mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
openssl: Don't use certificate after transferring ownership
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate while, despite the similar name, SSL_CTX_add_client_CA does not. Thus it's best to call SSL_CTX_add_client_CA before SSL_CTX_add_extra_chain_cert, while the code still has ownership of the argument. Closes https://github.com/curl/curl/pull/1236
This commit is contained in:
parent
a90a5bccd4
commit
028391df5d
@ -493,23 +493,21 @@ int cert_stuff(struct connectdata *conn,
|
||||
/*
|
||||
* Note that sk_X509_pop() is used below to make sure the cert is
|
||||
* removed from the stack properly before getting passed to
|
||||
* SSL_CTX_add_extra_chain_cert(). Previously we used
|
||||
* sk_X509_value() instead, but then we'd clean it in the subsequent
|
||||
* sk_X509_pop_free() call.
|
||||
* SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
|
||||
* we used sk_X509_value() instead, but then we'd clean it in the
|
||||
* subsequent sk_X509_pop_free() call.
|
||||
*/
|
||||
X509 *x = sk_X509_pop(ca);
|
||||
if(!SSL_CTX_add_client_CA(ctx, x)) {
|
||||
X509_free(x);
|
||||
failf(data, "cannot add certificate to client CA list");
|
||||
goto fail;
|
||||
}
|
||||
if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
|
||||
X509_free(x);
|
||||
failf(data, "cannot add certificate to certificate chain");
|
||||
goto fail;
|
||||
}
|
||||
/* SSL_CTX_add_client_CA() seems to work with either sk_* function,
|
||||
* presumably because it duplicates what we pass to it.
|
||||
*/
|
||||
if(!SSL_CTX_add_client_CA(ctx, x)) {
|
||||
failf(data, "cannot add certificate to client CA list");
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user