From 5e6e46092b1b16ca7be107711e67259b335c8de6 Mon Sep 17 00:00:00 2001 From: tb <> Date: Sat, 8 Feb 2025 01:04:56 +0000 Subject: x509_verify_parent_signature(): no need to bump pkey's refcount The parent certificate outlives the signature check, so we don't have to take a refcount of its pubkey and then release it again. ok beck
---
 src/lib/libcrypto/x509/x509_verify.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'src')
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 5dcec27542..235f488fc7 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.71 2025/02/08 01:01:31 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.72 2025/02/08 01:04:56 tb Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -546,7 +546,7 @@ x509_verify_parent_signature(X509 *parent, X509 *child, int *error)
 }
 
 /* Check signature. Did parent sign child? */
- if ((pkey = X509_get_pubkey(parent)) == NULL) {
+ if ((pkey = X509_get0_pubkey(parent)) == NULL) {
 *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
 return 0;
 }
@@ -558,8 +558,6 @@ x509_verify_parent_signature(X509 *parent, X509 *child, int *error)
 /* Add result to cache */
 x509_issuer_cache_add(parent->hash, child->hash, ret);
 
- EVP_PKEY_free(pkey);
-
 return ret;
 }
 
-- cgit v1.2.3-55-g6feb
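Review bot: After the switch to `X509_get0_pubkey(parent)` in the `@@ -546,7 +546,7 @@` hunk, `pkey` is a borrowed pointer whose lifetime is tied to `parent`, but nothing at the call site records that. A one-line comment above the `if`, such as `/* pkey is borrowed from parent; it must not be freed here. */`, would keep a later edit from re-adding `EVP_PKEY_free(pkey)`, which on a get0 pointer would release a reference this function never took and could leave the certificate's cached key dangling. The change is only safe while the caller keeps `parent` alive for the whole call, as the commit message states; that cannot be confirmed from the hunk, because the function's declarations and the signature check that uses `pkey` lie outside it.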