On Tue, Oct 29, 2013, Daniel Kahn Gillmor wrote:
> On 10/29/2013 02:03 PM, Dr. Stephen Henson wrote:
> > On Tue, Oct 29, 2013, ?????? ??????? wrote:
> >
> > > I've noticed that SSL_CTX_add_extra_chain_cert (actually
> > > ssl3_ctx_ctrl(..., SSL_CTRL_EXTRA_CHAIN_CERT, ..., ...)) just pushes
> > > the X509 cert onto the context's cert stack. This means that I'm unable
> > > to free the original certificate, because a double free occurs when
> > > the context is freed later.
> >
> > You don't and shouldn't free it: it will be freed when the SSL_CTX it is
> > added to is freed.
>
> It isn't clear from the documentation for SSL_CTX_add_extra_chain_cert
> that the caller is relieved of responsibility for whatever is passed as
> the x509 argument (and indeed should probably not try to re-use it
> elsewhere, for example, in another SSL_CTX). Are you interested in
> patches to the documentation which would make this workflow clearer?
>

Yes, please send a patch to the request tracker.

> Also, i don't think this same workflow holds for similar functions
> (e.g. SSL_CTX_set_tmp_dh; apps/s_server.c invokes SSL_CTX_set_tmp_dh
> and subsequently frees the dh argument). Is there a pattern to this
> that users of OpenSSL should be aware of?
>

Newer functions have a 1 in the function name if they increase the
reference count and 0 if they do not. There are a lot of functions from
before the time this convention was adopted which can do either, and you
have to check the documentation (where it exists) or the source.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
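Worked example of the ownership rule discussed above, added here and not taken from the thread or from OpenSSL itself. It models the "0 takes your reference, 1 takes its own" convention with a toy reference-counted certificate (`cert_t`) and a toy context (`ctx_t`); both types and the helper names are constructed for illustration. The add0 path behaves like SSL_CTX_add_extra_chain_cert (the context keeps the caller's reference, so the caller must not free it), the add1 path like SSL_CTX_add1_chain_cert, and `cert_up_ref` stands in for X509_up_ref. Functions return counts rather than printing so the workflow can be checked: a live-object count of 0 at the end means nothing leaked, and the caller never freed anything it did not own, so the double free from the original report cannot happen.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy reference-counted "certificate" (constructed stand-in, not OpenSSL's X509). */
typedef struct {
    int refs;
    char subject[64];
} cert_t;

static int live_certs = 0;   /* objects currently allocated; 0 at exit means no leak */

int cert_live_count(void) { return live_certs; }

cert_t *cert_new(const char *subject) {
    cert_t *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->refs = 1;                              /* creator holds the first reference */
    strncpy(c->subject, subject, sizeof c->subject - 1);
    live_certs++;
    return c;
}

void cert_up_ref(cert_t *c) { c->refs++; }   /* plays the role of X509_up_ref */

void cert_free(cert_t *c) {
    if (c == NULL) return;
    if (--c->refs > 0) return;                /* another holder still owns a reference */
    live_certs--;
    free(c);
}

/* Toy "context" holding an extra-chain stack, like SSL_CTX does. */
#define MAX_CHAIN 8
typedef struct {
    cert_t *chain[MAX_CHAIN];
    int n;
} ctx_t;

/* add0 style: the pointer is stored as-is, so the context now owns the caller's reference. */
int ctx_add0_chain_cert(ctx_t *ctx, cert_t *c) {
    if (ctx->n >= MAX_CHAIN) return 0;
    ctx->chain[ctx->n++] = c;
    return 1;
}

/* add1 style: the count is bumped first, so caller and context each own one reference. */
int ctx_add1_chain_cert(ctx_t *ctx, cert_t *c) {
    if (ctx->n >= MAX_CHAIN) return 0;
    cert_up_ref(c);
    ctx->chain[ctx->n++] = c;
    return 1;
}

/* Freeing the context drops every reference it holds, as SSL_CTX_free does. */
void ctx_free(ctx_t *ctx) {
    for (int i = 0; i < ctx->n; i++) cert_free(ctx->chain[i]);
    ctx->n = 0;
}

/* The SSL_CTX_add_extra_chain_cert workflow done right: hand the cert over and forget it.
 * Returns the live-object count afterwards (expected 0). */
int add0_workflow(void) {
    ctx_t ctx = {0};
    cert_t *inter = cert_new("CN=Intermediate CA (constructed)");
    ctx_add0_chain_cert(&ctx, inter);
    /* no cert_free(inter) here: that reference belongs to ctx now */
    ctx_free(&ctx);
    return cert_live_count();
}

/* Reusing one cert in two contexts: each consumer takes its own reference and the
 * caller frees only its own at the end. Returns the refcount while all holders are alive. */
int add1_workflow(void) {
    ctx_t a = {0}, b = {0};
    cert_t *inter = cert_new("CN=Intermediate CA (constructed)");
    ctx_add1_chain_cert(&a, inter);
    ctx_add1_chain_cert(&b, inter);
    int refs = inter->refs;                   /* caller + a + b = 3 */
    ctx_free(&a);
    ctx_free(&b);
    cert_free(inter);                         /* the caller's own reference */
    return refs;
}

/* With an add0-only API the caller can still keep its handle by taking a reference
 * up front, which is exactly what an add1 variant does internally.
 * Returns the live count right after the context is freed (expected 1). */
int add0_then_keep_handle(void) {
    ctx_t ctx = {0};
    cert_t *inter = cert_new("CN=Intermediate CA (constructed)");
    cert_up_ref(inter);                       /* one reference for ctx, one for us */
    ctx_add0_chain_cert(&ctx, inter);
    ctx_free(&ctx);                           /* drops ctx's reference; object survives */
    int still_alive = cert_live_count();
    cert_free(inter);                         /* drop ours: now it is really gone */
    return still_alive;
}

int main(void) {
    printf("add0 workflow, live objects after: %d\n", add0_workflow());
    printf("add1 workflow, refs while shared: %d\n", add1_workflow());
    printf("add0 + up_ref, alive after ctx_free: %d\n", add0_then_keep_handle());
    printf("leaks at exit: %d\n", cert_live_count());
    return 0;
}
```

The SSL_CTX_set_tmp_dh case from the thread is the other shape: that call copies what it is given, so the caller keeps ownership and frees the DH afterwards, as apps/s_server.c does. For pre-convention functions without a 0/1 in the name, the only reliable check is the documentation or the source, as Steve says.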
