[openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 3 01:25:52 UTC 2018



> On Jan 2, 2018, at 7:38 PM, Karl Denninger <karl at denninger.net> wrote:
> 
> The question is the last line and whether it should be there (uncommented) -- does the X509_STORE_add_cert call load the *reference* or does it load the *data* (allocating whatever it needs internally to do so)?  In other words do I need to keep that X509 structure around that got allocated by the d2i_X509 call or do I free it after I've pushed it into the store?
> 
> The docs are silent on this as far as I can tell but some example code I've seen floating around doesn't free it.

The store takes ownership of the object (bumps its reference count
when it is added to the store) and so the caller should free it if
no longer needed outside the store.

At first glance I thought that commit:

  c0452248ea1a59a41023a4765ef7d9825e80a62b 

changed this in master, but a more careful reading of the
code reveals that the behaviour remains the same (correct).
The behaviour should of course be documented.  Feel free
to open an issue on GitHub.

I should note that taking ownership of the object when added
to the store is the "natural" or "expected" behaviour, and
while this does not "excuse" not documenting it, that should
be the best guess of how the function behaves.

-- 
	Viktor.


