Lines 43-78
|
43 |
|
43 |
|
44 |
#define MAX_STAPLING_DER 10240 |
44 |
#define MAX_STAPLING_DER 10240 |
45 |
|
45 |
|
46 |
/* Cached info stored in certificate ex_info. */ |
46 |
/* Cached info stored in the global stapling_certinfo hash. */ |
47 |
typedef struct { |
47 |
typedef struct { |
48 |
/* Index in session cache SHA1 hash of certificate */ |
48 |
/* Index in session cache (SHA-1 digest of DER encoded certificate) */ |
49 |
UCHAR idx[20]; |
49 |
UCHAR idx[SHA_DIGEST_LENGTH]; |
50 |
/* Certificate ID for OCSP requests or NULL if ID cannot be determined */ |
50 |
/* Certificate ID for OCSP request */ |
51 |
OCSP_CERTID *cid; |
51 |
OCSP_CERTID *cid; |
52 |
/* Responder details */ |
52 |
/* URI of the OCSP responder */ |
53 |
char *uri; |
53 |
char *uri; |
54 |
} certinfo; |
54 |
} certinfo; |
55 |
|
55 |
|
56 |
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, |
56 |
static apr_status_t ssl_stapling_certid_free(void *data) |
57 |
int idx, long argl, void *argp) |
|
|
58 |
{ |
57 |
{ |
59 |
certinfo *cinf = ptr; |
58 |
OCSP_CERTID *cid = data; |
60 |
|
59 |
|
61 |
if (!cinf) |
60 |
if (cid) { |
62 |
return; |
61 |
OCSP_CERTID_free(cid); |
63 |
if (cinf->uri) |
62 |
} |
64 |
OPENSSL_free(cinf->uri); |
63 |
|
65 |
OPENSSL_free(cinf); |
64 |
return APR_SUCCESS; |
66 |
} |
65 |
} |
67 |
|
66 |
|
68 |
static int stapling_ex_idx = -1; |
67 |
static apr_hash_t *stapling_certinfo; |
69 |
|
68 |
|
70 |
void ssl_stapling_ex_init(void) |
69 |
void ssl_stapling_certinfo_hash_init(apr_pool_t *p) |
71 |
{ |
70 |
{ |
72 |
if (stapling_ex_idx != -1) |
71 |
stapling_certinfo = apr_hash_make(p); |
73 |
return; |
|
|
74 |
stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0, |
75 |
certinfo_free); |
76 |
} |
72 |
} |
77 |
|
73 |
|
78 |
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
74 |
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
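Review bot: `ssl_stapling_certinfo_hash_init` now unconditionally replaces the global `stapling_certinfo` with a fresh hash, whereas the old `ssl_stapling_ex_init` guarded against repeated calls with `if (stapling_ex_idx != -1) return;`. If the new function can run more than once during the lifetime of `p` (its callers are outside this hunk, so I cannot confirm), entries already added by `ssl_stapling_init_cert` would be orphaned in the pool and no longer found by `stapling_get_certinfo`; either keep a guard such as `if (stapling_certinfo == NULL) stapling_certinfo = apr_hash_make(p);` together with a pool cleanup that resets the pointer when `p` is cleared, or document that the function must be called exactly once per configuration pool. The declaration `static apr_hash_t *stapling_certinfo;` would also benefit from a comment along the lines of `/* Built during post-config; treated as read-only once handshakes can run, since apr_hash_t is not safe against concurrent modification. */`, as the hash is later read from the stapling callback.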
Lines 106-175
static X509 *stapling_get_issuer(modssl_ctx_t *mct
|
106 |
|
102 |
|
107 |
} |
103 |
} |
108 |
|
104 |
|
109 |
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) |
105 |
int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, |
|
|
106 |
modssl_ctx_t *mctx, X509 *x) |
110 |
{ |
107 |
{ |
111 |
certinfo *cinf; |
108 |
UCHAR idx[SHA_DIGEST_LENGTH]; |
|
|
109 |
certinfo *cinf = NULL; |
112 |
X509 *issuer = NULL; |
110 |
X509 *issuer = NULL; |
|
|
111 |
OCSP_CERTID *cid = NULL; |
113 |
STACK_OF(OPENSSL_STRING) *aia = NULL; |
112 |
STACK_OF(OPENSSL_STRING) *aia = NULL; |
114 |
|
113 |
|
115 |
if (x == NULL) |
114 |
if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
116 |
return 0; |
115 |
return 0; |
117 |
cinf = X509_get_ex_data(x, stapling_ex_idx); |
116 |
|
|
|
117 |
cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); |
118 |
if (cinf) { |
118 |
if (cinf) { |
119 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215) |
119 |
/* |
120 |
"ssl_stapling_init_cert: certificate already initialized!"); |
120 |
* We already parsed the certificate, and no OCSP URI was found. |
121 |
return 0; |
121 |
* The certificate might be used for multiple vhosts, though, |
|
|
122 |
* so we check for a ForceURL for this vhost. |
123 |
*/ |
124 |
if (!cinf->uri && !mctx->stapling_force_url) { |
125 |
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, |
126 |
APLOGNO() "ssl_stapling_init_cert: no OCSP URI " |
127 |
"in certificate and no SSLStaplingForceURL " |
128 |
"configured for server %s", mctx->sc->vhost_id); |
129 |
return 0; |
130 |
} |
131 |
return 1; |
122 |
} |
132 |
} |
123 |
cinf = OPENSSL_malloc(sizeof(certinfo)); |
133 |
|
124 |
if (!cinf) { |
134 |
if (!(issuer = stapling_get_issuer(mctx, x))) { |
125 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216) |
135 |
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217) |
126 |
"ssl_stapling_init_cert: error allocating memory!"); |
136 |
"ssl_stapling_init_cert: can't retrieve issuer " |
|
|
137 |
"certificate!"); |
127 |
return 0; |
138 |
return 0; |
128 |
} |
139 |
} |
129 |
cinf->cid = NULL; |
|
|
130 |
cinf->uri = NULL; |
131 |
X509_set_ex_data(x, stapling_ex_idx, cinf); |
132 |
|
140 |
|
133 |
issuer = stapling_get_issuer(mctx, x); |
141 |
cid = OCSP_cert_to_id(NULL, x, issuer); |
134 |
|
142 |
X509_free(issuer); |
135 |
if (issuer == NULL) { |
143 |
if (!cid) { |
136 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217) |
144 |
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO() |
137 |
"ssl_stapling_init_cert: Can't retrieve issuer certificate!"); |
145 |
"ssl_stapling_init_cert: can't create CertID " |
|
|
146 |
"for OCSP request"); |
138 |
return 0; |
147 |
return 0; |
139 |
} |
148 |
} |
140 |
|
149 |
|
141 |
cinf->cid = OCSP_cert_to_id(NULL, x, issuer); |
150 |
aia = X509_get1_ocsp(x); |
142 |
X509_free(issuer); |
151 |
if (!aia && !mctx->stapling_force_url) { |
143 |
if (!cinf->cid) |
152 |
OCSP_CERTID_free(cid); |
|
|
153 |
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, |
154 |
APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI " |
155 |
"in certificate and no SSLStaplingForceURL set"); |
144 |
return 0; |
156 |
return 0; |
145 |
X509_digest(x, EVP_sha1(), cinf->idx, NULL); |
157 |
} |
146 |
|
158 |
|
147 |
aia = X509_get1_ocsp(x); |
159 |
/* At this point, we have determined that there's something to store */ |
|
|
160 |
cinf = apr_pcalloc(p, sizeof(certinfo)); |
161 |
memcpy (cinf->idx, idx, sizeof(idx)); |
162 |
cinf->cid = cid; |
163 |
/* make sure cid is also freed at pool cleanup */ |
164 |
apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free, |
165 |
apr_pool_cleanup_null); |
148 |
if (aia) { |
166 |
if (aia) { |
149 |
cinf->uri = sk_OPENSSL_STRING_pop(aia); |
167 |
/* allocate uri from the pconf pool */ |
150 |
X509_email_free(aia); |
168 |
cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0)); |
|
|
169 |
X509_email_free(aia); |
151 |
} |
170 |
} |
152 |
if (!cinf->uri && !mctx->stapling_force_url) { |
171 |
|
153 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) |
172 |
ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x, |
154 |
"ssl_stapling_init_cert: no responder URL"); |
173 |
"ssl_stapling_init_cert: storing certinfo for server %s", |
155 |
return 0; |
174 |
mctx->sc->vhost_id); |
156 |
} |
175 |
|
|
|
176 |
apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf); |
177 |
|
157 |
return 1; |
178 |
return 1; |
158 |
} |
179 |
} |
159 |
|
180 |
|
160 |
static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx, |
181 |
static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx, |
161 |
SSL *ssl) |
182 |
SSL *ssl) |
162 |
{ |
183 |
{ |
163 |
certinfo *cinf; |
184 |
certinfo *cinf; |
164 |
X509 *x; |
185 |
X509 *x; |
|
|
186 |
UCHAR idx[SHA_DIGEST_LENGTH]; |
165 |
x = SSL_get_certificate(ssl); |
187 |
x = SSL_get_certificate(ssl); |
166 |
if (x == NULL) |
188 |
if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
167 |
return NULL; |
189 |
return NULL; |
168 |
cinf = X509_get_ex_data(x, stapling_ex_idx); |
190 |
cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); |
169 |
if (cinf && cinf->cid) |
191 |
if (cinf && cinf->cid) |
170 |
return cinf; |
192 |
return cinf; |
171 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) |
193 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) |
172 |
"stapling_get_cert_info: stapling not supported for certificate"); |
194 |
"stapling_get_certinfo: stapling not supported for certificate"); |
173 |
return NULL; |
195 |
return NULL; |
174 |
} |
196 |
} |
175 |
|
197 |
|
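Review bot: Two of the new error messages in `ssl_stapling_init_cert` carry an empty `APLOGNO()` tag — the "no OCSP URI in certificate and no SSLStaplingForceURL configured for server %s" message in the already-initialized branch and the "can't create CertID for OCSP request" message after `OCSP_cert_to_id` — while the neighbouring messages keep numbered tags such as `APLOGNO(02217)` and `APLOGNO(02218)`. Untagged messages cannot be correlated with the documented log-message numbers, so the tags should be allocated before this is committed. The removed `APLOGNO(02215)` and `APLOGNO(02216)` tags disappear with the old "already initialized" and "error allocating memory" paths; their retirement should be recorded wherever the project tracks assigned numbers so they are not reused with a different meaning. Minor style point in the same function: `memcpy (cinf->idx, idx, sizeof(idx));` has a space before the parenthesis that the surrounding calls do not use.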
Lines 585-591
static int stapling_cb(SSL *ssl, void *arg)
|
585 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951) |
607 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951) |
586 |
"stapling_cb: OCSP Stapling callback called"); |
608 |
"stapling_cb: OCSP Stapling callback called"); |
587 |
|
609 |
|
588 |
cinf = stapling_get_cert_info(s, mctx, ssl); |
610 |
cinf = stapling_get_certinfo(s, mctx, ssl); |
589 |
if (cinf == NULL) { |
611 |
if (cinf == NULL) { |
590 |
return SSL_TLSEXT_ERR_NOACK; |
612 |
return SSL_TLSEXT_ERR_NOACK; |
591 |
} |
613 |
} |