From: Aydın Mercan Date: Tue, 16 Sep 2025 13:11:37 +0000 (+0200) Subject: switch isc_md_type_t to a proper enum X-Git-Tag: v9.21.18~2^2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9ec4a1cdfcb9430d565c4a9a81a8825d298c498;p=thirdparty%2Fbind9.git switch isc_md_type_t to a proper enum Get rid of the OpenSSL-isms that plague the codebase where the hash type is `EVP_MD *` By using a proper enum, alongside the cleanup, we also get the ability to use constants for known hash sizes instead of having a function call every time. `EVP_MD_CTX_get0_md` has been removed instead of being adapted since it wasn't used anymore. --- diff --git a/lib/dns/catz.c b/lib/dns/catz.c index 410e00f0782..6e166212040 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -1859,7 +1859,7 @@ dns_catz_generate_masterfilename(dns_catz_zone_t *catz, dns_catz_entry_t *entry, isc_buffer_subtract(tbuf, 1); /* __catz__.db */ - rlen = (isc_md_type_get_size(ISC_MD_SHA256) * 2 + 1) + 12; + rlen = (ISC_SHA256_DIGESTLENGTH * 2 + 1) + 12; /* optionally prepend with / */ if (entry->opts.zonedir != NULL) { diff --git a/lib/dns/ds.c b/lib/dns/ds.c index e8c71a80c72..bc937c8eecd 100644 --- a/lib/dns/ds.c +++ b/lib/dns/ds.c @@ -41,7 +41,7 @@ dns_ds_fromkeyrdata(const dns_name_t *owner, dns_rdata_t *key, unsigned int privatelen = 0; isc_region_t r; isc_md_t *md; - const isc_md_type_t *md_type = NULL; + isc_md_type_t md_type = ISC_MD_UNKNOWN; REQUIRE(key != NULL); REQUIRE(key->type == dns_rdatatype_dnskey || diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 2f4ebf9753a..b8b673043b2 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -1321,22 +1321,22 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { *n = DNS_SIG_ED448SIZE; break; case DST_ALG_HMACMD5: - *n = isc_md_type_get_size(ISC_MD_MD5); + *n = ISC_MD5_DIGESTLENGTH; break; case DST_ALG_HMACSHA1: - *n = isc_md_type_get_size(ISC_MD_SHA1); + *n = ISC_SHA1_DIGESTLENGTH; break; case DST_ALG_HMACSHA224: - *n = isc_md_type_get_size(ISC_MD_SHA224); + *n = ISC_SHA224_DIGESTLENGTH; break; case DST_ALG_HMACSHA256: - *n = isc_md_type_get_size(ISC_MD_SHA256); + *n = ISC_SHA256_DIGESTLENGTH; break; case DST_ALG_HMACSHA384: - *n = isc_md_type_get_size(ISC_MD_SHA384); + *n = ISC_SHA384_DIGESTLENGTH; break; case DST_ALG_HMACSHA512: - *n = isc_md_type_get_size(ISC_MD_SHA512); + *n = ISC_SHA512_DIGESTLENGTH; break; case DST_ALG_GSSAPI: *n = 128; /*%< XXX */ diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index 320b8adb855..40a87aac70c 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -141,7 +141,7 @@ } static isc_result_t -hmac_fromdns(const isc_md_type_t *type, dst_key_t *key, isc_buffer_t *data); +hmac_fromdns(isc_md_type_t type, dst_key_t *key, isc_buffer_t *data); struct dst_hmac_key { uint8_t key[ISC_MAX_BLOCK_SIZE]; @@ -161,8 +161,7 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) { } static isc_result_t -hmac_createctx(const isc_md_type_t *type, const dst_key_t *key, - dst_context_t *dctx) { +hmac_createctx(isc_md_type_t type, const dst_key_t *key, dst_context_t *dctx) { isc_result_t result; const dst_hmac_key_t *hkey = key->keydata.hmac_key; isc_hmac_t *ctx = isc_hmac_new(); /* Either returns or abort()s */ @@ -252,8 +251,7 @@ hmac_verify(const dst_context_t *dctx, const isc_region_t *sig) { } static bool -hmac_compare(const isc_md_type_t *type, const dst_key_t *key1, - const dst_key_t *key2) { +hmac_compare(isc_md_type_t type, const dst_key_t *key1, const dst_key_t *key2) { dst_hmac_key_t *hkey1, *hkey2; hkey1 = key1->keydata.hmac_key; @@ -270,7 +268,7 @@ hmac_compare(const isc_md_type_t *type, const dst_key_t *key1, } static isc_result_t -hmac_generate(const isc_md_type_t *type, dst_key_t *key) { +hmac_generate(isc_md_type_t type, dst_key_t *key) { isc_buffer_t b; isc_result_t result; unsigned int bytes, len; @@ -327,7 +325,7 @@ hmac_todns(const dst_key_t *key, isc_buffer_t *data) { } static isc_result_t -hmac_fromdns(const isc_md_type_t *type, dst_key_t *key, isc_buffer_t *data) { +hmac_fromdns(isc_md_type_t type, dst_key_t *key, isc_buffer_t *data) { dst_hmac_key_t *hkey; unsigned int keylen; isc_region_t r; @@ -363,7 +361,7 @@ hmac_fromdns(const isc_md_type_t *type, dst_key_t *key, isc_buffer_t *data) { } static int -hmac__get_tag_key(const isc_md_type_t *type) { +hmac__get_tag_key(isc_md_type_t type) { if (type == ISC_MD_MD5) { return TAG_HMACMD5_KEY; } else if (type == ISC_MD_SHA1) { @@ -382,7 +380,7 @@ hmac__get_tag_key(const isc_md_type_t *type) { } static int -hmac__get_tag_bits(const isc_md_type_t *type) { +hmac__get_tag_bits(isc_md_type_t type) { if (type == ISC_MD_MD5) { return TAG_HMACMD5_BITS; } else if (type == ISC_MD_SHA1) { @@ -401,8 +399,7 @@ hmac__get_tag_bits(const isc_md_type_t *type) { } static isc_result_t -hmac_tofile(const isc_md_type_t *type, const dst_key_t *key, - const char *directory) { +hmac_tofile(isc_md_type_t type, const dst_key_t *key, const char *directory) { dst_hmac_key_t *hkey; dst_private_t priv; int bytes = (key->key_size + 7) / 8; @@ -434,7 +431,7 @@ hmac_tofile(const isc_md_type_t *type, const dst_key_t *key, } static int -hmac__to_dst_alg(const isc_md_type_t *type) { +hmac__to_dst_alg(isc_md_type_t type) { if (type == ISC_MD_MD5) { return DST_ALG_HMACMD5; } else if (type == ISC_MD_SHA1) { @@ -453,7 +450,7 @@ hmac__to_dst_alg(const isc_md_type_t *type) { } static isc_result_t -hmac_parse(const isc_md_type_t *type, dst_key_t *key, isc_lex_t *lexer, +hmac_parse(isc_md_type_t type, dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t result = ISC_R_SUCCESS, tresult; diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 54213d5cdf3..7bd3729b8bb 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -26,6 +26,7 @@ #include #endif +#include #include #include #include @@ -39,6 +40,9 @@ #include "dst_parse.h" #include "openssl_shim.h" +/* TODO(aydin): remove this crap */ +extern EVP_MD *isc__crypto_md[]; + #ifndef NID_X9_62_prime256v1 #error "P-256 group is not known (NID_X9_62_prime256v1)" #endif /* ifndef NID_X9_62_prime256v1 */ @@ -684,9 +688,9 @@ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { CLEANUP(dst__openssl_toresult(ISC_R_NOMEMORY)); } if (dctx->key->key_alg == DST_ALG_ECDSA256) { - type = isc__crypto_sha256; + type = isc__crypto_md[ISC_MD_SHA256]; } else { - type = isc__crypto_sha384; + type = isc__crypto_md[ISC_MD_SHA384]; } if (dctx->use == DO_SIGN) { diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 465e1f663d3..bc79ae01002 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -39,6 +39,9 @@ #define OPENSSLRSA_MAX_MODULUS_BITS 4096 +/* TODO(aydin): remove this crap */ +extern EVP_MD *isc__crypto_md[]; + typedef struct rsa_components { bool bnfree; const BIGNUM *e, *n, *d, *p, *q, *dmp1, *dmq1, *iqmp; @@ -210,15 +213,15 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { switch (dctx->key->key_alg) { case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: - type = isc__crypto_sha1; /* SHA1 + RSA */ + type = isc__crypto_md[ISC_MD_SHA1]; /* SHA1 + RSA */ break; case DST_ALG_RSASHA256: case DST_ALG_RSASHA256PRIVATEOID: - type = isc__crypto_sha256; /* SHA256 + RSA */ + type = isc__crypto_md[ISC_MD_SHA256]; /* SHA256 + RSA */ break; case DST_ALG_RSASHA512: case DST_ALG_RSASHA512PRIVATEOID: - type = isc__crypto_sha512; + type = isc__crypto_md[ISC_MD_SHA512]; break; default: UNREACHABLE(); @@ -1312,19 +1315,19 @@ check_algorithm(unsigned short algorithm) { switch (algorithm) { case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: - type = isc__crypto_sha1; /* SHA1 + RSA */ + type = isc__crypto_md[ISC_MD_SHA1]; /* SHA1 + RSA */ sig = sha1_sig; len = sizeof(sha1_sig) - 1; break; case DST_ALG_RSASHA256: case DST_ALG_RSASHA256PRIVATEOID: - type = isc__crypto_sha256; /* SHA256 + RSA */ + type = isc__crypto_md[ISC_MD_SHA256]; /* SHA256 + RSA */ sig = sha256_sig; len = sizeof(sha256_sig) - 1; break; case DST_ALG_RSASHA512: case DST_ALG_RSASHA512PRIVATEOID: - type = isc__crypto_sha512; + type = isc__crypto_md[ISC_MD_SHA512]; sig = sha512_sig; len = sizeof(sha512_sig) - 1; break; diff --git a/lib/isc/crypto/crypto_p.h b/lib/isc/crypto/crypto_p.h new file mode 100644 index 00000000000..899d9a2b405 --- /dev/null +++ b/lib/isc/crypto/crypto_p.h @@ -0,0 +1,18 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +#include + +extern EVP_MD *isc__crypto_md[]; diff --git a/lib/isc/crypto/ossl1_1.c b/lib/isc/crypto/ossl1_1.c index a8ac863fc66..6920273b67c 100644 --- a/lib/isc/crypto/ossl1_1.c +++ b/lib/isc/crypto/ossl1_1.c @@ -19,31 +19,34 @@ #include #include +#include #include #include #include +#include "crypto_p.h" + static isc_mem_t *isc__crypto_mctx = NULL; -#define md_register_algorithm(alg) \ - { \ - isc__crypto_##alg = UNCONST(EVP_##alg()); \ - if (isc__crypto_##alg == NULL) { \ - ERR_clear_error(); \ - } \ +#define md_register_algorithm(alg, upperalg) \ + { \ + isc__crypto_md[ISC_MD_##upperalg] = UNCONST(EVP_##alg()); \ + if (isc__crypto_md[ISC_MD_##upperalg] == NULL) { \ + ERR_clear_error(); \ + } \ } static isc_result_t register_algorithms(void) { if (!isc_crypto_fips_mode()) { - md_register_algorithm(md5); + md_register_algorithm(md5, MD5); } - md_register_algorithm(sha1); - md_register_algorithm(sha224); - md_register_algorithm(sha256); - md_register_algorithm(sha384); - md_register_algorithm(sha512); + md_register_algorithm(sha1, SHA1); + md_register_algorithm(sha224, SHA224); + md_register_algorithm(sha256, SHA256); + md_register_algorithm(sha384, SHA384); + md_register_algorithm(sha512, SHA512); return ISC_R_SUCCESS; } diff --git a/lib/isc/crypto/ossl3.c b/lib/isc/crypto/ossl3.c index 5f90df2bdda..00ac7c82571 100644 --- a/lib/isc/crypto/ossl3.c +++ b/lib/isc/crypto/ossl3.c @@ -20,57 +20,51 @@ #include #include +#include #include #include #include +#include "crypto_p.h" + static isc_mem_t *isc__crypto_mctx = NULL; static OSSL_PROVIDER *base = NULL, *fips = NULL; -#define md_register_algorithm(alg, algname) \ - { \ - REQUIRE(isc__crypto_##alg == NULL); \ - isc__crypto_##alg = EVP_MD_fetch(NULL, algname, NULL); \ - if (isc__crypto_##alg == NULL) { \ - ERR_clear_error(); \ - } \ - } - -#define md_unregister_algorithm(alg) \ - { \ - if (isc__crypto_##alg != NULL) { \ - EVP_MD_free(isc__crypto_##alg); \ - isc__crypto_##alg = NULL; \ - } \ +#define md_register_algorithm(alg) \ + { \ + REQUIRE(isc__crypto_md[ISC_MD_##alg] == NULL); \ + isc__crypto_md[ISC_MD_##alg] = EVP_MD_fetch(NULL, #alg, NULL); \ + if (isc__crypto_md[ISC_MD_##alg] == NULL) { \ + ERR_clear_error(); \ + } \ } static isc_result_t register_algorithms(void) { if (!isc_crypto_fips_mode()) { - md_register_algorithm(md5, "MD5"); + md_register_algorithm(MD5); } - md_register_algorithm(sha1, "SHA1"); - md_register_algorithm(sha224, "SHA224"); - md_register_algorithm(sha256, "SHA256"); - md_register_algorithm(sha384, "SHA384"); - md_register_algorithm(sha512, "SHA512"); + md_register_algorithm(SHA1); + md_register_algorithm(SHA224); + md_register_algorithm(SHA256); + md_register_algorithm(SHA384); + md_register_algorithm(SHA512); return ISC_R_SUCCESS; } static void unregister_algorithms(void) { - md_unregister_algorithm(sha512); - md_unregister_algorithm(sha384); - md_unregister_algorithm(sha256); - md_unregister_algorithm(sha224); - md_unregister_algorithm(sha1); - md_unregister_algorithm(md5); + for (size_t i = 0; i < ISC_MD_MAX; i++) { + if (isc__crypto_md[i] != NULL) { + EVP_MD_free(isc__crypto_md[i]); + isc__crypto_md[i] = NULL; + } + } } -#undef md_unregister_algorithm #undef md_register_algorithm #if ISC_MEM_TRACKLINES diff --git a/lib/isc/crypto/ossl_common.c b/lib/isc/crypto/ossl_common.c index 1d940fa1095..41bd2841027 100644 --- a/lib/isc/crypto/ossl_common.c +++ b/lib/isc/crypto/ossl_common.c @@ -11,11 +11,16 @@ * information regarding copyright ownership. */ +#include #include -EVP_MD *isc__crypto_md5 = NULL; -EVP_MD *isc__crypto_sha1 = NULL; -EVP_MD *isc__crypto_sha224 = NULL; -EVP_MD *isc__crypto_sha256 = NULL; -EVP_MD *isc__crypto_sha384 = NULL; -EVP_MD *isc__crypto_sha512 = NULL; +#include +#include + +#include "crypto_p.h" + +EVP_MD *isc__crypto_md[] = { + [ISC_MD_UNKNOWN] = NULL, [ISC_MD_MD5] = NULL, [ISC_MD_SHA1] = NULL, + [ISC_MD_SHA224] = NULL, [ISC_MD_SHA256] = NULL, [ISC_MD_SHA384] = NULL, + [ISC_MD_SHA512] = NULL, +}; diff --git a/lib/isc/hmac.c b/lib/isc/hmac.c index 46582ea9ec2..05134cc1853 100644 --- a/lib/isc/hmac.c +++ b/lib/isc/hmac.c @@ -23,6 +23,7 @@ #include #include +#include "crypto/crypto_p.h" #include "openssl_shim.h" isc_hmac_t * @@ -43,14 +44,17 @@ isc_hmac_free(isc_hmac_t *hmac_st) { isc_result_t isc_hmac_init(isc_hmac_t *hmac_st, const void *key, const size_t keylen, - const isc_md_type_t *md_type) { + isc_md_type_t type) { EVP_PKEY *pkey; + EVP_MD *md; REQUIRE(hmac_st != NULL); REQUIRE(key != NULL); REQUIRE(keylen <= INT_MAX); + REQUIRE(type < ISC_MD_MAX); - if (md_type == NULL) { + md = isc__crypto_md[type]; + if (md == NULL) { return ISC_R_NOTIMPLEMENTED; } @@ -60,7 +64,7 @@ isc_hmac_init(isc_hmac_t *hmac_st, const void *key, const size_t keylen, return ISC_R_CRYPTOFAILURE; } - if (EVP_DigestSignInit(hmac_st, NULL, md_type, NULL, pkey) != 1) { + if (EVP_DigestSignInit(hmac_st, NULL, md, NULL, pkey) != 1) { EVP_PKEY_free(pkey); ERR_clear_error(); return ISC_R_CRYPTOFAILURE; @@ -119,13 +123,6 @@ isc_hmac_final(isc_hmac_t *hmac_st, unsigned char *digest, return ISC_R_SUCCESS; } -const isc_md_type_t * -isc_hmac_get_md_type(isc_hmac_t *hmac_st) { - REQUIRE(hmac_st != NULL); - - return EVP_MD_CTX_get0_md(hmac_st); -} - size_t isc_hmac_get_size(isc_hmac_t *hmac_st) { REQUIRE(hmac_st != NULL); @@ -141,7 +138,7 @@ isc_hmac_get_block_size(isc_hmac_t *hmac_st) { } isc_result_t -isc_hmac(const isc_md_type_t *type, const void *key, const size_t keylen, +isc_hmac(isc_md_type_t type, const void *key, const size_t keylen, const unsigned char *buf, const size_t len, unsigned char *digest, unsigned int *digestlen) { isc_result_t res; diff --git a/lib/isc/include/isc/crypto.h b/lib/isc/include/isc/crypto.h index a7dc9f45a4d..cd32da93918 100644 --- a/lib/isc/include/isc/crypto.h +++ b/lib/isc/include/isc/crypto.h @@ -13,17 +13,8 @@ #pragma once -#include - #include -extern EVP_MD *isc__crypto_md5; -extern EVP_MD *isc__crypto_sha1; -extern EVP_MD *isc__crypto_sha224; -extern EVP_MD *isc__crypto_sha256; -extern EVP_MD *isc__crypto_sha384; -extern EVP_MD *isc__crypto_sha512; - bool isc_crypto_fips_mode(void); /* diff --git a/lib/isc/include/isc/hmac.h b/lib/isc/include/isc/hmac.h index 0a6ba8c4ff1..ecfc6e279c2 100644 --- a/lib/isc/include/isc/hmac.h +++ b/lib/isc/include/isc/hmac.h @@ -43,7 +43,7 @@ typedef void isc_hmac_t; * of digest written to @digest. */ isc_result_t -isc_hmac(const isc_md_type_t *type, const void *key, const size_t keylen, +isc_hmac(isc_md_type_t type, const void *key, const size_t keylen, const unsigned char *buf, const size_t len, unsigned char *digest, unsigned int *digestlen); @@ -77,7 +77,7 @@ isc_hmac_free(isc_hmac_t *hmac); isc_result_t isc_hmac_init(isc_hmac_t *hmac, const void *key, const size_t keylen, - const isc_md_type_t *type); + isc_md_type_t type); /** * isc_hmac_reset: @@ -118,16 +118,6 @@ isc_result_t isc_hmac_final(isc_hmac_t *hmac, unsigned char *digest, unsigned int *digestlen); -/** - * isc_hmac_md_type: - * @hmac: HMAC context - * - * This function return the isc_md_type_t previously set for the supplied - * HMAC context or NULL if no isc_md_type_t has been set. - */ -const isc_md_type_t * -isc_hmac_get_md_type(isc_hmac_t *hmac); - /** * isc_hmac_get_size: * diff --git a/lib/isc/include/isc/md.h b/lib/isc/include/isc/md.h index 41c3447565c..db95d1e84c6 100644 --- a/lib/isc/include/isc/md.h +++ b/lib/isc/include/isc/md.h @@ -35,27 +35,29 @@ typedef void isc_md_t; * * Enumeration of supported message digest algorithms. */ -typedef void isc_md_type_t; - -#define ISC_MD_MD5 isc__crypto_md5 -#define ISC_MD_SHA1 isc__crypto_sha1 -#define ISC_MD_SHA224 isc__crypto_sha224 -#define ISC_MD_SHA256 isc__crypto_sha256 -#define ISC_MD_SHA384 isc__crypto_sha384 -#define ISC_MD_SHA512 isc__crypto_sha512 - -#define ISC_MD5_DIGESTLENGTH isc_md_type_get_size(ISC_MD_MD5) -#define ISC_MD5_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_MD5) -#define ISC_SHA1_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA1) -#define ISC_SHA1_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA1) -#define ISC_SHA224_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA224) -#define ISC_SHA224_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA224) -#define ISC_SHA256_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA256) -#define ISC_SHA256_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA256) -#define ISC_SHA384_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA384) -#define ISC_SHA384_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA384) -#define ISC_SHA512_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA512) -#define ISC_SHA512_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA512) +typedef enum isc_md_type { + ISC_MD_UNKNOWN = 0x00, + ISC_MD_MD5 = 0x01, + ISC_MD_SHA1 = 0x02, + ISC_MD_SHA224 = 0x03, + ISC_MD_SHA256 = 0x04, + ISC_MD_SHA384 = 0x05, + ISC_MD_SHA512 = 0x06, + ISC_MD_MAX = 0x07, +} isc_md_type_t; + +#define ISC_MD5_DIGESTLENGTH 16 +#define ISC_MD5_BLOCK_LENGTH 64 +#define ISC_SHA1_DIGESTLENGTH 20 +#define ISC_SHA1_BLOCK_LENGTH 64 +#define ISC_SHA224_DIGESTLENGTH 28 +#define ISC_SHA224_BLOCK_LENGTH 64 +#define ISC_SHA256_DIGESTLENGTH 32 +#define ISC_SHA256_BLOCK_LENGTH 64 +#define ISC_SHA384_DIGESTLENGTH 48 +#define ISC_SHA384_BLOCK_LENGTH 128 +#define ISC_SHA512_DIGESTLENGTH 64 +#define ISC_SHA512_BLOCK_LENGTH 128 #define ISC_MAX_MD_SIZE 64U /* EVP_MAX_MD_SIZE */ #define ISC_MAX_BLOCK_SIZE 128U /* ISC_SHA512_BLOCK_LENGTH */ @@ -74,7 +76,7 @@ typedef void isc_md_type_t; * at @digestlen, at most ISC_MAX_MD_SIZE bytes will be written. */ isc_result_t -isc_md(const isc_md_type_t *type, const unsigned char *buf, const size_t len, +isc_md(isc_md_type_t type, const unsigned char *buf, const size_t len, unsigned char *digest, unsigned int *digestlen); /** @@ -93,7 +95,7 @@ isc_md_new(void); * to it. */ void -isc_md_free(isc_md_t *); +isc_md_free(isc_md_t *md); /** * isc_md_init: @@ -104,7 +106,7 @@ isc_md_free(isc_md_t *); * initialized before calling this function. */ isc_result_t -isc_md_init(isc_md_t *, const isc_md_type_t *md_type); +isc_md_init(isc_md_t *md, isc_md_type_t type); /** * isc_md_reset: @@ -144,16 +146,6 @@ isc_md_update(isc_md_t *md, const unsigned char *buf, const size_t len); isc_result_t isc_md_final(isc_md_t *md, unsigned char *digest, unsigned int *digestlen); -/** - * isc_md_get_type: - * @md: message digest contezt - * - * This function return the isc_md_type_t previously set for the supplied - * message digest context or NULL if no isc_md_type_t has been set. - */ -const isc_md_type_t * -isc_md_get_md_type(isc_md_t *md); - /** * isc_md_size: * @@ -172,15 +164,6 @@ isc_md_get_size(isc_md_t *md); size_t isc_md_get_block_size(isc_md_t *md); -/** - * isc_md_size: - * - * This function return the size of the message digest when passed an - * isc_md_type_t , i.e. the size of the hash. - */ -size_t -isc_md_type_get_size(const isc_md_type_t *md_type); - /** * isc_md_block_size: * @@ -188,4 +171,4 @@ isc_md_type_get_size(const isc_md_type_t *md_type); * isc_md_type_t. */ size_t -isc_md_type_get_block_size(const isc_md_type_t *md_type); +isc_md_type_get_block_size(isc_md_type_t type); diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c index dfffe3b1297..fae09809073 100644 --- a/lib/isc/iterated_hash.c +++ b/lib/isc/iterated_hash.c @@ -17,11 +17,13 @@ #include #include -#include #include +#include #include #include +#include "crypto/crypto_p.h" + #if OPENSSL_VERSION_NUMBER < 0x30000000L #include @@ -150,7 +152,8 @@ isc__iterated_hash_initialize(void) { mdctx = EVP_MD_CTX_new(); INSIST(mdctx != NULL); - RUNTIME_CHECK(EVP_DigestInit_ex(basectx, isc__crypto_sha1, NULL) == 1); + RUNTIME_CHECK(EVP_DigestInit_ex(basectx, isc__crypto_md[ISC_MD_SHA1], + NULL) == 1); initialized = true; } diff --git a/lib/isc/md.c b/lib/isc/md.c index 8f461d60ca0..87a167984c5 100644 --- a/lib/isc/md.c +++ b/lib/isc/md.c @@ -20,6 +20,7 @@ #include #include +#include "crypto/crypto_p.h" #include "openssl_shim.h" isc_md_t * @@ -39,14 +40,18 @@ isc_md_free(isc_md_t *md) { } isc_result_t -isc_md_init(isc_md_t *md, const isc_md_type_t *md_type) { +isc_md_init(isc_md_t *md, isc_md_type_t type) { + EVP_MD *evp; + REQUIRE(md != NULL); + REQUIRE(type < ISC_MD_MAX); - if (md_type == NULL) { + evp = isc__crypto_md[type]; + if (evp == NULL) { return ISC_R_NOTIMPLEMENTED; } - if (EVP_DigestInit_ex(md, md_type, NULL) != 1) { + if (EVP_DigestInit_ex(md, evp, NULL) != 1) { ERR_clear_error(); return ISC_R_CRYPTOFAILURE; } @@ -95,13 +100,6 @@ isc_md_final(isc_md_t *md, unsigned char *digest, unsigned int *digestlen) { return ISC_R_SUCCESS; } -const isc_md_type_t * -isc_md_get_md_type(isc_md_t *md) { - REQUIRE(md != NULL); - - return EVP_MD_CTX_get0_md(md); -} - size_t isc_md_get_size(isc_md_t *md) { REQUIRE(md != NULL); @@ -117,38 +115,31 @@ isc_md_get_block_size(isc_md_t *md) { } size_t -isc_md_type_get_size(const isc_md_type_t *md_type) { - STATIC_ASSERT(ISC_MAX_MD_SIZE >= EVP_MAX_MD_SIZE, - "Change ISC_MAX_MD_SIZE to be greater than or equal to " - "EVP_MAX_MD_SIZE"); - if (md_type != NULL) { - return (size_t)EVP_MD_size(md_type); - } +isc_md_type_get_block_size(isc_md_type_t type) { + EVP_MD *evp; - return ISC_MAX_MD_SIZE; -} - -size_t -isc_md_type_get_block_size(const isc_md_type_t *md_type) { + REQUIRE(type < ISC_MD_MAX); STATIC_ASSERT(ISC_MAX_MD_SIZE >= EVP_MAX_MD_SIZE, "Change ISC_MAX_MD_SIZE to be greater than or equal to " "EVP_MAX_MD_SIZE"); - if (md_type != NULL) { - return (size_t)EVP_MD_block_size(md_type); + + evp = isc__crypto_md[type]; + if (evp != NULL) { + return (size_t)EVP_MD_block_size(evp); } return ISC_MAX_MD_SIZE; } isc_result_t -isc_md(const isc_md_type_t *md_type, const unsigned char *buf, const size_t len, +isc_md(isc_md_type_t type, const unsigned char *buf, const size_t len, unsigned char *digest, unsigned int *digestlen) { isc_md_t *md; isc_result_t res; md = isc_md_new(); - res = isc_md_init(md, md_type); + res = isc_md_init(md, type); if (res != ISC_R_SUCCESS) { goto end; } diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h index d2f8eeda720..316d7ae7dd4 100644 --- a/lib/isc/openssl_shim.h +++ b/lib/isc/openssl_shim.h @@ -18,10 +18,6 @@ #include #include -#if !HAVE_EVP_MD_CTX_GET0_MD -#define EVP_MD_CTX_get0_md EVP_MD_CTX_md -#endif /* if !HAVE_EVP_MD_CTX_GET0_MD */ - #if !HAVE_BIO_READ_EX int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes); diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 215730d76ba..7477a1b9dea 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -51,6 +52,9 @@ #include "openssl_shim.h" +/* TODO(aydin): remove this crap */ +extern EVP_MD *isc__crypto_md[]; + #define COMMON_SSL_OPTIONS \ (SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION) @@ -315,7 +319,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, -1, -1, 0); X509_set_issuer_name(cert, name); - X509_sign(cert, pkey, isc__crypto_sha256); + X509_sign(cert, pkey, isc__crypto_md[ISC_MD_SHA256]); rv = SSL_CTX_use_certificate(ctx, cert); if (rv != 1) { goto ssl_error; diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index a8f1a759aff..bb3f3530d5f 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -242,7 +242,7 @@ list_towire(isccc_sexpr_t *list, isc_buffer_t **buffer) { static isc_result_t sign(unsigned char *data, unsigned int length, unsigned char *out, uint32_t algorithm, isccc_region_t *secret) { - const isc_md_type_t *md_type; + isc_md_type_t md_type; isccc_region_t source, target; unsigned char digest[ISC_MAX_MD_SIZE]; unsigned int digestlen = sizeof(digest); @@ -353,7 +353,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, uint32_t algorithm, static isc_result_t verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, uint32_t algorithm, isccc_region_t *secret) { - const isc_md_type_t *md_type; + isc_md_type_t md_type; isccc_region_t source; isccc_region_t target; isccc_sexpr_t *_auth, *hmacvalue; diff --git a/meson.build b/meson.build index 2529a0155b4..443c5760db4 100644 --- a/meson.build +++ b/meson.build @@ -642,7 +642,6 @@ foreach fn, header : { 'ERR_get_error_all': '#include ', 'BIO_read_ex': '#include ', 'BIO_write_ex': '#include ', - 'EVP_MD_CTX_get0_md': '#include ', 'EVP_PKEY_eq': '#include ', 'SSL_CTX_set1_cert_store': '#include ', } diff --git a/tests/isc/hmac_test.c b/tests/isc/hmac_test.c index 05b93bf79a3..0245d6041b4 100644 --- a/tests/isc/hmac_test.c +++ b/tests/isc/hmac_test.c @@ -94,7 +94,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_free) { static void isc_hmac_test(isc_hmac_t *hmac_st, const void *key, size_t keylen, - const isc_md_type_t *type, const char *buf, size_t buflen, + isc_md_type_t type, const char *buf, size_t buflen, const char *result, const size_t repeats) { isc_result_t res; @@ -131,7 +131,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_init) { isc_hmac_t *hmac_st = *state; assert_non_null(hmac_st); - assert_int_equal(isc_hmac_init(hmac_st, "", 0, NULL), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_UNKNOWN), ISC_R_NOTIMPLEMENTED); if (!isc_crypto_fips_mode()) { diff --git a/tests/isc/md_test.c b/tests/isc/md_test.c index 3602f968e7d..b217a25b9c2 100644 --- a/tests/isc/md_test.c +++ b/tests/isc/md_test.c @@ -82,8 +82,8 @@ ISC_RUN_TEST_IMPL(isc_md_free) { } static void -isc_md_test(isc_md_t *md, const isc_md_type_t *type, const char *buf, - size_t buflen, const char *result, const size_t repeats) { +isc_md_test(isc_md_t *md, isc_md_type_t type, const char *buf, size_t buflen, + const char *result, const size_t repeats) { isc_result_t res; assert_non_null(md); @@ -118,7 +118,7 @@ ISC_RUN_TEST_IMPL(isc_md_init) { expect_assert_failure(isc_md_init(NULL, ISC_MD_MD5)); - assert_int_equal(isc_md_init(md, NULL), ISC_R_NOTIMPLEMENTED); + assert_int_equal(isc_md_init(md, ISC_MD_UNKNOWN), ISC_R_NOTIMPLEMENTED); if (isc_crypto_fips_mode()) { assert_int_equal(isc_md_init(md, ISC_MD_MD5),