|
@@ -5946,6 +5946,10 @@ int cb_test(int a, X509_STORE_CTX *ctx)
|
|
|
return 1;
|
|
|
}
|
|
|
|
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
+#define X509_STORE_CTX_get0_cert(o) ((o)->cert)
|
|
|
+#endif
|
|
|
+
|
|
|
// Verify client SSL certificate during TLS handshake.
|
|
|
//
|
|
|
// (actually, only save the certificate for later authentication in Protocol.c)
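Review bot: The fallback under `#if OPENSSL_VERSION_NUMBER < 0x10100000L` carries no comment and only covers OpenSSL itself. LibreSSL reports `OPENSSL_VERSION_NUMBER` as `0x20000000L`, so the macro is never defined there, and a LibreSSL release that lacks `X509_STORE_CTX_get0_cert` would fail to build; whether the project targets such releases is not visible here. I would add a comment above the guard, for example `/* OpenSSL < 1.1.0 has no X509_STORE_CTX_get0_cert(); read the leaf certificate field directly. Not defined for LibreSSL. */`.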
|
|
@@ -5953,27 +5957,27 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
|
|
|
{
|
|
|
SSL *ssl;
|
|
|
struct SslClientCertInfo *clientcert;
|
|
|
+ X509 *cert;
|
|
|
|
|
|
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
|
|
clientcert = SSL_get_ex_data(ssl, GetSslClientCertIndex());
|
|
|
|
|
|
if (clientcert != NULL)
|
|
|
{
|
|
|
- clientcert->PreverifyErr = 0;
|
|
|
+ clientcert->PreverifyErr = X509_STORE_CTX_get_error(ctx);
|
|
|
clientcert->PreverifyErrMessage[0] = '\0';
|
|
|
if (!preverify_ok)
|
|
|
{
|
|
|
- char *msg;
|
|
|
- clientcert->PreverifyErr = X509_STORE_CTX_get_error(ctx);
|
|
|
- msg = (char *)X509_verify_cert_error_string(clientcert->PreverifyErr);
|
|
|
- StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, msg);
|
|
|
+ const char *msg = X509_verify_cert_error_string(clientcert->PreverifyErr);
|
|
|
+ StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
|
|
|
Debug("SslCertVerifyCallback preverify error: '%s'\n", msg);
|
|
|
}
|
|
|
else
|
|
|
{
|
|
|
- if (ctx->cert != NULL)
|
|
|
+ cert = X509_STORE_CTX_get0_cert(ctx);
|
|
|
+ if (cert != NULL)
|
|
|
{
|
|
|
- X *tmpX = X509ToX(ctx->cert); // this only wraps ctx->cert, but we need to make a copy
|
|
|
+ X *tmpX = X509ToX(cert); // this only wraps cert, but we need to make a copy
|
|
|
X *copyX = CloneX(tmpX);
|
|
|
tmpX->do_not_free = true; // do not release inner X509 object
|
|
|
FreeX(tmpX);
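Review bot: `PreverifyErr` is now read from `X509_STORE_CTX_get_error(ctx)` on every invocation, while `PreverifyErrMessage` is still filled only under `if (!preverify_ok)`, so the stored code and message can disagree. OpenSSL invokes the verify callback once per chain certificate; if this callback returns 1 on errors (as the header comment suggests) and the context keeps the earlier error code, which appears to depend on the OpenSSL version and is worth confirming, a later `preverify_ok == 1` call leaves a non-zero `PreverifyErr` with an empty message and still takes the `else` branch that copies the certificate. Because the actual authentication decision is deferred to Protocol.c, that code has to reject on any `PreverifyErr != X509_V_OK` regardless of the message. Branching here on `if (clientcert->PreverifyErr != X509_V_OK)` instead of `if (!preverify_ok)` would keep the two fields consistent. The function body continues past the end of this hunk, so what happens to `copyX` is not visible.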
|