Context Navigation

← Previous Changeset
Next Changeset →

Changeset a3e0f7b in mod_gnutls

Timestamp:

Jan 12, 2020, 10:01:55 AM (7 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

master, proxy-ticket

Children:

5c9ca6b

Parents:

845c112

git-author:

Fiona Klute <fiona.klute@…> (01/12/20 07:50:52)

git-committer:

Fiona Klute <fiona.klute@…> (01/12/20 10:01:55)

Message:

Support a list of files for the GnuTLSOCSPResponseFile option

This allows users to specify multiple responses for multi-staple. Note
that mod_gnutls will try to send its own requests for certificates
without a matching response.

Files:

: 5 edited

include/mod_gnutls.h.in (modified) (1 diff)
src/gnutls_config.c (modified) (3 diffs)
src/gnutls_ocsp.c (modified) (5 diffs)
src/gnutls_ocsp.h (modified) (2 diffs)
src/mod_gnutls.c (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

include/mod_gnutls.h.in

-                      r845c112
+                      ra3e0f7b
     /* Read OCSP response for stapling from this file instead of
      * sending a request over HTTP */
+    char *ocsp_response_file;
+    char **ocsp_response_file;
+    /* Number of configured OCSP response files */
+    int ocsp_response_file_num;
     /* Internal OCSP data for this server */
     mgs_ocsp_data_t *ocsp;

src/gnutls_config.c

-                      r845c112
+                      ra3e0f7b
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015-2018 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
     sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
     sc->ocsp_response_file = NULL;
+    sc->ocsp_response_file_num = 0;
     sc->ocsp_mutex = NULL;
     sc->ocsp_cache = NULL;
 …
     gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
+    gnutls_srvconf_assign(ocsp_response_file_num);
     gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);

src/gnutls_ocsp.c

-                      r845c112
+                      ra3e0f7b
 #include <gnutls/ocsp.h>
 #include <mod_watchdog.h>
+#include <string.h>
 #include <time.h>
 …
 const char *mgs_store_ocsp_response_path(cmd_parms *parms,
                                          void *dummy __attribute__((unused)),
                                          const char *arg)
+                                         int argc, char *const *argv)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(parms->server->module_config, &gnutls_module);
+    sc->ocsp_response_file = ap_server_root_relative(parms->pool, arg);
+    sc->ocsp_response_file_num = argc;
+    sc->ocsp_response_file = apr_palloc(parms->pool, sizeof(char *) * argc);
+    for (int i = 0; i < argc; i++)
+    {
+        if (strcmp(argv[i], "") == 0)
+            sc->ocsp_response_file[i] = NULL;
+        else
+            sc->ocsp_response_file[i] =
+                ap_server_root_relative(parms->pool, argv[i]);
+    }
     return NULL;
+}
 …
     gnutls_datum_t nonce = { NULL, 0 };
     if (sc->ocsp_response_file != NULL)
+    if (req_data->response_file != NULL)
+    {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
                      "Loading OCSP response from %s",
                      sc->ocsp_response_file);
         rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);
+                     req_data->response_file);
+        rv = datum_from_file(tmp, req_data->response_file, &resp);
         if (rv != APR_SUCCESS)
+        {
             ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
                          "Loading OCSP response from %s failed!",
                          sc->ocsp_response_file);
+                         req_data->response_file);
             apr_pool_destroy(tmp);
             return rv;
 …
                                          server_rec *server,
                                          mgs_srvconf_rec *sc,
                                          unsigned int idx,
+                                         int idx,
                                          apr_pool_t *pconf)
+{
 …
     ocsp->server = server;
+    if (sc->ocsp_response_file != NULL && idx < sc->ocsp_response_file_num)
+        ocsp->response_file = sc->ocsp_response_file[idx];
+    else
+        ocsp->response_file = NULL;
     ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
+    // TODO: ocsp_response_file is completely broken with >1
+    // certificates. Allow a list?
+    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
+    if (ocsp->uri == NULL && ocsp->response_file == NULL)
         return "No OCSP URI in the certificate nor a "
             "GnuTLSOCSPResponseFile setting, cannot configure "

src/gnutls_ocsp.h

-                      r845c112
+                      ra3e0f7b
     /** OCSP URI extracted from the certificate. NULL if unset. */
     apr_uri_t *uri;
+    /** OCSP response file for the certificate. NULL if unset. Takes
+     * precedence over uri. */
+    char *response_file;
     /** Trust list to verify OCSP responses for stapling. Should
      * usually only contain the CA that signed the certificate. */
 …
 const char *mgs_store_ocsp_response_path(cmd_parms * parms,
                                          void *dummy __attribute__((unused)),
                                          const char *arg);
+                                         int argc, char *const *argv);
 /**

src/mod_gnutls.c

-                      r845c112
+                      ra3e0f7b
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015-2019 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
                  NULL, RSRC_CONF,
                  "Check nonce in OCSP responses?"),
     AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
+    AP_INIT_TAKE_ARGV("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
                   NULL, RSRC_CONF,
+                  "Read OCSP response for stapling from this file instead "
+                  "of sending a request over HTTP (must be updated "
+                  "externally)"),
+                  "Read OCSP responses for stapling from these files instead "
+                  "of sending a request over HTTP. Files must be listed in "
+                  "the same order as listed in GnuTLSX509CertificateFile, "
+                  "and must be updated externally. Use the empty string "
+                  "(\"\") to skip a certificate in the list."),
     AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,

Note: See TracChangeset for help on using the changeset viewer.