Convert CRYPTO_LOCK_X509_* to new multi-threading API

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

crypto/asn1/tasn_utl.c

@@ -105,6 +105,7 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
 {
     const ASN1_AUX *aux;
     int *lck, ret;
+    CRYPTO_RWLOCK **lock;
     if ((it->itype != ASN1_ITYPE_SEQUENCE)
         && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE))
         return 0;
@@ -112,15 +113,21 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
     if (!aux || !(aux->flags & ASN1_AFLG_REFCOUNT))
         return 0;
     lck = offset2ptr(*pval, aux->ref_offset);
+    lock = offset2ptr(*pval, aux->ref_lock);
     if (op == 0) {
         *lck = 1;
+        *lock = CRYPTO_THREAD_lock_new();
+        if (*lock == NULL)
+            return 0;
         return 1;
     }
-    ret = CRYPTO_add(lck, op, aux->ref_lock);
+    CRYPTO_atomic_add(lck, op, &ret, *lock);
 #ifdef REF_PRINT
     fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname);
 #endif
     REF_ASSERT_ISNT(ret < 0);
+    if (ret == 0)
+        CRYPTO_THREAD_lock_free(*lock);
     return ret;
 }
 

crypto/asn1/x_info.c

@@ -68,10 +68,18 @@ X509_INFO *X509_INFO_new(void)
     ret = OPENSSL_zalloc(sizeof(*ret));
     if (ret == NULL) {
         ASN1err(ASN1_F_X509_INFO_NEW, ERR_R_MALLOC_FAILURE);
-        return (NULL);
+        return NULL;
     }
+
     ret->references = 1;
-    return (ret);
+
+    ret->lock = CRYPTO_THREAD_lock_new();
+    if (ret->lock == NULL) {
+        X509_INFO_free(ret);
+        return NULL;
+    }
+
+    return ret;
 }
 
 void X509_INFO_free(X509_INFO *x)
@@ -81,7 +89,7 @@ void X509_INFO_free(X509_INFO *x)
     if (x == NULL)
         return;
 
-    i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO);
+    CRYPTO_atomic_add(&x->references, -1, &i, x->lock);
     REF_PRINT_COUNT("X509_INFO", x);
     if (i > 0)
         return;
@@ -91,5 +99,6 @@ void X509_INFO_free(X509_INFO *x)
     X509_CRL_free(x->crl);
     X509_PKEY_free(x->x_pkey);
     OPENSSL_free(x->enc_data);
+    CRYPTO_THREAD_lock_free(x->lock);
     OPENSSL_free(x);
 }

crypto/asn1/x_pkey.c

@@ -70,6 +70,11 @@ X509_PKEY *X509_PKEY_new(void)
         goto err;
 
     ret->references = 1;
+    ret->lock = CRYPTO_THREAD_lock_new();
+    if (ret->lock == NULL) {
+        OPENSSL_free(ret);
+        return NULL;
+    }
     ret->enc_algor = X509_ALGOR_new();
     ret->enc_pkey = ASN1_OCTET_STRING_new();
     if (ret->enc_algor == NULL || ret->enc_pkey == NULL)
@@ -89,7 +94,7 @@ void X509_PKEY_free(X509_PKEY *x)
     if (x == NULL)
         return;
 
-    i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
+    CRYPTO_atomic_add(&x->references, -1, &i, x->lock);
     REF_PRINT_COUNT("X509_PKEY", x);
     if (i > 0)
         return;
@@ -100,5 +105,6 @@ void X509_PKEY_free(X509_PKEY *x)
     EVP_PKEY_free(x->dec_pkey);
     if (x->key_free)
         OPENSSL_free(x->key_data);
+    CRYPTO_THREAD_lock_free(x->lock);
     OPENSSL_free(x);
 }

crypto/ec/ec_kmeth.c

@@ -143,6 +143,7 @@ EC_KEY *EC_KEY_new_method(ENGINE *engine)
         if (!ENGINE_init(engine)) {
             ECerr(EC_F_EC_KEY_NEW_METHOD, ERR_R_ENGINE_LIB);
             CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data);
+            CRYPTO_THREAD_lock_free(ret->lock);
             OPENSSL_free(ret);
             return NULL;
         }
@@ -155,6 +156,7 @@ EC_KEY *EC_KEY_new_method(ENGINE *engine)
             ECerr(EC_F_EC_KEY_NEW_METHOD, ERR_R_ENGINE_LIB);
             ENGINE_finish(ret->engine);
             CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data);
+            CRYPTO_THREAD_lock_free(ret->lock);
             OPENSSL_free(ret);
             return NULL;
         }

crypto/include/internal/x509_int.h

@@ -104,6 +104,7 @@ struct X509_req_st {
     X509_ALGOR sig_alg;         /* signature algorithm */
     ASN1_BIT_STRING *signature; /* signature */
     int references;
+    CRYPTO_RWLOCK *lock;
 };
 
 struct X509_crl_info_st {
@@ -141,6 +142,7 @@ struct X509_crl_st {
     /* alternative method to handle this CRL */
     const X509_CRL_METHOD *meth;
     void *meth_data;
+    CRYPTO_RWLOCK *lock;
 };
 
 struct x509_revoked_st {
@@ -212,6 +214,7 @@ struct x509_st {
 # endif
     unsigned char sha1_hash[SHA_DIGEST_LENGTH];
     X509_CERT_AUX *aux;
+    CRYPTO_RWLOCK *lock;
 } /* X509 */ ;
 
 /* PKCS#8 private key info structure */

crypto/x509/x509_lu.c

@@ -194,8 +194,13 @@ X509_STORE *X509_STORE_new(void)
     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
         goto err;
 
+    ret->lock = CRYPTO_THREAD_lock_new();
+    if (ret->lock == NULL)
+        goto err;
+
     ret->references = 1;
     return ret;
+
 err:
     X509_VERIFY_PARAM_free(ret->param);
     sk_X509_OBJECT_free(ret->objs);
@@ -228,7 +233,7 @@ void X509_STORE_free(X509_STORE *vfy)
     if (vfy == NULL)
         return;
 
-    i = CRYPTO_add(&vfy->references, -1, CRYPTO_LOCK_X509_STORE);
+    CRYPTO_atomic_add(&vfy->references, -1, &i, vfy->lock);
     REF_PRINT_COUNT("X509_STORE", vfy);
     if (i > 0)
         return;
@@ -245,9 +250,22 @@ void X509_STORE_free(X509_STORE *vfy)
 
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
     X509_VERIFY_PARAM_free(vfy->param);
+    CRYPTO_THREAD_lock_free(vfy->lock);
     OPENSSL_free(vfy);
 }
 
+int X509_STORE_up_ref(X509_STORE *vfy)
+{
+    int i;
+
+    if (CRYPTO_atomic_add(&vfy->references, 1, &i, vfy->lock) <= 0)
+        return 0;
+
+    REF_PRINT_COUNT("X509_STORE", a);
+    REF_ASSERT_ISNT(i < 2);
+    return ((i > 1) ? 1 : 0);
+}
+
 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
 {
     int i;
@@ -284,9 +302,9 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
     X509_OBJECT stmp, *tmp;
     int i, j;
 
-    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_write_lock(ctx->lock);
     tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
-    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_unlock(ctx->lock);
 
     if (tmp == NULL || type == X509_LU_CRL) {
         for (i = vs->current_method;
@@ -332,7 +350,7 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
     obj->type = X509_LU_X509;
     obj->data.x509 = x;
 
-    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_write_lock(ctx->lock);
 
     X509_OBJECT_up_ref_count(obj);
 
@@ -345,7 +363,7 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
     } else
         sk_X509_OBJECT_push(ctx->objs, obj);
 
-    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_unlock(ctx->lock);
 
     return ret;
 }
@@ -365,7 +383,7 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
     obj->type = X509_LU_CRL;
     obj->data.crl = x;
 
-    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_write_lock(ctx->lock);
 
     X509_OBJECT_up_ref_count(obj);
 
@@ -377,7 +395,7 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
     } else
         sk_X509_OBJECT_push(ctx->objs, obj);
 
-    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_unlock(ctx->lock);
 
     return ret;
 }
@@ -474,7 +492,7 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
     X509 *x;
     X509_OBJECT *obj;
     sk = sk_X509_new_null();
-    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_write_lock(ctx->ctx->lock);
     idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
     if (idx < 0) {
         /*
@@ -482,16 +500,16 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
          * cache
          */
         X509_OBJECT xobj;
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        CRYPTO_THREAD_unlock(ctx->ctx->lock);
         if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
             sk_X509_free(sk);
             return NULL;
         }
         X509_OBJECT_free_contents(&xobj);
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+        CRYPTO_THREAD_write_lock(ctx->ctx->lock);
         idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
         if (idx < 0) {
-            CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+            CRYPTO_THREAD_unlock(ctx->ctx->lock);
             sk_X509_free(sk);
             return NULL;
         }
@@ -501,13 +519,13 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
         x = obj->data.x509;
         X509_up_ref(x);
         if (!sk_X509_push(sk, x)) {
-            CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+            CRYPTO_THREAD_unlock(ctx->ctx->lock);
             X509_free(x);
             sk_X509_pop_free(sk, X509_free);
             return NULL;
         }
     }
-    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_unlock(ctx->ctx->lock);
     return sk;
 
 }
@@ -528,10 +546,10 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
         return NULL;
     }
     X509_OBJECT_free_contents(&xobj);
-    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_write_lock(ctx->ctx->lock);
     idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
     if (idx < 0) {
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        CRYPTO_THREAD_unlock(ctx->ctx->lock);
         sk_X509_CRL_free(sk);
         return NULL;
     }
@@ -541,13 +559,13 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
         x = obj->data.crl;
         X509_CRL_up_ref(x);
         if (!sk_X509_CRL_push(sk, x)) {
-            CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+            CRYPTO_THREAD_unlock(ctx->ctx->lock);
             X509_CRL_free(x);
             sk_X509_CRL_pop_free(sk, X509_CRL_free);
             return NULL;
         }
     }
-    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_unlock(ctx->ctx->lock);
     return sk;
 }
 
@@ -621,7 +639,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 
     /* Else find index of first cert accepted by 'check_issued' */
     ret = 0;
-    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_write_lock(ctx->ctx->lock);
     idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
     if (idx != -1) {            /* should be true as we've had at least one
                                  * match */
@@ -648,7 +666,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
             }
         }
     }
-    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    CRYPTO_THREAD_unlock(ctx->ctx->lock);
     if (*issuer)
         X509_up_ref(*issuer);
     return ret;

crypto/x509/x509_set.c

@@ -148,7 +148,8 @@ int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
 
 void X509_up_ref(X509 *x)
 {
-    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+    int i;
+    CRYPTO_atomic_add(&x->references, 1, &i, x->lock);
 }
 
 long X509_get_version(X509 *x)

crypto/x509/x509_vfy.c

@@ -2160,8 +2160,9 @@ X509_STORE_CTX *X509_STORE_CTX_new(void)
 
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
 {
-    if (!ctx)
+    if (ctx == NULL)
         return;
+
     X509_STORE_CTX_cleanup(ctx);
     OPENSSL_free(ctx);
 }

crypto/x509/x509cset.c

@@ -134,7 +134,8 @@ int X509_CRL_sort(X509_CRL *c)
 
 void X509_CRL_up_ref(X509_CRL *crl)
 {
-    CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
+    int i;
+    CRYPTO_atomic_add(&crl->references, 1, &i, crl->lock);
 }
 
 long X509_CRL_get_version(X509_CRL *crl)

crypto/x509/x_crl.c

@@ -329,7 +329,7 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
     DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
 }
 
-ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
+ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = {
         ASN1_EMBED(X509_CRL, crl, X509_CRL_INFO),
         ASN1_EMBED(X509_CRL, sig_alg, X509_ALGOR),
         ASN1_EMBED(X509_CRL, signature, ASN1_BIT_STRING)
@@ -435,9 +435,9 @@ static int def_crl_lookup(X509_CRL *crl,
      * under a lock to avoid race condition.
      */
     if (!sk_X509_REVOKED_is_sorted(crl->crl.revoked)) {
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
+        CRYPTO_THREAD_write_lock(crl->lock);
         sk_X509_REVOKED_sort(crl->crl.revoked);
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
+        CRYPTO_THREAD_unlock(crl->lock);
     }
     idx = sk_X509_REVOKED_find(crl->crl.revoked, &rtmp);
     if (idx < 0)

crypto/x509/x_req.c

@@ -105,7 +105,7 @@ ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
 
-ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_REQ) = {
+ASN1_SEQUENCE_ref(X509_REQ, 0) = {
         ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO),
         ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR),
         ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)

crypto/x509/x_x509.c

@@ -123,7 +123,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 
 }
 
-ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = {
+ASN1_SEQUENCE_ref(X509, x509_cb) = {
         ASN1_EMBED(X509, cert_info, X509_CINF),
         ASN1_EMBED(X509, sig_alg, X509_ALGOR),
         ASN1_EMBED(X509, signature, ASN1_BIT_STRING)

crypto/x509v3/pcy_cache.c

@@ -224,9 +224,9 @@ const X509_POLICY_CACHE *policy_cache_set(X509 *x)
 {
 
     if (x->policy_cache == NULL) {
-        CRYPTO_w_lock(CRYPTO_LOCK_X509);
+        CRYPTO_THREAD_write_lock(x->lock);
         policy_cache_new(x);
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        CRYPTO_THREAD_unlock(x->lock);
     }
 
     return x->policy_cache;

crypto/x509v3/v3_purp.c

@@ -128,9 +128,9 @@ int X509_check_purpose(X509 *x, int id, int ca)
     int idx;
     const X509_PURPOSE *pt;
     if (!(x->ex_flags & EXFLAG_SET)) {
-        CRYPTO_w_lock(CRYPTO_LOCK_X509);
+        CRYPTO_THREAD_write_lock(x->lock);
         x509v3_cache_extensions(x);
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        CRYPTO_THREAD_unlock(x->lock);
     }
     /* Return if side-effect only call */
     if (id == -1)
@@ -576,9 +576,9 @@ static int check_ca(const X509 *x)
 int X509_check_ca(X509 *x)
 {
     if (!(x->ex_flags & EXFLAG_SET)) {
-        CRYPTO_w_lock(CRYPTO_LOCK_X509);
+        CRYPTO_THREAD_write_lock(x->lock);
         x509v3_cache_extensions(x);
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        CRYPTO_THREAD_unlock(x->lock);
     }
 
     return check_ca(x);

doc/crypto/X509_STORE_new.pod

+=pod
+
+=head1 NAME
+
+X509_STORE_new, X509_STORE_up_ref, X509_STORE_free - X509_STORE allocation and freeing functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509_vfy.h>
+
+ X509_STORE *X509_STORE_new(void);
+ void X509_STORE_free(X509_STORE *v);
+ int X509_STORE_up_ref(X509_STORE *v);
+
+=head1 DESCRIPTION
+
+The X509_STORE_new() function returns a new X509_STORE.
+
+X509_STORE_up_ref() increments the reference count associated with the
+X509_STORE object.
+
+X509_STORE_free() frees up a single X509_STORE object.
+
+=head1 RETURN VALUES
+
+X509_STORE_new() returns a newly created X509_STORE or NULL if the call fails.
+
+X509_STORE_up_ref() returns 1 for success and 0 for failure.
+
+X509_STORE_free() does not return values.
+
+=head1 SEE ALSO
+
+L<X509_STORE_set_verify_cb_func(3)>
+
+=cut

include/openssl/asn1t.h

@@ -207,8 +207,8 @@ extern "C" {
         static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \
         ASN1_SEQUENCE(tname)
 
-# define ASN1_SEQUENCE_ref(tname, cb, lck) \
-        static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
+# define ASN1_SEQUENCE_ref(tname, cb) \
+        static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), offsetof(tname, lock), cb, 0}; \
         ASN1_SEQUENCE(tname)
 
 # define ASN1_SEQUENCE_enc(tname, enc, cb) \

include/openssl/crypto.h

@@ -165,11 +165,6 @@ extern "C" {
  * names in cryptlib.c
  */
 
-# define CRYPTO_LOCK_X509                3
-# define CRYPTO_LOCK_X509_INFO           4
-# define CRYPTO_LOCK_X509_PKEY           5
-# define CRYPTO_LOCK_X509_CRL            6
-# define CRYPTO_LOCK_X509_REQ            7
 # define CRYPTO_LOCK_X509_STORE          11
 # define CRYPTO_LOCK_SSL_CTX             12
 # define CRYPTO_LOCK_SSL_CERT            13

include/openssl/x509.h

@@ -312,6 +312,7 @@ typedef struct private_key_st {
     /* expanded version of 'enc_algor' */
     EVP_CIPHER_INFO cipher;
     int references;
+    CRYPTO_RWLOCK *lock;
 } X509_PKEY;
 
 typedef struct X509_info_st {
@@ -322,6 +323,7 @@ typedef struct X509_info_st {
     int enc_len;
     char *enc_data;
     int references;
+    CRYPTO_RWLOCK *lock;
 } X509_INFO;
 
 DEFINE_STACK_OF(X509_INFO)

include/openssl/x509_vfy.h

@@ -179,6 +179,7 @@ struct x509_store_st {
     int (*cleanup) (X509_STORE_CTX *ctx);
     CRYPTO_EX_DATA ex_data;
     int references;
+    CRYPTO_RWLOCK *lock;
 } /* X509_STORE */ ;
 
 int X509_STORE_set_depth(X509_STORE *store, int depth);
@@ -430,6 +431,7 @@ void X509_OBJECT_up_ref_count(X509_OBJECT *a);
 void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void);
 void X509_STORE_free(X509_STORE *v);
+int X509_STORE_up_ref(X509_STORE *v);
 
 STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
 STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);

ssl/ssl_cert.c

@@ -273,13 +273,12 @@ CERT *ssl_cert_dup(CERT *cert)
     ret->cert_cb_arg = cert->cert_cb_arg;
 
     if (cert->verify_store) {
-        CRYPTO_add(&cert->verify_store->references, 1,
-                   CRYPTO_LOCK_X509_STORE);
+        X509_STORE_up_ref(cert->verify_store);
         ret->verify_store = cert->verify_store;
     }
 
     if (cert->chain_store) {
-        CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE);
+        X509_STORE_up_ref(cert->chain_store);
         ret->chain_store = cert->chain_store;
     }
 
@@ -1056,7 +1055,7 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
     X509_STORE_free(*pstore);
     *pstore = store;
     if (ref && store)
-        CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
+        X509_STORE_up_ref(store);
     return 1;
 }