From: olszomal Date: Thu, 30 Nov 2023 11:53:40 +0000 (+0100) Subject: Fix loading more than one certificate in PEM format in X509_load_cert_file_ex() X-Git-Tag: openssl-3.3.0-alpha1~536 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20c680de9c435534be48fa85b2a975067a4e7c9d;p=thirdparty%2Fopenssl.git Fix loading more than one certificate in PEM format in X509_load_cert_file_ex() Fixes #22895 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22885) --- diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index 450bbba0537..5073c137a20 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -128,6 +128,17 @@ int X509_load_cert_file_ex(X509_LOOKUP *ctx, const char *file, int type, count = 0; goto err; } + /* + * X509_STORE_add_cert() added a reference rather than a copy, + * so we need a fresh X509 object. + */ + X509_free(x); + x = X509_new_ex(libctx, propq); + if (x == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB); + count = 0; + goto err; + } count++; } } else if (type == X509_FILETYPE_ASN1) {
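Review bot: In the PEM branch, the new failure path after `x = X509_new_ex(libctx, propq);` sets `count = 0` and jumps to `err` even though, per the added comment, X509_STORE_add_cert() has already taken a reference on the certificate just read (and on any earlier ones from the same file). The caller is therefore told the load failed while the store has in fact been modified. This mirrors the existing `count = 0; goto err;` path in the context lines above, but the comment or the function documentation should say that a failed return does not imply an unchanged store, because code that builds a trust store from a bundle could otherwise retry or fall back with a partially populated store. The fresh object is also allocated after every successful add, including the one for the last certificate in the file, so an allocation failure at that point fails a load that had otherwise completed; if that is intended, a word in the comment would help. The visible diff touches only crypto/x509/by_file.c, so a regression test that loads a PEM file holding two or more certificates and checks the returned count would be a useful addition.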