Before importing a certificate, free any previous one. Bug 1648
authorJeremy Harris <jgh146exb@wizmail.org>
Mon, 22 Jun 2015 09:32:01 +0000 (10:32 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Mon, 22 Jun 2015 09:32:01 +0000 (10:32 +0100)
Second try

src/src/deliver.c
src/src/functions.h
src/src/spool_in.c
src/src/tlscert-gnu.c
src/src/tlscert-openssl.c

index 543a618eb842b09d8df9a69ec412db9e572778b8..78f8f4bd47163cc5570dae14978ebf344de551fb 100644 (file)
@@ -1170,16 +1170,8 @@ if (result == OK)
   delivery_log(LOG_MAIN, addr, logchar, NULL);
 
 #ifdef SUPPORT_TLS
-  if (tls_out.ourcert)
-    {
-    tls_free_cert(tls_out.ourcert);
-    tls_out.ourcert = NULL;
-    }
-  if (tls_out.peercert)
-    {
-    tls_free_cert(tls_out.peercert);
-    tls_out.peercert = NULL;
-    }
+  tls_free_cert(&tls_out.ourcert);
+  tls_free_cert(&tls_out.peercert);
   tls_out.cipher = NULL;
   tls_out.peerdn = NULL;
   tls_out.ocsp = OCSP_NOT_REQ;
index 70f187050ce5518ef22cce3dc92c4646cdc2be69..02579040eccc1731c260877aec042a87e07c39f4 100644 (file)
@@ -45,15 +45,15 @@ extern uschar * tls_cert_fprt_sha256(void *);
 
 extern int     tls_client_start(int, host_item *, address_item *,
                 transport_instance *
-#ifdef EXPERIMENTAL_DANE
+# ifdef EXPERIMENTAL_DANE
                , dns_answer *
-#endif
+# endif
                                );
 extern void    tls_close(BOOL, BOOL);
 extern int     tls_export_cert(uschar *, size_t, void *);
 extern int     tls_feof(void);
 extern int     tls_ferror(void);
-extern void    tls_free_cert(void *);
+extern void    tls_free_cert(void **);
 extern int     tls_getc(void);
 extern int     tls_import_cert(const uschar *, void **);
 extern int     tls_read(BOOL, uschar *, size_t);
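Review bot: The change of `tls_free_cert` from `void *` to `void **` is not enforced by the compiler, because C converts `void *` to `void **` implicitly. A call site that this commit missed and that still passes the certificate handle itself would build without a diagnostic, and the function would then treat the certificate object as if it were the pointer slot. The call sites in deliver.c and spool_in.c shown on this page are updated, but any others lie outside it, so every caller should be checked by hand. A one-line comment above the prototype would record the contract, for example `/* takes the address of the handle; frees it if set and stores NULL */`.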
index 9ce8ce5cb28b731e3b92203ece70209253b3257a..1a5bf4ec8a3e0e9262b22b2aaec59faad7113247 100644 (file)
@@ -288,8 +288,10 @@ tls_in.certificate_verified = FALSE;
 tls_in.dane_verified = FALSE;
 # endif
 tls_in.cipher = NULL;
-tls_in.ourcert = NULL;
-tls_in.peercert = NULL;
+# ifndef COMPILE_UTILITY       /* tls support fns not built in */
+tls_free_cert(&tls_in.ourcert);
+tls_free_cert(&tls_in.peercert);
+# endif
 tls_in.peerdn = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
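Review bot: With `COMPILE_UTILITY` defined the two certificate fields are now left untouched, whereas the removed lines set `tls_in.ourcert` and `tls_in.peercert` to NULL in every build. If nothing in a utility build can store a certificate there this is harmless, but that cannot be confirmed from this hunk; adding `# else` followed by `tls_in.ourcert = NULL;` and `tls_in.peercert = NULL;` keeps the old reset. In the full build the new calls also assume that each field is either NULL or a handle owned by `tls_in` alone, since a second copy of the pointer held elsewhere would be left dangling after the free. The enclosing function starts and ends outside the hunk.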
index 40f49d36699dfd21a4d10a941cce65f90bbdc3bd..69ce27fc81db405b10edabf555966abe5f7081ea 100644 (file)
@@ -77,10 +77,15 @@ return fail;
 }
 
 void
-tls_free_cert(void * cert)
+tls_free_cert(void ** cert)
 {
-gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
-gnutls_global_deinit();
+gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
+if (crt)
+  {
+  gnutls_x509_crt_deinit(crt);
+  gnutls_global_deinit();
+  *cert = NULL;
+  }
 }
 
 /*****************************************************
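Review bot: The read `*(gnutls_x509_crt_t *)cert` accesses a `void *` object through an lvalue of a different pointer type, while the store a few lines later uses `*cert` directly. Converting the value instead of the pointer, `gnutls_x509_crt_t crt = (gnutls_x509_crt_t) *cert;`, avoids the aliasing question and matches the store. The OpenSSL version in tlscert-openssl.c has the same shape and could use `X509 * x = (X509 *) *cert;`. `gnutls_global_deinit()` is still called once per freed certificate, so it relies on a matching `gnutls_global_init()` for each imported one, which is not visible in this hunk. A short header comment should say that the function takes the address of the handle, does nothing when the handle is already NULL, and clears it afterwards.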
index f2e482ba7757634413603b9859882365d6b5c423..72808a7ad797fc34745756589a7f9ada7c1b78b6 100644 (file)
@@ -75,9 +75,14 @@ return fail;
 }
 
 void
-tls_free_cert(void * cert)
+tls_free_cert(void ** cert)
 {
-X509_free((X509 *)cert);
+X509 * x = *(X509 **)cert;
+if (x)
+  {
+  X509_free(x);
+  *cert = NULL;
+  }
 }