From 49fc19b21eac29dd3ec75e417e7ffd126b492fb8 Mon Sep 17 00:00:00 2001
From: Andrew McNab <andrew.mcnab@manchester.ac.uk>
Date: Wed, 21 Oct 2009 13:53:45 +0000
Subject: [PATCH] Invalid Purpose change for OpenSSL 0.9.8e

---
 org.gridsite.core/CHANGES            |  9 ++++++++-
 org.gridsite.core/src/mod_gridsite.c | 17 ++++++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES
index 04cdb09..bb102a2 100644
--- a/org.gridsite.core/CHANGES
+++ b/org.gridsite.core/CHANGES
@@ -1,4 +1,11 @@
-* Fri Sep 15 2009 Andrew McNab <Andrew.McNab@cern.ch>
+* Mon Oct 19 2009 Andrew McNab <Andrew.McNab@cern.ch>
+- Discard X509_V_ERR_INVALID_PURPOSE errors in 
+  GRST_callback_SSLVerify_wrapper(), needed by 
+  OpenSSL 0.9.8e
+* Thu Sep 17 2009 Andrew McNab <Andrew.McNab@cern.ch>
+- GRSThttpUrlEncode rather than GRSThttpUrlMildencode
+  in mod_gridsite directory listings.
+* Fri Sep 11 2009 Andrew McNab <Andrew.McNab@cern.ch>
 - Include GRSTgaclUserFree() memory leak fix in 
   mod_gridsite_perm_handler() in mod_gridsite.c
 * Mon Aug 10 2009 Andrew McNab <Andrew.McNab@cern.ch>
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index d5027af..547e6a3 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -725,7 +725,7 @@ int html_dir_list(request_rec *r, mod_gridsite_dir_cfg *conf)
               "<td align=right>%R</td><td align=right>%e&nbsp;%b&nbsp;%y</td>",
                         &mtime_tm);    
 
-               encoded = GRSThttpUrlMildencode(namelist[n]->d_name);
+               encoded = GRSThttpUrlEncode(namelist[n]->d_name);
                escaped = html_escape(r->pool, namelist[n]->d_name);
 
                if (S_ISDIR(statbuf.st_mode))
@@ -3832,6 +3832,21 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
      }
 
    /*
+    * Skip X509_V_ERR_INVALID_PURPOSE at this stage, since we will check 
+    * the full chain using GRSTx509ChainLoadCheck at errdepth=0
+    */
+   if (errnum == X509_V_ERR_INVALID_PURPOSE)
+     {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                    "Skip Invalid Purpose error");
+
+        sslconn->verify_error = NULL;
+        ok = TRUE;
+        errnum = X509_V_OK;
+        X509_STORE_CTX_set_error(ctx, errnum);
+     }
+
+   /*
     * New style GSI Proxy handling, with critical ProxyCertInfo
     * extension: we use GRSTx509KnownCriticalExts() to check this
     */
-- 
1.8.2.3