> [[email protected] - Tue Jul 07 23:01:13 2009]:
>
> That's a useful tip, perhaps, but if the underlying calls are embedded
> in third-party libraries, such as handled by cURL etc, the end user
> has no choice as to when they're being initialized.
>
> Of course since multiple third-party libraries could be involved
> (which have no knowledge of each other), it's only possible to fix
> this issue in OpenSSL itself.
>
Only certain issues can be handled in OpenSSL. Your fix handles algorithm initialisation but not cleanup which is problematical.

Third party libraries can do things which break others in many different ways. Setting the locking callbacks is one way to produce a race condition for example.

Also adding a new lock is not something which can be done in a stable branch because it causes nasty binary compatibility issues. The reason for that is that many applications use CRYPTO_NUM_LOCKS instead of CRYPTO_num_locks() to get the number of locks. If they do that and we add a new lock such applications will crash because an attempt will be made to use a lock out of range.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
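The binary-compatibility hazard described in the reply above, as a self-contained C model (an added example, not OpenSSL code and not code from this thread). `HDR_NUM_LOCKS`, `model_num_locks()`, the `lock_table` type and the counts 4 and 5 are constructed stand-ins for `CRYPTO_NUM_LOCKS`, `CRYPTO_num_locks()`, an application's lock array and the real lock counts.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for CRYPTO_NUM_LOCKS: frozen into the application at compile time. */
#define HDR_NUM_LOCKS 4

/* Stand-in for CRYPTO_num_locks(): answered by the library installed at run
 * time, here a later build that has gained one extra lock (constructed value). */
static int lib_num_locks = 5;
static int model_num_locks(void) { return lib_num_locks; }

typedef struct { int *held; int n; int rejected; } lock_table;

/* Application side: allocate one slot per lock, n chosen by the caller. */
static int table_init(lock_table *t, int n) {
    t->held = calloc((size_t)n, sizeof *t->held);
    t->n = t->held ? n : 0;
    t->rejected = 0;
    return t->held ? 0 : -1;
}

/* Locking callback: the library passes a lock index. Without this range
 * check, an index >= n writes past the array, which is the crash described. */
static void table_lock(lock_table *t, int type) {
    if (type < 0 || type >= t->n) { t->rejected++; return; }
    t->held[type]++;
}

/* Library side: use every lock it knows about; return out-of-range requests. */
static int exercise(lock_table *t) {
    for (int i = 0; i < model_num_locks(); i++)
        table_lock(t, i);
    return t->rejected;
}

/* Size the table from the macro (0) or from the run-time call (1). */
static int run_model(int use_runtime_count) {
    lock_table t;
    int n = use_runtime_count ? model_num_locks() : HDR_NUM_LOCKS;
    if (table_init(&t, n) != 0) return -1;
    int bad = exercise(&t);
    free(t.held);
    return bad;
}

int main(void) {
    printf("sized by compile-time macro: %d out-of-range lock request(s)\n", run_model(0));
    printf("sized by run-time call:      %d out-of-range lock request(s)\n", run_model(1));
    return 0;
}
```
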
