fix: multiple OpenSSL 3.x memory leaks#75
Draft
Koan-Bot wants to merge 1 commit intocpan-authors:mainfrom
Draft
Conversation
… construction
Three distinct memory leak fixes for OpenSSL >= 3.0.0 code paths:
1. _get_key_parameters(): EVP_PKEY_get_bn_param() allocates new BIGNUMs
(unlike pre-3.x getters which return internal pointers). cor_bn2sv()
duplicates them via BN_dup() but the originals were never freed,
leaking 8 BIGNUMs on every call.
2. verify(): XSRETURN_NO/XSRETURN_YES returned immediately, bypassing
EVP_MD_free(md) and EVP_PKEY_CTX_free(ctx) cleanup. Restructured to
capture verify result, free resources, then switch on the result.
3. _new_key_from_parameters():
- EVP_PKEY_CTX (pctx) was never freed on any path (success or error)
- EVP_PKEY_CTX from EVP_PKEY_check() (test_ctx) was never freed
- OSSL_PARAM_BLD and OSSL_PARAM were not freed in the else branch
(public-key-only path)
Moved pctx/params_build/params declarations to PREINIT for proper
scope, added cleanup on both success and error paths.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes three distinct memory leak families in OpenSSL >= 3.0.0 code paths:
_get_key_parameters():EVP_PKEY_get_bn_param()allocates new BIGNUMs (unlike pre-3.x getters which return internal const pointers), butcor_bn2sv()duplicates them viaBN_dup()without freeing the originals — 8 BIGNUMs leaked per callverify():XSRETURN_NO/XSRETURN_YESreturned immediately, bypassingEVP_MD_free()andEVP_PKEY_CTX_free()cleanup — leaked on every verify call_new_key_from_parameters():EVP_PKEY_CTX(pctx) was never freed on any path,test_ctxfromEVP_PKEY_check()was never freed, andOSSL_PARAM_BLD/OSSL_PARAMwere not freed in the public-key-only branchRoot cause
The OpenSSL 3.x migration changed ownership semantics: pre-3.x getter functions return internal pointers (caller must not free), while 3.x functions like
EVP_PKEY_get_bn_param()allocate new objects (caller must free). The original migration missed several of these ownership changes.Test plan
_get_key_parameters())🤖 Generated with Claude Code