[openssl-users] Guidance on proper usage of OpenSSL_add_all_digests

Thomas Francis, Jr. thomas.francis.jr at pobox.com
Wed Mar 2 20:02:53 UTC 2016


> On Mar 2, 2016, at 12:27 PM, Neptune <pdrotter at us.ibm.com> wrote:
> 
> Using OpenSSL 1.0.1l
> 
> I just learned the painful way that OpenSSL_add_all_digests() is not a
> thread-safe function. I had been calling this in the constructor of a class
> providing hash functions for multiple threads. My question is, how do I know
> if a thread instantiating my class has called OpenSSL_add_all_digests() or
> not? Is there a way to query OpenSSL for the state of the table? Perhaps
> more importantly, is it a requirement to call this function at all? My test
> application seems quite happy to do SHA1 hashes without calling any of the
> *add_all* functions :-/

You should initialize OpenSSL prior to starting any threads.  Likewise, you should then de-initialize it only after all threads (except your main thread, of course) have finished.  If you absolutely have to do it inside some secondary thread, then initialize a value to tell you if you’ve initialized OpenSSL or not and look at it.  If you’re using pthreads, you could put your OpenSSL initialization in a single function, and then in each thread, invoke it with pthread_once().  That way it’ll never be called more than once.  That still leaves you with the issue of cleanup, but that might not matter, depending on how you use it.

This is changing with OpenSSL 1.1, but for the better.  IIUC, most users won’t need to bother with initialization at all.


> Google searches bring back about a dozen different "proper" ways of
> initializing, so I am asking for some expert guidance.

A lot of the differences come down to personal preference.  You don’t have to call OpenSSL_add_all_digests(), depending on what you’re doing, but I’d recommend either calling it, or calling EVP_add_digest() for each digest you intend to use.  I’d also suggest that if it’s working without either call, then perhaps you’re not doing it right. :)  Avoid using any functions like SHA1_Init(); use EVP_DigestInit(), instead.  The EVP interfaces are superior, especially when you eventually need to change which hashing algorithm to use.

TOM

> Thanks!
> 
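The pthread_once() approach suggested in the reply above, as an added example that is not part of the original thread: every thread funnels through one init function, so the registration runs once no matter which thread arrives first. `crypto_init`, `hash_worker`, `run_workers` and the `WITH_OPENSSL` build switch are hypothetical names; without that switch the init body is a stand-in that only counts its calls, so the file builds without libcrypto.

```c
/* One-time init via pthread_once(). Stand-in build: cc -pthread once.c
 * Real call: cc -pthread -DWITH_OPENSSL once.c -lcrypto */
#include <pthread.h>
#include <stdio.h>
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
#endif

static pthread_once_t crypto_once = PTHREAD_ONCE_INIT;
static int init_calls; /* number of times the init body actually ran */

/* The only place the non-thread-safe registration is performed. */
static void crypto_init(void)
{
#ifdef WITH_OPENSSL
    OpenSSL_add_all_digests();
#endif
    init_calls++;
}

/* Hypothetical worker: any thread that hashes calls pthread_once() first. */
static void *hash_worker(void *arg)
{
    (void)arg;
    pthread_once(&crypto_once, crypto_init);
#ifdef WITH_OPENSSL
    /* Look the digest up through EVP rather than calling SHA1_Init(). */
    if (EVP_get_digestbyname("SHA1") == NULL)
        return (void *)1;
#endif
    return NULL;
}

/* Start n threads, join them, return how often crypto_init() ran (-1 on error). */
int run_workers(int n)
{
    pthread_t tid[64];
    void *rc = NULL;
    int i, started = 0, failed;
    if (n < 1 || n > 64) return -1;
    for (; started < n; started++)
        if (pthread_create(&tid[started], NULL, hash_worker, NULL) != 0)
            break;
    failed = (started != n);
    for (i = 0; i < started; i++)
        if (pthread_join(tid[i], &rc) != 0 || rc != NULL)
            failed = 1;
    return failed ? -1 : init_calls;
}

int main(void) { printf("init ran %d time(s)\n", run_workers(16)); return 0; }
```

As the reply notes, this covers initialization only; cleanup after all threads have finished still has to be arranged separately.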


