From: Gerardo Ravago
Date: Wed, 6 Mar 2024 15:45:00 +0000 (-0500)
Subject: leak-detective: Add whitelist entries for AWS-LC
X-Git-Tag: 5.9.14dr2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8237968c2c0cf52af3a1b1a586da5d0bddb2b2c1;p=thirdparty%2Fstrongswan.git

leak-detective: Add whitelist entries for AWS-LC

AWS-LC (and likely BoringSSL) uses thread-specific data to store internal
library state which gets freed via a registered destructor when the thread
terminates. If this thread happens to be the main thread, which runs the
leak-detective evaluation, the detective won't observe the corresponding
free of the related memory and erroneously reports it as a leak.

The two places this happens are:
- `RAND_bytes` for storing internal RNG state.
- `ERR_put_error` for storing the per-thread OpenSSL error queue.

References strongswan/strongswan#1907
Closes strongswan/strongswan#2147
---

diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 78a8a709f6..292f68f0bf 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -632,6 +632,9 @@ static char *whitelist[] = {
 	"CRYPTO_get_ex_new_index",
 	/* OpenSSL libssl */
 	"SSL_COMP_get_compression_methods",
+	/* AWS-LC */
+	"RAND_bytes",
+	"ERR_put_error",
 	/* NSPR */
 	"PR_CallOnce",
 	/* libapr */
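Review bot: whitelisting `RAND_bytes` and `ERR_put_error` by name is broad for the problem described in the message: `whitelist[]` suppresses every allocation whose backtrace passes through the named function, so a real leak in any AWS-LC code path reached from `RAND_bytes` (which is on the hot path for every key and nonce) would be hidden along with the thread-local state that is freed by the destructor at thread exit. If the backtraces in strongswan/strongswan#1907 show a more specific frame (the function that allocates the thread-local RNG state or the per-thread error queue), whitelisting that frame instead keeps the suppression tied to the destructor-freed data. Either way, the `/* AWS-LC */` comment would be more useful to the next reader if it recorded the reason, e.g. `/* AWS-LC: thread-local state freed by destructor, not seen by the detective on the main thread */`, and since the message says BoringSSL likely behaves the same, noting that in the comment avoids a duplicate entry later.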