1 files changed, 21 insertions, 10 deletions

diff --git a/tls_ocsp.c b/tls_ocsp.c
index 32c372e..3ba45fc 100644
--- a/tls_ocsp.c
+++ b/tls_ocsp.c
@@ -17,6 +17,7 @@
  */
 
 #include <sys/types.h>
+#include <string.h>
 
 #include <arpa/inet.h>
 #include <netinet/in.h>
@@ -62,8 +63,9 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
 	if (gt == NULL)
 		return -1;
 	/* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
-	if (ASN1_time_parse(gt->data, gt->length, &tm,
-		V_ASN1_GENERALIZEDTIME) == -1)
+	if (ASN1_GENERALIZEDTIME_check(gt) == 0)
+		return -1;
+	if (ASN1_TIME_to_tm(gt, &tm) == 0)
 		return -1;
 	if ((*gt_time = timegm(&tm)) == -1)
 		return -1;
@@ -128,8 +130,8 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
 {
 	X509_NAME *issuer_name;
 	X509 *issuer;
-	X509_STORE_CTX storectx;
-	X509_OBJECT tmpobj;
+	X509_STORE_CTX *storectx = NULL;
+	X509_OBJECT *tmpobj = NULL;
 	OCSP_CERTID *cid = NULL;
 	X509_STORE *store;
 
@@ -144,15 +146,24 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
 
 	if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL)
 		return NULL;
-	if (X509_STORE_CTX_init(&storectx, store, main_cert, extra_certs) != 1)
+	if ((storectx = X509_STORE_CTX_new()) == NULL)
 		return NULL;
-	if (X509_STORE_get_by_subject(&storectx, X509_LU_X509, issuer_name,
-		&tmpobj) == 1) {
-		cid = OCSP_cert_to_id(NULL, main_cert, tmpobj.data.x509);
-		X509_OBJECT_free_contents(&tmpobj);
+	if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
+		goto err;
+	if ((tmpobj = X509_OBJECT_new()) == NULL)
+		goto err;
+	if (X509_STORE_get_by_subject(storectx, X509_LU_X509, issuer_name,
+		tmpobj) == 1) {
+		cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(tmpobj));
+		X509_OBJECT_free(tmpobj);
 	}
-	X509_STORE_CTX_cleanup(&storectx);
+	X509_STORE_CTX_free(storectx);
 	return cid;
+
+ err:
+	X509_OBJECT_free(tmpobj);
+	X509_STORE_CTX_free(storectx);
+	return NULL;
 }
 
 struct tls_ocsp *