Hi,

Stumbled upon what looked like incorrect code while on the search for
something else. See attached patch. I haven't actually tested it, but it
compiles here at least :)

// Erik

-- 
Erik Johansson
Home Page: http://ejohansson.se/
PGP Key: http://ejohansson.se/erik.asc
From 7ca5a0eb081fc3c8a84598d18a3991e8bc38b135 Mon Sep 17 00:00:00 2001
From: Erik Johansson <[email protected]>
Date: Fri, 9 Oct 2015 21:02:13 +0200
Subject: [PATCH] openssl: Fix set up of pkcs12 certificate verification chain

sk_X509_pop will decrease the size of the stack which means that the loop would
end after having added only half of the certificates.

Also make sure that the X509 certificate is freed in case
SSL_CTX_add_extra_chain_cert fails.
---
 lib/vtls/openssl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1bb9967..3bc079e 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -450,7 +450,6 @@ int cert_stuff(struct connectdata *conn,
       PKCS12 *p12;
       EVP_PKEY *pri;
       STACK_OF(X509) *ca = NULL;
-      int i;
 
       f = fopen(cert_file, "rb");
       if(!f) {
@@ -497,8 +496,8 @@ int cert_stuff(struct connectdata *conn,
         goto fail;
       }
       /* Set Certificate Verification chain */
-      if(ca && sk_X509_num(ca)) {
-        for(i = 0; i < sk_X509_num(ca); i++) {
+      if(ca) {
+        while(sk_X509_num(ca)) {
           /*
            * Note that sk_X509_pop() is used below to make sure the cert is
            * removed from the stack properly before getting passed to
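Review bot: The `while(sk_X509_num(ca))` form fixes the real bug in this hunk: sk_X509_pop() shrinks the stack on every iteration, so the old bound `i < sk_X509_num(ca)` was re-evaluated against a shrinking count and stopped after roughly half the certificates. Folding the `ca && sk_X509_num(ca)` guard into plain `if(ca)` is fine since the while condition handles the empty case. One thing worth stating in the commit message: popping takes the last element first, so the certificates reach SSL_CTX_add_extra_chain_cert in reverse stack order; if the intended order is front to back, sk_X509_shift() pops from index 0 instead.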
@@ -508,6 +507,7 @@ int cert_stuff(struct connectdata *conn,
            */
           X509 *x = sk_X509_pop(ca);
           if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+            X509_free(x);
             failf(data, "cannot add certificate to certificate chain");
             goto fail;
           }
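Review bot: The added `X509_free(x)` on the failure path is correct and closes a leak: the cert has already been popped off `ca`, so nothing else owns it, and SSL_CTX_add_extra_chain_cert only takes ownership when it succeeds. Do not add a matching free on the success path, since the context now owns `x` and freeing it there would be a double free. It is not visible in this hunk whether the `fail:` label also releases the remaining entries in `ca`; that should be confirmed so the partially consumed stack is not leaked as well.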
-- 
2.5.0

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html