Changeset cc74801 in mod_gnutls for src

Timestamp:

Jun 10, 2016, 8:19:20 PM (3 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, master, upstream

Children:

a372379

Parents:

6b89353

Message:

Move generated vhost-wide OCSP config into a private structure

Location:

src

Files:

• gnutls_config.c (modified) (2 diffs)
• gnutls_hooks.c (modified) (1 diff)
• gnutls_ocsp.c (modified) (5 diffs)
• gnutls_ocsp.h (modified) (1 diff)

src/gnutls_config.c

@@ -980 +980 @@
 
     sc->ocsp_response_file = NULL;
-    sc->ocsp_uri = NULL;
     sc->ocsp_mutex = NULL;
-    sc->ocsp_trust = NULL;
     sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
 
@@ -1042 +1040 @@
 
     gnutls_srvconf_assign(ocsp_response_file);
-    gnutls_srvconf_assign(ocsp_uri);
-    gnutls_srvconf_assign(ocsp_trust);
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
 

src/gnutls_hooks.c

@@ -402 +402 @@
 
         sc->ocsp_mutex = sc_base->ocsp_mutex;
-        /* init OCSP trust list if OCSP is enabled for this host */
+        /* init OCSP configuration if OCSP is enabled for this host */
         if (sc->ocsp_response_file != NULL)
         {

src/gnutls_ocsp.c

@@ -91 +91 @@
         ap_get_module_config(s->module_config, &gnutls_module);
 
-    if (sc->ocsp_trust == NULL)
+    if (sc->ocsp->trust == NULL)
     {
         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
@@ -127 +127 @@
 
     unsigned int verify;
-    ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp_trust), &verify, 0);
+    ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp->trust), &verify, 0);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -253 +253 @@
 
 
-/* TODO: fetch response from sc->ocsp_uri */
+/* TODO: fetch response from sc->ocsp->uri */
 apr_status_t mgs_cache_ocsp_response(server_rec *s)
 {
@@ -532 +532 @@
     }
 
-    sc->ocsp_uri = mgs_cert_get_ocsp_uri(pconf, sc->certs_x509_crt_chain[0]);
-
-    sc->ocsp_trust = apr_palloc(pconf,
-                                sizeof(gnutls_x509_trust_list_t));
+    sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
+
+    sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
+                                          sc->certs_x509_crt_chain[0]);
+
+    sc->ocsp->trust = apr_palloc(pconf,
+                                 sizeof(gnutls_x509_trust_list_t));
      /* Only the direct issuer may sign the OCSP response or an OCSP
       * signer. */
-    int ret = mgs_create_ocsp_trust_list(sc->ocsp_trust,
+    int ret = mgs_create_ocsp_trust_list(sc->ocsp->trust,
                                          &(sc->certs_x509_crt_chain[1]),
                                          1);
@@ -549 +552 @@
     }
     /* deinit trust list when the config pool is destroyed */
-    apr_pool_cleanup_register(pconf, sc->ocsp_trust,
+    apr_pool_cleanup_register(pconf, sc->ocsp->trust,
                               mgs_cleanup_trust_list,
                               apr_pool_cleanup_null);

src/gnutls_ocsp.h

@@ -24 +24 @@
 
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
+
+/**
+ * Vhost specific OCSP data structure
+ */
+struct mgs_ocsp_data {
+    /* OCSP URI extracted from the server certificate. NULL if
+     * unset. */
+    apr_uri_t *uri;
+    /* Trust list to verify OCSP responses for stapling. Should
+     * usually only contain the CA that signed the server
+     * certificate. */
+    gnutls_x509_trust_list_t *trust;
+};
 
 const char *mgs_store_ocsp_response_path(cmd_parms * parms,