httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yla...@apache.org
Subject svn commit: r1583191 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_engine_ocsp.c ssl_private.h
Date Sun, 30 Mar 2014 19:25:20 GMT
Author: ylavic
Date: Sun Mar 30 19:25:20 2014
New Revision: 1583191

URL: http://svn.apache.org/r1583191
Log:
mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.

Modified:
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sun Mar 30 19:25:20 2014
@@ -238,6 +238,8 @@ static const command_rec ssl_config_cmds
                 "Maximum age of OCSP responses")
     SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
                 "OCSP responder query timeout")
+    SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
+                "Whether OCSP queries use a nonce or not ('on', 'off')")
 
 #ifdef HAVE_OCSP_STAPLING
     /*

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sun Mar 30 19:25:20 2014
@@ -133,6 +133,7 @@ static void modssl_ctx_init(modssl_ctx_t
     mctx->ocsp_resptime_skew  = UNSET;
     mctx->ocsp_resp_maxage    = UNSET;
     mctx->ocsp_responder_timeout = UNSET;
+    mctx->ocsp_use_request_nonce = UNSET;
 
 #ifdef HAVE_OCSP_STAPLING
     mctx->stapling_enabled           = UNSET;
@@ -275,6 +276,7 @@ static void modssl_ctx_cfg_merge(apr_poo
     cfgMergeInt(ocsp_resptime_skew);
     cfgMergeInt(ocsp_resp_maxage);
     cfgMergeInt(ocsp_responder_timeout);
+    cfgMergeBool(ocsp_use_request_nonce);
 #ifdef HAVE_OCSP_STAPLING
     cfgMergeBool(stapling_enabled);
     cfgMergeInt(stapling_resptime_skew);
@@ -1605,6 +1607,16 @@ const char *ssl_cmd_SSLOCSPResponderTime
     return NULL;
 }
 
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->ocsp_use_request_nonce = flag ? SSL_ENABLED_TRUE
+                                              : SSL_ENABLED_FALSE;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Sun Mar 30 19:25:20 2014
@@ -104,7 +104,8 @@ static apr_uri_t *determine_responder_ur
  * request object on success, or NULL on error. */
 static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
                                     OCSP_CERTID **certid,
-                                    server_rec *s, apr_pool_t *p)
+                                    server_rec *s, apr_pool_t *p,
+                                    SSLSrvConfigRec *sc)
 {
     OCSP_REQUEST *req = OCSP_REQUEST_new();
 
@@ -116,7 +117,9 @@ static OCSP_REQUEST *create_request(X509
         return NULL;
     }
 
-    OCSP_request_add1_nonce(req, 0, -1);
+    if (sc->server->ocsp_use_request_nonce != FALSE) {
+        OCSP_request_add1_nonce(req, 0, -1);
+    }
 
     return req;
 }
@@ -139,7 +142,7 @@ static int verify_ocsp_status(X509 *cert
         return V_OCSP_CERTSTATUS_UNKNOWN;
     }
 
-    request = create_request(ctx, cert, &certID, s, pool);
+    request = create_request(ctx, cert, &certID, s, pool, sc);
     if (request) {
         apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
                                  apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
@@ -171,7 +174,8 @@ static int verify_ocsp_status(X509 *cert
         }
     }
 
-    if (rc == V_OCSP_CERTSTATUS_GOOD) {
+    if (rc == V_OCSP_CERTSTATUS_GOOD &&
+            sc->server->ocsp_use_request_nonce != FALSE) {
         if (OCSP_check_nonce(request, basicResponse) != 1) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
                         "Bad OCSP responder answer (bad nonce)");

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Mar 30 19:25:20 2014
@@ -614,6 +614,7 @@ typedef struct {
     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
 #endif
+    int ocsp_use_request_nonce;
 } modssl_ctx_t;
 
 struct SSLSrvConfigRec {
@@ -731,6 +732,7 @@ const char *ssl_cmd_SSLOCSPDefaultRespon
 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 
 #ifdef HAVE_SSL_CONF_CMD



Mime
View raw message