
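--- a/ssl_private.h
+++ b/ssl_private.h
@@ -427,6 +427,9 @@
     BOOL ocsp_force_default; /* true if the default responder URL is
                               * used regardless of per-cert URL */
     const char *ocsp_responder; /* default responder URL */
+    int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
+    const char *ocsp_certs_file; /* OCSP other certificates filename */
+    STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
 
 } modssl_ctx_t;
 
@@ -519,6 +522,7 @@
 
 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 
 /**  module initialization  */
@@ -661,6 +665,8 @@
 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri, 
                                             OCSP_REQUEST *request,
                                             conn_rec *c, apr_pool_t *p);
+/* Initialize OCSP trusted certificate list */
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
 #endif
 
 #endif /* SSL_PRIVATE_H */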
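Review bot: `ocsp_verify_flags` is declared as `int` in the modssl_ctx_t hunk, but it is handed straight to OCSP_basic_verify() in ssl_engine_ocsp.c, whose flags parameter is `unsigned long`, and the OCSP_* flag constants it is OR-ed with are unsigned long as well. Declaring it as `unsigned long ocsp_verify_flags; /* OCSP_* flags passed to OCSP_basic_verify() */` avoids the sign conversion and names the consumer. The comment on `ocsp_certs` should also say what "other certificates" means in practice: since ssl_init_ocsp_certificates() sets OCSP_TRUSTOTHER whenever the file is loaded, every certificate in that stack is accepted as a response signer without chain validation, which is the property an administrator needs to know before populating the file.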
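--- a/ssl_engine_init.c
+++ b/ssl_engine_init.c
@@ -1022,6 +1022,9 @@
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                      "Configuring server for SSL protocol");
         ssl_init_server_ctx(s, p, ptemp, sc);
+#ifdef HAVE_OCSP
+        ssl_init_ocsp_certificates(s, sc->server);
+#endif
     }
 
     if (sc->proxy_enabled) {
@@ -1311,6 +1314,9 @@
         ssl_init_ctx_cleanup_proxy(sc->proxy);
 
         ssl_init_ctx_cleanup_server(sc->server);
+#ifdef HAVE_OCSP
+	sk_X509_pop_free(sc->server->ocsp_certs, X509_free);
+#endif
     }
 
     return APR_SUCCESS;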
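Review bot: The cleanup added in the second hunk frees `sc->server->ocsp_certs` but leaves the pointer dangling in the server config, and the new line is indented with a tab where the surrounding block uses four spaces. Follow the pop_free with `sc->server->ocsp_certs = NULL;` so that a later cleanup pass or any code that still reads the config cannot touch freed memory; sk_X509_pop_free() accepts a NULL stack, so servers without a responder certificate file remain safe on both calls. In the first hunk ssl_init_ocsp_certificates() is invoked only for `sc->server`, which appears consistent with the OCSP check applying to client certificates, but a one-line comment stating that the proxy context is deliberately skipped would save the next reader the search. Both enclosing functions start and end outside the hunks.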
(-)ssl_engine_ocsp.c (-1 / +2 lines)
Lines 178-184 Link Here
178
    
178
    
179
    if (rc == V_OCSP_CERTSTATUS_GOOD) {
179
    if (rc == V_OCSP_CERTSTATUS_GOOD) {
180
        /* TODO: allow flags configuration. */
180
        /* TODO: allow flags configuration. */
181
        if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
181
        if (OCSP_basic_verify(basicResponse, sc->server->ocsp_certs, ctx->ctx,
182
                              sc->server->ocsp_verify_flags) != 1) {
182
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
183
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
183
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
184
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
184
                        "failed to verify the OCSP response");
185
                        "failed to verify the OCSP response");
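Review bot: The `/* TODO: allow flags configuration. */` comment immediately above the changed OCSP_basic_verify() call is now stale, because the flags are taken from `sc->server->ocsp_verify_flags` and the extra certificates from `sc->server->ocsp_certs`. Replace it with a comment that states the new contract, e.g. `/* ocsp_certs/ocsp_verify_flags are set up from SSLOCSPResponderCertificateFile at init; with OCSP_TRUSTOTHER those certs are accepted as response signers without a chain check against ctx->ctx */`. When no file is configured the defaults in ssl_engine_config.c are a NULL stack and flags 0, so the call is equivalent to the removed one. The enclosing function starts and ends outside the hunk.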
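--- a/ssl_engine_config.c
+++ b/ssl_engine_config.c
@@ -129,6 +129,9 @@
     mctx->ocsp_enabled        = FALSE;
     mctx->ocsp_force_default  = FALSE;
     mctx->ocsp_responder      = NULL;
+    mctx->ocsp_verify_flags   = 0;
+    mctx->ocsp_certs_file     = NULL;
+    mctx->ocsp_certs          = NULL;
 }
 
 static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -222,6 +225,7 @@
     cfgMergeBool(ocsp_enabled);
     cfgMergeBool(ocsp_force_default);
     cfgMerge(ocsp_responder, NULL);
+    cfgMerge(ocsp_certs_file, NULL);
 }
 
 static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
@@ -1408,6 +1412,22 @@
     return NULL;
 }
 
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd,
+                                            void *dcfg,
+                                            const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    const char *err;
+
+    if ((err = ssl_cmd_check_file(cmd, &arg))) {
+        return err;
+    }
+
+    sc->server->ocsp_certs_file = arg;
+
+    return NULL;
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {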
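Review bot: Only `ocsp_certs_file` is merged in the second hunk; `ocsp_certs` and `ocsp_verify_flags` are left at their init values, which is correct only because ssl_init_ocsp_certificates() rebuilds both per server from the merged file name at init time. That ordering dependency is not visible here and deserves a comment next to the new line, e.g. `/* ocsp_certs and ocsp_verify_flags are derived from the merged file at init, not merged */`. In the third hunk the new handler follows the existing pattern of storing into `sc->server` only, so the directive has no effect on the proxy context; if that is intended, the directive help text or a comment on the handler should say so.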
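--- a/ssl_util_ocsp.c
+++ b/ssl_util_ocsp.c
@@ -303,4 +303,81 @@
     return response;
 }
 
+/*  _________________________________________________________________
+**
+**  OCSP other certificate support
+**  _________________________________________________________________
+*/
+
+/*
+ * Read a file that contains certificates in PEM format and
+ * return as a STACK.
+ */
+static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
+{
+    BIO *bio;
+    X509 *x509;
+    unsigned long err;
+    int n;
+    STACK_OF(X509) *other_certs = NULL;
+
+    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+        return NULL;
+    if (BIO_read_filename(bio, file) <= 0) {
+        BIO_free(bio);
+        return NULL;
+    }
+    /* create new extra chain by loading the certs */
+    while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+	if (!other_certs) {
+		other_certs = sk_X509_new_null();
+		if (!other_certs)
+			return NULL;
+	}
+		
+        if (!sk_X509_push(other_certs, x509)) {
+            X509_free(x509);
+            sk_X509_pop_free(other_certs, X509_free);
+            BIO_free(bio);
+            return NULL;
+        }
+    }
+    /* Make sure that only the error is just an EOF */
+    if ((err = ERR_peek_error()) > 0) {
+        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
+              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+            BIO_free(bio);
+            sk_X509_pop_free(other_certs, X509_free);
+            return NULL;
+        }
+        while (ERR_get_error() > 0) ;
+    }
+    BIO_free(bio);
+    return other_certs;
+}
+
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
+{
+    /*
+     * Configure Trusted OCSP certificates.
+     */
+
+    if (!mctx->ocsp_certs_file) {
+        return;
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "Configuring Trusted OCSP certificates");
+
+    mctx->ocsp_certs = modssl_read_ocsp_certificates(mctx->ocsp_certs_file);
+
+    if (!mctx->ocsp_certs) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to configure OCSP Trusted Certificates");
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+        ssl_die();
+    }
+    mctx->ocsp_verify_flags |= OCSP_TRUSTOTHER;
+}
+
 #endif /* HAVE_OCSP */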
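Review bot: In modssl_read_ocsp_certificates() the `if (!other_certs) return NULL;` branch after sk_X509_new_null() returns without freeing `bio` or the `x509` that was just read, leaking both, while the neighbouring sk_X509_push() failure path releases everything; the loop also mixes tab and space indentation and contains a whitespace-only line. The local `int n;` is never used, and the unbraced `if ((bio = BIO_new(...)) == NULL)` is the only unbraced control statement in the function. ssl_init_ocsp_certificates() should also document, in its header comment, that `OCSP_TRUSTOTHER` causes every certificate in the file to be accepted as a response signer without chain validation, since that is the security property an administrator is opting into; an empty file yields a NULL stack and therefore ssl_die(), which is worth stating as well. The rewritten loop below fixes the leak and the indentation.
```c
    /* create new extra chain by loading the certs */
    while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
        if (!other_certs) {
            other_certs = sk_X509_new_null();
            if (!other_certs) {
                X509_free(x509);
                BIO_free(bio);
                return NULL;
            }
        }

        if (!sk_X509_push(other_certs, x509)) {
            X509_free(x509);
            sk_X509_pop_free(other_certs, X509_free);
            BIO_free(bio);
            return NULL;
        }
    }
    /* … unchanged: error-queue check, BIO_free and return … */
```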
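--- a/mod_ssl.c
+++ b/mod_ssl.c
@@ -186,6 +186,9 @@
                "URL of the default OCSP Responder")
     SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
                "Force use of the default responder URL (`on', `off')")
+    SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
+               "Trusted OCSP responder certificates"
+               "(`/path/to/file' - PEM encoded certificates)")
 
     /* Deprecated directives. */
     AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,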
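Review bot: The two string literals in the new help text concatenate without a separator, so the directive description reads "Trusted OCSP responder certificates(`/path/to/file' ...". Add the trailing space: `"Trusted OCSP responder certificates "`. The text could also tell the administrator what trust is being granted, since the implementation sets OCSP_TRUSTOTHER for these certificates; something like `"Certificates trusted to sign OCSP responses "` conveys that more precisely than "responder certificates".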
