<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 10 June 2015 at 18:05, Thulasi Goriparthi <span dir="ltr"><<a href="mailto:thulasi.goriparthi@gmail.com" target="_blank">thulasi.goriparthi@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On 10 June 2015 at 16:47, Jakob Bohm <span dir="ltr"><<a href="mailto:jb-openssl@wisemo.com" target="_blank">jb-openssl@wisemo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span>
    <div>On 10/06/2015 12:41, Thulasi Goriparthi
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>X509_STORE_add_cert increments the reference count of
              each cert, but only by 1.<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    </span><tt>Sounds like there should be X509_STORE_add0_cert() and <br>
      X509_STORE_add1_cert() like for other parts of the library.</tt><span><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>X509_STORE_free decrements the ref count by 1. So after
            decrementing, if ref_count is 0, certificate will be freed.
            <br>
          </div>
          <br>
          Jakob is saying that if you want them to stay even after
          X509_STORE_free, explicitly increment the ref count before
          calling free using something like below.<br>
          <br>
        </div>
      </div>
    </blockquote>
    </span><tt>Interesting!  I assumed (based on the standard <br>
      refcounting paradigm) that the reference count of a <br>
      new object would be 1, and that some API (perhaps <br>
      X509_free()) would decrement and free if it hit 0.</tt><tt><br></tt></div></blockquote><div><br></div></span><div>Yes. You are correct. STORE_free just decrements the ref count and calls X509_free.<br></div><div>X509_free in turn checks if ref count is only 1 (in reference to the one incremented by new) before proceeding with free. If it is, it will decrement ref_count and proceed to free.<br></div></div></div></div></blockquote><div><br></div><div>Correction: X509_free, or any free, just decrements the ref_count first and then, if it is 0, it will proceed to the real free. So, if there is any explicit up ref count, there is no need to decrement it (shouldn't be decremented) before calling X509_free.<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><tt>
    </tt><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>CRYPTO_add(certificate->references, 1,
          CRYPTO_LOCK_X509);<br>
          <br>
        </div>
      </div>
    </blockquote>
    <tt>Is there really no proper API wrapping this?</tt><span><br></span></div></blockquote><div> </div></span><div>I couldn't find any right now. There is X509_OBJECT_up_ref_count() which takes care of X509_OBJECTs. But that requires allocating an X509_OBJECT and copying the X509 over there.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="h5"><div bgcolor="#FFFFFF" text="#000000"><span>
    <blockquote type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>decrement the ref count when you really want to free them and
          call X509_free(certificate).<br>
          <tt><br></tt></div></div></blockquote></span></div></div></div></blockquote></div></div></div></blockquote><div>Sorry for the confusion, decrementing ref count wouldn't be required. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="h5"><div bgcolor="#FFFFFF" text="#000000"><span><blockquote type="cite"><div dir="ltr"><div><tt>
          </tt></div>
      </div>
    </blockquote>
    </span><tt>Is there really no proper API wrapping this?</tt><div><div>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 10 June 2015 at 10:20, Nayna Jain <span dir="ltr"><<a href="mailto:naynjain@in.ibm.com" target="_blank">naynjain@in.ibm.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div bgcolor="#FFFFFF">
              <p><font size="2" face="sans-serif">Thanks Jakob,</font><br>
                <font size="2" face="sans-serif">So, does that API
                  not increment the reference count internally itself?</font><br>
                <br>
                <font size="2" face="sans-serif">I mean, if I have to
                  explicitly do that, what is the API for that?</font><br>
                <span>
                  <br>
                  <font size="2" face="sans-serif">Thanks & Regards,<br>
                    Nayna Jain</font><br>
                  <br>
                </span>
                <br>
                <font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">Jakob Bohm <<a href="mailto:jb-openssl@wisemo.com" target="_blank">jb-openssl@wisemo.com</a>></font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif"><a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a></font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">06/10/2015 09:49 AM</font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">Subject:
                </font><font size="1" face="sans-serif">Re:
                  [openssl-users] X509_STORE_free() and
                  X509_LOOKUP_free() also frees the X509 certificates
                  inside it</font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">Sent
                  by: </font><font size="1" face="sans-serif">"openssl-users"
                  <<a href="mailto:openssl-users-bounces@openssl.org" target="_blank">openssl-users-bounces@openssl.org</a>></font><br>
              </p>
              <hr style="color:rgb(128,145,165)" noshade size="2" width="100%" align="left">
              <div>
                <div><br>
                  <br>
                  <br>
                  <br>
                  <font size="3" face="serif">On 10/06/2015 05:22, Nayna
                    Jain wrote:</font>
                  <ul style="padding-left:36pt">
                    <br>
                    <font size="2" face="sans-serif">Hi all,</font><font size="3" face="serif"><br>
                    </font><font size="2" face="sans-serif"><br>
                      I am using X509_STORE and X509_LOOKUP to verify
                      the certificate and its chain.</font><font size="3" face="serif"><br>
                    </font><font size="2" face="sans-serif"><br>
                      But at the end when I do X509_STORE_free(store)
                       and X509_LOOKUP_free(lookup), it is also doing
                      free of the X509* certificate which I added.<br>
                      But I don't want that, because after that when I
                      immediately try to access X509* certificate for
                      further operation, then it results in core dump</font><font size="3" face="serif"><br>
                    </font><font size="2" face="sans-serif"><br>
                      And if I don't do X509_STORE_free() then it will
                      leave the memory leak.<br>
                      <br>
                      Let me know how to resolve this and if I
                      misunderstood something.</font>
                  </ul>
                  <br>
                  <tt><font size="3">X509 objects (and many other
                      objects in the API) are <br>
                      reference counted.<br>
                      <br>
                      Increment the reference count of each certificate
                      as <br>
                      you add it to the X509_STORE, this should make the
                      <br>
                      X509 object stay around after X509_STORE_free()
                      frees <br>
                      it.<br>
                      <br>
                      However there is a shortage of documentation on
                      the <br>
                      reference counting functions involved.<br>
                    </font></tt><br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre cols="72">Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  <a href="http://www.wisemo.com" target="_blank">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
  </div></div></div>

<br></div></div><span class="">_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br></span></blockquote></div><br></div></div>
</blockquote></div><br></div></div>
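<p>The counting rules discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code. <code>toy_cert</code>, <code>toy_store</code> and their functions are hypothetical stand-ins that model only the reference counts: a new object starts at 1, adding it to the store adds 1, and every free decrements first and releases at 0.</p>

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins, not OpenSSL types: they model only the counts. */
typedef struct { int references; } toy_cert;
typedef struct { toy_cert *certs[8]; int n; } toy_store;
static int live_certs = 0;            /* objects allocated and not yet released */
toy_cert *toy_cert_new(void) {
    toy_cert *c = malloc(sizeof *c);
    if (c == NULL) abort();
    c->references = 1;                /* the creator's own reference */
    live_certs++;
    return c;
}
/* Any free: decrement first, release only when the count reaches 0. */
void toy_cert_free(toy_cert *c) {
    if (c == NULL || --c->references > 0) return;
    live_certs--;
    free(c);
}
int toy_store_add_cert(toy_store *s, toy_cert *c) {
    if (s->n >= 8) return 0;
    c->references++;                  /* the store takes one reference of its own */
    s->certs[s->n++] = c;
    return 1;
}
void toy_store_free(toy_store *s) {   /* drops exactly the references it took */
    for (int i = 0; i < s->n; i++) toy_cert_free(s->certs[i]);
    s->n = 0;
}
/* Caller keeps its reference: the object survives the store. */
int refs_after_store_free(void) {
    toy_store s = {0};
    toy_cert *c = toy_cert_new();     /* 1 */
    toy_store_add_cert(&s, c);        /* 2 */
    toy_store_free(&s);               /* 1: still valid for the caller */
    int refs = c->references;
    toy_cert_free(c);                 /* 0: released here */
    return refs;
}
/* Caller already gave up its reference: the store's free is the last one. */
int released_by_store_free(void) {
    toy_store s = {0};
    toy_cert *c = toy_cert_new();     /* 1 */
    toy_store_add_cert(&s, c);        /* 2 */
    toy_cert_free(c);                 /* 1: only the store's reference is left */
    int before = live_certs;
    toy_store_free(&s);               /* 0: released, c is now dangling */
    return before - live_certs;
}
int main(void) { printf("%d %d\n", refs_after_store_free(), released_by_store_free()); return 0; }
```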