<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Assume the following code snippet:</p>
<p>const unsigned char a_cert[] = {....... }; /* A DER certificate we
wish to load into the context's chain storage */<br>
int size_a_cert = sizeof(a_cert);</p>
<p>const unsigned char *cp;</p>
<p>X509 *cc_cert;<br>
</p>
<p>X509_STORE *cc = SSL_CTX_get_cert_store(a_context);<br>
if (cc == NULL) {<br>
panic ("Cannot get chain; fail");<br>
}<br>
cp = a_cert;<br>
cc_cert = d2i_X509(NULL, &cp, size_a_cert);<br>
if (cc_cert == NULL) {<br>
panic("Cert not valid");<br>
}<br>
if (!X509_STORE_add_cert(cc, cc_cert)) { /* Push the cert
into the chain store */<br>
panic ("Cannot add required chain certificate");<br>
}<br>
</p>
<p>/* X509_free(cc_cert); */<br>
</p>
<p>The question is the last line and whether it should be there
(uncommented) -- does the X509_STORE_add_cert call load the
*reference* or does it load the *data* (allocating whatever it
needs internally to do so)? In other words do I need to keep that
X509 structure around that got allocated by the d2i_X509 call or
do I free it after I've pushed it into the store?</p>
<p>The docs are silent on this as far as I can tell but some example
code I've seen floating around doesn't free it.<br>
</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</body>
</html>