[openssl-users] Openssl static build linked in DLL does not unload on win32

Thu Jan 5 11:17:36 UTC 2017

On 05/01/2017 11:53, Matt Caswell wrote:
> On 04/01/17 23:11, Dan Heinz wrote:
>> Using openssl 1.1.0c.
>>
>> I have a test application that is a win32 console app that calls a win32
>> DLL which has the openssl libraries linked in statically.
>>
>> The test applications uses late-binding to the DLL and calls LoadLibrary
>> for the DLL, one test function in the DLL, and then FreeLibrary on the DLL.
>>
>>   
>>
>> The test function in the DLL does the following:
>>
>> RSA*rsa = NULL;
>>
>> rsa = RSA_new();
>>
>> RSA_free(rsa);
>>
>> OPENSSL_thread_stop();
>>
>> OPENSSL_cleanup();
>>
>> return0;
>>
>> When FreeLibrary is called on the DLL, dllmain in never called with any
>> messages.  A subsequent call to LoadLibrary also fails to call dllmain
>> and when the test function is called RSA_new() fails.  This leads me to
>> believe the DLL is never freed.
>>
>> I have tried building openssl with and without no-threads with the same
>> results.  My build parameters are:
>> perl Configure *%TEMP_ARCHITECTURE%*
>> --prefix=*%RootPath_ThirdParty%*\*%OPENSSL_VERSION%* -DPURIFY
>> -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-threads no-asm
>> no-idea no-mdc2 no-rc5  no-ssl3 no-zlib no-comp
>>
>> What am I missing?
> OpenSSL does its cleanup at *process* exit. Don't call OPENSSL_cleanup()
> explicitly - this is discouraged.
>
>  From this manpage:
>
> https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
>
> "Typically there should be no need to call this function directly as it
> is initiated automatically on application exit...<snip>...
>
> Once OPENSSL_cleanup() has been called the library cannot be reinitialised."
>
> This last sentence is the reason why RSA_new() will fail after you have
> previously called OPENSSL_cleanup().
>
> Because cleanup happens on process exit, OpenSSL will keep itself in
> memory until that time (otherwise crashes will occur because the cleanup
> routines have been unloaded).
>
> If you want to dynamically load and unload your DLL then don't
> statically link it to OpenSSL - otherwise OpenSSL will keep your DLL
> around until process exit too.
>
> Matt
Which is a horribly broken design by the OpenSSL team, especially if
the surrounding process is extremely long-running.  Otherwise, security
updates to OpenSSL will end up requiring system reboots to ensure that
all OpenSSL-using code actually runs the updated OpenSSL libraries.

Someone needs to go back to the drawing board and make OpenSSL
unloadable again.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded