Re: sessions reuse in openssl

Tue, 19 Jan 2021 22:04:03 -0800 

I am working on memory analysis of openssl. One of the observation is the
memory allocated by d2i_X509() API (returned in x) is not being freed after
the connection is closed.. and this memory is stored as part of session.. i
want to limit number of sessions which we cache for re-use.. or if possible
completely avoid session caching.


Using TLS 1.3


-thanks

harish


        x = d2i_X509(NULL, &q, l); //// <<<<<<< memory allocated HERE (HVK)

        if (x == NULL) {

            al = SSL_AD_BAD_CERTIFICATE;

            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);

            goto f_err;

        }

        if (q != (p + l)) {

            al = SSL_AD_DECODE_ERROR;

            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,

                   SSL_R_CERT_LENGTH_MISMATCH);

            goto f_err;

        }

        if (!sk_X509_push(sk, x)) { ////// STORED IN LIST HERE (HVK)

            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);

            goto err;

        }

        x = NULL;

        nc += l + 3;

        p = q;

    }


    i = ssl_verify_cert_chain(s, sk);

    if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)

#ifndef OPENSSL_NO_KRB5

        && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&

             (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))

#endif                          /* OPENSSL_NO_KRB5 */

        ) {

        al = ssl_verify_alarm_type(s->verify_result);

        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,

               SSL_R_CERTIFICATE_VERIFY_FAILED);

        goto f_err;

    }

    ERR_clear_error();          /* but we keep s->verify_result */


    sc = ssl_sess_cert_new();

    if (sc == NULL)

        goto err;


    if (s->session->sess_cert)

        ssl_sess_cert_free(s->session->sess_cert);

    s->session->sess_cert = sc;


    sc->cert_chain = sk; ///// (HVK) THE CHAIN IS STORED HERE.. as part of
session struct.. not freed.

    /*

     * Inconsistency alert: cert_chain does include the peer's certificate,

     * which we don't include in s3_srvr.c

     */

    x = sk_X509_value(sk, 0);

    sk = NULL;

On Wed, Jan 20, 2021 at 10:26 AM Viktor Dukhovni <openssl-us...@dukhovni.org>
wrote:

> On Wed, Jan 20, 2021 at 08:55:13AM +0530, Harish Kulkarni wrote:
>
> > For some experiments i want to stop session re-use in openssl.. is there
> a
> > way to stop reusing of same session?.
>
> Your question is not sufficiently specific.  Are you looking to not
> reuse a session in an client or a server?  Is the server issuing
> stateless session tickets or doing fully stateful resumption with
> an in memory session cache?  Are you using TLS 1.2 or TLS 1.3?
>
> Post a reasonable level of detail outlining where the decision
> to reuse or not reuse the session is going to be made, and how
> session resumption is performed when not disabled.
>
> --
>     Viktor.
>

Reply via email to