Changeset a3e0f7b in mod_gnutls
- Timestamp:
- Jan 12, 2020, 10:01:55 AM (16 months ago)
- Branches:
- asyncio, master, proxy-ticket
- Children:
- 5c9ca6b
- Parents:
- 845c112
- git-author:
- Fiona Klute <fiona.klute@…> (01/12/20 07:50:52)
- git-committer:
- Fiona Klute <fiona.klute@…> (01/12/20 10:01:55)
- Files:
-
- 5 edited
include/mod_gnutls.h.in
r845c112 ra3e0f7b 177 177 /* Read OCSP response for stapling from this file instead of 178 178 * sending a request over HTTP */ 179 char *ocsp_response_file; 179 char **ocsp_response_file; 180 /* Number of configured OCSP response files */ 181 int ocsp_response_file_num; 180 182 /* Internal OCSP data for this server */ 181 183 mgs_ocsp_data_t *ocsp; -
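Review bot: The struct comment above `ocsp_response_file` still describes a single file ("from this file"), while the field is now an array whose length is `ocsp_response_file_num` and whose entries may be NULL. Update it to something like `/* OCSP response files for stapling, one per configured certificate (same order as the certificates); a NULL entry means no file for that certificate, so its OCSP URI is used instead. Length: ocsp_response_file_num */`. The NULL-entry semantics follow from gnutls_ocsp.c in this same changeset, where an empty argument is stored as NULL and a NULL response_file falls through to the URI check.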
src/gnutls_config.c
r845c112 ra3e0f7b 3 3 * Copyright 2008, 2014 Nikos Mavrogiannopoulos 4 4 * Copyright 2011 Dash Shendy 5 * Copyright 2015-20 18Fiona Klute5 * Copyright 2015-2020 Fiona Klute 6 6 * 7 7 * Licensed under the Apache License, Version 2.0 (the "License"); … … 906 906 sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET; 907 907 sc->ocsp_response_file = NULL; 908 sc->ocsp_response_file_num = 0; 908 909 sc->ocsp_mutex = NULL; 909 910 sc->ocsp_cache = NULL; … … 972 973 gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET); 973 974 gnutls_srvconf_assign(ocsp_response_file); 975 gnutls_srvconf_assign(ocsp_response_file_num); 974 976 gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET); 975 977 gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET); -
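Review bot: `ocsp_response_file` and `ocsp_response_file_num` are merged by two independent `gnutls_srvconf_assign` calls, but they are only meaningful as a pair: the array pointer and its length must always come from the same config record. The macro body is not visible here; if it falls back to the base record per field whenever the more specific record's value is NULL or zero, a vhost whose directive was parsed with zero arguments (array non-NULL from apr_palloc, count 0) could inherit the base's count for its own empty array, and the `idx < sc->ocsp_response_file_num` lookup in gnutls_ocsp.c would then read past it. Merge both fields in one step keyed on the array pointer alone, or reject an empty argument list in mgs_store_ocsp_response_path, and add a comment such as `/* ocsp_response_file and ocsp_response_file_num must be taken from the same record: the count is only valid for the array it was set with */` next to the two lines.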
src/gnutls_ocsp.c
r845c112 ra3e0f7b 28 28 #include <gnutls/ocsp.h> 29 29 #include <mod_watchdog.h> 30 #include <string.h> 30 31 #include <time.h> 31 32 … … 133 134 const char *mgs_store_ocsp_response_path(cmd_parms *parms, 134 135 void *dummy __attribute__((unused)), 135 const char *arg)136 int argc, char *const *argv) 136 137 { 137 138 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 138 139 ap_get_module_config(parms->server->module_config, &gnutls_module); 139 140 140 sc->ocsp_response_file = ap_server_root_relative(parms->pool, arg); 141 sc->ocsp_response_file_num = argc; 142 sc->ocsp_response_file = apr_palloc(parms->pool, sizeof(char *) * argc); 143 for (int i = 0; i < argc; i++) 144 { 145 if (strcmp(argv[i], "") == 0) 146 sc->ocsp_response_file[i] = NULL; 147 else 148 sc->ocsp_response_file[i] = 149 ap_server_root_relative(parms->pool, argv[i]); 150 } 141 151 return NULL; 142 152 } … … 678 688 gnutls_datum_t nonce = { NULL, 0 }; 679 689 680 if ( sc->ocsp_response_file != NULL)690 if (req_data->response_file != NULL) 681 691 { 682 692 ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s, 683 693 "Loading OCSP response from %s", 684 sc->ocsp_response_file);685 rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);694 req_data->response_file); 695 rv = datum_from_file(tmp, req_data->response_file, &resp); 686 696 if (rv != APR_SUCCESS) 687 697 { 688 698 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, 689 699 "Loading OCSP response from %s failed!", 690 sc->ocsp_response_file);700 req_data->response_file); 691 701 apr_pool_destroy(tmp); 692 702 return rv; … … 1138 1148 server_rec *server, 1139 1149 mgs_srvconf_rec *sc, 1140 unsignedint idx,1150 int idx, 1141 1151 apr_pool_t *pconf) 1142 1152 { … … 1144 1154 ocsp->server = server; 1145 1155 1156 if (sc->ocsp_response_file != NULL && idx < sc->ocsp_response_file_num) 1157 ocsp->response_file = sc->ocsp_response_file[idx]; 1158 else 1159 ocsp->response_file = NULL; 1160 1146 1161 ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert); 1147 // 
TODO: ocsp_response_file is completely broken with >1 1148 // certificates. Allow a list? 1149 if (ocsp->uri == NULL && sc->ocsp_response_file == NULL) 1162 if (ocsp->uri == NULL && ocsp->response_file == NULL) 1150 1163 return "No OCSP URI in the certificate nor a " 1151 1164 "GnuTLSOCSPResponseFile setting, cannot configure " -
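Review bot: In mgs_store_ocsp_response_path a NULL return from ap_server_root_relative() (which returns NULL when the path merge fails) is now indistinguishable from the documented empty-string "skip this certificate" value, because both end up as NULL in `sc->ocsp_response_file[i]` and the later `idx < sc->ocsp_response_file_num` lookup then silently falls back to the certificate's OCSP URI. A mistyped file path therefore downgrades to live OCSP fetching instead of failing at config time; fail closed there with `if (sc->ocsp_response_file[i] == NULL) return apr_psprintf(parms->pool, "GnuTLSOCSPResponseFile: invalid path '%s'", argv[i]);` in the else branch. It would also be worth rejecting argc == 0 up front, e.g. `if (argc == 0) return "GnuTLSOCSPResponseFile needs at least one file name (or \"\")";`, so the directive cannot leave a zero-length array with count 0 behind. The loop that supplies idx and the function containing the `idx < sc->ocsp_response_file_num` check both continue outside the hunk.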
src/gnutls_ocsp.h
r845c112 ra3e0f7b 46 46 /** OCSP URI extracted from the certificate. NULL if unset. */ 47 47 apr_uri_t *uri; 48 /** OCSP response file for the certificate. NULL if unset. Takes 49 * precedence over uri. */ 50 char *response_file; 48 51 /** Trust list to verify OCSP responses for stapling. Should 49 52 * usually only contain the CA that signed the certificate. */ … … 70 73 const char *mgs_store_ocsp_response_path(cmd_parms * parms, 71 74 void *dummy __attribute__((unused)), 72 const char *arg);75 int argc, char *const *argv); 73 76 74 77 /** -
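Review bot: The new `response_file` doc comment in mgs_ocsp_data_t should state what the pointer is: it aliases an entry of the server config's `ocsp_response_file` array (set in gnutls_ocsp.c as `ocsp->response_file = sc->ocsp_response_file[idx];`), so it is pool-owned config data, not a copy, and must not be freed or modified. Suggested wording: `/** OCSP response file for the certificate, or NULL. Aliases sc->ocsp_response_file[idx] (config pool, not owned). Takes precedence over uri. */`. The prototype change to `int argc, char *const *argv` has no doc comment in view explaining that an empty-string argument means "no file for this certificate"; if the header documents the handler, add that there as well.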
src/mod_gnutls.c
r845c112 ra3e0f7b 3 3 * Copyright 2008, 2014 Nikos Mavrogiannopoulos 4 4 * Copyright 2011 Dash Shendy 5 * Copyright 2015-20 19Fiona Klute5 * Copyright 2015-2020 Fiona Klute 6 6 * 7 7 * Licensed under the Apache License, Version 2.0 (the "License"); … … 379 379 NULL, RSRC_CONF, 380 380 "Check nonce in OCSP responses?"), 381 AP_INIT_TAKE 1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,381 AP_INIT_TAKE_ARGV("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path, 382 382 NULL, RSRC_CONF, 383 "Read OCSP response for stapling from this file instead " 384 "of sending a request over HTTP (must be updated " 385 "externally)"), 383 "Read OCSP responses for stapling from these files instead " 384 "of sending a request over HTTP. Files must be listed in " 385 "the same order as listed in GnuTLSX509CertificateFile, " 386 "and must be updated externally. Use the empty string " 387 "(\"\") to skip a certificate in the list."), 386 388 AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout, 387 389 NULL, RSRC_CONF,
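Review bot: The new help text for GnuTLSOCSPResponseFile says an empty string skips a certificate but not what "skip" means, nor what happens when fewer files than certificates are listed; per this changeset's gnutls_ocsp.c both cases leave response_file NULL and the certificate's OCSP URI is used instead. Append to the string: `"Certificates without a file entry (or with \"\") are handled via their OCSP URI instead."`. Since a missing entry silently re-enables outbound OCSP requests for that certificate, this fallback belongs in the operator-facing text.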