[Openvpn-devel] Don't manually free DH params in OpenSSL 3

Message ID 20211025145314.23009-1-maximilian.fillinger@foxcrypto.com
State Accepted
Series [Openvpn-devel] Don't manually free DH params in OpenSSL 3

Commit Message

Maximilian Fillinger Oct. 25, 2021, 3:53 a.m. UTC
When the EVP_PKEY object with the Diffie-Hellman parameters is passed
to SSL_CTX_set0_tmp_dh_pkey, it does not create a copy but stores the
pointer in the SSL_CTX. Therefore, we should not free it.

The EVP_PKEY will be freed automatically when we free the SSL_CTX.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
 src/openvpn/ssl_openssl.c | 2 --
 1 file changed, 2 deletions(-)
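
As an added illustration of the ownership rule the commit message relies on (this is not code from OpenVPN or OpenSSL): a self-contained C model of the set0/set1 naming convention. model_pkey, model_ssl_ctx and the model_* functions are constructed stand-ins for EVP_PKEY, SSL_CTX and the setters; they follow OpenSSL's documented contract that SSL_CTX_set0_tmp_dh_pkey owns the pointer only after a successful call, while a set1-style setter takes its own reference. run_scenario() loads parameters with one of four caller styles, tears the context down and reports whether a key leaked or was freed twice, so both the pre-patch double free and the failure-path leak a caller can introduce when removing the free show up as return codes.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of OpenSSL's set0/set1 ownership convention, written to
 * illustrate the patch; none of this is OpenSSL or OpenVPN code. model_pkey
 * stands in for a reference-counted EVP_PKEY and model_ssl_ctx for SSL_CTX.
 * Keys live in a static pool so a double free is detected and counted
 * instead of being undefined behaviour.
 */
#define POOL_SIZE 8

typedef struct { int in_use; int refs; int bits; } model_pkey;
typedef struct { model_pkey *dh_tmp; int min_dh_bits; } model_ssl_ctx;

static model_pkey pool[POOL_SIZE];
static int g_double_frees;

static void model_reset(void) { memset(pool, 0, sizeof pool); g_double_frees = 0; }

static model_pkey *model_pkey_new(int bits)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1; pool[i].refs = 1; pool[i].bits = bits;
            return &pool[i];
        }
    }
    return NULL;
}

static void model_pkey_free(model_pkey *k)
{
    if (k == NULL) return;
    if (!k->in_use) { g_double_frees++; return; }   /* freeing a dead object */
    if (--k->refs == 0) k->in_use = 0;
}

static int model_live_keys(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool[i].in_use;
    return n;
}

/* set0 contract: on success the ctx owns dhpkey; on failure the caller still does. */
static int model_set0_tmp_dh_pkey(model_ssl_ctx *ctx, model_pkey *dhpkey)
{
    if (dhpkey->bits < ctx->min_dh_bits) return 0;   /* "DH key too small" */
    model_pkey_free(ctx->dh_tmp);
    ctx->dh_tmp = dhpkey;
    return 1;
}

/* set1 contract: the ctx takes its own reference; the caller keeps and frees its own. */
static int model_set1_tmp_dh_pkey(model_ssl_ctx *ctx, model_pkey *dhpkey)
{
    if (dhpkey->bits < ctx->min_dh_bits) return 0;
    dhpkey->refs++;
    model_pkey_free(ctx->dh_tmp);
    ctx->dh_tmp = dhpkey;
    return 1;
}

static void model_ctx_free(model_ssl_ctx *ctx) { model_pkey_free(ctx->dh_tmp); ctx->dh_tmp = NULL; }

enum caller_style {
    SET0_PATCHED,        /* free dh only when the setter fails */
    SET0_FREE_ALWAYS,    /* pre-patch shape: free dh after a successful set0 */
    SET0_FORGET_FAILURE, /* never free dh: leaks when the setter rejects the key */
    SET1_ALWAYS_FREE     /* set1 variant: always drop the caller's own reference */
};

static int load_dh_params(model_ssl_ctx *ctx, int bits, enum caller_style style)
{
    model_pkey *dh = model_pkey_new(bits);
    int ok;
    if (style == SET1_ALWAYS_FREE) {
        ok = model_set1_tmp_dh_pkey(ctx, dh);
        model_pkey_free(dh);
        return ok;
    }
    ok = model_set0_tmp_dh_pkey(ctx, dh);
    if (!ok && style != SET0_FORGET_FAILURE) model_pkey_free(dh);
    if (ok && style == SET0_FREE_ALWAYS) model_pkey_free(dh);
    return ok;
}

/* Runs one load followed by ctx teardown. Returns 0 if memory is clean,
   1 if a key leaked, 2 if a key was freed twice. */
static int run_scenario(enum caller_style style, int bits, int min_bits)
{
    model_ssl_ctx ctx = { NULL, min_bits };
    model_reset();
    load_dh_params(&ctx, bits, style);
    model_ctx_free(&ctx);
    if (g_double_frees) return 2;
    return model_live_keys() ? 1 : 0;
}

int main(void)
{
    printf("patched, accepted key:        %d\n", run_scenario(SET0_PATCHED, 2048, 1024));
    printf("patched, rejected key:        %d\n", run_scenario(SET0_PATCHED, 512, 1024));
    printf("pre-patch, accepted key:      %d\n", run_scenario(SET0_FREE_ALWAYS, 2048, 1024));
    printf("no failure free, rejected:    %d\n", run_scenario(SET0_FORGET_FAILURE, 512, 1024));
    printf("set1, accepted key:           %d\n", run_scenario(SET1_ALWAYS_FREE, 2048, 1024));
    return 0;
}
```

Build with cc -std=c99 and run: the patched caller and the set1 caller come out clean (0), the pre-patch shape is reported as a double free (2), and a set0 caller that drops the free on the failure path as well leaks the rejected key (1). The min_dh_bits threshold stands in for the security-level check a real setter performs; the point is that the pointer changes owner only when the call reports success.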

Comments

Arne Schwabe Oct. 25, 2021, 4:07 a.m. UTC | #1
Am 25.10.21 um 16:53 schrieb Max Fillinger:
> When the EVP_PKEY object with the Diffie-Hellman parameters is passed
> to SSL_CTX_set0_tmp_dh_pkey, it does not create a copy but stores the
> pointer in the SSL_CTX. Therefore, we should not free it.
> 
> The EVP_PKEY will be freed automatically when we free the SSL_CTX.
> 

Yes. The set0 indicates that it does a direct reference.

Acked-By: Arne Schwabe <arne@rfc2549.org>
Gert Doering Oct. 25, 2021, 4:59 a.m. UTC | #2
Great find.  

I had this trac ticket (1436) about weird hanging/looping on signal exit, 
inside openssl cleanup, and your patch fixes this :-)

Your patch has been applied to the master branch.

commit 4daed27f28f6bb3033e659328fe80322a8f4b5e1
Author: Max Fillinger
Date:   Mon Oct 25 16:53:14 2021 +0200

     Don't manually free DH params in OpenSSL 3

     Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
     Message-Id: <20211025145314.23009-1-maximilian.fillinger@foxcrypto.com>
     URL: https://www.mail-archive.com/search?l=mid&q=20211025145314.23009-1-maximilian.fillinger@foxcrypto.com
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2414fc5e..6f2d6d57 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -685,8 +685,6 @@  tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
 
     msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
         8 * EVP_PKEY_get_size(dh));
-
-    EVP_PKEY_free(dh);
 #else
     DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
     BIO_free(bio);
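Review bot: removing EVP_PKEY_free(dh) here is right for the success path, but ownership passes to the SSL_CTX only when SSL_CTX_set0_tmp_dh_pkey returns success; when it fails (for instance parameters rejected by the security level) the caller keeps the pointer and must still free it. The call and its error check sit above this hunk's context, so please confirm that failure path still frees dh before returning, otherwise it now leaks. Minor: 8 * EVP_PKEY_get_size(dh) reports the output size rounded up to whole bytes; EVP_PKEY_get_bits(dh) gives the parameter length directly.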