORKAROUND
+static EVP_MD ecdsa_evp_256_md;
+static EVP_MD ecdsa_evp_384_md;
+void ecdsa_evp_workaround_init(void)
+{
+       /* openssl before 1.0.0 fixes RSA with the SHA256
+        * hash in EVP.  We create one for ecdsa_sha256 */
+       ecdsa_evp_256_md = *EVP_sha256();
+       ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
+       ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
+
+       ecdsa_evp_384_md = *EVP_sha384();
+       ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
+       ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
+}
+#endif /* USE_ECDSA_EVP_WORKAROUND */
+
 /**
  * Setup key and digest for verification. Adjust sig if necessary.
  *
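Review bot: `ecdsa_evp_workaround_init()` has no doc comment and no stated calling contract, and it rewrites both file-scope `EVP_MD` objects on every call. Between `ecdsa_evp_256_md = *EVP_sha256();` and the two stores that follow, the object carries the stock SHA-256 `required_pkey_type` and `verify`. If the function can be called again while another thread is verifying (for example through a second `val_init`; its callers are outside this page), that thread could pick up a digest that is not set up for ECDSA. I would add `/** Set up the ECDSA EVP_MD copies for openssl 0.9.8. Call once, before any thread verifies signatures. */`. I would also build each value in a local `EVP_MD` and assign the finished struct in a single statement, so the statics never hold the unmodified SHA-256 fields.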
@@ -478,20 +495,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
                                return 0;
                        }
 #ifdef USE_ECDSA_EVP_WORKAROUND
-                       /* openssl before 1.0.0 fixes RSA with the SHA256
-                        * hash in EVP.  We create one for ecdsa_sha256 */
-                       {
-                               static int md_ecdsa_256_done = 0;
-                               static EVP_MD md;
-                               if(!md_ecdsa_256_done) {
-                                       EVP_MD m = *EVP_sha256();
-                                       md_ecdsa_256_done = 1;
-                                       m.required_pkey_type[0] = (*evp_key)->type;
-                                       m.verify = (void*)ECDSA_verify;
-                                       md = m;
-                               }
-                               *digest_type = &md;
-                       }
+                       *digest_type = &ecdsa_evp_256_md;
 #else
                        *digest_type = EVP_sha256();
 #endif
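Review bot: `*digest_type = &ecdsa_evp_256_md;` hands out the static object without checking that `ecdsa_evp_workaround_init()` has run, and the same applies to `&ecdsa_evp_384_md` in the next hunk. The removed code initialized lazily, so a caller that reaches `setup_key_digest` without going through `val_init` or the unit-test `main` would now pass an all-zero `EVP_MD` to OpenSSL. Failing closed is cheap, for instance `if(!ecdsa_evp_256_md.verify) return 0;` before the assignment, ideally with a log line naming the missing init. The body of `setup_key_digest` continues outside the hunk.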
@@ -505,20 +509,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
                                return 0;
                        }
 #ifdef USE_ECDSA_EVP_WORKAROUND
-                       /* openssl before 1.0.0 fixes RSA with the SHA384
-                        * hash in EVP.  We create one for ecdsa_sha384 */
-                       {
-                               static int md_ecdsa_384_done = 0;
-                               static EVP_MD md;
-                               if(!md_ecdsa_384_done) {
-                                       EVP_MD m = *EVP_sha384();
-                                       md_ecdsa_384_done = 1;
-                                       m.required_pkey_type[0] = (*evp_key)->type;
-                                       m.verify = (void*)ECDSA_verify;
-                                       md = m;
-                               }
-                               *digest_type = &md;
-                       }
+                       *digest_type = &ecdsa_evp_384_md;
 #else
                        *digest_type = EVP_sha384();
 #endif
index db4383bedcdcedc4d2db0204026e0553be4eea1d..f9b6a986ec9e1b0f937eba5c340b883417cef162 100644 (file)
@@ -156,6 +156,9 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
        return 1;
 }
 
+#ifdef USE_ECDSA_EVP_WORKAROUND
+void ecdsa_evp_workaround_init(void);
+#endif
 int
 val_init(struct module_env* env, int id)
 {
@@ -171,6 +174,9 @@ val_init(struct module_env* env, int id)
        lock_basic_init(&val_env->bogus_lock);
        lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
                sizeof(val_env->num_rrset_bogus));
+#ifdef USE_ECDSA_EVP_WORKAROUND
+       ecdsa_evp_workaround_init();
+#endif
        if(!val_apply_cfg(env, val_env, env->cfg)) {
                log_err("validator: could not apply configuration settings.");
                return 0;