From: Aydın Mercan <aydin@isc.org>
Date: Mon, 1 Dec 2025 10:49:46 +0000 (+0300)
Subject: move openssl error reporting to isc/ossl_wrap
X-Git-Tag: v9.21.18~2^2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f21d237374cf2ada5da109ea11465f5b306c4722;p=thirdparty%2Fbind9.git

move openssl error reporting to isc/ossl_wrap

While being the best place at the time, the tlserr2result doesn't belong
inside TLS code since it is generic to OpenSSL and mostly used in the
dst interface. The newly created ossl_wrap interface is the idea place
for flushing the OpenSSL thread error queue.
---

diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index 8d57211af2d..55d42645c45 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -21,18 +21,20 @@
 #include <openssl/rand.h>
 
 #include <isc/log.h>
+#include <isc/ossl_wrap.h>
 #include <isc/result.h>
-#include <isc/tls.h>
-
-#define dst__openssl_toresult(fallback)                                    \
-	isc__tlserr2result(ISC_LOGCATEGORY_INVALID, ISC_LOGMODULE_INVALID, \
-			   NULL, fallback, __FILE__, __LINE__)
-#define dst__openssl_toresult2(funcname, fallback)                        \
-	isc__tlserr2result(DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO, \
-			   funcname, fallback, __FILE__, __LINE__)
-#define dst__openssl_toresult3(category, funcname, fallback)                   \
-	isc__tlserr2result(category, DNS_LOGMODULE_CRYPTO, funcname, fallback, \
-			   __FILE__, __LINE__)
+
+#define dst__openssl_toresult(fallback)                                       \
+	isc__ossl_wrap_logged_toresult(ISC_LOGCATEGORY_INVALID,               \
+				       ISC_LOGMODULE_INVALID, NULL, fallback, \
+				       __FILE__, __LINE__)
+#define dst__openssl_toresult2(funcname, fallback)                     \
+	isc__ossl_wrap_logged_toresult(DNS_LOGCATEGORY_GENERAL,        \
+				       DNS_LOGMODULE_CRYPTO, funcname, \
+				       fallback, __FILE__, __LINE__)
+#define dst__openssl_toresult3(category, funcname, fallback)           \
+	isc__ossl_wrap_logged_toresult(category, DNS_LOGMODULE_CRYPTO, \
+				       funcname, fallback, __FILE__, __LINE__)
 
 isc_result_t
 dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin,
diff --git a/lib/isc/crypto/ossl1_1.c b/lib/isc/crypto/ossl1_1.c
index e47e294ddda..6ecbac47bcb 100644
--- a/lib/isc/crypto/ossl1_1.c
+++ b/lib/isc/crypto/ossl1_1.c
@@ -26,8 +26,8 @@
 #include <isc/magic.h>
 #include <isc/md.h>
 #include <isc/mem.h>
+#include <isc/ossl_wrap.h>
 #include <isc/safe.h>
-#include <isc/tls.h>
 #include <isc/util.h>
 
 #include "crypto_p.h"
@@ -322,9 +322,9 @@ isc_crypto_fips_enable(void) {
 	}
 
 	if (FIPS_mode_set(1) == 0) {
-		return isc_tlserr2result(ISC_LOGCATEGORY_GENERAL,
-					 ISC_LOGMODULE_CRYPTO, "FIPS_mode_set",
-					 ISC_R_CRYPTOFAILURE);
+		return isc_ossl_wrap_logged_toresult(
+			ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
+			"FIPS_mode_set", ISC_R_CRYPTOFAILURE);
 	}
 
 	register_algorithms();
@@ -389,8 +389,9 @@ isc__crypto_initialize(void) {
 
 	/* Protect ourselves against unseeded PRNG */
 	if (RAND_status() != 1) {
-		isc_tlserr2result(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
-				  "RAND_status", ISC_R_CRYPTOFAILURE);
+		isc_ossl_wrap_logged_toresult(
+			ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
+			"RAND_status", ISC_R_CRYPTOFAILURE);
 		FATAL_ERROR("OpenSSL pseudorandom number generator "
 			    "cannot be initialized (see the `PRNG not "
 			    "seeded' message in the OpenSSL FAQ)");
diff --git a/lib/isc/crypto/ossl3.c b/lib/isc/crypto/ossl3.c
index 9b6e19bb27d..dc3388a35a4 100644
--- a/lib/isc/crypto/ossl3.c
+++ b/lib/isc/crypto/ossl3.c
@@ -29,9 +29,9 @@
 #include <isc/magic.h>
 #include <isc/md.h>
 #include <isc/mem.h>
+#include <isc/ossl_wrap.h>
 #include <isc/region.h>
 #include <isc/safe.h>
-#include <isc/tls.h>
 #include <isc/util.h>
 
 #include "crypto_p.h"
@@ -399,7 +399,7 @@ isc_crypto_fips_enable(void) {
 	INSIST(fips == NULL);
 	fips = OSSL_PROVIDER_load(NULL, "fips");
 	if (fips == NULL) {
-		return isc_tlserr2result(
+		return isc_ossl_wrap_logged_toresult(
 			ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
 			"OSSL_PROVIDER_load", ISC_R_CRYPTOFAILURE);
 	}
@@ -408,16 +408,16 @@ isc_crypto_fips_enable(void) {
 	base = OSSL_PROVIDER_load(NULL, "base");
 	if (base == NULL) {
 		OSSL_PROVIDER_unload(fips);
-		return isc_tlserr2result(
+		return isc_ossl_wrap_logged_toresult(
 			ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
 			"OSS_PROVIDER_load", ISC_R_CRYPTOFAILURE);
 	}
 
 	if (EVP_default_properties_enable_fips(NULL, 1) == 0) {
-		return isc_tlserr2result(ISC_LOGCATEGORY_GENERAL,
-					 ISC_LOGMODULE_CRYPTO,
-					 "EVP_default_properties_enable_fips",
-					 ISC_R_CRYPTOFAILURE);
+		return isc_ossl_wrap_logged_toresult(
+			ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
+			"EVP_default_properties_enable_fips",
+			ISC_R_CRYPTOFAILURE);
 	}
 
 	unregister_algorithms();
@@ -466,8 +466,9 @@ isc__crypto_initialize(void) {
 
 	/* Protect ourselves against unseeded PRNG */
 	if (RAND_status() != 1) {
-		isc_tlserr2result(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
-				  "RAND_status", ISC_R_CRYPTOFAILURE);
+		isc_ossl_wrap_logged_toresult(
+			ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
+			"RAND_status", ISC_R_CRYPTOFAILURE);
 		FATAL_ERROR("OpenSSL pseudorandom number generator "
 			    "cannot be initialized (see the `PRNG not "
 			    "seeded' message in the OpenSSL FAQ)");
diff --git a/lib/isc/include/isc/ossl_wrap.h b/lib/isc/include/isc/ossl_wrap.h
index acfe13e762a..4b9b330f04c 100644
--- a/lib/isc/include/isc/ossl_wrap.h
+++ b/lib/isc/include/isc/ossl_wrap.h
@@ -12,3 +12,19 @@
  */
 
 #pragma once
+
+#include <isc/log.h>
+#include <isc/types.h>
+
+#define isc_ossl_wrap_logged_toresult(category, module, funcname, fallback)  \
+	isc__ossl_wrap_logged_toresult(category, module, funcname, fallback, \
+				       __FILE__, __LINE__)
+
+isc_result_t
+isc_ossl_wrap_toresult(isc_result_t fallback);
+
+isc_result_t
+isc__ossl_wrap_logged_toresult(isc_logcategory_t category,
+			       isc_logmodule_t module, const char *funcname,
+			       isc_result_t fallback, const char *file,
+			       int line);
diff --git a/lib/isc/include/isc/tls.h b/lib/isc/include/isc/tls.h
index 50755ac2b1e..1e10a7d6492 100644
--- a/lib/isc/include/isc/tls.h
+++ b/lib/isc/include/isc/tls.h
@@ -615,11 +615,3 @@ isc_tls_valid_sni_hostname(const char *hostname);
  * string. Returns 'true' if the hostname is likely a domain name, and
  * 'false' if it represents an IP address.
  */
-
-#define isc_tlserr2result(category, module, funcname, fallback)            \
-	isc__tlserr2result(category, module, funcname, fallback, __FILE__, \
-			   __LINE__)
-isc_result_t
-isc__tlserr2result(isc_logcategory_t category, isc_logmodule_t module,
-		   const char *funcname, isc_result_t fallback,
-		   const char *file, int line);
diff --git a/lib/isc/ossl_wrap/ossl_common.c b/lib/isc/ossl_wrap/ossl_common.c
index 844583345b1..cf09d93a182 100644
--- a/lib/isc/ossl_wrap/ossl_common.c
+++ b/lib/isc/ossl_wrap/ossl_common.c
@@ -11,7 +11,87 @@
  * information regarding copyright ownership.
  */
 
+#include <openssl/err.h>
+
 #include <isc/ossl_wrap.h>
 #include <isc/util.h>
 
-EMPTY_TRANSLATION_UNIT;
+#include "../openssl_shim.h"
+
+isc_result_t
+isc_ossl_wrap_toresult(isc_result_t fallback) {
+	isc_result_t result = fallback;
+	unsigned long err = ERR_peek_error();
+#ifdef ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED
+	int lib = ERR_GET_LIB(err);
+#endif /* ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED */
+	int reason = ERR_GET_REASON(err);
+
+	switch (reason) {
+	/*
+	 * ERR_* errors are globally unique; others
+	 * are unique per sublibrary
+	 */
+	case ERR_R_MALLOC_FAILURE:
+		result = ISC_R_NOMEMORY;
+		break;
+	default:
+#ifdef ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED
+		if (lib == ERR_R_ECDSA_LIB &&
+		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+		{
+			result = ISC_R_NOENTROPY;
+			break;
+		}
+#endif /* ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED */
+		break;
+	}
+
+	return result;
+}
+
+isc_result_t
+isc__ossl_wrap_logged_toresult(isc_logcategory_t category,
+			       isc_logmodule_t module, const char *funcname,
+			       isc_result_t fallback, const char *file,
+			       int line) {
+	isc_result_t result = isc_ossl_wrap_toresult(fallback);
+
+	/*
+	 * This is an exception - normally, we don't allow this, but the
+	 * compatibility shims in dst_openssl.h needs a call that just
+	 * translates the error code and don't do any logging.
+	 */
+	if (category == ISC_LOGCATEGORY_INVALID) {
+		goto done;
+	}
+
+	isc_log_write(category, module, ISC_LOG_WARNING,
+		      "%s (%s:%d) failed (%s)", funcname, file, line,
+		      isc_result_totext(result));
+
+	if (result == ISC_R_NOMEMORY) {
+		goto done;
+	}
+
+	for (;;) {
+		const char *func, *data;
+		int flags;
+		unsigned long err = ERR_get_error_all(&file, &line, &func,
+						      &data, &flags);
+		if (err == 0U) {
+			break;
+		}
+
+		char buf[256];
+		ERR_error_string_n(err, buf, sizeof(buf));
+
+		isc_log_write(category, module, ISC_LOG_INFO, "%s:%s:%d:%s",
+			      buf, file, line,
+			      ((flags & ERR_TXT_STRING) != 0) ? data : "");
+	}
+
+done:
+	ERR_clear_error();
+	return result;
+}
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 7477a1b9dea..c4a3fd5ee9b 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -1550,80 +1550,3 @@ isc_tls_valid_sni_hostname(const char *hostname) {
 
 	return true;
 }
-
-static isc_result_t
-isc__tls_toresult(isc_result_t fallback) {
-	isc_result_t result = fallback;
-	unsigned long err = ERR_peek_error();
-#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
-	int lib = ERR_GET_LIB(err);
-#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
-	int reason = ERR_GET_REASON(err);
-
-	switch (reason) {
-	/*
-	 * ERR_* errors are globally unique; others
-	 * are unique per sublibrary
-	 */
-	case ERR_R_MALLOC_FAILURE:
-		result = ISC_R_NOMEMORY;
-		break;
-	default:
-#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
-		if (lib == ERR_R_ECDSA_LIB &&
-		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
-		{
-			result = ISC_R_NOENTROPY;
-			break;
-		}
-#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
-		break;
-	}
-
-	return result;
-}
-
-isc_result_t
-isc__tlserr2result(isc_logcategory_t category, isc_logmodule_t module,
-		   const char *funcname, isc_result_t fallback,
-		   const char *file, int line) {
-	isc_result_t result = isc__tls_toresult(fallback);
-
-	/*
-	 * This is an exception - normally, we don't allow this, but the
-	 * compatibility shims in dst_openssl.h needs a call that just
-	 * translates the error code and don't do any logging.
-	 */
-	if (category == ISC_LOGCATEGORY_INVALID) {
-		goto done;
-	}
-
-	isc_log_write(category, module, ISC_LOG_WARNING,
-		      "%s (%s:%d) failed (%s)", funcname, file, line,
-		      isc_result_totext(result));
-
-	if (result == ISC_R_NOMEMORY) {
-		goto done;
-	}
-
-	for (;;) {
-		const char *func, *data;
-		int flags;
-		unsigned long err = ERR_get_error_all(&file, &line, &func,
-						      &data, &flags);
-		if (err == 0U) {
-			break;
-		}
-
-		char buf[256];
-		ERR_error_string_n(err, buf, sizeof(buf));
-
-		isc_log_write(category, module, ISC_LOG_INFO, "%s:%s:%d:%s",
-			      buf, file, line,
-			      ((flags & ERR_TXT_STRING) != 0) ? data : "");
-	}
-
-done:
-	ERR_clear_error();
-	return result;
-}