I'm seeing a very, very strange problem with some application code (which I
unfortunately can't post in its entirety such that it could be compiled -- and
of course I'm having trouble finding a small test case, too) and OpenSSL
snapshots ranging from February to the latest from today (20070712). The
application provides an SSL_CTX_use_certificate_chain_bio() roughly modeled
on the one from Apache's mod_ssl. This routine takes an existing context "ctx"
and a bio "in", and does this:
int
SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
{
    int ret = 0;
    X509 *x = 0;
    X509 *ca;
    int r;
    u32_t err;

    ERR_clear_error();
    /* The first PEM object in the BIO is the server certificate itself. */
    x = PEM_read_bio_X509(in, 0,
                          ctx->default_passwd_callback,
                          ctx->default_passwd_callback_userdata);
    if (!x) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
        goto _end;
    }
    ret = SSL_CTX_use_certificate(ctx, x);
    [...]
    /*
     * If we could set up our certificate, now proceed to
     * the CA certificates.
     */
    while ((ca = PEM_read_bio_X509(in, 0,
                                   ctx->default_passwd_callback,
                                   ctx->default_passwd_callback_userdata))) {
        r = SSL_CTX_add_extra_chain_cert(ctx, ca);
With certain certificate chains, I find that, bizarrely, at exit from the
body of SSL_CTX_use_certificate, ctx->cert has been properly allocated and
filled in from the passed x509 x, but on return to the stack frame of the
caller (SSL_CTX_use_certificate_chain_bio()) ctx->cert is once again NULL.
Needless to say the succeeding add_extra_chain_cert() calls fail!
The environment is FreeBSD 4.11 and the compiler is the system gcc, which
identifies itself as "gcc version 2.95.4 20020320 [FreeBSD]". I suspected
an optimizer error but the same problem occurs at optimizations from O1 to
O3 and with or without -fomit-stack-pointer. The same application code
seems to work fine (can load the problematic certificate chains) with any
_released_ version of OpenSSL I've tried from 0.9.7 through 0.9.8e.
Has anyone else seen anything like this? I'm positively baffled as to
how the assignment of ctx->cert gets smashed on return from
SSL_CTX_use_certificate and suspect something must alias it, but I can't
see what.
Thor
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
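An added example, not code from the post above or from OpenSSL or mod_ssl: a plain-C model of the PEM_read_bio_X509() loop that a SSL_CTX_use_certificate_chain_bio() runs, written without libcrypto so it builds anywhere. It shows the two things the loop has to get right: the first CERTIFICATE object is the leaf for SSL_CTX_use_certificate() and every later one goes to SSL_CTX_add_extra_chain_cert(), and the loop ends normally only when no further "-----BEGIN " line exists (what libcrypto reports as PEM_R_NO_START_LINE), which the caller must tell apart from a damaged object (PEM_R_BAD_END_LINE) by inspecting the error queue after the loop rather than treating every NULL the same way. Objects with another label are skipped, as PEM_read_bio_X509() does, so a PRIVATE KEY block in the same file is not an error. The status names, the MAX_CHAIN limit, the struct and the sample chains are this example's own constructions; nothing is base64- or DER-decoded, so the body lines are placeholders.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example only (not the post's or OpenSSL's code): models the
 * PEM_read_bio_X509() loop of a SSL_CTX_use_certificate_chain_bio().
 * Object 0 is the leaf for SSL_CTX_use_certificate(); the rest go to
 * SSL_CTX_add_extra_chain_cert().  Status names, MAX_CHAIN and the
 * sample data are constructed for this example; nothing is decoded. */

#define MAX_CHAIN 8

enum pem_status {
    PEM_EOF = 0,            /* no further "-----BEGIN " line: normal end
                             * of chain (libcrypto: PEM_R_NO_START_LINE) */
    PEM_BAD_END = 1,        /* BEGIN without a matching END line
                             * (libcrypto: PEM_R_BAD_END_LINE) */
    PEM_CHAIN_TOO_LONG = 2  /* more CERTIFICATE objects than MAX_CHAIN */
};

struct pem_chain {
    int count;                   /* CERTIFICATE objects found, file order */
    const char *obj[MAX_CHAIN];  /* start of each "-----BEGIN CERTIFICATE" */
    size_t len[MAX_CHAIN];       /* bytes from that BEGIN through END label */
    int skipped;                 /* objects with another label, passed over */
};

static const char BEGIN_MARK[] = "-----BEGIN ";
static const char END_MARK[]   = "-----END ";
static const char CERT_LABEL[] = "CERTIFICATE-----";

/* Walk every PEM object in buf.  Non-CERTIFICATE objects are skipped, not
 * rejected, matching PEM_read_bio_X509(), which reads past e.g. a PRIVATE
 * KEY block until it finds a certificate or runs out of start lines. */
enum pem_status pem_walk_chain(const char *buf, struct pem_chain *out)
{
    const char *p = buf;

    memset(out, 0, sizeof(*out));
    for (;;) {
        const char *begin, *label, *end, *after, *next;
        size_t label_len;

        begin = strstr(p, BEGIN_MARK);
        if (begin == NULL)
            return PEM_EOF;
        label = begin + strlen(BEGIN_MARK);
        label_len = strcspn(label, "\r\n");

        /* A second BEGIN before any END means this object was cut off.
         * libcrypto would swallow it as body lines; this is stricter. */
        end = strstr(label, END_MARK);
        next = strstr(label, BEGIN_MARK);
        if (end == NULL || (next != NULL && next < end))
            return PEM_BAD_END;
        /* The END line must repeat the BEGIN label exactly. */
        if (strncmp(end + strlen(END_MARK), label, label_len) != 0)
            return PEM_BAD_END;
        after = end + strlen(END_MARK) + label_len;

        if (strncmp(label, CERT_LABEL, strlen(CERT_LABEL)) == 0) {
            if (out->count == MAX_CHAIN)
                return PEM_CHAIN_TOO_LONG;
            out->obj[out->count] = begin;
            out->len[out->count] = (size_t)(after - begin);
            out->count++;
        } else {
            out->skipped++;
        }
        p = after;
    }
}

/* Constructed sample: leaf, a stray private key, then two CA certs.
 * Body lines are placeholders, not real base64. */
static const char SAMPLE_CHAIN[] =
    "# leaf, stray key, intermediate, root\n"
    "-----BEGIN CERTIFICATE-----\nLEAFLEAFLEAFLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nKEYKEYKEY\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERINTERINTER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nROOTROOTROOT\n-----END CERTIFICATE-----\n\n";

/* Constructed sample cut off inside the second object. */
static const char TRUNCATED_CHAIN[] =
    "-----BEGIN CERTIFICATE-----\nLEAFLEAFLEAFLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERINTER";

int main(void)
{
    struct pem_chain c;
    enum pem_status st;
    int i;

    st = pem_walk_chain(SAMPLE_CHAIN, &c);
    printf("status %d, %d certificate(s), %d skipped\n", st, c.count, c.skipped);
    for (i = 0; i < c.count; i++)
        printf("  object %d: %s, %lu bytes\n", i,
               i == 0 ? "leaf (SSL_CTX_use_certificate)"
                      : "chain (SSL_CTX_add_extra_chain_cert)",
               (unsigned long)c.len[i]);
    st = pem_walk_chain(TRUNCATED_CHAIN, &c);
    printf("truncated: status %d after %d certificate(s)\n", st, c.count);
    return 0;
}
```

Separately from the loop itself, one check worth making on the routine posted above: it reads ctx->default_passwd_callback straight out of the SSL_CTX, which only works when the SSL_CTX layout in the headers the application was compiled against matches the libssl it is actually loaded with. Between development snapshots that is not guaranteed, so rebuilding the application against the exact snapshot's headers is a cheap first test before chasing an optimizer bug.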