From: David Woodhouse Date: Fri, 15 Nov 2013 21:45:01 +0000 (+0000) Subject: Simplify handling of supporting_certs X-Git-Tag: v5.02~26 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=202bbd2d3f19a4964c6f07149525fbe5dff9a9d9;p=users%2Fdwmw2%2Fopenconnect.git Simplify handling of supporting_certs Dispense with the "if supporting_certs is non-NULL then use it else there's a single certificate in cert" logic. It's complex and pointless. We can live with an extra allocation in the "fast path", for $DEITY's sake. Signed-off-by: David Woodhouse
---
diff --git a/gnutls.c b/gnutls.c
index 2b3b45f0..afdb3159 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1430,18 +1430,25 @@ static int load_certificate(struct openconnect_info *vpninfo) choose the _right_ one. (RT#1942) Pick the right ones for ourselves and add them manually. */ - if (nr_supporting_certs) { - /* We already got a bunch of certs from PKCS#12 file. Remember - how many need to be freed when we're done, since we'll - expand the supporting_certs array with more from the cafile - and extra_certs[] array if we can, and those extra certs - must not be freed (twice). */ - last_cert = supporting_certs[nr_supporting_certs-1]; - certs_to_free = nr_supporting_certs; - } else { - last_cert = cert; - certs_to_free = nr_supporting_certs = 1; + /* We may have already got a bunch of certs from PKCS#12 + file. Remember how many need to be freed when we're done, + since we'll expand the supporting_certs array with more + from the cafile and extra_certs[] array if we can, and + those extra certs must not be freed (twice). */ + if (!nr_supporting_certs) { + supporting_certs = gnutls_malloc(sizeof(*supporting_certs)); + if (!supporting_certs) { + vpn_progress(vpninfo, PRG_ERR, + _("Failed to allocate memory for certificate\n")); + ret = -ENOMEM; + goto out; + } + supporting_certs[0] = cert; + nr_supporting_certs = 1; } + last_cert = supporting_certs[nr_supporting_certs-1]; + certs_to_free = nr_supporting_certs; + while (1) { gnutls_x509_crt_t issuer; void *tmp; @@ -1500,10 +1507,6 @@ static int load_certificate(struct openconnect_info *vpninfo) goto out; } - /* First time we actually allocated an array? Copy the first cert into it */ - if (nr_supporting_certs == 2) - supporting_certs[0] = cert; - /* Append the new one */ supporting_certs[nr_supporting_certs-1] = issuer; last_cert = issuer; 
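Review bot: In the first hunk on this line (-1430,18 +1430,25), `cert` is now stored as `supporting_certs[0]` and counted in `certs_to_free`, so the same handle is reachable through two names when control reaches `out:`. The cleanup code is outside the hunk and this diff does not touch it, so it is worth confirming that it deinitialises `cert` directly only when `supporting_certs` is still NULL (the `gnutls_malloc` failure path, where `certs_to_free` has not yet been assigned) and otherwise releases it once through the array. Anything else would be a double deinit or a leak of the certificate handle. A comment at the assignment would record the ownership rule, e.g. `/* supporting_certs[0] aliases cert; out: must deinit it exactly once */`. load_certificate begins and ends outside the hunk.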
@@ -1525,7 +1528,7 @@ static int load_certificate(struct openconnect_info *vpninfo) #if defined(HAVE_P11KIT) || defined(HAVE_TROUSERS) if (pkey) { err = assign_privkey(vpninfo, pkey, - supporting_certs ? supporting_certs : &cert, + supporting_certs, nr_supporting_certs, extra_certs, nr_extra_certs); if (!err) { @@ -1535,7 +1538,7 @@ static int load_certificate(struct openconnect_info *vpninfo) } else #endif /* P11KIT || TROUSERS */ err = gnutls_certificate_set_x509_key(vpninfo->https_cred, - supporting_certs ? supporting_certs : &cert, + supporting_certs, nr_supporting_certs, key); if (err) {
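Review bot: `supporting_certs` is passed to `assign_privkey()` without the NULL fallback that the old `supporting_certs ? supporting_certs : &cert` provided, and the same holds for the `gnutls_certificate_set_x509_key()` call in the following hunk (-1535,7 +1538,7). Both calls now rely on the allocation added near line 1430 having either succeeded or jumped to `out`. The code between that allocation and these calls is not visible here, so a path that reaches them with a NULL array and a non-zero `nr_supporting_certs` cannot be ruled out from the diff alone. A short comment above the `#if` stating the invariant, such as `/* supporting_certs is non-NULL here and holds at least cert */`, would help keep a later edit from reintroducing such a path.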