Changeset 47a909e in mod_gnutls
- Timestamp:
- Jun 11, 2016, 4:44:52 PM (6 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- 0831437
- Parents:
- 6c44ed2
- git-author:
- Thomas Klute <thomas2.klute@…> (06/11/16 16:39:43)
- git-committer:
- Thomas Klute <thomas2.klute@…> (06/11/16 16:44:52)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
src/gnutls_ocsp.c
r6c44ed2 r47a909e 19 19 #include "gnutls_cache.h" 20 20 21 #include <apr_escape.h> 21 22 #include <apr_lib.h> 22 23 #include <apr_time.h> … … 73 74 } 74 75 76 77 78 /** 79 * Create an OCSP request for the certificate of the given server. The 80 * DER encoded request is stored in 'req' (must be released with 81 * gnutls_free() when no longer needed), its nonce in 'nonce' (same, 82 * if not NULL). 83 * 84 * Returns GNUTLS_E_SUCCESS, or a GnuTLS error code. 85 */ 86 int mgs_create_ocsp_request(server_rec *s, gnutls_datum_t *req, 87 gnutls_datum_t *nonce) 88 { 89 if (req == NULL || s == NULL) 90 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; 91 92 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 93 ap_get_module_config(s->module_config, &gnutls_module); 94 95 gnutls_ocsp_req_t r; 96 int ret = gnutls_ocsp_req_init(&r); 97 if (ret != GNUTLS_E_SUCCESS) 98 { 99 ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s, 100 "Could not initialize OCSP request structure: %s (%d)", 101 gnutls_strerror(ret), ret); 102 return ret; 103 } 104 105 /* GnuTLS doc says that the digest is "normally" 106 * GNUTLS_DIG_SHA1. */ 107 ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256, 108 sc->certs_x509_crt_chain[1], 109 sc->certs_x509_crt_chain[0]); 110 111 if (ret != GNUTLS_E_SUCCESS) 112 { 113 ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s, 114 "Adding certificate to OCSP request for %s:%d " 115 "failed: %s (%d)", 116 s->server_hostname, s->addrs->host_port, 117 gnutls_strerror(ret), ret); 118 gnutls_ocsp_req_deinit(r); 119 return ret; 120 } 121 122 ret = gnutls_ocsp_req_randomize_nonce(r); 123 if (ret != GNUTLS_E_SUCCESS) 124 { 125 ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s, 126 "OCSP nonce creation failed: %s (%d)", 127 gnutls_strerror(ret), ret); 128 gnutls_ocsp_req_deinit(r); 129 return ret; 130 } 131 132 if (nonce != NULL) 133 { 134 ret = gnutls_ocsp_req_get_nonce(r, NULL, nonce); 135 if (ret != GNUTLS_E_SUCCESS) 136 { 137 ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s, 138 "Could not get nonce: %s (%d)", 139 gnutls_strerror(ret), ret); 140 gnutls_free(nonce->data); 141 nonce->data = NULL; 142 nonce->size = 0; 143 gnutls_ocsp_req_deinit(r); 144 return ret; 145 } 146 } 147 148 ret = gnutls_ocsp_req_export(r, req); 149 if (ret != GNUTLS_E_SUCCESS) 150 { 151 ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s, 152 "OCSP request export failed: %s (%d)", 153 gnutls_strerror(ret), ret); 154 gnutls_free(req->data); 155 req->data = NULL; 156 req->size = 0; 157 if (nonce != NULL) 158 { 159 gnutls_free(nonce->data); 160 nonce->data = NULL; 161 nonce->size = 0; 162 } 163 gnutls_ocsp_req_deinit(r); 164 return ret; 165 } 166 167 gnutls_ocsp_req_deinit(r); 168 return ret; 169 } 75 170 76 171 … … 253 348 254 349 255 /* TODO: fetch response from sc->ocsp->uri */256 350 apr_status_t mgs_cache_ocsp_response(server_rec *s) 257 351 { … … 273 367 __func__); 274 368 return rv; 369 } 370 371 /* TODO: actually send this request to sc->ocsp->uri and parse the 372 * received response (including nonce) */ 373 gnutls_datum_t req; 374 int ret = mgs_create_ocsp_request(s, &req, NULL); 375 if (ret == GNUTLS_E_SUCCESS) 376 { 377 ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s, 378 "created OCSP request for %s:%d: %s", 379 s->server_hostname, s->addrs->host_port, 380 apr_pescape_hex(tmp, req.data, req.size, 0)); 381 gnutls_free(req.data); 275 382 } 276 383 … … 372 479 "No valid OCSP response in cache, trying to update."); 373 480 481 /* TODO: Once sending OCSP requests is implemented we need a rate 482 * limit for retries on error. If the responder is overloaded or 483 * buggy we don't want to add too much more load, and if a MITM is 484 * messing with requests a repetition loop might end up being a 485 * self-inflicted denial of service. */ 374 486 apr_status_t rv = apr_global_mutex_trylock(ctxt->sc->ocsp_mutex); 375 487 if (APR_STATUS_IS_EBUSY(rv))
Note: See TracChangeset
for help on using the changeset viewer.