You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
275 lines
10 KiB
275 lines
10 KiB
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c |
|
index 9811af8..568627f 100644 |
|
--- a/modules/ssl/ssl_engine_init.c |
|
+++ b/modules/ssl/ssl_engine_init.c |
|
@@ -276,7 +276,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, |
|
return HTTP_INTERNAL_SERVER_ERROR; |
|
} |
|
#ifdef HAVE_OCSP_STAPLING |
|
- ssl_stapling_ex_init(); |
|
+ ssl_stapling_certinfo_hash_init(p); |
|
#endif |
|
|
|
/* |
|
@@ -899,6 +899,8 @@ static void ssl_init_ctx(server_rec *s, |
|
} |
|
|
|
static int ssl_server_import_cert(server_rec *s, |
|
+ apr_pool_t *p, |
|
+ apr_pool_t *ptemp, |
|
modssl_ctx_t *mctx, |
|
const char *id, |
|
int idx) |
|
@@ -933,7 +935,7 @@ static int ssl_server_import_cert(server_rec *s, |
|
|
|
#ifdef HAVE_OCSP_STAPLING |
|
if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) { |
|
- if (!ssl_stapling_init_cert(s, mctx, cert)) { |
|
+ if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) { |
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02235) |
|
"Unable to configure server certificate for stapling"); |
|
} |
|
@@ -1081,10 +1083,10 @@ static void ssl_init_server_certs(server_rec *s, |
|
ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); |
|
#endif |
|
|
|
- have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); |
|
- have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); |
|
+ have_rsa = ssl_server_import_cert(s, p, ptemp, mctx, rsa_id, SSL_AIDX_RSA); |
|
+ have_dsa = ssl_server_import_cert(s, p, ptemp, mctx, dsa_id, SSL_AIDX_DSA); |
|
#ifndef OPENSSL_NO_EC |
|
- have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); |
|
+ have_ecc = ssl_server_import_cert(s, p, ptemp, mctx, ecc_id, SSL_AIDX_ECC); |
|
#endif |
|
|
|
if (!(have_rsa || have_dsa |
|
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h |
|
index 80e1e8e..0cc6d3f 100644 |
|
--- a/modules/ssl/ssl_private.h |
|
+++ b/modules/ssl/ssl_private.h |
|
@@ -132,6 +132,13 @@ |
|
#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \ |
|
&& !defined(OPENSSL_NO_TLSEXT) |
|
#define HAVE_OCSP_STAPLING |
|
+/* backward compatibility with OpenSSL < 1.0 */ |
|
+#ifndef sk_OPENSSL_STRING_num |
|
+#define sk_OPENSSL_STRING_num sk_num |
|
+#endif |
|
+#ifndef sk_OPENSSL_STRING_value |
|
+#define sk_OPENSSL_STRING_value sk_value |
|
+#endif |
|
#if (OPENSSL_VERSION_NUMBER < 0x10000000) |
|
#define sk_OPENSSL_STRING_pop sk_pop |
|
#endif |
|
@@ -862,10 +869,10 @@ const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char |
|
const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int); |
|
const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int); |
|
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *); |
|
-const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *); |
|
+const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *); |
|
void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *); |
|
-void ssl_stapling_ex_init(void); |
|
-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); |
|
+void ssl_stapling_certinfo_hash_init(apr_pool_t *); |
|
+int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *, X509 *); |
|
#endif |
|
#ifndef OPENSSL_NO_SRP |
|
int ssl_callback_SRPServerParams(SSL *, int *, void *); |
|
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c |
|
index 2be2c36..2387ae1 100644 |
|
--- a/modules/ssl/ssl_util_stapling.c |
|
+++ b/modules/ssl/ssl_util_stapling.c |
|
@@ -43,36 +43,32 @@ |
|
|
|
#define MAX_STAPLING_DER 10240 |
|
|
|
-/* Cached info stored in certificate ex_info. */ |
|
+/* Cached info stored in the global stapling_certinfo hash. */ |
|
typedef struct { |
|
- /* Index in session cache SHA1 hash of certificate */ |
|
- UCHAR idx[20]; |
|
- /* Certificate ID for OCSP requests or NULL if ID cannot be determined */ |
|
+ /* Index in session cache (SHA-1 digest of DER encoded certificate) */ |
|
+ UCHAR idx[SHA_DIGEST_LENGTH]; |
|
+ /* Certificate ID for OCSP request */ |
|
OCSP_CERTID *cid; |
|
- /* Responder details */ |
|
+ /* URI of the OCSP responder */ |
|
char *uri; |
|
} certinfo; |
|
|
|
-static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, |
|
- int idx, long argl, void *argp) |
|
+static apr_status_t ssl_stapling_certid_free(void *data) |
|
{ |
|
- certinfo *cinf = ptr; |
|
+ OCSP_CERTID *cid = data; |
|
|
|
- if (!cinf) |
|
- return; |
|
- if (cinf->uri) |
|
- OPENSSL_free(cinf->uri); |
|
- OPENSSL_free(cinf); |
|
+ if (cid) { |
|
+ OCSP_CERTID_free(cid); |
|
+ } |
|
+ |
|
+ return APR_SUCCESS; |
|
} |
|
|
|
-static int stapling_ex_idx = -1; |
|
+static apr_hash_t *stapling_certinfo; |
|
|
|
-void ssl_stapling_ex_init(void) |
|
+void ssl_stapling_certinfo_hash_init(apr_pool_t *p) |
|
{ |
|
- if (stapling_ex_idx != -1) |
|
- return; |
|
- stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0, |
|
- certinfo_free); |
|
+ stapling_certinfo = apr_hash_make(p); |
|
} |
|
|
|
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
|
@@ -106,70 +102,97 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) |
|
|
|
} |
|
|
|
-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) |
|
+int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, |
|
+ modssl_ctx_t *mctx, X509 *x) |
|
{ |
|
- certinfo *cinf; |
|
+ UCHAR idx[SHA_DIGEST_LENGTH]; |
|
+ certinfo *cinf = NULL; |
|
X509 *issuer = NULL; |
|
+ OCSP_CERTID *cid = NULL; |
|
STACK_OF(OPENSSL_STRING) *aia = NULL; |
|
|
|
- if (x == NULL) |
|
+ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
|
return 0; |
|
- cinf = X509_get_ex_data(x, stapling_ex_idx); |
|
+ |
|
+ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); |
|
if (cinf) { |
|
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215) |
|
- "ssl_stapling_init_cert: certificate already initialized!"); |
|
- return 0; |
|
- } |
|
- cinf = OPENSSL_malloc(sizeof(certinfo)); |
|
- if (!cinf) { |
|
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216) |
|
- "ssl_stapling_init_cert: error allocating memory!"); |
|
- return 0; |
|
+ /* |
|
+ * We already parsed the certificate, and no OCSP URI was found. |
|
+ * The certificate might be used for multiple vhosts, though, |
|
+ * so we check for a ForceURL for this vhost. |
|
+ */ |
|
+ if (!cinf->uri && !mctx->stapling_force_url) { |
|
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, |
|
+ APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI " |
|
+ "in certificate and no SSLStaplingForceURL " |
|
+ "configured for server %s", mctx->sc->vhost_id); |
|
+ return 0; |
|
+ } |
|
+ return 1; |
|
} |
|
- cinf->cid = NULL; |
|
- cinf->uri = NULL; |
|
- X509_set_ex_data(x, stapling_ex_idx, cinf); |
|
- |
|
- issuer = stapling_get_issuer(mctx, x); |
|
|
|
- if (issuer == NULL) { |
|
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217) |
|
- "ssl_stapling_init_cert: Can't retrieve issuer certificate!"); |
|
+ if (!(issuer = stapling_get_issuer(mctx, x))) { |
|
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217) |
|
+ "ssl_stapling_init_cert: can't retrieve issuer " |
|
+ "certificate!"); |
|
return 0; |
|
} |
|
|
|
- cinf->cid = OCSP_cert_to_id(NULL, x, issuer); |
|
+ cid = OCSP_cert_to_id(NULL, x, issuer); |
|
X509_free(issuer); |
|
- if (!cinf->cid) |
|
+ if (!cid) { |
|
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815) |
|
+ "ssl_stapling_init_cert: can't create CertID " |
|
+ "for OCSP request"); |
|
return 0; |
|
- X509_digest(x, EVP_sha1(), cinf->idx, NULL); |
|
+ } |
|
|
|
aia = X509_get1_ocsp(x); |
|
- if (aia) { |
|
- cinf->uri = sk_OPENSSL_STRING_pop(aia); |
|
- X509_email_free(aia); |
|
- } |
|
- if (!cinf->uri && !mctx->stapling_force_url) { |
|
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) |
|
- "ssl_stapling_init_cert: no responder URL"); |
|
+ |
|
+ if (!aia && !mctx->stapling_force_url) { |
|
+ OCSP_CERTID_free(cid); |
|
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, |
|
+ APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI " |
|
+ "in certificate and no SSLStaplingForceURL set"); |
|
return 0; |
|
} |
|
+ |
|
+ /* At this point, we have determined that there's something to store */ |
|
+ cinf = apr_pcalloc(p, sizeof(certinfo)); |
|
+ memcpy (cinf->idx, idx, sizeof(idx)); |
|
+ cinf->cid = cid; |
|
+ /* make sure cid is also freed at pool cleanup */ |
|
+ apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free, |
|
+ apr_pool_cleanup_null); |
|
+ if (aia) { |
|
+ /* allocate uri from the pconf pool */ |
|
+ cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0)); |
|
+ X509_email_free(aia); |
|
+ } |
|
+ |
|
+ ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x, |
|
+ "ssl_stapling_init_cert: storing certinfo for server %s", |
|
+ mctx->sc->vhost_id); |
|
+ |
|
+ apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf); |
|
+ |
|
return 1; |
|
} |
|
|
|
-static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx, |
|
+static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx, |
|
SSL *ssl) |
|
{ |
|
certinfo *cinf; |
|
X509 *x; |
|
+ UCHAR idx[SHA_DIGEST_LENGTH]; |
|
x = SSL_get_certificate(ssl); |
|
- if (x == NULL) |
|
+ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
|
return NULL; |
|
- cinf = X509_get_ex_data(x, stapling_ex_idx); |
|
+ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); |
|
if (cinf && cinf->cid) |
|
return cinf; |
|
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) |
|
- "stapling_get_cert_info: stapling not supported for certificate"); |
|
+ "stapling_get_certinfo: stapling not supported for certificate"); |
|
return NULL; |
|
} |
|
|
|
@@ -585,7 +608,7 @@ static int stapling_cb(SSL *ssl, void *arg) |
|
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951) |
|
"stapling_cb: OCSP Stapling callback called"); |
|
|
|
- cinf = stapling_get_cert_info(s, mctx, ssl); |
|
+ cinf = stapling_get_certinfo(s, mctx, ssl); |
|
if (cinf == NULL) { |
|
return SSL_TLSEXT_ERR_NOACK; |
|
}
|
|
|