Rosen Penev
2018-Nov-19 21:24 UTC
[PATCH] openssl-compat: Test for OpenSSL_add_all_algorithms before using.
OpenSSL 1.1.0 has deprecated this function.
---
configure.ac | 1 +
openbsd-compat/openssl-compat.c | 2 ++
openbsd-compat/openssl-compat.h | 4 ++++
3 files changed, 7 insertions(+)
diff --git a/configure.ac b/configure.ac
index 3f7fe2cd..db2aade8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2710,6 +2710,7 @@ if test "x$openssl" = "xyes" ; then
])
# LibreSSL/OpenSSL 1.1x API
AC_CHECK_FUNCS([ \
+ OpenSSL_add_all_algorithms \
OPENSSL_init_crypto \
DH_get0_key \
DH_get0_pqg \
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 5ade8f0b..71e049bd 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -70,7 +70,9 @@ ssh_compatible_openssl(long headerver, long libver)
void
ssh_OpenSSL_add_all_algorithms(void)
{
+#ifdef HAVE_OPENSSL_ADD_ALL_ALGORITHMS
OpenSSL_add_all_algorithms();
+#endif
/* Enable use of crypto hardware */
ENGINE_load_builtin_engines();
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index b87ce59e..3ebdcca1 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -113,6 +113,10 @@ void ssh_OpenSSL_add_all_algorithms(void);
#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
+#if !defined(USE_OPENSSL_ENGINE) &&
!defined(HAVE_OPENSSL_ADD_ALL_ALGORITHMS)
+# define OpenSSL_add_all_algorithms
+#endif
+
/* LibreSSL/OpenSSL 1.1x API compat */
#ifndef HAVE_DSA_GET0_PQG
void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
--
2.19.1
Damien Miller
2018-Nov-20 03:59 UTC
[PATCH] openssl-compat: Test for OpenSSL_add_all_algorithms before using.
On Mon, 19 Nov 2018, Rosen Penev wrote:> OpenSSL 1.1.0 has deprecated this function.I think we could consolidate a bit more. This folds the libcrypto init into the seed_rng() call that should happen early in each tool's main(). -d diff --git a/configure.ac b/configure.ac index 3f7fe2cd..5a9b3ff1 100644 --- a/configure.ac +++ b/configure.ac @@ -2671,8 +2671,8 @@ if test "x$openssl" = "xyes" ; then AC_MSG_CHECKING([if programs using OpenSSL functions will link]) AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], - [[ OpenSSL_add_all_algorithms(); ]])], + [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], + [[ ERR_load_crypto_strings(); ]])], [ AC_MSG_RESULT([yes]) ], @@ -2682,8 +2682,8 @@ if test "x$openssl" = "xyes" ; then LIBS="$LIBS -ldl" AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], - [[ OpenSSL_add_all_algorithms(); ]])], + [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], + [[ ERR_load_crypto_strings(); ]])], [ AC_MSG_RESULT([yes]) ], @@ -2698,15 +2698,16 @@ if test "x$openssl" = "xyes" ; then AC_CHECK_FUNCS([ \ BN_is_prime_ex \ DSA_generate_parameters_ex \ - EVP_DigestInit_ex \ + EVP_CIPHER_CTX_ctrl \ EVP_DigestFinal_ex \ - EVP_MD_CTX_init \ + EVP_DigestInit_ex \ EVP_MD_CTX_cleanup \ EVP_MD_CTX_copy_ex \ + EVP_MD_CTX_init \ HMAC_CTX_init \ + OpenSSL_add_all_algorithms \ RSA_generate_key_ex \ RSA_get_default_method \ - EVP_CIPHER_CTX_ctrl \ ]) # LibreSSL/OpenSSL 1.1x API AC_CHECK_FUNCS([ \ diff --git a/entropy.c b/entropy.c index fc710ec2..97e83608 100644 --- a/entropy.c +++ b/entropy.c @@ -56,6 +56,8 @@ #include "sshbuf.h" #include "ssherr.h" +#define RANDOM_SEED_SIZE 48 + /* * Portable OpenSSH PRNG seeding: * If OpenSSL has not "internally seeded" itself (e.g. pulled data from @@ -64,8 +66,6 @@ */ #ifndef OPENSSL_PRNG_ONLY -#define RANDOM_SEED_SIZE 48 - /* * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon * listening either on 'tcp_port', or via Unix domain socket at * @@ -216,9 +216,11 @@ rexec_recv_rng_seed(struct sshbuf *m) void seed_rng(void) { -#ifndef OPENSSL_PRNG_ONLY unsigned char buf[RANDOM_SEED_SIZE]; -#endif + + /* Initialise libcrypto */ + ssh_libcrypto_init(); + if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, OpenSSL_version_num())) fatal("OpenSSL version mismatch. Built against %lx, you " @@ -226,27 +228,34 @@ seed_rng(void) OpenSSL_version_num()); #ifndef OPENSSL_PRNG_ONLY - if (RAND_status() == 1) { + if (RAND_status() == 1) debug3("RNG is ready, skipping seeding"); - return; + else { + if (seed_from_prngd(buf, sizeof(buf)) == -1) + fatal("Could not obtain seed from PRNGd"); + RAND_add(buf, sizeof(buf), sizeof(buf)); } - - if (seed_from_prngd(buf, sizeof(buf)) == -1) - fatal("Could not obtain seed from PRNGd"); - RAND_add(buf, sizeof(buf), sizeof(buf)); - memset(buf, '\0', sizeof(buf)); - #endif /* OPENSSL_PRNG_ONLY */ + if (RAND_status() != 1) fatal("PRNG is not seeded"); + + /* Ensure arc4random() is primed */ + arc4random_buf(buf, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); } #else /* WITH_OPENSSL */ -/* Handled in arc4random() */ +/* Acutal initialisation is handled in arc4random() */ void seed_rng(void) { + unsigned char buf[RANDOM_SEED_SIZE]; + + /* Ensure arc4random() is primed */ + arc4random_buf(buf, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); } #endif /* WITH_OPENSSL */ diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 5ade8f0b..d8c00ebc 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -66,26 +66,31 @@ ssh_compatible_openssl(long headerver, long libver) return 0; } -#ifdef USE_OPENSSL_ENGINE void -ssh_OpenSSL_add_all_algorithms(void) +ssh_libcrypto_init(void) { +#if defined(HAVE_OPENSSL_ADD_ALL_ALGORITHMS) OpenSSL_add_all_algorithms(); +#elif defined(HAVE_OPENSSL_INIT_CRYPTO) && \ + defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \ + defined(OPENSSL_INIT_ADD_ALL_DIGESTS) + OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | + OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); +#endif +#ifdef USE_OPENSSL_ENGINE /* Enable use of crypto hardware */ ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); -#if defined(HAVE_OPENSSL_INIT_CRYPTO) && \ - defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \ - defined(OPENSSL_INIT_ADD_ALL_DIGESTS) && \ - defined(OPENSSL_INIT_LOAD_CONFIG) + /* Load the libcrypto config file to pick up engines defined there */ +# if defined(HAVE_OPENSSL_INIT_CRYPTO) && defined(OPENSSL_INIT_LOAD_CONFIG) OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG, NULL); -#else +# else OPENSSL_config(NULL); -#endif +# endif +#endif /* USE_OPENSSL_ENGINE */ } -#endif #endif /* WITH_OPENSSL */ diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index b87ce59e..917bc6f7 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -31,6 +31,7 @@ #include <openssl/dh.h> int ssh_compatible_openssl(long, long); +void ssh_libcrypto_init(void); #if (OPENSSL_VERSION_NUMBER < 0x1000100fL) # error OpenSSL 1.0.1 or greater is required @@ -92,27 +93,6 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); # endif #endif -/* - * We overload some of the OpenSSL crypto functions with ssh_* equivalents - * to automatically handle OpenSSL engine initialisation. - * - * In order for the compat library to call the real functions, it must - * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and - * implement the ssh_* equivalents. - */ -#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS - -# ifdef USE_OPENSSL_ENGINE -# ifdef OpenSSL_add_all_algorithms -# undef OpenSSL_add_all_algorithms -# endif -# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() -# endif - -void ssh_OpenSSL_add_all_algorithms(void); - -#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ - /* LibreSSL/OpenSSL 1.1x API compat */ #ifndef HAVE_DSA_GET0_PQG void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, diff --git a/regress/unittests/sshkey/tests.c b/regress/unittests/sshkey/tests.c index 13f265cd..78aa9223 100644 --- a/regress/unittests/sshkey/tests.c +++ b/regress/unittests/sshkey/tests.c @@ -7,8 +7,6 @@ #include "includes.h" -#include <openssl/evp.h> - #include "../test_helper/test_helper.h" void sshkey_tests(void); @@ -18,9 +16,6 @@ void sshkey_fuzz_tests(void); void tests(void) { - OpenSSL_add_all_algorithms(); - ERR_load_CRYPTO_strings(); - sshkey_tests(); sshkey_file_tests(); sshkey_fuzz_tests(); diff --git a/regress/unittests/test_helper/test_helper.c b/regress/unittests/test_helper/test_helper.c index 4cc70852..11c3ee39 100644 --- a/regress/unittests/test_helper/test_helper.c +++ b/regress/unittests/test_helper/test_helper.c @@ -35,11 +35,13 @@ #include <signal.h> #include <openssl/bn.h> +#include <openssl/err.h> #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) # include <vis.h> #endif +#include "entropy.h" #include "test_helper.h" #include "atomicio.h" @@ -121,6 +123,9 @@ main(int argc, char **argv) { int ch; + seed_rng(); + ERR_load_CRYPTO_strings(); + /* Handle systems without __progname */ if (__progname == NULL) { __progname = strrchr(argv[0], '/'); diff --git a/scp.c b/scp.c index 4f3fdcd3..eb17c341 100644 --- a/scp.c +++ b/scp.c @@ -400,6 +400,8 @@ main(int argc, char **argv) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); + seed_rng(); + msetlocale(); /* Copy argv, because we modify it */ diff --git a/sftp-server-main.c b/sftp-server-main.c index c6ccd623..6230d897 100644 --- a/sftp-server-main.c +++ b/sftp-server-main.c @@ -43,6 +43,8 @@ main(int argc, char **argv) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); + seed_rng(); + if ((user_pw = getpwuid(getuid())) == NULL) { fprintf(stderr, "No user found for uid %lu\n", (u_long)getuid()); diff --git a/sftp.c b/sftp.c index ed95cf81..f886b330 100644 --- a/sftp.c +++ b/sftp.c @@ -2367,6 +2367,8 @@ main(int argc, char **argv) sanitise_stdfd(); msetlocale(); + seed_rng(); + __progname = ssh_get_progname(argv[0]); memset(&args, '\0', sizeof(args)); args.list = NULL; diff --git a/ssh-add.c b/ssh-add.c index 627c0298..50165e7d 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -544,10 +544,6 @@ main(int argc, char **argv) __progname = ssh_get_progname(argv[0]); seed_rng(); -#ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); -#endif - setvbuf(stdout, NULL, _IOLBF, 0); /* First, get a connection to the authentication agent. */ diff --git a/ssh-agent.c b/ssh-agent.c index cb552462..6baebc31 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1095,10 +1095,6 @@ main(int ac, char **av) if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) fatal("%s: getrlimit: %s", __progname, strerror(errno)); -#ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); -#endif - __progname = ssh_get_progname(av[0]); seed_rng(); diff --git a/ssh-keygen.c b/ssh-keygen.c index 416d25be..a6773735 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -2459,13 +2459,10 @@ main(int argc, char **argv) __progname = ssh_get_progname(argv[0]); -#ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); -#endif - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); - seed_rng(); + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + msetlocale(); /* we need this for the home * directory. */ diff --git a/ssh-keysign.c b/ssh-keysign.c index bcd1508c..8f487b8c 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -174,9 +174,6 @@ main(int argc, char **argv) u_char *signature, *data, rver; char *host, *fp; size_t slen, dlen; -#ifdef WITH_OPENSSL - u_int32_t rnd[256]; -#endif ssh_malloc_init(); /* must be called before any mallocs */ if (pledge("stdio rpath getpw dns id", NULL) != 0) @@ -224,12 +221,6 @@ main(int argc, char **argv) if (found == 0) fatal("could not open any host key"); -#ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); - arc4random_buf(rnd, sizeof(rnd)); - RAND_seed(rnd, sizeof(rnd)); -#endif - found = 0; for (i = 0; i < NUM_KEYTYPES; i++) { keys[i] = NULL; diff --git a/ssh.c b/ssh.c index 1e471f5c..1ac903d1 100644 --- a/ssh.c +++ b/ssh.c @@ -610,6 +610,8 @@ main(int ac, char **av) av = saved_av; #endif + seed_rng(); + /* * Discard other fds that are hanging around. These can cause problem * with backgrounded ssh processes started by ControlPersist. @@ -1036,11 +1038,6 @@ main(int ac, char **av) host_arg = xstrdup(host); -#ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); - ERR_load_crypto_strings(); -#endif - /* Initialize the command to execute on remote host. */ if ((command = sshbuf_new()) == NULL) fatal("sshbuf_new failed"); @@ -1264,8 +1261,6 @@ main(int ac, char **av) tty_flag = 0; } - seed_rng(); - if (options.user == NULL) options.user = xstrdup(pw->pw_name); diff --git a/ssh_api.c b/ssh_api.c index e727c0d6..53bbc9b4 100644 --- a/ssh_api.c +++ b/ssh_api.c @@ -81,9 +81,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params) int r; if (!called) { -#ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); -#endif /* WITH_OPENSSL */ + seed_rng(); called = 1; } diff --git a/sshd.c b/sshd.c index afd95932..fb9d9b60 100644 --- a/sshd.c +++ b/sshd.c @@ -1510,6 +1510,8 @@ main(int ac, char **av) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); + seed_rng(); + /* Initialize configuration options to their default values. */ initialize_server_options(&options); @@ -1631,10 +1633,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); -#ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); -#endif - /* If requested, redirect the logs to the specified logfile. */ if (logfile != NULL) log_redirect_stderr_to(logfile); @@ -1677,8 +1675,6 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, cfg, NULL); - seed_rng(); - /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options);
Rosen Penev
2018-Nov-21 22:38 UTC
[PATCH] openssl-compat: Test for OpenSSL_add_all_algorithms before using.
On Mon, Nov 19, 2018 at 8:00 PM Damien Miller <djm at mindrot.org> wrote:> > On Mon, 19 Nov 2018, Rosen Penev wrote: > > > OpenSSL 1.1.0 has deprecated this function. > > I think we could consolidate a bit more. This folds the libcrypto init > into the seed_rng() call that should happen early in each tool's main().Looks good.> > -d > > diff --git a/configure.ac b/configure.ac > index 3f7fe2cd..5a9b3ff1 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -2671,8 +2671,8 @@ if test "x$openssl" = "xyes" ; then > > AC_MSG_CHECKING([if programs using OpenSSL functions will link]) > AC_LINK_IFELSE( > - [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], > - [[ OpenSSL_add_all_algorithms(); ]])], > + [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], > + [[ ERR_load_crypto_strings(); ]])], > [ > AC_MSG_RESULT([yes]) > ], > @@ -2682,8 +2682,8 @@ if test "x$openssl" = "xyes" ; then > LIBS="$LIBS -ldl" > AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) > AC_LINK_IFELSE( > - [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], > - [[ OpenSSL_add_all_algorithms(); ]])], > + [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], > + [[ ERR_load_crypto_strings(); ]])], > [ > AC_MSG_RESULT([yes]) > ], > @@ -2698,15 +2698,16 @@ if test "x$openssl" = "xyes" ; then > AC_CHECK_FUNCS([ \ > BN_is_prime_ex \ > DSA_generate_parameters_ex \ > - EVP_DigestInit_ex \ > + EVP_CIPHER_CTX_ctrl \ > EVP_DigestFinal_ex \ > - EVP_MD_CTX_init \ > + EVP_DigestInit_ex \ > EVP_MD_CTX_cleanup \ > EVP_MD_CTX_copy_ex \ > + EVP_MD_CTX_init \ > HMAC_CTX_init \ > + OpenSSL_add_all_algorithms \ > RSA_generate_key_ex \ > RSA_get_default_method \ > - EVP_CIPHER_CTX_ctrl \ > ]) > # LibreSSL/OpenSSL 1.1x API > AC_CHECK_FUNCS([ \ > diff --git a/entropy.c b/entropy.c > index fc710ec2..97e83608 100644 > --- a/entropy.c > +++ b/entropy.c > @@ -56,6 +56,8 @@ > #include "sshbuf.h" > #include "ssherr.h" > > +#define RANDOM_SEED_SIZE 48 > + > /* > * Portable OpenSSH PRNG seeding: > * If OpenSSL has not "internally seeded" itself (e.g. pulled data from > @@ -64,8 +66,6 @@ > */ > #ifndef OPENSSL_PRNG_ONLY > > -#define RANDOM_SEED_SIZE 48 > - > /* > * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon > * listening either on 'tcp_port', or via Unix domain socket at * > @@ -216,9 +216,11 @@ rexec_recv_rng_seed(struct sshbuf *m) > void > seed_rng(void) > { > -#ifndef OPENSSL_PRNG_ONLY > unsigned char buf[RANDOM_SEED_SIZE]; > -#endif > + > + /* Initialise libcrypto */ > + ssh_libcrypto_init(); > + > if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, > OpenSSL_version_num())) > fatal("OpenSSL version mismatch. Built against %lx, you " > @@ -226,27 +228,34 @@ seed_rng(void) > OpenSSL_version_num()); > > #ifndef OPENSSL_PRNG_ONLY > - if (RAND_status() == 1) { > + if (RAND_status() == 1) > debug3("RNG is ready, skipping seeding"); > - return; > + else { > + if (seed_from_prngd(buf, sizeof(buf)) == -1) > + fatal("Could not obtain seed from PRNGd"); > + RAND_add(buf, sizeof(buf), sizeof(buf)); > } > - > - if (seed_from_prngd(buf, sizeof(buf)) == -1) > - fatal("Could not obtain seed from PRNGd"); > - RAND_add(buf, sizeof(buf), sizeof(buf)); > - memset(buf, '\0', sizeof(buf)); > - > #endif /* OPENSSL_PRNG_ONLY */ > + > if (RAND_status() != 1) > fatal("PRNG is not seeded"); > + > + /* Ensure arc4random() is primed */ > + arc4random_buf(buf, sizeof(buf)); > + explicit_bzero(buf, sizeof(buf)); > } > > #else /* WITH_OPENSSL */ > > -/* Handled in arc4random() */ > +/* Acutal initialisation is handled in arc4random() */ > void > seed_rng(void) > { > + unsigned char buf[RANDOM_SEED_SIZE]; > + > + /* Ensure arc4random() is primed */ > + arc4random_buf(buf, sizeof(buf)); > + explicit_bzero(buf, sizeof(buf)); > } > > #endif /* WITH_OPENSSL */ > diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c > index 5ade8f0b..d8c00ebc 100644 > --- a/openbsd-compat/openssl-compat.c > +++ b/openbsd-compat/openssl-compat.c > @@ -66,26 +66,31 @@ ssh_compatible_openssl(long headerver, long libver) > return 0; > } > > -#ifdef USE_OPENSSL_ENGINE > void > -ssh_OpenSSL_add_all_algorithms(void) > +ssh_libcrypto_init(void) > { > +#if defined(HAVE_OPENSSL_ADD_ALL_ALGORITHMS) > OpenSSL_add_all_algorithms(); > +#elif defined(HAVE_OPENSSL_INIT_CRYPTO) && \ > + defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \ > + defined(OPENSSL_INIT_ADD_ALL_DIGESTS) > + OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | > + OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); > +#endif > > +#ifdef USE_OPENSSL_ENGINE > /* Enable use of crypto hardware */ > ENGINE_load_builtin_engines(); > ENGINE_register_all_complete(); > > -#if defined(HAVE_OPENSSL_INIT_CRYPTO) && \ > - defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \ > - defined(OPENSSL_INIT_ADD_ALL_DIGESTS) && \ > - defined(OPENSSL_INIT_LOAD_CONFIG) > + /* Load the libcrypto config file to pick up engines defined there */ > +# if defined(HAVE_OPENSSL_INIT_CRYPTO) && defined(OPENSSL_INIT_LOAD_CONFIG) > OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | > OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG, NULL); > -#else > +# else > OPENSSL_config(NULL); > -#endif > +# endif > +#endif /* USE_OPENSSL_ENGINE */ > } > -#endif > > #endif /* WITH_OPENSSL */ > diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h > index b87ce59e..917bc6f7 100644 > --- a/openbsd-compat/openssl-compat.h > +++ b/openbsd-compat/openssl-compat.h > @@ -31,6 +31,7 @@ > #include <openssl/dh.h> > > int ssh_compatible_openssl(long, long); > +void ssh_libcrypto_init(void); > > #if (OPENSSL_VERSION_NUMBER < 0x1000100fL) > # error OpenSSL 1.0.1 or greater is required > @@ -92,27 +93,6 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); > # endif > #endif > > -/* > - * We overload some of the OpenSSL crypto functions with ssh_* equivalents > - * to automatically handle OpenSSL engine initialisation. > - * > - * In order for the compat library to call the real functions, it must > - * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and > - * implement the ssh_* equivalents. > - */ > -#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS > - > -# ifdef USE_OPENSSL_ENGINE > -# ifdef OpenSSL_add_all_algorithms > -# undef OpenSSL_add_all_algorithms > -# endif > -# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() > -# endif > - > -void ssh_OpenSSL_add_all_algorithms(void); > - > -#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ > - > /* LibreSSL/OpenSSL 1.1x API compat */ > #ifndef HAVE_DSA_GET0_PQG > void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, > diff --git a/regress/unittests/sshkey/tests.c b/regress/unittests/sshkey/tests.c > index 13f265cd..78aa9223 100644 > --- a/regress/unittests/sshkey/tests.c > +++ b/regress/unittests/sshkey/tests.c > @@ -7,8 +7,6 @@ > > #include "includes.h" > > -#include <openssl/evp.h> > - > #include "../test_helper/test_helper.h" > > void sshkey_tests(void); > @@ -18,9 +16,6 @@ void sshkey_fuzz_tests(void); > void > tests(void) > { > - OpenSSL_add_all_algorithms(); > - ERR_load_CRYPTO_strings(); > - > sshkey_tests(); > sshkey_file_tests(); > sshkey_fuzz_tests(); > diff --git a/regress/unittests/test_helper/test_helper.c b/regress/unittests/test_helper/test_helper.c > index 4cc70852..11c3ee39 100644 > --- a/regress/unittests/test_helper/test_helper.c > +++ b/regress/unittests/test_helper/test_helper.c > @@ -35,11 +35,13 @@ > #include <signal.h> > > #include <openssl/bn.h> > +#include <openssl/err.h> > > #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) > # include <vis.h> > #endif > > +#include "entropy.h" > #include "test_helper.h" > #include "atomicio.h" > > @@ -121,6 +123,9 @@ main(int argc, char **argv) > { > int ch; > > + seed_rng(); > + ERR_load_CRYPTO_strings(); > + > /* Handle systems without __progname */ > if (__progname == NULL) { > __progname = strrchr(argv[0], '/'); > diff --git a/scp.c b/scp.c > index 4f3fdcd3..eb17c341 100644 > --- a/scp.c > +++ b/scp.c > @@ -400,6 +400,8 @@ main(int argc, char **argv) > /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ > sanitise_stdfd(); > > + seed_rng(); > + > msetlocale(); > > /* Copy argv, because we modify it */ > diff --git a/sftp-server-main.c b/sftp-server-main.c > index c6ccd623..6230d897 100644 > --- a/sftp-server-main.c > +++ b/sftp-server-main.c > @@ -43,6 +43,8 @@ main(int argc, char **argv) > /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ > sanitise_stdfd(); > > + seed_rng(); > + > if ((user_pw = getpwuid(getuid())) == NULL) { > fprintf(stderr, "No user found for uid %lu\n", > (u_long)getuid()); > diff --git a/sftp.c b/sftp.c > index ed95cf81..f886b330 100644 > --- a/sftp.c > +++ b/sftp.c > @@ -2367,6 +2367,8 @@ main(int argc, char **argv) > sanitise_stdfd(); > msetlocale(); > > + seed_rng(); > + > __progname = ssh_get_progname(argv[0]); > memset(&args, '\0', sizeof(args)); > args.list = NULL; > diff --git a/ssh-add.c b/ssh-add.c > index 627c0298..50165e7d 100644 > --- a/ssh-add.c > +++ b/ssh-add.c > @@ -544,10 +544,6 @@ main(int argc, char **argv) > __progname = ssh_get_progname(argv[0]); > seed_rng(); > > -#ifdef WITH_OPENSSL > - OpenSSL_add_all_algorithms(); > -#endif > - > setvbuf(stdout, NULL, _IOLBF, 0); > > /* First, get a connection to the authentication agent. */ > diff --git a/ssh-agent.c b/ssh-agent.c > index cb552462..6baebc31 100644 > --- a/ssh-agent.c > +++ b/ssh-agent.c > @@ -1095,10 +1095,6 @@ main(int ac, char **av) > if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) > fatal("%s: getrlimit: %s", __progname, strerror(errno)); > > -#ifdef WITH_OPENSSL > - OpenSSL_add_all_algorithms(); > -#endif > - > __progname = ssh_get_progname(av[0]); > seed_rng(); > > diff --git a/ssh-keygen.c b/ssh-keygen.c > index 416d25be..a6773735 100644 > --- a/ssh-keygen.c > +++ b/ssh-keygen.c > @@ -2459,13 +2459,10 @@ main(int argc, char **argv) > > __progname = ssh_get_progname(argv[0]); > > -#ifdef WITH_OPENSSL > - OpenSSL_add_all_algorithms(); > -#endif > - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); > - > seed_rng(); > > + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); > + > msetlocale(); > > /* we need this for the home * directory. */ > diff --git a/ssh-keysign.c b/ssh-keysign.c > index bcd1508c..8f487b8c 100644 > --- a/ssh-keysign.c > +++ b/ssh-keysign.c > @@ -174,9 +174,6 @@ main(int argc, char **argv) > u_char *signature, *data, rver; > char *host, *fp; > size_t slen, dlen; > -#ifdef WITH_OPENSSL > - u_int32_t rnd[256]; > -#endif > > ssh_malloc_init(); /* must be called before any mallocs */ > if (pledge("stdio rpath getpw dns id", NULL) != 0) > @@ -224,12 +221,6 @@ main(int argc, char **argv) > if (found == 0) > fatal("could not open any host key"); > > -#ifdef WITH_OPENSSL > - OpenSSL_add_all_algorithms(); > - arc4random_buf(rnd, sizeof(rnd)); > - RAND_seed(rnd, sizeof(rnd)); > -#endif > - > found = 0; > for (i = 0; i < NUM_KEYTYPES; i++) { > keys[i] = NULL; > diff --git a/ssh.c b/ssh.c > index 1e471f5c..1ac903d1 100644 > --- a/ssh.c > +++ b/ssh.c > @@ -610,6 +610,8 @@ main(int ac, char **av) > av = saved_av; > #endif > > + seed_rng(); > + > /* > * Discard other fds that are hanging around. These can cause problem > * with backgrounded ssh processes started by ControlPersist. > @@ -1036,11 +1038,6 @@ main(int ac, char **av) > > host_arg = xstrdup(host); > > -#ifdef WITH_OPENSSL > - OpenSSL_add_all_algorithms(); > - ERR_load_crypto_strings(); > -#endif > - > /* Initialize the command to execute on remote host. */ > if ((command = sshbuf_new()) == NULL) > fatal("sshbuf_new failed"); > @@ -1264,8 +1261,6 @@ main(int ac, char **av) > tty_flag = 0; > } > > - seed_rng(); > - > if (options.user == NULL) > options.user = xstrdup(pw->pw_name); > > diff --git a/ssh_api.c b/ssh_api.c > index e727c0d6..53bbc9b4 100644 > --- a/ssh_api.c > +++ b/ssh_api.c > @@ -81,9 +81,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params) > int r; > > if (!called) { > -#ifdef WITH_OPENSSL > - OpenSSL_add_all_algorithms(); > -#endif /* WITH_OPENSSL */ > + seed_rng(); > called = 1; > } > > diff --git a/sshd.c b/sshd.c > index afd95932..fb9d9b60 100644 > --- a/sshd.c > +++ b/sshd.c > @@ -1510,6 +1510,8 @@ main(int ac, char **av) > /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ > sanitise_stdfd(); > > + seed_rng(); > + > /* Initialize configuration options to their default values. */ > initialize_server_options(&options); > > @@ -1631,10 +1633,6 @@ main(int ac, char **av) > else > closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); > > -#ifdef WITH_OPENSSL > - OpenSSL_add_all_algorithms(); > -#endif > - > /* If requested, redirect the logs to the specified logfile. */ > if (logfile != NULL) > log_redirect_stderr_to(logfile); > @@ -1677,8 +1675,6 @@ main(int ac, char **av) > parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, > cfg, NULL); > > - seed_rng(); > - > /* Fill in default values for those options not explicitly set. */ > fill_default_server_options(&options); >