2016-02-09 18:17:59 +08:00
|
|
|
=pod
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
2016-06-21 19:03:34 +08:00
|
|
|
OPENSSL_init_new, OPENSSL_INIT_set_config_appname, OPENSSL_INIT_free,
|
2016-02-10 00:52:40 +08:00
|
|
|
OPENSSL_init_crypto, OPENSSL_cleanup,
|
|
|
|
OPENSSL_atexit, OPENSSL_thread_stop - OpenSSL
|
2016-02-09 18:17:59 +08:00
|
|
|
initialisation and deinitialisation functions
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
#include <openssl/crypto.h>
|
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
void OPENSSL_cleanup(void);
|
2016-02-10 21:59:15 +08:00
|
|
|
int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
|
2016-02-10 00:52:40 +08:00
|
|
|
int OPENSSL_atexit(void (*handler)(void));
|
|
|
|
void OPENSSL_thread_stop(void);
|
2016-02-09 18:17:59 +08:00
|
|
|
|
2016-02-10 22:55:48 +08:00
|
|
|
OPENSSL_INIT_SETTINGS *OPENSSL_init_new(void);
|
2016-06-13 09:49:40 +08:00
|
|
|
int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init,
|
|
|
|
const char* name);
|
2016-05-23 17:55:54 +08:00
|
|
|
void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init);
|
2016-02-10 22:55:48 +08:00
|
|
|
|
2016-02-09 18:17:59 +08:00
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
During normal operation OpenSSL (libcrypto) will allocate various resources at
|
|
|
|
start up that must, subsequently, be freed on close down of the library.
|
|
|
|
Additionally some resources are allocated on a per thread basis (if the
|
|
|
|
application is multi-threaded), and these resources must be freed prior to the
|
|
|
|
thread closing.
|
|
|
|
|
|
|
|
As of version 1.1.0 OpenSSL will automatically allocate all resources that it
|
|
|
|
needs so no explicit initialisation is required. Similarly it will also
|
|
|
|
automatically deinitialise as required.
|
|
|
|
|
|
|
|
However, there way be situations when explicit initialisation is desirable or
|
|
|
|
needed, for example when some non-default initialisation is required. The
|
2016-02-10 00:52:40 +08:00
|
|
|
function OPENSSL_init_crypto() can be used for this purpose for
|
|
|
|
libcrypto (see also L<OPENSSL_init_ssl(3)> for the libssl
|
2016-02-09 21:12:34 +08:00
|
|
|
equivalent).
|
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
Numerous internal OpenSSL functions call OPENSSL_init_crypto().
|
2016-02-09 21:12:34 +08:00
|
|
|
Therefore, in order to perform non-default initialisation,
|
2016-02-10 00:52:40 +08:00
|
|
|
OPENSSL_init_crypto() MUST be called by application code prior to
|
2016-02-09 21:12:34 +08:00
|
|
|
any other OpenSSL function calls.
|
2016-02-09 18:17:59 +08:00
|
|
|
|
|
|
|
The B<opts> parameter specifies which aspects of libcrypto should be
|
|
|
|
initialised. Valid options are:
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS
|
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
Suppress automatic loading of the libcrypto error strings. This option is
|
2016-02-09 18:17:59 +08:00
|
|
|
not a default option. Once selected subsequent calls to
|
2016-02-10 00:52:40 +08:00
|
|
|
OPENSSL_init_crypto() with the option
|
|
|
|
B<OPENSSL_INIT_LOAD_CRYPTO_STRINGS> will be ignored.
|
2016-02-09 18:17:59 +08:00
|
|
|
|
|
|
|
=item OPENSSL_INIT_LOAD_CRYPTO_STRINGS
|
|
|
|
|
|
|
|
Automatic loading of the libcrypto error strings. With this option the
|
2016-02-10 00:52:40 +08:00
|
|
|
library will automatically load the libcrypto error strings.
|
|
|
|
This option is a default option. Once selected subsequent calls to
|
|
|
|
OPENSSL_init_crypto() with the option
|
2016-02-09 18:17:59 +08:00
|
|
|
B<OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS> will be ignored.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ADD_ALL_CIPHERS
|
|
|
|
|
|
|
|
With this option the library will automatically load and make available all
|
|
|
|
libcrypto ciphers. This option is a default option. Once selected subsequent
|
2016-02-10 00:52:40 +08:00
|
|
|
calls to OPENSSL_init_crypto() with the option
|
2016-02-09 18:17:59 +08:00
|
|
|
B<OPENSSL_INIT_NO_ADD_ALL_CIPHERS> will be ignored.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ADD_ALL_DIGESTS
|
|
|
|
|
|
|
|
With this option the library will automatically load and make available all
|
|
|
|
libcrypto digests. This option is a default option. Once selected subsequent
|
2016-02-10 00:52:40 +08:00
|
|
|
calls to OPENSSL_init_crypto() with the option
|
2016-02-09 18:17:59 +08:00
|
|
|
B<OPENSSL_INIT_NO_ADD_ALL_CIPHERS> will be ignored.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_NO_ADD_ALL_CIPHERS
|
|
|
|
|
|
|
|
With this option the library will suppress automatic loading of libcrypto
|
|
|
|
ciphers. This option is not a default option. Once selected subsequent
|
2016-02-10 00:52:40 +08:00
|
|
|
calls to OPENSSL_init_crypto() with the option
|
2016-02-09 18:17:59 +08:00
|
|
|
B<OPENSSL_INIT_ADD_ALL_CIPHERS> will be ignored.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_NO_ADD_ALL_DIGESTS
|
|
|
|
|
|
|
|
With this option the library will suppress automatic loading of libcrypto
|
|
|
|
digests. This option is not a default option. Once selected subsequent
|
2016-02-10 00:52:40 +08:00
|
|
|
calls to OPENSSL_init_crypto() with the option
|
2016-02-09 18:17:59 +08:00
|
|
|
B<OPENSSL_INIT_ADD_ALL_DIGESTS> will be ignored.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_LOAD_CONFIG
|
|
|
|
|
|
|
|
With this option an OpenSSL configuration file will be automatically loaded and
|
|
|
|
used by calling OPENSSL_config(). This is not a default option.
|
2016-02-10 22:55:48 +08:00
|
|
|
See the description of OPENSSL_init_new(), below.
|
2016-02-09 18:17:59 +08:00
|
|
|
|
|
|
|
=item OPENSSL_INIT_NO_LOAD_CONFIG
|
|
|
|
|
|
|
|
With this option the loading of OpenSSL configuration files will be suppressed.
|
|
|
|
It is the equivalent of calling OPENSSL_no_config(). This is not a default
|
|
|
|
option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ASYNC
|
|
|
|
|
|
|
|
With this option the library with automatically initialise the libcrypto async
|
|
|
|
sub-library (see L<ASYNC_start_job(3)>). This is a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_RDRAND
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise the
|
|
|
|
RDRAND engine (if available). This not a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_DYNAMIC
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise the
|
|
|
|
dynamic engine. This not a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_OPENSSL
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise the
|
|
|
|
openssl engine. This not a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_CRYPTODEV
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise the
|
|
|
|
cryptodev engine (if available). This not a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_CAPI
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise the
|
|
|
|
CAPI engine (if available). This not a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_PADLOCK
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise the
|
|
|
|
padlock engine (if available). This not a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_DASYNC
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise the
|
|
|
|
DASYNC engine. This not a default option.
|
|
|
|
|
|
|
|
=item OPENSSL_INIT_ENGINE_ALL_BUILTIN
|
|
|
|
|
|
|
|
With this option the library will automatically load and initialise all the
|
|
|
|
built in engines listed above with the exception of the openssl and dasync
|
|
|
|
engines. This not a default option.
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
Multiple options may be combined together in a single call to
|
2016-02-11 00:17:01 +08:00
|
|
|
OPENSSL_init_crypto(). For example:
|
2016-02-09 18:17:59 +08:00
|
|
|
|
2016-02-11 00:17:01 +08:00
|
|
|
OPENSSL_init_crypto(OPENSSL_INIT_NO_ADD_ALL_CIPHERS
|
|
|
|
| OPENSSL_INIT_NO_ADD_ALL_DIGESTS, NULL);
|
2016-02-09 18:17:59 +08:00
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
The OPENSSL_cleanup() function deinitialises OpenSSL (both libcrypto
|
2016-02-09 18:17:59 +08:00
|
|
|
and libssl). All resources allocated by OpenSSL are freed. Typically there
|
|
|
|
should be no need to call this function directly as it is initiated
|
|
|
|
automatically on application exit. This is done via the standard C library
|
2017-03-11 21:56:44 +08:00
|
|
|
atexit() function. In the event that the application will close in a manner
|
2016-02-09 18:17:59 +08:00
|
|
|
that will not call the registered atexit() handlers then the application should
|
2016-02-10 00:52:40 +08:00
|
|
|
call OPENSSL_cleanup() directly. Developers of libraries using OpenSSL
|
2016-02-09 18:17:59 +08:00
|
|
|
are discouraged from calling this function and should instead, typically, rely
|
|
|
|
on auto-deinitialisation. This is to avoid error conditions where both an
|
|
|
|
application and a library it depends on both use OpenSSL, and the library
|
|
|
|
deinitialises it before the application has finished using it.
|
|
|
|
|
2016-02-11 00:17:01 +08:00
|
|
|
Once OPENSSL_cleanup() has been called the library cannot be reinitialised.
|
|
|
|
Attempts to call OPENSSL_init_crypto() will fail and an ERR_R_INIT_FAIL error
|
|
|
|
will be added to the error stack. Note that because initialisation has failed
|
|
|
|
OpenSSL error strings will not be available, only an error code. This code can
|
|
|
|
be put through the openssl errstr command line application to produce a human
|
|
|
|
readable error (see L<errstr(1)>).
|
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
The OPENSSL_atexit() function enables the registration of a
|
|
|
|
function to be called during OPENSSL_cleanup(). Stop handlers are
|
2016-02-09 18:17:59 +08:00
|
|
|
called after deinitialisation of resources local to a thread, but before other
|
|
|
|
process wide resources are freed. In the event that multiple stop handlers are
|
|
|
|
registered, no guarantees are made about the order of execution.
|
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
The OPENSSL_thread_stop() function deallocates resources associated
|
2016-02-09 18:17:59 +08:00
|
|
|
with the current thread. Typically this function will be called automatically by
|
|
|
|
the library when the thread exits. This should only be called directly if
|
|
|
|
resources should be freed at an earlier time, or under the circumstances
|
|
|
|
described in the NOTES section below.
|
|
|
|
|
2016-02-10 22:55:48 +08:00
|
|
|
The B<OPENSSL_INIT_LOAD_CONFIG> flag will load a default configuration
|
|
|
|
file. To specify a different file, an B<OPENSSL_INIT_SETTINGS> must
|
|
|
|
be created and used. The routines
|
2016-06-13 09:49:40 +08:00
|
|
|
OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can be used to
|
|
|
|
allocate the object and set the application name, and then the
|
2016-02-10 22:55:48 +08:00
|
|
|
object can be released with OPENSSL_INIT_free() when done.
|
|
|
|
|
2016-02-09 18:17:59 +08:00
|
|
|
=head1 NOTES
|
|
|
|
|
|
|
|
Resources local to a thread are deallocated automatically when the thread exits
|
|
|
|
(e.g. in a pthreads environment, when pthread_exit() is called). On Windows
|
|
|
|
platforms this is done in response to a DLL_THREAD_DETACH message being sent to
|
2016-03-03 19:42:01 +08:00
|
|
|
the libcrypto32.dll entry point. Some windows functions may cause threads to exit
|
2016-02-09 18:17:59 +08:00
|
|
|
without sending this message (for example ExitProcess()). If the application
|
|
|
|
uses such functions, then the application must free up OpenSSL resources
|
Document the issue with threads and dlopen()
If using threads and OpenSSL is loaded via dlopen(), and subsequently
closed again via dlclose() *before* the threads are destroyed, then
OpenSSL will not free up the per thread resources. We need to document
this restriction, and provide some guidance on what to do about it.
I did some testing and discovered/verified a few of things (at least
this is the behaviour on Linux):
- Using OpenSSL via dlopen in a mutli-threaded app does leak memory if
threads are destroyed after dlcose() is called.
- In a single threaded environment, or if threads are destroyed prior to
dlclose() being called, then no memory is leaked
- Using the RTLD_NODELETE flag to dlopen solves the above problem
- Interestingly the OpenSSL atexit() handler gets called when dlclose()
is called rather than at application exit (I was worred that it might crash
if there was an atexit() handler for a function that has been unloaded)
- RTLD_NODELETE is a non-standard flag - but it does seem to be fairly
widely supported. As far as I could determine (via google), at least Linux,
Solaris, OpenBSD, FreeBSD, HP-UX all seem to support it.
I also tested on Windows (using LoadLibrary instead of dlopen and
FreeLibrary instead of dlclose) and experienced similar behaviour, except
that (AFAIK) there is no equivalent of RTLD_NODELETE on Windows.
GitHub Issue #653
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-07 20:24:01 +08:00
|
|
|
directly via a call to OPENSSL_thread_stop() on each thread. Similarly this
|
|
|
|
message will also not be sent if OpenSSL is linked statically, and therefore
|
|
|
|
applications using static linking should also call OPENSSL_thread_stop() on each
|
|
|
|
thread. Additionally if OpenSSL is loaded dynamically via LoadLibrary() and the
|
|
|
|
threads are not destroyed until after FreeLibrary() is called then each thread
|
|
|
|
should call OPENSSL_thread_stop() prior to the FreeLibrary() call.
|
|
|
|
|
|
|
|
On Linux/Unix where OpenSSL has been loaded via dlopen() and the application is
|
|
|
|
multi-threaded and if dlclose() is subsequently called prior to the threads
|
|
|
|
being destroyed then OpenSSL will not be able to deallocate resources associated
|
|
|
|
with those threads. The application should either call OPENSSL_thread_stop() on
|
|
|
|
each thread prior to the dlclose() call, or alternatively the original dlopen()
|
|
|
|
call should use the RTLD_NODELETE flag (where available on the platform).
|
2016-02-09 18:17:59 +08:00
|
|
|
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
|
2016-05-23 17:55:54 +08:00
|
|
|
The functions OPENSSL_init_crypto, OPENSSL_atexit() and
|
2016-06-13 09:49:40 +08:00
|
|
|
OPENSSL_INIT_set_config_appname() return 1 on success or 0 on error.
|
2016-02-09 18:17:59 +08:00
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
L<OPENSSL_init_ssl(3)>
|
2016-02-09 18:17:59 +08:00
|
|
|
|
|
|
|
=head1 HISTORY
|
|
|
|
|
2016-02-10 00:52:40 +08:00
|
|
|
The OPENSSL_init_crypto(), OPENSSL_cleanup(), OPENSSL_atexit(),
|
2016-06-13 09:49:40 +08:00
|
|
|
OPENSSL_thread_stop(), OPENSSL_init_new(), OPENSSL_INIT_set_config_appname()
|
2016-05-23 17:55:54 +08:00
|
|
|
and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0.
|
2016-02-09 18:17:59 +08:00
|
|
|
|
2016-05-18 23:44:05 +08:00
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
2017-03-11 21:56:44 +08:00
|
|
|
Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
|
2016-05-18 23:44:05 +08:00
|
|
|
|
|
|
|
Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
this file except in compliance with the License. You can obtain a copy
|
|
|
|
in the file LICENSE in the source distribution or at
|
|
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
|
|
|
|
=cut
|