Provide openssl_init_crypto_constructor() and invoke via a constructor.

There are a very large number of entry points to libcrypto, which means it
is easy to run code prior to OPENSSL_init_crypto() being invoked. This
means that CPU capability detection will not have been run, leading to
poor choices with regards to the use of accelerated implementations.

Now that our CPU capability detection code has been cleaned up and is safe,
provide an openssl_init_crypto_constructor() that runs CPU capability
detection and invoke it as a library constructor. This should only be used
to invoke code that does not do memory allocation or trigger signals.

ok tb@

1 files changed, 14 insertions, 3 deletions

diff --git a/src/lib/libcrypto/crypto_init.c b/src/lib/libcrypto/crypto_init.c
index 44c4846762..79c100f668 100644
--- a/src/lib/libcrypto/crypto_init.c
+++ b/src/lib/libcrypto/crypto_init.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_init.c,v 1.24 2025/05/24 07:23:14 jsing Exp $ */
+/*      $OpenBSD: crypto_init.c,v 1.25 2025/05/24 07:41:14 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  *
@@ -37,6 +37,8 @@ static pthread_once_t crypto_init_once = PTHREAD_ONCE_INIT;
 static pthread_t crypto_init_thread;
 static int crypto_init_cleaned_up;
 
+void openssl_init_crypto_constructor(void)  __attribute__((constructor));
+
 #ifndef HAVE_CRYPTO_CPU_CAPS_INIT
 void
 crypto_cpu_caps_init(void)
@@ -44,6 +46,17 @@ crypto_cpu_caps_init(void)
 }
 #endif
 
+/*
+ * This function is invoked as a constructor when the library is loaded. The
+ * code run from here must not allocate memory or trigger signals. The only
+ * safe code is to read data and update global variables.
+ */
+void
+openssl_init_crypto_constructor(void)
+{
+        crypto_cpu_caps_init();
+}
+
 void
 OPENSSL_init(void)
 {
@@ -55,8 +68,6 @@ OPENSSL_init_crypto_internal(void)
 {
         crypto_init_thread = pthread_self();
 
-        crypto_cpu_caps_init();
-
         ERR_load_crypto_strings();
 }