From 9d4e840617cc24616da776fe48076b37f787a373 Mon Sep 17 00:00:00 2001
From: Jiawei Ou
Date: Wed, 23 May 2018 15:44:20 -0700
Subject: [PATCH] Change how we get the current cert in SSLVerifyCallback when using OpenSSL.

Use X509_STORE_CTX_get0_cert instead of SSL_get_peer_certificate.

In OpenSSL SSL_get_peer_certificate can only be used after the TLS session is established. Use X509_STORE_CTX_get0_cert instead.

https://bugs.chromium.org/p/webrtc/issues/detail?id=9272

Bug: webrtc:9272
Change-Id: I1f3288748c2ef8f50249713805bedffe59433961
Reviewed-on: https://webrtc-review.googlesource.com/78640
Reviewed-by: David Benjamin
Reviewed-by: Tommi
Commit-Queue: Jiawei Ou
Cr-Commit-Position: refs/heads/master@{#23376}
---
 rtc_base/opensslstreamadapter.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rtc_base/opensslstreamadapter.cc b/rtc_base/opensslstreamadapter.cc
index c0fb108b9e..adbc0c04d0 100644
--- a/rtc_base/opensslstreamadapter.cc
+++ b/rtc_base/opensslstreamadapter.cc
@@ -1108,10 +1108,9 @@ int OpenSSLStreamAdapter::SSLVerifyCallback(X509_STORE_CTX* store, void* arg) {
 stream->peer_cert_chain_.reset(new SSLCertChain(std::move(cert_chain)));
 #else
 // Record the peer's certificate.
- X509* cert = SSL_get_peer_certificate(ssl);
+ X509* cert = X509_STORE_CTX_get0_cert(store);
 stream->peer_cert_chain_.reset(
 new SSLCertChain(new OpenSSLCertificate(cert)));
- X509_free(cert);
 #endif
 // If the peer certificate digest isn't known yet, we'll wait to verify