From 790fbb71d92b47c6637892f3feedc0f99000f01e Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 22 Jun 2015 10:32:01 +0100
Subject: [PATCH] Before importing a certificate, free any previous one. Bug 1648 Second try
---
 src/src/deliver.c | 12 ++----------
 src/src/functions.h | 6 +++---
 src/src/spool_in.c | 6 ++++--
 src/src/tlscert-gnu.c | 11 ++++++++---
 src/src/tlscert-openssl.c | 9 +++++++--
 5 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 543a618eb..78f8f4bd4 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1170,16 +1170,8 @@ if (result == OK)
 delivery_log(LOG_MAIN, addr, logchar, NULL);
 #ifdef SUPPORT_TLS
- if (tls_out.ourcert)
- {
- tls_free_cert(tls_out.ourcert);
- tls_out.ourcert = NULL;
- }
- if (tls_out.peercert)
- {
- tls_free_cert(tls_out.peercert);
- tls_out.peercert = NULL;
- }
+ tls_free_cert(&tls_out.ourcert);
+ tls_free_cert(&tls_out.peercert);
 tls_out.cipher = NULL;
 tls_out.peerdn = NULL;
 tls_out.ocsp = OCSP_NOT_REQ;
diff --git a/src/src/functions.h b/src/src/functions.h
index 70f187050..02579040e 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -45,15 +45,15 @@ extern uschar * tls_cert_fprt_sha256(void *);
 extern int tls_client_start(int, host_item *, address_item *,
 transport_instance *
-#ifdef EXPERIMENTAL_DANE
+# ifdef EXPERIMENTAL_DANE
 , dns_answer *
-#endif
+# endif
 );
 extern void tls_close(BOOL, BOOL);
 extern int tls_export_cert(uschar *, size_t, void *);
 extern int tls_feof(void);
 extern int tls_ferror(void);
-extern void tls_free_cert(void *);
+extern void tls_free_cert(void **);
 extern int tls_getc(void);
 extern int tls_import_cert(const uschar *, void **);
 extern int tls_read(BOOL, uschar *, size_t);
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 9ce8ce5cb..1a5bf4ec8 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
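Review bot: The new `tls_free_cert(void **)` prototype changes the ownership contract — per the tlscert-gnu.c and tlscert-openssl.c hunks in this patch it frees `*cert` and resets it to NULL — but nothing at the declaration says so, and any caller that kept its own copy of the old pointer value is now holding a freed object without noticing. A one-line comment above the prototype would make this visible: `/* Release *cert (no-op when *cert is NULL) and set *cert to NULL; cert itself must not be NULL */`. The `#ifdef` to `# ifdef` reindent in the same hunk is unrelated whitespace churn that would be cleaner in its own commit.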
@@ -288,8 +288,10 @@ tls_in.certificate_verified = FALSE;
 tls_in.dane_verified = FALSE;
 # endif
 tls_in.cipher = NULL;
-tls_in.ourcert = NULL;
-tls_in.peercert = NULL;
+# ifndef COMPILE_UTILITY /* tls support fns not built in */
+tls_free_cert(&tls_in.ourcert);
+tls_free_cert(&tls_in.peercert);
+# endif
 tls_in.peerdn = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c
index 40f49d366..69ce27fc8 100644
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
@@ -77,10 +77,15 @@ return fail;
 }
 void
-tls_free_cert(void * cert)
+tls_free_cert(void ** cert)
 {
-gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
-gnutls_global_deinit();
+gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
+if (crt)
+ {
+ gnutls_x509_crt_deinit(crt);
+ gnutls_global_deinit();
+ *cert = NULL;
+ }
 }
 /*****************************************************
diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c
index f2e482ba7..72808a7ad 100644
--- a/src/src/tlscert-openssl.c
+++ b/src/src/tlscert-openssl.c
@@ -75,9 +75,14 @@ return fail;
 }
 void
-tls_free_cert(void * cert)
+tls_free_cert(void ** cert)
 {
-X509_free((X509 *)cert);
+X509 * x = *(X509 **)cert;
+if (x)
+ {
+ X509_free(x);
+ *cert = NULL;
+ }
 }
--
2.30.2
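Review bot: Under COMPILE_UTILITY the two resets `tls_in.ourcert = NULL; tls_in.peercert = NULL;` that this hunk removes are not replaced by anything, so a utility build no longer clears those fields while every other tls_in member around them is still reset; add an else branch so both builds leave them NULL: `# else` / `tls_in.ourcert = NULL;` / `tls_in.peercert = NULL;` before the `# endif`. Note also that this turns what was a plain drop of the pointer into a real release of the certificate object, so if any other code still holds the same pointer after this function runs (I cannot tell from the hunk) it now dangles — worth confirming against every reader of tls_in.peercert and tls_in.ourcert. The enclosing function starts and ends outside the hunk.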
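Review bot: `gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;` reads the caller's `void *` object through a pointer of a different type; since `*cert` is a `void *` it converts to `gnutls_x509_crt_t` implicitly, so `gnutls_x509_crt_t crt = *cert;` expresses the same thing without the aliasing cast. The `gnutls_global_deinit()` inside the guard now runs only for a non-NULL cert, which is correct only if `tls_import_cert` (outside this hunk) does a matching `gnutls_global_init()` once per successful import; a comment stating that pairing would keep the library refcount from drifting silently if either side changes: `/* balances the gnutls_global_init() done by tls_import_cert for this cert */`. As in the old code, `cert` itself is dereferenced unconditionally, so a NULL `void **` still crashes — fine for the `&tls_x.field` callers in this patch, but it belongs in the header comment.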
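Review bot: `X509 * x = *(X509 **)cert;` casts through an incompatible pointer type where a plain `X509 *x = *cert;` would do, since `*cert` is `void *` and converts implicitly. OpenSSL documents X509_free(NULL) as a no-op, so the whole body can also collapse to the two lines `X509_free(*cert); *cert = NULL;` with no guard at all, matching the project's own "free(NULL) needs no check" idiom. Either way `cert` itself is still dereferenced unguarded, exactly as in the GnuTLS backend, so the two backends at least agree on that precondition.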