On 07/05/2016 04:46 PM, Andreas Karlsson wrote:
@@ -280,8 +287,9 @@ px_find_digest(const char *name, PX_MD **res)
        digest = px_alloc(sizeof(*digest));
        digest->algo = md;

-       EVP_MD_CTX_init(&digest->ctx);
-       if (EVP_DigestInit_ex(&digest->ctx, digest->algo, NULL) == 0)
+       digest->ctx = EVP_MD_CTX_create();
+       EVP_MD_CTX_init(digest->ctx);
+       if (EVP_DigestInit_ex(digest->ctx, digest->algo, NULL) == 0)
                return -1;

        h = px_alloc(sizeof(*h));

Now that we're calling EVP_MD_CTX_create((), which allocates memory, are we risking memory leaks? It has always been part of the contract that you have to call px_md_free(), for any context returned by px_find_digest(), but I wonder just how careful we have been about that. Before this, you would probably get away with it without leaking, if the digest implementation didn't allocate any extra memory or other resources.

At least pg_digest and try_unix_std functions call px_find_digest(), and then do more palloc()s which could elog() if you run out of memory, leaking th digest struct. Highly unlikely, but I think it would be fairly straightforward to reorder those calls to eliminate the risk, so we probably should.

@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
        return dh;

+static DH  *
+generate_dh_params(int prime_len, int generator)
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+       DH *dh;
+       if ((dh = DH_new()) == NULL)
+               return NULL;
+       if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+               return dh;
+       DH_free(dh);
+       return NULL;
+       return DH_generate_parameters(prime_len, generator, NULL, NULL);

I think now would be a good time to drop support for OpenSSL versions older than 0.9.8. OpenSSL don't even support 0.9.8 anymore, although there are probably distributions out there that still provide patches for it. But OpenSSL 0.9.7 and older are really not interesting for PostgreSQL 10 anymore, I think.

- Heikki

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to