From: Daniel Stenberg
Date: Fri, 17 Oct 2025 22:01:26 +0000 (+0200)
Subject: openssl: fix resource leak in provider error path
X-Git-Tag: rc-8_17_0-2~35
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b9b8a7a5df552d4e5929d4d7e38490b9aef642a9;p=thirdparty%2Fcurl.git
openssl: fix resource leak in provider error path
Pointed out by ZeroPath
Closes #19111
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 43fa417a35..2868ea85ec 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1473,6 +1473,8 @@ static int providerload(struct Curl_easy *data, OSSL_STORE_CTX *store = OSSL_STORE_open_ex(cert_file, data->state.libctx, NULL, NULL, NULL, NULL, NULL, NULL); + int rc; + if(!store) { failf(data, "Failed to open OpenSSL store: %s", ossl_strerror(ERR_get_error(), error_buffer,
@@ -1501,13 +1503,15 @@ static int providerload(struct Curl_easy *data, return 0; } - if(SSL_CTX_use_certificate(ctx, cert) != 1) { + rc = SSL_CTX_use_certificate(ctx, cert); + X509_free(cert); /* we do not need the handle any more... */ + + if(rc != 1) { failf(data, "unable to set client certificate [%s]", ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer))); return 0; } - X509_free(cert); /* we do not need the handle any more... */ } else { failf(data, "crypto provider not set, cannot load certificate");
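Review bot: The comment carried along with the moved `X509_free(cert);` in the second hunk no longer explains the code: the free now runs before `rc` is tested, and nothing says why releasing the certificate on the success path is safe. I would reword it to something like `/* SSL_CTX_use_certificate() holds its own reference on success, so drop ours on both paths */`, so that a later cleanup does not move the free back below the check and reintroduce the leak. The failure message is still built from `ERR_get_error()` after the free; X509_free is not expected to touch the error queue, so this looks fine, but it is worth keeping in mind if more calls are ever added between the two. providerload starts and ends outside both hunks, so whether `store` is closed before each `return 0` cannot be confirmed from the lines shown.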