author | David Benjamin <davidben@google.com> | 2024-06-18 01:13:09 -0400 |
---|---|---|
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2024-06-21 04:01:30 +0000 |
commit | 2fcdd11f6d33b667968a5bc5147e2ba83a2082b8 (patch) | |
tree | 260adccb46fb6f99f663fde586f941afed961f36 /include | |
parent | 6c98ebeb8cf24c7be5d462ded7e60d88b2ceccec (diff) | |
Make BoringSSL initialization-less
Now that we don't depend on external CRYPTO_library_init calls or the
static initializer to initialize CPU capabilities, we can drop a ton of
code.
This makes CRYPTO_library_init, and all its wrappers, into no-ops and
drops the (non-FIPS) static initializer. I've added an internal
OPENSSL_init_cpuid function for the places where the library actually
needs to initialize the CPU vector.
Note this slightly changes the default, previously
static-initializer-full build: previously, CRYPTO_library_init was a
no-op and we relied on the static initializer. Now we uniformly use
CRYPTO_once. This should be an atomic read in the steady state and
essentially free. We can restore the static initializer by default if
this ends up being a problem, but having only one mode is more
straightforward. This also avoids problems if an application calls into
BoringSSL during its own static initializer. Static initializers are not
coherently ordered.
Update-Note: The BORINGSSL_NO_STATIC_INITIALIZER build option and
CRYPTO_library_init are now unnecessary. Once updating past this
revision, those options can now be cleaned up from downstream projects.
Fixed: 40644931
Change-Id: Idc2e6ea7a73d6352e0360fd886c46d88dba3568c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69508
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/crypto.h | 17 | ||||
-rw-r--r-- | include/openssl/ssl.h | 4 |
2 files changed, 8 insertions, 13 deletions
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 2981e68..63dbcb2 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -32,18 +32,9 @@ extern "C" {
 #endif
-// crypto.h contains functions for initializing the crypto library.
+// crypto.h contains functions for library-wide initialization and properties.
-// CRYPTO_library_init initializes the crypto library. It must be called if the
-// library is built with BORINGSSL_NO_STATIC_INITIALIZER. Otherwise, it does
-// nothing and a static initializer is used instead. It is safe to call this
-// function multiple times and concurrently from multiple threads.
-//
-// On some ARM configurations, this function may require filesystem access and
-// should be called before entering a sandbox.
-OPENSSL_EXPORT void CRYPTO_library_init(void);
-
 // CRYPTO_is_confidential_build returns one if the linked version of BoringSSL
 // has been built with the BORINGSSL_CONFIDENTIAL define and zero otherwise.
 //
@@ -164,7 +155,7 @@ OPENSSL_EXPORT void OPENSSL_load_builtin_modules(void);
 #define OPENSSL_INIT_NO_LOAD_CONFIG 0
 #define OPENSSL_INIT_NO_ATEXIT 0
-// OPENSSL_init_crypto calls |CRYPTO_library_init| and returns one.
+// OPENSSL_init_crypto returns one.
 OPENSSL_EXPORT int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
@@ -199,6 +190,10 @@ OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm);
 OPENSSL_EXPORT int CRYPTO_has_broken_NEON(void);
 #endif
+// CRYPTO_library_init does nothing. Historically, it was needed in some build
+// configurations to initialization the library. This is no longer necessary.
+OPENSSL_EXPORT void CRYPTO_library_init(void);
+
 #if defined(__cplusplus)
 } // extern C
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 9d7abe8..9f95a06 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
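Review bot: The comment added for `CRYPTO_library_init` in the third crypto.h hunk (+190) has a wording slip, "to initialization the library", and it drops the sandbox-ordering guidance that the removed comment in the first hunk gave for some ARM configurations without saying what replaces it. Suggest `// configurations to initialize the library. This is no longer necessary.` plus one sentence stating whether CPU capability detection can still need filesystem access once a process is sandboxed; the commit message says that detection now goes through CRYPTO_once. This include-only view does not show the crypto/ side, so that sentence has to be written against the actual detection code. Without it, callers that deliberately placed this call before entering a sandbox get no signal from the header that the call no longer performs that work.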
@@ -4864,7 +4864,7 @@ OPENSSL_EXPORT void SSL_set_check_ecdsa_curve(SSL *ssl, int enable);
 // Deprecated functions.
-// SSL_library_init calls |CRYPTO_library_init| and returns one.
+// SSL_library_init returns one.
 OPENSSL_EXPORT int SSL_library_init(void);
 // SSL_CIPHER_description writes a description of |cipher| into |buf| and
@@ -5427,7 +5427,7 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
 #define OPENSSL_INIT_LOAD_SSL_STRINGS 0
 #define OPENSSL_INIT_SSL_DEFAULT 0
-// OPENSSL_init_ssl calls |CRYPTO_library_init| and returns one.
+// OPENSSL_init_ssl returns one.
 OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); |