You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2015/06/30 17:26:19 UTC
svn commit: r1688474 [16/21] - in /httpd/httpd/trunk/modules/http2: ./ m4/
mod-h2.xcodeproj/ mod-h2.xcodeproj/project.xcworkspace/
mod-h2.xcodeproj/project.xcworkspace/xcshareddata/
mod-h2.xcodeproj/xcuserdata/ mod-h2.xcodeproj/xcuserdata/sei.xcuserdat...
Added: httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util.c?rev=1688474&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util.c (added)
+++ httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util.c Tue Jun 30 15:26:16 2015
@@ -0,0 +1,379 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* _ _
+ * _ __ ___ ___ __| | ___ ___| | mod_ssl
+ * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
+ * | | | | | | (_) | (_| | \__ \__ \ |
+ * |_| |_| |_|\___/ \__,_|___|___/___/_|
+ * |_____|
+ * ssl_util.c
+ * Utility Functions
+ */
+ /* ``Every day of my life
+ I am forced to add another
+ name to the list of people
+ who piss me off!''
+ -- Calvin */
+
+#include "ssl_private.h"
+#include "ap_mpm.h"
+#include "apr_thread_mutex.h"
+
+/* _________________________________________________________________
+**
+** Utility Functions
+** _________________________________________________________________
+*/
+
+char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
+{
+ char *id;
+ SSLSrvConfigRec *sc;
+ char *host;
+ apr_port_t port;
+
+ host = s->server_hostname;
+ if (s->port != 0)
+ port = s->port;
+ else {
+ sc = mySrvConfig(s);
+ if (sc->enabled == TRUE)
+ port = DEFAULT_HTTPS_PORT;
+ else
+ port = DEFAULT_HTTP_PORT;
+ }
+ id = apr_psprintf(p, "%s:%lu", host, (unsigned long)port);
+ return id;
+}
+
+apr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
+ const char * const *argv)
+{
+ apr_procattr_t *procattr;
+ apr_proc_t *proc;
+
+ if (apr_procattr_create(&procattr, p) != APR_SUCCESS)
+ return NULL;
+ if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK,
+ APR_FULL_BLOCK) != APR_SUCCESS)
+ return NULL;
+ if (apr_procattr_dir_set(procattr,
+ ap_make_dirstr_parent(p, cmd)) != APR_SUCCESS)
+ return NULL;
+ if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS)
+ return NULL;
+ proc = apr_pcalloc(p, sizeof(apr_proc_t));
+ if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS)
+ return NULL;
+ return proc->out;
+}
+
+void ssl_util_ppclose(server_rec *s, apr_pool_t *p, apr_file_t *fp)
+{
+ apr_file_close(fp);
+ return;
+}
+
+/*
+ * Run a filter program and read the first line of its stdout output
+ */
+char *ssl_util_readfilter(server_rec *s, apr_pool_t *p, const char *cmd,
+ const char * const *argv)
+{
+ static char buf[MAX_STRING_LEN];
+ apr_file_t *fp;
+ apr_size_t nbytes = 1;
+ char c;
+ int k;
+
+ if ((fp = ssl_util_ppopen(s, p, cmd, argv)) == NULL)
+ return NULL;
+ /* XXX: we are reading 1 byte at a time here */
+ for (k = 0; apr_file_read(fp, &c, &nbytes) == APR_SUCCESS
+ && nbytes == 1 && (k < MAX_STRING_LEN-1) ; ) {
+ if (c == '\n' || c == '\r')
+ break;
+ buf[k++] = c;
+ }
+ buf[k] = NUL;
+ ssl_util_ppclose(s, p, fp);
+
+ return buf;
+}
+
+BOOL ssl_util_path_check(ssl_pathcheck_t pcm, const char *path, apr_pool_t *p)
+{
+ apr_finfo_t finfo;
+
+ if (path == NULL)
+ return FALSE;
+ if (pcm & SSL_PCM_EXISTS && apr_stat(&finfo, path,
+ APR_FINFO_TYPE|APR_FINFO_SIZE, p) != 0)
+ return FALSE;
+ AP_DEBUG_ASSERT((pcm & SSL_PCM_EXISTS) ||
+ !(pcm & (SSL_PCM_ISREG|SSL_PCM_ISDIR|SSL_PCM_ISNONZERO)));
+ if (pcm & SSL_PCM_ISREG && finfo.filetype != APR_REG)
+ return FALSE;
+ if (pcm & SSL_PCM_ISDIR && finfo.filetype != APR_DIR)
+ return FALSE;
+ if (pcm & SSL_PCM_ISNONZERO && finfo.size <= 0)
+ return FALSE;
+ return TRUE;
+}
+
+/*
+ * certain key data needs to survive restarts,
+ * which are stored in the user data table of s->process->pool.
+ * to prevent "leaking" of this data, we use malloc/free
+ * rather than apr_palloc and these wrappers to help make sure
+ * we do not leak the malloc-ed data.
+ */
+unsigned char *ssl_asn1_table_set(apr_hash_t *table,
+ const char *key,
+ long int length)
+{
+ apr_ssize_t klen = strlen(key);
+ ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
+
+ /*
+ * if a value for this key already exists,
+ * reuse as much of the already malloc-ed data
+ * as possible.
+ */
+ if (asn1) {
+ if (asn1->nData != length) {
+ free(asn1->cpData); /* XXX: realloc? */
+ asn1->cpData = NULL;
+ }
+ }
+ else {
+ asn1 = ap_malloc(sizeof(*asn1));
+ asn1->source_mtime = 0; /* used as a note for encrypted private keys */
+ asn1->cpData = NULL;
+ }
+
+ asn1->nData = length;
+ if (!asn1->cpData) {
+ asn1->cpData = ap_malloc(length);
+ }
+
+ apr_hash_set(table, key, klen, asn1);
+
+ return asn1->cpData; /* caller will assign a value to this */
+}
+
+ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
+ const char *key)
+{
+ return (ssl_asn1_t *)apr_hash_get(table, key, APR_HASH_KEY_STRING);
+}
+
+void ssl_asn1_table_unset(apr_hash_t *table,
+ const char *key)
+{
+ apr_ssize_t klen = strlen(key);
+ ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
+
+ if (!asn1) {
+ return;
+ }
+
+ if (asn1->cpData) {
+ free(asn1->cpData);
+ }
+ free(asn1);
+
+ apr_hash_set(table, key, klen, NULL);
+}
+
+#if APR_HAS_THREADS
+/*
+ * To ensure thread-safetyness in OpenSSL - work in progress
+ */
+
+static apr_thread_mutex_t **lock_cs;
+static int lock_num_locks;
+
+static void ssl_util_thr_lock(int mode, int type,
+ const char *file, int line)
+{
+ if (type < lock_num_locks) {
+ if (mode & CRYPTO_LOCK) {
+ apr_thread_mutex_lock(lock_cs[type]);
+ }
+ else {
+ apr_thread_mutex_unlock(lock_cs[type]);
+ }
+ }
+}
+
+/* Dynamic lock structure */
+struct CRYPTO_dynlock_value {
+ apr_pool_t *pool;
+ const char* file;
+ int line;
+ apr_thread_mutex_t *mutex;
+};
+
+/* Global reference to the pool passed into ssl_util_thread_setup() */
+apr_pool_t *dynlockpool = NULL;
+
+/*
+ * Dynamic lock creation callback
+ */
+static struct CRYPTO_dynlock_value *ssl_dyn_create_function(const char *file,
+ int line)
+{
+ struct CRYPTO_dynlock_value *value;
+ apr_pool_t *p;
+ apr_status_t rv;
+
+ /*
+ * We need a pool to allocate our mutex. Since we can't clear
+ * allocated memory from a pool, create a subpool that we can blow
+ * away in the destruction callback.
+ */
+ apr_pool_create(&p, dynlockpool);
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_TRACE1, 0, p,
+ "Creating dynamic lock");
+
+ value = apr_palloc(p, sizeof(struct CRYPTO_dynlock_value));
+ value->pool = p;
+ /* Keep our own copy of the place from which we were created,
+ using our own pool. */
+ value->file = apr_pstrdup(p, file);
+ value->line = line;
+ rv = apr_thread_mutex_create(&(value->mutex), APR_THREAD_MUTEX_DEFAULT,
+ p);
+ if (rv != APR_SUCCESS) {
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_ERR, rv, p, APLOGNO(02186)
+ "Failed to create thread mutex for dynamic lock");
+ apr_pool_destroy(p);
+ return NULL;
+ }
+ return value;
+}
+
+/*
+ * Dynamic locking and unlocking function
+ */
+
+static void ssl_dyn_lock_function(int mode, struct CRYPTO_dynlock_value *l,
+ const char *file, int line)
+{
+ apr_status_t rv;
+
+ if (mode & CRYPTO_LOCK) {
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_TRACE3, 0, l->pool,
+ "Acquiring mutex %s:%d", l->file, l->line);
+ rv = apr_thread_mutex_lock(l->mutex);
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_TRACE3, rv, l->pool,
+ "Mutex %s:%d acquired!", l->file, l->line);
+ }
+ else {
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_TRACE3, 0, l->pool,
+ "Releasing mutex %s:%d", l->file, l->line);
+ rv = apr_thread_mutex_unlock(l->mutex);
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_TRACE3, rv, l->pool,
+ "Mutex %s:%d released!", l->file, l->line);
+ }
+}
+
+/*
+ * Dynamic lock destruction callback
+ */
+static void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l,
+ const char *file, int line)
+{
+ apr_status_t rv;
+
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_TRACE1, 0, l->pool,
+ "Destroying dynamic lock %s:%d", l->file, l->line);
+ rv = apr_thread_mutex_destroy(l->mutex);
+ if (rv != APR_SUCCESS) {
+ ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_ERR, rv, l->pool,
+ APLOGNO(02192) "Failed to destroy mutex for dynamic "
+ "lock %s:%d", l->file, l->line);
+ }
+
+ /* Trust that whomever owned the CRYPTO_dynlock_value we were
+ * passed has no future use for it...
+ */
+ apr_pool_destroy(l->pool);
+}
+
+static unsigned long ssl_util_thr_id(void)
+{
+ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
+ * id is a structure twice that big. Use the TCB pointer instead as a
+ * unique unsigned long.
+ */
+#ifdef __MVS__
+ struct PSA {
+ char unmapped[540];
+ unsigned long PSATOLD;
+ } *psaptr = 0;
+
+ return psaptr->PSATOLD;
+#else
+ return (unsigned long) apr_os_thread_current();
+#endif
+}
+
+static apr_status_t ssl_util_thread_cleanup(void *data)
+{
+ CRYPTO_set_locking_callback(NULL);
+ CRYPTO_set_id_callback(NULL);
+
+ CRYPTO_set_dynlock_create_callback(NULL);
+ CRYPTO_set_dynlock_lock_callback(NULL);
+ CRYPTO_set_dynlock_destroy_callback(NULL);
+
+ dynlockpool = NULL;
+
+ /* Let the registered mutex cleanups do their own thing
+ */
+ return APR_SUCCESS;
+}
+
+void ssl_util_thread_setup(apr_pool_t *p)
+{
+ int i;
+
+ lock_num_locks = CRYPTO_num_locks();
+ lock_cs = apr_palloc(p, lock_num_locks * sizeof(*lock_cs));
+
+ for (i = 0; i < lock_num_locks; i++) {
+ apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p);
+ }
+
+ CRYPTO_set_id_callback(ssl_util_thr_id);
+
+ CRYPTO_set_locking_callback(ssl_util_thr_lock);
+
+ /* Set up dynamic locking scaffolding for OpenSSL to use at its
+ * convenience.
+ */
+ dynlockpool = p;
+ CRYPTO_set_dynlock_create_callback(ssl_dyn_create_function);
+ CRYPTO_set_dynlock_lock_callback(ssl_dyn_lock_function);
+ CRYPTO_set_dynlock_destroy_callback(ssl_dyn_destroy_function);
+
+ apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup,
+ apr_pool_cleanup_null);
+}
+#endif
Added: httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ocsp.c?rev=1688474&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ocsp.c (added)
+++ httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ocsp.c Tue Jun 30 15:26:16 2015
@@ -0,0 +1,319 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* This file implements an OCSP client including a toy HTTP/1.0
+ * client. Once httpd depends on a real HTTP client library, most of
+ * this can be thrown away. */
+
+#include "ssl_private.h"
+
+#ifndef OPENSSL_NO_OCSP
+
+#include "apr_buckets.h"
+#include "apr_uri.h"
+
+/* Serialize an OCSP request which will be sent to the responder at
+ * given URI to a memory BIO object, which is returned. */
+static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri)
+{
+ BIO *bio;
+ int len;
+
+ len = i2d_OCSP_REQUEST(req, NULL);
+
+ bio = BIO_new(BIO_s_mem());
+
+ BIO_printf(bio, "POST %s%s%s HTTP/1.0\r\n"
+ "Host: %s:%d\r\n"
+ "Content-Type: application/ocsp-request\r\n"
+ "Content-Length: %d\r\n"
+ "\r\n",
+ uri->path ? uri->path : "/",
+ uri->query ? "?" : "", uri->query ? uri->query : "",
+ uri->hostname, uri->port, len);
+
+ if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
+ BIO_free(bio);
+ return NULL;
+ }
+
+ return bio;
+}
+
+/* Send the OCSP request serialized into BIO 'request' to the
+ * responder at given server given by URI. Returns socket object or
+ * NULL on error. */
+static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri,
+ apr_interval_time_t timeout,
+ conn_rec *c, apr_pool_t *p)
+{
+ apr_status_t rv;
+ apr_sockaddr_t *sa;
+ apr_socket_t *sd;
+ char buf[HUGE_STRING_LEN];
+ int len;
+
+ rv = apr_sockaddr_info_get(&sa, uri->hostname, APR_UNSPEC, uri->port, 0, p);
+ if (rv) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
+ "could not resolve address of OCSP responder %s",
+ uri->hostinfo);
+ return NULL;
+ }
+
+ /* establish a connection to the OCSP responder */
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
+ "connecting to OCSP responder '%s'", uri->hostinfo);
+
+ /* Cycle through address until a connect() succeeds. */
+ for (; sa; sa = sa->next) {
+ rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);
+ if (rv == APR_SUCCESS) {
+ apr_socket_timeout_set(sd, timeout);
+
+ rv = apr_socket_connect(sd, sa);
+ if (rv == APR_SUCCESS) {
+ break;
+ }
+ apr_socket_close(sd);
+ }
+ }
+
+ if (sa == NULL) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01974)
+ "could not connect to OCSP responder '%s'",
+ uri->hostinfo);
+ return NULL;
+ }
+
+ /* send the request and get a response */
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01975)
+ "sending request to OCSP responder");
+
+ while ((len = BIO_read(request, buf, sizeof buf)) > 0) {
+ char *wbuf = buf;
+ apr_size_t remain = len;
+
+ do {
+ apr_size_t wlen = remain;
+
+ rv = apr_socket_send(sd, wbuf, &wlen);
+ wbuf += remain;
+ remain -= wlen;
+ } while (rv == APR_SUCCESS && remain > 0);
+
+ if (rv) {
+ apr_socket_close(sd);
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01976)
+ "failed to send request to OCSP responder '%s'",
+ uri->hostinfo);
+ return NULL;
+ }
+ }
+
+ return sd;
+}
+
+/* Return a pool-allocated NUL-terminated line, with CRLF stripped,
+ * read from brigade 'bbin' using 'bbout' as temporary storage. */
+static char *get_line(apr_bucket_brigade *bbout, apr_bucket_brigade *bbin,
+ conn_rec *c, apr_pool_t *p)
+{
+ apr_status_t rv;
+ apr_size_t len;
+ char *line;
+
+ apr_brigade_cleanup(bbout);
+
+ rv = apr_brigade_split_line(bbout, bbin, APR_BLOCK_READ, 8192);
+ if (rv) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01977)
+ "failed reading line from OCSP server");
+ return NULL;
+ }
+
+ rv = apr_brigade_pflatten(bbout, &line, &len, p);
+ if (rv) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01978)
+ "failed reading line from OCSP server");
+ return NULL;
+ }
+
+ if (len == 0) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(02321)
+ "empty response from OCSP server");
+ return NULL;
+ }
+
+ if (line[len-1] != APR_ASCII_LF) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01979)
+ "response header line too long from OCSP server");
+ return NULL;
+ }
+
+ line[len-1] = '\0';
+ if (len > 1 && line[len-2] == APR_ASCII_CR) {
+ line[len-2] = '\0';
+ }
+
+ return line;
+}
+
+/* Maximum values to prevent eating RAM forever. */
+#define MAX_HEADERS (256)
+#define MAX_CONTENT (2048 * 1024)
+
+/* Read the OCSP response from the socket 'sd', using temporary memory
+ * BIO 'bio', and return the decoded OCSP response object, or NULL on
+ * error. */
+static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
+ apr_pool_t *p)
+{
+ apr_bucket_brigade *bb, *tmpbb;
+ OCSP_RESPONSE *response;
+ char *line;
+ apr_size_t count;
+ apr_int64_t code;
+
+ /* Using brigades for response parsing is much simpler than using
+ * apr_socket_* directly. */
+ bb = apr_brigade_create(p, c->bucket_alloc);
+ tmpbb = apr_brigade_create(p, c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_socket_create(sd, c->bucket_alloc));
+
+ line = get_line(tmpbb, bb, c, p);
+ if (!line || strncmp(line, "HTTP/", 5)
+ || (line = ap_strchr(line, ' ')) == NULL
+ || (code = apr_atoi64(++line)) < 200 || code > 299) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01980)
+ "bad response from OCSP server: %s",
+ line ? line : "(none)");
+ return NULL;
+ }
+
+ /* Read till end of headers; don't have to even bother parsing the
+ * Content-Length since the server is obliged to close the
+ * connection after the response anyway for HTTP/1.0. */
+ count = 0;
+ while ((line = get_line(tmpbb, bb, c, p)) != NULL && line[0]
+ && ++count < MAX_HEADERS) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01981)
+ "OCSP response header: %s", line);
+ }
+
+ if (count == MAX_HEADERS) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01982)
+ "could not read response headers from OCSP server, "
+ "exceeded maximum count (%u)", MAX_HEADERS);
+ return NULL;
+ }
+ else if (!line) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01983)
+ "could not read response header from OCSP server");
+ return NULL;
+ }
+
+ /* Read the response body into the memory BIO. */
+ count = 0;
+ while (!APR_BRIGADE_EMPTY(bb)) {
+ const char *data;
+ apr_size_t len;
+ apr_status_t rv;
+ apr_bucket *e = APR_BRIGADE_FIRST(bb);
+
+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+ if (rv == APR_EOF) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984)
+ "OCSP response: got EOF");
+ break;
+ }
+ if (rv != APR_SUCCESS) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01985)
+ "error reading response from OCSP server");
+ return NULL;
+ }
+ if (len == 0) {
+ /* Ignore zero-length buckets (possible side-effect of
+ * line splitting). */
+ apr_bucket_delete(e);
+ continue;
+ }
+ count += len;
+ if (count > MAX_CONTENT) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01986)
+ "OCSP response size exceeds %u byte limit",
+ MAX_CONTENT);
+ return NULL;
+ }
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01987)
+ "OCSP response: got %" APR_SIZE_T_FMT
+ " bytes, %" APR_SIZE_T_FMT " total", len, count);
+
+ BIO_write(bio, data, (int)len);
+ apr_bucket_delete(e);
+ }
+
+ apr_brigade_destroy(bb);
+ apr_brigade_destroy(tmpbb);
+
+ /* Finally decode the OCSP response from what's stored in the
+ * bio. */
+ response = d2i_OCSP_RESPONSE_bio(bio, NULL);
+ if (response == NULL) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01988)
+ "failed to decode OCSP response data");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c));
+ }
+
+ return response;
+}
+
+OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
+ apr_interval_time_t timeout,
+ OCSP_REQUEST *request,
+ conn_rec *c, apr_pool_t *p)
+{
+ OCSP_RESPONSE *response = NULL;
+ apr_socket_t *sd;
+ BIO *bio;
+
+ bio = serialize_request(request, uri);
+ if (bio == NULL) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01989)
+ "could not serialize OCSP request");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c));
+ return NULL;
+ }
+
+ sd = send_request(bio, uri, timeout, c, p);
+ if (sd == NULL) {
+ /* Errors already logged. */
+ BIO_free(bio);
+ return NULL;
+ }
+
+ /* Clear the BIO contents, ready for the response. */
+ (void)BIO_reset(bio);
+
+ response = read_response(sd, bio, c, p);
+
+ apr_socket_close(sd);
+ BIO_free(bio);
+
+ return response;
+}
+
+#endif /* HAVE_OCSP */
Added: httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.c?rev=1688474&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.c (added)
+++ httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.c Tue Jun 30 15:26:16 2015
@@ -0,0 +1,537 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* _ _
+ * _ __ ___ ___ __| | ___ ___| | mod_ssl
+ * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
+ * | | | | | | (_) | (_| | \__ \__ \ |
+ * |_| |_| |_|\___/ \__,_|___|___/___/_|
+ * |_____|
+ * ssl_util_ssl.c
+ * Additional Utility Functions for OpenSSL
+ */
+
+#include "ssl_private.h"
+
+/* _________________________________________________________________
+**
+** Additional High-Level Functions for OpenSSL
+** _________________________________________________________________
+*/
+
+/* we initialize this index at startup time
+ * and never write to it at request time,
+ * so this static is thread safe.
+ * also note that OpenSSL increments at static variable when
+ * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
+ */
+static int SSL_app_data2_idx = -1;
+
+void SSL_init_app_data2_idx(void)
+{
+ int i;
+
+ if (SSL_app_data2_idx > -1) {
+ return;
+ }
+
+ /* we _do_ need to call this twice */
+ for (i=0; i<=1; i++) {
+ SSL_app_data2_idx =
+ SSL_get_ex_new_index(0,
+ "Second Application Data for SSL",
+ NULL, NULL, NULL);
+ }
+}
+
+void *SSL_get_app_data2(SSL *ssl)
+{
+ return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
+}
+
+void SSL_set_app_data2(SSL *ssl, void *arg)
+{
+ SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
+ return;
+}
+
+/* _________________________________________________________________
+**
+** High-Level Private Key Loading
+** _________________________________________________________________
+*/
+
+EVP_PKEY *SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
+{
+ EVP_PKEY *rc;
+ BIO *bioS;
+ BIO *bioF;
+
+ /* 1. try PEM (= DER+Base64+headers) */
+ if ((bioS=BIO_new_file(filename, "r")) == NULL)
+ return NULL;
+ rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
+ BIO_free(bioS);
+
+ if (rc == NULL) {
+ /* 2. try DER+Base64 */
+ if ((bioS = BIO_new_file(filename, "r")) == NULL)
+ return NULL;
+
+ if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
+ BIO_free(bioS);
+ return NULL;
+ }
+ bioS = BIO_push(bioF, bioS);
+ rc = d2i_PrivateKey_bio(bioS, NULL);
+ BIO_free_all(bioS);
+
+ if (rc == NULL) {
+ /* 3. try plain DER */
+ if ((bioS = BIO_new_file(filename, "r")) == NULL)
+ return NULL;
+ rc = d2i_PrivateKey_bio(bioS, NULL);
+ BIO_free(bioS);
+ }
+ }
+ if (rc != NULL && key != NULL) {
+ if (*key != NULL)
+ EVP_PKEY_free(*key);
+ *key = rc;
+ }
+ return rc;
+}
+
+/* _________________________________________________________________
+**
+** Smart shutdown
+** _________________________________________________________________
+*/
+
+int SSL_smart_shutdown(SSL *ssl)
+{
+ int i;
+ int rc;
+
+ /*
+ * Repeat the calls, because SSL_shutdown internally dispatches through a
+ * little state machine. Usually only one or two interation should be
+ * needed, so we restrict the total number of restrictions in order to
+ * avoid process hangs in case the client played bad with the socket
+ * connection and OpenSSL cannot recognize it.
+ */
+ rc = 0;
+ for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
+ if ((rc = SSL_shutdown(ssl)))
+ break;
+ }
+ return rc;
+}
+
+/* _________________________________________________________________
+**
+** Certificate Checks
+** _________________________________________________________________
+*/
+
+/* retrieve basic constraints ingredients */
+BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
+{
+ BASIC_CONSTRAINTS *bc;
+ BIGNUM *bn = NULL;
+ char *cp;
+
+ bc = X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL);
+ if (bc == NULL)
+ return FALSE;
+ *ca = bc->ca;
+ *pathlen = -1 /* unlimited */;
+ if (bc->pathlen != NULL) {
+ if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL)
+ return FALSE;
+ if ((cp = BN_bn2dec(bn)) == NULL)
+ return FALSE;
+ *pathlen = atoi(cp);
+ free(cp);
+ BN_free(bn);
+ }
+ BASIC_CONSTRAINTS_free(bc);
+ return TRUE;
+}
+
+/* convert a NAME_ENTRY to UTF8 string */
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
+{
+ char *result = NULL;
+ BIO* bio;
+ int len;
+
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ return NULL;
+ ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
+ ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
+ len = BIO_pending(bio);
+ result = apr_palloc(p, len+1);
+ len = BIO_read(bio, result, len);
+ result[len] = NUL;
+ BIO_free(bio);
+ ap_xlate_proto_from_ascii(result, len);
+ return result;
+}
+
+/*
+ * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
+ * to maxlen characters (specify a maxlen of 0 for no length limit)
+ */
+char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
+{
+ char *result = NULL;
+ BIO *bio;
+ int len;
+
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ return NULL;
+ X509_NAME_print_ex(bio, dn, 0, XN_FLAG_RFC2253);
+ len = BIO_pending(bio);
+ if (len > 0) {
+ result = apr_palloc(p, (maxlen > 0) ? maxlen+1 : len+1);
+ if (maxlen > 0 && maxlen < len) {
+ len = BIO_read(bio, result, maxlen);
+ if (maxlen > 2) {
+ /* insert trailing ellipsis if there's enough space */
+ apr_snprintf(result + maxlen - 3, 4, "...");
+ }
+ } else {
+ len = BIO_read(bio, result, len);
+ }
+ result[len] = NUL;
+ }
+ BIO_free(bio);
+
+ return result;
+}
+
+/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
+BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
+{
+ STACK_OF(GENERAL_NAME) *names;
+ BIO *bio;
+ X509_NAME *subj;
+ char **cpp;
+ int i, n;
+
+ if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) {
+ *ids = NULL;
+ return FALSE;
+ }
+
+ /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
+ if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) &&
+ (bio = BIO_new(BIO_s_mem()))) {
+ GENERAL_NAME *name;
+
+ for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
+ name = sk_GENERAL_NAME_value(names, i);
+ if (name->type == GEN_DNS) {
+ ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL|
+ ASN1_STRFLGS_UTF8_CONVERT);
+ n = BIO_pending(bio);
+ if (n > 0) {
+ cpp = (char **)apr_array_push(*ids);
+ *cpp = apr_palloc(p, n+1);
+ n = BIO_read(bio, *cpp, n);
+ (*cpp)[n] = NUL;
+ }
+ }
+ }
+ BIO_free(bio);
+ }
+
+ if (names)
+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+
+ /* Second, the CN-IDs (commonName attributes in the subject DN) */
+ subj = X509_get_subject_name(x509);
+ i = -1;
+ while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
+ cpp = (char **)apr_array_push(*ids);
+ *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
+ }
+
+ return apr_is_empty_array(*ids) ? FALSE : TRUE;
+}
+
+/*
+ * Check if a certificate matches for a particular name, by iterating over its
+ * DNS-IDs and CN-IDs (RFC 6125), optionally with basic wildcard matching.
+ * If server_rec is non-NULL, some (debug/trace) logging is enabled.
+ */
+BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
+ BOOL allow_wildcard, server_rec *s)
+{
+ BOOL matched = FALSE;
+ apr_array_header_t *ids;
+
+ /*
+ * At some day in the future, this might be replaced with X509_check_host()
+ * (available in OpenSSL 1.0.2 and later), but two points should be noted:
+ * 1) wildcard matching in X509_check_host() might yield different
+ * results (by default, it supports a broader set of patterns, e.g.
+ * wildcards in non-initial positions);
+ * 2) we lose the option of logging each DNS- and CN-ID (until a match
+ * is found).
+ */
+
+ if (SSL_X509_getIDs(p, x509, &ids)) {
+ const char *cp;
+ int i;
+ char **id = (char **)ids->elts;
+ BOOL is_wildcard;
+
+ for (i = 0; i < ids->nelts; i++) {
+ if (!id[i])
+ continue;
+
+ /*
+ * Determine if it is a wildcard ID - we're restrictive
+ * in the sense that we require the wildcard character to be
+ * THE left-most label (i.e., the ID must start with "*.")
+ */
+ is_wildcard = (*id[i] == '*' && *(id[i]+1) == '.') ? TRUE : FALSE;
+
+ /*
+ * If the ID includes a wildcard character (and the caller is
+ * allowing wildcards), check if it matches for the left-most
+ * DNS label - i.e., the wildcard character is not allowed
+ * to match a dot. Otherwise, try a simple string compare.
+ */
+ if ((allow_wildcard == TRUE && is_wildcard == TRUE &&
+ (cp = ap_strchr_c(name, '.')) && !strcasecmp(id[i]+1, cp)) ||
+ !strcasecmp(id[i], name)) {
+ matched = TRUE;
+ }
+
+ if (s) {
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+ "[%s] SSL_X509_match_name: expecting name '%s', "
+ "%smatched by ID '%s'",
+ (mySrvConfig(s))->vhost_id, name,
+ matched == TRUE ? "" : "NOT ", id[i]);
+ }
+
+ if (matched == TRUE) {
+ break;
+ }
+ }
+
+ }
+
+ if (s) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, p, s, x509,
+ APLOGNO(02412) "[%s] Cert %s for name '%s'",
+ (mySrvConfig(s))->vhost_id,
+ matched == TRUE ? "matches" : "does not match",
+ name);
+ }
+
+ return matched;
+}
+
+/* _________________________________________________________________
+**
+** Low-Level CA Certificate Loading
+** _________________________________________________________________
+*/
+
+BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
+ STACK_OF(X509_INFO) *sk,
+ const char *filename)
+{
+ BIO *in;
+
+ if (!(in = BIO_new(BIO_s_file()))) {
+ return FALSE;
+ }
+
+ if (BIO_read_filename(in, filename) <= 0) {
+ BIO_free(in);
+ return FALSE;
+ }
+
+ ERR_clear_error();
+
+ PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+
+ BIO_free(in);
+
+ return TRUE;
+}
+
+BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
+ STACK_OF(X509_INFO) *sk,
+ const char *pathname)
+{
+ /* XXX: this dir read code is exactly the same as that in
+ * ssl_engine_init.c, only the call to handle the fullname is different,
+ * should fold the duplication.
+ */
+ apr_dir_t *dir;
+ apr_finfo_t dirent;
+ apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
+ const char *fullname;
+ BOOL ok = FALSE;
+
+ if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) {
+ return FALSE;
+ }
+
+ while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
+ if (dirent.filetype == APR_DIR) {
+ continue; /* don't try to load directories */
+ }
+
+ fullname = apr_pstrcat(ptemp,
+ pathname, "/", dirent.name,
+ NULL);
+
+ if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
+ ok = TRUE;
+ }
+ }
+
+ apr_dir_close(dir);
+
+ return ok;
+}
+
+/* _________________________________________________________________
+**
+** Custom (EC)DH parameter support
+** _________________________________________________________________
+*/
+
+DH *ssl_dh_GetParamFromFile(const char *file)
+{
+ DH *dh = NULL;
+ BIO *bio;
+
+ if ((bio = BIO_new_file(file, "r")) == NULL)
+ return NULL;
+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+ return (dh);
+}
+
+#ifdef HAVE_ECC
+EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
+{
+ EC_GROUP *group = NULL;
+ BIO *bio;
+
+ if ((bio = BIO_new_file(file, "r")) == NULL)
+ return NULL;
+ group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+ return (group);
+}
+#endif
+
+/* _________________________________________________________________
+**
+** Extra Server Certificate Chain Support
+** _________________________________________________________________
+*/
+
+/*
+ * Read a file that optionally contains the server certificate in PEM
+ * format, possibly followed by a sequence of CA certificates that
+ * should be sent to the peer in the SSL Certificate message.
+ */
+int SSL_CTX_use_certificate_chain(
+ SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
+{
+ BIO *bio;
+ X509 *x509;
+ unsigned long err;
+ int n;
+
+ if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+ return -1;
+ if (BIO_read_filename(bio, file) <= 0) {
+ BIO_free(bio);
+ return -1;
+ }
+ /* optionally skip a leading server certificate */
+ if (skipfirst) {
+ if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
+ BIO_free(bio);
+ return -1;
+ }
+ X509_free(x509);
+ }
+ /* free a perhaps already configured extra chain */
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+ if (ctx->extra_certs != NULL) {
+ sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
+ ctx->extra_certs = NULL;
+ }
+#endif
+ /* create new extra chain by loading the certs */
+ n = 0;
+ while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+ if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
+ X509_free(x509);
+ BIO_free(bio);
+ return -1;
+ }
+ n++;
+ }
+ /* Make sure that only the error is just an EOF */
+ if ((err = ERR_peek_error()) > 0) {
+ if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
+ && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+ BIO_free(bio);
+ return -1;
+ }
+ while (ERR_get_error() > 0) ;
+ }
+ BIO_free(bio);
+ return n;
+}
+
+/* _________________________________________________________________
+**
+** Session Stuff
+** _________________________________________________________________
+*/
+
+char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
+ char *str, int strsize)
+{
+ if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
+ idlen = SSL_MAX_SSL_SESSION_ID_LENGTH;
+
+ /* We must ensure not to process more than what would fit in the
+ * destination buffer, including terminating NULL */
+ if (idlen > (strsize-1) / 2)
+ idlen = (strsize-1) / 2;
+
+ ap_bin2hex(id, idlen, str);
+
+ return str;
+}
Added: httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.h?rev=1688474&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.h (added)
+++ httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_ssl.h Tue Jun 30 15:26:16 2015
@@ -0,0 +1,77 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @verbatim
+ _ _
+ _ __ ___ ___ __| | ___ ___| | mod_ssl
+ | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
+ | | | | | | (_) | (_| | \__ \__ \ |
+ |_| |_| |_|\___/ \__,_|___|___/___/_|
+ |_____|
+ @endverbatim
+ * @file ssl_util_ssl.h
+ * @brief Additional Utility Functions for OpenSSL
+ *
+ * @defgroup MOD_SSL_UTIL Utilities
+ * @ingroup MOD_SSL
+ * @{
+ */
+
+#ifndef __SSL_UTIL_SSL_H__
+#define __SSL_UTIL_SSL_H__
+
+/**
+ * SSL library version number
+ */
+
+#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
+#define SSL_LIBRARY_NAME "OpenSSL"
+#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
+#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+
+/**
+ * Maximum length of a DER encoded session.
+ * FIXME: There is no define in OpenSSL, but OpenSSL uses 1024*10,
+ * so this value should be ok. Although we have no warm feeling.
+ */
+#define SSL_SESSION_MAX_DER 1024*10
+
+/** max length for SSL_SESSION_id2sz */
+#define SSL_SESSION_ID_STRING_LEN \
+ ((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)
+
+/**
+ * Additional Functions
+ */
+void SSL_init_app_data2_idx(void);
+void *SSL_get_app_data2(SSL *);
+void SSL_set_app_data2(SSL *, void *);
+EVP_PKEY *SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void *);
+int SSL_smart_shutdown(SSL *ssl);
+BOOL SSL_X509_getBC(X509 *, int *, int *);
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
+char *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+BOOL SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
+BOOL SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
+BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
+BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
+int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
+char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
+
+#endif /* __SSL_UTIL_SSL_H__ */
+/** @} */
+
Added: httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_stapling.c?rev=1688474&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_stapling.c (added)
+++ httpd/httpd/trunk/modules/http2/sandbox/httpd/mod_ssl-alpn/ssl_util_stapling.c Tue Jun 30 15:26:16 2015
@@ -0,0 +1,705 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* _ _
+ * _ __ ___ ___ __| | ___ ___| | mod_ssl
+ * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
+ * | | | | | | (_) | (_| | \__ \__ \ |
+ * |_| |_| |_|\___/ \__,_|___|___/___/_|
+ * |_____|
+ * ssl_stapling.c
+ * OCSP Stapling Support
+ */
+ /* ``Where's the spoons?
+ Where's the spoons?
+ Where's the bloody spoons?''
+ -- Alexei Sayle */
+
+#include "ssl_private.h"
+#include "ap_mpm.h"
+#include "apr_thread_mutex.h"
+
+#ifdef HAVE_OCSP_STAPLING
+
+/**
+ * Maxiumum OCSP stapling response size. This should be the response for a
+ * single certificate and will typically include the responder certificate chain
+ * so 10K should be more than enough.
+ *
+ */
+
+#define MAX_STAPLING_DER 10240
+
+/* Cached info stored in certificate ex_info. */
+typedef struct {
+ /* Index in session cache SHA1 hash of certificate */
+ UCHAR idx[20];
+ /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
+ OCSP_CERTID *cid;
+ /* Responder details */
+ char *uri;
+} certinfo;
+
+static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp)
+{
+ certinfo *cinf = ptr;
+
+ if (!cinf)
+ return;
+ if (cinf->uri)
+ OPENSSL_free(cinf->uri);
+ OPENSSL_free(cinf);
+}
+
+static int stapling_ex_idx = -1;
+
+void ssl_stapling_ex_init(void)
+{
+ if (stapling_ex_idx != -1)
+ return;
+ stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
+ certinfo_free);
+}
+
+static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
+{
+ X509 *issuer = NULL;
+ int i;
+ X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
+ X509_STORE_CTX inctx;
+ STACK_OF(X509) *extra_certs = NULL;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+ for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ issuer = sk_X509_value(extra_certs, i);
+ if (X509_check_issued(issuer, x) == X509_V_OK) {
+ CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+ return issuer;
+ }
+ }
+
+ if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
+ return 0;
+ if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
+ issuer = NULL;
+ X509_STORE_CTX_cleanup(&inctx);
+ return issuer;
+
+}
+
+int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
+{
+ certinfo *cinf;
+ X509 *issuer = NULL;
+ STACK_OF(OPENSSL_STRING) *aia = NULL;
+
+ if (x == NULL)
+ return 0;
+ cinf = X509_get_ex_data(x, stapling_ex_idx);
+ if (cinf) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
+ "ssl_stapling_init_cert: certificate already initialized!");
+ return 0;
+ }
+ cinf = OPENSSL_malloc(sizeof(certinfo));
+ if (!cinf) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
+ "ssl_stapling_init_cert: error allocating memory!");
+ return 0;
+ }
+ cinf->cid = NULL;
+ cinf->uri = NULL;
+ X509_set_ex_data(x, stapling_ex_idx, cinf);
+
+ issuer = stapling_get_issuer(mctx, x);
+
+ if (issuer == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217)
+ "ssl_stapling_init_cert: Can't retrieve issuer certificate!");
+ return 0;
+ }
+
+ cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
+ X509_free(issuer);
+ if (!cinf->cid)
+ return 0;
+ X509_digest(x, EVP_sha1(), cinf->idx, NULL);
+
+ aia = X509_get1_ocsp(x);
+ if (aia) {
+ cinf->uri = sk_OPENSSL_STRING_pop(aia);
+ X509_email_free(aia);
+ }
+ if (!cinf->uri && !mctx->stapling_force_url) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
+ "ssl_stapling_init_cert: no responder URL");
+ return 0;
+ }
+ return 1;
+}
+
+static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
+ SSL *ssl)
+{
+ certinfo *cinf;
+ X509 *x;
+ x = SSL_get_certificate(ssl);
+ if (x == NULL)
+ return NULL;
+ cinf = X509_get_ex_data(x, stapling_ex_idx);
+ if (cinf && cinf->cid)
+ return cinf;
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
+ "stapling_get_cert_info: stapling not supported for certificate");
+ return NULL;
+}
+
+/*
+ * OCSP response caching code. The response is preceded by a flag value
+ * which indicates whether the response was invalid when it was stored.
+ * the purpose of this flag is to avoid repeated queries to a server
+ * which has given an invalid response while allowing a response which
+ * has subsequently become invalid to be retried immediately.
+ *
+ * The key for the cache is the hash of the certificate the response
+ * is for.
+ */
+static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx,
+ OCSP_RESPONSE *rsp, certinfo *cinf,
+ BOOL ok, apr_pool_t *pool)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ unsigned char resp_der[MAX_STAPLING_DER];
+ unsigned char *p;
+ int resp_derlen;
+ BOOL rv;
+ apr_time_t expiry;
+
+ resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL) + 1;
+
+ if (resp_derlen <= 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01927)
+ "OCSP stapling response encode error??");
+ return FALSE;
+ }
+
+ if (resp_derlen > sizeof resp_der) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01928)
+ "OCSP stapling response too big (%u bytes)", resp_derlen);
+ return FALSE;
+ }
+
+ p = resp_der;
+
+ /* TODO: potential optimization; _timeout members as apr_interval_time_t */
+ if (ok == TRUE) {
+ *p++ = 1;
+ expiry = apr_time_from_sec(mctx->stapling_cache_timeout);
+ }
+ else {
+ *p++ = 0;
+ expiry = apr_time_from_sec(mctx->stapling_errcache_timeout);
+ }
+
+ expiry += apr_time_now();
+
+ i2d_OCSP_RESPONSE(rsp, &p);
+
+ rv = mc->stapling_cache->store(mc->stapling_cache_context, s,
+ cinf->idx, sizeof(cinf->idx),
+ expiry, resp_der, resp_derlen, pool);
+ if (rv != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01929)
+ "stapling_cache_response: OCSP response session store error!");
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+static BOOL stapling_get_cached_response(server_rec *s, OCSP_RESPONSE **prsp,
+ BOOL *pok, certinfo *cinf,
+ apr_pool_t *pool)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
+ OCSP_RESPONSE *rsp;
+ unsigned char resp_der[MAX_STAPLING_DER];
+ const unsigned char *p;
+ unsigned int resp_derlen = MAX_STAPLING_DER;
+
+ rv = mc->stapling_cache->retrieve(mc->stapling_cache_context, s,
+ cinf->idx, sizeof(cinf->idx),
+ resp_der, &resp_derlen, pool);
+ if (rv != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01930)
+ "stapling_get_cached_response: cache miss");
+ return TRUE;
+ }
+ if (resp_derlen <= 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01931)
+ "stapling_get_cached_response: response length invalid??");
+ return TRUE;
+ }
+ p = resp_der;
+ if (pok) {
+ if (*p)
+ *pok = TRUE;
+ else
+ *pok = FALSE;
+ }
+ p++;
+ resp_derlen--;
+ rsp = d2i_OCSP_RESPONSE(NULL, &p, resp_derlen);
+ if (!rsp) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01932)
+ "stapling_get_cached_response: response parse error??");
+ return TRUE;
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01933)
+ "stapling_get_cached_response: cache hit");
+
+ *prsp = rsp;
+
+ return TRUE;
+}
+
+static int stapling_set_response(SSL *ssl, OCSP_RESPONSE *rsp)
+{
+ int rspderlen;
+ unsigned char *rspder = NULL;
+
+ rspderlen = i2d_OCSP_RESPONSE(rsp, &rspder);
+ if (rspderlen <= 0)
+ return 0;
+ SSL_set_tlsext_status_ocsp_resp(ssl, rspder, rspderlen);
+ return 1;
+}
+
+static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
+ certinfo *cinf, OCSP_RESPONSE *rsp,
+ BOOL *pok)
+{
+ int status, reason;
+ OCSP_BASICRESP *bs = NULL;
+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+ int response_status = OCSP_response_status(rsp);
+
+ if (pok)
+ *pok = FALSE;
+ /* Check to see if response is an error. If so we automatically accept
+ * it because it would have expired from the cache if it was time to
+ * retry.
+ */
+ if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ if (mctx->stapling_return_errors)
+ return SSL_TLSEXT_ERR_OK;
+ else
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
+ bs = OCSP_response_get1_basic(rsp);
+ if (bs == NULL) {
+ /* If we can't parse response just pass it to client */
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934)
+ "stapling_check_response: Error Parsing Response!");
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
+ &thisupd, &nextupd)) {
+ /* If ID not present just pass back to client */
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01935)
+ "stapling_check_response: certificate ID not present in response!");
+ }
+ else {
+ if (OCSP_check_validity(thisupd, nextupd,
+ mctx->stapling_resptime_skew,
+ mctx->stapling_resp_maxage)) {
+ if (pok)
+ *pok = TRUE;
+ }
+ else {
+ /* If pok is not NULL response was direct from a responder and
+ * the times should be valide. If pok is NULL the response was
+ * retrieved from cache and it is expected to subsequently expire
+ */
+ if (pok) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01936)
+ "stapling_check_response: response times invalid");
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01937)
+ "stapling_check_response: cached response expired");
+ }
+
+ OCSP_BASICRESP_free(bs);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+ }
+
+ OCSP_BASICRESP_free(bs);
+
+ return SSL_TLSEXT_ERR_OK;
+}
+
+static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
+ certinfo *cinf, OCSP_RESPONSE **prsp,
+ apr_pool_t *pool)
+{
+ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
+ apr_pool_t *vpool;
+ OCSP_REQUEST *req = NULL;
+ OCSP_CERTID *id = NULL;
+ STACK_OF(X509_EXTENSION) *exts;
+ int i;
+ BOOL ok = FALSE;
+ BOOL rv = TRUE;
+ const char *ocspuri;
+ apr_uri_t uri;
+
+ *prsp = NULL;
+ /* Build up OCSP query from server certificate info */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01938)
+ "stapling_renew_response: querying responder");
+
+ req = OCSP_REQUEST_new();
+ if (!req)
+ goto err;
+ id = OCSP_CERTID_dup(cinf->cid);
+ if (!id)
+ goto err;
+ if (!OCSP_request_add0_id(req, id))
+ goto err;
+ id = NULL;
+ /* Add any extensions to the request */
+ SSL_get_tlsext_status_exts(ssl, &exts);
+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+ X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+ if (!OCSP_REQUEST_add_ext(req, ext, -1))
+ goto err;
+ }
+
+ if (mctx->stapling_force_url)
+ ocspuri = mctx->stapling_force_url;
+ else
+ ocspuri = cinf->uri;
+
+ if (!ocspuri) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
+ "stapling_renew_response: no uri for responder");
+ rv = FALSE;
+ goto done;
+ }
+
+ /* Create a temporary pool to constrain memory use */
+ apr_pool_create(&vpool, conn->pool);
+
+ ok = apr_uri_parse(vpool, ocspuri, &uri);
+ if (ok != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01939)
+ "stapling_renew_response: Error parsing uri %s",
+ ocspuri);
+ rv = FALSE;
+ goto done;
+ }
+ else if (strcmp(uri.scheme, "http")) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01940)
+ "stapling_renew_response: Unsupported uri %s", ocspuri);
+ rv = FALSE;
+ goto done;
+ }
+
+ if (!uri.port) {
+ uri.port = apr_uri_port_of_scheme(uri.scheme);
+ }
+
+ *prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout,
+ req, conn, vpool);
+
+ apr_pool_destroy(vpool);
+
+ if (!*prsp) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01941)
+ "stapling_renew_response: responder error");
+ if (mctx->stapling_fake_trylater) {
+ *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
+ }
+ else {
+ goto done;
+ }
+ }
+ else {
+ int response_status = OCSP_response_status(*prsp);
+
+ if (response_status == OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01942)
+ "stapling_renew_response: query response received");
+ stapling_check_response(s, mctx, cinf, *prsp, &ok);
+ if (ok == FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01943)
+ "stapling_renew_response: error in retrieved response!");
+ }
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01944)
+ "stapling_renew_response: responder error %s",
+ OCSP_response_status_str(response_status));
+ }
+ }
+ if (stapling_cache_response(s, mctx, *prsp, cinf, ok, pool) == FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01945)
+ "stapling_renew_response: error caching response!");
+ }
+
+done:
+ if (id)
+ OCSP_CERTID_free(id);
+ if (req)
+ OCSP_REQUEST_free(req);
+ return rv;
+err:
+ rv = FALSE;
+ goto done;
+}
+
+/*
+ * SSLStaplingMutex operations. Similar to SSL mutex except a mutex is
+ * mandatory if stapling is enabled.
+ */
+static int ssl_stapling_mutex_init(server_rec *s, apr_pool_t *p)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ apr_status_t rv;
+
+ if (mc->stapling_mutex || sc->server->stapling_enabled != TRUE) {
+ return TRUE;
+ }
+
+ if ((rv = ap_global_mutex_create(&mc->stapling_mutex, NULL,
+ SSL_STAPLING_MUTEX_TYPE, NULL, s,
+ s->process->pool, 0)) != APR_SUCCESS) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+int ssl_stapling_mutex_reinit(server_rec *s, apr_pool_t *p)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
+ const char *lockfile;
+
+ if (mc->stapling_mutex == NULL) {
+ return TRUE;
+ }
+
+ lockfile = apr_global_mutex_lockfile(mc->stapling_mutex);
+ if ((rv = apr_global_mutex_child_init(&mc->stapling_mutex,
+ lockfile, p)) != APR_SUCCESS) {
+ if (lockfile) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(01946)
+ "Cannot reinit %s mutex with file `%s'",
+ SSL_STAPLING_MUTEX_TYPE, lockfile);
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01947)
+ "Cannot reinit %s mutex", SSL_STAPLING_MUTEX_TYPE);
+ }
+ return FALSE;
+ }
+ return TRUE;
+}
+
+static int stapling_mutex_on(server_rec *s)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
+
+ if ((rv = apr_global_mutex_lock(mc->stapling_mutex)) != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01948)
+ "Failed to acquire OCSP stapling lock");
+ return FALSE;
+ }
+ return TRUE;
+}
+
+static int stapling_mutex_off(server_rec *s)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
+
+ if ((rv = apr_global_mutex_unlock(mc->stapling_mutex)) != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01949)
+ "Failed to release OCSP stapling lock");
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/* Certificate Status callback. This is called when a client includes a
+ * certificate status request extension.
+ *
+ * Check for cached responses in session cache. If valid send back to
+ * client. If absent or no longer valid query responder and update
+ * cache. */
+static int stapling_cb(SSL *ssl, void *arg)
+{
+ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
+ server_rec *s = mySrvFromConn(conn);
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ SSLConnRec *sslconn = myConnConfig(conn);
+ modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ certinfo *cinf = NULL;
+ OCSP_RESPONSE *rsp = NULL;
+ int rv;
+ BOOL ok;
+
+ if (sc->server->stapling_enabled != TRUE) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01950)
+ "stapling_cb: OCSP Stapling disabled");
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)
+ "stapling_cb: OCSP Stapling callback called");
+
+ cinf = stapling_get_cert_info(s, mctx, ssl);
+ if (cinf == NULL) {
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01952)
+ "stapling_cb: retrieved cached certificate data");
+
+ /* Check to see if we already have a response for this certificate */
+ stapling_mutex_on(s);
+
+ rv = stapling_get_cached_response(s, &rsp, &ok, cinf, conn->pool);
+ if (rv == FALSE) {
+ stapling_mutex_off(s);
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
+ if (rsp) {
+ /* see if response is acceptable */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953)
+ "stapling_cb: retrieved cached response");
+ rv = stapling_check_response(s, mctx, cinf, rsp, NULL);
+ if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
+ OCSP_RESPONSE_free(rsp);
+ stapling_mutex_off(s);
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ else if (rv == SSL_TLSEXT_ERR_NOACK) {
+ /* Error in response. If this error was not present when it was
+ * stored (i.e. response no longer valid) then it can be
+ * renewed straight away.
+ *
+ * If the error *was* present at the time it was stored then we
+ * don't renew the response straight away we just wait for the
+ * cached response to expire.
+ */
+ if (ok) {
+ OCSP_RESPONSE_free(rsp);
+ rsp = NULL;
+ }
+ else if (!mctx->stapling_return_errors) {
+ OCSP_RESPONSE_free(rsp);
+ stapling_mutex_off(s);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+ }
+ }
+
+ if (rsp == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01954)
+ "stapling_cb: renewing cached response");
+ rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, conn->pool);
+
+ if (rv == FALSE) {
+ stapling_mutex_off(s);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01955)
+ "stapling_cb: fatal error");
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ }
+ stapling_mutex_off(s);
+
+ if (rsp) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01956)
+ "stapling_cb: setting response");
+ if (!stapling_set_response(ssl, rsp))
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ return SSL_TLSEXT_ERR_OK;
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
+ "stapling_cb: no response available");
+
+ return SSL_TLSEXT_ERR_NOACK;
+
+}
+
+apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p,
+ apr_pool_t *ptemp, modssl_ctx_t *mctx)
+{
+ SSL_CTX *ctx = mctx->ssl_ctx;
+ SSLModConfigRec *mc = myModConfig(s);
+
+ if (mc->stapling_cache == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
+ "SSLStapling: no stapling cache available");
+ return ssl_die(s);
+ }
+ if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
+ "SSLStapling: cannot initialise stapling mutex");
+ return ssl_die(s);
+ }
+ /* Set some default values for parameters if they are not set */
+ if (mctx->stapling_resptime_skew == UNSET) {
+ mctx->stapling_resptime_skew = 60 * 5;
+ }
+ if (mctx->stapling_cache_timeout == UNSET) {
+ mctx->stapling_cache_timeout = 3600;
+ }
+ if (mctx->stapling_return_errors == UNSET) {
+ mctx->stapling_return_errors = TRUE;
+ }
+ if (mctx->stapling_fake_trylater == UNSET) {
+ mctx->stapling_fake_trylater = TRUE;
+ }
+ if (mctx->stapling_errcache_timeout == UNSET) {
+ mctx->stapling_errcache_timeout = 600;
+ }
+ if (mctx->stapling_responder_timeout == UNSET) {
+ mctx->stapling_responder_timeout = 10 * APR_USEC_PER_SEC;
+ }
+ SSL_CTX_set_tlsext_status_cb(ctx, stapling_cb);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01960) "OCSP stapling initialized");
+
+ return APR_SUCCESS;
+}
+
+#endif
Added: httpd/httpd/trunk/modules/http2/sandbox/httpd/packages/pcre-8.36.tar.gz
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/sandbox/httpd/packages/pcre-8.36.tar.gz?rev=1688474&view=auto
==============================================================================
Binary file - no diff available.
Propchange: httpd/httpd/trunk/modules/http2/sandbox/httpd/packages/pcre-8.36.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip