
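--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -72,6 +72,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 #ifdef HAVE_OCSP_STAPLING
     mc->stapling_cache         = NULL;
     mc->stapling_mutex         = NULL;
+    mc->stapling_cert_info     = apr_hash_make(pool);
 #endif
 
     apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,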
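--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -277,9 +277,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
     if (!ssl_mutex_init(base_server, p)) {
         return HTTP_INTERNAL_SERVER_ERROR;
     }
-#ifdef HAVE_OCSP_STAPLING
-    ssl_stapling_ex_init();
-#endif
 
     /*
      * initialize session caching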
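--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -499,6 +499,9 @@ typedef struct {
     const ap_socache_provider_t *stapling_cache;
     ap_socache_instance_t *stapling_cache_context;
     apr_global_mutex_t   *stapling_mutex;
+
+    /* Hash of stapling information by SHA1 of certificate */
+    apr_hash_t *stapling_cert_info;
 #endif
 } SSLModConfigRec;
 
@@ -812,7 +815,6 @@ const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
-void         ssl_stapling_ex_init(void);
 int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
 #endif
 #ifdef HAVE_SRP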
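Review bot: The comment added at new line 503 names the key only loosely; since the lookups in ssl_util_stapling.c pass the raw `X509_digest(..., EVP_sha1(), ...)` output with `sizeof(idx)` as the key length, and the handshake-time readers hold no lock, the header should spell out both, e.g. `/* Hash of per-certificate stapling info (certinfo, private to ssl_util_stapling.c), keyed by the raw SHA-1 digest of the certificate (SHA_DIGEST_LENGTH bytes); filled during server init and treated as read-only afterwards */`. The read-only-after-init property is what makes the lock-free `apr_hash_get()` calls safe and is inferred from the call sites rather than visible in this patch, so please confirm it before documenting it. The enclosing `typedef struct` begins outside the hunk.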
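--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -46,35 +46,13 @@
 /* Cached info stored in certificate ex_info. */
 typedef struct {
     /* Index in session cache SHA1 hash of certificate */
-    UCHAR idx[20];
+    UCHAR idx[SHA_DIGEST_LENGTH];
     /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
     OCSP_CERTID *cid;
     /* Responder details */
     char *uri;
 } certinfo;
 
-static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-                                        int idx, long argl, void *argp)
-{
-    certinfo *cinf = ptr;
-
-    if (!cinf)
-        return;
-    if (cinf->uri)
-        OPENSSL_free(cinf->uri);
-    OPENSSL_free(cinf);
-}
-
-static int stapling_ex_idx = -1;
-
-void ssl_stapling_ex_init(void)
-{
-    if (stapling_ex_idx != -1)
-        return;
-    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
-                                            certinfo_free);
-}
-
 static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
 {
     X509 *issuer = NULL;
@@ -111,24 +89,24 @@ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
     certinfo *cinf;
     X509 *issuer = NULL;
     STACK_OF(OPENSSL_STRING) *aia = NULL;
+    UCHAR idx[SHA_DIGEST_LENGTH];
+    SSLModConfigRec *mc = myModConfig(s);
+    apr_pool_t *p = mc->pPool;
 
-    if (x == NULL)
+    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
         return 0;
-    cinf  = X509_get_ex_data(x, stapling_ex_idx);
+
+    cinf = apr_hash_get(mc->stapling_cert_info, idx, sizeof(idx));
     if (cinf) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
-                     "ssl_stapling_init_cert: certificate already initialized!");
-        return 0;
-    }
-    cinf = OPENSSL_malloc(sizeof(certinfo));
-    if (!cinf) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
-                     "ssl_stapling_init_cert: error allocating memory!");
-        return 0;
+        /* It's already in the hash. However, it may not have a uri
+         * If not, check we have a force URL */
+        if (!cinf->uri && !mctx->stapling_force_url) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
+                         "ssl_stapling_init_cert: no responder URL");
+            return 0;
+        }
+        return 1;
     }
-    cinf->cid = NULL;
-    cinf->uri = NULL;
-    X509_set_ex_data(x, stapling_ex_idx, cinf);
 
     issuer = stapling_get_issuer(mctx, x);
 
@@ -138,15 +116,17 @@ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
         return 0;
     }
 
+    cinf = apr_pcalloc(p, sizeof(certinfo));
+    memcpy (cinf->idx, idx, sizeof(idx));
+
     cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
     X509_free(issuer);
     if (!cinf->cid)
         return 0;
-    X509_digest(x, EVP_sha1(), cinf->idx, NULL);
 
     aia = X509_get1_ocsp(x);
     if (aia) {
-        cinf->uri = sk_OPENSSL_STRING_pop(aia);
+        cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
         X509_email_free(aia);
     }
     if (!cinf->uri && !mctx->stapling_force_url) {
@@ -154,6 +134,9 @@ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
                      "ssl_stapling_init_cert: no responder URL");
         return 0;
     }
+
+    apr_hash_set(mc->stapling_cert_info, cinf->idx, sizeof(cinf->idx), cinf);
+
     return 1;
 }
 
@@ -162,10 +145,12 @@ static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
 {
     certinfo *cinf;
     X509 *x;
+    UCHAR idx[SHA_DIGEST_LENGTH];
+    SSLModConfigRec *mc = myModConfig(s);
     x = SSL_get_certificate(ssl);
-    if (x == NULL)
+    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
         return NULL;
-    cinf = X509_get_ex_data(x, stapling_ex_idx);
+    cinf = apr_hash_get(mc->stapling_cert_info, idx, sizeof(idx));
     if (cinf && cinf->cid)
         return cinf;
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)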
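Review bot: At new line 129 `sk_OPENSSL_STRING_value(aia, 0)` takes the first AIA OCSP URI where the removed `sk_OPENSSL_STRING_pop(aia)` took the last, so a certificate that lists several OCSP responders may now be stapled from a different responder than before; if that is intended, a comment such as `/* Use the first OCSP responder listed in the AIA extension */` would record the choice. Related, `cinf->cid` from `OCSP_cert_to_id()` at new line 122 is an OpenSSL heap object now held by a pool-allocated `certinfo`, and on the "no responder URL" exit at new line 135 nothing frees it (the removed `certinfo_free` never freed it either); adding `OCSP_CERTID_free(cinf->cid);` before that `return 0;`, or registering a pool cleanup on `p` right after the allocation, keeps the failure path leak-free. The lookup at new line 99 keys the table on the raw digest with `sizeof(idx)`, which matches the `apr_hash_set()` at new line 138, so the key handling is consistent across both sides. Both `ssl_stapling_init_cert()` and `stapling_get_cert_info()` begin outside their hunks.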