Check that all arguments are certificates before allocating OpenSSL
structures that require cleanup afterwards.
API of issued() changes (again) to root:issued(cert, [chain]*)

==1429== 336 (144 direct, 192 indirect) bytes in 1 blocks are definitely lost in loss record 567 of 611
...
==1429== by 0x5ECCBC7: PEM_ASN1_read_bio (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==1429== by 0x4E39D8F: dhparam_cb (context.c:184)
==1429== by 0x5B679D3: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==1429== by 0x5B6A6EE: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==1429== by 0x4E3C00D: meth_handshake (ssl.c:103)
...

The integer value that's actually returned for this flag is 2, which is fine
for C (it is defined as true), but it's sufficiently surprising (because it's
not 1) that this is worth fixing -- even if export ciphers aren't common.
It should be a boolean anyway.

SSL_CTX_set_tmp_ecdh() takes a reference to the provided key.
==8323== 1,044 (56 direct, 988 indirect) bytes in 1 blocks are definitely lost in loss record 611 of 631
==8323== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==8323== by 0x5E05D9F: CRYPTO_malloc (mem.c:308)
==8323== by 0x5E59859: EC_KEY_new (ec_key.c:75)
==8323== by 0x5E59974: EC_KEY_new_by_curve_name (ec_key.c:96)
==8323== by 0x4E395A7: set_curve (context.c:261)
...

The workaround for 'no_compression' on older OpenSSL is handled in context.c;
set_option_flag (which uses ssl_options) is never called, so this shouldn't
exist.