From 82237a974d8503808a2d34c01bd07e14739995cc Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 4 Mar 2013 00:45:21 +0000
Subject: [PATCH] Destroy vpninfo->https_cred on failing to create it
If something like certificate setup went wrong, we'd return failure but *not* destroy the gnutls_certificate_credentials_t that we were attempting to set up. So a subsequent retry would see that it already exists, assume it's *fine* and just go ahead and use it. Don't do that.
Signed-off-by: David Woodhouse
---
 gnutls.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/gnutls.c b/gnutls.c
index cc2e2104..8e8e7786 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1782,8 +1782,11 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 		unsigned int nr_certs;
 		err = load_datum(vpninfo, &datum, vpninfo->cafile);
-		if (err < 0)
+		if (err < 0) {
+			gnutls_certificate_free_credentials(vpninfo->https_cred);
+			vpninfo->https_cred = NULL;
 			return err;
+		}
 		/* For GnuTLS 3.x We should use gnutls_x509_crt_list_import2() */
 		nr_certs = count_x509_certificates(&datum);
@@ -1796,6 +1799,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("Failed to allocate memory for cafile certs\n"));
 			gnutls_free(datum.data);
+			gnutls_certificate_free_credentials(vpninfo->https_cred);
+			vpninfo->https_cred = NULL;
 			close(ssl_sock);
 			return -ENOMEM;
 		}
@@ -1815,6 +1820,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("Failed to read certs from cafile: %s\n"),
 				     gnutls_strerror(err));
+			gnutls_certificate_free_credentials(vpninfo->https_cred);
+			vpninfo->https_cred = NULL;
 			close(ssl_sock);
 			return -EINVAL;
 		}
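Review bot: The early-return path in the first hunk now frees the credentials but, unlike the four other error paths this patch touches (the -ENOMEM, "read certs from cafile", "open CA file" and "Loading certificate failed" branches), does not `close(ssl_sock)` before `return err;`; if the socket is already open when load_datum() fails, that descriptor is leaked on every retry, so either add the close there or confirm ssl_sock is not yet open at that point. The same two-line teardown `gnutls_certificate_free_credentials(vpninfo->https_cred); vpninfo->https_cred = NULL;` is now pasted into five exit paths across all five hunks, which is exactly how one path ends up out of step with the rest; a single cleanup label such as `err_free_cred:` holding the free, the NULL assignment and `close(ssl_sock)`, reached by `goto err_free_cred;` with the return code set beforehand, would keep the teardown in one place. Clearing the pointer after the free is the right call here, since the commit message says a retry decides whether to reuse https_cred based on it already existing. openconnect_open_https() starts and ends outside these hunks.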
@@ -1829,6 +1836,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("Failed to open CA file '%s': %s\n"),
 				     vpninfo->cafile, gnutls_strerror(err));
+			gnutls_certificate_free_credentials(vpninfo->https_cred);
+			vpninfo->https_cred = NULL;
 			close(ssl_sock);
 			return -EINVAL;
 		}
@@ -1839,6 +1848,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 	if (err) {
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("Loading certificate failed. Aborting.\n"));
+		gnutls_certificate_free_credentials(vpninfo->https_cred);
+		vpninfo->https_cred = NULL;
 		close(ssl_sock);
 		return err;
 	}