Also move entropy initialization to key-manager-main.cpp where it is used.
Change-Id: I187c76565b3864b6042a31a6eb71ac5921dc1ffd
#include <file-system.h>
#include <key-provider.h>
#include <db-row.h>
-#include <crypto-init.h>
#include <dpl/errno_string.h>
#include "smack-access.h"
{
m_control = Control::create();
m_mgr = Manager::create();
- initOpenSsl();
SmackAccess sa;
sa.add("System", LABEL, "rwx");
SET(COMMON_SOURCES
${COMMON_PATH}/common/algo-param.cpp
${COMMON_PATH}/common/base64.cpp
- ${COMMON_PATH}/common/crypto-init.cpp
${COMMON_PATH}/common/data-type.cpp
${COMMON_PATH}/common/openssl-error-handler.cpp
${COMMON_PATH}/common/exception.cpp
/*
- * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved
+ * Copyright (c) 2014 - 2020 Samsung Electronics Co., Ltd. All rights reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <fstream>
-#include <crypto-init.h>
#include <dpl/log/log.h>
#include <dpl/errno_string.h>
KEY_MANAGER_CAPI
int ckmc_load_cert_from_file(const char *file_path, ckmc_cert_s **cert)
{
- CKM::initOpenSslOnce();
-
FILE *fp = fopen(file_path, "r");
if (fp == NULL)
LogWarning("DEPRECATION WARNING: " << __func__ << "() is deprecated and will be "
"removed from next release. Use ckmc_pkcs12_load() instead.");
- CKM::initOpenSslOnce();
-
int ret = CKMC_ERROR_NONE;
Pkcs12Converter converter;
#include <dpl/serialization.h>
#include <dpl/log/log.h>
-#include <crypto-init.h>
#include <client-manager-impl.h>
#include <client-common.h>
#include <exception.h>
m_ocspConnection(SERVICE_SOCKET_OCSP),
m_encryptionConnection(SERVICE_SOCKET_ENCRYPTION)
{
- initOpenSslOnce();
}
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file crypto-init.cpp
- * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
- * @version 1.0
- */
-
-#include "crypto-init.h"
-
-#include <mutex>
-#include <atomic>
-#include <functional>
-#include <thread>
-#include <fstream>
-
-#include <openssl/evp.h>
-#include <openssl/crypto.h>
-#include <openssl/ssl.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-
-#include <dpl/log/log.h>
-
-namespace CKM {
-namespace {
-
-const char *DEV_HW_RANDOM_FILE = "/dev/hwrng";
-const char *DEV_URANDOM_FILE = "/dev/urandom";
-const size_t RANDOM_BUFFER_LEN = 32;
-
-void initializeEntropy() // entropy sources - /dev/random,/dev/urandom(Default)
-{
- int ret = 0;
-
- std::ifstream ifile(DEV_HW_RANDOM_FILE);
-
- if (ifile.is_open())
- ret = RAND_load_file(DEV_HW_RANDOM_FILE, RANDOM_BUFFER_LEN);
-
- if (ret != RANDOM_BUFFER_LEN) {
- LogWarning("Error in HW_RAND file load");
- ret = RAND_load_file(DEV_URANDOM_FILE, RANDOM_BUFFER_LEN);
-
- if (ret != RANDOM_BUFFER_LEN)
- LogError("Error in U_RAND_file_load");
- }
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-std::mutex *g_mutexes = NULL;
-
-void lockingCallback(int mode, int type, const char *, int)
-{
- if (!g_mutexes) {
- LogError("Openssl mutexes do not exist");
- return;
- }
-
- if (mode & CRYPTO_LOCK)
- g_mutexes[type].lock();
- else if (mode & CRYPTO_UNLOCK)
- g_mutexes[type].unlock();
-}
-
-unsigned long threadIdCallback()
-{
- std::hash<std::thread::id> hasher;
- return hasher(std::this_thread::get_id());
-}
-
-void opensslInstallLocks()
-{
- g_mutexes = new std::mutex[CRYPTO_num_locks()];
-
- CRYPTO_set_id_callback(threadIdCallback);
- CRYPTO_set_locking_callback(lockingCallback);
-}
-
-void opensslUninstallLocks()
-{
- CRYPTO_set_id_callback(NULL);
- CRYPTO_set_locking_callback(NULL);
-
- delete[] g_mutexes;
- g_mutexes = NULL;
-}
-
-void initOpenSsl(bool isLib)
-{
- /*
- * Initialize libcrypto (add all algorithms, digests & ciphers)
- * It also does the stuff from SSL_library_init() except for ssl_load_ciphers()
- */
- OpenSSL_add_all_algorithms(); // Can be optimized by using EVP_add_cipher instead
-
- if (isLib)
- return;
-
- // below initializes only for executable client. (key-manager daemon)
-
- initializeEntropy();
-
- /*
- * Initialize libssl (OCSP uses it)
- * SSL_library_init() == OpenSSL_add_ssl_algorithms()
- * It always returns 1
- */
- SSL_library_init();
-
- // load default configuration (/etc/ssl/openssl.cnf)
- OPENSSL_config(NULL);
- // Loads all error strings (crypto and ssl)
- SSL_load_error_strings();
-
- // Install locks for multithreading support
- opensslInstallLocks();
-}
-
-std::mutex cryptoInitMutex;
-
-void initOpenSslAndDetach();
-
-typedef void(*initFnPtr)();
-
-// has to be atomic as storing function pointer is not an atomic operation on armv7l
-std::atomic<initFnPtr> initFn(&initOpenSslAndDetach);
-
-void initEmpty() {}
-
-// this function will be called only once by initOpenSslOnce for library client
-void initOpenSslAndDetach()
-{
- // DCLP
- std::lock_guard<std::mutex> lock(cryptoInitMutex);
-
- /*
- * We don't care about memory ordering here. Current thread will order it
- * correctly and for other threads only store matters. Also only one thread
- * can be here at once because of lock.
- */
- if (initFn.load(std::memory_order_relaxed) != &initEmpty) {
- initOpenSsl(true);
-
- /*
- * Synchronizes with load. Everything that happened before this store in
- * this thread is visible to everything that happens after load in another
- * thread. We switch to an empty function here.
- */
- initFn.store(&initEmpty, std::memory_order_release);
- }
-}
-#endif
-} // namespace anonymous
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-void initOpenSsl()
-{
- initOpenSsl(false);
-}
-
-void deinitOpenSsl()
-{
- opensslUninstallLocks();
- CONF_modules_free(); // cleanup of OPENSSL_config
- EVP_cleanup(); // cleanup of OpenSSL_add_all_algorithms
- ERR_free_strings(); //cleanup of SSL_load_error_strings
- deinitOpenSslThread();
-}
-
-void deinitOpenSslThread()
-{
- CRYPTO_cleanup_all_ex_data();
- ERR_remove_thread_state(NULL);
-}
-
-void initOpenSslOnce()
-{
- /*
- * Synchronizes with store. Everything that happened before store in another
- * thread will be visible in this thread after load.
- */
- initFn.load(std::memory_order_acquire)();
-}
-#else
-void initOpenSsl()
-{
- initializeEntropy();
-}
-
-void deinitOpenSsl() {}
-void deinitOpenSslThread() {}
-void initOpenSslOnce() {}
-#endif
-
-} // namespace CKM
+++ /dev/null
-/* Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- *
- *
- * @file crypto-init.h
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- * @brief Crypto module implementation.
- */
-#pragma once
-
-#include <symbol-visibility.h>
-
-namespace CKM {
-// Remarks!
-// These functions are used carefully depending on library / executable client.
-//
-// Init/deinit locking functions are only available for executable client
-// (it's key-manager daemon)
-//
-// For library client, locking functions are not supported because it can make
-// undefined behavior(usually segmentation fault) when the client is used as
-// plugin(dynamic loaded) because there's probability of openssl's locking function
-// being init/deinit on multiple plugins.
-
-// Must be called once manually because it'll handle openssl locking functions.
-// Only for server.
-COMMON_API void initOpenSsl();
-COMMON_API void deinitOpenSsl();
-// deinit for every service thread on server.
-COMMON_API void deinitOpenSslThread();
-
-// init for client or common libraries.
-// It'll only do OpenSSL_add_all_algorithms
-COMMON_API void initOpenSslOnce();
-
-} // namespace CKM
/* known errors */
switch (err) {
-#if OPENSSL_VERSION_NUMBER > 0x10100000L
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
-#else /* OPENSSL_VERSION_NUMBER > 0x10100000L */
- case ERR_PACK(ERR_LIB_RSA, RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS):
- case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
- case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
- case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
-#endif /* OPENSSL_VERSION_NUMBER > 0x10100000L */
case ERR_PACK(ERR_LIB_RSA, RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL):
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY):
case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY):
case ERR_PACK(ERR_LIB_X509, X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED):
case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_VERIFY, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE):
case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_VERIFY, EVP_R_OPERATON_NOT_INITIALIZED):
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_VERIFYFINAL, EVP_R_WRONG_PUBLIC_KEY_TYPE):
- case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_VERIFYFINAL, EVP_R_NO_VERIFY_FUNCTION_CONFIGURED):
-#endif
ret = CKM_API_ERROR_VERIFICATION_FAILED;
break;
}
#include <dpl/log/log.h>
-#include <crypto-init.h>
#include <pkcs12-impl.h>
#include <certificate-impl.h>
return;
}
- // needed if parsing is done before manager initialization
- initOpenSslOnce();
-
if (!PKCS12_verify_mac(pkcs12, password.c_str(), password.size())) {
LogDebug("Pkcs12 verify failed. Wrong password");
return;
EVP_PKEY_CTX *pctx = NULL;
// Create the Message Digest Context
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- EvpMdCtxUPtr mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_destroy);
- if (!mdctx.get())
- ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_create function");
-#else
EvpMdCtxUPtr mdctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
if (!mdctx.get())
ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_new function");
-#endif
OPENSSL_ERROR_HANDLE(EVP_DigestSignInit(mdctx.get(), &pctx, md_algo, NULL, privKey));
EVP_PKEY_CTX *pctx = NULL;
// Create the Message Digest Context
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- EvpMdCtxUPtr mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_destroy);
- if (!mdctx.get())
- ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_create function");
-#else
EvpMdCtxUPtr mdctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
if (!mdctx.get())
ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_new function");
-#endif
OPENSSL_ERROR_HANDLE(EVP_DigestVerifyInit(mdctx.get(), &pctx, md_algo, NULL, pubKey));
// at this stage dsa->p, dsa->q & dsa->r should contain our params
// extract them into buffers
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- prime = extractBignumData(dsa->p);
- subprime = extractBignumData(dsa->q);
- base = extractBignumData(dsa->g);
-#else
const BIGNUM *p, *q, *g;
DSA_get0_pqg(dsa.get(), &p, &q, &g);
prime = extractBignumData(p);
subprime = extractBignumData(q);
base = extractBignumData(g);
-#endif
}
tz_data_type toTzDataType(const CKM::DataType dataType) {
/*
- * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <stdlib.h>
#include <signal.h>
+#include <fstream>
+
+#include <openssl/rand.h>
+
#include <dpl/log/log.h>
#include <dpl/singleton.h>
#include <ocsp-service.h>
#include <encryption-service.h>
#include <glib-service.h>
-#include <crypto-init.h>
#include <key-provider.h>
#include <file-system.h>
+namespace {
+
+const char *DEV_HW_RANDOM_FILE = "/dev/hwrng";
+const char *DEV_URANDOM_FILE = "/dev/urandom";
+const size_t RANDOM_BUFFER_LEN = 32;
+
+void initializeEntropy() // entropy sources - /dev/random,/dev/urandom(Default)
+{
+ int ret = 0;
+
+ std::ifstream ifile(DEV_HW_RANDOM_FILE);
+
+ if (ifile.is_open())
+ ret = RAND_load_file(DEV_HW_RANDOM_FILE, RANDOM_BUFFER_LEN);
+
+ if (ret != RANDOM_BUFFER_LEN) {
+ LogWarning("Error in HW_RAND file load");
+ ret = RAND_load_file(DEV_URANDOM_FILE, RANDOM_BUFFER_LEN);
+
+ if (ret != RANDOM_BUFFER_LEN)
+ LogError("Error in U_RAND_file_load");
+ }
+}
+
+} // anonymous namespace
+
#define REGISTER_SOCKET_SERVICE(manager, service) \
registerSocketService<service>(manager, #service)
LogInfo("Init external libraries SKMM and openssl");
- CKM::initOpenSsl();
+ initializeEntropy();
CKM::KeyProvider::initializeLibrary();
// Manager has been destroyed and we may close external libraries.
LogInfo("Deinit SKMM and openssl");
CKM::KeyProvider::closeLibrary();
-
- CKM::deinitOpenSsl();
} catch (const std::runtime_error &e) {
LogError(e.what());
}
/*
- * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved
+ * Copyright (c) 2014 - 2020 Samsung Electronics Co., Ltd. All rights reserved
*
* Contact: Dongsun Lee <ds73.lee@samsung.com>
*
#include <functional>
#include <condition_variable>
-#include <crypto-init.h>
-
#include <cstdio>
#include <dpl/exception.h>
static void ThreadLoopStatic(ServiceThread *ptr)
{
ptr->ThreadLoop();
-
- // cleanup openssl in every thread
- deinitOpenSslThread();
}
void ThreadLoop()
${MANAGER_PATH}/common/base64.cpp
${MANAGER_PATH}/common/certificate-impl.cpp
${MANAGER_PATH}/common/ckm-zero-memory.cpp
- ${MANAGER_PATH}/common/crypto-init.cpp
${MANAGER_PATH}/common/data-type.cpp
${MANAGER_PATH}/common/exception.cpp
${MANAGER_PATH}/common/key-impl.cpp
projects / platform / core / security / key-manager.git / commitdiff