BoringSSL: Replace stack-allocated X509_STORE_CTX with heap one

BoringSSL commit dddb60eb9700110835ff6e2b429de40a17006429 ("Make most of
crypto/x509 opaque.") broke the stack-allocated version, so move to
using X509_STORE_CTX_new() to get an opaque pointer to X509_STORE_CTX
instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2022-04-15 12:50:51 +03:00
parent 3f94dcdd1a
commit 80be88a089


@ -502,7 +502,7 @@ enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
enum ocsp_result result = OCSP_INVALID; enum ocsp_result result = OCSP_INVALID;
X509_STORE *store; X509_STORE *store;
STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL; STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL;
X509_STORE_CTX ctx; X509_STORE_CTX *ctx = NULL;
X509 *signer, *tmp_cert; X509 *signer, *tmp_cert;
int signer_trusted = 0; int signer_trusted = 0;
EVP_PKEY *skey; EVP_PKEY *skey;
@ -643,12 +643,13 @@ enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
"OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature", "OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
buf); buf);
if (!X509_STORE_CTX_init(&ctx, store, signer, untrusted)) ctx = X509_STORE_CTX_new();
if (!ctx || !X509_STORE_CTX_init(ctx, store, signer, untrusted))
goto fail; goto fail;
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
ret = X509_verify_cert(&ctx); ret = X509_verify_cert(ctx);
chain = X509_STORE_CTX_get1_chain(&ctx); chain = X509_STORE_CTX_get1_chain(ctx);
X509_STORE_CTX_cleanup(&ctx); X509_STORE_CTX_cleanup(ctx);
if (ret <= 0) { if (ret <= 0) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"OpenSSL: Could not validate OCSP signer certificate"); "OpenSSL: Could not validate OCSP signer certificate");
@ -839,6 +840,7 @@ fail:
sk_X509_pop_free(certs, X509_free); sk_X509_pop_free(certs, X509_free);
BasicOCSPResponse_free(basic); BasicOCSPResponse_free(basic);
OCSPResponse_free(resp); OCSPResponse_free(resp);
X509_STORE_CTX_free(ctx);
return result; return result;
} }
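Review bot: The explicit `X509_STORE_CTX_cleanup(ctx);` retained after `chain = X509_STORE_CTX_get1_chain(ctx);` is now followed by `X509_STORE_CTX_free(ctx);` at the `fail:` label, so the context is torn down twice on every path that reaches the label; OpenSSL and BoringSSL both tolerate a repeated cleanup, but the ownership would be clearer by releasing the context as soon as the chain has been captured, `X509_STORE_CTX_free(ctx); ctx = NULL;`, which leaves the free at `fail:` a no-op on NULL. The new allocation-failure branch (`!ctx`) also jumps to `fail` silently, whereas the verification failure right below it logs via wpa_printf; a `wpa_printf(MSG_DEBUG, "OpenSSL: Could not allocate X509_STORE_CTX");` before the goto would make that path diagnosable. check_ocsp_resp begins before the first hunk and its body continues between the hunks shown, so whether every exit reaches `fail:` cannot be confirmed from here.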