Valgrind reports reachable heap memory with fips provider load

Wed Jul 5 06:32:49 UTC 2023

Hello everyone,
Valgrind is reporting reachable heap memory usage at exit when OpenSSL 3 fips provider is loaded and unloaded through config file or through OSSL_PROVIDER_load().
The provider is being unloaded for each case using OSSL_PROVIDER_unload().

==========
Program
==========
#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>
#include <openssl/err.h>

int main() {
int is_fips_available = OSSL_PROVIDER_available(NULL, "fips");
fprintf(stdout, "FIPS provider is %s\n", is_fips_available ? "available" : "unavailable");

OSSL_PROVIDER *fips = OSSL_PROVIDER_load(NULL, "fips");
fprintf(stdout, "FIPS provider load status: %s\n", (fips != NULL) ? "SUCCESS" : "FAIL");
if (fips == NULL) {
printf("Failed to load FIPS provider\n");
exit(EXIT_FAILURE);
}
OSSL_PROVIDER_unload(fips);
ERR_print_errors_fp(stdout);
exit(EXIT_SUCCESS);
}
==========
Configurations
==========
$ grep "\.include \| fips =" confs/openssl.cnf.fips.activated
# file using the .include directive.
#.include filename
.include /home/alice/confs/fipsmodule.cnf.activated

$ grep activate /home/alice/confs/fipsmodule.cnf.activated
activate = 1
==========
Output
==========
$ gcc -ggdb3 -O0 -Iheaders/include -Llibraries -o fips-provider-test fips-provider-test.c -lcrypto -ldl -lpthread
$ OPENSSL_MODULES=modules OPENSSL_CONF=confs/openssl.cnf.fips.activated ./simple-provider-available
FIPS provider is available
FIPS provider load status: SUCCESS
==========
Valgrind output
==========
$ OPENSSL_MODULES=modules OPENSSL_CONF=confs/openssl.cnf.fips.activated valgrind --show-leak-kinds=all --leak-check=full -s --log-file=valgrind-logs/fips-provider-test.log.0 ./fips-provider-test
FIPS provider is available
FIPS provider load status: SUCCESS

$ grep -A3 "HEAP SUMMARY" valgrind-logs/fips-provider-test.log.0
==17102== HEAP SUMMARY:
==17102== in use at exit: 1,512 bytes in 5 blocks
==17102== total heap usage: 24,181 allocs, 24,176 frees, 2,288,950 bytes allocated
==17102==

$ grep -A8 "LEAK SUMMARY" valgrind-logs/fips-provider-test.log.0
==17102== LEAK SUMMARY:
==17102== definitely lost: 0 bytes in 0 blocks
==17102== indirectly lost: 0 bytes in 0 blocks
==17102== possibly lost: 0 bytes in 0 blocks
==17102== still reachable: 1,512 bytes in 5 blocks
==17102== suppressed: 0 bytes in 0 blocks
==17102==
==17102== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

# Sample reachable record
$ grep -A13 "record 2 of 5" valgrind-logs/fips-provider-test.log.0
==17102== 32 bytes in 1 blocks are still reachable in loss record 2 of 5
==17102== at 0x4C2C089: calloc (vg_replace_malloc.c:762)
==17102== by 0x4E3860F: _dlerror_run (dlerror.c:141)
==17102== by 0x4E38040: dlopen@@GLIBC_2.2.5 (dlopen.c:87)
==17102== by 0x5D6CE1: dlfcn_load (dso_dlfcn.c:116)
==17102== by 0x4C32AF: DSO_load (dso_lib.c:151)
==17102== by 0x40686E: provider_init (provider_core.c:900)
==17102== by 0x406EF8: provider_activate (provider_core.c:1128)
==17102== by 0x4072D3: ossl_provider_activate (provider_core.c:1257)
==17102== by 0x688226: provider_conf_load (provider_conf.c:222)
==17102== by 0x688608: provider_conf_init (provider_conf.c:304)
==17102== by 0x5D2494: module_init (conf_mod.c:421)
==17102== by 0x5D1F21: module_run (conf_mod.c:266)
==17102==
==========

Am I missing any explicit unload/free calls or the library is missing any cleanup after unload?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230705/089d42ac/attachment.htm>