Changeset a3e0f7b in mod_gnutls


Timestamp:
Jan 12, 2020, 10:01:55 AM (9 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
5c9ca6b
Parents:
845c112
git-author:
Fiona Klute <fiona.klute@…> (01/12/20 07:50:52)
git-committer:
Fiona Klute <fiona.klute@…> (01/12/20 10:01:55)
Message:

Support a list of files for the GnuTLSOCSPResponseFile option

This allows users to specify multiple responses for multi-staple. Note
that mod_gnutls will try to send its own requests for certificates
without a matching response.

Files:
5 edited

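--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -177,5 +177,7 @@
     /* Read OCSP response for stapling from this file instead of
      * sending a request over HTTP */
-    char *ocsp_response_file;
+    char **ocsp_response_file;
+    /* Number of configured OCSP response files */
+    int ocsp_response_file_num;
     /* Internal OCSP data for this server */
     mgs_ocsp_data_t *ocsp;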
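Review bot: The comment above `ocsp_response_file` at lines 177-178 still describes a single file, while the field is now an array whose entries may be NULL for certificates that were skipped with "". A comment matching the new shape would read `/* OCSP responses for stapling, one file per certificate in the order of GnuTLSX509CertificateFile; a NULL entry means the response for that certificate is fetched over HTTP instead. */`, and `ocsp_response_file_num` could say that it is the length of that array. The rest of the struct is outside this section.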
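--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -3,5 +3,5 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2018 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -906,4 +906,5 @@
     sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
     sc->ocsp_response_file = NULL;
+    sc->ocsp_response_file_num = 0;
     sc->ocsp_mutex = NULL;
     sc->ocsp_cache = NULL;
@@ -972,4 +973,5 @@
     gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
+    gnutls_srvconf_assign(ocsp_response_file_num);
     gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);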
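Review bot: `ocsp_response_file` and `ocsp_response_file_num` are merged as two independent fields at lines 974-975 even though they describe one array and must stay consistent. The `gnutls_srvconf_assign` macro is not in this section, so this is inferred: if it copies unconditionally from the add config the pair stays in step, but if it falls back to the base config when the add value is unset, a vhost could end up with the pointer from one config and the count from the other. A one-line comment stating the invariant would make the intent checkable: `/* pointer and count always come from the same config; mgs_store_ocsp_response_path() sets both */`. The surrounding merge function starts and ends outside this hunk.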
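--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -28,4 +28,5 @@
 #include <gnutls/ocsp.h>
 #include <mod_watchdog.h>
+#include <string.h>
 #include <time.h>
 
@@ -133,10 +134,19 @@
 const char *mgs_store_ocsp_response_path(cmd_parms *parms,
                                          void *dummy __attribute__((unused)),
-                                         const char *arg)
+                                         int argc, char *const *argv)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(parms->server->module_config, &gnutls_module);
 
-    sc->ocsp_response_file = ap_server_root_relative(parms->pool, arg);
+    sc->ocsp_response_file_num = argc;
+    sc->ocsp_response_file = apr_palloc(parms->pool, sizeof(char *) * argc);
+    for (int i = 0; i < argc; i++)
+    {
+        if (strcmp(argv[i], "") == 0)
+            sc->ocsp_response_file[i] = NULL;
+        else
+            sc->ocsp_response_file[i] =
+                ap_server_root_relative(parms->pool, argv[i]);
+    }
     return NULL;
 }
@@ -678,15 +688,15 @@
     gnutls_datum_t nonce = { NULL, 0 };
 
-    if (sc->ocsp_response_file != NULL)
+    if (req_data->response_file != NULL)
     {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
                      "Loading OCSP response from %s",
-                     sc->ocsp_response_file);
-        rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);
+                     req_data->response_file);
+        rv = datum_from_file(tmp, req_data->response_file, &resp);
         if (rv != APR_SUCCESS)
         {
             ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
                          "Loading OCSP response from %s failed!",
-                         sc->ocsp_response_file);
+                         req_data->response_file);
             apr_pool_destroy(tmp);
             return rv;
@@ -1138,5 +1148,5 @@
                                          server_rec *server,
                                          mgs_srvconf_rec *sc,
-                                         unsigned int idx,
+                                         int idx,
                                          apr_pool_t *pconf)
 {
@@ -1144,8 +1154,11 @@
     ocsp->server = server;
 
+    if (sc->ocsp_response_file != NULL && idx < sc->ocsp_response_file_num)
+        ocsp->response_file = sc->ocsp_response_file[idx];
+    else
+        ocsp->response_file = NULL;
+
     ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
-    // TODO: ocsp_response_file is completely broken with >1
-    // certificates. Allow a list?
-    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
+    if (ocsp->uri == NULL && ocsp->response_file == NULL)
         return "No OCSP URI in the certificate nor a "
             "GnuTLSOCSPResponseFile setting, cannot configure "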
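Review bot: A path that `ap_server_root_relative()` cannot resolve (it returns NULL in that case, as far as I recall) ends up as a NULL entry at lines 148-149, indistinguishable from the explicit "" skip marker handled at line 146, so a mistyped file name silently turns into an HTTP OCSP request instead of a configuration error. Reporting it from the directive handler keeps the mistake visible at startup: `if (sc->ocsp_response_file[i] == NULL) return apr_psprintf(parms->pool, "GnuTLSOCSPResponseFile: invalid path '%s'", argv[i]);` right after the assignment. The `idx < sc->ocsp_response_file_num` guard at line 1156 likewise means a list shorter than the certificate chain quietly falls back to HTTP for the remaining certificates, which matches the commit message but deserves a comment at that line; since `idx` is now a plain int, the guard also relies on callers never passing a negative value, and the function's signature and body continue outside this hunk.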
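--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -46,4 +46,7 @@
     /** OCSP URI extracted from the certificate. NULL if unset. */
     apr_uri_t *uri;
+    /** OCSP response file for the certificate. NULL if unset. Takes
+     * precedence over uri. */
+    char *response_file;
     /** Trust list to verify OCSP responses for stapling. Should
      * usually only contain the CA that signed the certificate. */
@@ -70,5 +73,5 @@
 const char *mgs_store_ocsp_response_path(cmd_parms * parms,
                                          void *dummy __attribute__((unused)),
-                                         const char *arg);
+                                         int argc, char *const *argv);
 
 /**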
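Review bot: The Doxygen comment for `mgs_store_ocsp_response_path` sits above line 73 and outside this hunk, so I cannot tell whether it was updated for the argc/argv form; the new contract is worth spelling out there: each argv entry is a path made ServerRoot-relative and stored in the order of GnuTLSX509CertificateFile, and the empty string leaves the corresponding certificate without a response file. The declaration at line 73 also spells `cmd_parms * parms` while the definition in gnutls_ocsp.c uses `cmd_parms *parms`; making them match is a small consistency win while the line is being touched.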
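--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -3,5 +3,5 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2019 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -379,9 +379,11 @@
                  NULL, RSRC_CONF,
                  "Check nonce in OCSP responses?"),
-    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
+    AP_INIT_TAKE_ARGV("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
                   NULL, RSRC_CONF,
-                  "Read OCSP response for stapling from this file instead "
-                  "of sending a request over HTTP (must be updated "
-                  "externally)"),
+                  "Read OCSP responses for stapling from these files instead "
+                  "of sending a request over HTTP. Files must be listed in "
+                  "the same order as listed in GnuTLSX509CertificateFile, "
+                  "and must be updated externally. Use the empty string "
+                  "(\"\") to skip a certificate in the list."),
     AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,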