Changeset 70cf137 in mod_gnutls


Timestamp:
Jul 17, 2021, 6:47:23 AM (3 months ago)
Author:
GitHub <noreply@…>
Branches:
master
Children:
5168eb0
Parents:
a6b3ae3 (diff), 9c4ae9c2 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
git-author:
Airtower <fiona.klute@…> (07/17/21 06:47:23)
git-committer:
GitHub <noreply@…> (07/17/21 06:47:23)
Message:

Merge pull request #4 from airtower-luna/ocsp-hash

Fix OCSP response handling errors with Let's Encrypt

Files:
3 edited

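--- a/configure.ac
+++ b/configure.ac
@@ -235,5 +235,5 @@
 AC_PATH_PROGS([HTTP_CLI], [curl], [no])
 
-MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${GNUTLS_FEAT_CFLAGS} ${MSVA_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS} ${COVERAGE_CFLAGS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${GNUTLS_FEAT_CFLAGS} ${MSVA_CFLAGS} ${APR_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS} ${COVERAGE_CFLAGS}"
 MODULE_LIBS="${LIBGNUTLS_LIBS}"
 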
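--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -184,21 +184,9 @@
     }
 
-    /* issuer is set to a reference, so musn't be cleaned up */
-    gnutls_x509_crt_t issuer;
-    ret = gnutls_x509_trust_list_get_issuer(*req_data->trust, req_data->cert,
-                                            &issuer, 0);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
-                     "Could not get issuer from trust list: %s (%d)",
-                     gnutls_strerror(ret), ret);
-        gnutls_ocsp_req_deinit(r);
-        return ret;
-    }
-
-    /* GnuTLS doc says that the digest is "normally"
-     * GNUTLS_DIG_SHA1. */
-    ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256,
-                                   issuer, req_data->cert);
+    /* Use SHA1 for issuer name hash and issuer key hash, for
+     * compliance with "lightweight" OCSP profile specified in RFC
+     * 5019. */
+    ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA1,
+                                   req_data->issuer, req_data->cert);
 
     if (ret != GNUTLS_E_SUCCESS)
@@ -287,12 +275,4 @@
         ap_get_module_config(s->module_config, &gnutls_module);
 
-    if (req_data->trust == NULL)
-    {
-        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
-                     "No OCSP trust list available for server \"%s\"!",
-                     s->server_hostname);
-        return GNUTLS_E_NO_CERTIFICATE_FOUND;
-    }
-
     gnutls_ocsp_resp_t resp;
     int ret = gnutls_ocsp_resp_init(&resp);
@@ -323,5 +303,5 @@
 
     unsigned int verify;
-    ret = gnutls_ocsp_resp_verify(resp, *(req_data->trust), &verify, 0);
+    ret = gnutls_ocsp_resp_verify_direct(resp, req_data->issuer, &verify, 0);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -938,35 +918,4 @@
 
 
-int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
-                               const gnutls_x509_crt_t *chain,
-                               const int num)
-{
-    int added = 0;
-    int ret = gnutls_x509_trust_list_init(tl, num);
-
-    if (ret == GNUTLS_E_SUCCESS)
-        added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
-
-    if (added != num)
-        ret = GNUTLS_E_CERTIFICATE_ERROR;
-
-    /* Clean up trust list in case of error */
-    if (ret != GNUTLS_E_SUCCESS)
-        gnutls_x509_trust_list_deinit(*tl, 0);
-
-    return ret;
-}
-
-
-
-apr_status_t mgs_cleanup_trust_list(void *data)
-{
-    gnutls_x509_trust_list_t *tl = (gnutls_x509_trust_list_t *) data;
-    gnutls_x509_trust_list_deinit(*tl, 0);
-    return APR_SUCCESS;
-}
-
-
-
 apr_uri_t * mgs_cert_get_ocsp_uri(apr_pool_t *p, gnutls_x509_crt_t cert)
 {
@@ -998,5 +947,9 @@
             rv = apr_uri_parse(p, ocsp_str, ocsp_uri);
             if (rv == APR_SUCCESS)
+            {
+                if (ocsp_uri->path == NULL)
+                    ocsp_uri->path = "/";
                 break;
+            }
             else
                 ocsp_uri = NULL;
@@ -1169,21 +1122,5 @@
         return "Could not read fingerprint from certificate!";
 
-    ocsp->trust = apr_palloc(pconf,
-                             sizeof(gnutls_x509_trust_list_t));
-    /* Only the direct issuer may sign the OCSP response or an
-     * OCSP signer. */
-    int ret = mgs_create_ocsp_trust_list(
-        ocsp->trust, &(sc->certs_x509_crt_chain[idx + 1]), 1);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
-                     "Could not create OCSP trust list: %s (%d)",
-                     gnutls_strerror(ret), ret);
-        return "Could not build trust list for OCSP stapling!";
-    }
-    /* deinit trust list when the config pool is destroyed */
-    apr_pool_cleanup_register(pconf, ocsp->trust,
-                              mgs_cleanup_trust_list,
-                              apr_pool_cleanup_null);
+    ocsp->issuer = sc->certs_x509_crt_chain[idx + 1];
     return NULL;
 }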
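Review bot: The hunk at new line 275 drops the `req_data->trust == NULL` guard and adds no equivalent check on `req_data->issuer` before it is handed to `gnutls_ocsp_resp_verify_direct()` at new line 305, so a server whose OCSP data never got an issuer would now pass a NULL certificate to GnuTLS instead of failing with the logged error the old code produced. The value is assigned from `sc->certs_x509_crt_chain[idx + 1]` at new line 1124 with no bounds check visible in this section; if the chain length is validated earlier, that happens outside the hunk. I would restore a guard where the removed one sat, returning the same error code; the verifying function begins outside the hunk. The assignment at new line 1124 also deserves a one-line comment making the ownership explicit, e.g. `/* Reference into the configured chain, not owned here; never deinit. */`, since the old code carried that note on the local it replaced.
```c
        ap_get_module_config(s->module_config, &gnutls_module);

    if (req_data->issuer == NULL)
    {
        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
                     "No issuer certificate available for OCSP "
                     "verification on server \"%s\"!",
                     s->server_hostname);
        return GNUTLS_E_NO_CERTIFICATE_FOUND;
    }

    gnutls_ocsp_resp_t resp;
    /* … unchanged: response init, parsing and verification … */
```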
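--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -44,4 +44,6 @@
     /** The certificate the following elements refer to. */
     gnutls_x509_crt_t cert;
+    /** Issuer certificate, used for verifying OCSP responses. */
+    gnutls_x509_crt_t issuer;
     /** OCSP URI extracted from the certificate. NULL if unset. */
     apr_uri_t *uri;
@@ -49,7 +51,4 @@
      * precedence over uri. */
     char *response_file;
-    /** Trust list to verify OCSP responses for stapling. Should
-     * usually only contain the CA that signed the certificate. */
-    gnutls_x509_trust_list_t *trust;
     /** Certificate fingerprint, used as cache key for the OCSP
      * response. */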
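Review bot: The new doc comment on `issuer` at new line 46 says what the field is for but not who owns it or how long it stays valid, which matters here because the .c side assigns it straight from `sc->certs_x509_crt_chain[idx + 1]` and the removed `trust` field had a pool cleanup while this one has none. I would extend it to `/** Issuer certificate, used for verifying OCSP responses. Non-owning reference into the server's certificate chain; do not deinit it separately. */`. Its lifetime is presumably bound to that chain, which the header should state once confirmed against the config code.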