Hello,

We have a firewall acting as a reverse proxy (server) doing SSL offload, and we are seeing a memory leak in x509_name_ex_new. We are using OpenSSL 0.9.8l. We ran OpenSSL's built-in memory leak checker, dumped the results using CRYPTO_mem_leaks_fp and found several leaks reported, one of them pointing to x509_name_ex_new. We observed that this leak happens only if client authentication is turned on. The code which sets up client authentication is as below:
/* OpenSSL headers needed by the functions below. PrintOpenSSLError, g_SslLog,
 * EVENTID_SSL_OUT_OF_MEMORY and unlikely() are our application's own logging
 * helpers and macros, not part of OpenSSL. */
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* Load a single PEM certificate from pemFile. Returns a new X509 (caller owns
 * the reference and must X509_free it) or NULL on error. */
X509 *Ssl_LoadPEMFile( const char *pemFile )
{
    X509 *x = NULL;
    BIO  *cert;

    if( ( cert = BIO_new( BIO_s_file( ) ) ) == NULL ) {
        PrintOpenSSLError( &g_SslLog, EVENTID_SSL_OUT_OF_MEMORY,
                           "%20.20s: Failed to create new BIO", "SslLoadPEMFile" );
        return( NULL );
    }

    if( BIO_read_filename( cert, pemFile ) <= 0 ) {
        PrintOpenSSLError( &g_SslLog, EVENTID_SSL_OUT_OF_MEMORY,
                           "%20.20s: Failed to open file: %s", "SslLoadPEMFile", pemFile );
        BIO_free( cert );
        return( NULL );
    }

    x = PEM_read_bio_X509_AUX( cert, NULL, NULL, NULL );
    if( unlikely( x == NULL ) ) {
        PrintOpenSSLError( &g_SslLog, EVENTID_SSL_OUT_OF_MEMORY,
                           "%20.20s: Failed to load certificate from file: %s",
                           "SslLoadPEMFile", pemFile );
    }

    BIO_free( cert );
    return( x );
}

/* Enable client authentication on pSslCtx. Returns 1 on success, 0 on error. */
int sslConnCtx_InitClientAuth( SSL_CTX *pSslCtx )
{
    X509 *cacert = Ssl_LoadPEMFile( <trusted_certificate_file_location> );

    if( cacert != NULL ) {
        /*
         * Add cert to the list of CA names to be sent to the client.
         * SSL_CTX_add_client_CA copies the subject name, so our reference
         * to cacert is still ours to release.
         */
        if( SSL_CTX_add_client_CA( pSslCtx, cacert ) == 0 ) {
            // Log error and return (release our reference first)
            X509_free( cacert );
            return( 0 );
        }

        /*
         * Add cert to the certificate verification storage.
         * X509_STORE_add_cert takes its own reference on the certificate.
         */
        if( X509_STORE_add_cert( SSL_CTX_get_cert_store( pSslCtx ), cacert ) == 0 ) {
            // Log error and return (release our reference first)
            X509_free( cacert );
            return( 0 );
        }

        /* Drop the reference returned by Ssl_LoadPEMFile; the store keeps its own. */
        X509_free( cacert );
    }

    SSL_CTX_set_verify( pSslCtx, SSL_VERIFY_PEER, NULL );
    return( 1 );
}

If I run our application in gdb and put breakpoints in x509_name_ex_new and x509_name_ex_free, I am seeing that for each request x509_name_ex_new is called multiple times, but x509_name_ex_free is never called. Am I missing something?

Thanks in advance,
-anirudh.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org