Changeset a3e0f7b in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Jan 12, 2020, 10:01:55 AM (9 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
5c9ca6b
Parents:
845c112
git-author:
Fiona Klute <fiona.klute@…> (01/12/20 07:50:52)
git-committer:
Fiona Klute <fiona.klute@…> (01/12/20 10:01:55)
Message:

Support a list of files for the GnuTLSOCSPResponseFile option

This allows users to specify multiple responses for multi-staple. Note
that mod_gnutls will try to send its own requests for certificates
without a matching response.

File:
1 edited

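--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -28,4 +28,5 @@
 #include <gnutls/ocsp.h>
 #include <mod_watchdog.h>
+#include <string.h>
 #include <time.h>
 
@@ -133,10 +134,19 @@
 const char *mgs_store_ocsp_response_path(cmd_parms *parms,
                                          void *dummy __attribute__((unused)),
-                                         const char *arg)
+                                         int argc, char *const *argv)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(parms->server->module_config, &gnutls_module);
 
-    sc->ocsp_response_file = ap_server_root_relative(parms->pool, arg);
+    sc->ocsp_response_file_num = argc;
+    sc->ocsp_response_file = apr_palloc(parms->pool, sizeof(char *) * argc);
+    for (int i = 0; i < argc; i++)
+    {
+        if (strcmp(argv[i], "") == 0)
+            sc->ocsp_response_file[i] = NULL;
+        else
+            sc->ocsp_response_file[i] =
+                ap_server_root_relative(parms->pool, argv[i]);
+    }
     return NULL;
 }
@@ -678,15 +688,15 @@
     gnutls_datum_t nonce = { NULL, 0 };
 
-    if (sc->ocsp_response_file != NULL)
+    if (req_data->response_file != NULL)
     {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
                      "Loading OCSP response from %s",
-                     sc->ocsp_response_file);
-        rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);
+                     req_data->response_file);
+        rv = datum_from_file(tmp, req_data->response_file, &resp);
         if (rv != APR_SUCCESS)
         {
             ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
                          "Loading OCSP response from %s failed!",
-                         sc->ocsp_response_file);
+                         req_data->response_file);
             apr_pool_destroy(tmp);
             return rv;
@@ -1138,5 +1148,5 @@
                                          server_rec *server,
                                          mgs_srvconf_rec *sc,
-                                         unsigned int idx,
+                                         int idx,
                                          apr_pool_t *pconf)
 {
@@ -1144,8 +1154,11 @@
     ocsp->server = server;
 
+    if (sc->ocsp_response_file != NULL && idx < sc->ocsp_response_file_num)
+        ocsp->response_file = sc->ocsp_response_file[idx];
+    else
+        ocsp->response_file = NULL;
+
     ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
-    // TODO: ocsp_response_file is completely broken with >1
-    // certificates. Allow a list?
-    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
+    if (ocsp->uri == NULL && ocsp->response_file == NULL)
         return "No OCSP URI in the certificate nor a "
             "GnuTLSOCSPResponseFile setting, cannot configure "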
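Review bot: The new guard `idx < sc->ocsp_response_file_num` at new line 1156 checks only the upper bound, while the same changeset turns `idx` from `unsigned int` into `int` (new line 1150), so a negative index would satisfy the comparison and read before the start of `sc->ocsp_response_file`; the callers are outside this changeset, so whether a negative value can actually reach this point is not visible here. Either keep the parameter unsigned and compare against `(unsigned int) sc->ocsp_response_file_num`, or write the test as `if (sc->ocsp_response_file != NULL && idx >= 0 && idx < sc->ocsp_response_file_num)`. The empty-string convention in `mgs_store_ocsp_response_path` (new lines 145–146) also deserves a comment, for example `/* "" leaves the slot NULL: no stored response for that certificate, mod_gnutls will request one itself */`, since the commit message rather than the code is currently the only place that explains it. The function holding the idx check starts and ends outside the shown hunks.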