Commit 028391df authored by Adam Langley's avatar Adam Langley Committed by Jay Satiro

openssl: Don't use certificate after transferring ownership

SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
it's best to call SSL_CTX_add_client_CA before
SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
argument.

Closes https://github.com/curl/curl/pull/1236
parent a90a5bcc
+8 −10
@@ -493,21 +493,19 @@ int cert_stuff(struct connectdata *conn,
          /*
           * Note that sk_X509_pop() is used below to make sure the cert is
           * removed from the stack properly before getting passed to
           * SSL_CTX_add_extra_chain_cert(). Previously we used
           * sk_X509_value() instead, but then we'd clean it in the subsequent
           * sk_X509_pop_free() call.
           * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
           * we used sk_X509_value() instead, but then we'd clean it in the
           * subsequent sk_X509_pop_free() call.
           */
          X509 *x = sk_X509_pop(ca);
          if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
          if(!SSL_CTX_add_client_CA(ctx, x)) {
            X509_free(x);
            failf(data, "cannot add certificate to certificate chain");
            failf(data, "cannot add certificate to client CA list");
            goto fail;
          }
          /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
           * presumably because it duplicates what we pass to it.
           */
          if(!SSL_CTX_add_client_CA(ctx, x)) {
            failf(data, "cannot add certificate to client CA list");
          if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
            X509_free(x);
            failf(data, "cannot add certificate to certificate chain");
            goto fail;
          }
        }
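Review bot: The reason for the new call order is not recorded in the code comment, and the old comment that documented SSL_CTX_add_client_CA()'s copying behaviour is deleted, so a future reader may "simplify" the two calls back into the wrong order. The updated comment only explains why sk_X509_pop() is used before SSL_CTX_add_extra_chain_cert(); suggest adding one line above the SSL_CTX_add_client_CA() call, e.g. `/* SSL_CTX_add_client_CA() copies the cert; call it before SSL_CTX_add_extra_chain_cert() takes ownership of x */`. The two error paths look right as written: on an SSL_CTX_add_client_CA() failure ownership of x has not moved, and on an SSL_CTX_add_extra_chain_cert() failure it has not moved either, so `X509_free(x)` before `goto fail` is correct in both branches and the `fail:` path must not free x a second time.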