On 10/29/2013 02:03 PM, Dr. Stephen Henson wrote:
> On Tue, Oct 29, 2013, ?????? ??????? wrote:
>
>>    I've noticed that SSL_CTX_add_extra_chain_cert (actually
>> ssl3_ctx_ctrl (..., SSL_CTRL_EXTRA_CHAIN_CERT, ..., ...)) just pushes
>> X509 cert to context's cert stack. This means that I'm unable to free
>> original certificate because double memory freeing occurs when context
>> is free'd later.
>
> You don't and shouldn't free it: it will be freed when the SSL_CTX it is added
> to is freed.

It isn't clear from the documentation for SSL_CTX_add_extra_chain_cert that the caller is relieved of responsibility for whatever is passed as the x509 argument (and indeed should probably not try to re-use it elsewhere, for example, in another SSL_CTX). Are you interested in patches to the documentation which would make this workflow clearer?

Also, I don't think this same workflow holds for similar functions (e.g. SSL_CTX_set_tmp_dh; apps/s_server.c invokes SSL_CTX_set_tmp_dh and subsequently frees the dh argument). Is there a pattern to this that users of OpenSSL should be aware of?

        --dkg
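
A toy C model of the two ownership conventions discussed in this thread, added here as an example; it is not part of the original message and is not OpenSSL code. `ctx_add_chain` stands in for SSL_CTX_add_extra_chain_cert (pointer stored, no reference taken) and `ctx_set_dh` for SSL_CTX_set_tmp_dh (the context keeps its own copy, an assumption consistent with s_server freeing its dh afterwards); every type and function name below is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical refcounted object standing in for X509 or DH. Objects live in
 * a static pool and are never handed back to the allocator, so an extra
 * release is counted instead of corrupting the heap. */
typedef struct { int refs; } obj_t;
static obj_t pool[16];
static size_t used;
static int live, extra_frees;

static obj_t *obj_new(void) { obj_t *o = &pool[used++]; o->refs = 1; live++; return o; }
static void obj_up_ref(obj_t *o) { o->refs++; }
static void obj_free(obj_t *o) {
    if (o->refs <= 0) { extra_frees++; return; }  /* would be a double free */
    if (--o->refs == 0) live--;
}

typedef struct { obj_t *chain; obj_t *dh; } ctx_t;  /* hypothetical context */

/* Models SSL_CTX_add_extra_chain_cert: keeps the caller's pointer, no up-ref. */
static void ctx_add_chain(ctx_t *c, obj_t *x) { c->chain = x; }
/* Models SSL_CTX_set_tmp_dh (assumed): the context stores an independent copy. */
static void ctx_set_dh(ctx_t *c, obj_t *dh) { (void)dh; c->dh = obj_new(); }
/* Models SSL_CTX_free: releases everything the context holds. */
static void ctx_free(ctx_t *c) {
    if (c->chain) obj_free(c->chain);
    if (c->dh) obj_free(c->dh);
    c->chain = c->dh = NULL;
}

/* Runs one caller behaviour and returns the number of extra (double) frees. */
static int scenario(int caller_frees_cert, int caller_up_refs) {
    ctx_t c = {0};
    used = 0; live = 0; extra_frees = 0;
    obj_t *cert = obj_new(), *dh = obj_new();
    ctx_add_chain(&c, cert);
    ctx_set_dh(&c, dh);
    obj_free(dh);                          /* fine: caller still owns dh */
    if (caller_up_refs) obj_up_ref(cert);  /* caller takes its own reference */
    if (caller_frees_cert) obj_free(cert);
    ctx_free(&c);
    return extra_frees;
}
static int leaked(void) { return live; }   /* objects never released */

int main(void) {
    printf("caller frees cert, no up-ref: %d extra free(s)\n", scenario(1, 0));
    printf("caller up-refs, then frees:   %d extra free(s)\n", scenario(1, 1));
    return 0;
}
```

In the model, a caller that wants to keep using the certificate after handing it to the context has to take its own reference first, and taking one without releasing it later shows up as a leak.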
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]