On May 21, 2010, at 5:58 PM, Dr. Stephen Henson wrote:

> On Fri, May 21, 2010, Sander Temme wrote:
> <..>
>> What would be best?
>>
>
> Unfortunately there is no way to do this with the existing ex_data API and
> we'd rather avoid extending APIs in the stable branches if possible.
>
> My suggestion would be to follow the same route I did with the compression
> ex_data: avoid the use of the ex_data free handler entirely and free up the
> ex_data pointer elsewhere.
>
> Since this is an RSA structure you can add a "finish" handler to contain the
> necessary functionality.

The following fixes the problem for me on Red Hat: Index: engines/e_chil.c =================================================================== RCS file: /home/openssl/cvs/openssl/engines/e_chil.c,v retrieving revision 1.12 diff -u -r1.12 e_chil.c --- engines/e_chil.c 24 Mar 2010 23:42:05 -0000 1.12 +++ engines/e_chil.c 24 May 2010 22:24:28 -0000 @@ -138,6 +138,7 @@ #ifndef OPENSSL_NO_RSA static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, int ind,long argl, void *argp); +static int hwcrhk_rsa_finish(RSA *rsa); #endif /* Interaction stuff */ @@ -193,7 +194,7 @@ hwcrhk_rsa_mod_exp, hwcrhk_mod_exp_mont, NULL, - NULL, + hwcrhk_rsa_finish, 0, NULL, NULL, @@ -602,7 +603,7 @@ if (hndidx_rsa == -1) hndidx_rsa = RSA_get_ex_new_index(0, "nFast HWCryptoHook RSA key handle", - NULL, NULL, hwcrhk_ex_free); + NULL, NULL, NULL); #endif return 1; err: 
@@ -1162,6 +1163,36 @@ } #endif } + +/* + * Cleanup function for RSA structures. This is a wrapper function + * around hwcrhk_ex_free, which was supposed to be registered as a + * free_func for the ex_data entry attached to RSA instances. Since + * the free_func is not robust when the ENGINE gets loaded multiple + * times, call it instead in a finish handler for RSA structures. + */ + +int hwcrhk_rsa_finish(RSA *rsa) +{ + /* The intention is that this is our index on the stack of + * CRYPTO_EX_DATA_FUNCS. This value is not used by + * hwcrhk_ex_free() + */ + int index = 0; + void *item; + CRYPTO_EX_DATA *ad; + + /* Retrieve the ex_data data. This value is used by + * hwcrhk_ex_free() to unload the loaded key from the HSM(s) + */ + ad = &rsa->ex_data; + item = CRYPTO_get_ex_data(ad, index); + + hwcrhk_ex_free(rsa, item, ad, 0, 0, + "nFast HWCryptoHook RSA key handle"); + + return 1; +} #endif /* Mutex calls: since the HWCryptoHook model closely follows the POSIX model Attached patch with CHANGES entry against HEAD. Save for the CHANGES entry, this applies cleanly against 1.0.0 Stable and with a little fuzz against 0.9.8 Stable. Tested on that same CentOS 5.4 system with HEAD and 0.9.8-Stable HEAD against Apache HEAD (prefork). -- san...@temme.net http://www.temme.net/sander/ PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
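Review bot: In hwcrhk_rsa_finish (the @@ -1162 hunk) the lookup CRYPTO_get_ex_data(ad, index) uses a hard-coded index = 0, while the @@ -602 hunk stores the slot returned by RSA_get_ex_new_index() in hndidx_rsa. The comment says the value is not used by hwcrhk_ex_free(), but it is used for the lookup itself, so whenever hndidx_rsa is not 0 the handler fetches a different slot's data (or NULL) and hands that to hwcrhk_ex_free. Suggest item = RSA_get_ex_data(rsa, hndidx_rsa), and returning 1 early when item is NULL unless hwcrhk_ex_free is known to tolerate a NULL item, which these hunks do not show.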
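Review bot: The prototype added in the @@ -138 hunk is static int hwcrhk_rsa_finish(RSA *rsa), but the definition added at the end of the patch is written as plain int hwcrhk_rsa_finish(RSA *rsa). The earlier static declaration still gives the function internal linkage, so this compiles, but the definition should repeat static so that it matches its prototype and a reader does not take it for an exported symbol.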
e_chil_double_load.patch
Description: Binary data