Diffstat (limited to 'lib')
-rw-r--r--lib/ssluse.c36
1 files changed, 12 insertions, 24 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 36c38042a..e9ae45ae0 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -435,7 +435,7 @@ int cert_stuff(struct connectdata *conn,
PKCS12_PBE_add();
if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
- &ca)) {
+ &ca)) {
failf(data,
"could not parse PKCS12 file, check password, OpenSSL error %s",
ERR_error_string(ERR_get_error(), NULL) );
@@ -447,54 +447,42 @@ int cert_stuff(struct connectdata *conn,
if(SSL_CTX_use_certificate(ctx, x509) != 1) {
failf(data, SSL_CLIENT_CERT_ERR);
- EVP_PKEY_free(pri);
- X509_free(x509);
- sk_X509_pop_free(ca, X509_free);
- return 0;
+ goto fail;
}
if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
failf(data, "unable to use private key from PKCS12 file '%s'",
cert_file);
- EVP_PKEY_free(pri);
- X509_free(x509);
- sk_X509_pop_free(ca, X509_free);
- return 0;
+ goto fail;
}
if(!SSL_CTX_check_private_key (ctx)) {
failf(data, "private key from PKCS12 file '%s' "
"does not match certificate in same file", cert_file);
- EVP_PKEY_free(pri);
- X509_free(x509);
- sk_X509_pop_free(ca, X509_free);
- return 0;
+ goto fail;
}
/* Set Certificate Verification chain */
if(ca && sk_X509_num(ca)) {
for(i = 0; i < sk_X509_num(ca); i++) {
- if(!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) {
+ if(!SSL_CTX_add_extra_chain_cert(ctx, sk_X509_value(ca, i))) {
failf(data, "cannot add certificate to certificate chain");
- EVP_PKEY_free(pri);
- X509_free(x509);
- sk_X509_pop_free(ca, X509_free);
- return 0;
+ goto fail;
}
if(!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) {
failf(data, "cannot add certificate to client CA list");
- EVP_PKEY_free(pri);
- X509_free(x509);
- sk_X509_pop_free(ca, X509_free);
- return 0;
+ goto fail;
}
}
}
+ cert_done = 1;
+ fail:
EVP_PKEY_free(pri);
X509_free(x509);
sk_X509_pop_free(ca, X509_free);
- cert_done = 1;
- break;
+
+ if(!cert_done)
+ return 0; /* failure! */
#else
failf(data, "file type P12 for certificate not supported");
return 0;
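Review bot: The `break;` deleted at the end of the PKCS12 case (old `cert_done = 1; break;`) is not re-added after the new `if(!cert_done) return 0;`, so on the success path control now runs past the `#endif` into whatever follows the case body; unless a `break;` already sits there outside the hunk, a successfully loaded PKCS12 client certificate falls through into the next case label and is handled as something else. Suggest keeping the success exit explicit: `if(!cert_done)` / `  return 0; /* failure! */` / `break;` immediately before the `#else`. The `fail:` path also relies on `cert_done` being zero when this case is entered; its initialization is outside the hunk, so please confirm it is not set earlier in cert_stuff(). The enclosing switch in cert_stuff() starts and ends outside this hunk.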