1 files changed, 5 insertions, 17 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 6e74943803..7f7a176950 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.133 2022/01/08 12:43:44 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.134 2022/01/08 12:59:59 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2235,29 +2235,17 @@ ssl3_get_client_certificate(SSL *s)
        X509_free(s->session->peer);
        s->session->peer = sk_X509_shift(sk);
-        s->session->verify_result = s->verify_result;
-        /*
-         * With the current implementation, sess_cert will always be NULL
-         * when we arrive here
-         */
-        if (s->session->sess_cert == NULL) {
-                s->session->sess_cert = ssl_sess_cert_new();
-                if (s->session->sess_cert == NULL) {
-                        SSLerror(s, ERR_R_MALLOC_FAILURE);
-                        goto err;
-                }
-        }
-        sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-        s->session->sess_cert->cert_chain = sk;
        /*
         * Inconsistency alert: cert_chain does *not* include the
         * peer's own certificate, while we do include it in s3_clnt.c
         */
+        sk_X509_pop_free(s->session->cert_chain, X509_free);
+        s->session->cert_chain = sk;
        sk = NULL;
+        s->session->verify_result = s->verify_result;
        ret = 1;
        if (0) {
 decode_err:

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 6e74943803..7f7a176950 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.133 2022/01/08 12:43:44 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.134 2022/01/08 12:59:59 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2235,29 +2235,17 @@ ssl3_get_client_certificate(SSL *s)
2235		2235
2236	X509_free(s->session->peer);	2236	X509_free(s->session->peer);
2237	s->session->peer = sk_X509_shift(sk);	2237	s->session->peer = sk_X509_shift(sk);
2238	s->session->verify_result = s->verify_result;
2239
2240	/*
2241	* With the current implementation, sess_cert will always be NULL
2242	* when we arrive here
2243	*/
2244	if (s->session->sess_cert == NULL) {
2245	s->session->sess_cert = ssl_sess_cert_new();
2246	if (s->session->sess_cert == NULL) {
2247	SSLerror(s, ERR_R_MALLOC_FAILURE);
2248	goto err;
2249	}
2250	}
2251	sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
2252	s->session->sess_cert->cert_chain = sk;
2253		2238
2254	/*	2239	/*
2255	* Inconsistency alert: cert_chain does not include the	2240	* Inconsistency alert: cert_chain does not include the
2256	* peer's own certificate, while we do include it in s3_clnt.c	2241	* peer's own certificate, while we do include it in s3_clnt.c
2257	*/	2242	*/
2258		2243	sk_X509_pop_free(s->session->cert_chain, X509_free);
		2244	s->session->cert_chain = sk;
2259	sk = NULL;	2245	sk = NULL;
2260		2246
		2247	s->session->verify_result = s->verify_result;
		2248
2261	ret = 1;	2249	ret = 1;
2262	if (0) {	2250	if (0) {
2263	decode_err:	2251	decode_err: