Changeset fad7695 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Jun 1, 2016, 12:20:12 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
68ce93c
Parents:
64856fd
Message:

Store OCSP trust list in server config

This avoids recreating the trust list whenever an OCSP response has to
be verified.

File:
1 edited

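--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -80,28 +80,14 @@
 int check_ocsp_response(mgs_handle_t *ctxt, const gnutls_datum_t *ocsp_response)
 {
-    if (ctxt->sc->certs_x509_chain_num < 2)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "No CA certificates in store, cannot verify response.");
+    if (ctxt->sc->ocsp_trust == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "No OCSP trust list available for server \"%s\"!",
+                      ctxt->c->base_server->server_hostname);
         return GNUTLS_E_NO_CERTIFICATE_FOUND;
     }
 
-    /* Only the direct issuer may sign the OCSP response or an OCSP
-     * signer. Assuming the certificate file is properly ordered, it
-     * should be the one directly after the server's. */
-    gnutls_x509_trust_list_t issuer;
-    int ret = mgs_create_ocsp_trust_list(&issuer,
-                                         &(ctxt->sc->certs_x509_crt_chain[1]),
-                                         1);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "Could not create issuer trust list: %s (%d)",
-                      gnutls_strerror(ret), ret);
-        return ret;
-    }
-
     gnutls_ocsp_resp_t resp;
-    ret = gnutls_ocsp_resp_init(&resp);
+    int ret = gnutls_ocsp_resp_init(&resp);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -131,5 +117,5 @@
 
     unsigned int verify;
-    ret = gnutls_ocsp_resp_verify(resp, issuer, &verify, 0);
+    ret = gnutls_ocsp_resp_verify(resp, *(ctxt->sc->ocsp_trust), &verify, 0);
     if (ret != GNUTLS_E_SUCCESS)
     {
@@ -223,6 +209,4 @@
  resp_cleanup:
     gnutls_ocsp_resp_deinit(resp);
-    /* deinit trust list, but not the certificates */
-    gnutls_x509_trust_list_deinit(issuer, 0);
     return ret;
 }
@@ -280,2 +264,54 @@
     return ret;
 }
+
+
+
+apr_status_t mgs_cleanup_trust_list(void *data)
+{
+    gnutls_x509_trust_list_t *tl = (gnutls_x509_trust_list_t *) data;
+    gnutls_x509_trust_list_deinit(*tl, 0);
+    return APR_SUCCESS;
+}
+
+
+
+/*
+ * Like in the general post_config hook the HTTP status codes for
+ * errors are just for fun. What matters is "neither OK nor DECLINED"
+ * to denote an error.
+ */
+int mgs_ocsp_post_config_server(apr_pool_t *pconf, server_rec *server)
+{
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(server->module_config,
+                                                 &gnutls_module);
+
+    if (sc->certs_x509_chain_num < 2)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "OCSP stapling is enabled but no CA certificate "
+                     "available, make sure it is included in "
+                     "GnuTLSCertificateFile!");
+        return HTTP_NOT_FOUND;
+    }
+    sc->ocsp_trust = apr_palloc(pconf,
+                                sizeof(gnutls_x509_trust_list_t));
+     /* Only the direct issuer may sign the OCSP response or an OCSP
+      * signer. */
+    int ret = mgs_create_ocsp_trust_list(sc->ocsp_trust,
+                                         &(sc->certs_x509_crt_chain[1]),
+                                         1);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "Could not create OCSP trust list: %s (%d)",
+                     gnutls_strerror(ret), ret);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+    /* deinit trust list when the config pool is destroyed */
+    apr_pool_cleanup_register(pconf, sc->ocsp_trust,
+                              mgs_cleanup_trust_list,
+                              apr_pool_cleanup_null);
+
+    return OK;
+}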
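Review bot: On the failure path of mgs_create_ocsp_trust_list in mgs_ocsp_post_config_server (new lines 304-310) `sc->ocsp_trust` keeps pointing at the apr_palloc'd handle even though no usable trust list exists and no pool cleanup was registered, so the `ocsp_trust == NULL` guard at the top of check_ocsp_response would not catch that state if the server kept running; adding `sc->ocsp_trust = NULL;` before `return HTTP_INTERNAL_SERVER_ERROR;` keeps the two checks in step. The post_config return value presumably aborts startup, so this is defensive rather than a live defect, and the apr_palloc result at 297 is likewise not checked before being handed to mgs_create_ocsp_trust_list. The shortened comment at 299-300 also drops the ordering assumption the removed comment stated; since the code still hard-codes `certs_x509_crt_chain[1]`, I would keep `* signer. This assumes GnuTLSCertificateFile is ordered so the issuer follows the server certificate. */` so the constraint stays documented next to the index. That comment is also indented one column deeper than the surrounding code.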