see the "if (csc == NULL)" error case below. otherwise ok
Theo Buehler([email protected]) on 2021.10.21 13:45:43 +0200: > On Thu, Oct 21, 2021 at 01:05:18PM +0200, Theo Buehler wrote: > > This is the first of two diffs to prepare isakmpd for upcoming libcrypto > > changes. X509_EXTENSION will become opaque so we need to use an accessor. > > I decided to leave accesses into ASN1_OCTET_STRING as they are for > > readability (asn1_string_st is still exposed in OpenSSL's asn1.h). > > Here's a second diff that deals with opaque X509_STORE_CTX. > > There is a minor piece left that needs X509_OBJECT_{new,free}() to land > in libcrypto. >
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/sbin/isakmpd/x509.c,v
> retrieving revision 1.120
> diff -u -p -r1.120 x509.c
> --- x509.c 13 Oct 2021 16:57:43 -0000 1.120
> +++ x509.c 21 Oct 2021 11:19:14 -0000
> @@ -109,7 +109,7 @@ x509_generate_kn(int id, X509 *cert)
> "Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
> X509_NAME *issuer, *subject;
> struct keynote_deckey dc;
> - X509_STORE_CTX csc;
> + X509_STORE_CTX *csc = NULL;
> X509_OBJECT obj;
> X509 *icert;
> RSA *key = NULL;
> @@ -154,24 +154,32 @@ x509_generate_kn(int id, X509 *cert)
> RSA_free(key);
> key = NULL;
>
> + csc = X509_STORE_CTX_new();
> + if (csc == NULL) {
> + log_print("x509_generate_kn: failed to get memory for "
> + "certificate store");
> + goto fail;
> + }
> +
> /* Now find issuer's certificate so we can get the public key. */
> - X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
> - if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) !=
> + X509_STORE_CTX_init(csc, x509_cas, cert, NULL);
> + if (X509_STORE_get_by_subject(csc, X509_LU_X509, issuer, &obj) !=
> X509_LU_X509) {
> - X509_STORE_CTX_cleanup(&csc);
> - X509_STORE_CTX_init(&csc, x509_certs, cert, NULL);
> - if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj)
> + X509_STORE_CTX_cleanup(csc);
> + X509_STORE_CTX_init(csc, x509_certs, cert, NULL);
> + if (X509_STORE_get_by_subject(csc, X509_LU_X509, issuer, &obj)
> != X509_LU_X509) {
> - X509_STORE_CTX_cleanup(&csc);
> + X509_STORE_CTX_cleanup(csc);
> LOG_DBG((LOG_POLICY, 30,
> "x509_generate_kn: no certificate found for "
> "issuer"));
> goto fail;
> }
> }
> - X509_STORE_CTX_cleanup(&csc);
> - icert = obj.data.x509;
> + X509_STORE_CTX_free(csc);
> + csc = NULL;
>
> + icert = X509_OBJECT_get0_X509(&obj);
> if (icert == NULL) {
> LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: "
> "missing certificates, cannot construct X509 chain"));
> @@ -435,6 +443,7 @@ x509_generate_kn(int id, X509 *cert)
> return 1;
>
> fail:
> + X509_STORE_CTX_free(csc);
> free(buf);
> free(skey);
> free(ikey);
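Review bot: The return value of X509_STORE_CTX_init() is still discarded on the new `+ X509_STORE_CTX_init(csc, x509_cas, cert, NULL);` line and again on the re-init against x509_certs after the first lookup fails; the function returns 0 when it cannot set the context up, and the X509_STORE_get_by_subject() that follows then runs on a context whose setup may not have completed. Now that the context is heap-allocated and the fail label already frees it, `if (X509_STORE_CTX_init(csc, x509_cas, cert, NULL) == 0) goto fail;` (with a log_print like the one added for the allocation failure) fits the surrounding error handling; the same unchecked init appears in x509_cert_validate in the @@ -812 hunk. The stack-based code ignored this too, so it is pre-existing rather than introduced here, but the diff touches every one of these lines. x509_generate_kn starts before the hunk and its body continues past it.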
> @@ -812,25 +821,31 @@ x509_cert_get(u_int8_t *asn, u_int32_t l
> int
> x509_cert_validate(void *scert)
> {
> - X509_STORE_CTX csc;
> + X509_STORE_CTX *csc;
> X509_NAME *issuer, *subject;
> X509 *cert = (X509 *) scert;
> EVP_PKEY *key;
> - int res, err;
> + int res, err, flags;
>
> /*
> * Validate the peer certificate by checking with the CA certificates
> * we trust.
> */
> - X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
> + csc = X509_STORE_CTX_new();
> + if (csc == NULL) {
> + log_print("x509_cert_validate: failed to get memory for "
> + "certificate store"); return 0 ?
> + }
> + X509_STORE_CTX_init(csc, x509_cas, cert, NULL);
> /* XXX See comment in x509_read_crls_from_dir. */
> - if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
> - X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
> - X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
> - }
> - res = X509_verify_cert(&csc);
> - err = csc.error;
> - X509_STORE_CTX_cleanup(&csc);
> + flags = X509_VERIFY_PARAM_get_flags(X509_STORE_get0_param(x509_cas));
> + if (flags & X509_V_FLAG_CRL_CHECK) {
> + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK);
> + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK_ALL);
> + }
> + res = X509_verify_cert(csc);
> + err = X509_STORE_CTX_get_error(csc);
> + X509_STORE_CTX_free(csc);
>
> /*
> * Return if validation succeeded or self-signed certs are not >
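Review bot: `flags` is declared `int` on the new `+ int res, err, flags;` line, while X509_VERIFY_PARAM_get_flags() returns an unsigned long, so the assignment on the `+ flags = X509_VERIFY_PARAM_get_flags(X509_STORE_get0_param(x509_cas));` line narrows the value. The CRL_CHECK bits tested right after are low-order, so the logic holds, but the implicit conversion draws a -Wconversion warning and would silently drop any high verify-flag bits. Giving it the accessor's type, `unsigned long flags;` on its own declaration line, keeps `res` and `err` as `int` and removes the narrowing. x509_cert_validate continues past the end of the hunk.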
