Bind helper methods in engine_ctrl() only for OpenSSL versions older than 3.0 #559

Merged: 1 commit, Nov 13, 2024


olszomal
Contributor

With OpenSSL 3.x, an engine might be used if defined in openssl.cnf. This causes memory leaks when engine control commands are set in the config file. For OpenSSL 3.0 and newer, add engine routines only after loading keys.

Fixed #358

…than 3.0.

With OpenSSL 3.x, an engine might be used if defined in `openssl.cnf`.
This causes memory leaks when engine control commands are set in the config file.
For OpenSSL 3.0 and newer, add engine routines only after loading keys.
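
The condition this pull request describes, engine control commands set in `openssl.cnf`, can be checked for in a given configuration file. The following is an added example, not part of the pull request or of libp11: it follows the `openssl_conf`, `engines`, engine-section chain and lists the keys that OpenSSL's engine configuration module would send to the engine as control commands. The sample config and its paths are constructed placeholders, and `.include` directives and variable expansion are not handled.

```python
import re

# Keys OpenSSL's engine config module handles itself; any other key in an
# engine section is sent to the engine as a control command.
RESERVED = {"engine_id", "dynamic_path", "init", "default_algorithms", "soft_load"}

def parse_conf(text):
    """Parse openssl.cnf text into {section: [(key, value), ...]}."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def engine_ctrl_commands(text):
    """Return {engine: [ctrl command names]} for engines reachable from openssl_conf."""
    sections = parse_conf(text)
    def lookup(section, key):
        return [v for k, v in sections.get(section, []) if k == key]
    found = {}
    for init in lookup("default", "openssl_conf"):
        for engines in lookup(init, "engines"):
            for name, eng_section in sections.get(engines, []):
                found[name] = [k for k, _ in sections.get(eng_section, [])
                               if k not in RESERVED]
    return found

# Constructed sample configuration; both paths are placeholders.
SAMPLE = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /path/to/pkcs11.so          # placeholder
MODULE_PATH = /path/to/pkcs11-module.so    # placeholder, engine ctrl command
init = 0
"""

print(engine_ctrl_commands(SAMPLE))
```

An engine that appears with a non-empty list is configured with control commands in the config file, which is the case the description above refers to.
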
@dengert
Member

dengert commented Nov 13, 2024

Have you looked at #540?
The engine support on OpenSSL is on its way out. #540 looks good, but needs a rebase by the author. It looks like you could define both a provider and an engine but may not both be usable from the same application.

@olszomal
Contributor Author

@dengert Thank you for the invitation. I’m preparing to take on this challenge.

@mtrojnar
Member

> Have you looked at #540?
> The engine support on OpenSSL is on its way out. #540 looks good, but needs a rebase by the author. It looks like you could define both a provider and an engine but may not both be usable from the same application.

Could you explain why they may not both be usable? The libp11 API was designed to allow for more than one context at a time. I can't find any fundamental technical reasons that could prevent that.

@mtrojnar mtrojnar merged commit 155455a into OpenSC:master Nov 13, 2024
10 checks passed
@dengert
Member

dengert commented Nov 13, 2024

> Could you explain why they may not both be usable?

No, but with all the issues of cleaning up, including #359 and #540, I as a user want to stick with only engine or provider in the same application.

@mtrojnar
Member

> No, but with all the issues of cleaning up, including #359 and #540, I as a user want to stick with only engine or provider in the same application.

Picking one interface and using libp11 either directly or over the engine or over the future provider in accordance with the KISS principle is a good idea. It's not a requirement though.

#359 mostly frustrated Valgrind users with OCD symptoms. Over the years, I only saw one report of a user whose in-house application was compulsively removing and re-adding the engine for each signature, where the leak caused an actual issue. A workaround seemed fairly straightforward though: to stop removing the engine after each signature.


Successfully merging this pull request may close these issues.

Memory leak when PKCS11 is enabled in openssl.cnf