From 369d1c90453be23270a30229cbf4f731e4080407 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Tue, 3 Mar 2026 09:00:18 +0100
Subject: lib: Fix missing cleanup in authentication path

When auth_verify_crt fails (e.g., missing root CA),
crypt_get_pubkey_crt has already allocated pk but only crt was freed.

Adds a crypt_cleanup() function to wrap OpenSSL_cleanup(), as OpenSSL
lazily initializes a global decoder/provider registry the first time
PEM_read_bio or OSSL_DECODER_CTX_new_for_pkey is called, and this
leaves some memory owned by OpenSSL that triggers the leak sanitizer.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/lib/crypt/openssl.h | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/lib/crypt/openssl.h')

diff --git a/src/lib/crypt/openssl.h b/src/lib/crypt/openssl.h
index b95d1b0b..af285232 100644
--- a/src/lib/crypt/openssl.h
+++ b/src/lib/crypt/openssl.h
@@ -169,4 +169,6 @@ void    openssl_secure_free(void * ptr,
 void    openssl_secure_clear(void * ptr,
                              size_t size);
 
+void    openssl_cleanup(void);
+
 #endif /* OUROBOROS_LIB_CRYPT_OPENSSL_H */
-- 
cgit v1.2.3