Put sha256 context init/shutdown under a RAII wrapper (microsoft#7251)

Author: maxtropets

CHANGELOG.md

@@ -18,6 +18,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - Correctly validate the full AMD ASK endorsement chain (#7233)
 
+### Removed
+
+- Removed `ccf::crypt::openssl_sha256_init()` and `ccf::crypt::openssl_sha256_shutdown()` interface, as it's now implicitly called by the crypto implementation (#7251).
+
 ## [7.0.0-dev2]
 
 [7.0.0-dev2]: https://github.com/microsoft/CCF/releases/tag/ccf-7.0.0-dev2

include/ccf/crypto/openssl_init.h

@@ -3,13 +3,95 @@
 
 #include "crypto/openssl/hash.h"
 
-#include "ccf/crypto/openssl_init.h"
-
 #include <limits>
 #include <openssl/evp.h>
 #include <openssl/sha.h>
 #include <stdexcept>
 
+namespace
+{
+  struct Sha256Context
+  {
+    Sha256Context()
+    {
+      openssl_sha256_init();
+    }
+
+    Sha256Context(const Sha256Context&) = delete;
+    Sha256Context& operator=(const Sha256Context&) = delete;
+
+    Sha256Context(Sha256Context&&) = delete;
+    Sha256Context& operator=(Sha256Context&&) = delete;
+
+    ~Sha256Context()
+    {
+      openssl_sha256_shutdown();
+    }
+
+    [[nodiscard]] EVP_MD_CTX* get_basectx() const
+    {
+      return basectx;
+    }
+
+    [[nodiscard]] EVP_MD_CTX* get_mdctx() const
+    {
+      return mdctx;
+    }
+
+  private:
+    void openssl_sha256_init()
+    {
+      if (mdctx != nullptr || basectx != nullptr)
+      {
+        throw std::logic_error(
+          "openssl_sha256_init: double-init of the context");
+      }
+
+      mdctx = EVP_MD_CTX_new();
+      if (mdctx == nullptr)
+      {
+        throw std::logic_error("openssl_sha256_init: failed to create mdctx");
+      }
+
+      basectx = EVP_MD_CTX_new();
+      if (basectx == nullptr)
+      {
+        mdctx = nullptr;
+        throw std::logic_error("openssl_sha256_init: failed to create basectx");
+      }
+
+      if (EVP_DigestInit_ex(basectx, EVP_sha256(), nullptr) != 1)
+      {
+        mdctx = nullptr;
+        basectx = nullptr;
+        throw std::logic_error("EVP_DigestInit_ex failed");
+      }
+
+      EVP_MD_CTX* mdctx{nullptr};
+      EVP_MD_CTX* basectx{nullptr};
+    }
+
+    void openssl_sha256_shutdown()
+    {
+      if (mdctx != nullptr)
+      {
+        EVP_MD_CTX_free(mdctx);
+        mdctx = nullptr;
+      }
+      if (basectx != nullptr)
+      {
+        EVP_MD_CTX_free(basectx);
+        basectx = nullptr;
+      }
+    }
+
+    EVP_MD_CTX* basectx{nullptr};
+    EVP_MD_CTX* mdctx{nullptr};
+  };
+
+  thread_local const Sha256Context sha256_context{};
+}
+
 namespace ccf::crypto
 {
   namespace OpenSSL
@@ -55,52 +137,6 @@ namespace ccf::crypto
 
   using namespace OpenSSL;
 
-  namespace
-  {
-    thread_local EVP_MD_CTX* mdctx = nullptr;
-    thread_local EVP_MD_CTX* basectx = nullptr;
-  }
-
-  void openssl_sha256_init()
-  {
-    if (mdctx != nullptr || basectx != nullptr)
-    {
-      return; // Already initialised
-    }
-
-    mdctx = EVP_MD_CTX_new();
-    if (mdctx == nullptr)
-    {
-      throw std::logic_error("openssl_sha256_init: failed to create mdctx");
-    }
-    basectx = EVP_MD_CTX_new();
-    if (basectx == nullptr)
-    {
-      mdctx = nullptr;
-      throw std::logic_error("openssl_sha256_init: failed to create basectx");
-    }
-    if (EVP_DigestInit_ex(basectx, EVP_sha256(), nullptr) != 1)
-    {
-      mdctx = nullptr;
-      basectx = nullptr;
-      throw std::logic_error("EVP_DigestInit_ex failed");
-    }
-  }
-
-  void openssl_sha256_shutdown()
-  {
-    if (mdctx != nullptr)
-    {
-      EVP_MD_CTX_free(mdctx);
-      mdctx = nullptr;
-    }
-    if (basectx != nullptr)
-    {
-      EVP_MD_CTX_free(basectx);
-      basectx = nullptr;
-    }
-  }
-
   void openssl_sha256(const std::span<const uint8_t>& data, uint8_t* h)
   {
     // EVP_Digest calls are notoriously slow with OpenSSL 3.x (see
@@ -109,6 +145,9 @@ namespace ccf::crypto
     // and reusing them between calls. This is about 2x faster than EVP_Digest
     // for 128-byte buffers.
 
+    auto* const mdctx = sha256_context.get_mdctx();
+    auto* const basectx = sha256_context.get_basectx();
+
     if (mdctx == nullptr || basectx == nullptr)
     {
       throw std::logic_error(
@@ -120,11 +159,13 @@ namespace ccf::crypto
     {
       throw std::logic_error(fmt::format("EVP_MD_CTX_copy_ex failed: {}", rc));
     }
+
     rc = EVP_DigestUpdate(mdctx, data.data(), data.size());
     if (rc != 1)
     {
       throw std::logic_error(fmt::format("EVP_DigestUpdate failed: {}", rc));
     }
+
     rc = EVP_DigestFinal_ex(mdctx, h, nullptr);
     if (rc != 1)
     {

src/crypto/openssl/hash.cpp

@@ -6,7 +6,6 @@
 #include "ccf/crypto/hash_provider.h"
 #include "ccf/crypto/hmac.h"
 #include "ccf/crypto/key_pair.h"
-#include "ccf/crypto/openssl_init.h"
 #include "ccf/crypto/sha256.h"
 #include "ccf/crypto/symmetric_key.h"
 #include "crypto/openssl/base64.h"
@@ -343,8 +342,6 @@ namespace Hashes
 template <size_t size>
 static void sha256_bench(picobench::state& s)
 {
-  ccf::crypto::openssl_sha256_init();
-
   std::vector<uint8_t> v(size);
   for (size_t i = 0; i < size; ++i)
   {
@@ -359,7 +356,6 @@ static void sha256_bench(picobench::state& s)
     ccf::crypto::openssl_sha256(v, h.h.data());
   }
   s.stop_timer();
-  ccf::crypto::openssl_sha256_shutdown();
 }
 
 // Variant of the code above that uses the OpenSSL API

src/crypto/test/bench.cpp

@@ -9,7 +9,6 @@
 #include "ccf/crypto/jwk.h"
 #include "ccf/crypto/key_pair.h"
 #include "ccf/crypto/key_wrap.h"
-#include "ccf/crypto/openssl_init.h"
 #include "ccf/crypto/rsa_key_pair.h"
 #include "ccf/crypto/symmetric_key.h"
 #include "ccf/crypto/verifier.h"
@@ -1150,7 +1149,6 @@ TEST_CASE("PEM to JWK and back")
 
 TEST_CASE("Incremental hash")
 {
-  ccf::crypto::openssl_sha256_init();
   auto simple_hash = ccf::crypto::Sha256Hash(contents);
 
   INFO("Incremental hash");
@@ -1191,7 +1189,6 @@ TEST_CASE("Incremental hash")
       REQUIRE_THROWS_AS(ihash->finalise(), std::logic_error);
     }
   }
-  ccf::crypto::openssl_sha256_shutdown();
 }
 
 TEST_CASE("Sign and verify with RSA key")

src/crypto/test/crypto.cpp

@@ -2,7 +2,6 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 #include "ccf/app_interface.h"
-#include "ccf/crypto/openssl_init.h"
 #include "ccf/ds/logger.h"
 #include "ccf/js/core/context.h"
 #include "ccf/node_context.h"
@@ -94,8 +93,6 @@ namespace ccf
       rpc_map(std::make_shared<RPCMap>()),
       rpcsessions(std::make_shared<RPCSessions>(*writer_factory, rpc_map))
     {
-      ccf::crypto::openssl_sha256_init();
-
       to_host = writer_factory->create_writer_to_outside();
 
       LOG_TRACE_FMT("Creating ledger secrets");
@@ -183,7 +180,6 @@ namespace ccf
     ~Enclave()
     {
       LOG_TRACE_FMT("Shutting down enclave");
-      ccf::crypto::openssl_sha256_shutdown();
     }
 
     CreateNodeStatus create_new_node(
@@ -237,7 +233,6 @@ namespace ccf
 
     bool run_main()
     {
-      ccf::crypto::openssl_sha256_init();
       LOG_DEBUG_FMT("Running main thread");
 
       {
@@ -421,8 +416,6 @@ namespace ccf
         LOG_INFO_FMT("Enclave stopped successfully. Stopping host...");
         RINGBUFFER_WRITE_MESSAGE(AdminMessage::stopped, to_host);
 
-        ccf::crypto::openssl_sha256_shutdown();
-
         return true;
       }
     }
@@ -439,7 +432,6 @@ namespace ccf
 
     bool run_worker()
     {
-      ccf::crypto::openssl_sha256_init();
       LOG_DEBUG_FMT("Running worker thread");
 
       {
@@ -449,7 +441,6 @@ namespace ccf
           msg->data.tid, std::move(msg));
 
         ::threading::ThreadMessaging::instance().run();
-        ccf::crypto::openssl_sha256_shutdown();
       }
 
       return true;

src/enclave/enclave.h

@@ -3,7 +3,6 @@
 
 #include "ccf/run.h"
 
-#include "ccf/crypto/openssl_init.h"
 #include "ccf/crypto/pem.h"
 #include "ccf/crypto/symmetric_key.h"
 #include "ccf/ds/logger.h"
@@ -112,8 +111,6 @@ namespace ccf
       return 1;
     }
 
-    ccf::crypto::openssl_sha256_init();
-
     CLI::App app{
       "Run a single CCF node, based on the given configuration file.\n"
       "Some parameters are marked \"(security critical)\" - these must be "
@@ -1032,7 +1029,6 @@ namespace ccf
       uv_walk(uv_default_loop(), cb, nullptr);
     }
     curl_global_cleanup();
-    ccf::crypto::openssl_sha256_shutdown();
 
     return loop_close_rc;
   }

src/host/run.cpp

@@ -2,7 +2,6 @@
 // Licensed under the Apache 2.0 License.
 #include "host/ledger.h"
 
-#include "ccf/crypto/openssl_init.h"
 #include "ccf/crypto/sha256_hash.h"
 #include "ccf/ds/logger.h"
 #include "crypto/openssl/hash.h"
@@ -2029,11 +2028,9 @@ TEST_CASE("Ledger init with existing files")
 int main(int argc, char** argv)
 {
   ccf::logger::config::default_init();
-  ccf::crypto::openssl_sha256_init();
   doctest::Context context;
   context.applyCommandLine(argc, argv);
   int res = context.run();
-  ccf::crypto::openssl_sha256_shutdown();
   if (context.shouldExit())
     return res;
   return res;