From: Marcel Poul
Date: Tue, 20 Nov 2012 13:05:02 +0000 (+0000)
Subject: Maarten Litmaath's patch solving GGUS Ticket-ID: 87573
X-Git-Tag: gridsite-core_R_1_7_25~11
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=dcf21fe8de18d97772fae61e13fe590018774351;p=jra1mw.git

Maarten Litmaath's patch solving GGUS Ticket-ID: 87573
---
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index bd7adfd..441f533 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -3879,6 +3879,37 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
 #endif
 /*
+ * Allow path length violations if we have a proxy cert.
+ */
+ if (errnum == X509_V_ERR_PATH_LENGTH_EXCEEDED)
+ {
+ //ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ // "Checking to see if we should ignore the path length exceeded error");
+ int proxy_path_length = 0, i;
+ for (i = 0; i < ctx->last_untrusted; i++)
+ {
+ int ret;
+ X509 *x = sk_X509_value(ctx->chain, i);
+ if ((i == errdepth) && (x->ex_pathlen != -1)
+ && (i <= (x->ex_pathlen + proxy_path_length)))
+ { // Can violate the path length by proxy_path_length.
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Skip path length violation error.");
+ sslconn->verify_error == NULL;
+ ok = TRUE;
+ errnum = X509_V_ERR_INVALID_CA; // Oddly enough, setting the error to X509_V_OK will cause later errors. This causes an ignore.
+ X509_STORE_CTX_set_error(ctx, errnum); break;
+ }
+ if (X509_check_ca(x) == 0)
+ { // Not a CA - maybe a proxy cert?
+ // Since gridsite accepts legacy proxies, we don't check
+ // if (x->ex_flags & EXFLAG_PROXY) is set.
+ proxy_path_length++;
+ }
+ }
+ }
+
+ /*
 * New style GSI Proxy handling, with critical ProxyCertInfo
 * extension: we use GRSTx509KnownCriticalExts() to check this
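Review bot: `sslconn->verify_error == NULL;` in the skip branch is a comparison, not an assignment, so the statement has no effect and whatever verify_error was recorded earlier is presumably left in place; it should read `sslconn->verify_error = NULL;`. `int ret;` declared in the loop body is never used and should be dropped, and `X509_STORE_CTX_set_error(ctx, errnum); break;` should be split onto two lines. The branch overrides a path-length verdict by substituting `X509_V_ERR_INVALID_CA` and relying on later code to ignore that code, and it counts every non-CA certificate below errdepth (the end-entity cert included, not only proxies) toward the allowance; both dependencies deserve a sentence in the block comment so the later handler and the counting rule are not changed independently. The commented-out ap_log_error call should be removed rather than left as dead code. GRST_callback_SSLVerify_wrapper starts and continues outside this hunk.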