From 3f3c7d26d577902a542bf226a091aab93ea1ff96 Mon Sep 17 00:00:00 2001
From: Rob Percival
Date: Mon, 7 Mar 2016 18:05:53 +0000
Subject: [PATCH] Use s->session->peer instead of calling SSL_get_peer_certificate(s)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Avoids modifying certificate reference count, and thereby avoids locking.

Reviewed-by: Emilia Käsper
Reviewed-by: Rich Salz
---
 ssl/ssl_lib.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b1e7d0d2ec..5dfb0fdbc7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3931,7 +3931,7 @@ err:
 static int ct_extract_x509v3_extension_scts(SSL *s)
 {
 int scts_extracted = 0;
- X509 *cert = SSL_get_peer_certificate(s);
+ X509 *cert = s->session != NULL ? s->session->peer : NULL;
 if (cert != NULL) {
 STACK_OF(SCT) *scts =
@@ -3941,7 +3941,6 @@ static int ct_extract_x509v3_extension_scts(SSL *s)
 ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION);
 SCT_LIST_free(scts);
- X509_free(cert);
 }
 return scts_extracted;
@@ -4032,7 +4031,7 @@ ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx)
 int ssl_validate_ct(SSL *s)
 {
 int ret = 0;
- X509 *cert = SSL_get_peer_certificate(s);
+ X509 *cert = s->session != NULL ? s->session->peer : NULL;
 X509 *issuer = NULL;
 CT_POLICY_EVAL_CTX *ctx = NULL;
 const STACK_OF(SCT) *scts;
@@ -4072,7 +4071,6 @@ int ssl_validate_ct(SSL *s)
 end:
 CT_POLICY_EVAL_CTX_free(ctx);
- X509_free(cert);
 return ret;
 }
-- 
2.25.1
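Review bot: The new declaration of `cert` in ct_extract_x509v3_extension_scts holds a borrowed pointer with no comment saying so, and the same declaration appears in ssl_validate_ct in the third hunk. With the matching `X509_free(cert)` calls removed, a later maintainer who re-adds a free or stores the pointer would introduce a double free or a dangling reference. I would add `/* Borrowed from s->session: no reference is taken, do not X509_free() */` above both declarations. The repeated expression `s->session != NULL ? s->session->peer : NULL` could also live in one small static helper, so the ownership rule is stated once.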
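Review bot: In ssl_validate_ct nothing pins `cert` any more between its declaration and the `end:` label, and that stretch of the function is outside the hunks shown. If the omitted code hands `cert` to the policy evaluation context or runs the application's CT validation callback (both look likely from the surrounding names, but neither is visible here), the pointer stays valid only while `s->session` is not replaced or freed during the call. Please confirm that invariant and record it next to the declaration, e.g. `/* valid only while s->session is unchanged; callbacks must not swap the session */`.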