openssl: Don't use certificate after transferring ownership
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate while, despite the similar name, SSL_CTX_add_client_CA does not. Thus it's best to call SSL_CTX_add_client_CA before SSL_CTX_add_extra_chain_cert, while the code still has ownership of the argument. Closes https://github.com/curl/curl/pull/1236
This commit is contained in:
parent
a90a5bccd4
commit
028391df5d
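--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -493,23 +493,21 @@ int cert_stuff(struct connectdata *conn,
 /*
 * Note that sk_X509_pop() is used below to make sure the cert is
 * removed from the stack properly before getting passed to
- * SSL_CTX_add_extra_chain_cert(). Previously we used
- * sk_X509_value() instead, but then we'd clean it in the subsequent
- * sk_X509_pop_free() call.
+ * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
+ * we used sk_X509_value() instead, but then we'd clean it in the
+ * subsequent sk_X509_pop_free() call.
 */
 X509 *x = sk_X509_pop(ca);
+if(!SSL_CTX_add_client_CA(ctx, x)) {
+X509_free(x);
+failf(data, "cannot add certificate to client CA list");
+goto fail;
+}
 if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
 X509_free(x);
 failf(data, "cannot add certificate to certificate chain");
 goto fail;
 }
-/* SSL_CTX_add_client_CA() seems to work with either sk_* function,
- * presumably because it duplicates what we pass to it.
- */
-if(!SSL_CTX_add_client_CA(ctx, x)) {
-failf(data, "cannot add certificate to client CA list");
-goto fail;
-}
 }
 }
 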
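Review bot: The new call order is correct but now rests on an ownership fact the hunk no longer states: the deleted comment at the bottom was the only place saying that SSL_CTX_add_client_CA() does not consume its argument, and the surviving comment above sk_X509_pop() only explains the ownership transfer to SSL_CTX_add_extra_chain_cert(). Without that note a later cleanup could swap the two blocks back and reintroduce the use-after-free this commit removes, which is exactly the kind of regression a reviewer cannot spot from the call names alone. I would put, directly above the new `if(!SSL_CTX_add_client_CA(ctx, x))`: `/* SSL_CTX_add_client_CA() does not take ownership of x, so it must run first, while x is still ours to free; SSL_CTX_add_extra_chain_cert() below consumes x on success. */`. Whether x can be NULL at this point depends on the loop condition preceding the hunk, so no null check is proposed; the enclosing block of cert_stuff starts outside this hunk.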