
(-)modules/ssl/ssl_util_stapling.c (-55 / +77 lines)
Lines 43-78 Link Here
43
43
44
#define MAX_STAPLING_DER 10240
44
#define MAX_STAPLING_DER 10240
45
45
46
/* Cached info stored in certificate ex_info. */
46
/* Cached info stored in the global stapling_certinfo hash. */
47
typedef struct {
47
typedef struct {
48
    /* Index in session cache SHA1 hash of certificate */
48
    /* Index in session cache (SHA-1 digest of DER encoded certificate) */
49
    UCHAR idx[20];
49
    UCHAR idx[SHA_DIGEST_LENGTH];
50
    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
50
    /* Certificate ID for OCSP request */
51
    OCSP_CERTID *cid;
51
    OCSP_CERTID *cid;
52
    /* Responder details */
52
    /* URI of the OCSP responder */
53
    char *uri;
53
    char *uri;
54
} certinfo;
54
} certinfo;
55
55
56
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
56
static apr_status_t ssl_stapling_certid_free(void *data)
57
                                        int idx, long argl, void *argp)
58
{
57
{
59
    certinfo *cinf = ptr;
58
    OCSP_CERTID *cid = data;
60
59
61
    if (!cinf)
60
    if (cid) {
62
        return;
61
        OCSP_CERTID_free(cid);
63
    if (cinf->uri)
62
    }
64
        OPENSSL_free(cinf->uri);
63
65
    OPENSSL_free(cinf);
64
    return APR_SUCCESS;
66
}
65
}
67
66
68
static int stapling_ex_idx = -1;
67
static apr_hash_t *stapling_certinfo;
69
68
70
void ssl_stapling_ex_init(void)
69
void ssl_stapling_certinfo_hash_init(apr_pool_t *p)
71
{
70
{
72
    if (stapling_ex_idx != -1)
71
    stapling_certinfo = apr_hash_make(p);
73
        return;
74
    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
75
                                            certinfo_free);
76
}
72
}
77
73
78
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
74
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
Lines 106-175 static X509 *stapling_get_issuer(modssl_ctx_t *mct Link Here
106
102
107
}
103
}
108
104
109
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
105
int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
106
                           modssl_ctx_t *mctx, X509 *x)
110
{
107
{
111
    certinfo *cinf;
108
    UCHAR idx[SHA_DIGEST_LENGTH];
109
    certinfo *cinf = NULL;
112
    X509 *issuer = NULL;
110
    X509 *issuer = NULL;
111
    OCSP_CERTID *cid = NULL;
113
    STACK_OF(OPENSSL_STRING) *aia = NULL;
112
    STACK_OF(OPENSSL_STRING) *aia = NULL;
114
113
115
    if (x == NULL)
114
    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
116
        return 0;
115
        return 0;
117
    cinf  = X509_get_ex_data(x, stapling_ex_idx);
116
117
    cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
118
    if (cinf) {
118
    if (cinf) {
119
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
119
        /* 
120
                     "ssl_stapling_init_cert: certificate already initialized!");
120
         * We already parsed the certificate, and no OCSP URI was found.
121
        return 0;
121
         * The certificate might be used for multiple vhosts, though,
122
         * so we check for a ForceURL for this vhost.
123
         */
124
        if (!cinf->uri && !mctx->stapling_force_url) {
125
            ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
126
                           APLOGNO() "ssl_stapling_init_cert: no OCSP URI "
127
                           "in certificate and no SSLStaplingForceURL "
128
                           "configured for server %s", mctx->sc->vhost_id);
129
            return 0;
130
        }
131
        return 1;
122
    }
132
    }
123
    cinf = OPENSSL_malloc(sizeof(certinfo));
133
124
    if (!cinf) {
134
    if (!(issuer = stapling_get_issuer(mctx, x))) {
125
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
135
        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217)
126
                     "ssl_stapling_init_cert: error allocating memory!");
136
                       "ssl_stapling_init_cert: can't retrieve issuer "
137
                       "certificate!");
127
        return 0;
138
        return 0;
128
    }
139
    }
129
    cinf->cid = NULL;
130
    cinf->uri = NULL;
131
    X509_set_ex_data(x, stapling_ex_idx, cinf);
132
140
133
    issuer = stapling_get_issuer(mctx, x);
141
    cid = OCSP_cert_to_id(NULL, x, issuer);
134
142
    X509_free(issuer);
135
    if (issuer == NULL) {
143
    if (!cid) {
136
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217)
144
        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO()
137
                     "ssl_stapling_init_cert: Can't retrieve issuer certificate!");
145
                       "ssl_stapling_init_cert: can't create CertID "
146
                       "for OCSP request");
138
        return 0;
147
        return 0;
139
    }
148
    }
140
149
141
    cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
150
    aia = X509_get1_ocsp(x);
142
    X509_free(issuer);
151
    if (!aia && !mctx->stapling_force_url) {
143
    if (!cinf->cid)
152
        OCSP_CERTID_free(cid);
153
        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
154
                       APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
155
                       "in certificate and no SSLStaplingForceURL set");
144
        return 0;
156
        return 0;
145
    X509_digest(x, EVP_sha1(), cinf->idx, NULL);
157
    }
146
158
147
    aia = X509_get1_ocsp(x);
159
    /* At this point, we have determined that there's something to store */
160
    cinf = apr_pcalloc(p, sizeof(certinfo));
161
    memcpy (cinf->idx, idx, sizeof(idx));
162
    cinf->cid = cid;
163
    /* make sure cid is also freed at pool cleanup */
164
    apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free,
165
                              apr_pool_cleanup_null);
148
    if (aia) {
166
    if (aia) {
149
        cinf->uri = sk_OPENSSL_STRING_pop(aia);
167
       /* allocate uri from the pconf pool */
150
        X509_email_free(aia);
168
       cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
169
       X509_email_free(aia);
151
    }
170
    }
152
    if (!cinf->uri && !mctx->stapling_force_url) {
171
153
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
172
    ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x,
154
                     "ssl_stapling_init_cert: no responder URL");
173
                   "ssl_stapling_init_cert: storing certinfo for server %s",
155
        return 0;
174
                   mctx->sc->vhost_id);
156
    }
175
176
    apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
177
157
    return 1;
178
    return 1;
158
}
179
}
159
180
160
static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
181
static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx,
161
                                        SSL *ssl)
182
                                        SSL *ssl)
162
{
183
{
163
    certinfo *cinf;
184
    certinfo *cinf;
164
    X509 *x;
185
    X509 *x;
186
    UCHAR idx[SHA_DIGEST_LENGTH];
165
    x = SSL_get_certificate(ssl);
187
    x = SSL_get_certificate(ssl);
166
    if (x == NULL)
188
    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
167
        return NULL;
189
        return NULL;
168
    cinf = X509_get_ex_data(x, stapling_ex_idx);
190
    cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
169
    if (cinf && cinf->cid)
191
    if (cinf && cinf->cid)
170
        return cinf;
192
        return cinf;
171
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
193
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
172
                 "stapling_get_cert_info: stapling not supported for certificate");
194
                 "stapling_get_certinfo: stapling not supported for certificate");
173
    return NULL;
195
    return NULL;
174
}
196
}
175
197
Lines 585-591 static int stapling_cb(SSL *ssl, void *arg) Link Here
585
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)
607
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)
586
                 "stapling_cb: OCSP Stapling callback called");
608
                 "stapling_cb: OCSP Stapling callback called");
587
609
588
    cinf = stapling_get_cert_info(s, mctx, ssl);
610
    cinf = stapling_get_certinfo(s, mctx, ssl);
589
    if (cinf == NULL) {
611
    if (cinf == NULL) {
590
        return SSL_TLSEXT_ERR_NOACK;
612
        return SSL_TLSEXT_ERR_NOACK;
591
    }
613
    }
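Review bot: In ssl_stapling_init_cert the `if (aia)` block now stores `sk_OPENSSL_STRING_value(aia, 0)` where the removed code used `sk_OPENSSL_STRING_pop(aia)`, so a certificate that lists several OCSP responders in its AIA extension silently switches from the last entry to the first; if that is intended it deserves a comment, and a length guard keeps a NULL from `sk_OPENSSL_STRING_value` (presumably passed through `apr_pstrdup` as NULL) from quietly storing an entry without a URI: `/* use the first OCSP responder listed in the AIA extension */` / `if (sk_OPENSSL_STRING_num(aia) > 0)` / `cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));`. The comment in the cached-entry branch ("We already parsed the certificate, and no OCSP URI was found") does not hold for an entry whose `cinf->uri` is set, since that path returns 1 for it; reword it to say the cached entry may or may not carry a URI and only the URI-less case needs a per-vhost SSLStaplingForceURL. The two new `APLOGNO()` tags in that function are empty and need numbers assigned before commit, while the removed 02215 and 02216 tags become unused.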
(-)modules/ssl/ssl_private.h (-2 / +3 lines)
Lines 812-819 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_pa Link Here
812
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
812
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
813
const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
813
const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
814
apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
814
apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
815
void         ssl_stapling_ex_init(void);
815
void         ssl_stapling_certinfo_hash_init(apr_pool_t *);
816
int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
816
int          ssl_stapling_init_cert(server_rec *s, apr_pool_t *, apr_pool_t *,
817
                                    modssl_ctx_t *mctx, X509 *x);
817
#endif
818
#endif
818
#ifdef HAVE_SRP
819
#ifdef HAVE_SRP
819
int          ssl_callback_SRPServerParams(SSL *, int *, void *);
820
int          ssl_callback_SRPServerParams(SSL *, int *, void *);
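Review bot: The new ssl_stapling_init_cert prototype names `s`, `mctx` and `x` but leaves the two pool parameters anonymous, and since their order is the only thing distinguishing the configuration pool from the temporary one, a caller reading the header cannot tell which is which; name them to match the definition, `int          ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,` / `                                    modssl_ctx_t *mctx, X509 *x);`. The neighbouring declarations such as modssl_init_stapling are fully unnamed, which is the file's other style, but mixing both on one prototype is the least readable option.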
(-)modules/ssl/ssl_engine_init.c (-3 / +4 lines)
Lines 278-284 apr_status_t ssl_init_Module(apr_pool_t *p, apr_po Link Here
278
        return HTTP_INTERNAL_SERVER_ERROR;
278
        return HTTP_INTERNAL_SERVER_ERROR;
279
    }
279
    }
280
#ifdef HAVE_OCSP_STAPLING
280
#ifdef HAVE_OCSP_STAPLING
281
    ssl_stapling_ex_init();
281
    ssl_stapling_certinfo_hash_init(p);
282
#endif
282
#endif
283
283
284
    /*
284
    /*
Lines 1093-1099 static apr_status_t ssl_init_server_certs(server_r Link Here
1093
         * later, we defer to the code in ssl_init_server_ctx.
1093
         * later, we defer to the code in ssl_init_server_ctx.
1094
         */
1094
         */
1095
        if ((mctx->stapling_enabled == TRUE) &&
1095
        if ((mctx->stapling_enabled == TRUE) &&
1096
            !ssl_stapling_init_cert(s, mctx, cert)) {
1096
            !ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) {
1097
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
1097
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
1098
                         "Unable to configure certificate %s for stapling",
1098
                         "Unable to configure certificate %s for stapling",
1099
                         key_id);
1099
                         key_id);
Lines 1450-1456 static apr_status_t ssl_init_server_ctx(server_rec Link Here
1450
                                           SSL_CERT_SET_FIRST);
1450
                                           SSL_CERT_SET_FIRST);
1451
        while (ret) {
1451
        while (ret) {
1452
            cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
1452
            cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
1453
            if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
1453
            if (!cert || !ssl_stapling_init_cert(s, p, ptemp, sc->server,
1454
                                                 cert)) {
1454
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02604)
1455
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02604)
1455
                             "Unable to configure certificate %s:%d "
1456
                             "Unable to configure certificate %s:%d "
1456
                             "for stapling", sc->vhost_id, i);
1457
                             "for stapling", sc->vhost_id, i);
