Issue with freeing X509

Issue with freeing X509

Adi Mallikarjuna Reddy V
Hi,

If I have an X509 object that was created using PEM_read_bio_X509_AUX(), can I free the X509 right after PEM_read_bio_X509_AUX() completes?

    BIO *cert_bio = BIO_new(BIO_s_mem());
    X509 *cert = NULL;
    BIO_puts(cert_bio, cert_str.c_str());
    // With a NULL second argument PEM_read_bio_X509_AUX() allocates the X509
    // itself, so no separate X509_new() is needed.
    cert = PEM_read_bio_X509_AUX(cert_bio, NULL, NULL, NULL);
    if ((cert != NULL) && SSL_CTX_use_certificate(ctx, cert) < 1) {
        // SSL_CTX_use_certificate() failed, so ctx holds no reference to cert
        X509_free(cert);
        BIO_free(cert_bio);
        SSL_CTX_free(ctx);
        return NULL;
    }

    if (cert_bio != NULL) {
        BIO_free(cert_bio);
    }
    if (cert != NULL) {
        X509_free(cert); //is it needed?
    }


Thanks
Adi

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Issue with freeing X509

OpenSSL - User mailing list
On 10/17/2017 08:39 AM, Adi Mallikarjuna Reddy V wrote:
Hi,

If I have an X509 object that was created using PEM_read_bio_X509_AUX(), can I free the X509 right after PEM_read_bio_X509_AUX() completes?

    BIO *cert_bio = BIO_new(BIO_s_mem());
    X509 *cert = NULL;
    BIO_puts(cert_bio, cert_str.c_str());
    cert = PEM_read_bio_X509_AUX(cert_bio, NULL, NULL, NULL);
    if ((cert != NULL) && SSL_CTX_use_certificate(ctx, cert) < 1) {
        SSL_CTX_free(ctx);

Yes.

-Ben

Re: Issue with freeing X509

Adi Mallikarjuna Reddy V
Forgot to mention that the ssl_ctx is going to be used by another thread later. When I do x509_free, the handshake doesn’t finish.

I see a crash in ssl_accept.

Thanks 
Adi

Re: Issue with freeing X509

OpenSSL - User mailing list
You only asked about freeing the X509, which is safe in this situation.

It is not safe to free the SSL_CTX if you want to use it again later -- remove this SSL_CTX_free(ctx) call and put one in your program's cleanup instead.

-Ben

Re: Issue with freeing X509

Adi Mallikarjuna Reddy V
I am only worried about the following line. 

SSL_CTX_use_certificate(ctx, cert)

After this line, is it safe to free the cert object while ctx is still used later on?

Thanks 
Adi
Re: Issue with freeing X509

OpenSSL - User mailing list
On 10/17/2017 11:27 AM, Adi Mallikarjuna Reddy V wrote:
I am only worried about the following line. 

SSL_CTX_use_certificate(ctx, cert)

After this line, is it safe to free the cert object while ctx is still used later on?


SSL_CTX_use_certificate(ctx, cert), on successful return, takes an additional reference on the supplied |cert| argument to account for the pointer in |ctx|.  Thus, the caller of SSL_CTX_use_certificate() can safely call X509_free(cert) to release the caller's local reference, while the |ctx| retains a pointer to |cert|.

-Ben

Re: Issue with freeing X509

Adi Mallikarjuna Reddy V
Is this documented somewhere?

Also, is the same true with SSL_CTX_use_PrivateKey(ctx, evp_pkey), where I can free evp_pkey with EVP_PKEY_free()?


Thanks
Adi

Re: Issue with freeing X509

OpenSSL - User mailing list
I thought this had become documented recently (i.e., in master only, not even in 1.1.0), but can't find any evidence of such documentation.

SSL_CTX_use_PrivateKey() takes a reference on its pkey argument in the same way as SSL_CTX_use_certificate(); it is safe for the local code to free its local copy.

-Ben

Re: Issue with freeing X509

Adi Mallikarjuna Reddy V
Since I tried all that and it crashes, I am going ahead and giving you more details on how I created the cert/evp_pkey objects.


X509 *cert =  PEM_read_bio_X509_AUX(cert_bio, NULL, NULL, NULL);

EVP_PKEY *evp_pkey = PEM_read_bio_PrivateKey(key_bio, NULL, NULL, NULL);

I tried freeing both cert and evp_pkey locally, both before I even use the SSL_CTX object and after using it and freeing it with SSL_CTX_free(ctx). Both result in a signal 11 crash.


/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(i2c_ASN1_INTEGER+0x10)[0x2b6a4a09d2b0]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(asn1_ex_i2c+0x119)[0x2b6a4a0a8269]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(+0x13835f)[0x2b6a4a0a835f]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_ex_i2d+0x127)[0x2b6a4a0a85d7]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(+0x138b51)[0x2b6a4a0a8b51]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_ex_i2d+0x270)[0x2b6a4a0a8720]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(+0x138bdd)[0x2b6a4a0a8bdd]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_ex_i2d+0x270)[0x2b6a4a0a8720]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_i2d+0x4b)[0x2b6a4a0a8ebb]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(+0x463db)[0x2b6a49d473db]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl_add_cert_chain+0xb1)[0x2b6a49d47551]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl3_output_cert_chain+0x28)[0x2b6a49d2dc88]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl3_send_server_certificate+0x3d)[0x2b6a49d1b2bd]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl3_accept+0xfe8)[0x2b6a49d206b8]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl23_get_client_hello+0x94)[0x2b6a49d2f984]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl23_accept+0xa1)[0x2b6a49d30251]




