
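--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -193,6 +193,10 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
     mctx->pks->cert_files = apr_array_make(p, 3, sizeof(char *));
     mctx->pks->key_files  = apr_array_make(p, 3, sizeof(char *));
 
+#ifdef HAVE_OCSP_STAPLING
+    mctx->pks->stapling_cert_info = apr_hash_make(p);
+#endif
+
 #ifdef HAVE_TLS_SESSION_TICKETS
     mctx->ticket_key = apr_pcalloc(p, sizeof(*mctx->ticket_key));
 #endif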
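Review bot: `stapling_cert_info` is created here from the pool `p` of modssl_ctx_init_server, while the entries that ssl_stapling_init_cert later stores in it are allocated from its own `apr_pool_t *p` argument, and nothing at this line records that the two pools must have the same lifetime. A one-line comment would make the contract visible: `/* keyed by the SHA-1 digest of the cert; entries are allocated by ssl_stapling_init_cert() from its pool argument, which must outlive this hash */`. The enclosing function starts outside the hunk.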
(-)a/modules/ssl/ssl_engine_init.c (-5 / +2 lines)
Lines 277-285 apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, Link Here
277
    if (!ssl_mutex_init(base_server, p)) {
277
    if (!ssl_mutex_init(base_server, p)) {
278
        return HTTP_INTERNAL_SERVER_ERROR;
278
        return HTTP_INTERNAL_SERVER_ERROR;
279
    }
279
    }
280
#ifdef HAVE_OCSP_STAPLING
281
    ssl_stapling_ex_init();
282
#endif
283
280
284
    /*
281
    /*
285
     * initialize session caching
282
     * initialize session caching
Lines 1093-1099 static apr_status_t ssl_init_server_certs(server_rec *s, Link Here
1093
         * later, we defer to the code in ssl_init_server_ctx.
1090
         * later, we defer to the code in ssl_init_server_ctx.
1094
         */
1091
         */
1095
        if ((mctx->stapling_enabled == TRUE) &&
1092
        if ((mctx->stapling_enabled == TRUE) &&
1096
            !ssl_stapling_init_cert(s, mctx, cert)) {
1093
            !ssl_stapling_init_cert(s, mctx, cert, p)) {
1097
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
1094
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
1098
                         "Unable to configure certificate %s for stapling",
1095
                         "Unable to configure certificate %s for stapling",
1099
                         key_id);
1096
                         key_id);
Lines 1450-1456 static apr_status_t ssl_init_server_ctx(server_rec *s, Link Here
1450
                                           SSL_CERT_SET_FIRST);
1447
                                           SSL_CERT_SET_FIRST);
1451
        while (ret) {
1448
        while (ret) {
1452
            cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
1449
            cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
1453
            if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
1450
            if (!cert || !ssl_stapling_init_cert(s, sc->server, cert, p)) {
1454
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02604)
1451
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02604)
1455
                             "Unable to configure certificate %s:%d "
1452
                             "Unable to configure certificate %s:%d "
1456
                             "for stapling", sc->vhost_id, i);
1453
                             "for stapling", sc->vhost_id, i);
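Review bot: The `p` now passed to `ssl_stapling_init_cert(s, mctx, cert, p)` in ssl_init_server_certs and `ssl_stapling_init_cert(s, sc->server, cert, p)` in ssl_init_server_ctx decides how long each stapling entry lives, but the hash the entry is stored in was created from the server config pool in modssl_ctx_init_server; if `p` at either call were a shorter-lived pool, the hash would keep dangling pointers after that pool is cleared. The declaration of `p` in both functions is outside these hunks, so this may well be the same config pool — a comment at the first call, `/* p must outlive mctx->pks->stapling_cert_info (config pool) */`, would pin the assumption. Both enclosing functions start and end outside the hunks shown.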
(-)a/modules/ssl/ssl_private.h (-2 / +6 lines)
Lines 513-518 typedef struct { Link Here
513
     * sent in the CertificateRequest message: */
513
     * sent in the CertificateRequest message: */
514
    const char  *ca_name_path;
514
    const char  *ca_name_path;
515
    const char  *ca_name_file;
515
    const char  *ca_name_file;
516
517
#ifdef HAVE_OCSP_STAPLING
518
    /* Hash of stapling information by SHA1 of certificate */
519
    apr_hash_t *stapling_cert_info;
520
#endif
516
} modssl_pk_server_t;
521
} modssl_pk_server_t;
517
522
518
typedef struct {
523
typedef struct {
Lines 812-819 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int); Link Here
812
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
817
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
813
const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
818
const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
814
apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
819
apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
815
void         ssl_stapling_ex_init(void);
820
int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x, apr_pool_t *p);
816
int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
817
#endif
821
#endif
818
#ifdef HAVE_SRP
822
#ifdef HAVE_SRP
819
int          ssl_callback_SRPServerParams(SSL *, int *, void *);
823
int          ssl_callback_SRPServerParams(SSL *, int *, void *);
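Review bot: The new prototype `int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x, apr_pool_t *p);` gains a pool parameter without saying what is allocated from it, and the field comment `/* Hash of stapling information by SHA1 of certificate */` does not say what the keys and values are. A short comment above the prototype would cover both: `/* Register x for OCSP stapling in mctx->pks->stapling_cert_info; the entry and its copy of the responder URI are allocated from p, which must outlive mctx. Returns 1 on success, 0 on (logged) failure. */`, and the field comment could add that the key is the raw SHA_DIGEST_LENGTH-byte digest and the value an opaque pointer owned by ssl_util_stapling.c.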
(-)a/modules/ssl/ssl_util_stapling.c (-43 / +21 lines)
Lines 46-80 Link Here
46
/* Cached info stored in certificate ex_info. */
46
/* Cached info stored in certificate ex_info. */
47
typedef struct {
47
typedef struct {
48
    /* Index in session cache SHA1 hash of certificate */
48
    /* Index in session cache SHA1 hash of certificate */
49
    UCHAR idx[20];
49
    UCHAR idx[SHA_DIGEST_LENGTH];
50
    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
50
    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
51
    OCSP_CERTID *cid;
51
    OCSP_CERTID *cid;
52
    /* Responder details */
52
    /* Responder details */
53
    char *uri;
53
    char *uri;
54
} certinfo;
54
} certinfo;
55
55
56
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
57
                                        int idx, long argl, void *argp)
58
{
59
    certinfo *cinf = ptr;
60
61
    if (!cinf)
62
        return;
63
    if (cinf->uri)
64
        OPENSSL_free(cinf->uri);
65
    OPENSSL_free(cinf);
66
}
67
68
static int stapling_ex_idx = -1;
69
70
void ssl_stapling_ex_init(void)
71
{
72
    if (stapling_ex_idx != -1)
73
        return;
74
    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
75
                                            certinfo_free);
76
}
77
78
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
56
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
79
{
57
{
80
    X509 *issuer = NULL;
58
    X509 *issuer = NULL;
Lines 106-112 static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) Link Here
106
84
107
}
85
}
108
86
109
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
87
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x, apr_pool_t *p)
110
{
88
{
111
    certinfo *cinf;
89
    certinfo *cinf;
112
    X509 *issuer = NULL;
90
    X509 *issuer = NULL;
Lines 114-134 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) Link Here
114
92
115
    if (x == NULL)
93
    if (x == NULL)
116
        return 0;
94
        return 0;
117
    cinf  = X509_get_ex_data(x, stapling_ex_idx);
95
118
    if (cinf) {
96
    cinf = apr_pcalloc(p, sizeof(certinfo));
119
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
120
                     "ssl_stapling_init_cert: certificate already initialized!");
121
        return 0;
122
    }
123
    cinf = OPENSSL_malloc(sizeof(certinfo));
124
    if (!cinf) {
125
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
126
                     "ssl_stapling_init_cert: error allocating memory!");
127
        return 0;
128
    }
129
    cinf->cid = NULL;
130
    cinf->uri = NULL;
131
    X509_set_ex_data(x, stapling_ex_idx, cinf);
132
97
133
    issuer = stapling_get_issuer(mctx, x);
98
    issuer = stapling_get_issuer(mctx, x);
134
99
Lines 146-152 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) Link Here
146
111
147
    aia = X509_get1_ocsp(x);
112
    aia = X509_get1_ocsp(x);
148
    if (aia) {
113
    if (aia) {
149
        cinf->uri = sk_OPENSSL_STRING_pop(aia);
114
        /* Ensure memory managed by apr */
115
        char *uri;
116
        uri = sk_OPENSSL_STRING_value(aia, 0);
117
        if (uri)
118
            cinf->uri = apr_pstrdup(p, uri);
150
        X509_email_free(aia);
119
        X509_email_free(aia);
151
    }
120
    }
152
    if (!cinf->uri && !mctx->stapling_force_url) {
121
    if (!cinf->uri && !mctx->stapling_force_url) {
Lines 154-159 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) Link Here
154
                     "ssl_stapling_init_cert: no responder URL");
123
                     "ssl_stapling_init_cert: no responder URL");
155
        return 0;
124
        return 0;
156
    }
125
    }
126
127
    if (apr_hash_get(mctx->pks->stapling_cert_info, cinf->idx, sizeof(cinf->idx))) {
128
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
129
                     "ssl_stapling_init_cert: certificate already initialized!");
130
        return 0;
131
    }
132
133
    apr_hash_set(mctx->pks->stapling_cert_info, cinf->idx, sizeof(cinf->idx), cinf);
134
157
    return 1;
135
    return 1;
158
}
136
}
159
137
Lines 162-171 static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx, Link Here
162
{
140
{
163
    certinfo *cinf;
141
    certinfo *cinf;
164
    X509 *x;
142
    X509 *x;
143
    UCHAR idx[SHA_DIGEST_LENGTH];
165
    x = SSL_get_certificate(ssl);
144
    x = SSL_get_certificate(ssl);
166
    if (x == NULL)
145
    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
167
        return NULL;
146
        return NULL;
168
    cinf = X509_get_ex_data(x, stapling_ex_idx);
147
    cinf = apr_hash_get(mctx->pks->stapling_cert_info, idx, sizeof(idx));
169
    if (cinf && cinf->cid)
148
    if (cinf && cinf->cid)
170
        return cinf;
149
        return cinf;
171
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
150
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
172
- 
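Review bot: In ssl_stapling_init_cert the "already initialized" lookup (`apr_hash_get(mctx->pks->stapling_cert_info, cinf->idx, sizeof(cinf->idx))`, hunk "Lines 154-159") now runs last, after the pool allocation, the issuer lookup and the AIA copy, so a duplicate certificate does all that work before being rejected and is not detected at all when it takes the earlier `no responder URL` return; moving the lookup to just after `cinf->idx` is filled (in the lines between the hunks, not shown here) restores the old early rejection. If `cinf->cid` is an OpenSSL object created in those unseen lines, note that a pool-allocated `certinfo` never frees it now that `certinfo_free` is gone, so a pool cleanup for it may be needed — I cannot confirm that from these hunks. Separately, the responder URI now comes from `sk_OPENSSL_STRING_value(aia, 0)` where the old code used `sk_OPENSSL_STRING_pop(aia)`, i.e. the first AIA entry instead of the last, and the duplicate check is now by certificate digest rather than by X509 object; if both are intentional they deserve a word in the commit message. stapling_get_cert_info (header outside the hunk) additionally runs `X509_digest` on every call, a per-handshake SHA-1 over the certificate in place of the old ex_data read; cheap, but worth a one-line comment there.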
