the correct way of dealloc used memory by ssl structures?

Hi,

I'm tracking my server memory usage with valgrind, pmap and top or any process monitor. My first test was a startup-shutdown. In this test the only thing the server does is:

[0] initialize SSL_CTX
[1] load some cert files
[2] waits for a client
[3] receives a termination signal
[4] Clear SSL_CTX

With the following lines (the important ones):

[0]:
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms(); /* I think this is deprecated */
    SSL_library_init();
    method = SSLv23_method(); /* for compatibility with some java clients */
    ctx = SSL_CTX_new(method);

[1]:
    SSL_CTX_use_certificate_file(ctx, file1, SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(ctx, file2, SSL_FILETYPE_PEM);

[2]: here the server is waiting for a connection to handle.

[3]: I send C-c (SIGINT signal)

[4]:
    SSL_CTX_free(ctx);
    ERR_free_strings();
    EVP_cleanup();

Valgrind shows me that there are still reachable blocks; those blocks are from SSL initialization, as the test is for that purpose. Any other malloc() is clearly deallocated, I can check that with valgrind:

    ==20018== LEAK SUMMARY:
    ==20018==    definitely lost: 0 bytes in 0 blocks
    ==20018==    indirectly lost: 0 bytes in 0 blocks
    ==20018==      possibly lost: 0 bytes in 0 blocks
    ==20018==    still reachable: 2,176 bytes in 39 blocks
    ==20018==         suppressed: 0 bytes in 0 blocks

Then I can see those blocks leaking that correspond to SSL structures:

http://pastebin.ca/1658134

This wrong way of freeing ssl structures is a big deal, because when I run the test for new clients (where, I repeat, I can check and affirm that my mallocs are freed), the size of used memory increases even though the client disconnects. A client disconnection dealloc routine is something like this (again, important lines):

    /* release ssl structure */
    SSL_free(client->ssl);
    /* close client file descriptor */
    close(client->fd);

I wonder if I need to free something more than just the ssl structure associated with a client.

For each new connection a new ssl structure is created for that client (I came to this conclusion myself, maybe I'm wrong and the ssl structure should be only one for all clients):

    client->ssl = SSL_new(ctx);

And if SSL_free() does not free all used memory, every new connection will increase memory usage. That was my brief introduction to the situation. My question is: what is the procedure to free *all* used memory, first by an ssl structure and, second, by the ssl context structure?

If it's not too much to ask, I would also appreciate knowing the correct way to initialize *all* the structures. Valgrind reports hundreds (if not thousands) of errors about uninitialized values:

http://pastebin.ca/1658151

Should I call EVP_ functions to initialize all structures?

One last thing, SSL_CTX_free() should free the allocated memory for keys (from man):

    It also calls the free()ing procedures for indirectly affected items, if applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys.

Thanks in advance,
Regards
--
If you want freedom, compile the source. Get gentoo.
Sebastián Treu
http://labombiya.com.ar
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...
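
An added example, not part of the original post: one way to compare the LEAK SUMMARY of the startup/shutdown run with a summary taken after handling clients, to separate one-time allocations from per-connection growth. The second summary, the connection count of 100 and all function names are constructed for illustration.

```python
import re

# LEAK SUMMARY figures from the post (startup/shutdown run, no clients).
BASELINE = """\
==20018== LEAK SUMMARY:
==20018==    definitely lost: 0 bytes in 0 blocks
==20018==    indirectly lost: 0 bytes in 0 blocks
==20018==      possibly lost: 0 bytes in 0 blocks
==20018==    still reachable: 2,176 bytes in 39 blocks
==20018==         suppressed: 0 bytes in 0 blocks
"""
# Constructed sample (not from the post): same server after 100 connections.
AFTER_CLIENTS = """\
==20131== LEAK SUMMARY:
==20131==    definitely lost: 0 bytes in 0 blocks
==20131==    indirectly lost: 0 bytes in 0 blocks
==20131==      possibly lost: 0 bytes in 0 blocks
==20131==    still reachable: 32,976 bytes in 139 blocks
==20131==         suppressed: 0 bytes in 0 blocks
"""

ROW = re.compile(r"^==\d+==\s+([a-z ]+?):\s+([\d,]+) bytes in ([\d,]+) blocks", re.M)

def parse_leak_summary(text):
    """Return {category: (bytes, blocks)} from a valgrind LEAK SUMMARY."""
    return {m.group(1): (int(m.group(2).replace(",", "")),
                         int(m.group(3).replace(",", "")))
            for m in ROW.finditer(text)}

def growth_per_connection(baseline, loaded, connections):
    """Bytes each category grew by per handled connection."""
    return {kind: (loaded[kind][0] - baseline.get(kind, (0, 0))[0]) / connections
            for kind in loaded}

def classify(baseline_text, loaded_text, connections):
    """Say whether memory use scales with the number of connections."""
    base = parse_leak_summary(baseline_text)
    load = parse_leak_summary(loaded_text)
    growth = growth_per_connection(base, load, connections)
    # "lost" categories: no pointer to the block exists any more at exit.
    if growth["definitely lost"] + growth["indirectly lost"] > 0:
        return "per-connection leak: blocks lost with no pointer remaining"
    # "still reachable": a pointer to the block still exists at exit.
    if growth["still reachable"] > 0:
        return "per-connection growth in memory still referenced at exit"
    return "constant: one-time allocations, not growing with connections"

if __name__ == "__main__":
    print(classify(BASELINE, AFTER_CLIENTS, 100))
```

A "still reachable" figure that stays the same between the two runs points to one-time setup allocations, while a figure that scales with the connection count points to per-client state that is still referenced at exit.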