[openssl-users] X509_STORE_free() and X509_LOOKUP_free() also frees the X509 certificates inside it

Thulasi Goriparthi thulasi.goriparthi at gmail.com
Wed Jun 10 13:08:10 UTC 2015


On 10 June 2015 at 18:05, Thulasi Goriparthi <thulasi.goriparthi at gmail.com>
wrote:

>
>
> On 10 June 2015 at 16:47, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>
>>  On 10/06/2015 12:41, Thulasi Goriparthi wrote:
>>
>>   X509_STORE_add_cert increments the reference count of each cert,
>> but only by 1.
>>
>> Sounds like there should be X509_STORE_add0_cert() and
>> X509_STORE_add1_cert() like for other parts of the library.
>>
>>  X509_STORE_free decrements the ref count by 1. So after decrementing,
>> if ref_count is 0, certificate will be freed.
>>
>> Jakob is saying that if you want them to stay even after X509_STORE_free,
>> explicitly increment the ref count before calling free using something like
>> below.
>>
>>   Interesting!  I assumed (based on the standard
>> refcounting paradigm) that the reference count of a
>> new object would be 1, and that some API (perhaps
>> X509_free()) would decrement and free if it hit 0.
>>
>
> Yes. You are correct.  STORE_free just decrements the ref count and calls
> X509_free.
> X509_free in turn checks if ref count is only 1 (in reference to the one
> incremented by new) before proceeding with free. If it is, it will
> decrement ref_count and proceed to free.
>

Correction: X509_free, or any free, just decrements the ref_count first and
then, if it is 0, it will proceed to the real free. So, if there is any explicit
up ref count, there is no need to decrement it (it shouldn't be decremented)
before calling X509_free.


>
>>  CRYPTO_add(&certificate->references, 1, CRYPTO_LOCK_X509);
>>
>>   Is there really no proper API wrapping this?
>>
>
> I couldn't find any right now. There is X509_OBJECT_up_ref_count() which
> takes care of X509_OBJECTs. But that requires allocating an X509_OBJECT and
> copying the X509 over there.
>
>>
>>  Decrement the ref count when you really want to free them and call
>> X509_free(certificate).
>>
>> Sorry for the confusion, decrementing ref count wouldn't be required.

>>
>>
>> On 10 June 2015 at 10:20, Nayna Jain <naynjain at in.ibm.com> wrote:
>>
>>>  Thanks Jakob,
>>> So, does that API not increment the reference count internally itself?
>>>
>>> I mean if I have to explicitly do that, what is the API for that ?
>>>
>>> Thanks & Regards,
>>> Nayna Jain
>>>
>>>
>>> From: Jakob Bohm <jb-openssl at wisemo.com>
>>> To: openssl-users at openssl.org
>>> Date: 06/10/2015 09:49 AM
>>> Subject: Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free()
>>> also frees the X509 certificates inside it
>>> Sent by: "openssl-users" <openssl-users-bounces at openssl.org>
>>>  ------------------------------
>>>
>>>
>>>
>>>
>>> On 10/06/2015 05:22, Nayna Jain wrote:
>>>
>>>
>>>    Hi all,
>>>
>>>    I am using X509_STORE and X509_LOOKUP to verify the certificate and
>>>    its chain.
>>>
>>>    But at the end when I do X509_STORE_free(store)  and
>>>    X509_LOOKUP_free(lookup), it is also doing free of the X509* certificate
>>>    which I added.
>>>    But I don't want that, because after that when I immediately try to
>>>    access the X509* certificate for further operation, it results in a core dump.
>>>
>>>    And if I don't do X509_STORE_free() then it will leave a memory
>>>    leak.
>>>
>>>    Let me know how to resolve this and if I misunderstood something.
>>>
>>>
>>> X509 objects (and many other objects in the API) are
>>> reference counted.
>>>
>>> Increment the reference count of each certificate as
>>> you add it to the X509_STORE, this should make the
>>> X509 object stay around after X509_STORE_free() frees
>>> it.
>>>
>>> However there is a shortage of documentation on the
>>> reference counting functions involved.
>>>
>>>
>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
>> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>>
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
>
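
The counting rules discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a toy C model showing when a pointer the caller keeps is still valid after the store is freed. `cert_t`, `store_t`, `live_certs` and every function below are hypothetical stand-ins for X509, X509_STORE, X509_STORE_add_cert(), X509_STORE_free() and X509_free().

```c
#include <stdlib.h>
/* Toy model of the reference counting in the thread; all names are hypothetical. */
typedef struct { int references; } cert_t;
typedef struct { cert_t *certs[8]; int n; } store_t;
static int live_certs = 0;            /* certs allocated and not yet really freed */

cert_t *cert_new(void) {
    cert_t *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->references = 1;                /* the creator holds the first reference */
    live_certs++;
    return c;
}
void cert_up_ref(cert_t *c) { c->references++; }
void cert_free(cert_t *c) {           /* decrement first, real free only at 0 */
    if (c == NULL || --c->references > 0) return;
    live_certs--;
    free(c);
}
store_t *store_new(void) { return calloc(1, sizeof(store_t)); }
int store_add_cert(store_t *s, cert_t *c) {
    if (s->n == 8) return 0;
    cert_up_ref(c);                   /* the store takes its own reference, +1 only */
    s->certs[s->n++] = c;
    return 1;
}
void store_free(store_t *s) {         /* drops exactly the store's references */
    for (int i = 0; i < s->n; i++) cert_free(s->certs[i]);
    free(s);
}
/* Returns live_certs right after store_free(); 0 means the caller's pointer now
 * dangles. *still_held gets the references the caller must still cert_free(). */
int live_after_store_free(int caller_frees_early, int extra_up_ref, int *still_held) {
    store_t *s = store_new();
    cert_t *c = cert_new();
    int held = 1, live;               /* references owned by the caller */
    if (s == NULL || c == NULL) { free(s); cert_free(c); return -1; }
    store_add_cert(s, c);
    if (extra_up_ref) { cert_up_ref(c); held++; }
    if (caller_frees_early) { cert_free(c); held--; }
    store_free(s);
    live = live_certs;
    if (still_held) *still_held = held;
    while (held-- > 0) cert_free(c);  /* one cert_free per reference still held */
    return live;
}
int main(void) { return live_after_store_free(1, 0, NULL) == 0 ? 0 : 1; }
```

In the model, the certificate outlives the store only while the caller still owns a reference, and each explicit extra reference needs its own matching free or the object leaks. OpenSSL 1.1.0 and later provide X509_up_ref() for taking that extra reference.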