Move peer_cert handling to openconnect_open_https()
authorDavid Woodhouse <David.Woodhouse@intel.com>
Tue, 29 May 2012 11:33:08 +0000 (12:33 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Tue, 29 May 2012 11:33:12 +0000 (12:33 +0100)
There's no real need to do this in openconnect_obtain_cookie(). It doesn't
really matter if we do it for other connections, since any connections we
make *after* obtaining the cookie will be to the same server anyway.

This moves another OpenSSL-specific snippet out of what should be generic
code.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
http.c
ssl.c

diff --git a/http.c b/http.c
index ccbb551..602ea8f 100644 (file)
--- a/http.c
+++ b/http.c
@@ -693,12 +693,6 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
        if (result < 0)
                return result;
 
-       /* Remember the peer's SSL certificate; it may disconnect during
-          the response and then we wouldn't be able to find it */
-       if (vpninfo->peer_cert)
-               X509_free(vpninfo->peer_cert);
-       vpninfo->peer_cert = SSL_get_peer_certificate(vpninfo->https_ssl);
-
        buflen = process_http_response(vpninfo, &result, NULL, &form_buf);
        if (buflen < 0) {
                /* We'll already have complained about whatever offended us */
diff --git a/ssl.c b/ssl.c
index 843026a..2299efd 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -1017,6 +1017,11 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
        if (vpninfo->https_ssl)
                return 0;
 
+       if (vpninfo->peer_cert) {
+               X509_free(vpninfo->peer_cert);
+               vpninfo->peer_cert = NULL;
+       }
+
        if (!vpninfo->port)
                vpninfo->port = 443;
 
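Review bot: Freeing and NULLing `vpninfo->peer_cert` at the top of the connect path means every failure return between here and the `SSL_get_peer_certificate()` stash in the later ssl.c hunk leaves `peer_cert` NULL, so code that reads it after a failed reconnect no longer sees the last server certificate. That is a behaviour change from the old http.c placement, which only replaced the pointer once a connection existed, and it deserves a comment here such as `/* Drop the previous peer cert; it is re-stashed only after the new connection is established */`. The stash itself stores the return value unchecked, and SSL_get_peer_certificate() returns NULL when the peer presented no certificate, so consumers of `peer_cert` need a NULL check. Whether certificate verification has already completed by the time of the stash cannot be seen from these hunks, because openconnect_open_https() starts and ends outside both of them.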
@@ -1288,6 +1293,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
        vpninfo->ssl_fd = ssl_sock;
        vpninfo->https_ssl = https_ssl;
 
+       /* Stash this now, because it might not be available later if the
+          server has disconnected. */
+       vpninfo->peer_cert = SSL_get_peer_certificate(vpninfo->https_ssl);
+
        vpn_progress(vpninfo, PRG_INFO, _("Connected to HTTPS on %s\n"),
                     vpninfo->hostname);