[tor-commits] [tor/master] Move the initialization and cleanup parts of crypto.c

nickm at torproject.org nickm at torproject.org
Wed Sep 5 00:47:13 UTC 2018


commit 12a1ada15853f0cde2839921bf413ba24a741192
Author: Nick Mathewson <nickm at torproject.org>
Date:   Wed Jul 11 13:44:35 2018 -0400

    Move the initialization and cleanup parts of crypto.c
    
    These are now part of crypto_init.c.  The openssl-only parts now
    live in crypto_openssl_mgt.c.
    
    I recommend reviewing this patch with -b and --color-moved.
---
 src/core/mainloop/main.c               |   1 +
 src/feature/relay/router.c             |   1 +
 src/lib/crypt_ops/crypto.c             | 248 ---------------------------------
 src/lib/crypt_ops/crypto.h             |  10 --
 src/lib/crypt_ops/crypto_init.c        | 117 ++++++++++++++++
 src/lib/crypt_ops/crypto_init.h        |  28 ++++
 src/lib/crypt_ops/crypto_openssl_mgt.c | 195 +++++++++++++++++++++++++-
 src/lib/crypt_ops/crypto_openssl_mgt.h |   7 +-
 src/lib/crypt_ops/include.am           |   2 +
 src/test/bench.c                       |   1 +
 src/test/test_crypto.c                 |   1 +
 src/test/test_workqueue.c              |   1 +
 src/test/testing_common.c              |   1 +
 src/tools/tor-gencert.c                |   1 +
 14 files changed, 353 insertions(+), 261 deletions(-)

diff --git a/src/core/mainloop/main.c b/src/core/mainloop/main.c
index 048397a2d..ad8c1ead6 100644
--- a/src/core/mainloop/main.c
+++ b/src/core/mainloop/main.c
@@ -121,6 +121,7 @@
 #include "lib/evloop/compat_libevent.h"
 #include "lib/encoding/confline.h"
 #include "lib/evloop/timers.h"
+#include "lib/crypt_ops/crypto_init.h"
 
 #include <event2/event.h>
 
diff --git a/src/feature/relay/router.c b/src/feature/relay/router.c
index 973d3e110..edd5ef5d5 100644
--- a/src/feature/relay/router.c
+++ b/src/feature/relay/router.c
@@ -55,6 +55,7 @@
 #include "lib/tls/tortls.h"
 #include "lib/encoding/confline.h"
 #include "lib/crypt_ops/crypto_format.h"
+#include "lib/crypt_ops/crypto_init.h"
 
 /**
  * \file router.c
diff --git a/src/lib/crypt_ops/crypto.c b/src/lib/crypt_ops/crypto.c
index 5bc2da76a..d988473f4 100644
--- a/src/lib/crypt_ops/crypto.c
+++ b/src/lib/crypt_ops/crypto.c
@@ -38,7 +38,6 @@ DISABLE_GCC_WARNING(redundant-decls)
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/engine.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/conf.h>
@@ -74,211 +73,6 @@ ENABLE_GCC_WARNING(redundant-decls)
 
 #include <string.h>
 
-/** Boolean: has OpenSSL's crypto been initialized? */
-static int crypto_early_initialized_ = 0;
-
-/** Boolean: has OpenSSL's crypto been initialized? */
-static int crypto_global_initialized_ = 0;
-
-#ifndef DISABLE_ENGINES
-/** Log any OpenSSL engines we're using at NOTICE. */
-static void
-log_engine(const char *fn, ENGINE *e)
-{
-  if (e) {
-    const char *name, *id;
-    name = ENGINE_get_name(e);
-    id = ENGINE_get_id(e);
-    log_notice(LD_CRYPTO, "Default OpenSSL engine for %s is %s [%s]",
-               fn, name?name:"?", id?id:"?");
-  } else {
-    log_info(LD_CRYPTO, "Using default implementation for %s", fn);
-  }
-}
-#endif /* !defined(DISABLE_ENGINES) */
-
-#ifndef DISABLE_ENGINES
-/** Try to load an engine in a shared library via fully qualified path.
- */
-static ENGINE *
-try_load_engine(const char *path, const char *engine)
-{
-  ENGINE *e = ENGINE_by_id("dynamic");
-  if (e) {
-    if (!ENGINE_ctrl_cmd_string(e, "ID", engine, 0) ||
-        !ENGINE_ctrl_cmd_string(e, "DIR_LOAD", "2", 0) ||
-        !ENGINE_ctrl_cmd_string(e, "DIR_ADD", path, 0) ||
-        !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
-      ENGINE_free(e);
-      e = NULL;
-    }
-  }
-  return e;
-}
-#endif /* !defined(DISABLE_ENGINES) */
-
-static int have_seeded_siphash = 0;
-
-/** Set up the siphash key if we haven't already done so. */
-int
-crypto_init_siphash_key(void)
-{
-  struct sipkey key;
-  if (have_seeded_siphash)
-    return 0;
-
-  crypto_rand((char*) &key, sizeof(key));
-  siphash_set_global_key(&key);
-  have_seeded_siphash = 1;
-  return 0;
-}
-
-/** Initialize the crypto library.  Return 0 on success, -1 on failure.
- */
-int
-crypto_early_init(void)
-{
-  if (!crypto_early_initialized_) {
-
-    crypto_early_initialized_ = 1;
-
-#ifdef OPENSSL_1_1_API
-    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
-                     OPENSSL_INIT_LOAD_CRYPTO_STRINGS |
-                     OPENSSL_INIT_ADD_ALL_CIPHERS |
-                     OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
-#else
-    ERR_load_crypto_strings();
-    OpenSSL_add_all_algorithms();
-#endif
-
-    setup_openssl_threading();
-
-    unsigned long version_num = OpenSSL_version_num();
-    const char *version_str = OpenSSL_version(OPENSSL_VERSION);
-    if (version_num == OPENSSL_VERSION_NUMBER &&
-        !strcmp(version_str, OPENSSL_VERSION_TEXT)) {
-      log_info(LD_CRYPTO, "OpenSSL version matches version from headers "
-                 "(%lx: %s).", version_num, version_str);
-    } else {
-      log_warn(LD_CRYPTO, "OpenSSL version from headers does not match the "
-               "version we're running with. If you get weird crashes, that "
-               "might be why. (Compiled with %lx: %s; running with %lx: %s).",
-               (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
-               version_num, version_str);
-    }
-
-    crypto_force_rand_ssleay();
-
-    if (crypto_seed_rng() < 0)
-      return -1;
-    if (crypto_init_siphash_key() < 0)
-      return -1;
-
-    curve25519_init();
-    ed25519_init();
-  }
-  return 0;
-}
-
-/** Initialize the crypto library.  Return 0 on success, -1 on failure.
- */
-int
-crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
-{
-  if (!crypto_global_initialized_) {
-    if (crypto_early_init() < 0)
-      return -1;
-
-    crypto_global_initialized_ = 1;
-
-    if (useAccel > 0) {
-#ifdef DISABLE_ENGINES
-      (void)accelName;
-      (void)accelDir;
-      log_warn(LD_CRYPTO, "No OpenSSL hardware acceleration support enabled.");
-#else
-      ENGINE *e = NULL;
-
-      log_info(LD_CRYPTO, "Initializing OpenSSL engine support.");
-      ENGINE_load_builtin_engines();
-      ENGINE_register_all_complete();
-
-      if (accelName) {
-        if (accelDir) {
-          log_info(LD_CRYPTO, "Trying to load dynamic OpenSSL engine \"%s\""
-                   " via path \"%s\".", accelName, accelDir);
-          e = try_load_engine(accelName, accelDir);
-        } else {
-          log_info(LD_CRYPTO, "Initializing dynamic OpenSSL engine \"%s\""
-                   " acceleration support.", accelName);
-          e = ENGINE_by_id(accelName);
-        }
-        if (!e) {
-          log_warn(LD_CRYPTO, "Unable to load dynamic OpenSSL engine \"%s\".",
-                   accelName);
-        } else {
-          log_info(LD_CRYPTO, "Loaded dynamic OpenSSL engine \"%s\".",
-                   accelName);
-        }
-      }
-      if (e) {
-        log_info(LD_CRYPTO, "Loaded OpenSSL hardware acceleration engine,"
-                 " setting default ciphers.");
-        ENGINE_set_default(e, ENGINE_METHOD_ALL);
-      }
-      /* Log, if available, the intersection of the set of algorithms
-         used by Tor and the set of algorithms available in the engine */
-      log_engine("RSA", ENGINE_get_default_RSA());
-      log_engine("DH", ENGINE_get_default_DH());
-#ifdef OPENSSL_1_1_API
-      log_engine("EC", ENGINE_get_default_EC());
-#else
-      log_engine("ECDH", ENGINE_get_default_ECDH());
-      log_engine("ECDSA", ENGINE_get_default_ECDSA());
-#endif /* defined(OPENSSL_1_1_API) */
-      log_engine("RAND", ENGINE_get_default_RAND());
-      log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
-      log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
-      log_engine("3DES-CBC", ENGINE_get_cipher_engine(NID_des_ede3_cbc));
-      log_engine("AES-128-ECB", ENGINE_get_cipher_engine(NID_aes_128_ecb));
-      log_engine("AES-128-CBC", ENGINE_get_cipher_engine(NID_aes_128_cbc));
-#ifdef NID_aes_128_ctr
-      log_engine("AES-128-CTR", ENGINE_get_cipher_engine(NID_aes_128_ctr));
-#endif
-#ifdef NID_aes_128_gcm
-      log_engine("AES-128-GCM", ENGINE_get_cipher_engine(NID_aes_128_gcm));
-#endif
-      log_engine("AES-256-CBC", ENGINE_get_cipher_engine(NID_aes_256_cbc));
-#ifdef NID_aes_256_gcm
-      log_engine("AES-256-GCM", ENGINE_get_cipher_engine(NID_aes_256_gcm));
-#endif
-
-#endif /* defined(DISABLE_ENGINES) */
-    } else {
-      log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
-    }
-
-    if (crypto_force_rand_ssleay()) {
-      if (crypto_seed_rng() < 0)
-        return -1;
-    }
-
-    evaluate_evp_for_aes(-1);
-    evaluate_ctr_for_aes();
-  }
-  return 0;
-}
-
-/** Free crypto resources held by this thread. */
-void
-crypto_thread_cleanup(void)
-{
-#ifndef NEW_THREAD_API
-  ERR_remove_thread_state(NULL);
-#endif
-}
-
 /** Allocate and return a new symmetric cipher using the provided key and iv.
  * The key is <b>bits</b> bits long; the IV is CIPHER_IV_LEN bytes.  Both
  * must be provided. Key length must be 128, 192, or 256 */
@@ -465,45 +259,3 @@ crypto_cipher_decrypt_with_iv(const char *key,
   crypto_cipher_free(cipher);
   return (int)(fromlen - CIPHER_IV_LEN);
 }
-
-/** @{ */
-/** Uninitialize the crypto library. Return 0 on success. Does not detect
- * failure.
- */
-int
-crypto_global_cleanup(void)
-{
-#ifndef OPENSSL_1_1_API
-  EVP_cleanup();
-#endif
-#ifndef NEW_THREAD_API
-  ERR_remove_thread_state(NULL);
-#endif
-#ifndef OPENSSL_1_1_API
-  ERR_free_strings();
-#endif
-
-  crypto_dh_free_all();
-
-#ifndef DISABLE_ENGINES
-#ifndef OPENSSL_1_1_API
-  ENGINE_cleanup();
-#endif
-#endif
-
-  CONF_modules_unload(1);
-#ifndef OPENSSL_1_1_API
-  CRYPTO_cleanup_all_ex_data();
-#endif
-
-  crypto_openssl_free_all();
-
-  crypto_early_initialized_ = 0;
-  crypto_global_initialized_ = 0;
-  have_seeded_siphash = 0;
-  siphash_unset_global_key();
-
-  return 0;
-}
-
-/** @} */
diff --git a/src/lib/crypt_ops/crypto.h b/src/lib/crypt_ops/crypto.h
index 3a0b330be..6034c8417 100644
--- a/src/lib/crypt_ops/crypto.h
+++ b/src/lib/crypt_ops/crypto.h
@@ -32,16 +32,6 @@
 
 typedef struct aes_cnt_cipher crypto_cipher_t;
 
-/* global state */
-int crypto_init_siphash_key(void);
-int crypto_early_init(void) ATTR_WUR;
-int crypto_global_init(int hardwareAccel,
-                       const char *accelName,
-                       const char *accelPath) ATTR_WUR;
-
-void crypto_thread_cleanup(void);
-int crypto_global_cleanup(void);
-
 /* environment setup */
 crypto_cipher_t *crypto_cipher_new(const char *key);
 crypto_cipher_t *crypto_cipher_new_with_bits(const char *key, int bits);
diff --git a/src/lib/crypt_ops/crypto_init.c b/src/lib/crypt_ops/crypto_init.c
new file mode 100644
index 000000000..01d5baf5b
--- /dev/null
+++ b/src/lib/crypt_ops/crypto_init.c
@@ -0,0 +1,117 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_init.c
+ *
+ * \brief Initialize and shut down Tor's crypto library and subsystem.
+ **/
+
+#include "orconfig.h"
+
+#include "lib/crypt_ops/crypto_init.h"
+
+#include "lib/crypt_ops/crypto_curve25519.h"
+#include "lib/crypt_ops/crypto_dh.h"
+#include "lib/crypt_ops/crypto_ed25519.h"
+#include "lib/crypt_ops/crypto_openssl_mgt.h"
+#include "lib/crypt_ops/crypto_rand.h"
+
+#include "siphash.h"
+
+/** Boolean: has OpenSSL's crypto been initialized? */
+static int crypto_early_initialized_ = 0;
+
+/** Boolean: has OpenSSL's crypto been initialized? */
+static int crypto_global_initialized_ = 0;
+
+static int have_seeded_siphash = 0;
+
+/** Set up the siphash key if we haven't already done so. */
+int
+crypto_init_siphash_key(void)
+{
+  struct sipkey key;
+  if (have_seeded_siphash)
+    return 0;
+
+  crypto_rand((char*) &key, sizeof(key));
+  siphash_set_global_key(&key);
+  have_seeded_siphash = 1;
+  return 0;
+}
+
+/** Initialize the crypto library.  Return 0 on success, -1 on failure.
+ */
+int
+crypto_early_init(void)
+{
+  if (!crypto_early_initialized_) {
+
+    crypto_early_initialized_ = 1;
+
+#ifdef ENABLE_OPENSSL
+    crypto_openssl_early_init();
+#endif
+
+    if (crypto_seed_rng() < 0)
+      return -1;
+    if (crypto_init_siphash_key() < 0)
+      return -1;
+
+    curve25519_init();
+    ed25519_init();
+  }
+  return 0;
+}
+
+/** Initialize the crypto library.  Return 0 on success, -1 on failure.
+ */
+int
+crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
+{
+  if (!crypto_global_initialized_) {
+    if (crypto_early_init() < 0)
+      return -1;
+
+    crypto_global_initialized_ = 1;
+
+#ifdef ENABLE_OPENSSL
+    return crypto_openssl_late_init(useAccel, accelName, accelDir);
+#endif
+  }
+  return 0;
+}
+
+/** Free crypto resources held by this thread. */
+void
+crypto_thread_cleanup(void)
+{
+#ifndef NEW_THREAD_API
+  ERR_remove_thread_state(NULL);
+#endif
+}
+
+/**
+ * Uninitialize the crypto library. Return 0 on success. Does not detect
+ * failure.
+ */
+int
+crypto_global_cleanup(void)
+{
+  crypto_dh_free_all();
+
+#ifdef ENABLE_OPENSSL
+  crypto_openssl_global_cleanup();
+#endif
+
+  crypto_early_initialized_ = 0;
+  crypto_global_initialized_ = 0;
+  have_seeded_siphash = 0;
+  siphash_unset_global_key();
+
+  return 0;
+}
diff --git a/src/lib/crypt_ops/crypto_init.h b/src/lib/crypt_ops/crypto_init.h
new file mode 100644
index 000000000..e450e2d89
--- /dev/null
+++ b/src/lib/crypt_ops/crypto_init.h
@@ -0,0 +1,28 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_init.h
+ *
+ * \brief Headers for crypto_init.c
+ **/
+
+#ifndef TOR_CRYPTO_INIT_H
+#define TOR_CRYPTO_INIT_H
+
+#include "orconfig.h"
+#include "lib/cc/compat_compiler.h"
+
+int crypto_init_siphash_key(void);
+int crypto_early_init(void) ATTR_WUR;
+int crypto_global_init(int hardwareAccel,
+                       const char *accelName,
+                       const char *accelPath) ATTR_WUR;
+
+void crypto_thread_cleanup(void);
+int crypto_global_cleanup(void);
+
+#endif /* !defined(TOR_CRYPTO_H) */
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c b/src/lib/crypt_ops/crypto_openssl_mgt.c
index 01de6a9d9..b0c88bff4 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.c
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.c
@@ -12,8 +12,11 @@
 
 #include "lib/crypt_ops/compat_openssl.h"
 #include "lib/crypt_ops/crypto_openssl_mgt.h"
+#include "lib/crypt_ops/crypto_rand.h"
+#include "lib/crypt_ops/aes.h"
 #include "lib/string/util_string.h"
 #include "lib/lock/compat_mutex.h"
+#include "lib/log/log.h"
 #include "lib/testsupport/testsupport.h"
 #include "lib/thread/threads.h"
 
@@ -30,6 +33,7 @@ DISABLE_GCC_WARNING(redundant-decls)
 #include <openssl/conf.h>
 #include <openssl/hmac.h>
 #include <openssl/crypto.h>
+#include <openssl/ssl.h>
 
 ENABLE_GCC_WARNING(redundant-decls)
 
@@ -144,7 +148,7 @@ setup_openssl_threading(void)
 }
 
 /** free OpenSSL variables */
-void
+static void
 crypto_openssl_free_all(void)
 {
   tor_free(crypto_openssl_version_str);
@@ -164,3 +168,192 @@ crypto_openssl_free_all(void)
   }
 #endif /* !defined(NEW_THREAD_API) */
 }
+
+/** Perform early (pre-configuration) initialization tasks for OpenSSL. */
+void
+crypto_openssl_early_init(void)
+{
+#ifdef OPENSSL_1_1_API
+    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
+                     OPENSSL_INIT_LOAD_CRYPTO_STRINGS |
+                     OPENSSL_INIT_ADD_ALL_CIPHERS |
+                     OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+#else
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+#endif
+
+    setup_openssl_threading();
+
+    unsigned long version_num = OpenSSL_version_num();
+    const char *version_str = OpenSSL_version(OPENSSL_VERSION);
+    if (version_num == OPENSSL_VERSION_NUMBER &&
+        !strcmp(version_str, OPENSSL_VERSION_TEXT)) {
+      log_info(LD_CRYPTO, "OpenSSL version matches version from headers "
+                 "(%lx: %s).", version_num, version_str);
+    } else {
+      log_warn(LD_CRYPTO, "OpenSSL version from headers does not match the "
+               "version we're running with. If you get weird crashes, that "
+               "might be why. (Compiled with %lx: %s; running with %lx: %s).",
+               (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
+               version_num, version_str);
+    }
+
+    crypto_force_rand_ssleay();
+}
+
+#ifndef DISABLE_ENGINES
+/** Try to load an engine in a shared library via fully qualified path.
+ */
+static ENGINE *
+try_load_engine(const char *path, const char *engine)
+{
+  ENGINE *e = ENGINE_by_id("dynamic");
+  if (e) {
+    if (!ENGINE_ctrl_cmd_string(e, "ID", engine, 0) ||
+        !ENGINE_ctrl_cmd_string(e, "DIR_LOAD", "2", 0) ||
+        !ENGINE_ctrl_cmd_string(e, "DIR_ADD", path, 0) ||
+        !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+      ENGINE_free(e);
+      e = NULL;
+    }
+  }
+  return e;
+}
+#endif /* !defined(DISABLE_ENGINES) */
+
+#ifndef DISABLE_ENGINES
+/** Log any OpenSSL engines we're using at NOTICE. */
+static void
+log_engine(const char *fn, ENGINE *e)
+{
+  if (e) {
+    const char *name, *id;
+    name = ENGINE_get_name(e);
+    id = ENGINE_get_id(e);
+    log_notice(LD_CRYPTO, "Default OpenSSL engine for %s is %s [%s]",
+               fn, name?name:"?", id?id:"?");
+  } else {
+    log_info(LD_CRYPTO, "Using default implementation for %s", fn);
+  }
+}
+#endif /* !defined(DISABLE_ENGINES) */
+
+/** Initialize engines for openssl (if enabled). */
+static void
+crypto_openssl_init_engines(const char *accelName,
+                            const char *accelDir)
+{
+#ifdef DISABLE_ENGINES
+  (void)accelName;
+  (void)accelDir;
+  log_warn(LD_CRYPTO, "No OpenSSL hardware acceleration support enabled.");
+#else
+  ENGINE *e = NULL;
+
+  log_info(LD_CRYPTO, "Initializing OpenSSL engine support.");
+  ENGINE_load_builtin_engines();
+  ENGINE_register_all_complete();
+
+  if (accelName) {
+    if (accelDir) {
+      log_info(LD_CRYPTO, "Trying to load dynamic OpenSSL engine \"%s\""
+               " via path \"%s\".", accelName, accelDir);
+      e = try_load_engine(accelName, accelDir);
+    } else {
+      log_info(LD_CRYPTO, "Initializing dynamic OpenSSL engine \"%s\""
+               " acceleration support.", accelName);
+      e = ENGINE_by_id(accelName);
+    }
+    if (!e) {
+      log_warn(LD_CRYPTO, "Unable to load dynamic OpenSSL engine \"%s\".",
+               accelName);
+    } else {
+      log_info(LD_CRYPTO, "Loaded dynamic OpenSSL engine \"%s\".",
+               accelName);
+    }
+  }
+  if (e) {
+    log_info(LD_CRYPTO, "Loaded OpenSSL hardware acceleration engine,"
+             " setting default ciphers.");
+    ENGINE_set_default(e, ENGINE_METHOD_ALL);
+  }
+  /* Log, if available, the intersection of the set of algorithms
+     used by Tor and the set of algorithms available in the engine */
+  log_engine("RSA", ENGINE_get_default_RSA());
+  log_engine("DH", ENGINE_get_default_DH());
+#ifdef OPENSSL_1_1_API
+  log_engine("EC", ENGINE_get_default_EC());
+#else
+  log_engine("ECDH", ENGINE_get_default_ECDH());
+  log_engine("ECDSA", ENGINE_get_default_ECDSA());
+#endif /* defined(OPENSSL_1_1_API) */
+  log_engine("RAND", ENGINE_get_default_RAND());
+  log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
+  log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
+  log_engine("3DES-CBC", ENGINE_get_cipher_engine(NID_des_ede3_cbc));
+  log_engine("AES-128-ECB", ENGINE_get_cipher_engine(NID_aes_128_ecb));
+  log_engine("AES-128-CBC", ENGINE_get_cipher_engine(NID_aes_128_cbc));
+#ifdef NID_aes_128_ctr
+  log_engine("AES-128-CTR", ENGINE_get_cipher_engine(NID_aes_128_ctr));
+#endif
+#ifdef NID_aes_128_gcm
+  log_engine("AES-128-GCM", ENGINE_get_cipher_engine(NID_aes_128_gcm));
+#endif
+  log_engine("AES-256-CBC", ENGINE_get_cipher_engine(NID_aes_256_cbc));
+#ifdef NID_aes_256_gcm
+  log_engine("AES-256-GCM", ENGINE_get_cipher_engine(NID_aes_256_gcm));
+#endif
+
+#endif /* defined(DISABLE_ENGINES) */
+}
+
+/** Perform late (post-init) initialization tasks for OpenSSL */
+int
+crypto_openssl_late_init(int useAccel, const char *accelName,
+                         const char *accelDir)
+{
+  if (useAccel > 0) {
+    crypto_openssl_init_engines(accelName, accelDir);
+  } else {
+    log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
+  }
+
+  if (crypto_force_rand_ssleay()) {
+    if (crypto_seed_rng() < 0)
+      return -1;
+  }
+
+  evaluate_evp_for_aes(-1);
+  evaluate_ctr_for_aes();
+
+  return 0;
+}
+
+/** Clean up global resources held by openssl. */
+void
+crypto_openssl_global_cleanup(void)
+{
+  #ifndef OPENSSL_1_1_API
+  EVP_cleanup();
+#endif
+#ifndef NEW_THREAD_API
+  ERR_remove_thread_state(NULL);
+#endif
+#ifndef OPENSSL_1_1_API
+  ERR_free_strings();
+#endif
+
+#ifndef DISABLE_ENGINES
+#ifndef OPENSSL_1_1_API
+  ENGINE_cleanup();
+#endif
+#endif
+
+  CONF_modules_unload(1);
+#ifndef OPENSSL_1_1_API
+  CRYPTO_cleanup_all_ex_data();
+#endif
+
+  crypto_openssl_free_all();
+}
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h
index a2c53302e..60583a056 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.h
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
@@ -76,7 +76,10 @@ const char * crypto_openssl_get_header_version_str(void);
 /* OpenSSL threading setup function */
 int setup_openssl_threading(void);
 
-/* Tor OpenSSL utility functions */
-void crypto_openssl_free_all(void);
+void crypto_openssl_early_init(void);
+int crypto_openssl_late_init(int useAccel, const char *accelName,
+                             const char *accelDir);
+
+void crypto_openssl_global_cleanup(void);
 
 #endif /* !defined(TOR_CRYPTO_OPENSSL_H) */
diff --git a/src/lib/crypt_ops/include.am b/src/lib/crypt_ops/include.am
index 009e4c66c..6bb7c929a 100644
--- a/src/lib/crypt_ops/include.am
+++ b/src/lib/crypt_ops/include.am
@@ -14,6 +14,7 @@ src_lib_libtor_crypt_ops_a_SOURCES =			\
 	src/lib/crypt_ops/crypto_ed25519.c		\
 	src/lib/crypt_ops/crypto_format.c		\
 	src/lib/crypt_ops/crypto_hkdf.c			\
+	src/lib/crypt_ops/crypto_init.c			\
 	src/lib/crypt_ops/crypto_openssl_mgt.c		\
 	src/lib/crypt_ops/crypto_pwbox.c		\
 	src/lib/crypt_ops/crypto_rand.c			\
@@ -40,6 +41,7 @@ noinst_HEADERS +=					\
 	src/lib/crypt_ops/crypto_format.h		\
 	src/lib/crypt_ops/crypto.h			\
 	src/lib/crypt_ops/crypto_hkdf.h			\
+	src/lib/crypt_ops/crypto_init.h			\
 	src/lib/crypt_ops/crypto_openssl_mgt.h		\
 	src/lib/crypt_ops/crypto_pwbox.h		\
 	src/lib/crypt_ops/crypto_rand.h			\
diff --git a/src/test/bench.c b/src/test/bench.c
index 7919a4224..50af9e0d6 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -33,6 +33,7 @@
 #include "core/or/or_circuit_st.h"
 
 #include "lib/crypt_ops/digestset.h"
+#include "lib/crypt_ops/crypto_init.h"
 
 #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
 static uint64_t nanostart;
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index 2124e2219..17f23b96b 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -16,6 +16,7 @@
 #include "lib/crypt_ops/crypto_format.h"
 #include "lib/crypt_ops/crypto_hkdf.h"
 #include "lib/crypt_ops/crypto_rand.h"
+#include "lib/crypt_ops/crypto_init.h"
 #include "ed25519_vectors.inc"
 
 #ifdef HAVE_SYS_STAT_H
diff --git a/src/test/test_workqueue.c b/src/test/test_workqueue.c
index 4550bad1f..9d48d9277 100644
--- a/src/test/test_workqueue.c
+++ b/src/test/test_workqueue.c
@@ -12,6 +12,7 @@
 #include "lib/net/alertsock.h"
 #include "lib/evloop/compat_libevent.h"
 #include "lib/intmath/weakrng.h"
+#include "lib/crypt_ops/crypto_init.h"
 
 #include <stdio.h>
 
diff --git a/src/test/testing_common.c b/src/test/testing_common.c
index 3880bca9c..32d7bf7f0 100644
--- a/src/test/testing_common.c
+++ b/src/test/testing_common.c
@@ -23,6 +23,7 @@
 #include "core/mainloop/main.h"
 #include "lib/compress/compress.h"
 #include "lib/evloop/compat_libevent.h"
+#include "lib/crypt_ops/crypto_init.h"
 
 #include <stdio.h>
 #ifdef HAVE_FCNTL_H
diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c
index ff924152a..f87283097 100644
--- a/src/tools/tor-gencert.c
+++ b/src/tools/tor-gencert.c
@@ -14,6 +14,7 @@
 #endif
 
 #include "lib/cc/compat_compiler.h"
+#include "lib/crypt_ops/crypto_init.h"
 
 /* Some versions of OpenSSL declare X509_STORE_CTX_set_verify_cb twice in
  * x509.h and x509_vfy.h. Suppress the GCC warning so we can build with





More information about the tor-commits mailing list