tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject cvs commit: jakarta-tomcat-connectors/jni/native/src sslutils.c
Date Sat, 11 Jun 2005 18:24:17 GMT
mturk       2005/06/11 11:24:17

  Modified:    jni/native/src sslutils.c
  Log:
  Temporary enable verification if client CA was not found.
  
  Revision  Changes    Path
  1.25      +16 -19    jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- sslutils.c	11 Jun 2005 07:02:15 -0000	1.24
  +++ sslutils.c	11 Jun 2005 18:24:17 -0000	1.25
  @@ -464,7 +464,7 @@
       return n;
   }
   
  -static int SSL_X509_STORE_lookup(X509_STORE *store, int yype,
  +static int ssl_X509_STORE_lookup(X509_STORE *store, int yype,
                                    X509_NAME *name, X509_OBJECT *obj)
   {
       X509_STORE_CTX ctx;
  @@ -476,7 +476,7 @@
       return rc;
   }
   
  -int SSL_callback_SSL_verify_CRL(int ok, X509_STORE_CTX *ctx, tcn_ssl_conn_t *con)
  +static int ssl_verify_CRL(int ok, X509_STORE_CTX *ctx, tcn_ssl_conn_t *con)
   {
       X509_OBJECT obj;
       X509_NAME *subject, *issuer;
  @@ -486,14 +486,6 @@
       int i, n, rc;
   
       /*
  -     * Unless a revocation store for CRLs was created we
  -     * cannot do any CRL-based verification, of course.
  -     */
  -    if (!con->ctx->crl) {
  -        return ok;
  -    }
  -
  -    /*
        * Determine certificate ingredients in advance
        */
       cert    = X509_STORE_CTX_get_current_cert(ctx);
  @@ -536,7 +528,7 @@
        * the current certificate in order to verify it's integrity.
        */
       memset((char *)&obj, 0, sizeof(obj));
  -    rc = SSL_X509_STORE_lookup(con->ctx->crl,
  +    rc = ssl_X509_STORE_lookup(con->ctx->crl,
                                  X509_LU_CRL, subject, &obj);
       crl = obj.data.crl;
   
  @@ -590,7 +582,7 @@
        * the current certificate in order to check for revocation.
        */
       memset((char *)&obj, 0, sizeof(obj));
  -    rc = SSL_X509_STORE_lookup(con->ctx->crl,
  +    rc = ssl_X509_STORE_lookup(con->ctx->crl,
                                  X509_LU_CRL, issuer, &obj);
   
       crl = obj.data.crl;
  @@ -641,15 +633,17 @@
           return 1;
   
       if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
  -        (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
  -        ok = TRUE;
  -
  +        (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
  +        ok = 1;
  +        SSL_set_verify_result(ssl, X509_V_OK);
  +    }
       /*
        * Additionally perform CRL-based revocation checks
        */
  -    if (ok) {
  -        if (!(ok = SSL_callback_SSL_verify_CRL(ok, ctx, con))) {
  +    if (ok && con->ctx->crl) {
  +        if (!(ok = ssl_verify_CRL(ok, ctx, con))) {
               errnum = X509_STORE_CTX_get_error(ctx);
  +            /* TODO: Log something */
           }
       }
       /*
  @@ -670,7 +664,10 @@
            */
           ok = 0;
       }
  -
  +#if 1
  +    else if (!ok)
  +        ok = 1;
  +#endif
       return ok;
   }
   
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message