From: Marcel Poul Date: Fri, 2 Nov 2012 22:24:26 +0000 (+0000) Subject: After certificate chain validation, certs have to be copied into GRST structure as... X-Git-Tag: gridsite-core_R_2_0_2~2 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=ec00122a33e3c3b358995883aa7e7eaf02d7e437;p=jra1mw.git After certificate chain validation, certs have to be copied into GRST structure as they might be used when ACLs are on scene.
---
diff --git a/org.gridsite.core/src/canl_mod_gridsite.c b/org.gridsite.core/src/canl_mod_gridsite.c
index 87f881d..8b8de55 100644
--- a/org.gridsite.core/src/canl_mod_gridsite.c
+++ b/org.gridsite.core/src/canl_mod_gridsite.c
@@ -3445,6 +3445,45 @@ static int mod_gridsite_perm_handler(request_rec *r)
 return retcode;
 }
+int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
+{
+ SSL *ssl = (SSL *) X509_STORE_CTX_get_app_data(ctx);
+ conn_rec *conn = (conn_rec *) SSL_get_app_data(ssl);
+ int errnum = X509_STORE_CTX_get_error(ctx);
+ int errdepth = X509_STORE_CTX_get_error_depth(ctx);
+ int returned_ok;
+ STACK_OF(X509) *certstack;
+ GRSTx509Chain *grst_chain;
+
+ /* Call caNl callback directly */
+ returned_ok = canl_direct_pv_clb(NULL, ctx, ok);
+
+ /* in case ssl_callback_SSLVerify changed it */
+ errnum = X509_STORE_CTX_get_error(ctx);
+
+ if ((errdepth == 0) && (errnum == X509_V_OK))
+ /*
+ * We've now got the last certificate - the identity being used for
+ * this connection. At this point we check the whole chain for valid
+ * CAs or, failing that, GSI-proxy validity using GRSTx509CheckChain.
+ */
+ {
+ certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain(ctx);
+
+ errnum = GRSTx509ChainLoad(&grst_chain, certstack, NULL,
+ "/etc/grid-security/certificates",
+ "/etc/grid-security/vomsdir");
+
+ if (returned_ok)
+ /* Put result of GRSTx509ChainLoadCheck into connection notes */
+ GRST_save_ssl_creds(conn, grst_chain);
+ if (grst_chain)
+ GRSTx509ChainFree(grst_chain);
+ }
+
+ return returned_ok;
+}
+
 void sitecast_handle_NOP_request(server_rec *main_server,
 GRSThtcpMessage *htcp_mesg, int s,
 struct sockaddr *client_addr_ptr,
@@ -3891,7 +3930,8 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool,
 ctx = SSLSrvConfigRec_server(sc)->ssl_ctx;
 /* Use default caNl callbacks to verify certificates*/
-canl_ssl_ctx_set_clb(c_ctx, ctx, ctx->verify_mode, NULL);
+canl_ssl_ctx_set_clb(c_ctx, ctx, ctx->verify_mode,
+ GRST_callback_SSLVerify_wrapper);
 if (main_server->loglevel >= APLOG_DEBUG)
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server,
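Review bot: In GRST_callback_SSLVerify_wrapper, `grst_chain` is declared without an initializer and the value `GRSTx509ChainLoad` stores into `errnum` is never examined, so when the chain load fails the `if (returned_ok)` branch hands whatever `grst_chain` holds to `GRST_save_ssl_creds` and `if (grst_chain)` then reads it — unless GRSTx509ChainLoad is guaranteed to set `*chain` on every path, which is not visible from this hunk. Initialise it, `GRSTx509Chain *grst_chain = NULL;`, and gate the save on a successful load, e.g. `if (returned_ok && (errnum == 0) && grst_chain)`, using whichever success value GRSTx509ChainLoad actually documents. Two comments no longer match the calls they annotate: `/* in case ssl_callback_SSLVerify changed it */` sits above a re-read that follows `canl_direct_pv_clb`, and `/* Put result of GRSTx509ChainLoadCheck into connection notes */` names a function other than the `GRSTx509ChainLoad` that is called; rename both to the real callees. The CA and VOMS directories are hard-coded as `/etc/grid-security/certificates` and `/etc/grid-security/vomsdir`; if the module already carries configured values for these elsewhere in the file, the wrapper should use them, since validating the chain against one trust store in caNl and re-loading it against a different fixed path is an easy way to get inconsistent ACL identities.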
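Review bot: The comment `/* Use default caNl callbacks to verify certificates*/` directly above the changed `canl_ssl_ctx_set_clb` call is now misleading, because the fourth argument is no longer `NULL` but `GRST_callback_SSLVerify_wrapper`; replace it with `/* caNl verification, wrapped so the validated chain is saved on the connection for ACL checks */`. mod_gridsite_server_post_config starts and ends outside the hunk.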