Add the ability to fail when a hardware accelerator is missing.

Closes ticket 32406.

diff --git a/changes/ticket32406 b/changes/ticket32406
new file mode 100644 (file)
index 0000000..c0c6020
--- /dev/null
+++ b/changes/ticket32406
@@ -0,0 +1,4 @@
+  o Minor features (configuration):
+    - If the configured hardware crypto accelerator in AccelName
+      is prefixed with "!", Tor now exits when it cannot be found.
+      Closes ticket 32406.

diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 5e3953e3322948d1c9312771f82efc4c9807508b..a3c05961e37c00a49185c81679289d7c0af3ceaf 100644 (file)
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -843,6 +843,9 @@ GENERAL OPTIONS
     engine of this name. This must be used for any dynamic hardware engine.
     Names can be verified with the openssl engine command. Can not be changed
     while tor is running.
+ +
+    If the engine name is prefixed with a "!", then Tor will exit if the
+    engine cannot be loaded.
 
 [[AccelDir]] **AccelDir** __DIR__::
     Specify this option if using dynamic hardware acceleration and the engine

diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c b/src/lib/crypt_ops/crypto_openssl_mgt.c
index 2fbebd87e07ecbbc4442df06cd144d579ba8ae86..d7a3e0692ba90d04ff87c2056be0042691d5302d 100644 (file)
--- a/src/lib/crypt_ops/crypto_openssl_mgt.c
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.c
@@ -275,8 +275,14 @@ log_engine(const char *fn, ENGINE *e)
 }
 #endif /* !defined(DISABLE_ENGINES) */
 
-/** Initialize engines for openssl (if enabled). */
-static void
+/** Initialize engines for openssl (if enabled).  Load all the built-in
+ * engines, along with the one called <b>accelName</b> (which may be NULL).
+ * If <b>accelName is prefixed with "!", then it is required: return -1
+ * if it can't be loaded.  Otherwise return 0.
+ *
+ * If <b>accelDir</b> is not NULL, it is the path from which the engine should
+ * be loaded. */
+static int
 crypto_openssl_init_engines(const char *accelName,
                             const char *accelDir)
 {
@@ -284,6 +290,7 @@ crypto_openssl_init_engines(const char *accelName,
   (void)accelName;
   (void)accelDir;
   log_warn(LD_CRYPTO, "No OpenSSL hardware acceleration support enabled.");
+  return 0;
 #else
   ENGINE *e = NULL;
 
@@ -292,6 +299,9 @@ crypto_openssl_init_engines(const char *accelName,
   ENGINE_register_all_complete();
 
   if (accelName) {
+    const bool required = accelName[0] == '!';
+    if (required)
+      ++accelName;
     if (accelDir) {
       log_info(LD_CRYPTO, "Trying to load dynamic OpenSSL engine \"%s\""
                " via path \"%s\".", accelName, accelDir);
@@ -304,6 +314,8 @@ crypto_openssl_init_engines(const char *accelName,
     if (!e) {
       log_warn(LD_CRYPTO, "Unable to load dynamic OpenSSL engine \"%s\".",
                accelName);
+      if (required)
+        return -1;
     } else {
       log_info(LD_CRYPTO, "Loaded dynamic OpenSSL engine \"%s\".",
                accelName);
@@ -340,6 +352,7 @@ crypto_openssl_init_engines(const char *accelName,
 #ifdef NID_aes_256_gcm
   log_engine("AES-256-GCM", ENGINE_get_cipher_engine(NID_aes_256_gcm));
 #endif
+  return 0;
 
 #endif /* defined(DISABLE_ENGINES) */
 }
@@ -350,7 +363,8 @@ crypto_openssl_late_init(int useAccel, const char *accelName,
                          const char *accelDir)
 {
   if (useAccel > 0) {
-    crypto_openssl_init_engines(accelName, accelDir);
+    if (crypto_openssl_init_engines(accelName, accelDir) < 0)
+      return -1;
   } else {
     log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
   }