OPENSSL_thread_stop() fiber local storage and questions

Matt Caswell matt at openssl.org
Fri Jan 19 10:04:31 UTC 2024



On 19/01/2024 01:32, Matthew Ogilvie wrote:
> 
> IDEA/QUESTION 1: This is probably not a short-term change, but in the
> longer term, is there any chance OpenSSL may switch to Windows fiber
> local storage, thereby simplifying the most common cases where users
> need to call OPENSSL_thread_stop()?

I would love to find a way to get rid of OPENSSL_thread_stop() 
altogether. This could be one approach that would solve one of the most 
common scenarios where it is needed. It's definitely worth considering 
although it wouldn't enable us to completely get rid of it since there 
will still be corner cases where it would be needed.


> 
> The biggest concern I can see is that I think this fiber local storage
> idea only works on Windows Vista or later, which raises the question:
> What is OpenSSL's policy about supporting old versions of Windows
> that Microsoft no longer supports (XP/2000)? (Perhaps it could
> be a (pre-build) configure option, or auto-determined at runtime
> using GetProcAddress()...)

Currently, in theory, we support XP and above. But we don't test that in 
our CIs at the moment, and I don't know if anyone is actually using it 
there. This is fairly regularly questioned and I would not be surprised 
if we decide to drop XP support at some point fairly soon.

But, since we would still need to retain the OPENSSL_thread_stop() 
function in any case (because there are corner cases that FLS would not 
help for), we could just make the FLS solution conditionally compiled 
based on what Windows version is being targeted.



> QUESTION 2: When a thread is ending, is it necessary to
> call OPENSSL_thread_stop_ex() for every allocated OSSL_LIB_CTX, or
> is a single call to OPENSSL_thread_stop() sufficient?

The man page says this about OPENSSL_thread_stop_ex():

The OPENSSL_thread_stop_ex() function deallocates resources associated
with the current thread for the given OSSL_LIB_CTX B<ctx>.

It says this about OPENSSL_thread_stop():

OPENSSL_thread_stop() is the same as OPENSSL_thread_stop_ex() except 
that the default OSSL_LIB_CTX is always used.


So, OPENSSL_thread_stop() and OPENSSL_thread_stop_ex() are both specific 
to an individual OSSL_LIB_CTX. If you have used multiple OSSL_LIB_CTXs 
on a thread, then you need to call OPENSSL_thread_stop_ex() for each of 
them.


Matt
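
An added example, not part of the original message and not OpenSSL code: a self-contained C model of the two points discussed above, showing that per-thread state held per context needs one stop call per context unless an OS-invoked thread-exit callback frees it. Assumptions: a pthread key destructor stands in for the Windows FLS callback so the model runs on POSIX, and `model_ctx`, `model_use`, `model_thread_stop_ex` and `leaked_after_worker` are hypothetical names.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Model only, hypothetical names: one TLS key per "library context". */
typedef struct { pthread_key_t key; atomic_int live; } model_ctx;
typedef struct { model_ctx *owner; } thread_state;
/* Frees one thread's state for one context; as key destructor it plays the FLS callback role. */
static void release_state(void *p) {
    thread_state *st = p;
    atomic_fetch_sub(&st->owner->live, 1);
    free(st);
}
/* Using a context on a thread lazily allocates per-thread state for it. */
static int model_use(model_ctx *c) {
    thread_state *st = pthread_getspecific(c->key);
    if (st != NULL) return 1;
    if ((st = calloc(1, sizeof *st)) == NULL) return 0;
    st->owner = c;
    if (pthread_setspecific(c->key, st) != 0) { free(st); return 0; }
    atomic_fetch_add(&c->live, 1);
    return 1;
}
/* Explicit cleanup for ONE context: the shape of OPENSSL_thread_stop_ex(ctx). */
static void model_thread_stop_ex(model_ctx *c) {
    void *st = pthread_getspecific(c->key);
    if (st != NULL) { pthread_setspecific(c->key, NULL); release_state(st); }
}
struct job { model_ctx *ctx[2]; int stop[2]; };
static void *worker(void *arg) {
    struct job *j = arg;
    for (int i = 0; i < 2; i++) model_use(j->ctx[i]);   /* touch both contexts */
    for (int i = 0; i < 2; i++) if (j->stop[i]) model_thread_stop_ex(j->ctx[i]);
    return NULL;
}
/* Per-thread states still allocated after the worker exited (-1 on error). */
int leaked_after_worker(int exit_callback, int stop_a, int stop_b) {
    model_ctx a = { .live = 0 }, b = { .live = 0 };
    void (*dtor)(void *) = exit_callback ? release_state : NULL;
    struct job j = { { &a, &b }, { stop_a, stop_b } };
    pthread_t t;
    if (pthread_key_create(&a.key, dtor) || pthread_key_create(&b.key, dtor)) return -1;
    if (pthread_create(&t, NULL, worker, &j) || pthread_join(t, NULL)) return -1;
    int leaked = atomic_load(&a.live) + atomic_load(&b.live);
    pthread_key_delete(a.key); pthread_key_delete(b.key);
    return leaked;
}
int main(void) {
    return leaked_after_worker(0, 1, 1) != 0;   /* 0: both contexts stopped, nothing left */
}
```

Without the exit callback, stopping only the first of the two contexts leaves the second context's per-thread state allocated; with the callback registered, nothing is left even when no explicit stop call is made.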

