X509 *issuer = NULL;
int i;
X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
- X509_STORE_CTX inctx;
+ X509_STORE_CTX *inctx;
STACK_OF(X509) *extra_certs = NULL;
#ifdef OPENSSL_NO_SSL_INTERN
for (i = 0; i < sk_X509_num(extra_certs); i++) {
issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+#else
+ X509_up_ref(issuer);
+#endif
return issuer;
}
}
- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
+ inctx = X509_STORE_CTX_new();
+ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
return 0;
- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
issuer = NULL;
- X509_STORE_CTX_cleanup(&inctx);
+ X509_STORE_CTX_cleanup(inctx);
+ X509_STORE_CTX_free(inctx);
return issuer;
-
}
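Review bot: The new `inctx = X509_STORE_CTX_new();` is never checked for NULL before `X509_STORE_CTX_init(inctx, st, NULL, NULL)` dereferences it, and the existing `return 0;` on init failure now leaks the heap-allocated context that the old stack-allocated `X509_STORE_CTX inctx` never had to release. Add `if (!inctx) return NULL;` after the allocation and turn the init-failure branch into `{ X509_STORE_CTX_free(inctx); return NULL; }`. The function's signature is outside the hunk; given `X509 *issuer` and `return issuer;` it presumably returns `X509 *`, so `NULL` rather than `0` also matches the return type.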
int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
if (bio) {
int n;
- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
+ ASN1_INTEGER *pserial;
+ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
+ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
snum[n] = '\0';
BIO_free(bio);
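Review bot: `ASN1_INTEGER *pserial;` is left uninitialized and the result of `OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid)` is discarded, so if that call fails the following `i2a_ASN1_INTEGER(bio, pserial)` reads an indeterminate pointer. Initialise the variable and fold the call into the existing condition: `ASN1_INTEGER *pserial = NULL;` and `if (OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid) && (i2a_ASN1_INTEGER(bio, pserial) != -1) &&` followed by the unchanged `BIO_read` clause. The enclosing ssl_stapling_init_cert starts and ends outside the hunk.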
"stapling_renew_response: responder error");
if (mctx->stapling_fake_trylater) {
*prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
+ *pok = FALSE;
}
else {
goto done;
OCSP_RESPONSE **rsp, BOOL *pok,
certinfo *cinf, apr_pool_t *p)
{
- BOOL ok;
+ BOOL ok = FALSE;
int rv;
AP_DEBUG_ASSERT(*rsp == NULL);
rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf,
conn->pool);
if (rv != 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03236)
"stapling_cb: error checking for cached response "
"after obtaining refresh mutex");
stapling_refresh_mutex_off(s);
return rv;
}
else if (rsp) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03237)
"stapling_cb: don't need to refresh cached response "
"after obtaining refresh mutex");
stapling_refresh_mutex_off(s);
}
else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03238)
"stapling_cb: still must refresh cached response "
"after obtaining refresh mutex");
rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, &ok,
conn->pool);
stapling_refresh_mutex_off(s);
- if (rv == TRUE) {
+ if ((rv == TRUE) && (ok == TRUE) && rsp) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03040)
"stapling_cb: success renewing response");
}
- else {
+ else if (rv == FALSE) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01955)
"stapling_cb: fatal error renewing response");
return SSL_TLSEXT_ERR_ALERT_FATAL;