commit b400ca1d900bb955d47442147287a7f0112ed698 from: tb date: Thu May 21 14:56:34 2026 UTC relayd: remove X509_dup() call that leaks memory While there, add error checks for X509_set_{pubkey,issuer_name}(). From Marc Jorge commit - ee2597096652830f488428a76fe8eb91c92ac82d commit + b400ca1d900bb955d47442147287a7f0112ed698 blob - 96f51bb931d9596eebae75968ffe819f2c774716 blob + b6ab383e6a530e094b57b870d5df0942a429842a --- ssl.c +++ ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.c,v 1.39 2026/05/16 13:16:50 rsadowski Exp $ */ +/* $OpenBSD: ssl.c,v 1.40 2026/05/21 14:56:34 tb Exp $ */ /* * Copyright (c) 2007 - 2014 Reyk Floeter @@ -127,12 +127,15 @@ ssl_update_certificate(const uint8_t *oldcert, size_t name[1], sizeof(name[1]))) goto done; - if ((cert = X509_dup(cert)) == NULL) - goto done; - /* Update certificate key and use our CA as the issuer */ - X509_set_pubkey(cert, pkey); - X509_set_issuer_name(cert, X509_get_subject_name(cacert)); + if (!X509_set_pubkey(cert, pkey)) { + log_warnx("%s: X509_set_pubkey failed", __func__); + goto done; + } + if (!X509_set_issuer_name(cert, X509_get_subject_name(cacert))) { + log_warnx("%s: X509_get_issuer_name failed", __func__); + goto done; + } /* Sign with our CA */ if (!X509_sign(cert, capkey, EVP_sha256())) {
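Review bot: The warning in the second added check names a function that is never called: the call being tested is `X509_set_issuer_name()`, but the message reads `X509_get_issuer_name failed`, which will mislead anyone triaging a certificate re-signing failure from the logs. It should read `log_warnx("%s: X509_set_issuer_name failed", __func__);`. Separately, with the `X509_dup()` removed, the public key and issuer are now set on the object `cert` already pointed to. That is only correct if ssl_update_certificate owns that object, which presumably it does, but the hunk does not show it because the function body starts and ends outside the hunk.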