/*
 * Copyright (C) 2001-2016 Free Software Foundation, Inc.
 * Copyright (C) 2015-2016 Red Hat, Inc.
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 */

#include "gnutls_int.h"
#include "errors.h"
#include <libtasn1.h>
#include <dh.h>
#include <random.h>
#include <gnutls/pkcs11.h>

#include <hello_ext.h>	/* for _gnutls_hello_ext_init */
#include <supplemental.h> /* for _gnutls_supplemental_deinit */
#include <locks.h>
#include <system.h>
#include <accelerated/cryptodev.h>
#include <accelerated/afalg.h>
#include <accelerated/accelerated.h>
#include <fips.h>
#include <atfork.h>
#include <system-keys.h>
#include "str.h"
#include "global.h"

/* Minimum library versions we accept. */
#define GNUTLS_MIN_LIBTASN1_VERSION "0.3.4"

#ifdef __sun
# pragma fini(lib_deinit)
# pragma init(lib_init)
# define _CONSTRUCTOR
# define _DESTRUCTOR
#else
# define _CONSTRUCTOR __attribute__((constructor))
# define _DESTRUCTOR __attribute__((destructor))
#endif

#ifndef _WIN32
int __attribute__((weak)) _gnutls_global_init_skip(void);
int _gnutls_global_init_skip(void)
{
	return 0;
}
#else
inline static int _gnutls_global_init_skip(void)
{
	return 0;
}
#endif

/* created by asn1c */
extern const asn1_static_node gnutls_asn1_tab[];
extern const asn1_static_node pkix_asn1_tab[];

asn1_node _gnutls_pkix1_asn = NULL;
asn1_node _gnutls_gnutls_asn = NULL;

gnutls_log_func _gnutls_log_func = NULL;
gnutls_audit_log_func _gnutls_audit_log_func = NULL;
int _gnutls_log_level = 0;	/* default log level */

unsigned int _gnutls_global_version = GNUTLS_VERSION_NUMBER;

static int _gnutls_global_init(unsigned constructor);
static void _gnutls_global_deinit(unsigned destructor);

static void default_log_func(int level, const char* str)
{
	fprintf(stderr, "gnutls[%d]: %s", level, str);
}

/**
 * gnutls_global_set_log_function:
 * @log_func: it's a log function
 *
 * This is the function where you set the logging function gnutls is
 * going to use.  This function only accepts a character array.
 * Normally you may not use this function since it is only used for
 * debugging purposes.
 *
 * @gnutls_log_func is of the form,
 * void (*gnutls_log_func)( int level, const char*);
 **/
void gnutls_global_set_log_function(gnutls_log_func log_func)
{
	_gnutls_log_func = log_func;
}

/**
 * gnutls_global_set_audit_log_function:
 * @log_func: it is the audit log function
 *
 * This is the function to set the audit logging function. This
 * is a function to report important issues, such as possible
 * attacks in the protocol. This is different from gnutls_global_set_log_function()
 * because it will report also session-specific events. The session
 * parameter will be null if there is no corresponding TLS session.
 *
 * @gnutls_audit_log_func is of the form,
 * void (*gnutls_audit_log_func)( gnutls_session_t, const char*);
 *
 * Since: 3.0
 **/
void gnutls_global_set_audit_log_function(gnutls_audit_log_func log_func)
{
	_gnutls_audit_log_func = log_func;
}

/**
 * gnutls_global_set_time_function:
 * @time_func: it's the system time function, a gnutls_time_func() callback.
 *
 * This is the function where you can override the default system time
 * function.  The application provided function should behave the same
 * as the standard function.
 *
 * Since: 2.12.0
 **/
void gnutls_global_set_time_function(gnutls_time_func time_func)
{
	gnutls_time = time_func;
}

/**
 * gnutls_global_set_log_level:
 * @level: it's an integer from 0 to 99.
 *
 * This is the function that allows you to set the log level.  The
 * level is an integer between 0 and 9.  Higher values mean more
 * verbosity. The default value is 0.  Larger values should only be
 * used with care, since they may reveal sensitive information.
 *
 * Use a log level over 10 to enable all debugging options.
 **/
void gnutls_global_set_log_level(int level)
{
	_gnutls_log_level = level;
}

/**
 * gnutls_global_set_mem_functions:
 * @alloc_func: it's the default memory allocation function. Like malloc().
 * @secure_alloc_func: This is the memory allocation function that will be used for sensitive data.
 * @is_secure_func: a function that returns 0 if the memory given is not secure. May be NULL.
 * @realloc_func: A realloc function
 * @free_func: The function that frees allocated data. Must accept a NULL pointer.
 *
 * Deprecated: since 3.3.0 it is no longer possible to replace the internally used 
 *  memory allocation functions
 *
 * This is the function where you set the memory allocation functions
 * gnutls is going to use. By default the libc's allocation functions
 * (malloc(), free()), are used by gnutls, to allocate both sensitive
 * and not sensitive data.  This function is provided to set the
 * memory allocation functions to something other than the defaults
 *
 * This function must be called before gnutls_global_init() is called.
 * This function is not thread safe.
 **/
void
gnutls_global_set_mem_functions(gnutls_alloc_function alloc_func,
				gnutls_alloc_function secure_alloc_func,
				gnutls_is_secure_function is_secure_func,
				gnutls_realloc_function realloc_func,
				gnutls_free_function free_func)
{
	_gnutls_debug_log("called the deprecated gnutls_global_set_mem_functions()\n");
}

GNUTLS_STATIC_MUTEX(global_init_mutex);
static int _gnutls_init = 0;

/* cache the return code */
static int _gnutls_init_ret = 0;

/**
 * gnutls_global_init:
 *
 * Since GnuTLS 3.3.0 this function is no longer necessary to be explicitly
 * called. To disable the implicit call (in a library constructor) of this
 * function set the environment variable %GNUTLS_NO_IMPLICIT_INIT to 1.
 *
 * This function performs any required precalculations, detects
 * the supported CPU capabilities and initializes the underlying
 * cryptographic backend. In order to free any resources 
 * taken by this call you should gnutls_global_deinit() 
 * when gnutls usage is no longer needed.
 *
 * This function increments a global counter, so that
 * gnutls_global_deinit() only releases resources when it has been
 * called as many times as gnutls_global_init().  This is useful when
 * GnuTLS is used by more than one library in an application.  This
 * function can be called many times, but will only do something the
 * first time. It is thread safe since GnuTLS 3.3.0.
 *
 * A subsequent call of this function if the initial has failed will
 * return the same error code.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
 *   otherwise a negative error code is returned.
 **/
int gnutls_global_init(void)
{
	return _gnutls_global_init(0);
}

static int _gnutls_global_init(unsigned constructor)
{
	int ret = 0, res;
	int level;
	const char* e;

	if (!constructor) {
		ret = gnutls_static_mutex_lock(&global_init_mutex);
		if (ret < 0) {
			return gnutls_assert_val(ret);
		}
	}

	_gnutls_init++;
	if (_gnutls_init > 1) {
		ret = _gnutls_init_ret;
		goto out;
	}

	_gnutls_switch_lib_state(LIB_STATE_INIT);

	e = secure_getenv("GNUTLS_DEBUG_LEVEL");
	if (e != NULL) {
		level = atoi(e);
		gnutls_global_set_log_level(level);
		if (_gnutls_log_func == NULL)
			gnutls_global_set_log_function(default_log_func);
		_gnutls_debug_log("Enabled GnuTLS "VERSION" logging...\n");
	}

#ifdef HAVE_DCGETTEXT
	bindtextdomain(PACKAGE, LOCALEDIR);
#endif

	res = gnutls_crypto_init();
	if (res != 0) {
		gnutls_assert();
		ret = GNUTLS_E_CRYPTO_INIT_FAILED;
		goto out;
	}

	ret = _gnutls_system_key_init();
	if (ret != 0) {
		gnutls_assert();
	}

	/* initialize ASN.1 parser
	 */
	if (asn1_check_version(GNUTLS_MIN_LIBTASN1_VERSION) == NULL) {
		gnutls_assert();
		_gnutls_debug_log
		    ("Checking for libtasn1 failed: %s < %s\n",
		     asn1_check_version(NULL),
		     GNUTLS_MIN_LIBTASN1_VERSION);
		ret = GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY;
		goto out;
	}

	_gnutls_pkix1_asn = NULL;
	res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL);
	if (res != ASN1_SUCCESS) {
		gnutls_assert();
		ret = _gnutls_asn2err(res);
		goto out;
	}

	res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL);
	if (res != ASN1_SUCCESS) {
		gnutls_assert();
		ret = _gnutls_asn2err(res);
		goto out;
	}

	/* Initialize the random generator */
	ret = _gnutls_rnd_preinit();
	if (ret < 0) {
		gnutls_assert();
		goto out;
	}

	/* Initialize the default TLS extensions */
	ret = _gnutls_hello_ext_init();
	if (ret < 0) {
		gnutls_assert();
		goto out;
	}

	ret = gnutls_system_global_init();
	if (ret < 0) {
		gnutls_assert();
		goto out;
	}

#ifndef _WIN32
	ret = _gnutls_register_fork_handler();
	if (ret < 0) {
		gnutls_assert();
		goto out;
	}
#endif

#ifdef ENABLE_FIPS140
	res = _gnutls_fips_mode_enabled();
	/* res == 1 -> fips140-2 mode enabled
	 * res == 2 -> only self checks performed - but no failure
	 * res == not in fips140 mode
	 */
	if (res != 0) {
		_gnutls_debug_log("FIPS140-2 mode: %d\n", res);
		_gnutls_priority_update_fips();

		/* first round of self checks, these are done on the
		 * nettle algorithms which are used internally */
		ret = _gnutls_fips_perform_self_checks1();
		if (res != 2) {
			if (ret < 0) {
				gnutls_assert();
				goto out;
			}
		}
	}
#endif

	_gnutls_register_accel_crypto();
	_gnutls_cryptodev_init();
	_gnutls_afalg_init();

#ifdef ENABLE_FIPS140
	/* These self tests are performed on the overridden algorithms
	 * (e.g., AESNI overridden AES). They are after _gnutls_register_accel_crypto()
	 * intentionally */
	if (res != 0) {
		ret = _gnutls_fips_perform_self_checks2();
		if (res != 2) {
			if (ret < 0) {
				gnutls_assert();
				goto out;
			}
		}
		_gnutls_fips_mode_reset_zombie();
	}
#endif
	_gnutls_load_system_priorities();
	_gnutls_switch_lib_state(LIB_STATE_OPERATIONAL);
	ret = 0;

      out:
	_gnutls_init_ret = ret;
	if (!constructor) {
		(void)gnutls_static_mutex_unlock(&global_init_mutex);
	}
	return ret;
}

static void _gnutls_global_deinit(unsigned destructor)
{
	if (!destructor) {
		if (gnutls_static_mutex_lock(&global_init_mutex) < 0) {
			return;
		}
	}

	if (_gnutls_init == 1) {
		_gnutls_init = 0;
		if (_gnutls_init_ret < 0) {
			/* only deinitialize if gnutls_global_init() has
			 * succeeded */
			gnutls_assert();
			goto fail;
		}

		_gnutls_system_key_deinit();
		gnutls_crypto_deinit();
		_gnutls_rnd_deinit();
		_gnutls_hello_ext_deinit();
		asn1_delete_structure(&_gnutls_gnutls_asn);
		asn1_delete_structure(&_gnutls_pkix1_asn);

		_gnutls_crypto_deregister();
		gnutls_system_global_deinit();
		_gnutls_cryptodev_deinit();

		_gnutls_supplemental_deinit();
		_gnutls_unload_system_priorities();

#ifdef ENABLE_PKCS11
		/* Do not try to deinitialize the PKCS #11 libraries
		 * from the destructor. If we do and the PKCS #11 modules
		 * are already being unloaded, we may crash.
		 */
		if (destructor == 0) {
			gnutls_pkcs11_deinit();
		}
#endif
#ifdef HAVE_TROUSERS
		_gnutls_tpm_global_deinit();
#endif
#ifdef HAVE_TPM2
		_gnutls_tpm2_deinit();
#endif

		_gnutls_nss_keylog_deinit();
	} else {
		if (_gnutls_init > 0)
			_gnutls_init--;
	}

 fail:
	if (!destructor) {
		(void)gnutls_static_mutex_unlock(&global_init_mutex);
	}
}

/**
 * gnutls_global_deinit:
 *
 * This function deinitializes the global data, that were initialized
 * using gnutls_global_init().
 *
 * Since GnuTLS 3.3.0 this function is no longer necessary to be explicitly
 * called. GnuTLS will automatically deinitialize on library destructor. See
 * gnutls_global_init() for disabling the implicit initialization/deinitialization.
 *
 **/
void gnutls_global_deinit(void)
{
	_gnutls_global_deinit(0);
}

/**
 * gnutls_check_version:
 * @req_version: version string to compare with, or %NULL.
 *
 * Check the GnuTLS Library version against the provided string.
 * See %GNUTLS_VERSION for a suitable @req_version string.
 *
 * See also gnutls_check_version_numeric(), which provides this
 * functionality as a macro.
 *
 * Returns: Check that the version of the library is at
 *   minimum the one given as a string in @req_version and return the
 *   actual version string of the library; return %NULL if the
 *   condition is not met.  If %NULL is passed to this function no
 *   check is done and only the version string is returned.
  **/
const char *gnutls_check_version(const char *req_version)
{
	if (!req_version || strverscmp(req_version, VERSION) <= 0)
		return VERSION;

	return NULL;
}

static void _CONSTRUCTOR lib_init(void)
{
	int ret;
	const char *e;

	if (_gnutls_global_init_skip() != 0)
		return;

	e = secure_getenv("GNUTLS_NO_IMPLICIT_INIT");
	if (e != NULL) {
		ret = atoi(e);
		if (ret == 1)
			return;
	}

	e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT");
	if (e != NULL) {
		_gnutls_debug_log("GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n");
		ret = atoi(e);
		if (ret == 1)
			return;
	}

	ret = _gnutls_global_init(1);
	if (ret < 0) {
		fprintf(stderr, "Error in GnuTLS initialization: %s\n", gnutls_strerror(ret));
		_gnutls_switch_lib_state(LIB_STATE_ERROR);
	}
}

static void _DESTRUCTOR lib_deinit(void)
{
	int ret;
	const char *e;

	if (_gnutls_global_init_skip() != 0)
		return;

	e = secure_getenv("GNUTLS_NO_IMPLICIT_INIT");
	if (e != NULL) {
		ret = atoi(e);
		if (ret == 1)
			return;
	}

	e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT");
	if (e != NULL) {
		_gnutls_debug_log("GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n");
		ret = atoi(e);
		if (ret == 1)
			return;
	}

	_gnutls_global_deinit(1);
}