curl-users
RE: Incorrect OpenSSL usage and thread-safety issues in Curl_ossl_seed
Date: Thu, 30 Jul 2009 11:06:08 +0100
Hi,
I apologize for posting to the wrong mailing list. I've just subscribed
to curl-library ML.
I support the curl_global_init() solution you propose, it makes a lot of
sense and AFAIK would follow the guidelines from OpenSSL.
Regards,
Tanguy
-----Original Message-----
From: curl-users-bounces_at_cool.haxx.se
[mailto:curl-users-bounces_at_cool.haxx.se] On Behalf Of Daniel Stenberg
Sent: 29 July 2009 16:18
To: the curl tool
Cc: libcurl hacking
Subject: Re: Incorrect OpenSSL usage and thread-safety issues in
Curl_ossl_seed
On Wed, 29 Jul 2009, Tanguy Fautre wrote:
I consider this topic better suited for the libcurl list, so I'm cc'ing
my
reply over there.
> As far as LibCurl is concerned, the problem comes from Curl_ossl_seed
that
> contains a non-thread-safe static initialization. See ssluse.c, line
270 to
> 276.
>
> Further down the stack, ossl_seed() calls RAND_screen(). Now
apparently
> RAND_screen is not thread-safe either. See the discussion on OpenSSL
> mailing list for more info.
> http://marc.info/?l=openssl-dev&m=124838339302787&w=2
Blargh. :-( I do think they could've mentioned at least something about
that
fact in their documentation.
Since we do have lots of seeding stuff based on options on the handle, I
figure we should start with simply moving the RAND_screen() call to the
Curl_ossl_init() function, which gets called from curl_global_init()
(which is
known and documented to not be thread-safe).
Wouldn't that be good enough?
-- / daniel.haxx.se ------------------------------------------------------------------- List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users FAQ: http://curl.haxx.se/docs/faq.html Etiquette: http://curl.haxx.se/mail/etiquette.html ------------------------------------------------------------------- List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users FAQ: http://curl.haxx.se/docs/faq.html Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2009-07-30