Question about constness of EVP_PKEY* arguments in public API

Romain GEISSLER romain.geissler at amadeus.com
Thu Sep 2 15:43:44 UTC 2021


Hi,

I have a piece of software using OpenSSL that currently works on a single thread. I am adding a bit more "const" in the code everywhere I can, as we want to start using the same code in a multithreaded environment, and potentially two threads might sign/verify/encrypt/decrypt using the same EVP_PKEY argument in multiple threads. By adding "const" I am trying to find what shall be protected by a mutex and what shall not, in case it's mutable.

I am using the following OpenSSL APIs: EVP_DigestSignInit, EVP_DigestVerifyInit, EVP_PKEY_size, EVP_SealInit, EVP_OpenInit. It seems these all take a non-const EVP_PKEY* argument. Does it mean that EVP_PKEY* has some internal state which may be updated by these APIs, and which I should definitely not call without thread synchronization in multiple threads? Or is the OpenSSL API just missing the "const" keyword, as really the key, once read, has absolutely no state modified by these APIs?

Note: I have to support several branches of my software: the oldest branches are still using the old OpenSSL 1.0.2, other branches use OpenSSL 1.1.1, and the latest branch uses the OpenSSL 3.0 release candidate.

Cheers,
Romain

