Change in gnutls_certificate_set_x509_key() API from 2.10 to 2.12
Sam Varshavchik
mrsam at courier-mta.com
Sun Nov 20 04:38:07 CET 2011

I updated from gnutls 2.10 to 2.12 (Fedora 15 to 16). I'm seeing memory
corruption after recompiling my gnutls client apps. I think I figured out
why, and I want to make sure that my understanding is correct.

Looking at gnutls 2.10 source, gnutls_certificate_set_x509_key() calls an
internal function, _gnutls_x509_privkey_to_gkey() to essentially make a copy
of the contents of the gnutls_x509_privkey_t parameter. So, in 2.10, the
caller to gnutls_certificate_set_x509_key() maintains exclusive ownership of
the gnutls_x509_privkey_t. The caller can destroy the gnutls_x509_privkey_t
as soon as gnutls_certificate_set_x509_key() returns, without affecting the
credentials object. That's what I am doing.

In gnutls 2.12, gnutls_certificate_set_x509_key() is completely different.
It looks to me like in 2.12, the gnutls_certificate_credentials_t object
saves a pointer to the gnutls_x509_privkey_t structure, essentially, so it
/cannot/ be destroyed, and must remain in existence as long as
gnutls_certificate_credentials_t exists, correct? I was destroying
gnutls_x509_privkey_t immediately after gnutls_certificate_set_x509_key(), I
no longer needed it. This works in 2.10, but doesn't appear to work in 2.12.
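
The two ownership contracts the post contrasts, as a self-contained C model added here for illustration. It is not code from the post or from GnuTLS: `privkey`, `creds` and every function name are hypothetical stand-ins, and the "2.10" and "2.12" labels follow the post's reading of those versions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the key and credentials objects; not GnuTLS types. */
typedef struct { unsigned char *secret; size_t len; } privkey;
typedef struct { privkey *key; int owns_key; } creds;

privkey *privkey_new(const void *data, size_t len) {
    privkey *k = malloc(sizeof *k);
    if (!k) return NULL;
    k->secret = malloc(len);
    if (!k->secret) { free(k); return NULL; }
    memcpy(k->secret, data, len);
    k->len = len;
    return k;
}

void privkey_free(privkey *k) {
    if (!k) return;
    free(k->secret);
    free(k);
}

/* Copy contract (2.10 as the post reads it): creds gets its own duplicate,
 * so the caller may destroy its key as soon as this returns. */
int creds_set_key_copy(creds *c, const privkey *k) {
    c->key = privkey_new(k->secret, k->len);
    c->owns_key = 1;
    return c->key ? 0 : -1;
}

/* Borrow contract (2.12 as the post reads it): creds keeps the caller's
 * pointer, so the key must outlive the credentials object. */
int creds_set_key_borrow(creds *c, privkey *k) {
    c->key = k;
    c->owns_key = 0;
    return 0;
}

/* Nonzero when destroying k now would leave c holding a dangling pointer. */
int key_still_needed(const creds *c, const privkey *k) {
    return c->key == k;
}

/* Teardown that is correct under either contract: detach the credentials
 * first, then release the caller's key (pass NULL if already destroyed). */
void teardown(creds *c, privkey *caller_key) {
    if (c->owns_key) privkey_free(c->key);
    c->key = NULL;
    privkey_free(caller_key);
}
```

Deferring the key's destruction until the credentials are released is valid under both contracts, which is why the `teardown` ordering does not depend on which one the library implements.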