diff options
| author | Gergely Nagy <ngg@tresorit.com> | 2018-12-03 17:34:57 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-12-05 15:26:18 +0100 |
| commit | 08efa19e6aaf0e8bf8ece5a35f369c0cb346ace9 (patch) | |
| tree | 54355019ed7a8c46e7e282395d8ddc892cd1e3f9 | |
| parent | 8ad9e5915a95258267f2af463559ded134e8e643 (diff) | |
| download | curl-08efa19e6aaf0e8bf8ece5a35f369c0cb346ace9.tar.gz | |
openssl: do not use file BIOs if not requested
Moves the file handling BIO calls to the branch of the code where they
are actually used.
Closes #3339
| -rw-r--r-- | lib/vtls/openssl.c | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 720e87d81..404f9c8aa 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3321,20 +3321,8 @@ static CURLcode servercert(struct connectdata *conn, /* we've been asked to gather certificate info! */ (void)get_cert_chain(conn, connssl); - fp = BIO_new(BIO_s_file()); - if(fp == NULL) { - failf(data, - "BIO_new return NULL, " OSSL_PACKAGE - " error %s", - ossl_strerror(ERR_get_error(), error_buffer, - sizeof(error_buffer)) ); - BIO_free(mem); - return CURLE_OUT_OF_MEMORY; - } - BACKEND->server_cert = SSL_get_peer_certificate(BACKEND->handle); if(!BACKEND->server_cert) { - BIO_free(fp); BIO_free(mem); if(!strict) return CURLE_OK; @@ -3369,7 +3357,6 @@ static CURLcode servercert(struct connectdata *conn, if(SSL_CONN_CONFIG(verifyhost)) { result = verifyhost(conn, BACKEND->server_cert); if(result) { - BIO_free(fp); X509_free(BACKEND->server_cert); BACKEND->server_cert = NULL; return result; @@ -3391,6 +3378,18 @@ static CURLcode servercert(struct connectdata *conn, /* e.g. match issuer name with provided issuer certificate */ if(SSL_SET_OPTION(issuercert)) { + fp = BIO_new(BIO_s_file()); + if(fp == NULL) { + failf(data, + "BIO_new return NULL, " OSSL_PACKAGE + " error %s", + ossl_strerror(ERR_get_error(), error_buffer, + sizeof(error_buffer)) ); + X509_free(BACKEND->server_cert); + BACKEND->server_cert = NULL; + return CURLE_OUT_OF_MEMORY; + } + if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { if(strict) failf(data, "SSL: Unable to open issuer cert (%s)", @@ -3426,6 +3425,7 @@ static CURLcode servercert(struct connectdata *conn, infof(data, " SSL certificate issuer check ok (%s)\n", SSL_SET_OPTION(issuercert)); + BIO_free(fp); X509_free(issuer); } @@ -3454,7 +3454,6 @@ static CURLcode servercert(struct connectdata *conn, if(SSL_CONN_CONFIG(verifystatus)) { result = verifystatus(conn, connssl); if(result) { - BIO_free(fp); X509_free(BACKEND->server_cert); BACKEND->server_cert = NULL; return result; @@ -3474,7 +3473,6 @@ static CURLcode servercert(struct connectdata *conn, failf(data, "SSL: public key does not match pinned public key!"); } - BIO_free(fp); X509_free(BACKEND->server_cert); BACKEND->server_cert = NULL; connssl->connecting_state = ssl_connect_done; |