diff options
author | Adam Langley <agl@google.com> | 2017-01-31 16:05:33 -0800 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2017-01-31 21:04:31 -0500 |
commit | 028391df5d84d9fae3433afdee9261d565900355 (patch) | |
tree | 1f7519c0b7a28658488b7fcfcf50033521c9a2df /lib/vtls | |
parent | a90a5bccd47ba5425949a51e6d77b91a2a1e7fe6 (diff) |
openssl: Don't use certificate after transferring ownership
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
it's best to call SSL_CTX_add_client_CA before
SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
argument.
Closes https://github.com/curl/curl/pull/1236
Diffstat (limited to 'lib/vtls')
-rw-r--r-- | lib/vtls/openssl.c | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 48a4c0b02..eb625fe93 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -493,21 +493,19 @@ int cert_stuff(struct connectdata *conn, /* * Note that sk_X509_pop() is used below to make sure the cert is * removed from the stack properly before getting passed to - * SSL_CTX_add_extra_chain_cert(). Previously we used - * sk_X509_value() instead, but then we'd clean it in the subsequent - * sk_X509_pop_free() call. + * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously + * we used sk_X509_value() instead, but then we'd clean it in the + * subsequent sk_X509_pop_free() call. */ X509 *x = sk_X509_pop(ca); - if(!SSL_CTX_add_extra_chain_cert(ctx, x)) { + if(!SSL_CTX_add_client_CA(ctx, x)) { X509_free(x); - failf(data, "cannot add certificate to certificate chain"); + failf(data, "cannot add certificate to client CA list"); goto fail; } - /* SSL_CTX_add_client_CA() seems to work with either sk_* function, - * presumably because it duplicates what we pass to it. - */ - if(!SSL_CTX_add_client_CA(ctx, x)) { - failf(data, "cannot add certificate to client CA list"); + if(!SSL_CTX_add_extra_chain_cert(ctx, x)) { + X509_free(x); + failf(data, "cannot add certificate to certificate chain"); goto fail; } } |