Changeset e376ed8 in mod_gnutls
- Timestamp:
- Nov 29, 2019, 4:30:08 PM (3 years ago)
- Branches:
- asyncio, main, master, proxy-ticket
- Children:
- 618ee14
- Parents:
- d4c9331 (diff), 556783e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)links above to see all the changes relative to each parent. - Files:
-
- 3 added
- 11 edited
-
README (modified) (1 diff)
-
configure.ac (modified) (2 diffs)
-
src/gnutls_cache.c (modified) (7 diffs)
-
src/gnutls_cache.h (modified) (1 diff)
-
src/gnutls_hooks.c (modified) (9 diffs)
-
src/gnutls_ocsp.c (modified) (10 diffs)
-
test/Makefile.am (modified) (3 diffs)
-
test/authority/subca/ocsp-responder/template (added)
-
test/authority/subca/server/template.in (added)
-
test/authority/subca/template.in (added)
-
test/ocsp_server.conf.in (modified) (2 diffs)
-
test/test_ca.mk (modified) (2 diffs)
-
test/tests/00_basic/apache.conf (modified) (1 diff)
-
test/tests/27_OCSP_server/apache.conf (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
README
rd4c9331 re376ed8 22 22 ------------- 23 23 24 * GnuTLS >= 3. 3 <https://www.gnutls.org/> (3.4 or newer recommended)24 * GnuTLS >= 3.6.3 <https://www.gnutls.org/> 25 25 * Apache HTTPD >= 2.4.17 <https://httpd.apache.org/> 26 26 * autotools, GNU make, & GCC -
configure.ac
rd4c9331 re376ed8 46 46 ], []) 47 47 48 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3. 3.0])48 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.6.3]) 49 49 50 50 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls` … … 133 133 # openssl is needed as the responder for OCSP tests 134 134 AC_PATH_PROG([OPENSSL], [openssl], [no]) 135 # OCSP checks with gnutls-cli from GnuTLS versions before 3.3.23, 136 # 3.4.12, or 3.5.1 (on the respective 3.x branch) fail if intermediate 137 # CAs cannot be status checked, even if there are no intermediate CAs 138 # like in the mod_gnutls test suite where end entity certificates are 139 # directly issued by a root CA. 140 AC_MSG_CHECKING([for gnutls-cli version supporting OCSP for EE under root CA]) 141 AC_PREPROC_IFELSE( 142 [AC_LANG_SOURCE([[#include "gnutls/gnutls.h" 143 #if GNUTLS_VERSION_NUMBER < 0x030317 144 #error 145 #elif GNUTLS_VERSION_NUMBER >= 0x030400 && GNUTLS_VERSION_NUMBER < 0x03040c 146 #error 147 #elif GNUTLS_VERSION_NUMBER == 0x030500 148 #error 149 #endif 150 ]])], 151 [gnutls_ocsp_ok="yes"], 152 [gnutls_ocsp_ok="no"], 153 ) 154 AC_MSG_RESULT([$gnutls_ocsp_ok]) 155 AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no" && test "${gnutls_ocsp_ok}" = "yes"]) 135 AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no"]) 156 136 157 137 dnl Enable test namespaces? Default is "yes". -
src/gnutls_cache.c
rd4c9331 re376ed8 52 52 /** Maximum length of the hex string representation of a GnuTLS 53 53 * session ID: two characters per byte, plus one more for `\0` */ 54 #if GNUTLS_VERSION_NUMBER >= 0x03040055 54 #define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID_SIZE * 2) + 1) 56 #else57 #define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID * 2) + 1)58 #endif59 55 60 56 #ifdef APLOG_USE_MODULE … … 179 175 #define SOCACHE_FETCH_BUF_SIZE (8 * 1024) 180 176 181 gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server, 182 gnutls_datum_t key, apr_pool_t *pool) 183 { 184 gnutls_datum_t data = {NULL, 0}; 185 data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE); 186 if (data.data == NULL) 187 return data; 188 data.size = SOCACHE_FETCH_BUF_SIZE; 189 177 apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server, 178 gnutls_datum_t key, gnutls_datum_t *output, 179 apr_pool_t *pool) 180 { 190 181 apr_pool_t *spool; 191 182 apr_pool_create(&spool, pool); … … 195 186 apr_status_t rv = cache->prov->retrieve(cache->socache, server, 196 187 key.data, key.size, 197 data.data, &data.size,188 output->data, &output->size, 198 189 spool); 199 190 if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE) … … 211 202 "error fetching from cache '%s:%s'", 212 203 cache->prov->name, cache->config); 204 } 205 else 206 { 207 ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server, 208 "fetched %u bytes from cache '%s:%s'", 209 output->size, cache->prov->name, cache->config); 210 } 211 apr_pool_destroy(spool); 212 213 return rv; 214 } 215 216 217 218 /** 219 * Fetch function for the GnuTLS session cache, see 220 * gnutls_db_set_retrieve_function(). 221 * 222 * *Warning*: The `data` element of the returned `gnutls_datum_t` is 223 * allocated using `gnutls_malloc()` for compatibility with the GnuTLS 224 * session caching API, and must be released using `gnutls_free()`. 225 * 226 * @param baton mgs_handle_t for the connection, as set via 227 * gnutls_db_set_ptr() 228 * 229 * @param key object key to fetch 230 * 231 * @return the requested cache entry, or `{NULL, 0}` 232 */ 233 static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key) 234 { 235 gnutls_datum_t data = {NULL, 0}; 236 gnutls_datum_t dbmkey; 237 mgs_handle_t *ctxt = baton; 238 239 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0) 240 return data; 241 242 data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE); 243 if (data.data == NULL) 244 return data; 245 data.size = SOCACHE_FETCH_BUF_SIZE; 246 247 apr_status_t rv = mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server, 248 dbmkey, &data, ctxt->c->pool); 249 250 if (rv != APR_SUCCESS) 251 { 213 252 /* free unused buffer */ 214 253 gnutls_free(data.data); … … 218 257 else 219 258 { 220 ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,221 "fetched %u bytes from cache '%s:%s'",222 data.size, cache->prov->name, cache->config);223 224 259 /* Realloc buffer to data.size. Data size must be less than or 225 260 * equal to the initial buffer size, so this REALLY should not … … 228 263 if (__builtin_expect(data.data == NULL, 0)) 229 264 { 230 ap_log_ error(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, server,265 ap_log_cerror(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, ctxt->c, 231 266 "%s: Could not realloc fetch buffer to data size!", 232 267 __func__); … … 234 269 } 235 270 } 236 apr_pool_destroy(spool);237 271 238 272 return data; 239 }240 241 242 243 /**244 * Fetch function for the GnuTLS session cache, see245 * gnutls_db_set_retrieve_function().246 *247 * *Warning*: The `data` element of the returned `gnutls_datum_t` is248 * allocated using `gnutls_malloc()` for compatibility with the GnuTLS249 * session caching API, and must be released using `gnutls_free()`.250 *251 * @param baton mgs_handle_t for the connection, as set via252 * gnutls_db_set_ptr()253 *254 * @param key object key to fetch255 *256 * @return the requested cache entry, or `{NULL, 0}`257 */258 static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)259 {260 gnutls_datum_t data = {NULL, 0};261 gnutls_datum_t dbmkey;262 mgs_handle_t *ctxt = baton;263 264 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)265 return data;266 267 return mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,268 dbmkey, ctxt->c->pool);269 273 } 270 274 -
src/gnutls_cache.h
rd4c9331 re376ed8 139 139 * @param key key for the cache entry to be fetched 140 140 * 141 * @param pool pool to allocate the response and other temporary 142 * memory from 141 * @param output pre-allocated buffer to write to and its size 143 142 * 144 * @return the requested cache entry, or `{NULL, 0}` 143 * @param pool pool to allocate temporary memory from 144 * 145 * @return APR status or error value 145 146 */ 146 gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server, 147 gnutls_datum_t key, apr_pool_t *pool); 147 apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server, 148 gnutls_datum_t key, gnutls_datum_t *output, 149 apr_pool_t *pool); 148 150 149 151 /** -
src/gnutls_hooks.c
rd4c9331 re376ed8 73 73 { 74 74 /* Free session ticket master key */ 75 #if GNUTLS_VERSION_NUMBER >= 0x03040076 75 gnutls_memset(session_ticket_key.data, 0, session_ticket_key.size); 77 #endif78 76 gnutls_free(session_ticket_key.data); 79 77 session_ticket_key.data = NULL; … … 384 382 385 383 static int cert_retrieve_fn(gnutls_session_t session, 386 const gnutls_datum_t * req_ca_rdn __attribute__((unused)), 387 int nreqs __attribute__((unused)), 388 const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)), 389 int pk_algos_length __attribute__((unused)), 384 const struct gnutls_cert_retr_st *info __attribute__((unused)), 390 385 gnutls_pcert_st **pcerts, 391 386 unsigned int *pcert_length, 392 gnutls_privkey_t *privkey) 387 gnutls_ocsp_data_st **ocsp, 388 unsigned int *ocsp_length, 389 gnutls_privkey_t *privkey, 390 unsigned int *flags) 393 391 { 394 392 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); … … 407 405 *pcerts = ctxt->sc->certs_x509_chain; 408 406 *pcert_length = ctxt->sc->certs_x509_chain_num; 407 *ocsp = NULL; 408 *ocsp_length = 0; 409 409 *privkey = ctxt->sc->privkey_x509; 410 *flags = 0; 411 412 if (ctxt->sc->ocsp_staple == GNUTLS_ENABLED_TRUE) 413 { 414 gnutls_ocsp_data_st *resp = 415 apr_palloc(ctxt->c->pool, sizeof(gnutls_ocsp_data_st)); 416 resp->version = 0; 417 resp->exptime = 0; 418 419 int ret = mgs_get_ocsp_response(session, NULL, &resp->response); 420 if (ret == GNUTLS_E_SUCCESS) 421 { 422 *ocsp = resp; 423 *ocsp_length = 1; 424 } 425 } 426 410 427 return 0; 411 428 } else { … … 417 434 418 435 419 #if GNUTLS_VERSION_NUMBER >= 0x030506420 #define HAVE_KNOWN_DH_GROUPS 1421 #endif422 #ifdef HAVE_KNOWN_DH_GROUPS423 436 /** 424 437 * Try to estimate a GnuTLS security parameter based on the given … … 447 460 return gnutls_pk_bits_to_sec_param(pk_algo, bits); 448 461 } 449 #else450 /** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is451 * the default DH group if mod_gnutls is compiled agains a GnuTLS452 * version that does not provide known DH groups based on security453 * parameters (before 3.5.6). */454 static const char FFDHE2048_PKCS3[] =455 "-----BEGIN DH PARAMETERS-----\n"456 "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"457 "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"458 "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"459 "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"460 "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"461 "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"462 "-----END DH PARAMETERS-----\n";463 const gnutls_datum_t default_dh_params = {464 (void *) FFDHE2048_PKCS3,465 sizeof(FFDHE2048_PKCS3)466 };467 #endif468 462 469 463 … … 485 479 ap_get_module_config(server->module_config, &gnutls_module); 486 480 487 #ifdef HAVE_KNOWN_DH_GROUPS488 481 gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN; 489 482 if (sc->privkey_x509) … … 519 512 return HTTP_UNAUTHORIZED; 520 513 } 521 #else522 int ret = gnutls_dh_params_init(&sc->dh_params);523 if (ret < 0)524 {525 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,526 "%s: Failed to initialize DH params structure: "527 "%s (%d)", __func__, gnutls_strerror(ret), ret);528 return HTTP_UNAUTHORIZED;529 }530 ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,531 GNUTLS_X509_FMT_PEM);532 if (ret < 0)533 {534 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,535 "%s: Failed to import default DH params: %s (%d)",536 __func__, gnutls_strerror(ret), ret);537 return HTTP_UNAUTHORIZED;538 }539 540 gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);541 gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);542 #endif543 514 544 515 return OK; … … 731 702 } 732 703 733 /* The call after this comment is a workaround for bug in 734 * gnutls_certificate_set_retrieve_function2 that ignores 735 * supported certificate types. Should be fixed in GnuTLS 736 * 3.3.12. 737 * 738 * Details: 739 * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html 740 * Workaround from: 741 * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */ 742 #if GNUTLS_VERSION_NUMBER < 0x030312 743 gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit); 744 #endif 745 746 gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn); 704 gnutls_certificate_set_retrieve_function3(sc->certs, cert_retrieve_fn); 747 705 748 706 if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) && … … 1372 1330 gnutls_mac_get(ctxt->session))); 1373 1331 1374 #if GNUTLS_VERSION_NUMBER >= 0x0306001375 1332 /* Compression support has been removed since GnuTLS 3.6.0 */ 1376 1333 apr_table_setn(env, "SSL_COMPRESS_METHOD", "NULL"); 1377 #else1378 apr_table_setn(env, "SSL_COMPRESS_METHOD",1379 gnutls_compression_get_name(gnutls_compression_get(ctxt->session)));1380 #endif1381 1334 1382 1335 #ifdef ENABLE_SRP -
src/gnutls_ocsp.c
rd4c9331 re376ed8 41 41 /** Dummy data for failure cache entries (one byte). */ 42 42 #define OCSP_FAILURE_CACHE_DATA 0x0f 43 /** Macro to check if an OCSP reponse pointer contains a cached 44 * failure */ 45 #define IS_FAILURE_RESPONSE(resp) \ 46 (((resp)->size == sizeof(unsigned char)) && \ 47 (*((unsigned char *) (resp)->data) == OCSP_FAILURE_CACHE_DATA)) 43 48 44 49 … … 786 791 } 787 792 788 *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache, 789 ctxt->c->base_server, 790 ctxt->sc->ocsp->fingerprint, 791 ctxt->c->pool); 792 if (ocsp_response->size == 0) 793 // TODO: Large allocation, and the pool system doesn't offer realloc 794 ocsp_response->data = apr_palloc(ctxt->c->pool, OCSP_RESP_SIZE_MAX); 795 ocsp_response->size = OCSP_RESP_SIZE_MAX; 796 797 apr_status_t rv = mgs_cache_fetch(ctxt->sc->ocsp_cache, 798 ctxt->c->base_server, 799 ctxt->sc->ocsp->fingerprint, 800 ocsp_response, 801 ctxt->c->pool); 802 if (rv != APR_SUCCESS) 793 803 { 794 804 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c, 795 805 "Fetching OCSP response from cache failed."); 796 806 } 797 else if ((ocsp_response->size == sizeof(unsigned char)) && 798 (*((unsigned char *) ocsp_response->data) == OCSP_FAILURE_CACHE_DATA)) 807 else if (IS_FAILURE_RESPONSE(ocsp_response)) 799 808 { 800 809 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c, … … 807 816 return GNUTLS_E_SUCCESS; 808 817 } 809 /* get rid of invalid response (if any) */ 810 gnutls_free(ocsp_response->data); 811 ocsp_response->data = NULL; 818 /* keep response buffer, reset size for reuse */ 819 ocsp_response->size = OCSP_RESP_SIZE_MAX; 812 820 813 821 /* If the cache had no response or an invalid one, try to update. */ … … 815 823 "No valid OCSP response in cache, trying to update."); 816 824 817 apr_status_trv = apr_global_mutex_trylock(sc->ocsp_mutex);825 rv = apr_global_mutex_trylock(sc->ocsp_mutex); 818 826 if (APR_STATUS_IS_EBUSY(rv)) 819 827 { … … 824 832 * moment there's no good way to integrate that with the 825 833 * Apache Mutex directive. */ 826 *ocsp_response= mgs_cache_fetch(ctxt->sc->ocsp_cache,827 828 829 ctxt->c->pool);830 if (ocsp_response->size > 0)831 {832 /* Got a valid response now, unlock mutex and return. */834 rv = mgs_cache_fetch(ctxt->sc->ocsp_cache, 835 ctxt->c->base_server, 836 ctxt->sc->ocsp->fingerprint, 837 ocsp_response, 838 ctxt->c->pool); 839 if (rv == APR_SUCCESS) 840 { 833 841 apr_global_mutex_unlock(sc->ocsp_mutex); 834 return GNUTLS_E_SUCCESS; 842 /* Check if the response is valid. */ 843 if (IS_FAILURE_RESPONSE(ocsp_response)) 844 { 845 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c, 846 "Cached OCSP failure found for %s.", 847 ctxt->c->base_server->server_hostname); 848 goto fail_cleanup; 849 } 850 else 851 return GNUTLS_E_SUCCESS; 835 852 } 836 853 else 837 854 { 838 gnutls_free(ocsp_response->data);839 ocsp_response-> data = NULL;855 /* keep response buffer, reset size for reuse */ 856 ocsp_response->size = OCSP_RESP_SIZE_MAX; 840 857 } 841 858 } … … 855 872 856 873 /* retry reading from cache */ 857 *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache, 858 ctxt->c->base_server, 859 ctxt->sc->ocsp->fingerprint, 860 ctxt->c->pool); 861 if (ocsp_response->size == 0) 874 rv = mgs_cache_fetch(ctxt->sc->ocsp_cache, 875 ctxt->c->base_server, 876 ctxt->sc->ocsp->fingerprint, 877 ocsp_response, 878 ctxt->c->pool); 879 if (rv != APR_SUCCESS) 862 880 { 863 881 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, … … 869 887 } 870 888 871 /* failure, clean up response data */ 889 /* failure, reset struct, buffer will be released with the 890 * connection pool */ 872 891 fail_cleanup: 873 gnutls_free(ocsp_response->data);874 892 ocsp_response->size = 0; 875 893 ocsp_response->data = NULL; … … 1061 1079 if (rv != APR_SUCCESS) 1062 1080 { 1063 const gnutls_datum_t ocsp_response = 1064 mgs_cache_fetch(sc->ocsp_cache, server, 1065 sc->ocsp->fingerprint, pool); 1066 1067 if (ocsp_response.size == 0 || 1068 ((ocsp_response.size == sizeof(unsigned char)) && 1069 (*((unsigned char *) ocsp_response.data) == 1070 OCSP_FAILURE_CACHE_DATA))) 1081 gnutls_datum_t ocsp_response; 1082 ocsp_response.data = apr_palloc(pool, OCSP_RESP_SIZE_MAX); 1083 ocsp_response.size = OCSP_RESP_SIZE_MAX; 1084 1085 apr_status_t rv = mgs_cache_fetch(sc->ocsp_cache, server, 1086 sc->ocsp->fingerprint, 1087 &ocsp_response, 1088 pool); 1089 1090 if (rv != APR_SUCCESS || (IS_FAILURE_RESPONSE(&ocsp_response))) 1071 1091 { 1072 1092 ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server, … … 1075 1095 mgs_cache_ocsp_failure(server, sc->ocsp_failure_timeout * 2); 1076 1096 } 1077 1078 /* Get rid of the response, if any */1079 if (ocsp_response.size != 0)1080 gnutls_free(ocsp_response.data);1081 1097 } 1082 1098 apr_global_mutex_unlock(sc->ocsp_mutex); … … 1196 1212 apr_pool_cleanup_null); 1197 1213 1198 /* enable status request callback */1199 gnutls_certificate_set_ocsp_status_request_function(sc->certs,1200 mgs_get_ocsp_response,1201 sc);1202 1203 1214 /* The watchdog structure may be NULL if mod_watchdog is 1204 1215 * unavailable. */ -
test/Makefile.am
rd4c9331 re376ed8 58 58 shared_identities = authority authority/client 59 59 pgp_identities = $(shared_identities) 60 x509_only_identities = authority/server authority/imposter rogueca \ 61 rogueca/rogueclient 62 if ENABLE_OCSP_TEST 63 x509_only_identities += authority/ocsp-responder 60 x509_only_identities = authority/server authority/imposter \ 61 authority/subca authority/subca/server \ 62 rogueca rogueca/rogueclient 63 if ENABLE_OCSP_TEST 64 x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder 64 65 endif 65 66 x509_identities = $(shared_identities) $(x509_only_identities) … … 101 102 authority/imposter/template.in authority/ocsp-responder/template \ 102 103 authority/server/template.in \ 104 authority/subca/template.in authority/subca/server/template.in \ 105 authority/subca/ocsp-responder/template \ 103 106 rogueca/template rogueca/rogueclient/template.in 104 107 generated_templates = authority/template authority/client/template \ … … 161 164 if ENABLE_OCSP_TEST 162 165 # rules to build OCSP database 163 check_DATA += authority/ocsp_index.txt 164 MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr 165 authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr 166 ./gen_ocsp_index authority/server/x509.pem authority/client/x509.pem > $@ 167 168 authority/ocsp_index.txt.attr: authority/secret.key 166 ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \ 167 authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr 168 check_DATA += $(ocsp_index_data) 169 MOSTLYCLEANFILES += $(ocsp_index_data) 170 171 # The "find" command builds a list of all certificates directly below 172 # the CA that aren't for the ocsp-responder. 173 %/ocsp_index.txt: $(x509_tokens) gen_ocsp_index 174 ./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@ 175 176 %/ocsp_index.txt.attr: 177 @mkdir -m 0700 -p $(dir $@) 169 178 echo "unique_subject = no" > $@ 170 179 171 # build certificate chain file for server 172 check_DATA += authority/server/x509-chain.pem 173 MOSTLYCLEANFILES += authority/server/x509-chain.pem 174 %/x509-chain.pem: %/x509.pem authority/x509.pem 175 cat $< authority/x509.pem > $@ 180 # Build certificate chain files. Note that intermediate tokens must be 181 # listed explicitly, or the dependency chain will be broken because 182 # the higher level pattern matches, too. 183 chain_tokens = authority/server/x509-chain.pem \ 184 authority/subca/x509-chain.pem \ 185 authority/subca/server/x509-chain.pem 186 check_DATA += $(chain_tokens) 187 MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem 176 188 endif 177 189 -
test/ocsp_server.conf.in
rd4c9331 re376ed8 22 22 RewriteEngine On 23 23 RewriteRule ^/ocsp(.*) /ocsp.cgi$1 [L] 24 # General rules for all OCSP handling 24 25 <Location /ocsp/> 25 26 # Some clients seem to have trouble with chunked 26 27 # encoding, so force HTTP/1.0 for now. 27 28 SetEnv downgrade-1.0 29 <If "-n osenv('OPENSSL')"> 30 # Pass OPENSSL variable to CGI script if set 31 SetEnv OPENSSL ${OPENSSL} 32 </If> 33 </Location> 34 <Location /ocsp/authority/> 28 35 # certificates and key for ocsp.cgi 29 36 SetEnv CA_CERT ${PWD}/authority/x509.pem … … 31 38 SetEnv OCSP_CERT ${PWD}/authority/ocsp-responder/x509.pem 32 39 SetEnv OCSP_KEY ${PWD}/authority/ocsp-responder/secret.key 33 <If "-n osenv('OPENSSL')"> 34 # Pass OPENSSL variable to CGI script if set 35 SetEnv OPENSSL ${OPENSSL} 36 </If> 40 </Location> 41 <Location /ocsp/authority/subca/> 42 # certificates and key for ocsp.cgi 43 SetEnv CA_CERT ${PWD}/authority/subca/x509.pem 44 SetEnv OCSP_INDEX ${PWD}/authority/subca/ocsp_index.txt 45 SetEnv OCSP_CERT ${PWD}/authority/subca/ocsp-responder/x509.pem 46 SetEnv OCSP_KEY ${PWD}/authority/subca/ocsp-responder/secret.key 37 47 </Location> 38 48 <Directory ${srcdir}/data> -
test/test_ca.mk
rd4c9331 re376ed8 10 10 @mkdir -m 0700 -p $(@D) 11 11 sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@ 12 sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE) ," $@12 sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)$(dir $(*))," $@ 13 13 for i in $(patsubst [%],%,$(TEST_IP)); do \ 14 14 IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \ … … 58 58 # special rule for root CAs 59 59 root_cert_rule = certtool --outfile $@ --generate-self-signed --load-privkey $(dir $@)secret.key --template $< 60 root_chain_rule = cp $< $@ 60 61 authority/x509.pem rogueca/x509.pem: %/x509.pem: %/template %/secret.key 61 62 $(root_cert_rule) 63 authority/x509-chain.pem rogueca/x509-chain.pem: %/x509-chain.pem: %/x509.pem 64 $(root_chain_rule) 62 65 63 66 # generic rule for building non-root certificates, with the CA in the 64 67 # parent directory 65 68 cert_rule = certtool --outfile $@ --generate-certificate --load-ca-certificate $(dir $@)../x509.pem --load-ca-privkey $(dir $@)../secret.key --load-privkey $(dir $@)secret.key --template $< 69 chain_rule = cat $< $(dir $@)../x509-chain.pem > $@ 66 70 67 71 # certificates signed by the test root CA 68 72 %/x509.pem: %/template %/secret.key authority/secret.key authority/x509.pem 69 73 $(cert_rule) 74 %/x509-chain.pem: %/x509.pem authority/x509-chain.pem 75 $(chain_rule) 76 77 # certificates signed by the test sub CA 78 authority/subca/%/x509.pem: authority/subca/%/template authority/subca/%/secret.key authority/subca/x509.pem 79 $(cert_rule) 80 authority/subca/%/x509-chain.pem: authority/subca/%/x509.pem authority/subca/x509-chain.pem 81 $(chain_rule) 70 82 71 83 # certificates signed by rogue CA (for error cases) -
test/tests/00_basic/apache.conf
rd4c9331 re376ed8 6 6 ServerName ${TEST_HOST} 7 7 GnuTLSEnable On 8 GnuTLSCertificateFile authority/s erver/x509.pem9 GnuTLSKeyFile authority/s erver/secret.key8 GnuTLSCertificateFile authority/subca/server/x509-chain.pem 9 GnuTLSKeyFile authority/subca/server/secret.key 10 10 </VirtualHost> -
test/tests/27_OCSP_server/apache.conf
rd4c9331 re376ed8 12 12 #GnuTLSOCSPStapling On 13 13 GnuTLSOCSPCacheTimeout 60 14 GnuTLSCertificateFile authority/s erver/x509-chain.pem15 GnuTLSKeyFile authority/s erver/secret.key14 GnuTLSCertificateFile authority/subca/server/x509-chain.pem 15 GnuTLSKeyFile authority/subca/server/secret.key 16 16 GnuTLSPriorities NORMAL 17 17 </VirtualHost>
Note: See TracChangeset
for help on using the changeset viewer.
