Changeset 1c3853a in mod_gnutls

Timestamp:

Jan 11, 2020, 3:30:40 PM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, main, master, proxy-ticket

Children:

1aad1d7

Parents:

08ba205

Message:

Minimal multi-staple implementation

Works, but has limitations:

• Async OCSP updates are only done for the server (end entity) certificate.

• The configuration requires there to be an OCSP URI in every certificate but the last one in the configured chain. If configuration for any certificate fails vhost configuration fails.

Files:

• include/mod_gnutls.h.in (modified) (1 diff)
• src/gnutls_hooks.c (modified) (1 diff)
• src/gnutls_ocsp.c (modified) (1 diff)

include/mod_gnutls.h.in

@@ -180 +180 @@
     /* Internal OCSP data for this server */
     mgs_ocsp_data_t *ocsp;
+    /* Number of successfully configured OCSP data sets */
+    unsigned int ocsp_num;
     /* Mutex to prevent parallel OCSP requests */
     apr_global_mutex_t *ocsp_mutex;

src/gnutls_hooks.c

@@ -413 +413 @@
         {
             gnutls_ocsp_data_st *resp =
-                apr_palloc(ctxt->c->pool, sizeof(gnutls_ocsp_data_st));
-            resp->version = 0;
-            resp->exptime = 0;
-
-            int ret = mgs_get_ocsp_response(ctxt, ctxt->sc->ocsp[0],
-                                            &resp->response);
-            if (ret == GNUTLS_E_SUCCESS)
+                apr_palloc(ctxt->c->pool,
+                           sizeof(gnutls_ocsp_data_st)
+                           * (ctxt->sc->certs_x509_chain_num - 1));
+
+            for (unsigned int i = 0; i < ctxt->sc->ocsp_num; i++)
             {
-                *ocsp = resp;
-                *ocsp_length = 1;
+                resp[i].version = 0;
+                resp[i].exptime = 0;
+
+                int ret = mgs_get_ocsp_response(ctxt, ctxt->sc->ocsp[i],
+                                                &resp[i].response);
+                if (ret == GNUTLS_E_SUCCESS)
+                {
+                    ocsp[i] = resp;
+                    *ocsp_length = i + 1;
+                }
+                else
+                    break;
             }
         }

src/gnutls_ocsp.c

@@ -1150 +1150 @@
 
     /* array for ocsp data, currently size 1 */
-    sc->ocsp = apr_palloc(pconf, sizeof(mgs_ocsp_data_t));
-
-    mgs_ocsp_data_t ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
-
-    ocsp->cert = sc->certs_x509_crt_chain[0];
-
-    ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
-    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
-        return "No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile "
-            "setting, cannot configure OCSP stapling.";
-
-    ocsp->fingerprint =
-        mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
-    if (ocsp->fingerprint.data == NULL)
-        return "Could not read fingerprint from certificate!";
-
-    ocsp->trust = apr_palloc(pconf,
-                             sizeof(gnutls_x509_trust_list_t));
-    /* Only the direct issuer may sign the OCSP response or an OCSP
-     * signer. */
-    int ret = mgs_create_ocsp_trust_list(ocsp->trust,
-                                         &(sc->certs_x509_crt_chain[1]),
-                                         1);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "Could not create OCSP trust list: %s (%d)",
-                     gnutls_strerror(ret), ret);
-        return "Could not build trust list for OCSP stapling!";
-    }
-    /* deinit trust list when the config pool is destroyed */
-    apr_pool_cleanup_register(pconf, ocsp->trust,
-                              mgs_cleanup_trust_list,
-                              apr_pool_cleanup_null);
-
-    sc->ocsp[0] = ocsp;
+    sc->ocsp = apr_palloc(pconf, sizeof(mgs_ocsp_data_t) * (sc->certs_x509_chain_num - 1));
+
+    for (unsigned int i = 0; i < (sc->certs_x509_chain_num - 1); i++)
+    {
+        mgs_ocsp_data_t ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
+
+        ocsp->cert = sc->certs_x509_crt_chain[i];
+
+        ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
+        if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
+            return "No OCSP URI in the certificate nor a "
+                "GnuTLSOCSPResponseFile setting, cannot configure "
+                "OCSP stapling.";
+
+        ocsp->fingerprint =
+            mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[i]);
+        if (ocsp->fingerprint.data == NULL)
+            return "Could not read fingerprint from certificate!";
+
+        ocsp->trust = apr_palloc(pconf,
+                                 sizeof(gnutls_x509_trust_list_t));
+        /* Only the direct issuer may sign the OCSP response or an
+         * OCSP signer. */
+        int ret = mgs_create_ocsp_trust_list(ocsp->trust,
+                                             &(sc->certs_x509_crt_chain[i+1]),
+                                             1);
+        if (ret != GNUTLS_E_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                         "Could not create OCSP trust list: %s (%d)",
+                         gnutls_strerror(ret), ret);
+            return "Could not build trust list for OCSP stapling!";
+        }
+        /* deinit trust list when the config pool is destroyed */
+        apr_pool_cleanup_register(pconf, ocsp->trust,
+                                  mgs_cleanup_trust_list,
+                                  apr_pool_cleanup_null);
+
+        sc->ocsp[i] = ocsp;
+        sc->ocsp_num = i + 1;
+    }
     return NULL;
 }