Reg: Freeing of SSL_CTX object through SSL_free Function

Ram Chandra rchandra612 at
Wed Apr 13 10:55:50 UTC 2022

I am using OpenSSL 1.1.1k Version, From that I see following are done in OpenSSL code, pls correct me if I am wrong.

Inside SSL_new:

SSL *SSL_new(SSL_CTX *ctx){    SSL *s;     .......     .......     s = OPENSSL_zalloc(sizeof(*s));     ....     ....     SSL_CTX_up_ref(ctx);     s->ctx = ctx;   /* ctx value to s->ctx , also gets freed when called SLL_free(s) ==>  SSL_CTX_free(s->ctx)*/
     ....     ....     SSL_CTX_up_ref(ctx);
     s->session_ctx = ctx; /* same value is getting assigned here also */     .....     return s;}
Inside SSL_free:void SSL_free(SSL *s){     if ( s == NULL)           return;     X509_VERIFY_PARAM_free(s->param);     .....     .....    SSL_CTX_free( s->session_ctx); /* this holds the value of ctx that was passed to SSL_new(), yes or no? */    .....    .....    SSL_CTX_free( s->ctx); /* this again trying to free the same pointer , abnormal behavior */
Point here is inside SSL_CTX_free(), after freeing  "s->session_ctx" , we are not setting "s->session_ctx" to NULL(this may be optional, its ok if we don't use the same pointer again), but "s->session_ctx" and "s->ctx" both have same value. So applying "free()" on same value again ( through  SSL_CTX_free( s->ctx); ) will result in abnormal behavior, correct or not?
I could not understand how OpenSSL free() ing pointers if they are assigned to multiple different variables.
Note: tried going through "SSL_CTX_up_ref(ctx);" , and "SSL_CTX_down_ref(ctx);", looks like they are tracking the pointer usage count by other APIs, but could not understand what exactly they are doing...when count is 0.
Could someone please elaborate a bit ..
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list