From: Norbert Pocs
Date: Mon, 14 Jul 2025 13:01:24 +0000 (+0200)
Subject: openssl: Add option to init sec mem at startup
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91d34f408cd23aa38275a3ce9e8bb31c4cbbcd83;p=thirdparty%2Fopenssl.git
openssl: Add option to init sec mem at startup
Adding env variables OPENSSL_SEC_MEM and OPENSSL_SEC_MEM_MINSIZE, which initializes the secure memory at the beginning of the openssl app.
Resolves: https://github.com/openssl/project/issues/786
Signed-off-by: Norbert Pocs
Reviewed-by: Neil Horman
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/28036)
---
diff --git a/apps/openssl.c b/apps/openssl.c
index da0fc9db3ff..bcda3e55ad2 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -247,6 +247,10 @@ int main(int argc, char *argv[])
 int global_help = 0;
 int global_version = 0;
 int ret = 0;
+ char *sec_mem_char = NULL;
+#ifndef OPENSSL_NO_SECURE_MEMORY
+ char *sec_mem_minsize_char = NULL;
+#endif
 arg.argv = NULL;
 arg.size = 0;
@@ -267,6 +271,54 @@ int main(int argc, char *argv[])
 setup_trace(getenv("OPENSSL_TRACE"));
 #endif
+ sec_mem_char = getenv("OPENSSL_SEC_MEM");
+ if (sec_mem_char != NULL) {
+#ifndef OPENSSL_NO_SECURE_MEMORY
+ long sec_mem = 0;
+ long sec_mem_minsize = 0;
+ char *end = NULL;
+
+ errno = 0;
+ sec_mem = strtol(sec_mem_char, &end, 0);
+ if (errno != 0 || *end != 0 || end == sec_mem_char) {
+ BIO_printf(bio_err,
+ "FATAL: could not convert OPENSSL_SEC_MEM (%s) to number\n",
+ sec_mem_char);
+ ret = EXIT_FAILURE;
+ goto end;
+ }
+
+ /*
+ * Try to fetch the minsize if given, if not use the default value.
+ */
+ sec_mem_minsize_char = getenv("OPENSSL_SEC_MEM_MINSIZE");
+ if (sec_mem_minsize_char != NULL) {
+ errno = 0;
+ sec_mem_minsize = strtol(sec_mem_minsize_char, &end, 0);
+ if (errno != 0 || *end != 0 || end == sec_mem_minsize_char) {
+ BIO_printf(bio_err,
+ "FATAL: could not convert OPENSSL_SEC_MEM_MINSIZE (%s) to number\n",
+ sec_mem_minsize_char);
+ ret = 1;
+ goto end;
+ }
+ }
+
+ ret = CRYPTO_secure_malloc_init(sec_mem, sec_mem_minsize);
+ if (ret != 1) {
+ BIO_printf(bio_err,
+ "FATAL: could not initialize secure memory\n");
+ ERR_print_errors(bio_err);
+ ret = 1;
+ goto end;
+ }
+#else
+ BIO_printf(bio_err,
+ "FATAL: OPENSSL_SEC_MEM environment variable was set, but "
+ "openssl was compiled without secure memory support.\n");
+#endif
+ }
+
 if ((fname = "apps_startup", !apps_startup())
 || (fname = "prog_init", (prog = prog_init()) == NULL)) {
 BIO_printf(bio_err,
@@ -322,6 +374,9 @@ int main(int argc, char *argv[])
 BIO_free_all(bio_out);
 apps_shutdown();
 BIO_free_all(bio_err);
+#ifndef OPENSSL_NO_SECURE_MEMORY
+ CRYPTO_secure_malloc_done();
+#endif
 EXIT(ret);
 }
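Review bot: The `#else` branch prints a message labelled FATAL but neither sets `ret` nor jumps to `end`, so a build without secure memory support falls through to `apps_startup()` and runs the requested command anyway. Whoever sets OPENSSL_SEC_MEM is asking for sensitive allocations to live in the secure heap, so this path should fail closed like the others: add `ret = EXIT_FAILURE;` and `goto end;` after that `BIO_printf`. Separately, both values are parsed into `long` and passed straight to `CRYPTO_secure_malloc_init`, whose parameters are `size_t`, so a negative setting is silently converted to a very large unsigned size; a guard such as `if (sec_mem <= 0 || sec_mem_minsize < 0)` with its own error message before the call would reject it clearly. The error paths also mix `ret = EXIT_FAILURE` and `ret = 1`, and one spelling throughout would read better. main's body starts and ends outside this hunk.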
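Review bot: The return value of `CRYPTO_secure_malloc_done()` is discarded, and because the call sits after `BIO_free_all(bio_err)` a failed release could not be reported even if it were checked. The function returns 0 when secure allocations are still outstanding, which at exit would mean some object holding sensitive data was never freed and cleansed. Placing the call between `apps_shutdown()` and `BIO_free_all(bio_err)` as `if (!CRYPTO_secure_malloc_done()) BIO_printf(bio_err, "warning: secure memory still in use at exit\n");` would surface that, assuming nothing freed by `BIO_free_all(bio_err)` lives in the secure heap. main's body starts outside this hunk.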