4

I'm learning how to write a multi-threaded DTLS server using OpenSSL. I've been looking through documentation, and it looks like OpenSSL should work with multiple threads if I set CRYPTO_set_id_callback and CRYPTO_set_locking_callback. I'm using OpenSSL 1.1.1c, and when I look in crypto.h, I find this:

```c
/*
 * The old locking functions have been removed completely without compatibility
 * macros. This is because the old functions either could not properly report
 * errors, or the returned error values were not clearly documented.
 * Replacing the locking functions with no-ops would cause race condition
 * issues in the affected applications. It is far better for them to fail at
 * compile time.
 * On the other hand, the locking callbacks are no longer used.  Consequently,
 * the callback management functions can be safely replaced with no-op macros.
 */
#  define CRYPTO_num_locks()            (1)
#  define CRYPTO_set_locking_callback(func)
#  define CRYPTO_get_locking_callback()         (NULL)
#  define CRYPTO_set_add_lock_callback(func)
#  define CRYPTO_get_add_lock_callback()        (NULL)
```

So, it looks like this method is outdated. What should I do instead to ensure that my OpenSSL code is thread safe?

-- After researching some more, I've found this: Tutorial on Using OpenSSL with pthreads. I've also found https://www.openssl.org/docs/man1.0.2/man3/CRYPTO_THREADID_set_callback.html. However, CRYPTO_THREADID_set_callback() is also a no-op! It looks like I could do nothing but compile OpenSSL with the right flags.

Rotartsi
  • Hmm. What do you mean by that? I don't plan on re-writing parts of openssl... I'm only compiling the latest version with threads and zlib. What are some examples of these "professional implementations?" – Rotartsi Apr 30 '20 at 22:47

1 Answer

2

Actually, you no longer need to set up locks in OpenSSL 1.1.0 and later.

> Programming with OpenSSL Is OpenSSL thread-safe?
>
> Yes but with some limitations; for example, an SSL connection cannot be used concurrently by multiple threads. This is true for most OpenSSL objects.
>
> For version 1.1.0 and later, there is nothing further you need do.
>
> For earlier versions than 1.1.0, it is necessary for your application to set up the thread callback functions. To do this, your application must call CRYPTO_set_locking_callback(3) and one of the CRYPTO_THREADID_set... API's. See the OpenSSL threads manpage for details and "note on multi-threading" in the INSTALL file in the source distribution.

You can check the OpenSSL FAQ here!

Erbo Shan
  • Yes. I just compiled OpenSSL with `./config --release threads` and moved on. :) – Rotartsi May 15 '20 at 20:45
  • 1
    "For version 1.1.0 and later, there is nothing further you need do." Does this mean there are mutexes within openssl? Or, only if you compile it with mutexes? – user997112 Oct 04 '22 at 07:57