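--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -303,4 +303,81 @@
 return response;
 }
 
+/* _________________________________________________________________
+**
+** OCSP other certificate support
+** _________________________________________________________________
+*/
+
+/*
+* Read a file that contains certificates in PEM format and
+* return as a STACK.
+*/
+static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
+{
+BIO *bio;
+X509 *x509;
+unsigned long err;
+int n;
+STACK_OF(X509) *other_certs = NULL;
+
+if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+return NULL;
+if (BIO_read_filename(bio, file) <= 0) {
+BIO_free(bio);
+return NULL;
+}
+/* create new extra chain by loading the certs */
+while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+if (!other_certs) {
+other_certs = sk_X509_new_null();
+if (!other_certs)
+return NULL;
+}
+
+if (!sk_X509_push(other_certs, x509)) {
+X509_free(x509);
+sk_X509_pop_free(other_certs, X509_free);
+BIO_free(bio);
+return NULL;
+}
+}
+/* Make sure that only the error is just an EOF */
+if ((err = ERR_peek_error()) > 0) {
+if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
+&& ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+BIO_free(bio);
+sk_X509_pop_free(other_certs, X509_free);
+return NULL;
+}
+while (ERR_get_error() > 0) ;
+}
+BIO_free(bio);
+return other_certs;
+}
+
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
+{
+/*
+* Configure Trusted OCSP certificates.
+*/
+
+if (!mctx->ocsp_certs_file) {
+return;
+}
+
+ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+"Configuring Trusted OCSP certificates");
+
+mctx->ocsp_certs = modssl_read_ocsp_certificates(mctx->ocsp_certs_file);
+
+if (!mctx->ocsp_certs) {
+ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+"Unable to configure OCSP Trusted Certificates");
+ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ssl_die();
+}
+mctx->ocsp_verify_flags |= OCSP_TRUSTOTHER;
+}
+
 #endif /* HAVE_OCSP */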
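Review bot: The `sk_X509_new_null()` failure branch at new lines 334-335 of `modssl_read_ocsp_certificates` returns NULL without releasing `bio` or the `x509` just returned by `modssl_PEM_read_bio_X509`, while the `sk_X509_push` failure a few lines below does free both; the branch should read `{ X509_free(x509); BIO_free(bio); return NULL; }`. `int n;` at line 321 is never used and will draw an unused-variable warning. The EOF check at lines 346-353 inspects whatever is already on the OpenSSL error queue, so a stale error left by an unrelated earlier call would make the loader reject a valid file; calling `ERR_clear_error()` before the read loop (and in place of the drain loop at line 353) would make the check reflect only this read. A comment on line 380 such as `/* OCSP_TRUSTOTHER: a response signed by any cert in this file is accepted without further chain verification */` would make the trust implication of the configured file explicit to future readers.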