[openssl-dev] OpenSSL 1.1 SSL_CTX issues

Viktor Dukhovni openssl-users at dukhovni.org
Thu Jan 21 17:57:43 UTC 2016


On Thu, Jan 21, 2016 at 05:33:51PM +0000, Howard Chu wrote:

> In OpenLDAP we've been using
>   CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX)
> to manage our own SSL_CTXs but this is not possible with current 1.1. Making
> the structures opaque is a good move, but please provide methods to
> manipulate refcounts.
> 
> Currently ssl_lib.c appears to bump the ctx refcount twice, in SSL_new. Why
> is that?

Because the SSL handle has two references to the SSL_CTX.

	ssl->ctx
	ssl->initial_ctx

they are initially the same, but may diverge.  These are freed
independently.

Indeed there are at present no SSL_up_ref() or SSL_CTX_up_ref()
functions.  The up_ref functions are at present:

    include/openssl/rsa.h:int RSA_up_ref(RSA *r);
    include/openssl/ec.h:int EC_KEY_up_ref(EC_KEY *key);
    include/openssl/dh.h:int DH_up_ref(DH *dh);
    include/openssl/dsa.h:int DSA_up_ref(DSA *r);
    include/openssl/evp.h:void EVP_PKEY_up_ref(EVP_PKEY *pkey);

    include/openssl/x509.h:void X509_up_ref(X509 *x);
    include/openssl/x509.h:void X509_CRL_up_ref(X509_CRL *crl);
    include/openssl/x509.h:STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
    include/openssl/x509_vfy.h:void X509_OBJECT_up_ref_count(X509_OBJECT *a);

    include/openssl/dso.h:int DSO_up_ref(DSO *dso);
    include/openssl/engine.h:int ENGINE_up_ref(ENGINE *e);

-- 
	Viktor.
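The two-reference ownership model described in the reply above, as an added example that is not OpenSSL code and not part of the original thread: a constructed C model in which toy_ctx_up_ref() stands in for the SSL_CTX_up_ref() Howard asks for, and a handle carries both ssl->ctx and ssl->initial_ctx. The types toy_ctx and toy_ssl, the function names and the live_ctx counter are invented for illustration.

```c
#include <stdlib.h>

/* Constructed model of OpenSSL 1.1 refcounting (not OpenSSL's own code): a
 * counted context plus an SSL handle holding two references to it,
 * ssl->ctx and ssl->initial_ctx, as the reply above describes. */
typedef struct { int references; } toy_ctx;
typedef struct { toy_ctx *ctx; toy_ctx *initial_ctx; } toy_ssl;
static int live_ctx = 0;                  /* contexts not yet freed */
toy_ctx *toy_ctx_new(void) {
    toy_ctx *c = calloc(1, sizeof *c);
    c->references = 1;                    /* the creator's own reference */
    live_ctx++;
    return c;
}
/* The SSL_CTX_up_ref() the thread asks for: take one more reference. */
int toy_ctx_up_ref(toy_ctx *c) { return ++c->references; }
/* Drop one reference; the object goes away with the last one. */
void toy_ctx_free(toy_ctx *c) {
    if (c != NULL && --c->references == 0) { live_ctx--; free(c); }
}
/* Like SSL_new(): both fields point at c, so its count rises by two. */
toy_ssl *toy_ssl_new(toy_ctx *c) {
    toy_ssl *s = calloc(1, sizeof *s);
    toy_ctx_up_ref(c); s->ctx = c;
    toy_ctx_up_ref(c); s->initial_ctx = c;
    return s;
}
/* Like SSL_set_SSL_CTX(): ssl->ctx diverges from ssl->initial_ctx. */
void toy_ssl_set_ctx(toy_ssl *s, toy_ctx *c) {
    toy_ctx_up_ref(c);
    toy_ctx_free(s->ctx);                 /* release the reference held via ssl->ctx */
    s->ctx = c;
}
/* Like SSL_free(): the two references are released independently. */
void toy_ssl_free(toy_ssl *s) {
    toy_ctx_free(s->ctx);
    toy_ctx_free(s->initial_ctx);
    free(s);
}
/* Walks one lifecycle; returns 0, or the number of the check that failed. */
int check_refcounts(void) {
    toy_ctx *a = toy_ctx_new(), *b = toy_ctx_new();
    toy_ssl *s = toy_ssl_new(a);
    if (a->references != 3) return 1;     /* owner + ctx + initial_ctx */
    toy_ssl_set_ctx(s, b);
    if (a->references != 2 || b->references != 2) return 2;
    toy_ctx_free(a);                      /* owner lets go; the handle keeps a alive */
    toy_ssl_free(s);                      /* frees a, leaves b with the owner's reference */
    if (b->references != 1) return 3;
    toy_ctx_free(b);
    return live_ctx == 0 ? 0 : 4;
}
```

The application's own reference and the two held by the handle are released separately, which is why a handle created from a context keeps that context alive after the application has dropped it.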
