From: Brendan Cully
Date: Thu, 28 May 2009 05:52:04 +0000 (-0700)
Subject: Don't leak gnutls certs on preauth validation failure.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=11a3e190f1a83085fc7eeb139b4464a090f196fb;p=mutt
Don't leak gnutls certs on preauth validation failure.
Thanks to Miroslav Lichvar.
---
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index a51e6b05..e840694e 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -634,6 +634,8 @@ static int tls_check_preauth (const gnutls_datum_t *certdata,
 certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
 }
+ gnutls_x509_crt_deinit (cert);
+ /* OK if signed by (or is) a trusted certificate */ /* we've been zeroing the interesting bits in certstat - don't return OK if there are any unhandled bits we don't
@@ -641,10 +643,7 @@ static int tls_check_preauth (const gnutls_datum_t *certdata,
 if (!(*certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID | CERTERR_HOSTNAME | CERTERR_NOTTRUSTED)) && certstat == 0)
- {
- gnutls_x509_crt_deinit (cert);
 return 0;
- }
 return -1;
 }
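Review bot: The `gnutls_x509_crt_deinit (cert);` added after the certstat handling in the first hunk releases the certificate only for the two returns at the end of tls_check_preauth. Any `return` between the point where cert is set up and this line would still leak it; those lines are outside the hunk, so they need checking against the same rule. From this call on `cert` is a released handle, and a comment above it such as `/* cert is not used below: release it here so both return paths are covered */` would keep later edits from reading it in the trust decision that follows. The function body starts before the hunk.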