Changeset 845c112 in mod_gnutls for src

Timestamp:

Jan 12, 2020, 5:27:45 AM (10 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

master, proxy-ticket

Children:

a3e0f7b

Parents:

587642d

Message:

Async OCSP updates for multi-stapling

There's now one mod_watchdog callback per certificate with stapling
enabled, so they all get updated independently. Adding "server" to the
OCSP data structure is necessary because the async update function
needs access to the virtual host configuration.

Location:

src

Files:

• gnutls_hooks.c (modified) (1 diff)
• gnutls_ocsp.c (modified) (8 diffs)
• gnutls_ocsp.h (modified) (1 diff)

src/gnutls_hooks.c

@@ -414 +414 @@
             gnutls_ocsp_data_st *resp =
                 apr_palloc(ctxt->c->pool,
-                           sizeof(gnutls_ocsp_data_st)
-                           * (ctxt->sc->certs_x509_chain_num - 1));
+                           sizeof(gnutls_ocsp_data_st) * ctxt->sc->ocsp_num);
 
             for (unsigned int i = 0; i < ctxt->sc->ocsp_num; i++)

src/gnutls_ocsp.c

@@ -1009 +1009 @@
 /**
  * Perform an asynchronous OCSP cache update. This is a callback for
- * mod_watchdog, so the API is fixed.
+ * mod_watchdog, so the API is fixed (except the meaning of data).
  *
  * @param state watchdog state (starting/running/stopping)
@@ -1026 +1026 @@
         return APR_SUCCESS;
 
-    server_rec *server = (server_rec *) data;
+    mgs_ocsp_data_t ocsp_data = (mgs_ocsp_data_t) data;
+    server_rec *server = (server_rec *) ocsp_data->server;
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(server->module_config, &gnutls_module);
@@ -1040 +1041 @@
      * mgs_get_ocsp_response. */
     apr_global_mutex_lock(sc->ocsp_mutex);
-    apr_status_t rv = mgs_cache_ocsp_response(server, sc->ocsp[0], &expiry);
+    apr_status_t rv = mgs_cache_ocsp_response(server, ocsp_data, &expiry);
 
     apr_interval_time_t next_interval;
@@ -1092 +1093 @@
     sc->singleton_wd->set_callback_interval(sc->singleton_wd->wd,
                                             next_interval,
-                                            server, mgs_async_ocsp_update);
+                                            ocsp_data, mgs_async_ocsp_update);
 
     ap_log_error(APLOG_MARK, rv == APR_SUCCESS ? APLOG_DEBUG : APLOG_WARNING,
@@ -1114 +1115 @@
 
         apr_status_t rv = mgs_cache_fetch(sc->ocsp_cache, server,
-                                          sc->ocsp[0]->fingerprint,
+                                          ocsp_data->fingerprint,
                                           &ocsp_response,
                                           pool);
@@ -1123 +1124 @@
                          "Caching OCSP request failure for %s:%d.",
                          server->server_hostname, server->addrs->host_port);
-            mgs_cache_ocsp_failure(server, sc->ocsp[0],
+            mgs_cache_ocsp_failure(server, ocsp_data,
                                    sc->ocsp_failure_timeout * 2);
         }
@@ -1141 +1142 @@
 {
     ocsp->cert = sc->certs_x509_crt_chain[idx];
+    ocsp->server = server;
 
     ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
@@ -1292 +1294 @@
         && sc->ocsp_auto_refresh == GNUTLS_ENABLED_TRUE)
     {
-        apr_status_t rv =
-            sc->singleton_wd->register_callback(sc->singleton_wd->wd,
-                                                sc->ocsp_cache_time,
-                                                server, mgs_async_ocsp_update);
-        if (rv == APR_SUCCESS)
-            ap_log_error(APLOG_MARK, APLOG_INFO, rv, server,
-                         "Enabled async OCSP update via watchdog "
-                         "for %s:%d",
-                         server->server_hostname, server->addrs->host_port);
-        else
-            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, server,
-                         "Enabling async OCSP update via watchdog "
-                         "for %s:%d failed!",
-                         server->server_hostname, server->addrs->host_port);
+        /* register an update callback for each certificate configured
+         * for stapling */
+        for (unsigned int i = 0; i < sc->ocsp_num; i++)
+        {
+            apr_status_t rv =
+                sc->singleton_wd->register_callback(sc->singleton_wd->wd,
+                                                    sc->ocsp_cache_time,
+                                                    sc->ocsp[i],
+                                                    mgs_async_ocsp_update);
+            if (rv == APR_SUCCESS)
+                ap_log_error(APLOG_MARK, APLOG_INFO, rv, server,
+                             "Enabled async OCSP update via watchdog "
+                             "for %s:%d, cert[%u]",
+                             server->server_hostname, server->addrs->host_port,
+                             i);
+            else
+                ap_log_error(APLOG_MARK, APLOG_WARNING, rv, server,
+                             "Enabling async OCSP update via watchdog "
+                             "for %s:%d, cert[%u] failed!",
+                             server->server_hostname, server->addrs->host_port,
+                             i);
+        }
     }
 

src/gnutls_ocsp.h

@@ -52 +52 @@
      * response. */
     gnutls_datum_t fingerprint;
+    /** Server (virtual host) that uses the certificate */
+    server_rec *server;
 };