
Nid::create is not possible to use correctly without process-global knowledge #1879

Open
davidben opened this issue Apr 12, 2023 · 2 comments

Comments

@davidben
Contributor

The documentation for Nid::create fails to mention that it modifies process-global state. See #1878 and https://commondatastorage.googleapis.com/chromium-boringssl-docs/obj.h.html#Adding-objects-at-runtime

@alex
Collaborator

alex commented Apr 12, 2023

In OpenSSL 3, this takes a global lock to ensure it is safe. (Incidentally, its handling of that lock was buggy, which could lead to memory corruption, see openssl/openssl@10481d3#diff-9c1ebb22ae4d666ae0cdda6014f30ec0c2e5090fc8e549200988274a8e550904)

Given that, I don't think this issue is accurate, at least as of OpenSSL 3. On OpenSSL 1.1, and it seems BoringSSL, this issue is present though. I didn't check for LibreSSL.

Really, I'm not sure what the point of this method is though, besides the X509Extension snafu.

@davidben
Contributor Author

We lock it in BoringSSL too. Although as a result we probably pay for some thread contention, which isn't great. The issue I was alluding to isn't thread-safety, but correctness. You need process-global knowledge to know that you're the only thing trying to register that OID. Otherwise your registration and the other code's registrations will conflict. If you have different long/short names, things will get very confusing. You also need future knowledge that the library won't later add support for the custom OID you tried to register.
