crypto-util: use correct cleanup function for OpenSSL buffers
authorYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 30 Jun 2026 15:00:11 +0000 (00:00 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Thu, 2 Jul 2026 18:02:56 +0000 (03:02 +0900)
Buffers allocated by OpenSSL must be freed with OPENSSL_free().
Fortunately, we do not enable the secure heap, so OPENSSL_free()
is currently equivalent to free(), but let's fix this for correctness.

src/shared/crypto-util.c

index f99147d7bb046824708cc84ed5699fbf05bf2543..006edbe8662dd01c20965303bb07359027325011 100644 (file)
@@ -1860,7 +1860,6 @@ static int ecc_pkey_generate_volume_keys(
 
         _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey_new = NULL;
         _cleanup_(erase_and_freep) void *decrypted_key = NULL;
-        _cleanup_free_ unsigned char *saved_key = NULL;
         size_t decrypted_key_size, saved_key_size;
         int r;
 
@@ -1892,10 +1891,17 @@ static int ecc_pkey_generate_volume_keys(
 
         /* EVP_PKEY_get1_encoded_public_key() always returns uncompressed format of EC points.
            See https://github.com/openssl/openssl/discussions/22835 */
-        saved_key_size = sym_EVP_PKEY_get1_encoded_public_key(pkey_new, &saved_key);
+        _cleanup_(OPENSSL_freep) void *buf = NULL;
+        saved_key_size = sym_EVP_PKEY_get1_encoded_public_key(pkey_new, (unsigned char**) &buf);
         if (saved_key_size == 0)
                 return log_openssl_errors(LOG_DEBUG, "Failed to convert the generated public key to SEC1 format");
 
+        /* 'buf' is allocated by OpenSSL and must be freed via OPENSSL_free(). We duplicate it here so the
+         * caller can safely use standard free(). */
+        _cleanup_free_ void *saved_key = memdup(buf, saved_key_size);
+        if (!saved_key)
+                return log_oom_debug();
+
         *ret_decrypted_key = TAKE_PTR(decrypted_key);
         *ret_decrypted_key_size = decrypted_key_size;
         *ret_saved_key = TAKE_PTR(saved_key);
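Review bot: The `(unsigned char**) &buf` cast in the call to `sym_EVP_PKEY_get1_encoded_public_key()` makes OpenSSL store an `unsigned char *` into an object declared `void *`, which silences the compiler's type check on that argument and is, strictly read, a store through an incompatible pointer type. A typed temporary avoids the cast without changing ownership: declare `unsigned char *p = NULL;`, pass `&p`, then put `_cleanup_(OPENSSL_freep) void *buf = p;` directly after the call and before the `saved_key_size == 0` check (this assumes OPENSSL_freep needs a `void *` variable, as the declaration here suggests; its definition is not in the hunk). The same cast appears in `x509_fingerprint()` with `&der`. The body of `ecc_pkey_generate_volume_keys()` starts and ends outside this hunk.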
@@ -2278,7 +2284,7 @@ OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
 }
 
 int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
-        _cleanup_free_ uint8_t *der = NULL;
+        _cleanup_(OPENSSL_freep) void *der = NULL;
         int dersz, r;
 
         assert(cert);
@@ -2287,7 +2293,7 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
         if (r < 0)
                 return r;
 
-        dersz = sym_i2d_X509(cert, &der);
+        dersz = sym_i2d_X509(cert, (unsigned char**) &der);
         if (dersz < 0)
                 return log_openssl_errors(LOG_DEBUG, "Unable to convert PEM certificate to DER format");