Thanks Steve for the response. Given the current way it is done in OpenSSL-1.0.1f, what is the right thing for the application to do? Should the application be using a static EC_KEY for each of the curves that are supported?
Thanks,
Varma

On Sat, Feb 15, 2014 at 6:36 AM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Thu, Feb 13, 2014, Varma Dantuluri wrote:
>
> > In OpenSSL-1.0.1f, in 'ssl3_send_server_key_exchange' function, when all
> > the below conditions are true, there is a potential memory leak.
> >
> > 1) 'type & SSL_kEECDH' is true, (ie the key exchange is ephemeral ecdh)
> > 2) 'ecdhp == NULL' && 's->cert->ecdh_tmp_cb != NULL'
> > 3) 's->cert->ecdh_tmp_cb' mallocs a new 'EC_KEY' and returns the allocated
> > pointer.
> >
> > This allocated 'EC_KEY', 'ecdhp' is later copied to 'ecdh' using
> > 'EC_KEY_dup'. But 'ecdhp' is not freed in the function.
> >
> > I would think that the call back functions would allocate a new EC_KEY,
> > at least sometimes if not every time. And whenever the allocation is done,
> > that memory is leaked.
> >
>
> Well the callback works in the same way as the DH equivalent. For DH the
> intention is that DH parameters had been pre-loaded and you just pass a
> pointer to the already allocated pointer instead of allocating it on demand.
> So you might (for example) load a set of DH parameters and then return the
> same DH pointer in multiple callbacks.
>
> This isn't really appropriate for ECDH (where you don't "generate" or "load" a
> curve, you just set it) but changing it would badly break compatibility with
> applications that do the right thing, typically with a double free error.
>
> In 1.0.2 and later you can forget about ECDH callbacks altogether and just set
> auto ECDH support and it will automatically select appropriate parameters.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org