Revert r1798456

[apache] / modules / ssl / ssl_util_stapling.c

diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 779c3e3b635af04d0ebbd96de249f67801a268f8..aecf5d324c3f15b8f56a6d2d5f34afc5b6ad40bf 100644 (file)
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
     X509 *issuer = NULL;
     int i;
     X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
-    X509_STORE_CTX inctx;
+    X509_STORE_CTX *inctx;
     STACK_OF(X509) *extra_certs = NULL;
 
 #ifdef OPENSSL_NO_SSL_INTERN
@@ -91,18 +91,23 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
     for (i = 0; i < sk_X509_num(extra_certs); i++) {
         issuer = sk_X509_value(extra_certs, i);
         if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+#else
+            X509_up_ref(issuer);
+#endif
             return issuer;
         }
     }
 
-    if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
+    inctx = X509_STORE_CTX_new();
+    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
         return 0;
-    if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
+    if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
         issuer = NULL;
-    X509_STORE_CTX_cleanup(&inctx);
+    X509_STORE_CTX_cleanup(inctx);
+    X509_STORE_CTX_free(inctx);
     return issuer;
-
 }
 
 int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
@@ -398,7 +403,9 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
 
             if (bio) {
                 int n;
-                if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
+                ASN1_INTEGER *pserial;
+                OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
+                if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
                     ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
                     snum[n] = '\0';
                 BIO_free(bio);
@@ -504,6 +511,7 @@ static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
                      "stapling_renew_response: responder error");
         if (mctx->stapling_fake_trylater) {
             *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
+            *pok = FALSE;
         }
         else {
             goto done;
@@ -683,7 +691,7 @@ static int get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx,
                                          OCSP_RESPONSE **rsp, BOOL *pok,
                                          certinfo *cinf, apr_pool_t *p)
 {
-    BOOL ok;
+    BOOL ok = FALSE;
     int rv;
 
     AP_DEBUG_ASSERT(*rsp == NULL);
@@ -776,31 +784,31 @@ static int stapling_cb(SSL *ssl, void *arg)
         rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf,
                                            conn->pool);
         if (rv != 0) {
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03236)
                          "stapling_cb: error checking for cached response "
                          "after obtaining refresh mutex");
             stapling_refresh_mutex_off(s);
             return rv;
         }
         else if (rsp) {
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03237)
                          "stapling_cb: don't need to refresh cached response "
                          "after obtaining refresh mutex");
             stapling_refresh_mutex_off(s);
         }
         else {
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03238)
                          "stapling_cb: still must refresh cached response "
                          "after obtaining refresh mutex");
             rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, &ok,
                                          conn->pool);
             stapling_refresh_mutex_off(s);
 
-            if (rv == TRUE) {
+            if ((rv == TRUE) && (ok == TRUE) && rsp) {
                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03040)
                              "stapling_cb: success renewing response");
             }
-            else {
+            else if (rv == FALSE) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01955)
                              "stapling_cb: fatal error renewing response");
                 return SSL_TLSEXT_ERR_ALERT_FATAL;