From: Jim Jagielski <jim@apache.org>
Date: Mon, 3 Apr 2017 11:39:20 +0000 (+0000)
Subject: Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:
X-Git-Tag: 2.4.26~177
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0fc9880259a00dd909082451fb2be50ff39462c3;p=apache

Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:

Add Configuration for trusted OCSP responder certificates
Fix for PR 46037


Add back the file I removed in r1781575.


Add missing documentation for r1781575
Fix for PR 46037


Remove unused variable

Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.



Submitted by: jfclere, druggeri, wrowe
Reviewed by: jfclere, jim, ylavic
Merge r1788430 from trunk:

mod_ssl: follow up to r1781575
Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested
by wrowe.


Submitted by: ylavic
Reviewed by: jfclere, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1789970 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/STATUS b/STATUS
index 37eaccee1f..c2559b87e1 100644
--- a/STATUS
+++ b/STATUS
@@ -118,18 +118,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: backport fix for PR 46037
-     trunk patch: http://svn.apache.org/r1781575
-                  http://svn.apache.org/r1781577
-                  http://svn.apache.org/r1781580
-                  http://svn.apache.org/r1781687
-                  http://svn.apache.org/r1783305
-     2.4.x patch: http://people.apache.org/~jfclere/patches/patch.46037.txt
-     +1: jfclere, jim
-     wrowe asks: Can we capitalize Verify in SSLOCSPNoverify to keep
-                 with conventions?
-     ylavic: +1 with http://svn.apache.org/r1788430, fixing the merge of
-             SSLOCSPNoverify and capitalizing as suggested above.
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index f19994d64f..b8e7810cb4 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -2414,6 +2414,37 @@ Responder), this option should be turned <code>off</code>.</p>
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLOCSPNoverify</name>
+<description>skip the OCSP responder certificates verification</description>
+<syntax>SSLOCSPNoverify <em>On/Off</em></syntax>
+<default>SSLOCSPNoverify Off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.5 and later, if using OpenSSL 0.9.7 or later</compatibility>
+<usage>
+<p>Skip the OCSP responder certificates verification, mostly useful when
+testing an OCSP server.</p>
+</usage>
+</directivesynopsis>
+
+
+<directivesynopsis>
+<name>SSLOCSPResponderCertificateFile</name>
+<description>Set of trusted PEM encoded OCSP responder certificates</description>
+<syntax>SSLOCSPResponderCertificateFile <em>file</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.5 and later, if using OpenSSL 0.9.7 or later</compatibility>
+<usage>
+<p>This supplies a list of trusted OCSP responder certificates to be used
+during OCSP responder certificate validation. The supplied certificates are
+implicitly trusted without any further validation. This is typically used
+where the OCSP responder certificate is self signed or omitted from the OCSP
+response.</p>
+</usage>
+</directivesynopsis>
+
 <directivesynopsis>
 <name>SSLOCSPProxyURL</name>
 <description>Proxy URL to use for OCSP requests</description>
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index f58e145f19..131ec7e4ae 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -254,6 +254,14 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_SRV(OCSPProxyURL, TAKE1,
                 "Proxy URL to use for OCSP requests")
 
+/* Define OCSP Responder Certificate Verification Directive */
+    SSL_CMD_SRV(OCSPNoVerify, FLAG,
+                "Do not verify OCSP Responder certificate ('on', 'off')")
+/* Define OCSP Responder File Configuration Directive */
+    SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
+               "Trusted OCSP responder certificates"
+               "(`/path/to/file' - PEM encoded certificates)")
+
 #ifdef HAVE_OCSP_STAPLING
     /*
      * OCSP Stapling options
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 392c9ac7d9..6750b98a8a 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -146,6 +146,13 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->ocsp_use_request_nonce = UNSET;
     mctx->proxy_uri              = NULL;
 
+/* Set OCSP Responder Certificate Verification variable */
+    mctx->ocsp_noverify       = UNSET;
+/* Set OCSP Responder File variables */
+    mctx->ocsp_verify_flags   = 0;
+    mctx->ocsp_certs_file     = NULL;
+    mctx->ocsp_certs          = NULL;
+
 #ifdef HAVE_OCSP_STAPLING
     mctx->stapling_enabled           = UNSET;
     mctx->stapling_resptime_skew     = UNSET;
@@ -298,6 +305,12 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
     cfgMergeInt(ocsp_responder_timeout);
     cfgMergeBool(ocsp_use_request_nonce);
     cfgMerge(proxy_uri, NULL);
+
+/* Set OCSP Responder Certificate Verification directive */
+    cfgMergeBool(ocsp_noverify);  
+/* Set OCSP Responder File directive for importing */
+    cfgMerge(ocsp_certs_file, NULL);
+
 #ifdef HAVE_OCSP_STAPLING
     cfgMergeBool(stapling_enabled);
     cfgMergeInt(stapling_resptime_skew);
@@ -1710,6 +1723,16 @@ const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,
     return NULL;
 }
 
+/* Set OCSP responder certificate verification directive */
+const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->ocsp_noverify = flag ? TRUE : FALSE;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
@@ -1961,6 +1984,21 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
 
 #endif /* HAVE_SRP */
 
+/* OCSP Responder File Function to read in value */
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, 
+					   const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    const char *err;
+
+    if ((err = ssl_cmd_check_file(cmd, &arg))) {
+        return err;
+    }
+
+    sc->server->ocsp_certs_file = arg;
+    return NULL;
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     apr_file_t *out = NULL;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 5683c552d0..3e11d560cd 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1709,6 +1709,12 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
             != APR_SUCCESS) {
             return rv;
         }
+
+	/* Initialize OCSP Responder certificate if OCSP enabled */
+	#ifndef OPENSSL_NO_OCSP
+        	ssl_init_ocsp_certificates(s, sc->server);
+	#endif
+
     }
 
     if (sc->proxy_enabled) {
@@ -1997,6 +2003,12 @@ apr_status_t ssl_init_ModuleKill(void *data)
         ssl_init_ctx_cleanup_proxy(sc->proxy);
 
         ssl_init_ctx_cleanup(sc->server);
+
+	/* Not Sure but possibly clear X509 trusted cert file */
+	#ifndef OPENSSL_NO_OCSP
+		sk_X509_pop_free(sc->server->ocsp_certs, X509_free);
+	#endif
+
     }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index 282a2a2f69..0d6592ff4a 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -183,12 +183,16 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
     }
 
     if (rc == V_OCSP_CERTSTATUS_GOOD) {
-        /* TODO: allow flags configuration. */
-        if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
-                        "failed to verify the OCSP response");
-            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
-            rc = V_OCSP_CERTSTATUS_UNKNOWN;
+        /* Check if OCSP certificate verification required */
+        if (sc->server->ocsp_noverify != TRUE) {
+            /* Modify OCSP response verification to include OCSP Responder cert */
+            if (OCSP_basic_verify(basicResponse, sc->server->ocsp_certs, X509_STORE_CTX_get0_store(ctx),
+                                  sc->server->ocsp_verify_flags) != 1) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
+                            "failed to verify the OCSP response");
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+                rc = V_OCSP_CERTSTATUS_UNKNOWN;
+            }
         }
     }
 
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index b6483a127f..3e9602ca52 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -682,6 +682,12 @@ typedef struct {
     BOOL ocsp_use_request_nonce;
     apr_uri_t *proxy_uri;
 
+    BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */
+    /* Declare variables for using OCSP Responder Certs for OCSP verification */
+    int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
+    const char *ocsp_certs_file; /* OCSP other certificates filename */
+    STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
+
 #ifdef HAVE_SSL_CONF_CMD
     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
@@ -809,6 +815,11 @@ const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
 
+/* Declare OCSP Responder Certificate Verification Directive */
+const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag);
+/* Declare OCSP Responder Certificate File Directive */
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
+
 #ifdef HAVE_SSL_CONF_CMD
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
 #endif
@@ -1024,6 +1035,10 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
                                             apr_interval_time_t timeout,
                                             OCSP_REQUEST *request,
                                             conn_rec *c, apr_pool_t *p);
+
+/* Initialize OCSP trusted certificate list */
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
+
 #endif
 
 /* Retrieve DH parameters for given key length.  Return value should
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index a00c273d89..b11a6e924e 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -339,4 +339,81 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
     return response;
 }
 
+/*  _________________________________________________________________
+**
+**  OCSP other certificate support
+**  _________________________________________________________________
+*/
+
+/*
+ * Read a file that contains certificates in PEM format and
+ * return as a STACK.
+ */
+
+static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
+{
+    BIO *bio;
+    X509 *x509;
+    unsigned long err;
+    STACK_OF(X509) *other_certs = NULL;
+
+    if ((bio = BIO_new(BIO_s_file())) == NULL)
+        return NULL;
+    if (BIO_read_filename(bio, file) <= 0) {
+        BIO_free(bio);
+        return NULL;
+    }
+    /* create new extra chain by loading the certs */
+    while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+        if (!other_certs) {
+                other_certs = sk_X509_new_null();
+                if (!other_certs)
+                        return NULL;
+        }
+                
+        if (!sk_X509_push(other_certs, x509)) {
+            X509_free(x509);
+            sk_X509_pop_free(other_certs, X509_free);
+            BIO_free(bio);
+            return NULL;
+        }
+    }
+    /* Make sure that only the error is just an EOF */
+    if ((err = ERR_peek_error()) > 0) {
+        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
+              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+            BIO_free(bio);
+            sk_X509_pop_free(other_certs, X509_free);
+            return NULL;
+        }
+        while (ERR_get_error() > 0) ;
+    }
+    BIO_free(bio);
+    return other_certs;
+}
+
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
+{
+    /*
+     * Configure Trusted OCSP certificates.
+     */
+
+    if (!mctx->ocsp_certs_file) {
+        return;
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "Configuring Trusted OCSP certificates");
+
+    mctx->ocsp_certs = modssl_read_ocsp_certificates(mctx->ocsp_certs_file);
+
+    if (!mctx->ocsp_certs) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to configure OCSP Trusted Certificates");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+        ssl_die(s);
+    }
+    mctx->ocsp_verify_flags |= OCSP_TRUSTOTHER;
+}
+
 #endif /* HAVE_OCSP */