This has an ACK, but will leak memory in OpenSSL 3.0

On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe <a...@rfc2549.org> wrote:
> In OpenSSL 3.0 EVP_get_cipherbyname return a non NULL algorithm > even if the algorithm is not avaialble with the currently available > provider. Luckily EVP_get_cipherbyname can be used here as drop > in replacement and returns only non NULL if the algorithm is actually > currently supported. > > Signed-off-by: Arne Schwabe <a...@rfc2549.org> > --- > src/openvpn/crypto_openssl.c | 6 +++--- > src/openvpn/openssl_compat.h | 17 +++++++++++++++++ > 2 files changed, 20 insertions(+), 3 deletions(-) > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index 93c85a836..b10bd7cd5 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -572,7 +572,7 @@ cipher_kt_get(const char *ciphername) > ASSERT(ciphername); > > ciphername = translate_cipher_name_from_openvpn(ciphername); > - cipher = EVP_get_cipherbyname(ciphername); > + cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); > In OpenSSL 3.0, this 'cipher' must be freed. But the compat function is written using get_cipherbyname() which returns a const variable that should not be freed. Also, here we want to return a const cipher to the caller. One option is to continue using get_cipherbyname() but add a helper call for OpenSSL 3.0 to check algorithm availability. Say, EVP_CIPHER_available() that fetches, checks the result and frees --- to be used on top of the existing code. Selva
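Review bot: The `cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);` line in the cipher_kt_get() hunk hands an owned reference to callers that treat the result of cipher_kt_get() as a borrowed const pointer, so on OpenSSL 3.0 every lookup leaks one EVP_CIPHER reference unless the return type and all call sites are changed to release it with EVP_CIPHER_free(). Since the purpose of the change is only to reject names whose algorithm no active provider supplies, the smaller fix is to keep EVP_get_cipherbyname() as the value that is returned and use the fetch purely as an availability probe, for example: `EVP_CIPHER *probe = EVP_CIPHER_fetch(NULL, ciphername, NULL);` / `bool available = (probe != NULL); EVP_CIPHER_free(probe);` / `cipher = available ? EVP_get_cipherbyname(ciphername) : NULL;` (EVP_CIPHER_free() accepts NULL). Whichever route is taken, the openssl_compat.h shim listed in the diffstat but not shown here must define a matching no-op EVP_CIPHER_free() for pre-3.0 builds, where EVP_get_cipherbyname() returns a static const object that must never be freed; a compat EVP_CIPHER_fetch() alone is not enough to make the 3.0 code path portable. Note also that passing NULL for both the library context and the property query means the probe answers for the default context only, which matches the existing code but should be stated in the commit message.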
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel