Menu
▾
▴
Re: [Opensc-devel] Memory leaks with libp11 and engine-pkcs11
|
From: Douglas E. E. <dee...@an...> - 2013-09-26 19:21:13
|
On 9/26/2013 12:07 PM, Markus Koetter wrote: > Hi, > > On 09/26/2013 06:48 PM, Douglas E. Engert wrote: >> In Markus's code, you complained that the libp11 was using the >> RSA_set_app_data and it was getting in the way of you using >> the ex_data. But if you look closely, what libp11 is doing >> is saving the pointer to the, PKCS11_KEY so the RSA sign, encrypt, >> and decrypt functions can find the PKCS11_KEY. > > I was not really complaining, but ... lets say surprised, as app_data is > a #define to ex_data with index 0 and ... registering the first ex_data > hands you 0 as index, so initially my callback was free'ing p11 resources. > I'd complain if my application, which is supposed to use app_data would > clash with p11, but I do not have an application using app_data. > >> In the PKCS11_RSA_CRYPTO_EX structure in the engine which you >> store using the RSA_set_ex_data, has a pointer to the same >> PKCS11_KEY that the libp11 needs. >> So a single ex_data index could be used if the code to keep >> track of all of this was in the libp11. > > Yes, but in the engine loading the key happens, and everything related > to the key is available. > Which is why I put things there. > In p11 you do not know which slots relate to which key. I believe you do. (But p11 does not keep track of what slots are allocated.) The libp11-int.h defines all the *_private part for the ctx, slot, token, keys, and certs structures it allocates. In the *_private there is a parent pointer, and a #define to use the parent pointers. Thus given a PKCS11_KEY, on can find the token and slot. CERT-> TOKEN KEY -> TOKEN TOKEN -> SLOT SLOT -> CTX TOKEN has array of CERTs TOKEN has array of KEYs. SLOT does NOT have an array of TOKENS. CTX does NOT have an array of SLOTS. So the PKCS11_enumerate_slots leaves it up to the engine to call PKCS11_release_all_slots which the engine can not do if it found the key or cert is was looking, as these need to be available when using the key or cert. Is it possible to have the CTX contain an array of SLOTS, and the SLOTS and array of TOKENS? Thus at engine finish, any remaining SLOTS and TOKENS would be released. What is also not clear is if the libp11 keeps track of sessions correctly. It looks like it only allows one session, but may not clean up correctly if a second session is opened. (pkcs11-spy might help show what is going on.) > If you want tracking in p11, loading keys and certs (by slot/id, label) That part is OK as it is engine specific. But keeping track of all the allocated slots and tokens should be in libp11. > has to happen in p11, not in the engine. > Traversing things backwards from the key to the slots won't work. > The engine can call the p11 function, but p11 has to do the lifting. > > If you think that is an acceptable change, let me know. > >> The PKCS11_RSA_CRYPTO_EX is not particular to RSA. >> and could also be used for ECDSA and any other key types >> we add in the future. So a more generic name would be better. >> (It still needs to be added to the RSA, ECDSA, or what ever >> using the *_ex_data for that type of key.) > > Renaming to PKCS11_CRYPTO_EX is trivial. > >> (The ECDSA code I have working uses the ECDSA_set_ex_data >> like the RSA_set_ex_data to store a pointer to the PKCS11_KEY. >> Thus it would use the new version of the PKCS11_RSA_CRYPTO_EX. > > > > Markus > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@an...> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 |
