OSSL_PROVIDER_unload() segfaults if called from external library destructor

[mbroz]

We have to enable legacy provider in libcryptsetup for backward compatibility. Because we have support for various crypto backends, we have also a constructor (where we can load legacy provider) and destructor to unoad it.
The destructor is called from libcryptsetup exit handler automatically.

Unfortunately, it seems that OpenSSL cannot use OSSL_PROVIDER_* calls from this context.

Is it a bug or intentional feature?

Minimal example simulating this from simple C program:

#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/provider.h>

static OSSL_PROVIDER *ossl_legacy = NULL;
static OSSL_PROVIDER *ossl_default = NULL;

static void __attribute__((destructor)) my_exit(void)
{
        printf("EXIT\n");
        OSSL_PROVIDER_unload(ossl_legacy);
        OSSL_PROVIDER_unload(ossl_default);
}

int main(int argc, char *argv[])
{
        printf("OpenSSL (%s)\n", OpenSSL_version(OPENSSL_VERSION));

        ossl_legacy  = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
        ossl_default = OSSL_PROVIDER_try_load(NULL, "default", 1);

        return 0;
}

Running that, I see:

OpenSSL (OpenSSL 3.0.0-beta1 17 Jun 2021)
EXIT

Program received signal SIGSEGV, Segmentation fault.
__GI___pthread_rwlock_rdlock (rwlock=0x0) at pthread_rwlock_rdlock.c:27
27      pthread_rwlock_rdlock.c: No such file or directory.
(gdb) bt
#0  __GI___pthread_rwlock_rdlock (rwlock=0x0) at pthread_rwlock_rdlock.c:27
#1  0x00007ffff7d65199 in CRYPTO_THREAD_read_lock () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#2  0x00007ffff7d56327 in ?? () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#3  0x00007ffff7d62149 in ?? () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#4  0x00007ffff7d62fde in ?? () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#5  0x00007ffff7d610a9 in OSSL_PROVIDER_unload () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#6  0x000055555555519b in my_exit () at openssl-test.c:11
#7  0x00007ffff7fe2373 in _dl_fini () at dl-fini.c:138
#8  0x00007ffff79b44d7 in __run_exit_handlers (status=0, listp=0x7ffff7b34718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#9  0x00007ffff79b467a in __GI_exit (status=<optimized out>) at exit.c:139
#10 0x00007ffff799cd11 in __libc_start_main (main=0x5555555551ad <main>, argc=1, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:342
#11 0x00005555555550ba in _start ()

[mattcaswell]

By default OpenSSL will clean itself up via an "atexit" handler. You can suppress this behaviour usingOPENSSL_INIT_NO_ATEXIT. See:

https://www.openssl.org/docs/manmaster/man3/OPENSSL_init_crypto.html

I guess what is happening here is that the default library context (which you are using owing to the "NULL" parameter passed to OSSL_PROVIDER_try_load) has already been cleaned up via "atexit" and no longer exists by the time your destructor gets called. Possibly other required library resources have also been cleaned up. Basically you shouldn't call any OpenSSL functions after cleanup has already occurred.

To work around this you could suppress the "atexit" handling using OPENSSL_INIT_NO_ATEXIT as described on the man page above. You need to call this option early, i.e. before OpenSSL has already registered its handler. You will then also need to call OPENSSL_cleanup() explicitly in your destructor.

[mbroz]

Well, then it is probaly much easier to not call provider unload here if OpenSSL handles it by default.
Thanks!

[mattcaswell]

Well, then it is probaly much easier to not call provider unload here if OpenSSL handles it by default.

Ah, well I didn't actually say that. It cleans up library owned resources automatically - including the default library context. OSSL_PROVIDER objects are ref counted, so any references that the library owns to OSSL_PROVIDER objects will be freed - and the provider will be automatically freed when the ref count drops to 0. However if the application owns references to the OSSL_PROVIDER and those references never get freed then the ref count never gets to 0 and a memleak will occur. Of course the OS will automatically free the memory anyway, and unload the shared object so its debatable about how much it matters....but tools such as valgrind/asan will show a leak (even though it is one that won't grow).

[mbroz]

Yes, we run valgrind and asan. So it will backfire on us :) Anyway, now I see the problem, so will try NO_ATEXIT flag or some other solution. thx

[mbroz]

It seems to work with the at exit flag, closing.

[t8m]

@mbroz if you're using the OSSL_PROVIDER_try_load() in the library, you should have a separate library OSSL_LIB_CTX and use that for all the crypto operations within your library. If you have something like a context or handle in your library api, you should associate the OSSL_LIB_CTX with your handle and do the init/tear down including the load/unload of the legacy provider in that init/teardown routines.

[t8m]

This is the only way how to ensure you won't mess up your calling application if it also wants to use the OpenSSL.