[openssl-dev] [openssl.org #4546] bug: misleading docs for EVP_*{Cipher, Encrypt, Decrypt}Final() functions in release branch
g1pi@libero.it via RT
rt at openssl.org
Sun May 29 21:49:23 UTC 2016
More than 14 years ago, on Wed May 15 18:49:25 2002, Dr. Stephen Henson
committed a change to crypto/evp/evp_enc.c that made the EVP_*Final()
functions identical to the corresponding *_ex() functions.
In 2014, Rich Salz fixed the doc on the master branch with commit
538860a3ce0b9fd142a7f1a62e597cccb74475d3. However, the docs for the
current release branch (1.0.2) have not been updated, and still carry
misleading information:
https://www.openssl.org/docs/man1.0.2/crypto/EVP_CipherFinal.html
Whoever relies on the manual without reading the openssl source code, and
uses the EVP_*Final() functions without calling EVP_CIPHER_CTX_cleanup()
afterwards, is liable to leak memory and probably leave encryption keys
floating in RAM, waiting for a bug elsewhere to spill them.
Would you mind merging commit 538860a3ce0b9fd142a7f1a62e597cccb74475d3
into the 1.0.2 stable branch?
Best regards,
g
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4546
Please log in as guest with password guest if prompted