OCSP off by default, can be switched on by setting CANL_SSL_OCSP_VERIFY_ALL as a...
authorMarcel Poul <marcel.poul@cern.ch>
Sun, 3 Feb 2013 12:13:21 +0000 (12:13 +0000)
committerFrantišek Dvořák <valtri@civ.zcu.cz>
Sun, 3 Feb 2013 19:08:15 +0000 (20:08 +0100)
emi.canl.canl-c/src/canl_cred.c
emi.canl.canl-c/src/canl_ssl.c
emi.canl.canl-c/src/canl_ssl.h
emi.canl.canl-c/src/proxy/sslutils.c
emi.canl.canl-c/src/proxy/sslutils.h

index f101c31..18d0a43 100644 (file)
@@ -9,7 +9,7 @@
 
 static STACK_OF(X509)* my_sk_X509_dup(glb_ctx *cc, STACK_OF(X509) *stack);
 extern int proxy_verify_cert_chain(X509 * ucert, STACK_OF(X509) * cert_chain, proxy_verify_desc * pvd);
-extern proxy_verify_desc *pvd_setup_initializers(char *cadir);
+extern proxy_verify_desc *pvd_setup_initializers(char *cadir, int flags);
 extern void pvd_destroy_initializers(void *data);
 extern canl_error map_verify_result(unsigned long ssl_err,
                 const X509_STORE_CTX *store_ctx, SSL *ssl);
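Review bot: The prototype of pvd_setup_initializers is hand-duplicated as an `extern` here and again in canl_ssl.c (the hunk there that makes the same signature change), with the definition further down in this file; if one copy misses the next signature change, each translation unit still compiles on its own and the call passes a wrong argument list at run time. Declaring it once in a header included by both files would let the compiler catch the drift: `proxy_verify_desc *pvd_setup_initializers(char *cadir, int flags);` in canl_ssl.h or a private header, and no `extern` copies in the .c files.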
@@ -698,7 +698,7 @@ canl_verify_chain(canl_ctx ctx, X509 *ucert, STACK_OF(X509) *cert_chain,
     int ret = 0;
     proxy_verify_desc *pvd = NULL; /* verification context */
 
-    pvd = pvd_setup_initializers(cadir);
+    pvd = pvd_setup_initializers(cadir, 0);
     ret = proxy_verify_cert_chain(ucert, cert_chain, pvd);
     pvd_destroy_initializers(pvd);
     if (ret)
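Review bot: `pvd_setup_initializers(cadir, 0)` hard-codes the flags, so a context that has CANL_SSL_OCSP_VERIFY_ALL set never gets an OCSP check through canl_verify_chain, and the same applies to canl_verify_chain_wo_ossl in the next hunk; only setup_SSL_proxy_handler in canl_ssl.c forwards `m_ctx->flags`. If that is intended, a comment such as `/* 0: OCSP is not applied on this verification path, see CANL_SSL_OCSP_VERIFY_ALL */` would make it explicit; otherwise the flags should come from the ctx argument the way setup_SSL_proxy_handler does (whether the mech context is reachable from canl_ctx in this file is not visible in the hunk). Both functions begin and end outside their hunks.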
@@ -719,7 +719,7 @@ canl_verify_chain_wo_ossl(canl_ctx ctx, char *cadir,
     unsigned long ssl_err = 0;
     canl_error canl_err = 0;
 
-    pvd = pvd_setup_initializers(cadir);
+    pvd = pvd_setup_initializers(cadir, 0);
     X509_STORE_CTX_set_ex_data(store_ctx, PVD_STORE_EX_DATA_IDX, (void *)pvd);
 #ifdef X509_V_FLAG_ALLOW_PROXY_CERTS
     X509_STORE_CTX_set_flags(store_ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
@@ -750,7 +750,7 @@ canl_verify_chain_wo_ossl(canl_ctx ctx, char *cadir,
     return 0;
 }
 
-proxy_verify_desc *pvd_setup_initializers(char *cadir)
+proxy_verify_desc *pvd_setup_initializers(char *cadir, int pvxd_flags)
 {
     proxy_verify_ctx_desc *pvxd = NULL;
     proxy_verify_desc *pvd = NULL;
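Review bot: The new `pvxd_flags` parameter is undocumented, and the definition names it differently from the two `extern` prototypes (`flags`), which makes the call sites harder to grep. Suggest a header comment above the definition, `/* pvxd_flags: canl_ctx_ssl_flags bits OR'ed into pvd->pvxd->flags; CANL_SSL_OCSP_VERIFY_ALL turns on the OCSP check in proxy_verify_callback */`, and the same parameter name in the prototypes. The function body continues past the end of this hunk.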
@@ -782,6 +782,7 @@ proxy_verify_desc *pvd_setup_initializers(char *cadir)
     }
     else
         pvd->pvxd->certdir = strdup(cadir);
+    pvd->pvxd->flags |= pvxd_flags;
     return pvd;
 }
 
index 9221334..dbbe409 100644 (file)
@@ -20,7 +20,7 @@ static canl_error map_proxy_error(int reason);
 
 static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir,
         int leave_pvd);
-extern proxy_verify_desc *pvd_setup_initializers(char *cadir);
+extern proxy_verify_desc *pvd_setup_initializers(char *cadir, int flags);
 extern void pvd_destroy_initializers(void *data);
 
 #ifdef DEBUG
@@ -392,7 +392,7 @@ static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir,
 {
     proxy_verify_desc *new_pvd = NULL;
     mech_glb_ctx *m_ctx = (mech_glb_ctx *)cc->mech_ctx;
-    new_pvd =  pvd_setup_initializers(cadir);
+    new_pvd =  pvd_setup_initializers(cadir, m_ctx->flags);
     if (new_pvd){
         SSL_CTX_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, new_pvd);
         if (!leave_pvd)
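Review bot: `m_ctx->flags` is the only dereference of `m_ctx` visible in this hunk, and `cc->mech_ctx` is cast on the line above without a NULL check; if a caller can reach setup_SSL_proxy_handler before the mech context is attached, this crashes where the old code did not. Whether that is possible is not visible here; a cheap guard is `int flags = m_ctx ? m_ctx->flags : 0;` followed by `new_pvd = pvd_setup_initializers(cadir, flags);`. The function ends outside the hunk.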
index a3bf96b..ad8de11 100644 (file)
@@ -12,6 +12,7 @@ typedef enum canl_ctx_ssl_flags {
     CANL_SSL_ACCEPT_SSLv2       = 0x0001,
     CANL_SSL_DN_OSSL            = 0x0002,
     CANL_SSL_VERIFY_NONE        = 0x0004,
+    CANL_SSL_OCSP_VERIFY_ALL    = 0x0008,
 } canl_ctx_ssl_flags;
 
 canl_err_code CANL_CALLCONV
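Review bot: CANL_SSL_OCSP_VERIFY_ALL is added without a comment, and nothing in the enum says that OCSP is off unless this bit is set or what setting it does. Suggest `CANL_SSL_OCSP_VERIFY_ALL    = 0x0008, /* run an OCSP check on the certificate being verified in proxy_verify_callback; off by default */`.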
index 6b594bd..5ece7f4 100644 (file)
@@ -1500,6 +1500,7 @@ proxy_verify_ctx_init(
     pvxd->magicnum = PVXD_MAGIC_NUMBER; /* used for debuging */
     pvxd->certdir = NULL;
     pvxd->goodtill = 0;
+    pvxd->flags = 0;
 
 }
 /**********************************************************************
@@ -2191,27 +2192,29 @@ proxy_verify_callback(
     /*
        OCSP check
      */
-    if (!ocsp_data)
-        ocsprequest_init(&ocsp_data);
     ret = 0;
-    if (ocsp_data) {
-        if (ctx->current_cert)
-            ocsp_data->cert = ctx->current_cert;
-        if (ctx->current_issuer)
-            ocsp_data->issuer = ctx->current_issuer;
-        if (cert_dir)
-            ocsp_data->store.ca_dir = cert_dir;
-
-        ocsp_data->skew = MAX_VALIDITY_PERIOD;
-        ocsp_data->maxage = -1;
-        if (ctx->chain)
-            ocsp_data->cert_chain = ctx->chain;
-        /*Timeout should be set here 
-          ocsp_data->timeout = -1; */
-        ret = do_ocsp_verify (ocsp_data);
-        /* TODO sign key and cert */
-        ocsprequest_free(ocsp_data);
-        ocsp_data = NULL;
+    if (pvd->pvxd->flags & CANL_SSL_OCSP_VERIFY_ALL){
+        if (!ocsp_data)
+            ocsprequest_init(&ocsp_data);
+        if (ocsp_data) {
+            if (ctx->current_cert)
+                ocsp_data->cert = ctx->current_cert;
+            if (ctx->current_issuer)
+                ocsp_data->issuer = ctx->current_issuer;
+            if (cert_dir)
+                ocsp_data->store.ca_dir = cert_dir;
+
+            ocsp_data->skew = MAX_VALIDITY_PERIOD;
+            ocsp_data->maxage = -1;
+            if (ctx->chain)
+                ocsp_data->cert_chain = ctx->chain;
+            /*Timeout should be set here 
+              ocsp_data->timeout = -1; */
+            ret = do_ocsp_verify (ocsp_data);
+            /* TODO sign key and cert */
+            ocsprequest_free(ocsp_data);
+            ocsp_data = NULL;
+        }
     }
 
     EVP_PKEY_free(key);
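Review bot: With CANL_SSL_OCSP_VERIFY_ALL set, a failed `ocsprequest_init(&ocsp_data)` leaves `ocsp_data` NULL, the inner `if (ocsp_data)` is skipped and `ret` keeps the 0 assigned just before, so a caller that explicitly asked for OCSP gets a verification that passes without the check having run (fail open). Now that the check is opt-in this deserves an explicit failure: an `else` branch on `if (ocsp_data)` with `ret = <error code for OCSP unavailable>;`, or at minimum a logged warning. How `ret` is consumed after `EVP_PKEY_free(key)` is outside the hunk, as is the rest of proxy_verify_callback.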
index 016f237..6499bb8 100644 (file)
@@ -61,6 +61,7 @@ EXTERN_C_BEGIN
 
 //canl headers
 #include "canl_ocsp.h"
+#include "canl_ssl.h"
 
 #if defined(__GNUC__)
 #if (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
@@ -325,6 +326,7 @@ typedef struct proxy_verify_ctx_desc_struct {
     int                                 magicnum ;  
     char *                              certdir; 
     time_t                              goodtill;
+    int                                 flags; //OCSP flags etc.
 } proxy_verify_ctx_desc ;
 
 /* proxy_verify_desc - allows for recursive verifys with delegation */