1 files changed, 19 insertions, 16 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index a13ee598ce..b7c3718ef5 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.83 2021/06/11 11:13:53 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.84 2021/10/23 13:14:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -408,46 +408,49 @@ ssl_sess_cert_free(SESS_CERT *sc)
 int
 ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 {
-        X509_STORE_CTX ctx;
+        X509_STORE_CTX *ctx = NULL;
        X509 *x;
-        int ret;
+        int ret = 0;
        if ((sk == NULL) || (sk_X509_num(sk) == 0))
-                return (0);
+                goto err;
+        if ((ctx = X509_STORE_CTX_new()) == NULL)
+                goto err;
        x = sk_X509_value(sk, 0);
-        if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
+        if (!X509_STORE_CTX_init(ctx, s->ctx->cert_store, x, sk)) {
                SSLerror(s, ERR_R_X509_LIB);
-                return (0);
+                goto err;
        }
-        X509_STORE_CTX_set_ex_data(&ctx,
+        X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
-            SSL_get_ex_data_X509_STORE_CTX_idx(), s);
        /*
         * We need to inherit the verify parameters. These can be
         * determined by the context: if its a server it will verify
         * SSL client certificates or vice versa.
         */
-        X509_STORE_CTX_set_default(&ctx,
+        X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");
-            s->server ? "ssl_client" : "ssl_server");
        /*
         * Anything non-default in "param" should overwrite anything
         * in the ctx.
         */
-        X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
+        X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx), s->param);
        if (s->internal->verify_callback)
-                X509_STORE_CTX_set_verify_cb(&ctx, s->internal->verify_callback);
+                X509_STORE_CTX_set_verify_cb(ctx, s->internal->verify_callback);
        if (s->ctx->internal->app_verify_callback != NULL)
-                ret = s->ctx->internal->app_verify_callback(&ctx,
+                ret = s->ctx->internal->app_verify_callback(ctx,
                    s->ctx->internal->app_verify_arg);
        else
-                ret = X509_verify_cert(&ctx);
+                ret = X509_verify_cert(ctx);
-        s->verify_result = ctx.error;
+        s->verify_result = X509_STORE_CTX_get_error(ctx);
-        X509_STORE_CTX_cleanup(&ctx);
+ err:
+        X509_STORE_CTX_free(ctx);
        return (ret);
 }

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index a13ee598ce..b7c3718ef5 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_cert.c,v 1.83 2021/06/11 11:13:53 jsing Exp $ */	1	/* $OpenBSD: ssl_cert.c,v 1.84 2021/10/23 13:14:38 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -408,46 +408,49 @@ ssl_sess_cert_free(SESS_CERT *sc)
408	int	408	int
409	ssl_verify_cert_chain(SSL s, STACK_OF(X509) sk)	409	ssl_verify_cert_chain(SSL s, STACK_OF(X509) sk)
410	{	410	{
411	X509_STORE_CTX ctx;	411	X509_STORE_CTX *ctx = NULL;
412	X509 *x;	412	X509 *x;
413	int ret;	413	int ret = 0;
414		414
415	if ((sk == NULL) \|\| (sk_X509_num(sk) == 0))	415	if ((sk == NULL) \|\| (sk_X509_num(sk) == 0))
416	return (0);	416	goto err;
		417
		418	if ((ctx = X509_STORE_CTX_new()) == NULL)
		419	goto err;
417		420
418	x = sk_X509_value(sk, 0);	421	x = sk_X509_value(sk, 0);
419	if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {	422	if (!X509_STORE_CTX_init(ctx, s->ctx->cert_store, x, sk)) {
420	SSLerror(s, ERR_R_X509_LIB);	423	SSLerror(s, ERR_R_X509_LIB);
421	return (0);	424	goto err;
422	}	425	}
423	X509_STORE_CTX_set_ex_data(&ctx,	426	X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
424	SSL_get_ex_data_X509_STORE_CTX_idx(), s);
425		427
426	/*	428	/*
427	* We need to inherit the verify parameters. These can be	429	* We need to inherit the verify parameters. These can be
428	* determined by the context: if its a server it will verify	430	* determined by the context: if its a server it will verify
429	* SSL client certificates or vice versa.	431	* SSL client certificates or vice versa.
430	*/	432	*/
431	X509_STORE_CTX_set_default(&ctx,	433	X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");
432	s->server ? "ssl_client" : "ssl_server");
433		434
434	/*	435	/*
435	* Anything non-default in "param" should overwrite anything	436	* Anything non-default in "param" should overwrite anything
436	* in the ctx.	437	* in the ctx.
437	*/	438	*/
438	X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);	439	X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx), s->param);
439		440
440	if (s->internal->verify_callback)	441	if (s->internal->verify_callback)
441	X509_STORE_CTX_set_verify_cb(&ctx, s->internal->verify_callback);	442	X509_STORE_CTX_set_verify_cb(ctx, s->internal->verify_callback);
442		443
443	if (s->ctx->internal->app_verify_callback != NULL)	444	if (s->ctx->internal->app_verify_callback != NULL)
444	ret = s->ctx->internal->app_verify_callback(&ctx,	445	ret = s->ctx->internal->app_verify_callback(ctx,
445	s->ctx->internal->app_verify_arg);	446	s->ctx->internal->app_verify_arg);
446	else	447	else
447	ret = X509_verify_cert(&ctx);	448	ret = X509_verify_cert(ctx);
448		449
449	s->verify_result = ctx.error;	450	s->verify_result = X509_STORE_CTX_get_error(ctx);
450	X509_STORE_CTX_cleanup(&ctx);	451
		452	err:
		453	X509_STORE_CTX_free(ctx);
451		454
452	return (ret);	455	return (ret);
453	}	456	}