curl-library

Re: libcurl documentation bug

From: Short, Todd <tshort_at_akamai.com>
Date: Thu, 15 Sep 2016 14:43:54 +0000

The intent of the CRYPTO_cleanup_all_ex_data() is to clean up memory at the termination of the program. As you’ve discovered, documentation for that function is, ahem, very poor.

CRYPTO_cleanup_all_ex_data() is only to be called when the application is completely done using OpenSSL. The FAQ (https://www.openssl.org/docs/faq.html#PROG13) indicates that CRYPTO_cleanup_all_ex_data() is a “"Brutal" (thread-unsafe) Application-global cleanup function”. Code comments for the function indicate:

/* Release all "ex_data" state to prevent memory leaks. This can't be made
 * thread-safe without overhauling a lot of stuff, and shouldn't really be
 * called under potential race-conditions anyway (it's for program shutdown
 * after all). */

I would recommend changing the curl documentation rather than changing code. Curl’s use of OpenSSL is correct as long as curl_global_cleanup() is called only once at program termination. The problem is exacerbated when another portion of the program uses OpenSSL also.

Of course, this is only a problem if ex_data is used within OpenSSL by the application.

--
-Todd Short
// tshort_at_akamai.com
// "One if by land, two if by sea, three if by the Internet."

> On Sep 15, 2016, at 10:29 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> 
> On Thu, 15 Sep 2016, Short, Todd wrote:
> 
>> We’ve discovered a bug in the libcurl documentation. The issue revolves around curl_global_cleanup() that ends up calling CRYPTO_cleanup_all_ex_data(). This OpenSSL function is meant to be called only once, at program termination, as it cleans up data that leaves users of ex_data in an inconsistent state. (tl;dr: ex_data index values are basically reset, but are still held by application).
> 
> Thanks for this. We've supported OpenSSL for 17 years or so by now and there are still new confusions reported regularly...
> 
> Can you clarify _where_ said limitation is documented by OpenSSL? I tried to find docs for this function, but failed. And also, shouldn't "ex_data index values are basically reset, but are still held by application" be considered an OpenSSL bug? What could possibly be the motivation for leaving it like that?
> 
>> “You can call both of these multiple times, as long as all calls meet these requirements and the number of calls to each is the same.”
>> 
>> This statement is wrong, as curl_global_cleanup() cannot be called multiple times due to CRYPTO_cleanup_all_ex_data().
> 
> Apparently, yes.
> 
>> If the intended use is as documented, then perhaps the CRYPTO_cleanup_all_ex_data() call should be removed from the library.
> 
> Then we would instead leak memory, right?

Memory used for ex_data, yes.

> 
> -- 
> 
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-15
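
Added example (not part of the original mail and not curl's or OpenSSL's code): one way an application with several components can keep their init/cleanup pairs balanced while the real global cleanup, such as curl_global_cleanup(), runs only once at program termination, as the mail recommends. The tls_guard_* and demo_* names are hypothetical, the counting stubs are constructed stand-ins for wrappers around the libcurl calls, and the guard assumes it is called from one thread or under the caller's own lock.

```c
#include <stdio.h>
#include <stdlib.h>

typedef int  (*init_fn)(void);     /* wraps e.g. curl_global_init() */
typedef void (*cleanup_fn)(void);  /* wraps e.g. curl_global_cleanup() */

static cleanup_fn g_cleanup;
static int g_users, g_ready, g_hooked;

/* The only place the real cleanup runs: once, with no users left. */
void tls_guard_shutdown(void) {
    if (g_ready && g_users == 0) { g_cleanup(); g_ready = 0; }
}

/* Components call this instead of the global init. Returns 0 on success. */
int tls_guard_acquire(init_fn init, cleanup_fn cleanup) {
    if (!g_ready) {
        if (!init || !cleanup) return -1;
        if (!g_hooked && atexit(tls_guard_shutdown) != 0) return -1;
        g_hooked = 1;
        if (init() != 0) return -1;
        g_cleanup = cleanup;
        g_ready = 1;
    }
    g_users++;
    return 0;
}

/* Components call this instead of the global cleanup; nothing is torn down. */
int tls_guard_release(void) {
    if (g_users == 0) return -1;   /* unbalanced release */
    g_users--;
    return 0;
}

/* Constructed stand-ins that count calls; real code would wrap libcurl here. */
static int init_calls, cleanup_calls;
static int demo_init(void) { init_calls++; return 0; }
static void demo_cleanup(void) { cleanup_calls++; }

/* Two components each do an init/cleanup pair; returns cleanups run so far. */
int demo_two_components(void) {
    tls_guard_acquire(demo_init, demo_cleanup); tls_guard_release();  /* A */
    tls_guard_acquire(demo_init, demo_cleanup); tls_guard_release();  /* B */
    return cleanup_calls;
}

int main(void) {
    printf("cleanups before exit: %d\n", demo_two_components());
    return 0;   /* tls_guard_shutdown() runs here via atexit() */
}
```

If a component still holds the guard at exit, the cleanup is skipped, which leaves only the ex_data memory unreleased as the process ends.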