ssl - Usage difference between SSL_add0_chain_cert and SSL_add1_chain_cert?
The OpenSSL documentation says:

All these functions are implemented as macros. Those containing a 1 increment the reference count of the supplied certificate or chain, so it must be freed at some point after the operation. Those containing a 0 do not increment reference counts, and the supplied certificate or chain MUST NOT be freed after the operation.

But when I tried to look at examples of the cases in which each one should be used, I got confused.
First, OpenSSL itself: it uses SSL_add0_chain_cert in SSL_CTX_use_certificate_chain_file, which is implemented by the function use_certificate_chain_file in ssl_rsa.c. Here is the source:

static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
{
    if (ctx)
        ret = SSL_CTX_use_certificate(ctx, x);
    else
        ret = SSL_use_certificate(ssl, x);
    ......
    /* each intermediate read here is handed over with add0, so the
     * reference returned by PEM_read_bio_X509 is not freed by this loop */
    while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
                                   passwd_callback_userdata)) != NULL) {
        if (ctx)
            r = SSL_CTX_add0_chain_cert(ctx, ca);
        else
            r = SSL_add0_chain_cert(ssl, ca);
        ......
    }
    ......
}
Second usage, see OpenResty's Lua module: it uses SSL_add0_chain_cert in one way of setting the certificate (ngx_http_lua_ffi_ssl_set_der_certificate), see here:

int
ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r,
    const char *data, size_t len, char **err)
{
    ......
    if (SSL_use_certificate(ssl_conn, x509) == 0) {
        *err = "SSL_use_certificate() failed";
        goto failed;
    }
    ......
    while (!BIO_eof(bio)) {
        x509 = d2i_X509_bio(bio, NULL);
        if (x509 == NULL) {
            *err = "d2i_X509_bio() failed";
            goto failed;
        }
        /* add0: the reference returned by d2i_X509_bio now belongs to ssl_conn */
        if (SSL_add0_chain_cert(ssl_conn, x509) == 0) {
            *err = "SSL_add0_chain_cert() failed";
            goto failed;
        }
    }
    BIO_free(bio);
    *err = NULL;
    return NGX_OK;
failed:
    .......
}
Yet it uses SSL_add1_chain_cert in the other way (ngx_http_lua_ffi_set_cert), see here:

int
ngx_http_lua_ffi_set_cert(ngx_http_request_t *r, void *cdata, char **err)
{
    ......
    if (SSL_use_certificate(ssl_conn, x509) == 0) {
        *err = "SSL_use_certificate() failed";
        goto failed;
    }
    x509 = NULL;
    /* read rest of chain */
    for (i = 1; i < sk_X509_num(chain); i++) {
        x509 = sk_X509_value(chain, i);   /* borrowed pointer; chain still owns it */
        if (x509 == NULL) {
            *err = "sk_X509_value() failed";
            goto failed;
        }
        /* add1: ssl_conn takes its own reference, chain keeps its own */
        if (SSL_add1_chain_cert(ssl_conn, x509) == 0) {
            *err = "SSL_add1_chain_cert() failed";
            goto failed;
        }
    }
    *err = NULL;
    return NGX_OK;
    /* no free of x509 here */
failed:
    ......
}
Yet I don't see a clear difference in what changes when calling these two in the Lua module, and it doesn't seem that the cert x509, once set successfully, gets freed in either case. According to my understanding of the OpenSSL doc, I should expect X509_free(x509) to get called somewhere after SSL_add1_chain_cert is called on x509. Is that the correct understanding?
Lastly, the OpenSSL implementation of ssl_cert_add1_chain_cert (what the SSL_add1_chain_cert macro boils down to) does indeed show it is a wrapper of ssl_cert_add0_chain_cert with the reference count incremented on the cert, but how should that be reflected in the calling process?

int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x)
{
    if (!ssl_cert_add0_chain_cert(s, ctx, x))
        return 0;
    X509_up_ref(x);   /* the extra reference is the one the SSL object keeps */
    return 1;
}
Now, nginx itself deals with the function SSL_CTX_add_extra_chain_cert, which leaves the burden of such a choice behind, but it does not deal with switching the cert on a per-SSL-connection basis. In my case I need to patch nginx with the capability of switching certs per connection (but without using Lua).

So I'm not sure which one I should be using, SSL_add0_chain_cert or SSL_add1_chain_cert? And what's the freeing practice here?
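The ownership rule the question is about, shown as an added example that is not part of the original post and not OpenSSL's or OpenResty's code. The model_* names are a constructed stand-in for OpenSSL's reference-counted X509 and the add0/add1 pair (an assumption for illustration, not the real types); what is copied from OpenSSL is the behaviour: X509_new, d2i_X509 and PEM_read_bio_X509 hand the caller one reference, SSL_add0_chain_cert stores the pointer and takes over that reference, SSL_add1_chain_cert is add0 plus X509_up_ref (exactly the shape of ssl_cert_add1_chain_cert above), and SSL_free / SSL_CTX_free drop the chain's references. The model keeps a live-object count and a double-free count so the four calling patterns (the two correct ones used by OpenSSL and the Lua module, and their two mirror-image mistakes) can be checked:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of OpenSSL's refcounted X509 and the add0/add1 chain-cert
 * pair. model_* names are stand-ins for illustration, not OpenSSL functions. */

enum { OUTCOME_OK = 0, OUTCOME_LEAK = 1, OUTCOME_DOUBLE_FREE = 2 };

typedef struct { char subject[64]; int refs; } model_x509;

#define MAX_CHAIN 8
typedef struct { model_x509 *certs[MAX_CHAIN]; int n; } model_ssl; /* SSL / SSL_CTX */

#define POOL 32
static model_x509 pool[POOL];  /* bump allocator: a double free never touches freed memory */
static int pool_used;
static int live_certs;         /* certs whose refs > 0 */
static int double_frees;       /* frees of a cert whose refs already reached 0 */

static model_x509 *model_x509_new(const char *subject) { /* X509_new / d2i_X509 / PEM_read_bio_X509 */
    if (pool_used >= POOL) return NULL;
    model_x509 *x = &pool[pool_used++];
    memset(x, 0, sizeof *x);
    strncpy(x->subject, subject, sizeof x->subject - 1);
    x->refs = 1;               /* the caller owns exactly one reference */
    live_certs++;
    return x;
}

static void model_x509_up_ref(model_x509 *x) { x->refs++; }  /* X509_up_ref */

static void model_x509_free(model_x509 *x) {                  /* X509_free */
    if (x == NULL) return;
    if (x->refs <= 0) { double_frees++; return; }  /* with the real X509_free: use-after-free */
    if (--x->refs == 0) live_certs--;
}

static int model_add0_chain_cert(model_ssl *s, model_x509 *x) {  /* SSL_add0_chain_cert */
    if (s->n >= MAX_CHAIN) return 0;
    s->certs[s->n++] = x;      /* the chain now owns the reference the caller passed in */
    return 1;
}

static int model_add1_chain_cert(model_ssl *s, model_x509 *x) {  /* SSL_add1_chain_cert */
    if (!model_add0_chain_cert(s, x)) return 0;
    model_x509_up_ref(x);      /* same shape as ssl_cert_add1_chain_cert: add0, then up_ref */
    return 1;
}

static void model_ssl_free(model_ssl *s) {                        /* SSL_free / SSL_CTX_free */
    for (int i = 0; i < s->n; i++) model_x509_free(s->certs[i]);
    s->n = 0;
}

static int outcome(int live_before, int dbl_before) {
    if (double_frees != dbl_before) return OUTCOME_DOUBLE_FREE;
    if (live_certs != live_before) return OUTCOME_LEAK;
    return OUTCOME_OK;
}

/* add0, as in use_certificate_chain_file and ngx_http_lua_ffi_ssl_set_der_certificate:
 * the freshly decoded cert is handed over, so the caller must NOT free it. */
static int pattern_add0(int caller_frees) {
    int lb = live_certs, db = double_frees;
    model_ssl s = {{0}, 0};
    model_x509 *ca = model_x509_new("CN=Intermediate CA");   /* constructed sample cert */
    if (ca == NULL || !model_add0_chain_cert(&s, ca)) return -1;
    if (caller_frees) model_x509_free(ca);   /* wrong after add0: two owners of one reference */
    model_ssl_free(&s);
    return outcome(lb, db);
}

/* add1, as in ngx_http_lua_ffi_set_cert: the cert stays owned by the caller's own
 * chain (sk_X509_value returns a borrowed pointer), which the caller frees itself. */
static int pattern_add1(int caller_frees) {
    int lb = live_certs, db = double_frees;
    model_ssl s = {{0}, 0};
    model_x509 *chain[1] = { model_x509_new("CN=Intermediate CA") }; /* stands in for STACK_OF(X509) */
    if (chain[0] == NULL || !model_add1_chain_cert(&s, chain[0])) return -1;
    model_ssl_free(&s);                          /* the SSL object drops its own reference */
    if (caller_frees) model_x509_free(chain[0]); /* sk_X509_pop_free(chain, X509_free) */
    return outcome(lb, db);
}

int main(void) {
    printf("add0, caller does not free : %d (0 = ok)\n", pattern_add0(0));
    printf("add0, caller frees anyway  : %d (2 = double free)\n", pattern_add0(1));
    printf("add1, caller frees its ref : %d (0 = ok)\n", pattern_add1(1));
    printf("add1, caller never frees   : %d (1 = leak)\n", pattern_add1(0));
    return 0;
}
```

Translated back to the real API: after SSL_add0_chain_cert(ssl, x) succeeds, never call X509_free(x) on that pointer, because the SSL object now owns the one reference you got from d2i_X509 or PEM_read_bio_X509 (if add0 fails, you still own it and must free it, which is what use_certificate_chain_file does in the elided error path). After SSL_add1_chain_cert(ssl, x) the SSL object holds its own reference and you still hold yours, so you free yours when you are done with it; in ngx_http_lua_ffi_set_cert that reference belongs to the STACK_OF(X509) chain, which is released separately rather than by an X509_free right after the call.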