[GNUnet-SVN] [gnurl] 103/173: openssl: Don't use certificate after trans

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 103/173: openssl: Don't use certificate after trans

From:	gnunet
Subject:	[GNUnet-SVN] [gnurl] 103/173: openssl: Don't use certificate after transferring ownership
Date:	Fri, 24 Feb 2017 14:02:05 +0100

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to annotated tag gnurl-7.53.1
in repository gnurl.

commit 028391df5d84d9fae3433afdee9261d565900355
Author: Adam Langley <address@hidden>
AuthorDate: Tue Jan 31 16:05:33 2017 -0800

    openssl: Don't use certificate after transferring ownership
    
    SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
    while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
    it's best to call SSL_CTX_add_client_CA before
    SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
    argument.
    
    Closes https://github.com/curl/curl/pull/1236
---
 lib/vtls/openssl.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 48a4c0b02..eb625fe93 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -493,21 +493,19 @@ int cert_stuff(struct connectdata *conn,
           /*
            * Note that sk_X509_pop() is used below to make sure the cert is
            * removed from the stack properly before getting passed to
-           * SSL_CTX_add_extra_chain_cert(). Previously we used
-           * sk_X509_value() instead, but then we'd clean it in the subsequent
-           * sk_X509_pop_free() call.
+           * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
+           * we used sk_X509_value() instead, but then we'd clean it in the
+           * subsequent sk_X509_pop_free() call.
            */
           X509 *x = sk_X509_pop(ca);
-          if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+          if(!SSL_CTX_add_client_CA(ctx, x)) {
             X509_free(x);
-            failf(data, "cannot add certificate to certificate chain");
+            failf(data, "cannot add certificate to client CA list");
             goto fail;
           }
-          /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
-           * presumably because it duplicates what we pass to it.
-           */
-          if(!SSL_CTX_add_client_CA(ctx, x)) {
-            failf(data, "cannot add certificate to client CA list");
+          if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+            X509_free(x);
+            failf(data, "cannot add certificate to certificate chain");
             goto fail;
           }
         }

-- 
To stop receiving notification emails like this one, please contact
address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

[GNUnet-SVN] [gnurl] 101/173: docs: we no longer ship HTML versions of man pages, (continued)
- [GNUnet-SVN] [gnurl] 101/173: docs: we no longer ship HTML versions of man pages, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 96/173: polarssl: fix hangs, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 112/173: darwinssl: Avoid parsing certificates when not in verbose mode, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 95/173: cookies: do not assume a valid domain has a dot, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 66/173: TODO: Chunked transfer multipart formpost, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 137/173: TODO: consider file name from the redirected URL with -O ?, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 107/173: use *.sourceforge.io and misc URL updates, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 70/173: docs: improved language in README.md HISTORY.md CONTRIBUTE.md, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 113/173: test552: Fix typos, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 131/173: configure: Allow disabling pthreads, fall back on Win32 threads, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 103/173: openssl: Don't use certificate after transferring ownership, gnunet <=
- [GNUnet-SVN] [gnurl] 141/173: proxy: fix hostname resolution and IDN conversion, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 40/173: sws: retry send() on EWOULDBLOCK, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 108/173: cmdline-opts: Fixed build and test in out of source tree builds, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 123/173: examples/multithread.c: link to our multi-thread docs, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 152/173: digest_sspi: Handle 'stale=TRUE' directive in HTTP digest, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 129/173: tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 151/173: smb: use getpid replacement for windows UWP builds, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 65/173: TODO: Improve formpost API, not just add an easy argument, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 90/173: cmdline-opts/gen.pl: Open input files in CRLF mode, gnunet, 2017/02/24
- [GNUnet-SVN] [gnurl] 59/173: next.d: --trace and --trace-ascii are also global, gnunet, 2017/02/24

Prev by Date: [GNUnet-SVN] [gnurl] 131/173: configure: Allow disabling pthreads, fall back on Win32 threads
Next by Date: [GNUnet-SVN] [gnurl] 141/173: proxy: fix hostname resolution and IDN conversion
Previous by thread: [GNUnet-SVN] [gnurl] 131/173: configure: Allow disabling pthreads, fall back on Win32 threads
Next by thread: [GNUnet-SVN] [gnurl] 141/173: proxy: fix hostname resolution and IDN conversion
Index(es):
- Date
- Thread