[GNUnet-SVN] [gnurl] 103/173: openssl: Don't use certificate after transferring ownership

From: gnunet
Subject: [GNUnet-SVN] [gnurl] 103/173: openssl: Don't use certificate after transferring ownership
Date: Fri, 24 Feb 2017 14:02:05 +0100
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to annotated tag gnurl-7.53.1
in repository gnurl.
commit 028391df5d84d9fae3433afdee9261d565900355
Author: Adam Langley <address@hidden>
AuthorDate: Tue Jan 31 16:05:33 2017 -0800
openssl: Don't use certificate after transferring ownership
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
it's best to call SSL_CTX_add_client_CA before
SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
argument.
Closes https://github.com/curl/curl/pull/1236
---
lib/vtls/openssl.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 48a4c0b02..eb625fe93 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -493,21 +493,19 @@ int cert_stuff(struct connectdata *conn,
/*
* Note that sk_X509_pop() is used below to make sure the cert is
* removed from the stack properly before getting passed to
- * SSL_CTX_add_extra_chain_cert(). Previously we used
- * sk_X509_value() instead, but then we'd clean it in the subsequent
- * sk_X509_pop_free() call.
+ * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
+ * we used sk_X509_value() instead, but then we'd clean it in the
+ * subsequent sk_X509_pop_free() call.
*/
X509 *x = sk_X509_pop(ca);
- if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+ if(!SSL_CTX_add_client_CA(ctx, x)) {
X509_free(x);
- failf(data, "cannot add certificate to certificate chain");
+ failf(data, "cannot add certificate to client CA list");
goto fail;
}
- /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
- * presumably because it duplicates what we pass to it.
- */
- if(!SSL_CTX_add_client_CA(ctx, x)) {
- failf(data, "cannot add certificate to client CA list");
+ if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+ X509_free(x);
+ failf(data, "cannot add certificate to certificate chain");
goto fail;
}
}
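Review bot: the updated comment at the top of this hunk says SSL_CTX_add_extra_chain_cert() takes ownership, but nothing in the code records why SSL_CTX_add_client_CA() must now be called first, so a later reordering would silently reintroduce the use-after-transfer this change removes. Suggest extending that comment with the constraint from the commit message, e.g. `* SSL_CTX_add_client_CA() does not take ownership, so it must run before` / `* SSL_CTX_add_extra_chain_cert() hands x to the context.` Also, the X509_free(x) on the second failure path relies on SSL_CTX_add_extra_chain_cert() leaving ownership with the caller when it returns 0; the comment above only describes the success case, so that assumption should be stated next to the free.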