Author: jfclere Date: Mon Jun 4 16:02:26 2018 New Revision: 1832863 URL: http://svn.apache.org/viewvc?rev=1832863&view=rev Log: follow up for r1832832... more mod_ssl arrangements.
Modified: tomcat/native/trunk/native/src/sslutils.c Modified: tomcat/native/trunk/native/src/sslutils.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1832863&r1=1832862&r2=1832863&view=diff ============================================================================== --- tomcat/native/trunk/native/src/sslutils.c (original) +++ tomcat/native/trunk/native/src/sslutils.c Mon Jun 4 16:02:26 2018 @@ -532,7 +532,7 @@ static int ssl_verify_OCSP(int ok, X509_ break; case OCSP_STATUS_UNKNOWN: /* correct error code for application errors? */ - // X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); + X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); break; } } @@ -1010,11 +1010,12 @@ end: /* Process the OCSP_RESPONSE and returns the corresponding answert according to the status. */ -static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp) +static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer) { int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i; OCSP_BASICRESP *bs; OCSP_SINGLERESP *ss; + OCSP_CERTID *certid; r = OCSP_response_status(ocsp_resp); @@ -1024,7 +1025,13 @@ static int process_ocsp_response(OCSP_RE } bs = OCSP_response_get1_basic(ocsp_resp); - ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */ + certid = OCSP_cert_to_id(NULL, cert, issuer); + if (certid == NULL) { + OCSP_RESPONSE_free(ocsp_resp); + return OCSP_STATUS_UNKNOWN; + } + ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial number and get the matching response */ + i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL); if (i == V_OCSP_CERTSTATUS_GOOD) @@ -1035,6 +1042,7 @@ static int process_ocsp_response(OCSP_RE o = OCSP_STATUS_UNKNOWN; /* we clean up */ + OCSP_CERTID_free(certid); OCSP_RESPONSE_free(ocsp_resp); return o; } 
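Review bot: In the OCSP_STATUS_UNKNOWN case of ssl_verify_OCSP, the re-enabled X509_STORE_CTX_set_error call records an error on the store context, but the visible lines then `break` with `ok` untouched, so unless `ok` is cleared elsewhere in this case the callback still returns the caller's verdict and the recorded error is only advisory. If an unknown OCSP status is meant to fail verification, add `ok = 0;` before the `break;`; if it is meant to soft-fail, replace the lingering `/* correct error code for application errors? */` question with a statement of that policy, e.g. `/* unknown status is soft-fail: error recorded, ok left unchanged */`. The rest of ssl_verify_OCSP is outside the hunk.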
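Review bot: The comment above process_ocsp_response does not describe the two new parameters or the fact that the function consumes ocsp_resp (both return paths in this commit call OCSP_RESPONSE_free). Replace it with something like `/* Process ocsp_resp for cert (issued by issuer) and return the OCSP_STATUS_* for that certificate. Takes ownership of ocsp_resp and frees it on every path. */`. The typo `answert` in the existing comment can go at the same time.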
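Review bot: `OCSP_resp_find(bs, certid, -1)` returns -1 when the response carries no single response for certid, `OCSP_resp_get0(bs, -1)` then yields NULL, and `OCSP_single_get0_status` dereferences it on the next line, so a responder that answers for a different certificate (or an empty basic response) crashes the verifier instead of being reported as unknown. `bs` from `OCSP_response_get1_basic` is likewise used without a NULL check and is leaked on the new early return. Look the index up into its own variable (add `int idx;` to the declarations in the hunk above) and bail out to the same cleanup when it is negative, so an absent answer maps to OCSP_STATUS_UNKNOWN rather than being dereferenced. Separately, nothing in this hunk verifies the basic response's signature or the single response's validity window (the thisupd/nextupd outputs of OCSP_single_get0_status are discarded); if OCSP_basic_verify/OCSP_check_validity are not applied elsewhere in the file, a GOOD answer here is unauthenticated.
```c
    bs = OCSP_response_get1_basic(ocsp_resp);
    certid = OCSP_cert_to_id(NULL, cert, issuer);
    if (bs == NULL || certid == NULL) {
        OCSP_CERTID_free(certid);   /* both *_free accept NULL */
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    /* find the single response matching cert's serial; -1 means "not present" */
    idx = OCSP_resp_find(bs, certid, -1);
    ss = idx < 0 ? NULL : OCSP_resp_get0(bs, idx);
    if (ss == NULL) {
        OCSP_CERTID_free(certid);
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    /* … unchanged: OCSP_single_get0_status and status mapping … */
```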
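Review bot: The cleanup block still never releases `bs`: `OCSP_response_get1_basic` hands back an owned OCSP_BASICRESP (the `get1` suffix), so every call of process_ocsp_response leaks it; add `OCSP_BASICRESP_free(bs);` next to the new `OCSP_CERTID_free(certid);`. The early return added in the previous hunk of this function has the same omission.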
@@ -1067,7 +1075,7 @@ static int ssl_ocsp_request(X509 *cert,
 approach is to iterate for all the possible ocsp urls */
 resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
 if (resp != NULL) {
- rv = process_ocsp_response(resp);
+ rv = process_ocsp_response(resp, cert, issuer);
 } else {
 /* correct error code for application errors? */
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
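Review bot: The call site gives no hint that process_ocsp_response consumes `resp` (both of its return paths in this commit call OCSP_RESPONSE_free), so a later reader could add a free after this `if` and double-free it; mark the transfer on the call, `rv = process_ocsp_response(resp, cert, issuer); /* consumes resp */`. ssl_ocsp_request starts and ends outside the hunk.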