From: Yu Watanabe Date: Tue, 30 Jun 2026 15:00:11 +0000 (+0900) Subject: crypto-util: use correct cleanup function for OpenSSL buffers X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=94e8d7209ef86892e6b6d045e25d875528ea1d0d;p=thirdparty%2Fsystemd.git crypto-util: use correct cleanup function for OpenSSL buffers Buffers allocated by OpenSSL must be freed with OPENSSL_free(). Fortunately, we do not enable the secure heap, so OPENSSL_free() is currently equivalent to free(), but let's fix this for correctness. --- diff --git a/src/shared/crypto-util.c b/src/shared/crypto-util.c index f99147d7bb0..006edbe8662 100644 --- a/src/shared/crypto-util.c +++ b/src/shared/crypto-util.c @@ -1860,7 +1860,6 @@ static int ecc_pkey_generate_volume_keys( _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey_new = NULL; _cleanup_(erase_and_freep) void *decrypted_key = NULL; - _cleanup_free_ unsigned char *saved_key = NULL; size_t decrypted_key_size, saved_key_size; int r; @@ -1892,10 +1891,17 @@ static int ecc_pkey_generate_volume_keys( /* EVP_PKEY_get1_encoded_public_key() always returns uncompressed format of EC points. See https://github.com/openssl/openssl/discussions/22835 */ - saved_key_size = sym_EVP_PKEY_get1_encoded_public_key(pkey_new, &saved_key); + _cleanup_(OPENSSL_freep) void *buf = NULL; + saved_key_size = sym_EVP_PKEY_get1_encoded_public_key(pkey_new, (unsigned char**) &buf); if (saved_key_size == 0) return log_openssl_errors(LOG_DEBUG, "Failed to convert the generated public key to SEC1 format"); + /* 'buf' is allocated by OpenSSL and must be freed via OPENSSL_free(). We duplicate it here so the + * caller can safely use standard free(). */ + _cleanup_free_ void *saved_key = memdup(buf, saved_key_size); + if (!saved_key) + return log_oom_debug(); + *ret_decrypted_key = TAKE_PTR(decrypted_key); *ret_decrypted_key_size = decrypted_key_size; *ret_saved_key = TAKE_PTR(saved_key); 
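Review bot: In ecc_pkey_generate_volume_keys(), the cast `(unsigned char**) &buf` lets OpenSSL store an `unsigned char *` into an object declared `void *`, which silences the compiler's type check and is formally an aliasing violation unless the build disables strict-aliasing optimisation (not visible in this patch). The same cast is applied to `der` in the x509_fingerprint() hunks further down. A typed temporary avoids it while keeping the cleanup: declare `unsigned char *p = NULL;`, pass `&p` to the call, and put `_cleanup_(OPENSSL_freep) void *buf = p;` directly after the call, before the size check. If the cast stays, a one-line comment such as `/* void* and unsigned char* share representation; OPENSSL_freep() operates on a void* */` would record why; this presumes OPENSSL_freep() takes a `void **`, which the hunk suggests but does not show. Both function bodies start and end outside their hunks, so later uses of `buf` and `der` were not reviewed.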
@@ -2278,7 +2284,7 @@ OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) { } int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) { - _cleanup_free_ uint8_t *der = NULL; + _cleanup_(OPENSSL_freep) void *der = NULL; int dersz, r; assert(cert); @@ -2287,7 +2293,7 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) { if (r < 0) return r; - dersz = sym_i2d_X509(cert, &der); + dersz = sym_i2d_X509(cert, (unsigned char**) &der); if (dersz < 0) return log_openssl_errors(LOG_DEBUG, "Unable to convert PEM certificate to DER format");