From 2009ecca3f3413925537ed5563a1409f74bcd194 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 22 Feb 2018 23:52:17 +0000
Subject: [PATCH 1/1] OpenSSL: revert needless free of certificate list. The library handlies it internally.
Reported-by: Torsten Tributh
---
 src/src/tls-openssl.c | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 4dfeac06d..8e8f27686 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -152,7 +152,6 @@ typedef struct tls_ext_ctx_cb {
 uschar *certificate;
 uschar *privatekey;
 BOOL is_server;
- STACK_OF(X509_NAME) * acceptable_certnames;
 #ifndef DISABLE_OCSP
 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
 union {
@@ -1511,7 +1510,6 @@ cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
 cbinfo->certificate = certificate;
 cbinfo->privatekey = privatekey;
 cbinfo->is_server = host==NULL;
-cbinfo->acceptable_certnames = NULL;
 #ifndef DISABLE_OCSP
 cbinfo->verify_stack = NULL;
 if (!host)
@@ -1861,19 +1859,11 @@ if (expcerts && *expcerts) { tls_ext_ctx_cb * cbinfo = host ? client_static_cbinfo : server_static_cbinfo; - STACK_OF(X509_NAME) * names; - - if ((names = cbinfo->acceptable_certnames)) - { - sk_X509_NAME_pop_free(names, X509_NAME_free); - cbinfo->acceptable_certnames = NULL; - } - names = SSL_load_client_CA_file(CS file); + STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file); SSL_CTX_set_client_CA_list(sctx, names); DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", sk_X509_NAME_num(names)); - cbinfo->acceptable_certnames = names; } } }
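Review bot: `names` is handed to the context without a NULL check in the added line `STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);` of the `@@ -1861` hunk; the call returns NULL when the file cannot be read or parsed, in which case `SSL_CTX_set_client_CA_list(sctx, names)` leaves the context with no advertised CA names and the debug line prints -1. Unless code outside the hunk already guarantees the file loads, guard the hand-over with `if (names) SSL_CTX_set_client_CA_list(sctx, names);` and log the failure in the else branch; whether it should be fatal is a policy choice. As far as the hunk shows, `cbinfo` is no longer referenced in this block once the free is gone, so its declaration can be dropped. A comment above the call such as `/* ownership of names passes to sctx; the library frees it, do not free here */` would keep the double free from being reintroduced. The enclosing function starts and ends outside the hunk.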
@@ -2488,11 +2478,9 @@ if (error == SSL_ERROR_ZERO_RETURN) SSL_shutdown(server_ssl); sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); - sk_X509_NAME_pop_free(server_static_cbinfo->acceptable_certnames, X509_NAME_free); SSL_free(server_ssl); SSL_CTX_free(server_ctx); server_static_cbinfo->verify_stack = NULL; - server_static_cbinfo->acceptable_certnames = NULL; server_ctx = NULL; server_ssl = NULL; tls_in.active = -1;
@@ -2769,10 +2757,7 @@ if (shutdown) if (is_server) { sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); - sk_X509_NAME_pop_free(server_static_cbinfo->acceptable_certnames, - X509_NAME_free); server_static_cbinfo->verify_stack = NULL; - server_static_cbinfo->acceptable_certnames = NULL; } SSL_CTX_free(*ctxp);
--
2.25.1