Hello all,

I am trying to use the pkcs#11 engine as a dynamic engine for Apache configured with OpenSSL. I ran into segmentation faults when I hit the Apache server with multiple sslswamp clients. I tracked down the problem to pk11_library_init() in hw_pk11.c, where a child process tries to free the memory allocated by the parent, thinking of it as a memory leak.

Code snippet and comments are as below.

    /*
     * pk11_library_initialized is set to 0 in pk11_finish() which is called
     * from ENGINE_finish(). However, if there is still at least one
     * existing functional reference to the engine (see engine(3) for more
     * information), pk11_finish() is skipped. For example, this can happen
     * if an application forgets to clear one cipher context. In case of a
     * fork() when the application is finishing the engine so that it can be
     * reinitialized in the child, forgotten functional reference causes
     * pk11_library_initialized to stay 1. In that case we need the PID
     * check so that we properly initialize the engine again.
     */
    if (pk11_library_initialized) {
        if (pk11_pid == getpid()) {
            return (1);
        } else {
            global_session = CK_INVALID_HANDLE;
            /*
             * free the locks first to prevent memory leak in case
             * the application calls fork() without finishing the
             * engine first.
             */
            pk11_free_all_locks();
        }
    }

******************

pk11_free_locks() is freeing the memory allocated for find_locks by the parent. If I comment this out, my test works fine. But I stopped short of making it a real fix because of the preceding comment. Why is it necessary that a parent should do ENGINE_finish first before forking? Can't a process simultaneously use the pkcs#11 engine with its child?

Thanks,
Thulasi.
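
The PID check quoted in the message above, reduced to a stand-alone program. This is an added example, not code from the post or from hw_pk11.c. The names lib_init, lib_locks and init_result_in_child are hypothetical, and it assumes a single-threaded caller: nothing serializes the check and the free().

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-ins for an engine's per-process state. */
static int lib_initialized = 0;
static pid_t lib_pid = 0;
static int *lib_locks = NULL;	/* stands in for the lock table */

enum { INIT_FRESH = 0, INIT_REUSED = 1, INIT_AFTER_FORK = 2 };

/* Reuse state only if this process created it; otherwise rebuild it. */
static int lib_init(void)
{
	int result = INIT_FRESH;

	if (lib_initialized) {
		if (lib_pid == getpid())
			return INIT_REUSED;
		/* State inherited across fork(): the child has a private
		 * copy of the heap, so this free() releases the child's
		 * copy and leaves the parent's table untouched. */
		free(lib_locks);
		lib_locks = NULL;
		result = INIT_AFTER_FORK;
	}
	lib_locks = calloc(4, sizeof(*lib_locks));
	if (lib_locks == NULL)
		return -1;
	lib_pid = getpid();
	lib_initialized = 1;
	return result;
}

/* Forks once and returns what lib_init() reported inside the child. */
static int init_result_in_child(void)
{
	int status = 0;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0)
		_exit(lib_init());
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void) { lib_init(); return init_result_in_child() == INIT_AFTER_FORK ? 0 : 1; }
```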