Changeset fad7695 in mod_gnutls


Timestamp:
Jun 1, 2016, 12:20:12 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
68ce93c
Parents:
64856fd
Message:

Store OCSP trust list in server config

This avoids recreating the trust list whenever an OCSP response has to
be verified.

Files:
5 edited

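--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -220,4 +220,8 @@
      * once sending OCSP requests is implemented */
     char *ocsp_response_file;
+    /* Trust list to verify OCSP responses for stapling. Should
+     * usually only contain the CA that signed the server
+     * certificate. */
+    gnutls_x509_trust_list_t *ocsp_trust;
 } mgs_srvconf_rec;
 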
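Review bot: The comment on the new ocsp_trust field (new lines 222-224) says what the list should contain but not when the pointer is valid or who owns it, which is exactly what a reader of the `ocsp_trust == NULL` guard in check_ocsp_response needs. From the other files in this changeset the pointer is NULL after config creation and is only allocated, from the config pool, by mgs_ocsp_post_config_server for servers that have an OCSP response file configured. I would add two sentences to the comment saying that it is NULL until mgs_ocsp_post_config_server() allocates the list from the config pool, and that it stays NULL for servers without OCSP stapling. The struct declaration starts outside this hunk.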
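--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -973,4 +973,5 @@
 
     sc->ocsp_response_file = NULL;
+    sc->ocsp_trust = NULL;
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1030,5 +1031,6 @@
     gnutls_srvconf_merge(proxy_priorities, NULL);
 
-    gnutls_srvconf_merge(ocsp_response_file, NULL);
+    gnutls_srvconf_assign(ocsp_response_file);
+    gnutls_srvconf_assign(ocsp_trust);
 
     /* FIXME: the following items are pre-allocated, and should be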
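Review bot: Replacing `gnutls_srvconf_merge(ocsp_response_file, NULL)` with `gnutls_srvconf_assign(ocsp_response_file)` at new line 1033 changes how virtual hosts inherit the OCSP response file, and neither the commit message nor a comment explains why. If merge falls back to the base server's value when the added config holds NULL, as its unset argument suggests (the macros are defined outside this hunk), a vhost that previously inherited the file now ends up with NULL, and gnutls_hooks.c then skips mgs_ocsp_post_config_server for it, so stapling silently switches off on that vhost. For ocsp_trust plain assignment looks right regardless, since it is set to NULL at creation (new line 975) and presumably only filled per server in post_config from that server's own chain. If non-inheritance is intended, record it, e.g. `/* OCSP settings belong to one certificate chain and are deliberately not inherited from the base server */`; otherwise keep the merge for ocsp_response_file.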
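--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -381,4 +381,12 @@
                 " Shutting Down.");
             return HTTP_NOT_FOUND;
+        }
+
+        /* init OCSP trust list if OCSP is enabled */
+        if (sc->ocsp_response_file != NULL)
+        {
+            rv = mgs_ocsp_post_config_server(pconf, s);
+            if (rv != OK && rv != DECLINED)
+                return rv;
         }
 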
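Review bot: The inner `if (rv != OK && rv != DECLINED)` at new line 389 is written without braces while every other `if` in this hunk puts its body in a braced block with the brace on its own line; for consistency with the surrounding style I would write `if (rv != OK && rv != DECLINED)` / `{` / `return rv;` / `}`. The comment on new line 385 could also state what "enabled" means here, since check_ocsp_response gates on ocsp_trust rather than on the file: `/* a configured OCSP response file enables stapling; build the trust list used to verify responses */`. rv is assigned without a visible declaration, so it must be declared earlier in the function; the enclosing post_config function starts and ends outside this hunk.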
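--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -80,28 +80,14 @@
 int check_ocsp_response(mgs_handle_t *ctxt, const gnutls_datum_t *ocsp_response)
 {
-    if (ctxt->sc->certs_x509_chain_num < 2)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "No CA certificates in store, cannot verify response.");
+    if (ctxt->sc->ocsp_trust == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "No OCSP trust list available for server \"%s\"!",
+                      ctxt->c->base_server->server_hostname);
         return GNUTLS_E_NO_CERTIFICATE_FOUND;
     }
 
-    /* Only the direct issuer may sign the OCSP response or an OCSP
-     * signer. Assuming the certificate file is properly ordered, it
-     * should be the one directly after the server's. */
-    gnutls_x509_trust_list_t issuer;
-    int ret = mgs_create_ocsp_trust_list(&issuer,
-                                         &(ctxt->sc->certs_x509_crt_chain[1]),
-                                         1);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "Could not create issuer trust list: %s (%d)",
-                      gnutls_strerror(ret), ret);
-        return ret;
-    }
-
     gnutls_ocsp_resp_t resp;
-    ret = gnutls_ocsp_resp_init(&resp);
+    int ret = gnutls_ocsp_resp_init(&resp);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -131,5 +117,5 @@
 
     unsigned int verify;
-    ret = gnutls_ocsp_resp_verify(resp, issuer, &verify, 0);
+    ret = gnutls_ocsp_resp_verify(resp, *(ctxt->sc->ocsp_trust), &verify, 0);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -223,6 +209,4 @@
  resp_cleanup:
     gnutls_ocsp_resp_deinit(resp);
-    /* deinit trust list, but not the certificates */
-    gnutls_x509_trust_list_deinit(issuer, 0);
     return ret;
 }
@@ -280,2 +264,54 @@
     return ret;
 }
+
+
+
+apr_status_t mgs_cleanup_trust_list(void *data)
+{
+    gnutls_x509_trust_list_t *tl = (gnutls_x509_trust_list_t *) data;
+    gnutls_x509_trust_list_deinit(*tl, 0);
+    return APR_SUCCESS;
+}
+
+
+
+/*
+ * Like in the general post_config hook the HTTP status codes for
+ * errors are just for fun. What matters is "neither OK nor DECLINED"
+ * to denote an error.
+ */
+int mgs_ocsp_post_config_server(apr_pool_t *pconf, server_rec *server)
+{
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(server->module_config,
+                                                 &gnutls_module);
+
+    if (sc->certs_x509_chain_num < 2)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "OCSP stapling is enabled but no CA certificate "
+                     "available, make sure it is included in "
+                     "GnuTLSCertificateFile!");
+        return HTTP_NOT_FOUND;
+    }
+    sc->ocsp_trust = apr_palloc(pconf,
+                                sizeof(gnutls_x509_trust_list_t));
+     /* Only the direct issuer may sign the OCSP response or an OCSP
+      * signer. */
+    int ret = mgs_create_ocsp_trust_list(sc->ocsp_trust,
+                                         &(sc->certs_x509_crt_chain[1]),
+                                         1);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "Could not create OCSP trust list: %s (%d)",
+                     gnutls_strerror(ret), ret);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+    /* deinit trust list when the config pool is destroyed */
+    apr_pool_cleanup_register(pconf, sc->ocsp_trust,
+                              mgs_cleanup_trust_list,
+                              apr_pool_cleanup_null);
+
+    return OK;
+}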
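Review bot: In mgs_ocsp_post_config_server the failure branch at new lines 304-310 leaves sc->ocsp_trust pointing at the freshly palloc'd slot whose contents mgs_create_ocsp_trust_list may or may not have initialized (its body is not in this changeset), and no pool cleanup has been registered for it; the error return aborts startup so this is not exploitable, but `sc->ocsp_trust = NULL;` before `return HTTP_INTERNAL_SERVER_ERROR;` keeps the `ocsp_trust == NULL` guard in check_ocsp_response meaningful and avoids handing a half-built list to any later code path. The rewrite also drops the sentence from the removed comment that recorded the ordering assumption behind `certs_x509_crt_chain[1]`; I would restore it in the comment at new lines 299-300, e.g. `/* Only the direct issuer may sign the OCSP response or an OCSP signer. This assumes the certificate file is ordered leaf first, so the issuer is the entry directly after the server's certificate. */`, and fix that comment's indentation, which sits one column deeper than the surrounding code. Note that the trust list now lives for the whole config pool and is read concurrently by gnutls_ocsp_resp_verify from every connection, which is fine as long as nothing mutates it after post_config; a one-line comment at the field or here stating that it is read-only after setup would make that contract explicit.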
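--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -49,4 +49,20 @@
                                const int num);
 
+/**
+ * Pool cleanup function that deinits the trust list without
+ * deinitializing certificates.
+ */
+apr_status_t mgs_cleanup_trust_list(void *data);
+
+/**
+ * Initialize server config for OCSP, supposed to be called in the
+ * post_config hook for each server where OCSP stapling is enabled,
+ * after certificates have been loaded.
+ *
+ * @return OK or DECLINED on success, any other value on error (like
+ * the post_config hook itself)
+ */
+int mgs_ocsp_post_config_server(apr_pool_t *pconf, server_rec *server);
+
 int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
                           gnutls_datum_t *ocsp_response);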
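Review bot: The new doc comment for mgs_cleanup_trust_list (new lines 51-54) does not say what `data` must point to; gnutls_ocsp.c casts it to `gnutls_x509_trust_list_t *` and dereferences it, so registering the cleanup with the list handle itself instead of its address would be a silent type confusion. Add `@param data pointer to the gnutls_x509_trust_list_t to deinit (the address of the handle, not the handle)`. The comment for mgs_ocsp_post_config_server should likewise mention its preconditions and side effects as the .c shows them: it requires at least two certificates in the server's chain and treats index 1 as the issuer, it allocates sc->ocsp_trust from `pconf`, and it registers the cleanup on that pool, so `pconf` must outlive every use of the list.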