From 65d7c6a533f50a2d13e1234fb91b6f5d146fd5a4 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Wed, 14 Aug 2024 17:07:20 -0700
Subject: [PATCH] Do not overwrite cert in wolfSSL_set_SSL_CTX if one is already set, remove unreachable frees.

---
 src/internal.c | 6 ------
 src/ssl.c | 15 ++++++---------
 2 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index d80080dba..4ba6013fe 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6806,9 +6806,6 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #ifdef WOLFSSL_COPY_CERT
 /* If WOLFSSL_COPY_CERT is defined, always copy the cert */
 if (ctx->certificate != NULL) {
- if (ssl->buffers.certificate != NULL) {
- FreeDer(&ssl->buffers.certificate);
- }
 ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer, ctx->certificate->length, ctx->certificate->type, ctx->certificate->heap);
@@ -6820,9 +6817,6 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 ret = WOLFSSL_SUCCESS;
 }
 if (ctx->certChain != NULL) {
- if (ssl->buffers.certChain != NULL) {
- FreeDer(&ssl->buffers.certChain);
- }
 ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer, ctx->certChain->length, ctx->certChain->type, ctx->certChain->heap);
diff --git a/src/ssl.c b/src/ssl.c
index 1b8e60310..1b18d8da1 100644
--- a/src/ssl.c
+++ b/src/ssl.c
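Review bot: Dropping the FreeDer guard leaves AllocCopyDer on the following context line, which presumably allocates a new DerBuffer and stores it in ssl->buffers.certificate, with nothing releasing a buffer that is already there, so SetSSL_CTX now silently relies on every caller passing a WOLFSSL whose certificate buffers are still NULL. If that precondition holds only because the function runs during object initialization, as the commit title's "unreachable frees" suggests, it should be stated at the copy site, e.g. `/* ssl->buffers.certificate is expected to be NULL here: SetSSL_CTX only runs on a freshly initialized WOLFSSL */`, so a future caller on a live object does not turn this into a leak of the previous certificate. The same applies to the certChain hunk at 6820 below. SetSSL_CTX's body starts and ends outside both hunks.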
@@ -20152,11 +20152,10 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 #ifndef NO_CERTS
 #ifdef WOLFSSL_COPY_CERT
- /* If WOLFSSL_COPY_CERT defined, always make new copy of cert */
- if (ctx->certificate != NULL) {
- if (ssl->buffers.certificate != NULL) {
- FreeDer(&ssl->buffers.certificate);
- }
+ /* If WOLFSSL_COPY_CERT defined, make new copy of cert from ctx
+ * unless SSL object already has a cert */
+ if ((ctx->certificate != NULL) &&
+ (ssl->buffers.certificate == NULL)) {
 ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer, ctx->certificate->length, ctx->certificate->type, ctx->certificate->heap);
@@ -20167,10 +20166,8 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 ssl->buffers.weOwnCert = 1;
 ret = WOLFSSL_SUCCESS;
 }
- if (ctx->certChain != NULL) {
- if (ssl->buffers.certChain != NULL) {
- FreeDer(&ssl->buffers.certChain);
- }
+ if ((ctx->certChain != NULL) &&
+ (ssl->buffers.certChain == NULL)) {
 ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer, ctx->certChain->length, ctx->certChain->type, ctx->certChain->heap);
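Review bot: The new `ssl->buffers.certificate == NULL` test cannot tell a certificate the application installed on this WOLFSSL from the copy that SetSSL_CTX makes from the original context (the internal.c hunks in this same patch copy unconditionally under WOLFSSL_COPY_CERT), so if SetSSL_CTX runs at object creation, as the "unreachable frees" wording suggests, a wolfSSL_set_SSL_CTX call meant to switch to a context with a different certificate, as in a server-name callback, would presumably keep serving the first context's certificate. The `ret = AllocCopyDer(...)` context line is never reached in that case; if the intent is to preserve only application-installed certificates, the condition needs a flag recording that origin rather than a NULL check on the buffer, and the new comment should say which case it protects. The second hunk at 20167 has the same issue for certChain, and since the two conditions are evaluated independently an SSL object holding a certificate but no chain ends up pairing its own certificate with the new context's chain. Whether the private key handled outside these hunks is replaced on the same call is not visible here; if it is, the kept certificate and the new key would no longer match. wolfSSL_set_SSL_CTX's body starts and ends outside both hunks.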