From 369d1c90453be23270a30229cbf4f731e4080407 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Tue, 3 Mar 2026 09:00:18 +0100
Subject: lib: Fix missing cleanup in authentication path

When auth_verify_crt fails (e.g., missing root CA),
crypt_get_pubkey_crt has already allocated pk but only crt was freed.

Adds a crypt_cleanup() function to wrap OpenSSL_cleanup(), as OpenSSL
lazily initializes a global decoder/provider registry the first time
PEM_read_bio or OSSL_DECODER_CTX_new_for_pkey is called, and this
leaves some memory owned by OpenSSL that triggers the leak sanitizer.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/irmd/oap/auth.c                  | 4 ++--
 src/irmd/oap/tests/oap_test.c        | 2 ++
 src/irmd/oap/tests/oap_test_ml_dsa.c | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

(limited to 'src/irmd/oap')

diff --git a/src/irmd/oap/auth.c b/src/irmd/oap/auth.c
index a11ab158..4b86f055 100644
--- a/src/irmd/oap/auth.c
+++ b/src/irmd/oap/auth.c
@@ -183,7 +183,7 @@ int oap_auth_peer(char *                 name,
                   const struct oap_hdr * peer_hdr)
 {
         void *     crt;
-        void *     pk;
+        void *     pk  = NULL;
         buffer_t   sign; /* Signed region */
         uint8_t *  id = peer_hdr->id.data;
 
@@ -244,8 +244,8 @@ int oap_auth_peer(char *                 name,
         return 0;
 
  fail_check_sig:
-        crypt_free_key(pk);
  fail_crt:
+        crypt_free_key(pk);
         crypt_free_crt(crt);
  fail_check:
         return -EAUTH;
diff --git a/src/irmd/oap/tests/oap_test.c b/src/irmd/oap/tests/oap_test.c
index dffffe82..a324b586 100644
--- a/src/irmd/oap/tests/oap_test.c
+++ b/src/irmd/oap/tests/oap_test.c
@@ -1247,5 +1247,7 @@ int oap_test(int    argc,
 
         ret = TEST_RC_SKIP;
 #endif
+        crypt_cleanup();
+
         return ret;
 }
diff --git a/src/irmd/oap/tests/oap_test_ml_dsa.c b/src/irmd/oap/tests/oap_test_ml_dsa.c
index f9e6bdb2..81b307ab 100644
--- a/src/irmd/oap/tests/oap_test_ml_dsa.c
+++ b/src/irmd/oap/tests/oap_test_ml_dsa.c
@@ -442,6 +442,7 @@ int oap_test_ml_dsa(int    argc,
 
         ret = TEST_RC_SKIP;
 #endif
+        crypt_cleanup();
 
         return ret;
 }
-- 
cgit v1.2.3