Free objects that were dynamically allocated in libcrypto with OPENSSL_free().

When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@

sbin/iked/ca.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ca.c,v 1.88 2022/07/08 19:51:11 tobhe Exp $	*/
+/*	$OpenBSD: ca.c,v 1.89 2022/11/07 22:39:52 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -683,7 +683,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
 			if (subj_name == NULL)
 				return (-1);
 			log_debug("%s: found CA %s", __func__, subj_name);
-			free(subj_name);
+			OPENSSL_free(subj_name);
 
 			chain_len = ca_chain_by_issuer(store, subj, &id,
 			    chain, nitems(chain));
@@ -746,7 +746,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
 			return (-1);
 		log_debug("%s: found local certificate %s", __func__,
 		    subj_name);
-		free(subj_name);
+		OPENSSL_free(subj_name);
 
 		if ((buf = ca_x509_serialize(cert)) == NULL)
 			return (-1);
@@ -921,7 +921,7 @@ ca_reload(struct iked *env)
 		if (subj_name == NULL)
 			return (-1);
 		log_debug("%s: %s", __func__, subj_name);
-		free(subj_name);
+		OPENSSL_free(subj_name);
 
 		if (ibuf_add(env->sc_certreq, md, len) != 0) {
 			ibuf_release(env->sc_certreq);
@@ -1195,10 +1195,10 @@ ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size)
 	if (buflen == 0)
 		return (-1);
 	if (!EVP_Digest(buf, buflen, md, size, EVP_sha1(), NULL)) {
-		free(buf);
+		OPENSSL_free(buf);
 		return (-1);
 	}
-	free(buf);
+	OPENSSL_free(buf);
 
 	return (0);
 }
@@ -1225,7 +1225,7 @@ ca_store_info(struct iked *env, const char *msg, X509_STORE *ctx)
 		    (name = X509_NAME_oneline(subject, NULL, 0)) == NULL)
 			continue;
 		buflen = asprintf(&buf, "%s: %s\n", msg, name);
-		free(name);
+		OPENSSL_free(name);
 		if (buflen == -1)
 			continue;
 		proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
@@ -1478,6 +1478,10 @@ ca_privkey_to_method(struct iked_id *privkey)
 	return (method);
 }
 
+/*
+ * Return dynamically allocated buffer containing certificate name.
+ * The resulting buffer must be freed with OpenSSL_free().
+ */
 char *
 ca_asn1_name(uint8_t *asn1, size_t len)
 {
@@ -1795,7 +1799,7 @@ ca_validate_cert(struct iked *env, struct iked_static_id *id,
 		if (subj_name == NULL)
 			goto err;
 		log_debug("%s: %s %.100s", __func__, subj_name, errstr);
-		free(subj_name);
+		OPENSSL_free(subj_name);
 	}
  err:
 

sbin/iked/crypto.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crypto.c,v 1.39 2021/12/13 17:35:34 tobhe Exp $	*/
+/*	$OpenBSD: crypto.c,v 1.40 2022/11/07 22:39:52 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -1193,11 +1193,11 @@ dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len)
 		if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0)
 			return (-1);
 		if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) {
-			free(freeme);
+			OPENSSL_free(freeme);
 			ca_sslerror(__func__);
 			return (-1);
 		}
-		free(freeme);
+		OPENSSL_free(freeme);
 	}
 
 	return (0);

sbin/iked/ikev2.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.356 2022/11/06 11:11:47 tobhe Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.357 2022/11/07 22:39:52 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -6963,10 +6963,10 @@ ikev2_print_id(struct iked_id *id, char *idstr, size_t idstrlen)
 		if ((str = ca_asn1_name(ptr, len)) == NULL)
 			return (-1);
 		if (strlcpy(idstr, str, idstrlen) >= idstrlen) {
-			free(str);
+			OPENSSL_free(str);
 			return (-1);
 		}
-		free(str);
+		OPENSSL_free(str);
 		break;
 	default:
 		/* XXX test */