/* * Copyright (C) 2001-2016 Free Software Foundation, Inc. * Copyright (C) 2015-2016 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * * This file is part of GnuTLS. * * The GnuTLS is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . * */ #include "gnutls_int.h" #include "errors.h" #include #include #include #include #include /* for _gnutls_hello_ext_init */ #include /* for _gnutls_supplemental_deinit */ #include #include #include #include #include #include #include #include #include "str.h" #include "global.h" /* Minimum library versions we accept. */ #define GNUTLS_MIN_LIBTASN1_VERSION "0.3.4" #ifdef __sun # pragma fini(lib_deinit) # pragma init(lib_init) # define _CONSTRUCTOR # define _DESTRUCTOR #else # define _CONSTRUCTOR __attribute__((constructor)) # define _DESTRUCTOR __attribute__((destructor)) #endif #ifndef _WIN32 int __attribute__((weak)) _gnutls_global_init_skip(void); int _gnutls_global_init_skip(void) { return 0; } #else inline static int _gnutls_global_init_skip(void) { return 0; } #endif /* created by asn1c */ extern const asn1_static_node gnutls_asn1_tab[]; extern const asn1_static_node pkix_asn1_tab[]; asn1_node _gnutls_pkix1_asn = NULL; asn1_node _gnutls_gnutls_asn = NULL; gnutls_log_func _gnutls_log_func = NULL; gnutls_audit_log_func _gnutls_audit_log_func = NULL; int _gnutls_log_level = 0; /* default log level */ unsigned int _gnutls_global_version = GNUTLS_VERSION_NUMBER; static int _gnutls_global_init(unsigned constructor); static void _gnutls_global_deinit(unsigned destructor); static void default_log_func(int level, const char* str) { fprintf(stderr, "gnutls[%d]: %s", level, str); } /** * gnutls_global_set_log_function: * @log_func: it's a log function * * This is the function where you set the logging function gnutls is * going to use. This function only accepts a character array. * Normally you may not use this function since it is only used for * debugging purposes. * * @gnutls_log_func is of the form, * void (*gnutls_log_func)( int level, const char*); **/ void gnutls_global_set_log_function(gnutls_log_func log_func) { _gnutls_log_func = log_func; } /** * gnutls_global_set_audit_log_function: * @log_func: it is the audit log function * * This is the function to set the audit logging function. This * is a function to report important issues, such as possible * attacks in the protocol. This is different from gnutls_global_set_log_function() * because it will report also session-specific events. The session * parameter will be null if there is no corresponding TLS session. * * @gnutls_audit_log_func is of the form, * void (*gnutls_audit_log_func)( gnutls_session_t, const char*); * * Since: 3.0 **/ void gnutls_global_set_audit_log_function(gnutls_audit_log_func log_func) { _gnutls_audit_log_func = log_func; } /** * gnutls_global_set_time_function: * @time_func: it's the system time function, a gnutls_time_func() callback. * * This is the function where you can override the default system time * function. The application provided function should behave the same * as the standard function. * * Since: 2.12.0 **/ void gnutls_global_set_time_function(gnutls_time_func time_func) { gnutls_time = time_func; } /** * gnutls_global_set_log_level: * @level: it's an integer from 0 to 99. * * This is the function that allows you to set the log level. The * level is an integer between 0 and 9. Higher values mean more * verbosity. The default value is 0. Larger values should only be * used with care, since they may reveal sensitive information. * * Use a log level over 10 to enable all debugging options. **/ void gnutls_global_set_log_level(int level) { _gnutls_log_level = level; } /** * gnutls_global_set_mem_functions: * @alloc_func: it's the default memory allocation function. Like malloc(). * @secure_alloc_func: This is the memory allocation function that will be used for sensitive data. * @is_secure_func: a function that returns 0 if the memory given is not secure. May be NULL. * @realloc_func: A realloc function * @free_func: The function that frees allocated data. Must accept a NULL pointer. * * Deprecated: since 3.3.0 it is no longer possible to replace the internally used * memory allocation functions * * This is the function where you set the memory allocation functions * gnutls is going to use. By default the libc's allocation functions * (malloc(), free()), are used by gnutls, to allocate both sensitive * and not sensitive data. This function is provided to set the * memory allocation functions to something other than the defaults * * This function must be called before gnutls_global_init() is called. * This function is not thread safe. **/ void gnutls_global_set_mem_functions(gnutls_alloc_function alloc_func, gnutls_alloc_function secure_alloc_func, gnutls_is_secure_function is_secure_func, gnutls_realloc_function realloc_func, gnutls_free_function free_func) { _gnutls_debug_log("called the deprecated gnutls_global_set_mem_functions()\n"); } GNUTLS_STATIC_MUTEX(global_init_mutex); static int _gnutls_init = 0; /* cache the return code */ static int _gnutls_init_ret = 0; /** * gnutls_global_init: * * Since GnuTLS 3.3.0 this function is no longer necessary to be explicitly * called. To disable the implicit call (in a library constructor) of this * function set the environment variable %GNUTLS_NO_IMPLICIT_INIT to 1. * * This function performs any required precalculations, detects * the supported CPU capabilities and initializes the underlying * cryptographic backend. In order to free any resources * taken by this call you should gnutls_global_deinit() * when gnutls usage is no longer needed. * * This function increments a global counter, so that * gnutls_global_deinit() only releases resources when it has been * called as many times as gnutls_global_init(). This is useful when * GnuTLS is used by more than one library in an application. This * function can be called many times, but will only do something the * first time. It is thread safe since GnuTLS 3.3.0. * * A subsequent call of this function if the initial has failed will * return the same error code. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, * otherwise a negative error code is returned. **/ int gnutls_global_init(void) { return _gnutls_global_init(0); } static int _gnutls_global_init(unsigned constructor) { int ret = 0, res; int level; const char* e; if (!constructor) { ret = gnutls_static_mutex_lock(&global_init_mutex); if (ret < 0) { return gnutls_assert_val(ret); } } _gnutls_init++; if (_gnutls_init > 1) { ret = _gnutls_init_ret; goto out; } _gnutls_switch_lib_state(LIB_STATE_INIT); e = secure_getenv("GNUTLS_DEBUG_LEVEL"); if (e != NULL) { level = atoi(e); gnutls_global_set_log_level(level); if (_gnutls_log_func == NULL) gnutls_global_set_log_function(default_log_func); _gnutls_debug_log("Enabled GnuTLS "VERSION" logging...\n"); } #ifdef HAVE_DCGETTEXT bindtextdomain(PACKAGE, LOCALEDIR); #endif res = gnutls_crypto_init(); if (res != 0) { gnutls_assert(); ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto out; } ret = _gnutls_system_key_init(); if (ret != 0) { gnutls_assert(); } /* initialize ASN.1 parser */ if (asn1_check_version(GNUTLS_MIN_LIBTASN1_VERSION) == NULL) { gnutls_assert(); _gnutls_debug_log ("Checking for libtasn1 failed: %s < %s\n", asn1_check_version(NULL), GNUTLS_MIN_LIBTASN1_VERSION); ret = GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; goto out; } _gnutls_pkix1_asn = NULL; res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); if (res != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(res); goto out; } res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); if (res != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(res); goto out; } /* Initialize the random generator */ ret = _gnutls_rnd_preinit(); if (ret < 0) { gnutls_assert(); goto out; } /* Initialize the default TLS extensions */ ret = _gnutls_hello_ext_init(); if (ret < 0) { gnutls_assert(); goto out; } ret = gnutls_system_global_init(); if (ret < 0) { gnutls_assert(); goto out; } #ifndef _WIN32 ret = _gnutls_register_fork_handler(); if (ret < 0) { gnutls_assert(); goto out; } #endif #ifdef ENABLE_FIPS140 res = _gnutls_fips_mode_enabled(); /* res == 1 -> fips140-2 mode enabled * res == 2 -> only self checks performed - but no failure * res == not in fips140 mode */ if (res != 0) { _gnutls_debug_log("FIPS140-2 mode: %d\n", res); _gnutls_priority_update_fips(); /* first round of self checks, these are done on the * nettle algorithms which are used internally */ _gnutls_switch_lib_state(LIB_STATE_SELFTEST); ret = _gnutls_fips_perform_self_checks1(); if (ret < 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n"); if (res != 2) { gnutls_assert(); goto out; } } } #endif _gnutls_register_accel_crypto(); _gnutls_cryptodev_init(); _gnutls_afalg_init(); #ifdef ENABLE_FIPS140 /* These self tests are performed on the overridden algorithms * (e.g., AESNI overridden AES). They are after _gnutls_register_accel_crypto() * intentionally */ if (res != 0) { _gnutls_switch_lib_state(LIB_STATE_SELFTEST); ret = _gnutls_fips_perform_self_checks2(); if (ret < 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); if (res != 2) { gnutls_assert(); goto out; } } _gnutls_fips_mode_reset_zombie(); } #endif _gnutls_prepare_to_load_system_priorities(); _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); ret = 0; out: _gnutls_init_ret = ret; if (!constructor) { (void)gnutls_static_mutex_unlock(&global_init_mutex); } return ret; } static void _gnutls_global_deinit(unsigned destructor) { if (!destructor) { if (gnutls_static_mutex_lock(&global_init_mutex) < 0) { return; } } if (_gnutls_init == 1) { _gnutls_init = 0; if (_gnutls_init_ret < 0) { /* only deinitialize if gnutls_global_init() has * succeeded */ gnutls_assert(); goto fail; } _gnutls_system_key_deinit(); gnutls_crypto_deinit(); _gnutls_rnd_deinit(); _gnutls_hello_ext_deinit(); asn1_delete_structure(&_gnutls_gnutls_asn); asn1_delete_structure(&_gnutls_pkix1_asn); _gnutls_crypto_deregister(); gnutls_system_global_deinit(); _gnutls_cryptodev_deinit(); _gnutls_supplemental_deinit(); _gnutls_unload_system_priorities(); #ifdef ENABLE_PKCS11 /* Do not try to deinitialize the PKCS #11 libraries * from the destructor. If we do and the PKCS #11 modules * are already being unloaded, we may crash. */ if (destructor == 0) { gnutls_pkcs11_deinit(); } #endif #ifdef HAVE_TROUSERS _gnutls_tpm_global_deinit(); #endif #ifdef HAVE_TPM2 _gnutls_tpm2_deinit(); #endif _gnutls_nss_keylog_deinit(); } else { if (_gnutls_init > 0) _gnutls_init--; } fail: if (!destructor) { (void)gnutls_static_mutex_unlock(&global_init_mutex); } } /** * gnutls_global_deinit: * * This function deinitializes the global data, that were initialized * using gnutls_global_init(). * * Since GnuTLS 3.3.0 this function is no longer necessary to be explicitly * called. GnuTLS will automatically deinitialize on library destructor. See * gnutls_global_init() for disabling the implicit initialization/deinitialization. * **/ void gnutls_global_deinit(void) { _gnutls_global_deinit(0); } /** * gnutls_check_version: * @req_version: version string to compare with, or %NULL. * * Check the GnuTLS Library version against the provided string. * See %GNUTLS_VERSION for a suitable @req_version string. * * See also gnutls_check_version_numeric(), which provides this * functionality as a macro. * * Returns: Check that the version of the library is at * minimum the one given as a string in @req_version and return the * actual version string of the library; return %NULL if the * condition is not met. If %NULL is passed to this function no * check is done and only the version string is returned. **/ const char *gnutls_check_version(const char *req_version) { if (!req_version || strverscmp(req_version, VERSION) <= 0) return VERSION; return NULL; } static void _CONSTRUCTOR lib_init(void) { int ret; const char *e; if (_gnutls_global_init_skip() != 0) return; e = secure_getenv("GNUTLS_NO_IMPLICIT_INIT"); if (e != NULL) { ret = atoi(e); if (ret == 1) return; } e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT"); if (e != NULL) { _gnutls_debug_log("GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n"); ret = atoi(e); if (ret == 1) return; } ret = _gnutls_global_init(1); if (ret < 0) { fprintf(stderr, "Error in GnuTLS initialization: %s\n", gnutls_strerror(ret)); _gnutls_switch_lib_state(LIB_STATE_ERROR); } } static void _DESTRUCTOR lib_deinit(void) { int ret; const char *e; if (_gnutls_global_init_skip() != 0) return; e = secure_getenv("GNUTLS_NO_IMPLICIT_INIT"); if (e != NULL) { ret = atoi(e); if (ret == 1) return; } e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT"); if (e != NULL) { _gnutls_debug_log("GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n"); ret = atoi(e); if (ret == 1) return; } _gnutls_global_deinit(1); } static const struct gnutls_library_config_st _gnutls_library_config[] = { #ifdef FIPS_MODULE_NAME { "fips-module-name", FIPS_MODULE_NAME }, #endif #ifdef FIPS_MODULE_VERSION { "fips-module-version", FIPS_MODULE_VERSION }, #endif { "libgnutls-soname", GNUTLS_LIBRARY_SONAME }, { "libnettle-soname", NETTLE_LIBRARY_SONAME }, { "libhogweed-soname", HOGWEED_LIBRARY_SONAME }, { "libgmp-soname", GMP_LIBRARY_SONAME }, { "hardware-features", HW_FEATURES }, { "tls-features", TLS_FEATURES }, { "default-system-config", SYSTEM_PRIORITY_FILE }, { NULL, NULL } }; /** * gnutls_get_library_config: * * Returns the library configuration as key value pairs. * Currently defined keys are: * * - fips-module-name: the name of the FIPS140 module * * - fips-module-version: the version of the FIPS140 module * * - libgnutls-soname: the SONAME of the library itself * * - libnettle-soname: the library SONAME of linked libnettle * * - libhogweed-soname: the library SONAME of linked libhogweed * * - libgmp-soname: the library SONAME of linked libgmp * * - hardware-features: enabled hardware support features * * - tls-features: enabled TLS protocol features * * Returns: a NUL-terminated %gnutls_library_config_st array * * Since: 3.7.3 */ const gnutls_library_config_st * gnutls_get_library_config(void) { return _gnutls_library_config; }