Correctly fix double free introduced on review.

the roots for a ctx are only freed in the free function, not in the
clear function, so that a ctx can be re-used with the same roots.

ok tb@

2 files changed, 3 insertions, 3 deletions

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 5f5070c122..aeab03ffc2 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.1 2020/09/13 15:06:17 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.2 2020/09/14 08:06:09 beck Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -153,7 +153,6 @@ x509_verify_ctx_clear(struct x509_verify_ctx *ctx)
 {
         x509_verify_ctx_reset(ctx);
         sk_X509_pop_free(ctx->intermediates, X509_free);
-        sk_X509_pop_free(ctx->roots, X509_free);
         free(ctx->chains);
         memset(ctx, 0, sizeof(*ctx));
 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index f076a1dc5c..a66ef76e6b 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.76 2020/09/14 07:46:01 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.77 2020/09/14 08:06:09 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -682,6 +682,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
                 chain_count = x509_verify(vctx, NULL, NULL);
         }
 
+        sk_X509_pop_free(roots, X509_free);
         x509_verify_ctx_free(vctx);
 
         /* if we succeed we have a chain in ctx->chain */