On Fri, Mar 16, 2018 at 03:25:08PM -0000, [email protected] wrote:
> Author: icing
> Date: Fri Mar 16 15:25:08 2018
> New Revision: 1826995
>
> URL: http://svn.apache.org/viewvc?rev=1826995&view=rev
> Log:
> Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a
> certificate chain. PR62112 [Ricardo Martin Camarero <[email protected]>]
>
> Modified:
> httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
The bulk of this is copy and paste of code which remains largely
identical - ssl_cmd_crlcheck_parse to ssl_cmd_ocspcheck_parse etc,
though looks like the policy dumping stuff should be updated too.
Anybody good a good reason to think the CRL/OCSP checking mode
directives would diverge in the future or could we unify that code?
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c (revision 1827336)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -1346,21 +1346,27 @@
return NULL;
}
-static const char *ssl_cmd_crlcheck_parse(cmd_parms *parms,
+#define IS_REVCHECK_OCSP(cmdname_) (strcmp((cmdname_), "SSLOCSPEnable") == 0)
+
+static const char *ssl_cmd_revcheck_parse(cmd_parms *parms,
const char *arg,
int *mask)
{
const char *w;
+ const char *notfor_arg;
+ notfor_arg = IS_REVCHECK_OCSP(parms->cmd->name) ?
+ "no_ocsp_for_cert_ok" : "no_crl_for_cert_ok";
+
w = ap_getword_conf(parms->temp_pool, &arg);
if (strcEQ(w, "none")) {
- *mask = SSL_CRLCHECK_NONE;
+ *mask = SSL_REVCHECK_NONE;
}
else if (strcEQ(w, "leaf")) {
- *mask = SSL_CRLCHECK_LEAF;
+ *mask = SSL_REVCHECK_LEAF;
}
else if (strcEQ(w, "chain")) {
- *mask = SSL_CRLCHECK_CHAIN;
+ *mask = SSL_REVCHECK_CHAIN;
}
else {
return apr_pstrcat(parms->temp_pool, parms->cmd->name,
@@ -1370,8 +1376,8 @@
while (*arg) {
w = ap_getword_conf(parms->temp_pool, &arg);
- if (strcEQ(w, "no_crl_for_cert_ok")) {
- *mask |= SSL_CRLCHECK_NO_CRL_FOR_CERT_OK;
+ if (strcEQ(w, notfor_arg)) {
+ *mask |= SSL_REVCHECK_NOT_FOR_CERT_OK;
}
else {
return apr_pstrcat(parms->temp_pool, parms->cmd->name,
@@ -1389,7 +1395,7 @@
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mask);
+ return ssl_cmd_revcheck_parse(cmd, arg, &sc->server->crl_check_mask);
}
static const char *ssl_cmd_verify_parse(cmd_parms *parms,
@@ -1906,7 +1912,7 @@
{
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
- return ssl_cmd_crlcheck_parse(cmd, arg, &dc->proxy->crl_check_mask);
+ return ssl_cmd_revcheck_parse(cmd, arg, &dc->proxy->crl_check_mask);
}
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,
@@ -1965,43 +1971,6 @@
return NULL;
}
-static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
- const char *arg,
- int *mask)
-{
- const char *w;
-
- w = ap_getword_conf(parms->temp_pool, &arg);
- if (strcEQ(w, "off")) {
- *mask = SSL_OCSPCHECK_NONE;
- }
- else if (strcEQ(w, "leaf")) {
- *mask = SSL_OCSPCHECK_LEAF;
- }
- else if (strcEQ(w, "on")) {
- *mask = SSL_OCSPCHECK_CHAIN;
- }
- else {
- return apr_pstrcat(parms->temp_pool, parms->cmd->name,
- ": Invalid argument '", w, "'",
- NULL);
- }
-
- while (*arg) {
- w = ap_getword_conf(parms->temp_pool, &arg);
- if (strcEQ(w, "no_ocsp_for_cert_ok")) {
- *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
- }
- else {
- return apr_pstrcat(parms->temp_pool, parms->cmd->name,
- ": Invalid argument '", w, "'",
- NULL);
- }
- }
-
- return NULL;
-}
-
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
@@ -2013,7 +1982,7 @@
}
#endif
- return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
+ return ssl_cmd_revcheck_parse(cmd, arg, &sc->server->ocsp_mask);
}
const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int
flag)
@@ -2600,21 +2569,24 @@
}
}
-static void val_crl_check_dump(apr_file_t *out, const char *key, int mask,
+static void val_rev_check_dump(apr_file_t *out, const char *key, int mask,
apr_pool_t *p, const char *indent, const char
**psep)
{
if (mask != UNSET) {
- if (mask == SSL_CRLCHECK_NONE) {
+ if (mask == SSL_REVCHECK_NONE) {
val_str_dump(out, key, "none", p, indent, psep);
}
- else if (mask == SSL_CRLCHECK_LEAF) {
+ else if (mask == SSL_REVCHECK_LEAF) {
val_str_dump(out, key, "leaf", p, indent, psep);
}
- else if (mask == SSL_CRLCHECK_CHAIN) {
+ else if (mask == SSL_REVCHECK_CHAIN) {
val_str_dump(out, key, "chain", p, indent, psep);
}
- else if (mask == (SSL_CRLCHECK_CHAIN|SSL_CRLCHECK_NO_CRL_FOR_CERT_OK))
{
- val_str_dump(out, key, "chain no_crl_for_cert_ok", p, indent,
psep);
+ else if (mask == (SSL_REVCHECK_CHAIN|SSL_REVCHECK_NOT_FOR_CERT_OK)) {
+ if (IS_REVCHECK_OCSP(key))
+ val_str_dump(out, key, "chain no_ocsp_for_cert_ok", p, indent,
psep);
+ else
+ val_str_dump(out, key, "chain no_crl_for_cert_ok", p, indent,
psep);
}
else {
val_str_dump(out, key, "???", p, indent, psep);
@@ -2678,8 +2650,8 @@
val_onoff_dump(out, k, v, p, indent, psep)
#define DMP_URI(k,v) \
val_uri_dump(out, k, v, p, indent, psep)
-#define DMP_CRLCHK(k,v) \
- val_crl_check_dump(out, k, v, p, indent, psep)
+#define DMP_REVCHK(k,v) \
+ val_rev_check_dump(out, k, v, p, indent, psep)
#define DMP_PHRASE(k,v, v2) \
val_pphrase_dump(out, k, v, v2, p, indent, psep)
#define DMP_ENABLD(k,v) \
@@ -2713,7 +2685,7 @@
DMP_STRING(proxy? "SSLProxyCARevocationFile" : "SSLCARevocationFile",
ctx->crl_file);
DMP_STRING(proxy? "SSLProxyCARevocationPath" : "SSLCARevocationPath",
ctx->crl_path);
- DMP_CRLCHK(proxy? "SSLProxyCARevocationCheck" : "SSLCARevocationCheck",
ctx->crl_check_mask);
+ DMP_REVCHK(proxy? "SSLProxyCARevocationCheck" : "SSLCARevocationCheck",
ctx->crl_check_mask);
if (!proxy) {
DMP_PHRASE("SSLPassPhraseDialog", ctx->pphrase_dialog_type,
ctx->pphrase_dialog_path);
if (ctx->pks) {
@@ -2738,7 +2710,7 @@
DMP_STRING("SSLSRPUnknownUserSeed", ctx->srp_unknown_user_seed);
DMP_STRING("SSLSRPVerifierFile", ctx->srp_vfile);
#endif
- DMP_LONG( "SSLOCSPEnable", ctx->ocsp_mask);
+ DMP_REVCHK( "SSLOCSPEnable", ctx->ocsp_mask);
DMP_ON_OFF("SSLOCSPOverrideResponder", ctx->ocsp_force_default);
DMP_STRING("SSLOCSPDefaultResponder", ctx->ocsp_responder);
DMP_LONG( "SSLOCSPResponseTimeSkew", ctx->ocsp_resptime_skew);
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1827336)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -945,7 +945,7 @@
int crl_check_mode;
if (mctx->ocsp_mask == UNSET) {
- mctx->ocsp_mask = SSL_OCSPCHECK_NONE;
+ mctx->ocsp_mask = SSL_REVCHECK_NONE;
}
if (mctx->crl_check_mask == UNSET) {
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c (revision 1827336)
+++ modules/ssl/ssl_engine_kernel.c (working copy)
@@ -1669,8 +1669,8 @@
/*
* Perform OCSP-based revocation checks
*/
- if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
- (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
+ if (ok && ((sc->server->ocsp_mask & SSL_REVCHECK_CHAIN) ||
+ (errdepth == 0 && (sc->server->ocsp_mask & SSL_REVCHECK_CHAIN)))) {
/* If there was an optional verification error, it's not
* possible to perform OCSP validation since the issuer may be
* missing/untrusted. Fail in that case. */
Index: modules/ssl/ssl_engine_ocsp.c
===================================================================
--- modules/ssl/ssl_engine_ocsp.c (revision 1827336)
+++ modules/ssl/ssl_engine_ocsp.c (working copy)
@@ -139,10 +139,10 @@
ruri = determine_responder_uri(sc, cert, c, pool);
if (!ruri) {
- if (sc->server->ocsp_mask & SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK) {
+ if (sc->server->ocsp_mask & SSL_REVCHECK_NOT_FOR_CERT_OK) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
- "Skipping OCSP check for certificate cos no OCSP URL"
- " found and no_ocsp_for_cert_ok is set");
+ "Skipping OCSP check for certificate without OCSP
URL"
+ " and no_ocsp_for_cert_ok set");
return V_OCSP_CERTSTATUS_GOOD;
} else {
return V_OCSP_CERTSTATUS_UNKNOWN;
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1827336)
+++ modules/ssl/ssl_private.h (working copy)
@@ -390,26 +390,22 @@
|| (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
/**
- * CRL checking mask (mode | flags)
+ * Revocation (CRL/OCSP) checking mask (mode | flags)
*/
typedef enum {
- SSL_CRLCHECK_NONE = (0),
- SSL_CRLCHECK_LEAF = (1 << 0),
- SSL_CRLCHECK_CHAIN = (1 << 1),
+ SSL_REVCHECK_NONE = (0),
+ SSL_REVCHECK_LEAF = (1 << 0),
+ SSL_REVCHECK_CHAIN = (1 << 1),
-#define SSL_CRLCHECK_FLAGS (~0x3)
- SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
-} ssl_crlcheck_t;
+#define SSL_REVCHECK_FLAGS (~0x3)
+ SSL_REVCHECK_NOT_FOR_CERT_OK = (1 << 2)
+} ssl_revcheck_t;
-/**
- * OCSP checking mask (mode | flags)
- */
-typedef enum {
- SSL_OCSPCHECK_NONE = (0),
- SSL_OCSPCHECK_LEAF = (1 << 0),
- SSL_OCSPCHECK_CHAIN = (1 << 1),
- SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2)
-} ssl_ocspcheck_t;
+#define SSL_CRLCHECK_FLAGS SSL_REVCHECK_FLAGS
+#define SSL_CRLCHECK_NONE SSL_REVCHECK_NONE
+#define SSL_CRLCHECK_LEAF SSL_REVCHECK_LEAF
+#define SSL_CRLCHECK_CHAIN SSL_REVCHECK_CHAIN
+#define SSL_CRLCHECK_NO_CRL_FOR_CERT_OK SSL_REVCHECK_NOT_FOR_CERT_OK
/**
* Define the SSL pass phrase dialog types
