GUYOMARCH David Ext VIACCESS-DT wrote:
Hello, I have a problem using the ocspd server v 1.1.0a. The server keeps responding "tryLater" when I send an OCSP request.
[...]
I’m confused because I can not get more logs… Is there a problem in my configuration file? I wonder if it can be a problem with my certificates. Here is the description of the files I use: $dir/certs/cacert.pem is issued by a root CA. This intermediate CA has signed the OCSP certificate $dir/certs/ocspd_cert.pem, and issued the CRL file /etc/ocspd/crls/crl_01.pem.
Hello,
Usually this behavior is due to a problem with the CRL.
Can you please re-compile OCSPD, replacing the server.c
file with the one attached to this message, and report back
what syslog reports?
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust - Office 062 Work Phone: +1 (603) 646-9226
--o------------------------------------------------------------------------
/* src/net/server.c
* ============================================================
* OCSP Responder
* (c) 2001 by Massimiliano Pala
* OpenCA released software
* ============================================================
*/
#include "general.h"
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <resolv.h>
#include <unistd.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/conf.h>
#include <openssl/txt_db.h>
#include "support.h"
#include "configuration.h"
#include "ocsp_response.h"
#include "server.h"
#include <sys/time.h>
/* External General Variables */
extern int debug;
extern int verbose;
/* Responder configuration; several functions below take a parameter of
 * the same name that shadows this global. */
extern OCSPD_CONFIG *ocspd_conf;
/* Number of pre-forked workers; overwritten with start_server()'s
 * max_ch_num argument and used as the length of child_list. */
static int max_child = 10;
/* Workers believed alive: incremented in spawn_children(), decremented
 * from the SIGCHLD handler child_died(). */
static int live_childrens = 0;
/* Last value returned by get_lock()/lease_lock() in handle_connection(). */
static int got_lock = 0;
/* If this is true =1 then we should stop spawning processes */
/* static int stop_server = 0; */
/* Connection a worker is currently serving.  Global so that the SIGTERM
 * handler exit_child() can release it. */
BIO *curr_bio = NULL;
/* Values of server_status */
#define BUSY 0
#define READY 1
#define STOP 2
#define RELOAD 3
/* Define Status of the server */
/* Written from signal handlers (handle_sigkill, handle_sigusr1,
 * auto_crl_check) and polled by the main loop in start_server().
 * NOTE(review): a plain int; volatile sig_atomic_t is the portable type
 * for a flag shared with signal handlers. */
int server_status = READY;
/*
static struct timeval tv[10];
static struct timezone tz[10];
*/
/* Table of worker pids, max_child entries, 0 = free slot.  Allocated in
 * start_server(), filled by add_child_list(). */
static pid_t *child_list = NULL;
/* Prototypes for the helpers defined below.  NOTE(review): other
 * functions used before their definition (init_connection,
 * spawn_children, delete_all_childs, ...) are presumably declared in
 * server.h -- confirm, otherwise they are implicitly declared. */
void wait_for_all_dead ( void );
void kill_all_childs( void );
int add_child_list( pid_t pid );
void child_died ( int i );
/*
 * Master entry point: bind the listening socket, drop privileges, create
 * the accept lock, pre-fork the workers, then sit in a signal-driven loop
 * serving STOP and RELOAD requests.
 *
 * bind_s, port_s  address and port, joined into "host:port" for the accept BIO
 * max_ch_num      number of worker processes (copied into the static max_child)
 * max_size        request size limit; values below 1024 are raised to 1024,
 *                 but no later statement in this function reads the value
 * ocspd_conf      responder configuration; shadows the file-level extern
 *
 * Never returns normally: setup failures exit() with a negative code after
 * a syslog message, and the main loop is left only through the signal
 * handlers (handle_sigkill() calls _exit()).
 */
int start_server( char *bind_s, char *port_s, int max_ch_num,
		long max_size, OCSPD_CONFIG *ocspd_conf ) {
	BIO *bio_socket;
	/*
	BIO *buf_bio;
	OCSP_REQUEST *OCSP_req = NULL;
	OCSP_RESPONSE *OCSP_resp = NULL;
	*/
	/*
	char *buf = NULL;
	char tmp_socket[1024];
	*/
	char *addr = NULL;
	int addr_len;
	/*
	int i = 0;
	long buf_len = 0;
	sigset_t mask;
	*/

	/* child_list is the file-level table of worker pids, max_child long */
	max_child = max_ch_num;
	if( max_child > 0 ) {
		if((child_list = (pid_t *) OPENSSL_malloc (sizeof(pid_t)
				* max_child)) == NULL ) {
			syslog(LOG_ERR, "Cannot alloc child list");
			exit( -5 );
		}
		/* 0 marks a free slot for add_child_list() */
		bzero( child_list, sizeof(pid_t) * max_child );
	}

	/* Let's add for later SSL support */
	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();

	/* No max size under 1024 */
	if( max_size < 1024 ) max_size = 1024;

	/* Alloc addr for binding to specific address:port --
	 * strlen(bind_s) + ':' + strlen(port_s) + '\0', so the sprintf
	 * below fits exactly */
	addr_len = strlen(bind_s) + strlen(port_s) + 2 ;
	if((addr = (char *) OPENSSL_malloc (addr_len)) == NULL ) {
		syslog(LOG_ERR, "Cannot alloc addr");
		exit( -5 );
	}
	/* We build the "host:port" string to be used */
	sprintf( addr, "%s:%s", bind_s, port_s );

	/* Listening accept BIO, shared by every worker after fork() */
	if( (bio_socket = init_connection( addr )) == NULL ) {
		syslog(LOG_ERR,"Can not setup socket, exit.");
		exit( -6 );
	}

	/* Set privileges -- after the bind, so a privileged port can still
	 * be used.  set_privileges() reports failure with a value < 1. */
	if( set_privileges( ocspd_conf ) < 1 ) {
		syslog( LOG_ERR, "Error in setting privileges, exiting!");
		exit(-7);
	}

	/* Set the Lock Management into config variable; the lock is inherited
	 * by the workers and serializes their accept() calls */
	ocspd_conf->lck = init_lock();

	/* Now let's spaw childrens so that can compete on the accept() */
	spawn_children( &bio_socket, max_child, ocspd_conf );

	/* Register the alrm handler (periodic CRL checks, see auto_crl_check) */
	set_parent_alrm_handler();

	// Register signal handlers.  SIGSTOP cannot be caught, so that
	// particular signal() call has no effect.
	signal( SIGCHLD, child_died );
	// signal( SIGKILL, handle_sigkill );
	signal( SIGTERM, handle_sigkill );
	signal( SIGSTOP, handle_sigkill );
#ifdef SIGHUP
	signal( SIGHUP, handle_sigusr1 );
#endif
	signal( SIGQUIT, handle_sigkill );
	signal( SIGPIPE, SIG_IGN );
	signal( SIGUSR1, handle_sigusr1 );

	/* Main loop: sleep in pause() until a handler changes server_status */
	while ( 1 ) {
		if( server_status == READY ) {
			/* pause() returns -1/EINTR after any handler has run */
			if( pause() < 0 ) {
				if(verbose)
					syslog(LOG_ERR, "Verbose Debug Info ["
						" %s ]", strerror(errno));
			}
		}
		/* Here we should monitor the child list for dead
		   children */
		if( server_status == STOP ) {
			/* handle_sigkill() performs the shutdown and never returns */
			raise(SIGTERM);
		} else if ( server_status == RELOAD ) {
			/* int ret; */
			server_status = BUSY;
			syslog(LOG_INFO,"Reloading all CRLs");
			/* The workers are terminated and reaped first -- presumably
			 * because they were forked with the old CRL data */
			kill_all_childs();
			delete_all_childs();
			live_childrens = 0;
			if( verbose )
				syslog(LOG_INFO, "All Childs died.");
			/* Close the bio_socket */
			/*
			if(verbose)
				syslog( LOG_INFO,
					"Closing main socket while reloading CRLs");
			BIO_free_all(bio_socket);
			sleep(1);
			*/
			/* The lock is destroyed and re-created around the reload */
			if( verbose )
				syslog(LOG_ERR, "Freeing lock [%d]",
					ocspd_conf->lck );
			free_lock( ocspd_conf->lck );
			ocspd_conf->lck = -1;
			if( verbose ) syslog(LOG_ERR, "Lock system released.");
			/* Here we de-allocate the CRL entries and
			   reload the CRL */
			if( ocspd_reload_crls( ocspd_conf ) == 0 ) {
				/* Reload failure is logged only; the server carries
				 * on with whatever ocspd_reload_crls() left behind */
				syslog( LOG_ERR, "Error reloading CRLs");
			} else {
				if( verbose )
					syslog( LOG_INFO, "CRLs reloaded.");
			}
			sleep(1);
			if( verbose )
				syslog(LOG_ERR, "Initialising lock [%d]",
					ocspd_conf->lck );
			ocspd_conf->lck = init_lock();
			if( verbose )
				syslog(LOG_ERR, "lock system ok [%d]",
					ocspd_conf->lck );
			if(verbose)
				syslog( LOG_INFO, "Lock system re-init: got %d",
					ocspd_conf->lck );
			/* Re-Init the socket */
			/*
			if(verbose)
				syslog(LOG_INFO,
					"Re-Initialising server socket.");
			if( (bio_socket = init_connection( addr )) == NULL ) {
				syslog(LOG_ERR,"Can not setup socket, exit.");
				exit( -6 );
			}
			*/
			if(verbose)
				syslog(LOG_INFO, "Spawning %d childs.",
					max_child );
			/* Spawning Childrens -- on the same, still open, accept BIO */
			spawn_children( &bio_socket, max_child, ocspd_conf);
			syslog(LOG_INFO, "Reload completed, server ready.");
			server_status = READY;
		}
	}
	return(1);
}
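/*
 * Create the listening accept BIO for the "host:port" string addr.
 *
 * Returns the accept BIO (caller owns it, release with BIO_free_all) or
 * NULL after logging the reason to syslog.  The buffering BIO is chained
 * onto every accepted connection via BIO_set_accept_bios(); from that
 * point it is owned by the accept BIO and freed together with it, which
 * is why it is only freed by hand on the one failure path before that.
 */
BIO *init_connection ( char *addr ) {
	BIO *bio_socket = NULL;
	BIO *buf_bio = NULL;

	/* Buffering filter for the accepted connections */
	buf_bio = BIO_new(BIO_f_buffer());
	if (!buf_bio) {
		syslog( LOG_ERR, "Can not set bufbio %d", __LINE__ );
		return (NULL);
	}

	/* Bind to socket */
	if((bio_socket = BIO_new_accept( addr )) == NULL ) {
		syslog(LOG_ERR, "Cannot bind to %s", addr);
		/* not yet handed to the accept BIO, so it would leak otherwise */
		BIO_free( buf_bio );
		return (NULL);
	}

	/* Set the reuse of local port (2L is BIO_BIND_REUSEADDR) so that a
	 * restart does not wait for TIME_WAIT sockets to expire */
	BIO_set_bind_mode(bio_socket, 2L );
	if (verbose)
		syslog(LOG_INFO, "Successfully binded to %s", addr);

	/* Ownership of buf_bio moves to the accept BIO here */
	BIO_set_accept_bios(bio_socket, buf_bio);
	buf_bio = NULL;

	/* The first BIO_do_accept() on an accept BIO creates the listening
	 * socket; it does not wait for a client yet */
	if (BIO_do_accept(bio_socket) <= 0) {
		syslog( LOG_ERR, "Error setting up accept BIO");
		BIO_free_all( bio_socket );	/* also frees the chained buf_bio */
		return( NULL );
	}
	return bio_socket;
}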
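/*
 * Worker loop: accept connections one at a time and answer each with an
 * OCSP response.  Every forked child runs this until the master is gone
 * (getppid() == 1) or it is terminated through exit_child().
 *
 * bio_socket  the shared listening accept BIO from init_connection()
 * ocspd_conf  responder configuration (lock id, max_req_size, ...)
 *
 * The accept lock (get_lock/lease_lock) is held only around
 * BIO_do_accept() + BIO_pop(), so that one worker at a time sits in
 * accept().  curr_bio is a file-level global so that exit_child() can
 * release the connection when SIGTERM arrives in the middle of a request.
 *
 * Returns 0 (ret is never changed; kept for the existing prototype).
 */
int handle_connection( BIO **bio_socket, OCSPD_CONFIG *ocspd_conf ) {
	/*
	pid_t pid;
	int i, status = 0;
	*/
	int ret = 0;
	BIO *pbio_socket = NULL;
	OCSP_REQUEST *ocsp_req = NULL;
	OCSP_RESPONSE *ocsp_resp = NULL;

	pbio_socket = *bio_socket;

	while ( 1 ) {
		/* Only the lock holder may accept; retry once a second */
		if( (got_lock = get_lock( ocspd_conf )) < 0 ) {
			syslog( LOG_ERR, "Cannot get lock on resource (%d)",
				getpid());
			sleep(1);
			continue;
		}
		/* Orphaned by the master: give the lock back and leave */
		if( getppid() == 1 ) {
			syslog( LOG_ERR, "Father died, committing suicide.");
			lease_lock(ocspd_conf);
			break;
		}
#ifdef _DEBUG
#ifdef _USE_SEMAPHORES
		if( verbose )
			syslog(LOG_INFO, "Got lock on semaphore (%d)",
				ocspd_conf->lck);
#else
		if( verbose )
			syslog(LOG_INFO, "Got lock on file descriptor (%d)",
				ocspd_conf->lck);
#endif
#endif
		/* Blocks until a client connects; the new connection is
		 * queued inside the accept BIO */
		if (BIO_do_accept( pbio_socket ) <= 0) {
			lease_lock(ocspd_conf);
			syslog(LOG_ERR, "Error in getting the socket (%d)!",
				getpid());
			continue;
		}
		/* Detach the connection from the listener */
		if( (curr_bio = BIO_pop( pbio_socket )) == NULL) {
			lease_lock(ocspd_conf);
			syslog(LOG_ERR, "%s:%d Error in BIO_pop",
				__FILE__, __LINE__ );
			continue;
		}
		/* Release the accept lock before the (slow) request handling.
		 * NOTE(review): on this failure path the request is answered
		 * with the lock still held -- confirm that is intended. */
		if( (got_lock = lease_lock( ocspd_conf )) < 0 ) {
			syslog( LOG_ERR, "Cannot release lock on resource");
			goto err;
		}
		/* HTTP header + DER body, see get_ocsp_request() */
		if((ocsp_req = get_ocsp_request( curr_bio )) == NULL ) {
			if( verbose )
				syslog(LOG_ERR, "Can not parse ocsp request");
			goto err;
		}
		/* NOTE(review): if make_ocsp_response() allocates *ocsp_resp and
		 * then fails, that object is overwritten at err: and leaked --
		 * check its contract. */
		if(( make_ocsp_response(&ocsp_resp, ocsp_req, ocspd_conf))
			== 0 ) {
			syslog( LOG_ERR, "Error in generating response" );
			goto err;
		}
		send_ocsp_response( curr_bio, ocsp_resp );
		goto end;
err:
		/* Unparseable or unanswerable request: reply with an unsigned
		 * malformedRequest status.  OCSP_response_create() may return
		 * NULL; send_ocsp_response() must cope with a NULL resp. */
		ocsp_resp = OCSP_response_create(
			OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
		send_ocsp_response( curr_bio, ocsp_resp );
end:
		/* Per-request cleanup; the listener itself is kept.  The
		 * pointers are reset so that an early "goto err" on the next
		 * iteration (lease_lock failure) cannot free them a second
		 * time. */
		if( curr_bio ) BIO_free_all(curr_bio);
		curr_bio = NULL;
		if( ocsp_req ) OCSP_REQUEST_free( ocsp_req );
		ocsp_req = NULL;
		if( ocsp_resp ) OCSP_RESPONSE_free( ocsp_resp );
		ocsp_resp = NULL;
	}
	return ret;
}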
/*
 * Read the HTTP header of an OCSP POST from bio and decode the DER
 * request body that follows it.
 *
 * Header lines are consumed with BIO_gets() until an empty line ("\r..."
 * or "\n..."), until the stream ends, or -- when ocspd_conf->max_req_size
 * is positive -- once that many header bytes have been read.  The first
 * line must start with "POST", otherwise NULL is returned.  The body is
 * then decoded straight from the stream; only the header bytes are
 * counted against max_req_size.
 *
 * Returns a new OCSP_REQUEST (caller frees) or NULL.
 */
OCSP_REQUEST *get_ocsp_request( BIO *bio ) {
	char line[1024];
	int seen_post = 0;
	int header_bytes = 0;
	int n;

	while( (n = BIO_gets(bio, line, sizeof line)) > 0 ) {
		header_bytes += n;
		if( ocspd_conf->max_req_size > 0 &&
		    header_bytes >= ocspd_conf->max_req_size )
			break;

		if( !seen_post ) {
			/* Only the POST method carries an OCSP request body */
			if( strncmp( line, "POST", 4) != 0 ) {
				if( verbose ) syslog(LOG_ERR,"Method is not POST, rejecting");
				return (NULL);
			}
			seen_post = 1;
		}

		/* An empty line terminates the header block */
		if( line[0] == '\n' || line[0] == '\r' )
			break;
	}

	/* remove to prevent unused log...
	   syslog( LOG_ERR, "Error parsing OCSP request\n");*/
	return d2i_OCSP_REQUEST_bio(bio, NULL);
}
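/*
 * Alternative request reader (not called from this file): slurp the
 * whole HTTP request into memory with ocspd_http_get_data(), bounded by
 * ocspd_conf->max_req_size, then parse the header lines and the DER
 * body out of a memory BIO.
 *
 * Returns a new OCSP_REQUEST (caller frees) or NULL after a syslog
 * message.  All temporaries are released on every path.
 */
OCSP_REQUEST *NEW_get_ocsp_request( BIO *in ) {
	int head_lines = 0;
	char linebuf[1024];
	BUF_MEM *buf = NULL;
	OCSP_REQUEST *ocsp_req = NULL;
	BIO *mem = NULL;

	if( (buf = ocspd_http_get_data(in, ocspd_conf->max_req_size)) == NULL){
		if( verbose )
			syslog ( LOG_ERR, "ERROR -- impossible reading req");
		return NULL;
	}

	/* Build a memory bio from the MEM_BUF data */
	if(!(mem = BIO_new_mem_buf(buf->data, buf->length) )) {
		syslog( LOG_ERR, "ERROR: Internal memory allocation error!");
		goto end;
	}

	/* Header lines up to and including the empty one */
	do {
		int read_code = 0;
		bzero(linebuf, sizeof linebuf);
		read_code = BIO_gets(mem, linebuf, sizeof(linebuf));
		/* A zero return means the buffer ran out before the empty
		 * line.  It must end the loop too: with linebuf cleared the
		 * old "< 0" test spun here forever on such a request. */
		if( read_code <= 0 ) {
			syslog( LOG_ERR, "HTTP - Error (%d) retrieving header"
				" (%d)", read_code, head_lines );
			goto end;
		}
		/* Let's check if the first line has good code */
		if ( ( head_lines == 0 ) &&
		     ( strncmp( linebuf, "POST ", 5) != 0 )) {
			syslog( LOG_ERR, "ERROR - HTTP method is not POST, "
				" rejecting.");
			goto end;
		}
		head_lines++;
	} while( (linebuf[0] != '\r') && (linebuf[0] != '\n') );

	/* What remains in mem is the DER body */
	ocsp_req = d2i_OCSP_REQUEST_bio(mem, NULL);
	if (!ocsp_req) {
		/* remove to prevent unused log...
		   syslog( LOG_ERR, "Error parsing OCSP request\n");*/
		if( verbose )
			syslog(LOG_ERR, "ERROR in parsing request");
	}

end:
	/* mem only references buf->data, so both must be released */
	if( mem ) BIO_free_all (mem);
	if( buf ) BUF_MEM_free (buf);
	return ocsp_req;
}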
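/*
 * Write resp to bio as a minimal HTTP/1.0 response carrying an
 * application/ocsp-response body.
 *
 * Returns 1 when the whole response was handed to the BIO and flushed,
 * 0 otherwise: NULL bio or resp, a response that cannot be DER-encoded,
 * or a failed write/flush.  Each failure is logged; callers in this file
 * currently ignore the return value.
 */
int send_ocsp_response(BIO *bio, OCSP_RESPONSE *resp) {
	int len;

	if (!bio) {
		syslog(LOG_ERR, "Error sending response, bio is NULL");
		return 0;
	}
	/* handle_connection() can pass a NULL resp when
	 * OCSP_response_create() fails on its error path */
	if (!resp) {
		syslog(LOG_ERR, "Error sending response, response is NULL");
		return 0;
	}

	/* i2d with a NULL output pointer only measures the DER length;
	 * a negative result means the response cannot be encoded and
	 * would otherwise have become "Content-Length: -1" */
	len = i2d_OCSP_RESPONSE(resp, NULL);
	if (len < 0) {
		syslog(LOG_ERR, "Error sending response, cannot encode response");
		return 0;
	}

	if (BIO_printf(bio,
			"HTTP/1.0 200 OK\r\n"
			"Content-type: application/ocsp-response\r\n"
			"Content-Transfer-Encoding: Binary\r\n"
			"Content-Length: %d\r\n\r\n", len) <= 0 ||
	    i2d_OCSP_RESPONSE_bio(bio, resp) <= 0 ||
	    BIO_flush(bio) <= 0) {
		syslog(LOG_ERR, "Error sending response, write failed");
		return 0;
	}
	return 1;
}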
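/*
 * Record a freshly forked worker pid in the first free slot of
 * child_list (a slot holding 0 is free).
 *
 * Returns 1 when the pid was stored, 0 when there is no list or every
 * slot is taken.  The "list full" case is logged so that a worker that
 * kill_all_childs() will never see does not go unnoticed.
 */
int add_child_list( pid_t pid ) {
	int i;

	if( verbose )
		syslog(LOG_ERR,"Add Child to List child [%d]", pid );

	if( !child_list )
		return( 0 );

	for(i = 0; i < max_child; i++ ) {
		if(child_list[i] == 0 ) {
			child_list[i] = pid;
			return( 1 );
		}
	}

	syslog(LOG_ERR, "Child list full, child %d not recorded", (int) pid);
	return( 0 );
}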
/*
 * Free the child_list slot holding pid (first match only).  Logs when the
 * pid is not in the list.  Always returns 1.
 */
int delete_child_from_list ( pid_t pid ) {
	int slot = 0;

	while( slot < max_child && child_list[slot] != pid )
		slot++;

	if( slot == max_child ) {
		syslog(LOG_ERR, "Child %d not found in child list!",
			pid);
		return(1);
	}

	child_list[slot] = 0;
	if( verbose )
		syslog(LOG_ERR,"Deleted Child to List [%d]",
			pid );
	return(1);
}
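/*
 * Mark every child_list slot free.
 *
 * Returns 0 when there is no list to clear, 1 otherwise.  The length is
 * sizeof *child_list (one pid_t) * max_child: the old expression used
 * sizeof child_list, the size of the pointer, and on hosts where a
 * pointer is wider than a pid_t wrote past the end of the allocation.
 */
int delete_all_childs( void ) {
	if( !child_list || max_child <= 0 ) return (0);
	memset(child_list, 0, sizeof *child_list * (size_t) max_child);
	return(1);
}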
/*
 * Reap one exited child without blocking.
 *
 * Returns the child's pid, 0 when children exist but none has exited,
 * or -1 (errno ECHILD) when this process has no children at all.
 */
pid_t wait_dead(void) {
	int status = 0;

	/* wait3(&status, WNOHANG, NULL) is the same call as waitpid(-1, ...)
	 * once no rusage is requested */
	return waitpid(-1, &status, WNOHANG);
}
/*
 * Reap every child that has already exited, then reset live_childrens.
 *
 * Uses WNOHANG throughout, so despite the name it does not wait for
 * running children: it returns as soon as no child is immediately
 * reapable, and the "All childrens died" message is logged in that case
 * as well.
 */
void wait_for_all_dead(void) {
	pid_t reaped;

	syslog(LOG_ERR, "Waiting for all child to die [%d]", live_childrens);

	for( ;; ) {
		reaped = waitpid( -1, NULL, WNOHANG );
		if( reaped > 0 ) {
			/* drain everything else that is already dead */
			while( waitpid( -1, NULL, WNOHANG) > 0 )
				;
			continue;
		}
		/* 0 (nothing reapable yet) or -1 (no children): done */
		if(verbose)
			syslog(LOG_INFO,
				"All childrens died, a second of silence, please.");
		break;
	}

	live_childrens = 0;
}
/*
 * SIGCHLD handler of the master: one fewer live worker.  The child is
 * not reaped here; wait_dead()/kill_all_childs() collect it later.
 */
void child_died ( int i ) {
	(void) i;
	live_childrens -= 1;
}
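/*
 * Send SIGTERM to every recorded worker and wait for each one to go.
 *
 * Free slots (value 0) are skipped: kill(0, SIGTERM) signals the whole
 * process group, master included, so before this check a single empty
 * slot -- e.g. after a failed fork() -- could terminate the server
 * during a reload.  Slots are not cleared here; delete_all_childs() is
 * called afterwards by the callers.
 */
void kill_all_childs( void ) {
	int ret, i, status;

	if( !child_list ) return;

	for( i = 0; i < max_child; i++ ) {
		pid_t pid = child_list[i];

		if( pid <= 0 ) continue;

		ret = kill( pid, SIGTERM);
		if(verbose) {
			syslog(LOG_INFO, "Killing child %d [ret %d]",
				pid, ret);
		}
		if( ret < 0 ) {
			syslog(LOG_ERR, "Killing child %d error: %s",
				pid, strerror(errno));
		}
		/* Blocking wait for this child; WUNTRACED also returns for a
		 * stopped child */
		if( waitpid( pid, &status, WUNTRACED) == -1 ) {
			if(verbose)
				syslog(LOG_ERR, "Wait for child error: %s",
					strerror(errno));
		}
	}
}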
/*
 * SIGTERM handler of a worker: give back the accept lock, drop the
 * connection being served (if any) and leave without running atexit
 * handlers or flushing stdio, which the forked child shares with the
 * master.
 */
void exit_child( int sig ) {
	(void) sig;

	lease_lock( ocspd_conf );
	if( curr_bio ) BIO_free_all( curr_bio );
	_exit(0);
}
/*
 * SIGHUP handler of a worker.  Only acts when the master is gone
 * (parent pid 1): then the lock is released and the worker exits.
 * Otherwise the signal is logged and ignored.
 */
void child_sighup( int sig ) {
	(void) sig;

	if(verbose)
		syslog( LOG_ERR, "%s:%d child %d got hup signal",
			__FILE__, __LINE__, getpid());

	if( getppid() != 1 )
		return;

	syslog( LOG_ERR, "Father died, killing me softly.");
	/* Let's free the resources */
	lease_lock( ocspd_conf );
	_exit(0);
}
/*
 * Master shutdown handler (SIGTERM/SIGQUIT, also raised from the main
 * loop on STOP): reap what already exited, terminate the remaining
 * workers, destroy the lock and _exit().
 *
 * NOTE(review): syslog() is not async-signal-safe; this matches the
 * original behaviour and is noted here, not changed.
 */
void handle_sigkill( int sig ) {
	server_status = STOP;
	syslog(LOG_INFO,
		"Shutting down, master (received signal %d).", sig );

	/* collect children that are already gone */
	for( ;; ) {
		if( wait_dead() <= 0 )
			break;
	}

	kill_all_childs();
	delete_all_childs();
	sleep(1);
	free_lock( ocspd_conf->lck );

	if(verbose)
		syslog(LOG_INFO, "All done. Happy to serve you, bye!");
	_exit(0);
}
/*
 * SIGUSR1/SIGHUP handler of the master: ask the main loop in
 * start_server() for a RELOAD.  crl_auto_reload is overwritten with 10
 * (presumably seconds: auto_crl_check() compares its counter against
 * it -- confirm the intent).
 */
void handle_sigusr1( int sig ) {
	(void) sig;

	server_status = RELOAD;
	ocspd_conf->crl_auto_reload = 10;
}
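/*
 * Take the lock that serializes accept() among the workers.
 *
 * Returns 0 on success, -1 when the lock could not be taken (the caller
 * only treats negative values as failure).  With neither _USE_FLOCK nor
 * _USE_SEMAPHORES there is no lock and 0 is returned immediately.
 */
int get_lock( OCSPD_CONFIG *ocspd_conf ) {
#ifdef _USE_SEMAPHORES
	struct sembuf lock_it;
#endif

#ifdef _USE_FLOCK
	/* lockf() returns 0 on success.  The old test was inverted: a lock
	 * that was taken got logged as an error, and a failed lockf() fell
	 * through and returned 0, so the caller carried on unlocked. */
	if( lockf( ocspd_conf->lck, F_LOCK, 0 ) != 0 ) {
		syslog( LOG_ERR, "Cannot get lock on resource");
		return(-1);
	}
#endif

#ifdef _USE_SEMAPHORES
	/* Set the semaphore: wait until it is > 0, then decrement it */
	lock_it.sem_num = 0;
	lock_it.sem_op = -1;
	lock_it.sem_flg = 0;
	if((semop(ocspd_conf->lck, &lock_it, 1)) == -1 ) {
		return(-1);
	}
#endif
	return(0);
}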
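/*
 * Release the lock taken by get_lock().
 *
 * Returns 0 on success, -1 on failure.  With neither _USE_FLOCK nor
 * _USE_SEMAPHORES there is nothing to release and 0 is returned.
 */
int lease_lock( OCSPD_CONFIG *ocspd_conf ) {
#ifdef _USE_SEMAPHORES
	struct sembuf lock_it;
	/* union semun options; */
#endif

#ifdef _USE_FLOCK
	/* Undo the F_LOCK of get_lock().  Without this branch the lock was
	 * never given back in flock mode, so once a worker held it every
	 * other worker blocked in lockf() until that process exited. */
	if( lockf( ocspd_conf->lck, F_ULOCK, 0 ) != 0 ) {
		syslog( LOG_ERR, "Cannot release lock on resource");
		return(-1);
	}
#endif

#ifdef _USE_SEMAPHORES
	/* Un-Set the semaphore: increment it back to 1 */
	lock_it.sem_num = 0;
	lock_it.sem_op = 1;
	lock_it.sem_flg = 0;
	if((semop(ocspd_conf->lck, &lock_it, 1)) == -1 ) {
		return(-1);
	}
#endif
	return(0);
}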
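/*
 * Create the accept lock and return its handle: a file descriptor with
 * _USE_FLOCK, a SysV semaphore id with _USE_SEMAPHORES, -1 on failure
 * (and always -1 when neither is defined).  Released by free_lock().
 *
 * NOTE(review): the flock file lives at a fixed path in /tmp, which every
 * local user can create or replace; a path in a directory owned by the
 * daemon would be the safer choice.  Left unchanged here.
 */
int init_lock ( void ) {
	int lck = -1;
#ifdef _USE_SEMAPHORES
	union semun options;
	/* struct sembuf lock_it; */
	key_t my_key;
#endif

#ifdef _USE_FLOCK
	/* lockf(F_LOCK) needs a descriptor open for writing, O_CREAT needs
	 * a mode argument, and open() signals failure with -1 (the old
	 * code checked for 0 and passed O_CREAT alone, i.e. read-only and
	 * with an undefined mode). */
	lck = open("/tmp/ocsp.lck", O_RDWR | O_CREAT, 0600);
	if( lck < 0 ) {
		syslog(LOG_ERR, "Impossible to open flock file");
		return -1;
	}
#endif

#ifdef _USE_SEMAPHORES
	/* Let's create the semaphore and check it.  NOTE: ftok() keeps only
	 * the low 8 bits of the pid, and IPC_EXCL makes semget() fail when a
	 * previous run left a semaphore with the same key behind. */
	my_key = ftok("/tmp", getpid());
	lck = semget( my_key, 1, IPC_CREAT | IPC_EXCL | 0600 );
	if(lck < 0 ) return lck;

	/* Initial value 1: exactly one holder at a time */
	options.val = 1;
	if( semctl( lck, 0, SETVAL, options) < 0 ) {
		/* do not hand back a semaphore we could not initialise */
		semctl(lck, 0, IPC_RMID, 0);
		return -1;
	}
	if( semctl(lck,0,GETVAL,0) == 0 ) {
		syslog( LOG_ERR, "Cannot Lock the Semaphore (%d)",lck);
		return(-1);
	}
#endif
	return lck;
}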
/*
 * Release the handle returned by init_lock(): close the flock descriptor
 * (which also drops any lockf() region) or remove the semaphore.  A
 * negative lck is ignored.
 */
void free_lock( int lck ) {
	/* Let's free the lock. It is not very important for
	   flock() support but it is needed for semaphores */
	if( lck < 0 ) {
#ifdef DEBUG
		if( verbose )
			syslog( LOG_ERR, "%s:%d freed lock", __FILE__, __LINE__ );
#endif
		return;
	}

#ifdef _USE_FLOCK
	close(lck);
#endif
#ifdef _USE_SEMAPHORES
	semctl(lck, 0, IPC_RMID, 0);
#endif

#ifdef DEBUG
	if( verbose )
		syslog( LOG_ERR, "%s:%d freed lock", __FILE__, __LINE__ );
#endif
}
/*
 * Fork max_child workers, each running handle_connection() on the shared
 * accept BIO.  The parent records every successful pid (live_childrens,
 * add_child_list); a failed fork() is logged and skipped.  The children
 * never return from here.  Always returns 1.
 *
 * The max_child and ocspd_conf parameters shadow the file-level
 * variables of the same names.
 */
int spawn_children(BIO **bio, int max_child, OCSPD_CONFIG *ocspd_conf ) {
	int idx;

	if(verbose)
		syslog( LOG_INFO, "Pre-Spawning %d processes (live %d)",
			max_child, live_childrens );

	for( idx = 0 ; idx < max_child; idx++ ) {
		pid_t pid = fork();

		if( pid < 0 ) {
			/* fork() failed: nothing was spawned, keep going */
			syslog(LOG_ERR, "Error in spawning process!");
			continue;
		}
		if( pid > 0 ) {
			/* parent: bookkeeping only */
			live_childrens++;
			add_child_list( pid );
			continue;
		}
		/* child: serve connections until told to stop */
		set_child_sig_handlers();
		handle_connection( bio, ocspd_conf );
		_exit(0);
	}

	if( verbose )
		syslog( LOG_INFO, "%s:%d Active Childrens [ %d ]",
			__FILE__, __LINE__, live_childrens );
	return 1;
}
/*
 * Install the worker's signal dispositions right after fork(): default
 * SIGCHLD, ignore SIGALRM (only the master runs the CRL timer), SIGHUP
 * -> child_sighup, SIGTERM -> exit_child.  SIGKILL and SIGSTOP cannot
 * be caught, so those two signal() calls fail with EINVAL and have no
 * effect; they are kept as in the original.  Always returns 1.
 */
int set_child_sig_handlers( void ) {
	struct { int signum; void (*handler)(int); } handlers[] = {
		{ SIGCHLD, SIG_DFL },
		{ SIGALRM, SIG_IGN },
#ifdef SIGHUP
		{ SIGHUP,  child_sighup },
#endif
		{ SIGTERM, exit_child },
		{ SIGKILL, exit_child },
		{ SIGSTOP, exit_child },
	};
	size_t k;

	for( k = 0; k < sizeof handlers / sizeof handlers[0]; k++ )
		signal( handlers[k].signum, handlers[k].handler );
	return 1;
}
/*
 * Arm the master's periodic CRL timer.
 *
 * When both crl_auto_reload and crl_check_validity are 0, SIGALRM is
 * ignored.  Otherwise alarm_decrement becomes the smaller of the two
 * (ignoring whichever is 0), auto_crl_check() is installed as the
 * SIGALRM handler and the first alarm is scheduled.  Always returns 1.
 */
int set_parent_alrm_handler( void ) {
	int auto_rel = ocspd_conf->crl_auto_reload;
	int val_check = ocspd_conf->crl_check_validity;

	if( !auto_rel && !val_check ) {
		signal( SIGALRM, SIG_IGN);
		return 1;
	}

	/* tick period: min(auto_rel, val_check), a zero does not count */
	if( auto_rel == 0 )
		ocspd_conf->alarm_decrement = val_check;
	else if( val_check == 0 )
		ocspd_conf->alarm_decrement = auto_rel;
	else
		ocspd_conf->alarm_decrement =
			(auto_rel < val_check) ? auto_rel : val_check;

	signal( SIGALRM, auto_crl_check );
	alarm ( ocspd_conf->alarm_decrement );
	return 1;
}
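/*
 * SIGALRM handler of the master (installed by set_parent_alrm_handler).
 *
 * Two jobs, both driven by ocspd_conf:
 *  - periodic reload: add alarm_decrement to current_crl_reload and, once
 *    crl_auto_reload is reached, ask the main loop for a RELOAD;
 *  - validity check: classify every CA's CRL with check_crl_validity()
 *    and ask for a RELOAD when a status changed, or when an expired CRL
 *    is found and crl_reload_expired is 1.
 * The reload itself is done by start_server(), which polls server_status.
 * signal() is re-installed on every re-arm because of the Solaris note.
 *
 * Fix: the status-change path used to return without re-arming the
 * alarm.  Nothing in this file re-arms it after the RELOAD has been
 * processed, so after the first status change no further check ever ran.
 */
void auto_crl_check ( int sig ) {
	CA_LIST_ENTRY *ca = NULL;
	int i, ret;

	(void) sig;

	if( !ocspd_conf ) return;

	if( ocspd_conf->crl_auto_reload ) {
		ocspd_conf->current_crl_reload +=
			ocspd_conf->alarm_decrement;
		if( ocspd_conf->current_crl_reload >=
			ocspd_conf->crl_auto_reload ) {
			ocspd_conf->current_crl_reload = 0;
			/* Calling signal seems to be needed on Solaris(!?!) */
			signal( SIGALRM, auto_crl_check );
			alarm( ocspd_conf->alarm_decrement );
			/* The reload re-reads every CRL, so the per-CA scan
			 * below is skipped on this tick */
			server_status = RELOAD;
			return;
		}
	}

	for( i=0; i < ocspd_conf->ca_list_len; i++ ) {
		ca = ocspd_conf->ca_list[i];
		ret = check_crl_validity ( ca );
		if( ca->crl_status != ret ) {
			if(verbose)
				syslog( LOG_INFO,"Detected CRL status change");
			ca->crl_status = ret;
			/* Re-arm before leaving (see the header comment) */
			signal( SIGALRM, auto_crl_check );
			alarm( ocspd_conf->alarm_decrement );
			server_status = RELOAD;
			return;
		}
		ca->crl_status = ret;
		if( verbose )
			syslog( LOG_INFO, "Auto CRL checking [%s]", ca->ca_id);
		switch (ca->crl_status) {
		case CRL_EXPIRED:
			syslog(LOG_ERR, "CRL is expired [%s]",
				ca->ca_id );
			if ( ocspd_conf->crl_reload_expired == 1 ) {
				/* Calling signal seems to be
				   needed on Solaris(!?!) */
				signal( SIGALRM, auto_crl_check );
				alarm( ocspd_conf->crl_check_validity );
				if( verbose ) {
					syslog(LOG_INFO,
						"Reloading CRL ");
				}
				/* The scan continues; the RELOAD is picked up
				 * by the main loop once this handler returns */
				server_status = RELOAD;
			}
			break;
		case CRL_OK:
			if( verbose ) {
				syslog(LOG_INFO,
					"CRL ok [ %s ]", ca->ca_id);
			}
			break;
		case CRL_NOT_YET_VALID:
			if( verbose ) {
				syslog(LOG_INFO,
					"CRL not yet valid [ %s ]",
					ca->ca_id);
			}
			break;
		case CRL_ERROR_LAST_UPDATE:
			if( verbose ) {
				syslog(LOG_INFO,
					"CRL lastUpdate ERROR [ %s ]",
					ca->ca_id);
			}
			break;
		case CRL_ERROR_NEXT_UPDATE:
			if( verbose ) {
				syslog(LOG_INFO,
					"CRL nextUpdate ERROR [ %s ]",
					ca->ca_id);
			}
			break;
		default:
			/* check_crl_validity() returns only the codes above */
			break;
		}
	}

	if( ocspd_conf->crl_check_validity ) {
		if( verbose )
			syslog(LOG_INFO, "Checking again CRL in %d secs",
				ocspd_conf->crl_check_validity );
		/* Calling signal seems to be needed on Solaris(!?!) */
		signal( SIGALRM, auto_crl_check );
		alarm( ocspd_conf->crl_check_validity );
	}
}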
/* Log (when verbose) and return one CRL_* verification code. */
static int crl_verify_error( int code ) {
	if( verbose )
		syslog(LOG_ERR, "CRL Verify error (code %d)", code );
	return code;
}

/*
 * Classify ca's CRL against the current time.
 *
 * Returns CRL_ERROR_LAST_UPDATE when the entry has no CRL or no
 * lastUpdate, or lastUpdate cannot be compared; CRL_NOT_YET_VALID when
 * lastUpdate lies in the future; CRL_ERROR_NEXT_UPDATE when a present
 * nextUpdate cannot be compared; CRL_EXPIRED when nextUpdate has passed;
 * CRL_OK otherwise (a missing nextUpdate is accepted).
 */
int check_crl_validity ( CA_LIST_ENTRY *ca ) {
	int cmp;

	if( ca == NULL || ca->crl == NULL || ca->lastUpdate == NULL ) {
		if( verbose )
			syslog(LOG_ERR, "CRL Verify error (memory alloc)");
		return(CRL_ERROR_LAST_UPDATE);
	}

	/* X509_cmp_time(t, NULL): 0 on error, > 0 when t is after now,
	 * < 0 when t is before now */
	cmp = X509_cmp_time(ca->lastUpdate, NULL);
	if( cmp == 0 )
		return crl_verify_error( CRL_ERROR_LAST_UPDATE );
	if( cmp > 0 )
		return crl_verify_error( CRL_NOT_YET_VALID );

	if( ca->nextUpdate == NULL )
		return (CRL_OK);

	cmp = X509_cmp_time(ca->nextUpdate, NULL);
	if( cmp == 0 )
		return crl_verify_error( CRL_ERROR_NEXT_UPDATE );
	if( cmp < 0 )
		return crl_verify_error( CRL_EXPIRED );

	return (CRL_OK);
}
