Re: svn commit: r1832863 - /tomcat/native/trunk/native/src/sslutils.c

2018-06-05 Thread jean-frederic clere
On 04/06/18 18:02, jfcl...@apache.org wrote:
> +++ tomcat/native/trunk/native/src/sslutils.c Mon Jun  4 16:02:26 2018
> @@ -532,7 +532,7 @@ static int ssl_verify_OCSP(int ok, X509_
>  break;
>  case OCSP_STATUS_UNKNOWN:
>  /* correct error code for application errors? */
> -// X509_STORE_CTX_set_error(ctx, 
> X509_V_ERR_APPLICATION_VERIFICATION);
> +X509_STORE_CTX_set_error(ctx, 
> X509_V_ERR_APPLICATION_VERIFICATION);
>  break;
>  }
>  }

Oops, that is bad; I need to review it again...

Cheers

Jean-Frederic




svn commit: r1832863 - /tomcat/native/trunk/native/src/sslutils.c

2018-06-04 Thread jfclere
Author: jfclere
Date: Mon Jun  4 16:02:26 2018
New Revision: 1832863

URL: http://svn.apache.org/viewvc?rev=1832863&view=rev
Log:
follow up for r1832832... more mod_ssl arrangements.

Modified:
tomcat/native/trunk/native/src/sslutils.c

Modified: tomcat/native/trunk/native/src/sslutils.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1832863&r1=1832862&r2=1832863&view=diff
==
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Mon Jun  4 16:02:26 2018
@@ -532,7 +532,7 @@ static int ssl_verify_OCSP(int ok, X509_
 break;
 case OCSP_STATUS_UNKNOWN:
 /* correct error code for application errors? */
-// X509_STORE_CTX_set_error(ctx, 
X509_V_ERR_APPLICATION_VERIFICATION);
+X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
 break;
 }
 }
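Review bot: The `/* correct error code for application errors? */` comment directly above the now-live `X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);` still reads as an open question, so a reader cannot tell whether failing verification on `OCSP_STATUS_UNKNOWN` is the intended policy. Since `process_ocsp_response` in this same commit returns `OCSP_STATUS_UNKNOWN` both when the cert id cannot be built and when the single status is neither good nor revoked, every one of those paths now hard-fails the handshake, i.e. the verifier fails closed. If that is intended, replace the question with a statement such as `/* Unknown OCSP status (no matching entry, lookup failure): fail closed. */`; if it is not, the call should remain disabled rather than ship with a question mark over it. ssl_verify_OCSP begins and ends outside the hunk, so whether `ok` is also cleared on this path is not visible here.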
@@ -1010,11 +1010,12 @@ end:
 /* Process the OCSP_RESPONSE and returns the corresponding
answert according to the status.
 */
-static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
+static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 
*issuer)
 {
 int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
 OCSP_BASICRESP *bs;
 OCSP_SINGLERESP *ss;
+OCSP_CERTID *certid;
 
 r = OCSP_response_status(ocsp_resp);
 
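Review bot: The header comment above the changed signature still says only `Process the OCSP_RESPONSE and returns the corresponding answert according to the status` and documents neither the two new `cert`/`issuer` parameters nor the fact that the function consumes `ocsp_resp` (it is freed on both return paths visible in the following hunks). Suggest replacing it with a comment along the lines of `/* Look up the single response for (cert, issuer) inside ocsp_resp and map its status to an OCSP_STATUS_* value. Takes ownership of ocsp_resp and frees it before returning; cert and issuer are only read. */`. The function body continues past this hunk.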
@@ -1024,7 +1025,13 @@ static int process_ocsp_response(OCSP_RE
 }
 bs = OCSP_response_get1_basic(ocsp_resp);
 
-ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */
+certid = OCSP_cert_to_id(NULL, cert, issuer);
+if (certid == NULL) {
+OCSP_RESPONSE_free(ocsp_resp);
+return OCSP_STATUS_UNKNOWN;
+}
+ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial 
number and get the matching response */
+
 
 i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
 if (i == V_OCSP_CERTSTATUS_GOOD)
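Review bot: The index returned by `OCSP_resp_find()` on the new `ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1));` line is never checked, so a response that carries no entry for this certificate id yields -1 and a NULL `ss`, which then goes straight into `OCSP_single_get0_status()`; whether that dereferences or returns an error is left to the OpenSSL build rather than decided here, and a response that does not cover our certificate should be an explicit `OCSP_STATUS_UNKNOWN`. The new early return on `certid == NULL` also drops `bs` from `OCSP_response_get1_basic()` without freeing it, and `bs` itself is never checked for NULL before use. Separately, nothing in the visible hunks calls `OCSP_basic_verify()` on the response before its status is trusted; if that happens inside `get_ocsp_response` ignore this, otherwise an on-path attacker can supply an unsigned "good" answer for a revoked certificate. The rewrite below needs an `int idx` declared alongside the other locals, and the function continues past the hunk.
```c
    bs = OCSP_response_get1_basic(ocsp_resp);
    if (bs == NULL) {
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }

    certid = OCSP_cert_to_id(NULL, cert, issuer);
    if (certid == NULL) {
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    /* A responder may answer with several single responses, or with none
     * for our cert id; only a positive match is trusted. */
    idx = OCSP_resp_find(bs, certid, -1);
    ss = (idx < 0) ? NULL : OCSP_resp_get0(bs, idx);
    if (ss == NULL) {
        OCSP_CERTID_free(certid);
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    /* … unchanged: OCSP_single_get0_status() and status mapping … */
```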
@@ -1035,6 +1042,7 @@ static int process_ocsp_response(OCSP_RE
 o = OCSP_STATUS_UNKNOWN;
 
 /* we clean up */
+OCSP_CERTID_free(certid);
 OCSP_RESPONSE_free(ocsp_resp);
 return o;
 }
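Review bot: The cleanup block frees `certid` and `ocsp_resp` but not `bs`, which `OCSP_response_get1_basic()` (called earlier in this function) returns with its own reference per OpenSSL's `get1` naming convention, so each processed response appears to leak an OCSP_BASICRESP unless it is released on lines not shown between the hunks. Add `OCSP_BASICRESP_free(bs);` next to the new `OCSP_CERTID_free(certid);` so the three objects are released together. The start of process_ocsp_response lies in the earlier hunks, so the lines between them are not visible here.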
@@ -1067,7 +1075,7 @@ static int ssl_ocsp_request(X509 *cert,
approach is to iterate for all the possible ocsp urls */
 resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
 if (resp != NULL) {
-rv = process_ocsp_response(resp);
+rv = process_ocsp_response(resp, cert, issuer);
 } else {
 /* correct error code for application errors? */
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);


