Calling OpenSSL_thread_stop() multiple times
matt at openssl.org
Thu Aug 24 08:09:29 UTC 2023
On 24/08/2023 08:38, Martin Bonner via openssl-users wrote:
>> I have fixed the leak by moving Openssl_thread_stop() to dll_thread_detach.
> Beware! Here be dragons!
> dll_thread_detach is called from DllMain when that is called with
> The significance of this is that there are quite severe limitations on what you
> can do inside DllMain. See:
> https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain and
> I have two particular concerns:
> * Openssl_thread_stop is not documented as being safe to call from DllMain
> (it would be awesome if it was) - and although it way work today, somebody may
> make a change which means it stops working tomorrow.
> * I rather expect Openssl_thread_stop calls into all loaded providers - and if
> your customer has a third-party provider loaded which you haven't tested with,
> things could go wrong.
> The only suggestion I have as to how to fix this is "submit a PR to document
> that Openssl_thread_stop/Openssl_thread_stop_ex are safe to call from DllMain"
> - preferably with the additions of loads of comments to the relevant code.
> Apart from that, do lots of testing, and be prepared for issues.
OPENSSL_thread_stop() is used for freeing resources and I wouldn't
generally expect more complex processing to occur in it.
If running on Windows and linking to OpenSSL dynamically then
OPENSSL_thread_stop() is automatically called (the application does not
need to do anything special). OpenSSL itself does this from DllMain and
The documentation for OPENSSL_thread_stop() does explicitly mention this:
"Resources local to a thread are deallocated automatically when the
thread exits (e.g. in a pthreads environment, when pthread_exit() is
called). On Windows platforms this is done in response to a
DLL_THREAD_DETACH message being sent to the libcrypto32.dll entry point.
Some windows functions may cause threads to exit without sending this
message (for example ExitProcess()). If the application uses such
functions, then the application must free up OpenSSL resources directly
via a call to OPENSSL_thread_stop() on each thread. Similarly this
message will also not be sent if OpenSSL is linked statically, and
therefore applications using static linking should also call
OPENSSL_thread_stop() on each thread. Additionally if OpenSSL is loaded
dynamically via LoadLibrary() and the threads are not destroyed until
after FreeLibrary() is called then each thread should call
OPENSSL_thread_stop() prior to the FreeLibrary() call."
More information about the openssl-users