From 39aef50b9b942c409bbf6efb94c603f58f594c91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Thu, 8 Aug 2024 10:59:49 +0200
Subject: [PATCH] Move the dst__openssl_toresult to isc_tls unit
Since the enable_fips_mode() now resides inside the isc_tls unit, BIND 9 would fail to compile when FIPS mode was enabled as the DST subsystem logging functions were missing. Move the crypto library logging functions from the openssl_link unit to isc_tls unit and enhance it, so it can now be used from both places keeping the old dst__openssl_toresult* macros alive.
---
 lib/dns/Makefile.am | 1 -
 lib/dns/dst_openssl.h | 23 +++++------
 lib/dns/openssl_link.c | 84 ---------------------------------------
 lib/dns/openssl_shim.c | 27 -------------
 lib/dns/openssl_shim.h | 6 ---
 lib/isc/include/isc/tls.h | 8 ++++
 lib/isc/openssl_shim.c | 14 +++++++
 lib/isc/openssl_shim.h | 6 +++
 lib/isc/tls.c | 75 +++++++++++++++++++++++++++++++++-
 tests/dns/rdata_test.c | 5 ++-
 10 files changed, 115 insertions(+), 134 deletions(-)
 delete mode 100644 lib/dns/openssl_shim.c
diff --git a/lib/dns/Makefile.am b/lib/dns/Makefile.am
index 2e6f8d6961..18c02d8f3d 100644
--- a/lib/dns/Makefile.am
+++ b/lib/dns/Makefile.am
@@ -205,7 +205,6 @@ libdns_la_SOURCES = \
 nsec3.c \
 nta.c \
 openssl_link.c \
- openssl_shim.c \
 openssl_shim.h \
 opensslecdsa_link.c \
 openssleddsa_link.c \
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index f4ff5cc46e..55e54380cb 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -23,23 +23,18 @@
 #include
 #include
 #include
+#include
 ISC_LANG_BEGINDECLS
-isc_result_t
-dst__openssl_toresult(isc_result_t fallback);
-
-#define dst__openssl_toresult2(A, B) \
- dst___openssl_toresult2(A, B, __FILE__, __LINE__)
-isc_result_t
-dst___openssl_toresult2(const char *funcname, isc_result_t fallback,
- const char *file, int line);
-
-#define dst__openssl_toresult3(A, B, C) \
- dst___openssl_toresult3(A, B, C, __FILE__, __LINE__)
-isc_result_t
-dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname,
- isc_result_t fallback, const char *file, int line);
+#define dst__openssl_toresult(fallback) \
+ isc__tlserr2result(NULL, NULL, NULL, fallback, __FILE__, __LINE__)
+#define dst__openssl_toresult2(funcname, fallback) \
+ isc__tlserr2result(DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO, \
+ funcname, fallback, __FILE__, __LINE__)
+#define dst__openssl_toresult3(category, funcname, fallback) \
+ isc__tlserr2result(category, DNS_LOGMODULE_CRYPTO, funcname, fallback, \
+ __FILE__, __LINE__)
 isc_result_t
 dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin,
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 57638a9245..6ae723646f 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
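Review bot: The three replacement macros call the double-underscore `isc__tlserr2result()` directly even though tls.h in this same patch exports the public `isc_tlserr2result()` wrapper that supplies `__FILE__`/`__LINE__` itself; since those two tokens expand at the outermost invocation site either way, the libdns macros could be written as e.g. `isc_tlserr2result(DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO, funcname, fallback)` and stay off the private entry point. The behavioural difference between the three is also not visible from their names: `dst__openssl_toresult()` passes a NULL category, which per the tls.c implementation in this patch clears the OpenSSL error queue without logging anything, while the `2`/`3` variants log the whole queue under `DNS_LOGMODULE_CRYPTO`. A one-line comment above each macro stating whether it logs, e.g. `/* Convert and clear the OpenSSL error queue without logging. */` on the first, would help callers pick the right one.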
@@ -54,90 +54,6 @@
 goto err; \
 }
-static isc_result_t
-toresult(isc_result_t fallback) {
- isc_result_t result = fallback;
- unsigned long err = ERR_peek_error();
-#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
- int lib = ERR_GET_LIB(err);
-#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
- int reason = ERR_GET_REASON(err);
-
- switch (reason) {
- /*
- * ERR_* errors are globally unique; others
- * are unique per sublibrary
- */
- case ERR_R_MALLOC_FAILURE:
- result = ISC_R_NOMEMORY;
- break;
- default:
-#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
- if (lib == ERR_R_ECDSA_LIB &&
- reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
- {
- result = ISC_R_NOENTROPY;
- break;
- }
-#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
- break;
- }
-
- return (result);
-}
-
-isc_result_t
-dst__openssl_toresult(isc_result_t fallback) {
- isc_result_t result;
-
- result = toresult(fallback);
-
- ERR_clear_error();
- return (result);
-}
-
-isc_result_t
-dst___openssl_toresult2(const char *funcname, isc_result_t fallback,
- const char *file, int line) {
- return (dst___openssl_toresult3(DNS_LOGCATEGORY_GENERAL, funcname,
- fallback, file, line));
-}
-
-isc_result_t
-dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname,
- isc_result_t fallback, const char *file, int line) {
- isc_result_t result;
- unsigned long err;
- const char *func, *data;
- int flags;
- char buf[256];
-
- result = toresult(fallback);
-
- isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
- "%s (%s:%d) failed (%s)", funcname, file, line,
- isc_result_totext(result));
-
- if (result == ISC_R_NOMEMORY) {
- goto done;
- }
-
- for (;;) {
- err = ERR_get_error_all(&file, &line, &func, &data, &flags);
- if (err == 0U) {
- goto done;
- }
- ERR_error_string_n(err, buf, sizeof(buf));
- isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO,
- ISC_LOG_INFO, "%s:%s:%d:%s", buf, file, line,
- ((flags & ERR_TXT_STRING) != 0) ?
data : "");
- }
-
-done:
- ERR_clear_error();
- return (result);
-}
-
 static isc_result_t
 dst__openssl_fromlabel_provider(int key_base_id, const char *label,
 const char *pin, EVP_PKEY **ppub,
diff --git a/lib/dns/openssl_shim.c b/lib/dns/openssl_shim.c
deleted file mode 100644
index 1034713b8d..0000000000
--- a/lib/dns/openssl_shim.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include "openssl_shim.h"
-
-#include
-
-#if !HAVE_ERR_GET_ERROR_ALL
-static const char err_empty_string = '\0';
-
-unsigned long
-ERR_get_error_all(const char **file, int *line, const char **func,
- const char **data, int *flags) {
- SET_IF_NOT_NULL(func, &err_empty_string);
- return (ERR_get_error_line_data(file, line, data, flags));
-}
-#endif /* if !HAVE_ERR_GET_ERROR_ALL */
diff --git a/lib/dns/openssl_shim.h b/lib/dns/openssl_shim.h
index 72d462d0bd..215cd363a8 100644
--- a/lib/dns/openssl_shim.h
+++ b/lib/dns/openssl_shim.h
@@ -28,12 +28,6 @@
 #define RSA_MAX_PUBEXP_BITS 35
 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
-#if !HAVE_ERR_GET_ERROR_ALL
-unsigned long
-ERR_get_error_all(const char **file, int *line, const char **func,
- const char **data, int *flags);
-#endif /* if !HAVE_ERR_GET_ERROR_ALL */
-
 #if !HAVE_EVP_PKEY_EQ
 #define EVP_PKEY_eq EVP_PKEY_cmp
 #endif
diff --git a/lib/isc/include/isc/tls.h b/lib/isc/include/isc/tls.h
index 75ad88df46..7d96dda4f0 100644
--- a/lib/isc/include/isc/tls.h
+++ b/lib/isc/include/isc/tls.h
@@ -615,3 +615,11 @@ isc__tls_shutdown(void);
 void
 isc__tls_setdestroycheck(bool check);
+
+#define isc_tlserr2result(category, module, funcname, fallback) \
+ isc__tlserr2result(category, module, funcname, fallback, __FILE__, \
+ __LINE__)
+isc_result_t
+isc__tlserr2result(isc_logcategory_t *category, isc_logmodule_t *module,
+ const char *funcname, isc_result_t fallback,
+ const char *file, int line);
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index 6b1f3c6909..38543573db 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -16,11 +16,14 @@
 #include
 #include
+#include
 #include
 #include
 #include
 #include
+#include
+
 #include "openssl_shim.h"
 #if !HAVE_BIO_READ_EX
@@ -57,3 +60,14 @@ SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
 SSL_CTX_set_cert_store(ctx, store);
 }
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
+
+#if !HAVE_ERR_GET_ERROR_ALL
+static const char err_empty_string = '\0';
+
+unsigned long
+ERR_get_error_all(const char **file, int *line, const char **func,
+ const char **data, int *flags) {
+ SET_IF_NOT_NULL(func, &err_empty_string);
+ return (ERR_get_error_line_data(file, line, data, flags));
+}
+#endif /* if !HAVE_ERR_GET_ERROR_ALL */
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index 7817a248fe..dc5d7e82b4 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -37,3 +37,9 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
 void
 SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
+
+#if !HAVE_ERR_GET_ERROR_ALL
+unsigned long
+ERR_get_error_all(const char **file, int *line, const char **func,
+ const char **data, int *flags);
+#endif /* if !HAVE_ERR_GET_ERROR_ALL */
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 7c8d684c2d..55e7f206de 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
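Review bot: The new `isc_tlserr2result()` macro and `isc__tlserr2result()` prototype land in a public header without any comment describing their contract. From the tls.c implementation in this patch, the properties a caller needs are: the function maps the head of the calling thread's OpenSSL error queue to an `isc_result_t` (returning `fallback` unless it resolves to `ISC_R_NOMEMORY` or `ISC_R_NOENTROPY`), logs the first error at WARNING and the remaining queue entries at INFO under `category`/`module` only when `category` is non-NULL, and always clears the error queue before returning. I would add a block comment above the macro stating those three points, plus that `funcname` must be non-NULL whenever `category` is, because it is fed to a `%s` conversion. The documentation style of the rest of this header is outside the hunk, so match whatever it uses.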
@@ -137,7 +137,8 @@ enable_fips_mode(void) {
 }
 if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
- dst__openssl_toresult2("FIPS_mode_set", DST_R_OPENSSLFAILURE);
+ isc_tlserr2result(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_OTHER,
+ "FIPS_mode_set", ISC_R_CRYPTOFAILURE);
 exit(EXIT_FAILURE);
 }
 #endif
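Review bot: The result of `isc_tlserr2result()` is discarded on the added lines; the call is evidently made only for its side effect of logging and clearing the OpenSSL error queue before `exit(EXIT_FAILURE)`, but read cold it looks like a dropped return value. Making that explicit, e.g. `(void)isc_tlserr2result(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_OTHER,` / `"FIPS_mode_set", ISC_R_CRYPTOFAILURE);`, or a short comment such as `/* Log the OpenSSL error queue; the mapped result is irrelevant since we exit. */`, keeps the intent clear for the next reader. The enclosing `enable_fips_mode()` starts and ends outside the hunk, and the fail-closed `exit()` when FIPS mode cannot be enabled is unchanged here.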
@@ -1652,3 +1653,75 @@ isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx) {
 RUNTIME_CHECK(
 SSL_CTX_set_session_id_context(ctx, session_id_ctx, len) == 1);
 }
+
+static isc_result_t
+isc__tls_toresult(isc_result_t fallback) {
+ isc_result_t result = fallback;
+ unsigned long err = ERR_peek_error();
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+ int lib = ERR_GET_LIB(err);
+#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
+ int reason = ERR_GET_REASON(err);
+
+ switch (reason) {
+ /*
+ * ERR_* errors are globally unique; others
+ * are unique per sublibrary
+ */
+ case ERR_R_MALLOC_FAILURE:
+ result = ISC_R_NOMEMORY;
+ break;
+ default:
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+ if (lib == ERR_R_ECDSA_LIB &&
+ reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+ {
+ result = ISC_R_NOENTROPY;
+ break;
+ }
+#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
+ break;
+ }
+
+ return (result);
+}
+
+isc_result_t
+isc__tlserr2result(isc_logcategory_t *category, isc_logmodule_t *module,
+ const char *funcname, isc_result_t fallback,
+ const char *file, int line) {
+ isc_result_t result = isc__tls_toresult(fallback);
+
+ if (category == NULL) {
+ goto done;
+ }
+
+ isc_log_write(isc_lctx, category, module, ISC_LOG_WARNING,
+ "%s (%s:%d) failed (%s)", funcname, file, line,
+ isc_result_totext(result));
+
+ if (result == ISC_R_NOMEMORY) {
+ goto done;
+ }
+
+ for (;;) {
+ const char *func, *data;
+ int flags;
+ unsigned long err = ERR_get_error_all(&file, &line, &func,
+ &data, &flags);
+ if (err == 0U) {
+ break;
+ }
+
+ char buf[256];
+ ERR_error_string_n(err, buf, sizeof(buf));
+
+ isc_log_write(isc_lctx, category, module, ISC_LOG_INFO,
+ "%s:%s:%d:%s", buf, file, line,
+ ((flags & ERR_TXT_STRING) != 0) ? data : "");
+ }
+
+done:
+ ERR_clear_error();
+ return (result);
+}
diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c
index 2b675b1864..60069093ef 100644
--- a/tests/dns/rdata_test.c
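Review bot: `isc__tlserr2result()` guards only `category` against NULL, yet `funcname` is then passed unconditionally to the `%s` conversion in the first `isc_log_write()` call; the `dst__openssl_toresult()` macro in dst_openssl.h passes NULL for category, module and funcname alike, which is safe only because the category check short-circuits first, and any caller of the now-public `isc_tlserr2result()` that supplies a category but no function name would hit undefined behaviour. A contract check at the top of the function such as `REQUIRE(category == NULL || funcname != NULL);` would make that explicit; whether `isc_log_write()` tolerates a NULL `module` alongside a non-NULL category I cannot tell from here, so the same check may want to cover `module` too. Separately, `func` is fetched from `ERR_get_error_all()` inside the loop and never read — inherited from the dst version, but since this is a fresh function it could pass NULL for that argument (the `ERR_get_error_all()` shim in this patch already uses `SET_IF_NOT_NULL` for it, and as far as I know OpenSSL's own implementation accepts NULL there) and drop the unused local.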
+++ b/tests/dns/rdata_test.c
@@ -24,7 +24,6 @@
 #define UNIT_TESTING
 #include
-#include
 #include
@@ -37,6 +36,10 @@
 #include
+#include "../isc/openssl_shim.c"
+#include "../isc/openssl_shim.h"
+#include "openssl_shim.h"
+
 #include
 static bool debug = false;
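Review bot: `#include "../isc/openssl_shim.h"` on the line after `#include "../isc/openssl_shim.c"` is redundant: the shim source already includes its own header (visible in the lib/isc/openssl_shim.c hunk of this patch), so that second line can be dropped. Pulling the `.c` into the test translation unit also compiles a second, non-static `ERR_get_error_all()` when `HAVE_ERR_GET_ERROR_ALL` is unset, next to the one libisc now builds; whether that collides depends on how the test binary links, and I assume it mirrors the previous arrangement with the libdns shim, but it is worth confirming on a build against an OpenSSL that lacks `ERR_get_error_all()`. Both hunks here are preprocessor lines outside any function.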