diff options
| author | Tobias Heider <tobhe@cvs.openbsd.org> | 2022-11-07 22:39:53 +0000 |
|---|---|---|
| committer | Tobias Heider <tobhe@cvs.openbsd.org> | 2022-11-07 22:39:53 +0000 |
| commit | 2af397f36fcb076b99adc5a33f74a8c5f15c14ad (patch) | |
| tree | afc59dd91d530e756d00647df1660cdfa10934ca | |
| parent | 2de86b3c57a5e98a8f8f7085b877b214d9dc1c5b (diff) | |
Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.
Report and initial fix by dropk1ck (gh #92)
ok tb@
| -rw-r--r-- | sbin/iked/ca.c | 20 | ||||
| -rw-r--r-- | sbin/iked/crypto.c | 6 | ||||
| -rw-r--r-- | sbin/iked/ikev2.c | 6 |
3 files changed, 18 insertions, 14 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index 58b6050b607..a82fee0273b 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.88 2022/07/08 19:51:11 tobhe Exp $ */ +/* $OpenBSD: ca.c,v 1.89 2022/11/07 22:39:52 tobhe Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -683,7 +683,7 @@ ca_getreq(struct iked *env, struct imsg *imsg) if (subj_name == NULL) return (-1); log_debug("%s: found CA %s", __func__, subj_name); - free(subj_name); + OPENSSL_free(subj_name); chain_len = ca_chain_by_issuer(store, subj, &id, chain, nitems(chain)); @@ -746,7 +746,7 @@ ca_getreq(struct iked *env, struct imsg *imsg) return (-1); log_debug("%s: found local certificate %s", __func__, subj_name); - free(subj_name); + OPENSSL_free(subj_name); if ((buf = ca_x509_serialize(cert)) == NULL) return (-1); @@ -921,7 +921,7 @@ ca_reload(struct iked *env) if (subj_name == NULL) return (-1); log_debug("%s: %s", __func__, subj_name); - free(subj_name); + OPENSSL_free(subj_name); if (ibuf_add(env->sc_certreq, md, len) != 0) { ibuf_release(env->sc_certreq); @@ -1195,10 +1195,10 @@ ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size) if (buflen == 0) return (-1); if (!EVP_Digest(buf, buflen, md, size, EVP_sha1(), NULL)) { - free(buf); + OPENSSL_free(buf); return (-1); } - free(buf); + OPENSSL_free(buf); return (0); } @@ -1225,7 +1225,7 @@ ca_store_info(struct iked *env, const char *msg, X509_STORE *ctx) (name = X509_NAME_oneline(subject, NULL, 0)) == NULL) continue; buflen = asprintf(&buf, "%s: %s\n", msg, name); - free(name); + OPENSSL_free(name); if (buflen == -1) continue; proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE, @@ -1478,6 +1478,10 @@ ca_privkey_to_method(struct iked_id *privkey) return (method); } +/* + * Return dynamically allocated buffer containing certificate name. + * The resulting buffer must be freed with OpenSSL_free(). + */ char * ca_asn1_name(uint8_t *asn1, size_t len) { @@ -1795,7 +1799,7 @@ ca_validate_cert(struct iked *env, struct iked_static_id *id, if (subj_name == NULL) goto err; log_debug("%s: %s %.100s", __func__, subj_name, errstr); - free(subj_name); + OPENSSL_free(subj_name); } err: diff --git a/sbin/iked/crypto.c b/sbin/iked/crypto.c index 87fb7650c3f..b8327f33e9e 100644 --- a/sbin/iked/crypto.c +++ b/sbin/iked/crypto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto.c,v 1.39 2021/12/13 17:35:34 tobhe Exp $ */ +/* $OpenBSD: crypto.c,v 1.40 2022/11/07 22:39:52 tobhe Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -1193,11 +1193,11 @@ dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) return (-1); if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { - free(freeme); + OPENSSL_free(freeme); ca_sslerror(__func__); return (-1); } - free(freeme); + OPENSSL_free(freeme); } return (0); diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index 43de6925581..686ca3bd1b5 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.356 2022/11/06 11:11:47 tobhe Exp $ */ +/* $OpenBSD: ikev2.c,v 1.357 2022/11/07 22:39:52 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> @@ -6963,10 +6963,10 @@ ikev2_print_id(struct iked_id *id, char *idstr, size_t idstrlen) if ((str = ca_asn1_name(ptr, len)) == NULL) return (-1); if (strlcpy(idstr, str, idstrlen) >= idstrlen) { - free(str); + OPENSSL_free(str); return (-1); } - free(str); + OPENSSL_free(str); break; default: /* XXX test */ |