
Debian 13, OpenSSL 3.5.4 - crash when using pkcs11 engine

Open drauch opened this issue 3 weeks ago • 23 comments

We use openssl cms in combination with your module to perform the signing operation from our PKCS#11 module.

On all other OSes we test on (Debian 11, 12, Ubuntu 24, RedHat 8, 9) this works fine. However, on Debian 13 the log of our PKCS#11 library is longer: it contains the following additional PKCS#11 calls:

2025-11-29 09:23:10,969 [744:1] DBG <> EntryPoint - C_CloseAllSessions called: slotId=1
2025-11-29 09:23:10,971 [744:1] DBG <> EntryPoint - C_CloseAllSessions returns with 0
2025-11-29 09:23:10,971 [744:1] DBG <> EntryPoint - C_Finalize called: isnull(pReserved)=true
2025-11-29 09:23:10,972 [744:1] DBG <> EntryPoint - C_Finalize returns with 0

Afterwards we get a segmentation fault at this stack trace:

Thread 1 "openssl" received signal SIGSEGV, Segmentation fault.
0x00007bce2150db30 in ?? ()
(gdb) bt
#0  0x00007bce2150db30 in ?? ()
#1  0x00007bce22f1e93a in CRYPTO_free_ex_data (class_index=class_index@entry=3, obj=obj@entry=0x5abce851d770, ad=ad@entry=0x5abce851d838) at ../crypto/ex_data.c:406
#2  0x00007bce230a9f04 in x509_cb (operation=<optimized out>, pval=<optimized out>, it=<optimized out>, exarg=<optimized out>) at ../crypto/x509/x_x509.c:85
#3  0x00007bce22de4212 in ossl_asn1_item_embed_free (pval=pval@entry=0x5abce8565ac8, it=0x7bce23289040 <local_it>, embed=embed@entry=0) at ../crypto/asn1/tasn_fre.c:117
#4  0x00007bce22de43c3 in ossl_asn1_template_free (pval=0x5abce8565ac8, tt=tt@entry=0x7bce232b5340 <CMS_CertificateChoices_ch_tt>) at ../crypto/asn1/tasn_fre.c:146
#5  0x00007bce22de4289 in ossl_asn1_item_embed_free (pval=pval@entry=0x7ffc0d668770, it=<optimized out>, embed=embed@entry=0) at ../crypto/asn1/tasn_fre.c:70
#6  0x00007bce22de4365 in ossl_asn1_template_free (pval=0x5abce8501958, tt=tt@entry=0x7bce232b5018 <CMS_SignedData_seq_tt+120>) at ../crypto/asn1/tasn_fre.c:141
#7  0x00007bce22de41f3 in ossl_asn1_item_embed_free (pval=pval@entry=0x5abce8501918, it=0x7bce2325f640 <local_it>, embed=embed@entry=0) at ../crypto/asn1/tasn_fre.c:114
#8  0x00007bce22de43c3 in ossl_asn1_template_free (pval=0x5abce8501918, tt=tt@entry=0x7bce232b4118 <CMS_ContentInfo_adbtbl+56>) at ../crypto/asn1/tasn_fre.c:146
#9  0x00007bce22de41f3 in ossl_asn1_item_embed_free (pval=pval@entry=0x7ffc0d6688c8, it=0x7bce2325f0c0 <local_it>, embed=embed@entry=0) at ../crypto/asn1/tasn_fre.c:114
#10 0x00007bce22de42c9 in ASN1_item_free (val=<optimized out>, val@entry=0x5abce8501910, it=<optimized out>) at ../crypto/asn1/tasn_fre.c:20
#11 0x00007bce22e45da9 in CMS_ContentInfo_free (a=a@entry=0x5abce8501910) at ../crypto/cms/cms_lib.c:27
#12 0x00005abcd6ae2ab4 in cms_main (argc=<optimized out>, argv=<optimized out>) at ../apps/cms.c:1320
#13 0x00005abcd6afa991 in do_cmd (prog=prog@entry=0x5abce85038e0, argc=argc@entry=17, argv=argv@entry=0x7ffc0d668d00) at ../apps/openssl.c:428
#14 0x00005abcd6acfb46 in main (argc=<optimized out>, argv=<optimized out>) at ../apps/openssl.c:309

It sounds like (only a wild guess by myself) there is some ex_data cleanup that happens after the PKCS#11 module has already been unloaded?

Hope I can help to fix this issue soon, we're not able to deliver our PKCS#11 module for Debian 13 at the moment without statically linking an outdated OpenSSL version.

Best regards, D.R.

drauch, Nov 29 '25 09:11