From cd69343d67081ab9c070f21d58918433a44f97bf Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 17 Aug 2016 19:30:57 -0700 Subject: Fix SslContext::add_extra_chain_cert SSL_CTX_add_extra_chain_cert assumes ownership of the certificate, so the method really needs to take an X509 by value. Work around this by manually cloning the cert. This method has been around for over a year but I'm guessing nobody actually used it since it produces a nice double free into segfault! --- openssl/src/ssl/mod.rs | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'openssl/src/ssl/mod.rs') diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 64a2ccaf..6e365af6 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -535,9 +535,14 @@ impl<'a> SslContextRef<'a> { /// Adds a certificate to the certificate chain presented together with the /// certificate specified using set_certificate() pub fn add_extra_chain_cert(&mut self, cert: &X509Ref) -> Result<(), ErrorStack> { - wrap_ssl_result(unsafe { - ffi::SSL_CTX_add_extra_chain_cert(self.as_ptr(), cert.as_ptr()) as c_int - }) + // FIXME this should really just take an X509 by value + let der = try!(cert.to_der()); + let cert = try!(X509::from_der(&der)); + unsafe { + try_ssl!(ffi::SSL_CTX_add_extra_chain_cert(self.as_ptr(), cert.as_ptr())); + } + mem::forget(cert); + Ok(()) } /// Specifies the file that contains private key -- cgit v1.2.3