ssl - Usage difference between SSL_add0_chain_cert and SSL_add1_chain_cert? -


in openssl documentation says:

all these functions implemented macros. containing 1 increment reference count of supplied certificate or chain must freed @ point after operation. containing 0 not increment reference counts , supplied certificate or chain must not freed after operation.

but when tried @ examples of cases 1 should used i'm confused.

first openssl:

it uses ssl_add0_chain_cert in ssl_ctx_use_certificate_chain_file function of ssl_rsa.c. here source:

static int use_certificate_chain_file(ssl_ctx *ctx, ssl *ssl, const char *file) {     if (ctx)         ret = ssl_ctx_use_certificate(ctx, x);     else         ret = ssl_use_certificate(ssl, x);     ......     while ((ca = pem_read_bio_x509(in, null, passwd_callback,                                    passwd_callback_userdata))            != null) {         if (ctx)             r = ssl_ctx_add0_chain_cert(ctx, ca);         else             r = ssl_add0_chain_cert(ssl, ca);     ...... }

second usage see openresty lua:

it uses ssl_add0_chain_cert in 1 way of setting certificate (ngx_http_lua_ffi_ssl_set_der_certificate), see here:

int ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, const char *data, size_t len, char **err) {     ......     if (ssl_use_certificate(ssl_conn, x509) == 0) {         *err = "ssl_use_certificate() failed";         goto failed;     }     ......     while (!bio_eof(bio)) {          x509 = d2i_x509_bio(bio, null);         if (x509 == null) {             *err = "d2i_x509_bio() failed";             goto failed;         }          if (ssl_add0_chain_cert(ssl_conn, x509) == 0) {             *err = "ssl_add0_chain_cert() failed";             goto failed;         }     }      bio_free(bio);      *err = null;     return ngx_ok; failed:     ....... }

yet uses ssl_add1_chain_cert in way (ngx_http_lua_ffi_set_cert), see here:

int ngx_http_lua_ffi_set_cert(ngx_http_request_t *r,     void *cdata, char **err) {     ......     if (ssl_use_certificate(ssl_conn, x509) == 0) {         *err = "ssl_use_certificate() failed";         goto failed;     }      x509 = null;      /* read rest of chain */      (i = 1; < sk_x509_num(chain); i++) {          x509 = sk_x509_value(chain, i);         if (x509 == null) {             *err = "sk_x509_value() failed";             goto failed;         }          if (ssl_add1_chain_cert(ssl_conn, x509) == 0) {             *err = "ssl_add1_chain_cert() failed";             goto failed;         }     }      *err = null;     return ngx_ok; /* no free of x509 here */  failed: ...... }

yet don't see clear difference of changes when calling these 2 in lua, , doesn't seem cert x509, when set successfully, gets freed in either case. according understanding of openssl doc, should expect x509_free(x509) gets called somewhere after ssl_add1_chain_cert called on x509. correct understanding?

last, openssl implementation of ssl_cert_add1_chain_cert (what boils down ssl_add1_chain_cert macro) indeed show it's wrapper of ssl_cert_add0_chain_cert reference count incremented on cert, how should reflected in calling process?

int ssl_cert_add1_chain_cert(ssl *s, ssl_ctx *ctx, x509 *x) {     if (!ssl_cert_add0_chain_cert(s, ctx, x))         return 0;     x509_up_ref(x);     return 1; }

now nginx deals function ssl_ctx_add_extra_chain_cert leaves burden of such choice behind, not deal switching cert per ssl connection basis. in case need patch nginx capability, switching cert per connection (but without using lua).

so i'm not sure 1 should using, ssl_add0_chain_cert or ssl_add1_chain_cert? , what's freeing practice here?


Comments

Post a Comment

Popular posts from this blog

python Tkinter Capturing keyboard events save as one single string -

is possible store keyboard events 1 string? code below stores 1 char , prints it. card reader or bar code reader, contains collection of character/ string not 1 character @ time. goal save char pressed text variable. from tkinter import * root = tk() def key(event): text= event.char text+= event.char print ("pressed", text) def callback(event): frame.focus_set() print ("clicked at", event.x, event.y) frame = frame(root, width=100, height=100) frame.bind("<key>", key) frame.bind("<button-1>", callback) frame.pack() root.mainloop() currently, creating text variable , everytime key() function gets called, , text stores last character typed. you can define text module level variable , , use module level text inside key function - text = '' def key(event): global text text+= event.char print("pressed", text)
Read more

android - InAppBilling registering BroadcastReceiver in AndroidManifest -

i'm implementing inapp billing in android app. works well, however, i'm trying decouple broadcast receiver activity manifest. suggestion in android's trivialdrive sample: // important: dynamically register broadcast messages updated purchases. // register receiver here instead of <receiver> in manifest // because call getpurchases() @ startup, therefore can ignore // broadcasts sent while app isn't running. // note: registering listener in activity bad idea, done here // because sample. regardless, receiver must registered after // iabhelper setup, before first call getpurchases(). currently there's class extends broadcastreceiver : public class iabbroadcastreceiver extends broadcastreceiver { /** * intent action receiver should filter for. */ public static final string action = "com.android.vending.billing.purchases_updated"; private final iabbroadcastlistener mlistener; public iabbroadcastreceiver(iabbroadcastlistener listener) { m
Read more

javascript - Z-index in d3.js -

i have map , when hover effect on region of map below yellow line , circle, last ones disappear. how can solve problem? http://jsfiddle.net/ot21n9qx/ var arc = g.append("path") .style("fill", "none") .style("stroke", "yellow") .style("stroke-width", 2) .attr("d", "m" + pathorigin[0] + "," + pathorigin[1] + " q" + svgpoint[0] + "," + pathorigin[1] + " " + svgpoint[0] + "," + svgpoint[1]); var circlesize = d3.scale.linear() .domain([0, 0.5, 1]) .range([4, 10, 4]); svg not have z order draws objects in order created. need create path , circle after create highlight regions. here forked fiddle: http://jsfiddle.net/o00fzgaf/1/
Read more