From 3c77a51f6b0150243273ea7e955ba91048c9ad6e Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 25 Nov 2021 15:10:00 +0100
Subject: [PATCH] Add OPENSSL_cleanup to tls_shutdown function

This prevents a direct leak in OPENSSL_init_crypto (called from OPENSSL_init_ssl). Add shim version of OPENSSL_cleanup because it is missing in LibreSSL on OpenBSD.

(cherry picked from commit 89f4f8f0c89a5243ba9fa343d492b15fd97e4df0)
---
 config.h.in | 3 +++
 configure.ac | 2 +-
 lib/isc/openssl_shim.c | 7 +++++++
 lib/isc/openssl_shim.h | 5 +++++
 lib/isc/tls.c | 6 ++++--
 5 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/config.h.in b/config.h.in
index 39c140a3685..212bc0b1799 100644
--- a/config.h.in
+++ b/config.h.in
@@ -288,6 +288,9 @@
 /* Define to 1 if you have the header file. */
 #undef HAVE_NET_ROUTE_H
+/* Define to 1 if you have the `OPENSSL_cleanup' function. */
+#undef HAVE_OPENSSL_CLEANUP
+
 /* define if OpenSSL supports Ed25519 */
 #undef HAVE_OPENSSL_ED25519
diff --git a/configure.ac b/configure.ac
index d11e0ca7264..b3c2eaa085e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -832,7 +832,7 @@ AC_COMPILE_IFELSE(
 # Check for functions added in OpenSSL or LibreSSL
 #
-AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto])
+AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
 AC_CHECK_FUNCS([CRYPTO_zalloc])
 AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
 AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset])
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index bc1baa92bbb..683526d0542 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -220,3 +220,10 @@ OPENSSL_init_ssl(uint64_t opts, const void *settings) {
 return (1);
 }
 #endif
+
+#if !HAVE_OPENSSL_CLEANUP
+void
+OPENSSL_cleanup(void) {
+ return;
+}
+#endif
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index bd5a137e34b..2923e278b2d 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
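Review bot: The OPENSSL_cleanup shim added at the end of lib/isc/openssl_shim.c is an empty function, so on a libcrypto that lacks a native OPENSSL_cleanup (the LibreSSL case the description names) nothing is released and the allocation the description attributes to OPENSSL_init_crypto stays unfreed; as far as I know LibreSSL also reports an OPENSSL_VERSION_NUMBER above 0x10100000L, so the legacy cleanup calls tls_shutdown keeps under `#else` are not reached there either. That may be acceptable for an exit-time hook, but the silent no-op deserves a comment so nobody later expects it to free anything: `/* No-op placeholder for libraries without OPENSSL_cleanup(); nothing is released here. */`. The bare `return;` in an otherwise empty void function is redundant and can be dropped.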
@@ -119,6 +119,11 @@ OPENSSL_init_ssl(uint64_t opts, const void *settings);
 #endif
+#if !HAVE_OPENSSL_CLEANUP
+void
+OPENSSL_cleanup(void);
+#endif
+
 #if !HAVE_TLS_SERVER_METHOD
 #define TLS_server_method SSLv23_server_method
 #endif
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index c5da2144989..a73af17e969 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -13,6 +13,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -123,8 +124,9 @@ tls_shutdown(void) {
 REQUIRE(atomic_load(&init_done));
 REQUIRE(!atomic_load(&shut_done));
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ OPENSSL_cleanup();
+#else
 CONF_modules_unload(1);
 OBJ_cleanup();
 EVP_cleanup();
-- 
2.47.3
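Review bot: The explicit `OPENSSL_cleanup();` added to tls_shutdown in lib/isc/tls.c is irreversible: once it has run, libcrypto cannot be re-initialised in this process, so any OpenSSL use after tls_shutdown (by later isc code, by another library linked into the same binary, or by the exit-time cleanup OpenSSL registers itself) becomes an error rather than a leak. The `REQUIRE(!atomic_load(&shut_done))` guard above it only prevents a second tls_shutdown, not later use, so the constraint should be stated at the call: `/* Irreversible: libcrypto cannot be re-initialised afterwards, so this must be the last OpenSSL use in the process. */`. Note also that the branch is selected by OPENSSL_VERSION_NUMBER rather than by the new HAVE_OPENSSL_CLEANUP configure result, so a library that takes this branch but lacks the function ends up in the no-op shim and skips the `#else` legacy calls as well (as it did before the change). tls_shutdown's body continues past the end of the hunk.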