Centralize atexit(pkcs11_*_method_free)

mtrojnar · mtrojnar · commit 63e2e406a7b7 · 2026-04-02T14:36:18.000+02:00
diff --git a/src/libp11-int.h b/src/libp11-int.h
@@ -130,8 +130,6 @@ extern PKCS11_OBJECT_ops pkcs11_ed448_ops;
 # endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
 #endif /* OPENSSL_NO_EC */
 
-extern int pkcs11_global_data_refs;
-
 /*
  * Internal functions
  */
diff --git a/src/p11_ec.c b/src/p11_ec.c
@@ -809,14 +809,13 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
 		EC_KEY_METHOD_set_sign(pkcs11_ec_key_method, orig_sign, NULL, pkcs11_ecdsa_sign_sig);
 		EC_KEY_METHOD_get_compute_key(pkcs11_ec_key_method, &ossl_ecdh_compute_key);
 		EC_KEY_METHOD_set_compute_key(pkcs11_ec_key_method, pkcs11_ec_ckey);
-		atexit(pkcs11_ec_key_method_free);
 	}
 	return pkcs11_ec_key_method;
 }
 
 void pkcs11_ec_key_method_free(void)
 {
-	if (pkcs11_global_data_refs == 0 && pkcs11_ec_key_method) {
+	if (pkcs11_ec_key_method) {
 		free_ec_ex_index();
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 		if (meth->pkcs11_ecdh_method & EC_KEY_METHOD_DYNAMIC)
@@ -853,14 +852,13 @@ ECDSA_METHOD *PKCS11_get_ecdsa_method(void)
 		alloc_ec_ex_index();
 		pkcs11_ecdsa_method = ECDSA_METHOD_new((ECDSA_METHOD *)ECDSA_OpenSSL());
 		ECDSA_METHOD_set_sign(pkcs11_ecdsa_method, pkcs11_ecdsa_sign_sig);
-		atexit(pkcs11_ecdsa_method_free);
 	}
 	return pkcs11_ecdsa_method;
 }
 
 void pkcs11_ecdsa_method_free(void)
 {
-	if (pkcs11_global_data_refs == 0 && pkcs11_ecdsa_method) {
+	if (pkcs11_ecdsa_method) {
 		free_ec_ex_index();
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 		if (pkcs11_ecdsa_method->flags & EC_KEY_METHOD_DYNAMIC)
@@ -879,14 +877,13 @@ ECDH_METHOD *PKCS11_get_ecdh_method(void)
 		pkcs11_ecdh_method = ECDH_METHOD_new((ECDH_METHOD *)ECDH_OpenSSL());
 		ECDH_METHOD_get_compute_key(pkcs11_ecdh_method, &ossl_ecdh_compute_key);
 		ECDH_METHOD_set_compute_key(pkcs11_ecdh_method, pkcs11_ec_ckey);
-		atexit(pkcs11_ecdh_method_free);
 	}
 	return pkcs11_ecdh_method;
 }
 
 void pkcs11_ecdh_method_free(void)
 {
-	if (pkcs11_global_data_refs == 0 && pkcs11_ecdh_method) {
+	if (pkcs11_ecdh_method) {
 		free_ec_ex_index();
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 		if (pkcs11_ecdh_method->flags & EC_KEY_METHOD_DYNAMIC)
diff --git a/src/p11_eddsa.c b/src/p11_eddsa.c
@@ -321,10 +321,8 @@ void pkcs11_ed448_method_free(void)
 
 void pkcs11_ed_key_method_free(void)
 {
-	if (pkcs11_global_data_refs == 0) {
-		pkcs11_ed25519_method_free();
-		pkcs11_ed448_method_free();
-	}
+	pkcs11_ed25519_method_free();
+	pkcs11_ed448_method_free();
 }
 
 #endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
@@ -608,7 +606,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ed25519(PKCS11_OBJECT_private *key)
 #if OPENSSL_VERSION_NUMBER < 0x40000000L
 		alloc_pkey_ex_index();
 		pkcs11_set_ex_data_pkey(pkey, key);
-		atexit(pkcs11_ed25519_method_free);
 #endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	}
 	return pkey;
@@ -645,7 +642,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ed448(PKCS11_OBJECT_private *key)
 #if OPENSSL_VERSION_NUMBER < 0x40000000L
 		alloc_pkey_ex_index();
 		pkcs11_set_ex_data_pkey(pkey, key);
-		atexit(pkcs11_ed448_method_free);
 #endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	}
 	return pkey;
diff --git a/src/p11_load.c b/src/p11_load.c
@@ -21,7 +21,46 @@
 #include <string.h>
 
 /* Global number of active PKCS11_CTX objects */
-int pkcs11_global_data_refs = 0;
+static int pkcs11_global_data_refs = 0;
+
+/*
+ * Free global ex_data indexes and methods
+ */
+static void libp11_global_free()
+{
+#ifndef OPENSSL_NO_RSA
+	pkcs11_rsa_method_free();
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100002L
+#ifndef OPENSSL_NO_EC
+	pkcs11_ec_key_method_free();
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
+	pkcs11_ed_key_method_free();
+# endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
+#endif /* OPENSSL_NO_EC */
+#else /* OPENSSL_VERSION_NUMBER */
+#ifndef OPENSSL_NO_ECDSA
+	pkcs11_ecdsa_method_free();
+#endif /* OPENSSL_NO_ECDSA */
+#ifndef OPENSSL_NO_ECDH
+	pkcs11_ecdh_method_free();
+#endif /* OPENSSL_NO_ECDH */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
+	pkcs11_rsa_key_method_free();
+# endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
+#endif /* OPENSSL_VERSION_NUMBER */
+}
+
+/*
+ * Free global data if some PKCS11_CTX objects were not freed by the user
+ */
+static void libp11_atexit()
+{
+	if (pkcs11_global_data_refs > 0) {
+		pkcs11_global_data_refs = 0;
+		libp11_global_free();
+	}
+}
 
 /*
  * Create a new context
@@ -46,7 +85,8 @@ PKCS11_CTX *pkcs11_CTX_new(void)
 	cpriv->forkid = get_forkid();
 	pthread_mutex_init(&cpriv->fork_lock, 0);
 
-	pkcs11_global_data_refs++;
+	if(pkcs11_global_data_refs++ == 0)
+		atexit(libp11_atexit);
 
 	return ctx;
 fail:
@@ -177,28 +217,8 @@ void pkcs11_CTX_free(PKCS11_CTX *ctx)
 	OPENSSL_free(ctx->_private);
 	OPENSSL_free(ctx);
 
-	pkcs11_global_data_refs--;
-#ifndef OPENSSL_NO_RSA
-	pkcs11_rsa_method_free();
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100002L
-#ifndef OPENSSL_NO_EC
-	pkcs11_ec_key_method_free();
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
-	pkcs11_ed_key_method_free();
-# endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
-#endif /* OPENSSL_NO_EC */
-#else /* OPENSSL_VERSION_NUMBER */
-#ifndef OPENSSL_NO_ECDSA
-	pkcs11_ecdsa_method_free();
-#endif /* OPENSSL_NO_ECDSA */
-#ifndef OPENSSL_NO_ECDH
-	pkcs11_ecdh_method_free();
-#endif /* OPENSSL_NO_ECDH */
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
-	pkcs11_rsa_key_method_free();
-# endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
-#endif /* OPENSSL_VERSION_NUMBER */
+	if (--pkcs11_global_data_refs == 0)
+		libp11_global_free();
 }
 
 /* vim: set noexpandtab: */
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
@@ -314,7 +314,7 @@ static int pkcs11_pkey_method_rsa_new(void)
 
 void pkcs11_rsa_key_method_free(void)
 {
-	if (pkcs11_global_data_refs == 0 && pkey_method_rsa) {
+	if (pkey_method_rsa) {
 		free_pkey_ex_index();
 		EVP_PKEY_meth_remove(pkey_method_rsa);
 		EVP_PKEY_meth_free(pkey_method_rsa);
@@ -355,7 +355,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_OBJECT_private *key)
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
 		alloc_pkey_ex_index();
 		pkcs11_set_ex_data_pkey(pk, key);
-		atexit(pkcs11_rsa_key_method_free);
 #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
 
 		RSA_set_method(rsa, PKCS11_get_rsa_method());
@@ -604,14 +603,13 @@ RSA_METHOD *PKCS11_get_rsa_method(void)
 		RSA_meth_set_priv_enc(pkcs11_rsa_method, pkcs11_rsa_priv_enc_method);
 		RSA_meth_set_priv_dec(pkcs11_rsa_method, pkcs11_rsa_priv_dec_method);
 		RSA_meth_set_finish(pkcs11_rsa_method, pkcs11_rsa_free_method);
-		atexit(pkcs11_rsa_method_free);
 	}
 	return pkcs11_rsa_method;
 }
 
 void pkcs11_rsa_method_free(void)
 {
-	if (pkcs11_global_data_refs == 0 && pkcs11_rsa_method) {
+	if (pkcs11_rsa_method) {
 		free_rsa_ex_index();
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 		RSA_meth_free(pkcs11_rsa_method);

Original file line number	Diff line number	Diff line change
`@@ -809,14 +809,13 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)`
`809`	`809`	`EC_KEY_METHOD_set_sign(pkcs11_ec_key_method, orig_sign, NULL, pkcs11_ecdsa_sign_sig);`
`810`	`810`	`EC_KEY_METHOD_get_compute_key(pkcs11_ec_key_method, &ossl_ecdh_compute_key);`
`811`	`811`	`EC_KEY_METHOD_set_compute_key(pkcs11_ec_key_method, pkcs11_ec_ckey);`
`812`		`- atexit(pkcs11_ec_key_method_free);`
`813`	`812`	`}`
`814`	`813`	`return pkcs11_ec_key_method;`
`815`	`814`	`}`
`816`	`815`
`817`	`816`	`void pkcs11_ec_key_method_free(void)`
`818`	`817`	`{`
`819`		`- if (pkcs11_global_data_refs == 0 && pkcs11_ec_key_method) {`
	`818`	`+ if (pkcs11_ec_key_method) {`
`820`	`819`	`free_ec_ex_index();`
`821`	`820`	`#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)`
`822`	`821`	`if (meth->pkcs11_ecdh_method & EC_KEY_METHOD_DYNAMIC)`
`@@ -853,14 +852,13 @@ ECDSA_METHOD *PKCS11_get_ecdsa_method(void)`
`853`	`852`	`alloc_ec_ex_index();`
`854`	`853`	`pkcs11_ecdsa_method = ECDSA_METHOD_new((ECDSA_METHOD *)ECDSA_OpenSSL());`
`855`	`854`	`ECDSA_METHOD_set_sign(pkcs11_ecdsa_method, pkcs11_ecdsa_sign_sig);`
`856`		`- atexit(pkcs11_ecdsa_method_free);`
`857`	`855`	`}`
`858`	`856`	`return pkcs11_ecdsa_method;`
`859`	`857`	`}`
`860`	`858`
`861`	`859`	`void pkcs11_ecdsa_method_free(void)`
`862`	`860`	`{`
`863`		`- if (pkcs11_global_data_refs == 0 && pkcs11_ecdsa_method) {`
	`861`	`+ if (pkcs11_ecdsa_method) {`
`864`	`862`	`free_ec_ex_index();`
`865`	`863`	`#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)`
`866`	`864`	`if (pkcs11_ecdsa_method->flags & EC_KEY_METHOD_DYNAMIC)`
`@@ -879,14 +877,13 @@ ECDH_METHOD *PKCS11_get_ecdh_method(void)`
`879`	`877`	`pkcs11_ecdh_method = ECDH_METHOD_new((ECDH_METHOD *)ECDH_OpenSSL());`
`880`	`878`	`ECDH_METHOD_get_compute_key(pkcs11_ecdh_method, &ossl_ecdh_compute_key);`
`881`	`879`	`ECDH_METHOD_set_compute_key(pkcs11_ecdh_method, pkcs11_ec_ckey);`
`882`		`- atexit(pkcs11_ecdh_method_free);`
`883`	`880`	`}`
`884`	`881`	`return pkcs11_ecdh_method;`
`885`	`882`	`}`
`886`	`883`
`887`	`884`	`void pkcs11_ecdh_method_free(void)`
`888`	`885`	`{`
`889`		`- if (pkcs11_global_data_refs == 0 && pkcs11_ecdh_method) {`
	`886`	`+ if (pkcs11_ecdh_method) {`
`890`	`887`	`free_ec_ex_index();`
`891`	`888`	`#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)`
`892`	`889`	`if (pkcs11_ecdh_method->flags & EC_KEY_METHOD_DYNAMIC)`