Richard Levitte - VMS Whacker wrote:
> 
> From: Richard Levitte - VMS Whacker <[EMAIL PROTECTED]>
> 
> levitte> From: [EMAIL PROTECTED]
> levitte>
> levitte> bodo>    /* crypto/ex_data.c */
> levitte> bodo>   +
> levitte> bodo>   +/*
> levitte> bodo>   + * This is not thread-safe, nor can it be changed to become 
>thread-safe
> levitte> bodo>   + * without changing various function prototypes and using a lot of 
>locking.
> levitte> bodo>   + * Luckily, it's not really used anywhere except in 
>ssl_verify_cert_chain
> levitte> bodo>   + * via SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c), where
> levitte> bodo>   + * new_func, dup_func, and free_func all are 0.
> levitte> bodo>   + *
> levitte> bodo>   + * Any multi-threaded application crazy enough to use ex_data for 
>its own
> levitte> bodo>   + * purposes had better make sure that 
>SSL_get_ex_data_X509_STORE_CTX_idx
> levitte> bodo>   + * is called once before multiple threads are created.
> levitte> bodo>   + */
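Review bot: The last paragraph of this comment puts a requirement on applications (call SSL_get_ex_data_X509_STORE_CTX_idx once before multiple threads are created), but it exists only as a comment in crypto/ex_data.c, where application authors are unlikely to read it; the same requirement should be stated in the user-facing documentation. The sentence "it's not really used anywhere except in ssl_verify_cert_chain" is a claim about every caller that a source comment cannot keep true over time, so consider limiting it to what this file does, and replace "crazy enough" with neutral wording.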
> levitte>
> levitte> Not quite right.  It's also used in the CHIL/hwcrhk engine as a clever
> levitte> tool to keep track of the actual "hardware" key that an RSA is
> levitte> connected to.
> 
> And then I forgot to mention that applications have good use of
> ex_data.  For example, the verification callback takes only an SSL and
> an integer as arguments.  If the application wants to pass down, say,
> data about an LDAP server where certificates to accept are stored, the
> only ways are through global variables or through the ex_data in the
> SSL structure.  I wouldn't opt for global variables, especially in a
> threaded application...
> 

Indeed ex_data is very useful for many things if used correctly. OpenSSL
doesn't use it much internally though. There are a lot of crazy
multi-threaded applications out there :-)

We should document the issues such as obtaining the new index before
starting threads and being careful about using ex_data in shared
structures though.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
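
The first-use race behind the advice above to obtain the index before starting threads, as an added example that is not part of the original message and is not OpenSSL code: a single-threaded model that replays one bad interleaving step by step. All names (`lazy_get`, `cached_idx`, `struct object`) are hypothetical, and the check-then-allocate getter is an assumed shape for an index function that caches its result in a static.

```c
/* Added illustration: a minimal model, NOT OpenSSL source. Names are hypothetical. */
#include <stdio.h>

#define MAX_SLOTS 8
static int next_index;                     /* models the per-class index counter */
static int cached_idx = -1;                /* models the static kept by a lazy getter */
struct object { void *slot[MAX_SLOTS]; };  /* models a structure carrying ex_data */

static int get_new_index(void) { return next_index++; }
static void set_data(struct object *o, int idx, void *p) { o->slot[idx] = p; }
static void *get_data(const struct object *o, int idx) { return o->slot[idx]; }

/* The lazy getter, split into its check and its act so that two callers
 * can be interleaved deterministically. */
static int lazy_needs_alloc(void) { return cached_idx < 0; }
static int lazy_alloc(void) { cached_idx = get_new_index(); return cached_idx; }
static int lazy_get(void) { if (lazy_needs_alloc()) lazy_alloc(); return cached_idx; }
static void reset(void) { next_index = 0; cached_idx = -1; }

/* Callers A and B both pass the check before either stores an index.
 * Returns 1 if A's data is still found through the getter afterwards. */
int racy_first_use(void)
{
    struct object conn = { { NULL } };
    int payload = 42, a_idx, a_needs, b_needs;

    reset();
    a_needs = lazy_needs_alloc();                 /* A sees -1 */
    b_needs = lazy_needs_alloc();                 /* B sees -1 as well */
    a_idx = a_needs ? lazy_alloc() : cached_idx;  /* A is given index 0 */
    set_data(&conn, a_idx, &payload);             /* A stores under index 0 */
    if (b_needs) lazy_alloc();                    /* B is given 1, overwrites the cache */
    return get_data(&conn, lazy_get()) == &payload;
}

/* Index obtained once at startup; afterwards every caller only reads it. */
int preallocated_first_use(void)
{
    struct object conn = { { NULL } };
    int payload = 42;

    reset();
    lazy_get();                                   /* single-threaded startup */
    set_data(&conn, lazy_get(), &payload);        /* caller A */
    return get_data(&conn, lazy_get()) == &payload;  /* caller B, or a later callback */
}

int main(void)
{
    printf("racy: %d, preallocated: %d\n", racy_first_use(), preallocated_first_use());
    return 0;
}
```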
