static int rand_status(void)
{
CRYPTO_THREAD_ID cur;
int ret;
int do_not_lock;
if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
return 0;
cur = CRYPTO_THREAD_get_current_id();
/*
* check if we already have the lock (could happen if a RAND_poll()
* implementation calls RAND_status())
*/
if (crypto_lock_rand) {
CRYPTO_THREAD_read_lock(rand_tmp_lock);
do_not_lock = CRYPTO_THREAD_compare_id(locking_threadid, cur);
CRYPTO_THREAD_unlock(rand_tmp_lock);
} else
do_not_lock = 0;
if (!do_not_lock) {
CRYPTO_THREAD_write_lock(rand_lock);
/*
* Prevent deadlocks in case we end up in an async engine
*/
ASYNC_block_pause();
/*
* prevent rand_bytes() from trying to obtain the lock again
*/
CRYPTO_THREAD_write_lock(rand_tmp_lock);
locking_threadid = cur;
CRYPTO_THREAD_unlock(rand_tmp_lock);
crypto_lock_rand = 1;
}
if (!initialized) {
RAND_poll();
initialized = 1;
}
ret = entropy >= ENTROPY_NEEDED;
if (!do_not_lock) {
/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
ASYNC_unblock_pause();
CRYPTO_THREAD_unlock(rand_lock);
}
return ret;
}
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
int ret = 0;
RAND_DRBG *drbg = RAND_DRBG_get0_master();
if (drbg == NULL)
return 0;
if (num < 0 || randomness < 0.0)
return 0;
if (randomness > (double)drbg->max_entropylen) {
/*
* The purpose of this check is to bound |randomness| by a
* relatively small value in order to prevent an integer
* overflow when multiplying by 8 in the rand_drbg_restart()
* call below.
*/
return 0;
}
CRYPTO_THREAD_write_lock(drbg->lock);
ret = rand_drbg_restart(drbg, buf,
(size_t)(unsigned int)num,
(size_t)(8*randomness));
CRYPTO_THREAD_unlock(drbg->lock);
return ret;
}
/* Implements the default OpenSSL RAND_bytes() method */
static int drbg_bytes(unsigned char *out, int count)
{
int ret = 0;
size_t chunk;
RAND_DRBG *drbg = RAND_DRBG_get0_public();
if (drbg == NULL)
return 0;
CRYPTO_THREAD_write_lock(drbg->lock);
if (drbg->state == DRBG_UNINITIALISED)
goto err;
for ( ; count > 0; count -= chunk, out += chunk) {
chunk = count;
if (chunk > drbg->max_request)
chunk = drbg->max_request;
ret = RAND_DRBG_generate(drbg, out, chunk, 0, NULL, 0);
if (!ret)
goto err;
}
ret = 1;
err:
CRYPTO_THREAD_unlock(drbg->lock);
return ret;
}
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
{
X509_OBJECT *obj;
int ret = 1;
if (x == NULL)
return 0;
obj = X509_OBJECT_new();
if (obj == NULL)
return 0;
obj->type = X509_LU_CRL;
obj->data.crl = x;
CRYPTO_THREAD_write_lock(ctx->lock);
X509_OBJECT_up_ref_count(obj);
if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
X509_OBJECT_free(obj);
X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret = 0;
} else
sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_THREAD_unlock(ctx->lock);
return ret;
}
const RAND_METHOD *RAND_get_rand_method(void)
{
const RAND_METHOD *tmp_meth = NULL;
if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
return NULL;
CRYPTO_THREAD_write_lock(rand_meth_lock);
if (!default_RAND_meth) {
#ifndef OPENSSL_NO_ENGINE
ENGINE *e = ENGINE_get_default_RAND();
if (e) {
default_RAND_meth = ENGINE_get_RAND(e);
if (default_RAND_meth == NULL) {
ENGINE_finish(e);
e = NULL;
}
}
if (e)
funct_ref = e;
else
#endif
default_RAND_meth = RAND_OpenSSL();
}
tmp_meth = default_RAND_meth;
CRYPTO_THREAD_unlock(rand_meth_lock);
return tmp_meth;
}
/* No padding or other stuff needed. We can call PKCS11 from here */
static int pkcs11_ecdsa_sign(const unsigned char *msg, unsigned int msg_len,
unsigned char *sigret, unsigned int *siglen, PKCS11_KEY *key)
{
int rv;
PKCS11_SLOT *slot = KEY2SLOT(key);
PKCS11_CTX *ctx = KEY2CTX(key);
PKCS11_KEY_private *kpriv = PRIVKEY(key);
PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
CK_MECHANISM mechanism;
CK_ULONG ck_sigsize;
ck_sigsize = *siglen;
memset(&mechanism, 0, sizeof(mechanism));
mechanism.mechanism = CKM_ECDSA;
CRYPTO_THREAD_write_lock(PRIVSLOT(slot)->rwlock);
rv = CRYPTOKI_call(ctx,
C_SignInit(spriv->session, &mechanism, kpriv->object));
if (!rv)
rv = pkcs11_authenticate(key);
if (!rv)
rv = CRYPTOKI_call(ctx,
C_Sign(spriv->session, (CK_BYTE *)msg, msg_len, sigret, &ck_sigsize));
CRYPTO_THREAD_unlock(PRIVSLOT(slot)->rwlock);
if (rv) {
PKCS11err(PKCS11_F_PKCS11_EC_KEY_SIGN, pkcs11_map_err(rv));
return -1;
}
*siglen = ck_sigsize;
return ck_sigsize;
}
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
{
SSL_SESSION *r;
int ret = 0;
if ((c != NULL) && (c->session_id_length != 0)) {
if (lck)
CRYPTO_THREAD_write_lock(ctx->lock);
if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) {
ret = 1;
r = lh_SSL_SESSION_delete(ctx->sessions, c);
SSL_SESSION_list_remove(ctx, c);
}
c->not_resumable = 1;
if (lck)
CRYPTO_THREAD_unlock(ctx->lock);
if (ret)
SSL_SESSION_free(r);
if (ctx->remove_session_cb != NULL)
ctx->remove_session_cb(ctx, c);
} else
ret = 0;
return (ret);
}
/*
* Free a functional reference to a engine type. This version is only used
* internally.
*/
int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers)
{
int to_return = 1;
/*
* Reduce the functional reference count here so if it's the terminating
* case, we can release the lock safely and call the finish() handler
* without risk of a race. We get a race if we leave the count until
* after and something else is calling "finish" at the same time -
* there's a chance that both threads will together take the count from 2
* to 0 without either calling finish().
*/
e->funct_ref--;
engine_ref_debug(e, 1, -1);
if ((e->funct_ref == 0) && e->finish) {
if (unlock_for_handlers)
CRYPTO_THREAD_unlock(global_engine_lock);
to_return = e->finish(e);
if (unlock_for_handlers)
CRYPTO_THREAD_write_lock(global_engine_lock);
if (!to_return)
return 0;
}
REF_ASSERT_ISNT(e->funct_ref < 0);
/* Release the structural reference too */
if (!engine_free_util(e, 0)) {
ENGINEerr(ENGINE_F_ENGINE_UNLOCKED_FINISH, ENGINE_R_FINISH_FAILED);
return 0;
}
return to_return;
}
/*
* Return the EX_CALLBACKS from the |ex_data| array that corresponds to
* a given class. On success, *holds the lock.*
*/
static EX_CALLBACKS *get_and_lock(OPENSSL_CTX *ctx, int class_index)
{
EX_CALLBACKS *ip;
OSSL_EX_DATA_GLOBAL *global = NULL;
if (class_index < 0 || class_index >= CRYPTO_EX_INDEX__COUNT) {
CRYPTOerr(CRYPTO_F_GET_AND_LOCK, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
}
global = openssl_ctx_get_ex_data_global(ctx);
if (global->ex_data_lock == NULL) {
/*
* This can happen in normal operation when using CRYPTO_mem_leaks().
* The CRYPTO_mem_leaks() function calls OPENSSL_cleanup() which cleans
* up the locks. Subsequently the BIO that CRYPTO_mem_leaks() uses gets
* freed, which also attempts to free the ex_data. However
* CRYPTO_mem_leaks() ensures that the ex_data is freed early (i.e.
* before OPENSSL_cleanup() is called), so if we get here we can safely
* ignore this operation. We just treat it as an error.
*/
return NULL;
}
ip = &global->ex_data[class_index];
CRYPTO_THREAD_write_lock(global->ex_data_lock);
return ip;
}
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
{
X509_OBJECT *obj;
int ret = 1;
if (x == NULL)
return 0;
obj = OPENSSL_malloc(sizeof(*obj));
if (obj == NULL) {
X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE);
return 0;
}
obj->type = X509_LU_CRL;
obj->data.crl = x;
CRYPTO_THREAD_write_lock(ctx->lock);
X509_OBJECT_up_ref_count(obj);
if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
X509_OBJECT_free_contents(obj);
OPENSSL_free(obj);
X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret = 0;
} else
sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_THREAD_unlock(ctx->lock);
return ret;
}
/*
* This function retrieves the context structure from an ENGINE's "ex_data",
* or if it doesn't exist yet, sets it up.
*/
static dynamic_data_ctx *dynamic_get_data_ctx(ENGINE *e)
{
dynamic_data_ctx *ctx;
if (dynamic_ex_data_idx < 0) {
/*
* Create and register the ENGINE ex_data, and associate our "free"
* function with it to ensure any allocated contexts get freed when
* an ENGINE goes underground.
*/
int new_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL,
dynamic_data_ctx_free_func);
if (new_idx == -1) {
ENGINEerr(ENGINE_F_DYNAMIC_GET_DATA_CTX, ENGINE_R_NO_INDEX);
return NULL;
}
CRYPTO_THREAD_write_lock(global_engine_lock);
/* Avoid a race by checking again inside this lock */
if (dynamic_ex_data_idx < 0) {
/* Good, someone didn't beat us to it */
dynamic_ex_data_idx = new_idx;
new_idx = -1;
}
CRYPTO_THREAD_unlock(global_engine_lock);
/*
* In theory we could "give back" the index here if (new_idx>-1), but
* it's not possible and wouldn't gain us much if it were.
*/
}
ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx);
/* Check if the context needs to be created */
if ((ctx == NULL) && !dynamic_set_data_ctx(e, &ctx))
/* "set_data" will set errors if necessary */
return NULL;
return ctx;
}
const RAND_METHOD *RAND_get_rand_method(void)
{
const RAND_METHOD *tmp_meth = NULL;
if (!RUN_ONCE(&rand_init, do_rand_init))
return NULL;
CRYPTO_THREAD_write_lock(rand_meth_lock);
if (default_RAND_meth == NULL) {
#ifndef OPENSSL_NO_ENGINE
ENGINE *e;
/* If we have an engine that can do RAND, use it. */
if ((e = ENGINE_get_default_RAND()) != NULL
&& (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
funct_ref = e;
default_RAND_meth = tmp_meth;
} else {
ENGINE_finish(e);
default_RAND_meth = &rand_meth;
}
#else
default_RAND_meth = &rand_meth;
#endif
}
tmp_meth = default_RAND_meth;
CRYPTO_THREAD_unlock(rand_meth_lock);
return tmp_meth;
}
void CRYPTO_secure_clear_free(void *ptr, size_t num,
const char *file, int line)
{
#ifdef IMPLEMENTED
size_t actual_size;
if (ptr == NULL)
return;
if (!CRYPTO_secure_allocated(ptr)) {
OPENSSL_cleanse(ptr, num);
CRYPTO_free(ptr, file, line);
return;
}
CRYPTO_THREAD_write_lock(sec_malloc_lock);
actual_size = sh_actual_size(ptr);
CLEAR(ptr, actual_size);
secure_mem_used -= actual_size;
sh_free(ptr);
CRYPTO_THREAD_unlock(sec_malloc_lock);
#else
if (ptr == NULL)
return;
OPENSSL_cleanse(ptr, num);
CRYPTO_free(ptr, file, line);
#endif /* IMPLEMENTED */
}
static int def_crl_lookup(X509_CRL *crl,
X509_REVOKED **ret, ASN1_INTEGER *serial,
X509_NAME *issuer)
{
X509_REVOKED rtmp, *rev;
int idx;
rtmp.serialNumber = *serial;
/*
* Sort revoked into serial number order if not already sorted. Do this
* under a lock to avoid race condition.
*/
if (!sk_X509_REVOKED_is_sorted(crl->crl.revoked)) {
CRYPTO_THREAD_write_lock(crl->lock);
sk_X509_REVOKED_sort(crl->crl.revoked);
CRYPTO_THREAD_unlock(crl->lock);
}
idx = sk_X509_REVOKED_find(crl->crl.revoked, &rtmp);
if (idx < 0)
return 0;
/* Need to look for matching name */
for (; idx < sk_X509_REVOKED_num(crl->crl.revoked); idx++) {
rev = sk_X509_REVOKED_value(crl->crl.revoked, idx);
if (ASN1_INTEGER_cmp(&rev->serialNumber, serial))
return 0;
if (crl_revoked_issuer_match(crl, issuer, rev)) {
if (ret)
*ret = rev;
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
return 2;
return 1;
}
}
return 0;
}
void engine_table_unregister(ENGINE_TABLE **table, ENGINE *e)
{
CRYPTO_THREAD_write_lock(global_engine_lock);
if (int_table_check(table, 0))
lh_ENGINE_PILE_doall_ENGINE(&(*table)->piles, int_unregister_cb, e);
CRYPTO_THREAD_unlock(global_engine_lock);
}
/*
* Enumerate all certs on the card
*/
int pkcs11_enumerate_certs(PKCS11_TOKEN *token,
PKCS11_CERT **certp, unsigned int *countp)
{
PKCS11_SLOT *slot = TOKEN2SLOT(token);
PKCS11_CTX *ctx = SLOT2CTX(slot);
PKCS11_TOKEN_private *tpriv = PRIVTOKEN(token);
PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
int rv;
if (tpriv->ncerts < 0) {
/* Make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 0))
return -1;
CRYPTO_THREAD_write_lock(cpriv->rwlock);
rv = pkcs11_find_certs(token);
CRYPTO_THREAD_unlock(cpriv->rwlock);
if (rv < 0) {
pkcs11_destroy_certs(token);
return -1;
}
}
if (certp)
*certp = tpriv->certs;
if (countp)
*countp = tpriv->ncerts;
return 0;
}
/*
* Locks the given drbg. Locking a drbg which does not have locking
* enabled is considered a successful no-op.
*
* Returns 1 on success, 0 on failure.
*/
int rand_drbg_lock(RAND_DRBG *drbg)
{
if (drbg->lock != NULL)
return CRYPTO_THREAD_write_lock(drbg->lock);
return 1;
}
/*
* Return keys of a given type (public or private)
* Use the cached values if available
*/
int pkcs11_enumerate_keys(PKCS11_TOKEN *token, unsigned int type,
PKCS11_KEY ** keyp, unsigned int *countp)
{
PKCS11_SLOT *slot = TOKEN2SLOT(token);
PKCS11_CTX *ctx = TOKEN2CTX(token);
PKCS11_TOKEN_private *tpriv = PRIVTOKEN(token);
PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
PKCS11_keys *keys = (type == CKO_PRIVATE_KEY) ? &tpriv->prv : &tpriv->pub;
int rv;
if (keys->num < 0) { /* No cache was built for the specified type */
/* Make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 0))
return -1;
CRYPTO_THREAD_write_lock(cpriv->rwlock);
rv = pkcs11_find_keys(token, type);
CRYPTO_THREAD_unlock(cpriv->rwlock);
if (rv < 0) {
pkcs11_destroy_keys(token, type);
return -1;
}
}
if (keyp)
*keyp = keys->keys;
if (countp)
*countp = keys->num;
return 0;
}
static void build_SYS_str_reasons(void)
{
/* OPENSSL_malloc cannot be used here, use static storage instead */
static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
static int init = 1;
int i;
CRYPTO_THREAD_write_lock(err_string_lock);
if (!init) {
CRYPTO_THREAD_unlock(err_string_lock);
return;
}
for (i = 1; i <= NUM_SYS_STR_REASONS; i++) {
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = (unsigned long)i;
if (str->string == NULL) {
char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
if (openssl_strerror_r(i, *dest, sizeof(*dest)))
str->string = *dest;
}
if (str->string == NULL)
str->string = "unknown";
}
/*
* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL}, as
* required by ERR_load_strings.
*/
init = 0;
CRYPTO_THREAD_unlock(err_string_lock);
}
/* RSA private key decryption */
int pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
PKCS11_KEY *key, int padding)
{
PKCS11_SLOT *slot = KEY2SLOT(key);
PKCS11_CTX *ctx = KEY2CTX(key);
PKCS11_KEY_private *kpriv = PRIVKEY(key);
PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
CK_MECHANISM mechanism;
CK_ULONG size = flen;
CK_RV rv;
if (pkcs11_mechanism(&mechanism, padding) < 0)
return -1;
CRYPTO_THREAD_write_lock(PRIVSLOT(slot)->rwlock);
rv = CRYPTOKI_call(ctx,
C_DecryptInit(spriv->session, &mechanism, kpriv->object));
if (rv == CKR_USER_NOT_LOGGED_IN)
rv = pkcs11_authenticate(key);
if (!rv)
rv = CRYPTOKI_call(ctx,
C_Decrypt(spriv->session, (CK_BYTE *)from, size,
(CK_BYTE_PTR)to, &size));
CRYPTO_THREAD_unlock(PRIVSLOT(slot)->rwlock);
if (rv) {
PKCS11err(PKCS11_F_PKCS11_RSA_DECRYPT, pkcs11_map_err(rv));
return -1;
}
return size;
}
/*
* Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
*
* If the DRBG has a parent, then the required amount of entropy input
* is fetched using the parent's RAND_DRBG_generate().
*
* Otherwise, the entropy is polled from the system entropy sources
* using RAND_POOL_acquire_entropy().
*
* If a random pool has been added to the DRBG using RAND_add(), then
* its entropy will be used up first.
*/
size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
unsigned char **pout,
int entropy, size_t min_len, size_t max_len)
{
size_t ret = 0;
size_t entropy_available = 0;
RAND_POOL *pool = RAND_POOL_new(entropy, min_len, max_len);
if (pool == NULL)
return 0;
if (drbg->pool) {
RAND_POOL_add(pool,
RAND_POOL_buffer(drbg->pool),
RAND_POOL_length(drbg->pool),
RAND_POOL_entropy(drbg->pool));
RAND_POOL_free(drbg->pool);
drbg->pool = NULL;
}
if (drbg->parent) {
size_t bytes_needed = RAND_POOL_bytes_needed(pool, 8);
unsigned char *buffer = RAND_POOL_add_begin(pool, bytes_needed);
if (buffer != NULL) {
size_t bytes = 0;
/*
* Get random from parent, include our state as additional input.
* Our lock is already held, but we need to lock our parent before
* generating bits from it.
*/
if (drbg->parent->lock)
CRYPTO_THREAD_write_lock(drbg->parent->lock);
if (RAND_DRBG_generate(drbg->parent,
buffer, bytes_needed,
0,
(unsigned char *)drbg, sizeof(*drbg)) != 0)
bytes = bytes_needed;
if (drbg->parent->lock)
CRYPTO_THREAD_unlock(drbg->parent->lock);
entropy_available = RAND_POOL_add_end(pool, bytes, 8 * bytes);
}
} else {
/* Get entropy by polling system entropy sources. */
entropy_available = RAND_POOL_acquire_entropy(pool);
}
if (entropy_available > 0) {
ret = RAND_POOL_length(pool);
*pout = RAND_POOL_detach(pool);
}
RAND_POOL_free(pool);
return ret;
}
static void build_SYS_str_reasons(void)
{
/* OPENSSL_malloc cannot be used here, use static storage instead */
static char strerror_pool[SPACE_SYS_STR_REASONS];
char *cur = strerror_pool;
size_t cnt = 0;
static int init = 1;
int i;
int saveerrno = get_last_sys_error();
CRYPTO_THREAD_write_lock(err_string_lock);
if (!init) {
CRYPTO_THREAD_unlock(err_string_lock);
return;
}
for (i = 1; i <= NUM_SYS_STR_REASONS; i++) {
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
if (str->string == NULL) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
size_t l = strlen(cur);
str->string = cur;
cnt += l;
if (cnt > sizeof(strerror_pool))
cnt = sizeof(strerror_pool);
cur += l;
/*
* VMS has an unusual quirk of adding spaces at the end of
* some (most? all?) messages. Lets trim them off.
*/
while (ossl_isspace(cur[-1])) {
cur--;
cnt--;
}
*cur++ = '\0';
cnt++;
}
}
if (str->string == NULL)
str->string = "unknown";
}
/*
* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL}, as
* required by ERR_load_strings.
*/
init = 0;
CRYPTO_THREAD_unlock(err_string_lock);
/* openssl_strerror_r could change errno, but we want to preserve it */
set_sys_error(saveerrno);
err_load_strings(SYS_str_reasons);
}
/*
* Privately exposed (via eng_int.h) functions for adding and/or removing
* ENGINEs from the implementation table
*/
int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
ENGINE *e, const int *nids, int num_nids,
int setdefault)
{
int ret = 0, added = 0;
ENGINE_PILE tmplate, *fnd;
CRYPTO_THREAD_write_lock(global_engine_lock);
if (!(*table))
added = 1;
if (!int_table_check(table, 1))
goto end;
if (added)
/* The cleanup callback needs to be added */
engine_cleanup_add_first(cleanup);
while (num_nids--) {
tmplate.nid = *nids;
fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate);
if (!fnd) {
fnd = OPENSSL_malloc(sizeof(*fnd));
if (fnd == NULL)
goto end;
fnd->uptodate = 1;
fnd->nid = *nids;
fnd->sk = sk_ENGINE_new_null();
if (!fnd->sk) {
OPENSSL_free(fnd);
goto end;
}
fnd->funct = NULL;
(void)lh_ENGINE_PILE_insert(&(*table)->piles, fnd);
}
/* A registration shouldn't add duplicate entries */
(void)sk_ENGINE_delete_ptr(fnd->sk, e);
/*
* if 'setdefault', this ENGINE goes to the head of the list
*/
if (!sk_ENGINE_push(fnd->sk, e))
goto end;
/* "touch" this ENGINE_PILE */
fnd->uptodate = 0;
if (setdefault) {
if (!engine_unlocked_init(e)) {
ENGINEerr(ENGINE_F_ENGINE_TABLE_REGISTER,
ENGINE_R_INIT_FAILED);
goto end;
}
if (fnd->funct)
engine_unlocked_finish(fnd->funct, 0);
fnd->funct = e;
fnd->uptodate = 1;
}
nids++;
}
ret = 1;
end:
CRYPTO_THREAD_unlock(global_engine_lock);
return ret;
}
/*
* Hash in |str| error strings. Assumes the URN_ONCE was done.
*/
static int err_load_strings(const ERR_STRING_DATA *str)
{
CRYPTO_THREAD_write_lock(err_string_lock);
for (; str->error; str++)
(void)lh_ERR_STRING_DATA_insert(int_error_hash,
(ERR_STRING_DATA *)str);
CRYPTO_THREAD_unlock(err_string_lock);
return 1;
}
void err_free_strings_int(void)
{
CRYPTO_THREAD_run_once(&err_string_init, do_err_strings_init);
CRYPTO_THREAD_write_lock(err_string_lock);
lh_ERR_STRING_DATA_free(int_error_hash);
int_error_hash = NULL;
CRYPTO_THREAD_unlock(err_string_lock);
}
/*
* DRBG has two sets of callbacks; we only discuss the "entropy" one
* here. When the DRBG needs additional randomness bits (called entropy
* in the NIST document), it calls the get_entropy callback which fills in
* a pointer and returns the number of bytes. When the DRBG is finished with
* the buffer, it calls the cleanup_entropy callback, with the value of
* the buffer that the get_entropy callback filled in.
*
* Get entropy from the system, via RAND_poll if needed. The |entropy|
* is the bits of randomness required, and is expected to fit into a buffer
* of |min_len|..|max__len| size. We assume we're getting high-quality
* randomness from the system, and that |min_len| bytes will do.
*/
size_t drbg_entropy_from_system(RAND_DRBG *drbg,
unsigned char **pout,
int entropy, size_t min_len, size_t max_len)
{
int i;
if (min_len > (size_t)drbg->size) {
/* Should not happen. See comment near RANDOMNESS_NEEDED. */
min_len = drbg->size;
}
if (drbg->filled) {
/* Re-use what we have. */
*pout = drbg->randomness;
return drbg->size;
}
drbg->randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
: OPENSSL_malloc(drbg->size);
/* If we don't have enough, try to get more. */
CRYPTO_THREAD_write_lock(rand_bytes.lock);
for (i = RAND_POLL_RETRIES; rand_bytes.curr < min_len && --i >= 0; ) {
CRYPTO_THREAD_unlock(rand_bytes.lock);
RAND_poll();
CRYPTO_THREAD_write_lock(rand_bytes.lock);
}
/* Get desired amount, but no more than we have. */
if (min_len > rand_bytes.curr)
min_len = rand_bytes.curr;
if (min_len != 0) {
memcpy(drbg->randomness, rand_bytes.buff, min_len);
drbg->filled = 1;
/* Update amount left and shift it down. */
rand_bytes.curr -= min_len;
if (rand_bytes.curr != 0)
memmove(rand_bytes.buff, &rand_bytes.buff[min_len], rand_bytes.curr);
}
CRYPTO_THREAD_unlock(rand_bytes.lock);
*pout = drbg->randomness;
return min_len;
}
void err_free_strings_int(void)
{
if (!RUN_ONCE(&err_string_init, do_err_strings_init))
return;
CRYPTO_THREAD_write_lock(err_string_lock);
lh_ERR_STRING_DATA_free(int_error_hash);
int_error_hash = NULL;
CRYPTO_THREAD_unlock(err_string_lock);
}
void log_close(void) {
/* prevent changing the mode while logging */
CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LOG_MODE]);
log_mode=LOG_MODE_BUFFER;
if(outfile) {
file_close(outfile);
outfile=NULL;
}
CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_LOG_MODE]);
}
int X509_check_ca(X509 *x)
{
if (!(x->ex_flags & EXFLAG_SET)) {
CRYPTO_THREAD_write_lock(x->lock);
x509v3_cache_extensions(x);
CRYPTO_THREAD_unlock(x->lock);
}
return check_ca(x);
}
void engine_table_cleanup(ENGINE_TABLE **table)
{
CRYPTO_THREAD_write_lock(global_engine_lock);
if (*table) {
lh_ENGINE_PILE_doall(&(*table)->piles, int_cleanup_cb_doall);
lh_ENGINE_PILE_free(&(*table)->piles);
*table = NULL;
}
CRYPTO_THREAD_unlock(global_engine_lock);
}