g_mutexes = NULL;
}
-} // namespace anonymous
-
-
-void initOpenSsl()
+void initOpenSsl(bool isLib)
{
- // Loads all error strings (crypto and ssl)
- SSL_load_error_strings();
-
/*
* Initialize libcrypto (add all algorithms, digests & ciphers)
* It also does the stuff from SSL_library_init() except for ssl_load_ciphers()
*/
OpenSSL_add_all_algorithms(); // Can be optimized by using EVP_add_cipher instead
- /*
- * Initialize libssl (OCSP uses it)
- * SSL_library_init() == OpenSSL_add_ssl_algorithms()
- * It always returns 1
- */
- SSL_library_init();
-
- // load default configuration (/etc/ssl/openssl.cnf)
- OPENSSL_config(NULL);
+ if (isLib)
+ return;
- // enable FIPS mode by default
- if (0 == FIPS_mode_set(1))
- LogWarning("Failed to set FIPS mode. Key-manager will be operated in non FIPS mode.");
+ // below initializes only for executable client. (key-manager daemon)
/*
* Initialize entropy
LogError("Error in U_RAND_file_load");
}
- // Install locks for multithreading support
- opensslInstallLocks();
-}
+ /*
+ * Initialize libssl (OCSP uses it)
+ * SSL_library_init() == OpenSSL_add_ssl_algorithms()
+ * It always returns 1
+ */
+ SSL_library_init();
-void deinitOpenSsl()
-{
- opensslUninstallLocks();
- CONF_modules_unload(1);
- EVP_cleanup();
- ERR_free_strings();
- deinitOpenSslThread();
-}
+ // load default configuration (/etc/ssl/openssl.cnf)
+ OPENSSL_config(NULL);
+ // Loads all error strings (crypto and ssl)
+ SSL_load_error_strings();
-void deinitOpenSslThread()
-{
- CRYPTO_cleanup_all_ex_data();
- ERR_remove_thread_state(NULL);
+ // Install locks for multithreading support
+ opensslInstallLocks();
}
-namespace {
std::mutex cryptoInitMutex;
void initOpenSslAndDetach();
void initEmpty() {}
+// this function will be called only once by initOpenSslOnce for library client
void initOpenSslAndDetach()
{
// DCLP
std::lock_guard<std::mutex> lock(cryptoInitMutex);
/*
- * We don't care about memory ordering here. Current thread will order it correctly and for
- * other threads only store matters. Also only one thread can be here at once because of lock.
+ * We don't care about memory ordering here. Current thread will order it
+ * correctly and for other threads only store matters. Also only one thread
+ * can be here at once because of lock.
*/
if (initFn.load(std::memory_order_relaxed) != &initEmpty) {
- initOpenSsl();
+ initOpenSsl(true);
/*
- * Synchronizes with load. Everything that happened before this store in this thread is
- * visible to everything that happens after load in another thread. We switch to an empty
- * function here.
+ * Synchronizes with load. Everything that happened before this store in
+ * this thread is visible to everything that happens after load in another
+ * thread. We switch to an empty function here.
*/
initFn.store(&initEmpty, std::memory_order_release);
}
} // namespace anonymous
+void initOpenSsl()
+{
+ initOpenSsl(false);
+}
+
+void deinitOpenSsl()
+{
+ opensslUninstallLocks();
+ CONF_modules_free(); // cleanup of OPENSSL_config
+ EVP_cleanup(); // cleanup of OpenSSL_add_all_algorithms
+ ERR_free_strings(); //cleanup of SSL_load_error_strings
+ deinitOpenSslThread();
+}
+
+void deinitOpenSslThread()
+{
+ CRYPTO_cleanup_all_ex_data();
+ ERR_remove_thread_state(NULL);
+}
+
void initOpenSslOnce()
{
/*
- * Synchronizes with store. Everything that happened before store in another thread will be
- * visible in this thread after load.
+ * Synchronizes with store. Everything that happened before store in another
+ * thread will be visible in this thread after load.
*/
initFn.load(std::memory_order_acquire)();
}
-} /* namespace CKM */
+} // namespace CKM
#include <symbol-visibility.h>
namespace CKM {
+// Remarks!
+// These functions are used carefully depending on library / executable client.
+//
+// Init/deinit locking functions are only available for executable client
+// (it's key-manager daemon)
+//
+// For library client, locking functions are not supported because it can make
+// undefined behavior(usually segmentation fault) when the client is used as
+// plugin(dynamic loaded) because there's probability of openssl's locking function
+// being init/deinit on multiple plugins.
+// Must be called once manually because it'll handle openssl locking functions.
+// Only for server.
COMMON_API void initOpenSsl();
COMMON_API void deinitOpenSsl();
+// deinit for every service thread on server.
COMMON_API void deinitOpenSslThread();
+
+// init for client or common libraries.
+// It'll only do OpenSSL_add_all_algorithms
COMMON_API void initOpenSslOnce();
} // namespace CKM
-