1e1051a39Sopenharmony_ci=pod 2e1051a39Sopenharmony_ci 3e1051a39Sopenharmony_ci=head1 NAME 4e1051a39Sopenharmony_ci 5e1051a39Sopenharmony_ciopenssl-threads - Overview of thread safety in OpenSSL 6e1051a39Sopenharmony_ci 7e1051a39Sopenharmony_ci=head1 DESCRIPTION 8e1051a39Sopenharmony_ci 9e1051a39Sopenharmony_ciIn this man page, we use the term B<thread-safe> to indicate that an 10e1051a39Sopenharmony_ciobject or function can be used by multiple threads at the same time. 11e1051a39Sopenharmony_ci 12e1051a39Sopenharmony_ciOpenSSL can be built with or without threads support. The most important 13e1051a39Sopenharmony_ciuse of this support is so that OpenSSL itself can use a single consistent 14e1051a39Sopenharmony_ciAPI, as shown in L<CRYPTO_THREAD_run_once(3)/EXAMPLES>. 15e1051a39Sopenharmony_ciMulti-platform applications can also use this API. 16e1051a39Sopenharmony_ci 17e1051a39Sopenharmony_ciIn particular, being configured for threads support does not imply that 18e1051a39Sopenharmony_ciall OpenSSL objects are thread-safe. 19e1051a39Sopenharmony_ciTo emphasize: I<most objects are not safe for simultaneous use>. 20e1051a39Sopenharmony_ciExceptions to this should be documented on the specific manual pages, and 21e1051a39Sopenharmony_cisome general high-level guidance is given here. 22e1051a39Sopenharmony_ci 23e1051a39Sopenharmony_ciOne major use of the OpenSSL thread API is to implement reference counting. 24e1051a39Sopenharmony_ciMany objects within OpenSSL are reference-counted, so resources are not 25e1051a39Sopenharmony_cireleased, until the last reference is removed. 26e1051a39Sopenharmony_ciReferences are often increased automatically (such as when an B<X509> 27e1051a39Sopenharmony_cicertificate object is added into an B<X509_STORE> trust store). 28e1051a39Sopenharmony_ciThere is often an B<I<object>_up_ref>() function that can be used to increase 29e1051a39Sopenharmony_cithe reference count. 30e1051a39Sopenharmony_ciFailure to match B<I<object>_up_ref>() calls with the right number of 31e1051a39Sopenharmony_ciB<I<object>_free>() calls is a common source of memory leaks when a program 32e1051a39Sopenharmony_ciexits. 33e1051a39Sopenharmony_ci 34e1051a39Sopenharmony_ciMany objects have set and get API's to set attributes in the object. 35e1051a39Sopenharmony_ciA C<set0> passes ownership from the caller to the object and a 36e1051a39Sopenharmony_ciC<get0> returns a pointer but the attribute ownership 37e1051a39Sopenharmony_ciremains with the object and a reference to it is returned. 38e1051a39Sopenharmony_ciA C<set1> or C<get1> function does not change the ownership, but instead 39e1051a39Sopenharmony_ciupdates the attribute's reference count so that the object is shared 40e1051a39Sopenharmony_cibetween the caller and the object; the caller must free the returned 41e1051a39Sopenharmony_ciattribute when finished. 42e1051a39Sopenharmony_ciFunctions that involve attributes that have reference counts themselves, 43e1051a39Sopenharmony_cibut are named with just C<set> or C<get> are historical; and the documentation 44e1051a39Sopenharmony_cimust state how the references are handled. 45e1051a39Sopenharmony_ciGet methods are often thread-safe as long as the ownership requirements are 46e1051a39Sopenharmony_cimet and shared objects are not modified. 47e1051a39Sopenharmony_ciSet methods, or modifying shared objects, are generally not thread-safe 48e1051a39Sopenharmony_cias discussed below. 49e1051a39Sopenharmony_ci 50e1051a39Sopenharmony_ciObjects are thread-safe 51e1051a39Sopenharmony_cias long as the API's being invoked don't modify the object; in this 52e1051a39Sopenharmony_cicase the parameter is usually marked in the API as C<const>. 53e1051a39Sopenharmony_ciNot all parameters are marked this way. 54e1051a39Sopenharmony_ciNote that a C<const> declaration does not mean immutable; for example 55e1051a39Sopenharmony_ciL<X509_cmp(3)> takes pointers to C<const> objects, but the implementation 56e1051a39Sopenharmony_ciuses a C cast to remove that so it can lock objects, generate and cache 57e1051a39Sopenharmony_cia DER encoding, and so on. 58e1051a39Sopenharmony_ci 59e1051a39Sopenharmony_ciAnother instance of thread-safety is when updates to an object's 60e1051a39Sopenharmony_ciinternal state, such as cached values, are done with locks. 61e1051a39Sopenharmony_ciOne example of this is the reference counting API's described above. 62e1051a39Sopenharmony_ci 63e1051a39Sopenharmony_ciIn all cases, however, it is generally not safe for one thread to 64e1051a39Sopenharmony_cimutate an object, such as setting elements of a private or public key, 65e1051a39Sopenharmony_ciwhile another thread is using that object, such as verifying a signature. 66e1051a39Sopenharmony_ci 67e1051a39Sopenharmony_ciThe same API's can usually be used simultaneously on different objects 68e1051a39Sopenharmony_ciwithout interference. 69e1051a39Sopenharmony_ciFor example, two threads can calculate a signature using two different 70e1051a39Sopenharmony_ciB<EVP_PKEY_CTX> objects. 71e1051a39Sopenharmony_ci 72e1051a39Sopenharmony_ciFor implicit global state or singletons, thread-safety depends on the facility. 73e1051a39Sopenharmony_ciThe L<CRYPTO_secure_malloc(3)> and related API's have their own lock, 74e1051a39Sopenharmony_ciwhile L<CRYPTO_malloc(3)> assumes the underlying platform allocation 75e1051a39Sopenharmony_ciwill do any necessary locking. 76e1051a39Sopenharmony_ciSome API's, such as L<NCONF_load(3)> and related, or L<OBJ_create(3)> 77e1051a39Sopenharmony_cido no locking at all; this can be considered a bug. 78e1051a39Sopenharmony_ci 79e1051a39Sopenharmony_ciA separate, although related, issue is modifying "factory" objects 80e1051a39Sopenharmony_ciwhen other objects have been created from that. 81e1051a39Sopenharmony_ciFor example, an B<SSL_CTX> object created by L<SSL_CTX_new(3)> is used 82e1051a39Sopenharmony_cito create per-connection B<SSL> objects by calling L<SSL_new(3)>. 83e1051a39Sopenharmony_ciIn this specific case, and probably for factory methods in general, it is 84e1051a39Sopenharmony_cinot safe to modify the factory object after it has been used to create 85e1051a39Sopenharmony_ciother objects. 86e1051a39Sopenharmony_ci 87e1051a39Sopenharmony_ci=head1 SEE ALSO 88e1051a39Sopenharmony_ci 89e1051a39Sopenharmony_ciCRYPTO_THREAD_run_once(3), 90e1051a39Sopenharmony_cilocal system threads documentation. 91e1051a39Sopenharmony_ci 92e1051a39Sopenharmony_ci=head1 BUGS 93e1051a39Sopenharmony_ci 94e1051a39Sopenharmony_ciThis page is admittedly very incomplete. 95e1051a39Sopenharmony_ci 96e1051a39Sopenharmony_ci=head1 COPYRIGHT 97e1051a39Sopenharmony_ci 98e1051a39Sopenharmony_ciCopyright 2021 The OpenSSL Project Authors. All Rights Reserved. 99e1051a39Sopenharmony_ci 100e1051a39Sopenharmony_ciLicensed under the Apache License 2.0 (the "License"). You may not use 101e1051a39Sopenharmony_cithis file except in compliance with the License. You can obtain a copy 102e1051a39Sopenharmony_ciin the file LICENSE in the source distribution or at 103e1051a39Sopenharmony_ciL<https://www.openssl.org/source/license.html>. 104e1051a39Sopenharmony_ci 105e1051a39Sopenharmony_ci=cut 106