From: Jouni Malinen <j@w1.fi>
Date: Fri, 15 Apr 2022 09:50:51 +0000 (+0300)
Subject: BoringSSL: Replace stack-allocated X509_STORE_CTX with heap one
X-Git-Tag: hostap_2_11~2070
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80be88a08932012f724594fe1fe8a0393c9715ac;p=thirdparty%2Fhostap.git

BoringSSL: Replace stack-allocated X509_STORE_CTX with heap one

BoringSSL commit dddb60eb9700110835ff6e2b429de40a17006429 ("Make most of
crypto/x509 opaque.") broke the stack-allocated version, so move to
using X509_STORE_CTX_new() to get an opaque pointer to X509_STORE_CTX
instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/crypto/tls_openssl_ocsp.c b/src/crypto/tls_openssl_ocsp.c
index 8b37b34e7..12e975c39 100644
--- a/src/crypto/tls_openssl_ocsp.c
+++ b/src/crypto/tls_openssl_ocsp.c
@@ -502,7 +502,7 @@ enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
 	enum ocsp_result result = OCSP_INVALID;
 	X509_STORE *store;
 	STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL;
-	X509_STORE_CTX ctx;
+	X509_STORE_CTX *ctx = NULL;
 	X509 *signer, *tmp_cert;
 	int signer_trusted = 0;
 	EVP_PKEY *skey;
@@ -643,12 +643,13 @@ enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
 		   "OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
 		   buf);
 
-	if (!X509_STORE_CTX_init(&ctx, store, signer, untrusted))
+	ctx = X509_STORE_CTX_new();
+	if (!ctx || !X509_STORE_CTX_init(ctx, store, signer, untrusted))
 		goto fail;
-	X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
-	ret = X509_verify_cert(&ctx);
-	chain = X509_STORE_CTX_get1_chain(&ctx);
-	X509_STORE_CTX_cleanup(&ctx);
+	X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
+	ret = X509_verify_cert(ctx);
+	chain = X509_STORE_CTX_get1_chain(ctx);
+	X509_STORE_CTX_cleanup(ctx);
 	if (ret <= 0) {
 		wpa_printf(MSG_DEBUG,
 			   "OpenSSL: Could not validate OCSP signer certificate");
@@ -839,6 +840,7 @@ fail:
 	sk_X509_pop_free(certs, X509_free);
 	BasicOCSPResponse_free(basic);
 	OCSPResponse_free(resp);
+	X509_STORE_CTX_free(ctx);
 
 	return result;
 }