Correct ownership semantics of SSL_{CTX_,}use_certificate

rustls · Apr 9, 2024 · 16f975c · 16f975c
1 parent 1297a9c
commit 16f975c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/rustls-libssl/src/entry.rs b/rustls-libssl/src/entry.rs
@@ -516,7 +516,10 @@ entry! {
             return Error::null_pointer().raise().into();
         }
 
-        let ee = CertificateDer::from(OwnedX509::new(x).der_bytes());
+        let x509 = OwnedX509::new(x);
+        // `x` belongs to caller.
+        x509.up_ref();
+        let ee = CertificateDer::from(x509.der_bytes());
 
         match ctx
             .lock()
@@ -1487,12 +1490,15 @@ entry! {
             return Error::null_pointer().raise().into();
         }
 
-        let chain = vec![CertificateDer::from(OwnedX509::new(x).der_bytes())];
+        let x509 = OwnedX509::new(x);
+        // `x` belongs to caller.
+        x509.up_ref();
+        let ee = CertificateDer::from(x509.der_bytes());
 
         match ssl
             .lock()
             .map_err(|_| Error::cannot_lock())
-            .map(|mut ssl| ssl.stage_certificate_chain(chain))
+            .map(|mut ssl| ssl.stage_certificate_end(ee))
         {
             Err(e) => e.raise().into(),
             Ok(()) => C_INT_SUCCESS,

diff --git a/rustls-libssl/src/lib.rs b/rustls-libssl/src/lib.rs
@@ -518,6 +518,10 @@ impl Ssl {
             .unwrap_or_default();
     }
 
+    fn stage_certificate_end(&mut self, end: CertificateDer<'static>) {
+        self.auth_keys.stage_certificate_end(end)
+    }
+
     fn stage_certificate_chain(&mut self, chain: Vec<CertificateDer<'static>>) {
         self.auth_keys.stage_certificate_chain(chain)
     }