Skip to content

Destroy stored imported public keys on free#751

Open
bukka wants to merge 1 commit into
openssl-projects:mainfrom
bukka:object-imported-free-destroy
Open

Destroy stored imported public keys on free#751
bukka wants to merge 1 commit into
openssl-projects:mainfrom
bukka:object-imported-free-destroy

Conversation

@bukka

@bukka bukka commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Description

When an imported public key is used in a token operation, the provider stores it on the token as a session object. The object was never destroyed, so every unique imported public key leaked one object on the long lived login session.

Mark objects stored by the provider and destroy their handle when the object is freed. Objects created from a pool copy borrow the handle and keep a reference on the owning object, so the stored object is only destroyed when the last object using it goes away. Refreshing an imported object now stores the key again instead of searching the token for an object that cannot be found there.

Fixes #739

Checklist

  • Test suite updated with functionality tests

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible commit messages

When an imported public key is used in a token operation, the provider
stores it on the token as a session object. The object was never
destroyed, so every unique imported public key leaked one object on the
long lived login session.

Mark objects stored by the provider and destroy their handle when the
object is freed. Objects created from a pool copy borrow the handle and
keep a reference on the owning object, so the stored object is only
destroyed when the last object using it goes away. Refreshing an
imported object now stores the key again instead of searching the token
for an object that cannot be found there.

Fixes openssl-projects#739

Signed-off-by: Jakub Zelenka <jakub.openssl@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Imported public keys leak token session objects

1 participant