Changeset 2a1ffd6 in mod_gnutls for src/gnutls_ocsp.c


Ignore:
Timestamp:
May 31, 2016, 1:12:53 PM (6 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
Children:
64856fd
Parents:
d35b98e
Message:

Move trust list generation for OCSP to a separate function

The new function is supposed be used during server configuration
later, instead of recreating the trust list every time an OCSP
response is checked.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_ocsp.c

    rd35b98e r2a1ffd6  
    8686        return GNUTLS_E_NO_CERTIFICATE_FOUND;
    8787    }
    88     gnutls_x509_trust_list_t issuer;
    89     int ret = gnutls_x509_trust_list_init(&issuer, 1);
    90     if (ret != GNUTLS_E_SUCCESS)
    91     {
    92         ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
    93                       "Could not create issuer trust list: %s (%d)",
    94                       gnutls_strerror(ret), ret);
    95         goto trust_cleanup;
    96     }
     88
    9789    /* Only the direct issuer may sign the OCSP response or an OCSP
    9890     * signer. Assuming the certificate file is properly ordered, it
    9991     * should be the one directly after the server's. */
    100     ret = gnutls_x509_trust_list_add_cas(issuer,
     92    gnutls_x509_trust_list_t issuer;
     93    int ret = mgs_create_ocsp_trust_list(&issuer,
    10194                                         &(ctxt->sc->certs_x509_crt_chain[1]),
    102                                          1, 0);
    103     if (ret != 1)
    104     {
    105         ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
    106                       "Could not populate issuer trust list.");
    107         ret = GNUTLS_E_CERTIFICATE_ERROR;
    108         goto trust_cleanup;
     95                                         1);
     96    if (ret != GNUTLS_E_SUCCESS)
     97    {
     98        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
     99                      "Could not create issuer trust list: %s (%d)",
     100                      gnutls_strerror(ret), ret);
     101        return ret;
    109102    }
    110103
     
    205198            ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
    206199                          "OCSP response has expired at %s!", date_str);
     200            /* Do not send a stale response */
    207201            ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
    208202            goto resp_cleanup;
     
    229223 resp_cleanup:
    230224    gnutls_ocsp_resp_deinit(resp);
    231  trust_cleanup:
    232225    /* deinit trust list, but not the certificates */
    233226    gnutls_x509_trust_list_deinit(issuer, 0);
     
    265258    return GNUTLS_E_NO_CERTIFICATE_STATUS;
    266259}
     260
     261
     262
     263int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
     264                               const gnutls_x509_crt_t *chain,
     265                               const int num)
     266{
     267    int added = 0;
     268    int ret = gnutls_x509_trust_list_init(tl, num);
     269
     270    if (ret == GNUTLS_E_SUCCESS)
     271        added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
     272
     273    if (added != num)
     274        ret = GNUTLS_E_CERTIFICATE_ERROR;
     275
     276    /* Clean up trust list in case of error */
     277    if (ret != GNUTLS_E_SUCCESS)
     278        gnutls_x509_trust_list_deinit(*tl, 0);
     279
     280    return ret;
     281}
Note: See TracChangeset for help on using the changeset viewer.