Re: [openssl-users] Correct way to free SSL_CTX* ?

2018-01-28 Thread murugesh pitchaiah
Hi Pratyush,

Whenever you set a certificate to CTX, the reference count will get incremented:

CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);

In addition, inside your application any usage of a certificate may
cause this reference count to be incremented.

As you can see in the man page, one call to ctx free will just decrement
the reference count by one. Only when the count is 0 does it start freeing
the whole memory. So you need to watch these reference counts to
avoid a leak. Also, when you fix the leak properly, I hope the backtrace
should be gone.

X509_free - can also be used to decrement the reference count.

Regards,
Murugesh P.

On 1/29/18, pratyush parimal wrote:
> Hi all,
>
> I'm trying to write an application in which I create an instance of
> SSL_CTX* using SSL_CTX_new(), and set the following things in it:
>
> (1) An EVP_PKEY* :
> 1a> created with PEM_read_bio_PrivateKey().
> 1b> set in the ctx using SSL_CTX_use_PrivateKey().
>
> (2) A number of X509* instances (cuz chained certs) :
> 2a> all created with PEM_read_bio_X509().
> 2b> set in the ctx using SSL_CTX_use_certificate() or
> SSL_CTX_add_extra_chain_cert().
>
> At the end, I use SSL_CTX_free() to free up the ctx. According to the man
> page for SSL_CTX_free():
>
> "SSL_CTX_free() decrements the reference count of ctx, and removes the
> SSL_CTX object pointed to by ctx and frees up the allocated memory if the
> the reference count has reached 0.
> It also calls the free()ing procedures for indirectly affected
> items, if applicable: the session cache, the list of ciphers, the list of
> Client CAs, the certificates and keys. "
>
> ... which tells me that freeing the SSL_CTX should free up its memory as
> well as the things I set inside of it (unless I'm interpreting it super
> wrong?) like " ... certificates and keys".
> The problem is, when I run my application under valgrind, I keep seeing
> memory leaks for both steps (1a) and (2a).
>
> I tried to get rid of them, by using EVP_PKEY_free() after I'm done setting
> in step (1b). This works, and the leak for step (1a) goes away.
> When I try to do the same for step (2), i.e. calling X509_free() after
> every successful "set" call, I get a coredump (backtrace is attached:
> bt_1.txt), coming out of SSL_CTX_free, suggesting that I did something
> wrong.
>
>
> Which brings me to my question, does anyone know the correct way to free
> memory in SSL_CTX ? Or, what's wrong with my steps? The application doesn't
> even perform SSL yet, I'm just trying to create/destroy SSL_CTX objects
> without leaks first. Any help would be appreciated!
>
>
> Thanks in advance,
> -Pratyush.
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Correct way to free SSL_CTX* ?

2018-01-28 Thread pratyush parimal
Hi all,

I think I found the way to fix the memory leak in my application. Just
floating it here in case it helps out someone else.
The answer was on the wiki page for SSL_CTX_add_extra_chain_cert():

"The *x509* certificate provided to SSL_CTX_add_extra_chain_cert() will be
freed by the library when the *SSL_CTX* is destroyed. An application *should
not* free the *x509* object."

The trick was to realize that the cert added via SSL_CTX_use_certificate()
can be (and should be, I think) free'd manually right after this call.
Otherwise you've got a memory leak on your hands. But the certs added
using SSL_CTX_add_extra_chain_cert() should not be free'd up manually -
those are cleaned up by SSL_CTX_free later at the end of the application.

After doing this, the memory leak and the crash both went away.

Thanks,
-Pratyush.


On Sun, Jan 28, 2018 at 10:20 PM, J Decker wrote:

>
>
> On Sun, Jan 28, 2018 at 7:05 PM, pratyush parimal <
> pratyush.pari...@gmail.com> wrote:
>
>> Hi all,
>>
>> I'm trying to write an application in which I create an instance of
>> SSL_CTX* using SSL_CTX_new(), and set the following things in it:
>>
>> (1) An EVP_PKEY* :
>> 1a> created with PEM_read_bio_PrivateKey().
>> 1b> set in the ctx using SSL_CTX_use_PrivateKey().
>>
> after setting key, free key
>
>>
>> (2) A number of X509* instances (cuz chained certs) :
>> 2a> all created with PEM_read_bio_X509().
>> 2b> set in the ctx using SSL_CTX_use_certificate() or
>> SSL_CTX_add_extra_chain_cert().
>>
> after setting certs, free certs.
>
>>
>> At the end, I use SSL_CTX_free() to free up the ctx. According to the man
>> page for SSL_CTX_free():
>>
>> "SSL_CTX_free() decrements the reference count of ctx, and removes the
>> SSL_CTX object pointed to by ctx and frees up the allocated memory if the
>> the reference count has reached 0.
>> It also calls the free()ing procedures for indirectly affected
>> items, if applicable: the session cache, the list of ciphers, the list of
>> Client CAs, the certificates and keys. "
>>
>> ... which tells me that freeing the SSL_CTX should free up its memory as
>> well as the things I set inside of it (unless I'm interpreting it super
>> wrong?) like " ... certificates and keys".
>> The problem is, when I run my application under valgrind, I keep seeing
>> memory leaks for both steps (1a) and (2a).
>>
>> I tried to get rid of them, by using EVP_PKEY_free() after I'm done
>> setting in step (1b). This works, and the leak for step (1a) goes away.
>> When I try to do the same for step (2), i.e. calling X509_free() after
>> every successful "set" call, I get a coredump (backtrace is attached:
>> bt_1.txt), coming out of SSL_CTX_free, suggesting that I did something
>> wrong.
>>
>>
>> Which brings me to my question, does anyone know the correct way to free
>> memory in SSL_CTX ? Or, what's wrong with my steps? The application doesn't
>> even perform SSL yet, I'm just trying to create/destroy SSL_CTX objects
>> without leaks first. Any help would be appreciated!
>>
>>
>> Thanks in advance,
>> -Pratyush.
>>
>
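
The ownership rules this thread converges on, as an added example that is not from the original posts and is not OpenSSL code: a self-contained C model in which cert_t, ctx_t and the ctx_* functions are hypothetical stand-ins for X509, SSL_CTX and the calls named in the comments. It reproduces the three outcomes reported above: the leak when nothing is freed, the crash inside SSL_CTX_free when every certificate is freed, and the clean run when only the SSL_CTX_use_certificate() certificate is freed by the caller.

```c
/* Added model, not OpenSSL code: cert_t/ctx_t and ctx_* are hypothetical
 * stand-ins that mirror only the reference counting discussed in the thread. */
#include <stddef.h>
#include <stdio.h>

typedef struct { int refs; int over_free; } cert_t;                 /* X509    */
typedef struct { cert_t *leaf; cert_t *chain[4]; size_t n; } ctx_t; /* SSL_CTX */
/* Like PEM_read_bio_X509(): the caller gets the first reference. */
static void cert_new(cert_t *c) { c->refs = 1; c->over_free = 0; }

/* Like X509_free(): drop one reference. Freeing at zero is recorded
 * instead of performed; in real code that is a use after free. */
static void cert_free(cert_t *c) {
    if (c->refs == 0) { c->over_free = 1; return; }
    c->refs--;
}

/* Like SSL_CTX_use_certificate(): the context adds its own reference. */
static void ctx_use_certificate(ctx_t *x, cert_t *c) { c->refs++; x->leaf = c; }

/* Like SSL_CTX_add_extra_chain_cert(): the context takes over the
 * caller's reference; the count does not change. */
static void ctx_add_extra_chain_cert(ctx_t *x, cert_t *c) { x->chain[x->n++] = c; }

/* Like SSL_CTX_free(): release every reference the context holds. */
static void ctx_free(ctx_t *x) {
    if (x->leaf) cert_free(x->leaf);
    for (size_t i = 0; i < x->n; i++) cert_free(x->chain[i]);
}

/* One scenario. Returns 0 = clean, 1 = leak, 2 = over-free (crash). */
int run(int free_leaf, int free_chain) {
    cert_t leaf, ca;
    ctx_t ctx = {0};
    cert_new(&leaf); cert_new(&ca);
    ctx_use_certificate(&ctx, &leaf);
    if (free_leaf) cert_free(&leaf);       /* caller drops its own reference */
    ctx_add_extra_chain_cert(&ctx, &ca);
    if (free_chain) cert_free(&ca);        /* wrong: ctx owns this reference */
    ctx_free(&ctx);
    if (leaf.over_free || ca.over_free) return 2;
    return (leaf.refs > 0 || ca.refs > 0) ? 1 : 0;
}

int main(void) {
    printf("no frees=%d  free all=%d  free leaf only=%d\n",
           run(0, 0), run(1, 1), run(1, 0));
    return 0;
}
```

In the model the over-free surfaces while the context walks its chain list, which corresponds to the sk_pop_free frame under SSL_CTX_free in the posted backtrace.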


Re: [openssl-users] Correct way to free SSL_CTX* ?

2018-01-28 Thread J Decker
On Sun, Jan 28, 2018 at 7:05 PM, pratyush parimal <
pratyush.pari...@gmail.com> wrote:

> Hi all,
>
> I'm trying to write an application in which I create an instance of
> SSL_CTX* using SSL_CTX_new(), and set the following things in it:
>
> (1) An EVP_PKEY* :
> 1a> created with PEM_read_bio_PrivateKey().
> 1b> set in the ctx using SSL_CTX_use_PrivateKey().
>
after setting key, free key

>
> (2) A number of X509* instances (cuz chained certs) :
> 2a> all created with PEM_read_bio_X509().
> 2b> set in the ctx using SSL_CTX_use_certificate() or
> SSL_CTX_add_extra_chain_cert().
>
after setting certs, free certs.

>
> At the end, I use SSL_CTX_free() to free up the ctx. According to the man
> page for SSL_CTX_free():
>
> "SSL_CTX_free() decrements the reference count of ctx, and removes the
> SSL_CTX object pointed to by ctx and frees up the allocated memory if the
> the reference count has reached 0.
> It also calls the free()ing procedures for indirectly affected
> items, if applicable: the session cache, the list of ciphers, the list of
> Client CAs, the certificates and keys. "
>
> ... which tells me that freeing the SSL_CTX should free up its memory as
> well as the things I set inside of it (unless I'm interpreting it super
> wrong?) like " ... certificates and keys".
> The problem is, when I run my application under valgrind, I keep seeing
> memory leaks for both steps (1a) and (2a).
>
> I tried to get rid of them, by using EVP_PKEY_free() after I'm done
> setting in step (1b). This works, and the leak for step (1a) goes away.
> When I try to do the same for step (2), i.e. calling X509_free() after
> every successful "set" call, I get a coredump (backtrace is attached:
> bt_1.txt), coming out of SSL_CTX_free, suggesting that I did something
> wrong.
>
>
> Which brings me to my question, does anyone know the correct way to free
> memory in SSL_CTX ? Or, what's wrong with my steps? The application doesn't
> even perform SSL yet, I'm just trying to create/destroy SSL_CTX objects
> without leaks first. Any help would be appreciated!
>
>
> Thanks in advance,
> -Pratyush.
>


[openssl-users] Correct way to free SSL_CTX* ?

2018-01-28 Thread pratyush parimal
Hi all,

I'm trying to write an application in which I create an instance of
SSL_CTX* using SSL_CTX_new(), and set the following things in it:

(1) An EVP_PKEY* :
1a> created with PEM_read_bio_PrivateKey().
1b> set in the ctx using SSL_CTX_use_PrivateKey().

(2) A number of X509* instances (cuz chained certs) :
2a> all created with PEM_read_bio_X509().
2b> set in the ctx using SSL_CTX_use_certificate() or
SSL_CTX_add_extra_chain_cert().

At the end, I use SSL_CTX_free() to free up the ctx. According to the man
page for SSL_CTX_free():

"SSL_CTX_free() decrements the reference count of ctx, and removes the
SSL_CTX object pointed to by ctx and frees up the allocated memory if the
the reference count has reached 0.
   It also calls the free()ing procedures for indirectly affected
items, if applicable: the session cache, the list of ciphers, the list of
Client CAs, the certificates and keys. "

... which tells me that freeing the SSL_CTX should free up its memory as
well as the things I set inside of it (unless I'm interpreting it super
wrong?) like " ... certificates and keys".
The problem is, when I run my application under valgrind, I keep seeing
memory leaks for both steps (1a) and (2a).

I tried to get rid of them, by using EVP_PKEY_free() after I'm done setting
in step (1b). This works, and the leak for step (1a) goes away.
When I try to do the same for step (2), i.e. calling X509_free() after
every successful "set" call, I get a coredump (backtrace is attached:
bt_1.txt), coming out of SSL_CTX_free, suggesting that I did something
wrong.


Which brings me to my question, does anyone know the correct way to free
memory in SSL_CTX ? Or, what's wrong with my steps? The application doesn't
even perform SSL yet, I'm just trying to create/destroy SSL_CTX objects
without leaks first. Any help would be appreciated!


Thanks in advance,
-Pratyush.

Leak when I don't free the X509* objects manually.
Line test_ssl_leak.cpp:241 actually has a call to PEM_read_bio_X509.

==27639== 
==27639== HEAP SUMMARY:
==27639==     in use at exit: 163,236 bytes in 2,948 blocks
==27639==   total heap usage: 5,063 allocs, 2,115 frees, 398,442 bytes allocated
==27639== 
==27639== 3,659 (184 direct, 3,475 indirect) bytes in 1 blocks are definitely lost in loss record 278 of 282
==27639==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27639==    by 0x5105E77: CRYPTO_malloc (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==27639==    by 0x51E1443: asn1_item_ex_combine_new (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==27639==    by 0x51E3EB0: ASN1_item_ex_d2i (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==27639==    by 0x51E449A: ASN1_item_d2i (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==27639==    by 0x51F33AD: PEM_ASN1_read_bio (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==27639==    by 0x4173B8: makeDataSSLCtx(std::__cxx11::basic_string const&, std::__cxx11::basic_string const&, std::__cxx11::basic_string const&, bool) (test_ssl_leak.cpp:241)
==27639==    by 0x417BE0: test_ssl_leak() (test_ssl_leak.cpp:487)
==27639==    by 0x4083CE: main (test2.cpp:53)
==27639== 
==27639== LEAK SUMMARY:
==27639==    definitely lost: 184 bytes in 1 blocks
==27639==    indirectly lost: 3,475 bytes in 94 blocks
==27639==      possibly lost: 0 bytes in 0 blocks
==27639==    still reachable: 159,577 bytes in 2,853 blocks
==27639==         suppressed: 0 bytes in 0 blocks
==27639== Reachable blocks (those to which a pointer was found) are not shown.
==27639== To see them, rerun with: --leak-check=full --show-leak-kinds=all


==
Core dump after I do call X509_free after a successful call to 
SSL_CTX_use_certificate() or SSL_CTX_add_extra_chain_cert()


#0  ASN1_STRING_free (a=0x40) at asn1_lib.c:428
#1  0x7f53f2fa5675 in ASN1_primitive_free (pval=, it=) at tasn_fre.c:244
#2  0x7f53f2fa5aaf in ASN1_template_free (pval=0x1627060, tt=tt@entry=0x7f53f3295970 ) at tasn_fre.c:191
#3  0x7f53f2fa57e2 in asn1_item_combine_free (pval=pval@entry=0x7ffe273ef1a8, it=0x7f53f328eb20 , combine=combine@entry=0) at tasn_fre.c:166
#4  0x7f53f2fa59f5 in ASN1_item_free (val=0x1627050, it=) at tasn_fre.c:72
#5  0x7f53f2f81041 in sk_pop_free (st=0x1628520, func=0x405380 ) at stack.c:327
#6  0x7f53f32e8da7 in SSL_CTX_free (a=0x16249d0) at ssl_lib.c:2152
#7  0x00417d69 in std::unique_ptr::reset (this=0x7ffe273ef220, __p=0x16249d0) at /usr/include/c++/5/bits/unique_ptr.h:344
#8  0x00417c33 in test_ssl_leak () at ../src/test_ssl_leak.cpp:492
#9  0x004083cf in main () at ../src/test2.cpp:53

Re: [openssl-users] mail encryption with ecdsa cert

2018-01-28 Thread clou


> On 26 Jan 2018, at 18:20, Kyle Hamilton wrote:
> 
> In order to use Elliptical Curves to encrypt, you would have to use
> the "Elliptical Curve Diffie-Hellman" algorithm to perform a key
> agreement.  This requires that both the sender and the recipient have
> EC keys which are marked in their certificates as being for the
> purpose "keyAgreement".

I have made sure that keyAgreement is in.
I get the following error

Error:
PKCS7_RECIP_INFO_set:encryption not supported for this key type

Key gen happens like this
/usr/local/bin/openssl ecparam -name secp521r1 -out secp521r1.pem
/usr/local/bin/openssl req -x509 -nodes -days 3650 -newkey ec:secp521r1.pem -keyout email-key.pem -out email.ch.pem

Which type of key do I need to generate? (for email signing and encryption).

Thanks a lot for any help!