From e464d58452a0842aa8954833a7d46480949f5a6b Mon Sep 17 00:00:00 2001 From: beck <> Date: Mon, 19 Mar 2018 03:35:38 +0000 Subject: Correct mistake of loading the default openssl.conf by default during autoinit. This brings in the OPENSSL_INIT_LOAD_CONFIG flag with the same semantics as OpenSSL. As a result, by default the openssl.conf file is not loaded during autoinit, which makes autoinit safe for pledge(stdio). ok jsing@ --- src/lib/libcrypto/conf/conf_sap.c | 31 ++++++++++++++++++++++++------- src/lib/libcrypto/crypto.h | 4 ++-- src/lib/libcrypto/crypto_init.c | 15 +++++++++++---- 3 files changed, 37 insertions(+), 13 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/conf/conf_sap.c b/src/lib/libcrypto/conf/conf_sap.c index f1844f69f4..98497025ee 100644 --- a/src/lib/libcrypto/conf/conf_sap.c +++ b/src/lib/libcrypto/conf/conf_sap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_sap.c,v 1.12 2018/03/17 16:20:01 beck Exp $ */ +/* $OpenBSD: conf_sap.c,v 1.13 2018/03/19 03:35:38 beck Exp $ */ /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -108,8 +108,8 @@ OPENSSL_config_internal(void) return; } -void -OPENSSL_config(const char *config_name) +int +OpenSSL_config(const char *config_name) { /* Don't override if NULL */ /* @@ -120,11 +120,19 @@ OPENSSL_config(const char *config_name) if (config_name != NULL) openssl_config_name = config_name; - (void) OPENSSL_init_crypto(0, NULL); + if (OPENSSL_init_crypto(0, NULL) == 0) + return 0; - (void) pthread_once(&openssl_configured, OPENSSL_config_internal); + if (pthread_once(&openssl_configured, OPENSSL_config_internal) != 0) + return 0; - return; + return 1; +} + +void +OPENSSL_config(const char *config_name) +{ + (void) OpenSSL_config(config_name); } static void @@ -132,8 +140,17 @@ OPENSSL_no_config_internal(void) { } +int +OpenSSL_no_config(void) +{ + if (pthread_once(&openssl_configured, OPENSSL_no_config_internal) != 0) + return 0; + + return 1; +} + void OPENSSL_no_config(void) { - (void) pthread_once(&openssl_configured, OPENSSL_no_config_internal); + (void) OpenSSL_no_config(); } diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h index f13ce92584..67e06a1509 100644 --- a/src/lib/libcrypto/crypto.h +++ b/src/lib/libcrypto/crypto.h @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto.h,v 1.44 2018/03/18 01:39:26 tb Exp $ */ +/* $OpenBSD: crypto.h,v 1.45 2018/03/19 03:35:38 beck Exp $ */ /* ==================================================================== * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * @@ -547,6 +547,7 @@ void ERR_load_CRYPTO_strings(void); */ #define OPENSSL_INIT_NO_LOAD_CONFIG 0x00000001L +#define OPENSSL_INIT_LOAD_CONFIG 0x00000002L /* LibreSSL specific */ #define _OPENSSL_INIT_FLAG_NOOP 0x80000000L @@ -555,7 +556,6 @@ void ERR_load_CRYPTO_strings(void); * These are provided for compatibiliy, but have no effect * on how LibreSSL is initialized. */ -#define OPENSSL_INIT_LOAD_CONFIG _OPENSSL_INIT_FLAG_NOOP #define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS _OPENSSL_INIT_FLAG_NOOP #define OPENSSL_INIT_LOAD_CRYPTO_STRINGS _OPENSSL_INIT_FLAG_NOOP #define OPENSSL_INIT_ADD_ALL_CIPHERS _OPENSSL_INIT_FLAG_NOOP diff --git a/src/lib/libcrypto/crypto_init.c b/src/lib/libcrypto/crypto_init.c index f3d1a2bce9..ed2b5d4810 100644 --- a/src/lib/libcrypto/crypto_init.c +++ b/src/lib/libcrypto/crypto_init.c @@ -25,6 +25,9 @@ #include #include "cryptlib.h" +int OpenSSL_config(char *); +int OpenSSL_no_config(char *); + static pthread_t crypto_init_thread; static void @@ -35,7 +38,6 @@ OPENSSL_init_crypto_internal(void) ERR_load_crypto_strings(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); - OPENSSL_config(NULL); } int @@ -46,11 +48,16 @@ OPENSSL_init_crypto(uint64_t opts, const void *settings) if (pthread_equal(pthread_self(), crypto_init_thread)) return 1; /* don't recurse */ - if (opts & OPENSSL_INIT_NO_LOAD_CONFIG) - OPENSSL_no_config(); - if (pthread_once(&once, OPENSSL_init_crypto_internal) != 0) return 0; + if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG) && + (OpenSSL_no_config(NULL) == 0)) + return 0; + + if ((opts & OPENSSL_INIT_LOAD_CONFIG) && + (OpenSSL_config(NULL) == 0)) + return 0; + return 1; } -- cgit v1.2.3-55-g6feb