On 14/06/2019 09:17, Graham Leggett wrote:
> On 14 Jun 2019, at 09:41, Matt Caswell <matt@xxxxxxxxxxx
> <mailto:matt@xxxxxxxxxxx>> wrote:
>
>> Correct. *All* of the above calls are no-ops in 1.1.0+, e.g:
>>
>> # define EVP_cleanup() while(0) continue
>>
>> There are one or two caveats around auto-init and auto-deinit of the library.
>> The documentation for it is here:
>>
>> https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
>
> Further to the above question, having read the documentation, it looks like all
> of these init routines should be removed in v1.1.0 and above:

Mostly, but not quite. The library will automatically initialise itself with no
requirement to explicitly do so. However there are certain things that don't
happen automatically because they're not necessarily appropriate for all
applications. See comments below:

>
> https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l398
>
> CRYPTO_malloc_init();

This function doesn't exist at all in 1.1.0+.

> OPENSSL_malloc_init();

This is a no-op in 1.1.0+.

> ERR_load_crypto_strings();
> SSL_load_error_strings();
> SSL_library_init();

These all happen automatically. There is no need to call them directly. They're
all macros for calling OPENSSL_init_crypto() explicitly with default
options...but since they are default options anyway there is no need to do this.

> ENGINE_load_builtin_engines();

This does NOT happen automatically. It is a non-default option in
OPENSSL_init_crypto(). You can get the same effect by calling
OPENSSL_init_crypto with the OPENSSL_INIT_ENGINE_ALL_BUILTIN option explicitly.
See:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html

> OpenSSL_add_all_algorithms();

No need to call this one. It's a macro for calling OPENSSL_init_crypto()
explicitly with default options - but this will happen anyway.

> OPENSSL_load_builtin_modules();

This does NOT happen automatically if you are just using libcrypto. This is used
for initialising config file modules. libcrypto does not automatically load a
config file. If you call OPENSSL_init_crypto() explicitly with the
OPENSSL_INIT_LOAD_CONFIG option then it will load the config file and end up
calling the above function automatically as part of that.

In 1.1.1 a config file is loaded automatically for libssl users. So if you're a
1.1.1 libssl user then you don't need to call this function. A config file is
not loaded automatically for libssl in 1.1.0.

It is expected that in OpenSSL 3.0 loading a config file will happen
automatically in both libcrypto and libssl.

>
> https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l133
>
> CRYPTO_malloc_init();
> OPENSSL_malloc_init();
> ERR_load_crypto_strings();
> OpenSSL_add_all_algorithms();
> ENGINE_load_builtin_engines();

As above.

> ENGINE_register_all_complete();

This is the same as for ENGINE_load_builtin_engines(). It does NOT happen
automatically, but will get called if you use the
OPENSSL_INIT_ENGINE_ALL_BUILTIN option to OPENSSL_init_crypto.

Matt

>
> Can you confirm I’ve interpreted this correctly?
>
> Regards,
> Graham
> —
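
Added example (not part of the original message, and not mod_ssl or apr-util code): a Python audit that flags the legacy init calls discussed in this thread in C source, skipping commented-out calls, and derives the single OPENSSL_init_crypto() call covering those that do not happen automatically in 1.1.0+. The names audit, LEGACY_INIT and SAMPLE, and the sample source itself, are constructed for illustration.

```python
import re

# 1.1.0+ disposition of each legacy call, as stated in the reply above:
# None = delete the call; otherwise the OPENSSL_init_crypto() option to request.
LEGACY_INIT = {
    "CRYPTO_malloc_init": None,        # gone in 1.1.0+
    "OPENSSL_malloc_init": None,       # no-op
    "EVP_cleanup": None,               # no-op
    "ERR_load_crypto_strings": None,   # automatic
    "SSL_load_error_strings": None,    # automatic
    "SSL_library_init": None,          # automatic
    "OpenSSL_add_all_algorithms": None,  # automatic
    "ENGINE_load_builtin_engines": "OPENSSL_INIT_ENGINE_ALL_BUILTIN",
    "ENGINE_register_all_complete": "OPENSSL_INIT_ENGINE_ALL_BUILTIN",
    "OPENSSL_load_builtin_modules": "OPENSSL_INIT_LOAD_CONFIG",
}
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(LEGACY_INIT))
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def audit(source):
    """Return (findings, replacement); findings = [(line, call, option or None)]."""
    # Blank out comments but keep newlines so reported line numbers stay right.
    code = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    findings = []
    for m in CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1), LEGACY_INIT[m.group(1)]))
    opts = sorted({opt for _, _, opt in findings if opt})
    replacement = "OPENSSL_init_crypto(%s, NULL);" % " | ".join(opts) if opts else None
    return findings, replacement


# Constructed sample, modelled on the call lists quoted in the thread.
SAMPLE = """\
static void init(void) {
    /* SSL_library_init(); already removed */
    OPENSSL_malloc_init();
    ERR_load_crypto_strings();
    ENGINE_load_builtin_engines();
    ENGINE_register_all_complete();
    OPENSSL_load_builtin_modules();
}
"""

if __name__ == "__main__":
    for line, call, opt in audit(SAMPLE)[0]:
        print("line %d: %s -> %s" % (line, call, opt or "delete"))
    print("replace with:", audit(SAMPLE)[1])
```

Per the reply above, OPENSSL_INIT_LOAD_CONFIG also loads the config file, and a 1.1.1 libssl user already gets that automatically, so treat that option in the output as a prompt for review rather than a mechanical substitution.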