Skip to content

Commit

Permalink
Merge eef783a into f022c91
Browse files Browse the repository at this point in the history
  • Loading branch information
@sunnyap
sunnyap committed Apr 30, 2018
2 parents f022c91 + eef783a commit f54a991
Showing 1 changed file with 39 additions and 15 deletions.
54 changes: 39 additions & 15 deletions lib/vtls/openssl.c
View file
Expand Up @@ -661,18 +661,27 @@ int cert_stuff(struct connectdata *conn,

case SSL_FILETYPE_PKCS12:
{
FILE *f;
PKCS12 *p12;
BIO *fp = NULL;
PKCS12 *p12 = NULL;
EVP_PKEY *pri;
STACK_OF(X509) *ca = NULL;

fp = BIO_new(BIO_s_file());
if(fp == NULL) {
failf(data,
"BIO_new return NULL, " OSSL_PACKAGE
" error %s",
ossl_strerror(ERR_get_error(), error_buffer,
sizeof(error_buffer)) );
return 0;
}

f = fopen(cert_file, "rb");
if(!f) {
if(BIO_read_filename(fp, cert_file) <= 0) {
failf(data, "could not open PKCS12 file '%s'", cert_file);
return 0;
}
p12 = d2i_PKCS12_fp(f, NULL);
fclose(f);
p12 = d2i_PKCS12_bio(fp, NULL);
BIO_free(fp);

if(!p12) {
failf(data, "error reading PKCS12 file '%s'", cert_file);
Expand Down Expand Up @@ -3127,7 +3136,7 @@ static CURLcode servercert(struct connectdata *conn,
long lerr, len;
struct Curl_easy *data = conn->data;
X509 *issuer;
FILE *fp;
BIO *fp = NULL;
char buffer[2048];
const char *ptr;
long * const certverifyresult = SSL_IS_PROXY() ?
Expand All @@ -3138,8 +3147,20 @@ static CURLcode servercert(struct connectdata *conn,
/* we've been asked to gather certificate info! */
(void)get_cert_chain(conn, connssl);

fp = BIO_new(BIO_s_file());
if(fp == NULL) {
failf(data,
"BIO_new return NULL, " OSSL_PACKAGE
" error %s",
ossl_strerror(ERR_get_error(), error_buffer,
sizeof(error_buffer)) );
BIO_free(mem);
return 0;
}

BACKEND->server_cert = SSL_get_peer_certificate(BACKEND->handle);
if(!BACKEND->server_cert) {
BIO_free(fp);
BIO_free(mem);
if(!strict)
return CURLE_OK;
Expand Down Expand Up @@ -3169,6 +3190,7 @@ static CURLcode servercert(struct connectdata *conn,
if(SSL_CONN_CONFIG(verifyhost)) {
result = verifyhost(conn, BACKEND->server_cert);
if(result) {
BIO_free(fp);
X509_free(BACKEND->server_cert);
BACKEND->server_cert = NULL;
return result;
Expand All @@ -3190,35 +3212,35 @@ static CURLcode servercert(struct connectdata *conn,

/* e.g. match issuer name with provided issuer certificate */
if(SSL_SET_OPTION(issuercert)) {
fp = fopen(SSL_SET_OPTION(issuercert), FOPEN_READTEXT);
if(!fp) {
if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
if(strict)
failf(data, "SSL: Unable to open issuer cert (%s)",
SSL_SET_OPTION(issuercert));
BIO_free(fp);
X509_free(BACKEND->server_cert);
BACKEND->server_cert = NULL;
return CURLE_SSL_ISSUER_ERROR;
}

issuer = PEM_read_X509(fp, NULL, ZERO_NULL, NULL);
issuer = PEM_read_bio_X509(fp, NULL, ZERO_NULL, NULL);
if(!issuer) {
if(strict)
failf(data, "SSL: Unable to read issuer cert (%s)",
SSL_SET_OPTION(issuercert));
BIO_free(fp);
X509_free(issuer);
X509_free(BACKEND->server_cert);
X509_free(issuer);
fclose(fp);
BACKEND->server_cert = NULL;
return CURLE_SSL_ISSUER_ERROR;
}

fclose(fp);

if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
if(strict)
failf(data, "SSL: Certificate issuer check failed (%s)",
SSL_SET_OPTION(issuercert));
X509_free(BACKEND->server_cert);
BIO_free(fp);
X509_free(issuer);
X509_free(BACKEND->server_cert);
BACKEND->server_cert = NULL;
return CURLE_SSL_ISSUER_ERROR;
}
Expand Down Expand Up @@ -3253,6 +3275,7 @@ static CURLcode servercert(struct connectdata *conn,
if(SSL_CONN_CONFIG(verifystatus)) {
result = verifystatus(conn, connssl);
if(result) {
BIO_free(fp);
X509_free(BACKEND->server_cert);
BACKEND->server_cert = NULL;
return result;
Expand All @@ -3272,6 +3295,7 @@ static CURLcode servercert(struct connectdata *conn,
failf(data, "SSL: public key does not match pinned public key!");
}

BIO_free(fp);
X509_free(BACKEND->server_cert);
BACKEND->server_cert = NULL;
connssl->connecting_state = ssl_connect_done;
Expand Down

0 comments on commit f54a991

Please sign in to comment.