Changeset 75f2d96 in mod_gnutls


Timestamp:
Jan 11, 2020, 10:45:00 AM (7 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
06dcf89
Parents:
e798149
Message:

check_ocsp_response: Require explicit struct mgs_ocsp_data

The response is verified based on the passed request data, making it
possible to check responses for more than one certificate per virtual
host.

File:
1 edited

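--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -266,8 +266,10 @@
  * If nonce is not NULL, the response must contain a matching nonce.
  */
-int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response,
+int check_ocsp_response(server_rec *s, struct mgs_ocsp_data *req_data,
+                        const gnutls_datum_t *ocsp_response,
                         apr_time_t* expiry, const gnutls_datum_t *nonce)
-    __attribute__((nonnull(1, 2)));
-int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response,
+    __attribute__((nonnull(1, 3)));
+int check_ocsp_response(server_rec *s, struct mgs_ocsp_data *req_data,
+                        const gnutls_datum_t *ocsp_response,
                         apr_time_t* expiry, const gnutls_datum_t *nonce)
 {
@@ -275,5 +277,5 @@
         ap_get_module_config(s->module_config, &gnutls_module);
 
-    if (sc->ocsp->trust == NULL)
+    if (req_data->trust == NULL)
     {
         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
@@ -301,5 +303,5 @@
     }
 
-    ret = gnutls_ocsp_resp_check_crt(resp, 0, sc->certs_x509_crt_chain[0]);
+    ret = gnutls_ocsp_resp_check_crt(resp, 0, req_data->cert);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -311,5 +313,5 @@
 
     unsigned int verify;
-    ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp->trust), &verify, 0);
+    ret = gnutls_ocsp_resp_verify(resp, *(req_data->trust), &verify, 0);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -718,5 +720,6 @@
 
     apr_time_t next_update;
-    if (check_ocsp_response(s, &resp, &next_update, nonce.size ? &nonce : NULL)
+    if (check_ocsp_response(s, sc->ocsp, &resp, &next_update,
+                            nonce.size ? &nonce : NULL)
         != GNUTLS_E_SUCCESS)
     {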
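Review bot: The new `req_data` parameter is dereferenced unconditionally in the body (`req_data->trust` in the NULL-trust check, `req_data->cert` in the gnutls_ocsp_resp_check_crt call, `*(req_data->trust)` in gnutls_ocsp_resp_verify), yet the prototype's nonnull list was only renumbered to `nonnull(1, 3)` and leaves position 2 out; since the commit makes the struct mandatory, declare it `__attribute__((nonnull(1, 2, 3)));` so a NULL argument is diagnosed at compile time instead of faulting inside the verifier. As far as the visible lines show the function only reads through `req_data`, so `const struct mgs_ocsp_data *req_data` would document that contract too. check_ocsp_response's body continues outside the hunk, and the visible caller passes `sc->ocsp` without a NULL check, as the old `sc->ocsp->trust` access already did, so that behaviour is unchanged.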