2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib_int.h"
12 #include <openssl/err.h>
13 #include "internal/rand_int.h"
14 #include "internal/bio.h"
15 #include <openssl/evp.h>
16 #include "internal/evp_int.h"
17 #include "internal/conf.h"
18 #include "internal/async.h"
19 #include "internal/engine.h"
20 #include "internal/comp.h"
21 #include "internal/err.h"
22 #include "internal/err_int.h"
23 #include "internal/objects.h"
26 #include "internal/thread_once.h"
27 #include "internal/dso_conf.h"
28 #include "internal/dso.h"
29 #include "internal/store.h"
30 #include <openssl/trace.h>
32 static int stopped = 0;
34 typedef struct ossl_init_stop_st OPENSSL_INIT_STOP;
35 struct ossl_init_stop_st {
36 void (*handler)(void);
37 OPENSSL_INIT_STOP *next;
40 static OPENSSL_INIT_STOP *stop_handlers = NULL;
41 static CRYPTO_RWLOCK *init_lock = NULL;
43 static CRYPTO_ONCE base = CRYPTO_ONCE_STATIC_INIT;
44 static int base_inited = 0;
45 DEFINE_RUN_ONCE_STATIC(ossl_init_base)
47 /* no need to init trace */
49 OSSL_TRACE(INIT, "ossl_init_base: setting up stop handlers\n");
50 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
51 ossl_malloc_setup_failures();
54 if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL)
56 OPENSSL_cpuid_setup();
58 if (!ossl_init_thread())
65 OSSL_TRACE(INIT, "ossl_init_base failed!\n");
66 CRYPTO_THREAD_lock_free(init_lock);
72 static CRYPTO_ONCE register_atexit = CRYPTO_ONCE_STATIC_INIT;
73 #if !defined(OPENSSL_SYS_UEFI) && defined(_WIN32)
74 static int win32atexit(void)
81 DEFINE_RUN_ONCE_STATIC(ossl_init_register_atexit)
83 #ifdef OPENSSL_INIT_DEBUG
84 fprintf(stderr, "OPENSSL_INIT: ossl_init_register_atexit()\n");
86 #ifndef OPENSSL_SYS_UEFI
88 /* We use _onexit() in preference because it gets called on DLL unload */
89 if (_onexit(win32atexit) == NULL)
92 if (atexit(OPENSSL_cleanup) != 0)
100 DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_register_atexit,
101 ossl_init_register_atexit)
103 #ifdef OPENSSL_INIT_DEBUG
104 fprintf(stderr, "OPENSSL_INIT: ossl_init_no_register_atexit ok!\n");
106 /* Do nothing in this case */
110 static CRYPTO_ONCE load_crypto_nodelete = CRYPTO_ONCE_STATIC_INIT;
111 DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
113 OSSL_TRACE(INIT, "ossl_init_load_crypto_nodelete()\n");
115 #if !defined(OPENSSL_USE_NODELETE) \
116 && !defined(OPENSSL_NO_PINSHARED)
117 # if defined(DSO_WIN32) && !defined(_WIN32_WCE)
119 HMODULE handle = NULL;
122 /* We don't use the DSO route for WIN32 because there is a better way */
123 ret = GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS
124 | GET_MODULE_HANDLE_EX_FLAG_PIN,
125 (void *)&base_inited, &handle);
128 "ossl_init_load_crypto_nodelete: "
129 "obtained DSO reference? %s\n",
130 (ret == TRUE ? "No!" : "Yes."));
131 return (ret == TRUE) ? 1 : 0;
133 # elif !defined(DSO_NONE)
135 * Deliberately leak a reference to ourselves. This will force the library
136 * to remain loaded until the atexit() handler is run at process exit.
142 if (!err_shelve_state(&err))
145 dso = DSO_dsobyaddr(&base_inited, DSO_FLAG_NO_UNLOAD_ON_FREE);
147 * In case of No!, it is uncertain our exit()-handlers can still be
148 * called. After dlclose() the whole library might have been unloaded
151 OSSL_TRACE1(INIT, "obtained DSO reference? %s\n",
152 (dso == NULL ? "No!" : "Yes."));
154 err_unshelve_state(err);
162 static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;
163 static int load_crypto_strings_inited = 0;
164 DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
168 * OPENSSL_NO_AUTOERRINIT is provided here to prevent at compile time
169 * pulling in all the error strings during static linking
171 #if !defined(OPENSSL_NO_ERR) && !defined(OPENSSL_NO_AUTOERRINIT)
172 OSSL_TRACE(INIT, "err_load_crypto_strings_int()\n");
173 ret = err_load_crypto_strings_int();
174 load_crypto_strings_inited = 1;
179 DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_load_crypto_strings,
180 ossl_init_load_crypto_strings)
182 /* Do nothing in this case */
186 static CRYPTO_ONCE add_all_ciphers = CRYPTO_ONCE_STATIC_INIT;
187 DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_ciphers)
190 * OPENSSL_NO_AUTOALGINIT is provided here to prevent at compile time
191 * pulling in all the ciphers during static linking
193 #ifndef OPENSSL_NO_AUTOALGINIT
194 OSSL_TRACE(INIT, "openssl_add_all_ciphers_int()\n");
195 openssl_add_all_ciphers_int();
200 DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_ciphers,
201 ossl_init_add_all_ciphers)
207 static CRYPTO_ONCE add_all_digests = CRYPTO_ONCE_STATIC_INIT;
208 DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_digests)
211 * OPENSSL_NO_AUTOALGINIT is provided here to prevent at compile time
212 * pulling in all the ciphers during static linking
214 #ifndef OPENSSL_NO_AUTOALGINIT
215 OSSL_TRACE(INIT, "openssl_add_all_digests()\n");
216 openssl_add_all_digests_int();
221 DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_digests,
222 ossl_init_add_all_digests)
228 static CRYPTO_ONCE add_all_kdfs = CRYPTO_ONCE_STATIC_INIT;
229 DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_kdfs)
232 * OPENSSL_NO_AUTOALGINIT is provided here to prevent at compile time
233 * pulling in all the macs during static linking
235 #ifndef OPENSSL_NO_AUTOALGINIT
236 OSSL_TRACE(INIT, "openssl_add_all_kdfs_int()\n");
237 openssl_add_all_kdfs_int();
242 DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_kdfs, ossl_init_add_all_kdfs)
248 static CRYPTO_ONCE config = CRYPTO_ONCE_STATIC_INIT;
249 static int config_inited = 0;
250 static const OPENSSL_INIT_SETTINGS *conf_settings = NULL;
251 DEFINE_RUN_ONCE_STATIC(ossl_init_config)
253 int ret = openssl_config_int(conf_settings);
257 DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_config, ossl_init_config)
259 OSSL_TRACE(INIT, "openssl_no_config_int()\n");
260 openssl_no_config_int();
265 static CRYPTO_ONCE async = CRYPTO_ONCE_STATIC_INIT;
266 static int async_inited = 0;
267 DEFINE_RUN_ONCE_STATIC(ossl_init_async)
269 OSSL_TRACE(INIT, "async_init()\n");
276 #ifndef OPENSSL_NO_ENGINE
277 static CRYPTO_ONCE engine_openssl = CRYPTO_ONCE_STATIC_INIT;
278 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
280 OSSL_TRACE(INIT, "engine_load_openssl_int()\n");
281 engine_load_openssl_int();
284 # ifndef OPENSSL_NO_RDRAND
285 static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT;
286 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_rdrand)
288 OSSL_TRACE(INIT, "engine_load_rdrand_int()\n");
289 engine_load_rdrand_int();
293 static CRYPTO_ONCE engine_dynamic = CRYPTO_ONCE_STATIC_INIT;
294 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic)
296 OSSL_TRACE(INIT, "engine_load_dynamic_int()\n");
297 engine_load_dynamic_int();
300 # ifndef OPENSSL_NO_STATIC_ENGINE
301 # ifndef OPENSSL_NO_DEVCRYPTOENG
302 static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT;
303 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto)
305 OSSL_TRACE(INIT, "engine_load_devcrypto_int()\n");
306 engine_load_devcrypto_int();
310 # if !defined(OPENSSL_NO_PADLOCKENG)
311 static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT;
312 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock)
314 OSSL_TRACE(INIT, "engine_load_padlock_int()\n");
315 engine_load_padlock_int();
319 # if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
320 static CRYPTO_ONCE engine_capi = CRYPTO_ONCE_STATIC_INIT;
321 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_capi)
323 OSSL_TRACE(INIT, "engine_load_capi_int()\n");
324 engine_load_capi_int();
328 # if !defined(OPENSSL_NO_AFALGENG)
329 static CRYPTO_ONCE engine_afalg = CRYPTO_ONCE_STATIC_INIT;
330 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg)
332 OSSL_TRACE(INIT, "engine_load_afalg_int()\n");
333 engine_load_afalg_int();
340 #ifndef OPENSSL_NO_COMP
341 static CRYPTO_ONCE zlib = CRYPTO_ONCE_STATIC_INIT;
343 static int zlib_inited = 0;
344 DEFINE_RUN_ONCE_STATIC(ossl_init_zlib)
346 /* Do nothing - we need to know about this for the later cleanup */
352 void OPENSSL_cleanup(void)
354 OPENSSL_INIT_STOP *currhandler, *lasthandler;
357 * TODO(3.0): This function needs looking at with a view to moving most/all
358 * of this into onfree handlers in OPENSSL_CTX.
361 /* If we've not been inited then no need to deinit */
365 /* Might be explicitly called and also by atexit */
371 * Thread stop may not get automatically called by the thread library for
372 * the very last thread in some situations, so call it directly.
374 OPENSSL_thread_stop();
376 currhandler = stop_handlers;
377 while (currhandler != NULL) {
378 currhandler->handler();
379 lasthandler = currhandler;
380 currhandler = currhandler->next;
381 OPENSSL_free(lasthandler);
383 stop_handlers = NULL;
385 CRYPTO_THREAD_lock_free(init_lock);
389 * We assume we are single-threaded for this function, i.e. no race
390 * conditions for the various "*_inited" vars below.
393 #ifndef OPENSSL_NO_COMP
395 OSSL_TRACE(INIT, "OPENSSL_cleanup: comp_zlib_cleanup_int()\n");
396 comp_zlib_cleanup_int();
401 OSSL_TRACE(INIT, "OPENSSL_cleanup: async_deinit()\n");
405 if (load_crypto_strings_inited) {
406 OSSL_TRACE(INIT, "OPENSSL_cleanup: err_free_strings_int()\n");
407 err_free_strings_int();
411 * Note that cleanup order is important:
412 * - rand_cleanup_int could call an ENGINE's RAND cleanup function so
413 * must be called before engine_cleanup_int()
414 * - ENGINEs use CRYPTO_EX_DATA and therefore, must be cleaned up
415 * before the ex data handlers are wiped during default openssl_ctx deinit.
416 * - conf_modules_free_int() can end up in ENGINE code so must be called
417 * before engine_cleanup_int()
418 * - ENGINEs and additional EVP algorithms might use added OIDs names so
419 * obj_cleanup_int() must be called last
421 OSSL_TRACE(INIT, "OPENSSL_cleanup: rand_cleanup_int()\n");
424 OSSL_TRACE(INIT, "OPENSSL_cleanup: conf_modules_free_int()\n");
425 conf_modules_free_int();
427 #ifndef OPENSSL_NO_ENGINE
428 OSSL_TRACE(INIT, "OPENSSL_cleanup: engine_cleanup_int()\n");
429 engine_cleanup_int();
431 OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_store_cleanup_int()\n");
432 ossl_store_cleanup_int();
434 OSSL_TRACE(INIT, "OPENSSL_cleanup: openssl_ctx_default_deinit()\n");
435 openssl_ctx_default_deinit();
437 ossl_cleanup_thread();
439 OSSL_TRACE(INIT, "OPENSSL_cleanup: bio_cleanup()\n");
442 OSSL_TRACE(INIT, "OPENSSL_cleanup: evp_cleanup_int()\n");
445 OSSL_TRACE(INIT, "OPENSSL_cleanup: obj_cleanup_int()\n");
448 OSSL_TRACE(INIT, "OPENSSL_cleanup: err_int()\n");
451 OSSL_TRACE(INIT, "OPENSSL_cleanup: CRYPTO_secure_malloc_done()\n");
452 CRYPTO_secure_malloc_done();
454 OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_trace_cleanup()\n");
455 ossl_trace_cleanup();
461 * If this function is called with a non NULL settings value then it must be
462 * called prior to any threads making calls to any OpenSSL functions,
463 * i.e. passing a non-null settings value is assumed to be single-threaded.
465 int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
468 * TODO(3.0): This function needs looking at with a view to moving most/all
469 * of this into OPENSSL_CTX.
473 if (!(opts & OPENSSL_INIT_BASE_ONLY))
474 CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL);
479 * When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the
480 * *only* option specified. With that option we return immediately after
481 * doing the requested limited initialization. Note that
482 * err_shelve_state() called by us via ossl_init_load_crypto_nodelete()
483 * re-enters OPENSSL_init_crypto() with OPENSSL_INIT_BASE_ONLY, but with
484 * base already initialized this is a harmless NOOP.
486 * If we remain the only caller of err_shelve_state() the recursion should
487 * perhaps be removed, but if in doubt, it can be left in place.
489 if (!RUN_ONCE(&base, ossl_init_base))
492 if (opts & OPENSSL_INIT_BASE_ONLY)
496 * Now we don't always set up exit handlers, the INIT_BASE_ONLY calls
497 * should not have the side-effect of setting up exit handlers, and
498 * therefore, this code block is below the INIT_BASE_ONLY-conditioned early
501 if ((opts & OPENSSL_INIT_NO_ATEXIT) != 0) {
502 if (!RUN_ONCE_ALT(®ister_atexit, ossl_init_no_register_atexit,
503 ossl_init_register_atexit))
505 } else if (!RUN_ONCE(®ister_atexit, ossl_init_register_atexit)) {
509 if (!RUN_ONCE(&load_crypto_nodelete, ossl_init_load_crypto_nodelete))
512 if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS)
513 && !RUN_ONCE_ALT(&load_crypto_strings,
514 ossl_init_no_load_crypto_strings,
515 ossl_init_load_crypto_strings))
518 if ((opts & OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
519 && !RUN_ONCE(&load_crypto_strings, ossl_init_load_crypto_strings))
522 if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS)
523 && !RUN_ONCE_ALT(&add_all_ciphers, ossl_init_no_add_all_ciphers,
524 ossl_init_add_all_ciphers))
527 if ((opts & OPENSSL_INIT_ADD_ALL_CIPHERS)
528 && !RUN_ONCE(&add_all_ciphers, ossl_init_add_all_ciphers))
531 if ((opts & OPENSSL_INIT_NO_ADD_ALL_DIGESTS)
532 && !RUN_ONCE_ALT(&add_all_digests, ossl_init_no_add_all_digests,
533 ossl_init_add_all_digests))
536 if ((opts & OPENSSL_INIT_ADD_ALL_DIGESTS)
537 && !RUN_ONCE(&add_all_digests, ossl_init_add_all_digests))
540 if ((opts & OPENSSL_INIT_NO_ADD_ALL_KDFS)
541 && !RUN_ONCE_ALT(&add_all_kdfs, ossl_init_no_add_all_kdfs,
542 ossl_init_add_all_kdfs))
545 if ((opts & OPENSSL_INIT_ADD_ALL_KDFS)
546 && !RUN_ONCE(&add_all_kdfs, ossl_init_add_all_kdfs))
549 if ((opts & OPENSSL_INIT_ATFORK)
550 && !openssl_init_fork_handlers())
553 if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG)
554 && !RUN_ONCE_ALT(&config, ossl_init_no_config, ossl_init_config))
557 if (opts & OPENSSL_INIT_LOAD_CONFIG) {
559 CRYPTO_THREAD_write_lock(init_lock);
560 conf_settings = settings;
561 ret = RUN_ONCE(&config, ossl_init_config);
562 conf_settings = NULL;
563 CRYPTO_THREAD_unlock(init_lock);
568 if ((opts & OPENSSL_INIT_ASYNC)
569 && !RUN_ONCE(&async, ossl_init_async))
572 #ifndef OPENSSL_NO_ENGINE
573 if ((opts & OPENSSL_INIT_ENGINE_OPENSSL)
574 && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl))
576 # ifndef OPENSSL_NO_RDRAND
577 if ((opts & OPENSSL_INIT_ENGINE_RDRAND)
578 && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
581 if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC)
582 && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
584 # ifndef OPENSSL_NO_STATIC_ENGINE
585 # ifndef OPENSSL_NO_DEVCRYPTOENG
586 if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV)
587 && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto))
590 # if !defined(OPENSSL_NO_PADLOCKENG)
591 if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
592 && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
595 # if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
596 if ((opts & OPENSSL_INIT_ENGINE_CAPI)
597 && !RUN_ONCE(&engine_capi, ossl_init_engine_capi))
600 # if !defined(OPENSSL_NO_AFALGENG)
601 if ((opts & OPENSSL_INIT_ENGINE_AFALG)
602 && !RUN_ONCE(&engine_afalg, ossl_init_engine_afalg))
606 if (opts & (OPENSSL_INIT_ENGINE_ALL_BUILTIN
607 | OPENSSL_INIT_ENGINE_OPENSSL
608 | OPENSSL_INIT_ENGINE_AFALG)) {
609 ENGINE_register_all_complete();
613 #ifndef OPENSSL_NO_COMP
614 if ((opts & OPENSSL_INIT_ZLIB)
615 && !RUN_ONCE(&zlib, ossl_init_zlib))
622 int OPENSSL_atexit(void (*handler)(void))
624 OPENSSL_INIT_STOP *newhand;
626 #if !defined(OPENSSL_USE_NODELETE)\
627 && !defined(OPENSSL_NO_PINSHARED)
634 handlersym.func = handler;
635 # if defined(DSO_WIN32) && !defined(_WIN32_WCE)
637 HMODULE handle = NULL;
641 * We don't use the DSO route for WIN32 because there is a better
644 ret = GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS
645 | GET_MODULE_HANDLE_EX_FLAG_PIN,
646 handlersym.sym, &handle);
651 # elif !defined(DSO_NONE)
653 * Deliberately leak a reference to the handler. This will force the
654 * library/code containing the handler to remain loaded until we run the
655 * atexit handler. If -znodelete has been used then this is
662 dso = DSO_dsobyaddr(handlersym.sym, DSO_FLAG_NO_UNLOAD_ON_FREE);
663 /* See same code above in ossl_init_base() for an explanation. */
665 "atexit: obtained DSO reference? %s\n",
666 (dso == NULL ? "No!" : "Yes."));
674 if ((newhand = OPENSSL_malloc(sizeof(*newhand))) == NULL) {
675 CRYPTOerr(CRYPTO_F_OPENSSL_ATEXIT, ERR_R_MALLOC_FAILURE);
679 newhand->handler = handler;
680 newhand->next = stop_handlers;
681 stop_handlers = newhand;
686 #ifdef OPENSSL_SYS_UNIX
688 * The following three functions are for OpenSSL developers. This is
689 * where we set/reset state across fork (called via pthread_atfork when
690 * it exists, or manually by the application when it doesn't).
692 * WARNING! If you put code in either OPENSSL_fork_parent or
693 * OPENSSL_fork_child, you MUST MAKE SURE that they are async-signal-
694 * safe. See this link, for example:
695 * http://man7.org/linux/man-pages/man7/signal-safety.7.html
698 void OPENSSL_fork_prepare(void)
702 void OPENSSL_fork_parent(void)
706 void OPENSSL_fork_child(void)
709 /* TODO(3.0): Inform all providers about a fork event */