From 6edabd71b5636e9bddc38b6b5a2b4a157bd43ba5 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Tue, 29 May 2012 12:33:08 +0100
Subject: [PATCH] Move peer_cert handling to openconnect_open_https()

There's no real need to do this in openconnect_obtain_cookie(). It doesn't really matter if we do it for other connections, since any connections we make *after* obtaining the cookie will be to the same server anyway.

This moves another OpenSSL-specific snippet out of what should be generic code.

Signed-off-by: David Woodhouse
---
 http.c | 6 ------
 ssl.c | 9 +++++++++
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/http.c b/http.c
index ccbb551..602ea8f 100644
--- a/http.c
+++ b/http.c
@@ -693,12 +693,6 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
 	if (result < 0)
 		return result;
 
-	/* Remember the peer's SSL certificate; it may disconnect during
-	   the response and then we wouldn't be able to find it */
-	if (vpninfo->peer_cert)
-		X509_free(vpninfo->peer_cert);
-	vpninfo->peer_cert = SSL_get_peer_certificate(vpninfo->https_ssl);
-
 	buflen = process_http_response(vpninfo, &result, NULL, &form_buf);
 	if (buflen < 0) {
 		/* We'll already have complained about whatever offended us */
diff --git a/ssl.c b/ssl.c
index 843026a..2299efd 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1017,6 +1017,11 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 	if (vpninfo->https_ssl)
 		return 0;
 
+	if (vpninfo->peer_cert) {
+		X509_free(vpninfo->peer_cert);
+		vpninfo->peer_cert = NULL;
+	}
+
 	if (!vpninfo->port)
 		vpninfo->port = 443;
 
@@ -1288,6 +1293,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 	vpninfo->ssl_fd = ssl_sock;
 	vpninfo->https_ssl = https_ssl;
 
+	/* Stash this now, because it might not be available later if the
+	   server has disconnected. */
+	vpninfo->peer_cert = SSL_get_peer_certificate(vpninfo->https_ssl);
+
 	vpn_progress(vpninfo, PRG_INFO, _("Connected to HTTPS on %s\n"),
 		     vpninfo->hostname);
 
-- 
2.7.4
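Review bot: The `if (vpninfo->peer_cert)` guard around the free in the first ssl.c hunk (at -1017) is redundant, since OpenSSL's X509_free() treats a NULL argument as a no-op; the block reduces to `X509_free(vpninfo->peer_cert);` followed by `vpninfo->peer_cert = NULL;`. The NULL reset is the part worth keeping: it is done before any connection attempt, so if the rest of openconnect_open_https() fails before the new certificate is stashed, peer_cert does not keep pointing at the certificate of a previous (possibly different) server. openconnect_open_https() continues outside the hunk.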
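Review bot: The comment on the stash in the second ssl.c hunk (at -1288) does not record two properties of SSL_get_peer_certificate() that a later reader of peer_cert needs: it returns NULL when the peer presented no certificate, and it returns a new reference that vpninfo->peer_cert now owns. The only release visible in this patch is the free at the top of openconnect_open_https() on the next call; whether the close path also releases it is not visible here and should be confirmed. Suggest extending the comment to `/* Stash this now, because it might not be available later if the server has disconnected. This is a new reference (or NULL if no cert was presented), owned by peer_cert and released on the next openconnect_open_https(). */`. openconnect_open_https() continues outside the hunk.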