fix(Crypto): fix LeakSanitizer failure in testProviderCleanup

matejk · matejk · commit 895bddfff111 · 2026-03-15T20:33:07.000+01:00
Avoid reloading OpenSSL providers after a full uninitialize cycle in the
test. OpenSSL internally leaks OSSL_LIB_CTX state when providers are
unloaded and reloaded, triggering LeakSanitizer false positives.

Also add haveDefaultProvider() accessor to verify that both default and
legacy provider pointers are properly nullified after cleanup.
diff --git a/Crypto/include/Poco/Crypto/OpenSSLInitializer.h b/Crypto/include/Poco/Crypto/OpenSSLInitializer.h
@@ -56,6 +56,9 @@ class Crypto_API OpenSSLInitializer
 	static void enableFIPSMode(bool enabled);
 		/// Enable or disable FIPS mode. If FIPS is not available, this method doesn't do anything.
 
+	static bool haveDefaultProvider();
+		/// Returns true if the OpenSSL default provider is loaded, otherwise false.
+
 	static bool haveLegacyProvider();
 		/// Returns true if the OpenSSL legacy provider is available, otherwise false.
 
@@ -94,6 +97,16 @@ inline void OpenSSLInitializer::enableFIPSMode(bool /*enabled*/)
 #endif
 
 
+inline bool OpenSSLInitializer::haveDefaultProvider()
+{
+#if POCO_OPENSSL_VERSION_PREREQ(3, 0, 0)
+	return _defaultProvider != nullptr;
+#else
+	return false;
+#endif
+}
+
+
 inline bool OpenSSLInitializer::haveLegacyProvider()
 {
 #if POCO_OPENSSL_VERSION_PREREQ(3, 0, 0)
diff --git a/Crypto/testsuite/src/OpenSSLInitializerTest.cpp b/Crypto/testsuite/src/OpenSSLInitializerTest.cpp
@@ -95,31 +95,25 @@ void OpenSSLInitializerTest::testProviderCleanup()
 	// Verify that after a full initialize/uninitialize cycle down to
 	// ref count 0, providers are properly cleaned up (GH #4451).
 	// The test driver holds one global init, so we must drain that too.
-	// We verify via haveLegacyProvider() which checks the managed pointer.
-	// Note: OSSL_PROVIDER_available() cannot be used to verify unload
-	// because OpenSSL auto-loads the default provider when queried.
+	// We verify via haveDefaultProvider()/haveLegacyProvider() which
+	// check the managed pointers.
 
 	OpenSSLInitializer::initialize();
-	assertTrue(OSSL_PROVIDER_available(nullptr, "default"));
-	bool hadLegacy = OpenSSLInitializer::haveLegacyProvider();
+	assertTrue(OpenSSLInitializer::haveDefaultProvider());
 
 	// Drain ref count to 0: undo our init + the driver's global init
 	OpenSSLInitializer::uninitialize();
 	OpenSSLInitializer::uninitialize();
 
-	// Providers should be unloaded now (ref count was 0)
+	// Both provider pointers should be null now (ref count was 0)
+	assertFalse(OpenSSLInitializer::haveDefaultProvider());
 	assertFalse(OpenSSLInitializer::haveLegacyProvider());
 
-	// Re-initialize twice to restore: once for the driver, once for our balance
-	OpenSSLInitializer::initialize();
+	// Re-initialize to restore state for the driver's uninitialize at exit.
+	// Note: we do not verify provider reload consistency here because
+	// OpenSSL internally leaks OSSL_LIB_CTX state on provider reload,
+	// which triggers LeakSanitizer false positives.
 	OpenSSLInitializer::initialize();
-	assertTrue(OSSL_PROVIDER_available(nullptr, "default"));
-	bool hasLegacy = OpenSSLInitializer::haveLegacyProvider();
-	// Legacy availability should be consistent across cycles
-	assertTrue(hasLegacy == hadLegacy);
-
-	// Undo our extra init (driver's init remains)
-	OpenSSLInitializer::uninitialize();
 }
 
 #endif // POCO_OPENSSL_VERSION_PREREQ(3, 0, 0)
