On 13/04/2022 11:55, Ram Chandra via openssl-users wrote:
I am using OpenSSL version 1.1.1k. From that I see the following is done in
the OpenSSL code; please correct me if I am wrong.
Inside SSL_new:
SSL *SSL_new(SSL_CTX *ctx)
{
    SSL *s;
    .......
    .......
    s = OPENSSL_zalloc(sizeof(*s));
    ....
    ....
    SSL_CTX_up_ref(ctx);
    s->ctx = ctx;         /* ctx value to s->ctx, also gets freed when
                             SSL_free(s) is called ==> SSL_CTX_free(s->ctx) */
    ....
    ....
    SSL_CTX_up_ref(ctx);
    s->session_ctx = ctx; /* same value is getting assigned here also */
    .....
    return s;
}
Inside SSL_free:
void SSL_free(SSL *s)
{
    if (s == NULL)
        return;
    X509_VERIFY_PARAM_free(s->param);
    .....
    .....
    SSL_CTX_free(s->session_ctx); /* this holds the value of ctx that
                                     was passed to SSL_new(), yes or no? */
    .....
    .....
    SSL_CTX_free(s->ctx);         /* this again trying to free the same
                                     pointer, abnormal behavior */
}
The point here is that inside SSL_CTX_free(), after freeing "s->session_ctx",
we are not setting "s->session_ctx" to NULL (this may be optional, it's ok
if we don't use the same pointer again), but "s->session_ctx"
and "s->ctx" both have the same value. So applying "free()" on the same value
again (through SSL_CTX_free(s->ctx);) will result in abnormal
behavior, correct or not?
Not correct. SSL_CTX_free() may not actually free the object at all -
see below.
I could not understand how OpenSSL frees pointers if they are
assigned to multiple different variables.
Note: I tried going through "SSL_CTX_up_ref(ctx);" and
"SSL_CTX_down_ref(ctx);"; it looks like they are tracking the pointer usage
count by other APIs, but I could not understand what exactly they are
doing when the count is 0.
SSL_CTX objects are reference counted. So SSL_CTX_up_ref() increments
the reference count and SSL_CTX_free() decrements it. A reference is
created for each place that you assign an object to a different
location. Only when all references are freed (i.e. when the reference
count drops to 0) does the object itself actually get freed.
Matt
Could someone please elaborate a bit ..
Chand..
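To make the reference-counting behaviour Matt describes concrete, here is a small self-contained model of it. This is added example code written for this page, not OpenSSL's own source: the types toy_ctx and toy_ssl and the functions toy_ctx_new, toy_ctx_up_ref, toy_ctx_free, toy_ssl_new, toy_ssl_free and run_scenario are all hypothetical stand-ins for SSL_CTX, SSL, SSL_CTX_up_ref(), SSL_CTX_free(), SSL_new() and SSL_free(). It uses a plain int counter for readability; real OpenSSL updates the count atomically. The scenario it runs is exactly the one in the question: SSL_new() takes two references on the same ctx, SSL_free() drops both, and only the caller's own final SSL_CTX_free() releases the memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy reference-counted context modelled on SSL_CTX (example, not OpenSSL code). */
typedef struct {
    int references;   /* like SSL_CTX's reference count; OpenSSL updates it atomically */
    char name[32];
} toy_ctx;

/* Counts how many times the underlying object was really released. */
static int g_real_frees = 0;

/* Mirrors SSL_CTX_new(): the creator holds the first reference. */
toy_ctx *toy_ctx_new(const char *name)
{
    toy_ctx *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return NULL;
    ctx->references = 1;
    strncpy(ctx->name, name, sizeof(ctx->name) - 1);
    return ctx;
}

/* Mirrors SSL_CTX_up_ref(): one more holder of the same pointer. */
int toy_ctx_up_ref(toy_ctx *ctx)
{
    ctx->references++;
    return 1;
}

/* Mirrors SSL_CTX_free(): drop one reference; release memory only when none remain. */
void toy_ctx_free(toy_ctx *ctx)
{
    if (ctx == NULL)
        return;
    if (--ctx->references > 0)
        return;                    /* other holders still alive: nothing is freed */
    g_real_frees++;
    free(ctx);
}

/* Toy SSL object that, like SSL, stores the same ctx pointer in two fields. */
typedef struct {
    toy_ctx *ctx;
    toy_ctx *session_ctx;
} toy_ssl;

/* Mirrors SSL_new(): each stored copy of the pointer takes its own reference. */
toy_ssl *toy_ssl_new(toy_ctx *ctx)
{
    toy_ssl *s = calloc(1, sizeof(*s));
    if (s == NULL)
        return NULL;
    toy_ctx_up_ref(ctx);
    s->ctx = ctx;
    toy_ctx_up_ref(ctx);
    s->session_ctx = ctx;
    return s;
}

/* Mirrors SSL_free(): release both references; the ctx itself survives. */
void toy_ssl_free(toy_ssl *s)
{
    if (s == NULL)
        return;
    toy_ctx_free(s->session_ctx);  /* count 3 -> 2 */
    toy_ctx_free(s->ctx);          /* count 2 -> 1; same pointer, still not freed */
    free(s);
}

/* Runs the scenario from the thread. Returns the number of real releases and
 * stores the reference count observed right after toy_ssl_free() in *after_ssl_free. */
int run_scenario(int *after_ssl_free)
{
    g_real_frees = 0;
    toy_ctx *ctx = toy_ctx_new("ctx");   /* refcount 1: caller's reference */
    toy_ssl *s = toy_ssl_new(ctx);       /* refcount 3 */
    toy_ssl_free(s);                     /* refcount 1, object still intact */
    *after_ssl_free = ctx->references;
    toy_ctx_free(ctx);                   /* refcount 0 -> memory actually released */
    return g_real_frees;
}

int main(void)
{
    int after = 0;
    int frees = run_scenario(&after);
    printf("refcount after toy_ssl_free: %d, real frees: %d\n", after, frees);
    return 0;
}
```

The two SSL_CTX_free() calls inside SSL_free() are therefore not a double free: each one only balances an up_ref taken in SSL_new(), and the object is destroyed exactly once, when the last holder (here the caller) lets go of it.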