Fix wpa_supplicant build with newer BoringSSL
Like OpenSSL, reaching into BoringSSL's internal structs is not
supported and we're enforcing this by hiding the structs. This matches
the corresponding changes in OpenSSL 1.1.x.
It looks like wpa_supplicant has some custom BoringSSL-only
reimplementation of OCSP. Fix that to use public APIs. Note this change
does not audit the file for correctness, only fixes compile errors. The
change does the following:
1. Switch ASN1_STRING_data to ASN1_STRING_get0_data. This is not
strictly necessary, but uses the slightly more const-correct API.
2. Heap-allocate X509_STORE_CTX. Matching OpenSSL 1.1.x, the type is now
opaque and must use the new/free functions.
3. Don't reach into internal ex_flags and ex_xkusage fields. The old
wpa_supplicant was relying on X509_check_purpose filling in the
internal cached fields as a side effect. Instead, use the public API,
which does not need the side effect.
This file should be rewritten with CBS/CBB, or removed altogether, but
for now just fix the build.
Test: mm
Change-Id: I27d7b79e333260f27b75dda6caef0c25dd838c6b
diff --git a/src/crypto/tls_openssl_ocsp.c b/src/crypto/tls_openssl_ocsp.c
index 8b37b34..97bf605 100644
--- a/src/crypto/tls_openssl_ocsp.c
+++ b/src/crypto/tls_openssl_ocsp.c
@@ -502,7 +502,7 @@
enum ocsp_result result = OCSP_INVALID;
X509_STORE *store;
STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL;
- X509_STORE_CTX ctx;
+ X509_STORE_CTX *ctx = NULL;
X509 *signer, *tmp_cert;
int signer_trusted = 0;
EVP_PKEY *skey;
@@ -546,7 +546,7 @@
return OCSP_INVALID;
}
- basic_data = ASN1_STRING_data(bytes->response);
+ basic_data = ASN1_STRING_get0_data(bytes->response);
basic_len = ASN1_STRING_length(bytes->response);
wpa_hexdump(MSG_DEBUG, "OpenSSL: BasicOCSPResponse",
basic_data, basic_len);
@@ -643,12 +643,14 @@
"OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
buf);
- if (!X509_STORE_CTX_init(&ctx, store, signer, untrusted))
+ ctx = X509_STORE_CTX_new();
+ if (!ctx ||
+ !X509_STORE_CTX_init(ctx, store, signer, untrusted) ||
+ !X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER)) {
goto fail;
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- ret = X509_verify_cert(&ctx);
- chain = X509_STORE_CTX_get1_chain(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
+ }
+ ret = X509_verify_cert(ctx);
+ chain = X509_STORE_CTX_get1_chain(ctx);
if (ret <= 0) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Could not validate OCSP signer certificate");
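Review bot: The failure message after `X509_verify_cert()` still discards the verification error, even though this change makes it available: the old code ran `X509_STORE_CTX_cleanup(&ctx)` before the `ret <= 0` check, but the new ctx now stays alive until `fail:`, so the reason can be logged at no cost, e.g. `wpa_printf(MSG_DEBUG, "OpenSSL: Could not validate OCSP signer certificate: %s", X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));`. Without it a wrongly rejected (or, during an investigation, a suspicious) OCSP response gives no hint whether the signer failed on chain building, purpose, or expiry. Note also that `X509_STORE_CTX_get1_chain(ctx)` is called before `ret` is checked; if it returns NULL on a failed verification the code that consumes `chain` lies outside this hunk and should tolerate that. The enclosing function starts and ends outside the hunk.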
@@ -661,9 +663,8 @@
}
if (!signer_trusted) {
- X509_check_purpose(signer, -1, 0);
- if ((signer->ex_flags & EXFLAG_XKUSAGE) &&
- (signer->ex_xkusage & XKU_OCSP_SIGN)) {
+ if ((X509_get_extension_flags(signer) & EXFLAG_XKUSAGE) &&
+ (X509_get_extended_key_usage(signer) & XKU_OCSP_SIGN)) {
wpa_printf(MSG_DEBUG,
"OpenSSL: OCSP signer certificate delegation OK");
} else {
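Review bot: Dropping the explicit `X509_check_purpose(signer, -1, 0)` leaves no hint why the extension cache is still valid here, and a future reader may reintroduce it or, worse, assume the flags can be stale; a one-line comment above the new condition would keep the rationale from the commit message in the code: `/* X509_get_extension_flags() parses and caches the extensions itself; no X509_check_purpose() side effect is needed. */`. If the accessors return the cached ex_flags/ex_xkusage values (as the commit description implies), an unparsable EKU extension leaves EXFLAG_XKUSAGE clear and the delegation check fails closed, which is the desired direction for an authorization decision and is worth stating in that comment as well. The enclosing `if (!signer_trusted)` block and the function around it begin and end outside this hunk.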
@@ -839,6 +840,7 @@
sk_X509_pop_free(certs, X509_free);
BasicOCSPResponse_free(basic);
OCSPResponse_free(resp);
+ X509_STORE_CTX_free(ctx);
return result;
}
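Review bot: `X509_STORE_CTX_free(ctx)` is placed last in the cleanup, after `sk_X509_pop_free(certs, X509_free)` has already destroyed objects the ctx was initialised with (`signer` was found among the response certificates, and `untrusted` is passed to `X509_STORE_CTX_init` in the earlier hunk); the first line of this hunk is not visible, so `untrusted` may be released there too. Current OpenSSL 1.1.x and BoringSSL only release ctx-owned state (chain, params, ex_data) in `X509_STORE_CTX_free`, so this is not a use-after-free today, but the cleanup order should not depend on that detail. Move `X509_STORE_CTX_free(ctx);` to the start of the `fail:` sequence, ahead of the certificate stacks, so the ctx never outlives the objects it points to; `ctx` is NULL-initialised, so this stays safe on the early-exit paths.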