链和主证书添加之间X509结构的正确释放是否有所不同? [英] Does correct freeing of X509 structures differ between chain and main certificate adding?

问题描述

我需要从内存中添加PEM类型证书，这意味着我无法使用内置的文件读取帮助器.

I need to add PEM type certificates from memory, which means I can't use the built in read-from-file helpers.

我的问题是，之后没有有关如何释放内存的文档.现在，我的最佳猜测如下:

My problem is that there's no documentation on how to free up memory afterwards. Now my best guess is as follows:

SSL_CTX_use_certificate(): //X509 structure SHOULD be freed using X509_free(), as in     SSL_CTX_use_certificate_file()
SSL_CTX_use_PrivateKey()  // EVP_KEY structure SHOULD be freed using EVP_KEY_free(), as in     SSL_CTX_use_PrivateKey_file()
SSL_CTX_add_extra_chain_cert() // X509 structure SHOULD NOT be freed, as in SSL_CTX_use_certificate_chain_file()

有些时候，源代码似乎暗示着SSL_CTX_use_certificate()增加了引用计数，而SSL_CTX_add_extra_chain_cert()却没有.

And some time grepping the source seems to suggest that SSL_CTX_use_certificate() increments a reference count, whereas SSL_CTX_add_extra_chain_cert() doesn't.

任何人都可以确认或否认我的怀疑吗?

Can anyone confirm or deny my suspicions?

推荐答案

在Valgrind下使用和不使用X509_free的情况下运行此程序.

Run this program with and without the X509_free under Valgrind.

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>

int main(int argc, char* argv[])
{
    unsigned long err;

    SSL_library_init();
    OpenSSL_add_all_algorithms();

    SSL_CTX* ctx = SSL_CTX_new(SSLv23_method());
    err = ERR_get_error();
    if(ctx == NULL)
    {
        printf("SSL_CTX_new failed: 0x%lx\n", err);
        exit (1);
    }

    X509* x509 = X509_new();
    err = ERR_get_error();
    if(x509 == NULL)
    {
        printf("X509_new failed: 0x%lx\n", err);
        exit (1);
    }

    long res = SSL_CTX_add_extra_chain_cert(ctx, x509);
    err = ERR_get_error();
    if(res != 1)
    {
        printf("SSL_CTX_add_extra_chain_cert failed: 0x%lx\n", err);
        exit (1);
    }

    X509_free(x509);
    SSL_CTX_free(ctx);

    return 0;
}

X509_free(x509) 未注释:

$ valgrind ./openssl-test.exe
==23505== Memcheck, a memory error detector
==23505== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==23505== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==23505== Command: ./openssl-test.exe
==23505== 
==23505== WARNING: Support on MacOS 10.8 is experimental and mostly broken.
==23505== WARNING: Expect incorrect results, assertions and crashes.
==23505== WARNING: In particular, Memcheck on 32-bit programs will fail to
==23505== WARNING: detect any errors associated with heap-allocated data.
==23505== 
==23505== Invalid read of size 4
==23505==    at 0x100001AD9: CRYPTO_add_lock (in ./openssl-test.exe)
==23505==    by 0x1000BC62A: asn1_item_combine_free (in ./openssl-test.exe)
==23505==    by 0x1000BC5A6: ASN1_item_free (in ./openssl-test.exe)
==23505==    by 0x10009CC5F: sk_pop_free (in ./openssl-test.exe)
==23505==    by 0x100114862: SSL_CTX_free (in ./openssl-test.exe)
==23505==    by 0x100001213: main (openssl-test.c:43)
==23505==  Address 0x100202dac is 28 bytes inside a block of size 184 free'd
==23505==    at 0x7517: free (vg_replace_malloc.c:472)
==23505==    by 0x100002634: CRYPTO_free (in ./openssl-test.exe)
==23505==    by 0x1000BC95C: asn1_item_combine_free (in ./openssl-test.exe)
==23505==    by 0x1000BC5A6: ASN1_item_free (in ./openssl-test.exe)
==23505==    by 0x10000120A: main (openssl-test.c:42)
...

这篇关于链和主证书添加之间X509结构的正确释放是否有所不同?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！