1
0
mirror of https://github.com/moparisthebest/curl synced 2024-10-31 15:45:12 -04:00

openssl: Don't use certificate after transferring ownership

SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
it's best to call SSL_CTX_add_client_CA before
SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
argument.

Closes https://github.com/curl/curl/pull/1236
This commit is contained in:
Adam Langley 2017-01-31 16:05:33 -08:00 committed by Jay Satiro
parent a90a5bccd4
commit 028391df5d

View File

@ -493,23 +493,21 @@ int cert_stuff(struct connectdata *conn,
/* /*
* Note that sk_X509_pop() is used below to make sure the cert is * Note that sk_X509_pop() is used below to make sure the cert is
* removed from the stack properly before getting passed to * removed from the stack properly before getting passed to
* SSL_CTX_add_extra_chain_cert(). Previously we used * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
* sk_X509_value() instead, but then we'd clean it in the subsequent * we used sk_X509_value() instead, but then we'd clean it in the
* sk_X509_pop_free() call. * subsequent sk_X509_pop_free() call.
*/ */
X509 *x = sk_X509_pop(ca); X509 *x = sk_X509_pop(ca);
if(!SSL_CTX_add_client_CA(ctx, x)) {
X509_free(x);
failf(data, "cannot add certificate to client CA list");
goto fail;
}
if(!SSL_CTX_add_extra_chain_cert(ctx, x)) { if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
X509_free(x); X509_free(x);
failf(data, "cannot add certificate to certificate chain"); failf(data, "cannot add certificate to certificate chain");
goto fail; goto fail;
} }
/* SSL_CTX_add_client_CA() seems to work with either sk_* function,
* presumably because it duplicates what we pass to it.
*/
if(!SSL_CTX_add_client_CA(ctx, x)) {
failf(data, "cannot add certificate to client CA list");
goto fail;
}
} }
} }