Get rid of the openssl 1.0.2 specific code 11/238511/1
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Tue, 14 Jul 2020 16:21:34 +0000 (18:21 +0200)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Tue, 14 Jul 2020 16:27:19 +0000 (18:27 +0200)
Also move entropy initialization to key-manager-main.cpp where it is used.

Change-Id: I187c76565b3864b6042a31a6eb71ac5921dc1ffd

13 files changed:
misc/encryption_scheme/scheme-test.cpp
src/manager/CMakeLists.txt
src/manager/client-capi/ckmc-type.cpp
src/manager/client/client-manager-impl.cpp
src/manager/common/crypto-init.cpp [deleted file]
src/manager/common/crypto-init.h [deleted file]
src/manager/common/openssl-error-handler.cpp
src/manager/common/pkcs12-impl.cpp
src/manager/crypto/sw-backend/internals.cpp
src/manager/crypto/tz-backend/internals.cpp
src/manager/main/key-manager-main.cpp
src/manager/main/service-thread.h
unit-tests/CMakeLists.txt

index 4aa19f1..70d5e8d 100644 (file)
@@ -40,7 +40,6 @@
 #include <file-system.h>
 #include <key-provider.h>
 #include <db-row.h>
-#include <crypto-init.h>
 #include <dpl/errno_string.h>
 #include "smack-access.h"
 
@@ -402,7 +401,6 @@ SchemeTest::SchemeTest() : m_userChanged(false), m_directAccessEnabled(false)
 {
        m_control = Control::create();
        m_mgr = Manager::create();
-       initOpenSsl();
 
        SmackAccess sa;
        sa.add("System", LABEL, "rwx");
index 742d905..cbf39b3 100644 (file)
@@ -14,7 +14,6 @@ SET(COMMON_PATH ${PROJECT_SOURCE_DIR}/src/manager)
 SET(COMMON_SOURCES
     ${COMMON_PATH}/common/algo-param.cpp
     ${COMMON_PATH}/common/base64.cpp
-    ${COMMON_PATH}/common/crypto-init.cpp
     ${COMMON_PATH}/common/data-type.cpp
     ${COMMON_PATH}/common/openssl-error-handler.cpp
     ${COMMON_PATH}/common/exception.cpp
index 9409025..3e1ca0a 100644 (file)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved
+ *  Copyright (c) 2014 - 2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -35,7 +35,6 @@
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include <fstream>
-#include <crypto-init.h>
 #include <dpl/log/log.h>
 #include <dpl/errno_string.h>
 
@@ -240,8 +239,6 @@ int ckmc_cert_new(unsigned char *raw_cert, size_t cert_size,
 KEY_MANAGER_CAPI
 int ckmc_load_cert_from_file(const char *file_path, ckmc_cert_s **cert)
 {
-       CKM::initOpenSslOnce();
-
        FILE *fp = fopen(file_path, "r");
 
        if (fp == NULL)
@@ -478,8 +475,6 @@ int ckmc_load_from_pkcs12_file(const char *file_path, const char *passphrase,
        LogWarning("DEPRECATION WARNING: " << __func__ << "() is deprecated and will be "
                           "removed from next release. Use ckmc_pkcs12_load() instead.");
 
-       CKM::initOpenSslOnce();
-
        int ret = CKMC_ERROR_NONE;
 
        Pkcs12Converter converter;
index d5b2df5..9eecd5a 100644 (file)
@@ -23,7 +23,6 @@
 #include <dpl/serialization.h>
 #include <dpl/log/log.h>
 
-#include <crypto-init.h>
 #include <client-manager-impl.h>
 #include <client-common.h>
 #include <exception.h>
@@ -94,7 +93,6 @@ Manager::Impl::Impl()
          m_ocspConnection(SERVICE_SOCKET_OCSP),
          m_encryptionConnection(SERVICE_SOCKET_ENCRYPTION)
 {
-       initOpenSslOnce();
 }
 
 
diff --git a/src/manager/common/crypto-init.cpp b/src/manager/common/crypto-init.cpp
deleted file mode 100644 (file)
index 7fa6671..0000000
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- */
-/*
- * @file       crypto-init.cpp
- * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
- * @version    1.0
- */
-
-#include "crypto-init.h"
-
-#include <mutex>
-#include <atomic>
-#include <functional>
-#include <thread>
-#include <fstream>
-
-#include <openssl/evp.h>
-#include <openssl/crypto.h>
-#include <openssl/ssl.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-
-#include <dpl/log/log.h>
-
-namespace CKM {
-namespace {
-
-const char *DEV_HW_RANDOM_FILE = "/dev/hwrng";
-const char *DEV_URANDOM_FILE = "/dev/urandom";
-const size_t RANDOM_BUFFER_LEN = 32;
-
-void initializeEntropy() // entropy sources - /dev/random,/dev/urandom(Default)
-{
-       int ret = 0;
-
-       std::ifstream ifile(DEV_HW_RANDOM_FILE);
-
-       if (ifile.is_open())
-               ret = RAND_load_file(DEV_HW_RANDOM_FILE, RANDOM_BUFFER_LEN);
-
-       if (ret != RANDOM_BUFFER_LEN) {
-               LogWarning("Error in HW_RAND file load");
-               ret = RAND_load_file(DEV_URANDOM_FILE, RANDOM_BUFFER_LEN);
-
-               if (ret != RANDOM_BUFFER_LEN)
-                       LogError("Error in U_RAND_file_load");
-       }
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-std::mutex *g_mutexes = NULL;
-
-void lockingCallback(int mode, int type, const char *, int)
-{
-       if (!g_mutexes) {
-               LogError("Openssl mutexes do not exist");
-               return;
-       }
-
-       if (mode & CRYPTO_LOCK)
-               g_mutexes[type].lock();
-       else if (mode & CRYPTO_UNLOCK)
-               g_mutexes[type].unlock();
-}
-
-unsigned long threadIdCallback()
-{
-       std::hash<std::thread::id> hasher;
-       return hasher(std::this_thread::get_id());
-}
-
-void opensslInstallLocks()
-{
-       g_mutexes = new std::mutex[CRYPTO_num_locks()];
-
-       CRYPTO_set_id_callback(threadIdCallback);
-       CRYPTO_set_locking_callback(lockingCallback);
-}
-
-void opensslUninstallLocks()
-{
-       CRYPTO_set_id_callback(NULL);
-       CRYPTO_set_locking_callback(NULL);
-
-       delete[] g_mutexes;
-       g_mutexes = NULL;
-}
-
-void initOpenSsl(bool isLib)
-{
-       /*
-        * Initialize libcrypto (add all algorithms, digests & ciphers)
-        * It also does the stuff from SSL_library_init() except for ssl_load_ciphers()
-        */
-       OpenSSL_add_all_algorithms(); // Can be optimized by using EVP_add_cipher instead
-
-       if (isLib)
-               return;
-
-       // below initializes only for executable client. (key-manager daemon)
-
-       initializeEntropy();
-
-       /*
-        *  Initialize libssl (OCSP uses it)
-        *  SSL_library_init() == OpenSSL_add_ssl_algorithms()
-        *  It always returns 1
-        */
-       SSL_library_init();
-
-       // load default configuration (/etc/ssl/openssl.cnf)
-       OPENSSL_config(NULL);
-       // Loads all error strings (crypto and ssl)
-       SSL_load_error_strings();
-
-       // Install locks for multithreading support
-       opensslInstallLocks();
-}
-
-std::mutex cryptoInitMutex;
-
-void initOpenSslAndDetach();
-
-typedef void(*initFnPtr)();
-
-// has to be atomic as storing function pointer is not an atomic operation on armv7l
-std::atomic<initFnPtr> initFn(&initOpenSslAndDetach);
-
-void initEmpty() {}
-
-// this function will be called only once by initOpenSslOnce for library client
-void initOpenSslAndDetach()
-{
-       // DCLP
-       std::lock_guard<std::mutex> lock(cryptoInitMutex);
-
-       /*
-        * We don't care about memory ordering here. Current thread will order it
-        * correctly and for other threads only store matters. Also only one thread
-        * can be here at once because of lock.
-        */
-       if (initFn.load(std::memory_order_relaxed) != &initEmpty) {
-               initOpenSsl(true);
-
-               /*
-                * Synchronizes with load. Everything that happened before this store in
-                * this thread is visible to everything that happens after load in another
-                * thread. We switch to an empty function here.
-                */
-               initFn.store(&initEmpty, std::memory_order_release);
-       }
-}
-#endif
-} // namespace anonymous
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-void initOpenSsl()
-{
-       initOpenSsl(false);
-}
-
-void deinitOpenSsl()
-{
-       opensslUninstallLocks();
-       CONF_modules_free(); // cleanup of OPENSSL_config
-       EVP_cleanup(); // cleanup of OpenSSL_add_all_algorithms
-       ERR_free_strings(); //cleanup of SSL_load_error_strings
-       deinitOpenSslThread();
-}
-
-void deinitOpenSslThread()
-{
-       CRYPTO_cleanup_all_ex_data();
-       ERR_remove_thread_state(NULL);
-}
-
-void initOpenSslOnce()
-{
-       /*
-        * Synchronizes with store. Everything that happened before store in another
-        * thread will be visible in this thread after load.
-        */
-       initFn.load(std::memory_order_acquire)();
-}
-#else
-void initOpenSsl()
-{
-       initializeEntropy();
-}
-
-void deinitOpenSsl() {}
-void deinitOpenSslThread() {}
-void initOpenSslOnce() {}
-#endif
-
-} // namespace CKM
diff --git a/src/manager/common/crypto-init.h b/src/manager/common/crypto-init.h
deleted file mode 100644 (file)
index d8abeca..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-/* Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- *
- *
- * @file        crypto-init.h
- * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version     1.0
- * @brief       Crypto module implementation.
- */
-#pragma once
-
-#include <symbol-visibility.h>
-
-namespace CKM {
-// Remarks!
-//   These functions are used carefully depending on library / executable client.
-//
-//   Init/deinit locking functions are only available for executable client
-//     (it's key-manager daemon)
-//
-//   For library client, locking functions are not supported because it can make
-//   undefined behavior(usually segmentation fault) when the client is used as
-//   plugin(dynamic loaded) because there's probability of openssl's locking function
-//   being init/deinit on multiple plugins.
-
-// Must be called once manually because it'll handle openssl locking functions.
-// Only for server.
-COMMON_API void initOpenSsl();
-COMMON_API void deinitOpenSsl();
-// deinit for every service thread on server.
-COMMON_API void deinitOpenSslThread();
-
-// init for client or common libraries.
-// It'll only do OpenSSL_add_all_algorithms
-COMMON_API void initOpenSslOnce();
-
-} // namespace CKM
index 60f5e45..9d2bf37 100644 (file)
@@ -88,19 +88,12 @@ void errorHandle(const char *file, int line, const char *function, int openssl_r
 
        /* known errors */
        switch (err) {
-#if OPENSSL_VERSION_NUMBER > 0x10100000L
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
-#else /* OPENSSL_VERSION_NUMBER > 0x10100000L */
-       case ERR_PACK(ERR_LIB_RSA, RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS):
-       case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_DATA_TOO_LARGE_FOR_MODULUS):
-       case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
-       case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN):
-#endif /* OPENSSL_VERSION_NUMBER > 0x10100000L */
        case ERR_PACK(ERR_LIB_RSA, RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL):
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY):
        case ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY):
@@ -131,10 +124,6 @@ void errorHandle(const char *file, int line, const char *function, int openssl_r
        case ERR_PACK(ERR_LIB_X509, X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED):
        case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_VERIFY, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE):
        case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_VERIFY, EVP_R_OPERATON_NOT_INITIALIZED):
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_VERIFYFINAL, EVP_R_WRONG_PUBLIC_KEY_TYPE):
-       case ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_VERIFYFINAL, EVP_R_NO_VERIFY_FUNCTION_CONFIGURED):
-#endif
                ret = CKM_API_ERROR_VERIFICATION_FAILED;
                break;
        }
index 17f60a1..814781b 100644 (file)
@@ -25,7 +25,6 @@
 
 #include <dpl/log/log.h>
 
-#include <crypto-init.h>
 #include <pkcs12-impl.h>
 
 #include <certificate-impl.h>
@@ -73,9 +72,6 @@ PKCS12Impl::PKCS12Impl(const RawBuffer &buffer, const Password &password)
                return;
        }
 
-       // needed if parsing is done before manager initialization
-       initOpenSslOnce();
-
        if (!PKCS12_verify_mac(pkcs12, password.c_str(), password.size())) {
                LogDebug("Pkcs12 verify failed. Wrong password");
                return;
index 9a13c03..493d586 100644 (file)
@@ -570,15 +570,9 @@ RawBuffer digestSignMessage(EVP_PKEY *privKey,
        EVP_PKEY_CTX *pctx = NULL;
 
        // Create the Message Digest Context
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       EvpMdCtxUPtr mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_destroy);
-       if (!mdctx.get())
-               ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_create function");
-#else
        EvpMdCtxUPtr mdctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
        if (!mdctx.get())
                ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_new function");
-#endif
 
        OPENSSL_ERROR_HANDLE(EVP_DigestSignInit(mdctx.get(), &pctx, md_algo, NULL, privKey));
 
@@ -643,15 +637,9 @@ int digestVerifyMessage(EVP_PKEY *pubKey,
        EVP_PKEY_CTX *pctx = NULL;
 
        // Create the Message Digest Context
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       EvpMdCtxUPtr mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_destroy);
-       if (!mdctx.get())
-               ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_create function");
-#else
        EvpMdCtxUPtr mdctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
        if (!mdctx.get())
                ThrowErr(Exc::Crypto::InternalError, "Error in EVP_MD_CTX_new function");
-#endif
 
        OPENSSL_ERROR_HANDLE(EVP_DigestVerifyInit(mdctx.get(), &pctx, md_algo, NULL, pubKey));
 
index b5a3dc1..9d8efe9 100644 (file)
@@ -81,17 +81,11 @@ void generateDSAParams(const int sizeBits, CKM::RawBuffer &prime,
 
        // at this stage dsa->p, dsa->q & dsa->r should contain our params
        // extract them into buffers
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       prime = extractBignumData(dsa->p);
-       subprime = extractBignumData(dsa->q);
-       base = extractBignumData(dsa->g);
-#else
        const BIGNUM *p, *q, *g;
        DSA_get0_pqg(dsa.get(), &p, &q, &g);
        prime = extractBignumData(p);
        subprime = extractBignumData(q);
        base = extractBignumData(g);
-#endif
 }
 
 tz_data_type toTzDataType(const CKM::DataType dataType) {
index 47b5c34..bb867b7 100644 (file)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2014 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
 #include <stdlib.h>
 #include <signal.h>
 
+#include <fstream>
+
+#include <openssl/rand.h>
+
 #include <dpl/log/log.h>
 #include <dpl/singleton.h>
 
 #include <ocsp-service.h>
 #include <encryption-service.h>
 #include <glib-service.h>
-#include <crypto-init.h>
 
 #include <key-provider.h>
 #include <file-system.h>
 
+namespace {
+
+const char *DEV_HW_RANDOM_FILE = "/dev/hwrng";
+const char *DEV_URANDOM_FILE = "/dev/urandom";
+const size_t RANDOM_BUFFER_LEN = 32;
+
+void initializeEntropy() // entropy sources - /dev/random,/dev/urandom(Default)
+{
+       int ret = 0;
+
+       std::ifstream ifile(DEV_HW_RANDOM_FILE);
+
+       if (ifile.is_open())
+               ret = RAND_load_file(DEV_HW_RANDOM_FILE, RANDOM_BUFFER_LEN);
+
+       if (ret != RANDOM_BUFFER_LEN) {
+               LogWarning("Error in HW_RAND file load");
+               ret = RAND_load_file(DEV_URANDOM_FILE, RANDOM_BUFFER_LEN);
+
+               if (ret != RANDOM_BUFFER_LEN)
+                       LogError("Error in U_RAND_file_load");
+       }
+}
+
+} // anonymous namespace
+
 #define REGISTER_SOCKET_SERVICE(manager, service) \
        registerSocketService<service>(manager, #service)
 
@@ -91,7 +120,7 @@ int main(void)
 
                LogInfo("Init external libraries SKMM and openssl");
 
-               CKM::initOpenSsl();
+               initializeEntropy();
 
                CKM::KeyProvider::initializeLibrary();
 
@@ -110,8 +139,6 @@ int main(void)
                // Manager has been destroyed and we may close external libraries.
                LogInfo("Deinit SKMM and openssl");
                CKM::KeyProvider::closeLibrary();
-
-               CKM::deinitOpenSsl();
        } catch (const std::runtime_error &e) {
                LogError(e.what());
        }
index dd11452..ac7ea75 100644 (file)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved
+ *  Copyright (c) 2014 - 2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *  Contact: Dongsun Lee <ds73.lee@samsung.com>
  *
@@ -34,8 +34,6 @@
 #include <functional>
 #include <condition_variable>
 
-#include <crypto-init.h>
-
 #include <cstdio>
 
 #include <dpl/exception.h>
@@ -102,9 +100,6 @@ protected:
        static void ThreadLoopStatic(ServiceThread *ptr)
        {
                ptr->ThreadLoop();
-
-               // cleanup openssl in every thread
-               deinitOpenSslThread();
        }
 
        void ThreadLoop()
index 35c05d8..087717f 100644 (file)
@@ -101,7 +101,6 @@ SET(UNIT_TESTS_SOURCES
     ${MANAGER_PATH}/common/base64.cpp
     ${MANAGER_PATH}/common/certificate-impl.cpp
     ${MANAGER_PATH}/common/ckm-zero-memory.cpp
-    ${MANAGER_PATH}/common/crypto-init.cpp
     ${MANAGER_PATH}/common/data-type.cpp
     ${MANAGER_PATH}/common/exception.cpp
     ${MANAGER_PATH}/common/key-impl.cpp