BoringSSL: Replace stack-allocated X509_STORE_CTX with heap one
BoringSSL commit dddb60eb9700110835ff6e2b429de40a17006429 ("Make most of
crypto/x509 opaque.") broke the stack-allocated version, so move to
using X509_STORE_CTX_new() to get an opaque pointer to X509_STORE_CTX
instead.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
3f94dcdd1a
commit
80be88a089
1 changed files with 8 additions and 6 deletions
|
|
@ -502,7 +502,7 @@ enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
|
|||
enum ocsp_result result = OCSP_INVALID;
|
||||
X509_STORE *store;
|
||||
STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL;
|
||||
X509_STORE_CTX ctx;
|
||||
X509_STORE_CTX *ctx = NULL;
|
||||
X509 *signer, *tmp_cert;
|
||||
int signer_trusted = 0;
|
||||
EVP_PKEY *skey;
|
||||
|
|
@ -643,12 +643,13 @@ enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
|
|||
"OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
|
||||
buf);
|
||||
|
||||
if (!X509_STORE_CTX_init(&ctx, store, signer, untrusted))
|
||||
ctx = X509_STORE_CTX_new();
|
||||
if (!ctx || !X509_STORE_CTX_init(ctx, store, signer, untrusted))
|
||||
goto fail;
|
||||
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
|
||||
ret = X509_verify_cert(&ctx);
|
||||
chain = X509_STORE_CTX_get1_chain(&ctx);
|
||||
X509_STORE_CTX_cleanup(&ctx);
|
||||
X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
|
||||
ret = X509_verify_cert(ctx);
|
||||
chain = X509_STORE_CTX_get1_chain(ctx);
|
||||
X509_STORE_CTX_cleanup(ctx);
|
||||
if (ret <= 0) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"OpenSSL: Could not validate OCSP signer certificate");
|
||||
|
|
@ -839,6 +840,7 @@ fail:
|
|||
sk_X509_pop_free(certs, X509_free);
|
||||
BasicOCSPResponse_free(basic);
|
||||
OCSPResponse_free(resp);
|
||||
X509_STORE_CTX_free(ctx);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue