Lines 46-80
|
46 |
/* Cached info stored in certificate ex_info. */ |
46 |
/* Cached info stored in certificate ex_info. */ |
47 |
typedef struct { |
47 |
typedef struct { |
48 |
/* Index in session cache SHA1 hash of certificate */ |
48 |
/* Index in session cache SHA1 hash of certificate */ |
49 |
UCHAR idx[20]; |
49 |
UCHAR idx[SHA_DIGEST_LENGTH]; |
50 |
/* Certificate ID for OCSP requests or NULL if ID cannot be determined */ |
50 |
/* Certificate ID for OCSP requests or NULL if ID cannot be determined */ |
51 |
OCSP_CERTID *cid; |
51 |
OCSP_CERTID *cid; |
52 |
/* Responder details */ |
52 |
/* Responder details */ |
53 |
char *uri; |
53 |
char *uri; |
54 |
} certinfo; |
54 |
} certinfo; |
55 |
|
55 |
|
56 |
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, |
|
|
57 |
int idx, long argl, void *argp) |
58 |
{ |
59 |
certinfo *cinf = ptr; |
60 |
|
61 |
if (!cinf) |
62 |
return; |
63 |
if (cinf->uri) |
64 |
OPENSSL_free(cinf->uri); |
65 |
OPENSSL_free(cinf); |
66 |
} |
67 |
|
68 |
static int stapling_ex_idx = -1; |
69 |
|
70 |
void ssl_stapling_ex_init(void) |
71 |
{ |
72 |
if (stapling_ex_idx != -1) |
73 |
return; |
74 |
stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0, |
75 |
certinfo_free); |
76 |
} |
77 |
|
78 |
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
56 |
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
79 |
{ |
57 |
{ |
80 |
X509 *issuer = NULL; |
58 |
X509 *issuer = NULL; |
Lines 111-134
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
|
111 |
certinfo *cinf; |
89 |
certinfo *cinf; |
112 |
X509 *issuer = NULL; |
90 |
X509 *issuer = NULL; |
113 |
STACK_OF(OPENSSL_STRING) *aia = NULL; |
91 |
STACK_OF(OPENSSL_STRING) *aia = NULL; |
|
|
92 |
UCHAR idx[SHA_DIGEST_LENGTH]; |
93 |
SSLModConfigRec *mc = myModConfig(s); |
94 |
apr_pool_t *p = mc->pPool; |
114 |
|
95 |
|
115 |
if (x == NULL) |
96 |
if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
116 |
return 0; |
97 |
return 0; |
117 |
cinf = X509_get_ex_data(x, stapling_ex_idx); |
98 |
|
|
|
99 |
cinf = apr_hash_get(mc->stapling_cert_info, idx, sizeof(idx)); |
118 |
if (cinf) { |
100 |
if (cinf) { |
119 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215) |
101 |
/* It's already in the hash. However, it may not have a uri |
120 |
"ssl_stapling_init_cert: certificate already initialized!"); |
102 |
* If not, check we have a force URL */ |
121 |
return 0; |
103 |
if (!cinf->uri && !mctx->stapling_force_url) { |
122 |
} |
104 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) |
123 |
cinf = OPENSSL_malloc(sizeof(certinfo)); |
105 |
"ssl_stapling_init_cert: no responder URL"); |
124 |
if (!cinf) { |
106 |
return 0; |
125 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216) |
107 |
} |
126 |
"ssl_stapling_init_cert: error allocating memory!"); |
108 |
return 1; |
127 |
return 0; |
|
|
128 |
} |
109 |
} |
129 |
cinf->cid = NULL; |
|
|
130 |
cinf->uri = NULL; |
131 |
X509_set_ex_data(x, stapling_ex_idx, cinf); |
132 |
|
110 |
|
133 |
issuer = stapling_get_issuer(mctx, x); |
111 |
issuer = stapling_get_issuer(mctx, x); |
134 |
|
112 |
|
Lines 138-152
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
|
138 |
return 0; |
116 |
return 0; |
139 |
} |
117 |
} |
140 |
|
118 |
|
|
|
119 |
cinf = apr_pcalloc(p, sizeof(certinfo)); |
120 |
memcpy (cinf->idx, idx, sizeof(idx)); |
121 |
|
141 |
cinf->cid = OCSP_cert_to_id(NULL, x, issuer); |
122 |
cinf->cid = OCSP_cert_to_id(NULL, x, issuer); |
142 |
X509_free(issuer); |
123 |
X509_free(issuer); |
143 |
if (!cinf->cid) |
124 |
if (!cinf->cid) |
144 |
return 0; |
125 |
return 0; |
145 |
X509_digest(x, EVP_sha1(), cinf->idx, NULL); |
|
|
146 |
|
126 |
|
147 |
aia = X509_get1_ocsp(x); |
127 |
aia = X509_get1_ocsp(x); |
148 |
if (aia) { |
128 |
if (aia) { |
149 |
cinf->uri = sk_OPENSSL_STRING_pop(aia); |
129 |
cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0)); |
150 |
X509_email_free(aia); |
130 |
X509_email_free(aia); |
151 |
} |
131 |
} |
152 |
if (!cinf->uri && !mctx->stapling_force_url) { |
132 |
if (!cinf->uri && !mctx->stapling_force_url) { |
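Review bot: The new `cinf->cid = OCSP_cert_to_id(NULL, x, issuer);` on the pool-allocated certinfo now has no release path at all: the old ex_data path had `certinfo_free` (which also never freed `cid`, but that hook is removed in this change), and `apr_pcalloc` will not call `OCSP_CERTID_free` when the pool is cleared. If `mc->pPool` is cleared on restart (it appears to be the module config pool, but its lifetime is not visible here), each reload leaks one OCSP_CERTID per stapled certificate; a pool cleanup registered right after the `!cinf->cid` check closes that, and `cid` is NULL on the early-return path so nothing is lost there. Separately, switching from `sk_OPENSSL_STRING_pop(aia)` to `sk_OPENSSL_STRING_value(aia, 0)` changes which AIA responder is used (first instead of last) when a certificate lists several; that is arguably the better choice but is worth a one-line comment such as `/* prefer the first AIA OCSP URI; the stack is freed below, so copy it */`. ssl_stapling_init_cert continues past the end of this hunk.
```c
/* Frees the OpenSSL-owned OCSP_CERTID when the pool holding cinf is cleared. */
static apr_status_t stapling_certinfo_cleanup(void *data)
{
    certinfo *cinf = data;
    if (cinf->cid) {
        OCSP_CERTID_free(cinf->cid);
        cinf->cid = NULL;
    }
    return APR_SUCCESS;
}

/* … unchanged: ssl_stapling_init_cert up to OCSP_cert_to_id … */
    if (!cinf->cid)
        return 0;
    apr_pool_cleanup_register(p, cinf, stapling_certinfo_cleanup,
                              apr_pool_cleanup_null);
```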
Lines 154-159
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
|
154 |
"ssl_stapling_init_cert: no responder URL"); |
134 |
"ssl_stapling_init_cert: no responder URL"); |
155 |
return 0; |
135 |
return 0; |
156 |
} |
136 |
} |
|
|
137 |
|
138 |
apr_hash_set(mc->stapling_cert_info, cinf->idx, sizeof(cinf->idx), cinf); |
139 |
|
157 |
return 1; |
140 |
return 1; |
158 |
} |
141 |
} |
159 |
|
142 |
|
Lines 162-171
static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
|
162 |
{ |
145 |
{ |
163 |
certinfo *cinf; |
146 |
certinfo *cinf; |
164 |
X509 *x; |
147 |
X509 *x; |
|
|
148 |
UCHAR idx[SHA_DIGEST_LENGTH]; |
149 |
SSLModConfigRec *mc = myModConfig(s); |
165 |
x = SSL_get_certificate(ssl); |
150 |
x = SSL_get_certificate(ssl); |
166 |
if (x == NULL) |
151 |
if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
167 |
return NULL; |
152 |
return NULL; |
168 |
cinf = X509_get_ex_data(x, stapling_ex_idx); |
153 |
cinf = apr_hash_get(mc->stapling_cert_info, idx, sizeof(idx)); |
169 |
if (cinf && cinf->cid) |
154 |
if (cinf && cinf->cid) |
170 |
return cinf; |
155 |
return cinf; |
171 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) |
156 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) |
172 |
- |
|
|