author | Jeremy Harris <jgh146exb@wizmail.org> | 2021-06-17 20:45:32 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2021-06-17 20:45:32 +0100 |
commit | 1e2b1976ead627c662bf82042be742086ba0b2f3 (patch) | |
tree | 0d9d49153c0a856d6cb0a25aa32391f216b3ed17 | |
parent | 6814cb2f15160a6171e7a55605ba8e80f58302a9 (diff) |
OpenSSL: fix verify-certs stack initialization
-rw-r--r-- | src/src/tls-openssl.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 906c98cef..4d6eeaab3 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2760,18 +2760,23 @@ if (tlsp->peercert)
/* Load certs from file, return TRUE on success */ static BOOL
-chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
+chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
{ BIO * bp;
+STACK_OF(X509) * verify_stack = *vp;
X509 * x;
-while (sk_X509_num(verify_stack) > 0)
- X509_free(sk_X509_pop(verify_stack));
+if (verify_stack)
+ while (sk_X509_num(verify_stack) > 0)
+ X509_free(sk_X509_pop(verify_stack));
+else
+ verify_stack = sk_X509_new_null();
if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
-while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
sk_X509_push(verify_stack, x); BIO_free(bp);
+*vp = verify_stack;
return TRUE; }
#endif
@@ -2826,6 +2831,13 @@ if (expcerts && *expcerts)
{ file = NULL; dir = expcerts; } else {
+ STACK_OF(X509) * verify_stack =
+#ifndef DISABLE_OCSP
+ !host ? state_server.verify_stack :
+#endif
+ NULL;
+ STACK_OF(X509) ** vp = &verify_stack;
+
file = expcerts; dir = NULL;
#ifndef DISABLE_OCSP /* In the server if we will be offering an OCSP proof, load chain from
@@ -2834,11 +2846,10 @@ if (expcerts && *expcerts)
/*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert. This is inconsistent with the need to verify the OCSP proof of the server cert. */
-
if ( !host && statbuf.st_size > 0 && state_server.u_ocsp.server.file
- && !chain_from_pem_file(file, state_server.verify_stack)
+ && !chain_from_pem_file(file, vp)
) { log_write(0, LOG_MAIN|LOG_PANIC, |
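Review bot: In the new else-branch of chain_from_pem_file the result of `verify_stack = sk_X509_new_null();` is never checked, and neither is the return of `sk_X509_push`, so on an allocation failure verify_stack stays NULL, every X509 handed back by PEM_read_bio_X509 is pushed into nothing and leaked, and the function still returns TRUE with `*vp` set to NULL — the caller then treats the chain as loaded. The outer `X509 * x;` kept as context is now shadowed by the declaration in the new for loop and is unused, and the rewritten loop condition dropped the extra parentheses the removed while had, so a -Wall build warns on both. The rewrite below fails early when the stack cannot be created, hands the stack back through vp before the file is opened so a later failure does not strand a fresh allocation, and frees the certificate when a push fails.
```c
static BOOL
chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
{
BIO * bp;
STACK_OF(X509) * verify_stack = *vp;

if (verify_stack)
  while (sk_X509_num(verify_stack) > 0)
    X509_free(sk_X509_pop(verify_stack));
else if (!(verify_stack = sk_X509_new_null()))
  return FALSE;
*vp = verify_stack;	/* caller owns the stack from here, even if the read below fails */

if (!(bp = BIO_new_file(CS file, "r")))
  return FALSE;
for (X509 * x; (x = PEM_read_bio_X509(bp, NULL, 0, NULL)); )
  if (!sk_X509_push(verify_stack, x))
    {
    X509_free(x);
    BIO_free(bp);
    return FALSE;
    }
/* … unchanged: BIO_free(bp); return TRUE; … */
}
```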
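Review bot: The stack that chain_from_pem_file hands back through `vp` lands in the block-local `verify_stack` declared here, and nothing in this diff copies it back into `state_server.verify_stack` (the diffstat's 17 insertions are all visible in these hunks); unless code outside them does the write-back, a server that starts with a NULL `state_server.verify_stack` gets a freshly allocated chain that is dropped when the else block ends — leaked, and still invisible to the OCSP-proof verification this load is meant to feed. If no such write-back exists, add after the successful load `#ifndef DISABLE_OCSP`, `if (!host) state_server.verify_stack = verify_stack;`, `#endif`. Separately, `verify_stack` and `vp` are declared outside the `#ifndef DISABLE_OCSP` region but only used inside it, so a DISABLE_OCSP build gets unused-variable warnings; moving the two declarations inside the guard avoids that. The enclosing function starts before this hunk and the else block continues into the next one.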