Changeset 4e60dd8 in mod_gnutls for src/gnutls_ocsp.c


Ignore:
Timestamp:
Jan 11, 2020, 12:05:52 PM (8 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
08ba205
Parents:
de9b100
Message:

Handle initialization of the OCSP data structure in one place

This will make it easier to loop over the certificate chain for OCSP
multi staple.

File:
1 edited

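--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -1152,8 +1152,33 @@
 
     ocsp->cert = sc->certs_x509_crt_chain[0];
+
     ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
     if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
         return "No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile "
             "setting, cannot configure OCSP stapling.";
+
+    ocsp->fingerprint =
+        mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
+    if (ocsp->fingerprint.data == NULL)
+        return "Could not read fingerprint from certificate!";
+
+    ocsp->trust = apr_palloc(pconf,
+                             sizeof(gnutls_x509_trust_list_t));
+    /* Only the direct issuer may sign the OCSP response or an OCSP
+     * signer. */
+    int ret = mgs_create_ocsp_trust_list(ocsp->trust,
+                                         &(sc->certs_x509_crt_chain[1]),
+                                         1);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "Could not create OCSP trust list: %s (%d)",
+                     gnutls_strerror(ret), ret);
+        return "Could not build trust list for OCSP stapling!";
+    }
+    /* deinit trust list when the config pool is destroyed */
+    apr_pool_cleanup_register(pconf, ocsp->trust,
+                              mgs_cleanup_trust_list,
+                              apr_pool_cleanup_null);
 
     sc->ocsp = ocsp;
@@ -1168,5 +1193,5 @@
  * to denote an error.
  */
-int mgs_ocsp_enable_stapling(apr_pool_t *pconf,
+int mgs_ocsp_enable_stapling(apr_pool_t *pconf __attribute__((unused)),
                              apr_pool_t *ptemp __attribute__((unused)),
                              server_rec *server)
@@ -1219,28 +1244,4 @@
     }
 
-    sc->ocsp->fingerprint =
-        mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
-    if (sc->ocsp->fingerprint.data == NULL)
-        return HTTP_INTERNAL_SERVER_ERROR;
-
-    sc->ocsp->trust = apr_palloc(pconf,
-                                 sizeof(gnutls_x509_trust_list_t));
-    /* Only the direct issuer may sign the OCSP response or an OCSP
-     * signer. */
-    int ret = mgs_create_ocsp_trust_list(sc->ocsp->trust,
-                                         &(sc->certs_x509_crt_chain[1]),
-                                         1);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "Could not create OCSP trust list: %s (%d)",
-                     gnutls_strerror(ret), ret);
-        return HTTP_INTERNAL_SERVER_ERROR;
-    }
-    /* deinit trust list when the config pool is destroyed */
-    apr_pool_cleanup_register(pconf, sc->ocsp->trust,
-                              mgs_cleanup_trust_list,
-                              apr_pool_cleanup_null);
-
     /* The watchdog structure may be NULL if mod_watchdog is
      * unavailable. */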
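Review bot: The trust-list setup added at new lines 1169-1171 passes `&(sc->certs_x509_crt_chain[1])` with a count of 1, so it reads one element past the end of a chain that holds only the end-entity certificate; unless the enclosing function (which begins above the hunk) already rejects a chain shorter than two, a guard that returns an error string such as `"OCSP stapling requires the issuer certificate in the certificate chain."` belongs before this call. The removed copy in mgs_ocsp_enable_stapling had the same assumption, so the commit does not introduce it, but the moved code is now the only place it can be fixed. As a smaller point, new line 1161 still hashes `sc->certs_x509_crt_chain[0]` although `ocsp->cert` was assigned that same element a few lines earlier; writing `mgs_get_cert_fingerprint(pconf, ocsp->cert)` would let the per-certificate loop this commit prepares for vary only `ocsp->cert`.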