Hello everyone. I'm playing around with engine_pkcs11 and libp11 and, maybe I'm doing something wrong, but I'm getting leaks regarding EVP_PKEY's. The following sample code just load a private key into an EVP_PKEY and then release it. I'm using Safenet pkcs11 implementation (libcryptoki.so) to work with an HSM.
int main() { EVP_PKEY *p = NULL; OpenSSL_add_all_algorithms(); ENGINE_load_dynamic(); ENGINE *pkcs11_engine = ENGINE_by_id("dynamic"); if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "SO_PATH", "/usr/lib/engines/engine_pkcs11.so", 0)){ // error handling... } if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "LIST_ADD", "1", 0)){ // error handling... } if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "LOAD", NULL, 0)){ // error handling... } if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "MODULE_PATH", "/opt/PTK/lib/libcryptoki.so", 0)){ // error handling... } if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "PIN", "my_pin", 0)){ // error handling... } if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "VERBOSE", NULL, 0)){ // error handling... } if (!ENGINE_init(pkcs11_engine)) { // error handling... } ENGINE_set_default(pkcs11_engine, ENGINE_METHOD_ALL); p = ENGINE_load_private_key(pkcs11_engine, "slot_0-label_rsa", NULL, NULL); EVP_PKEY_free(p); ENGINE_finish(pkcs11_engine); ENGINE_free(pkcs11_engine); EVP_cleanup(); return 0; } And here is valgrind output: ==22067== HEAP SUMMARY: ==22067== in use at exit: 21,519 bytes in 314 blocks ==22067== total heap usage: 2,638 allocs, 2,324 frees, 229,559 bytes allocated ==22067== ==22067== 144 bytes in 1 blocks are possibly lost in loss record 139 of 158 ==22067== at 0x4024F12: calloc (vg_replace_malloc.c:467) ==22067== by 0x40117CB: _dl_allocate_tls (dl-tls.c:300) ==22067== by 0x40906A9: pthread_create@@GLIBC_2.1 (allocatestack.c:570) ==22067== by 0x49104B5: InitMonitor (in /usr/lib/libethsm.so) ==22067== by 0x490ED80: TCP_Initialize (in /usr/lib/libethsm.so) ==22067== by 0x4907B22: MD_Initialize (in /usr/lib/libethsm.so) ==22067== by 0x48BA0E2: InitDevices (in /opt/ETcpsdk/lib/linux-i386/libcthsm.so) ==22067== by 0x48BA1C8: InitHostInterface (in /opt/ETcpsdk/lib/linux-i386/libcthsm.so) ==22067== by 0x48C1E02: C_Initialize (in /opt/ETcpsdk/lib/linux-i386/libcthsm.so) ==22067== by 0x4035DC6: PKCS11_CTX_load (p11_load.c:75) ==22067== by 0x402CE50: pkcs11_init (engine_pkcs11.c:177) ==22067== by 0x41394EC: engine_unlocked_init (in /lib/libcrypto.so.0.9.8) ==22067== ==22067== 4,211 (40 direct, 4,171 indirect) bytes in 1 blocks are definitely lost in loss record 158 of 158 ==22067== at 0x4025BD3: malloc (vg_replace_malloc.c:236) ==22067== by 0x40DD3FD: ??? (in /lib/libcrypto.so.0.9.8) ==22067== by 0x40DDA8B: CRYPTO_malloc (in /lib/libcrypto.so.0.9.8) ==22067== by 0x4036016: pkcs11_malloc (p11_misc.c:26) ==22067== by 0x4037B9C: PKCS11_enumerate_slots (p11_slot.c:61) ==22067== by 0x402D063: pkcs11_load_key (engine_pkcs11.c:585) ==22067== by 0x402DDD6: pkcs11_load_private_key (engine_pkcs11.c:812) ==22067== by 0x413AC46: ENGINE_load_private_key (in /lib/libcrypto.so.0.9.8) ==22067== by 0x8049429: main (pkcs11_engine_test.cpp:242) ==22067== ==22067== LEAK SUMMARY: ==22067== definitely lost: 40 bytes in 1 blocks ==22067== indirectly lost: 4,171 bytes in 55 blocks ==22067== possibly lost: 144 bytes in 1 blocks ==22067== still reachable: 17,164 bytes in 257 blocks ==22067== suppressed: 0 bytes in 0 blocks The still reachable should be because I'm not calling the correct OpenSSL cleanup stuff. But the direct lost is caused by the EVP_PKEY loading. By looking at libp11 and engine_pkcs11 code, the function PKCS11_enumerate_slots allocates a PKCS11_SLOT * list that is not beeing freed. I tryed to just freed it (without succes), but I think it is not the wat to go, because libp11 works in an OOP fashion by linking slot->token->keys,certs.... Am I doing something wrong (ie: not calling the correct methods to clean things) ?. I couldn't find where stuff get cleaned and how it is related to EVP_PKEY_free() method. Thank you. PS: Ive tryed with both OpenSSL 0.9.8o 01 Jun 2010 (default Ubuntu version) and OpenSSL 1.0.0d 8 Feb 2011 -- Felipe Menegola Blauth
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel