[openssl-users] X509_STORE_free() and X509_LOOKUP_free() also frees the X509 certificates inside it

Jakob Bohm jb-openssl at wisemo.com
Wed Jun 10 11:17:41 UTC 2015


On 10/06/2015 12:41, Thulasi Goriparthi wrote:
> X509_STORE_add_cert increments the reference count of each cert, 
> but only by 1.
Sounds like there should be X509_STORE_add0_cert() and
X509_STORE_add1_cert() like for other parts of the library.
> X509_STORE_free decrements the ref count by 1. So after decrementing, 
> if ref_count is 0, certificate will be freed.
>
> Jakob is saying that if you want them to stay even after 
> X509_STORE_free, explicitly increment the ref count before calling 
> free using something like below.
>
Interesting!  I assumed (based on the standard
refcounting paradigm) that the reference count of a
new object would be 1, and that some API (perhaps
X509_free()) would decrement and free if it hit 0.

> CRYPTO_add(&certificate->references, 1, CRYPTO_LOCK_X509);
>
Is there really no proper API wrapping this?
>
> Decrement the ref count when you really want to free them and call 
> X509_free(certificate).
>
Is there really no proper API wrapping this?
>
> On 10 June 2015 at 10:20, Nayna Jain <naynjain at in.ibm.com> wrote:
>
>     Thanks Jakob,
>     So, does that API not increment the reference count internally itself?
>
>     I mean if I have to explicitly do that, what is the API for that ?
>
>     Thanks & Regards,
>     Nayna Jain
>
>
>     From: Jakob Bohm <jb-openssl at wisemo.com>
>     To: openssl-users at openssl.org
>     Date: 06/10/2015 09:49 AM
>     Subject: Re: [openssl-users] X509_STORE_free() and
>     X509_LOOKUP_free() also frees the X509 certificates inside it
>     Sent by: "openssl-users" <openssl-users-bounces at openssl.org>
>
>     ------------------------------------------------------------------------
>
>
>
>
>     On 10/06/2015 05:22, Nayna Jain wrote:
>
>
>         Hi all,
>
>         I am using X509_STORE and X509_LOOKUP to verify the
>         certificate and its chain.
>
>         But at the end when I do X509_STORE_free(store)  and
>         X509_LOOKUP_free(lookup), it is also doing free of the X509*
>         certificate which I added.
>         But I don't want that, because after that when I immediately
>         try to access X509* certificate for further operation, then it
>         results in core dump
>
>         And if I don't do X509_STORE_free() then it will leave the
>         memory leak.
>
>         Let me know how to resolve this and if I misunderstood something. 
>
>
>     X509 objects (and many other objects in the API) are
>     reference counted.
>
>     Increment the reference count of each certificate as
>     you add it to the X509_STORE, this should make the
>     X509 object stay around after X509_STORE_free() frees
>     it.
>
>     However there is a shortage of documentation on the
>     reference counting functions involved.
>


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
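
The ownership rule discussed in this thread, as an added example that is not part of the original message and is not OpenSSL code: a toy reference-counted model of the add0/add1 conventions mentioned above. All names (`cert_t`, `store_t`, `store_add0_cert`, `store_add1_cert`) are hypothetical stand-ins, not library API.

```c
#include <stdlib.h>

/* Toy model only: cert_t/store_t are hypothetical stand-ins for X509/X509_STORE. */
typedef struct { int references; } cert_t;
typedef struct { cert_t *certs[8]; int n; } store_t;

static int certs_destroyed = 0;      /* counts real deallocations */

cert_t *cert_new(void) {             /* a new object starts with one reference */
    cert_t *c = malloc(sizeof *c);
    if (!c) abort();
    c->references = 1;
    return c;
}
void cert_up_ref(cert_t *c) { c->references++; }
void cert_free(cert_t *c) {          /* drop one reference, destroy at zero */
    if (c && --c->references == 0) { free(c); certs_destroyed++; }
}
/* add1: the store takes its own reference; the caller keeps theirs. */
int store_add1_cert(store_t *s, cert_t *c) {
    if (s->n == 8) return 0;
    cert_up_ref(c);
    s->certs[s->n++] = c;
    return 1;
}
/* add0: the caller's reference is handed over to the store. */
int store_add0_cert(store_t *s, cert_t *c) {
    if (s->n == 8) return 0;
    s->certs[s->n++] = c;
    return 1;
}
void store_free(store_t *s) {        /* drops exactly one reference per cert */
    for (int i = 0; i < s->n; i++) cert_free(s->certs[i]);
    s->n = 0;
}
/* add1 path: refcount the caller still sees after the store is freed. */
int refs_after_store_free_add1(void) {
    store_t s = {0};
    cert_t *c = cert_new();
    store_add1_cert(&s, c);          /* references == 2 */
    store_free(&s);                  /* references == 1, cert still valid */
    int r = c->references;
    cert_free(c);                    /* caller's own release destroys it */
    return r;
}
/* add0 path: certs destroyed by store_free alone; caller's pointer is dead. */
int destroyed_by_store_free_add0(void) {
    store_t s = {0};
    int before = certs_destroyed;
    store_add0_cert(&s, cert_new());
    store_free(&s);
    return certs_destroyed - before;
}
```

In OpenSSL 1.1.0 and later, the public call for taking an extra reference on a certificate is `X509_up_ref()`.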
