rpms/ocspd/F-8 import.log, NONE, 1.1 ocspd.spec, NONE, 1.1 openca-ocspd-1.5.1-badcomment.patch, NONE, 1.1 openca-ocspd-1.5.1-bufresponse.patch, NONE, 1.1 openca-ocspd-1.5.1-misc.patch, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2

Patrick Monnerat monnerat at fedoraproject.org
Mon Oct 13 10:48:02 UTC 2008


Author: monnerat

Update of /cvs/pkgs/rpms/ocspd/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28808/F-8

Modified Files:
	.cvsignore sources 
Added Files:
	import.log ocspd.spec openca-ocspd-1.5.1-badcomment.patch 
	openca-ocspd-1.5.1-bufresponse.patch 
	openca-ocspd-1.5.1-misc.patch 
Log Message:
* Mon Oct 13 2008 Patrick Monnerat <pm at datasphere.ch> 1.5.1-0.3.fc1
- Initial CVS import



--- NEW FILE import.log ---
ocspd-1_5_1-0_3_rc1_fc8:F-8:ocspd-1.5.1-0.3.rc1.fc8.src.rpm:1223894754


--- NEW FILE ocspd.spec ---
%define alphatag	rc1
%define revision	%{?alphatag:-}%{alphatag}


Name:		ocspd
Version:	1.5.1
Release:	0.3.%{alphatag}%{?dist}
Summary:	OpenCA OCSP Daemon
License:	ASL 1.0
Group:		System Environment/Daemons
Source:		http://downloads.sourceforge.net/openca/openca-ocspd-%{version}%{revision}.tar.gz
Patch1:		openca-ocspd-1.5.1-bufresponse.patch
Patch2:		openca-ocspd-1.5.1-misc.patch
Patch3:		openca-ocspd-1.5.1-badcomment.patch
URL:		http://www.openca.org/projects/ocspd
Obsoletes:	openca-ocspd <= %{version}-%{release}
Provides:	openca-ocspd = %{version}-%{release}
Requires(pre):	shadow-utils
Requires(post):	chkconfig
Requires(preun):chkconfig
Requires(preun):initscripts
Requires(postun):initscripts
BuildRequires:	openssl-devel
BuildRequires:	openldap-devel
BuildRequires:	automake autoconf
BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root

%description
 The ocspd is an RFC2560 compliant OCSPD responder. It can be used to
verify the status of a certificate using OCSP clients (such as
Mozilla/Firefox/Thunderbird/Apache).


%prep
%setup -q -n openca-ocspd-%{version}%{revision}
%patch1 -p1 -b .bufresponse
%patch2 -p1 -b .misc
%patch3 -p1 -b .badcomment


%build

#	Need automake/autoconf rebuild because of above patches.

aclocal
autoheader
automake
autoconf


%ifarch alpha
	ARCH_FLAGS="--host=alpha-redhat-linux"
%endif


%configure ${ARCH_FLAGS} --enable-openssl-engine --with-ocspd-group=ocspd
make %{?_smp_mflags}


%install
rm -rf "${RPM_BUILD_ROOT}"

make DESTDIR="${RPM_BUILD_ROOT}" install


%clean
rm -rf "${RPM_BUILD_ROOT}"


%pre
getent group ocspd >/dev/null || groupadd -r ocspd
getent passwd ocspd >/dev/null ||
	useradd -r -g ocspd -d "%{_sysconfdir}/ocspd"			\
		-s /sbin/nologin -c "OCSP Responder" ocspd
exit 0


%post
/sbin/chkconfig --add ocspd


%preun
if [ "${1}" = "0" ]
then	/sbin/service ocspd stop >/dev/null 2>&1 || :
	/sbin/chkconfig --del ocspd
fi


%postun
if [ "${1}" -gt "0" ]
then	/sbin/service ocspd condrestart >/dev/null 2>&1 || :
fi


%files
%defattr(-, root, root, -)
%doc AUTHORS COPYING ChangeLog README
%{_sbindir}/*
%dir %{_sysconfdir}/ocspd
%dir %{_sysconfdir}/ocspd/c*
%attr(700, ocspd, root) %dir %{_sysconfdir}/ocspd/private
%config(noreplace) %{_sysconfdir}/ocspd/ocspd.conf
%config(noreplace) %{_sysconfdir}/sysconfig/*
%{_initrddir}/*
%{_mandir}/*/*


%changelog
* Wed Oct  8 2008 Patrick Monnerat <pm at datasphere.ch> 1.5.1-0.3.rc1
- Use group "ocspd" for daemon.

* Tue Oct  7 2008 Patrick Monnerat <pm at datasphere.ch> 1.5.1-0.2.rc1
- Spec file section reworked.
- autoheader called.
- Patch "badcomment" to replace bad "#" comment marks in configure.in.
- Unimplemented configure option "--disable-shared" removed.
- System user creation reworked.

* Wed Jul  2 2008 Patrick Monnerat <pm at datasphere.ch> 1.5.1-0.1.rc1
- Package revision change and specs reworked according to Fedora standards.

* Mon Jun 30 2008 Patrick Monnerat <pm at datasphere.ch> 1.5.1-rc1.2
- Specific Fedora RPM spec file, obsolescing package "openca-ocspd".
- Patch "bufresponse" to output response in a single packet if possible.
- Patch "misc" to clean-up various things, such as suppressing the need of
  an unused CA certificate, use of regular Fedora directories, configuration
  files fixes, typos, configurable listen() queue length, configuration
  parameter names, autoconf 2.62 compatibility, etc.

* Sun Oct 15 2006 Massimiliano Pala <madwolf at openca.org>
-Fixed HTTP HEADERS parsing problem
-Tested behind an Apache Proxy
-Added '-debug' startup option to output the HTTP head and additional
informations to be pushed to stderr

* Fri Oct 13 2006 Massimiliano Pala <madwolf at openca.org>
-Completely changed the codebase in order to use threads instead
of fork().
-Fixed compilation under OpenSolaris (SunOS 5.11)
-Added chroot() capabilities
-Added options to set the number of threads to be pre-spawned
-Fixed Socket creation under Solaris (Accept)
-Moved from BIO_* interface to pure socket implementation for
better Network options management

* Tue Jul 18 2006 Massimiliano Pala <madwolf at openca.org>
-Removed required index file option in the configuration file (was not
used)

* Mon Apr 24 2006 Massimiliano Pala <madwolf at openca.org>
-Fixed invalidity date problem (no more empty ext added to responses)
-Added log reporting of returned status about a response when the
verbose switch is used (before it was enabled only in DEBUG mode)

* Mon Dec 19 2005 Massimiliano Pala <madwolf at openca.org>
-Added chroot facility to enhance server security

* Thu Nov  3 2005 Massimiliano Pala <madwolf at openca.org>
-Fixed compile against OpenSSL 0.9.8a
-Fixed HTTP downloading routines for CRLs and CA certs
-Fixed Solaris Port for Signal Handling on CRLs check and reloading

* Thu Oct  6 2005 Massimiliano Pala <madwolf at openca.org>
-Fixed variables init (for Solaris) and code cleanup

* Thu Apr 28 2005 Massimiliano Pala <madwolf at openca.org>
-Fixed RPM installation of man pages

* Wed Apr 27 2005 Massimiliano Pala <madwolf at openca.org>
-Fixed RPM creation on Fedora Distros

* Tue Apr 19 2005 Massimiliano Pala <madwolf at openca.org>
-Fixed child re-spawning when HSM is active
-Added support for CA/CRL downloading via HTTP

* Fri Jan 28 2005 Massimiliano Pala <madwolf at openca.org>
-Fixed SIGHUP problem when auto_crl_reload was enabled
-Fixed Solaris include for flock usage instead of semaphores
-Added --enable-flock and --enable-semaphores in configure script

* Tue Jan 18 2005 Massimiliano Pala <madwolf at openca.org>
- Fixed bug for nextUpdate and lastUpdate fields setting when reloading
  CRLs.
- Added CA certificate loading from LDAP.
- Added multiple CA certificate from the same cACertificate entry in LDAP.
- Fixed Solaris putenv issues in configure.c
- Added OS architecture specific targes in makefiles

* Wed May 19 2004 Massimiliano Pala <madwolf at openca.org>
- First support for new data structure for CRL lookup and multi CAs
  support (not working now)
- Fixed configure.in for correct generation of config.h
- Fixed configure.in for openldap ld options (for non-standard directories)

* Mon May 17 2004 Massimiliano Pala <madwolf at openca.org>
- Fixed compilation problems on Solaris
- Added support for exclusion of ldap usage (--disable-openldap)
- Added support for openldap directory specification
- Fixed signal handling and correct children death
- Added pre-spawning of processes()

* Thu May 13 2004 Massimiliano Pala <madwolf at openca.org>
- Fixed miscreation of responses when certificate is revoked
- Fixed crl loading checking (segmentation fault on loading fixed)

* Fri Jan 17 2003 Massimiliano Pala <madwolf at openca.org>
- Correclty lookup using loaded CRL
- Added extensions management from CRL to OCSP response

* Mon Jan 13 2003 Massimiliano Pala <madwolf at openca.org>
- Updated the sample (contrib/) configuration file
- Added CRL retrivial from LDAP server
- Added LDAP support (needs OpenLDAP libraries)
- Added CRL retrivial from file

* Wed Oct 16 2002 Massimiliano Pala <madwolf at openca.org>
- Fixed daemon description
- Fixed requirements (for ENGINE support)
- Added multi child spawning (max_childs_num)
- Fixed zombi child presence

* Mon Feb 25 2002 Massimiliano Pala <madwolf at openca.org>
  - Fixed response generation

* Thu Feb 20 2001 Massimiliano Pala <madwolf at openca.org>
- First RPM spec file

openca-ocspd-1.5.1-badcomment.patch:

--- NEW FILE openca-ocspd-1.5.1-badcomment.patch ---
diff -Naur openca-ocspd-1.5.1.orig/configure.in openca-ocspd-1.5.1.new/configure.in
--- openca-ocspd-1.5.1.orig/configure.in	2008-10-06 20:01:40.000000000 +0200
+++ openca-ocspd-1.5.1.new/configure.in	2008-10-06 20:03:17.000000000 +0200
@@ -19,9 +19,9 @@
 AM_INIT_AUTOMAKE($PACKAGE_NAME, $PACKAGE_MAJOR)
 
 dnl Options.
-#AC_DISABLE_FAST_INSTALL
-#AC_DISABLE_SHARED
-#AM_MAINTAINER_MODE
+dnl AC_DISABLE_FAST_INSTALL
+dnl AC_DISABLE_SHARED
+dnl AM_MAINTAINER_MODE
 
 dnl Select OS specific versions of source files.
 case "${build_os}" in

openca-ocspd-1.5.1-bufresponse.patch:

--- NEW FILE openca-ocspd-1.5.1-bufresponse.patch ---
diff -Naur openca-ocspd-1.5.1.orig/src/ocspd_engine.c openca-ocspd-1.5.1.new/src/ocspd_engine.c
--- openca-ocspd-1.5.1.orig/src/ocspd_engine.c	2006-10-13 21:26:35.000000000 +0200
+++ openca-ocspd-1.5.1.new/src/ocspd_engine.c	2008-06-19 18:14:58.000000000 +0200
@@ -213,7 +213,7 @@
 			    syslog( LOG_INFO, "Added '%s' to POST COMMANDS",
 				val->value );
 		} else {
-			syslog( LOG_INFO, "Not Reckognised '%s' option",
+			syslog( LOG_INFO, "Not recognised '%s' option",
 				val->name );
 		}
 	}
diff -Naur openca-ocspd-1.5.1.orig/src/ocsp_response.c openca-ocspd-1.5.1.new/src/ocsp_response.c
--- openca-ocspd-1.5.1.orig/src/ocsp_response.c	2006-10-13 17:05:59.000000000 +0200
+++ openca-ocspd-1.5.1.new/src/ocsp_response.c	2008-06-19 18:40:45.000000000 +0200
@@ -67,7 +67,7 @@
 		if ((ca = ocspd_CA_ENTRY_find( conf, cid )) == NULL) {
 			if (conf->verbose) {
 				syslog( LOG_INFO, 
-				  "request for non reckognized CA [serial %ld]",
+				  "request for non recognized CA [serial %ld]",
 					ASN1_INTEGER_get(serial) );
 			}
 			OCSP_basic_add1_status(bs, cid,
@@ -178,6 +178,9 @@
 
 int ocspd_resp_send_socket(int connfd, OCSP_RESPONSE *resp) {
 	BIO *out = NULL;
+	BIO *mem = NULL;
+	char * cp;
+	int len;
 
 	char http_resp[] =
 		"HTTP/1.0 200 OK\r\n"
@@ -195,12 +198,24 @@
 		return(0);
 	}
 
-	BIO_printf(out, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
-	i2d_OCSP_RESPONSE_bio(out, resp);
-	BIO_flush(out);
+	if((mem = BIO_new(BIO_s_mem())) == NULL ) {
+		syslog(LOG_ERR, "ERROR::memory BIO creation");
+		BIO_free(out);
+		return(0);
+	}
 
+	BIO_printf(mem, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
+	i2d_OCSP_RESPONSE_bio(mem, resp);
+	len = BIO_get_mem_data(mem, &cp);
+
+	if (len < 0)
+		syslog(LOG_ERR, "ERROR::response length %d <= 0", len);
+	else
+		BIO_write(out, cp, len);
+
+	BIO_flush(out);
+	BIO_free(mem);
 	BIO_free(out);
 
 	return 1;
 }
-
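Review bot: In ocspd_resp_send_socket() the new error branch tests `len < 0` while its log message says "<= 0", and the function still falls through to `return 1`, so the caller is told the response was sent when nothing was written to `out`. Suggest testing `len <= 0` and returning 0 on that path after freeing both BIOs. The results of BIO_printf(), i2d_OCSP_RESPONSE_bio() and BIO_write() are also unchecked, so a failed or short write stays silent; i2d_OCSP_RESPONSE(resp, NULL) can itself return a negative value that would then be formatted into the header. BIO_get_mem_data() returns a long, so `len` is better declared long and logged with %ld.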

openca-ocspd-1.5.1-misc.patch:

--- NEW FILE openca-ocspd-1.5.1-misc.patch ---
diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/configure.in
--- openca-ocspd-1.5.1-rc1.orig/configure.in	2006-10-13 22:45:29.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/configure.in	2008-07-02 14:31:13.000000000 +0200
@@ -3,7 +3,7 @@
 
 dnl Autoconf boilerplate/
 AC_INIT(src/ocspd.c)
-AC_PREREQ( 2.50)
+AC_PREREQ(2.50)
 AC_CONFIG_AUX_DIR(build)
 VERSION=`cat VERSION`
 
@@ -11,12 +11,12 @@
 PACKAGE_MAJOR=`cat VERSION`
 PACKAGE_MINOR=1
 
-AC_SUBST( PACKAGE_MAJOR )
-AC_SUBST( PACKAGE_MINOR )
+AC_SUBST(PACKAGE_MAJOR)
+AC_SUBST(PACKAGE_MINOR)
 
 dnl Automake boilerplate.
 AC_CANONICAL_SYSTEM
-AM_INIT_AUTOMAKE( $PACKAGE_NAME, $PACKAGE_MAJOR )
+AM_INIT_AUTOMAKE($PACKAGE_NAME, $PACKAGE_MAJOR)
 
 dnl Options.
 #AC_DISABLE_FAST_INSTALL
@@ -40,9 +40,9 @@
 AM_CONDITIONAL(OCSPD_ARCH_SOLARIS, test x$arch = xsolaris)
 AM_CONDITIONAL(OCSPD_ARCH_HPUX, test x$arch = xhpux)
 
-AC_CHECK_LIB(pthread, pthread_create, 
-	[ AC_DEFINE(HAVE_LIBPTHREAD, 1, [PTHREAD Library])],
-	[ AC_MSG_ERROR([pthread library is needed!]) ]
+AC_CHECK_LIB(pthread, pthread_create,
+	[AC_DEFINE(HAVE_LIBPTHREAD, 1, [PTHREAD Library])],
+	[AC_MSG_ERROR([pthread library is needed!])]
 )
 
 if test x$arch = xlinux ; then
@@ -79,13 +79,6 @@
 AC_PROG_MAKE_SET
 AC_PROG_LN_S
 
-dnl Add libtool support.
-AM_PROG_LIBTOOL
-# AC_PROG_LIBTOOL
-
-dnl Automatically update the libtool script if it becomes out-of-date.
-AC_SUBST(LIBTOOL_DEPS)
-
 dnl Setup dist stuff
 AC_SUBST(ac_aux_dir)
 
@@ -93,17 +86,17 @@
 AC_CHECK_LIB(nsl, gethostbyname)
 AC_CHECK_LIB(socket, socket)
 AC_CHECK_LIB(resolv, res_query)
-dnl AC_CHECK_LIB(crypto, SSLeay )
-dnl AC_CHECK_LIB(crypto, ENGINE_init )
-dnl AC_CHECK_LIB(ssl, SSL_version )
-dnl AC_CHECK_LIB(db-4.0, open )
+dnl AC_CHECK_LIB(crypto, SSLeay)
+dnl AC_CHECK_LIB(crypto, ENGINE_init)
+dnl AC_CHECK_LIB(ssl, SSL_version)
+dnl AC_CHECK_LIB(db-4.0, open)
 
 dnl Check for Pod2Man program
-AC_PATH_PROG( POD2MAN, pod2man,pod2man,
+AC_PATH_PROG(POD2MAN, pod2man, pod2man,
                 $PATH:/sbin:/usr/sbin:/usr/local/sbin)
 
 dnl Check for Pod2Html program
-AC_PATH_PROG( POD2HTML, pod2html,pod2html,
+AC_PATH_PROG(POD2HTML, pod2html, pod2html,
                 $PATH:/sbin:/usr/sbin:/usr/local/sbin)
 
 dnl Check for package and related programs
@@ -124,16 +117,16 @@
 AC_PATH_PROG(PERL, perl)
 AC_SUBST(PERL)
 
-AC_MSG_RESULT([architecture            : ${build_os} ])
+AC_MSG_RESULT([architecture            : ${build_os}])
 
 dnl OpenSSL prefix
-AC_ARG_WITH( openssl-prefix,
+AC_ARG_WITH(openssl-prefix,
 [  --with-openssl-prefix=DIR          openssl prefix directory],
-[ openssl_prefix=$withval ] , [ openssl_prefix= ] )
+[openssl_prefix=$withval] , [openssl_prefix=])
 
 AC_SUBST(openssl_prefix)
 
-AC_MSG_RESULT([with openssl-prefix     : $openssl_prefix ])
+AC_MSG_RESULT([with openssl-prefix     : $openssl_prefix])
 
 if [[ x$openssl_prefix != x ]]; then
 	openssl_path=$openssl_prefix/lib
@@ -142,7 +135,7 @@
 	AC_MSG_RESULT([openssl lib dir         : $openssl_path (default)])
 fi
 
-AM_CONDITIONAL(OPENSSL_PREFIX, test x$openssl_prefix != x )
+AM_CONDITIONAL(OPENSSL_PREFIX, test x$openssl_prefix != x)
 
 	### Setup for OpenSSL build flags ###
 	dnl Now we like the version of openssl.  Let's construct
@@ -160,7 +153,7 @@
 	   openssl_cflags=[-I${openssl_prefix}/include]
 	   openssl_libs=["-L${openssl_prefix}/lib -L${openssl_prefix} -lssl -lcrypto "]
 	   openssl_setup=yes
-	  dnl AC_MSG_RESULT( [User specified --with-openssl-prefix])
+	  dnl AC_MSG_RESULT([User specified --with-openssl-prefix])
 	  dnl Check if the developer has the pkg-config macros
 	  dnl for the autotools on their system
 	  ifdef([PKG_CHECK_MODULES],
@@ -169,22 +162,20 @@
             dnl If so, we can check if the target system has
 	    dnl (1) pkg-config support installed as well, and
 	    dnl (2) has openssl 0.9.7 or greater installed
-	    AC_CHECK_PROG( HAS_PKGCONF, pkg-config, yes, [] , $PATH)
-	    if [[ x${HAS_PKGCONF} != x  ]]; then
-	   	PKG_CHECK_MODULES( OPENSSL,openssl >= 0.9.7, [
-		   AC_MSG_RESULT( 
-		     [openssl 0.9.7 or greater found via pkgconfig]
-		   )
+	    AC_CHECK_PROG(HAS_PKGCONF, pkg-config, yes, [] , $PATH)
+	    if [[ x${HAS_PKGCONF} != x ]]; then
+	   	PKG_CHECK_MODULES(OPENSSL,openssl >= 0.9.7, [
+		   AC_MSG_RESULT([openssl 0.9.7 or greater found via pkgconfig])
 		   openssl_cflags=$OPENSSL_CFLAGS
 		   openssl_libs=$OPENSSL_LIBS
 		   openssl_setup=yes
-            fi 
+            fi
 		],
-		[	
-		AC_MSG_RESULT( [good openssl not found via pkgconfig])
+		[
+		AC_MSG_RESULT([good openssl not found via pkgconfig])
 		]
 	        ) dnl End of PKG_CHECK macro
-	    
+
 	  ],
 	  [
 	    ## Skipping pkg-config macros...
@@ -192,14 +183,14 @@
 	)dnl  End of check using pkg-config...
 
 	fi    dnl End of prefix block
-	
+
 
 	if [[ x${openssl_setup} != xyes ]]; then
-	   AC_MSG_RESULT( [Assuming reasonable defaults for openssl...])
+	   AC_MSG_RESULT([Assuming reasonable defaults for openssl...])
 	   openssl_setup=yes
 	fi
-	
-	dnl Export our openssl build settings 
+
+	dnl Export our openssl build settings
 	AC_SUBST(openssl_cflags)
 	AC_SUBST(openssl_libs)
 
@@ -209,28 +200,28 @@
 dnl AC_OPENSSL_OCSP
 
 dnl Let's check the openssl version
-dnl AC_EGREP_HEADER( [m/OPENSSL/gm],
+dnl AC_EGREP_HEADER([m/OPENSSL/gm],
 dnl 	[${openssl_prefix}/include/openssl/opensslv.h],
-dnl 	[openssl_ver="0.9.8+"], 
+dnl 	[openssl_ver="0.9.8+"],
 dnl  	[openssl_ver="0.9.7"])
-dnl 
+dnl
 dnl 	if [[ openssl_ver = "0.9.8+" ]] ; then
 dnl 		AC_DEFINE(OPENSSL_VER_00908000)
 dnl 	else
 dnl 		AC_DEFINE(OPENSSL_VER_00907000)
 dnl 	fi
-dnl 
+dnl
    dnl      AC_MSG_RESULT([OpenSSL Detected Version: $openssl_ver]);
-dnl 
+dnl
 dnl 	CFLAGS=${openssl_flags}
 
 dnl AC_OPENSSL_VERSION
 
-dnl AM_CONDITIONAL(OPENSSL_VER_00908000, if test "x$openssl_ver" = "x0.9.8+" )
+dnl AM_CONDITIONAL(OPENSSL_VER_00908000, if test "x$openssl_ver" = "x0.9.8+")
 dnl AC_MSG_RESULT([OpenSSL Detected Version: $openssl_ver]);
 
 dnl Enable OPENLDAP Support
-AC_ARG_ENABLE( openldap,
+AC_ARG_ENABLE(openldap,
 [  --enable-openldap             enable openldap support (yes)],
 [case "${enableval}" in
   yes)	openldap=true ;;
@@ -244,16 +235,16 @@
 
 if [[ x$openldap = xtrue ]]; then
 
-   AC_DEFINE(HAVE_OPENLDAP, [1], [OpenLDAP] )
+   AC_DEFINE(HAVE_OPENLDAP, [1], [OpenLDAP])
 
    dnl OpenLDAP prefix
-   AC_ARG_WITH( openldap-prefix,
+   AC_ARG_WITH(openldap-prefix,
    [  --with-openldap-prefix=DIR         openldap prefix directory],
-   [ openldap_prefix=$withval ] , [ openldap_prefix= ] )
+   [openldap_prefix=$withval], [openldap_prefix=])
 
    AC_SUBST(openldap_prefix)
 
-   AC_MSG_RESULT([with openldap-prefix    : $openldap_prefix ])
+   AC_MSG_RESULT([with openldap-prefix    : $openldap_prefix])
    if [[ x$openldap_prefix != x ]]; then
 	openldap_path=$openldap_prefix/lib
 	AC_MSG_RESULT([openldap lib dir        : $openldap_path])
@@ -286,31 +277,31 @@
    fi
 fi
 
-AM_CONDITIONAL(OPENLDAP_PREFIX, test x$openldap_prefix != x )
+AM_CONDITIONAL(OPENLDAP_PREFIX, test x$openldap_prefix != x)
 
-dnl Export our OpenLDAP build settings 
+dnl Export our OpenLDAP build settings
 AC_SUBST(LDAP_LIBS)
 AC_SUBST(openldap_cflags)
 AC_SUBST(openldap_libs)
 
 dnl OCSP daemon default user
-AC_ARG_WITH( ocspd-user,  
+AC_ARG_WITH(ocspd-user,
 [  --with-ocspd-user=ARG              user to run processes as [ocspd]],
-[  user=$withval  ] , [  user=ocspd ] )
+[user=$withval], [user=ocspd])
 
-AC_MSG_RESULT([default ocspd user      : $user ])
+AC_MSG_RESULT([default ocspd user      : $user])
 AC_SUBST(user)
 
 dnl OCSP daemon default group
-AC_ARG_WITH( ocspd-group,  
+AC_ARG_WITH(ocspd-group,
 [  --with-ocspd-group=ARG             group to run processes as [daemon]],
-[  group=$withval  ] , [  group=daemon  ] )
+[group=$withval], [group=daemon])
 
-AC_MSG_RESULT([default ocspd group     : $group ])
+AC_MSG_RESULT([default ocspd group     : $group])
 AC_SUBST(group)
 
 dnl OpenSSL Engine Support
-AC_ARG_ENABLE( openssl-engine,
+AC_ARG_ENABLE(openssl-engine,
 [  --enable-openssl-engine      enable openssl engine support (no)],
 [case "${enableval}" in
   yes)	engine=true ;;
@@ -326,10 +317,10 @@
 	AC_DEFINE(HAVE_ENGINE, [1], [ENGINE support for OpenSSL])
 fi
 
-dnl AC_MSG_RESULT([enable engine support    : $engine ])
+dnl AC_MSG_RESULT([enable engine support    : $engine])
 
 dnl Semaphores vs Flock Support
-AC_ARG_ENABLE( semaphores,
+AC_ARG_ENABLE(semaphores,
 [  --enable-semaphores          use semaphores locking method (yes)],
 [case "${enableval}" in
   yes)	sem=true ;;
@@ -338,7 +329,7 @@
  esac], [sem=true])
 
 
-AC_ARG_ENABLE( flock,
+AC_ARG_ENABLE(flock,
 [  --enable-flock               use semaphores locking method (no)],
 [case "${enableval}" in
   yes)	flock=true && sem=false ;;
@@ -361,10 +352,10 @@
 dnl Debug option
 AC_ARG_ENABLE(debug,
 [  --enable-debug          enable debug messages.],
-[ case "${enableval}" in
-  yes)	
+[case "${enableval}" in
+  yes)
     debug=true ;;
-  no)	
+  no)
     debug=false ;;
   *) AC_MSG_ERROR([bad value ${enableval} for --enable-debug]) ;;
  esac], [debug=false])
@@ -379,17 +370,27 @@
 	prefix="/usr/local";
 fi
 
+dnl Be sure we know the effective directory pathes.
+sysconfdirvalue="`eval echo ${sysconfdir}`"
+AC_SUBST(sysconfdirvalue)
+sbindirvalue="`eval echo ${sbindir}`"
+AC_SUBST(sbindirvalue)
+localstatedirvalue="`eval echo ${localstatedir}`"
+AC_SUBST(localstatedirvalue)
+piddir="${piddir-${localstatedirvalue}/run}"
+AC_SUBST(piddir)
+
 dnl OpenCA prefix
-AC_ARG_WITH( openca-prefix,
+AC_ARG_WITH(openca-prefix,
 [  --with-openca-prefix=ARG    OpenCA install prefix (PREFIX/OpenCA)],
-[ openca_prefix=$withval], [openca_prefix=${prefix}/OpenCA] )
+[openca_prefix=$withval], [openca_prefix=${prefix}/OpenCA])
 
 if [[ x${openca_prefix} = x ]] ; then
   AC_MSG_ERROR([bad value ${openca_prefix} for --with-openca-prefix])
 fi
 
-AC_MSG_RESULT([with openca-prefix      : $openca_prefix ])
-AC_SUBST( openca_prefix )
+AC_MSG_RESULT([with openca-prefix      : $openca_prefix])
+AC_SUBST(openca_prefix)
 
 AC_MSG_RESULT([install prefix          : $prefix])
 
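Review bot: The three `eval echo` lines expand each directory variable by one level only, and they run at a point where only `prefix` has been given a default (the `prefix="/usr/local"` block just above). Autoconf's default sbindir is '${exec_prefix}/sbin', and exec_prefix is still unset here unless it was passed on the command line, so a plain ./configure can substitute a wrong `sbindirvalue` into the init script. Suggest defaulting exec_prefix the same way as prefix before these lines, or repeating the eval until no `$` remains. `piddir` is taken from the environment through `${piddir-...}` without being declared; AC_ARG_VAR or a --with option would make it show up in --help. The added comment should read "paths", not "pathes".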
@@ -401,5 +402,5 @@
 	etc/Makefile
 	etc/ocspd
 	etc/ocspd.conf
+	etc/ocspd.sysconfig
 )
-
diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-rc1.new/docs/ocspd.conf.3.pod
--- openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod	2006-10-13 22:32:23.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/docs/ocspd.conf.3.pod	2008-07-02 14:31:13.000000000 +0200
@@ -68,11 +68,9 @@
  
  [ OCSPD_default ]
 
- dir              = /usr/local/etc/ocspd
- db               = $dir/index.txt
+ dir              = /etc/ocspd
  md               = sha1
  
- ca_certificate    = $dir/certs/cacert.pem
  ocspd_certificate = $dir/certs/ocspd_cert.pem
  ocspd_key         = $dir/private/ocspd_key.pem
  pidfile           = $dir/ocspd.pid
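Review bot: The sample in the man page keeps `pidfile = $dir/ocspd.pid` (unchanged context at the end of this hunk) while the same patch changes etc/ocspd.conf.in to `pidfile = @piddir@/ocspd.pid`. Suggest updating the documented sample to the new location so the man page and the installed configuration agree.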
@@ -100,7 +98,7 @@
  
  ####################################################################
  [ ocsp_response ]
- dir                     = /usr/local/etc/ocspd
+ dir                     = /etc/ocspd
  ocsp_add_response_certs = $dir/certs/chain_certs.pem
  ocsp_add_response_keyid = yes
  next_update_days        = 0
@@ -127,7 +125,7 @@
  #              http is used)
  #
  # You can have the CRLs/CA certificates on a simple file
- #    crl_url = file:///usr/local/etc/ocspd/crl.pem
+ #    crl_url = file:///etc/ocspd/crl.pem
  #
  # You can retrieve the CRLs/CA certificates from a web server
  #    crl_urt = http://server/ca/cacert.der
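Review bot: The new example `file:///etc/ocspd/crl.pem` puts the CRL directly in /etc/ocspd, whereas the Makefile.am change creates an ocspd/crls directory and etc/ocspd.conf.in now uses `crls/crl.pem`; the later hunks of this same file already use `/etc/ocspd/crls/cacrl.pem`. Suggest using the crls/ path here too. The next context line still has the typo `crl_urt`, which could be fixed while this block is being touched.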
@@ -151,7 +149,7 @@
  [ dbms_file ]
 
  # You can have the CRL on a simple file in PEM format
- crl_url = file:///usr/local/etc/ocspd/crl.pem
+ crl_url = file:///etc/ocspd/crl.pem
 
  [ HSM ]
  # Hardware accelerators support via the ENGINE interface
@@ -173,21 +171,10 @@
 
 specifies the directory where everything is kept.
 
-=item B<db>
-
-specifies the db where info about issued certificates are kept. Right
-now the only supported file format is the one from B<L<openssl(1)>>.
-To reload the certificate's db simply send a SIGHUP to the main process
-( kill -s SIGHUP pid ).
-
 =item B<md>
 
 specifies the digest to be used. Default is sha1.
 
-=item B<ca_certificate>
-
-path to the CA's certificate.
-
 =item B<ocspd_certificate>
 
 path to the certificate to be used by the responder.
@@ -234,6 +221,13 @@
 a pre-threaded one. In order to run the server needs support
 for POSIX1.c as found in most modern UNiX systems.
 
+=item B<max_client_num>
+
+Size of the system socket queue: when all service threads are busy,
+up to this number of unserved requests are accepted in queue and
+will be processed as soon as a thread becomes available; additional
+connection requests will be denied. Default: 30.
+
 =item B<chroot_dir>
 
 Chroot the application into the specified directory, watch
@@ -296,7 +290,7 @@
 specifies the URI where the CA certificate (which identifies the
 single CA) is located. Three different protocols are implemented
 ( file:// http:// or ldap:// ). If file is chosen, then the parameter
-should carry the path to the CA file (i.e. file:///usr/local/etc/ca.pem).
+should carry the path to the CA file (i.e. file:///etc/ocspd/certs/ca.pem).
 If ldap or http is chosen, you can specify the address, and the port
 of the server where to connect to (i.e. ldap://server.addr:port).
 
@@ -306,7 +300,7 @@
 actually used for building responses) is located. Three different
 protocols are actually implemented ( file:// http:// or ldap:// ).
 If file is chosen, then the parameter should have the path to the
-crl file (i.e. file:///usr/local/etc/cacrl.pem). If ldap or http
+crl file (i.e. file:///etc/ocspd/crls/cacrl.pem). If ldap or http
 is chosen, you can specify the address, and the port of the
 server where to connect to (i.e. ldap://server.addr:port).
 
diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/Makefile.am openca-ocspd-1.5.1-rc1.new/etc/Makefile.am
--- openca-ocspd-1.5.1-rc1.orig/etc/Makefile.am	2006-09-18 16:28:41.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/etc/Makefile.am	2008-07-02 14:31:13.000000000 +0200
@@ -2,20 +2,23 @@
 
 CHMOD = @CHMOD@
 
-EXTRA_DIST = ocspd.conf.in ocspd.in
+EXTRA_DIST = ocspd.conf.in ocspd.in ocspd.sysconfig.in
 
 install-data-local:
 	@$(NORMAL_INSTALL)
-	$(mkinstalldirs) $(sysconfdir); \
-	$(mkinstalldirs) $(sysconfdir)/init.d; \
-	$(mkinstalldirs) $(sysconfdir)/ocspd; \
-	$(mkinstalldirs) $(sysconfdir)/ocspd/certs; \
-	$(mkinstalldirs) $(sysconfdir)/ocspd/private; \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir); \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/rc.d; \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/rc.d/init.d; \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/sysconfig; \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd; \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd/certs; \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd/crls; \
+	$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd/private; \
 	for file in *.conf ; do \
 	    if test -f $$file; then \
-	      $(INSTALL_DATA) $$file $(sysconfdir)/ocspd; \
+	      $(INSTALL_DATA) $$file $(DESTDIR)$(sysconfdir)/ocspd; \
 	    fi \
 	  done ; \
-	$(INSTALL_DATA) ocspd $(sysconfdir)/init.d ; \
-	$(CHMOD) +x $(sysconfdir)/init.d/ocspd
-
+	$(INSTALL_DATA) ocspd $(DESTDIR)$(sysconfdir)/rc.d/init.d ; \
+	$(CHMOD) +x $(DESTDIR)$(sysconfdir)/rc.d/init.d/ocspd; \
+	$(INSTALL_DATA) ocspd.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/ocspd
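Review bot: All commands in install-data-local are chained with `; \`, so only the exit status of the final $(INSTALL_DATA) reaches make and a failed mkinstalldirs or a failed install of ocspd.conf goes unnoticed. Suggest `&&` between the steps or one command per recipe line. The `ocspd/private` directory is created with the default mode here; the spec file corrects that with `%attr(700, ocspd, root)`, but a plain `make install` leaves the key directory with whatever the umask gives, so setting the mode in this rule would be safer. Installing the init script with $(INSTALL_SCRIPT) would also remove the need for the separate $(CHMOD) +x.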
diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.conf.in
--- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in	2006-10-21 18:35:59.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.conf.in	2008-07-02 14:31:13.000000000 +0200
@@ -8,14 +8,12 @@
 ####################################################################
 [ OCSPD_default ]
 
-dir		 = @prefix@/etc/ocspd		# Where everything is kept
-db		 = $dir/index.txt		# database index file.
+dir		 = @sysconfdirvalue@/ocspd	# Where everything is kept
 md	 	 = sha1
 
-ca_certificate	  = $dir/certs/cacert.pem 	# The CA certificate
 ocspd_certificate = $dir/certs/ocspd_cert.pem	# The OCSP server cert
 ocspd_key	  = $dir/private/ocspd_key.pem	# The OCSP server key
-pidfile		  = $dir/ocspd.pid		# Main process pid
+pidfile		  = @piddir@/ocspd.pid		# Main process pid
 
 # User and Group the server will run as. It is a good idea
 # not having servers running as root: in case of errors in
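Review bot: `pidfile` now points at @piddir@, which configure.in defaults to the run directory under localstatedir, while the comment directly below recommends running the server as a non-root user. Please confirm that the daemon writes the pid file before it switches to that user; if it writes it afterwards, the unprivileged user will normally not be able to create the file there and the `--pidfile`/`killproc -p` calls in the new init script would have nothing to read.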
@@ -41,6 +39,10 @@
 # and processors.
 threads_num		= 150
 
+# Size of the system listen() queue. This allows buffering connection
+# requests for later processing when all threads are already busy.
+#max_client_num		= 30
+
 # Max timeout for request receiving. If a request is not received
 # within the specified number of seconds then the socket is closed
 # in order to free unused threads. If not set, the default value
@@ -56,7 +58,7 @@
 # error will be written in the logfile, but the server will
 # continue to run assuming the chroot() is sufficiently isolated
 # to prevent abuse of the machine.
-# chdir			= @prefix@
+#chroot_dir		= @prefix@
 
 # Auto Reload interval of CRL (if set to 0 or not present, to
 # reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
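Review bot: The corrected example `#chroot_dir = @prefix@` still points at @prefix@, while this patch moves `dir` and the CRL and CA URLs to @sysconfdirvalue@. When sysconfdir is not below the prefix, an administrator who uncomments the line gets a chroot that does not contain the certificates, key and CRLs. Suggest an example value that does contain them, or one comment line listing which paths have to exist inside the chroot.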
@@ -75,7 +77,7 @@
 # Reload CRL if the one loaded is expired. Set this parameter
 # only if you are sure that the new CRL will be issued and put
 # in the crl_url.
-crl_reload_expired = yes
+#crl_reload_expired = yes
 
 # Specifies the response section to load the server options
 # from
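Review bot: Commenting out `crl_reload_expired = yes` changes the behaviour of the shipped configuration, not only its layout: the sample no longer asks for an expired CRL to be reloaded, and the comment above does not say what the daemon does when the parameter is absent. For a responder that answers from CRL data this default matters. Suggest stating the built-in default in the comment and naming this change explicitly in the changelog entry instead of leaving it under "configuration files fixes".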
@@ -84,10 +86,10 @@
 # It specifies the section to be used where options about where
 # CRL and certificates are kept.
 #
-# Example section using LDAP for data retrival
+# Example section using LDAP for data retrieval
 # dbms		= dbms_ldap
 #
-# Example section using FILES for data retrival
+# Example section using FILES for data retrieval
 dbms		= dbms_file
 
 # Enables the ENGINE interface for the server. If set to off then
@@ -103,7 +105,7 @@
 
 ####################################################################
 [ ocsp_response ]
-dir		 	= @prefix@/etc/ocspd
+dir		 	= @sysconfdirvalue@/ocspd
 
 # It is possible to include additional certificates in given
 # responses. Put all the certificates you want to include in
@@ -140,7 +142,7 @@
 
 [ ldap_ca_1 ]
 # You can have the CRL on a simple file
-# crl_url = file:///usr/local/etc/ocspd/crl.pem
+# crl_url = file://@sysconfdirvalue@/ocspd/crls/crl.pem
 
 # You can have the CRL retrieved from an HTTP server
 # crl_url = http://[user[:pwd]@]server[:port]/path_to_crl
@@ -196,19 +198,19 @@
 [ first_ca ]
 
 # You can have the CRL on a simple file in PEM format
-crl_url = file:///@prefix@/etc/ocspd/crls/crl_01.pem
+crl_url = file://@sysconfdirvalue@/ocspd/crls/crl_01.pem
 
 # We need the CA certificate for every supported CRL
-ca_url  = file:///@prefix@/etc/ocspd/certs/1st_cacert.pem
+ca_url  = file://@sysconfdirvalue@/ocspd/certs/1st_cacert.pem
 
 ####################################################################
 [ second_ca ]
 
 # You can have the CRL on a simple file in PEM format
-crl_url = file:///@prefix@/etc/ocspd/crls/crl_02.pem
+crl_url = file://@sysconfdirvalue@/ocspd/crls/crl_02.pem
 
 # We need the CA certificate for every supported CRL
-ca_url  = file:///@prefix@/etc/ocspd/certs/2nd_cacert.pem
+ca_url  = file://@sysconfdirvalue@/ocspd/certs/2nd_cacert.pem
 
 ####################################################################
 [ HSM ]
diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.in
--- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.in	2006-10-15 17:11:45.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.in	2008-07-02 15:31:57.000000000 +0200
@@ -1,90 +1,94 @@
 #!/bin/sh
 #
-# Startup script for the OCSPD responder
+# ocspd		Startup script for the OCSPD responder
 #
-# chkconfig: 345 85 15
+# chkconfig: - 85 15
 # description: OpenCA OCSP Responder
-# processname: openca-ocspd
-
-prefix="@prefix@";
-sbin="${prefix}/sbin";
-etc="${prefix}/etc/ocspd"
+# processname: ocspd
+# pidfile: @piddir@/ocspd.pid
 
 # Source function library.
-# . /etc/rc.d/init.d/functions
-
-ocspd="${sbin}/ocspd";
-conf="${etc}/ocspd.conf";
+. /etc/rc.d/init.d/functions
 
-# Take a look in your apache config and set it as it is set there.
-pidfile="${etc}/ocspd.pid";
+if [ -f /etc/sysconfig/network ]; then
+        . /etc/sysconfig/network
+fi
+
+if [ -f /etc/sysconfig/ocspd ]; then
+        . /etc/sysconfig/ocspd
+fi
+
+prog=ocspd
+exec="@sbindirvalue@/${prog}";
+config="@sysconfdirvalue@/${prog}/${prog}.conf"
+pidfile="@piddir@/${prog}.pid"
+lockfile="@localstatedirvalue@/lock/subsys/${prog}"
+
+# Check that we are root ... so non-root users stop here
+[ `id -u` = 0 ] || exit 1
+
+# Check that networking is up.
+[ "${NETWORKING}" = "yes" ] || exit 0
+
+RETVAL=0
+
+start()
+
+{
+	[ -x "${exec}" ] || exit 5
+	[ -f "${config}" ] || exit 6
+	echo -n $"Starting ${prog}: "
+	daemon --pidfile "${pidfile}" "${exec}" -d -c "${config}"	\
+		${OPTIONS} ${1}
+	RETVAL=$?
+	echo
+	[ "${RETVAL}" -eq "0" ] && touch "${lockfile}"
+	return $RETVAL
+}
 
 # See how we were called.
-case "$1" in
+case "${1}" in
   start)
-	echo -n "Starting OCSP Responder: "
-	${ocspd} -c "${conf}" -d
-	echo "Done."
+	start
+	RETVAL=$?
 	;;
   start-verbose)
-	echo -n "Starting OCSP Responder: "
-	${ocspd} -c "${conf}" -d -v
-	echo "Done."
+	start -v
+	RETVAL=$?
 	;;
   start-debug)
-	echo -n "Starting OCSP Responder: "
-	${ocspd} -c "${conf}" -d -v -debug
-	echo "Done."
+	start "-v -debug"
+	RETVAL=$?
 	;;
   stop)
-	echo -n "Shutting down OCSP Responder: "
-	if [ -f "$pidfile" ] ; then
-		pid=`cat $pidfile`;
-		# if [ "x$pid" = "x" ] ; then
-		# 	killall -15 ocspd
-		# else
-			kill -15 ${pid}
-		# fi
-		rm -f "$pidfile"
-	else
-		echo "Missing pidfile (already stopped?)"
-	fi
-	echo "Done."
+	echo -n $"Shutting down ${prog}: "
+	killproc -p "${pidfile}" "${prog}"
+	RETVAL=$?
+	echo
+	[ "${RETVAL}" -eq "0" ] && rm -f "${lockfile}"
 	;;
   status)
-	echo -n "OCSP Responder is "
-	if ! [ -f "$pidfile" ] ; then
-		echo "stopped."
-	else
-		pid=`cat $pidfile`;
-		if test `ps -p ${pid}` ; then
-			echo "running ( $pid ) ... "
-		else
-			echo "stopped."
-		fi
-	fi
-	;;
-  reload-crl)
-	echo -n "Sending Reload CRL Signal to OCSP ... "
-	if ! [ -f "$pidfile" ] ; then
-		echo "stopped."
-	else
-		pid=`cat $pidfile`;
-		if test `kill -HUP ${pid}` ; then
-			echo "error."
-		else
-			echo "Ok."
-		fi
-	fi
+	status "${prog}"
+	RETVAL=$?
 	;;
-  restart)
-	$0 stop
+  reload)
+	echo -n $"Reloading CRLs: "
+	killproc -p "${pidfile}" "${prog}" -HUP
+	RETVAL=$?
+	echo
+	;;
+  restart|force-reload)
+	"${0}" stop
 	sleep 2
-	$0 start
+	"${0}" start
+	;;
+  condrestart|try-restart)
+	[ -e "${lockfile}" ] && "${0}" restart
 	;;
   *)
-	echo "Usage: $0 {start|stop|status|reload-crl|restart}"
-	exit 1
+	echo "Usage: ${0} {start|start-verbose|start-debug|stop|status|"
+	echo "		reload|force-reload|restart|condrestart|try-restart}"
+	RETVAL=2
 esac
 
-exit 0
+exit $RETVAL
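Review bot: the restart|force-reload and condrestart|try-restart branches never assign RETVAL, so the final "exit $RETVAL" reports 0 even when the nested start fails. Capture the status after the nested call, for example RETVAL=$? directly after "${0}" start. In the condrestart branch use an if test on the lockfile, so that a missing lockfile still exits 0. Separately, the root check and the NETWORKING check sit ahead of the case statement, so they also apply to status and stop: a non-root status query exits 1, and stop exits 0 without doing anything when networking is off. Moving both checks into start() would limit them to the action that needs them.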
diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.sysconfig.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.sysconfig.in
--- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.sysconfig.in	1970-01-01 01:00:00.000000000 +0100
+++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.sysconfig.in	2008-07-02 14:31:13.000000000 +0200
@@ -0,0 +1,8 @@
+#	Name of daemon program.
+#OCSPD=@sbindirvalue@/ocspd
+
+#	Configuration file.
+#CONF=@sysconfdirvalue@/ocspd/ocspd.conf
+
+#	Additional command line options.
+#OPTIONS=""
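Review bot: the OCSPD and CONF settings documented here have no effect with the init script in this patch. That script sources /etc/sysconfig/ocspd and then assigns exec and config unconditionally from @sbindirvalue@ and @sysconfdirvalue@, and only ${OPTIONS} is read on the daemon command line. Either drop the two unused entries from this file or have the script honour them, for example with a ${OCSPD:-default} style expansion when setting exec and config.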
diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/index.txt openca-ocspd-1.5.1-rc1.new/examples/index.txt
--- openca-ocspd-1.5.1-rc1.orig/examples/index.txt	2006-09-18 16:28:39.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/examples/index.txt	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-V	020610093819Z		01	unknown	/Email=chiarap at excite.com/CN=Chiara Ponz de Leon/OU=Building A/O=OpenCA/C=IT
diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf openca-ocspd-1.5.1-rc1.new/examples/ocspd.conf
--- openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf	2006-09-18 16:28:39.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/examples/ocspd.conf	2008-07-02 14:31:13.000000000 +0200
@@ -8,11 +8,9 @@
 ####################################################################
 [ OCSPD_default ]
 
-dir		 = /usr/local/ocspd/etc/ocspd		# Where everything is kept
-db		 = $dir/index.txt		# database index file.
+dir		 = /etc/ocspd			# Where everything is kept
 md	 	 = sha1
 
-ca_certificate	  = $dir/certs/cacert.pem 	# The CA certificate
 ocspd_certificate = $dir/certs/ocspd_cert_2.pem	# The OCSP server cert
 ocspd_key	  = $dir/private/ocspd_key.pem	# The OCSP server key
 pidfile		  = $dir/ocspd.pid		# Main process pid
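Review bot: the unchanged pidfile line still resolves to /etc/ocspd/ocspd.pid once dir becomes /etc/ocspd, while the init script in this patch passes @piddir@/ocspd.pid to daemon --pidfile and killproc -p. With this example configuration the daemon and the init script would disagree on the pid file location, so stop and reload would not find the process. It would also require the daemon to write into the configuration directory. Suggest pointing pidfile at the same directory the init script uses.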
@@ -81,7 +79,7 @@
 
 ####################################################################
 [ ocsp_response ]
-dir		 	= /usr/local/ocspd/etc/ocspd
+dir		 	= /etc/ocspd
 
 # It is possible to include additional certificates in given
 # responses. Put all the certificates you want to include in
@@ -113,7 +111,7 @@
 
 [ ldap_ca_1 ]
 # You can have the CRL on a simple file
-# crl_url = file:///usr/local/etc/ocspd/crl.pem
+# crl_url = file:///etc/ocspd/crls/crl.pem
 
 # You can store the CRL into an LDAP server, simply
 # store it in certificateRevocationList;binary attribute
@@ -166,20 +164,20 @@
 [ first_ca ]
 
 # You can have the CRL on a simple file in PEM format
-crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_07.crl
+crl_url = file:///etc/ocspd/crls/crl_07.crl
 
 # We need the CA certificate for every supported CRL
-# ca_url  = file:////usr/local/ocspd/etc/ocspd/certs/1st_cacert.pem
-ca_url  = file:////usr/local/ocspd/etc/ocspd/certs/cacert.pem
+# ca_url  = file:///etc/ocspd/certs/1st_cacert.pem
+ca_url  = file:///etc/ocspd/certs/cacert.pem
 
 ####################################################################
 [ second_ca ]
 
 # You can have the CRL on a simple file in PEM format
-crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_01.crl
+crl_url = file:///etc/ocspd/crls/crl_01.crl
 
 # We need the CA certificate for every supported CRL
-ca_url  = file:////usr/local/ocspd/etc/ocspd/certs/2nd_cacert.pem
+ca_url  = file:///etc/ocspd/certs/2nd_cacert.pem
 
 ####################################################################
 [ HSM ]
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.c openca-ocspd-1.5.1-rc1.new/src/core.c
--- openca-ocspd-1.5.1-rc1.orig/src/core.c	2006-10-21 16:50:32.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/core.c	2008-07-02 14:31:13.000000000 +0200
@@ -18,8 +18,8 @@
 pthread_cond_t clifd_cond;
 
 
-int start_threaded_server ( char * bind_s, char * port_s, int nthreads,
-			OCSPD_CONFIG * ocspd_conf ) {
+int start_threaded_server ( char * bind_s, char * port_s, int queue_len,
+			int nthreads, OCSPD_CONFIG * ocspd_conf ) {
 	int i;
 
 	struct sockaddr_in cliaddr;
@@ -36,7 +36,8 @@
 		exit(68);
 	}
 
-	if( (ocspd_conf->listenfd = Listen( bind_s, atoi(port_s) )) == 0) {
+	if ((ocspd_conf->listenfd = Listen(bind_s, atoi(port_s),
+					queue_len)) == 0) {
 		syslog(LOG_ERR, "ERROR::BIND::Can not bind to [%s],[%d]",
 			bind_s, atoi(port_s));
 		exit(101);
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.h openca-ocspd-1.5.1-rc1.new/src/core.h
--- openca-ocspd-1.5.1-rc1.orig/src/core.h	2006-10-14 13:37:32.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/core.h	2008-07-02 14:31:13.000000000 +0200
@@ -16,8 +16,8 @@
 #include "general.h"
 #include "ocsp_request.h"
 
-int start_threaded_server ( char * bind_s, char * port_s, int nthreads,
-			OCSPD_CONFIG * ocspd_conf );
+int start_threaded_server ( char * bind_s, char * port_s, int queue_len,
+			int nthreads, OCSPD_CONFIG * ocspd_conf );
 int set_alrm_handler( void );
 void close_server ( void );
 void handle_sigterm ( int i );
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/general.h openca-ocspd-1.5.1-rc1.new/src/general.h
--- openca-ocspd-1.5.1-rc1.orig/src/general.h	2006-10-21 14:53:55.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/general.h	2008-07-02 14:31:13.000000000 +0200
@@ -83,24 +83,14 @@
 
 #include <openssl/ocsp.h>
 
-#define HTTP_POST		0
-#define HTTP_GET		1
-#define HTTP_POST_METHOD	"POST"
-#define HTTP_GET_METHOD		"GET"
-
-#define OCSP_REQ_TYPE		"application/ocsp-request"
-#define OCSP_RESP_TYPE		"application/ocsp-response"
-
 #define BASE_SECTION    	"ocspd"
 #define CONFIG_FILE 		"ocspd.conf"
 #define ENV_SECTION 		"conf_section"
 
 #define ENV_DEFAULT_OCSPD	"default_ocspd"
-#define ENV_DATABASE            "db"
 #define ENV_OCSPD_DBMS		"dbms"
 #define ENV_PRIVATE_KEY		"ocspd_key"
 #define ENV_CERTIFICATE		"ocspd_certificate"
-#define ENV_CA_CERTIFICATE	"ca_certificate"
 #define ENV_OCSPD_PORT		"port"
 #define ENV_OCSPD_BIND		"bind"
 #define ENV_OCSPD_CHILD		"threads_num"
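Review bot: no ENV_OCSPD_QUEUE definition appears among the ENV_* macros touched here, yet the ocspd.c change in this patch looks that key up with NCONF_get_string. Please confirm the macro is already defined elsewhere in general.h; if it is not, add it next to ENV_OCSPD_CHILD. The key name it maps to should also be documented in the example ocspd.conf, which this patch edits without mentioning a queue setting.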
@@ -142,20 +132,6 @@
 #define OCSP_REQ_CONTENT_TYPE	"application/ocsp-request"
 #define OCSP_RESP_CONTENT_TYPE	"application/ocsp-response"
 
-#define DB_type         0
-#define DB_exp_date     1
-#define DB_rev_date     2
-#define DB_serial       3       /* index - unique */
-#define DB_file         4       
-#define DB_name         5       /* index - unique for active */
-#define DB_NUMBER       6
-
-#define DB_TYPE_REV     'R'
-#define DB_TYPE_EXP     'E'
-#define DB_TYPE_VAL     'V'
-#define DB_TYPE_SUS     'S'
-#define DB_TYPE_UNK     'U'
-
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/ocspd.c openca-ocspd-1.5.1-rc1.new/src/ocspd.c
--- openca-ocspd-1.5.1-rc1.orig/src/ocspd.c	2006-10-21 14:58:10.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/ocspd.c	2008-07-02 14:31:13.000000000 +0200
@@ -71,7 +71,8 @@
 NULL
 };
 
-/* Staic variables */
+
+/* Static variables */
 char *prgname = "ocspd";
 char *version = VERSION;
 
@@ -91,6 +92,7 @@
 	char *max_timeout_s = NULL;
 
 	int child_num = 5;
+	int queue_len = 30;
 	int verbose   = 0;
 	int debug     = 0;
 
@@ -103,7 +105,6 @@
 	char *keyfile = NULL;
 	char *configfile = NULL;
 	char *cert = NULL;
-	char *cacert = NULL;
 	char **pp = NULL;
 	char *key = NULL;
 	char *passargin = NULL;
@@ -387,36 +388,6 @@
 	}
 
 	/*****************************************************************/
-	/* Load the CA certificate file */
-        if ((cacert == NULL) && ((cacert=NCONF_get_string(ocspd_conf->conf,
-                section,ENV_CA_CERTIFICATE)) == NULL))
-                {
-                lookup_fail(section,ENV_CA_CERTIFICATE);
-                goto err;
-                }
-	if ( cacert ) {
-		if( verbose )
-	                syslog(LOG_INFO,"reading CA certificate file.\n");
-	        if ((certf=BIO_new_file( cacert, "r")) == NULL) {
-	                syslog(LOG_ERR,"unable to open CA certificate file.\n");
-	                goto err;
-		}
-	        if ((ocspd_conf->cacert = PEM_read_bio_X509(certf,NULL,NULL,NULL))
-				==NULL) {
-	                syslog(LOG_ERR,"cannot load CA certificate.\n");
-	                goto err;
-		}
-	        BIO_free( certf );
-	}
-        if (ocspd_conf->cacert == NULL) {
-                syslog(LOG_ERR,"unable to load CA certificate\n");
-                goto err;
-        }
-
-	if(verbose)
-		syslog(LOG_INFO,"OCSP Daemon setup completed");
-
-        /*****************************************************************/
         /* Let's get the digest */
         if ((ocsp_digest_name == NULL) &&
 	        ((ocsp_digest_name=NCONF_get_string(ocspd_conf->conf,section,
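Review bot: the deleted block was where ocspd_conf->cacert got assigned, so any code that still reads that field will now see only its initial value. Please confirm that no reader of ocspd_conf->cacert remains, or remove the field together with this block, so that a leftover use fails at compile time instead of dereferencing an unset pointer at run time. The deletion also removes the verbose "OCSP Daemon setup completed" syslog line, which is unrelated to the CA certificate; keep it if that message is still wanted.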
@@ -452,6 +423,15 @@
 		bind_s = "0.0.0.0";
        	}
 
+	/* Listen queue size */
+        if ((tmp_s = NCONF_get_string(ocspd_conf->conf,
+				section, ENV_OCSPD_QUEUE)) == NULL) {
+               	if( verbose )
+			lookup_fail(section,ENV_OCSPD_QUEUE);
+       	} else {
+		queue_len = atoi(tmp_s);
+	}
+
 	/* Number of child threads to be spawned */
         if ((child_s == NULL) && ((child_s = NCONF_get_string(ocspd_conf->conf,
 			 section, ENV_OCSPD_CHILD)) == NULL)) {
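Review bot: queue_len = atoi(tmp_s) accepts whatever is in the configuration file without validation. A non-numeric value silently becomes 0 and a negative value is kept, and either one is handed straight to listen() by the sock.c change. Suggest parsing with strtol, rejecting trailing garbage and values below 1, then logging the problem and keeping the default of 30 in that case.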
@@ -682,7 +662,7 @@
 	}
 
 	// CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-	start_threaded_server( bind_s, port_s, child_num, ocspd_conf );
+	start_threaded_server(bind_s, port_s, queue_len, child_num, ocspd_conf);
 
 	goto end;
 
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.c openca-ocspd-1.5.1-rc1.new/src/sock.c
--- openca-ocspd-1.5.1-rc1.orig/src/sock.c	2006-10-14 13:26:00.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/sock.c	2008-07-02 14:31:13.000000000 +0200
@@ -18,12 +18,11 @@
 #include "sock.h"
 
 #define SERV_PORT	4567
-#define	LISTENQ		30
 
 extern int h_errno;
 extern OCSPD_CONFIG *ocspd_conf;
 
-int Listen (char *hostname, int port) {
+int Listen (char *hostname, int port, int queue_len) {
 	int fd, reuse_addr;
 	struct sockaddr_in servaddr;
 	struct hostent *ht = NULL;
@@ -79,7 +78,7 @@
 		return(0);
 	};
 
-	if( listen( fd, LISTENQ ) == -1 ) {
+	if (listen(fd, queue_len) == -1) {
 		syslog(LOG_ERR, "FATAL ERROR::Listen::%s",
 			strerror( errno ));
 		return(0);
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.h openca-ocspd-1.5.1-rc1.new/src/sock.h
--- openca-ocspd-1.5.1-rc1.orig/src/sock.h	2006-10-13 17:06:00.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/sock.h	2008-07-02 14:31:13.000000000 +0200
@@ -8,7 +8,7 @@
 
 /* Socket Wrapping functions */
 
-int Listen (char *hostname, int port);
+int Listen (char *hostname, int port, int queue_len);
 // int Accept (int sock, int *c_sock);
 int Accept (int listen_sockfd, SA *cliaddr, socklen_t *addrlenp);
 ssize_t Read (int fd, void *bufptr, size_t nbytes);


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/ocspd/F-8/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore	11 Oct 2008 00:14:44 -0000	1.1
+++ .cvsignore	13 Oct 2008 10:47:29 -0000	1.2
@@ -0,0 +1 @@
+openca-ocspd-1.5.1-rc1.tar.gz


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/ocspd/F-8/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources	11 Oct 2008 00:14:44 -0000	1.1
+++ sources	13 Oct 2008 10:47:30 -0000	1.2
@@ -0,0 +1 @@
+79e6ba80ccd7daa9212c03ca951f7d15  openca-ocspd-1.5.1-rc1.tar.gz
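Review bot: the upstream tarball is pinned here by an MD5 digest only, and MD5 is not collision-resistant. Before the import is relied on, the tarball should be checked against a release signature or a stronger digest from upstream, if one is published.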



