<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 10 June 2015 at 16:47, Jakob Bohm <span dir="ltr"><<a href="mailto:jb-openssl@wisemo.com" target="_blank">jb-openssl@wisemo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <div>On 10/06/2015 12:41, Thulasi Goriparthi
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>X509_STORE_add_cert increments the reference count of
              each cert, but only by 1.<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    </span><tt>Sounds like there should be X509_STORE_add0_cert() and <br>
      X509_STORE_add1_cert() like for other parts of the library.</tt><span class=""><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>X509_STORE_free decrements the ref count by 1. So after
            decrementing, if ref_count is 0, certificate will be freed.
            <br>
          </div>
          <br>
          Jakob is saying that if you want them to stay even after
          X509_STORE_free, explicitly increment the ref count before
          calling free using something like below.<br>
          <br>
        </div>
      </div>
    </blockquote>
    </span><tt>Interesting!  I assumed (based on the standard <br>
      refcounting paradigm) that the reference count of a <br>
      new object would be 1, and that some API (perhaps <br>
      X509_free()) would decrement and free if it hit 0.</tt><tt><br></tt></div></blockquote><div><br></div><div>Yes. You are correct.  STORE_free just decrements the ref count and calls X509_free.<br></div><div>X509_free in turn checks if ref count is only 1 (in reference to the one incremented by new) before proceeding with free. If it is, it will decrement ref_count and proceed to free.<br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><tt>
    </tt><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>CRYPTO_add(&amp;certificate->references, 1,
          CRYPTO_LOCK_X509);<br>
          <br>
        </div>
      </div>
    </blockquote>
    <tt>Is there really no proper API wrapping this?</tt><span class=""><br></span></div></blockquote><div> </div><div>I couldn't find any right now. There is X509_OBJECT_up_ref_count() which takes care of X509_OBJECTs. But that requires allocating an X509_OBJECT and copying the X509 over there.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><span class="">
    <blockquote type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>decrement the ref count when you really want to free them and
          call X509_free(certificate).<br>
          <tt><br>
          </tt></div>
      </div>
    </blockquote>
    </span><tt>Is there really no proper API wrapping this?</tt><div><div class="h5">
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 10 June 2015 at 10:20, Nayna Jain <span dir="ltr"><<a href="mailto:naynjain@in.ibm.com" target="_blank">naynjain@in.ibm.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF">
              <p><font size="2" face="sans-serif">Thanks Jakob,</font><br>
                <font size="2" face="sans-serif">So, does that API not
                  increment the reference count internally itself?</font><br>
                <br>
                <font size="2" face="sans-serif">I mean, if I have to
                  explicitly do that, what is the API for that?</font><br>
                <span>
                  <br>
                  <font size="2" face="sans-serif">Thanks & Regards,<br>
                    Nayna Jain</font><br>
                  <br>
                </span><br>
                <br>
                <font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">Jakob Bohm <<a href="mailto:jb-openssl@wisemo.com" target="_blank">jb-openssl@wisemo.com</a>></font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif"><a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a></font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">06/10/2015 09:49 AM</font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">Subject:
                </font><font size="1" face="sans-serif">Re:
                  [openssl-users] X509_STORE_free() and
                  X509_LOOKUP_free() also frees the X509 certificates
                  inside it</font><br>
                <font size="1" color="#5F5F5F" face="sans-serif">Sent
                  by: </font><font size="1" face="sans-serif">"openssl-users"
                  <<a href="mailto:openssl-users-bounces@openssl.org" target="_blank">openssl-users-bounces@openssl.org</a>></font><br>
              </p>
              <hr style="color:#8091a5" noshade size="2" width="100%" align="left">
              <div>
                <div><br>
                  <br>
                  <br>
                  <br>
                  <font size="3" face="serif">On 10/06/2015 05:22, Nayna
                    Jain wrote:</font>
                  <ul style="padding-left:36pt">
                    <br>
                    <font size="2" face="sans-serif">Hi all,</font><font size="3" face="serif"><br>
                    </font><font size="2" face="sans-serif"><br>
                      I am using X509_STORE and X509_LOOKUP to verify
                      the certificate and its chain.</font><font size="3" face="serif"><br>
                    </font><font size="2" face="sans-serif"><br>
                      But at the end when I do X509_STORE_free(store)
                       and X509_LOOKUP_free(lookup), it is also doing
                      free of the X509* certificate which I added.<br>
                      But I don't want that, because after that when I
                      immediately try to access X509* certificate for
                      further operation, then it results in core dump</font><font size="3" face="serif"><br>
                    </font><font size="2" face="sans-serif"><br>
                      And if I don't do X509_STORE_free() then it will
                      leave the memory leak.<br>
                      <br>
                      Let me know how to resolve this and if I
                      misunderstood something.</font>
                  </ul>
                  <br>
                  <tt><font size="3">X509 objects (and many other
                      objects in the API) are <br>
                      reference counted.<br>
                      <br>
                      Increment the reference count of each certificate
                      as <br>
                      you add it to the X509_STORE, this should make the
                      <br>
                      X509 object stay around after X509_STORE_free()
                      frees <br>
                      it.<br>
                      <br>
                      However there is a shortage of documentation on
                      the <br>
                      reference counting functions involved.<br>
                    </font></tt><br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre cols="72">Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  <a href="http://www.wisemo.com" target="_blank">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
  </div></div></div>

<br>_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div></div>
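<div>Added example, not part of the original thread and not OpenSSL code: a simplified C model of the ownership rules discussed above, showing when a caller's pointer survives the store being freed. All names (cert_t, store_add0, store_add1, survivors, ...) are hypothetical; the add0/add1 split follows the naming Jakob suggests.</div>

```c
/* Simplified model of the reference-counting rules discussed in this thread.
 * Every name here is hypothetical; none of this is OpenSSL API. */
#include <stdio.h>
#include <stdlib.h>
typedef struct { int references; } cert_t;
typedef struct { cert_t *items[8]; int n; } store_t;
static int live_certs = 0;            /* objects currently allocated */

static cert_t *cert_new(void) {
    cert_t *c = malloc(sizeof *c);
    if (c != NULL) { c->references = 1; live_certs++; } /* creator owns ref 1 */
    return c;
}
static void cert_up_ref(cert_t *c) { c->references++; }
static void cert_free(cert_t *c) {    /* drop one reference, destroy at zero */
    if (c != NULL && --c->references == 0) { free(c); live_certs--; }
}
/* add0: the store takes over the caller's reference (count unchanged). */
static int store_add0(store_t *s, cert_t *c) {
    if (s->n == 8) return 0;
    s->items[s->n++] = c;
    return 1;
}
/* add1: the store takes its own reference; the caller keeps theirs. */
static int store_add1(store_t *s, cert_t *c) {
    if (!store_add0(s, c)) return 0;
    cert_up_ref(c);
    return 1;
}
static void store_free(store_t *s) {  /* drops exactly one reference per cert */
    for (int i = 0; i < s->n; i++) cert_free(s->items[i]);
    s->n = 0;
}
/* Returns how many certs are still alive right after the store is freed. */
static int survivors(int use_add1, int extra_up_ref) {
    store_t s = { {0}, 0 };
    cert_t *c = cert_new();
    if (c == NULL) return -1;
    if (extra_up_ref) cert_up_ref(c); /* caller takes a reference of its own */
    if (use_add1) store_add1(&s, c); else store_add0(&s, c);
    store_free(&s);
    int alive = live_certs;           /* 0 means c now dangles: do not touch it */
    while (live_certs) cert_free(c);  /* release the caller's remaining refs */
    return alive;
}
int main(void) {
    printf("add1: %d, add0: %d, add0 after up_ref: %d\n",
           survivors(1, 0), survivors(0, 0), survivors(0, 1));
    return 0;
}
```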