openssl: fix resource leak in provider error path

author Daniel Stenberg <daniel@haxx.se>

Fri, 17 Oct 2025 22:01:26 +0000 (00:01 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Fri, 17 Oct 2025 22:40:13 +0000 (00:40 +0200)
author Daniel Stenberg <daniel@haxx.se>
Fri, 17 Oct 2025 22:01:26 +0000 (00:01 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Fri, 17 Oct 2025 22:40:13 +0000 (00:40 +0200)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c

index 43fa417a3554854c5ed62daffa4613fe635d67fb..2868ea85ec09094b47e447a9bddda8b8c7a81d3d 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1473,6 +1473,8 @@ static int providerload(struct Curl_easy *data,
      OSSL_STORE_CTX *store =
        OSSL_STORE_open_ex(cert_file, data->state.libctx,
                           NULL, NULL, NULL, NULL, NULL, NULL);
+    int rc;
+
      if(!store) {
        failf(data, "Failed to open OpenSSL store: %s",
              ossl_strerror(ERR_get_error(), error_buffer,
@@ -1501,13 +1503,15 @@ static int providerload(struct Curl_easy *data,
        return 0;
      }
  
-    if(SSL_CTX_use_certificate(ctx, cert) != 1) {
+    rc = SSL_CTX_use_certificate(ctx, cert);
+    X509_free(cert); /* we do not need the handle any more... */
+
+    if(rc != 1) {
        failf(data, "unable to set client certificate [%s]",
              ossl_strerror(ERR_get_error(), error_buffer,
                            sizeof(error_buffer)));
        return 0;
      }
-    X509_free(cert); /* we do not need the handle any more... */
    }
    else {
      failf(data, "crypto provider not set, cannot load certificate");
author	Daniel Stenberg <daniel@haxx.se>
	Fri, 17 Oct 2025 22:01:26 +0000 (00:01 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Fri, 17 Oct 2025 22:40:13 +0000 (00:40 +0200)