PKCS12_newpass中的内存泄漏

时间:2016-03-18 08:31:33

标签: ios objective-c memory-leaks openssl

我编写了更改PKCS12证书密码的函数。

我注意到PKCS12_newpass函数泄漏了内存。注释掉这一行时,不会产生内存泄漏。

我如何修复此内存泄漏?

- (NSData*)changePKCS12:(NSData*)p12Data
          oldPassphrase:(NSString*)oldPassphrase
          newPassphrase:(NSString*)newPassphrase {
    OpenSSL_add_all_algorithms();
    BIO *bp = NULL;
    PKCS12 *p12 = NULL;
    int status = 0;
    do {
        bp = BIO_new_mem_buf((void *)[p12Data bytes], (int)[p12Data length]);    
        p12 = d2i_PKCS12_bio(bp, NULL);

        // MEMORY LEAK in PKCS12_newpass
        status = PKCS12_newpass(p12, (char *)[oldPassphrase UTF8String], (char *)[newPassphrase UTF8String]);
    } while (false);

    if (p12) {
        PKCS12_free(p12);
        p12 = NULL;
    }
    if (bp) {
        BIO_free_all(bp);
        bp = NULL;
    }
    EVP_cleanup();
    return NULL;
}

1 个答案:

答案 0 :(得分:1)

以下是Valgrind报告的两个漏洞:

$ valgrind --leak-check=full ./test.exe 
==32547== Memcheck, a memory error detector
==32547== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==32547== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==32547== Command: ./test.exe
==32547== 
==32547== 
==32547== HEAP SUMMARY:
==32547==     in use at exit: 4,044 bytes in 25 blocks
==32547==   total heap usage: 3,273 allocs, 3,248 frees, 149,992 bytes allocated
==32547== 
==32547== 1,307 (32 direct, 1,275 indirect) bytes in 1 blocks are definitely lost in loss record 22 of 24
==32547==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32547==    by 0x408A76: CRYPTO_malloc (mem.c:140)
==32547==    by 0x408AA9: CRYPTO_zalloc (mem.c:148)
==32547==    by 0x447104: asn1_item_embed_new (tasn_new.c:171)
==32547==    by 0x446E66: ASN1_item_ex_new (tasn_new.c:88)
==32547==    by 0x4439AA: asn1_item_embed_d2i (tasn_dec.c:333)
==32547==    by 0x4431B7: ASN1_item_ex_d2i (tasn_dec.c:162)
==32547==    by 0x44314A: ASN1_item_d2i (tasn_dec.c:152)
==32547==    by 0x4AB8BA: PKCS12_item_decrypt_d2i (p12_decr.c:159)
==32547==    by 0x40CA79: PKCS8_decrypt (p12_p8d.c:69)
==32547==    by 0x40C8DC: newpass_bag (p12_npas.c:206)
==32547==    by 0x40C868: newpass_bags (p12_npas.c:188)
==32547== 
==32547== 2,625 (32 direct, 2,593 indirect) bytes in 1 blocks are definitely lost in loss record 24 of 24
==32547==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32547==    by 0x408A76: CRYPTO_malloc (mem.c:140)
==32547==    by 0x408AA9: CRYPTO_zalloc (mem.c:148)
==32547==    by 0x41258E: sk_new (stack.c:153)
==32547==    by 0x41256A: sk_new_null (stack.c:146)
==32547==    by 0x40C27E: sk_PKCS7_new_null (pkcs7.h:199)
==32547==    by 0x40C489: newpass_p12 (p12_npas.c:118)
==32547==    by 0x40C3CC: PKCS12_newpass (p12_npas.c:96)
==32547==    by 0x40315F: main (in /home/openssl/test.exe)

第一个是0x40C8DC: newpass_bag (p12_npas.c:206)

X509_SIG_get0(&shalg, NULL, bag->value.shkeybag);

但是,get0中的X509_SIG_get0不会影响引用计数,因此我认为它实际上是它之前的行(或X509_SIG_get0中的错误):

if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)

PKCS12_SAFEBAG_get_nid未记录在案。这意味着它是一个私有API,因此OpenSSL开发人员必须修复由它引起的泄漏。 (我认为它实际上是由于PKCS12_item_decrypt_d2i更深入到堆栈中,但由于PKCS12_SAFEBAG_get_nid而无法实现。

第二个是0x40C489: newpass_p12 (p12_npas.c:118)

if ((newsafes = sk_PKCS7_new_null()) == NULL)
    return 0;

sk_PKCS7_new_null未记录在案。这意味着它是一个私有API,因此OpenSSL开发人员必须修复由它引起的泄漏。

  

我如何修复此内存泄漏?

不幸的是,你不能,因为这两个罪犯都是私人API。您可以做的最好的事情是RTOpenSSL bug tracker

关于文档和私有API等有一些意外的“大问题”。有关讨论和新规则,请参阅EC_KEY_priv2buf(): check parameter sanity

根据搜索来源,PKCS12_newpass缺少文档,所以它也是一个私有API(没有POD文件,用于构建手册页):

$ grep -IR PKCS12_newpass *
CHANGES:  *) New function PKCS12_newpass() which changes the password of a
crypto/pkcs12/pk12err.c:    {ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"},
crypto/pkcs12/p12_npas.c:int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass)
crypto.map:        PKCS12_newpass;
include/openssl/pkcs12.h:int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass);
util/libcrypto.num:PKCS12_newpass                          3204 1_1_0   EXIST::FUNCTION:

提交的错误报告包含Issue 4478: DOCUMENTATION PKCS12_newpass的文档。它应该有助于超越“文档其他私有”规则。

以下是cat test.cc

#include "openssl/pkcs12.h"
#include "openssl/bio.h"
#include "openssl/engine.h"
#include "openssl/conf.h"
#include "openssl/err.h"

/* openssl req -x509 -newkey rsa:1024 -keyout key.pem -nodes -out cert.pem -days 365 */
/* openssl pkcs12 -export -out pkcs12.p12 -inkey key.pem -in cert.pem         */

/* gcc -ansi -I . -I ./include test.cc ./libcrypto.a -o test.exe */

int main(int argc, char* argv[])
{
  OpenSSL_add_all_algorithms();

  BIO *bp = NULL;
  PKCS12 *p12 = NULL;
  int rc = -1;
  unsigned long err = 0;
  char password[] = "passphrase";

  bp =  BIO_new_file("pkcs12.p12", "r");
  if (bp == NULL) goto cleanup;

  p12 = d2i_PKCS12_bio(bp, NULL);
  if (p12 == NULL) goto cleanup;

  /* Use empty string when no password was applies with 'openssl pkcs12' */
  rc = PKCS12_newpass(p12, password, password);

cleanup:

  if (rc == 1)
    {
      fprintf(stdout, "Sucessfully changed password\n");
    }
  else
    {
      err = ERR_get_error();
      fprintf(stderr, "Failed to change password, error %lu\n", err);
    }

  if (p12)
    PKCS12_free(p12);

  if (bp)
    BIO_free_all(bp);

  /* http://wiki.openssl.org/index.php/Library_Initialization#Cleanup */
  ENGINE_cleanup();
  CONF_modules_unload(1);
  EVP_cleanup();
  CRYPTO_cleanup_all_ex_data();
#if OPENSSL_API_COMPAT < 0x10000000L
  ERR_remove_state(0);
#else
  ERR_remove_thread_state();
#endif
  ERR_free_strings(); 

  return 0;
}