refactor libcrypto initialisation

Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually supports it. Move all libcrypto initialisation to a single function, and call that from seed_rng() that is called early in each tool's main(). Prompted by patch from Rosen Penev
author: Damien Miller <djm@mindrot.org> 2018-11-23 10:40:06 +1100
committer: Damien Miller <djm@mindrot.org> 2018-11-23 10:42:05 +1100
commit: 42c5ec4b97b6a1bae70f323952d0646af16ce710 (patch)
tree: 6d85f7daebb7241b80bc91126f433dca62e850e8 /openbsd-compat
parent: 5b60b6c02009547a3e2a99d4886965de2a4719da (diff)
2 files changed, 15 insertions, 30 deletions
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 5ade8f0ba..d8c00ebcb 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -66,26 +66,31 @@ ssh_compatible_openssl(long headerver, long libver)
        return 0;
 }
-#ifdef  USE_OPENSSL_ENGINE
 void
-ssh_OpenSSL_add_all_algorithms(void)
+ssh_libcrypto_init(void)
 {
+#if defined(HAVE_OPENSSL_ADD_ALL_ALGORITHMS)
        OpenSSL_add_all_algorithms();
+#elif defined(HAVE_OPENSSL_INIT_CRYPTO) && \
+      defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \
+      defined(OPENSSL_INIT_ADD_ALL_DIGESTS)
+        OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
+            OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+#endif
+#ifdef  USE_OPENSSL_ENGINE
        /* Enable use of crypto hardware */
        ENGINE_load_builtin_engines();
        ENGINE_register_all_complete();
-#if defined(HAVE_OPENSSL_INIT_CRYPTO) && \
+        /* Load the libcrypto config file to pick up engines defined there */
-     defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \
+# if defined(HAVE_OPENSSL_INIT_CRYPTO) && defined(OPENSSL_INIT_LOAD_CONFIG)
-     defined(OPENSSL_INIT_ADD_ALL_DIGESTS) && \
-     defined(OPENSSL_INIT_LOAD_CONFIG)
        OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
            OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG, NULL);
-#else
+# else
        OPENSSL_config(NULL);
-#endif
+# endif
+#endif /* USE_OPENSSL_ENGINE */
 }
-#endif
 #endif /* WITH_OPENSSL */
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index b87ce59e7..917bc6f7c 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -31,6 +31,7 @@
 #include <openssl/dh.h>
 int ssh_compatible_openssl(long, long);
+void ssh_libcrypto_init(void);
 #if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
 # error OpenSSL 1.0.1 or greater is required
@@ -92,27 +93,6 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 # endif
 #endif
-/*
- * We overload some of the OpenSSL crypto functions with ssh_* equivalents
- * to automatically handle OpenSSL engine initialisation.
- *
- * In order for the compat library to call the real functions, it must
- * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
- * implement the ssh_* equivalents.
- */
-#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
-# ifdef USE_OPENSSL_ENGINE
-#  ifdef OpenSSL_add_all_algorithms
-#   undef OpenSSL_add_all_algorithms
-#  endif
-#  define OpenSSL_add_all_algorithms()  ssh_OpenSSL_add_all_algorithms()
-# endif
-void ssh_OpenSSL_add_all_algorithms(void);
-#endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
 /* LibreSSL/OpenSSL 1.1x API compat */
 #ifndef HAVE_DSA_GET0_PQG
 void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
author	Damien Miller <djm@mindrot.org>	2018-11-23 10:40:06 +1100
committer	Damien Miller <djm@mindrot.org>	2018-11-23 10:42:05 +1100
commit	42c5ec4b97b6a1bae70f323952d0646af16ce710 (patch)
tree	6d85f7daebb7241b80bc91126f433dca62e850e8 /openbsd-compat
parent	5b60b6c02009547a3e2a99d4886965de2a4719da (diff)