Changeset efc43b4 in mod_gnutls for src


Ignore:
Timestamp:
Sep 25, 2018, 3:46:26 PM (3 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, debian/master, master, proxy-ticket
Children:
cb6476c
Parents:
994200a
Message:

Split per-vhost post config for OCSP stapling into configuring and enabling

This is preparation for enabling stapling by default: Configuration
failure may be ignored if stapling is not explicitly enabled by the
user (at the cost of not stapling).

Location:
src
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_hooks.c

    r994200a refc43b4  
    659659            sc->client_verify_method = mgs_cvm_cartel;
    660660        if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
     661            // TODO: Check result of mgs_ocsp_configure_stapling()
     662            // below instead, staple if possible.
    661663            sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
    662664
     
    665667        if (sc->enabled && sc->ocsp_staple)
    666668        {
    667             rv = mgs_ocsp_post_config_server(pconf, ptemp, s);
     669            const char *err = mgs_ocsp_configure_stapling(pconf, ptemp, s);
     670            if (err != NULL)
     671            {
     672                ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, s,
     673                             "OCSP stapling configuration failed for "
     674                             "host '%s:%d': %s",
     675                             s->server_hostname, s->addrs->host_port, err);
     676                return HTTP_INTERNAL_SERVER_ERROR;
     677            }
     678            rv = mgs_ocsp_enable_stapling(pconf, ptemp, s);
    668679            if (rv != OK && rv != DECLINED)
    669680                return rv;

  • src/gnutls_ocsp.c

    r994200a refc43b4  
    10871087
    10881088
     1089const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf,
     1090                                        apr_pool_t *ptemp __attribute__((unused)),
     1091                                        server_rec *server)
     1092{
     1093    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     1094        ap_get_module_config(server->module_config, &gnutls_module);
     1095
     1096    if (sc->certs_x509_chain_num < 2)
     1097        return "No issuer (CA) certificate available, cannot enable "
     1098            "stapling. Please add it to the GnuTLSCertificateFile.";
     1099
     1100    mgs_ocsp_data_t ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
     1101
     1102    ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
     1103                                      sc->certs_x509_crt_chain[0]);
     1104    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
     1105        return "No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile "
     1106            "setting, cannot configure OCSP stapling.";
     1107
     1108    if (sc->ocsp_cache == NULL)
     1109        return "No OCSP response cache available, please check "
     1110            "the GnuTLSOCSPCache setting.";
     1111
     1112    sc->ocsp = ocsp;
     1113    return NULL;
     1114}
     1115
     1116
     1117
    10891118/*
    10901119 * Like in the general post_config hook the HTTP status codes for
     
    10921121 * to denote an error.
    10931122 */
    1094 int mgs_ocsp_post_config_server(apr_pool_t *pconf,
    1095                                 apr_pool_t *ptemp __attribute__((unused)),
    1096                                 server_rec *server)
     1123int mgs_ocsp_enable_stapling(apr_pool_t *pconf,
     1124                             apr_pool_t *ptemp __attribute__((unused)),
     1125                             server_rec *server)
    10971126{
    10981127    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    10991128        ap_get_module_config(server->module_config, &gnutls_module);
    1100 
    1101     if (sc->certs_x509_chain_num < 2)
    1102     {
    1103         ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server,
    1104                      "OCSP stapling is enabled but no CA certificate "
    1105                      "available for %s:%d, make sure it is included in "
    1106                      "GnuTLSCertificateFile!",
    1107                      server->server_hostname, server->addrs->host_port);
    1108         return HTTP_NOT_FOUND;
    1109     }
    1110 
    1111     if (sc->ocsp_cache == NULL)
    1112     {
    1113         ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server,
    1114                      "OCSP stapling is enabled but no cache configured!");
    1115         return HTTP_NOT_FOUND;
     1129    if (sc->ocsp == NULL)
     1130    {
     1131        ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EGENERAL, server,
     1132                     "CRITICAL ERROR: %s called with uninitialized OCSP "
     1133                     "data structure. This indicates a bug in mod_gnutls.",
     1134                     __func__);
     1135        return HTTP_INTERNAL_SERVER_ERROR;
    11161136    }
    11171137
     
    11521172    }
    11531173
    1154     sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
    1155 
    11561174    sc->ocsp->fingerprint =
    11571175        mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
    11581176    if (sc->ocsp->fingerprint.data == NULL)
    11591177        return HTTP_INTERNAL_SERVER_ERROR;
    1160 
    1161     sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
    1162                                           sc->certs_x509_crt_chain[0]);
    1163     if (sc->ocsp->uri == NULL && sc->ocsp_response_file == NULL)
    1164     {
    1165         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
    1166                      "OCSP stapling is enabled for for %s:%d, but there is "
    1167                      "neither an OCSP URI in the certificate nor a "
    1168                      "GnuTLSOCSPResponseFile setting for this host!",
    1169                      server->server_hostname, server->addrs->host_port);
    1170         return HTTP_NOT_FOUND;
    1171     }
    11721178
    11731179    sc->ocsp->trust = apr_palloc(pconf,

  • src/gnutls_ocsp.h

    r994200a refc43b4  
    9898
    9999/**
    100  * Initialize server config for OCSP, supposed to be called in the
    101  * post_config hook for each server where OCSP stapling is enabled,
    102  * after certificates have been loaded.
     100 * Try to generate the OCSP stapling configuration for a (virtual)
     101 * host. This function must be called in the post_config hook after
     102 * certificates have been loaded. This method does not actually enable
     103 * stapling, it only prepares the configuration. The reason for
     104 * splitting these tasks is that configuration failure may be ignored
     105 * if stapling is not explicitly enabled but only opportunistically.
     106 *
     107 * @return `NULL` on success, a string describing why configuration
     108 * failed otherwise (static or allocated from ptemp)
     109 */
     110const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
     111                                        server_rec *server);
     112
     113/**
     114 * Enable OCSP stapling for a (virtual) host. Must be called in the
     115 * post_config hook after mgs_ocsp_configure_stapling has returned
     116 * successfully for that host.
    103117 *
    104118 * @return OK or DECLINED on success, any other value on error (like
    105  * the post_config hook itself)
     119 * the post_config hook)
    106120 */
    107 int mgs_ocsp_post_config_server(apr_pool_t *pconf, apr_pool_t *ptemp,
    108                                 server_rec *server);
     121int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
     122                             server_rec *server);
    109123
    110124int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
Note: See TracChangeset for help on using the changeset viewer.