httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jfcl...@apache.org
Subject svn commit: r1781575 - in /httpd/httpd/trunk: build/PrintPath modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h modules/ssl/ssl_util_ocsp.c
Date Fri, 03 Feb 2017 16:19:17 GMT
Author: jfclere
Date: Fri Feb  3 16:19:17 2017
New Revision: 1781575

URL: http://svn.apache.org/viewvc?rev=1781575&view=rev
Log:
Add Configuration for trusted OCSP responder certificates
Fix for PR 46037

Removed:
    httpd/httpd/trunk/build/PrintPath
Modified:
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1781575&r1=1781574&r2=1781575&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Fri Feb  3 16:19:17 2017
@@ -264,6 +264,14 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(OCSPProxyURL, TAKE1,
                 "Proxy URL to use for OCSP requests")
 
+/* Define OCSP Responder Certificate Verification Directive */
+    SSL_CMD_SRV(OCSPNoverify, FLAG,
+                "Do not verify OCSP Responder certificate ('on', 'off')")
+/* Define OCSP Responder File Configuration Directive */
+    SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
+               "Trusted OCSP responder certificates"
+               "(`/path/to/file' - PEM encoded certificates)")
+
 #ifdef HAVE_OCSP_STAPLING
     /*
      * OCSP Stapling options

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1781575&r1=1781574&r2=1781575&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Fri Feb  3 16:19:17 2017
@@ -146,6 +146,13 @@ static void modssl_ctx_init(modssl_ctx_t
     mctx->ocsp_use_request_nonce = UNSET;
     mctx->proxy_uri              = NULL;
 
+/* Set OCSP Responder Certificate Verification variable */
+    mctx->ocsp_noverify       = FALSE;
+/* Set OCSP Responder File variables */
+    mctx->ocsp_verify_flags   = 0;
+    mctx->ocsp_certs_file     = NULL;
+    mctx->ocsp_certs          = NULL;
+
 #ifdef HAVE_OCSP_STAPLING
     mctx->stapling_enabled           = UNSET;
     mctx->stapling_resptime_skew     = UNSET;
@@ -282,6 +289,12 @@ static void modssl_ctx_cfg_merge(apr_poo
     cfgMergeInt(ocsp_responder_timeout);
     cfgMergeBool(ocsp_use_request_nonce);
     cfgMerge(proxy_uri, NULL);
+
+/* Set OCSP Responder Certificate Verification directive */
+    cfgMergeBool(ocsp_noverify);  
+/* Set OCSP Responder File directive for importing */
+    cfgMerge(ocsp_certs_file, NULL);
+
 #ifdef HAVE_OCSP_STAPLING
     cfgMergeBool(stapling_enabled);
     cfgMergeInt(stapling_resptime_skew);
@@ -1707,6 +1720,16 @@ const char *ssl_cmd_SSLOCSPProxyURL(cmd_
     return NULL;
 }
 
+/* Set OCSP responder certificate verification directive */
+const char *ssl_cmd_SSLOCSPNoverify(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->ocsp_noverify = flag ? TRUE : FALSE;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
@@ -1958,6 +1981,21 @@ const char *ssl_cmd_SSLSRPUnknownUserSee
 
 #endif /* HAVE_SRP */
 
+/* OCSP Responder File Function to read in value */
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, 
+					   const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    const char *err;
+
+    if ((err = ssl_cmd_check_file(cmd, &arg))) {
+        return err;
+    }
+
+    sc->server->ocsp_certs_file = arg;
+    return NULL;
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     apr_file_t *out = NULL;

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1781575&r1=1781574&r2=1781575&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Fri Feb  3 16:19:17 2017
@@ -1762,6 +1762,12 @@ apr_status_t ssl_init_ConfigureServer(se
             != APR_SUCCESS) {
             return rv;
         }
+
+	/* Initialize OCSP Responder certificate if OCSP enabled */
+	#ifndef OPENSSL_NO_OCSP
+        	ssl_init_ocsp_certificates(s, sc->server);
+	#endif
+
     }
 
     sdc->proxy->sc = sc;
@@ -2061,6 +2067,12 @@ apr_status_t ssl_init_ModuleKill(void *d
         sc = mySrvConfig(s);
 
         ssl_init_ctx_cleanup(sc->server);
+
+	/* Not Sure but possibly clear X509 trusted cert file */
+	#ifndef OPENSSL_NO_OCSP
+		sk_X509_pop_free(sc->server->ocsp_certs, X509_free);
+	#endif
+
     }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1781575&r1=1781574&r2=1781575&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Fri Feb  3 16:19:17 2017
@@ -183,12 +183,16 @@ static int verify_ocsp_status(X509 *cert
     }
 
     if (rc == V_OCSP_CERTSTATUS_GOOD) {
-        /* TODO: allow flags configuration. */
-        if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) !=
1) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
-                        "failed to verify the OCSP response");
-            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
-            rc = V_OCSP_CERTSTATUS_UNKNOWN;
+        /* Check if OCSP certificate verification required */
+        if (!sc->server->ocsp_noverify) {
+            /* Modify OCSP response verification to include OCSP Responder cert */
+            if (OCSP_basic_verify(basicResponse, sc->server->ocsp_certs, X509_STORE_CTX_get0_store(ctx),
+                                  sc->server->ocsp_verify_flags) != 1) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
+                            "failed to verify the OCSP response");
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+                rc = V_OCSP_CERTSTATUS_UNKNOWN;
+            }
         }
     }
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1781575&r1=1781574&r2=1781575&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri Feb  3 16:19:17 2017
@@ -678,6 +678,12 @@ typedef struct {
     BOOL ocsp_use_request_nonce;
     apr_uri_t *proxy_uri;
 
+    BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl
-noverify */
+    /* Declare variables for using OCSP Responder Certs for OCSP verification */
+    int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
+    const char *ocsp_certs_file; /* OCSP other certificates filename */
+    STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
+
 #ifdef HAVE_SSL_CONF_CMD
     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
@@ -808,6 +814,11 @@ const char *ssl_cmd_SSLOCSPUseRequestNon
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
 
+/* Declare OCSP Responder Certificate Verification Directive */
+const char *ssl_cmd_SSLOCSPNoverify(cmd_parms *cmd, void *dcfg, int flag);
+/* Declare OCSP Responder Certificate File Directive */
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char
*arg);
+
 #ifdef HAVE_SSL_CONF_CMD
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const
char *arg2);
 #endif
@@ -1022,6 +1033,10 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_requ
                                             apr_interval_time_t timeout,
                                             OCSP_REQUEST *request,
                                             conn_rec *c, apr_pool_t *p);
+
+/* Initialize OCSP trusted certificate list */
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
+
 #endif
 
 /* Retrieve DH parameters for given key length.  Return value should

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1781575&r1=1781574&r2=1781575&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Fri Feb  3 16:19:17 2017
@@ -339,4 +339,82 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_requ
     return response;
 }
 
+/*  _________________________________________________________________
+**
+**  OCSP other certificate support
+**  _________________________________________________________________
+*/
+
+/*
+ * Read a file that contains certificates in PEM format and
+ * return as a STACK.
+ */
+
+static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
+{
+    BIO *bio;
+    X509 *x509;
+    unsigned long err;
+    int n;
+    STACK_OF(X509) *other_certs = NULL;
+
+    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+        return NULL;
+    if (BIO_read_filename(bio, file) <= 0) {
+        BIO_free(bio);
+        return NULL;
+    }
+    /* create new extra chain by loading the certs */
+    while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+        if (!other_certs) {
+                other_certs = sk_X509_new_null();
+                if (!other_certs)
+                        return NULL;
+        }
+                
+        if (!sk_X509_push(other_certs, x509)) {
+            X509_free(x509);
+            sk_X509_pop_free(other_certs, X509_free);
+            BIO_free(bio);
+            return NULL;
+        }
+    }
+    /* Make sure that only the error is just an EOF */
+    if ((err = ERR_peek_error()) > 0) {
+        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
+              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+            BIO_free(bio);
+            sk_X509_pop_free(other_certs, X509_free);
+            return NULL;
+        }
+        while (ERR_get_error() > 0) ;
+    }
+    BIO_free(bio);
+    return other_certs;
+}
+
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
+{
+    /*
+     * Configure Trusted OCSP certificates.
+     */
+
+    if (!mctx->ocsp_certs_file) {
+        return;
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "Configuring Trusted OCSP certificates");
+
+    mctx->ocsp_certs = modssl_read_ocsp_certificates(mctx->ocsp_certs_file);
+
+    if (!mctx->ocsp_certs) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to configure OCSP Trusted Certificates");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+        ssl_die(s);
+    }
+    mctx->ocsp_verify_flags |= OCSP_TRUSTOTHER;
+}
+
 #endif /* HAVE_OCSP */



Mime
View raw message