Merge "Fix wpa_supplicant build with newer BoringSSL" am: 96e84352e6 am: 12405a05cf
Original change: https://android-review.googlesource.com/c/platform/external/wpa_supplicant_8/+/1835013
Change-Id: I9aa801edb195a464c337b869045dcc16402b81c7
diff --git a/src/crypto/tls_openssl_ocsp.c b/src/crypto/tls_openssl_ocsp.c
index 8b37b34..97bf605 100644
--- a/src/crypto/tls_openssl_ocsp.c
+++ b/src/crypto/tls_openssl_ocsp.c
@@ -502,7 +502,7 @@
enum ocsp_result result = OCSP_INVALID;
X509_STORE *store;
STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL;
- X509_STORE_CTX ctx;
+ X509_STORE_CTX *ctx = NULL;
X509 *signer, *tmp_cert;
int signer_trusted = 0;
EVP_PKEY *skey;
@@ -546,7 +546,7 @@
return OCSP_INVALID;
}
- basic_data = ASN1_STRING_data(bytes->response);
+ basic_data = ASN1_STRING_get0_data(bytes->response);
basic_len = ASN1_STRING_length(bytes->response);
wpa_hexdump(MSG_DEBUG, "OpenSSL: BasicOCSPResponse",
basic_data, basic_len);
@@ -643,12 +643,14 @@
"OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
buf);
- if (!X509_STORE_CTX_init(&ctx, store, signer, untrusted))
+ ctx = X509_STORE_CTX_new();
+ if (!ctx ||
+ !X509_STORE_CTX_init(ctx, store, signer, untrusted) ||
+ !X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER)) {
goto fail;
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- ret = X509_verify_cert(&ctx);
- chain = X509_STORE_CTX_get1_chain(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
+ }
+ ret = X509_verify_cert(ctx);
+ chain = X509_STORE_CTX_get1_chain(ctx);
if (ret <= 0) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Could not validate OCSP signer certificate");
@@ -661,9 +663,8 @@
}
if (!signer_trusted) {
- X509_check_purpose(signer, -1, 0);
- if ((signer->ex_flags & EXFLAG_XKUSAGE) &&
- (signer->ex_xkusage & XKU_OCSP_SIGN)) {
+ if ((X509_get_extension_flags(signer) & EXFLAG_XKUSAGE) &&
+ (X509_get_extended_key_usage(signer) & XKU_OCSP_SIGN)) {
wpa_printf(MSG_DEBUG,
"OpenSSL: OCSP signer certificate delegation OK");
} else {
@@ -839,6 +840,7 @@
sk_X509_pop_free(certs, X509_free);
BasicOCSPResponse_free(basic);
OCSPResponse_free(resp);
+ X509_STORE_CTX_free(ctx);
return result;
}