From 62ef55d64fd17c17cefc2aa169595fb3d9858bbc Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 10 Apr 2026 15:50:17 +0200
Subject: [PATCH] getinfo: repair CURLINFO_TLS_SESSION
This should return a SSL_CTX pointer but it was accidentally broken.
Follow-up to 2db8ae480fdcae7f005
Spotted by Codex Security
---
 lib/cfilters.c | 6 ++++--
 lib/cfilters.h | 1 +
 lib/getinfo.c | 6 ++++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/lib/cfilters.c b/lib/cfilters.c
index 2f8fd4a6b0..c3e79bb78c 100644
--- a/lib/cfilters.c
+++ b/lib/cfilters.c
@@ -676,14 +676,16 @@ bool Curl_conn_is_ssl(struct connectdata *conn, int sockindex)
 bool Curl_conn_get_ssl_info(struct Curl_easy *data,
 struct connectdata *conn, int sockindex,
+ int query,
 struct curl_tlssessioninfo *info)
 {
 if(!CONN_SOCK_IDX_VALID(sockindex))
 return FALSE;
 if(Curl_conn_is_ssl(conn, sockindex)) {
 struct Curl_cfilter *cf = conn->cfilter[sockindex];
- CURLcode result = cf ? cf->cft->query(cf, data, CF_QUERY_SSL_INFO,
- NULL, (void *)info) : CURLE_UNKNOWN_OPTION;
+ CURLcode result = cf ?
+ cf->cft->query(cf, data, query, NULL, (void *)info) :
+ CURLE_UNKNOWN_OPTION;
 return !result;
 }
 return FALSE;
diff --git a/lib/cfilters.h b/lib/cfilters.h
index 38311b24b8..1f0eda5014 100644
--- a/lib/cfilters.h
+++ b/lib/cfilters.h
@@ -400,6 +400,7 @@ bool Curl_conn_is_ssl(struct connectdata *conn, int sockindex);
 */
 bool Curl_conn_get_ssl_info(struct Curl_easy *data,
 struct connectdata *conn, int sockindex,
+ int query,
 struct curl_tlssessioninfo *info);
 CURLcode Curl_conn_get_ip_info(struct Curl_easy *data,
diff --git a/lib/getinfo.c b/lib/getinfo.c
index 106c476d49..fab63e669a 100644
--- a/lib/getinfo.c
+++ b/lib/getinfo.c
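Review bot: In lib/cfilters.c, `Curl_conn_get_ssl_info()` now forwards a caller-chosen `query` to `cf->cft->query()` while still casting `info` to `void *`, so nothing ties the query id to the `struct curl_tlssessioninfo` that the filter writes through. Only the two SSL info queries make sense with this out-parameter. I would state that at the top of the function with `DEBUGASSERT(query == CF_QUERY_SSL_INFO || query == CF_QUERY_SSL_CTX_INFO);`, so a later caller passing some other CF_QUERY_* value is caught in debug builds instead of having a different type stored into the struct. The function's closing brace lies outside the hunk.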
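Review bot: The prototype in lib/cfilters.h gains `int query`, but the comment that closes just above it (only its `*/` is inside the hunk) is not updated; the diffstat shows a single added line for this file. The header therefore does not say which values the new parameter accepts or what it selects. I would add a sentence to that comment along the lines of `query is CF_QUERY_SSL_INFO or CF_QUERY_SSL_CTX_INFO and selects which TLS pointer is stored in info->internals`.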
@@ -586,14 +586,16 @@ static CURLcode getinfo_slist(struct Curl_easy *data, CURLINFO info,
 break;
 case CURLINFO_TLS_SESSION:
 case CURLINFO_TLS_SSL_PTR: {
+ int query = (info == CURLINFO_TLS_SSL_PTR) ?
+ CF_QUERY_SSL_INFO : CF_QUERY_SSL_CTX_INFO;
 struct curl_tlssessioninfo **tsip = (struct curl_tlssessioninfo **)
- param_slistp;
+ param_slistp;
 struct curl_tlssessioninfo *tsi = &data->tsi;
 /* we are exposing a pointer to internal memory with unknown
 * lifetime here. */
 *tsip = tsi;
- if(!Curl_conn_get_ssl_info(data, data->conn, FIRSTSOCKET, tsi)) {
+ if(!Curl_conn_get_ssl_info(data, data->conn, FIRSTSOCKET, query, tsi)) {
 tsi->backend = Curl_ssl_backend();
 tsi->internals = NULL;
 }
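Review bot: The new `query` selection in the `CURLINFO_TLS_SESSION` / `CURLINFO_TLS_SSL_PTR` case decides which kind of pointer ends up in `tsi->internals`, and nothing beside it records that contract. An application casts that pointer according to the info it asked for, so a swapped or regressed mapping becomes a type confusion on the caller's side. I would put a comment above the assignment, e.g. `/* TLS_SESSION reports the SSL_CTX-level pointer, TLS_SSL_PTR the connection's SSL-level one */`. The diffstat lists only the three lib/ files, so no test pins the mapping that the commit message says was accidentally broken; a check that the two infos return the expected pointer kinds would guard it. The enclosing switch in getinfo_slist() starts and ends outside the hunk.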