
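--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -72,6 +72,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 #ifdef HAVE_OCSP_STAPLING
     mc->stapling_cache         = NULL;
     mc->stapling_mutex         = NULL;
+    mc->stapling_cert_info     = apr_hash_make(pool);
 #endif
 
     apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,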
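--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -277,9 +277,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
     if (!ssl_mutex_init(base_server, p)) {
         return HTTP_INTERNAL_SERVER_ERROR;
     }
-#ifdef HAVE_OCSP_STAPLING
-    ssl_stapling_ex_init();
-#endif
 
     /*
      * initialize session caching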
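--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -499,6 +499,9 @@ typedef struct {
     const ap_socache_provider_t *stapling_cache;
     ap_socache_instance_t *stapling_cache_context;
     apr_global_mutex_t   *stapling_mutex;
+
+    /* Hash of stapling information by SHA1 of certificate */
+    apr_hash_t *stapling_cert_info;
 #endif
 } SSLModConfigRec;
 
@@ -812,7 +815,6 @@ const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
-void         ssl_stapling_ex_init(void);
 int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
 #endif
 #ifdef HAVE_SRP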
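Review bot: The comment on the new stapling_cert_info field (new line 503) names the key but not the ownership or synchronization contract, which is what a reader of this header needs most, since the table is read on the per-handshake path without stapling_mutex in the ssl_util_stapling.c part of this patch. A comment along the lines of `/* certinfo entries keyed by the 20-byte SHA-1 digest of the certificate; entries are pool-allocated from pPool, inserted by ssl_stapling_init_cert() at init and expected to be read-only afterwards */` would make the lock-free read explicit. Whether anything can insert after init is not visible here and is worth confirming before that wording is committed.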
(-)a/modules/ssl/ssl_util_stapling.c (-46 / +32 lines)
Lines 46-80 Link Here
46
/* Cached info stored in certificate ex_info. */
46
/* Cached info stored in certificate ex_info. */
47
typedef struct {
47
typedef struct {
48
    /* Index in session cache SHA1 hash of certificate */
48
    /* Index in session cache SHA1 hash of certificate */
49
    UCHAR idx[20];
49
    UCHAR idx[SHA_DIGEST_LENGTH];
50
    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
50
    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
51
    OCSP_CERTID *cid;
51
    OCSP_CERTID *cid;
52
    /* Responder details */
52
    /* Responder details */
53
    char *uri;
53
    char *uri;
54
} certinfo;
54
} certinfo;
55
55
56
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
57
                                        int idx, long argl, void *argp)
58
{
59
    certinfo *cinf = ptr;
60
61
    if (!cinf)
62
        return;
63
    if (cinf->uri)
64
        OPENSSL_free(cinf->uri);
65
    OPENSSL_free(cinf);
66
}
67
68
static int stapling_ex_idx = -1;
69
70
void ssl_stapling_ex_init(void)
71
{
72
    if (stapling_ex_idx != -1)
73
        return;
74
    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
75
                                            certinfo_free);
76
}
77
78
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
56
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
79
{
57
{
80
    X509 *issuer = NULL;
58
    X509 *issuer = NULL;
Lines 106-134 static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) Link Here
106
84
107
}
85
}
108
86
87
static int ssl_stapling_check_uri(server_rec *s, certinfo *cinf, modssl_ctx_t *mctx)
88
{
89
    if (!cinf->uri && !mctx->stapling_force_url) {
90
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
91
                     "ssl_stapling_init_cert: no responder URL");
92
        return 0;
93
    }
94
    return 1;
95
}
96
109
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
97
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
110
{
98
{
111
    certinfo *cinf;
99
    certinfo *cinf;
112
    X509 *issuer = NULL;
100
    X509 *issuer = NULL;
113
    STACK_OF(OPENSSL_STRING) *aia = NULL;
101
    STACK_OF(OPENSSL_STRING) *aia = NULL;
102
    UCHAR idx[SHA_DIGEST_LENGTH];
103
    SSLModConfigRec *mc = myModConfig(s);
104
    apr_pool_t *p = mc->pPool;
114
105
115
    if (x == NULL)
106
    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
116
        return 0;
107
        return 0;
117
    cinf  = X509_get_ex_data(x, stapling_ex_idx);
108
109
    cinf = apr_hash_get(mc->stapling_cert_info, idx, sizeof(idx));
118
    if (cinf) {
110
    if (cinf) {
119
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
111
        /* It's already in the hash. However, it may not have a uri
120
                     "ssl_stapling_init_cert: certificate already initialized!");
112
         * If not, check we have a force URL */
121
        return 0;
113
        return ssl_stapling_check_uri(s, cinf, mctx);
122
    }
123
    cinf = OPENSSL_malloc(sizeof(certinfo));
124
    if (!cinf) {
125
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
126
                     "ssl_stapling_init_cert: error allocating memory!");
127
        return 0;
128
    }
114
    }
129
    cinf->cid = NULL;
130
    cinf->uri = NULL;
131
    X509_set_ex_data(x, stapling_ex_idx, cinf);
132
115
133
    issuer = stapling_get_issuer(mctx, x);
116
    issuer = stapling_get_issuer(mctx, x);
134
117
Lines 138-159 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) Link Here
138
        return 0;
121
        return 0;
139
    }
122
    }
140
123
124
    cinf = apr_pcalloc(p, sizeof(certinfo));
125
    memcpy (cinf->idx, idx, sizeof(idx));
126
141
    cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
127
    cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
142
    X509_free(issuer);
128
    X509_free(issuer);
143
    if (!cinf->cid)
129
    if (!cinf->cid)
144
        return 0;
130
        return 0;
145
    X509_digest(x, EVP_sha1(), cinf->idx, NULL);
146
131
147
    aia = X509_get1_ocsp(x);
132
    aia = X509_get1_ocsp(x);
148
    if (aia) {
133
    if (aia) {
149
        cinf->uri = sk_OPENSSL_STRING_pop(aia);
134
        cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
150
        X509_email_free(aia);
135
        X509_email_free(aia);
151
    }
136
    }
152
    if (!cinf->uri && !mctx->stapling_force_url) {
137
    if (!ssl_stapling_check_uri(s, cinf, mctx))
153
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
154
                     "ssl_stapling_init_cert: no responder URL");
155
        return 0;
138
        return 0;
156
    }
139
140
    apr_hash_set(mc->stapling_cert_info, cinf->idx, sizeof(cinf->idx), cinf);
141
157
    return 1;
142
    return 1;
158
}
143
}
159
144
Lines 162-171 static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx, Link Here
162
{
147
{
163
    certinfo *cinf;
148
    certinfo *cinf;
164
    X509 *x;
149
    X509 *x;
150
    UCHAR idx[SHA_DIGEST_LENGTH];
151
    SSLModConfigRec *mc = myModConfig(s);
165
    x = SSL_get_certificate(ssl);
152
    x = SSL_get_certificate(ssl);
166
    if (x == NULL)
153
    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
167
        return NULL;
154
        return NULL;
168
    cinf = X509_get_ex_data(x, stapling_ex_idx);
155
    cinf = apr_hash_get(mc->stapling_cert_info, idx, sizeof(idx));
169
    if (cinf && cinf->cid)
156
    if (cinf && cinf->cid)
170
        return cinf;
157
        return cinf;
171
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
158
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
172
- 
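Review bot: The rewritten responder-URI selection in the "Lines 138-159" hunk (new line 134) changes which OCSP responder is used when the certificate's AIA extension lists several URIs: the removed `sk_OPENSSL_STRING_pop(aia)` took the last entry, while `sk_OPENSSL_STRING_value(aia, 0)` takes the first, and nothing in the patch says this is intended. If it is deliberate, a comment such as `/* use the first OCSP responder URI listed in the AIA extension */` should say so; otherwise `sk_OPENSSL_STRING_value(aia, sk_OPENSSL_STRING_num(aia) - 1)` keeps the previous choice. In the same hunk, when `ssl_stapling_check_uri()` fails after `OCSP_cert_to_id()` has succeeded, the OpenSSL-allocated `cinf->cid` is never released (cinf itself lives in mc->pPool, the OCSP_CERTID does not), so `OCSP_CERTID_free(cinf->cid);` belongs before that `return 0;`, although since the failure aborts initialisation the leak is presumably minor. Note also that `stapling_get_cert_info()` (last hunk) now runs an SHA-1 digest and a hash lookup on every handshake where the old code did a pointer-based ex_data lookup; that is safe without stapling_mutex only if the table is never modified after init, which is not visible in this patch. The body of ssl_stapling_init_cert begins in the preceding "Lines 106-134" hunk.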
