Changeset 78b75b3 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Jun 16, 2016, 6:49:25 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
87d507b
Parents:
a784735
git-author:
Thomas Klute <thomas2.klute@…> (06/16/16 18:49:02)
git-committer:
Thomas Klute <thomas2.klute@…> (06/16/16 18:49:25)
Message:

Restore GnuTLSOCSPResponseFile option

Using an externally updated response file avoids the blocking issues
the OCSP client implementation currently has, so it is good to have
both options.

File:
1 edited

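--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -580,38 +580,57 @@
     }
 
-    gnutls_datum_t req;
-    gnutls_datum_t nonce;
-    int ret = mgs_create_ocsp_request(s, &req, &nonce);
-    if (ret == GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
-                     "created OCSP request for %s:%d: %s",
-                     s->server_hostname, s->addrs->host_port,
-                     apr_pescape_hex(tmp, req.data, req.size, 0));
-    }
-    else
-    {
+    gnutls_datum_t resp;
+    gnutls_datum_t nonce = { NULL, 0 };
+
+    if (sc->ocsp_response_file != NULL)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Loading OCSP response from %s",
+                     sc->ocsp_response_file);
+        rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);
+        if (rv != APR_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                         "Loading OCSP response from %s failed!",
+                         sc->ocsp_response_file);
+            apr_pool_destroy(tmp);
+            return rv;
+        }
+    }
+    else
+    {
+        gnutls_datum_t req;
+        int ret = mgs_create_ocsp_request(s, &req, &nonce);
+        if (ret == GNUTLS_E_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
+                         "created OCSP request for %s:%d: %s",
+                         s->server_hostname, s->addrs->host_port,
+                         apr_pescape_hex(tmp, req.data, req.size, 0));
+        }
+        else
+        {
+            gnutls_free(req.data);
+            gnutls_free(nonce.data);
+            apr_pool_destroy(tmp);
+            return APR_EGENERAL;
+        }
+
+        rv = do_ocsp_request(tmp, s, &req, &resp);
         gnutls_free(req.data);
-        gnutls_free(nonce.data);
-        apr_pool_destroy(tmp);
-        return APR_EGENERAL;
-    }
-
-    gnutls_datum_t resp;
-    rv = do_ocsp_request(tmp, s, &req, &resp);
-    gnutls_free(req.data);
-    if (rv != APR_SUCCESS)
-    {
-        /* do_ocsp_request() does its own error logging. */
-        gnutls_free(nonce.data);
-        apr_pool_destroy(tmp);
-        return rv;
-    }
-
-    /* TODO: separate option to enable/disable nonce, restore reading
-     * response from file for debugging/expert use. */
+        if (rv != APR_SUCCESS)
+        {
+            /* do_ocsp_request() does its own error logging. */
+            gnutls_free(nonce.data);
+            apr_pool_destroy(tmp);
+            return rv;
+        }
+    }
+
+    /* TODO: separate option to enable/disable nonce */
 
     apr_time_t expiry;
-    if (check_ocsp_response(s, &resp, &expiry, &nonce) != GNUTLS_E_SUCCESS)
+    if (check_ocsp_response(s, &resp, &expiry, nonce.size ? &nonce : NULL)
+        != GNUTLS_E_SUCCESS)
     {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,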
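Review bot: `req` at new line 602 is still declared without an initializer even though `nonce` on line 583 now gets `{ NULL, 0 }`, yet the failure branch after `mgs_create_ocsp_request()` (lines 613–614) calls `gnutls_free(req.data)` unconditionally; unless that helper is guaranteed to null `req.data` on every error path (not visible here), this hands an indeterminate pointer to `gnutls_free()`. The one-line fix mirrors the nonce change: `gnutls_datum_t req = { NULL, 0 };`. Note also that the file-backed path necessarily skips the nonce check (`nonce.size ? &nonce : NULL`), so replay protection for `GnuTLSOCSPResponseFile` rests entirely on whatever freshness validation `check_ocsp_response()` does when it derives `expiry`; a comment at line 585 such as `/* Response file is trusted to be kept fresh by the operator: no nonce can be checked, only the validity period. */` would make that trade-off explicit to the next maintainer. The `resp` buffer comes from `datum_from_file(tmp, ...)` on one path and `do_ocsp_request(tmp, ...)` on the other, so whatever the code after this section does to release `resp.data` must be valid for both allocators — worth confirming. The enclosing function starts before and ends after this section.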