Changeset e376ed8 in mod_gnutls


Ignore:
Timestamp:
Nov 29, 2019, 4:30:08 PM (11 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
618ee14
Parents:
d4c9331 (diff), 556783e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge branch 'subca'

Files:
3 added
11 edited

Legend:

Unmodified
Added
Removed
  • README

    rd4c9331 re376ed8  
    2222-------------
    2323
    24  * GnuTLS          >= 3.3 <https://www.gnutls.org/> (3.4 or newer recommended)
     24 * GnuTLS          >= 3.6.3 <https://www.gnutls.org/>
    2525 * Apache HTTPD    >= 2.4.17 <https://httpd.apache.org/>
    2626 * autotools, GNU make, & GCC
  • configure.ac

    rd4c9331 re376ed8  
    4646        ], [])
    4747
    48 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
     48PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.6.3])
    4949
    5050LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`
     
    133133# openssl is needed as the responder for OCSP tests
    134134AC_PATH_PROG([OPENSSL], [openssl], [no])
    135 # OCSP checks with gnutls-cli from GnuTLS versions before 3.3.23,
    136 # 3.4.12, or 3.5.1 (on the respective 3.x branch) fail if intermediate
    137 # CAs cannot be status checked, even if there are no intermediate CAs
    138 # like in the mod_gnutls test suite where end entity certificates are
    139 # directly issued by a root CA.
    140 AC_MSG_CHECKING([for gnutls-cli version supporting OCSP for EE under root CA])
    141 AC_PREPROC_IFELSE(
    142         [AC_LANG_SOURCE([[#include "gnutls/gnutls.h"
    143                         #if GNUTLS_VERSION_NUMBER < 0x030317
    144                         #error
    145                         #elif GNUTLS_VERSION_NUMBER >= 0x030400 && GNUTLS_VERSION_NUMBER < 0x03040c
    146                         #error
    147                         #elif GNUTLS_VERSION_NUMBER == 0x030500
    148                         #error
    149                         #endif
    150                         ]])],
    151         [gnutls_ocsp_ok="yes"],
    152         [gnutls_ocsp_ok="no"],
    153 )
    154 AC_MSG_RESULT([$gnutls_ocsp_ok])
    155 AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no" && test "${gnutls_ocsp_ok}" = "yes"])
     135AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no"])
    156136
    157137dnl Enable test namespaces? Default is "yes".
  • src/gnutls_cache.c

    rd4c9331 re376ed8  
    5252/** Maximum length of the hex string representation of a GnuTLS
    5353 * session ID: two characters per byte, plus one more for `\0` */
    54 #if GNUTLS_VERSION_NUMBER >= 0x030400
    5554#define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID_SIZE * 2) + 1)
    56 #else
    57 #define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID * 2) + 1)
    58 #endif
    5955
    6056#ifdef APLOG_USE_MODULE
     
    179175#define SOCACHE_FETCH_BUF_SIZE (8 * 1024)
    180176
    181 gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
    182                                gnutls_datum_t key, apr_pool_t *pool)
    183 {
    184     gnutls_datum_t data = {NULL, 0};
    185     data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
    186     if (data.data == NULL)
    187         return data;
    188     data.size = SOCACHE_FETCH_BUF_SIZE;
    189 
     177apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
     178                             gnutls_datum_t key, gnutls_datum_t *output,
     179                             apr_pool_t *pool)
     180{
    190181    apr_pool_t *spool;
    191182    apr_pool_create(&spool, pool);
     
    195186    apr_status_t rv = cache->prov->retrieve(cache->socache, server,
    196187                                            key.data, key.size,
    197                                             data.data, &data.size,
     188                                            output->data, &output->size,
    198189                                            spool);
    199190    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
     
    211202                         "error fetching from cache '%s:%s'",
    212203                         cache->prov->name, cache->config);
     204    }
     205    else
     206    {
     207        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
     208                     "fetched %u bytes from cache '%s:%s'",
     209                     output->size, cache->prov->name, cache->config);
     210    }
     211    apr_pool_destroy(spool);
     212
     213    return rv;
     214}
     215
     216
     217
     218/**
     219 * Fetch function for the GnuTLS session cache, see
     220 * gnutls_db_set_retrieve_function().
     221 *
     222 * *Warning*: The `data` element of the returned `gnutls_datum_t` is
     223 * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
     224 * session caching API, and must be released using `gnutls_free()`.
     225 *
     226 * @param baton mgs_handle_t for the connection, as set via
     227 * gnutls_db_set_ptr()
     228 *
     229 * @param key object key to fetch
     230 *
     231 * @return the requested cache entry, or `{NULL, 0}`
     232 */
     233static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
     234{
     235    gnutls_datum_t data = {NULL, 0};
     236    gnutls_datum_t dbmkey;
     237    mgs_handle_t *ctxt = baton;
     238
     239    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
     240        return data;
     241
     242    data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
     243    if (data.data == NULL)
     244        return data;
     245    data.size = SOCACHE_FETCH_BUF_SIZE;
     246
     247    apr_status_t rv = mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
     248                                      dbmkey, &data, ctxt->c->pool);
     249
     250    if (rv != APR_SUCCESS)
     251    {
    213252        /* free unused buffer */
    214253        gnutls_free(data.data);
     
    218257    else
    219258    {
    220         ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
    221                      "fetched %u bytes from cache '%s:%s'",
    222                      data.size, cache->prov->name, cache->config);
    223 
    224259        /* Realloc buffer to data.size. Data size must be less than or
    225260         * equal to the initial buffer size, so this REALLY should not
     
    228263        if (__builtin_expect(data.data == NULL, 0))
    229264        {
    230             ap_log_error(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, server,
     265            ap_log_cerror(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, ctxt->c,
    231266                         "%s: Could not realloc fetch buffer to data size!",
    232267                         __func__);
     
    234269        }
    235270    }
    236     apr_pool_destroy(spool);
    237271
    238272    return data;
    239 }
    240 
    241 
    242 
    243 /**
    244  * Fetch function for the GnuTLS session cache, see
    245  * gnutls_db_set_retrieve_function().
    246  *
    247  * *Warning*: The `data` element of the returned `gnutls_datum_t` is
    248  * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
    249  * session caching API, and must be released using `gnutls_free()`.
    250  *
    251  * @param baton mgs_handle_t for the connection, as set via
    252  * gnutls_db_set_ptr()
    253  *
    254  * @param key object key to fetch
    255  *
    256  * @return the requested cache entry, or `{NULL, 0}`
    257  */
    258 static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
    259 {
    260     gnutls_datum_t data = {NULL, 0};
    261     gnutls_datum_t dbmkey;
    262     mgs_handle_t *ctxt = baton;
    263 
    264     if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
    265         return data;
    266 
    267     return mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
    268                            dbmkey, ctxt->c->pool);
    269273}
    270274
  • src/gnutls_cache.h

    rd4c9331 re376ed8  
    139139 * @param key key for the cache entry to be fetched
    140140 *
    141  * @param pool pool to allocate the response and other temporary
    142  * memory from
     141 * @param output pre-allocated buffer to write to and its size
    143142 *
    144  * @return the requested cache entry, or `{NULL, 0}`
     143 * @param pool pool to allocate temporary memory from
     144 *
     145 * @return APR status or error value
    145146 */
    146 gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
    147                                gnutls_datum_t key, apr_pool_t *pool);
     147apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
     148                             gnutls_datum_t key, gnutls_datum_t *output,
     149                             apr_pool_t *pool);
    148150
    149151/**
  • src/gnutls_hooks.c

    rd4c9331 re376ed8  
    7373{
    7474    /* Free session ticket master key */
    75 #if GNUTLS_VERSION_NUMBER >= 0x030400
    7675    gnutls_memset(session_ticket_key.data, 0, session_ticket_key.size);
    77 #endif
    7876    gnutls_free(session_ticket_key.data);
    7977    session_ticket_key.data = NULL;
     
    384382
    385383static int cert_retrieve_fn(gnutls_session_t session,
    386                             const gnutls_datum_t * req_ca_rdn __attribute__((unused)),
    387                             int nreqs __attribute__((unused)),
    388                             const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)),
    389                             int pk_algos_length __attribute__((unused)),
     384                            const struct gnutls_cert_retr_st *info __attribute__((unused)),
    390385                            gnutls_pcert_st **pcerts,
    391386                            unsigned int *pcert_length,
    392                             gnutls_privkey_t *privkey)
     387                            gnutls_ocsp_data_st **ocsp,
     388                            unsigned int *ocsp_length,
     389                            gnutls_privkey_t *privkey,
     390                            unsigned int *flags)
    393391{
    394392    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     
    407405        *pcerts = ctxt->sc->certs_x509_chain;
    408406        *pcert_length = ctxt->sc->certs_x509_chain_num;
     407        *ocsp = NULL;
     408        *ocsp_length = 0;
    409409        *privkey = ctxt->sc->privkey_x509;
     410        *flags = 0;
     411
     412        if (ctxt->sc->ocsp_staple == GNUTLS_ENABLED_TRUE)
     413        {
     414            gnutls_ocsp_data_st *resp =
     415                apr_palloc(ctxt->c->pool, sizeof(gnutls_ocsp_data_st));
     416            resp->version = 0;
     417            resp->exptime = 0;
     418
     419            int ret = mgs_get_ocsp_response(session, NULL, &resp->response);
     420            if (ret == GNUTLS_E_SUCCESS)
     421            {
     422                *ocsp = resp;
     423                *ocsp_length = 1;
     424            }
     425        }
     426
    410427        return 0;
    411428    } else {
     
    417434
    418435
    419 #if GNUTLS_VERSION_NUMBER >= 0x030506
    420 #define HAVE_KNOWN_DH_GROUPS 1
    421 #endif
    422 #ifdef HAVE_KNOWN_DH_GROUPS
    423436/**
    424437 * Try to estimate a GnuTLS security parameter based on the given
     
    447460    return gnutls_pk_bits_to_sec_param(pk_algo, bits);
    448461}
    449 #else
    450 /** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
    451  * the default DH group if mod_gnutls is compiled agains a GnuTLS
    452  * version that does not provide known DH groups based on security
    453  * parameters (before 3.5.6). */
    454 static const char FFDHE2048_PKCS3[] =
    455     "-----BEGIN DH PARAMETERS-----\n"
    456     "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
    457     "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
    458     "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
    459     "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
    460     "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
    461     "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
    462     "-----END DH PARAMETERS-----\n";
    463 const gnutls_datum_t default_dh_params = {
    464     (void *) FFDHE2048_PKCS3,
    465     sizeof(FFDHE2048_PKCS3)
    466 };
    467 #endif
    468462
    469463
     
    485479        ap_get_module_config(server->module_config, &gnutls_module);
    486480
    487 #ifdef HAVE_KNOWN_DH_GROUPS
    488481    gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
    489482    if (sc->privkey_x509)
     
    519512        return HTTP_UNAUTHORIZED;
    520513    }
    521 #else
    522     int ret = gnutls_dh_params_init(&sc->dh_params);
    523     if (ret < 0)
    524     {
    525         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
    526                      "%s: Failed to initialize DH params structure: "
    527                      "%s (%d)", __func__, gnutls_strerror(ret), ret);
    528         return HTTP_UNAUTHORIZED;
    529     }
    530     ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
    531                                         GNUTLS_X509_FMT_PEM);
    532     if (ret < 0)
    533     {
    534         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
    535                      "%s: Failed to import default DH params: %s (%d)",
    536                      __func__, gnutls_strerror(ret), ret);
    537         return HTTP_UNAUTHORIZED;
    538     }
    539 
    540     gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
    541     gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
    542 #endif
    543514
    544515    return OK;
     
    731702        }
    732703
    733         /* The call after this comment is a workaround for bug in
    734          * gnutls_certificate_set_retrieve_function2 that ignores
    735          * supported certificate types. Should be fixed in GnuTLS
    736          * 3.3.12.
    737          *
    738          * Details:
    739          * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
    740          * Workaround from:
    741          * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */
    742 #if GNUTLS_VERSION_NUMBER < 0x030312
    743         gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);
    744 #endif
    745 
    746         gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);
     704        gnutls_certificate_set_retrieve_function3(sc->certs, cert_retrieve_fn);
    747705
    748706        if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
     
    13721330                                         gnutls_mac_get(ctxt->session)));
    13731331
    1374 #if GNUTLS_VERSION_NUMBER >= 0x030600
    13751332    /* Compression support has been removed since GnuTLS 3.6.0 */
    13761333    apr_table_setn(env, "SSL_COMPRESS_METHOD", "NULL");
    1377 #else
    1378     apr_table_setn(env, "SSL_COMPRESS_METHOD",
    1379             gnutls_compression_get_name(gnutls_compression_get(ctxt->session)));
    1380 #endif
    13811334
    13821335#ifdef ENABLE_SRP
  • src/gnutls_ocsp.c

    rd4c9331 re376ed8  
    4141/** Dummy data for failure cache entries (one byte). */
    4242#define OCSP_FAILURE_CACHE_DATA 0x0f
     43/** Macro to check if an OCSP reponse pointer contains a cached
     44 * failure */
     45#define IS_FAILURE_RESPONSE(resp) \
     46    (((resp)->size == sizeof(unsigned char)) &&                     \
     47     (*((unsigned char *) (resp)->data) == OCSP_FAILURE_CACHE_DATA))
    4348
    4449
     
    786791    }
    787792
    788     *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
    789                                      ctxt->c->base_server,
    790                                      ctxt->sc->ocsp->fingerprint,
    791                                      ctxt->c->pool);
    792     if (ocsp_response->size == 0)
     793    // TODO: Large allocation, and the pool system doesn't offer realloc
     794    ocsp_response->data = apr_palloc(ctxt->c->pool, OCSP_RESP_SIZE_MAX);
     795    ocsp_response->size = OCSP_RESP_SIZE_MAX;
     796
     797    apr_status_t rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
     798                                      ctxt->c->base_server,
     799                                      ctxt->sc->ocsp->fingerprint,
     800                                      ocsp_response,
     801                                      ctxt->c->pool);
     802    if (rv != APR_SUCCESS)
    793803    {
    794804        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
    795805                      "Fetching OCSP response from cache failed.");
    796806    }
    797     else if ((ocsp_response->size == sizeof(unsigned char)) &&
    798              (*((unsigned char *) ocsp_response->data) == OCSP_FAILURE_CACHE_DATA))
     807    else if (IS_FAILURE_RESPONSE(ocsp_response))
    799808    {
    800809        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
     
    807816        return GNUTLS_E_SUCCESS;
    808817    }
    809     /* get rid of invalid response (if any) */
    810     gnutls_free(ocsp_response->data);
    811     ocsp_response->data = NULL;
     818    /* keep response buffer, reset size for reuse */
     819    ocsp_response->size = OCSP_RESP_SIZE_MAX;
    812820
    813821    /* If the cache had no response or an invalid one, try to update. */
     
    815823                  "No valid OCSP response in cache, trying to update.");
    816824
    817     apr_status_t rv = apr_global_mutex_trylock(sc->ocsp_mutex);
     825    rv = apr_global_mutex_trylock(sc->ocsp_mutex);
    818826    if (APR_STATUS_IS_EBUSY(rv))
    819827    {
     
    824832         * moment there's no good way to integrate that with the
    825833         * Apache Mutex directive. */
    826         *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
    827                                          ctxt->c->base_server,
    828                                          ctxt->sc->ocsp->fingerprint,
    829                                          ctxt->c->pool);
    830         if (ocsp_response->size > 0)
    831         {
    832             /* Got a valid response now, unlock mutex and return. */
     834        rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
     835                             ctxt->c->base_server,
     836                             ctxt->sc->ocsp->fingerprint,
     837                             ocsp_response,
     838                             ctxt->c->pool);
     839        if (rv == APR_SUCCESS)
     840        {
    833841            apr_global_mutex_unlock(sc->ocsp_mutex);
    834             return GNUTLS_E_SUCCESS;
     842            /* Check if the response is valid. */
     843            if (IS_FAILURE_RESPONSE(ocsp_response))
     844            {
     845                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
     846                              "Cached OCSP failure found for %s.",
     847                              ctxt->c->base_server->server_hostname);
     848                goto fail_cleanup;
     849            }
     850            else
     851                return GNUTLS_E_SUCCESS;
    835852        }
    836853        else
    837854        {
    838             gnutls_free(ocsp_response->data);
    839             ocsp_response->data = NULL;
     855            /* keep response buffer, reset size for reuse */
     856            ocsp_response->size = OCSP_RESP_SIZE_MAX;
    840857        }
    841858    }
     
    855872
    856873    /* retry reading from cache */
    857     *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
    858                                      ctxt->c->base_server,
    859                                      ctxt->sc->ocsp->fingerprint,
    860                                      ctxt->c->pool);
    861     if (ocsp_response->size == 0)
     874    rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
     875                         ctxt->c->base_server,
     876                         ctxt->sc->ocsp->fingerprint,
     877                         ocsp_response,
     878                         ctxt->c->pool);
     879    if (rv != APR_SUCCESS)
    862880    {
    863881        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
     
    869887    }
    870888
    871     /* failure, clean up response data */
     889    /* failure, reset struct, buffer will be released with the
     890     * connection pool */
    872891 fail_cleanup:
    873     gnutls_free(ocsp_response->data);
    874892    ocsp_response->size = 0;
    875893    ocsp_response->data = NULL;
     
    10611079    if (rv != APR_SUCCESS)
    10621080    {
    1063         const gnutls_datum_t ocsp_response =
    1064             mgs_cache_fetch(sc->ocsp_cache, server,
    1065                             sc->ocsp->fingerprint, pool);
    1066 
    1067         if (ocsp_response.size == 0 ||
    1068             ((ocsp_response.size == sizeof(unsigned char)) &&
    1069              (*((unsigned char *) ocsp_response.data) ==
    1070               OCSP_FAILURE_CACHE_DATA)))
     1081        gnutls_datum_t ocsp_response;
     1082        ocsp_response.data = apr_palloc(pool, OCSP_RESP_SIZE_MAX);
     1083        ocsp_response.size = OCSP_RESP_SIZE_MAX;
     1084
     1085        apr_status_t rv = mgs_cache_fetch(sc->ocsp_cache, server,
     1086                                          sc->ocsp->fingerprint,
     1087                                          &ocsp_response,
     1088                                          pool);
     1089
     1090        if (rv != APR_SUCCESS || (IS_FAILURE_RESPONSE(&ocsp_response)))
    10711091        {
    10721092            ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
     
    10751095            mgs_cache_ocsp_failure(server, sc->ocsp_failure_timeout * 2);
    10761096        }
    1077 
    1078         /* Get rid of the response, if any */
    1079         if (ocsp_response.size != 0)
    1080             gnutls_free(ocsp_response.data);
    10811097    }
    10821098    apr_global_mutex_unlock(sc->ocsp_mutex);
     
    11961212                              apr_pool_cleanup_null);
    11971213
    1198     /* enable status request callback */
    1199     gnutls_certificate_set_ocsp_status_request_function(sc->certs,
    1200                                                         mgs_get_ocsp_response,
    1201                                                         sc);
    1202 
    12031214    /* The watchdog structure may be NULL if mod_watchdog is
    12041215     * unavailable. */
  • test/Makefile.am

    rd4c9331 re376ed8  
    5858shared_identities = authority authority/client
    5959pgp_identities = $(shared_identities)
    60 x509_only_identities = authority/server authority/imposter rogueca \
    61         rogueca/rogueclient
    62 if ENABLE_OCSP_TEST
    63 x509_only_identities += authority/ocsp-responder
     60x509_only_identities = authority/server authority/imposter \
     61        authority/subca authority/subca/server \
     62        rogueca rogueca/rogueclient
     63if ENABLE_OCSP_TEST
     64x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
    6465endif
    6566x509_identities = $(shared_identities) $(x509_only_identities)
     
    101102        authority/imposter/template.in authority/ocsp-responder/template \
    102103        authority/server/template.in \
     104        authority/subca/template.in authority/subca/server/template.in \
     105        authority/subca/ocsp-responder/template \
    103106        rogueca/template rogueca/rogueclient/template.in
    104107generated_templates = authority/template authority/client/template \
     
    161164if ENABLE_OCSP_TEST
    162165# rules to build OCSP database
    163 check_DATA += authority/ocsp_index.txt
    164 MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr
    165 authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
    166         ./gen_ocsp_index authority/server/x509.pem authority/client/x509.pem > $@
    167 
    168 authority/ocsp_index.txt.attr: authority/secret.key
     166ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
     167        authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
     168check_DATA += $(ocsp_index_data)
     169MOSTLYCLEANFILES += $(ocsp_index_data)
     170
     171# The "find" command builds a list of all certificates directly below
     172# the CA that aren't for the ocsp-responder.
     173%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
     174        ./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@
     175
     176%/ocsp_index.txt.attr:
     177        @mkdir -m 0700 -p $(dir $@)
    169178        echo "unique_subject = no" > $@
    170179
    171 # build certificate chain file for server
    172 check_DATA += authority/server/x509-chain.pem
    173 MOSTLYCLEANFILES += authority/server/x509-chain.pem
    174 %/x509-chain.pem: %/x509.pem authority/x509.pem
    175         cat $< authority/x509.pem > $@
     180# Build certificate chain files. Note that intermediate tokens must be
     181# listed explicitly, or the dependency chain will be broken because
     182# the higher level pattern matches, too.
     183chain_tokens = authority/server/x509-chain.pem \
     184        authority/subca/x509-chain.pem \
     185        authority/subca/server/x509-chain.pem
     186check_DATA += $(chain_tokens)
     187MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
    176188endif
    177189
  • test/ocsp_server.conf.in

    rd4c9331 re376ed8  
    2222        RewriteEngine   On
    2323        RewriteRule     ^/ocsp(.*)      /ocsp.cgi$1     [L]
     24        # General rules for all OCSP handling
    2425        <Location /ocsp/>
    2526                # Some clients seem to have trouble with chunked
    2627                # encoding, so force HTTP/1.0 for now.
    2728                SetEnv  downgrade-1.0
     29                <If "-n osenv('OPENSSL')">
     30                        # Pass OPENSSL variable to CGI script if set
     31                        SetEnv  OPENSSL         ${OPENSSL}
     32                </If>
     33        </Location>
     34        <Location /ocsp/authority/>
    2835                # certificates and key for ocsp.cgi
    2936                SetEnv  CA_CERT         ${PWD}/authority/x509.pem
     
    3138                SetEnv  OCSP_CERT       ${PWD}/authority/ocsp-responder/x509.pem
    3239                SetEnv  OCSP_KEY        ${PWD}/authority/ocsp-responder/secret.key
    33                 <If "-n osenv('OPENSSL')">
    34                         # Pass OPENSSL variable to CGI script if set
    35                         SetEnv  OPENSSL         ${OPENSSL}
    36                 </If>
     40        </Location>
     41        <Location /ocsp/authority/subca/>
     42                # certificates and key for ocsp.cgi
     43                SetEnv  CA_CERT         ${PWD}/authority/subca/x509.pem
     44                SetEnv  OCSP_INDEX      ${PWD}/authority/subca/ocsp_index.txt
     45                SetEnv  OCSP_CERT       ${PWD}/authority/subca/ocsp-responder/x509.pem
     46                SetEnv  OCSP_KEY        ${PWD}/authority/subca/ocsp-responder/secret.key
    3747        </Location>
    3848        <Directory ${srcdir}/data>
  • test/test_ca.mk

    rd4c9331 re376ed8  
    1010        @mkdir -m 0700 -p $(@D)
    1111        sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
    12         sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)," $@
     12        sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)$(dir $(*))," $@
    1313        for i in $(patsubst [%],%,$(TEST_IP)); do \
    1414                IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \
     
    5858# special rule for root CAs
    5959root_cert_rule = certtool --outfile $@ --generate-self-signed --load-privkey $(dir $@)secret.key --template $<
     60root_chain_rule = cp $< $@
    6061authority/x509.pem rogueca/x509.pem: %/x509.pem: %/template %/secret.key
    6162        $(root_cert_rule)
     63authority/x509-chain.pem rogueca/x509-chain.pem: %/x509-chain.pem: %/x509.pem
     64        $(root_chain_rule)
    6265
    6366# generic rule for building non-root certificates, with the CA in the
    6467# parent directory
    6568cert_rule = certtool --outfile $@ --generate-certificate --load-ca-certificate $(dir $@)../x509.pem --load-ca-privkey $(dir $@)../secret.key --load-privkey $(dir $@)secret.key --template $<
     69chain_rule = cat $< $(dir $@)../x509-chain.pem > $@
    6670
    6771# certificates signed by the test root CA
    6872%/x509.pem: %/template %/secret.key authority/secret.key authority/x509.pem
    6973        $(cert_rule)
     74%/x509-chain.pem: %/x509.pem authority/x509-chain.pem
     75        $(chain_rule)
     76
     77# certificates signed by the test sub CA
     78authority/subca/%/x509.pem: authority/subca/%/template authority/subca/%/secret.key authority/subca/x509.pem
     79        $(cert_rule)
     80authority/subca/%/x509-chain.pem: authority/subca/%/x509.pem authority/subca/x509-chain.pem
     81        $(chain_rule)
    7082
    7183# certificates signed by rogue CA (for error cases)
  • test/tests/00_basic/apache.conf

    rd4c9331 re376ed8  
    66 ServerName ${TEST_HOST}
    77 GnuTLSEnable On
    8  GnuTLSCertificateFile  authority/server/x509.pem
    9  GnuTLSKeyFile          authority/server/secret.key
     8 GnuTLSCertificateFile  authority/subca/server/x509-chain.pem
     9 GnuTLSKeyFile          authority/subca/server/secret.key
    1010</VirtualHost>
  • test/tests/27_OCSP_server/apache.conf

    rd4c9331 re376ed8  
    1212        #GnuTLSOCSPStapling     On
    1313        GnuTLSOCSPCacheTimeout  60
    14         GnuTLSCertificateFile   authority/server/x509-chain.pem
    15         GnuTLSKeyFile           authority/server/secret.key
     14        GnuTLSCertificateFile   authority/subca/server/x509-chain.pem
     15        GnuTLSKeyFile           authority/subca/server/secret.key
    1616        GnuTLSPriorities        NORMAL
    1717</VirtualHost>
Note: See TracChangeset for help on using the changeset viewer.