curl-users

Re: Incorrect OpenSSL usage and thread-safety issues in Curl_ossl_seed

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 29 Jul 2009 17:17:54 +0200 (CEST)

On Wed, 29 Jul 2009, Tanguy Fautre wrote:

I consider this topic better suited for the libcurl list, so I'm cc'ing my
reply over there.

> As far as LibCurl is concerned, the problem comes from Curl_ossl_seed that
> contains a non-thread-safe static initialization. See ssluse.c, line 270 to
> 276.
>
> Further down the stack, ossl_seed() calls RAND_screen(). Now apparently
> RAND_screen is not thread-safe either. See the discussion on OpenSSL
> mailing list for more info.
> http://marc.info/?l=openssl-dev&m=124838339302787&w=2

Blargh. :-( I do think they could've mentioned at least something about that
fact in their documentation.

Since we do have lots of seeding stuff based on options on the handle, I
figure we should start with simply moving the RAND_screen() call to the
Curl_ossl_init() function, which gets called from curl_global_init() (which is
known and documented to not be thread-safe).

Wouldn't that be good enough?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2009-07-29
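
The pattern discussed in this mail, as an added example that is not part of the original message and is not curl or OpenSSL code: a lazily seeded static flag beside two fixes, seeding from a one-time global init step (the proposal above) or guarding the lazy path with pthread_once. All function names are hypothetical, and do_seed() is a stand-in counter rather than RAND_screen().

```c
/* Added illustration: all names are hypothetical, not curl or OpenSSL code. */
#include <pthread.h>
#include <stdatomic.h>

#define NTHREADS 8

static atomic_int seed_calls; /* times the seeding body actually ran */

/* Stand-in for a costly seeding routine that must not run concurrently. */
static void do_seed(void) { atomic_fetch_add(&seed_calls, 1); }

/* Racy shape: check-then-act on a plain static flag. Two threads can both
   read 0 and both enter do_seed(). Shown for comparison, never run here. */
int seeded_flag;
void seed_lazy_racy(void)
{
  if(!seeded_flag) { do_seed(); seeded_flag = 1; }
}

/* Option A: seed in the global init step, which the application calls once
   before it starts any thread. The per-connection path no longer seeds. */
void my_global_init(void) { do_seed(); }
void *worker_after_global_init(void *arg) { return arg; }

/* Option B: keep lazy seeding but let pthread_once serialise it. */
static pthread_once_t seed_once = PTHREAD_ONCE_INIT;
static void *worker_lazy_once(void *arg)
{
  pthread_once(&seed_once, do_seed);
  return arg;
}

/* Run up to NTHREADS copies of fn; return how many times seeding ran. */
int run_workers(void *(*fn)(void *))
{
  pthread_t t[NTHREADS];
  int i, n = 0;
  for(i = 0; i < NTHREADS; i++)
    if(pthread_create(&t[n], NULL, fn, NULL) == 0)
      n++;
  for(i = 0; i < n; i++)
    pthread_join(t[i], NULL);
  return atomic_load(&seed_calls);
}

int main(void)
{
  return run_workers(worker_lazy_once) == 1 ? 0 : 1;
}
```

Option A only holds if the application honours the rule that the global init call happens before any thread is started; Option B does not depend on that ordering.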