[Fedora-directory-commits] mod_nss mod_nss.c, 1.14, 1.15 mod_nss.h, 1.16, 1.17 nss_engine_config.c, 1.13, 1.14 nss_engine_init.c, 1.24, 1.25 nss.conf.in, 1.9, 1.10

Robert Crittenden (rcritten) fedora-directory-commits at redhat.com
Fri Oct 20 15:23:42 UTC 2006


Author: rcritten

Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1460

Modified Files:
	mod_nss.c mod_nss.h nss_engine_config.c nss_engine_init.c 
	nss.conf.in 
Log Message:
211612

Add support for setting a default OCSP responder.



Index: mod_nss.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- mod_nss.c	9 Aug 2006 19:17:56 -0000	1.14
+++ mod_nss.c	20 Oct 2006 15:23:39 -0000	1.15
@@ -63,6 +63,15 @@
     SSL_CMD_SRV(OCSP, FLAG,
                 "OCSP (Online Certificate Status Protocol)"
                 "(`on', `off')")
+    SSL_CMD_SRV(OCSPDefaultResponder, FLAG,
+                "Use a default OCSP Responder"
+                "(`on', `off')")
+    SSL_CMD_SRV(OCSPDefaultURL, TAKE1,
+                "The URL of the OCSP default responder"
+                "(`http://example.com:80/ocsp")
+    SSL_CMD_SRV(OCSPDefaultName, TAKE1,
+                "The nickname of the certificate to trust to sign the OCSP responses."
+                "(`OCSP_Cert`")
      SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "(`startup builtin|file:/path|exec:/path [bytes]')")
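Review bot: The help strings for the three new directives concatenate their literals without a separating space and leave the example quoting unbalanced, so the `NSSOCSPDefaultURL` help renders as `...responder(`http://example.com:80/ocsp` with no closing quote, and the nickname example `(`OCSP_Cert`` closes with a backtick instead of `'`. The existing OCSP entry above has the same missing space, but the new lines need not copy it: `"The URL of the OCSP default responder "` followed by `"(`http://example.com:80/ocsp')"`, and `"(`OCSP_Cert')"` for the nickname entry. The example URL here also differs from the `http://example.com/ocsp/status` used in nss.conf.in in this same commit; keeping the two identical avoids confusing readers of the docs.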


Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- mod_nss.h	25 Aug 2006 20:19:48 -0000	1.16
+++ mod_nss.h	20 Oct 2006 15:23:39 -0000	1.17
@@ -291,6 +291,9 @@
 struct SSLSrvConfigRec {
     SSLModConfigRec *mc;
     BOOL             fips;
+    BOOL             ocsp_default;
+    const char      *ocsp_url;
+    const char      *ocsp_name;
     BOOL             ocsp;
     BOOL             enabled;
     BOOL             proxy_enabled;
@@ -370,6 +373,9 @@
 const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
 const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
 const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
+const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
+const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
+const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
 const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
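Review bot: The three new prototypes are inconsistent with each other and with the surrounding declarations: `nss_cmd_NSSOCSPDefaultURL` names `dcfg` and `arg`, `nss_cmd_NSSOCSPDefaultName` names only `arg`, and `nss_cmd_NSSOCSPDefaultResponder` names nothing, while the existing TAKE1 prototypes below name all three parameters. Spelling them out uniformly, e.g. `const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, int flag);` and the same `cmd, dcfg, arg` form for the two TAKE1 handlers, keeps the header self-documenting.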


Index: nss_engine_config.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_config.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- nss_engine_config.c	25 Aug 2006 20:19:48 -0000	1.13
+++ nss_engine_config.c	20 Oct 2006 15:23:39 -0000	1.14
@@ -126,6 +126,9 @@
     
     sc->mc                          = NULL;
     sc->ocsp                        = UNSET;
+    sc->ocsp_default                = UNSET;
+    sc->ocsp_url                    = NULL;
+    sc->ocsp_name                   = NULL;
     sc->fips                        = UNSET;
     sc->enabled                     = UNSET;
     sc->proxy_enabled               = UNSET;
@@ -197,6 +200,9 @@
 
     cfgMerge(mc, NULL);
     cfgMergeBool(ocsp);
+    cfgMergeBool(ocsp_default);
+    cfgMerge(ocsp_url, NULL);
+    cfgMerge(ocsp_name, NULL);
     cfgMergeBool(fips);
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
@@ -314,6 +320,37 @@
     return NULL;
 }
 
+const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->ocsp_default = flag ? TRUE : FALSE;
+
+    return NULL;
+}
+
+const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *cmd,
+                                       void *dcfg,
+                                       const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->ocsp_url = arg;
+
+    return NULL;
+}
+
+const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *cmd,
+                                       void *dcfg,
+                                       const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->ocsp_name = arg;
+
+    return NULL;
+}
+
 const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd,
                                            void *dcfg,
                                            const char *arg)
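Review bot: `nss_cmd_NSSOCSPDefaultURL` and `nss_cmd_NSSOCSPDefaultName` store `arg` unvalidated, so an empty argument (`NSSOCSPDefaultURL ""`) is accepted here and also slips past the NULL-only check in nss_init_Module, reaching CERT_SetOCSPDefaultResponder with an empty URL or nickname. The config handler is the usual Apache place to reject this: `if (!*arg) return "NSSOCSPDefaultURL requires a non-empty URL";` and the equivalent message for the nickname. If the NSS OCSP fetcher only speaks plain http, as the example URLs in this commit suggest, a scheme check such as `if (strncasecmp(arg, "http://", 7) != 0) return "NSSOCSPDefaultURL must be an http:// URL";` would fail at config-parse time with a clear message instead of at startup — worth confirming against the NSS version in use before adding it.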


Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- nss_engine_init.c	17 Oct 2006 16:45:57 -0000	1.24
+++ nss_engine_init.c	20 Oct 2006 15:23:39 -0000	1.25
@@ -21,6 +21,7 @@
 #include "pk11func.h"
 #include "ocsp.h"
 #include "keyhi.h"
+#include "cert.h"
 
 static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
 static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -137,7 +138,8 @@
  *  passwords. 
  */
 static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled,
-                                int ocspenabled)
+                                int ocspenabled, int ocspdefault,
+                                const char * ocspurl, const char *ocspname)
 {
     SECStatus rv;
     SSLModConfigRec *mc = myModConfig(s);
@@ -280,6 +282,30 @@
         CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
             "OCSP is enabled.");
+
+        /* We ensure that ocspname and ocspurl are not NULL in nss_init_Module
+         */
+        if (ocspdefault) {
+            SECStatus sv;
+ 
+            sv = CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(),
+                     ocspurl, ocspname);
+
+            if (sv == SECFailure) {
+                ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                    "Unable to set OCSP default responder nickname %s.", ocspname);
+                nss_log_nss_error(APLOG_MARK, APLOG_INFO, s);
+                nss_die();
+            }
+
+            sv = CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
+            if (sv == SECFailure) {
+                ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                    "Unable to enable the OCSP default responder, %s (this shouldn't happen).", ocspname);
+                nss_log_nss_error(APLOG_MARK, APLOG_INFO, s);
+                nss_die();
+            }
+        }
     }
 }
 
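Review bot: Both failure paths in the new `ocspdefault` block log at APLOG_INFO and then call nss_die(), so with the default `LogLevel warn` the server stops during startup without the reason ever reaching the error log; these are fatal conditions and should use `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ...)`, with APLOG_ERR on the following nss_log_nss_error calls as well. The first message names only `ocspname`; including `ocspurl` would let an admin distinguish a bad URL from a bad nickname. The block is nested inside the branch that calls CERT_EnableOCSPChecking, which appears to be the `ocspenabled` case, so `NSSOCSPDefaultResponder on` combined with `NSSOCSP off` is silently ignored — a warning in the else path would help. nss_init_SSLLibrary begins outside this hunk.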
@@ -293,6 +319,9 @@
     int sslenabled = FALSE;
     int fipsenabled = FALSE;
     int ocspenabled = FALSE;
+    int ocspdefault = FALSE;
+    const char * ocspurl = NULL;
+    const char * ocspname = NULL;
 
     mc->nInitCount++;
  
@@ -382,9 +411,21 @@
         if (sc->proxy_enabled == UNSET) {
             sc->proxy_enabled = FALSE;
         }
+
+        if (sc->ocsp_default == TRUE) {
+            ocspdefault = TRUE;
+            ocspurl = sc->ocsp_url;
+            ocspname = sc->ocsp_name;
+            if ((ocspurl == NULL) || (ocspname == NULL)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                    "When NSSOCSPDefaultResponder is enabled both a default URL (NSSOCSPDefaultUrl) and certificate nickname (NSSOCSPDefaultName) are required.");
+                nss_die();
+            }
+        }
     }
 
-    nss_init_SSLLibrary(base_server, sslenabled, fipsenabled, ocspenabled);
+    nss_init_SSLLibrary(base_server, sslenabled, fipsenabled, ocspenabled,
+        ocspdefault, ocspurl, ocspname);
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                  "done Init: Initializing NSS library");
 
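Review bot: The new check copies `sc->ocsp_url` and `sc->ocsp_name` into the function-level `ocspurl`/`ocspname`, and if this is the per-server loop that the `sc` handling suggests, several virtual hosts each setting `NSSOCSPDefaultResponder on` with different values means the last one visited silently wins even though the responder and its trust anchor are applied process-wide through CERT_GetDefaultCertDB(); either reject conflicting values (`if (ocspurl && strcmp(ocspurl, sc->ocsp_url) != 0) { ap_log_error(...); nss_die(); }`) or document that only one default responder can exist. The error message spells the directive `NSSOCSPDefaultUrl` while mod_nss.c registers it as `NSSOCSPDefaultURL`; matching the registered name makes the message searchable. An empty string also passes the NULL-only test, so `*ocspurl == '\0' || *ocspname == '\0'` should be rejected alongside NULL. nss_init_Module starts outside this hunk.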
@@ -1061,11 +1102,19 @@
     }
 
     if (shutdown) {
+        if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
+            != SECSuccess) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+                 "Turning off the OCSP default responder failed.");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+        }
+
         SSL_ShutdownServerSessionIDCache();
 
         if ((rv = NSS_Shutdown()) != SECSuccess) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                 "NSS_Shutdown failed: %d", PR_GetError());
+                 "NSS_Shutdown failed");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
         }
     }
 
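Review bot: CERT_DisableOCSPDefaultResponder is now called on every shutdown regardless of whether a default responder was ever configured; if NSS returns SECFailure when none was set, this logs a spurious "Turning off the OCSP default responder failed." on each restart, which is worth testing. Since `sc` is not available here, the cleanest guard is a flag in SSLModConfigRec (e.g. `BOOL ocsp_default_enabled`) set where CERT_EnableOCSPDefaultResponder succeeds, and checked before the disable call. Replacing the raw PR_GetError() in the NSS_Shutdown message with nss_log_nss_error is an improvement. The enclosing shutdown function starts outside this hunk.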


Index: nss.conf.in
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss.conf.in,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- nss.conf.in	2 Aug 2006 15:14:47 -0000	1.9
+++ nss.conf.in	20 Oct 2006 15:23:39 -0000	1.10
@@ -131,6 +131,18 @@
 #   Verify that certificates have not been revoked before accepting them.
 #NSSOCSP off
 
+#
+#   Use a default OCSP responder. If enabled this will be used regardless
+#   of whether one is included in a client certificate. Note that the
+#   server certificate is verified during startup.
+#
+#   NSSOCSPDefaultURL defines the service URL of the OCSP responder
+#   NSSOCSPDefaultName is the nickname of the certificate to trust to
+#       sign the OCSP responses.
+#NSSOCSPDefaultResponder on
+#NSSOCSPDefaultURL http://example.com/ocsp/status
+#NSSOCSPDefaultName ocsp-nickname
+
 #   Access Control:
 #   With SSLRequire you can do per-directory access control based
 #   on arbitrary complex boolean expressions containing server
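Review bot: The comment should state that the two directives are required together — nss_init_Module refuses to start when `NSSOCSPDefaultResponder on` is set without both `NSSOCSPDefaultURL` and `NSSOCSPDefaultName` — and that the default responder only takes effect when `NSSOCSP on` is also set, since the responder is configured inside the OCSP-enabled path. Because the server certificate is verified at startup, as the comment already notes, a default responder that cannot be reached may keep the server from starting at all; a line such as `#   If the responder cannot be reached at startup the server may fail to start.` makes that consequence explicit. It would also help to say that the NSSOCSPDefaultName nickname must refer to a certificate already present in the NSS certificate database, which is what the startup error on a bad nickname amounts to.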



