On 30.10.21 at 21:28, Selva Nair wrote:
> This has an ACK, but will leak memory in OpenSSL 3.0
>
> On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe <a...@rfc2549.org> wrote:
>
> In OpenSSL 3.0 EVP_get_cipherbyname returns a non-NULL algorithm
> even if the algorithm is not available with the currently available
> provider. Luckily EVP_get_cipherbyname can be used here as a drop-in
> replacement and returns non-NULL only if the algorithm is actually
> currently supported.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
> src/openvpn/crypto_openssl.c | 6 +++---
> src/openvpn/openssl_compat.h | 17 +++++++++++++++++
> 2 files changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 93c85a836..b10bd7cd5 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -572,7 +572,7 @@ cipher_kt_get(const char *ciphername)
> ASSERT(ciphername);
>
> ciphername = translate_cipher_name_from_openvpn(ciphername);
> - cipher = EVP_get_cipherbyname(ciphername);
> + cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
>
>
> In OpenSSL 3.0, this 'cipher' must be freed. But the compat function is
> written using get_cipherbyname() which returns a const variable that
> should not be freed. Also, here we want to return a const cipher to the
> caller.
>
> One option is to continue using get_cipherbyname() but add a helper call
> for OpenSSL 3.0 to check algorithm availability. Say,
> EVP_CIPHER_available() that fetches, checks the result and frees ---
> to be used on top of the existing code.
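Review bot: the replaced line `+ cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);` in cipher_kt_get() hands the function a new reference that OpenSSL 3.0 expects to be released with EVP_CIPHER_free(), yet the function returns it as a const pointer that callers never free, so every lookup leaks one reference, which is the point Selva raises. Either keep EVP_get_cipherbyname() for the returned pointer and put a fetch, check and free availability helper in front of it, or change the ownership of what cipher_kt_get() returns so that callers free it, and say in the commit message which of the two is intended (the message currently names EVP_get_cipherbyname as the drop-in replacement for itself).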
That is an option but will break as soon as we have the first cipher that is no longer defined with an EVP_ORIG_GLOBAL compatibility definition. I need to check how much work it is to teach OpenVPN to free the cipher and md.

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel