Is openssl crypto library thread-safe?

deiva shanmugam

unread,

Sep 9, 2009, 9:30:51 AM9/9/09

to

--001636e0ae4d6b05a9047324b732
Content-Type: text/plain; charset=ISO-8859-1

Hi,

We are planning to make use of openssl crypto library in multithreaded
environment.

We call OpenSSL_add_all_algorithms() before creating threads and will create
BIO, EVP_KEY, SHA256 , SHA1 and RSA object in each thread and makes use of
the following functions:

SHA1_Init BIO_new_mem_buf EVP_PKEY_get1
RSA_size
SHA1_Final BIO_free EVP_PKEY_free
RSA_PKCS1_PADDING
SHA1_Update BIO_write EVP_cleanup
RSA_free
SHA256_Init BIO_flush
RSA_verify
SHA256_Final BIO_new
SHA256_Update BIO_s_mem

We found in the openssl website that "OpenSSL can safely be used in
multi-threaded applications provided that at least two callback functions
are set, locking_function and threadid_func." And from FAQ, its stated that
"Openssl is thread safe with limitations [ SSL connections may not be used
concurrently in many threads]" .

So, can someone let us know that the functions mentioned above are MT safe
without implementing the two callback functions.

Thanks in advance,
Deiva Shanmugam

--001636e0ae4d6b05a9047324b732
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi, We are=
planning to make use of openssl crypto library in multithreaded environmen=
t. 
 We c=
all OpenSSL_add_all_algorithms() before creating threads and<=
span style=3D"font-size: 10pt; font-family: "Courier New";"><span=
style=3D"font-family: arial,helvetica,sans-serif;"> will create BIO, EVP_K=
EY, SHA256 , SHA1 and RSA object in each thread and makes use of the follow=
ing functions: 
 SHA1_Init=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 BIO_new_mem_b=
uf=A0=A0=A0 =A0=A0=A0 EVP_PKEY_get1=A0=A0=A0 =A0=A0=A0 RSA_size SHA1_Fin=
al=A0=A0=A0 =A0=A0=A0=A0=A0=A0=A0=A0 BIO_free=A0=A0=A0 =A0=A0=A0 =A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 EVP_PKEY_free=A0=A0=A0 =
=A0=A0=A0=A0 RSA_PKCS1_PADDING SHA1_Update=A0=A0=A0 =A0=A0=A0=A0 BIO_wri=
te=A0=A0=A0 =A0=A0=A0 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0 EVP_cleanup=A0=A0=A0 =A0=A0=A0 =A0=A0=A0=A0=A0 RSA_free 
SHA256_Init=A0=A0=A0 =A0=A0=A0=A0=A0=A0=A0 BIO_flush=A0=A0=A0 =A0=A0=A0 =A0=
=A0=A0 =A0=A0=A0 =A0=A0=A0 =A0=A0=A0 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0 RSA_verify SHA256_Final=A0=A0=A0=A0=A0=A0=A0 BIO_new=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 <b=
r>SHA256_Update=A0=A0=A0 BIO_s_mem 
We found in the openssl website =
that=A0 "<meta http-equiv=3D"Content-Type" content=3D"text/html=
; charset=3Dutf-8"><meta name=3D"ProgId" content=3D"Word.Document"><meta na=
me=3D"Generator" content=3D"Microsoft Word 9"><meta name=3D"Originator" con=
tent=3D"Microsoft Word 9"><link style=3D"font-family: arial,helvetica,sans-=
serif;" rel=3D"File-List" href=3D"file:///C:/DOCUME%7E1/dshanmug/LOCALS%7E1=
/Temp/msoclip1/01/clip_filelist.xml"><style>

</style>OpenSSL
can safely be used in multi-threaded
applications provided that at least two callback functions are set,
locking_function and threadid_func." And from FAQ, its stated that
"Openssl is thread safe with limitations [ SSL connections may not be
used concurrently in many threads]" . So, can someone let us kn=
ow that the functions mentioned above are MT safe without implementing the =
two callback functions. Thanks in advance, Deiva Shanmugam

--001636e0ae4d6b05a9047324b732--
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

unread,

Sep 9, 2009, 11:59:26 AM9/9/09

to

On Wed, Sep 09, 2009, deiva shanmugam wrote:

> Hi,
>
> We are planning to make use of openssl crypto library in multithreaded
> environment.
>
> We call OpenSSL_add_all_algorithms() before creating threads and will create
> BIO, EVP_KEY, SHA256 , SHA1 and RSA object in each thread and makes use of
> the following functions:
>
> SHA1_Init BIO_new_mem_buf EVP_PKEY_get1
> RSA_size
> SHA1_Final BIO_free EVP_PKEY_free
> RSA_PKCS1_PADDING
> SHA1_Update BIO_write EVP_cleanup
> RSA_free
> SHA256_Init BIO_flush
> RSA_verify
> SHA256_Final BIO_new
> SHA256_Update BIO_s_mem
>
> We found in the openssl website that "OpenSSL can safely be used in
> multi-threaded applications provided that at least two callback functions
> are set, locking_function and threadid_func." And from FAQ, its stated that
> "Openssl is thread safe with limitations [ SSL connections may not be used
> concurrently in many threads]" .
>
> So, can someone let us know that the functions mentioned above are MT safe
> without implementing the two callback functions.
>

Use of SHA* functions directly is not recommended, you should use EVP instead.

You need the callbacks for almost any usage because the locks are used to
maintain the error queue which is used by just about every subsection of
OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

deiva shanmugam

unread,

Sep 10, 2009, 2:03:36 AM9/10/09

to

--00c09f8de204d2a4fc047332ddad
Content-Type: text/plain; charset=ISO-8859-1

Hi,

Thanks for the response, steve.

So, irrepective of creating the openssl object per thread or globally for
all threads, callback functions should be implemented to make the
application thread safe?

Thanks,
Deiva Shanmugam

--00c09f8de204d2a4fc047332ddad

Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi, Thanks for the response, steve. So, irrepective of creati=
ng the openssl object=A0 per thread or globally for all threads,=A0 callbac=
k functions should be implemented to make the application thread safe? <=
br>
Thanks, Deiva Shanmugam <div class=3D"gmail_quote">On Wed, Sep 9,=
2009 at 8:35 PM, Dr. Stephen Henson <<a href=3D"mailt=
o:st...@openssl.org">st...@openssl.org</a>> wrote: <blockquote=
class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); =
margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class=3D"h5">On Wed, Sep 09, 2009, deiva shanmugam wro=
te: 
 
> Hi, 
> 
> We are planning to make use of openssl crypto library in multithreaded=
 
> environment. 
> 
> We call OpenSSL_add_all_algorithms() before creating threads and will =
create 
> BIO, EVP_KEY, SHA256 , SHA1 and RSA object in each thread and makes us=
e of 
> the following functions: 
> 
> SHA1_Init =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 BIO_new_mem_buf =A0 =A0 =A0 =
=A0EVP_PKEY_get1 
> RSA_size 
> SHA1_Final =A0 =A0 =A0 =A0 =A0 =A0 BIO_free =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 EVP_PKEY_free 
> =A0 =A0 =A0RSA_PKCS1_PADDING 
> SHA1_Update =A0 =A0 =A0 =A0 BIO_write =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 =A0 =A0 =A0 EVP_cleanup 
> =A0 =A0 =A0 RSA_free 
> SHA256_Init =A0 =A0 =A0 =A0 =A0 =A0BIO_flush 
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 =A0 =A0 RSA_verify 
> SHA256_Final =A0 =A0 =A0 =A0BIO_new 
> SHA256_Update =A0 =A0BIO_s_mem 
> 
> We found in the openssl website that =A0"OpenSSL can safely be us=
ed in 
> multi-threaded applications provided that at least two callback functi=
ons 
> are set, locking_function and threadid_func." And from FAQ, its s=
tated that 
> "Openssl is thread safe with limitations [ SSL connections may no=
t be used 
> concurrently in many threads]" . 
> 
> So, can someone let us know that the functions mentioned above are MT =
safe 
> without implementing the two callback functions. 
> 
 
</div></div>Use of SHA* functions directly is not recommended, you should u=
se EVP instead. 
 
You need the callbacks for almost any usage because the locks are used to<b=
r>
maintain the error queue which is used by just about every subsection of<br=
>
OpenSSL. 
 
Steve. 
-- 
Dr Stephen N. Henson. OpenSSL project core developer. 
Commercial tech support now available see: <a href=3D"http://www.openssl.or=
g" target=3D"_blank">http://www.openssl.org</a> 
______________________________________________________________________ 
OpenSSL Project =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
=A0 <a href=3D"http://www.openssl.org" target=3D"_blank">http://www.openss=
l.org</a> 
User Support Mailing List =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0<a href=3D=
"mailto:openss...@openssl.org">openss...@openssl.org</a> 
Automated List Manager =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
<a href=3D"mailto:majo...@openssl.org">majo...@openssl.org</a> 
</blockquote></div>

--00c09f8de204d2a4fc047332ddad--

Dr. Stephen Henson

unread,

Sep 10, 2009, 7:08:14 AM9/10/09

to

On Thu, Sep 10, 2009, deiva shanmugam wrote:

> Hi,
>

> Thanks for the response, steve.
>
> So, irrepective of creating the openssl object per thread or globally for
> all threads, callback functions should be implemented to make the
> application thread safe?
>

Yes: the error queue requires it and just about every part of OpenSSL uses the
error queue.

Mark

unread,

Sep 10, 2009, 7:36:41 AM9/10/09

to

> We are planning to make use of openssl crypto library in=20
> multithreaded environment.
>=20

> We found in the openssl website that "

> OpenSSL can safely be used in multi-threaded applications=20
> provided that at least two callback functions are set,=20
> locking_function and threadid_func." And from FAQ, its stated=20
> that "Openssl is thread safe with limitations [ SSL=20

> connections may not be used concurrently in many threads]" .

>=20
> So, can someone let us know that the functions mentioned=20

> above are MT safe without implementing the two callback functions.

I am always very concerned when I read questions like this. The
documentation says to implement the callbacks. Therefore you must
do so.

I have often be called in to sort bugs out which have turned out to
be caused by programmers taking shortcuts. It's just not worth
it.

Mark.

Ben Sandee

unread,

Sep 10, 2009, 10:40:42 AM9/10/09

to

On Thu, Sep 10, 2009 at 6:29 AM, Mark <2d3w...@sneakemail.com> wrote:
>
> I am always very concerned when I read questions like this. =A0The
> documentation says to implement the callbacks. =A0Therefore you must
> do so.

No offense, but that's what the mailing list is for. Granted, a
search might have yielded the answer as well... but if anything, the
question should make you feel good because it's one mess you won't be
cleaning up.

Ben

Mark

unread,

Sep 10, 2009, 10:55:30 AM9/10/09

to

> On Thu, Sep 10, 2009 at 6:29 AM, Mark=20

> <2d3w...@sneakemail.com> wrote:
> >
> > I am always very concerned when I read questions like this. =A0The
> > documentation says to implement the callbacks. =A0Therefore you must
> > do so.

>=20

> No offense, but that's what the mailing list is for. Granted, a
> search might have yielded the answer as well... but if anything, the
> question should make you feel good because it's one mess you won't be
> cleaning up.

No offense, but I disagree. This list is for questions specific to OpenSSL
programming, not for questions like "should I do what the documentation say=
s".
Asking such a question shows a fundamental misunderstanding on correct prog=
ramming
techniques. Unfortunately this is all too common IME.

Mark

Ben Sandee

unread,

Sep 10, 2009, 11:02:40 AM9/10/09

to

>
> No offense, but I disagree. =A0This list is for questions specific to Ope=
nSSL
> programming, not for questions like "should I do what the documentation s=
ays".
> Asking such a question shows a fundamental misunderstanding on correct pr=
ogramming
> techniques. =A0 Unfortunately this is all too common IME.

It's OK, you can be wrong. Whether you like it or not, that question
was about OpenSSL programming. The documentation for this project is
not always up to date on these and other issues and it's reasonable to
ask for clarification or confirmation.

Ben