for (j = 0; j < sk_ACCESS_DESCRIPTION_num(values) && !result; j++) {
ACCESS_DESCRIPTION *value = sk_ACCESS_DESCRIPTION_value(values, j);
-
+
/* Name found in extension, and is a URI: */
if (OBJ_obj2nid(value->method) == NID_ad_OCSP
&& value->location->type == GEN_URI) {
(char *)value->location->d.uniformResourceIdentifier->data);
}
}
-
+
AUTHORITY_INFO_ACCESS_free(values);
return result;
/* Return the responder URI object which should be used in the given
* configuration for the given certificate, or NULL if none can be
* determined. */
-static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
+static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
conn_rec *c, apr_pool_t *p)
{
apr_uri_t *u = apr_palloc(p, sizeof *u);
s = sc->server->ocsp_responder;
}
else {
- s = extract_responder_uri(cert, p);
+ s = extract_responder_uri(cert, p);
if (s == NULL && sc->server->ocsp_responder) {
s = sc->server->ocsp_responder;
}
rv = apr_uri_parse(p, s, u);
- if (rv || !u->hostname) {
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c,
+ if (rv || !u->hostname) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c,
"failed to parse OCSP responder URI '%s'", s);
return NULL;
}
if (strcasecmp(u->scheme, "http") != 0) {
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c,
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c,
"cannot handle OCSP responder URI '%s'", s);
return NULL;
}
/* Create an OCSP request for the given certificate; returning the
* certificate ID in *certid and *issuer on success. Returns the
* request object on success, or NULL on error. */
-static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
- OCSP_CERTID **certid,
+static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
+ OCSP_CERTID **certid,
server_rec *s, apr_pool_t *p)
{
OCSP_REQUEST *req = OCSP_REQUEST_new();
"could not retrieve certificate id");
return NULL;
}
-
+
OCSP_request_add1_nonce(req, 0, -1);
-
+
return req;
}
-
+
/* Verify the OCSP status of given certificate. Returns
* V_OCSP_CERTSTATUS_* result code. */
-static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
+static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
SSLSrvConfigRec *sc, server_rec *s,
- apr_pool_t *pool)
+ apr_pool_t *pool)
{
int rc = V_OCSP_CERTSTATUS_GOOD;
OCSP_RESPONSE *response = NULL;
OCSP_REQUEST *request = NULL;
OCSP_CERTID *certID = NULL;
apr_uri_t *ruri;
-
+
ruri = determine_responder_uri(sc, cert, c, pool);
if (!ruri) {
return V_OCSP_CERTSTATUS_UNKNOWN;
if (!request || !response) {
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
-
+
if (rc == V_OCSP_CERTSTATUS_GOOD) {
int r = OCSP_response_status(response);
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
-
+
if (rc == V_OCSP_CERTSTATUS_GOOD) {
basicResponse = OCSP_response_get1_basic(response);
if (!basicResponse) {
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
-
+
if (rc == V_OCSP_CERTSTATUS_GOOD) {
if (OCSP_check_nonce(request, basicResponse) != 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
-
+
if (rc == V_OCSP_CERTSTATUS_GOOD) {
/* TODO: allow flags configuration. */
if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
-
+
if (rc == V_OCSP_CERTSTATUS_GOOD) {
int reason = -1, status;
ASN1_GENERALIZEDTIME *thisup = NULL, *nextup = NULL;
}
{
- int level =
+ int level =
(status == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;
- const char *result =
- status == V_OCSP_CERTSTATUS_GOOD ? "good" :
+ const char *result =
+ status == V_OCSP_CERTSTATUS_GOOD ? "good" :
(status == V_OCSP_CERTSTATUS_REVOKED ? "revoked" : "unknown");
ssl_log_cxerror(SSLLOG_MARK, level, 0, c, cert,
result, status, reason);
}
}
-
+
if (request) OCSP_REQUEST_free(request);
if (response) OCSP_RESPONSE_free(response);
if (basicResponse) OCSP_BASICRESP_free(basicResponse);
return rc;
}
-int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
- server_rec *s, conn_rec *c, apr_pool_t *pool)
+int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
+ server_rec *s, conn_rec *c, apr_pool_t *pool)
{
X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
apr_pool_t *vpool;
apr_pool_create(&vpool, pool);
rv = verify_ocsp_status(cert, ctx, c, sc, s, vpool);
-
+
apr_pool_destroy(vpool);
/* Propagate the verification status back to the passed-in
case V_OCSP_CERTSTATUS_GOOD:
X509_STORE_CTX_set_error(ctx, X509_V_OK);
break;
-
+
case V_OCSP_CERTSTATUS_REVOKED:
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
break;
-
+
case V_OCSP_CERTSTATUS_UNKNOWN:
/* correct error code for application errors? */
X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
}
return rv == V_OCSP_CERTSTATUS_GOOD;
-}
+}
#endif /* HAVE_OCSP */