[QUIC][BUG] function 'ngx_hkdf_extract ' has memory leak when use OPENSSL but not BoringSSL.
lingtao.klt
nginx-forum at forum.nginx.org
Wed Mar 10 03:17:43 UTC 2021
In ngx_hkdf_expand, when use OPENSSL, the *pctx need to be free.
```
static ngx_int_t
ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
const uint8_t *prk, size_t prk_len, const u_char *info, size_t
info_len)
{
#ifdef OPENSSL_IS_BORINGSSL
if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
== 0)
{
return NGX_ERROR;
}
#else
EVP_PKEY_CTX *pctx;
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
if (EVP_PKEY_derive_init(pctx) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0)
{
return NGX_ERROR;
}
if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
return NGX_ERROR;
}
#endif
return NGX_OK;
}
```
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,290935,290935#msg-290935
More information about the nginx
mailing list