Re: pgcrypto: fix memory leak in openssl.c - Mailing list pgsql-patches

From Marko Kreen
Subject Re: pgcrypto: fix memory leak in openssl.c
Date
Msg-id e51f66da0602200506o2537e171n807d1077d55514ac@mail.gmail.com
In response to pgcrypto: fix memory leak in openssl.c  ("Marko Kreen" <markokr@gmail.com>)
Responses Re: pgcrypto: fix memory leak in openssl.c  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-patches
On 2/18/06, Marko Kreen <markokr@gmail.com> wrote:
> pgcrypto crypt()/md5 and hmac() leak memory when compiled against
> OpenSSL as openssl.c digest ->reset will do two DigestInit calls
> against a context.  This happened to work with OpenSSL 0.9.6
> but not with 0.9.7+.

Ugh, seems I read the old code slightly wrong.  The leak happens
also with regular digest(), although it will leak only 1 context
instance, not the 1000+ as the crypt-md5 does.  And on 8.1 there
is pgp_sym_encrypt that also does lots of resets on one context,
like crypt-md5.  In addition it does regular digest() in several
places.  So if compiled against OpenSSL, it's leaking everywhere.

The positive side is that only 8.1 has openssl autoconfiguration,
older versions default to builtin algorithms that can be changed
only by editing Makefile, thus most packages are hopefully safe.

--
marko
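
The pattern discussed in this thread, a reset that runs a second init on a context that already holds state, as a simplified C model (an added example, not code from pgcrypto, OpenSSL or this thread). The `toy_*` names, the static arena and the assumption that init allocates without releasing earlier state are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins; not OpenSSL or pgcrypto identifiers. */
static unsigned char arena[1 << 20];  /* static pool: the demo leaks no real heap */
static size_t arena_next = 0;
static long live_blocks = 0;          /* blocks handed out and not yet released */
typedef struct { void *md_data; } toy_ctx;

static void *toy_alloc(void)
{
    if (arena_next + 64 > sizeof(arena)) return NULL;
    void *p = arena + arena_next;
    arena_next += 64; live_blocks++;
    return p;
}

/* Init zeroes the context and allocates fresh state; it does not
 * release state left behind by an earlier init (assumed behaviour). */
static int toy_digest_init(toy_ctx *c)
{
    memset(c, 0, sizeof(*c));
    return (c->md_data = toy_alloc()) != NULL;
}

static void toy_ctx_cleanup(toy_ctx *c) { if (c->md_data) live_blocks--; c->md_data = NULL; }
/* Leaky reset: a second init on a live context orphans the old block. */
static int reset_leaky(toy_ctx *c) { return toy_digest_init(c); }
/* Fixed reset: release the old state before initialising again. */
static int reset_fixed(toy_ctx *c) { toy_ctx_cleanup(c); return toy_digest_init(c); }

/* Init once, reset n times, clean up once; return blocks still live. */
static long leaked_after(int n, int (*reset)(toy_ctx *))
{
    toy_ctx c;
    long before = live_blocks;
    if (!toy_digest_init(&c)) return -1;
    for (int i = 0; i < n; i++)
        if (!reset(&c)) return -1;
    toy_ctx_cleanup(&c);
    return live_blocks - before;
}

int main(void)
{
    printf("leaky: %ld  fixed: %ld\n",
           leaked_after(1000, reset_leaky), leaked_after(1000, reset_fixed));
    return 0;
}
```

In this model the number of orphaned blocks equals the number of resets, so a caller that resets one context many times loses far more than a caller that resets it once.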
