From: Matthijs Mekking
Date: Thu, 25 Nov 2021 14:10:00 +0000 (+0100)
Subject: Add OPENSSL_cleanup to tls_shutdown function
X-Git-Tag: v9.17.21~16^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89f4f8f0c89a5243ba9fa343d492b15fd97e4df0;p=thirdparty%2Fbind9.git

Add OPENSSL_cleanup to tls_shutdown function

This prevents a direct leak in OPENSSL_init_crypto (called from OPENSSL_init_ssl).

Add shim version of OPENSSL_cleanup because it is missing in LibreSSL on OpenBSD.
---
diff --git a/configure.ac b/configure.ac
index ffcc69f3255..817a01d0883 100644
--- a/configure.ac
+++ b/configure.ac
@@ -624,7 +624,7 @@ AC_COMPILE_IFELSE(
 # Check for functions added in OpenSSL or LibreSSL
 #
-AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto])
+AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
 AC_CHECK_FUNCS([CRYPTO_zalloc])
 AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq])
 AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index d75c9db86b1..140d6d71cf7 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -160,3 +160,10 @@ OPENSSL_init_ssl(uint64_t opts, const void *settings) {
 	return (1);
 }
 #endif
+
+#if !HAVE_OPENSSL_CLEANUP
+void
+OPENSSL_cleanup(void) {
+	return;
+}
+#endif
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index 57465ba0124..55e3187d5fa 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -106,6 +106,11 @@ OPENSSL_init_ssl(uint64_t opts, const void *settings);
 #endif
 
+#if !HAVE_OPENSSL_CLEANUP
+void
+OPENSSL_cleanup(void);
+#endif
+
 #if !HAVE_TLS_SERVER_METHOD
 #define TLS_server_method SSLv23_server_method
 #endif
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index cc63e2e9cd2..a59bb4f2adc 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -17,6 +17,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
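Review bot: The shim `OPENSSL_cleanup()` in the openssl_shim.c hunk is a silent no-op, so on a build where configure does not find the real function (LibreSSL, per the commit message) `tls_shutdown()` releases nothing through this call and the leak fixed for OpenSSL builds presumably remains on that platform; the stub should state that rather than reading like an unfinished body. Replace the bare `return;` with a comment such as `/* Intentionally empty: LibreSSL provides no OPENSSL_cleanup(), so no library-wide cleanup is available here. */`, and add a one-line comment above the matching declaration in the openssl_shim.h hunk saying it is a no-op stand-in. The version-number `#if` that selects between this call and the legacy `CONF_modules_unload`/`OBJ_cleanup`/`EVP_cleanup` path is in the second tls.c hunk, which runs past the end of this page, so I cannot confirm from here which branch shim builds take.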
@@ -128,8 +129,9 @@ tls_shutdown(void) {
 	REQUIRE(atomic_load(&init_done));
 	REQUIRE(!atomic_load(&shut_done));
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	OPENSSL_cleanup();
+#else
 	CONF_modules_unload(1);
 	OBJ_cleanup();
 	EVP_cleanup();