591. [bug] Work around non-reentrancy in openssl by disabling

author Brian Wellington <source@isc.org>

Mon, 4 Dec 2000 23:06:37 +0000 (23:06 +0000)

committer Brian Wellington <source@isc.org>

Mon, 4 Dec 2000 23:06:37 +0000 (23:06 +0000)
author Brian Wellington <source@isc.org>
Mon, 4 Dec 2000 23:06:37 +0000 (23:06 +0000)
committer Brian Wellington <source@isc.org>
Mon, 4 Dec 2000 23:06:37 +0000 (23:06 +0000)
diff --git a/CHANGES b/CHANGES

index 53d9faf225ddce9383c50f1b5ddcf01bb5be7c2e..e7f0b539b17a33dc3d2d1a17d24dfdcf41465166 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
  
         --- 9.1.0b1 released ---
  
+ 591.  [bug]           Work around non-reentrancy in openssl by disabling
+                       precomputation in keys.
+
   590.  [doc]           There are now man pages for the lwres library in
                         doc/man/lwres.
  
diff --git a/lib/dns/sec/dst/openssl_link.c b/lib/dns/sec/dst/openssl_link.c

index 37dc6472b6c956fc8b29c67323a2545cd15e06b9..c8809681fb6c51dafe0a07e09d1e46f06c1e54d7 100644 (file)
--- a/lib/dns/sec/dst/openssl_link.c
+++ b/lib/dns/sec/dst/openssl_link.c
@@ -19,7 +19,7 @@
  
  /*
   * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.37 2000/09/08 14:23:46 bwelling Exp $
+ * $Id: openssl_link.c,v 1.38 2000/12/04 23:06:35 bwelling Exp $
   */
  #if defined(OPENSSL)
  
@@ -27,8 +27,11 @@
  
  #include <isc/entropy.h>
  #include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/mutexblock.h>
  #include <isc/sha1.h>
  #include <isc/string.h>
+#include <isc/thread.h>
  #include <isc/util.h>
  
  #include <dst/result.h>
@@ -40,6 +43,7 @@
  #include <openssl/rand.h>
  
  static RAND_METHOD *rm = NULL;
+static isc_mutex_t locks[CRYPTO_NUM_LOCKS];
  
  static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
  
@@ -200,6 +204,7 @@ openssldsa_generate(dst_key_t *key, int unused) {
                 DSA_free(dsa);
                 return (DST_R_OPENSSLFAILURE);
         }
+       dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
  
         key->opaque = dsa;
  
@@ -282,6 +287,7 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
         dsa = DSA_new();
         if (dsa == NULL)
                 return (ISC_R_NOMEMORY);
+       dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
  
         t = (unsigned int) *r.base++;
         if (t > 8) {
@@ -387,6 +393,7 @@ openssldsa_fromfile(dst_key_t *key, const isc_uint16_t id, const char *filename)
         dsa = DSA_new();
         if (dsa == NULL)
                 DST_RET(ISC_R_NOMEMORY);
+       dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
         key->opaque = dsa;
  
         for (i=0; i < priv.nelements; i++) {
@@ -493,10 +500,30 @@ entropy_add(const void *buf, int num, double entropy) {
         UNUSED(entropy);
  }
  
+static void
+lock_callback(int mode, int type, const char *file, int line) {
+       if ((mode & CRYPTO_LOCK) != 0)
+               LOCK(&locks[type]);
+       else
+               UNLOCK(&locks[type]);
+}
+
+static unsigned long
+id_callback(void) {
+       return ((unsigned long)isc_thread_self());
+}
+
  isc_result_t
  dst__openssl_init(void) {
+       isc_result_t result;
+
         CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
                                  dst__mem_free);
+       result = isc_mutexblock_init(locks, CRYPTO_NUM_LOCKS);
+       if (result != ISC_R_SUCCESS)
+               return (result);
+       CRYPTO_set_locking_callback(lock_callback);
+       CRYPTO_set_id_callback(id_callback);
         rm = dst__mem_alloc(sizeof(RAND_METHOD));
         if (rm == NULL)
                 return (ISC_R_NOMEMORY);
@@ -512,6 +539,8 @@ dst__openssl_init(void) {
  
  void
  dst__openssl_destroy(void) {
+       RUNTIME_CHECK(isc_mutexblock_destroy(locks, CRYPTO_NUM_LOCKS) ==
+                     ISC_R_SUCCESS);
         dst__mem_free(rm);
  }
  
diff --git a/lib/dns/sec/dst/openssldh_link.c b/lib/dns/sec/dst/openssldh_link.c

index d49a8d12f35da6536c6de31ea1fe0a656d53d75e..b2a8df59e59614bdfbf1be6b81a980d027c74e15 100644 (file)
--- a/lib/dns/sec/dst/openssldh_link.c
+++ b/lib/dns/sec/dst/openssldh_link.c
@@ -19,7 +19,7 @@
  
  /*
   * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.31 2000/09/08 14:23:48 bwelling Exp $
+ * $Id: openssldh_link.c,v 1.32 2000/12/04 23:06:36 bwelling Exp $
   */
  
  #if defined(OPENSSL)
@@ -161,6 +161,7 @@ openssldh_generate(dst_key_t *key, int generator) {
                 DH_free(dh);
                 return (DST_R_OPENSSLFAILURE);
         }
+       dh->flags &= ~DH_FLAG_CACHE_MONT_P;
  
         key->opaque = dh;
  
@@ -279,6 +280,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
         dh = DH_new();
         if (dh == NULL)
                 return (ISC_R_NOMEMORY);
+       dh->flags &= ~DH_FLAG_CACHE_MONT_P;
  
         /*
          * Read the prime length.  1 & 2 are table entries, > 16 means a
@@ -444,6 +446,7 @@ openssldh_fromfile(dst_key_t *key, const isc_uint16_t id, const char *filename)
         dh = DH_new();
         if (dh == NULL)
                 DST_RET(ISC_R_NOMEMORY);
+       dh->flags &= ~DH_FLAG_CACHE_MONT_P;
         key->opaque = dh;
  
         for (i=0; i < priv.nelements; i++) {
diff --git a/lib/dns/sec/dst/opensslrsa_link.c b/lib/dns/sec/dst/opensslrsa_link.c

index aa1b37d767d0d528a1082eead1d50f9bad1d8acb..df9dbc2ba9409559d4f9b8ac17139650f6a85d64 100644 (file)
--- a/lib/dns/sec/dst/opensslrsa_link.c
+++ b/lib/dns/sec/dst/opensslrsa_link.c
@@ -17,7 +17,7 @@
  
  /*
   * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.4 2000/11/22 00:11:30 bwelling Exp $
+ * $Id: opensslrsa_link.c,v 1.5 2000/12/04 23:06:37 bwelling Exp $
   */
  #if defined(OPENSSL)
  
@@ -215,6 +215,7 @@ opensslrsa_generate(dst_key_t *key, int exp) {
         else
                 e = RSA_F4;
         rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
+       rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
  
         if (rsa == NULL) {
                 ERR_clear_error();
@@ -302,6 +303,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
         rsa = RSA_new();
         if (rsa == NULL)
                 return (ISC_R_NOMEMORY);
+       rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
  
         if (r.length < 1)
                 return (DST_R_INVALIDPUBLICKEY);
@@ -438,6 +440,7 @@ opensslrsa_fromfile(dst_key_t *key, const isc_uint16_t id,
         rsa = RSA_new();
         if (rsa == NULL)
                 DST_RET(ISC_R_NOMEMORY);
+       rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
         key->opaque = rsa;
  
         for (i = 0; i < priv.nelements; i++) {
author	Brian Wellington <source@isc.org>
	Mon, 4 Dec 2000 23:06:37 +0000 (23:06 +0000)
committer	Brian Wellington <source@isc.org>
	Mon, 4 Dec 2000 23:06:37 +0000 (23:06 +0000)
CHANGES		patch \| blob \| blame \| history
lib/dns/sec/dst/openssl_link.c		patch \| blob \| blame \| history
lib/dns/sec/dst/openssldh_link.c		patch \| blob \| blame \| history
lib/dns/sec/dst/opensslrsa_link.c		patch \| blob \| blame \| history