From c50c1c53430faf3ba9f3c2403c94952777f29e48 Mon Sep 17 00:00:00 2001 From: tb Date: Thu, 21 Oct 2021 14:57:55 +0000 Subject: [PATCH] libtls: Don't reach into X509_STORE_CTX. ok jsing --- lib/libtls/tls_ocsp.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c index f00e6bc84b2..3b06f01eba3 100644 --- a/lib/libtls/tls_ocsp.c +++ b/lib/libtls/tls_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_ocsp.c,v 1.20 2021/03/23 20:04:29 tb Exp $ */ +/* $OpenBSD: tls_ocsp.c,v 1.21 2021/10/21 14:57:55 tb Exp $ */ /* * Copyright (c) 2015 Marko Kreen * Copyright (c) 2016 Bob Beck @@ -128,30 +128,38 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs, { X509_NAME *issuer_name; X509 *issuer; - X509_STORE_CTX storectx; + X509_STORE_CTX *storectx = NULL; X509_OBJECT tmpobj; OCSP_CERTID *cid = NULL; X509_STORE *store; if ((issuer_name = X509_get_issuer_name(main_cert)) == NULL) - return NULL; + goto out; if (extra_certs != NULL) { issuer = X509_find_by_subject(extra_certs, issuer_name); - if (issuer != NULL) - return OCSP_cert_to_id(NULL, main_cert, issuer); + if (issuer != NULL) { + cid = OCSP_cert_to_id(NULL, main_cert, issuer); + goto out; + } } if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL) - return NULL; - if (X509_STORE_CTX_init(&storectx, store, main_cert, extra_certs) != 1) - return NULL; - if (X509_STORE_get_by_subject(&storectx, X509_LU_X509, issuer_name, - &tmpobj) == 1) { - cid = OCSP_cert_to_id(NULL, main_cert, tmpobj.data.x509); + goto out; + if ((storectx = X509_STORE_CTX_new()) == NULL) + goto out; + if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1) + goto out; + if (X509_STORE_get_by_subject(storectx, X509_LU_X509, issuer_name, + &tmpobj) == 1) { + cid = OCSP_cert_to_id(NULL, main_cert, + X509_OBJECT_get0_X509(&tmpobj)); X509_OBJECT_free_contents(&tmpobj); } - X509_STORE_CTX_cleanup(&storectx); + + out: + X509_STORE_CTX_free(storectx); + return cid; } -- 2.20.1