How to handle OpenSSL and not get hurt

From PDP/Grid Wiki
Jump to navigationJump to search

Stuff you wished to know before you every needed to touch the OpenSSL library

On the web OpenSSL is poorly documented and even the book Network Security with OpenSSL doesn't touch the advanced inner workings of the library. There are more gems in the documentation of the OpenSSL source tarballs.

Use the source! When you're looking for anything particular or specialized and you really wish to know how OpenSSL is handling this: Use the Source!


What does that library call really do?

There exists X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) and X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx). The difference is that the X509_STORE_CTX_get_chain() will only return a reference to the certificate chain (type STACK_OF (X509) *) from within the X509_STORE_CTX structure and the X509_STORE_CTX_get1_chain() will make a duplicate certificate chain that will need to be free()'d.

Freeing a STACK_OF (X509) * is not to be done with just free(). That will create a memory leak. Also a X509_free (X509) * and using a STACK_OF (X509) * as input will create a memory leak. The proper way to free a STACK_OF (X509) * is to use sk_X509_pop_free(st, free_func), where for free_func you should use X509_free. Example: sk_X509_pop_free(chain, X509_free).

Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=How_to_handle_OpenSSL_and_not_get_hurt&oldid=3371"