curl-users
Re: Incorrect OpenSSL usage and thread-safety issues in Curl_ossl_seed
Date: Wed, 29 Jul 2009 17:17:54 +0200 (CEST)
On Wed, 29 Jul 2009, Tanguy Fautre wrote:
I consider this topic better suited for the libcurl list, so I'm cc'ing my
reply over there.
> As far as LibCurl is concerned, the problem comes from Curl_ossl_seed that
> contains a non-thread-safe static initialization. See ssluse.c, line 270 to
> 276.
>
> Further down the stack, ossl_seed() calls RAND_screen(). Now apparently
> RAND_screen is not thread-safe either. See the discussion on OpenSSL
> mailing list for more info.
> http://marc.info/?l=openssl-dev&m=124838339302787&w=2
Blargh. :-( I do think they could've mentioned at least something about that
fact in their documentation.
Since we do have lots of seeding stuff based on options on the handle, I
figure we should start with simply moving the RAND_screen() call to the
Curl_ossl_init() function, which gets called from curl_global_init() (which is
known and documented to not be thread-safe).
Wouldn't that be good enough?
-- / daniel.haxx.se ------------------------------------------------------------------- List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users FAQ: http://curl.haxx.se/docs/faq.html Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2009-07-29