Free objects that were dynamically allocated in libcrypto with OPENSSL_free().

When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@

diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index 58b6050..a82fee0 100644 (file)
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ca.c,v 1.88 2022/07/08 19:51:11 tobhe Exp $   */
+/*     $OpenBSD: ca.c,v 1.89 2022/11/07 22:39:52 tobhe Exp $   */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -683,7 +683,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
                        if (subj_name == NULL)
                                return (-1);
                        log_debug("%s: found CA %s", __func__, subj_name);
-                       free(subj_name);
+                       OPENSSL_free(subj_name);
 
                        chain_len = ca_chain_by_issuer(store, subj, &id,
                            chain, nitems(chain));
@@ -746,7 +746,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
                        return (-1);
                log_debug("%s: found local certificate %s", __func__,
                    subj_name);
-               free(subj_name);
+               OPENSSL_free(subj_name);
 
                if ((buf = ca_x509_serialize(cert)) == NULL)
                        return (-1);
@@ -921,7 +921,7 @@ ca_reload(struct iked *env)
                if (subj_name == NULL)
                        return (-1);
                log_debug("%s: %s", __func__, subj_name);
-               free(subj_name);
+               OPENSSL_free(subj_name);
 
                if (ibuf_add(env->sc_certreq, md, len) != 0) {
                        ibuf_release(env->sc_certreq);
@@ -1195,10 +1195,10 @@ ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size)
        if (buflen == 0)
                return (-1);
        if (!EVP_Digest(buf, buflen, md, size, EVP_sha1(), NULL)) {
-               free(buf);
+               OPENSSL_free(buf);
                return (-1);
        }
-       free(buf);
+       OPENSSL_free(buf);
 
        return (0);
 }
@@ -1225,7 +1225,7 @@ ca_store_info(struct iked *env, const char *msg, X509_STORE *ctx)
                    (name = X509_NAME_oneline(subject, NULL, 0)) == NULL)
                        continue;
                buflen = asprintf(&buf, "%s: %s\n", msg, name);
-               free(name);
+               OPENSSL_free(name);
                if (buflen == -1)
                        continue;
                proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
@@ -1478,6 +1478,10 @@ ca_privkey_to_method(struct iked_id *privkey)
        return (method);
 }
 
+/*
+ * Return dynamically allocated buffer containing certificate name.
+ * The resulting buffer must be freed with OpenSSL_free().
+ */
 char *
 ca_asn1_name(uint8_t *asn1, size_t len)
 {
@@ -1795,7 +1799,7 @@ ca_validate_cert(struct iked *env, struct iked_static_id *id,
                if (subj_name == NULL)
                        goto err;
                log_debug("%s: %s %.100s", __func__, subj_name, errstr);
-               free(subj_name);
+               OPENSSL_free(subj_name);
        }
  err:
 

diff --git a/sbin/iked/crypto.c b/sbin/iked/crypto.c
index 87fb765..b8327f3 100644 (file)
--- a/sbin/iked/crypto.c
+++ b/sbin/iked/crypto.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: crypto.c,v 1.39 2021/12/13 17:35:34 tobhe Exp $       */
+/*     $OpenBSD: crypto.c,v 1.40 2022/11/07 22:39:52 tobhe Exp $       */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -1193,11 +1193,11 @@ dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len)
                if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0)
                        return (-1);
                if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) {
-                       free(freeme);
+                       OPENSSL_free(freeme);
                        ca_sslerror(__func__);
                        return (-1);
                }
-               free(freeme);
+               OPENSSL_free(freeme);
        }
 
        return (0);

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 43de692..686ca3b 100644 (file)
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ikev2.c,v 1.356 2022/11/06 11:11:47 tobhe Exp $       */
+/*     $OpenBSD: ikev2.c,v 1.357 2022/11/07 22:39:52 tobhe Exp $       */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -6963,10 +6963,10 @@ ikev2_print_id(struct iked_id *id, char *idstr, size_t idstrlen)
                if ((str = ca_asn1_name(ptr, len)) == NULL)
                        return (-1);
                if (strlcpy(idstr, str, idstrlen) >= idstrlen) {
-                       free(str);
+                       OPENSSL_free(str);
                        return (-1);
                }
-               free(str);
+               OPENSSL_free(str);
                break;
        default:
                /* XXX test */