From b1236fb5520047fe7a27e3c4538cbee2596335e0 Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Tue, 16 Oct 2012 14:12:21 +0000
Subject: [PATCH] Add canl_direct_pv_clb() to API; to be used in gridsite callback wrapper;

---
 emi.canl.canl-c/src/canl_ssl.c | 23 +++++++++++++++++++++--
 emi.canl.canl-c/src/canl_ssl.h | 25 +++++++++++++++++++++++--
 2 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c
index 0067b97..6b1a5ce 100644
--- a/emi.canl.canl-c/src/canl_ssl.c
+++ b/emi.canl.canl-c/src/canl_ssl.c
@@ -1163,9 +1163,14 @@ canl_ctx_set_ca_fn(canl_ctx cc, const char *fn)
 }
 canl_err_code CANL_CALLCONV
-canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode)
+canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode,
+ int (*verify_callback)(int, X509_STORE_CTX *))
 {
 glb_ctx *glb_cc = (glb_ctx*) cc;
+ int (*vc)(int, X509_STORE_CTX *) = NULL;
+
+ vc = (verify_callback) ? verify_callback : proxy_verify_callback;
+
 if (!cc) return EINVAL;
 if (!ssl_ctx)
@@ -1176,11 +1181,25 @@ canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode)
 setup_SSL_proxy_handler(ssl_ctx, m_ctx->ca_dir);
 SSL_CTX_set_cert_verify_callback(ssl_ctx, proxy_app_verify_callback, NULL);
- SSL_CTX_set_verify(ssl_ctx, ver_mode, proxy_verify_callback);
+ SSL_CTX_set_verify(ssl_ctx, ver_mode, vc);
 return 0;
 }
+ int CANL_CALLCONV
+canl_direct_pv_clb(canl_ctx cc, X509_STORE_CTX *store_ctx, int ok)
+ {
+ glb_ctx *glb_cc = (glb_ctx*) cc;
+ if (!store_ctx){
+ if (glb_cc)
+ set_error(glb_cc, EINVAL, POSIX_ERROR, "X509_STORE_CTX not"
+ " initialized");
+ return 0;
+ }
+
+ return proxy_verify_callback(ok, store_ctx);
+ }
+
 static canl_err_code ssl_get_peer(glb_ctx *cc, io_handler *io, void *auth_ctx, canl_principal *peer)
 {
diff --git a/emi.canl.canl-c/src/canl_ssl.h b/emi.canl.canl-c/src/canl_ssl.h
index 7a317ca..716171e 100644
--- a/emi.canl.canl-c/src/canl_ssl.h
+++ b/emi.canl.canl-c/src/canl_ssl.h
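Review bot: Adding a fourth parameter to the exported canl_ssl_ctx_set_clb() changes its signature in place, so a binary built against the old three-argument prototype and not recompiled calls it with an arbitrary value in the `verify_callback` slot, and because any non-NULL value is handed straight to `SSL_CTX_set_verify()` that value becomes the verification callback OpenSSL invokes on every handshake. If libcanl is shipped as a shared library with a stable ABI, keep the old entry point as a wrapper — rename the new function (e.g. `canl_ssl_ctx_set_clb_ex`) and have the three-argument `canl_ssl_ctx_set_clb()` forward `NULL` — or bump the soname. Independently, a non-NULL `verify_callback` replaces proxy_verify_callback rather than chaining it, so caNl's proxy checks run only if that callback remembers to call canl_direct_pv_clb(); a comment on the `vc = ...` line should say so: `/* A caller-supplied callback REPLACES proxy_verify_callback; it must call canl_direct_pv_clb() itself or the proxy checks are skipped. */`. The body of canl_ssl_ctx_set_clb continues past the end of this hunk.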
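Review bot: canl_direct_pv_clb() returns `proxy_verify_callback()`'s value unchanged, and since that function is the one installed with SSL_CTX_set_verify() its result follows OpenSSL's verify-callback convention (nonzero = accept, 0 = reject); the NULL-store_ctx path also returns 0, so 0 is the failure value here. The header comment added in this same patch states the opposite ("0 verification OK, 1 verification failed"), and a gridsite wrapper written to that text would invert the result and accept certificates the proxy check rejected; put the real contract on the definition too: `/* Returns proxy_verify_callback()'s result: nonzero = accept, 0 = reject (0 also when store_ctx is NULL). */`. The definition also carries stray leading whitespace on the `int CANL_CALLCONV`, `{` and `}` lines, unlike the neighbouring functions in this file, which start them at column 0. When cc is NULL the `set_error()` call is skipped and the caller gets a bare 0 with no diagnostic, which is presumably acceptable given the header allows NULL there, but worth a one-line comment.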
@@ -40,9 +40,30 @@ canl_err_code CANL_CALLCONV
 canl_ctx_set_pkcs11_init_args(canl_ctx, const char *);
 /* Set canl cert verification callbacks into SSL_CTX.
- Do not use SSL_CTX stored in canl_ctx */
+ Do not use SSL_CTX stored in canl_ctx.
+
+ Special case: if verify_callback is not NULL, then caNl will be ready
+ to use its callback,but it must be called separately by canl_direct_pv_clb()
+ (e.g. in verify_callback)-try to avoid this, unless you
+ know what you are doing.
+*/
 canl_err_code CANL_CALLCONV
-canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode);
+canl_ssl_ctx_set_clb(canl_ctx cc, SSL_CTX *ssl_ctx, int ver_mode,
+ int (*verify_callback)(int, X509_STORE_CTX *));
+
+/* Call caNl proxy certificate verification callback directly. Use it only
+ when you really know what you are doing. canl_ssl_ctx_set_clb() should be
+ called before. (X509_STORE_CTX param of this function must correspond to
+ SSL_CTX of canl_ssl_ctx_set_clb())
+
+ Return - 0 varification OK, 1 verification failed
+
+ Note: This is one of the funcions that accept NULL as canl_ctx
+ parameter, since it is intended to be called inside
+ other callback funcion.
+*/
+int CANL_CALLCONV
+canl_direct_pv_clb(canl_ctx cc, X509_STORE_CTX *store_ctx, int ok);
 #ifdef __cplusplus
 }
-- 
1.8.2.3
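Review bot: The line `Return - 0 varification OK, 1 verification failed` documents the inverse of what canl_direct_pv_clb() does: the definition in canl_ssl.c returns proxy_verify_callback()'s value, which is an OpenSSL verify-callback result (nonzero = accept, 0 = reject), and returns 0 itself when store_ctx is NULL. A wrapper written to this text would treat rejections as success, so change it to `Return - nonzero verification OK, 0 verification failed (also 0 when store_ctx is NULL)`. The same block has typos (`varification`, `funcions`, `funcion`, `callback,but`, `)-try`), and the canl_ssl_ctx_set_clb() comment should state plainly that a non-NULL verify_callback replaces caNl's proxy verification rather than adding to it, e.g. `A non-NULL verify_callback REPLACES caNl's proxy check; it must call canl_direct_pv_clb() itself, otherwise proxy certificates are not verified.`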