Attachment #32021 for bug #54357

View | Details | Raw Unified | Return to bug 54357
Collapse All | Expand All




    if (!ssl_mutex_init(base_server, p)) {
        return HTTP_INTERNAL_SERVER_ERROR;
    }
#ifdef HAVE_OCSP_STAPLING
    ssl_stapling_ex_init();
#endif

    /*
     * initialize session caching

         * later, we defer to the code in ssl_init_server_ctx.
         */
        if ((mctx->stapling_enabled == TRUE) &&
            !ssl_stapling_init_cert(s, mctx, cert, p)) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
                         "Unable to configure certificate %s for stapling",
                         key_id);

Lines 513-518 typedef struct { Link Here

(-)a/modules/ssl/ssl_private.h (-1 / +4 lines)
513	* sent in the CertificateRequest message: */	513	* sent in the CertificateRequest message: */
514	const char *ca_name_path;	514	const char *ca_name_path;
515	const char *ca_name_file;	515	const char *ca_name_file;
		516
		517	/* Hash of stapling information by SHA1 of certificate */
		518	apr_hash_t *stapling_info;
516	} modssl_pk_server_t;	519	} modssl_pk_server_t;
517		520
518	typedef struct {	521	typedef struct {
Lines 813-819 const char ssl_cmd_SSLStaplingResponderTimeout(cmd_parms , void *, const char Link Here
813	const char ssl_cmd_SSLStaplingForceURL(cmd_parms , void , const char );	816	const char ssl_cmd_SSLStaplingForceURL(cmd_parms , void , const char );
814	apr_status_t modssl_init_stapling(server_rec , apr_pool_t , apr_pool_t , modssl_ctx_t );	817	apr_status_t modssl_init_stapling(server_rec , apr_pool_t , apr_pool_t , modssl_ctx_t );
815	void ssl_stapling_ex_init(void);	818	void ssl_stapling_ex_init(void);
816	int ssl_stapling_init_cert(server_rec s, modssl_ctx_t mctx, X509 *x);	819	int ssl_stapling_init_cert(server_rec s, modssl_ctx_t mctx, X509 x, apr_pool_t p);
817	#endif	820	#endif
818	#ifdef HAVE_SRP	821	#ifdef HAVE_SRP
819	int ssl_callback_SRPServerParams(SSL , int , void *);	822	int ssl_callback_SRPServerParams(SSL , int , void *);




    char *uri;
} certinfo;

static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                                        int idx, long argl, void *argp)
{
    certinfo *cinf = ptr;

    if (!cinf)
        return;
    if (cinf->uri)
        OPENSSL_free(cinf->uri);
    OPENSSL_free(cinf);
}

static int stapling_ex_idx = -1;

void ssl_stapling_ex_init(void)
{
    if (stapling_ex_idx != -1)
        return;
    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
                                            certinfo_free);
}

static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
{
    X509 *issuer = NULL;


}

int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x, apr_pool_t *p)
{
    certinfo *cinf;
    X509 *issuer = NULL;


    if (x == NULL)
        return 0;

    if (mctx->pks->stapling_info == NULL)
        mctx->pks->stapling_info = apr_hash_make(p);

    if (mctx->pks->stapling_info == NULL) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
                     "ssl_stapling_init_cert: error allocating memory!");
        return 0;
    }

    cinf = apr_pcalloc(p, sizeof(certinfo));
    if (!cinf) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
                     "ssl_stapling_init_cert: error allocating memory!");
        return 0;
    }
    cinf->cid = NULL;
    cinf->uri = NULL;
    X509_set_ex_data(x, stapling_ex_idx, cinf);

    issuer = stapling_get_issuer(mctx, x);



    aia = X509_get1_ocsp(x);
    if (aia) {
        /* Ugly: ensure memory managed by apr */
        char *uri;
        uri = sk_OPENSSL_STRING_pop(aia);
        cinf->uri = apr_pstrdup(p, uri);
        OPENSSL_free(uri);
    }
    if (!cinf->uri && !mctx->stapling_force_url) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
                     "ssl_stapling_init_cert: no responder URL");
        return 0;
    }

    if (apr_hash_get(mctx->pks->stapling_info, cinf->idx, sizeof(cinf->idx))) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
                     "ssl_stapling_init_cert: certificate already initialized!");
        return 0;
    }

    apr_hash_set(mctx->pks->stapling_info, cinf->idx, sizeof(cinf->idx), cinf);

    return 1;
}


{
    certinfo *cinf;
    X509 *x;
    UCHAR idx[20];
    x = SSL_get_certificate(ssl);
    if (x == NULL)
        return NULL;
    X509_digest(x, EVP_sha1(), idx, NULL);
    cinf = apr_hash_get(mctx->pks->stapling_info, idx, sizeof(idx));
    if (cinf && cinf->cid)
        return cinf;
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
- 

Return to bug 54357

Lines 277-285 apr_status_t ssl_init_Module(apr_pool_t p, apr_pool_t plog, Link Here

(-)a/modules/ssl/ssl_engine_init.c (-4 / +1 lines)
277	if (!ssl_mutex_init(base_server, p)) {	277	if (!ssl_mutex_init(base_server, p)) {
278	return HTTP_INTERNAL_SERVER_ERROR;	278	return HTTP_INTERNAL_SERVER_ERROR;
279	}	279	}
280	#ifdef HAVE_OCSP_STAPLING
281	ssl_stapling_ex_init();
282	#endif
283		280
284	/*	281	/*
285	* initialize session caching	282	* initialize session caching
Lines 1093-1099 static apr_status_t ssl_init_server_certs(server_rec *s, Link Here
1093	* later, we defer to the code in ssl_init_server_ctx.	1090	* later, we defer to the code in ssl_init_server_ctx.
1094	*/	1091	*/
1095	if ((mctx->stapling_enabled == TRUE) &&	1092	if ((mctx->stapling_enabled == TRUE) &&
1096	!ssl_stapling_init_cert(s, mctx, cert)) {	1093	!ssl_stapling_init_cert(s, mctx, cert, p)) {
1097	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)	1094	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
1098	"Unable to configure certificate %s for stapling",	1095	"Unable to configure certificate %s for stapling",
1099	key_id);	1096	key_id);

Lines 53-80 typedef struct { Link Here

(-)a/modules/ssl/ssl_util_stapling.c (-35 / +27 lines)
53	char *uri;	53	char *uri;
54	} certinfo;	54	} certinfo;
55		55
56	static void certinfo_free(void parent, void ptr, CRYPTO_EX_DATA *ad,
57	int idx, long argl, void *argp)
58	{
59	certinfo *cinf = ptr;
60
61	if (!cinf)
62	return;
63	if (cinf->uri)
64	OPENSSL_free(cinf->uri);
65	OPENSSL_free(cinf);
66	}
67
68	static int stapling_ex_idx = -1;
69
70	void ssl_stapling_ex_init(void)
71	{
72	if (stapling_ex_idx != -1)
73	return;
74	stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
75	certinfo_free);
76	}
77
78	static X509 stapling_get_issuer(modssl_ctx_t mctx, X509 *x)	56	static X509 stapling_get_issuer(modssl_ctx_t mctx, X509 *x)
79	{	57	{
80	X509 *issuer = NULL;	58	X509 *issuer = NULL;
Lines 106-112 static X509 stapling_get_issuer(modssl_ctx_t mctx, X509 *x) Link Here
106		84
107	}	85	}
108		86
109	int ssl_stapling_init_cert(server_rec s, modssl_ctx_t mctx, X509 *x)	87	int ssl_stapling_init_cert(server_rec s, modssl_ctx_t mctx, X509 x, apr_pool_t p)
110	{	88	{
111	certinfo *cinf;	89	certinfo *cinf;
112	X509 *issuer = NULL;	90	X509 *issuer = NULL;
Lines 114-134 int ssl_stapling_init_cert(server_rec s, modssl_ctx_t mctx, X509 *x) Link Here
114		92
115	if (x == NULL)	93	if (x == NULL)
116	return 0;	94	return 0;
117	cinf = X509_get_ex_data(x, stapling_ex_idx);	95
118	if (cinf) {	96	if (mctx->pks->stapling_info == NULL)
119	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)	97	mctx->pks->stapling_info = apr_hash_make(p);
120	"ssl_stapling_init_cert: certificate already initialized!");	98
		99	if (mctx->pks->stapling_info == NULL) {
		100	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
		101	"ssl_stapling_init_cert: error allocating memory!");
121	return 0;	102	return 0;
122	}	103	}
123	cinf = OPENSSL_malloc(sizeof(certinfo));	104
		105	cinf = apr_pcalloc(p, sizeof(certinfo));
124	if (!cinf) {	106	if (!cinf) {
125	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)	107	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
126	"ssl_stapling_init_cert: error allocating memory!");	108	"ssl_stapling_init_cert: error allocating memory!");
127	return 0;	109	return 0;
128	}	110	}
129	cinf->cid = NULL;
130	cinf->uri = NULL;
131	X509_set_ex_data(x, stapling_ex_idx, cinf);
132		111
133	issuer = stapling_get_issuer(mctx, x);	112	issuer = stapling_get_issuer(mctx, x);
134		113
Lines 146-159 int ssl_stapling_init_cert(server_rec s, modssl_ctx_t mctx, X509 *x) Link Here
146		125
147	aia = X509_get1_ocsp(x);	126	aia = X509_get1_ocsp(x);
148	if (aia) {	127	if (aia) {
149	cinf->uri = sk_OPENSSL_STRING_pop(aia);	128	/* Ugly: ensure memory managed by apr */
150	X509_email_free(aia);	129	char *uri;
		130	uri = sk_OPENSSL_STRING_pop(aia);
		131	cinf->uri = apr_pstrdup(p, uri);
		132	OPENSSL_free(uri);
151	}	133	}
152	if (!cinf->uri && !mctx->stapling_force_url) {	134	if (!cinf->uri && !mctx->stapling_force_url) {
153	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)	135	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
154	"ssl_stapling_init_cert: no responder URL");	136	"ssl_stapling_init_cert: no responder URL");
155	return 0;	137	return 0;
156	}	138	}
		139
		140	if (apr_hash_get(mctx->pks->stapling_info, cinf->idx, sizeof(cinf->idx))) {
		141	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
		142	"ssl_stapling_init_cert: certificate already initialized!");
		143	return 0;
		144	}
		145
		146	apr_hash_set(mctx->pks->stapling_info, cinf->idx, sizeof(cinf->idx), cinf);
		147
157	return 1;	148	return 1;
158	}	149	}
159		150
Lines 162-171 static certinfo stapling_get_cert_info(server_rec s, modssl_ctx_t *mctx, Link Here
162	{	153	{
163	certinfo *cinf;	154	certinfo *cinf;
164	X509 *x;	155	X509 *x;
		156	UCHAR idx[20];
165	x = SSL_get_certificate(ssl);	157	x = SSL_get_certificate(ssl);
166	if (x == NULL)	158	if (x == NULL)
167	return NULL;	159	return NULL;
168	cinf = X509_get_ex_data(x, stapling_ex_idx);	160	X509_digest(x, EVP_sha1(), idx, NULL);
		161	cinf = apr_hash_get(mctx->pks->stapling_info, idx, sizeof(idx));
169	if (cinf && cinf->cid)	162	if (cinf && cinf->cid)
170	return cinf;	163	return cinf;
171	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)	164	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
172	-