From 142324cf8f7dd2e71128d8ce87b9d03aeb26392d Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Fri, 26 Oct 2012 16:59:07 +0000
Subject: [PATCH] Do not use GRST_callback_SSLVerify_wrapper to call canl verify callback directly. When verif. chain, do not store errors into conn_rec structure.
---
 org.gridsite.core/src/canl_mod_gridsite.c | 42 +------------------------------
 1 file changed, 1 insertion(+), 41 deletions(-)
diff --git a/org.gridsite.core/src/canl_mod_gridsite.c b/org.gridsite.core/src/canl_mod_gridsite.c
index 8b8de55..e864117 100644
--- a/org.gridsite.core/src/canl_mod_gridsite.c
+++ b/org.gridsite.core/src/canl_mod_gridsite.c
@@ -3445,45 +3445,6 @@ static int mod_gridsite_perm_handler(request_rec *r)
 return retcode;
 }
 
-int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
-{
- SSL *ssl = (SSL *) X509_STORE_CTX_get_app_data(ctx);
- conn_rec *conn = (conn_rec *) SSL_get_app_data(ssl);
- int errnum = X509_STORE_CTX_get_error(ctx);
- int errdepth = X509_STORE_CTX_get_error_depth(ctx);
- int returned_ok;
- STACK_OF(X509) *certstack;
- GRSTx509Chain *grst_chain;
-
- /* Call caNl callback directly */
- returned_ok = canl_direct_pv_clb(NULL, ctx, ok);
-
- /* in case ssl_callback_SSLVerify changed it */
- errnum = X509_STORE_CTX_get_error(ctx);
-
- if ((errdepth == 0) && (errnum == X509_V_OK))
- /*
- * We've now got the last certificate - the identity being used for
- * this connection. At this point we check the whole chain for valid
- * CAs or, failing that, GSI-proxy validity using GRSTx509CheckChain.
- */
- {
- certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain(ctx);
-
- errnum = GRSTx509ChainLoad(&grst_chain, certstack, NULL,
- "/etc/grid-security/certificates",
- "/etc/grid-security/vomsdir");
-
- if (returned_ok)
- /* Put result of GRSTx509ChainLoadCheck into connection notes */
- GRST_save_ssl_creds(conn, grst_chain);
- if (grst_chain)
- GRSTx509ChainFree(grst_chain);
- }
-
- return returned_ok;
-}
-
 void sitecast_handle_NOP_request(server_rec *main_server,
 GRSThtcpMessage *htcp_mesg,
 int s, struct sockaddr *client_addr_ptr,
@@ -3930,8 +3891,7 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool,
 ctx = SSLSrvConfigRec_server(sc)->ssl_ctx;
 
 /* Use default caNl callbacks to verify certificates*/
- canl_ssl_ctx_set_clb(c_ctx, ctx, ctx->verify_mode,
- GRST_callback_SSLVerify_wrapper);
+ canl_ssl_ctx_set_clb(c_ctx, ctx, ctx->verify_mode);
 
 if (main_server->loglevel >= APLOG_DEBUG)
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server,
-- 
1.8.2.3
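Review bot: The return value of the new `canl_ssl_ctx_set_clb(c_ctx, ctx, ctx->verify_mode);` call in the second hunk is discarded, so if caNl fails to install its verification callback the SSL_CTX keeps whatever verify callback it already had and post_config carries on as though the caNl callbacks were active. If the function reports failure through its return value (its prototype is not in this diff), check it and log before continuing: `if (canl_ssl_ctx_set_clb(c_ctx, ctx, ctx->verify_mode)) ap_log_error(APLOG_MARK, APLOG_ERR, 0, main_server, "canl_ssl_ctx_set_clb failed");`. Removing the wrapper in the first hunk also drops the GRSTx509ChainLoad/GRST_save_ssl_creds step that exported the verified chain into the connection notes; unless that export now happens on another path not visible here, a comment beside the call naming where per-connection credentials are now produced would stop the next reader from assuming they are simply lost. mod_gridsite_server_post_config starts and ends outside the hunk.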