/**
* Module deactivation
*
*/
static
int
globus_l_openssl_deactivate(void)
{
int i;
OBJ_cleanup();
ERR_clear_error();
X509V3_EXT_cleanup();
if (CRYPTO_get_id_callback() == globus_l_openssl_thread_id)
{
CRYPTO_set_id_callback(NULL);
}
if (CRYPTO_get_locking_callback() == globus_l_openssl_locking_cb)
{
CRYPTO_set_locking_callback(NULL);
}
for (i=0; i<CRYPTO_num_locks(); i++)
{
globus_mutex_destroy(&(mutex_pool[i]));
}
free(mutex_pool);
globus_module_deactivate(GLOBUS_GSI_OPENSSL_ERROR_MODULE);
globus_module_deactivate(GLOBUS_COMMON_MODULE);
return GLOBUS_SUCCESS;
}
/*
Initialize the MPR SSL layer
*/
PUBLIC int mprSslInit(void *unused, MprModule *module)
{
RandBuf randBuf;
int i;
randBuf.now = mprGetTime();
randBuf.pid = getpid();
RAND_seed((void*) &randBuf, sizeof(randBuf));
#if ME_UNIX_LIKE
RAND_load_file("/dev/urandom", 256);
#endif
if ((openProvider = mprAllocObj(MprSocketProvider, manageOpenProvider)) == NULL) {
return MPR_ERR_MEMORY;
}
openProvider->name = sclone("openssl");
openProvider->upgradeSocket = upgradeOss;
openProvider->closeSocket = closeOss;
openProvider->disconnectSocket = disconnectOss;
openProvider->flushSocket = flushOss;
openProvider->socketState = getOssState;
openProvider->readSocket = readOss;
openProvider->writeSocket = writeOss;
mprSetSslProvider(openProvider);
/*
Configure the SSL library. Use the crypto ID as a one-time test. This allows
users to configure the library and have their configuration used instead.
*/
mprGlobalLock();
if (CRYPTO_get_id_callback() == 0) {
numLocks = CRYPTO_num_locks();
if ((olocks = mprAlloc(numLocks * sizeof(MprMutex*))) == 0) {
return MPR_ERR_MEMORY;
}
for (i = 0; i < numLocks; i++) {
olocks[i] = mprCreateLock();
}
CRYPTO_set_id_callback(sslThreadId);
CRYPTO_set_locking_callback(sslStaticLock);
CRYPTO_set_dynlock_create_callback(sslCreateDynLock);
CRYPTO_set_dynlock_destroy_callback(sslDestroyDynLock);
CRYPTO_set_dynlock_lock_callback(sslDynLock);
#if !ME_WIN_LIKE
OpenSSL_add_all_algorithms();
#endif
/*
WARNING: SSL_library_init() is not reentrant. Caller must ensure safety.
*/
SSL_library_init();
SSL_load_error_strings();
}
mprGlobalUnlock();
return 0;
}
/* called after g_module_check_init(), after shadow searches for __shadow_plugin_init__ */
void __shadow_plugin_init__(ShadowFunctionTable* shadowlibFuncs) {
/* save the shadow functions we will use */
scallion.shadowlibFuncs = shadowlibFuncs;
/* tell shadow which functions it should call to manage nodes */
shadowlibFuncs->registerPlugin(&_scallion_new, &_scallion_free, &_scallion_notify);
shadowlibFuncs->log(SHADOW_LOG_LEVEL_INFO, __FUNCTION__, "finished registering scallion plug-in state");
/* setup openssl locks */
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
#if defined(OPENSSL_THREADS)
/* thread support enabled */
/* make sure openssl uses Shadow's random sources and make crypto thread-safe */
const RAND_METHOD* shadowRandomMethod = NULL;
CRYPTO_lock_func shadowLockFunc = NULL;
CRYPTO_id_func shadowIdFunc = NULL;
int nLocks = CRYPTO_num_locks();
gboolean success = shadowlibFuncs->cryptoSetup(nLocks, (gpointer*)&shadowLockFunc,
(gpointer*)&shadowIdFunc, (gconstpointer*)&shadowRandomMethod);
if(!success) {
/* ok, lets see if we can get shadow function pointers through LD_PRELOAD */
shadowRandomMethod = RAND_get_rand_method();
shadowLockFunc = CRYPTO_get_locking_callback();
shadowIdFunc = CRYPTO_get_id_callback();
}
CRYPTO_set_locking_callback(shadowLockFunc);
CRYPTO_set_id_callback(shadowIdFunc);
RAND_set_rand_method(shadowRandomMethod);
shadowlibFuncs->log(SHADOW_LOG_LEVEL_INFO, __FUNCTION__, "finished initializing crypto thread state");
#else
/* no thread support */
shadowlibFuncs->log(SHADOW_LOG_LEVEL_CRITICAL, __FUNCTION__, "please rebuild openssl with threading support. expect segfaults.");
#endif
/* setup libevent locks */
#ifdef EVTHREAD_USE_PTHREADS_IMPLEMENTED
if(evthread_use_pthreads()) {
shadowlibFuncs->log(SHADOW_LOG_LEVEL_CRITICAL, __FUNCTION__, "error in evthread_use_pthreads()");
}
shadowlibFuncs->log(SHADOW_LOG_LEVEL_MESSAGE, __FUNCTION__, "finished initializing event thread state evthread_use_pthreads()");
#else
shadowlibFuncs->log(SHADOW_LOG_LEVEL_CRITICAL, __FUNCTION__, "please rebuild libevent with threading support, or link with event_pthread. expect segfaults.");
#endif
}
static BOOL _winpr_openssl_cleanup_locking(void)
{
/* undo our static locking modifications */
if (CRYPTO_get_locking_callback() == _winpr_openssl_locking)
{
int i;
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < g_winpr_openssl_num_locks; i++)
{
CloseHandle(g_winpr_openssl_locks[i]);
}
g_winpr_openssl_num_locks = 0;
free(g_winpr_openssl_locks);
g_winpr_openssl_locks = NULL;
}
/* unset our dynamic locking callbacks */
if (CRYPTO_get_dynlock_create_callback() == _winpr_openssl_dynlock_create)
{
CRYPTO_set_dynlock_create_callback(NULL);
}
if (CRYPTO_get_dynlock_lock_callback() == _winpr_openssl_dynlock_lock)
{
CRYPTO_set_dynlock_lock_callback(NULL);
}
if (CRYPTO_get_dynlock_destroy_callback() == _winpr_openssl_dynlock_destroy)
{
CRYPTO_set_dynlock_destroy_callback(NULL);
}
#if (OPENSSL_VERSION_NUMBER < 0x10000000L)
if (CRYPTO_get_id_callback() == _winpr_openssl_id)
{
CRYPTO_set_id_callback(NULL);
}
#endif
return TRUE;
}
void init_ssl()
{
#ifdef ENABLE_TCMALLOC
HeapLeakChecker::Disabler disabler;
#endif
load_ssl_library();
if ((CRYPTO_get_id_callback() == NULL) &&
(CRYPTO_get_locking_callback() == NULL))
{
//cuint_t n;
CRYPTO_set_id_callback (__get_thread_id);
CRYPTO_set_locking_callback (__lock_thread);
int locks_num = CRYPTO_num_locks();
ssl_lock = new KMutex[locks_num];
}
}
bool secure::init(void)
{
if(private_locks)
return true;
Thread::init();
Socket::init();
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
if(CRYPTO_get_id_callback() != NULL)
return false;
private_locks = new Mutex[CRYPTO_num_locks()];
CRYPTO_set_id_callback(ssl_self);
CRYPTO_set_locking_callback(ssl_lock);
return true;
}
static BOOL _winpr_openssl_initialize_locking(void)
{
int i, count;
/* OpenSSL static locking */
if (CRYPTO_get_locking_callback())
{
WLog_WARN(TAG, "OpenSSL static locking callback is already set");
}
else
{
if ((count = CRYPTO_num_locks()) > 0)
{
HANDLE* locks;
if (!(locks = calloc(count, sizeof(HANDLE))))
{
WLog_ERR(TAG, "error allocating lock table");
return FALSE;
}
for (i = 0; i < count; i++)
{
if (!(locks[i] = CreateMutex(NULL, FALSE, NULL)))
{
WLog_ERR(TAG, "error creating lock #%d", i);
while (i--)
{
if (locks[i])
CloseHandle(locks[i]);
}
free(locks);
return FALSE;
}
}
g_winpr_openssl_locks = locks;
g_winpr_openssl_num_locks = count;
CRYPTO_set_locking_callback(_winpr_openssl_locking);
}
}
/* OpenSSL dynamic locking */
if (CRYPTO_get_dynlock_create_callback() ||
CRYPTO_get_dynlock_lock_callback() ||
CRYPTO_get_dynlock_destroy_callback())
{
WLog_WARN(TAG, "dynamic locking callbacks are already set");
}
else
{
CRYPTO_set_dynlock_create_callback(_winpr_openssl_dynlock_create);
CRYPTO_set_dynlock_lock_callback(_winpr_openssl_dynlock_lock);
CRYPTO_set_dynlock_destroy_callback(_winpr_openssl_dynlock_destroy);
}
/* Use the deprecated CRYPTO_get_id_callback() if building against OpenSSL < 1.0.0 */
#if (OPENSSL_VERSION_NUMBER < 0x10000000L)
if (CRYPTO_get_id_callback())
{
WLog_WARN(TAG, "OpenSSL id_callback is already set");
}
else
{
CRYPTO_set_id_callback(_winpr_openssl_id);
}
#endif
return TRUE;
}
/**
* Module activation
*/
static
int
globus_l_openssl_activate(void)
{
int i;
int pci_NID;
int pci_old_NID;
X509V3_EXT_METHOD * pci_x509v3_ext_meth = NULL;
X509V3_EXT_METHOD * pci_old_x509v3_ext_meth = NULL;
SSL_library_init();
globus_module_activate(GLOBUS_COMMON_MODULE);
globus_module_activate(GLOBUS_GSI_OPENSSL_ERROR_MODULE);
mutex_pool = malloc(CRYPTO_num_locks() * sizeof(globus_mutex_t));
for(i=0;i<CRYPTO_num_locks();i++)
{
globus_mutex_init(&(mutex_pool[i]),NULL);
}
if (!CRYPTO_get_locking_callback())
{
CRYPTO_set_locking_callback(globus_l_openssl_locking_cb);
}
if (!CRYPTO_get_id_callback())
{
CRYPTO_set_id_callback(globus_l_openssl_thread_id);
}
if (OBJ_txt2nid(ANY_LANGUAGE_OID) == 0)
{
OBJ_create(ANY_LANGUAGE_OID,
ANY_LANGUAGE_SN,
ANY_LANGUAGE_LN);
}
if (OBJ_txt2nid(IMPERSONATION_PROXY_OID) == 0)
{
OBJ_create(IMPERSONATION_PROXY_OID,
IMPERSONATION_PROXY_SN,
IMPERSONATION_PROXY_LN);
}
if (OBJ_txt2nid(INDEPENDENT_PROXY_OID) == 0)
{
OBJ_create(INDEPENDENT_PROXY_OID,
INDEPENDENT_PROXY_SN,
INDEPENDENT_PROXY_LN);
}
if (OBJ_txt2nid(LIMITED_PROXY_OID) == 0)
{
OBJ_create(LIMITED_PROXY_OID,
LIMITED_PROXY_SN,
LIMITED_PROXY_LN);
}
pci_NID = OBJ_txt2nid(PROXYCERTINFO_OID);
if (pci_NID == 0)
{
pci_NID = OBJ_create(PROXYCERTINFO_OID,
PROXYCERTINFO_SN,
PROXYCERTINFO_LN);
}
pci_old_NID = OBJ_txt2nid(PROXYCERTINFO_OLD_OID);
if (pci_old_NID == 0)
{
pci_old_NID = OBJ_create(PROXYCERTINFO_OLD_OID,
PROXYCERTINFO_OLD_SN,
PROXYCERTINFO_OLD_LN);
}
/* this sets the pci NID in the static X509V3_EXT_METHOD struct */
if (X509V3_EXT_get_nid(pci_NID) == NULL)
{
pci_x509v3_ext_meth = PROXYCERTINFO_x509v3_ext_meth();
pci_x509v3_ext_meth->ext_nid = pci_NID;
X509V3_EXT_add(pci_x509v3_ext_meth);
}
if (X509V3_EXT_get_nid(pci_old_NID) == NULL)
{
pci_old_x509v3_ext_meth = PROXYCERTINFO_OLD_x509v3_ext_meth();
pci_old_x509v3_ext_meth->ext_nid = pci_old_NID;
X509V3_EXT_add(pci_old_x509v3_ext_meth);
}
return GLOBUS_SUCCESS;
}
ret_t
http2d_init (void)
{
if (_initialized)
return ret_ok;
/* Init OpenSSL
*/
OPENSSL_config (NULL);
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
/* Ensure PRNG has been seeded with enough data
*/
if (RAND_status() == 0) {
LOG_WARNING_S (HTTP2D_ERROR_SSL_NO_ENTROPY);
}
/* Init concurrency related stuff
*/
if ((CRYPTO_get_id_callback() == NULL) &&
(CRYPTO_get_locking_callback() == NULL))
{
cuint_t n;
CRYPTO_set_id_callback (__get_thread_id);
CRYPTO_set_locking_callback (__lock_thread);
locks_num = CRYPTO_num_locks();
locks = malloc (locks_num * sizeof(*locks));
for (n = 0; n < locks_num; n++) {
HTTP2D_MUTEX_INIT (&locks[n], NULL);
}
}
/* Engines
*/
ENGINE_load_builtin_engines();
OpenSSL_add_all_algorithms();
ENGINE *e = ENGINE_by_id("pkcs11");
while (e != NULL) {
if(! ENGINE_init(e)) {
ENGINE_free (e);
LOG_CRITICAL_S (HTTP2D_ERROR_SSL_PKCS11);
break;
}
if(! ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
ENGINE_free (e);
LOG_CRITICAL_S (HTTP2D_ERROR_SSL_DEFAULTS);
break;
}
ENGINE_finish(e);
ENGINE_free(e);
break;
}
return ret_ok;
}
