-rw-r--r--src/lib/libtls/tls_ocsp.c32
1 files changed, 20 insertions, 12 deletions
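diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index f00e6bc84b..3b06f01eba 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_ocsp.c,v 1.20 2021/03/23 20:04:29 tb Exp $ */
+/* $OpenBSD: tls_ocsp.c,v 1.21 2021/10/21 14:57:55 tb Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -128,30 +128,38 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
 {
 	X509_NAME *issuer_name;
 	X509 *issuer;
-	X509_STORE_CTX storectx;
+	X509_STORE_CTX *storectx = NULL;
 	X509_OBJECT tmpobj;
 	OCSP_CERTID *cid = NULL;
 	X509_STORE *store;
 
 	if ((issuer_name = X509_get_issuer_name(main_cert)) == NULL)
-		return NULL;
+		goto out;
 
 	if (extra_certs != NULL) {
 		issuer = X509_find_by_subject(extra_certs, issuer_name);
-		if (issuer != NULL)
-			return OCSP_cert_to_id(NULL, main_cert, issuer);
+		if (issuer != NULL) {
+			cid = OCSP_cert_to_id(NULL, main_cert, issuer);
+			goto out;
+		}
 	}
 
 	if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL)
-		return NULL;
-	if (X509_STORE_CTX_init(&storectx, store, main_cert, extra_certs) != 1)
-		return NULL;
-	if (X509_STORE_get_by_subject(&storectx, X509_LU_X509, issuer_name,
-	    &tmpobj) == 1) {
-		cid = OCSP_cert_to_id(NULL, main_cert, tmpobj.data.x509);
+		goto out;
+	if ((storectx = X509_STORE_CTX_new()) == NULL)
+		goto out;
+	if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
+		goto out;
+	if (X509_STORE_get_by_subject(storectx, X509_LU_X509, issuer_name,
+	    &tmpobj) == 1) {
+		cid = OCSP_cert_to_id(NULL, main_cert,
+		    X509_OBJECT_get0_X509(&tmpobj));
 		X509_OBJECT_free_contents(&tmpobj);
 	}
-	X509_STORE_CTX_cleanup(&storectx);
+
+out:
+	X509_STORE_CTX_free(storectx);
+
 	return cid;
 }
 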
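Review bot: The move to opaque-type accessors stops halfway: `X509_STORE_CTX` is now heap-allocated with `X509_STORE_CTX_new()` and the issuer is read through `X509_OBJECT_get0_X509()`, yet `X509_OBJECT tmpobj` on new line 132 remains a stack object whose internals are released with `X509_OBJECT_free_contents(&tmpobj)` on line 157, so this function needs another pass as soon as `X509_OBJECT` itself goes opaque. If libcrypto already exports `X509_STORE_CTX_get_obj_by_subject()` in this tree (not verifiable from the hunk), replacing the stack object with a heap `X509_OBJECT *` released by `X509_OBJECT_free()` on the `out:` path would complete the conversion. Separately, the early `goto out` on line 137 and the failed `X509_STORE_CTX_new()` on line 149 both reach `X509_STORE_CTX_free(storectx)` on line 161 with `storectx == NULL`, so the cleanup silently relies on that call tolerating NULL; a comment above it such as `/* storectx may still be NULL on early exit; X509_STORE_CTX_free() tolerates NULL */` would make the dependency explicit for the next maintainer. The function's signature line precedes the hunk.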