Author: jfclere Date: Mon Jun 4 12:47:18 2018 New Revision: 1832832 URL: http://svn.apache.org/viewvc?rev=1832832&view=rev Log: adjust the X509_STORE_CTX_get1_issuer() to X509_STORE_CTX_get0_current_issuer() like in mod_ssl httpd.
Modified: tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1832832&r1=1832831&r2=1832832&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Mon Jun 4 12:47:18 2018
@@ -35,7 +35,7 @@ extern int WIN32_SSL_password_prompt(tcn
 #define ASN1_OID 0x06
 #define ASN1_STRING 0x86
 static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
-static int ssl_ocsp_request(X509 *cert, X509 *issuer);
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
 #endif
 /* _________________________________________________________________
@@ -519,21 +519,22 @@ static int ssl_verify_OCSP(int ok, X509_
 }
 /* if we can't get the issuer, we cannot perform OCSP verification */
- if (X509_STORE_CTX_get1_issuer(&issuer, ctx, cert) == 1 ) {
- r = ssl_ocsp_request(cert, issuer);
- if (r == OCSP_STATUS_REVOKED) {
+ issuer = X509_STORE_CTX_get0_current_issuer(ctx);
+ if (issuer != NULL) {
+ r = ssl_ocsp_request(cert, issuer, ctx);
+ switch (r) {
+ case OCSP_STATUS_OK:
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ break;
+ case OCSP_STATUS_REVOKED:
 /* we set the error if we know that it is revoked */
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
+ break;
+ case OCSP_STATUS_UNKNOWN:
+ /* correct error code for application errors? */
+ // X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+ break;
 }
- else {
- /* else we return unknown */
- r = OCSP_STATUS_UNKNOWN;
- }
- X509_free(issuer); /* It appears that we should free issuer since
- * X509_STORE_CTX_get1_issuer() calls X509_OBJECT_up_ref_count()
- * on the issuer object (unline X509_STORE_CTX_get_current_cert()
- * that just returns the pointer
- */
 }
 return r;
 }
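Review bot: The new `case OCSP_STATUS_OK:` unconditionally overwrites whatever error is already stored in the context with `X509_V_OK`; ssl_verify_OCSP is a verify callback that receives `ok` (visible in the hunk header and in the prototype), and its start lies outside this hunk, so if it can be entered with `ok == 0` a good OCSP answer would clear an earlier chain error. Either guard it, `case OCSP_STATUS_OK: if (ok) X509_STORE_CTX_set_error(ctx, X509_V_OK); break;`, or drop the case entirely, since a good response has no reason to touch the stored error. The `case OCSP_STATUS_UNKNOWN:` branch ships a commented-out `X509_STORE_CTX_set_error(...)` under a question-mark comment; soft-fail versus hard-fail on an unknown OCSP status is a policy decision that should be either implemented or documented as deliberate (`/* unknown status: soft-fail, leave the verify result untouched */`), not left as dead code. The `switch` also has no `default:`, so any other value ssl_ocsp_request() might return is passed straight through in `r` without comment.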
@@ -1038,7 +1039,7 @@ static int process_ocsp_response(OCSP_RE
 return o;
 }
-static int ssl_ocsp_request(X509 *cert, X509 *issuer)
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
 {
 char **ocsp_urls = NULL;
 int nid;
@@ -1061,13 +1062,20 @@ static int ssl_ocsp_request(X509 *cert,
 the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
 if (ocsp_urls != NULL) {
 OCSP_RESPONSE *resp;
+ int rv = OCSP_STATUS_UNKNOWN;
 /* for the time being just check for the fist response .. a better approach is to iterate for all the possible ocsp urls */
 resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
+ if (resp != NULL) {
+ rv = process_ocsp_response(resp);
+ } else {
+ /* correct error code for application errors? */
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+ }
 if (resp != NULL) {
 apr_pool_destroy(p);
- return process_ocsp_response(resp);
+ return rv;
 }
 }
 apr_pool_destroy(p);
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
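Review bot: The added `if (resp != NULL) { … } else { … }` is immediately followed by the pre-existing `if (resp != NULL) { apr_pool_destroy(p); return rv; }`, so the same condition is tested twice and the `resp == NULL` path falls through to the outer `apr_pool_destroy(p)` and whatever return follows the hunk (the tail of ssl_ocsp_request is not visible here; the comment at the top of the hunk says it returns OCSP_STATUS_UNKNOWN). Because `rv` is initialised to `OCSP_STATUS_UNKNOWN`, both branches can end in a single destroy-and-return, which also makes it plain that an unreachable or unparsable responder now records `X509_V_ERR_APPLICATION_VERIFICATION` on the context while the caller still sees UNKNOWN. Whether `resp` is released is not visible either: if process_ocsp_response() (its body is above this hunk) does not free it, an `OCSP_RESPONSE_free(resp)` is missing on the success path. Setting the verify error from this low-level helper rather than in ssl_verify_OCSP() also spreads the fail/soft-fail policy across two functions, so a comment stating that intent belongs next to the set_error call.
```c
    if (ocsp_urls != NULL) {
        OCSP_RESPONSE *resp;
        int rv = OCSP_STATUS_UNKNOWN;
        /* … unchanged: comment on checking only the first responder URL … */
        resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
        if (resp != NULL) {
            rv = process_ocsp_response(resp);
        } else {
            /* responder unreachable or reply unusable: record it on the
             * verify context; the caller still receives OCSP_STATUS_UNKNOWN */
            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
        }
        apr_pool_destroy(p);
        return rv;
    }
    apr_pool_destroy(p);
```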