Shutting down openssl - is the correct thing to do nothing?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Shutting down openssl - is the correct thing to do nothing?

Graham Leggett
Hi all,

I am currently reviewing the shutdown behaviour in both httpd’s mod_ssl and apr’s apr-crypto-openssl modules.

Am I right in understanding that from openssl v1.1.0 and upwards, all the following calls are no longer necessary, will be called automatically atexit by the openssl library, and these can be removed from the code?

https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l329

    FIPS_mode_set(0);
    OBJ_cleanup();
    CONF_modules_free();
    EVP_cleanup();
    ENGINE_cleanup();
    SSL_COMP_free_compression_methods();
    ERR_remove_thread_state(NULL);
    ERR_remove_state(0);
    ERR_free_strings();
    CRYPTO_cleanup_all_ex_data();

https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l114

    ERR_free_strings();
    EVP_cleanup();
    ENGINE_cleanup();

Regards,
Graham




smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Shutting down openssl - is the correct thing to do nothing?

Matt Caswell-2


On 14/06/2019 00:42, Graham Leggett wrote:

> Hi all,
>
> I am currently reviewing the shutdown behaviour in both httpd’s mod_ssl and apr’s apr-crypto-openssl modules.
>
> Am I right in understanding that from openssl v1.1.0 and upwards, all the following calls are no longer necessary, will be called automatically atexit by the openssl library, and these can be removed from the code?
>
> https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l329
>
>     FIPS_mode_set(0);
>     OBJ_cleanup();
>     CONF_modules_free();
>     EVP_cleanup();
>     ENGINE_cleanup();
>     SSL_COMP_free_compression_methods();
>     ERR_remove_thread_state(NULL);
>     ERR_remove_state(0);
>     ERR_free_strings();
>     CRYPTO_cleanup_all_ex_data();
>
> https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l114
>
>     ERR_free_strings();
>     EVP_cleanup();
>     ENGINE_cleanup();
>

Correct. *All* of the above calls are no-ops in 1.1.0+, e.g:

#  define EVP_cleanup() while(0) continue

There are one or two caveats around auto-init and auto-deinit of the library.
The documentation for it is here:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html

Matt
Reply | Threaded
Open this post in threaded view
|

Re: Shutting down openssl - is the correct thing to do nothing?

Graham Leggett
On 14 Jun 2019, at 09:41, Matt Caswell <[hidden email]> wrote:

Correct. *All* of the above calls are no-ops in 1.1.0+, e.g:

#  define EVP_cleanup() while(0) continue

There are one or two caveats around auto-init and auto-deinit of the library.
The documentation for it is here:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html

Further to the above question, having read the documentation, it looks like all of these init routines should be removed in v1.1.0 and above:


CRYPTO_malloc_init();
OPENSSL_malloc_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
ENGINE_load_builtin_engines();
OpenSSL_add_all_algorithms();
OPENSSL_load_builtin_modules();


CRYPTO_malloc_init();
OPENSSL_malloc_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();

Can you confirm I’ve interpreted this correctly?

Regards,
Graham


smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Shutting down openssl - is the correct thing to do nothing?

Matt Caswell-2


On 14/06/2019 09:17, Graham Leggett wrote:

> On 14 Jun 2019, at 09:41, Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>> Correct. *All* of the above calls are no-ops in 1.1.0+, e.g:
>>
>> #  define EVP_cleanup() while(0) continue
>>
>> There are one or two caveats around auto-init and auto-deinit of the library.
>> The documentation for it is here:
>>
>> https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
>
> Further to the above question, having read the documentation, it looks like all
> of these init routines should be removed in v1.1.0 and above:

Mostly, but not quite. The library will automatically initialise itself with no
requirement to explicitly do so. However there are certain things that don't
happen automatically because they're not necessarily appropriate for all
applications. See comments below:

>
> https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l398
>
> CRYPTO_malloc_init();

This function doesn't exist at all in 1.1.0+.

> OPENSSL_malloc_init();

This is a no-op in 1.1.0+

> ERR_load_crypto_strings();
> SSL_load_error_strings();
> SSL_library_init();

These all happen automatically. There is no need to call them directly. They're
all macros for calling OPENSSL_init_crypto() explicitly with default
options...but since they are default options anyway there is no need to do this.

> ENGINE_load_builtin_engines();

This does NOT happen automatically. It is a non-default option in
OPENSSL_init_crypto(). You can get the same effect by calling
OPENSSL_init_crypto with the OPENSSL_INIT_ENGINE_ALL_BUILTIN option explicitly. See:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html

> OpenSSL_add_all_algorithms();

No need to call this one. Its a macro for calling OPENSSL_init_crypto()
explicitly with default options - but this will happen anyway.

> OPENSSL_load_builtin_modules();

This does NOT happen automatically if you are just using libcrypto. This is used
for initialising config file modules. libcrypto does not automatically load a
config file. If you call OPENSSL_init_crypto() explicitly with the
OPENSSL_INIT_LOAD_CONFIG option then it will load the config file and end up
calling the above function automatically as part of that.

In 1.1.1 a config file is loaded automatically for libssl users. So if you're a
1.1.1 libssl user then you don't need to call this function. A config file is
not loaded automatically for libssl in 1.1.0.

It is expected that in OpenSSL 3.0 loading a config file will happen
automatically in both libcrypto and libssl.

>
> https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l133
>
> CRYPTO_malloc_init();
> OPENSSL_malloc_init();
> ERR_load_crypto_strings();
> OpenSSL_add_all_algorithms();
> ENGINE_load_builtin_engines();

As above.

> ENGINE_register_all_complete();

This is the same as for ENGINE_load_builtin_engines(). It does NOT happen
automatically, but will get called if you use the
OPENSSL_INIT_ENGINE_ALL_BUILTIN option to OPENSSL_init_crypto.


Matt
>
> Can you confirm I’ve interpreted this correctly?
>
> Regards,
> Graham
> —
>