Make use of acquire/release in client-side ssl_write_encrypted_pms()
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 174e8b1..0ea581d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2323,7 +2323,16 @@
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert != NULL )
- peer_pk = &ssl->session_negotiate->peer_cert->pk;
+ {
+ ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
+ &peer_pk );
+ if( ret != 0 )
+ {
+ /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ }
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( peer_pk == NULL )
@@ -2339,7 +2348,8 @@
if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
- return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+ ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+ goto cleanup;
}
if( ( ret = mbedtls_pk_encrypt( peer_pk,
@@ -2349,7 +2359,7 @@
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
- return( ret );
+ goto cleanup;
}
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
@@ -2362,11 +2372,16 @@
}
#endif
+cleanup:
+
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it. */
mbedtls_pk_free( peer_pk );
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- return( 0 );
+#else
+ mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert, peer_pk );
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ return( ret );
}
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */