aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorErik Johansson <erik@ejohansson.se>2015-10-09 21:02:13 +0200
committerDaniel Stenberg <daniel@haxx.se>2015-10-11 23:14:04 +0200
commit3ad83bc3a623758a53496dbb88be48fd5e190aca (patch)
tree55427ba22ce4ea47b1d7c03c8ae5d5ebb8807871
parent13ddb9e54afe9a3f43b4f6f33d3a8ff51d46f2c2 (diff)
openssl: Fix set up of pkcs12 certificate verification chain
sk_X509_pop will decrease the size of the stack which means that the loop would end after having added only half of the certificates. Also make sure that the X509 certificate is freed in case SSL_CTX_add_extra_chain_cert fails.
-rw-r--r--lib/vtls/openssl.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1bb99671d..3bc079e7e 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -450,7 +450,6 @@ int cert_stuff(struct connectdata *conn,
PKCS12 *p12;
EVP_PKEY *pri;
STACK_OF(X509) *ca = NULL;
- int i;
f = fopen(cert_file, "rb");
if(!f) {
@@ -497,8 +496,8 @@ int cert_stuff(struct connectdata *conn,
goto fail;
}
/* Set Certificate Verification chain */
- if(ca && sk_X509_num(ca)) {
- for(i = 0; i < sk_X509_num(ca); i++) {
+ if(ca) {
+ while(sk_X509_num(ca)) {
/*
* Note that sk_X509_pop() is used below to make sure the cert is
* removed from the stack properly before getting passed to
@@ -508,6 +507,7 @@ int cert_stuff(struct connectdata *conn,
*/
X509 *x = sk_X509_pop(ca);
if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+ X509_free(x);
failf(data, "cannot add certificate to certificate chain");
goto fail;
}