Lines 43-80
|
43 |
|
43 |
|
44 |
#define MAX_STAPLING_DER 10240 |
44 |
#define MAX_STAPLING_DER 10240 |
45 |
|
45 |
|
46 |
/* Cached info stored in certificate ex_info. */ |
|
|
47 |
typedef struct { |
48 |
/* Index in session cache SHA1 hash of certificate */ |
49 |
UCHAR idx[20]; |
50 |
/* Certificate ID for OCSP requests or NULL if ID cannot be determined */ |
51 |
OCSP_CERTID *cid; |
52 |
/* Responder details */ |
53 |
char *uri; |
54 |
} certinfo; |
55 |
|
56 |
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, |
57 |
int idx, long argl, void *argp) |
58 |
{ |
59 |
certinfo *cinf = ptr; |
60 |
|
61 |
if (!cinf) |
62 |
return; |
63 |
if (cinf->uri) |
64 |
OPENSSL_free(cinf->uri); |
65 |
OPENSSL_free(cinf); |
66 |
} |
67 |
|
68 |
static int stapling_ex_idx = -1; |
69 |
|
70 |
void ssl_stapling_ex_init(void) |
71 |
{ |
72 |
if (stapling_ex_idx != -1) |
73 |
return; |
74 |
stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0, |
75 |
certinfo_free); |
76 |
} |
77 |
|
78 |
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
46 |
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
79 |
{ |
47 |
{ |
80 |
X509 *issuer = NULL; |
48 |
X509 *issuer = NULL; |
Lines 106-112
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
|
106 |
|
74 |
|
107 |
} |
75 |
} |
108 |
|
76 |
|
109 |
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) |
77 |
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x, apr_pool_t *p) |
110 |
{ |
78 |
{ |
111 |
certinfo *cinf; |
79 |
certinfo *cinf; |
112 |
X509 *issuer = NULL; |
80 |
X509 *issuer = NULL; |
Lines 114-134
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
|
114 |
|
82 |
|
115 |
if (x == NULL) |
83 |
if (x == NULL) |
116 |
return 0; |
84 |
return 0; |
117 |
cinf = X509_get_ex_data(x, stapling_ex_idx); |
85 |
|
118 |
if (cinf) { |
86 |
if (mctx->pks->stapling_cert_info) { |
119 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215) |
87 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215) |
120 |
"ssl_stapling_init_cert: certificate already initialized!"); |
88 |
"ssl_stapling_init_cert: certificate already initialized!"); |
121 |
return 0; |
89 |
return 0; |
122 |
} |
90 |
} |
123 |
cinf = OPENSSL_malloc(sizeof(certinfo)); |
91 |
cinf = apr_pcalloc(p, sizeof(certinfo)); |
124 |
if (!cinf) { |
92 |
if (!cinf) { |
125 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216) |
93 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216) |
126 |
"ssl_stapling_init_cert: error allocating memory!"); |
94 |
"ssl_stapling_init_cert: error allocating memory!"); |
127 |
return 0; |
95 |
return 0; |
128 |
} |
96 |
} |
129 |
cinf->cid = NULL; |
97 |
mctx->pks->stapling_cert_info = cinf; |
130 |
cinf->uri = NULL; |
|
|
131 |
X509_set_ex_data(x, stapling_ex_idx, cinf); |
132 |
|
98 |
|
133 |
issuer = stapling_get_issuer(mctx, x); |
99 |
issuer = stapling_get_issuer(mctx, x); |
134 |
|
100 |
|
Lines 145-152
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
|
145 |
X509_digest(x, EVP_sha1(), cinf->idx, NULL); |
111 |
X509_digest(x, EVP_sha1(), cinf->idx, NULL); |
146 |
|
112 |
|
147 |
aia = X509_get1_ocsp(x); |
113 |
aia = X509_get1_ocsp(x); |
148 |
if (aia) |
114 |
if (aia) { |
149 |
cinf->uri = sk_OPENSSL_STRING_pop(aia); |
115 |
/* Ugly: ensure memory managed by apr */ |
|
|
116 |
char *uri; |
117 |
uri = sk_OPENSSL_STRING_pop(aia); |
118 |
cinf->uri = apr_pstrdup(p, uri); |
119 |
OPENSSL_free(uri); |
120 |
} |
150 |
if (!cinf->uri && !mctx->stapling_force_url) { |
121 |
if (!cinf->uri && !mctx->stapling_force_url) { |
151 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) |
122 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) |
152 |
"ssl_stapling_init_cert: no responder URL"); |
123 |
"ssl_stapling_init_cert: no responder URL"); |
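Review bot: The `aia` stack returned by `X509_get1_ocsp(x)` (new line 113) is never released: the new `if (aia)` block pops one entry, copies it into the pool and frees only that string, so the `STACK_OF(OPENSSL_STRING)` itself and any remaining entries leak on every certificate initialization. Add `X509_email_free(aia);` as the last statement of the block, after `OPENSSL_free(uri);` — that is OpenSSL's release function for this stack, and it is safe here because `cinf->uri` is now a pool copy and no longer aliases stack memory. The old side had the same omission, so this is not introduced by the patch, but the rewrite of this block is the natural place to fix it. ssl_stapling_init_cert begins before this hunk and continues past it.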
Lines 160-170
static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
|
160 |
SSL *ssl) |
131 |
SSL *ssl) |
161 |
{ |
132 |
{ |
162 |
certinfo *cinf; |
133 |
certinfo *cinf; |
163 |
X509 *x; |
134 |
cinf = mctx->pks->stapling_cert_info; |
164 |
x = SSL_get_certificate(ssl); |
|
|
165 |
if (x == NULL) |
166 |
return NULL; |
167 |
cinf = X509_get_ex_data(x, stapling_ex_idx); |
168 |
if (cinf && cinf->cid) |
135 |
if (cinf && cinf->cid) |
169 |
return cinf; |
136 |
return cinf; |
170 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) |
137 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) |
171 |
- |
|
|