Author: jfclere
Date: Mon Jun  4 12:47:18 2018
New Revision: 1832832

URL: http://svn.apache.org/viewvc?rev=1832832&view=rev
Log:
adjust the X509_STORE_CTX_get1_issuer() to X509_STORE_CTX_get0_current_issuer()
like in mod_ssl httpd.

Modified:
    tomcat/native/trunk/native/src/sslutils.c

Modified: tomcat/native/trunk/native/src/sslutils.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1832832&r1=1832831&r2=1832832&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Mon Jun  4 12:47:18 2018
@@ -35,7 +35,7 @@ extern int WIN32_SSL_password_prompt(tcn
 #define ASN1_OID      0x06
 #define ASN1_STRING   0x86
 static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
-static int ssl_ocsp_request(X509 *cert, X509 *issuer);
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
 #endif
 
 /*  _________________________________________________________________
@@ -519,21 +519,22 @@ static int ssl_verify_OCSP(int ok, X509_
     }
 
     /* if we can't get the issuer, we cannot perform OCSP verification */
-    if (X509_STORE_CTX_get1_issuer(&issuer, ctx, cert) == 1 ) {
-        r = ssl_ocsp_request(cert, issuer);
-        if (r == OCSP_STATUS_REVOKED) {
+    issuer = X509_STORE_CTX_get0_current_issuer(ctx);
+    if (issuer != NULL) {
+        r = ssl_ocsp_request(cert, issuer, ctx);
+        switch (r) {
+        case OCSP_STATUS_OK:
+            X509_STORE_CTX_set_error(ctx, X509_V_OK);
+            break;
+        case OCSP_STATUS_REVOKED:
             /* we set the error if we know that it is revoked */
             X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
+            break;
+        case OCSP_STATUS_UNKNOWN:
+            /* correct error code for application errors? */
+            // X509_STORE_CTX_set_error(ctx, 
X509_V_ERR_APPLICATION_VERIFICATION);
+            break;
         }
-        else {
-            /* else we return unknown */
-            r = OCSP_STATUS_UNKNOWN;
-        }
-        X509_free(issuer); /* It appears that we  should free issuer since
-                            * X509_STORE_CTX_get1_issuer() calls 
X509_OBJECT_up_ref_count()
-                            * on the issuer object (unline 
X509_STORE_CTX_get_current_cert()
-                            * that just returns the pointer
-                            */
     }
     return r;
 }
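Review bot: The `switch (r)` introduced for the OCSP result has no `default`, and its `OCSP_STATUS_UNKNOWN` arm is a commented-out statement followed by `break`, so for an unknown result (no OCSP URL in the cert, or a fetch failure) this function changes nothing in the ctx itself and the outcome depends entirely on what ssl_ocsp_request() has already stored and on how the caller treats the returned `r`; the start of ssl_verify_OCSP, where `r` and `ok` are initialised, is outside this hunk. I would make that decision explicit instead of leaving dead code: replace the commented-out line with `/* unknown: keep the ctx error ssl_ocsp_request() may have set (e.g. no response); the caller decides from r */` and add `default: break;` so an unexpected value cannot be silently folded into the unknown path. The `OCSP_STATUS_OK` arm unconditionally writes `X509_V_OK` into the ctx; that is fine only if this callback is never reached with an error already pending — presumably guaranteed by the `ok` check at the top of the function, but worth stating in a comment on that arm.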
@@ -1038,7 +1039,7 @@ static int process_ocsp_response(OCSP_RE
     return o;
 }
 
-static int ssl_ocsp_request(X509 *cert, X509 *issuer)
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
 {
     char **ocsp_urls = NULL;
     int nid;
@@ -1061,13 +1062,20 @@ static int ssl_ocsp_request(X509 *cert,
        the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
     if (ocsp_urls != NULL) {
         OCSP_RESPONSE *resp;
+        int rv = OCSP_STATUS_UNKNOWN;
         /* for the time being just check for the fist response .. a better
            approach is to iterate for all the possible ocsp urls */
         resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
+        if (resp != NULL) {
+            rv = process_ocsp_response(resp);
+        } else {
+            /* correct error code for application errors? */
+            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+        }
 
         if (resp != NULL) {
             apr_pool_destroy(p);
-            return process_ocsp_response(resp);
+            return rv;
         }
     }
     apr_pool_destroy(p);
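Review bot: `resp != NULL` is now tested twice in a row, with the second test only serving to destroy the pool and return the `rv` computed in the first; the error-setting `else` branch of the first test falls through to the same `apr_pool_destroy(p)` at the bottom of the function, so the two tests can be merged into one early-return block and the no-response path handled on the straight line below it. The new `ctx` parameter is also undocumented; a one-line comment at the definition (in the previous hunk) such as `/* ctx: verification context; receives X509_V_ERR_APPLICATION_VERIFICATION when no OCSP response could be obtained */` would spare the next reader a trip into the body. Note that with this change a failed OCSP fetch becomes a hard verification error, which is the safer default but is a behavioural change worth a sentence in the log.

```c
        if (resp != NULL) {
            rv = process_ocsp_response(resp);
            apr_pool_destroy(p);
            return rv;
        }
        /* no response from the first responder: treat as an application
           verification failure rather than silently reporting "unknown" */
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
    }
    apr_pool_destroy(p);
```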


