Project

General

Profile

Bug #9743

Updated by nobu (Nobuyoshi Nakada) over 6 years ago

repeated calls to `pub_key.verify(digest, pub_key.verify(digest, signature, data)` data) leaks memory.  

 from what I can gather from the openssl documentation, there seems to be a missing call to `EVP_MD_CTX_cleanup()` 

 EVP_MD_CTX_cleanup()  

 FILE: ossl_pkey.c  

 ~~~C ~~~ 
 326      EVP_VerifyUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data)); 
 327      switch (EVP_VerifyFinal(&ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), pkey)) { 
 328      case 0: 
 ~~~ 

 from the openssl docs: 

 http://www.openssl.org/docs/crypto/EVP_VerifyInit.html 

 > The call to `EVP_VerifyFinal()` EVP_VerifyFinal() internally finalizes a copy of the digest context. This means that calls to `EVP_VerifyUpdate()` EVP_VerifyUpdate() and `EVP_VerifyFinal()` EVP_VerifyFinal() can be called later to digest and verify additional data. 
 > 

 Since only a copy of the digest context is ever finalized the context must be cleaned up after use by calling `EVP_MD_CTX_cleanup()` EVP_MD_CTX_cleanup() or a memory leak will occur. 
 

Back