Geoff Thorpe wrote:
>
> Hi there,
>
> I've been checking up on some memory management issues and have a couple
> of questions. If anyone has any thoughts or views I'd very much appreciate
> them.
>
> X509_STORE_CTX_get_current_cert() and a few others do not up the reference
> count on the X509 object returned. I was carefully X509_free()ing
> everything I used and found this anomaly courtesy of some seg-faults. Some
> of the functions in x509_vfy.c seem to modify the reference count so I'm
> not sure if this is a bug or intentional. It's easy to work around just by
> not freeing, but I'd prefer to know if this should be changed rather than
> missing it and having my programs develop leaks.
>
[ other examples deleted ]

Yes horrible isn't it?

I've also noticed wildly inconsistent behaviour. When you call something
like XXX_get_YYY() you might get something which will last only as long
as the parent and it shouldn't be freed at all or something which will
persist by virtue of the upped reference count.

Also the way reference counts are upped is not friendly. I suppose we
should have functions like XXXX_up_reference_count(x); for use at an
application level rather than the current stuff which messes round with
structure internals.

I'm currently looking into rewriting the verify code. I'm hoping to
retain compatibility with the old behavior except where it does things
that are really silly. More consistency with the reference counts is
certainly one issue...

However if it works the way I hope it will then it will support things
like proper chain verify and certificate trust settings so hopefully no
one would *want* to do things the old way.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
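
The borrowed-versus-owned distinction discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a self-contained C model in which every type and function name (`cert_t`, `ctx_get_current_cert`, `ctx_get1_current_cert`, `cert_up_ref`) is hypothetical. It shows why freeing a pointer from a getter that does not up the count destroys the object under its parent, and how an up-ref accessor lets the caller keep it safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not OpenSSL code: every name below is hypothetical. */
typedef struct { int references; int *freed; } cert_t;
typedef struct { cert_t *current; } store_ctx_t;

cert_t *cert_new(int *freed) {
    cert_t *c = malloc(sizeof *c);
    if (c != NULL) { c->references = 1; c->freed = freed; *freed = 0; }
    return c;
}
/* Application-level accessor of the kind the reply asks for. */
cert_t *cert_up_ref(cert_t *c) { if (c != NULL) c->references++; return c; }

void cert_free(cert_t *c) {
    if (c == NULL || --c->references > 0) return;
    *c->freed = 1;               /* lets the caller observe destruction */
    free(c);
}
/* Borrowed: count untouched, valid only while ctx lives, caller must NOT free. */
cert_t *ctx_get_current_cert(store_ctx_t *ctx) { return ctx->current; }
/* Owned: count upped, caller MUST cert_free() it exactly once. */
cert_t *ctx_get1_current_cert(store_ctx_t *ctx) { return cert_up_ref(ctx->current); }
void ctx_cleanup(store_ctx_t *ctx) { cert_free(ctx->current); ctx->current = NULL; }

/* Correct: an owned reference outlives the context. Returns 1 on success. */
int keep_cert_past_ctx(void) {
    int freed = 0;
    store_ctx_t ctx = { cert_new(&freed) };
    cert_t *mine = ctx_get1_current_cert(&ctx);
    if (mine == NULL) return -1;
    ctx_cleanup(&ctx);           /* count 2 -> 1, object still alive */
    int survived = !freed && mine->references == 1;
    cert_free(mine);             /* count 1 -> 0, destroyed here */
    return survived && freed;
}
/* The bug from the thread: freeing a borrowed pointer. Returns 1 when the
   context is left holding a pointer to an already destroyed object. */
int free_borrowed_cert(void) {
    int freed = 0;
    store_ctx_t ctx = { cert_new(&freed) };
    cert_free(ctx_get_current_cert(&ctx));  /* count 1 -> 0 under the ctx */
    int dangling = freed;        /* ctx.current now points at freed memory */
    ctx.current = NULL;          /* ctx_cleanup() here would double free */
    return dangling;
}
int main(void) {
    printf("owned ok=%d borrowed-free dangling=%d\n",
           keep_cert_past_ctx(), free_borrowed_cert());
    return 0;
}
```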