cert_stuff: remove code duplication in the pkcs12 logic

2013-06-10 16:10:44 +02:00 · 2013-06-10 16:10:44 +02:00 · ce362e8eb9
commit ce362e8eb9
parent a4decb49a6
1 changed files with 12 additions and 24 deletions
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -435,7 +435,7 @@ int cert_stuff(struct connectdata *conn,
      PKCS12_PBE_add();

      if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
-                        &ca)) {
+                       &ca)) {
        failf(data,
              "could not parse PKCS12 file, check password, OpenSSL error %s",
              ERR_error_string(ERR_get_error(), NULL) );
@ -447,54 +447,42 @@ int cert_stuff(struct connectdata *conn,

      if(SSL_CTX_use_certificate(ctx, x509) != 1) {
        failf(data, SSL_CLIENT_CERT_ERR);
-        EVP_PKEY_free(pri);
-        X509_free(x509);
-        sk_X509_pop_free(ca, X509_free);
-        return 0;
+        goto fail;
      }

      if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
        failf(data, "unable to use private key from PKCS12 file '%s'",
              cert_file);
-        EVP_PKEY_free(pri);
-        X509_free(x509);
-        sk_X509_pop_free(ca, X509_free);
-        return 0;
+        goto fail;
      }

      if(!SSL_CTX_check_private_key (ctx)) {
        failf(data, "private key from PKCS12 file '%s' "
              "does not match certificate in same file", cert_file);
-        EVP_PKEY_free(pri);
-        X509_free(x509);
-        sk_X509_pop_free(ca, X509_free);
-        return 0;
+        goto fail;
      }
      /* Set Certificate Verification chain */
      if(ca && sk_X509_num(ca)) {
        for(i = 0; i < sk_X509_num(ca); i++) {
-          if(!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) {
+          if(!SSL_CTX_add_extra_chain_cert(ctx, sk_X509_value(ca, i))) {
            failf(data, "cannot add certificate to certificate chain");
-            EVP_PKEY_free(pri);
-            X509_free(x509);
-            sk_X509_pop_free(ca, X509_free);
-            return 0;
+            goto fail;
          }
          if(!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) {
            failf(data, "cannot add certificate to client CA list");
-            EVP_PKEY_free(pri);
-            X509_free(x509);
-            sk_X509_pop_free(ca, X509_free);
-            return 0;
+            goto fail;
          }
        }
      }

+      cert_done = 1;
+  fail:
      EVP_PKEY_free(pri);
      X509_free(x509);
      sk_X509_pop_free(ca, X509_free);
-      cert_done = 1;
-      break;
+
+      if(!cert_done)
+        return 0; /* failure! */
 #else
      failf(data, "file type P12 for certificate not supported");
      return 0;