[openssl-dev] OpenSSL version 1.1.0 pre release 3 published

Matt Caswell matt at openssl.org
Mon Feb 15 22:17:15 UTC 2016



On 15/02/16 21:50, Jouni Malinen wrote:
> On Mon, Feb 15, 2016 at 09:34:33PM +0000, Matt Caswell wrote:
>> On 15/02/16 21:25, Jouni Malinen wrote:
>>> Is this change in OpenSSL behavior expected? Is it not allowed to call
>>> EVP_cleanup() and then re-initialize OpenSSL digests with
>>> SSL_library_init()?
>>
>> Correct, you cannot reinit once you have deinit.
> 
> OK.. That used to work, though, so it would be good to mention this
> clearly in the release notes since this can cause difficult-to-find
> issues for existing programs. Luckily I happened to have automated test
> cases that found this now with wpa_supplicant.
> 
>> You should not need to explicitly init or deinit at all. Try removing
>> all such calls. If you are getting memory leaks not caused by your
>> application then that is a bug in OpenSSL.
> 
> I agree with the "should not need" part, but there is a reason why I
> added those calls in the first place, i.e., these were needed with older
> OpenSSL releases (well, all releases so far since 1.1.0 has not been
> released). I guess I can remove these calls with #ifdef
> OPENSSL_VERSION_NUMBER < 0x10100000L to maintain support for older
> versions.
> 
> I'd also recommend updating EVP_cleanup man page to be clearer about
> EVP_cleanup() being something that must not be called if there are going
> to be any future calls to OpenSSL before the process exits.

Maybe EVP_cleanup() and other similar explicit deinit functions should
be deprecated, and do nothing in 1.1.0? The auto-deinit capability
should handle it. That way you would not need to do anything "special"
for 1.1.0 with "#ifdef" etc. What do you think?

If applications *must* do explicit cleanup they can always use the new
OPENSSL_cleanup() function (which is clear in the docs that you cannot
reinit afterwards).

Matt
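
The version guard Jouni Malinen describes above, as an added example (not code from wpa_supplicant or OpenSSL): the explicit SSL_library_init()/EVP_cleanup() calls are compiled only for releases before 1.1.0. The names crypto_init, crypto_deinit, crypto_users and LEGACY_EXPLICIT_INIT are hypothetical, and the reference count is an assumption about a program with several OpenSSL users.

```c
#include <stdio.h>

/* __has_include only lets this example build where OpenSSL headers are
 * absent; a real project includes <openssl/opensslv.h> unconditionally. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslv.h>)
#    include <openssl/opensslv.h>
#  endif
#endif

#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L
#  include <openssl/ssl.h>
#  include <openssl/evp.h>
#  define LEGACY_EXPLICIT_INIT 1
#else
#  define LEGACY_EXPLICIT_INIT 0   /* 1.1.0+: library inits and deinits itself */
#endif

static unsigned int crypto_users;  /* hypothetical per-process reference count */

/* Call once per subsystem that uses OpenSSL; returns the new user count. */
unsigned int crypto_init(void)
{
#if LEGACY_EXPLICIT_INIT
    if (crypto_users == 0)
        SSL_library_init();        /* registers ciphers and digests */
#endif
    return ++crypto_users;
}

/* Balances crypto_init(); returns the remaining user count. */
unsigned int crypto_deinit(void)
{
    if (crypto_users == 0)
        return 0;                  /* unbalanced call: ignore it */
    --crypto_users;
#if LEGACY_EXPLICIT_INIT
    if (crypto_users == 0)
        EVP_cleanup();             /* pre-1.1.0 only; never compiled for 1.1.0+ */
#endif
    return crypto_users;
}

int main(void)
{
    crypto_init();
    crypto_deinit();               /* last user gone: legacy cleanup runs */
    printf("legacy=%d users=%u\n", LEGACY_EXPLICIT_INIT, crypto_init());
    return crypto_deinit() != 0;
}
```

Built against 1.1.0 or later, the wrapper references no OpenSSL init or deinit symbol, so a later crypto_init() after the count has dropped to zero cannot hit the reinit-after-deinit case discussed in this thread.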


