Changeset cc74801 in mod_gnutls


Timestamp:
Jun 10, 2016, 8:19:20 PM (2 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
a372379
Parents:
6b89353
Message:

Move generated vhost-wide OCSP config into a private structure

Files:
5 edited

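--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -86,4 +86,8 @@
     int client_verify_mode;
 } mgs_dirconf_rec;
+
+
+/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */
+typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
 
 
@@ -210,13 +214,8 @@
      * once sending OCSP requests is implemented */
     char *ocsp_response_file;
-    /* OCSP URI extracted from the server certificate. NULL if
-     * unset. */
-    apr_uri_t *ocsp_uri;
+    /* Server specific OCSP data */
+    mgs_ocsp_data_t ocsp;
     /* Mutex to prevent parallel OCSP requests */
     apr_global_mutex_t *ocsp_mutex;
-    /* Trust list to verify OCSP responses for stapling. Should
-     * usually only contain the CA that signed the server
-     * certificate. */
-    gnutls_x509_trust_list_t *ocsp_trust;
     /* Cached OCSP responses expire this long before their validity
      * period expires. This way mod_gnutls does not staple barely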
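Review bot: The new `typedef struct mgs_ocsp_data* mgs_ocsp_data_t;` hides the indirection of the `ocsp` member, and whether that member can be NULL is exactly what every reader of the server config needs to know (src/gnutls_hooks.c in this changeset only initializes it for hosts where `ocsp_response_file` is set, so for other hosts it stays NULL or, if the record is not zero-allocated, indeterminate). I would replace the typedef with a plain forward declaration `struct mgs_ocsp_data;` and declare the member as `struct mgs_ocsp_data *ocsp;`, so the pointer is visible at the use site. The member comment should also state the lifecycle, e.g. `/* Server specific OCSP data; NULL until initialized in post_config for hosts with OCSP enabled */` (the post_config origin is inferred from the hooks hunk and should be confirmed). The `mgs_srvconf_rec`-style struct that holds this member starts and ends outside the hunk.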
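--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -980,7 +980,5 @@
 
     sc->ocsp_response_file = NULL;
-    sc->ocsp_uri = NULL;
     sc->ocsp_mutex = NULL;
-    sc->ocsp_trust = NULL;
     sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
 
@@ -1042,6 +1040,4 @@
 
     gnutls_srvconf_assign(ocsp_response_file);
-    gnutls_srvconf_assign(ocsp_uri);
-    gnutls_srvconf_assign(ocsp_trust);
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
 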
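Review bot: The first hunk removes the explicit `sc->ocsp_uri = NULL;` and `sc->ocsp_trust = NULL;` initializers but adds no initializer for the replacement `sc->ocsp` member, so unless the config record is allocated with apr_pcalloc (not visible here) the new pointer is indeterminate until post_config fills it in, and the NULL checks elsewhere in this changeset cannot rely on it; I would add `sc->ocsp = NULL;` next to `sc->ocsp_mutex = NULL;`. The second hunk likewise drops `gnutls_srvconf_assign(ocsp_uri)` and `gnutls_srvconf_assign(ocsp_trust)` without assigning `ocsp` in the merge; that is presumably intentional because the structure is generated per host after merging (per the src/gnutls_ocsp.c hunk), but a one-line comment such as `/* ocsp is generated per host in post_config, not merged */` would keep the next reader from re-adding it. Both enclosing functions start and end outside the hunks.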
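--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -402,5 +402,5 @@
 
         sc->ocsp_mutex = sc_base->ocsp_mutex;
-        /* init OCSP trust list if OCSP is enabled for this host */
+        /* init OCSP configuration if OCSP is enabled for this host */
         if (sc->ocsp_response_file != NULL)
         {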
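--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -91,5 +91,5 @@
         ap_get_module_config(s->module_config, &gnutls_module);
 
-    if (sc->ocsp_trust == NULL)
+    if (sc->ocsp->trust == NULL)
     {
         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
@@ -127,5 +127,5 @@
 
     unsigned int verify;
-    ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp_trust), &verify, 0);
+    ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp->trust), &verify, 0);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -253,5 +253,5 @@
 
 
-/* TODO: fetch response from sc->ocsp_uri */
+/* TODO: fetch response from sc->ocsp->uri */
 apr_status_t mgs_cache_ocsp_response(server_rec *s)
 {
@@ -532,11 +532,14 @@
     }
 
-    sc->ocsp_uri = mgs_cert_get_ocsp_uri(pconf, sc->certs_x509_crt_chain[0]);
-
-    sc->ocsp_trust = apr_palloc(pconf,
-                                sizeof(gnutls_x509_trust_list_t));
+    sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
+
+    sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
+                                          sc->certs_x509_crt_chain[0]);
+
+    sc->ocsp->trust = apr_palloc(pconf,
+                                 sizeof(gnutls_x509_trust_list_t));
     /* Only the direct issuer may sign the OCSP response or an OCSP
      * signer. */
-    int ret = mgs_create_ocsp_trust_list(sc->ocsp_trust,
+    int ret = mgs_create_ocsp_trust_list(sc->ocsp->trust,
                                          &(sc->certs_x509_crt_chain[1]),
                                          1);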
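Review bot: In the first hunk the guard `if (sc->ocsp->trust == NULL)` dereferences `sc->ocsp` before anything has checked it, so the check that used to catch an uninitialized OCSP configuration now becomes a NULL (or wild, if the record is not zero-allocated) pointer dereference for a host whose `ocsp` was never set up; the src/gnutls_hooks.c hunk in this changeset only runs the initialization when `ocsp_response_file` is set, so such hosts do exist. The guard should become `if (sc->ocsp == NULL || sc->ocsp->trust == NULL)` so the existing error log path handles it. The second hunk (`gnutls_ocsp_resp_verify` with `*(sc->ocsp->trust)`) has the same dependency and is presumably only reached after this guard, which is worth confirming. The functions containing all four hunks start and end outside them.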
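--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -24,4 +24,17 @@
 
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
+
+/**
+ * Vhost specific OCSP data structure
+ */
+struct mgs_ocsp_data {
+    /* OCSP URI extracted from the server certificate. NULL if
+     * unset. */
+    apr_uri_t *uri;
+    /* Trust list to verify OCSP responses for stapling. Should
+     * usually only contain the CA that signed the server
+     * certificate. */
+    gnutls_x509_trust_list_t *trust;
+};
 
 const char *mgs_store_ocsp_response_path(cmd_parms * parms,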
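Review bot: The doc comment on `struct mgs_ocsp_data` says what it is but not who owns it or how long it lives, which matters because the pointer is stored in the server config and read from the OCSP verification path. From the src/gnutls_ocsp.c hunk in this changeset the structure and its `trust` list are allocated from the config pool per vhost and `trust` is deinitialized by a pool cleanup, so I would extend the comment to: `Allocated from the config pool during per-vhost OCSP initialization in gnutls_ocsp.c and never freed explicitly; trust is deinitialized by a pool cleanup. Only present for hosts with OCSP enabled.` The last sentence is inferred from the src/gnutls_hooks.c hunk and should be confirmed against the caller.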