Beispiel #1
0
/* Prepare the ENGINE structure for registration */
static int padlock_bind_helper(ENGINE *e)
{
    /* Check available features */
    padlock_available();

    /*
     * RNG is currently disabled for reasons discussed in commentary just
     * before padlock_rand_bytes function.
     */
    padlock_use_rng = 0;

    /* Generate a nice engine name with available features */
    BIO_snprintf(padlock_name, sizeof(padlock_name),
                 "VIA PadLock (%s, %s)",
                 padlock_use_rng ? "RNG" : "no-RNG",
                 padlock_use_ace ? "ACE" : "no-ACE");

    /* Register everything or return with an error */
    if (!ENGINE_set_id(e, padlock_id) ||
        !ENGINE_set_name(e, padlock_name) ||
        !ENGINE_set_init_function(e, padlock_init) ||
#   ifndef OPENSSL_NO_AES
        (padlock_use_ace && !ENGINE_set_ciphers(e, padlock_ciphers)) ||
#   endif
        (padlock_use_rng && !ENGINE_set_RAND(e, &padlock_rand))) {
        return 0;
    }

    /* Everything looks good */
    return 1;
}
Beispiel #2
0
/* Prepare the ENGINE structure for registration */
static int
padlock_bind_helper(ENGINE *e)
{
	/* Check available features */
	padlock_available();

#if 1	/* disable RNG for now, see commentary in vicinity of RNG code */
	padlock_use_rng=0;
#endif

	/* Generate a nice engine name with available features */
	BIO_snprintf(padlock_name, sizeof(padlock_name),
		"VIA PadLock (%s, %s)", 
		 padlock_use_rng ? "RNG" : "no-RNG",
		 padlock_use_ace ? "ACE" : "no-ACE");

	/* Register everything or return with an error */ 
	if (!ENGINE_set_id(e, padlock_id) ||
	    !ENGINE_set_name(e, padlock_name) ||

	    !ENGINE_set_init_function(e, padlock_init) ||
#ifndef OPENSSL_NO_AES
	    (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) ||
#endif
	    (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) {
		return 0;
	}

	/* Everything looks good */
	return 1;
}
Beispiel #3
0
/* ---------------------*/
static int bind_helper(ENGINE *e)
{

    if (!ENGINE_set_id(e, engine_cluster_labs_id) ||
        !ENGINE_set_name(e, engine_cluster_labs_name) ||
#  ifndef OPENSSL_NO_RSA
        !ENGINE_set_RSA(e, &cluster_labs_rsa) ||
#  endif
#  ifndef OPENSSL_NO_DSA
        !ENGINE_set_DSA(e, &cluster_labs_dsa) ||
#  endif
#  ifndef OPENSSL_NO_DH
        !ENGINE_set_DH(e, &cluster_labs_dh) ||
#  endif
        !ENGINE_set_RAND(e, &cluster_labs_rand) ||
        !ENGINE_set_destroy_function(e, cluster_labs_destroy) ||
        !ENGINE_set_init_function(e, cluster_labs_init) ||
        !ENGINE_set_finish_function(e, cluster_labs_finish) ||
        !ENGINE_set_ctrl_function(e, cluster_labs_ctrl) ||
        !ENGINE_set_cmd_defns(e, cluster_labs_cmd_defns))
        return 0;
    /* Ensure the error handling is set up */
    ERR_load_CL_strings();
    return 1;
}
Beispiel #4
0
static int bind_helper (ENGINE * e)
{
    if (!ENGINE_set_id (e, engine_e_rdrand_id) ||
        !ENGINE_set_name (e, engine_e_rdrand_name) ||
        !ENGINE_set_flags (e, ENGINE_FLAGS_NO_REGISTER_ALL) ||
        !ENGINE_set_init_function (e, rdrand_init) || !ENGINE_set_RAND (e, &rdrand_meth))
        return 0;

    return 1;
}
Beispiel #5
0
static int bind_helper(ENGINE *e)
	{
	if (!ENGINE_set_id(e, engine_e_rdrand_id) ||
	    !ENGINE_set_name(e, engine_e_rdrand_name) ||
	    !ENGINE_set_init_function(e, rdrand_init) ||
	    !ENGINE_set_RAND(e, &rdrand_meth) )
		return 0;

	return 1;
	}
Beispiel #6
0
isc_result_t
dst__openssl_init() {
	isc_result_t result;

#ifdef  DNS_CRYPTO_LEAKS
	CRYPTO_malloc_debug_init();
	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif
	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
	nlocks = CRYPTO_num_locks();
	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
	if (locks == NULL)
		return (ISC_R_NOMEMORY);
	result = isc_mutexblock_init(locks, nlocks);
	if (result != ISC_R_SUCCESS)
		goto cleanup_mutexalloc;
	CRYPTO_set_locking_callback(lock_callback);
	CRYPTO_set_id_callback(id_callback);

	rm = mem_alloc(sizeof(RAND_METHOD));
	if (rm == NULL) {
		result = ISC_R_NOMEMORY;
		goto cleanup_mutexinit;
	}
	rm->seed = NULL;
	rm->bytes = entropy_get;
	rm->cleanup = NULL;
	rm->add = entropy_add;
	rm->pseudorand = entropy_getpseudo;
	rm->status = entropy_status;
#ifdef USE_ENGINE
	e = ENGINE_new();
	if (e == NULL) {
		result = ISC_R_NOMEMORY;
		goto cleanup_rm;
	}
	ENGINE_set_RAND(e, rm);
	RAND_set_rand_method(rm);
#else
	RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
	return (ISC_R_SUCCESS);

#ifdef USE_ENGINE
 cleanup_rm:
	mem_free(rm);
#endif
 cleanup_mutexinit:
	CRYPTO_set_locking_callback(NULL);
	DESTROYMUTEXBLOCK(locks, nlocks);
 cleanup_mutexalloc:
	mem_free(locks);
	return (result);
}
Beispiel #7
0
/*
 * This internal function is used by ENGINE_cswift() and possibly by the
 * "dynamic" ENGINE support too
 */
static int bind_helper(ENGINE *e)
{
#  ifndef OPENSSL_NO_RSA
    const RSA_METHOD *meth1;
#  endif
#  ifndef OPENSSL_NO_DH
    const DH_METHOD *meth2;
#  endif
    if (!ENGINE_set_id(e, engine_cswift_id) ||
        !ENGINE_set_name(e, engine_cswift_name) ||
#  ifndef OPENSSL_NO_RSA
        !ENGINE_set_RSA(e, &cswift_rsa) ||
#  endif
#  ifndef OPENSSL_NO_DSA
        !ENGINE_set_DSA(e, &cswift_dsa) ||
#  endif
#  ifndef OPENSSL_NO_DH
        !ENGINE_set_DH(e, &cswift_dh) ||
#  endif
        !ENGINE_set_RAND(e, &cswift_random) ||
        !ENGINE_set_destroy_function(e, cswift_destroy) ||
        !ENGINE_set_init_function(e, cswift_init) ||
        !ENGINE_set_finish_function(e, cswift_finish) ||
        !ENGINE_set_ctrl_function(e, cswift_ctrl) ||
        !ENGINE_set_cmd_defns(e, cswift_cmd_defns))
        return 0;

#  ifndef OPENSSL_NO_RSA
    /*
     * We know that the "PKCS1_SSLeay()" functions hook properly to the
     * cswift-specific mod_exp and mod_exp_crt so we use those functions. NB:
     * We don't use ENGINE_openssl() or anything "more generic" because
     * something like the RSAref code may not hook properly, and if you own
     * one of these cards then you have the right to do RSA operations on it
     * anyway!
     */
    meth1 = RSA_PKCS1_SSLeay();
    cswift_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
    cswift_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
    cswift_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
    cswift_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
#  endif

#  ifndef OPENSSL_NO_DH
    /* Much the same for Diffie-Hellman */
    meth2 = DH_OpenSSL();
    cswift_dh.generate_key = meth2->generate_key;
    cswift_dh.compute_key = meth2->compute_key;
#  endif

    /* Ensure the cswift error handling is set up */
    ERR_load_CSWIFT_strings();
    return 1;
}
Beispiel #8
0
static ENGINE *
sc_get_engine(void)
{
	static ENGINE *smart_engine = NULL;

	if ((smart_engine = ENGINE_new()) == NULL)
		fatal("ENGINE_new failed");

	ENGINE_set_id(smart_engine, "sectok");
	ENGINE_set_name(smart_engine, "libsectok");

	ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
	ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);

	return smart_engine;
}
Beispiel #9
0
/*
 * This internal function is used by ENGINE_openssl() and possibly by the
 * "dynamic" ENGINE support too
 */
static int bind_helper(ENGINE *e)
{
    if (!ENGINE_set_id(e, engine_openssl_id)
        || !ENGINE_set_name(e, engine_openssl_name)
        || !ENGINE_set_destroy_function(e, openssl_destroy)
#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
# ifndef OPENSSL_NO_RSA
        || !ENGINE_set_RSA(e, RSA_get_default_method())
# endif
# ifndef OPENSSL_NO_DSA
        || !ENGINE_set_DSA(e, DSA_get_default_method())
# endif
# ifndef OPENSSL_NO_EC
        || !ENGINE_set_EC(e, EC_KEY_OpenSSL())
# endif
# ifndef OPENSSL_NO_DH
        || !ENGINE_set_DH(e, DH_get_default_method())
# endif
        || !ENGINE_set_RAND(e, RAND_OpenSSL())
# ifdef TEST_ENG_OPENSSL_RC4
        || !ENGINE_set_ciphers(e, openssl_ciphers)
# endif
# ifdef TEST_ENG_OPENSSL_SHA
        || !ENGINE_set_digests(e, openssl_digests)
# endif
#endif
#ifdef TEST_ENG_OPENSSL_PKEY
        || !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
#endif
#ifdef TEST_ENG_OPENSSL_HMAC
        || !ossl_register_hmac_meth()
        || !ENGINE_set_pkey_meths(e, ossl_pkey_meths)
#endif
        )
        return 0;
    /*
     * If we add errors to this ENGINE, ensure the error handling is setup
     * here
     */
    /* openssl_load_error_strings(); */
    return 1;
}
Beispiel #10
0
/* This internal function is used by ENGINE_tpm() and possibly by the
 * "dynamic" ENGINE support too */
static int bind_helper(ENGINE * e)
{
	if (!ENGINE_set_id(e, engine_tpm_id) ||
	    !ENGINE_set_name(e, engine_tpm_name) ||
#ifndef OPENSSL_NO_RSA
	    !ENGINE_set_RSA(e, &tpm_rsa) ||
#endif
	    !ENGINE_set_RAND(e, &tpm_rand) ||
	    !ENGINE_set_destroy_function(e, tpm_engine_destroy) ||
	    !ENGINE_set_init_function(e, tpm_engine_init) ||
	    !ENGINE_set_finish_function(e, tpm_engine_finish) ||
	    !ENGINE_set_ctrl_function(e, tpm_engine_ctrl) ||
	    !ENGINE_set_load_pubkey_function(e, tpm_engine_load_key) ||
	    !ENGINE_set_load_privkey_function(e, tpm_engine_load_key) ||
	    !ENGINE_set_cmd_defns(e, tpm_cmd_defns))
		return 0;

	/* Ensure the tpm error handling is set up */
	ERR_load_TPM_strings();
	return 1;
}
/* This internal function is used by ENGINE_openssl() and possibly by the
 * "dynamic" ENGINE support too */
static int bind_helper(ENGINE *e)
	{
	if(!ENGINE_set_id(e, engine_openssl_id)
			|| !ENGINE_set_name(e, engine_openssl_name)
#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
#ifndef OPENSSL_NO_RSA
			|| !ENGINE_set_RSA(e, RSA_get_default_method())
#endif
#ifndef OPENSSL_NO_DSA
			|| !ENGINE_set_DSA(e, DSA_get_default_method())
#endif
#ifndef OPENSSL_NO_ECDH
			|| !ENGINE_set_ECDH(e, ECDH_OpenSSL())
#endif
#ifndef OPENSSL_NO_ECDSA
			|| !ENGINE_set_ECDSA(e, ECDSA_OpenSSL())
#endif
#ifndef OPENSSL_NO_DH
			|| !ENGINE_set_DH(e, DH_get_default_method())
#endif
			|| !ENGINE_set_RAND(e, RAND_SSLeay())
#ifdef TEST_ENG_OPENSSL_RC4
			|| !ENGINE_set_ciphers(e, openssl_ciphers)
#endif
#ifdef TEST_ENG_OPENSSL_SHA
			|| !ENGINE_set_digests(e, openssl_digests)
#endif
#endif
//MS:
#ifndef OPENSSL_NO_STDIO
#ifdef TEST_ENG_OPENSSL_PKEY
			|| !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
#endif
#endif
			)
		return 0;
	/* If we add errors to this ENGINE, ensure the error handling is setup here */
	/* openssl_load_error_strings(); */
	return 1;
	}
Beispiel #12
0
/* ---------------------*/
static int bind_helper(ENGINE *e)
{
    if (!ENGINE_set_id(e, engine_4758_cca_id) ||
        !ENGINE_set_name(e, engine_4758_cca_name) ||
#  ifndef OPENSSL_NO_RSA
        !ENGINE_set_RSA(e, &ibm_4758_cca_rsa) ||
#  endif
        !ENGINE_set_RAND(e, &ibm_4758_cca_rand) ||
        !ENGINE_set_destroy_function(e, ibm_4758_cca_destroy) ||
        !ENGINE_set_init_function(e, ibm_4758_cca_init) ||
        !ENGINE_set_finish_function(e, ibm_4758_cca_finish) ||
        !ENGINE_set_ctrl_function(e, ibm_4758_cca_ctrl) ||
#  ifndef OPENSSL_NO_RSA
        !ENGINE_set_load_privkey_function(e, ibm_4758_load_privkey) ||
        !ENGINE_set_load_pubkey_function(e, ibm_4758_load_pubkey) ||
#  endif
        !ENGINE_set_cmd_defns(e, cca4758_cmd_defns))
        return 0;
    /* Ensure the error handling is set up */
    ERR_load_CCA4758_strings();
    return 1;
}
/* Returns 1 if successfully added, 2 if engine has previously been added,
   and 0 for error. */
int Cryptography_add_osrandom_engine(void) {
    ENGINE *e;

    ERR_load_Cryptography_OSRandom_strings();

    e = ENGINE_by_id(Cryptography_osrandom_engine_id);
    if (e != NULL) {
        ENGINE_free(e);
        return 2;
    } else {
        ERR_clear_error();
    }

    e = ENGINE_new();
    if (e == NULL) {
        return 0;
    }
    if (!ENGINE_set_id(e, Cryptography_osrandom_engine_id) ||
            !ENGINE_set_name(e, Cryptography_osrandom_engine_name) ||
            !ENGINE_set_RAND(e, &osrandom_rand) ||
            !ENGINE_set_init_function(e, osrandom_init) ||
            !ENGINE_set_finish_function(e, osrandom_finish) ||
            !ENGINE_set_cmd_defns(e, osrandom_cmd_defns) ||
            !ENGINE_set_ctrl_function(e, osrandom_ctrl)) {
        ENGINE_free(e);
        return 0;
    }
    if (!ENGINE_add(e)) {
        ENGINE_free(e);
        return 0;
    }
    if (!ENGINE_free(e)) {
        return 0;
    }

    return 1;
}
Beispiel #14
0
/*
 * This internal function is used by ENGINE_aep() and possibly by the
 * "dynamic" ENGINE support too
 */
static int bind_aep(ENGINE *e)
{
#  ifndef OPENSSL_NO_RSA
    const RSA_METHOD *meth1;
#  endif
#  ifndef OPENSSL_NO_DSA
    const DSA_METHOD *meth2;
#  endif
#  ifndef OPENSSL_NO_DH
    const DH_METHOD *meth3;
#  endif

    if (!ENGINE_set_id(e, engine_aep_id) ||
        !ENGINE_set_name(e, engine_aep_name) ||
#  ifndef OPENSSL_NO_RSA
        !ENGINE_set_RSA(e, &aep_rsa) ||
#  endif
#  ifndef OPENSSL_NO_DSA
        !ENGINE_set_DSA(e, &aep_dsa) ||
#  endif
#  ifndef OPENSSL_NO_DH
        !ENGINE_set_DH(e, &aep_dh) ||
#  endif
#  ifdef AEPRAND
        !ENGINE_set_RAND(e, &aep_random) ||
#  endif
        !ENGINE_set_init_function(e, aep_init) ||
        !ENGINE_set_destroy_function(e, aep_destroy) ||
        !ENGINE_set_finish_function(e, aep_finish) ||
        !ENGINE_set_ctrl_function(e, aep_ctrl) ||
        !ENGINE_set_cmd_defns(e, aep_cmd_defns))
        return 0;

#  ifndef OPENSSL_NO_RSA
    /*
     * We know that the "PKCS1_SSLeay()" functions hook properly to the
     * aep-specific mod_exp and mod_exp_crt so we use those functions. NB: We
     * don't use ENGINE_openssl() or anything "more generic" because
     * something like the RSAref code may not hook properly, and if you own
     * one of these cards then you have the right to do RSA operations on it
     * anyway!
     */
    meth1 = RSA_PKCS1_SSLeay();
    aep_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
    aep_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
    aep_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
    aep_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
#  endif

#  ifndef OPENSSL_NO_DSA
    /*
     * Use the DSA_OpenSSL() method and just hook the mod_exp-ish bits.
     */
    meth2 = DSA_OpenSSL();
    aep_dsa.dsa_do_sign = meth2->dsa_do_sign;
    aep_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
    aep_dsa.dsa_do_verify = meth2->dsa_do_verify;

    aep_dsa = *DSA_get_default_method();
    aep_dsa.dsa_mod_exp = aep_dsa_mod_exp;
    aep_dsa.bn_mod_exp = aep_mod_exp_dsa;
#  endif

#  ifndef OPENSSL_NO_DH
    /* Much the same for Diffie-Hellman */
    meth3 = DH_OpenSSL();
    aep_dh.generate_key = meth3->generate_key;
    aep_dh.compute_key = meth3->compute_key;
    aep_dh.bn_mod_exp = meth3->bn_mod_exp;
#  endif

    /* Ensure the aep error handling is set up */
    ERR_load_AEPHK_strings();

    return 1;
}
Beispiel #15
0
/* As this is only ever called once, there's no need for locking
 * (indeed - the lock will already be held by our caller!!!) */
static int bind_sureware(ENGINE *e)
{
#ifndef OPENSSL_NO_RSA
    const RSA_METHOD *meth1;
#endif
#ifndef OPENSSL_NO_DSA
    const DSA_METHOD *meth2;
#endif
#ifndef OPENSSL_NO_DH
    const DH_METHOD *meth3;
#endif

    if(!ENGINE_set_id(e, engine_sureware_id) ||
            !ENGINE_set_name(e, engine_sureware_name) ||
#ifndef OPENSSL_NO_RSA
            !ENGINE_set_RSA(e, &surewarehk_rsa) ||
#endif
#ifndef OPENSSL_NO_DSA
            !ENGINE_set_DSA(e, &surewarehk_dsa) ||
#endif
#ifndef OPENSSL_NO_DH
            !ENGINE_set_DH(e, &surewarehk_dh) ||
#endif
            !ENGINE_set_RAND(e, &surewarehk_rand) ||
            !ENGINE_set_destroy_function(e, surewarehk_destroy) ||
            !ENGINE_set_init_function(e, surewarehk_init) ||
            !ENGINE_set_finish_function(e, surewarehk_finish) ||
            !ENGINE_set_ctrl_function(e, (ENGINE_CTRL_FUNC_PTR)surewarehk_ctrl) ||
            !ENGINE_set_load_privkey_function(e, surewarehk_load_privkey) ||
            !ENGINE_set_load_pubkey_function(e, surewarehk_load_pubkey))
        return 0;

#ifndef OPENSSL_NO_RSA
    /* We know that the "PKCS1_SSLeay()" functions hook properly
     * to the cswift-specific mod_exp and mod_exp_crt so we use
     * those functions. NB: We don't use ENGINE_openssl() or
     * anything "more generic" because something like the RSAref
     * code may not hook properly, and if you own one of these
     * cards then you have the right to do RSA operations on it
     * anyway! */
    meth1 = RSA_PKCS1_SSLeay();
    if (meth1)
    {
        surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
        surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
    }
#endif

#ifndef OPENSSL_NO_DSA
    /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
     * bits. */
    meth2 = DSA_OpenSSL();
    if (meth2)
    {
        surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify;
    }
#endif

#ifndef OPENSSL_NO_DH
    /* Much the same for Diffie-Hellman */
    meth3 = DH_OpenSSL();
    if (meth3)
    {
        surewarehk_dh.generate_key = meth3->generate_key;
        surewarehk_dh.compute_key = meth3->compute_key;
    }
#endif

    /* Ensure the sureware error handling is set up */
    ERR_load_SUREWARE_strings();
    return 1;
}
Beispiel #16
0
isc_result_t
dst__openssl_init() {
	isc_result_t result;
#ifdef USE_ENGINE
	/* const char  *name; */
	ENGINE *re;
#endif

#ifdef  DNS_CRYPTO_LEAKS
	CRYPTO_malloc_debug_init();
	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif
	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
	nlocks = CRYPTO_num_locks();
	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
	if (locks == NULL)
		return (ISC_R_NOMEMORY);
	result = isc_mutexblock_init(locks, nlocks);
	if (result != ISC_R_SUCCESS)
		goto cleanup_mutexalloc;
	CRYPTO_set_locking_callback(lock_callback);
	CRYPTO_set_id_callback(id_callback);

	rm = mem_alloc(sizeof(RAND_METHOD));
	if (rm == NULL) {
		result = ISC_R_NOMEMORY;
		goto cleanup_mutexinit;
	}
	rm->seed = NULL;
	rm->bytes = entropy_get;
	rm->cleanup = NULL;
	rm->add = entropy_add;
	rm->pseudorand = entropy_getpseudo;
	rm->status = entropy_status;
#ifdef USE_ENGINE
	OPENSSL_config(NULL);
#ifdef USE_PKCS11
#ifndef PKCS11_SO_PATH
#define PKCS11_SO_PATH		"/usr/local/lib/engines/engine_pkcs11.so"
#endif
#ifndef PKCS11_MODULE_PATH
#define PKCS11_MODULE_PATH	"/usr/lib/libpkcs11.so"
#endif
	{
		/*
		 * to use this to config the PIN, add in openssl.cnf:
		 *  - at the beginning: "openssl_conf = openssl_def"
		 *  - at any place these sections:
		 * [ openssl_def ]
		 * engines = engine_section
		 * [ engine_section ]
		 * pkcs11 = pkcs11_section
		 * [ pkcs11_section ]
		 * PIN = my___pin
		 */

		const char *pre_cmds[] = {
			"SO_PATH", PKCS11_SO_PATH,
			"LOAD", NULL,
			"MODULE_PATH", PKCS11_MODULE_PATH
		};
		const char *post_cmds[] = {
			/* "PIN", "my___pin" */
		};
		result = dst__openssl_load_engine("pkcs11", "pkcs11",
						  pre_cmds, 0,
						  post_cmds, /*1*/ 0);
		if (result != ISC_R_SUCCESS)
			goto cleanup_rm;
	}
#endif /* USE_PKCS11 */
	if (engine_id != NULL) {
		e = ENGINE_by_id(engine_id);
		if (e == NULL) {
			result = ISC_R_NOTFOUND;
			goto cleanup_rm;
		}
		if (!ENGINE_init(e)) {
			result = ISC_R_FAILURE;
			ENGINE_free(e);
			goto cleanup_rm;
		}
		ENGINE_set_default(e, ENGINE_METHOD_ALL);
		ENGINE_free(e);
	} else {
		ENGINE_register_all_complete();
		for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {

			/*
			 * Something weird here. If we call ENGINE_finish()
			 * ENGINE_get_default_RAND() will fail.
			 */
			if (ENGINE_init(e)) {
				if (he == NULL)
					he = e;
			}
		}
	}
	re = ENGINE_get_default_RAND();
	if (re == NULL) {
		re = ENGINE_new();
		if (re == NULL) {
			result = ISC_R_NOMEMORY;
			goto cleanup_rm;
		}
		ENGINE_set_RAND(re, rm);
		ENGINE_set_default_RAND(re);
		ENGINE_free(re);
	} else
		ENGINE_finish(re);

#else
	RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
	return (ISC_R_SUCCESS);

#ifdef USE_ENGINE
 cleanup_rm:
	mem_free(rm);
#endif
 cleanup_mutexinit:
	CRYPTO_set_locking_callback(NULL);
	DESTROYMUTEXBLOCK(locks, nlocks);
 cleanup_mutexalloc:
	mem_free(locks);
	return (result);
}
Beispiel #17
0
/*
 * This internal function is used by ENGINE_chil() and possibly by the
 * "dynamic" ENGINE support too
 */
static int bind_helper(ENGINE *e)
{
#  ifndef OPENSSL_NO_RSA
    const RSA_METHOD *meth1;
#  endif
#  ifndef OPENSSL_NO_DH
    const DH_METHOD *meth2;
#  endif

    chil_lock = CRYPTO_THREAD_lock_new();
    if (chil_lock == NULL) {
        HWCRHKerr(HWCRHK_F_BIND_HELPER, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    if (!ENGINE_set_id(e, engine_hwcrhk_id) ||
        !ENGINE_set_name(e, engine_hwcrhk_name) ||
#  ifndef OPENSSL_NO_RSA
        !ENGINE_set_RSA(e, &hwcrhk_rsa) ||
#  endif
#  ifndef OPENSSL_NO_DH
        !ENGINE_set_DH(e, &hwcrhk_dh) ||
#  endif
        !ENGINE_set_RAND(e, &hwcrhk_rand) ||
        !ENGINE_set_destroy_function(e, hwcrhk_destroy) ||
        !ENGINE_set_init_function(e, hwcrhk_init) ||
        !ENGINE_set_finish_function(e, hwcrhk_finish) ||
        !ENGINE_set_ctrl_function(e, hwcrhk_ctrl) ||
        !ENGINE_set_load_privkey_function(e, hwcrhk_load_privkey) ||
        !ENGINE_set_load_pubkey_function(e, hwcrhk_load_pubkey) ||
        !ENGINE_set_cmd_defns(e, hwcrhk_cmd_defns))
        return 0;

#  ifndef OPENSSL_NO_RSA
    /*
     * We know that the "PKCS1_OpenSSL()" functions hook properly to the
     * cswift-specific mod_exp and mod_exp_crt so we use those functions. NB:
     * We don't use ENGINE_openssl() or anything "more generic" because
     * something like the RSAref code may not hook properly, and if you own
     * one of these cards then you have the right to do RSA operations on it
     * anyway!
     */
    meth1 = RSA_PKCS1_OpenSSL();
    hwcrhk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
    hwcrhk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
    hwcrhk_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
    hwcrhk_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
#  endif

#  ifndef OPENSSL_NO_DH
    /* Much the same for Diffie-Hellman */
    meth2 = DH_OpenSSL();
    hwcrhk_dh.generate_key = meth2->generate_key;
    hwcrhk_dh.compute_key = meth2->compute_key;
#  endif

    /* Ensure the hwcrhk error handling is set up */
    ERR_load_HWCRHK_strings();

    return 1;
}
Beispiel #18
0
static int bind_helper(ENGINE *e)

	{

#ifndef OPENSSL_NO_RSA

	const RSA_METHOD *meth1;

#endif

#ifndef OPENSSL_NO_DSA

	const DSA_METHOD *meth2;

#endif

#ifndef OPENSSL_NO_DH

	const DH_METHOD *meth3;

#endif

	if(!ENGINE_set_id(e, engine_ibmca_id) ||

		!ENGINE_set_name(e, engine_ibmca_name) ||

#ifndef OPENSSL_NO_RSA

		!ENGINE_set_RSA(e, &ibmca_rsa) ||

#endif

#ifndef OPENSSL_NO_DSA

		!ENGINE_set_DSA(e, &ibmca_dsa) ||

#endif

#ifndef OPENSSL_NO_DH

		!ENGINE_set_DH(e, &ibmca_dh) ||

#endif

		!ENGINE_set_RAND(e, &ibmca_rand) ||

		!ENGINE_set_destroy_function(e, ibmca_destroy) ||

		!ENGINE_set_init_function(e, ibmca_init) ||

		!ENGINE_set_finish_function(e, ibmca_finish) ||

		!ENGINE_set_ctrl_function(e, ibmca_ctrl) ||

		!ENGINE_set_cmd_defns(e, ibmca_cmd_defns))

		return 0;



#ifndef OPENSSL_NO_RSA

	/* We know that the "PKCS1_SSLeay()" functions hook properly

	 * to the ibmca-specific mod_exp and mod_exp_crt so we use

	 * those functions. NB: We don't use ENGINE_openssl() or

	 * anything "more generic" because something like the RSAref

	 * code may not hook properly, and if you own one of these

	 * cards then you have the right to do RSA operations on it

	 * anyway! */ 

	meth1 = RSA_PKCS1_SSLeay();

	ibmca_rsa.rsa_pub_enc = meth1->rsa_pub_enc;

	ibmca_rsa.rsa_pub_dec = meth1->rsa_pub_dec;

	ibmca_rsa.rsa_priv_enc = meth1->rsa_priv_enc;

	ibmca_rsa.rsa_priv_dec = meth1->rsa_priv_dec;

#endif



#ifndef OPENSSL_NO_DSA

	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish

	 * bits. */

	meth2 = DSA_OpenSSL();

	ibmca_dsa.dsa_do_sign = meth2->dsa_do_sign;

	ibmca_dsa.dsa_sign_setup = meth2->dsa_sign_setup;

	ibmca_dsa.dsa_do_verify = meth2->dsa_do_verify;

#endif



#ifndef OPENSSL_NO_DH

	/* Much the same for Diffie-Hellman */

	meth3 = DH_OpenSSL();

	ibmca_dh.generate_key = meth3->generate_key;

	ibmca_dh.compute_key = meth3->compute_key;

#endif



	/* Ensure the ibmca error handling is set up */

	ERR_load_IBMCA_strings(); 

	return 1;

	}
Beispiel #19
0
isc_result_t
dst__openssl_init(const char *engine) {
	isc_result_t result;
#ifdef USE_ENGINE
	ENGINE *re;
#else

	UNUSED(engine);
#endif

#ifdef  DNS_CRYPTO_LEAKS
	CRYPTO_malloc_debug_init();
	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif
	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
	nlocks = CRYPTO_num_locks();
	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
	if (locks == NULL)
		return (ISC_R_NOMEMORY);
	result = isc_mutexblock_init(locks, nlocks);
	if (result != ISC_R_SUCCESS)
		goto cleanup_mutexalloc;
	CRYPTO_set_locking_callback(lock_callback);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
	CRYPTO_set_id_callback(id_callback);
#endif

	ERR_load_crypto_strings();

	rm = mem_alloc(sizeof(RAND_METHOD));
	if (rm == NULL) {
		result = ISC_R_NOMEMORY;
		goto cleanup_mutexinit;
	}
	rm->seed = NULL;
	rm->bytes = entropy_get;
	rm->cleanup = NULL;
	rm->add = entropy_add;
	rm->pseudorand = entropy_getpseudo;
	rm->status = entropy_status;

#ifdef USE_ENGINE
	OPENSSL_config(NULL);

	if (engine != NULL && *engine == '\0')
		engine = NULL;

	if (engine != NULL) {
		e = ENGINE_by_id(engine);
		if (e == NULL) {
			result = DST_R_NOENGINE;
			goto cleanup_rm;
		}
		/* This will init the engine. */
		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
			result = DST_R_NOENGINE;
			goto cleanup_rm;
		}
	}

	re = ENGINE_get_default_RAND();
	if (re == NULL) {
		re = ENGINE_new();
		if (re == NULL) {
			result = ISC_R_NOMEMORY;
			goto cleanup_rm;
		}
		ENGINE_set_RAND(re, rm);
		ENGINE_set_default_RAND(re);
		ENGINE_free(re);
	} else
		ENGINE_finish(re);
#else
	RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
	return (ISC_R_SUCCESS);

#ifdef USE_ENGINE
 cleanup_rm:
	if (e != NULL)
		ENGINE_free(e);
	e = NULL;
	mem_free(rm);
	rm = NULL;
#endif
 cleanup_mutexinit:
	CRYPTO_set_locking_callback(NULL);
	DESTROYMUTEXBLOCK(locks, nlocks);
 cleanup_mutexalloc:
	mem_free(locks);
	locks = NULL;
	return (result);
}
Beispiel #20
0
int64_t s2n_public_random(int64_t max)
{
    uint64_t r;

    gt_check(max, 0);

    while(1) {
        struct s2n_blob blob = { .data = (void *) &r, sizeof(r) };
        GUARD(s2n_get_public_random_data(&blob));

        /* Imagine an int was one byte and UINT_MAX was 256. If the
         * caller asked for s2n_random(129, ...) we'd end up in
         * trouble. Each number in the range 0...127 would be twice
         * as likely as 128. That's because r == 0 % 129 -> 0, and
         * r == 129 % 129 -> 0, but only r == 128 returns 128,
         * r == 257 is out of range.
         *
         * To de-bias the dice, we discard values of r that are higher
         * that the highest multiple of 'max' an int can support. If
         * max is a uint, then in the worst case we discard 50% - 1 r's.
         * But since 'max' is an int and INT_MAX is <= UINT_MAX / 2,
         * in the worst case we discard 25% - 1 r's.
         */
        if (r < (UINT64_MAX - (UINT64_MAX % max))) {
            return r % max;
        }
    }

    return -1;
}

#ifndef OPENSSL_IS_BORINGSSL

int s2n_openssl_compat_rand(unsigned char *buf, int num)
{
    struct s2n_blob out = {.data = buf, .size = num};

    if(s2n_get_private_random_data(&out) < 0) {
        return 0;
    }
    return 1;
}

int s2n_openssl_compat_status(void)
{
    return 1;
}

int s2n_openssl_compat_init(ENGINE *unused)
{
    return 1;
}

RAND_METHOD s2n_openssl_rand_method = {
    .seed = NULL,
    .bytes = s2n_openssl_compat_rand,
    .cleanup = NULL,
    .add = NULL,
    .pseudorand = s2n_openssl_compat_rand,
    .status = s2n_openssl_compat_status
};
#endif

int s2n_init(void)
{
    GUARD(s2n_mem_init());

    OPEN:
    entropy_fd = open(ENTROPY_SOURCE, O_RDONLY);
    if (entropy_fd == -1) {
        if (errno == EINTR) {
            goto OPEN;
        }
        S2N_ERROR(S2N_ERR_OPEN_RANDOM);
    }

#if defined(MAP_INHERIT_ZERO)
    if ((zero_if_forked_ptr = mmap(NULL, sizeof(int), PROT_READ|PROT_WRITE,
                                   MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
        S2N_ERROR(S2N_ERR_OPEN_RANDOM);
    }

    if (minherit(zero_if_forked_ptr, sizeof(int), MAP_INHERIT_ZERO) == -1) {
        S2N_ERROR(S2N_ERR_OPEN_RANDOM);
    }
#else

    if (pthread_atfork(NULL, NULL, s2n_on_fork) != 0) {
        S2N_ERROR(S2N_ERR_OPEN_RANDOM);
    }
#endif

    GUARD(s2n_check_fork());

#ifndef OPENSSL_IS_BORINGSSL
    /* Create an engine */
    ENGINE *e = ENGINE_new();
    if (e == NULL ||
        ENGINE_set_id(e, "s2n") != 1 ||
        ENGINE_set_name(e, "s2n entropy generator") != 1 ||
        ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) != 1 ||
        ENGINE_set_init_function(e, s2n_openssl_compat_init) != 1 ||
        ENGINE_set_RAND(e, &s2n_openssl_rand_method) != 1 ||
        ENGINE_add(e) != 1 ||
        ENGINE_free(e) != 1) {
        S2N_ERROR(S2N_ERR_OPEN_RANDOM);
    }

    /* Use that engine for rand() */
    e = ENGINE_by_id("s2n");
    if (e == NULL ||
        ENGINE_init(e) != 1 ||
        ENGINE_set_default(e, ENGINE_METHOD_RAND) != 1) {
        S2N_ERROR(S2N_ERR_OPEN_RANDOM);
    }

#endif

    return 0;
}
/* This internal function is used by ENGINE_zencod () and possibly by the
 * "dynamic" ENGINE support too   ;-)
 */
static int bind_helper ( ENGINE *e )
{

#ifndef OPENSSL_NO_RSA
	const RSA_METHOD *meth_rsa ;
#endif
#ifndef OPENSSL_NO_DSA
	const DSA_METHOD *meth_dsa ;
#endif
#ifndef OPENSSL_NO_DH
	const DH_METHOD *meth_dh ;
#endif

	const RAND_METHOD *meth_rand ;


	if ( !ENGINE_set_id ( e, engine_zencod_id ) ||
			!ENGINE_set_name ( e, engine_zencod_name ) ||
#ifndef OPENSSL_NO_RSA
			!ENGINE_set_RSA ( e, &zencod_rsa ) ||
#endif
#ifndef OPENSSL_NO_DSA
			!ENGINE_set_DSA ( e, &zencod_dsa ) ||
#endif
#ifndef OPENSSL_NO_DH
			!ENGINE_set_DH ( e, &zencod_dh ) ||
#endif
			!ENGINE_set_RAND ( e, &zencod_rand ) ||

			!ENGINE_set_destroy_function ( e, zencod_destroy ) ||
			!ENGINE_set_init_function ( e, zencod_init ) ||
			!ENGINE_set_finish_function ( e, zencod_finish ) ||
			!ENGINE_set_ctrl_function ( e, zencod_ctrl ) ||
			!ENGINE_set_cmd_defns ( e, zencod_cmd_defns ) ||
			!ENGINE_set_digests ( e, engine_digests ) ||
			!ENGINE_set_ciphers ( e, engine_ciphers ) ) {
		return 0 ;
	}

#ifndef OPENSSL_NO_RSA
	/* We know that the "PKCS1_SSLeay()" functions hook properly
	 * to the Zencod-specific mod_exp and mod_exp_crt so we use
	 * those functions. NB: We don't use ENGINE_openssl() or
	 * anything "more generic" because something like the RSAref
	 * code may not hook properly, and if you own one of these
	 * cards then you have the right to do RSA operations on it
	 * anyway!
	 */
	meth_rsa = RSA_PKCS1_SSLeay () ;

	zencod_rsa.rsa_pub_enc = meth_rsa->rsa_pub_enc ;
	zencod_rsa.rsa_pub_dec = meth_rsa->rsa_pub_dec ;
	zencod_rsa.rsa_priv_enc = meth_rsa->rsa_priv_enc ;
	zencod_rsa.rsa_priv_dec = meth_rsa->rsa_priv_dec ;
	/* meth_rsa->rsa_mod_exp */
	/* meth_rsa->bn_mod_exp */
	zencod_rsa.init = meth_rsa->init ;
	zencod_rsa.finish = meth_rsa->finish ;
#endif

#ifndef OPENSSL_NO_DSA
	/* We use OpenSSL meth to supply what we don't provide ;-*)
	 */
	meth_dsa = DSA_OpenSSL () ;

	/* meth_dsa->dsa_do_sign */
	zencod_dsa.dsa_sign_setup = meth_dsa->dsa_sign_setup ;
	/* meth_dsa->dsa_do_verify */
	zencod_dsa.dsa_mod_exp = meth_dsa->dsa_mod_exp ;
	/* zencod_dsa.bn_mod_exp = meth_dsa->bn_mod_exp ; */
	zencod_dsa.init = meth_dsa->init ;
	zencod_dsa.finish = meth_dsa->finish ;
#endif

#ifndef OPENSSL_NO_DH
	/* We use OpenSSL meth to supply what we don't provide ;-*)
	 */
	meth_dh = DH_OpenSSL () ;

	/* zencod_dh.generate_key = meth_dh->generate_key ; */
	/* zencod_dh.compute_key = meth_dh->compute_key ; */
	/* zencod_dh.bn_mod_exp = meth_dh->bn_mod_exp ; */
	zencod_dh.init = meth_dh->init ;
	zencod_dh.finish = meth_dh->finish ;

#endif

	/* We use OpenSSL (SSLeay) meth to supply what we don't provide ;-*)
	 */
	meth_rand = RAND_SSLeay () ;

	/* meth_rand->seed ; */
	/* zencod_rand.seed = meth_rand->seed ; */
	/* meth_rand->bytes ; */
	/* zencod_rand.bytes = meth_rand->bytes ; */
	zencod_rand.cleanup = meth_rand->cleanup ;
	zencod_rand.add = meth_rand->add ;
	/* meth_rand->pseudorand ; */
	/* zencod_rand.pseudorand = meth_rand->pseudorand ; */
	/* zencod_rand.status = meth_rand->status ; */
	/* meth_rand->status ; */

	/* Ensure the zencod error handling is set up */
	ERR_load_ZENCOD_strings () ;
	return 1 ;
}