Changeset fad7695 in mod_gnutls
- Timestamp:
- Jun 1, 2016, 12:20:12 PM (7 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- 68ce93c
- Parents:
- 64856fd
- Files:
-
- 5 edited
include/mod_gnutls.h.in
r64856fd rfad7695 220 220 * once sending OCSP requests is implemented */ 221 221 char *ocsp_response_file; 222 /* Trust list to verify OCSP responses for stapling. Should 223 * usually only contain the CA that signed the server 224 * certificate. */ 225 gnutls_x509_trust_list_t *ocsp_trust; 222 226 } mgs_srvconf_rec; 223 227 -
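Review bot: The comment on the new `ocsp_trust` field says what the list should contain but not who owns it or when it is valid, which matters here because the field is a pointer to a handle rather than the handle itself. The other files in this changeset show it starting as NULL, being allocated from the config pool in `mgs_ocsp_post_config_server` and deinitialised by a pool cleanup, so state that at the definition: `/* Trust list to verify OCSP responses for stapling. NULL until mgs_ocsp_post_config_server() allocates it from the config pool; freed by a pool cleanup. Should usually only contain the CA that signed the server certificate. */`. Whether virtual hosts share a list or each get their own is decided by the merge code, so it is worth confirming and noting that as well.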
src/gnutls_config.c
r64856fd rfad7695 973 973 974 974 sc->ocsp_response_file = NULL; 975 sc->ocsp_trust = NULL; 975 976 976 977 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */ … … 1030 1031 gnutls_srvconf_merge(proxy_priorities, NULL); 1031 1032 1032 gnutls_srvconf_merge(ocsp_response_file, NULL); 1033 gnutls_srvconf_assign(ocsp_response_file); 1034 gnutls_srvconf_assign(ocsp_trust); 1033 1035 1034 1036 /* FIXME: the following items are pre-allocated, and should be -
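Review bot: Changing `ocsp_response_file` from `gnutls_srvconf_merge(..., NULL)` to `gnutls_srvconf_assign` is a behaviour change for virtual hosts that the commit record does not mention; if `_assign` takes the vhost's own value without falling back to the base server (the macros are not in this hunk), a vhost that relied on inheriting `ocsp_response_file` now silently loses stapling. That is probably the right outcome, since an OCSP response and the trust list built for it are specific to one certificate chain, but the reason belongs in a comment at the merge site, e.g. `/* OCSP response and trust list are bound to this server's own certificate chain: never inherit them from the base server */`. `ocsp_trust` is still NULL when merging runs and is filled per server in post_config, so assigning rather than merging it is consistent with that.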
src/gnutls_hooks.c
r64856fd rfad7695 381 381 " Shutting Down."); 382 382 return HTTP_NOT_FOUND; 383 } 384 385 /* init OCSP trust list if OCSP is enabled */ 386 if (sc->ocsp_response_file != NULL) 387 { 388 rv = mgs_ocsp_post_config_server(pconf, s); 389 if (rv != OK && rv != DECLINED) 390 return rv; 383 391 } 384 392 -
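Review bot: `mgs_ocsp_post_config_server(pconf, s)` looks the module config up again with `ap_get_module_config` although this caller already holds `sc` for the same server; passing `sc` in (or alongside `s`) would remove the duplicate lookup and make it obvious the two cannot diverge. The enclosing post_config hook, including the declaration of `rv`, starts outside this hunk, so I could not check whether `rv` carries an earlier status that later code still inspects after this block overwrites it. The `ocsp_response_file != NULL` test is effectively the module's definition of "OCSP stapling enabled"; a one-line comment saying so, or a tiny inline helper, would keep that condition from drifting between call sites.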
src/gnutls_ocsp.c
r64856fd rfad7695 80 80 int check_ocsp_response(mgs_handle_t *ctxt, const gnutls_datum_t *ocsp_response) 81 81 { 82 if (ctxt->sc->certs_x509_chain_num < 2) 83 { 84 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 85 "No CA certificates in store, cannot verify response."); 82 if (ctxt->sc->ocsp_trust == NULL) 83 { 84 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 85 "No OCSP trust list available for server \"%s\"!", 86 ctxt->c->base_server->server_hostname); 86 87 return GNUTLS_E_NO_CERTIFICATE_FOUND; 87 88 } 88 89 89 /* Only the direct issuer may sign the OCSP response or an OCSP90 * signer. Assuming the certificate file is properly ordered, it91 * should be the one directly after the server's. */92 gnutls_x509_trust_list_t issuer;93 int ret = mgs_create_ocsp_trust_list(&issuer,94 &(ctxt->sc->certs_x509_crt_chain[1]),95 1);96 if (ret != GNUTLS_E_SUCCESS)97 {98 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,99 "Could not create issuer trust list: %s (%d)",100 gnutls_strerror(ret), ret);101 return ret;102 }103 104 90 gnutls_ocsp_resp_t resp; 105 ret = gnutls_ocsp_resp_init(&resp);91 int ret = gnutls_ocsp_resp_init(&resp); 106 92 if (ret != GNUTLS_E_SUCCESS) 107 93 { … … 131 117 132 118 unsigned int verify; 133 ret = gnutls_ocsp_resp_verify(resp, issuer, &verify, 0);119 ret = gnutls_ocsp_resp_verify(resp, *(ctxt->sc->ocsp_trust), &verify, 0); 134 120 if (ret != GNUTLS_E_SUCCESS) 135 121 { … … 223 209 resp_cleanup: 224 210 gnutls_ocsp_resp_deinit(resp); 225 /* deinit trust list, but not the certificates */226 gnutls_x509_trust_list_deinit(issuer, 0);227 211 return ret; 228 212 } … … 280 264 return ret; 281 265 } 266 267 268 269 apr_status_t mgs_cleanup_trust_list(void *data) 270 { 271 gnutls_x509_trust_list_t *tl = (gnutls_x509_trust_list_t *) data; 272 gnutls_x509_trust_list_deinit(*tl, 0); 273 return APR_SUCCESS; 274 } 275 276 277 278 /* 279 * Like in the general post_config hook the HTTP status codes for 280 * errors are just for 
fun. What matters is "neither OK nor DECLINED" 281 * to denote an error. 282 */ 283 int mgs_ocsp_post_config_server(apr_pool_t *pconf, server_rec *server) 284 { 285 mgs_srvconf_rec *sc = 286 (mgs_srvconf_rec *) ap_get_module_config(server->module_config, 287 &gnutls_module); 288 289 if (sc->certs_x509_chain_num < 2) 290 { 291 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server, 292 "OCSP stapling is enabled but no CA certificate " 293 "available, make sure it is included in " 294 "GnuTLSCertificateFile!"); 295 return HTTP_NOT_FOUND; 296 } 297 sc->ocsp_trust = apr_palloc(pconf, 298 sizeof(gnutls_x509_trust_list_t)); 299 /* Only the direct issuer may sign the OCSP response or an OCSP 300 * signer. */ 301 int ret = mgs_create_ocsp_trust_list(sc->ocsp_trust, 302 &(sc->certs_x509_crt_chain[1]), 303 1); 304 if (ret != GNUTLS_E_SUCCESS) 305 { 306 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server, 307 "Could not create OCSP trust list: %s (%d)", 308 gnutls_strerror(ret), ret); 309 return HTTP_INTERNAL_SERVER_ERROR; 310 } 311 /* deinit trust list when the config pool is destroyed */ 312 apr_pool_cleanup_register(pconf, sc->ocsp_trust, 313 mgs_cleanup_trust_list, 314 apr_pool_cleanup_null); 315 316 return OK; 317 } -
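Review bot: `mgs_ocsp_post_config_server` still takes `certs_x509_crt_chain[1]` on faith as the issuer; the comment deleted from `check_ocsp_response` at least spelled out that "properly ordered" assumption, and nothing now verifies it, so a mis-ordered `GnuTLSCertificateFile` produces a trust list that rejects every stapled response at runtime instead of a clear startup error. Check the relationship before building the list: `if (!gnutls_x509_crt_check_issuer(sc->certs_x509_crt_chain[0], sc->certs_x509_crt_chain[1])) { ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server, "second certificate in GnuTLSCertificateFile is not the issuer of the first"); return HTTP_INTERNAL_SERVER_ERROR; }`. Separately, when `mgs_create_ocsp_trust_list` fails the function returns with `sc->ocsp_trust` pointing at pool memory that was never initialised, so add `sc->ocsp_trust = NULL;` before that return to keep the `ocsp_trust == NULL` guard in `check_ocsp_response` meaningful. The list is now shared by every connection of the server rather than rebuilt per verification; `gnutls_ocsp_resp_verify` presumably only reads it, but that is worth confirming for threaded MPMs.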
src/gnutls_ocsp.h
r64856fd rfad7695 49 49 const int num); 50 50 51 /** 52 * Pool cleanup function that deinits the trust list without 53 * deinitializing certificates. 54 */ 55 apr_status_t mgs_cleanup_trust_list(void *data); 56 57 /** 58 * Initialize server config for OCSP, supposed to be called in the 59 * post_config hook for each server where OCSP stapling is enabled, 60 * after certificates have been loaded. 61 * 62 * @return OK or DECLINED on success, any other value on error (like 63 * the post_config hook itself) 64 */ 65 int mgs_ocsp_post_config_server(apr_pool_t *pconf, server_rec *server); 66 51 67 int mgs_get_ocsp_response(gnutls_session_t session, void *ptr, 52 68 gnutls_datum_t *ocsp_response);
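Review bot: The `mgs_cleanup_trust_list` doc block does not say what `data` is, and because the config field is a pointer to a handle this is easy to get wrong at the registration site; add `@param data a gnutls_x509_trust_list_t *; only the trust list is deinitialised, the handle's own storage is left to the owning pool and the certificates in the list are not freed`. The `mgs_ocsp_post_config_server` block could also state the preconditions its implementation enforces: it requires at least two certificates in the server's chain and returns HTTP_NOT_FOUND otherwise, and it returns HTTP_INTERNAL_SERVER_ERROR when the trust list cannot be built, with the list registered for cleanup on `pconf`.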