File: ssl_init.c

/* ssl_init.c	Common OpenSSL initialization code
 * This is needed for crypto as well as NTS
 */

#include "config.h"
#include "ntp_stdlib.h"
#include "ntp.h"

#include <stdbool.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include "hack-ancient-openssl.h"

#if OPENSSL_VERSION_NUMBER > 0x20000000L
#include <openssl/params.h>
#include <openssl/err.h>
#else
#include <openssl/cmac.h>
#endif

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
/* Registered with atexit() by ssl_init() on pre-1.1 OpenSSL / LibreSSL. */
static void	atexit_ssl_cleanup(void);
#endif

/* Set once ssl_init() has finished; makes repeated calls a no-op. */
static bool ssl_init_done;
/* Allocated by ssl_init() and shared with other modules.  No free path
 * is visible in this file, so they are presumably process-lifetime objects. */
EVP_MD_CTX *digest_ctx;
#if OPENSSL_VERSION_NUMBER > 0x20000000L
/* OpenSSL 3+: CMAC through the EVP_MAC API.  ssl_init() keys this with a
 * throw-away key only so that EVP_MAC_CTX_dup() works on it. */
EVP_MAC_CTX *evp_ctx;
#else
/* OpenSSL < 1.1 / LibreSSL: legacy CMAC_CTX object. */
CMAC_CTX *cmac_ctx;
#endif

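/*
 * ssl_init - one-time OpenSSL/libcrypto setup shared by the crypto and
 * NTS code paths.
 *
 * Idempotent: returns immediately once ssl_init_done has been set.
 * Allocates the file-scope digest_ctx and either evp_ctx (OpenSSL 3+)
 * or cmac_ctx (older OpenSSL / LibreSSL).  Any allocation failure is
 * logged through msyslog() and terminates the process, matching the
 * existing handling of EVP_MAC_fetch/EVP_MAC_CTX_new failures.
 * Returns nothing.
 */
void
ssl_init(void)
{
	unsigned char dummy;

	if (ssl_init_done) {
		return;
	}

#ifndef DISABLE_NTS
	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS|OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
#endif

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
	OpenSSL_add_all_digests();
	OpenSSL_add_all_ciphers();
	atexit(&atexit_ssl_cleanup);
#endif

	/* More initialization help for seccomp */
	/* RAND_poll in OpenSSL on Raspbian needs get{u,g,eu,eg}id() */
	ntp_RAND_bytes(&dummy, 1);

	/* Was unchecked; a NULL here would surface later as a crash in
	 * whichever digest user touched it first. */
	digest_ctx = EVP_MD_CTX_new();
	if (NULL == digest_ctx) {
		msyslog(LOG_ERR, "ssl_init: EVP_MD_CTX_new failed");
		exit(1);
	}
#if OPENSSL_VERSION_NUMBER > 0x20000000L
	{
	EVP_MAC *mac = EVP_MAC_fetch(NULL, "cmac", NULL);
	if (NULL == mac) {
		msyslog(LOG_ERR, "ssl_init: EVP_MAC_fetch failed");
		exit(1);
	}
	evp_ctx = EVP_MAC_CTX_new(mac);
	if (NULL == evp_ctx) {
		msyslog(LOG_ERR, "ssl_init: EVP_MAC_CTX_new failed");
		exit(1);
	}
	// EVP_MAC_free(mac);
	}
/* Barf: EVP_MAC_CTX_dup doesn't work until src gets cipher and key */
	{
	EVP_MAC_CTX *ctx;
	OSSL_PARAM params[3];
	/* Throw-away key whose only purpose is to put evp_ctx into a
	 * dup-able state.  Zeroed so the library never reads indeterminate
	 * stack bytes; it must never be used as real key material. */
	char key[16] = {0};
	char copy[100];		/* OSSL_PARAM vs const */

	/* Probe: a dup of the still-unkeyed context is expected to fail.
	 * NOTE(review): ERR_error_string(err, NULL) formats into a
	 * library-static buffer; acceptable only because this runs once at
	 * startup - confirm no other thread is alive yet. */
	ctx = EVP_MAC_CTX_dup(evp_ctx);
	if (NULL != ctx ) {
		/* Was failing: 2023-feb-20, OpenSSL 3.0.8 */
		unsigned long err = ERR_get_error();
		char * str = ERR_error_string(err, NULL);
		msyslog(LOG_ERR, "ssl_init: first dup worked: %s", str);
		EVP_MAC_CTX_free(ctx);	/* probe copy only; was leaked */
	}

	strlcpy(copy, "AES-128-CBC", sizeof(copy));
	params[0] = OSSL_PARAM_construct_utf8_string("cipher", copy, 0);
	params[1] = OSSL_PARAM_construct_octet_string("key", key, 16);
	params[2] = OSSL_PARAM_construct_end();
	if (0 == EVP_MAC_CTX_set_params(evp_ctx, params)) {
		unsigned long err = ERR_get_error();
		char * str = ERR_error_string(err, NULL);
		msyslog(LOG_ERR, "ssl_init: EVP_MAC_CTX_set_params() failed: %s", str);
	}

	/* Second probe: dup must work now that cipher and key are set. */
	ctx = EVP_MAC_CTX_dup(evp_ctx);
	if (NULL == ctx ) {
		unsigned long err = ERR_get_error();
		char * str = ERR_error_string(err, NULL);
		msyslog(LOG_ERR, "ssl_init: second dup failed: %s", str);
	} else {
		EVP_MAC_CTX_free(ctx);	/* probe copy only; was leaked */
	}
	}
#else
	cmac_ctx = CMAC_CTX_new();
	if (NULL == cmac_ctx) {
		msyslog(LOG_ERR, "ssl_init: CMAC_CTX_new failed");
		exit(1);
	}
#endif
	ssl_init_done = true;
}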


#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
/*
 * atexit_ssl_cleanup - atexit() hook used on pre-1.1 OpenSSL / LibreSSL.
 * Releases the digest/cipher tables loaded by ssl_init() exactly once;
 * does nothing if ssl_init() never completed.
 */
static void
atexit_ssl_cleanup(void)
{
	if (ssl_init_done) {
		/* Clear the flag first so a re-entrant call cannot run EVP_cleanup() twice. */
		ssl_init_done = false;
		EVP_cleanup();
	}
}
#endif