ssl - Usage difference between SSL_add0_chain_cert and SSL_add1_chain_cert?


The OpenSSL documentation says:

    All these functions are implemented as macros. Those containing a 1 increment the reference count of the supplied certificate or chain so it must be freed at some point after the operation. Those containing a 0 do not increment reference counts and the supplied certificate or chain MUST NOT be freed after the operation.

But when I tried to look at examples of the cases where one should be used, I'm confused.

First, OpenSSL:

It uses SSL_add0_chain_cert in the SSL_CTX_use_certificate_chain_file function of ssl_rsa.c. Here is the source:

    static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
    {
        if (ctx)
            ret = SSL_CTX_use_certificate(ctx, x);
        else
            ret = SSL_use_certificate(ssl, x);
        ......
        while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
                                       passwd_callback_userdata))
               != NULL) {
            if (ctx)
                r = SSL_CTX_add0_chain_cert(ctx, ca);
            else
                r = SSL_add0_chain_cert(ssl, ca);
        ......
    }

Second usage, see OpenResty Lua:

It uses SSL_add0_chain_cert in one way of setting the certificate (ngx_http_lua_ffi_ssl_set_der_certificate), see here:

    int
    ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r,
        const char *data, size_t len, char **err)
    {
        ......
        if (SSL_use_certificate(ssl_conn, x509) == 0) {
            *err = "SSL_use_certificate() failed";
            goto failed;
        }
        ......
        while (!BIO_eof(bio)) {

            x509 = d2i_X509_bio(bio, NULL);
            if (x509 == NULL) {
                *err = "d2i_X509_bio() failed";
                goto failed;
            }

            if (SSL_add0_chain_cert(ssl_conn, x509) == 0) {
                *err = "SSL_add0_chain_cert() failed";
                goto failed;
            }
        }

        BIO_free(bio);

        *err = NULL;
        return NGX_OK;

    failed:
        .......
    }

Yet it uses SSL_add1_chain_cert in another way (ngx_http_lua_ffi_set_cert), see here:

    int
    ngx_http_lua_ffi_set_cert(ngx_http_request_t *r,
        void *cdata, char **err)
    {
        ......
        if (SSL_use_certificate(ssl_conn, x509) == 0) {
            *err = "SSL_use_certificate() failed";
            goto failed;
        }

        x509 = NULL;

        /* read rest of the chain */

        for (i = 1; i < sk_X509_num(chain); i++) {

            x509 = sk_X509_value(chain, i);
            if (x509 == NULL) {
                *err = "sk_X509_value() failed";
                goto failed;
            }

            if (SSL_add1_chain_cert(ssl_conn, x509) == 0) {
                *err = "SSL_add1_chain_cert() failed";
                goto failed;
            }
        }

        *err = NULL;
        return NGX_OK;  /* no free of x509 here */

    failed:
        ......
    }

Yet I don't see a clear difference in what changes when calling these two in Lua, and it doesn't seem that the cert x509, when set successfully, gets freed in either case. According to my understanding of the OpenSSL doc, I should expect X509_free(x509) to get called somewhere after SSL_add1_chain_cert is called on x509. Is my understanding correct?

Last, the OpenSSL implementation of ssl_cert_add1_chain_cert (which is what the SSL_add1_chain_cert macro boils down to) does indeed show it's a wrapper of ssl_cert_add0_chain_cert with the reference count incremented on the cert, but how should this be reflected in the calling process?

    int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x)
    {
        if (!ssl_cert_add0_chain_cert(s, ctx, x))
            return 0;
        X509_up_ref(x);
        return 1;
    }

Now nginx deals with this via the function SSL_CTX_add_extra_chain_cert, which leaves the burden of such a choice behind, but it does not deal with switching certs on a per SSL connection basis. In my case I need to patch nginx with the capability of switching certs per connection (but without using Lua).

So I'm not sure which one I should be using, SSL_add0_chain_cert or SSL_add1_chain_cert? And what's the freeing practice here?
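As an added illustration (not code from the question, OpenResty or OpenSSL), here is the reference-count convention the quoted doc paragraph describes, modelled in plain C with no OpenSSL dependency so it runs anywhere. All names are hypothetical stand-ins: cert_t for X509, cert_up_ref/cert_free for X509_up_ref/X509_free, ssl_add0_chain/ssl_add1_chain for the add0/add1 macros, ssl_free for the chain part of SSL_free. The three scenarios mirror the two OpenResty paths above: a cert freshly returned by d2i_X509_bio (a new reference) is handed over with add0 and the caller never frees it; a cert borrowed from a STACK_OF(X509) via sk_X509_value (which does not transfer ownership) is added with add1 and the stack keeps the reference it releases later; and add1 without any matching free leaks.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not OpenSSL code. cert_t stands in for X509, ssl_t for an
 * SSL/SSL_CTX chain; cert_up_ref/cert_free mirror X509_up_ref/X509_free, and
 * ssl_add0_chain/ssl_add1_chain follow the add0/add1 ownership convention. */

typedef struct { int refs; } cert_t;   /* refcount starts at 1 on creation */

static int live_certs = 0;             /* allocated cert_t objects; exposes leaks */
int leaked_certs(void) { return live_certs; }

cert_t *cert_new(void) {
    cert_t *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->refs = 1;
    live_certs++;
    return c;
}

/* Like X509_up_ref: the caller now holds one more reference. */
int cert_up_ref(cert_t *c) { c->refs++; return 1; }

/* Like X509_free: drop one reference; the object dies with the last one. */
void cert_free(cert_t *c) {
    if (c == NULL) return;
    if (--c->refs == 0) { live_certs--; free(c); }
}

#define MAX_CHAIN 8
typedef struct { cert_t *chain[MAX_CHAIN]; int n; } ssl_t;

/* add0: the chain takes over the caller's reference; the caller must not free it. */
int ssl_add0_chain(ssl_t *s, cert_t *c) {
    if (s->n >= MAX_CHAIN) return 0;
    s->chain[s->n++] = c;
    return 1;
}

/* add1: add0 plus one up_ref, so the caller keeps its own reference and stays
 * responsible for freeing it (the shape of ssl_cert_add1_chain_cert above). */
int ssl_add1_chain(ssl_t *s, cert_t *c) {
    if (!ssl_add0_chain(s, c)) return 0;
    cert_up_ref(c);
    return 1;
}

/* Like the chain part of SSL_free: release every reference the chain holds. */
void ssl_free(ssl_t *s) {
    for (int i = 0; i < s->n; i++) cert_free(s->chain[i]);
    s->n = 0;
}

/* Scenario 1: a freshly parsed cert only the chain needs (the d2i_X509_bio /
 * PEM_read_bio_X509 case): hand it over with add0 and never touch it again.
 * Returns the refcount observed right after the add. */
int scenario_add0(void) {
    ssl_t s = { { 0 }, 0 };
    cert_t *ca = cert_new();
    if (!ssl_add0_chain(&s, ca)) return -1;
    int refs_after_add = ca->refs;   /* 1: the chain is the only owner */
    ssl_free(&s);                    /* frees the cert; no cert_free by us */
    return refs_after_add;
}

/* Scenario 2: a cert some other owner keeps (the sk_X509_value case, where the
 * STACK_OF(X509) holds its own reference): add1, then release ours later. */
int scenario_add1(void) {
    ssl_t s = { { 0 }, 0 };
    cert_t *ca = cert_new();         /* our reference, as the stack would hold */
    if (!ssl_add1_chain(&s, ca)) return -1;
    int refs_after_add = ca->refs;   /* 2: chain + us */
    cert_free(ca);                   /* our reference (freed with the stack in OpenSSL) */
    ssl_free(&s);                    /* chain's reference; object is gone now */
    return refs_after_add;
}

/* Scenario 3: add1 without ever releasing the caller's reference leaks one
 * object per call; leaked_certs() goes up by one. */
int scenario_add1_without_free(void) {
    ssl_t s = { { 0 }, 0 };
    cert_t *ca = cert_new();
    if (!ssl_add1_chain(&s, ca)) return -1;
    int refs_after_add = ca->refs;
    ssl_free(&s);                    /* refs drop to 1; nobody drops the last one */
    return refs_after_add;
}

int main(void) {
    int r0 = scenario_add0();
    printf("add0: refs after add = %d, leaked = %d\n", r0, leaked_certs());
    int r1 = scenario_add1();
    printf("add1: refs after add = %d, leaked = %d\n", r1, leaked_certs());
    int r2 = scenario_add1_without_free();
    printf("add1 without free: refs after add = %d, leaked = %d\n", r2, leaked_certs());
    return 0;
}
```

The same rule carries over to OpenSSL itself: after SSL_add1_chain_cert the X509 still belongs to whoever parsed or borrowed it (in ngx_http_lua_ffi_set_cert that is the chain stack, whose references go away when the stack is freed), so an X509_free is expected on that owner's side, whereas an X509_free after SSL_add0_chain_cert would release a reference the caller no longer owns. A live-object counter like the one here, or a leak checker such as valgrind or ASan on a real build, is the practical way to confirm which convention a given code path follows.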

