From b99c00571f4d6be8fb500311592ad8b33d6b5e66 Mon Sep 17 00:00:00 2001
From: Brendan Cully
Date: Wed, 27 May 2009 22:52:04 -0700
Subject: [PATCH] Don't leak gnutls certs on preauth validation failure. Thanks to Miroslav Lichvar.
---
 mutt_ssl_gnutls.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index a51e6b058..e840694e5 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -634,6 +634,8 @@ static int tls_check_preauth (const gnutls_datum_t *certdata, certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; } + gnutls_x509_crt_deinit (cert); + /* OK if signed by (or is) a trusted certificate */ /* we've been zeroing the interesting bits in certstat - don't return OK if there are any unhandled bits we don't
@@ -641,10 +643,7 @@ static int tls_check_preauth (const gnutls_datum_t *certdata, if (!(*certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID | CERTERR_HOSTNAME | CERTERR_NOTTRUSTED)) && certstat == 0) - { - gnutls_x509_crt_deinit (cert); return 0; - } return -1; }
-- 
2.40.0
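Review bot: The `gnutls_x509_crt_deinit (cert);` added in the first hunk carries no comment saying that `cert` is dead from that point on, so a check added below it later that reads the certificate would be a use-after-free in the pre-authentication validation path. I would put a comment above the call, for example `/* cert is not needed past this point; free it once here so both the return 0 and the return -1 path release it */`. The visible lines after the call only read `*certerr` and `certstat`, so the placement itself looks right. tls_check_preauth starts outside the hunk, so any earlier `return` taken after the certificate has been initialised should be checked for the same leak; that cannot be confirmed from this diff.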