source: mod_gnutls/src/gnutls_ocsp.c @ 94cb972

Last change on this file since 94cb972 was 94cb972, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Minimal OCSP stapling implementation using externally provided response

Works if the configured file contains a valid and current OCSP
response. Note that the module does not yet check those conditions,
the file is just read and forwarded to GnuTLS.

1/**
2 *  Copyright 2016 Thomas Klute
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 */
16
#include "gnutls_ocsp.h"

#include "mod_gnutls.h"
#include "apr_lib.h"
#include "apr_strings.h"
21
/* Tag this file's log messages as belonging to the gnutls module
 * (presumably so httpd's per-module LogLevel applies to them). Guarded
 * because not every httpd version defines the macro. */
#ifdef APLOG_USE_MODULE
APLOG_USE_MODULE(gnutls);
#endif
25
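/**
 * Directive handler: store the path of the file holding the OCSP
 * response to staple. The path is resolved relative to the server
 * root with ap_server_root_relative() and stored in the per-server
 * configuration; the file itself is not opened or validated here.
 *
 * @param parms directive context: parms->server selects the server
 *              config, parms->pool owns the resolved path
 * @param dummy per-directory config, unused
 * @param arg the path as written in the configuration file
 * @return NULL on success, or an error string (allocated from
 *         parms->pool) if the path cannot be resolved, which makes
 *         httpd reject the configuration
 */
const char *mgs_store_ocsp_response_path(cmd_parms *parms,
                                         void *dummy __attribute__((unused)),
                                         const char *arg)
{
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(parms->server->module_config, &gnutls_module);

    /* ap_server_root_relative() returns NULL for a path it cannot
     * resolve. Fail the directive now rather than storing NULL, which
     * would otherwise only surface when a handshake tries to load the
     * file. */
    const char *path = ap_server_root_relative(parms->pool, arg);
    if (path == NULL)
    {
        return apr_pstrcat(parms->pool, parms->cmd->name,
                           ": invalid file path '", arg, "'", NULL);
    }

    sc->ocsp_response_file = path;
    return NULL;
}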
36
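/**
 * GnuTLS status-request callback: hand GnuTLS the OCSP response to
 * staple into the handshake.
 *
 * The response is read verbatim from the configured file on every
 * call; it is neither parsed nor checked for freshness or for matching
 * the server certificate. NOTE(review): a stale, expired or mismatched
 * response is therefore stapled as-is, and a client that verifies it
 * will see an unusable status — the operator must keep the file
 * current.
 *
 * @param session unused; the connection context arrives via ptr
 * @param ptr the connection's mgs_handle_t
 * @param ocsp_response output; on success holds the file contents
 *                      (allocated by gnutls_load_file()), otherwise
 *                      cleared to {NULL, 0}
 * @return GNUTLS_E_SUCCESS when a non-empty response was loaded,
 *         GNUTLS_E_NO_CERTIFICATE_STATUS when none could be provided
 *         (no file configured, file unreadable, or file empty)
 */
int mgs_get_ocsp_response(gnutls_session_t session __attribute__((unused)),
                          void *ptr,
                          gnutls_datum_t *ocsp_response)
{
    mgs_handle_t *ctxt = (mgs_handle_t *) ptr;
    const char *path = ctxt->sc->ocsp_response_file;

    /* Nothing configured: do not hand a NULL path to gnutls_load_file();
     * just tell GnuTLS there is no status to send. */
    if (path == NULL)
    {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
                      "No OCSP response file configured");
        ocsp_response->size = 0;
        ocsp_response->data = NULL;
        return GNUTLS_E_NO_CERTIFICATE_STATUS;
    }

    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
                  "Loading OCSP response from %s", path);

    int ret = gnutls_load_file(path, ocsp_response);
    if (ret != GNUTLS_E_SUCCESS)
    {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
                      "Loading OCSP response failed: %s (%d)",
                      gnutls_strerror(ret), ret);
        goto fail;
    }

    /* An empty file can never be a valid OCSP response; refusing to
     * staple is better than sending zero bytes to the client. */
    if (ocsp_response->data == NULL || ocsp_response->size == 0)
    {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
                      "OCSP response file %s is empty", path);
        goto fail;
    }

    return GNUTLS_E_SUCCESS;

fail:
    /* gnutls_free(NULL) is a no-op, so this is safe for both the
     * empty-file case and the load failure. Assumes gnutls_load_file()
     * leaves data NULL when it fails, as the original code did —
     * TODO confirm against the GnuTLS version in use. */
    gnutls_free(ocsp_response->data);
    ocsp_response->size = 0;
    ocsp_response->data = NULL;
    return GNUTLS_E_NO_CERTIFICATE_STATUS;
}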