Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Adi Mallikarjuna Reddy V
Since I tried all that and it crashes, I am going ahead and giving you
more details on how I created the cert/evp_pkey objects.


X509 *cert = PEM_read_bio_X509_AUX(cert_bio, NULL, NULL, NULL);

EVP_PKEY *evp_pkey = PEM_read_bio_PrivateKey(key_bio, NULL, NULL, NULL);

I tried freeing both cert and evp_pkey locally, both before I even use the
SSL_CTX object and after using it and freeing it with SSL_CTX_free(ctx). Both
result in a signal 11 crash.


/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(i2c_ASN1_INTEGER+0x10)[0x2b6a4a09d2b0]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(asn1_ex_i2c+0x119)[0x2b6a4a0a8269]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(+0x13835f)[0x2b6a4a0a835f]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_ex_i2d+0x127)[0x2b6a4a0a85d7]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(+0x138b51)[0x2b6a4a0a8b51]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_ex_i2d+0x270)[0x2b6a4a0a8720]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(+0x138bdd)[0x2b6a4a0a8bdd]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_ex_i2d+0x270)[0x2b6a4a0a8720]
/opt/openssl/1.0.2k/lib64/libcrypto.so.1.0.0(ASN1_item_i2d+0x4b)[0x2b6a4a0a8ebb]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(+0x463db)[0x2b6a49d473db]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl_add_cert_chain+0xb1)[0x2b6a49d47551]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl3_output_cert_chain+0x28)[0x2b6a49d2dc88]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl3_send_server_certificate+0x3d)[0x2b6a49d1b2bd]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl3_accept+0xfe8)[0x2b6a49d206b8]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl23_get_client_hello+0x94)[0x2b6a49d2f984]
/opt/openssl/1.0.2k/lib64/libssl.so.1.0.0(ssl23_accept+0xa1)[0x2b6a49d30251]





On Tue, Oct 17, 2017 at 11:37 AM, Benjamin Kaduk  wrote:

> I thought this had become documented recently (i.e., in master only, not
> even in 1.1.0), but can't find any evidence of such documentation.
>
> SSL_CTX_use_PrivateKey() takes a reference on its pkey argument in the
> same way as SSL_CTX_use_certificate(); it is safe for the local code to
> free its local copy.
>
> -Ben
>
> On 10/17/2017 12:32 PM, Adi Mallikarjuna Reddy V wrote:
>
> Is this documented somewhere?
>
> Also is the same true - with SSL_CTX_use_PrivateKey(ctx, evp_pkey) ? where
> I can free evp_pkey with EVP_PKEY_free()?
>
>
> Thanks
> Adi
>
> On Tue, Oct 17, 2017 at 9:50 AM, Benjamin Kaduk  wrote:
>
>> On 10/17/2017 11:27 AM, Adi Mallikarjuna Reddy V wrote:
>>
>> I am only worried about the following line.
>>
>> SSL_CTX_use_certificate(ctx, cert)
>>
>> After this line is it safe to free cert object while ctx is still used
>> later on?
>>
>>
>> SSL_CTX_use_certificate(ctx, cert), on successful return, takes an
>> additional reference on the supplied |cert| argument to account for the
>> pointer in |ctx|.  Thus, the caller of SSL_CTX_use_certificate() can safely
>> call X509_free(cert) to release the caller's local reference, while the
>> |ctx| retains a pointer to |cert|.
>>
>> -Ben
>>
>
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
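
The ownership rule from Benjamin Kaduk's replies, as an added example that is not part of the thread and is not OpenSSL code: a toy reference-counted model (every `toy_*` name and `refs_left_after` is hypothetical) that tracks the count through load, install and free. It goes one step past the thread by also running zero and two local frees, which show the leak and the dangling-pointer case.

```c
#include <stdio.h>

/* Toy stand-ins for X509 and SSL_CTX (hypothetical, not OpenSSL types). */
typedef struct { int refs; int destroyed; } toy_cert;
typedef struct { toy_cert *cert; } toy_ctx;

/* Static storage keeps a "destroyed" object inspectable; real code frees it. */
static toy_cert pool[8];
static int pool_used;

/* Like PEM_read_bio_X509_AUX(): the caller owns the single initial reference. */
static toy_cert *toy_cert_load(void) {
    if (pool_used == 8) return NULL;
    toy_cert *c = &pool[pool_used++];
    *c = (toy_cert){ 1, 0 };
    return c;
}

/* Like X509_free(): drop one reference, destroy the object on the last one. */
static void toy_cert_free(toy_cert *c) {
    if (c != NULL && --c->refs == 0) c->destroyed = 1;
}

/* Like SSL_CTX_use_certificate(): on success the ctx takes its own reference. */
static int toy_ctx_use_cert(toy_ctx *ctx, toy_cert *c) {
    if (c == NULL) return 0;
    c->refs++;
    ctx->cert = c;
    return 1;
}

/* Load, install, drop the caller's reference n times, tear down if safe. */
int refs_left_after(int n_local_frees, int *ctx_cert_alive) {
    toy_ctx ctx = { NULL };
    toy_cert *cert = toy_cert_load();
    if (!toy_ctx_use_cert(&ctx, cert)) return -1;
    while (n_local_frees-- > 0) toy_cert_free(cert);
    *ctx_cert_alive = !ctx.cert->destroyed;   /* 0: ctx holds a dangling pointer */
    if (*ctx_cert_alive) toy_cert_free(ctx.cert);  /* what SSL_CTX_free() would do */
    return cert->refs;
}

int main(void) {
    for (int n = 0; n <= 2; n++) {
        int alive = 0, left = refs_left_after(n, &alive);
        printf("local frees=%d ctx cert alive=%d refs left=%d\n", n, alive, left);
    }
    return 0;
}
```

Exactly one local free is the balanced case: the context's certificate stays valid and no reference is left over after teardown.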


Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Benjamin Kaduk via openssl-users
I thought this had become documented recently (i.e., in master only, not
even in 1.1.0), but can't find any evidence of such documentation.

SSL_CTX_use_PrivateKey() takes a reference on its pkey argument in the
same way as SSL_CTX_use_certificate(); it is safe for the local code to
free its local copy.

-Ben

On 10/17/2017 12:32 PM, Adi Mallikarjuna Reddy V wrote:
> Is this documented somewhere?
>
> Also is the same true - with SSL_CTX_use_PrivateKey(ctx, evp_pkey) ?
> where I can free evp_pkey with EVP_PKEY_free()?
>
>
> Thanks
> Adi
>
> On Tue, Oct 17, 2017 at 9:50 AM, Benjamin Kaduk wrote:
>
> On 10/17/2017 11:27 AM, Adi Mallikarjuna Reddy V wrote:
>>> I am only worried about the following line. 
>>>
>>> SSL_CTX_use_certificate(ctx, cert)
>>>
>>> After this line is it safe to free cert object while ctx is
>>> still used later on?
>>>
>
> SSL_CTX_use_certificate(ctx, cert), on successful return, takes an
> additional reference on the supplied |cert| argument to account
> for the pointer in |ctx|.  Thus, the caller of
> SSL_CTX_use_certificate() can safely call X509_free(cert) to
> release the caller's local reference, while the |ctx| retains a
> pointer to |cert|.
>
> -Ben
>
>



Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Adi Mallikarjuna Reddy V
Is this documented somewhere?

Also is the same true - with SSL_CTX_use_PrivateKey(ctx, evp_pkey) ? where
I can free evp_pkey with EVP_PKEY_free()?


Thanks
Adi

On Tue, Oct 17, 2017 at 9:50 AM, Benjamin Kaduk  wrote:

> On 10/17/2017 11:27 AM, Adi Mallikarjuna Reddy V wrote:
>
> I am only worried about the following line.
>
> SSL_CTX_use_certificate(ctx, cert)
>
> After this line is it safe to free cert object while ctx is still used
> later on?
>
>
> SSL_CTX_use_certificate(ctx, cert), on successful return, takes an
> additional reference on the supplied |cert| argument to account for the
> pointer in |ctx|.  Thus, the caller of SSL_CTX_use_certificate() can safely
> call X509_free(cert) to release the caller's local reference, while the
> |ctx| retains a pointer to |cert|.
>
> -Ben
>


Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Benjamin Kaduk via openssl-users
On 10/17/2017 11:27 AM, Adi Mallikarjuna Reddy V wrote:
>> I am only worried about the following line. 
>>
>> SSL_CTX_use_certificate(ctx, cert)
>>
>> After this line is it safe to free cert object while ctx is still
>> used later on?
>>

SSL_CTX_use_certificate(ctx, cert), on successful return, takes an
additional reference on the supplied |cert| argument to account for the
pointer in |ctx|.  Thus, the caller of SSL_CTX_use_certificate() can
safely call X509_free(cert) to release the caller's local reference,
while the |ctx| retains a pointer to |cert|.

-Ben


Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Adi Mallikarjuna Reddy V
I am only worried about the following line.

SSL_CTX_use_certificate(ctx, cert)

After this line is it safe to free cert object while ctx is still used
later on?

Thanks
Adi

On Tue, Oct 17, 2017 at 9:21 AM Benjamin Kaduk  wrote:

> You only asked about freeing the X509, which is safe in this situation.
>
> It is not safe to free the SSL_CTX if you want to use it again later --
> remove this SSL_CTX_free(ctx) call and put one in your program's cleanup
> instead.
>
> -Ben
>
> On 10/17/2017 11:08 AM, Adi Mallikarjuna Reddy V wrote:
>
> Forgot to mention that the ssl_ctx is going to be used by another thread
> later. When I do x509_free, the handshake doesn’t finish.
>
> I see a crash in ssl_accept.
>
> Thanks
> Adi
>
> On Tue, Oct 17, 2017 at 8:41 AM Benjamin Kaduk  wrote:
>
>> On 10/17/2017 08:39 AM, Adi Mallikarjuna Reddy V wrote:
>>
>> Hi,
>>
>> If I have an X509 object and is created using PEM_read_bio_X509_AUX(),
>> then Can I free X509 right after the completion of PEM_read_bio_X509_AUX()?
>>
>>BIO *cert_bio = BIO_new(BIO_s_mem());
>> X509 *cert = X509_new();
>> BIO_puts(cert_bio, cert_str.c_str());
>> cert = PEM_read_bio_X509_AUX(cert_bio,
>> , NULL, NULL);
>> if ( (cert != NULL) &&
>> SSL_CTX_use_certificate(ctx, cert) < 1) {
>> SSL_CTX_free(ctx);
>>
>>
>> Yes.
>>
>> -Ben
>>
>>
>> return NULL;
>> }
>>
>> if(cert_bio !=NULL) {
>> BIO_free(cert_bio);
>> }
>> if(cert != NULL) {
>> X509_free(cert); //is it needed?
>> }
>>
>>
>> Thanks
>> Adi
>>
>>
>>
>> --
> Sent from Mobile
>
>
> --
Sent from Mobile


Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Benjamin Kaduk via openssl-users
You only asked about freeing the X509, which is safe in this situation.

It is not safe to free the SSL_CTX if you want to use it again later --
remove this SSL_CTX_free(ctx) call and put one in your program's cleanup
instead.

-Ben

On 10/17/2017 11:08 AM, Adi Mallikarjuna Reddy V wrote:
> Forgot to mention that the ssl_ctx is going to be used by another
> thread later. When I do x509_free, the handshake doesn’t finish.
>
> I see a crash in ssl_accept.
>
> Thanks 
> Adi
>
> On Tue, Oct 17, 2017 at 8:41 AM Benjamin Kaduk wrote:
>
> On 10/17/2017 08:39 AM, Adi Mallikarjuna Reddy V wrote:
>> Hi,
>>
>> If I have an X509 object and is created
>> using PEM_read_bio_X509_AUX(), then Can I free X509 right after
>> the completion of PEM_read_bio_X509_AUX()?
>>
>>                                BIO *cert_bio = BIO_new(BIO_s_mem());
>>                                 X509 *cert = X509_new();
>>                                 BIO_puts(cert_bio, cert_str.c_str());
>>                                 cert =
>> PEM_read_bio_X509_AUX(cert_bio, , NULL, NULL);
>>                                 if ( (cert != NULL) &&
>> SSL_CTX_use_certificate(ctx, cert) < 1) {
>>                                         SSL_CTX_free(ctx);
>
> Yes.
>
> -Ben
>
>
>>                                         return NULL;
>>                                 }
>>                                
>>                                 if(cert_bio !=NULL) {
>>                                         BIO_free(cert_bio);
>>                                 }
>>                                 if(cert != NULL) {
>>                                         X509_free(cert); //is it
>> needed?
>>                                 }
>>
>>
>> Thanks
>> Adi
>>
>>
>
> -- 
> Sent from Mobile



Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Adi Mallikarjuna Reddy V
Forgot to mention that the ssl_ctx is going to be used by another thread
later. When I do x509_free, the handshake doesn’t finish.

I see a crash in ssl_accept.

Thanks
Adi

On Tue, Oct 17, 2017 at 8:41 AM Benjamin Kaduk  wrote:

> On 10/17/2017 08:39 AM, Adi Mallikarjuna Reddy V wrote:
>
> Hi,
>
> If I have an X509 object and is created using PEM_read_bio_X509_AUX(),
> then Can I free X509 right after the completion of PEM_read_bio_X509_AUX()?
>
>BIO *cert_bio = BIO_new(BIO_s_mem());
> X509 *cert = X509_new();
> BIO_puts(cert_bio, cert_str.c_str());
> cert = PEM_read_bio_X509_AUX(cert_bio,
> , NULL, NULL);
> if ( (cert != NULL) &&
> SSL_CTX_use_certificate(ctx, cert) < 1) {
> SSL_CTX_free(ctx);
>
>
> Yes.
>
> -Ben
>
>
> return NULL;
> }
>
> if(cert_bio !=NULL) {
> BIO_free(cert_bio);
> }
> if(cert != NULL) {
> X509_free(cert); //is it needed?
> }
>
>
> Thanks
> Adi
>
>
>
> --
Sent from Mobile


Re: [openssl-users] Issue with freeing X509

2017-10-17 Thread Benjamin Kaduk via openssl-users
On 10/17/2017 08:39 AM, Adi Mallikarjuna Reddy V wrote:
> Hi,
>
> If I have an X509 object and is created using PEM_read_bio_X509_AUX(),
> then Can I free X509 right after the completion
> of PEM_read_bio_X509_AUX()?
>
>                                BIO *cert_bio = BIO_new(BIO_s_mem());
>                                 X509 *cert = X509_new();
>                                 BIO_puts(cert_bio, cert_str.c_str());
>                                 cert = PEM_read_bio_X509_AUX(cert_bio,
> , NULL, NULL);
>                                 if ( (cert != NULL) &&
> SSL_CTX_use_certificate(ctx, cert) < 1) {
>                                         SSL_CTX_free(ctx);

Yes.

-Ben

>                                         return NULL;
>                                 }
>                                
>                                 if(cert_bio !=NULL) {
>                                         BIO_free(cert_bio);
>                                 }
>                                 if(cert != NULL) {
>                                         X509_free(cert); //is it needed?
>                                 }
>
>
> Thanks
> Adi
>
>



[openssl-users] Issue with freeing X509

2017-10-17 Thread Adi Mallikarjuna Reddy V
Hi,

If I have an X509 object that is created using PEM_read_bio_X509_AUX(), can
I free the X509 right after the completion of PEM_read_bio_X509_AUX()?

    BIO *cert_bio = BIO_new(BIO_s_mem());
    X509 *cert = X509_new();
    BIO_puts(cert_bio, cert_str.c_str());
    cert = PEM_read_bio_X509_AUX(cert_bio,
                                 , NULL, NULL);
    if ( (cert != NULL) &&
         SSL_CTX_use_certificate(ctx, cert) < 1) {
        SSL_CTX_free(ctx);
        return NULL;
    }

    if(cert_bio !=NULL) {
        BIO_free(cert_bio);
    }
    if(cert != NULL) {
        X509_free(cert); //is it needed?
    }


Thanks
Adi