diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/configure.in --- openca-ocspd-1.5.1-rc1.orig/configure.in 2006-10-13 22:45:29.000000000 +0200 +++ openca-ocspd-1.5.1-rc1.new/configure.in 2008-07-02 14:31:13.000000000 +0200 @@ -3,7 +3,7 @@ dnl Autoconf boilerplate/ AC_INIT(src/ocspd.c) -AC_PREREQ( 2.50) +AC_PREREQ(2.50) AC_CONFIG_AUX_DIR(build) VERSION=`cat VERSION` @@ -11,12 +11,12 @@ PACKAGE_MAJOR=`cat VERSION` PACKAGE_MINOR=1 -AC_SUBST( PACKAGE_MAJOR ) -AC_SUBST( PACKAGE_MINOR ) +AC_SUBST(PACKAGE_MAJOR) +AC_SUBST(PACKAGE_MINOR) dnl Automake boilerplate. AC_CANONICAL_SYSTEM -AM_INIT_AUTOMAKE( $PACKAGE_NAME, $PACKAGE_MAJOR ) +AM_INIT_AUTOMAKE($PACKAGE_NAME, $PACKAGE_MAJOR) dnl Options. #AC_DISABLE_FAST_INSTALL @@ -40,9 +40,9 @@ AM_CONDITIONAL(OCSPD_ARCH_SOLARIS, test x$arch = xsolaris) AM_CONDITIONAL(OCSPD_ARCH_HPUX, test x$arch = xhpux) -AC_CHECK_LIB(pthread, pthread_create, - [ AC_DEFINE(HAVE_LIBPTHREAD, 1, [PTHREAD Library])], - [ AC_MSG_ERROR([pthread library is needed!]) ] +AC_CHECK_LIB(pthread, pthread_create, + [AC_DEFINE(HAVE_LIBPTHREAD, 1, [PTHREAD Library])], + [AC_MSG_ERROR([pthread library is needed!])] ) if test x$arch = xlinux ; then @@ -79,13 +79,6 @@ AC_PROG_MAKE_SET AC_PROG_LN_S -dnl Add libtool support. -AM_PROG_LIBTOOL -# AC_PROG_LIBTOOL - -dnl Automatically update the libtool script if it becomes out-of-date. -AC_SUBST(LIBTOOL_DEPS) - dnl Setup dist stuff AC_SUBST(ac_aux_dir) 
@@ -93,17 +86,17 @@ AC_CHECK_LIB(nsl, gethostbyname) AC_CHECK_LIB(socket, socket) AC_CHECK_LIB(resolv, res_query) -dnl AC_CHECK_LIB(crypto, SSLeay ) -dnl AC_CHECK_LIB(crypto, ENGINE_init ) -dnl AC_CHECK_LIB(ssl, SSL_version ) -dnl AC_CHECK_LIB(db-4.0, open ) +dnl AC_CHECK_LIB(crypto, SSLeay) +dnl AC_CHECK_LIB(crypto, ENGINE_init) +dnl AC_CHECK_LIB(ssl, SSL_version) +dnl AC_CHECK_LIB(db-4.0, open) dnl Check for Pod2Man program -AC_PATH_PROG( POD2MAN, pod2man,pod2man, +AC_PATH_PROG(POD2MAN, pod2man, pod2man, $PATH:/sbin:/usr/sbin:/usr/local/sbin) dnl Check for Pod2Html program -AC_PATH_PROG( POD2HTML, pod2html,pod2html, +AC_PATH_PROG(POD2HTML, pod2html, pod2html, $PATH:/sbin:/usr/sbin:/usr/local/sbin) dnl Check for package and related programs @@ -124,16 +117,16 @@ AC_PATH_PROG(PERL, perl) AC_SUBST(PERL) -AC_MSG_RESULT([architecture : ${build_os} ]) +AC_MSG_RESULT([architecture : ${build_os}]) dnl OpenSSL prefix -AC_ARG_WITH( openssl-prefix, +AC_ARG_WITH(openssl-prefix, [ --with-openssl-prefix=DIR openssl prefix directory], -[ openssl_prefix=$withval ] , [ openssl_prefix= ] ) +[openssl_prefix=$withval] , [openssl_prefix=]) AC_SUBST(openssl_prefix) -AC_MSG_RESULT([with openssl-prefix : $openssl_prefix ]) +AC_MSG_RESULT([with openssl-prefix : $openssl_prefix]) if [[ x$openssl_prefix != x ]]; then openssl_path=$openssl_prefix/lib @@ -142,7 +135,7 @@ AC_MSG_RESULT([openssl lib dir : $openssl_path (default)]) fi -AM_CONDITIONAL(OPENSSL_PREFIX, test x$openssl_prefix != x ) +AM_CONDITIONAL(OPENSSL_PREFIX, test x$openssl_prefix != x) ### Setup for OpenSSL build flags ### dnl Now we like the version of openssl. Let's construct 
@@ -160,7 +153,7 @@ openssl_cflags=[-I${openssl_prefix}/include] openssl_libs=["-L${openssl_prefix}/lib -L${openssl_prefix} -lssl -lcrypto "] openssl_setup=yes - dnl AC_MSG_RESULT( [User specified --with-openssl-prefix]) + dnl AC_MSG_RESULT([User specified --with-openssl-prefix]) dnl Check if the developer has the pkg-config macros dnl for the autotools on their system ifdef([PKG_CHECK_MODULES], @@ -169,22 +162,20 @@ dnl If so, we can check if the target system has dnl (1) pkg-config support installed as well, and dnl (2) has openssl 0.9.7 or greater installed - AC_CHECK_PROG( HAS_PKGCONF, pkg-config, yes, [] , $PATH) - if [[ x${HAS_PKGCONF} != x ]]; then - PKG_CHECK_MODULES( OPENSSL,openssl >= 0.9.7, [ - AC_MSG_RESULT( - [openssl 0.9.7 or greater found via pkgconfig] - ) + AC_CHECK_PROG(HAS_PKGCONF, pkg-config, yes, [] , $PATH) + if [[ x${HAS_PKGCONF} != x ]]; then + PKG_CHECK_MODULES(OPENSSL,openssl >= 0.9.7, [ + AC_MSG_RESULT([openssl 0.9.7 or greater found via pkgconfig]) openssl_cflags=$OPENSSL_CFLAGS openssl_libs=$OPENSSL_LIBS openssl_setup=yes - fi + fi ], - [ - AC_MSG_RESULT( [good openssl not found via pkgconfig]) + [ + AC_MSG_RESULT([good openssl not found via pkgconfig]) ] ) dnl End of PKG_CHECK macro - + ], [ ## Skipping pkg-config macros... @@ -192,14 +183,14 @@ )dnl End of check using pkg-config... fi dnl End of prefix block - + if [[ x${openssl_setup} != xyes ]]; then - AC_MSG_RESULT( [Assuming reasonable defaults for openssl...]) + AC_MSG_RESULT([Assuming reasonable defaults for openssl...]) openssl_setup=yes fi - - dnl Export our openssl build settings + + dnl Export our openssl build settings AC_SUBST(openssl_cflags) AC_SUBST(openssl_libs) 
@@ -209,28 +200,28 @@ dnl AC_OPENSSL_OCSP dnl Let's check the openssl version -dnl AC_EGREP_HEADER( [m/OPENSSL/gm], +dnl AC_EGREP_HEADER([m/OPENSSL/gm], dnl [${openssl_prefix}/include/openssl/opensslv.h], -dnl [openssl_ver="0.9.8+"], +dnl [openssl_ver="0.9.8+"], dnl [openssl_ver="0.9.7"]) -dnl +dnl dnl if [[ openssl_ver = "0.9.8+" ]] ; then dnl AC_DEFINE(OPENSSL_VER_00908000) dnl else dnl AC_DEFINE(OPENSSL_VER_00907000) dnl fi -dnl +dnl dnl AC_MSG_RESULT([OpenSSL Detected Version: $openssl_ver]); -dnl +dnl dnl CFLAGS=${openssl_flags} dnl AC_OPENSSL_VERSION -dnl AM_CONDITIONAL(OPENSSL_VER_00908000, if test "x$openssl_ver" = "x0.9.8+" ) +dnl AM_CONDITIONAL(OPENSSL_VER_00908000, if test "x$openssl_ver" = "x0.9.8+") dnl AC_MSG_RESULT([OpenSSL Detected Version: $openssl_ver]); dnl Enable OPENLDAP Support -AC_ARG_ENABLE( openldap, +AC_ARG_ENABLE(openldap, [ --enable-openldap enable openldap support (yes)], [case "${enableval}" in yes) openldap=true ;; @@ -244,16 +235,16 @@ if [[ x$openldap = xtrue ]]; then - AC_DEFINE(HAVE_OPENLDAP, [1], [OpenLDAP] ) + AC_DEFINE(HAVE_OPENLDAP, [1], [OpenLDAP]) dnl OpenLDAP prefix - AC_ARG_WITH( openldap-prefix, + AC_ARG_WITH(openldap-prefix, [ --with-openldap-prefix=DIR openldap prefix directory], - [ openldap_prefix=$withval ] , [ openldap_prefix= ] ) + [openldap_prefix=$withval], [openldap_prefix=]) AC_SUBST(openldap_prefix) - AC_MSG_RESULT([with openldap-prefix : $openldap_prefix ]) + AC_MSG_RESULT([with openldap-prefix : $openldap_prefix]) if [[ x$openldap_prefix != x ]]; then openldap_path=$openldap_prefix/lib AC_MSG_RESULT([openldap lib dir : $openldap_path]) 
@@ -286,31 +277,31 @@ fi fi -AM_CONDITIONAL(OPENLDAP_PREFIX, test x$openldap_prefix != x ) +AM_CONDITIONAL(OPENLDAP_PREFIX, test x$openldap_prefix != x) -dnl Export our OpenLDAP build settings +dnl Export our OpenLDAP build settings AC_SUBST(LDAP_LIBS) AC_SUBST(openldap_cflags) AC_SUBST(openldap_libs) dnl OCSP daemon default user -AC_ARG_WITH( ocspd-user, +AC_ARG_WITH(ocspd-user, [ --with-ocspd-user=ARG user to run processes as [ocspd]], -[ user=$withval ] , [ user=ocspd ] ) +[user=$withval], [user=ocspd]) -AC_MSG_RESULT([default ocspd user : $user ]) +AC_MSG_RESULT([default ocspd user : $user]) AC_SUBST(user) dnl OCSP daemon default group -AC_ARG_WITH( ocspd-group, +AC_ARG_WITH(ocspd-group, [ --with-ocspd-group=ARG group to run processes as [daemon]], -[ group=$withval ] , [ group=daemon ] ) +[group=$withval], [group=daemon]) -AC_MSG_RESULT([default ocspd group : $group ]) +AC_MSG_RESULT([default ocspd group : $group]) AC_SUBST(group) dnl OpenSSL Engine Support -AC_ARG_ENABLE( openssl-engine, +AC_ARG_ENABLE(openssl-engine, [ --enable-openssl-engine enable openssl engine support (no)], [case "${enableval}" in yes) engine=true ;; @@ -326,10 +317,10 @@ AC_DEFINE(HAVE_ENGINE, [1], [ENGINE support for OpenSSL]) fi -dnl AC_MSG_RESULT([enable engine support : $engine ]) +dnl AC_MSG_RESULT([enable engine support : $engine]) dnl Semaphores vs Flock Support -AC_ARG_ENABLE( semaphores, +AC_ARG_ENABLE(semaphores, [ --enable-semaphores use semaphores locking method (yes)], [case "${enableval}" in yes) sem=true ;; @@ -338,7 +329,7 @@ esac], [sem=true]) -AC_ARG_ENABLE( flock, +AC_ARG_ENABLE(flock, [ --enable-flock use semaphores locking method (no)], [case "${enableval}" in yes) flock=true && sem=false ;; 
@@ -361,10 +352,10 @@ dnl Debug option AC_ARG_ENABLE(debug, [ --enable-debug enable debug messages.], -[ case "${enableval}" in - yes) +[case "${enableval}" in + yes) debug=true ;; - no) + no) debug=false ;; *) AC_MSG_ERROR([bad value ${enableval} for --enable-debug]) ;; esac], [debug=false]) @@ -379,17 +370,27 @@ prefix="/usr/local"; fi +dnl Be sure we know the effective directory pathes. +sysconfdirvalue="`eval echo ${sysconfdir}`" +AC_SUBST(sysconfdirvalue) +sbindirvalue="`eval echo ${sbindir}`" +AC_SUBST(sbindirvalue) +localstatedirvalue="`eval echo ${localstatedir}`" +AC_SUBST(localstatedirvalue) +piddir="${piddir-${localstatedirvalue}/run}" +AC_SUBST(piddir) + dnl OpenCA prefix -AC_ARG_WITH( openca-prefix, +AC_ARG_WITH(openca-prefix, [ --with-openca-prefix=ARG OpenCA install prefix (PREFIX/OpenCA)], -[ openca_prefix=$withval], [openca_prefix=${prefix}/OpenCA] ) +[openca_prefix=$withval], [openca_prefix=${prefix}/OpenCA]) if [[ x${openca_prefix} = x ]] ; then AC_MSG_ERROR([bad value ${openca_prefix} for --with-openca-prefix]) fi -AC_MSG_RESULT([with openca-prefix : $openca_prefix ]) -AC_SUBST( openca_prefix ) +AC_MSG_RESULT([with openca-prefix : $openca_prefix]) +AC_SUBST(openca_prefix) AC_MSG_RESULT([install prefix : $prefix]) @@ -401,5 +402,5 @@ etc/Makefile etc/ocspd etc/ocspd.conf + etc/ocspd.sysconfig ) - diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-rc1.new/docs/ocspd.conf.3.pod --- openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod 2006-10-13 22:32:23.000000000 +0200 +++ openca-ocspd-1.5.1-rc1.new/docs/ocspd.conf.3.pod 2008-07-02 14:31:13.000000000 +0200 @@ -68,11 +68,9 @@ [ OCSPD_default ] - dir = /usr/local/etc/ocspd - db = $dir/index.txt + dir = /etc/ocspd md = sha1 - ca_certificate = $dir/certs/cacert.pem ocspd_certificate = $dir/certs/ocspd_cert.pem ocspd_key = $dir/private/ocspd_key.pem pidfile = $dir/ocspd.pid 
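Review bot: The new `sbindirvalue="`eval echo ${sbindir}`"` line expands only once, but autoconf's default `sbindir` is `${exec_prefix}/sbin` and `exec_prefix` is still the literal `NONE` at this point unless it is normalised somewhere not shown; the visible lines only default `prefix`, so `@sbindirvalue@` — and with it the init script's `exec=` path — can come out as `NONE/sbin/ocspd`, or as an unexpanded `${prefix}/sbin` once `exec_prefix` is set to `'${prefix}'`. Resolve `exec_prefix` first and expand twice: `test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'` followed by `sbindirvalue="`eval eval echo ${sbindir}`"` (the same double eval is harmless for `sysconfdir` and `localstatedir`). Note also that `eval` re-parses whatever the builder passed to `--sbindir`/`--sysconfdir`, so a directory containing shell metacharacters is executed rather than quoted; a one-line `dnl NOTE: these eval'd directory values must not contain shell metacharacters` above the block would save the next person the surprise.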
@@ -100,7 +98,7 @@ #################################################################### [ ocsp_response ] - dir = /usr/local/etc/ocspd + dir = /etc/ocspd ocsp_add_response_certs = $dir/certs/chain_certs.pem ocsp_add_response_keyid = yes next_update_days = 0 @@ -127,7 +125,7 @@ # http is used) # # You can have the CRLs/CA certificates on a simple file - # crl_url = file:///usr/local/etc/ocspd/crl.pem + # crl_url = file:///etc/ocspd/crl.pem # # You can retrieve the CRLs/CA certificates from a web server # crl_urt = http://server/ca/cacert.der @@ -151,7 +149,7 @@ [ dbms_file ] # You can have the CRL on a simple file in PEM format - crl_url = file:///usr/local/etc/ocspd/crl.pem + crl_url = file:///etc/ocspd/crl.pem [ HSM ] # Hardware accelerators support via the ENGINE interface @@ -173,21 +171,10 @@ specifies the directory where everything is kept. -=item B - -specifies the db where info about issued certificates are kept. Right -now the only supported file format is the one from B>. -To reload the certificate's db simply send a SIGHUP to the main process -( kill -s SIGHUP pid ). - =item B specifies the digest to be used. Default is sha1. -=item B - -path to the CA's certificate. - =item B path to the certificate to be used by the responder. @@ -234,6 +221,13 @@ a pre-threaded one. In order to run the server needs support for POSIX1.c as found in most modern UNiX systems. +=item B + +Size of the system socket queue: when all service threads are busy, +up to this number of unserved requests are accepted in queue and +will be processed as soon as a thread becomes available; additional +connection requests will be denied. Default: 30. + =item B Chroot the application into the specified directory, watch 
@@ -296,7 +290,7 @@ specifies the URI where the CA certificate (which identifies the single CA) is located. Three different protocols are implemented ( file:// http:// or ldap:// ). If file is chosen, then the parameter -should carry the path to the CA file (i.e. file:///usr/local/etc/ca.pem). +should carry the path to the CA file (i.e. file:///etc/ocspd/certs/ca.pem). If ldap or http is chosen, you can specify the address, and the port of the server where to connect to (i.e. ldap://server.addr:port). @@ -306,7 +300,7 @@ actually used for building responses) is located. Three different protocols are actually implemented ( file:// http:// or ldap:// ). If file is chosen, then the parameter should have the path to the -crl file (i.e. file:///usr/local/etc/cacrl.pem). If ldap or http +crl file (i.e. file:///etc/ocspd/crls/cacrl.pem). If ldap or http is chosen, you can specify the address, and the port of the server where to connect to (i.e. ldap://server.addr:port). diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/Makefile.am openca-ocspd-1.5.1-rc1.new/etc/Makefile.am --- openca-ocspd-1.5.1-rc1.orig/etc/Makefile.am 2006-09-18 16:28:41.000000000 +0200 +++ openca-ocspd-1.5.1-rc1.new/etc/Makefile.am 2008-07-02 14:31:13.000000000 +0200 
@@ -2,20 +2,23 @@
 CHMOD = @CHMOD@
-EXTRA_DIST = ocspd.conf.in ocspd.in
+EXTRA_DIST = ocspd.conf.in ocspd.in ocspd.sysconfig.in
 install-data-local:
 @$(NORMAL_INSTALL)
- $(mkinstalldirs) $(sysconfdir); \
- $(mkinstalldirs) $(sysconfdir)/init.d; \
- $(mkinstalldirs) $(sysconfdir)/ocspd; \
- $(mkinstalldirs) $(sysconfdir)/ocspd/certs; \
- $(mkinstalldirs) $(sysconfdir)/ocspd/private; \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir); \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/rc.d; \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/rc.d/init.d; \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/sysconfig; \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd; \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd/certs; \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd/crls; \
+ $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd/private; \
 for file in *.conf ; do \
 if test -f $$file; then \
- $(INSTALL_DATA) $$file $(sysconfdir)/ocspd; \
+ $(INSTALL_DATA) $$file $(DESTDIR)$(sysconfdir)/ocspd; \
 fi \
 done ; \
- $(INSTALL_DATA) ocspd $(sysconfdir)/init.d ; \
- $(CHMOD) +x $(sysconfdir)/init.d/ocspd
-
+ $(INSTALL_DATA) ocspd $(DESTDIR)$(sysconfdir)/rc.d/init.d ; \
+ $(CHMOD) +x $(DESTDIR)$(sysconfdir)/rc.d/init.d/ocspd; \
+ $(INSTALL_DATA) ocspd.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/ocspd
diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.conf.in
--- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in 2006-10-21 18:35:59.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.conf.in 2008-07-02 14:31:13.000000000 +0200
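Review bot: `$(mkinstalldirs) $(DESTDIR)$(sysconfdir)/ocspd/private` creates the directory that `ocspd.conf.in` points `ocspd_key` at with whatever mode the builder's umask yields (commonly 0755), so the responder's signing key is dropped into a world-listable directory unless a packager tightens it afterwards; add `$(CHMOD) 700 $(DESTDIR)$(sysconfdir)/ocspd/private; \` right after that line, and anything later installed there should use `$(INSTALL_DATA) -m 600`. The `for file in *.conf` loop also still calls `$(INSTALL_DATA)` unconditionally, so a `make install` over an existing deployment silently overwrites the administrator's edited `ocspd.conf`; guard it with a `test -f $(DESTDIR)$(sysconfdir)/ocspd/$$file` check that skips (and announces) existing files, or install the template as `ocspd.conf.dist`. The init script is copied with `$(INSTALL_DATA)` and then chmod'ed; `$(INSTALL_SCRIPT)` does the same in one step and does not leave a non-executable file behind if the chmod is interrupted.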
@@ -8,14 +8,12 @@ #################################################################### [ OCSPD_default ] -dir = @prefix@/etc/ocspd # Where everything is kept -db = $dir/index.txt # database index file. +dir = @sysconfdirvalue@/ocspd # Where everything is kept md = sha1 -ca_certificate = $dir/certs/cacert.pem # The CA certificate ocspd_certificate = $dir/certs/ocspd_cert.pem # The OCSP server cert ocspd_key = $dir/private/ocspd_key.pem # The OCSP server key -pidfile = $dir/ocspd.pid # Main process pid +pidfile = @piddir@/ocspd.pid # Main process pid # User and Group the server will run as. It is a good idea # not having servers running as root: in case of errors in @@ -41,6 +39,10 @@ # and processors. threads_num = 150 +# Size of the system listen() queue. This allows buffering connection +# requests for later processing when all threads are already busy. +#max_client_num = 30 + # Max timeout for request receiving. If a request is not received # within the specified number of seconds then the socket is closed # in order to free unused threads. If not set, the default value @@ -56,7 +58,7 @@ # error will be written in the logfile, but the server will # continue to run assuming the chroot() is sufficiently isolated # to prevent abuse of the machine. -# chdir = @prefix@ +#chroot_dir = @prefix@ # Auto Reload interval of CRL (if set to 0 or not present, to # reload the CRL you'll need to send a SIGHUP (kill -1 ) @@ -75,7 +77,7 @@ # Reload CRL if the one loaded is expired. Set this parameter # only if you are sure that the new CRL will be issued and put # in the crl_url. -crl_reload_expired = yes +#crl_reload_expired = yes # Specifies the response section to load the server options # from 
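Review bot: The `@@ -75,7 +77,7 @@` hunk turns `crl_reload_expired = yes` into a comment while leaving the three lines of explanation above it untouched, so a responder built from this template no longer refreshes an expired CRL on its own; unless the daemon's built-in default for the unset key is also 'yes' (not visible here), it presumably keeps answering from revocation data past its nextUpdate until someone sends SIGHUP or the auto-reload interval fires, which is the wrong failure mode for an OCSP responder. Either keep the line active or state the consequence beside it, e.g. `# Left unset, an expired CRL stays in use until the next reload — confirm against the daemon's default`. The `# chdir` → `#chroot_dir` rename in the `@@ -56,7 +58,7 @@` hunk is presumably the key the parser actually reads; because the sample stays commented out no test will catch a mismatch, so it is worth checking against the parser once.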
@@ -84,10 +86,10 @@ # It specifies the section to be used where options about where # CRL and certificates are kept. # -# Example section using LDAP for data retrival +# Example section using LDAP for data retrieval # dbms = dbms_ldap # -# Example section using FILES for data retrival +# Example section using FILES for data retrieval dbms = dbms_file # Enables the ENGINE interface for the server. If set to off then @@ -103,7 +105,7 @@ #################################################################### [ ocsp_response ] -dir = @prefix@/etc/ocspd +dir = @sysconfdirvalue@/ocspd # It is possible to include additional certificates in given # responses. Put all the certificates you want to include in @@ -140,7 +142,7 @@ [ ldap_ca_1 ] # You can have the CRL on a simple file -# crl_url = file:///usr/local/etc/ocspd/crl.pem +# crl_url = file://@sysconfdirvalue@/ocspd/crls/crl.pem # You can have the CRL retrieved from an HTTP server # crl_url = http://[user[:pwd]@]server[:port]/path_to_crl 
@@ -196,19 +198,19 @@ [ first_ca ] # You can have the CRL on a simple file in PEM format -crl_url = file:///@prefix@/etc/ocspd/crls/crl_01.pem +crl_url = file://@sysconfdirvalue@/ocspd/crls/crl_01.pem # We need the CA certificate for every supported CRL -ca_url = file:///@prefix@/etc/ocspd/certs/1st_cacert.pem +ca_url = file://@sysconfdirvalue@/ocspd/certs/1st_cacert.pem #################################################################### [ second_ca ] # You can have the CRL on a simple file in PEM format -crl_url = file:///@prefix@/etc/ocspd/crls/crl_02.pem +crl_url = file://@sysconfdirvalue@/ocspd/crls/crl_02.pem # We need the CA certificate for every supported CRL -ca_url = file:///@prefix@/etc/ocspd/certs/2nd_cacert.pem +ca_url = file://@sysconfdirvalue@/ocspd/certs/2nd_cacert.pem #################################################################### [ HSM ] diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.in --- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.in 2006-10-15 17:11:45.000000000 +0200 +++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.in 2008-07-02 15:31:57.000000000 +0200 
@@ -1,90 +1,94 @@ #!/bin/sh # -# Startup script for the OCSPD responder +# ocspd Startup script for the OCSPD responder # -# chkconfig: 345 85 15 +# chkconfig: - 85 15 # description: OpenCA OCSP Responder -# processname: openca-ocspd - -prefix="@prefix@"; -sbin="${prefix}/sbin"; -etc="${prefix}/etc/ocspd" +# processname: ocspd +# pidfile: @piddir@/ocspd.pid # Source function library. -# . /etc/rc.d/init.d/functions - -ocspd="${sbin}/ocspd"; -conf="${etc}/ocspd.conf"; +. /etc/rc.d/init.d/functions -# Take a look in your apache config and set it as it is set there. -pidfile="${etc}/ocspd.pid"; +if [ -f /etc/sysconfig/network ]; then + . /etc/sysconfig/network +fi + +if [ -f /etc/sysconfig/ocspd ]; then + . /etc/sysconfig/ocspd +fi + +prog=ocspd +exec="@sbindirvalue@/${prog}"; +config="@sysconfdirvalue@/${prog}/${prog}.conf" +pidfile="@piddir@/${prog}.pid" +lockfile="@localstatedirvalue@/lock/subsys/${prog}" + +# Check that we are root ... so non-root users stop here +[ `id -u` = 0 ] || exit 1 + +# Check that networking is up. +[ "${NETWORKING}" = "yes" ] || exit 0 + +RETVAL=0 + +start() + +{ + [ -x "${exec}" ] || exit 5 + [ -f "${config}" ] || exit 6 + echo -n $"Starting ${prog}: " + daemon --pidfile "${pidfile}" "${exec}" -d -c "${config}" \ + ${OPTIONS} ${1} + RETVAL=$? + echo + [ "${RETVAL}" -eq "0" ] && touch "${lockfile}" + return $RETVAL +} # See how we were called. -case "$1" in +case "${1}" in start) - echo -n "Starting OCSP Responder: " - ${ocspd} -c "${conf}" -d - echo "Done." + start + RETVAL=$? ;; start-verbose) - echo -n "Starting OCSP Responder: " - ${ocspd} -c "${conf}" -d -v - echo "Done." + start -v + RETVAL=$? ;; start-debug) - echo -n "Starting OCSP Responder: " - ${ocspd} -c "${conf}" -d -v -debug - echo "Done." + start "-v -debug" + RETVAL=$? 
;; stop) - echo -n "Shutting down OCSP Responder: " - if [ -f "$pidfile" ] ; then - pid=`cat $pidfile`; - # if [ "x$pid" = "x" ] ; then - # killall -15 ocspd - # else - kill -15 ${pid} - # fi - rm -f "$pidfile" - else - echo "Missing pidfile (already stopped?)" - fi - echo "Done." + echo -n $"Shutting down ${prog}: " + killproc -p "${pidfile}" "${prog}" + RETVAL=$? + echo + [ "${RETVAL}" -eq "0" ] && rm -f "${lockfile}" ;; status) - echo -n "OCSP Responder is " - if ! [ -f "$pidfile" ] ; then - echo "stopped." - else - pid=`cat $pidfile`; - if test `ps -p ${pid}` ; then - echo "running ( $pid ) ... " - else - echo "stopped." - fi - fi - ;; - reload-crl) - echo -n "Sending Reload CRL Signal to OCSP ... " - if ! [ -f "$pidfile" ] ; then - echo "stopped." - else - pid=`cat $pidfile`; - if test `kill -HUP ${pid}` ; then - echo "error." - else - echo "Ok." - fi - fi + status "${prog}" + RETVAL=$? ;; - restart) - $0 stop + reload) + echo -n $"Reloading CRLs: " + killproc -p "${pidfile}" "${prog}" -HUP + RETVAL=$? + echo + ;; + restart|force-reload) + "${0}" stop sleep 2 - $0 start + "${0}" start + ;; + condrestart|try-restart) + [ -e "${lockfile}" ] && "${0}" restart ;; *) - echo "Usage: $0 {start|stop|status|reload-crl|restart}" - exit 1 + echo "Usage: ${0} {start|start-verbose|start-debug|stop|status|" + echo " reload|force-reload|restart|condrestart|try-restart}" + RETVAL=2 esac -exit 0 +exit $RETVAL diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.sysconfig.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.sysconfig.in --- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.sysconfig.in 1970-01-01 01:00:00.000000000 +0100 +++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.sysconfig.in 2008-07-02 14:31:13.000000000 +0200 
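Review bot: The `OCSPD` and `CONF` variables that the new `/etc/sysconfig/ocspd` documents are never consulted: the file is sourced before `exec=` and `config=` are assigned, and those assignments use only the configure-time paths, so an administrator who sets `OCSPD=` or `CONF=` there changes nothing (only `OPTIONS` reaches the `daemon` line). Make the defaults overridable: `exec="${OCSPD:-@sbindirvalue@/${prog}}"` and `config="${CONF:-@sysconfdirvalue@/${prog}/${prog}.conf}"`. Separately, `status "${prog}"` is called without `-p "${pidfile}"`, so whenever `@piddir@` is not `/var/run` (its default is `${localstatedir}/run`) the status branch looks for a pidfile the daemon never writes; use `status -p "${pidfile}" "${prog}"` as the `stop` and `reload` branches already do, assuming the functions library's `status` takes `-p` like `killproc`. The script also hardcodes `/etc/rc.d/init.d/functions` and `/etc/sysconfig/*` while the Makefile installs it under `$(sysconfdir)`, which only agree when `--sysconfdir=/etc`.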
@@ -0,0 +1,8 @@
+# Name of daemon program.
+#OCSPD=@sbindirvalue@/ocspd
+
+# Configuration file.
+#CONF=@sysconfdirvalue@/ocspd/ocspd.conf
+
+# Additional command line options.
+#OPTIONS=""
diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/index.txt openca-ocspd-1.5.1-rc1.new/examples/index.txt
--- openca-ocspd-1.5.1-rc1.orig/examples/index.txt 2006-09-18 16:28:39.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/examples/index.txt 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-V 020610093819Z 01 unknown /Email=chiarap@excite.com/CN=Chiara Ponz de Leon/OU=Building A/O=OpenCA/C=IT
diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf openca-ocspd-1.5.1-rc1.new/examples/ocspd.conf
--- openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf 2006-09-18 16:28:39.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/examples/ocspd.conf 2008-07-02 14:31:13.000000000 +0200
@@ -8,11 +8,9 @@
 ####################################################################
 [ OCSPD_default ]
-dir = /usr/local/ocspd/etc/ocspd # Where everything is kept
-db = $dir/index.txt # database index file.
+dir = /etc/ocspd # Where everything is kept
 md = sha1
-ca_certificate = $dir/certs/cacert.pem # The CA certificate
 ocspd_certificate = $dir/certs/ocspd_cert_2.pem # The OCSP server cert
 ocspd_key = $dir/private/ocspd_key.pem # The OCSP server key
 pidfile = $dir/ocspd.pid # Main process pid
@@ -81,7 +79,7 @@
 ####################################################################
 [ ocsp_response ]
-dir = /usr/local/ocspd/etc/ocspd
+dir = /etc/ocspd
 # It is possible to include additional certificates in given
 # responses. Put all the certificates you want to include in
@@ -113,7 +111,7 @@
 [ ldap_ca_1 ]
 # You can have the CRL on a simple file
-# crl_url = file:///usr/local/etc/ocspd/crl.pem
+# crl_url = file:///etc/ocspd/crls/crl.pem
 # You can store the CRL into an LDAP server, simply
 # store it in certificateRevocationList;binary attribute
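Review bot: `pidfile = $dir/ocspd.pid` is left untouched in the `@@ -8,11 +8,9 @@` hunk while the same hunk moves `dir` to `/etc/ocspd`, so this example now writes its pidfile to `/etc/ocspd/ocspd.pid`, whereas the generated `ocspd.conf.in` and the init script in this patch agree on `@piddir@/ocspd.pid`; an administrator who starts from the example gets `stop`, `reload` and `status` branches that look in the wrong place. Either align it with the template, e.g. `pidfile = /var/run/ocspd.pid # Main process pid` (or whatever `@piddir@` resolves to on the target), or at least warn: `# Must match the pidfile the init script expects (@piddir@/ocspd.pid in the installed template)`.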
@@ -166,20 +164,20 @@
 [ first_ca ]
 # You can have the CRL on a simple file in PEM format
-crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_07.crl
+crl_url = file:///etc/ocspd/crls/crl_07.crl
 # We need the CA certificate for every supported CRL
-# ca_url = file:////usr/local/ocspd/etc/ocspd/certs/1st_cacert.pem
-ca_url = file:////usr/local/ocspd/etc/ocspd/certs/cacert.pem
+# ca_url = file:///etc/ocspd/certs/1st_cacert.pem
+ca_url = file:///etc/ocspd/certs/cacert.pem
 ####################################################################
 [ second_ca ]
 # You can have the CRL on a simple file in PEM format
-crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_01.crl
+crl_url = file:///etc/ocspd/crls/crl_01.crl
 # We need the CA certificate for every supported CRL
-ca_url = file:////usr/local/ocspd/etc/ocspd/certs/2nd_cacert.pem
+ca_url = file:///etc/ocspd/certs/2nd_cacert.pem
 ####################################################################
 [ HSM ]
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.c openca-ocspd-1.5.1-rc1.new/src/core.c
--- openca-ocspd-1.5.1-rc1.orig/src/core.c 2006-10-21 16:50:32.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/core.c 2008-07-02 14:31:13.000000000 +0200
@@ -18,8 +18,8 @@
 pthread_cond_t clifd_cond;
-int start_threaded_server ( char * bind_s, char * port_s, int nthreads,
- OCSPD_CONFIG * ocspd_conf ) {
+int start_threaded_server ( char * bind_s, char * port_s, int queue_len,
+ int nthreads, OCSPD_CONFIG * ocspd_conf ) {
 int i;
 struct sockaddr_in cliaddr;
@@ -36,7 +36,8 @@
 exit(68);
 }
- if( (ocspd_conf->listenfd = Listen( bind_s, atoi(port_s) )) == 0) {
+ if ((ocspd_conf->listenfd = Listen(bind_s, atoi(port_s),
+ queue_len)) == 0) {
 syslog(LOG_ERR, "ERROR::BIND::Can not bind to [%s],[%d]",
 bind_s, atoi(port_s));
 exit(101);
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.h openca-ocspd-1.5.1-rc1.new/src/core.h
--- openca-ocspd-1.5.1-rc1.orig/src/core.h 2006-10-14 13:37:32.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/core.h 2008-07-02 14:31:13.000000000 +0200
@@ -16,8 +16,8 @@
 #include "general.h"
 #include "ocsp_request.h"
-int start_threaded_server ( char * bind_s, char * port_s, int nthreads,
- OCSPD_CONFIG * ocspd_conf );
+int start_threaded_server ( char * bind_s, char * port_s, int queue_len,
+ int nthreads, OCSPD_CONFIG * ocspd_conf );
 int set_alrm_handler( void );
 void close_server ( void );
 void handle_sigterm ( int i );
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/general.h openca-ocspd-1.5.1-rc1.new/src/general.h
--- openca-ocspd-1.5.1-rc1.orig/src/general.h 2006-10-21 14:53:55.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/general.h 2008-07-02 14:31:13.000000000 +0200
@@ -83,24 +83,14 @@
 #include
-#define HTTP_POST 0
-#define HTTP_GET 1
-#define HTTP_POST_METHOD "POST"
-#define HTTP_GET_METHOD "GET"
-#define OCSP_REQ_TYPE "application/ocsp-request"
-#define OCSP_RESP_TYPE "application/ocsp-response"
 #define BASE_SECTION "ocspd"
 #define CONFIG_FILE "ocspd.conf"
 #define ENV_SECTION "conf_section"
 #define ENV_DEFAULT_OCSPD "default_ocspd"
-#define ENV_DATABASE "db"
 #define ENV_OCSPD_DBMS "dbms"
 #define ENV_PRIVATE_KEY "ocspd_key"
 #define ENV_CERTIFICATE "ocspd_certificate"
-#define ENV_CA_CERTIFICATE "ca_certificate"
 #define ENV_OCSPD_PORT "port"
 #define ENV_OCSPD_BIND "bind"
 #define ENV_OCSPD_CHILD "threads_num"
@@ -142,20 +132,6 @@
 #define OCSP_REQ_CONTENT_TYPE "application/ocsp-request"
 #define OCSP_RESP_CONTENT_TYPE "application/ocsp-response"
-#define DB_type 0
-#define DB_exp_date 1
-#define DB_rev_date 2
-#define DB_serial 3 /* index - unique */
-#define DB_file 4
-#define DB_name 5 /* index - unique for active */
-#define DB_NUMBER 6
-#define DB_TYPE_REV 'R'
-#define DB_TYPE_EXP 'E'
-#define DB_TYPE_VAL 'V'
-#define DB_TYPE_SUS 'S'
-#define DB_TYPE_UNK 'U'
-
 #define FORMAT_UNDEF 0
 #define FORMAT_ASN1 1
 #define FORMAT_TEXT 2
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/ocspd.c openca-ocspd-1.5.1-rc1.new/src/ocspd.c
--- openca-ocspd-1.5.1-rc1.orig/src/ocspd.c 2006-10-21 14:58:10.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/ocspd.c 2008-07-02 14:31:13.000000000 +0200
@@ -71,7 +71,8 @@
 NULL
 };
-/* Staic variables */
+
+/* Static variables */
 char *prgname = "ocspd";
 char *version = VERSION;
@@ -91,6 +92,7 @@
 char *max_timeout_s = NULL;
 int child_num = 5;
+ int queue_len = 30;
 int verbose = 0;
 int debug = 0;
@@ -103,7 +105,6 @@
 char *keyfile = NULL;
 char *configfile = NULL;
 char *cert = NULL;
- char *cacert = NULL;
 char **pp = NULL;
 char *key = NULL;
 char *passargin = NULL;
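Review bot: `int queue_len = 30;` in the `@@ -91,6 +92,7 @@` hunk re-introduces as a bare literal the value the same patch deletes from `sock.c` as `#define LISTENQ 30`, and the same 30 is repeated in the conf template comment and in the manual page, so the default now lives in four places with nothing tying them together. Since `general.h` is already being edited, a named default there keeps them in step: `#define OCSPD_DEFAULT_LISTENQ 30` and here `int queue_len = OCSPD_DEFAULT_LISTENQ; /* listen(2) backlog, overridable via ENV_OCSPD_QUEUE */`. The enclosing function (presumably `main`) starts before and continues past this hunk.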
@@ -387,36 +388,6 @@
 }
 /*****************************************************************/
- /* Load the CA certificate file */
- if ((cacert == NULL) && ((cacert=NCONF_get_string(ocspd_conf->conf,
- section,ENV_CA_CERTIFICATE)) == NULL))
- {
- lookup_fail(section,ENV_CA_CERTIFICATE);
- goto err;
- }
- if ( cacert ) {
- if( verbose )
- syslog(LOG_INFO,"reading CA certificate file.\n");
- if ((certf=BIO_new_file( cacert, "r")) == NULL) {
- syslog(LOG_ERR,"unable to open CA certificate file.\n");
- goto err;
- }
- if ((ocspd_conf->cacert = PEM_read_bio_X509(certf,NULL,NULL,NULL))
- ==NULL) {
- syslog(LOG_ERR,"cannot load CA certificate.\n");
- goto err;
- }
- BIO_free( certf );
- }
- if (ocspd_conf->cacert == NULL) {
- syslog(LOG_ERR,"unable to load CA certificate\n");
- goto err;
- }
-
- if(verbose)
- syslog(LOG_INFO,"OCSP Daemon setup completed");
-
- /*****************************************************************/
 /* Let's get the digest */
 if ((ocsp_digest_name == NULL) && ((ocsp_digest_name=NCONF_get_string(ocspd_conf->conf,section,
@@ -452,6 +423,15 @@
 bind_s = "0.0.0.0";
 }
+ /* Listen queue size */
+ if ((tmp_s = NCONF_get_string(ocspd_conf->conf,
+ section, ENV_OCSPD_QUEUE)) == NULL) {
+ if( verbose )
+ lookup_fail(section,ENV_OCSPD_QUEUE);
+ } else {
+ queue_len = atoi(tmp_s);
+ }
+
 /* Number of child threads to be spawned */
 if ((child_s == NULL) && ((child_s = NCONF_get_string(ocspd_conf->conf,
 section, ENV_OCSPD_CHILD)) == NULL)) {
@@ -682,7 +662,7 @@
 }
 // CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
- start_threaded_server( bind_s, port_s, child_num, ocspd_conf );
+ start_threaded_server(bind_s, port_s, queue_len, child_num, ocspd_conf);
 goto end.
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.c openca-ocspd-1.5.1-rc1.new/src/sock.c
--- openca-ocspd-1.5.1-rc1.orig/src/sock.c 2006-10-14 13:26:00.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/sock.c 2008-07-02 14:31:13.000000000 +0200
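Review bot: The `@@ -387,36 +388,6 @@` hunk deletes the only place visible here that sets `ocspd_conf->cacert`, but it neither removes the field nor shows that its readers are gone; if anything outside the hunk — response signing, chain building, the `ocsp_add_response_certs` path — still dereferences `ocspd_conf->cacert`, it now gets NULL at request time instead of the configuration error this code used to raise at startup. Grep for the field and either drop it from `OCSPD_CONFIG` or leave a comment at the struct stating that per-CA certificates now come from each dbms section's `ca_url`. The unrelated `if(verbose) syslog(LOG_INFO,"OCSP Daemon setup completed");` was swept away with the CA block; keep it after the digest setup so a verbose startup log still marks the end of configuration. The enclosing function starts before and continues past this hunk.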
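Review bot: `queue_len = atoi(tmp_s);` in the `@@ -452,6 +423,15 @@` hunk accepts anything: a typo such as `3o` or an empty value becomes 0 and a negative number goes straight to `listen(2)`, and neither is reported, so a configuration slip silently leaves the responder with a backlog where every connection beyond the busy threads is refused or dropped — an operator-induced outage for a service whose clients block TLS handshakes on it. Parse with `strtol`, reject values outside 1..INT_MAX, log the rejection and keep the compiled-in default, as below (needs `<errno.h>` and `<limits.h>` if `ocspd.c` does not already include them). Also, `ENV_OCSPD_QUEUE` is used here but the `general.h` hunk in this patch adds no such define; unless it is defined in a part of `general.h` not shown, this does not compile. The enclosing function starts before and continues past this hunk.
```c
    /* … unchanged: NCONF_get_string(ENV_OCSPD_QUEUE) lookup and the verbose lookup_fail() branch … */
    } else {
        char *end = NULL;
        long v;

        /* Reject junk, non-positive and oversized values instead of
         * letting atoi() hand listen(2) a zero or negative backlog. */
        errno = 0;
        v = strtol(tmp_s, &end, 10);
        if (end == tmp_s || *end != '\0' || errno == ERANGE || v < 1 || v > INT_MAX) {
            syslog(LOG_WARNING, "ignoring invalid %s value [%s], keeping %d",
                   ENV_OCSPD_QUEUE, tmp_s, queue_len);
        } else {
            queue_len = (int)v;
        }
    }
```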
@@ -18,12 +18,11 @@
 #include "sock.h"
 #define SERV_PORT 4567
-#define LISTENQ 30
 extern int h_errno;
 extern OCSPD_CONFIG *ocspd_conf;
-int Listen (char *hostname, int port) {
+int Listen (char *hostname, int port, int queue_len) {
 int fd, reuse_addr;
 struct sockaddr_in servaddr;
 struct hostent *ht = NULL;
@@ -79,7 +78,7 @@
 return(0);
 };
- if( listen( fd, LISTENQ ) == -1 ) {
+ if (listen(fd, queue_len) == -1) {
 syslog(LOG_ERR, "FATAL ERROR::Listen::%s",
 strerror( errno ));
 return(0);
diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.h openca-ocspd-1.5.1-rc1.new/src/sock.h
--- openca-ocspd-1.5.1-rc1.orig/src/sock.h 2006-10-13 17:06:00.000000000 +0200
+++ openca-ocspd-1.5.1-rc1.new/src/sock.h 2008-07-02 14:31:13.000000000 +0200
@@ -8,7 +8,7 @@
 /* Socket Wrapping functions */
-int Listen (char *hostname, int port);
+int Listen (char *hostname, int port, int queue_len);
 // int Accept (int sock, int *c_sock);
 int Accept (int listen_sockfd, SA *cliaddr, socklen_t *addrlenp);
 ssize_t Read (int fd, void *bufptr, size_t nbytes);
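Review bot: `listen(fd, queue_len)` in the `@@ -79,7 +78,7 @@` hunk trusts whatever the caller passes, and with `LISTENQ` gone this wrapper is the one place that actually owns the backlog; since the value now originates in a config file, guard it here too so a bad value cannot reach the kernel regardless of which caller is fixed: `if (queue_len < 1) { syslog(LOG_ERR, "FATAL ERROR::Listen::invalid queue length %d", queue_len); return(0); }` near the top of `Listen`, whose body begins in the preceding hunk and continues past this one. A short comment on the call is also warranted because the kernel silently caps the backlog at SOMAXCONN and, at least on Linux by default, overflow drops SYNs rather than refusing them, so the manual page's "additional connection requests will be denied" wording is a simplification: `/* backlog is capped by the kernel (SOMAXCONN); excess SYNs are dropped, not refused */`.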