[openssl-users] X509_STORE_free() and X509_LOOKUP_free() also frees the X509 certificates inside it
Thulasi Goriparthi
thulasi.goriparthi at gmail.com
Wed Jun 10 12:35:44 UTC 2015
On 10 June 2015 at 16:47, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 10/06/2015 12:41, Thulasi Goriparthi wrote:
>
> X509_STORE_add_cert increments the reference count of each cert,
> but only by 1.
>
> Sounds like there should be X509_STORE_add0_cert() and
> X509_STORE_add1_cert() like for other parts of the library.
>
> X509_STORE_free decrements the ref count by 1. So after decrementing, if
> ref_count is 0, certificate will be freed.
>
> Jakob is saying that if you want them to stay even after X509_STORE_free,
> explicitly increment the ref count before calling free using something like
> below.
>
> Interesting! I assumed (based on the standard
> refcounting paradigm) that the reference count of a
> new object would be 1, and that some API (perhaps
> X509_free()) would decrement and free if it hit 0.
>
Yes. You are correct. STORE_free just decrements the ref count and calls
X509_free.
X509_free in turn checks if ref count is only 1 (in reference to the one
incremented by new) before proceeding with free. If it is, it will
decrement ref_count and proceed to free.
> CRYPTO_add(&certificate->references, 1, CRYPTO_LOCK_X509);
>
> Is there really no proper API wrapping this?
>
I couldn't find any right now. There is X509_OBJECT_up_ref_count() which
takes care of X509_OBJECTs. But that requires allocating an X509_OBJECT and
copying the X509 over there.
>
> Decrement the ref count when you really want to free them and call
> X509_free(certificate).
>
> Is there really no proper API wrapping this?
>
>
> On 10 June 2015 at 10:20, Nayna Jain <naynjain at in.ibm.com> wrote:
>
>> Thanks Jakob,
>> So, does that API not increment the reference count internally itself?
>>
>> I mean if I have to explicitly do that, what is the API for that ?
>>
>> Thanks & Regards,
>> Nayna Jain
>>
>> From: Jakob Bohm <jb-openssl at wisemo.com>
>> To: openssl-users at openssl.org
>> Date: 06/10/2015 09:49 AM
>> Subject: Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free()
>> also frees the X509 certificates inside it
>> Sent by: "openssl-users" <openssl-users-bounces at openssl.org>
>> ------------------------------
>>
>>
>>
>>
>> On 10/06/2015 05:22, Nayna Jain wrote:
>>
>>
>> Hi all,
>>
>> I am using X509_STORE and X509_LOOKUP to verify the certificate and
>> its chain.
>>
>> But at the end when I do X509_STORE_free(store) and
>> X509_LOOKUP_free(lookup), it is also doing free of the X509* certificate
>> which I added.
>> But I don't want that, because after that when I immediately try to
>> access X509* certificate for further operation, then it results in a core dump.
>>
>> And if I don't do X509_STORE_free() then it will leave the memory
>> leak.
>>
>> Let me know how to resolve this and if I misunderstood something.
>>
>>
>> X509 objects (and many other objects in the API) are
>> reference counted.
>>
>> Increment the reference count of each certificate as
>> you add it to the X509_STORE, this should make the
>> X509 object stay around after X509_STORE_free() frees
>> it.
>>
>> However there is a shortage of documentation on the
>> reference counting functions involved.
>>
>>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>