Hello everyone.
I'm playing around with engine_pkcs11 and libp11 and, maybe I'm doing
something wrong, but I'm getting leaks regarding EVP_PKEY's. The following
sample code just load a private key into an EVP_PKEY and then release it.
I'm using Safenet pkcs11 implementation (libcryptoki.so) to work with an
HSM.
int main() {
EVP_PKEY *p = NULL;
OpenSSL_add_all_algorithms();
ENGINE_load_dynamic();
ENGINE *pkcs11_engine = ENGINE_by_id("dynamic");
if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "SO_PATH",
"/usr/lib/engines/engine_pkcs11.so", 0)){
// error handling...
}
if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "LIST_ADD", "1", 0)){
// error handling...
}
if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "LOAD", NULL, 0)){
// error handling...
}
if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "MODULE_PATH",
"/opt/PTK/lib/libcryptoki.so", 0)){
// error handling...
}
if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "PIN", "my_pin", 0)){
// error handling...
}
if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "VERBOSE", NULL, 0)){
// error handling...
}
if (!ENGINE_init(pkcs11_engine))
{
// error handling...
}
ENGINE_set_default(pkcs11_engine, ENGINE_METHOD_ALL);
p = ENGINE_load_private_key(pkcs11_engine, "slot_0-label_rsa", NULL, NULL);
EVP_PKEY_free(p);
ENGINE_finish(pkcs11_engine);
ENGINE_free(pkcs11_engine);
EVP_cleanup();
return 0;
}
And here is valgrind output:
==22067== HEAP SUMMARY:
==22067== in use at exit: 21,519 bytes in 314 blocks
==22067== total heap usage: 2,638 allocs, 2,324 frees, 229,559 bytes
allocated
==22067==
==22067== 144 bytes in 1 blocks are possibly lost in loss record 139 of 158
==22067== at 0x4024F12: calloc (vg_replace_malloc.c:467)
==22067== by 0x40117CB: _dl_allocate_tls (dl-tls.c:300)
==22067== by 0x40906A9: pthread_create@@GLIBC_2.1 (allocatestack.c:570)
==22067== by 0x49104B5: InitMonitor (in /usr/lib/libethsm.so)
==22067== by 0x490ED80: TCP_Initialize (in /usr/lib/libethsm.so)
==22067== by 0x4907B22: MD_Initialize (in /usr/lib/libethsm.so)
==22067== by 0x48BA0E2: InitDevices (in
/opt/ETcpsdk/lib/linux-i386/libcthsm.so)
==22067== by 0x48BA1C8: InitHostInterface (in
/opt/ETcpsdk/lib/linux-i386/libcthsm.so)
==22067== by 0x48C1E02: C_Initialize (in
/opt/ETcpsdk/lib/linux-i386/libcthsm.so)
==22067== by 0x4035DC6: PKCS11_CTX_load (p11_load.c:75)
==22067== by 0x402CE50: pkcs11_init (engine_pkcs11.c:177)
==22067== by 0x41394EC: engine_unlocked_init (in /lib/libcrypto.so.0.9.8)
==22067==
==22067== 4,211 (40 direct, 4,171 indirect) bytes in 1 blocks are definitely
lost in loss record 158 of 158
==22067== at 0x4025BD3: malloc (vg_replace_malloc.c:236)
==22067== by 0x40DD3FD: ??? (in /lib/libcrypto.so.0.9.8)
==22067== by 0x40DDA8B: CRYPTO_malloc (in /lib/libcrypto.so.0.9.8)
==22067== by 0x4036016: pkcs11_malloc (p11_misc.c:26)
==22067== by 0x4037B9C: PKCS11_enumerate_slots (p11_slot.c:61)
==22067== by 0x402D063: pkcs11_load_key (engine_pkcs11.c:585)
==22067== by 0x402DDD6: pkcs11_load_private_key (engine_pkcs11.c:812)
==22067== by 0x413AC46: ENGINE_load_private_key (in
/lib/libcrypto.so.0.9.8)
==22067== by 0x8049429: main (pkcs11_engine_test.cpp:242)
==22067==
==22067== LEAK SUMMARY:
==22067== definitely lost: 40 bytes in 1 blocks
==22067== indirectly lost: 4,171 bytes in 55 blocks
==22067== possibly lost: 144 bytes in 1 blocks
==22067== still reachable: 17,164 bytes in 257 blocks
==22067== suppressed: 0 bytes in 0 blocks
The still reachable should be because I'm not calling the correct OpenSSL
cleanup stuff. But the direct lost is caused by the EVP_PKEY loading. By
looking at libp11 and engine_pkcs11 code, the
function PKCS11_enumerate_slots allocates a PKCS11_SLOT * list that is not
beeing freed. I tryed to just freed it (without succes), but I think it is
not the wat to go, because libp11 works in an OOP fashion by linking
slot->token->keys,certs....
Am I doing something wrong (ie: not calling the correct methods to clean
things) ?. I couldn't find where stuff get cleaned and how it is related
to EVP_PKEY_free() method.
Thank you.
PS: Ive tryed with both OpenSSL 0.9.8o 01 Jun 2010 (default Ubuntu version)
and OpenSSL 1.0.0d 8 Feb 2011
--
Felipe Menegola Blauth
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
