From: Marcel Poul
Date: Wed, 19 Dec 2012 13:53:28 +0000 (+0000)
Subject: no need to keep unused path lengths checks
X-Git-Tag: glite-px-proxyrenewal_R_1_3_29_1~6
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=d0d22c58e08c04dc526bbd62f2540243927d3245;p=jra1mw.git

no need to keep unused path lengths checks
---
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index 71b0452..07505fd 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -4023,39 +4023,6 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
 }
 }
 
-#if 0
- /*
- * Allow path length violations if we have a proxy cert.
- */
- if (errnum == X509_V_ERR_PATH_LENGTH_EXCEEDED)
- {
- //ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- // "Checking to see if we should ignore the path length exceeded error");
- int proxy_path_length = 0, i;
- for (i = 0; i < ctx->last_untrusted; i++)
- {
- int ret;
- X509 *x = sk_X509_value(ctx->chain, i);
- if ((i == errdepth) && (x->ex_pathlen != -1)
- && (i <= (x->ex_pathlen + proxy_path_length)))
- { // Can violate the path length by proxy_path_length.
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "Skip path length violation error.");
- sslconn->verify_error == NULL;
- ok = TRUE;
- errnum = X509_V_ERR_INVALID_CA; // Oddly enough, setting the error to X509_V_OK will cause later errors. This causes an ignore.
- X509_STORE_CTX_set_error(ctx, errnum); break;
- }
- if (X509_check_ca(x) == 0)
- { // Not a CA - maybe a proxy cert?
- // Since gridsite accepts legacy proxies, we don't check
- // if (x->ex_flags & EXFLAG_PROXY) is set.
- proxy_path_length++;
- }
- }
- }
-#endif
-
 /*
 * New style GSI Proxy handling, with critical ProxyCertInfo
 * extension: we use GRSTx509KnownCriticalExts() to check this