On 10 June 2015 at 16:47, Jakob Bohm <jb-openssl at wisemo.com> wrote:

> On 10/06/2015 12:41, Thulasi Goriparthi wrote:
>
> X509_STORE_add_cert increments the reference count of each cert,
> but only by 1.
>
> Sounds like there should be X509_STORE_add0_cert() and
> X509_STORE_add1_cert() like for other parts of the library.
>
> X509_STORE_free decrements the ref count by 1. So after decrementing, if
> ref_count is 0, certificate will be freed.
>
> Jakob is saying that if you want them to stay even after X509_STORE_free,
> explicitly increment the ref count before calling free using something like
> below.
>
> Interesting! I assumed (based on the standard
> refcounting paradigm) that the reference count of a
> new object would be 1, and that some API (perhaps
> X509_free()) would decrement and free if it hit 0.
>

Yes. You are correct. STORE_free just decrements the ref count and calls X509_free. X509_free in turn checks if ref count is only 1 (in reference to the one incremented by new) before proceeding with free. If it is, it will decrement ref_count and proceed to free.

> CRYPTO_add(&certificate->references, 1, CRYPTO_LOCK_X509);
>
> Is there really no proper API wrapping this?
>

I couldn't find any right now. There is X509_OBJECT_up_ref_count() which takes care of X509_OBJECTs. But that requires allocating X509_OBJECT and copying X509 over there.

> decrypt the ref count when you really want to free them and call
> X509_free(certificate).
>
> Is there really no proper API wrapping this?
>
>
> On 10 June 2015 at 10:20, Nayna Jain <naynjain at in.ibm.com> wrote:
>
>> Thanks Jakob,
>> So, does that API do not increment reference count internally itself.
>>
>> I mean if I have to explicitly do that, what is the API for that ?
>>
>> Thanks & Regards,
>> Nayna Jain
>>
>> From: Jakob Bohm <jb-openssl at wisemo.com>
>> To: openssl-users at openssl.org
>> Date: 06/10/2015 09:49 AM
>> Subject: Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free()
>> also frees the X509 certificates inside it
>> Sent by: "openssl-users" <openssl-users-bounces at openssl.org>
>> ------------------------------
>>
>> On 10/06/2015 05:22, Nayna Jain wrote:
>>
>> Hi all,
>>
>> I am using X509_STORE and X509_LOOKUP to verify the certificate and
>> its chain.
>>
>> But at the end when I do X509_STORE_free(store) and
>> X509_LOOKUP_free(lookup), it is also doing free of the X509* certificate
>> which I added.
>> But I don't want that, because after that when I immediately try to
>> access X509* certificate for further operation, then it results in core dump
>>
>> And if I don't do X509_STORE_free() then it will leave the memory
>> leak.
>>
>> Let me know how to resolve this and if I misunderstood something.
>>
>>
>> X509 objects (and many other objects in the API) are
>> reference counted.
>>
>> Increment the reference count of each certificate as
>> you add it to the X509_STORE, this should make the
>> X509 object stay around after X509_STORE_free() frees
>> it.
>>
>> However there is a shortage of documentation on the
>> reference counting functions involved.
>>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
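
The ownership rules discussed in this thread, as an added toy model in C that is not part of any message above and is not OpenSSL code: `cert_t`, `store_t` and every function are hypothetical stand-ins, with add1 meaning the store takes its own reference and add0 meaning it takes over the caller's. It returns how many references the caller still holds after the store is freed, with and without the manual increment suggested in the thread.

```c
/* Toy model of the ownership rules discussed in this thread. NOT OpenSSL code:
 * cert_t, store_t and all functions below are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int references; } cert_t;
typedef struct { cert_t *certs[8]; int n; } store_t;
static int live_certs = 0;              /* certs allocated and not yet freed */

cert_t *cert_new(void) {                /* a new object holds one reference */
    cert_t *c = malloc(sizeof *c);
    if (c != NULL) { c->references = 1; live_certs++; }
    return c;
}
void cert_up_ref(cert_t *c) { c->references++; }
void cert_free(cert_t *c) {             /* drop one reference, free at zero */
    if (c == NULL || --c->references > 0) return;
    live_certs--;
    free(c);
}
/* add1: store takes its own reference. add0: store takes over the caller's. */
int store_add_cert(store_t *s, cert_t *c, int add1) {
    if (s->n == 8) return 0;
    if (add1) cert_up_ref(c);
    s->certs[s->n++] = c;
    return 1;
}
void store_free(store_t *s) {           /* drops exactly one reference per cert */
    while (s->n > 0) cert_free(s->certs[--s->n]);
}

/* References the caller still holds after store_free(); 0 means the cert was
 * freed together with the store and the caller's pointer is dangling. */
int refs_after_store_free(int add1, int extra_up_ref) {
    store_t s = { {0}, 0 };
    int before = live_certs, refs = 0;
    cert_t *c = cert_new();
    if (c == NULL) return -1;
    if (extra_up_ref) cert_up_ref(c);   /* the manual increment from the thread */
    store_add_cert(&s, c, add1);
    store_free(&s);
    if (live_certs > before) refs = c->references;  /* safe: still allocated */
    for (int i = 0; i < refs; i++) cert_free(c);    /* one free per reference */
    return refs;
}

int main(void) {
    printf("add1: %d, add0: %d, add0+up_ref: %d, add1+up_ref: %d\n",
           refs_after_store_free(1, 0), refs_after_store_free(0, 0),
           refs_after_store_free(0, 1), refs_after_store_free(1, 1));
    return 0;
}
```

In this model a result of 2 means the caller must release the certificate twice, otherwise it leaks.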