[openssl-dev] [openssl.org #3825] [PATCH] Add X509_STORE_clear_cache to clear CRL/cert cache

Wed, 29 Apr 2015 04:35:59 -0700 

Hi,

when long-running process, such as httpd, uses OpenSSL and loads new 
CRLs or certificates over the time, they are all staying in the 
X509_STORE's cache. It could be really nice to have a way how to clear 
the cache to free the CRls/certificates from the memory.

Attached patch against master does that by introducing new 
X509_STORE_clear_cache. Few things about the patch to point out:

1. It increases the refcount of X509_OBJECT returned by 
by_dir.c:get_cert_by_subject. This is needed to ensure that X509_OBJECT 
won't be freed when cache is cleared by another thread during 
get_cert_by_subject execution.

This change breaks the ABI because the get_cert_by_subject semantic 
changed, but I haven't found another way how to do that.

2. Other refcount changes should be safe and again ensures that 
X509_OBJECT is not freed by another thread while used.

3. The patch changes semantic of X509_STORE.cache variable, but this 
variable has not been used for anything before (It is just set to 1 
during initialization and never used again), so this should be safe too.


In the future, it would be nice to call X509_STORE_clear_cache 
automatically when caching is disabled, but so far I haven't found good 
place where to do such call.

Regards,
Jan Kaluza


diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 80444ff..ea3dd1b 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -379,8 +379,10 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
          */
         CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
         j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
-        if (j != -1)
+        if (j != -1) {
             tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
+            X509_OBJECT_up_ref_count(tmp);
+        }
         else
             tmp = NULL;
         CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
@@ -426,17 +428,14 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
             ok = 1;
             ret->type = tmp->type;
             memcpy(&ret->data, &tmp->data, sizeof(ret->data));
-            /*
-             * If we were going to up the reference count, we would need to
-             * do it on a perl 'type' basis
-             */
-        /*- CRYPTO_add(&tmp->data.x509->references,1,
-                    CRYPTO_LOCK_X509);*/
             goto finish;
         }
     }
  finish:
     if (b != NULL)
         BUF_MEM_free(b);
+    if (tmp != NULL && !ok) {
+        X509_OBJECT_free_contents(tmp);
+    }
     return (ok);
 }
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index f77e59d..c8bc2a6 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -187,7 +187,7 @@ X509_STORE *X509_STORE_new(void)
     if ((ret = (X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
         return NULL;
     ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
-    ret->cache = 1;
+    ret->cache = X509_STORE_CACHE_ALL;
     ret->get_cert_methods = sk_X509_LOOKUP_new_null();
     ret->verify = 0;
     ret->verify_cb = 0;
@@ -303,6 +303,9 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
 
     CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
     tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
+   if (tmp) {
+       X509_OBJECT_up_ref_count(tmp);
+   }
     CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
     if (tmp == NULL || type == X509_LU_CRL) {
@@ -312,8 +315,14 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
             j = X509_LOOKUP_by_subject(lu, type, name, &stmp);
             if (j < 0) {
                 vs->current_method = j;
+                if (tmp) {
+                    X509_OBJECT_free_contents(tmp);
+                }
                 return j;
             } else if (j) {
+                if (tmp) {
+                    X509_OBJECT_free_contents(tmp);
+                }
                 tmp = &stmp;
                 break;
             }
@@ -329,8 +338,6 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
     ret->type = tmp->type;
     ret->data.ptr = tmp->data.ptr;
 
-    X509_OBJECT_up_ref_count(ret);
-
     return 1;
 }
 
@@ -502,8 +509,8 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
             sk_X509_free(sk);
             return NULL;
         }
-        X509_OBJECT_free_contents(&xobj);
         CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+        X509_OBJECT_free_contents(&xobj);
         idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
         if (idx < 0) {
             CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
@@ -546,8 +553,8 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
         sk_X509_CRL_free(sk);
         return NULL;
     }
-    X509_OBJECT_free_contents(&xobj);
     CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    X509_OBJECT_free_contents(&xobj);
     idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
     if (idx < 0) {
         CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
@@ -673,6 +680,59 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
     return ret;
 }
 
+void X509_STORE_clear_cache(X509_STORE *ctx)
+{
+   X509_OBJECT *a;
+   int i;
+
+   if (ctx->objs == NULL) {
+       return;
+   }
+
+   CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+    for (i = 0 ; i < sk_X509_OBJECT_num(ctx->objs); i++) {
+        a = (X509_OBJECT *) sk_X509_OBJECT_value(ctx->objs, i);
+        if (a == NULL) {
+            continue;
+        }
+        switch (a->type) {
+        case X509_LU_X509:
+            if (ctx->cache & X509_STORE_CACHE_CERT) {
+                break;
+            }
+            if (a->data.x509->references == 1) {
+                X509_free(a->data.x509);
+                OPENSSL_free(a);
+                sk_X509_OBJECT_delete(ctx->objs, i);
+                --i;
+            }
+            break;
+        case X509_LU_CRL:
+            if (ctx->cache & X509_STORE_CACHE_CRL) {
+                break;
+            }
+            if (a->data.crl->references == 1) {
+                X509_CRL_free(a->data.crl);
+                OPENSSL_free(a);
+                sk_X509_OBJECT_delete(ctx->objs, i);
+                --i;
+            }
+            break;
+        default:
+            break;
+        }
+    }
+
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+}
+
+int X509_STORE_set_cache(X509_STORE *ctx, int cache)
+{
+   ctx->cache = cache;
+   return 1;
+}
+
 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
 {
     return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index e41b5e2..d88f6bf 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -166,6 +166,11 @@ typedef struct X509_VERIFY_PARAM_st {
 
 DECLARE_STACK_OF(X509_VERIFY_PARAM)
 
+#define X509_STORE_NO_CACHE		0
+#define X509_STORE_CACHE_CRL	1
+#define X509_STORE_CACHE_CERT	2
+#define X509_STORE_CACHE_ALL	(X509_STORE_CACHE_CRL | X509_STORE_CACHE_CERT)
+
 /*
  * This is used to hold everything.  It is used for all certificate
  * validation.  Once we have a certificate chain, the 'verify' function is
@@ -203,6 +208,8 @@ struct x509_store_st {
 } /* X509_STORE */ ;
 
 int X509_STORE_set_depth(X509_STORE *store, int depth);
+int X509_STORE_set_cache(X509_STORE *store, int cache);
+void X509_STORE_clear_cache(X509_STORE *store);
 
 # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
 # define X509_STORE_set_verify_func(ctx,func)    ((ctx)->verify=(func))

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to