
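--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -72,6 +72,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 #ifdef HAVE_OCSP_STAPLING
     mc->stapling_cache         = NULL;
     mc->stapling_mutex         = NULL;
+    mc->stapling_cert_info     = apr_hash_make(pool);
 #endif
 
     apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,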
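Review bot: The new table is allocated from `pool` here, while the entries that ssl_util_stapling.c stores in it are apr_pcalloc'd from `mc->pPool`; the two are presumably the same config pool (mc->pPool is assigned outside this hunk), but nothing in the code says so, and a lifetime mismatch would leave the table holding dangling certinfo pointers after a restart. A comment tying the two together would make the ownership explicit: `/* certinfo entries are allocated from mc->pPool by ssl_stapling_init_cert(); keep the table and its entries in the same pool */`. ssl_config_global_create continues outside the hunk.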
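--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -277,9 +277,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
     if (!ssl_mutex_init(base_server, p)) {
         return HTTP_INTERNAL_SERVER_ERROR;
     }
-#ifdef HAVE_OCSP_STAPLING
-    ssl_stapling_ex_init();
-#endif
 
     /*
      * initialize session caching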
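--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -499,6 +499,9 @@ typedef struct {
     const ap_socache_provider_t *stapling_cache;
     ap_socache_instance_t *stapling_cache_context;
     apr_global_mutex_t   *stapling_mutex;
+
+    /* Hash of stapling information by SHA1 of certificate */
+    apr_hash_t *stapling_cert_info;
 #endif
 } SSLModConfigRec;
 
@@ -812,7 +815,6 @@ const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
-void         ssl_stapling_ex_init(void);
 int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
 #endif
 #ifdef HAVE_SRP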
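Review bot: The comment on the new `stapling_cert_info` field names the key but not the value type, the key length or who owns the entries, and this header is the only place a reader outside ssl_util_stapling.c meets the field (the `certinfo` value type is file-local there). Suggest replacing it with `/* certinfo entries (private to ssl_util_stapling.c), one per server certificate, keyed by the raw SHA-1 digest of the cert (SHA_DIGEST_LENGTH bytes); filled by ssl_stapling_init_cert(), looked up by stapling_get_cert_info() */`. The typedef this field belongs to begins before the hunk.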
(-)a/modules/ssl/ssl_util_stapling.c (-42 / +17 lines)
Lines 46-80 Link Here
46
/* Cached info stored in certificate ex_info. */
46
/* Cached info stored in certificate ex_info. */
47
typedef struct {
47
typedef struct {
48
    /* Index in session cache SHA1 hash of certificate */
48
    /* Index in session cache SHA1 hash of certificate */
49
    UCHAR idx[20];
49
    UCHAR idx[SHA_DIGEST_LENGTH];
50
    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
50
    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
51
    OCSP_CERTID *cid;
51
    OCSP_CERTID *cid;
52
    /* Responder details */
52
    /* Responder details */
53
    char *uri;
53
    char *uri;
54
} certinfo;
54
} certinfo;
55
55
56
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
57
                                        int idx, long argl, void *argp)
58
{
59
    certinfo *cinf = ptr;
60
61
    if (!cinf)
62
        return;
63
    if (cinf->uri)
64
        OPENSSL_free(cinf->uri);
65
    OPENSSL_free(cinf);
66
}
67
68
static int stapling_ex_idx = -1;
69
70
void ssl_stapling_ex_init(void)
71
{
72
    if (stapling_ex_idx != -1)
73
        return;
74
    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
75
                                            certinfo_free);
76
}
77
78
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
56
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
79
{
57
{
80
    X509 *issuer = NULL;
58
    X509 *issuer = NULL;
Lines 111-134 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) Link Here
111
    certinfo *cinf;
89
    certinfo *cinf;
112
    X509 *issuer = NULL;
90
    X509 *issuer = NULL;
113
    STACK_OF(OPENSSL_STRING) *aia = NULL;
91
    STACK_OF(OPENSSL_STRING) *aia = NULL;
92
    SSLModConfigRec *mc = myModConfig(s);
93
    apr_pool_t *p = mc->pPool;
114
94
115
    if (x == NULL)
95
    if (x == NULL)
116
        return 0;
96
        return 0;
117
    cinf  = X509_get_ex_data(x, stapling_ex_idx);
97
118
    if (cinf) {
98
    cinf = apr_pcalloc(p, sizeof(certinfo));
119
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
120
                     "ssl_stapling_init_cert: certificate already initialized!");
121
        return 0;
122
    }
123
    cinf = OPENSSL_malloc(sizeof(certinfo));
124
    if (!cinf) {
125
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
126
                     "ssl_stapling_init_cert: error allocating memory!");
127
        return 0;
128
    }
129
    cinf->cid = NULL;
130
    cinf->uri = NULL;
131
    X509_set_ex_data(x, stapling_ex_idx, cinf);
132
99
133
    issuer = stapling_get_issuer(mctx, x);
100
    issuer = stapling_get_issuer(mctx, x);
134
101
Lines 146-152 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) Link Here
146
113
147
    aia = X509_get1_ocsp(x);
114
    aia = X509_get1_ocsp(x);
148
    if (aia) {
115
    if (aia) {
149
        cinf->uri = sk_OPENSSL_STRING_pop(aia);
116
        /* Ensure memory managed by apr */
117
        char *uri;
118
        uri = sk_OPENSSL_STRING_value(aia, 0);
119
        if (uri)
120
            cinf->uri = apr_pstrdup(p, uri);
150
        X509_email_free(aia);
121
        X509_email_free(aia);
151
    }
122
    }
152
    if (!cinf->uri && !mctx->stapling_force_url) {
123
    if (!cinf->uri && !mctx->stapling_force_url) {
Lines 154-159 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) Link Here
154
                     "ssl_stapling_init_cert: no responder URL");
125
                     "ssl_stapling_init_cert: no responder URL");
155
        return 0;
126
        return 0;
156
    }
127
    }
128
129
    apr_hash_set(mc->stapling_cert_info, cinf->idx, sizeof(cinf->idx), cinf);
130
157
    return 1;
131
    return 1;
158
}
132
}
159
133
Lines 162-171 static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx, Link Here
162
{
136
{
163
    certinfo *cinf;
137
    certinfo *cinf;
164
    X509 *x;
138
    X509 *x;
139
    UCHAR idx[SHA_DIGEST_LENGTH];
140
    SSLModConfigRec *mc = myModConfig(s);
165
    x = SSL_get_certificate(ssl);
141
    x = SSL_get_certificate(ssl);
166
    if (x == NULL)
142
    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
167
        return NULL;
143
        return NULL;
168
    cinf = X509_get_ex_data(x, stapling_ex_idx);
144
    cinf = apr_hash_get(mc->stapling_cert_info, idx, sizeof(idx));
169
    if (cinf && cinf->cid)
145
    if (cinf && cinf->cid)
170
        return cinf;
146
        return cinf;
171
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
147
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
172
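Review bot: In ssl_stapling_init_cert the switch from `sk_OPENSSL_STRING_pop(aia)` to `sk_OPENSSL_STRING_value(aia, 0)` quietly changes which responder is used when a certificate's AIA extension lists several OCSP URIs (first instead of last), and the only comment on the new lines, `Ensure memory managed by apr`, explains the apr_pstrdup rather than that choice; if the change is deliberate, say so: `/* Use the first AIA OCSP responder; copy it, the stack is freed below */`. stapling_get_cert_info now performs an unlocked apr_hash_get on mc->stapling_cert_info from the handshake path, which is only safe because every apr_hash_set is in ssl_stapling_init_cert and (presumably) runs during single-threaded configuration — apr_hash_t has no locking of its own, so that single-writer, init-time-only assumption deserves a comment next to the apr_hash_set. With certinfo_free gone, cinf and cinf->uri are pool-owned, but cinf->cid is not: if it is still created by OpenSSL in the elided lines between the hunks (new 102-112), nothing releases it when the pool is destroyed — the old ex_data destructor did not either, but a pool cleanup on `p` calling OCSP_CERTID_free would be the natural place now. Note too that apr_hash_set on an existing key silently replaces the earlier certinfo, which is what drops the old "certificate already initialized" diagnostic; fine if the same certificate in several vhosts is meant to be accepted, but worth stating in a comment. ssl_stapling_init_cert and stapling_get_cert_info both extend outside the hunks.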