<div dir="ltr"><div>It seems any TLS being allocated from the call stack of ERR_get_state() is not getting freed. I used an OPENSSL sample demos\bio\server-cmod.c and it reproduces the issue.</div><div>Any tips to resolve this issue is appreciated.</div><div><br></div><div>><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!CRYPTO_THREAD_init_local(unsigned long * key, void (void *) * cleanup) Line 93<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!err_do_init() Line 637<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!err_do_init_ossl_() Line 634<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!CRYPTO_THREAD_run_once(long * once, void (void) * init) Line 82<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!ERR_get_state() Line 643<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!ERR_put_error(int lib, int func, int reason, const char * file, int line) Line 358<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!BIO_new_file(const char * filename, const char * mode) Line 75<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!def_load(conf_st * conf, const char * name, long * line) Line 140<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!NCONF_load(conf_st * conf, const char * file, long * eline) Line 217<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!CONF_modules_load_file(const char * filename, const char * appname, unsigned long flags) Line 129<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>testConsoleApplication.exe!main(int argc, char * * argv) Line 120<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>C++</div><div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[External Code]<span class="gmail-Apple-tab-span" style="white-space:pre"> </span></div><div><span class="gmail-Apple-tab-span" style="white-space:pre"><br></span></div><div><span class="gmail-Apple-tab-span" style="white-space:pre">//</span>demos\bio\server-cmod.c</div><div><br></div><div><span class="gmail-Apple-tab-span" style="white-space:pre">#include <stdio.h>
#include <signal.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/conf.h>
int main(int argc, char *argv[])
{
unsigned char buf[512];
char *port = "*:4433";
BIO *in = NULL;
BIO *ssl_bio, *tmp;
SSL_CTX *ctx;
int ret = 1, i;
ctx = SSL_CTX_new(TLS_server_method());
if (CONF_modules_load_file("cmod.cnf", "testapp", 0) <= 0) {
fprintf(stderr, "Error processing config file\n");
goto err;
}
if (SSL_CTX_config(ctx, "server") == 0) {
fprintf(stderr, "Error configuring server.\n");
goto err;
}
/* Setup server side SSL bio */
ssl_bio = BIO_new_ssl(ctx, 0);
if ((in = BIO_new_accept(port)) == NULL)
goto err;
/*
* This means that when a new connection is accepted on 'in', The ssl_bio
* will be 'duplicated' and have the new socket BIO push into it.
* Basically it means the SSL BIO will be automatically setup
*/
BIO_set_accept_bios(in, ssl_bio);
again:
/*
* The first call will setup the accept socket, and the second will get a
* socket. In this loop, the first actual accept will occur in the
* BIO_read() function.
*/
if (BIO_do_accept(in) <= 0)
goto err;
for (;;) {
i = BIO_read(in, buf, sizeof(buf));
if (i == 0) {
/*
* If we have finished, remove the underlying BIO stack so the
* next time we call any function for this BIO, it will attempt
* to do an accept
*/
printf("Done\n");
tmp = BIO_pop(in);
BIO_free_all(tmp);
goto again;
}
if (i < 0) {
if (BIO_should_retry(in))
continue;
goto err;
}
fwrite(buf, 1, i, stdout);
fflush(stdout);
}
ret = 0;
err:
if (ret) {
ERR_print_errors_fp(stderr);
}
BIO_free(in);
exit(ret);
return (!ret);
}</span><span class="gmail-Apple-tab-span" style="white-space:pre">
</span></div><div><span class="gmail-Apple-tab-span" style="white-space:pre"><br></span></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Mar 25, 2017 at 8:59 PM, ghanashyam satpathy <span dir="ltr"><<a href="mailto:ghanashyam.satpathy@gmail.com" target="_blank">ghanashyam.satpathy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">However this type of TLS leak was not there when my application was using OpenSSL 1.0.2<div>Noticed after using OpenSSL 1.1.0b</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Mar 25, 2017 at 8:12 PM, <span dir="ltr"><<a href="mailto:openssl-users-request@openssl.org" target="_blank">openssl-users-request@<wbr>openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send openssl-users mailing list submissions to<br>
<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailma<wbr>n/listinfo/openssl-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:openssl-users-request@openssl.org" target="_blank">openssl-users-request@openssl.<wbr>org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:openssl-users-owner@openssl.org" target="_blank">openssl-users-owner@openssl.or<wbr>g</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of openssl-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. OpenSSL sending close_notify right after responding to a<br>
heartbeat request (R Kaja Mohideen)<br>
2. Re: how to implement functions for STACK OF custom type?<br>
(Dr. Stephen Henson)<br>
3. TLSv1_2_method (Lei Kong)<br>
4. Re: TLSv1_2_method (Viktor Dukhovni)<br>
5. TLS leak for openssl 1.1.0b with libcurl 7.50.3<br>
(ghanashyam satpathy)<br>
6. Re: TLS leak for openssl 1.1.0b with libcurl 7.50.3 (Salz, Rich)<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 1<br>
Date: Fri, 24 Mar 2017 19:10:41 +0530<br>
From: R Kaja Mohideen <<a href="mailto:reachme@kajasweb.com" target="_blank">reachme@kajasweb.com</a>><br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
Subject: [openssl-users] OpenSSL sending close_notify right after<br>
responding to a heartbeat request<br>
Message-ID:<br>
<CAMSoAtDCh7AZTBJeOtVa=Gdk3YZ2<wbr>yTStdwem56eN_d=<a href="mailto:eNVgaCQ@mail.gmail.com" target="_blank">eNVgaCQ@mail.<wbr>gmail.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Hi,<br>
<br>
We have a TLS Server (Written in C) and Client (Written in Java using<br>
Netty + OpenSSL).<br>
<br>
I see that when Server sends a TLS extension Heartbeat request to<br>
client - OpenSSL responds to it and sends a close_notify alert right<br>
after it - causing the server to close the session with client.<br>
<br>
I don't have any callback registered in client (HB request recipient<br>
side - Java/Netty doesn't really have that support) and so I'm sure<br>
that it is OpenSSL by itself is responding to that heartbeat request.<br>
But, who or what is making OpenSSL to send an alert & close the<br>
session upon responding to heartbeat remains a mystery.<br>
<br>
Any help / suggestions to investigate this issue is highly appreciated.<br>
<br>
Thanks & regards,<br>
R Kaja Mohideen<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 24 Mar 2017 17:46:28 +0000<br>
From: "Dr. Stephen Henson" <<a href="mailto:steve@openssl.org" target="_blank">steve@openssl.org</a>><br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
Subject: Re: [openssl-users] how to implement functions for STACK OF<br>
custom type?<br>
Message-ID: <<a href="mailto:20170324174628.GA16753@openssl.org" target="_blank">20170324174628.GA16753@openss<wbr>l.org</a>><br>
Content-Type: text/plain; charset=iso-8859-1<br>
<br>
On Tue, Mar 21, 2017, lists wrote:<br>
<br>
> Sorry, I first posted this on the -dev list, likely inappropriate... now with an update:<br>
><br>
> I am exploring my options with OpenSSL and specifically I am trying to manage the stacks for some custom objects.<br>
> Currently, I have this code (sort of) in the headers:<br>
><br>
> typedef struct myThingA_st<br>
> {<br>
> ???? ASN1_OBJECT aID;<br>
> ???? ASN1_OCTET_STRING aOCST;<br>
> }<br>
> ???? myThingA;<br>
><br>
> DECLARE_ASN1_ITEM(myThingA)<br>
> DECLARE_ASN1_FUNCTIONS(myThing<wbr>A)<br>
> DECLARE_STACK_OF(myThingA)<br>
> // the next one seems to be ininfluent for my purpose, is it?<br>
> DECLARE_ASN1_SET_OF(myThingA)<br>
><br>
> typedef struct myThingB_st<br>
> {<br>
> ???? // SEQUENCE OF { ... }<br>
> ???? STACK_OF(myThingA) myThingA_sk;<br>
> }<br>
> ???? myThingB;<br>
><br>
> // DECLARE_ASN1_ITEM(myThingB)<br>
> DECLARE_STACK_OF(myThingB)<br>
> // DECLARE_ASN1_FUNCTIONS(myThing<wbr>B)<br>
> // the next one seems to be ininfluent for my purpose, is it?<br>
> DECLARE_ASN1_SET_OF(myThingB)<br>
><br>
> Then, in the .c file...<br>
><br>
> IMPLEMENT_STACK_OF(myThingA)<br>
> IMPLEMENT_STACK_OF(myThingB)<br>
><br>
> I thought that the basic functions for the stacks to be available (such as sk_myThingA_new, sk_myThingA_push...), yet by compiling a main, for<br>
> the first one that I try to use I get:<br>
><br>
> ?????? undefined reference to `sk_myThingA_value'<br>
><br>
> What am I doing wrong here?<br>
<br>
If you're using OpenSSL 1.1.0 you need to include:<br>
<br>
DEFINE_STACK_OF(FOO)<br>
<br>
in a header file and that should be it. That implements a set of inline<br>
functions that do the right thing.<br>
<br>
For OpenSSL versions before 1.1.0 it's a bit messier. The type specific<br>
STACK_OF functions are actually macros which are generated by the <a href="http://mkstack.pl" rel="noreferrer" target="_blank">mkstack.pl</a><br>
script and appear in the safestack.h header file. If you want to create your<br>
own one way is to extract a type specific section from safestack.h, copy it<br>
to your own header file and do a search/replace for the new type.<br>
<br>
So for example extract the sk_OPENSSL_BLOCK macros and replace OPENSSL_BLOCK<br>
with FOO.<br>
<br>
Steve.<br>
--<br>
Dr Stephen N. Henson. OpenSSL project core developer.<br>
Commercial tech support now available see: <a href="http://www.openssl.org" rel="noreferrer" target="_blank">http://www.openssl.org</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 24 Mar 2017 21:51:07 +0000<br>
From: Lei Kong <<a href="mailto:leikong@msn.com" target="_blank">leikong@msn.com</a>><br>
To: "<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a>" <<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a>><br>
Subject: [openssl-users] TLSv1_2_method<br>
Message-ID:<br>
<<a href="mailto:BN1PR01MB021823477985DD1AFB7D042A83E0@BN1PR01MB021.prod.exchangelabs.com" target="_blank">BN1PR01MB021823477985DD1AFB7D<wbr>042A83E0@BN1PR01MB021.prod.exc<wbr>hangelabs.com</a>><br>
<br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Can processes running with TLSv1_2_method talk to processes running with something older, e.g. TLSv1_1_method? Along the same lines, will new TLS versions be backward compatible with TLSv1_2_method ?<br>
<br>
I would like to make my code proof, is there something like TLS_latest_method()?<br>
<br>
I have a cluster of nodes that talk to each other with TLS, currently the version is hardcoded to TLSv1_2_method. Suppose TLSv1_2 is deprecated by TLS_new one day, I update my service to use TLS_new node by node, during this time, some old nodes are running with TLSv1_2, some new nodes are running with new TLS_new, will the communication between old and new nodes work?<br>
<br>
Thanks.<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20170324/1f4d53f0/attachment-0001.html" rel="noreferrer" target="_blank">http://mta.openssl.org/piperm<wbr>ail/openssl-users/attachments/<wbr>20170324/1f4d53f0/attachment-<wbr>0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Sat, 25 Mar 2017 03:19:55 -0400<br>
From: Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org" target="_blank">openssl-users@dukhovni.org</a>><br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
Subject: Re: [openssl-users] TLSv1_2_method<br>
Message-ID: <<a href="mailto:5D881D46-87A5-4053-B166-F1EE4AA52619@dukhovni.org" target="_blank">5D881D46-87A5-4053-B166-F1EE4<wbr>AA52619@dukhovni.org</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
<br>
> On Mar 24, 2017, at 5:51 PM, Lei Kong <<a href="mailto:leikong@msn.com" target="_blank">leikong@msn.com</a>> wrote:<br>
><br>
> TLS_latest_method<br>
<br>
<a href="https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/m<wbr>an1.1.0/ssl/SSL_CTX_new.html</a><br>
<br>
...<br>
<br>
TLS_method(), TLS_server_method(), TLS_client_method()<br>
<br>
These are the general-purpose version-flexible SSL/TLS methods.<br>
The actual protocol version used will be negotiated to the<br>
highest version mutually supported by the client and the server.<br>
The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.<br>
Applications should use these methods, and avoid the version-specific<br>
methods described below.<br>
<br>
With OpenSSL 1.0.2 these are called SSLv23_method(), ...<br>
<br>
<a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/<wbr>man1.0.2/ssl/SSL_CTX_new.html</a><br>
<br>
--<br>
Viktor.<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Sat, 25 Mar 2017 19:35:06 +0530<br>
From: ghanashyam satpathy <<a href="mailto:ghanashyam.satpathy@gmail.com" target="_blank">ghanashyam.satpathy@gmail.com</a><wbr>><br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
Subject: [openssl-users] TLS leak for openssl 1.1.0b with libcurl<br>
7.50.3<br>
Message-ID:<br>
<CAKn+8OKWHspSvk=<a href="mailto:sxZfz3PSOZK5qXkWQTy3z%2B3PimCiFrOnXkw@mail.gmail.com" target="_blank">sxZfz3PSOZK5q<wbr>XkWQTy3z+3PimCiFrOnXkw@mail.gm<wbr>ail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
I use libcurl 7.50.3 as statically linked in my application dll , along<br>
with openssl 1.1.0b also statically linked. The dll is dynamically loaded<br>
using LoadLibrary() and unloaded using FreeLibrary() inside application<br>
exe. I observed a TLS index is not getting freed which was allocated inside<br>
openssl. To narrow down the issue I have following exported function, which<br>
I call from my application exe. After FreeLibrary() I see the TLS leak<br>
through APplication verifier.<br>
<br>
extern "C" __declspec(dllexport)<br>
void CurlSetup()<br>
{<br>
<br>
curl_global_init(CURL_GLOBAL_D<wbr>EFAULT);<br>
curl_global_cleanup();<br>
return;<br>
<br>
}<br>
<br>
An early reply in this context is appreciated.<br>
<br>
Thanks<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20170325/12c0ccde/attachment-0001.html" rel="noreferrer" target="_blank">http://mta.openssl.org/piperm<wbr>ail/openssl-users/attachments/<wbr>20170325/12c0ccde/attachment-<wbr>0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Sat, 25 Mar 2017 14:13:47 +0000<br>
From: "Salz, Rich" <<a href="mailto:rsalz@akamai.com" target="_blank">rsalz@akamai.com</a>><br>
To: "<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a>" <<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a>><br>
Subject: Re: [openssl-users] TLS leak for openssl 1.1.0b with libcurl<br>
7.50.3<br>
Message-ID:<br>
<<a href="mailto:6d87957f6c654825a6a6c6f0d3d4a20a@usma1ex-dag1mb1.msg.corp.akamai.com" target="_blank">6d87957f6c654825a6a6c6f0d3d4a<wbr>20a@usma1ex-dag1mb1.msg.corp.a<wbr>kamai.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Those are curl functions, not openssl<br>
<br>
--<br>
Senior Architect, Akamai Technologies<br>
Member, OpenSSL Dev Team<br>
IM: <a href="mailto:richsalz@jabber.at" target="_blank">richsalz@jabber.at</a> Twitter: RichSalz<br>
<br>
From: ghanashyam satpathy [mailto:<a href="mailto:ghanashyam.satpathy@gmail.com" target="_blank">ghanashyam.satpathy@gm<wbr>ail.com</a>]<br>
Sent: Saturday, March 25, 2017 10:05 AM<br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
Subject: [openssl-users] TLS leak for openssl 1.1.0b with libcurl 7.50.3<br>
<br>
I use libcurl 7.50.3 as statically linked in my application dll , along<br>
with openssl 1.1.0b also statically linked. The dll is dynamically loaded<br>
using LoadLibrary() and unloaded using FreeLibrary() inside application<br>
exe. I observed a TLS index is not getting freed which was allocated inside<br>
openssl. To narrow down the issue I have following exported function, which<br>
I call from my application exe. After FreeLibrary() I see the TLS leak<br>
through APplication verifier.<br>
<br>
extern "C" __declspec(dllexport)<br>
void CurlSetup()<br>
{<br>
<br>
curl_global_init(CURL_GLOBAL_D<wbr>EFAULT);<br>
curl_global_cleanup();<br>
return;<br>
<br>
}<br>
<br>
An early reply in this context is appreciated.<br>
<br>
Thanks<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20170325/1a5b8980/attachment.html" rel="noreferrer" target="_blank">http://mta.openssl.org/piperm<wbr>ail/openssl-users/attachments/<wbr>20170325/1a5b8980/attachment.<wbr>html</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
______________________________<wbr>_________________<br>
openssl-users mailing list<br>
<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailma<wbr>n/listinfo/openssl-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of openssl-users Digest, Vol 28, Issue 33<br>
******************************<wbr>***************<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>