From: Wouter Wijngaards Date: Tue, 7 Jun 2016 13:02:02 +0000 (+0000) Subject: - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. X-Git-Tag: release-1.5.10~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=230ef2110bdba3cfd7db07be8a390025c3b120ef;p=thirdparty%2Funbound.git - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. git-svn-id: file:///svn/unbound/trunk@3766 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 21a09daf9..a07c0774d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,7 @@ 7 June 2016: Wouter - Fix #773: Non-standard Python location build failure with pyunbound. + - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. 6 June 2016: Wouter - Better help text from -h (from Ray Griffith). diff --git a/testcode/unitmain.c b/testcode/unitmain.c index e8bb898b0..3daa7383f 100644 --- a/testcode/unitmain.c +++ b/testcode/unitmain.c @@ -568,6 +568,9 @@ void unit_show_feature(const char* feature) printf("test %s functions\n", feature); } +#ifdef USE_ECDSA_EVP_WORKAROUND +void ecdsa_evp_workaround_init(void); +#endif /** * Main unit test program. Setup, teardown and report errors. * @param argc: arg count. @@ -589,6 +592,9 @@ main(int argc, char* argv[]) # ifdef USE_GOST (void)sldns_key_EVP_load_gost_id(); # endif +# ifdef USE_ECDSA_EVP_WORKAROUND + ecdsa_evp_workaround_init(); +# endif #elif defined(HAVE_NSS) if(NSS_NoDB_Init(".") != SECSuccess) fatal_exit("could not init NSS"); diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index 11c8cd16e..43d580a88 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c 
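Review bot: The `void ecdsa_evp_workaround_init(void);` prototype is written by hand inside testcode/unitmain.c, and the first validator/validator.c hunk repeats the same declaration, so nothing makes the compiler check either copy against the definition in validator/val_secalgo.c. Declaring it once, under the same `#ifdef USE_ECDSA_EVP_WORKAROUND`, in the header that exports val_secalgo.c's other functions, and including that header from both files, would stop a later signature change from silently diverging. A one-line comment on that declaration should say the function must run before any signature is verified, since both call sites depend on that ordering.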
@@ -350,6 +350,23 @@ i * the '44' is the total remaining length. } #endif /* USE_ECDSA */ +#ifdef USE_ECDSA_EVP_WORKAROUND +static EVP_MD ecdsa_evp_256_md; +static EVP_MD ecdsa_evp_384_md; +void ecdsa_evp_workaround_init(void) +{ + /* openssl before 1.0.0 fixes RSA with the SHA256 + * hash in EVP. We create one for ecdsa_sha256 */ + ecdsa_evp_256_md = *EVP_sha256(); + ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; + ecdsa_evp_256_md.verify = (void*)ECDSA_verify; + + ecdsa_evp_384_md = *EVP_sha384(); + ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; + ecdsa_evp_384_md.verify = (void*)ECDSA_verify; +} +#endif /* USE_ECDSA_EVP_WORKAROUND */ + /** * Setup key and digest for verification. Adjust sig if necessary. * @@ -478,20 +495,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND - /* openssl before 1.0.0 fixes RSA with the SHA256 - * hash in EVP. We create one for ecdsa_sha256 */ - { - static int md_ecdsa_256_done = 0; - static EVP_MD md; - if(!md_ecdsa_256_done) { - EVP_MD m = *EVP_sha256(); - md_ecdsa_256_done = 1; - m.required_pkey_type[0] = (*evp_key)->type; - m.verify = (void*)ECDSA_verify; - md = m; - } - *digest_type = &md; - } + *digest_type = &ecdsa_evp_256_md; #else *digest_type = EVP_sha256(); #endif @@ -505,20 +509,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND - /* openssl before 1.0.0 fixes RSA with the SHA384 - * hash in EVP. We create one for ecdsa_sha384 */ - { - static int md_ecdsa_384_done = 0; - static EVP_MD md; - if(!md_ecdsa_384_done) { - EVP_MD m = *EVP_sha384(); - md_ecdsa_384_done = 1; - m.required_pkey_type[0] = (*evp_key)->type; - m.verify = (void*)ECDSA_verify; - md = m; - } - *digest_type = &md; - } + *digest_type = &ecdsa_evp_384_md; #else *digest_type = EVP_sha384(); #endif diff --git a/validator/validator.c b/validator/validator.c index db4383bed..f9b6a986e 100644 
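Review bot: `ecdsa_evp_workaround_init` patches the shared statics in place, so between `ecdsa_evp_256_md = *EVP_sha256();` and the two assignments that follow, the structure holds the unmodified SHA-256 `required_pkey_type` and `verify` values; the 384 copy has the same gap. That is harmless only if every call completes before any thread can reach `setup_key_digest`; the validator.c hunk calls it from `val_init`, and if that can run again while another thread is verifying (not visible in this diff), a verifier could pick up the half-patched digest and reject a valid ECDSA signature. Building each digest in a local `EVP_MD m` and assigning it once, as the removed code did, narrows the window. The function should also state its contract, for example `/** Set up the EVP_MD copies used for ECDSA; call once at startup, before any thread verifies signatures. */`. The inherited comment still names only `ecdsa_sha256` although the function now prepares both digests.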
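Review bot: In the SHA-256 ECDSA branch of `setup_key_digest`, `*digest_type = &ecdsa_evp_256_md;` now assumes `ecdsa_evp_workaround_init()` has already run, whereas the removed lazy block initialised the digest on first use; the SHA-384 branch in the next hunk has the same dependency. The only callers of the init function visible in this commit are `main` in testcode/unitmain.c and `val_init`, so any other program that reaches this code would hand OpenSSL a zero-filled `EVP_MD`, which presumably ends in a NULL function-pointer call rather than a clean verification failure. A cheap fail-closed guard before the assignment, `if(!ecdsa_evp_256_md.verify) return 0;` (and the equivalent for `ecdsa_evp_384_md`), keeps an uninitialised process from crashing during DNSSEC validation, assuming `return 0` is this function's failure path as the context lines suggest. `setup_key_digest` begins and ends outside both hunks.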
--- a/validator/validator.c +++ b/validator/validator.c @@ -156,6 +156,9 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env, return 1; } +#ifdef USE_ECDSA_EVP_WORKAROUND +void ecdsa_evp_workaround_init(void); +#endif int val_init(struct module_env* env, int id) { @@ -171,6 +174,9 @@ val_init(struct module_env* env, int id) lock_basic_init(&val_env->bogus_lock); lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus, sizeof(val_env->num_rrset_bogus)); +#ifdef USE_ECDSA_EVP_WORKAROUND + ecdsa_evp_workaround_init(); +#endif if(!val_apply_cfg(env, val_env, env->cfg)) { log_err("validator: could not apply configuration settings."); return 0;