3

I have an odd situation in my application. I am using the EVP methods in OpenSSL to compute digests and perform encryption. At the end of it, I am performing an EVP_cleanup() in the destructor of my CryptoProvider class (the main gateway to my application). It unloads all the algorithms etc. from the OpenSSL state.

However, this makes it impossible for seamless usage of OpenSSL outside my application, if the client is using it for something else. It cleans up their work as well.

Now, I am left with these choices:

  • Ignore EVP_cleanup(). Will this result in leaks or other consequences?

  • Set up a static API for cleanup in my application, that the client must call towards the end of their lifetime, which is much after the lifetime of my application.

  • Just trust the client to call EVP_cleanup at the end of its lifetime.

What do you think you would do here?

SkypeMeSM
  • Reference count the use of your CryptoProvider class. Only call `EVP_cleanup()` when the reference count drops to 0. – jww Mar 05 '16 at 04:07
  • Actually I call EVP_cleanup() after all my usage is done. But there are other pieces of the client application which use OpenSSL, not through my CryptoProvider or my library. I have no control on this usage. So, I will have to probably not do EVP_cleanup at the end. – SkypeMeSM Mar 05 '16 at 22:47

1 Answer

3

I had this question this morning and came across this thread... It would have saved me time if I had found the following response:

The EVP_cleanup() function was deprecated in OpenSSL versions 1.0.2h and 1.1.0.

See their change-log for full details.

Excerpt:

"Make various cleanup routines no-ops and mark them as deprecated. Most global cleanup functions are no longer required because they are handled via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages). Explicitly de-initing can cause problems (e.g. where a library that uses OpenSSL de-inits, but an application is still using it). The affected functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(), EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(), RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and COMP_zlib_cleanup()."

AceFunk
  • Found out the hard way that EVP_cleanup() will cause Apache web server to fail authentication... apparently calling it on a system where Apache is running causes Apache to lose its TLS certificate. – AceFunk Oct 26 '17 at 19:03
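
An added example (not code from the question, the comments or the answer): jww's reference-counting suggestion combined with the version guard implied by the answer, so the global teardown is skipped on OpenSSL 1.1.0 and later and also when other code in the process may still be using OpenSSL. `OpenSSLUseCount`, `OpenSSLUse`, the `host_owns_openssl` flag and the `WITH_OPENSSL` build macro are hypothetical names; the teardown hook is injectable so the block builds without libcrypto.

```cpp
#include <functional>
#include <mutex>
#include <utility>
#ifdef WITH_OPENSSL  // assumption: defined by your build when linking libcrypto
#include <openssl/evp.h>
#include <openssl/opensslv.h>
#endif

// Global teardown for OpenSSL older than 1.1.0. From 1.1.0 on the library
// de-initialises itself, so this function compiles to nothing there.
inline void legacy_openssl_teardown() {
#if defined(WITH_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L
    EVP_cleanup();
#endif
}

// Hypothetical helper: counts live users and runs the teardown hook only when
// the last one is released AND the host declared that nothing else in the
// process uses OpenSSL. A count kept inside one library cannot see other callers.
class OpenSSLUseCount {
public:
    OpenSSLUseCount(std::function<void()> teardown, bool host_owns_openssl)
        : teardown_(std::move(teardown)), host_owns_(host_owns_openssl) {}
    void acquire() { std::lock_guard<std::mutex> lock(mu_); ++count_; }
    // Returns true only if the teardown hook actually ran.
    bool release() {
        std::lock_guard<std::mutex> lock(mu_);
        if (count_ == 0 || --count_ != 0 || !host_owns_) return false;
        teardown_();
        return true;
    }
private:
    std::mutex mu_;
    unsigned count_ = 0;
    std::function<void()> teardown_;
    bool host_owns_;
};

// RAII handle a CryptoProvider-style class would hold as a member.
class OpenSSLUse {
public:
    explicit OpenSSLUse(OpenSSLUseCount& c) : c_(c) { c_.acquire(); }
    ~OpenSSLUse() { c_.release(); }
    OpenSSLUse(const OpenSSLUse&) = delete;
    OpenSSLUse& operator=(const OpenSSLUse&) = delete;
private:
    OpenSSLUseCount& c_;
};
```

A library embedded in someone else's process would construct the counter with `host_owns_openssl` set to false and pass `legacy_openssl_teardown` as the hook, leaving the decision to tear down to the application.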