[openssl-users] Correct way to free SSL_CTX* ?

Mon Jan 29 05:09:44 UTC 2018

Hi all,

I think I found the way to fix the memory leak in my application. Just
floating it here in case it helps out someone else.
The answer was on the wiki page for SSL_CTX_add_extra_chain_cert():

"The *x509* certificate provided to SSL_CTX_add_extra_chain_cert() will be
freed by the library when the *SSL_CTX* is destroyed. An application *should
not* free the *x509* object."

The trick was to realize that the cert added via SSL_CTX_use_certificate()
can be (and should be, I think) free'd manually right after this call.
Otherwise you've got a memory leak on your hands. But the certs added
using SSL_CTX_add_extra_chain_cert() should not be free'd up manually -
those are cleaned up SSL_CTX_free later at the end of the application.

After doing this, the memory leak and the crash both went away.

Thanks,
-Pratyush.

On Sun, Jan 28, 2018 at 10:20 PM, J Decker <d3ck0r at gmail.com> wrote:

>
>
> On Sun, Jan 28, 2018 at 7:05 PM, pratyush parimal <
> pratyush.parimal at gmail.com> wrote:
>
>> Hi all,
>>
>> I'm trying to write an application in which I create an instance of
>> SSL_CTX* using SSL_CTX_new(), and set the following things in it:
>>
>> (1) An EVP_PKEY* :
>> 1a> created with PEM_read_bio_PrivateKey().
>> 1b> set in the ctx using SSL_CTX_use_PrivateKey().
>>
> after setting key, free key
>
>>
>> (2) A number of X509* instances (cuz chained certs) :
>> 2a> all created with PEM_read_bio_X509().
>> 2b> set in the ctx using SSL_CTX_use_certificate() or
>> SSL_CTX_add_extra_chain_cert().
>>
> after setting certs, free certs.
>
>>
>> At the end, I use SSL_CTX_free() to free up the ctx. According to the man
>> page for SSL_CTX_free():
>>
>> "SSL_CTX_free() decrements the reference count of ctx, and removes the
>> SSL_CTX object pointed to by ctx and frees up the allocated memory if the
>> the reference count has reached 0.
>>        It also calls the free()ing procedures for indirectly affected
>> items, if applicable: the session cache, the list of ciphers, the list of
>> Client CAs, the certificates and keys. "
>>
>> ... which tells me that freeing the SSL_CTX should free up its memory as
>> well as the things I set inside of it (unless I'm interpreting it super
>> wrong?) like " ... certificates and keys".
>> The problem is, when run my application under valgrind, I keep seeing
>> memory leaks for both steps (1a) and (2a).
>>
>> I tried to get rid of them, by using EVP_PKEY_free() after I'm done
>> setting in step (1b). This works, and the leak for step (1a) goes away.
>> When I try to do the same for step (2), i.e. calling X509_free() after
>> every successful "set" call, I get a coredump (backtrace is attached:
>> bt_1.txt), coming out of SSL_CTX_free, suggesting that I did something
>> wrong.
>>
>>
>> Which brings me to my question, does anyone know the correct way to free
>> memory in SSL_CTX ? Or, what's wrong with my steps? The application doesn't
>> even perform SSL yet, I'm just trying to create/destroy SSL_CTX objects
>> without leaks first. Any help would be appreciated!
>>
>>
>> Thanks in advance,
>> -Pratyush.
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180129/8e249f63/attachment-0001.html>