Re: Re:Re: Re: How to release ENGINE_load_private_key?

That looks like a bug in the engine - the reference count in the
EVP_PKEY after the ENGINE_load_private_key() call should be just 1. As
the EVP_PKEY is created by the engine, there is not much OpenSSL can do
if the engine somehow keeps an additional reference to the key
somewhere.

Tomas Mraz, OpenSSL


On Thu, 2024-11-07 at 21:38 +0800, Shudong Zhang wrote:
> Hi Tomas, 
>     After adding some logging, I find the code does some ops that add to the ref_counter.
> ```
>     ENGINE_load_private_key  -----> add ref_counter to 2
>     if (!X509_REQ_set_pubkey(req, pkey)) ------> add ref_counter to 3
>     X509_REQ_free(req);     ------> decrease ref_counter to 2
>     EVP_PKEY_free   ------> decrease ref_counter to 2
> ```
>     It looks like I am missing a free API call. Do you know which one I
> am missing?
> 
> BRs,
> Shudong
> 
> 
> 
> 
> At 2024-11-07 20:52:23, "Shudong Zhang" <zsdclgc@xxxxxxx> wrote:
> > Hi Tomas,
> >     You are right! I added a log to print the ref_counter.
> >     And when I call EVP_PKEY_free, the ref_counter is 1. So the
> > function just returns and does not release the engine.
> >     I will try to figure out where there is still a reference to this pkey.
> >    Thanks very much!
> > BRs,
> > Shudong
> > 
> > 
> > 
> > 
> > At 2024-11-07 18:54:38, "Tomas Mraz" <tomas@xxxxxxxxxxx> wrote:
> > > Are you sure the EVP_PKEY is really released, i.e. as it is also
> > > refcounted, there is no other reference to it? If so, the engine
> > > struct
> > > reference wouldn't be decreased only if the engine_finish
> > > function
> > > returned failure. You'll have to use a debugger and build OpenSSL
> > > with
> > > debug info to step through the EVP_PKEY_free() call to see what
> > > really
> > > happens.
> > > 
> > > Regards,
> > > Tomas Mraz, OpenSSL
> > > 
> > > 
> > > On Thu, 2024-11-07 at 18:12 +0800, Shudong Zhang wrote:
> > > > 
> > > > 
> > > > 
> > > > Hi Tomas,
> > > > >     Thanks for your quick reply. The version that we use is
> > > > > 1.1.1.o.
> > > > >     Unfortunately, our results indicate that EVP_PKEY_free
> > > > > cannot decrease the engine struct counter.
> > > 
> > > -- 
> > > Tomáš Mráz, OpenSSL
> > > 
> > > -- 
> > > You received this message because you are subscribed to the
> > > Google Groups "openssl-users" group.
> > > To unsubscribe from this group and stop receiving emails from it,
> > > send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
> > > To view this discussion visit
> > > https://groups.google.com/a/openssl.org/d/msgid/openssl-users/d245d4c167097092496366399e026cdf1faa728d.camel%40openssl.org
> > > .

-- 
Tomáš Mráz, OpenSSL
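
The reference counting discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a simplified C model in which a key releases its engine only when its last reference is dropped. All `model_*` names and the single engine counter are assumptions made for illustration.

```c
/* Simplified model of the refcounting in this thread; not OpenSSL code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int refs; } model_engine;                  /* hypothetical */
typedef struct { int refs; model_engine *eng; } model_pkey; /* hypothetical */

/* Models ENGINE_load_private_key(): the new key holds one engine reference.
   engine_keeps_ref models an engine that retains its own reference to the key. */
static model_pkey *model_load_key(model_engine *e, int engine_keeps_ref) {
    model_pkey *k = malloc(sizeof *k);
    if (k == NULL) return NULL;
    k->refs = engine_keeps_ref ? 2 : 1;
    k->eng = e;
    e->refs++;
    return k;
}

/* Models the extra reference seen after X509_REQ_set_pubkey() in the log. */
static void model_up_ref(model_pkey *k) { k->refs++; }

/* Models EVP_PKEY_free(): returns the references left; only 0 frees the key. */
static int model_key_free(model_pkey *k) {
    if (--k->refs > 0) return k->refs;
    k->eng->refs--;             /* last reference gone: engine is released */
    free(k);
    return 0;
}

/* Replays the call sequence from the thread and returns the engine count. */
int engine_refs_after_sequence(int engine_keeps_ref) {
    model_engine e = { 1 };     /* the application's own engine handle */
    model_pkey *k = model_load_key(&e, engine_keeps_ref);
    if (k == NULL) return -1;
    model_up_ref(k);            /* request takes a reference */
    model_key_free(k);          /* X509_REQ_free() drops it */
    int left = model_key_free(k);   /* the application's EVP_PKEY_free() */
    int engine_refs = e.refs;
    if (left > 0) free(k);      /* model cleanup only: key was still alive */
    return engine_refs;
}

int main(void) {
    printf("well-behaved engine: engine refs = %d\n", engine_refs_after_sequence(0));
    printf("engine keeps a ref:  engine refs = %d\n", engine_refs_after_sequence(1));
    return 0;
}
```

In the second case the key's count goes 2, 3, 2, 1 as in the log above, so the final free never reaches zero and the engine reference stays held.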