return retcode;
}
-#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
-/*
- Include this here until libgridsite functions can be used
-*/
-int GRST_ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
-{
- server_rec *s = c->base_server;
- SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
- SSLConnRec *sslconn = (SSLConnRec *) ap_get_module_config(c->conn_config, &ssl_module);
- modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc);
- X509_OBJECT obj;
- X509_NAME *subject, *issuer;
- X509 *cert;
- X509_CRL *crl;
- EVP_PKEY *pubkey;
- int i, n, rc;
-
- /*
- * Unless a revocation store for CRLs was created we
- * cannot do any CRL-based verification, of course.
- */
- if (!mctx->crl) {
- return ok;
- }
-
- /*
- * Determine certificate ingredients in advance
- */
- cert = X509_STORE_CTX_get_current_cert(ctx);
- subject = X509_get_subject_name(cert);
- issuer = X509_get_issuer_name(cert);
-
- /*
- * OpenSSL provides the general mechanism to deal with CRLs but does not
- * use them automatically when verifying certificates, so we do it
- * explicitly here. We will check the CRL for the currently checked
- * certificate, if there is such a CRL in the store.
- *
- * We come through this procedure for each certificate in the certificate
- * chain, starting with the root-CA's certificate. At each step we've to
- * both verify the signature on the CRL (to make sure it's a valid CRL)
- * and it's revocation list (to make sure the current certificate isn't
- * revoked). But because to check the signature on the CRL we need the
- * public key of the issuing CA certificate (which was already processed
- * one round before), we've a little problem. But we can both solve it and
- * at the same time optimize the processing by using the following
- * verification scheme (idea and code snippets borrowed from the GLOBUS
- * project):
- *
- * 1. We'll check the signature of a CRL in each step when we find a CRL
- * through the _subject_ name of the current certificate. This CRL
- * itself will be needed the first time in the next round, of course.
- * But we do the signature processing one round before this where the
- * public key of the CA is available.
- *
- * 2. We'll check the revocation list of a CRL in each step when
- * we find a CRL through the _issuer_ name of the current certificate.
- * This CRLs signature was then already verified one round before.
- *
- * This verification scheme allows a CA to revoke its own certificate as
- * well, of course.
- */
-
- /*
- * Try to retrieve a CRL corresponding to the _subject_ of
- * the current certificate in order to verify it's integrity.
- */
- memset((char *)&obj, 0, sizeof(obj));
- {
- X509_STORE_CTX pStoreCtx;
- X509_STORE_CTX_init(&pStoreCtx, mctx->crl, NULL, NULL);
- rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, subject, &obj);
- X509_STORE_CTX_cleanup(&pStoreCtx);
- }
-
- crl = obj.data.crl;
-
- if ((rc > 0) && crl) {
- /*
- * Log information about CRL
- * (A little bit complicated because of ASN.1 and BIOs...)
- */
- if (s->loglevel >= APLOG_DEBUG) {
- char buff[512]; /* should be plenty */
- BIO *bio = BIO_new(BIO_s_mem());
-
- BIO_printf(bio, "CA CRL: Issuer: ");
- X509_NAME_print(bio, issuer, 0);
-
- BIO_printf(bio, ", lastUpdate: ");
- ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl));
-
- BIO_printf(bio, ", nextUpdate: ");
- ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
-
- n = BIO_read(bio, buff, sizeof(buff) - 1);
- buff[n] = '\0';
-
- BIO_free(bio);
-
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff);
- }
-
- /*
- * Verify the signature on this CRL
- */
- pubkey = X509_get_pubkey(cert);
- rc = X509_CRL_verify(crl, pubkey);
-#ifdef OPENSSL_VERSION_NUMBER
- /* Only refcounted in OpenSSL */
- if (pubkey)
- EVP_PKEY_free(pubkey);
-#endif
- if (rc <= 0) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "Invalid signature on CRL");
-
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
- X509_OBJECT_free_contents(&obj);
- return FALSE;
- }
-
- /*
- * Check date of CRL to make sure it's not expired
- */
- i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
-
- if (i == 0) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "Found CRL has invalid nextUpdate field");
-
- X509_STORE_CTX_set_error(ctx,
- X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
- X509_OBJECT_free_contents(&obj);
-
- return FALSE;
- }
-
- if (i < 0) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "Found CRL is expired - "
- "revoking all certificates until you get updated CRL");
-
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
- X509_OBJECT_free_contents(&obj);
-
- return FALSE;
- }
-
- X509_OBJECT_free_contents(&obj);
- }
-
- /*
- * Try to retrieve a CRL corresponding to the _issuer_ of
- * the current certificate in order to check for revocation.
- */
- memset((char *)&obj, 0, sizeof(obj));
- {
- X509_STORE_CTX pStoreCtx;
- X509_STORE_CTX_init(&pStoreCtx, mctx->crl, NULL, NULL);
- rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, issuer, &obj);
- X509_STORE_CTX_cleanup(&pStoreCtx);
- }
-
- crl = obj.data.crl;
- if ((rc > 0) && crl) {
- /*
- * Check if the current certificate is revoked by this CRL
- */
- n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
-
- for (i = 0; i < n; i++) {
- X509_REVOKED *revoked =
- sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
-
-// ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
- ASN1_INTEGER *sn = revoked->serialNumber;
-
- if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
- if (s->loglevel >= APLOG_DEBUG) {
- char *cp = X509_NAME_oneline(issuer, NULL, 0);
- char *serial = i2s_ASN1_INTEGER(NULL,sn);
-
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate with serial %s "
- "revoked per CRL from issuer %s",
- serial, cp);
- OPENSSL_free(cp);
- free(serial);
- }
-
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
- X509_OBJECT_free_contents(&obj);
-
- return FALSE;
- }
- }
-
- X509_OBJECT_free_contents(&obj);
- }
-
- return ok;
-}
-#endif
-
int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
{
SSL *ssl = (SSL *) X509_STORE_CTX_get_app_data(ctx);
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc);
- int verify, depth;
+ int verify;
#endif
STACK_OF(X509) *certstack;
GRSTx509Chain *grst_chain;
git://scientific.zcu.cz / jra1mw.git / commitdiff