From: Geoff Thorpe Date: Thu, 16 Nov 2000 00:15:50 +0000 (+0000) Subject: Many applications that use OpenSSL with ENGINE support might face a X-Git-Tag: OpenSSL_0_9_6a-beta1~107^2~180 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=ef02b10a16e027498b962cc503b24e02ef25470c;ds=sidebyside Many applications that use OpenSSL with ENGINE support might face a situation where they've initialised the ENGINE, loaded keys (which are then linked to that ENGINE), and performed other checks (such as verifying certificate chains etc). At that point, if the application goes multi-threaded or multi-process it creates problems for any ENGINE implementations that are either not thread/process safe or that perform optimally when they do not have to perform locking and other contention management tasks at "run-time". This defines a new ENGINE_ctrl() command that can be supported by engines at their discretion. If ENGINE_ctrl(..., ENGINE_CTRL_HUP,...) returns an error then the caller should check if the *_R_COMMAND_NOT_IMPLEMENTED error reason was set - it may just be that the engine doesn't support or need the HUP command, or it could be that the attempted reinitialisation failed. A crude alternative is to ignore the return value from ENGINE_ctrl() (and clear any errors with ERR_clear_error()) and perform a test operation immediately after the "HUP". Very crude indeed. ENGINEs can support this command to close and reopen connections, files, handles, or whatever as an alternative to run-time locking when such things would otherwise be needed. In such a case, it's advisable for the engine implementations to support locking by default but disable it after the arrival of a HUP command, or any other indication by the application that locking is not required. NB: This command exists to allow an ENGINE to reinitialise without the ENGINE's functional reference count having to sink down to zero and back up - which is what is normally required for the finish() and init() handlers to get invoked. It would also be a bad idea for engine_lib to catch this command itself and interpret it by calling the engine's init() and finish() handlers directly, because reinitialisation may need special handling on a case-by-case basis that is distinct from a finish/init pair - eg. calling a finish() handler may invalidate the state stored inside individual keys that have already loaded for this engine. --- diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 2d93ad0d60..d57cdab59a 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -89,6 +89,9 @@ extern "C" { * the error ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED. */ #define ENGINE_CTRL_SET_LOGSTREAM 1 #define ENGINE_CTRL_SET_PASSWORD_CALLBACK 2 +#define ENGINE_CTRL_HUP 3 /* Close and reinitialise any + handles/connections etc. */ + /* Flags specific to the nCipher "chil" engine */ #define ENGINE_CTRL_CHIL_SET_FORKCHECK 100 /* Depending on the value of the (long)i argument, this sets or