OpenSSL: Use library wrapper functions to access cert store
authorJouni Malinen <j@w1.fi>
Tue, 3 Feb 2015 23:58:37 +0000 (01:58 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 3 Feb 2015 23:58:37 +0000 (01:58 +0200)
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to reach ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_openssl.c

index b24f60ef8f38db7fd24eee0fb644503a52a9aecf..163d5d29d733bb64a0a5dcac1cb5c7d16d9851d6 100644 (file)
@@ -84,6 +84,7 @@ static struct tls_context *tls_global = NULL;
 
 struct tls_connection {
        struct tls_context *context;
+       SSL_CTX *ssl_ctx;
        SSL *ssl;
        BIO *ssl_in, *ssl_out;
 #ifndef OPENSSL_NO_ENGINE
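Review bot: The new `ssl_ctx` field carries no comment, and nothing in the struct says whether the connection owns the context or merely references it. tls_connection_init (later in this commit) only copies the pointer it was handed, so a one-line comment such as `SSL_CTX *ssl_ctx; /* context this connection was created from; not owned here */` would stop a later reader from adding a free for it. Whether the deinit path already leaves it alone is outside this hunk, so confirm against tls_connection_deinit before wording the comment. The struct definition continues past the hunk.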
@@ -1041,6 +1042,7 @@ struct tls_connection * tls_connection_init(void *ssl_ctx)
        conn = os_zalloc(sizeof(*conn));
        if (conn == NULL)
                return NULL;
+       conn->ssl_ctx = ssl_ctx;
        conn->ssl = SSL_new(ssl);
        if (conn->ssl == NULL) {
                tls_show_errors(MSG_INFO, __func__,
@@ -1609,7 +1611,7 @@ static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert)
        X509_LOOKUP *lookup;
        int ret = 0;
 
-       lookup = X509_STORE_add_lookup(ssl_ctx->cert_store,
+       lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx),
                                       X509_LOOKUP_file());
        if (lookup == NULL) {
                tls_show_errors(MSG_WARNING, __func__,
@@ -1640,18 +1642,19 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
                                  size_t ca_cert_blob_len, const char *ca_path)
 {
        SSL_CTX *ssl_ctx = _ssl_ctx;
+       X509_STORE *store;
 
        /*
         * Remove previously configured trusted CA certificates before adding
         * new ones.
         */
-       X509_STORE_free(ssl_ctx->cert_store);
-       ssl_ctx->cert_store = X509_STORE_new();
-       if (ssl_ctx->cert_store == NULL) {
+       store = X509_STORE_new();
+       if (store == NULL) {
                wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
                           "certificate store", __func__);
                return -1;
        }
+       SSL_CTX_set_cert_store(ssl_ctx, store);
 
        SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
        conn->ca_cert_verify = 1;
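Review bot: The `SSL_CTX_set_cert_store(ssl_ctx, store);` line silently takes over the job of the removed `X509_STORE_free(ssl_ctx->cert_store)`: in OpenSSL this setter frees the previously installed store before recording the new pointer, and ownership of `store` passes to the context. Because the explicit free disappears from the code, the comment above the block should say so, e.g. `/* SSL_CTX_set_cert_store() frees the previous store and takes ownership of the new one. */`, otherwise the next reader sees an X509_STORE_new() with no matching free and suspects a leak. Note also that the empty store is installed before any CA is added, so a failure later in the function appears to leave the context trusting nothing, which matches the old behaviour but is worth stating. tls_connection_ca_cert continues outside the hunk.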
@@ -1704,7 +1707,8 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
                        return -1;
                }
 
-               if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) {
+               if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
+                                        cert)) {
                        unsigned long err = ERR_peek_error();
                        tls_show_errors(MSG_WARNING, __func__,
                                        "Failed to add ca_cert_blob to "
@@ -2216,20 +2220,21 @@ static int tls_connection_engine_ca_cert(void *_ssl_ctx,
 #ifndef OPENSSL_NO_ENGINE
        X509 *cert;
        SSL_CTX *ssl_ctx = _ssl_ctx;
+       X509_STORE *store;
 
        if (tls_engine_get_cert(conn, ca_cert_id, &cert))
                return -1;
 
        /* start off the same as tls_connection_ca_cert */
-       X509_STORE_free(ssl_ctx->cert_store);
-       ssl_ctx->cert_store = X509_STORE_new();
-       if (ssl_ctx->cert_store == NULL) {
+       store = X509_STORE_new();
+       if (store == NULL) {
                wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
                           "certificate store", __func__);
                X509_free(cert);
                return -1;
        }
-       if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) {
+       SSL_CTX_set_cert_store(ssl_ctx, store);
+       if (!X509_STORE_add_cert(store, cert)) {
                unsigned long err = ERR_peek_error();
                tls_show_errors(MSG_WARNING, __func__,
                                "Failed to add CA certificate from engine "
@@ -3138,7 +3143,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                return 0;
        }
 
-       store = SSL_CTX_get_cert_store(s->ctx);
+       store = SSL_CTX_get_cert_store(conn->ssl_ctx);
        if (conn->peer_issuer) {
                debug_print_cert(conn->peer_issuer, "Add OCSP issuer");
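Review bot: Caching the context in `conn->ssl_ctx` is not needed to get rid of the `s->ctx` dereference: OpenSSL has long exported `SSL_get_SSL_CTX()` for exactly this, so `store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s));` works against the opaque 1.1.0 structures without the new struct field or the assignment in tls_connection_init. It also always reflects the SSL object's current context, whereas the cached copy would go stale if SSL_set_SSL_CTX() were ever applied to conn->ssl (nothing in the hunk does that, but the cache cannot know). If the field is kept for other reasons, a comment on it explaining why it is preferred over SSL_get_SSL_CTX() would help. ocsp_resp_cb starts and continues outside the hunk.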