moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00
Code Issues Releases Wiki Activity

openssl: Fix set up of pkcs12 certificate verification chain

Browse Source 
sk_X509_pop will decrease the size of the stack which means that the loop would
end after having added only half of the certificates.

Also make sure that the X509 certificate is freed in case
SSL_CTX_add_extra_chain_cert fails.
This commit is contained in:
Erik Johansson 2015-10-09 21:02:13 +02:00 committed by Daniel Stenberg
parent 13ddb9e54a
commit 3ad83bc3a6
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/vtls/openssl.c
View File

@ -450,7 +450,6 @@ int cert_stuff(struct connectdata *conn,
PKCS12 *p12;
EVP_PKEY *pri;
STACK_OF(X509) *ca = NULL;
int i;
f = fopen(cert_file, "rb");
if(!f) {
@ -497,8 +496,8 @@ int cert_stuff(struct connectdata *conn,
goto fail;
}
/* Set Certificate Verification chain */
if(ca && sk_X509_num(ca)) {
for(i = 0; i < sk_X509_num(ca); i++) {
if(ca) {
while(sk_X509_num(ca)) {
/*
* Note that sk_X509_pop() is used below to make sure the cert is
* removed from the stack properly before getting passed to
@ -508,6 +507,7 @@ int cert_stuff(struct connectdata *conn,
*/
X509 *x = sk_X509_pop(ca);
if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
X509_free(x);
failf(data, "cannot add certificate to certificate chain");
goto fail;
}