QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-30 03:34:39 +00:00
Code Issues Projects Releases Wiki Activity

Provide a version of ossl_init_thread_start that works in FIPS mode

Browse Source 
This will need to be hooked up in a later commit with an event sent to
the FIPS provider informing it of thread stop events.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9040)
This commit is contained in:
Matt Caswell 2019-05-24 18:20:49 +01:00
parent 72592b8664
commit e41faf5784
3 changed files with 77 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
crypto/include/internal/cryptlib_int.h
View File

@ -16,6 +16,7 @@ int ossl_init_thread_start(OPENSSL_CTX *ctx,
ossl_thread_stop_handler_fn handfn); ossl_thread_stop_handler_fn handfn);
int init_thread(void); int init_thread(void);
void cleanup_thread(void); void cleanup_thread(void);
void fips_thread_stop(OPENSSL_CTX *ctx);
/* /*
* OPENSSL_INIT flags. The primary list of these is in crypto.h. Flags below * OPENSSL_INIT flags. The primary list of these is in crypto.h. Flags below

85
crypto/initthread.c
View File

@ -17,6 +17,9 @@ struct thread_event_handler_st {
THREAD_EVENT_HANDLER *next; THREAD_EVENT_HANDLER *next;
}; };
static void ossl_init_thread_stop(THREAD_EVENT_HANDLER **hands);
#ifndef FIPS_MODE
/* /*
* Since per-thread-specific-data destructors are not universally * Since per-thread-specific-data destructors are not universally
* available, i.e. not on Windows, only below CRYPTO_THREAD_LOCAL key * available, i.e. not on Windows, only below CRYPTO_THREAD_LOCAL key
@ -36,8 +39,6 @@ static union {
CRYPTO_THREAD_LOCAL value; CRYPTO_THREAD_LOCAL value;
} destructor_key = { -1 }; } destructor_key = { -1 };
static void ossl_init_thread_stop(THREAD_EVENT_HANDLER **hands);
static void ossl_init_thread_destructor(void *hands) static void ossl_init_thread_destructor(void *hands)
{ {
ossl_init_thread_stop((THREAD_EVENT_HANDLER **)hands); ossl_init_thread_stop((THREAD_EVENT_HANDLER **)hands);
@ -78,6 +79,61 @@ static THREAD_EVENT_HANDLER **ossl_init_get_thread_local(int alloc)
return hands; return hands;
} }
void OPENSSL_thread_stop(void)
{
if (destructor_key.sane != -1)
ossl_init_thread_stop(ossl_init_get_thread_local(0));
}
#else
static void *thread_event_ossl_ctx_new(OPENSSL_CTX *libctx)
{
THREAD_EVENT_HANDLER **hands = NULL;
CRYPTO_THREAD_LOCAL *tlocal = OPENSSL_zalloc(sizeof(CRYPTO_THREAD_LOCAL));
if (tlocal == NULL)
return NULL;
hands = OPENSSL_zalloc(sizeof(*hands));
if (hands == NULL)
goto err;
if (!CRYPTO_THREAD_set_local(tlocal, hands))
goto err;
return tlocal;
err:
OPENSSL_free(hands);
OPENSSL_free(tlocal);
return NULL;
}
static void thread_event_ossl_ctx_free(void *vtlocal)
{
CRYPTO_THREAD_LOCAL *tlocal = vtlocal;
THREAD_EVENT_HANDLER **hands = CRYPTO_THREAD_get_local(tlocal);
if (hands != NULL)
ossl_init_thread_stop(hands);
OPENSSL_free(tlocal);
}
static const OPENSSL_CTX_METHOD thread_event_ossl_ctx_method = {
thread_event_ossl_ctx_new,
thread_event_ossl_ctx_free,
};
void fips_thread_stop(OPENSSL_CTX *ctx)
{
THREAD_EVENT_HANDLER **hands;
hands = openssl_ctx_get_data(ctx, OPENSSL_CTX_THREAD_EVENT_HANDLER_INDEX,
&thread_event_ossl_ctx_method);
if (hands != NULL)
ossl_init_thread_stop(hands);
}
#endif /* FIPS_MODE */
static void ossl_init_thread_stop(THREAD_EVENT_HANDLER **hands) static void ossl_init_thread_stop(THREAD_EVENT_HANDLER **hands)
{ {
THREAD_EVENT_HANDLER *curr, *prev = NULL; THREAD_EVENT_HANDLER *curr, *prev = NULL;
@ -97,21 +153,28 @@ static void ossl_init_thread_stop(THREAD_EVENT_HANDLER **hands)
OPENSSL_free(hands); OPENSSL_free(hands);
} }
void OPENSSL_thread_stop(void)
{
if (destructor_key.sane != -1)
ossl_init_thread_stop(ossl_init_get_thread_local(0));
}
int ossl_init_thread_start(OPENSSL_CTX *ctx, ossl_thread_stop_handler_fn handfn) int ossl_init_thread_start(OPENSSL_CTX *ctx, ossl_thread_stop_handler_fn handfn)
{ {
THREAD_EVENT_HANDLER **hands; THREAD_EVENT_HANDLER **hands;
THREAD_EVENT_HANDLER *hand; THREAD_EVENT_HANDLER *hand;
if (!OPENSSL_init_crypto(0, NULL)) #ifdef FIPS_MODE
return 0; /*
* In FIPS mode the list of THREAD_EVENT_HANDLERs is unique per combination
* of OPENSSL_CTX and thread. This is because in FIPS mode each OPENSSL_CTX
* gets informed about thread stop events individually.
*/
hands = openssl_ctx_get_data(ctx, OPENSSL_CTX_THREAD_EVENT_HANDLER_INDEX,
&thread_event_ossl_ctx_method);
#else
/*
* Outside of FIPS mode the list of THREAD_EVENT_HANDLERs is unique per
* thread, but may hold multiple OPENSSL_CTXs. We only get told about
* thread stop events globally, so we have to ensure all affected
* OPENSSL_CTXs are informed.
*/
hands = ossl_init_get_thread_local(1); hands = ossl_init_get_thread_local(1);
#endif
if (hands == NULL) if (hands == NULL)
return 0; return 0;

3
include/internal/cryptlib.h
View File

@ -149,7 +149,8 @@ typedef struct ossl_ex_data_global_st {
# define OPENSSL_CTX_DRBG_INDEX 5 # define OPENSSL_CTX_DRBG_INDEX 5
# define OPENSSL_CTX_DRBG_NONCE_INDEX 6 # define OPENSSL_CTX_DRBG_NONCE_INDEX 6
# define OPENSSL_CTX_RAND_CRNGT_INDEX 7 # define OPENSSL_CTX_RAND_CRNGT_INDEX 7
# define OPENSSL_CTX_MAX_INDEXES 8 # define OPENSSL_CTX_THREAD_EVENT_HANDLER_INDEX 8
# define OPENSSL_CTX_MAX_INDEXES 9
typedef struct openssl_ctx_method { typedef struct openssl_ctx_method {
void *(*new_func)(OPENSSL_CTX *ctx); void *(*new_func)(OPENSSL_CTX *ctx);