liboqs usage of OpenSSL memory APIs

[baluduvvuri1]

Hi all,

We set OQS_USE_OPENSSL to ON during compilation of liboqs (-DOQS_USE_OPENSSL=ON) so that liboqs will use OpenSSL API's as needed and as the crypto code provider.

The issue is in order for liboqs to use the OpenSSL memory API's, the check is as below:

In the liboqs source code : src/common/common.h

#if (defined(OQS_USE_OPENSSL) || defined(OQS_DLOPEN_OPENSSL)) &&
defined(OPENSSL_VERSION_NUMBER)
#include <openssl/crypto.h>
#define OQS_MEM_malloc(size) OPENSSL_malloc(size) --->OpenSSL memory API
..........
#else
...........
#define OQS_MEM_malloc(size) malloc(size) // IGNORE memory-check

My question is who needs to define OPENSSL_VERSION_NUMBER?

The definition of OPENSSL_VERSION_NUMBER is present in the OpenSSL header file opensslv.h which is included by crypto.h

But as from above code , crypto.h is included only if OPENSSL_VERSION_NUMBER has been defined?

Can you please help to understand ?

The below change worked for me:

#if (defined(OQS_USE_OPENSSL))
#include <openssl/crypto.h>
#endif

#if (defined(OQS_USE_OPENSSL) || defined(OQS_DLOPEN_OPENSSL)) &&
defined(OPENSSL_VERSION_NUMBER)
#define OQS_MEM_malloc(size) OPENSSL_malloc(size)
..........
#else
..........
#define OQS_MEM_malloc(size) malloc(size) // IGNORE memory-check...

Thanks
Bala

[baentsch]

Thanks for this excellent question and observation, @baluduvvuri1 ! IMO this is a serious bug effectively disabling use of OpenSSL malloc logic entirely. Would you want to contribute your fix as a PR to plug that hole? Moving this to issues for resolution either way.

[SWilson4]

Hi @baluduvvuri1, I believe this has been resolved by 64bceb3. Would you be able to confirm that the issue is indeed fixed for you?

[baluduvvuri1]

@SWilson4, I have verified that with this commit, liboqs is invoking the OpenSSL memory API's correctly.