https://github.com/tobez/validns/pull/71 Index: rrsig.c --- rrsig.c.orig +++ rrsig.c @@ -26,7 +26,7 @@ struct verification_data { struct verification_data *next; - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; struct rr_dnskey *key; struct rr_rrsig *rr; int ok; @@ -180,7 +180,7 @@ void *verification_thread(void *dummy) if (d) { int r; d->next = NULL; - r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); + r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); if (r == 1) { d->ok = 1; } else { @@ -232,7 +232,7 @@ static void schedule_verification(struct verification_ } else { int r; G.stats.signatures_verified++; - r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); + r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); if (r == 1) { d->ok = 1; } else { @@ -250,21 +250,22 @@ static int verify_signature(struct verification_data * struct rr *signed_rr; int i; - EVP_MD_CTX_init(&d->ctx); + if ((d->ctx = EVP_MD_CTX_new()) == NULL) + return 0; switch (d->rr->algorithm) { case ALG_DSA: case ALG_RSASHA1: case ALG_DSA_NSEC3_SHA1: case ALG_RSASHA1_NSEC3_SHA1: - if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1) + if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1) return 0; break; case ALG_RSASHA256: - if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1) + if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1) return 0; break; case ALG_RSASHA512: - if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1) + if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1) return 0; break; default: @@ -274,7 +275,7 @@ static int verify_signature(struct verification_data * chunk = rrsig_wirerdata_ex(&d->rr->rr, 0); if (chunk.length < 0) return 0; - EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); + EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length); set = getmem_temp(sizeof(*set) * signed_set->count); @@ -294,12 +295,12 @@ static int verify_signature(struct verification_data * chunk = name2wire_name(signed_set->named_rr->name); if (chunk.length < 0) return 0; - EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); - b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2); - b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2); - b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4); - b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2); - EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length); + EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length); + b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2); + b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2); + b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4); + b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2); + EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length); } schedule_verification(d); @@ -371,49 +372,12 @@ static void *rrsig_validate(struct rr *rrv) return rr; } -static pthread_mutex_t *lock_cs; -static long *lock_count; - -static unsigned long pthreads_thread_id(void) -{ - unsigned long ret; - - ret=(unsigned long)pthread_self(); - return(ret); -} - -static void pthreads_locking_callback(int mode, int type, char *file, int line) -{ - if (mode & CRYPTO_LOCK) { - pthread_mutex_lock(&(lock_cs[type])); - lock_count[type]++; - } else { - pthread_mutex_unlock(&(lock_cs[type])); - } -} - void verify_all_keys(void) { struct keys_to_verify *k = all_keys_to_verify; int i; struct timespec sleep_time; - ERR_load_crypto_strings(); - if (G.opt.n_threads > 1) { - lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); - lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); - for (i = 0; i < CRYPTO_num_locks(); i++) { - lock_count[i] = 0; - pthread_mutex_init(&lock_cs[i],NULL); - } - - CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id); - CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback); - - if (pthread_mutex_init(&queue_lock, NULL) != 0) - croak(1, "pthread_mutex_init"); - } - while (k) { freeall_temp(); for (i = 0; i < k->n_keys; i++) { @@ -440,6 +404,7 @@ void verify_all_keys(void) if (k->to_verify[i].openssl_error != 0) e = k->to_verify[i].openssl_error; } + EVP_MD_CTX_free(k->to_verify[i].ctx); } if (!ok) { struct named_rr *named_rr;