void ssl_init_Engine(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
ENGINE *e;
if (mc->szCryptoDevice) {
if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to load Crypto Device API `%s'",
mc->szCryptoDevice);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
if (strEQ(mc->szCryptoDevice, "chil")) {
ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
}
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to enable Crypto Device API `%s'",
mc->szCryptoDevice);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: loaded Crypto Device API `%s'",
mc->szCryptoDevice);
ENGINE_free(e);
}
}
static int openssl_engine_set_default(lua_State*L){
ENGINE* eng = CHECK_OBJECT(1,ENGINE,"openssl.engine");
int ret = 0;
int first = 3;
int top = lua_gettop(L);
if(top==2){
if(lua_isnumber(L, 2))
{
int methods = luaL_checkint(L, 2);
ret = ENGINE_set_default(eng, methods);
}else if(lua_isstring(L,2)){
const char* s = luaL_checkstring(L, 2);
ret = ENGINE_set_default_string(eng, s);
}else
luaL_error(L, "#2 must be a number or string");
lua_pushboolean(L, ret);
return 1;
}
while(first<=top){
int c = luaL_checkoption(L, first, "RSA",list);
switch(c){
case 0:
ret = ENGINE_set_default_RSA(eng);
break;
case 1:
ret = ENGINE_set_default_DSA(eng);
break;
case 2:
ret = ENGINE_set_default_ECDH(eng);
break;
case 3:
ret = ENGINE_set_default_ECDSA(eng);
break;
case 4:
ret = ENGINE_set_default_DH(eng);
break;
case 5:
ret = ENGINE_set_default_RAND(eng);
break;
case 7:
ret = ENGINE_set_default_ciphers(eng);
break;
case 8:
ret = ENGINE_set_default_digests(eng);
break;
case 6:
default:
luaL_error(L,"not support %d for %s",c, list[c]);
break;
}
first++;
if(ret!=1){
lua_pushboolean(L, 0);
return 1;
}
}
lua_pushboolean(L, ret);
return 1;
};
void
tor_init_with_engine (const char* name, const char* path)
{
ENGINE* engine;
if (initialized) {
return;
}
tor_init();
if (path == NULL) {
engine = ENGINE_by_id(name);
}
else {
engine = ENGINE_by_id("dynamic");
if (!ENGINE_ctrl_cmd_string(engine, "ID", name, 0) ||
!ENGINE_ctrl_cmd_string(engine, "DIR_LOAD", "2", 0) ||
!ENGINE_ctrl_cmd_string(engine, "DIR_ADD", path, 0) ||
!ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0)) {
ENGINE_free(engine);
engine = NULL;
}
}
if (engine) {
ENGINE_set_default(engine, ENGINE_METHOD_ALL);
}
}
int TS_CONF_set_default_engine(const char *name)
{
ENGINE *e = NULL;
int ret = 0;
/* Leave the default if builtin specified. */
if (strcmp(name, "builtin") == 0) return 1;
if (!(e = ENGINE_by_id(name))) goto err;
/* Enable the use of the NCipher HSM for forked children. */
if (strcmp(name, "chil") == 0)
ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
/* All the operations are going to be carried out by the engine. */
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) goto err;
ret = 1;
err:
if (!ret)
{
TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE,
TS_R_COULD_NOT_SET_ENGINE);
ERR_add_error_data(2, "engine:", name);
}
if (e) ENGINE_free(e);
return ret;
}
static int load_engine(void **ctx,MESSAGE *msg)
{
int i;
ENGINE **e=(ENGINE **)ctx;
ENGINE_load_dynamic();
if(!(*e=ENGINE_by_id("dynamic")))goto err1;
if(!ENGINE_ctrl_cmd_string(*e,"SO_PATH",msg->engine,0))goto err2;
for(i=0;pkcs11[i].name;i++)
if(!ENGINE_ctrl_cmd_string(*e,pkcs11[i].name,pkcs11[i].value,0))
goto err2;
if(!ENGINE_ctrl_cmd_string(*e,"MODULE_PATH",msg->pkcs11,0))goto err2;
if(msg->nopin)if(!ENGINE_ctrl_cmd_string(*e,"NOLOGIN","1",0))goto err2;
if(!ENGINE_ctrl_cmd_string(*e,"PIN",msg->nopin?"":msg->pin,0))goto err2;
if(!ENGINE_init(*e))
{
err2: ENGINE_free(*e);
err1: ENGINE_cleanup();
return ENGFAIL;
}
ENGINE_free(*e);
ENGINE_set_default(*e,ENGINE_METHOD_ALL&~ENGINE_METHOD_RAND);
return OK;
}
static ENGINE *
setup_engine (const char *engine)
{
ENGINE *e = NULL;
ENGINE_load_builtin_engines ();
if (engine)
{
if (strcmp (engine, "auto") == 0)
{
msg (M_INFO, "Initializing OpenSSL auto engine support");
ENGINE_register_all_complete ();
return NULL;
}
if ((e = ENGINE_by_id (engine)) == NULL
&& (e = try_load_engine (engine)) == NULL)
{
msg (M_FATAL, "OpenSSL error: cannot load engine '%s'", engine);
}
if (!ENGINE_set_default (e, ENGINE_METHOD_ALL))
{
msg (M_FATAL, "OpenSSL error: ENGINE_set_default failed on engine '%s'",
engine);
}
msg (M_INFO, "Initializing OpenSSL support for engine '%s'",
ENGINE_get_id (e));
}
return e;
}
int main(int argc, char **argv) {
OpenSSL_add_all_algorithms();
int len = 128 * MB;
if (argc > 1) {
len = atoi(argv[1]) * MB;
}
unsigned char *buf = (unsigned char *) malloc(TOTAL_LEN);
if (!buf) {
fprintf(stderr, "Error Allocating Memory");
}
ENGINE_load_builtin_engines();
#ifdef OPENCL_ENGINE
ENGINE *e = ENGINE_by_id("dynamic");
if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", OPENCL_ENGINE, 0) ||
!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
fprintf(stderr, "Failed to load OpenCL engine!\n");
return -1;
}
ENGINE_set_default(e, ENGINE_METHOD_ALL);
#endif
run(argv[0], buf, len);
free(buf);
return 0;
}
/* Use AES-NI if available. This is not supported with low-level calls,
we have to use EVP) */
static void init_aesni(void)
{
ENGINE *e;
const char *engine_id = "aesni";
ENGINE_load_builtin_engines();
e = ENGINE_by_id(engine_id);
if (!e) {
//fprintf(stderr, "AES-NI engine not available\n");
return;
}
if (!ENGINE_init(e)) {
fprintf(stderr, "AES-NI engine could not init\n");
ENGINE_free(e);
return;
}
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL & ~ENGINE_METHOD_RAND)) {
/* This should only happen when 'e' can't initialise, but the
* previous statement suggests it did. */
fprintf(stderr, "AES-NI engine initialized but then failed\n");
abort();
}
ENGINE_finish(e);
ENGINE_free(e);
}
void
sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *card)
{
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_ENGINE)
void (*locking_cb)(int, int, const char *, int);
ENGINE *e;
locking_cb = CRYPTO_get_locking_callback();
if (locking_cb)
CRYPTO_set_locking_callback(NULL);
e = ENGINE_by_id("gost");
if (!e)
{
#if !defined(OPENSSL_NO_STATIC_ENGINE) && !defined(OPENSSL_NO_GOST)
ENGINE_load_gost();
e = ENGINE_by_id("gost");
#else
/* try to load dynamic gost engine */
e = ENGINE_by_id("dynamic");
if (!e) {
ENGINE_load_dynamic();
e = ENGINE_by_id("dynamic");
}
if (e && (!ENGINE_ctrl_cmd_string(e, "SO_PATH", "gost", 0) ||
!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))) {
ENGINE_free(e);
e = NULL;
}
#endif /* !OPENSSL_NO_STATIC_ENGINE && !OPENSSL_NO_GOST */
}
if (e) {
ENGINE_set_default(e, ENGINE_METHOD_ALL);
ENGINE_free(e);
}
if (locking_cb)
CRYPTO_set_locking_callback(locking_cb);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_ENGINE) */
openssl_sha1_mech.mech_data = EVP_sha1();
sc_pkcs11_register_mechanism(card, &openssl_sha1_mech);
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
openssl_sha256_mech.mech_data = EVP_sha256();
sc_pkcs11_register_mechanism(card, &openssl_sha256_mech);
openssl_sha384_mech.mech_data = EVP_sha384();
sc_pkcs11_register_mechanism(card, &openssl_sha384_mech);
openssl_sha512_mech.mech_data = EVP_sha512();
sc_pkcs11_register_mechanism(card, &openssl_sha512_mech);
#endif
openssl_md5_mech.mech_data = EVP_md5();
sc_pkcs11_register_mechanism(card, &openssl_md5_mech);
openssl_ripemd160_mech.mech_data = EVP_ripemd160();
sc_pkcs11_register_mechanism(card, &openssl_ripemd160_mech);
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
openssl_gostr3411_mech.mech_data = EVP_get_digestbynid(NID_id_GostR3411_94);
sc_pkcs11_register_mechanism(card, &openssl_gostr3411_mech);
#endif
}
int ENGINE_set_default_string(ENGINE *e, const char *def_list)
{
unsigned int flags = 0;
if (!CONF_parse_list(def_list, ',', 1, int_def_cb, &flags)) {
ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING,
ENGINE_R_INVALID_STRING);
ERR_add_error_data(2, "str=", def_list);
return 0;
}
return ENGINE_set_default(e, flags);
}
static VALUE
ossl_engine_set_default(VALUE self, VALUE flag)
{
ENGINE *e;
int f = NUM2INT(flag);
GetEngine(self, e);
ENGINE_set_default(e, f);
return Qtrue;
}
void initializeSecHandler()
{
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
// <FS:ND If we can, enabled the rdrand engine. It is available as a CPU instruction on newer Intel CPUs
ENGINE_load_builtin_engines();
ENGINE* engRdRand = ENGINE_by_id("rdrand");
if( engRdRand )
ENGINE_set_default(engRdRand, ENGINE_METHOD_RAND);
unsigned long lErr ( ERR_get_error() );
while( lErr )
{
char aError[128];
ERR_error_string_n( lErr, aError, sizeof( aError ) );
LL_WARNS() << aError << LL_ENDL;
lErr = ERR_get_error();
}
// </FS:ND>
gHandlerMap[BASIC_SECHANDLER] = new LLSecAPIBasicHandler();
// Currently, we only have the Basic handler, so we can point the main sechandler
// pointer to the basic handler. Later, we'll create a wrapper handler that
// selects the appropriate sechandler as needed, for instance choosing the
// mac keyring handler, with fallback to the basic sechandler
gSecAPIHandler = gHandlerMap[BASIC_SECHANDLER];
// initialize all SecAPIHandlers
std::string exception_msg;
std::map<std::string, LLPointer<LLSecAPIHandler> >::const_iterator itr;
for(itr = gHandlerMap.begin(); itr != gHandlerMap.end(); ++itr)
{
LLPointer<LLSecAPIHandler> handler = (*itr).second;
try
{
handler->init();
}
catch (LLProtectedDataException e)
{
exception_msg = e.getMessage();
}
}
if (!exception_msg.empty()) // an exception was thrown.
{
throw LLProtectedDataException(exception_msg.c_str());
}
}
isc_result_t
dst__openssl_setdefault(const char *name) {
UNUSED(name);
#if defined(USE_ENGINE)
ENGINE_set_default(e, ENGINE_METHOD_ALL);
#endif
/*
* XXXMPA If the engine does not have a default RAND method
* restore our method.
*/
return (ISC_R_SUCCESS);
}
int
sldns_key_EVP_load_gost_id(void)
{
static int gost_id = 0;
const EVP_PKEY_ASN1_METHOD* meth;
ENGINE* e;
if(gost_id) return gost_id;
/* see if configuration loaded gost implementation from other engine*/
meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
if(meth) {
EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
return gost_id;
}
/* see if engine can be loaded already */
e = ENGINE_by_id("gost");
if(!e) {
/* load it ourself, in case statically linked */
ENGINE_load_builtin_engines();
ENGINE_load_dynamic();
e = ENGINE_by_id("gost");
}
if(!e) {
/* no gost engine in openssl */
return 0;
}
if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
ENGINE_finish(e);
ENGINE_free(e);
return 0;
}
meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
if(!meth) {
/* algo not found */
ENGINE_finish(e);
ENGINE_free(e);
return 0;
}
/* Note: do not ENGINE_finish and ENGINE_free the acquired engine
* on some platforms this frees up the meth and unloads gost stuff */
sldns_gost_engine = e;
EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
return gost_id;
}
void Engines::setEngineDefault(Engine &engine, Engine::Algorithm algorithm)
throw (EngineException)
{
unsigned int flag;
ENGINE *e;
e = engine.getEngine();
if (!e)
{
throw EngineException(EngineException::INVALID_ENGINE, "Engines::setEngineDefault");
}
flag = Engines::getAlgorithmFlags(algorithm);
if (!(ENGINE_set_default(e, flag)))
{
throw EngineException(EngineException::INTERNAL_ERROR, "Engines::setEngineDefault");
}
}
/* Sets engine as default for all SSL operations
*/
CURLcode Curl_ossl_set_engine_default(struct SessionHandle *data)
{
#ifdef HAVE_OPENSSL_ENGINE_H
if (data->state.engine) {
if (ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
infof(data,"set default crypto engine %s\n", data->state.engine);
}
else {
failf(data, "set default crypto engine %s failed", data->state.engine);
return CURLE_SSL_ENGINE_SETFAILED;
}
}
#else
(void) data;
#endif
return CURLE_OK;
}
int
_openssl_env_init(openssl_env *env, char *engine, int server) {
/*
* Create an OpenSSL environment (method and context).
* If ``server'' is 1, the environment is that of a SSL
* server.
*/
const long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
env->meth = SSLv23_method();
env->ctx = SSL_CTX_new(env->meth);
SSL_CTX_set_options(env->ctx, options);
if (_options.sslciphers) {
SSL_CTX_set_cipher_list(env->ctx, _options.sslciphers);
}
#ifdef HAVE_OPENSSL_ENGINE
if (engine) {
retry:
if ((env->engine = ENGINE_by_id(engine)) == NULL) {
fprintf(stderr,"invalid engine \"%s\"\n", engine);
ENGINE_free(env->engine);
engine = "openssl";
goto retry;
}
if (!ENGINE_set_default(env->engine, ENGINE_METHOD_ALL)) {
fprintf(stderr,"can't use that engine\n");
ENGINE_free(env->engine);
engine = "openssl";
goto retry;
}
}
#endif
#ifdef HAVE_OPENSSL_ENGINE
SSL_CTX_set_app_data(env->ctx, env);
#endif
if (server) {
SSL_CTX_set_options(env->ctx, SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_session_cache_mode(env->ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_quiet_shutdown(env->ctx, 1);
}
return 1;
}
static int rand_openssl_init_rdrand(void)
{
ENGINE *e;
#if 0
OPENSSL_cpuid_setup();
#endif
ENGINE_load_rdrand();
e = ENGINE_by_id("rdrand");
if (!e)
return 1;
if (ENGINE_init(e) == 0)
return 1;
if (ENGINE_set_default(e, ENGINE_METHOD_RAND) == 0)
return 1;
return 0;
}
/* Attempt to hook up the hardware random number
* generator, if it's available. */
static void load_hardware_engine () {
if (rand_loaded)
return;
OPENSSL_cpuid_setup ();
ENGINE_load_rdrand ();
reng = ENGINE_by_id ("rdrand");
ERR_get_error ();
if (!reng)
return;
int rc = ENGINE_set_default (reng, ENGINE_METHOD_RAND);
ERR_get_error ();
if (!rc) {
unload_hardware_engine ();
}
rand_loaded = 1;
}
int TS_CONF_set_default_engine(const char *name)
{
ENGINE *e = NULL;
int ret = 0;
if (strcmp(name, "builtin") == 0)
return 1;
if ((e = ENGINE_by_id(name)) == NULL)
goto err;
if (strcmp(name, "chil") == 0)
ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
goto err;
ret = 1;
err:
if (!ret) {
TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE, TS_R_COULD_NOT_SET_ENGINE);
ERR_add_error_data(2, "engine:", name);
}
ENGINE_free(e);
return ret;
}
isc_result_t
dst__openssl_init(const char *engine) {
isc_result_t result;
#ifdef USE_ENGINE
ENGINE *re;
#else
UNUSED(engine);
#endif
#ifdef DNS_CRYPTO_LEAKS
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif
CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
nlocks = CRYPTO_num_locks();
locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
if (locks == NULL)
return (ISC_R_NOMEMORY);
result = isc_mutexblock_init(locks, nlocks);
if (result != ISC_R_SUCCESS)
goto cleanup_mutexalloc;
CRYPTO_set_locking_callback(lock_callback);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_set_id_callback(id_callback);
#endif
ERR_load_crypto_strings();
rm = mem_alloc(sizeof(RAND_METHOD));
if (rm == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_mutexinit;
}
rm->seed = NULL;
rm->bytes = entropy_get;
rm->cleanup = NULL;
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
#ifdef USE_ENGINE
OPENSSL_config(NULL);
if (engine != NULL && *engine == '\0')
engine = NULL;
if (engine != NULL) {
e = ENGINE_by_id(engine);
if (e == NULL) {
result = DST_R_NOENGINE;
goto cleanup_rm;
}
/* This will init the engine. */
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
result = DST_R_NOENGINE;
goto cleanup_rm;
}
}
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
if (re == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_rm;
}
ENGINE_set_RAND(re, rm);
ENGINE_set_default_RAND(re);
ENGINE_free(re);
} else
ENGINE_finish(re);
#else
RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
return (ISC_R_SUCCESS);
#ifdef USE_ENGINE
cleanup_rm:
if (e != NULL)
ENGINE_free(e);
e = NULL;
mem_free(rm);
rm = NULL;
#endif
cleanup_mutexinit:
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
cleanup_mutexalloc:
mem_free(locks);
locks = NULL;
return (result);
}
isc_result_t
dst__openssl_init() {
isc_result_t result;
#ifdef USE_ENGINE
/* const char *name; */
ENGINE *re;
#endif
#ifdef DNS_CRYPTO_LEAKS
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif
CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
nlocks = CRYPTO_num_locks();
locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
if (locks == NULL)
return (ISC_R_NOMEMORY);
result = isc_mutexblock_init(locks, nlocks);
if (result != ISC_R_SUCCESS)
goto cleanup_mutexalloc;
CRYPTO_set_locking_callback(lock_callback);
CRYPTO_set_id_callback(id_callback);
rm = mem_alloc(sizeof(RAND_METHOD));
if (rm == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_mutexinit;
}
rm->seed = NULL;
rm->bytes = entropy_get;
rm->cleanup = NULL;
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
#ifdef USE_ENGINE
OPENSSL_config(NULL);
#ifdef USE_PKCS11
#ifndef PKCS11_SO_PATH
#define PKCS11_SO_PATH "/usr/local/lib/engines/engine_pkcs11.so"
#endif
#ifndef PKCS11_MODULE_PATH
#define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so"
#endif
{
/*
* to use this to config the PIN, add in openssl.cnf:
* - at the beginning: "openssl_conf = openssl_def"
* - at any place these sections:
* [ openssl_def ]
* engines = engine_section
* [ engine_section ]
* pkcs11 = pkcs11_section
* [ pkcs11_section ]
* PIN = my___pin
*/
const char *pre_cmds[] = {
"SO_PATH", PKCS11_SO_PATH,
"LOAD", NULL,
"MODULE_PATH", PKCS11_MODULE_PATH
};
const char *post_cmds[] = {
/* "PIN", "my___pin" */
};
result = dst__openssl_load_engine("pkcs11", "pkcs11",
pre_cmds, 0,
post_cmds, /*1*/ 0);
if (result != ISC_R_SUCCESS)
goto cleanup_rm;
}
#endif /* USE_PKCS11 */
if (engine_id != NULL) {
e = ENGINE_by_id(engine_id);
if (e == NULL) {
result = ISC_R_NOTFOUND;
goto cleanup_rm;
}
if (!ENGINE_init(e)) {
result = ISC_R_FAILURE;
ENGINE_free(e);
goto cleanup_rm;
}
ENGINE_set_default(e, ENGINE_METHOD_ALL);
ENGINE_free(e);
} else {
ENGINE_register_all_complete();
for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
/*
* Something weird here. If we call ENGINE_finish()
* ENGINE_get_default_RAND() will fail.
*/
if (ENGINE_init(e)) {
if (he == NULL)
he = e;
}
}
}
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
if (re == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_rm;
}
ENGINE_set_RAND(re, rm);
ENGINE_set_default_RAND(re);
ENGINE_free(re);
} else
ENGINE_finish(re);
#else
RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
return (ISC_R_SUCCESS);
#ifdef USE_ENGINE
cleanup_rm:
mem_free(rm);
#endif
cleanup_mutexinit:
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
cleanup_mutexalloc:
mem_free(locks);
return (result);
}
ENGINE *scep_engine_init(ENGINE *e) {
ENGINE_load_builtin_engines();
ENGINE_load_dynamic();
//if its not dynamic, try to load it directly. If OpenSSL has it already we are good to go!
if(strcmp(g_char, "dynamic") != 0)
{
e = ENGINE_by_id(g_char);
if ((e==NULL) && v_flag){
printf("%s: Engine %s could not be loaded. Trying to load dynamically...\n", pname, g_char);
}
}
if(e == NULL)
{
ERR_clear_error();
e = scep_engine_load_dynamic(e);
}
if(scep_conf->engine->module_path) {
if(ENGINE_ctrl_cmd_string(e, "MODULE_PATH", scep_conf->engine->module_path, 0) == 0) {
fprintf(stderr, "%s: Adding MODULE PATH %s was not successful!\n", pname, scep_conf->engine->module_path);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
}
//define this engine as a default for all our crypto operations. This way OpenSSL automatically chooses the right functions
if(ENGINE_set_default(e, ENGINE_METHOD_ALL) == 0) {
fprintf(stderr, "%s: Error loading on setting defaults\n", pname);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
} else if(v_flag)
printf("%s: Engine %s made default for all operations\n", pname, g_char);
//we need a functional reference and as such need to initialize
if(ENGINE_init(e) == 0) {
fprintf(stderr, "%s: Engine Init did not work\n", pname);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
} else if(v_flag)
printf("%s: Engine %s initialized\n", pname, g_char);
//TODO: remove capi specific part!
if(v_flag && strncmp(scep_conf->engine->engine_id, "capi", 4) == 0) {
// set debug level
if(!ENGINE_ctrl(e, (ENGINE_CMD_BASE + 2), 2, NULL, NULL)) {
fprintf(stderr, "%s: Could not set debug level to %i\n", pname, 2);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
// set debug file (log)
if(!ENGINE_ctrl(e, (ENGINE_CMD_BASE + 3), 0, "capi.log", NULL)) {
fprintf(stderr, "%s: Could not set debug file to %s\n", pname, "capi.log");
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
}
//TODO: remove JKSEngine specific part!
if(strncmp(scep_conf->engine->engine_id, "jksengine", 9) == 0) {
if(scep_conf->engine->storepass) {
if(!ENGINE_ctrl(e, 2, 0, scep_conf->engine->storepass, NULL)) {
fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_KEYSTOREPASS);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
}
if(scep_conf->engine->jconnpath) {
if(!ENGINE_ctrl(e, 3, 0, scep_conf->engine->jconnpath, 0)) {
fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JCONNPATH);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
}
if(scep_conf->engine->provider) {
if(!ENGINE_ctrl(e, 4, 0, scep_conf->engine->provider, 0)) {
fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_PROVIDER);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
}
if(scep_conf->engine->javapath) {
if(!ENGINE_ctrl(e, 5, 0, scep_conf->engine->javapath, 0)) {
fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JAVAPATH);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
}
}
//TODO: remove pkcs11 specific part!
if(strncmp(scep_conf->engine->engine_id, "pkcs11", 6) == 0) {
if(scep_conf->engine->pin) {
if(!ENGINE_ctrl(e, (ENGINE_CMD_BASE + 2), 0, scep_conf->engine->pin, NULL)) {
fprintf(stderr, "%s: Could not define PIN\n", pname);
sscep_engine_report_error();
exit (SCEP_PKISTATUS_ERROR);
}
}
}
return e;
}
static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
const char *CAfile, const char *cert,
const char *key, const char *dcert,
const char *dkey, const char *cipher_list,
const char *dh_file,
const char *dh_special, int tmp_rsa,
int ctx_options, int out_state,
int out_verify, int verify_mode,
unsigned int verify_depth)
{
SSL_CTX *ctx = NULL, *ret = NULL;
const SSL_METHOD *meth;
ENGINE *e = NULL;
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
meth = (server_mode ? SSLv23_server_method() : SSLv23_client_method());
if (meth == NULL)
goto err;
if (engine_id) {
ENGINE_load_builtin_engines();
if ((e = ENGINE_by_id(engine_id)) == NULL) {
fprintf(stderr, "Error obtaining '%s' engine, openssl "
"errors follow\n", engine_id);
goto err;
}
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
fprintf(stderr, "Error assigning '%s' engine, openssl "
"errors follow\n", engine_id);
goto err;
}
ENGINE_free(e);
}
if ((ctx = SSL_CTX_new(meth)) == NULL)
goto err;
/* cacert */
if (CAfile) {
if (!X509_STORE_load_locations(SSL_CTX_get_cert_store(ctx),
CAfile, NULL)) {
fprintf(stderr, "Error loading CA cert(s) in '%s'\n", CAfile);
goto err;
}
fprintf(stderr, "Info, operating with CA cert(s) in '%s'\n", CAfile);
} else
fprintf(stderr, "Info, operating without a CA cert(-list)\n");
if (!SSL_CTX_set_default_verify_paths(ctx)) {
fprintf(stderr, "Error setting default verify paths\n");
goto err;
}
/* cert and key */
if ((cert || key) && !ctx_set_cert(ctx, cert, key))
goto err;
/* dcert and dkey */
if ((dcert || dkey) && !ctx_set_cert(ctx, dcert, dkey))
goto err;
/* temporary RSA key generation */
if (tmp_rsa)
SSL_CTX_set_tmp_rsa_callback(ctx, cb_generate_tmp_rsa);
/* cipher_list */
if (cipher_list) {
if (!SSL_CTX_set_cipher_list(ctx, cipher_list)) {
fprintf(stderr, "Error setting cipher list '%s'\n", cipher_list);
goto err;
}
fprintf(stderr, "Info, set cipher list '%s'\n", cipher_list);
} else
fprintf(stderr, "Info, operating with default cipher list\n");
/* dh_file & dh_special */
if ((dh_file || dh_special) && !ctx_set_dh(ctx, dh_file, dh_special))
goto err;
/* ctx_options */
SSL_CTX_set_options(ctx, ctx_options);
/* out_state (output of SSL handshake states to screen). */
if (out_state)
cb_ssl_info_set_output(stderr);
/* out_verify */
if (out_verify > 0) {
cb_ssl_verify_set_output(stderr);
cb_ssl_verify_set_level(out_verify);
}
/* verify_depth */
cb_ssl_verify_set_depth(verify_depth);
/* Success! (includes setting verify_mode) */
SSL_CTX_set_info_callback(ctx, cb_ssl_info);
SSL_CTX_set_verify(ctx, verify_mode, cb_ssl_verify);
ret = ctx;
err:
if (!ret) {
ERR_print_errors_fp(stderr);
if (ctx)
SSL_CTX_free(ctx);
}
return ret;
}
ret_t
http2d_init (void)
{
if (_initialized)
return ret_ok;
/* Init OpenSSL
*/
OPENSSL_config (NULL);
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
/* Ensure PRNG has been seeded with enough data
*/
if (RAND_status() == 0) {
LOG_WARNING_S (HTTP2D_ERROR_SSL_NO_ENTROPY);
}
/* Init concurrency related stuff
*/
if ((CRYPTO_get_id_callback() == NULL) &&
(CRYPTO_get_locking_callback() == NULL))
{
cuint_t n;
CRYPTO_set_id_callback (__get_thread_id);
CRYPTO_set_locking_callback (__lock_thread);
locks_num = CRYPTO_num_locks();
locks = malloc (locks_num * sizeof(*locks));
for (n = 0; n < locks_num; n++) {
HTTP2D_MUTEX_INIT (&locks[n], NULL);
}
}
/* Engines
*/
ENGINE_load_builtin_engines();
OpenSSL_add_all_algorithms();
ENGINE *e = ENGINE_by_id("pkcs11");
while (e != NULL) {
if(! ENGINE_init(e)) {
ENGINE_free (e);
LOG_CRITICAL_S (HTTP2D_ERROR_SSL_PKCS11);
break;
}
if(! ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
ENGINE_free (e);
LOG_CRITICAL_S (HTTP2D_ERROR_SSL_DEFAULTS);
break;
}
ENGINE_finish(e);
ENGINE_free(e);
break;
}
return ret_ok;
}
int64_t s2n_public_random(int64_t max)
{
uint64_t r;
gt_check(max, 0);
while(1) {
struct s2n_blob blob = { .data = (void *) &r, sizeof(r) };
GUARD(s2n_get_public_random_data(&blob));
/* Imagine an int was one byte and UINT_MAX was 256. If the
* caller asked for s2n_random(129, ...) we'd end up in
* trouble. Each number in the range 0...127 would be twice
* as likely as 128. That's because r == 0 % 129 -> 0, and
* r == 129 % 129 -> 0, but only r == 128 returns 128,
* r == 257 is out of range.
*
* To de-bias the dice, we discard values of r that are higher
* that the highest multiple of 'max' an int can support. If
* max is a uint, then in the worst case we discard 50% - 1 r's.
* But since 'max' is an int and INT_MAX is <= UINT_MAX / 2,
* in the worst case we discard 25% - 1 r's.
*/
if (r < (UINT64_MAX - (UINT64_MAX % max))) {
return r % max;
}
}
return -1;
}
#ifndef OPENSSL_IS_BORINGSSL
int s2n_openssl_compat_rand(unsigned char *buf, int num)
{
struct s2n_blob out = {.data = buf, .size = num};
if(s2n_get_private_random_data(&out) < 0) {
return 0;
}
return 1;
}
int s2n_openssl_compat_status(void)
{
return 1;
}
int s2n_openssl_compat_init(ENGINE *unused)
{
return 1;
}
RAND_METHOD s2n_openssl_rand_method = {
.seed = NULL,
.bytes = s2n_openssl_compat_rand,
.cleanup = NULL,
.add = NULL,
.pseudorand = s2n_openssl_compat_rand,
.status = s2n_openssl_compat_status
};
#endif
int s2n_init(void)
{
GUARD(s2n_mem_init());
OPEN:
entropy_fd = open(ENTROPY_SOURCE, O_RDONLY);
if (entropy_fd == -1) {
if (errno == EINTR) {
goto OPEN;
}
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#if defined(MAP_INHERIT_ZERO)
if ((zero_if_forked_ptr = mmap(NULL, sizeof(int), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
if (minherit(zero_if_forked_ptr, sizeof(int), MAP_INHERIT_ZERO) == -1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#else
if (pthread_atfork(NULL, NULL, s2n_on_fork) != 0) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#endif
GUARD(s2n_check_fork());
#ifndef OPENSSL_IS_BORINGSSL
/* Create an engine */
ENGINE *e = ENGINE_new();
if (e == NULL ||
ENGINE_set_id(e, "s2n") != 1 ||
ENGINE_set_name(e, "s2n entropy generator") != 1 ||
ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) != 1 ||
ENGINE_set_init_function(e, s2n_openssl_compat_init) != 1 ||
ENGINE_set_RAND(e, &s2n_openssl_rand_method) != 1 ||
ENGINE_add(e) != 1 ||
ENGINE_free(e) != 1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
/* Use that engine for rand() */
e = ENGINE_by_id("s2n");
if (e == NULL ||
ENGINE_init(e) != 1 ||
ENGINE_set_default(e, ENGINE_METHOD_RAND) != 1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#endif
return 0;
}
