Add the ability to fail when a hardware accelerator is missing.

Closes ticket 32406.

changes/ticket32406

@@ -0,0 +1,4 @@
+  o Minor features (configuration):
+    - If the configured hardware crypto accelerator in AccelName
+      is prefixed with "!", Tor now exits when it cannot be found.
+      Closes ticket 32406.

doc/tor.1.txt

@@ -843,6 +843,9 @@ GENERAL OPTIONS
     engine of this name. This must be used for any dynamic hardware engine.
     Names can be verified with the openssl engine command. Can not be changed
     while tor is running.
+ +
+    If the engine name is prefixed with a "!", then Tor will exit if the
+    engine cannot be loaded.
 
 [[AccelDir]] **AccelDir** __DIR__::
     Specify this option if using dynamic hardware acceleration and the engine

src/lib/crypt_ops/crypto_openssl_mgt.c

@@ -275,8 +275,14 @@ log_engine(const char *fn, ENGINE *e)
 }
 #endif /* !defined(DISABLE_ENGINES) */
 
-/** Initialize engines for openssl (if enabled). */
-static void
+/** Initialize engines for openssl (if enabled).  Load all the built-in
+ * engines, along with the one called <b>accelName</b> (which may be NULL).
+ * If <b>accelName is prefixed with "!", then it is required: return -1
+ * if it can't be loaded.  Otherwise return 0.
+ *
+ * If <b>accelDir</b> is not NULL, it is the path from which the engine should
+ * be loaded. */
+static int
 crypto_openssl_init_engines(const char *accelName,
                             const char *accelDir)
 {
@@ -284,6 +290,7 @@ crypto_openssl_init_engines(const char *accelName,
   (void)accelName;
   (void)accelDir;
   log_warn(LD_CRYPTO, "No OpenSSL hardware acceleration support enabled.");
+  return 0;
 #else
   ENGINE *e = NULL;
 
@@ -292,6 +299,9 @@ crypto_openssl_init_engines(const char *accelName,
   ENGINE_register_all_complete();
 
   if (accelName) {
+    const bool required = accelName[0] == '!';
+    if (required)
+      ++accelName;
     if (accelDir) {
       log_info(LD_CRYPTO, "Trying to load dynamic OpenSSL engine \"%s\""
                " via path \"%s\".", accelName, accelDir);
@@ -304,6 +314,8 @@ crypto_openssl_init_engines(const char *accelName,
     if (!e) {
       log_warn(LD_CRYPTO, "Unable to load dynamic OpenSSL engine \"%s\".",
                accelName);
+      if (required)
+        return -1;
     } else {
       log_info(LD_CRYPTO, "Loaded dynamic OpenSSL engine \"%s\".",
                accelName);
@@ -340,6 +352,7 @@ crypto_openssl_init_engines(const char *accelName,
 #ifdef NID_aes_256_gcm
   log_engine("AES-256-GCM", ENGINE_get_cipher_engine(NID_aes_256_gcm));
 #endif
+  return 0;
 
 #endif /* defined(DISABLE_ENGINES) */
 }
@@ -350,7 +363,8 @@ crypto_openssl_late_init(int useAccel, const char *accelName,
                          const char *accelDir)
 {
   if (useAccel > 0) {
-    crypto_openssl_init_engines(accelName, accelDir);
+    if (crypto_openssl_init_engines(accelName, accelDir) < 0)
+      return -1;
   } else {
     log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
   }