Author: jfclere
Date: Mon Jun 4 12:47:18 2018
New Revision: 1832832
URL: http://svn.apache.org/viewvc?rev=1832832&view=rev
Log:
Switch from X509_STORE_CTX_get1_issuer() to X509_STORE_CTX_get0_current_issuer(),
as mod_ssl in httpd does.
Modified:
tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/src/sslutils.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1832832&r1=1832831&r2=1832832&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Mon Jun 4 12:47:18 2018
@@ -35,7 +35,7 @@ extern int WIN32_SSL_password_prompt(tcn
#define ASN1_OID 0x06
#define ASN1_STRING 0x86
static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
-static int ssl_ocsp_request(X509 *cert, X509 *issuer);
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
#endif
/* _________________________________________________________________
@@ -519,21 +519,22 @@ static int ssl_verify_OCSP(int ok, X509_
}
/* if we can't get the issuer, we cannot perform OCSP verification */
- if (X509_STORE_CTX_get1_issuer(&issuer, ctx, cert) == 1 ) {
- r = ssl_ocsp_request(cert, issuer);
- if (r == OCSP_STATUS_REVOKED) {
+ issuer = X509_STORE_CTX_get0_current_issuer(ctx);
+ if (issuer != NULL) {
+ r = ssl_ocsp_request(cert, issuer, ctx);
+ switch (r) {
+ case OCSP_STATUS_OK:
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ break;
+ case OCSP_STATUS_REVOKED:
/* we set the error if we know that it is revoked */
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
+ break;
+ case OCSP_STATUS_UNKNOWN:
+ /* correct error code for application errors? */
+ // X509_STORE_CTX_set_error(ctx,
X509_V_ERR_APPLICATION_VERIFICATION);
+ break;
}
- else {
- /* else we return unknown */
- r = OCSP_STATUS_UNKNOWN;
- }
- X509_free(issuer); /* It appears that we should free issuer since
- * X509_STORE_CTX_get1_issuer() calls
X509_OBJECT_up_ref_count()
- * on the issuer object (unline
X509_STORE_CTX_get_current_cert()
- * that just returns the pointer
- */
}
return r;
}
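Review bot: The `case OCSP_STATUS_UNKNOWN:` branch leaves the store context's error untouched because the `X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);` call is commented out, so an inconclusive OCSP answer for a certificate whose issuer was found does not change the verification outcome at all; if the intent is to mirror mod_ssl as the log message says, enable the call, otherwise replace the commented-out line with a comment that records the soft-fail decision. The `switch (r)` has no `default:` label either, so any return value of ssl_ocsp_request outside the three listed statuses is silently ignored; a `default: break; /* unexpected status: leave the error unchanged */` would make that explicit. Dropping the X509_free() is correct because X509_STORE_CTX_get0_current_issuer() hands back a borrowed pointer, but the removed comment documented the ownership and nothing replaces it; a one-liner such as `/* get0: borrowed reference owned by ctx, must not be freed */` above the assignment would keep that knowledge. The head of ssl_verify_OCSP is outside the hunk, so whether the `X509_V_OK` reset in the OK case can run after an earlier failure (`ok == 0`) cannot be judged from here.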
@@ -1038,7 +1039,7 @@ static int process_ocsp_response(OCSP_RE
return o;
}
-static int ssl_ocsp_request(X509 *cert, X509 *issuer)
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
{
char **ocsp_urls = NULL;
int nid;
@@ -1061,13 +1062,20 @@ static int ssl_ocsp_request(X509 *cert,
the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
if (ocsp_urls != NULL) {
OCSP_RESPONSE *resp;
+ int rv = OCSP_STATUS_UNKNOWN;
/* for the time being just check for the fist response .. a better
approach is to iterate for all the possible ocsp urls */
resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
+ if (resp != NULL) {
+ rv = process_ocsp_response(resp);
+ } else {
+ /* correct error code for application errors? */
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+ }
if (resp != NULL) {
apr_pool_destroy(p);
- return process_ocsp_response(resp);
+ return rv;
}
}
apr_pool_destroy(p);
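Review bot: `if (resp != NULL)` is tested twice in a row, once in the new block and again in the pre-existing one right below it, and the second test can only reach the `return rv;` when the first branch already ran; the two should be folded into one block that processes the response, destroys the pool and returns, with the error-setting path simply falling through to the final `apr_pool_destroy(p);`. Because `rv` is only ever assigned on the success path, after the merge it can be declared inside that branch and the OCSP_STATUS_UNKNOWN initialiser becomes unnecessary. The rest of ssl_ocsp_request, including its final return, is outside the hunk.
```c
    if (ocsp_urls != NULL) {
        OCSP_RESPONSE *resp;
        /* … unchanged: note about checking only the first URL … */
        resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
        if (resp != NULL) {
            int rv = process_ocsp_response(resp);
            apr_pool_destroy(p);
            return rv;
        }
        /* correct error code for application errors? */
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
    }
    apr_pool_destroy(p);
```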