source-git / httpd

Clone
Source Code
GIT

Blame modules/ssl/ssl_util_stapling.c

c8s-stream-2.4 master
  1.   c8s-stream-2.4
  2.   modules
  3.   ssl
  4.   ssl_util_stapling.c
Blob History Raw
Packit 90a5c9 
/* Licensed to the Apache Software Foundation (ASF) under one or more
Packit 90a5c9 
 * contributor license agreements.  See the NOTICE file distributed with
Packit 90a5c9 
 * this work for additional information regarding copyright ownership.
Packit 90a5c9 
 * The ASF licenses this file to You under the Apache License, Version 2.0
Packit 90a5c9 
 * (the "License"); you may not use this file except in compliance with
Packit 90a5c9 
 * the License.  You may obtain a copy of the License at
Packit 90a5c9 
 *
Packit 90a5c9 
 *     http://www.apache.org/licenses/LICENSE-2.0
Packit 90a5c9 
 *
Packit 90a5c9 
 * Unless required by applicable law or agreed to in writing, software
Packit 90a5c9 
 * distributed under the License is distributed on an "AS IS" BASIS,
Packit 90a5c9 
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Packit 90a5c9 
 * See the License for the specific language governing permissions and
Packit 90a5c9 
 * limitations under the License.
Packit 90a5c9 
 */
Packit 90a5c9
Packit 90a5c9 
/*                      _             _
Packit 90a5c9 
 *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
Packit 90a5c9 
 * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
Packit 90a5c9 
 * | | | | | | (_) | (_| |   \__ \__ \ |
Packit 90a5c9 
 * |_| |_| |_|\___/ \__,_|___|___/___/_|
Packit 90a5c9 
 *                      |_____|
Packit 90a5c9 
 *  ssl_stapling.c
Packit 90a5c9 
 *  OCSP Stapling Support
Packit 90a5c9 
 */
Packit 90a5c9 
                             /* ``Where's the spoons?
Packit 90a5c9 
                                  Where's the spoons?
Packit 90a5c9 
                                  Where's the bloody spoons?''
Packit 90a5c9 
                                            -- Alexei Sayle          */
Packit 90a5c9
Packit 90a5c9 
#include "ssl_private.h"
Packit 90a5c9 
#include "ap_mpm.h"
Packit 90a5c9 
#include "apr_thread_mutex.h"
Packit 20f7c8 
#include "mod_ssl_openssl.h"
Packit 20f7c8
Packit 20f7c8 
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status,
Packit 20f7c8 
                                    (server_rec *s, apr_pool_t *p,
Packit 20f7c8 
                                     X509 *cert, X509 *issuer),
Packit 20f7c8 
                                     (s, p, cert, issuer),
Packit 20f7c8 
                                    DECLINED, DECLINED)
Packit 20f7c8
Packit 20f7c8 
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, get_stapling_status,
Packit 20f7c8 
                                    (unsigned char **pder, int *pderlen,
Packit 20f7c8 
                                     conn_rec *c, server_rec *s, X509 *cert),
Packit 20f7c8 
                                     (pder, pderlen, c, s, cert),
Packit 20f7c8 
                                    DECLINED, DECLINED)
Packit 20f7c8
Packit 90a5c9
Packit 90a5c9 
#ifdef HAVE_OCSP_STAPLING
Packit 90a5c9
Packit 90a5c9 
static int stapling_cache_mutex_on(server_rec *s);
Packit 90a5c9 
static int stapling_cache_mutex_off(server_rec *s);
Packit 90a5c9
Packit 20f7c8 
static int stapling_cb(SSL *ssl, void *arg);
Packit 20f7c8
Packit 90a5c9 
/**
Packit 90a5c9 
 * Maxiumum OCSP stapling response size. This should be the response for a
Packit 90a5c9 
 * single certificate and will typically include the responder certificate chain
Packit 90a5c9 
 * so 10K should be more than enough.
Packit 90a5c9 
 *
Packit 90a5c9 
 */
Packit 90a5c9
Packit 90a5c9 
#define MAX_STAPLING_DER 10240
Packit 90a5c9
Packit 90a5c9 
/* Cached info stored in the global stapling_certinfo hash. */
Packit 90a5c9 
typedef struct {
Packit 90a5c9 
    /* Index in session cache (SHA-1 digest of DER encoded certificate) */
Packit 90a5c9 
    UCHAR idx[SHA_DIGEST_LENGTH];
Packit 90a5c9 
    /* Certificate ID for OCSP request */
Packit 90a5c9 
    OCSP_CERTID *cid;
Packit 90a5c9 
    /* URI of the OCSP responder */
Packit 90a5c9 
    char *uri;
Packit 90a5c9 
} certinfo;
Packit 90a5c9
Packit 90a5c9 
static apr_status_t ssl_stapling_certid_free(void *data)
Packit 90a5c9 
{
Packit 90a5c9 
    OCSP_CERTID *cid = data;
Packit 90a5c9
Packit 90a5c9 
    if (cid) {
Packit 90a5c9 
        OCSP_CERTID_free(cid);
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    return APR_SUCCESS;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static apr_hash_t *stapling_certinfo;
Packit 90a5c9
Packit 90a5c9 
void ssl_stapling_certinfo_hash_init(apr_pool_t *p)
Packit 90a5c9 
{
Packit 90a5c9 
    stapling_certinfo = apr_hash_make(p);
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
Packit 90a5c9 
{
Packit 90a5c9 
    X509 *issuer = NULL;
Packit 90a5c9 
    int i;
Packit 90a5c9 
    X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
Packit 90a5c9 
    X509_STORE_CTX *inctx;
Packit 90a5c9 
    STACK_OF(X509) *extra_certs = NULL;
Packit 90a5c9
Packit 90a5c9 
#ifdef OPENSSL_NO_SSL_INTERN
Packit 90a5c9 
    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
Packit 90a5c9 
#else
Packit 90a5c9 
    extra_certs = mctx->ssl_ctx->extra_certs;
Packit 90a5c9 
#endif
Packit 90a5c9
Packit 90a5c9 
    for (i = 0; i < sk_X509_num(extra_certs); i++) {
Packit 90a5c9 
        issuer = sk_X509_value(extra_certs, i);
Packit 90a5c9 
        if (X509_check_issued(issuer, x) == X509_V_OK) {
Packit 90a5c9 
#if OPENSSL_VERSION_NUMBER < 0x10100000L
Packit 90a5c9 
            CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
Packit 90a5c9 
#else
Packit 90a5c9 
            X509_up_ref(issuer);
Packit 90a5c9 
#endif
Packit 90a5c9 
            return issuer;
Packit 90a5c9 
        }
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    inctx = X509_STORE_CTX_new();
Packit 90a5c9 
    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
Packit 90a5c9 
        return 0;
Packit 90a5c9 
    if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
Packit 90a5c9 
        issuer = NULL;
Packit 90a5c9 
    X509_STORE_CTX_cleanup(inctx);
Packit 90a5c9 
    X509_STORE_CTX_free(inctx);
Packit 90a5c9 
    return issuer;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
Packit 90a5c9 
                           modssl_ctx_t *mctx, X509 *x)
Packit 90a5c9 
{
Packit 90a5c9 
    UCHAR idx[SHA_DIGEST_LENGTH];
Packit 90a5c9 
    certinfo *cinf = NULL;
Packit 90a5c9 
    X509 *issuer = NULL;
Packit 90a5c9 
    OCSP_CERTID *cid = NULL;
Packit 90a5c9 
    STACK_OF(OPENSSL_STRING) *aia = NULL;
Packit 90a5c9
Packit 20f7c8 
    if (x == NULL)
Packit 20f7c8 
        return 0;
Packit 20f7c8
Packit 20f7c8 
    if (!(issuer = stapling_get_issuer(mctx, x))) {
Packit 20f7c8 
        /* In Apache pre 2.4.40, we use to come here only when mod_ssl stapling
Packit 20f7c8 
         * was enabled. With the new hooks, we give other modules the chance
Packit 20f7c8 
         * to provide stapling status. However, we do not want to log ssl errors
Packit 20f7c8 
         * where we did not do so in the past. */
Packit 20f7c8 
        if (mctx->stapling_enabled == TRUE) {
Packit 20f7c8 
            ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217)
Packit 20f7c8 
                           "ssl_stapling_init_cert: can't retrieve issuer "
Packit 20f7c8 
                           "certificate!");
Packit 20f7c8 
            return 0;
Packit 20f7c8 
        }
Packit 20f7c8 
        return 1;
Packit 20f7c8 
    }
Packit 20f7c8
Packit 20f7c8 
    if (ssl_run_init_stapling_status(s, p, x, issuer) == APR_SUCCESS) {
Packit 20f7c8 
        /* Someone's taken over or mod_ssl's own implementation is not enabled */
Packit 20f7c8 
        if (mctx->stapling_enabled != TRUE) {
Packit 20f7c8 
            SSL_CTX_set_tlsext_status_cb(mctx->ssl_ctx, stapling_cb);
Packit 20f7c8 
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() "OCSP stapling added via hook");
Packit 20f7c8 
        }
Packit 20f7c8 
        return 1;
Packit 20f7c8 
    }
Packit 20f7c8
Packit 20f7c8 
    if (mctx->stapling_enabled != TRUE) {
Packit 20f7c8 
        /* mod_ssl's own implementation is not enabled */
Packit 20f7c8 
        return 1;
Packit 20f7c8 
    }
Packit 20f7c8
Packit 20f7c8 
    if (X509_digest(x, EVP_sha1(), idx, NULL) != 1)
Packit 90a5c9 
        return 0;
Packit 90a5c9
Packit 90a5c9 
    cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
Packit 90a5c9 
    if (cinf) {
Packit 90a5c9 
        /*
Packit 90a5c9 
         * We already parsed the certificate, and no OCSP URI was found.
Packit 90a5c9 
         * The certificate might be used for multiple vhosts, though,
Packit 90a5c9 
         * so we check for a ForceURL for this vhost.
Packit 90a5c9 
         */
Packit 90a5c9 
        if (!cinf->uri && !mctx->stapling_force_url) {
Packit 90a5c9 
            ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
Packit 90a5c9 
                           APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "
Packit 90a5c9 
                           "in certificate and no SSLStaplingForceURL "
Packit 90a5c9 
                           "configured for server %s", mctx->sc->vhost_id);
Packit 90a5c9 
            return 0;
Packit 90a5c9 
        }
Packit 90a5c9 
        return 1;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    cid = OCSP_cert_to_id(NULL, x, issuer);
Packit 90a5c9 
    X509_free(issuer);
Packit 90a5c9 
    if (!cid) {
Packit 90a5c9 
        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)
Packit 90a5c9 
                       "ssl_stapling_init_cert: can't create CertID "
Packit 90a5c9 
                       "for OCSP request");
Packit 90a5c9 
        return 0;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    aia = X509_get1_ocsp(x);
Packit 90a5c9 
    if (!aia && !mctx->stapling_force_url) {
Packit 90a5c9 
        OCSP_CERTID_free(cid);
Packit 90a5c9 
        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
Packit 90a5c9 
                       APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
Packit 90a5c9 
                       "in certificate and no SSLStaplingForceURL set");
Packit 90a5c9 
        return 0;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    /* At this point, we have determined that there's something to store */
Packit 90a5c9 
    cinf = apr_pcalloc(p, sizeof(certinfo));
Packit 90a5c9 
    memcpy (cinf->idx, idx, sizeof(idx));
Packit 90a5c9 
    cinf->cid = cid;
Packit 90a5c9 
    /* make sure cid is also freed at pool cleanup */
Packit 90a5c9 
    apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free,
Packit 90a5c9 
                              apr_pool_cleanup_null);
Packit 90a5c9 
    if (aia) {
Packit 90a5c9 
       /* allocate uri from the pconf pool */
Packit 90a5c9 
       cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
Packit 90a5c9 
       X509_email_free(aia);
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x,
Packit 90a5c9 
                   "ssl_stapling_init_cert: storing certinfo for server %s",
Packit 90a5c9 
                   mctx->sc->vhost_id);
Packit 90a5c9
Packit 90a5c9 
    apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
Packit 20f7c8
Packit 90a5c9 
    return 1;
Packit 90a5c9 
}
Packit 90a5c9
Packit 20f7c8 
static certinfo *stapling_get_certinfo(server_rec *s, X509 *x, modssl_ctx_t *mctx,
Packit 90a5c9 
                                        SSL *ssl)
Packit 90a5c9 
{
Packit 90a5c9 
    certinfo *cinf;
Packit 90a5c9 
    UCHAR idx[SHA_DIGEST_LENGTH];
Packit 20f7c8 
    if (X509_digest(x, EVP_sha1(), idx, NULL) != 1)
Packit 90a5c9 
        return NULL;
Packit 90a5c9 
    cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
Packit 90a5c9 
    if (cinf && cinf->cid)
Packit 90a5c9 
        return cinf;
Packit 90a5c9 
    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
Packit 90a5c9 
                 "stapling_get_certinfo: stapling not supported for certificate");
Packit 90a5c9 
    return NULL;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
/*
Packit 90a5c9 
 * OCSP response caching code. The response is preceded by a flag value
Packit 90a5c9 
 * which indicates whether the response was invalid when it was stored.
Packit 90a5c9 
 * the purpose of this flag is to avoid repeated queries to a server
Packit 90a5c9 
 * which has given an invalid response while allowing a response which
Packit 90a5c9 
 * has subsequently become invalid to be retried immediately.
Packit 90a5c9 
 *
Packit 90a5c9 
 * The key for the cache is the hash of the certificate the response
Packit 90a5c9 
 * is for.
Packit 90a5c9 
 */
Packit 90a5c9 
static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx,
Packit 90a5c9 
                                    OCSP_RESPONSE *rsp, certinfo *cinf,
Packit 90a5c9 
                                    BOOL ok, apr_pool_t *pool)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9 
    unsigned char resp_der[MAX_STAPLING_DER]; /* includes one-byte flag + response */
Packit 90a5c9 
    unsigned char *p;
Packit 90a5c9 
    int resp_derlen, stored_len;
Packit 90a5c9 
    BOOL rv;
Packit 90a5c9 
    apr_time_t expiry;
Packit 90a5c9
Packit 90a5c9 
    resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL);
Packit 90a5c9
Packit 90a5c9 
    if (resp_derlen <= 0) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01927)
Packit 90a5c9 
                     "OCSP stapling response encode error??");
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    stored_len = resp_derlen + 1; /* response + ok flag */
Packit 90a5c9 
    if (stored_len > sizeof resp_der) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01928)
Packit 90a5c9 
                     "OCSP stapling response too big (%u bytes)", resp_derlen);
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    p = resp_der;
Packit 90a5c9
Packit 90a5c9 
    /* TODO: potential optimization; _timeout members as apr_interval_time_t */
Packit 90a5c9 
    if (ok == TRUE) {
Packit 90a5c9 
        *p++ = 1;
Packit 90a5c9 
        expiry = apr_time_from_sec(mctx->stapling_cache_timeout);
Packit 90a5c9 
    }
Packit 90a5c9 
    else {
Packit 90a5c9 
        *p++ = 0;
Packit 90a5c9 
        expiry = apr_time_from_sec(mctx->stapling_errcache_timeout);
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    expiry += apr_time_now();
Packit 90a5c9
Packit 90a5c9 
    i2d_OCSP_RESPONSE(rsp, &p);
Packit 90a5c9
Packit 90a5c9 
    if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
Packit 90a5c9 
        stapling_cache_mutex_on(s);
Packit 90a5c9 
    rv = mc->stapling_cache->store(mc->stapling_cache_context, s,
Packit 90a5c9 
                                   cinf->idx, sizeof(cinf->idx),
Packit 90a5c9 
                                   expiry, resp_der, stored_len, pool);
Packit 90a5c9 
    if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
Packit 90a5c9 
        stapling_cache_mutex_off(s);
Packit 90a5c9 
    if (rv != APR_SUCCESS) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01929)
Packit 90a5c9 
                     "stapling_cache_response: OCSP response session store error!");
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    return TRUE;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static void stapling_get_cached_response(server_rec *s, OCSP_RESPONSE **prsp,
Packit 90a5c9 
                                         BOOL *pok, certinfo *cinf,
Packit 90a5c9 
                                         apr_pool_t *pool)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9 
    apr_status_t rv;
Packit 90a5c9 
    OCSP_RESPONSE *rsp;
Packit 90a5c9 
    unsigned char resp_der[MAX_STAPLING_DER];
Packit 90a5c9 
    const unsigned char *p;
Packit 90a5c9 
    unsigned int resp_derlen = MAX_STAPLING_DER;
Packit 90a5c9
Packit 90a5c9 
    if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
Packit 90a5c9 
        stapling_cache_mutex_on(s);
Packit 90a5c9 
    rv = mc->stapling_cache->retrieve(mc->stapling_cache_context, s,
Packit 90a5c9 
                                      cinf->idx, sizeof(cinf->idx),
Packit 90a5c9 
                                      resp_der, &resp_derlen, pool);
Packit 90a5c9 
    if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
Packit 90a5c9 
        stapling_cache_mutex_off(s);
Packit 90a5c9 
    if (rv != APR_SUCCESS) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01930)
Packit 90a5c9 
                     "stapling_get_cached_response: cache miss");
Packit 90a5c9 
        return;
Packit 90a5c9 
    }
Packit 90a5c9 
    if (resp_derlen <= 1) {
Packit 90a5c9 
        /* should-not-occur; must have at least valid-when-stored flag +
Packit 90a5c9 
         * OCSPResponseStatus
Packit 90a5c9 
         */
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01931)
Packit 90a5c9 
                     "stapling_get_cached_response: response length invalid??");
Packit 90a5c9 
        return;
Packit 90a5c9 
    }
Packit 90a5c9 
    p = resp_der;
Packit 90a5c9 
    if (*p) /* valid when stored */
Packit 90a5c9 
        *pok = TRUE;
Packit 90a5c9 
    else
Packit 90a5c9 
        *pok = FALSE;
Packit 90a5c9 
    p++;
Packit 90a5c9 
    resp_derlen--;
Packit 90a5c9 
    rsp = d2i_OCSP_RESPONSE(NULL, &p, resp_derlen);
Packit 90a5c9 
    if (!rsp) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01932)
Packit 90a5c9 
                     "stapling_get_cached_response: response parse error??");
Packit 90a5c9 
        return;
Packit 90a5c9 
    }
Packit 90a5c9 
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01933)
Packit 90a5c9 
                 "stapling_get_cached_response: cache hit");
Packit 90a5c9
Packit 90a5c9 
    *prsp = rsp;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_set_response(SSL *ssl, OCSP_RESPONSE *rsp)
Packit 90a5c9 
{
Packit 90a5c9 
    int rspderlen;
Packit 90a5c9 
    unsigned char *rspder = NULL;
Packit 90a5c9
Packit 90a5c9 
    rspderlen = i2d_OCSP_RESPONSE(rsp, &rspder);
Packit 90a5c9 
    if (rspderlen <= 0)
Packit 90a5c9 
        return 0;
Packit 90a5c9 
    SSL_set_tlsext_status_ocsp_resp(ssl, rspder, rspderlen);
Packit 90a5c9 
    return 1;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
Packit 90a5c9 
                                   certinfo *cinf, OCSP_RESPONSE *rsp,
Packit 90a5c9 
                                   BOOL *pok)
Packit 90a5c9 
{
Packit 90a5c9 
    int status = V_OCSP_CERTSTATUS_UNKNOWN;
Packit 90a5c9 
    int reason = OCSP_REVOKED_STATUS_NOSTATUS;
Packit 90a5c9 
    OCSP_BASICRESP *bs = NULL;
Packit 90a5c9 
    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
Packit 90a5c9 
    int response_status = OCSP_response_status(rsp);
Packit 90a5c9 
    int rv = SSL_TLSEXT_ERR_OK;
Packit 90a5c9
Packit 90a5c9 
    if (pok)
Packit 90a5c9 
        *pok = FALSE;
Packit 90a5c9 
    /* Check to see if response is an error. If so we automatically accept
Packit 90a5c9 
     * it because it would have expired from the cache if it was time to
Packit 90a5c9 
     * retry.
Packit 90a5c9 
     */
Packit 90a5c9 
    if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
Packit 90a5c9 
        if (mctx->stapling_return_errors)
Packit 90a5c9 
            return SSL_TLSEXT_ERR_OK;
Packit 90a5c9 
        else
Packit 90a5c9 
            return SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    bs = OCSP_response_get1_basic(rsp);
Packit 90a5c9 
    if (bs == NULL) {
Packit 90a5c9 
        /* If we can't parse response just pass it to client */
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934)
Packit 90a5c9 
                     "stapling_check_response: Error Parsing Response!");
Packit 90a5c9 
        return SSL_TLSEXT_ERR_OK;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
Packit 90a5c9 
                               &thisupd, &nextupd)) {
Packit 90a5c9 
        /* If ID not present pass back to client (if configured so) */
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01935)
Packit 90a5c9 
                     "stapling_check_response: certificate ID not present in response!");
Packit 90a5c9 
        if (mctx->stapling_return_errors == FALSE)
Packit 90a5c9 
            rv = SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9 
    }
Packit 90a5c9 
    else {
Packit 90a5c9 
        if (OCSP_check_validity(thisupd, nextupd,
Packit 90a5c9 
                                mctx->stapling_resptime_skew,
Packit 90a5c9 
                                mctx->stapling_resp_maxage)) {
Packit 90a5c9 
            if (pok)
Packit 90a5c9 
                *pok = TRUE;
Packit 90a5c9 
        }
Packit 90a5c9 
        else {
Packit 90a5c9 
            /* If pok is not NULL response was direct from a responder and
Packit 90a5c9 
             * the times should be valide. If pok is NULL the response was
Packit 90a5c9 
             * retrieved from cache and it is expected to subsequently expire
Packit 90a5c9 
             */
Packit 90a5c9 
            if (pok) {
Packit 90a5c9 
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01936)
Packit 90a5c9 
                             "stapling_check_response: response times invalid");
Packit 90a5c9 
            }
Packit 90a5c9 
            else {
Packit 90a5c9 
                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01937)
Packit 90a5c9 
                             "stapling_check_response: cached response expired");
Packit 90a5c9 
            }
Packit 90a5c9
Packit 90a5c9 
            rv = SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9 
        }
Packit 90a5c9
Packit 90a5c9 
        if (status != V_OCSP_CERTSTATUS_GOOD) {
Packit 90a5c9 
            char snum[MAX_STRING_LEN] = { '\0' };
Packit 90a5c9 
            BIO *bio = BIO_new(BIO_s_mem());
Packit 90a5c9
Packit 90a5c9 
            if (bio) {
Packit 90a5c9 
                int n;
Packit 90a5c9 
                ASN1_INTEGER *pserial;
Packit 90a5c9 
                OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
Packit 90a5c9 
                if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
Packit 90a5c9 
                    ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
Packit 90a5c9 
                    snum[n] = '\0';
Packit 90a5c9 
                BIO_free(bio);
Packit 90a5c9 
            }
Packit 90a5c9
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02969)
Packit 90a5c9 
                         "stapling_check_response: response has certificate "
Packit 90a5c9 
                         "status %s (reason: %s) for serial number %s",
Packit 90a5c9 
                         OCSP_cert_status_str(status),
Packit 90a5c9 
                         (reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
Packit 90a5c9 
                         OCSP_crl_reason_str(reason) : "n/a",
Packit 90a5c9 
                         snum[0] ? snum : "[n/a]");
Packit 90a5c9
Packit 90a5c9 
            if (mctx->stapling_return_errors == FALSE) {
Packit 90a5c9 
                if (pok)
Packit 90a5c9 
                    *pok = FALSE;
Packit 90a5c9 
                rv = SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9 
            }
Packit 90a5c9 
        }
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    OCSP_BASICRESP_free(bs);
Packit 90a5c9
Packit 90a5c9 
    return rv;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
Packit 90a5c9 
                                    certinfo *cinf, OCSP_RESPONSE **prsp,
Packit 90a5c9 
                                    BOOL *pok, apr_pool_t *pool)
Packit 90a5c9 
{
Packit 90a5c9 
    conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
Packit 90a5c9 
    apr_pool_t *vpool;
Packit 90a5c9 
    OCSP_REQUEST *req = NULL;
Packit 90a5c9 
    OCSP_CERTID *id = NULL;
Packit 90a5c9 
    STACK_OF(X509_EXTENSION) *exts;
Packit 90a5c9 
    int i;
Packit 90a5c9 
    BOOL rv = TRUE;
Packit 90a5c9 
    const char *ocspuri;
Packit 90a5c9 
    apr_uri_t uri;
Packit 90a5c9
Packit 90a5c9 
    *prsp = NULL;
Packit 90a5c9 
    /* Build up OCSP query from server certificate info */
Packit 90a5c9 
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01938)
Packit 90a5c9 
                 "stapling_renew_response: querying responder");
Packit 90a5c9
Packit 90a5c9 
    req = OCSP_REQUEST_new();
Packit 90a5c9 
    if (!req)
Packit 90a5c9 
        goto err;
Packit 90a5c9 
    id = OCSP_CERTID_dup(cinf->cid);
Packit 90a5c9 
    if (!id)
Packit 90a5c9 
        goto err;
Packit 90a5c9 
    if (!OCSP_request_add0_id(req, id))
Packit 90a5c9 
        goto err;
Packit 90a5c9 
    id = NULL;
Packit 90a5c9 
    /* Add any extensions to the request */
Packit 90a5c9 
    SSL_get_tlsext_status_exts(ssl, &exts);
Packit 90a5c9 
    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
Packit 90a5c9 
        X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
Packit 90a5c9 
        if (!OCSP_REQUEST_add_ext(req, ext, -1))
Packit 90a5c9 
            goto err;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    if (mctx->stapling_force_url)
Packit 90a5c9 
        ocspuri = mctx->stapling_force_url;
Packit 90a5c9 
    else
Packit 90a5c9 
        ocspuri = cinf->uri;
Packit 90a5c9
Packit 90a5c9 
    if (!ocspuri) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
Packit 90a5c9 
                     "stapling_renew_response: no uri for responder");
Packit 90a5c9 
        rv = FALSE;
Packit 90a5c9 
        goto done;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    /* Create a temporary pool to constrain memory use */
Packit 90a5c9 
    apr_pool_create(&vpool, conn->pool);
Packit 90a5c9
Packit 90a5c9 
    if (apr_uri_parse(vpool, ocspuri, &uri) != APR_SUCCESS) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01939)
Packit 90a5c9 
                     "stapling_renew_response: Error parsing uri %s",
Packit 90a5c9 
                      ocspuri);
Packit 90a5c9 
        rv = FALSE;
Packit 90a5c9 
        goto done;
Packit 90a5c9 
    }
Packit 90a5c9 
    else if (strcmp(uri.scheme, "http")) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01940)
Packit 90a5c9 
                     "stapling_renew_response: Unsupported uri %s", ocspuri);
Packit 90a5c9 
        rv = FALSE;
Packit 90a5c9 
        goto done;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    if (!uri.port) {
Packit 90a5c9 
        uri.port = apr_uri_port_of_scheme(uri.scheme);
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    *prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout,
Packit 90a5c9 
                                         req, conn, vpool);
Packit 90a5c9
Packit 90a5c9 
    apr_pool_destroy(vpool);
Packit 90a5c9
Packit 90a5c9 
    if (!*prsp) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01941)
Packit 90a5c9 
                     "stapling_renew_response: responder error");
Packit 90a5c9 
        if (mctx->stapling_fake_trylater) {
Packit 90a5c9 
            *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
Packit 90a5c9 
        }
Packit 90a5c9 
        else {
Packit 90a5c9 
            goto done;
Packit 90a5c9 
        }
Packit 90a5c9 
    }
Packit 90a5c9 
    else {
Packit 90a5c9 
        int response_status = OCSP_response_status(*prsp);
Packit 90a5c9
Packit 90a5c9 
        if (response_status == OCSP_RESPONSE_STATUS_SUCCESSFUL) {
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01942)
Packit 90a5c9 
                        "stapling_renew_response: query response received");
Packit 90a5c9 
            stapling_check_response(s, mctx, cinf, *prsp, pok);
Packit 90a5c9 
            if (*pok == FALSE) {
Packit 90a5c9 
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01943)
Packit 90a5c9 
                             "stapling_renew_response: error in retrieved response!");
Packit 90a5c9 
            }
Packit 90a5c9 
        }
Packit 90a5c9 
        else {
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01944)
Packit 90a5c9 
                         "stapling_renew_response: responder error %s",
Packit 90a5c9 
                         OCSP_response_status_str(response_status));
Packit 90a5c9 
            *pok = FALSE;
Packit 90a5c9 
        }
Packit 90a5c9 
    }
Packit 90a5c9 
    if (stapling_cache_response(s, mctx, *prsp, cinf, *pok, pool) == FALSE) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01945)
Packit 90a5c9 
                     "stapling_renew_response: error caching response!");
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
done:
Packit 90a5c9 
    if (id)
Packit 90a5c9 
        OCSP_CERTID_free(id);
Packit 90a5c9 
    if (req)
Packit 90a5c9 
        OCSP_REQUEST_free(req);
Packit 90a5c9 
    return rv;
Packit 90a5c9 
err:
Packit 90a5c9 
    rv = FALSE;
Packit 90a5c9 
    goto done;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
/*
Packit 90a5c9 
 * SSL stapling mutex operations. Similar to SSL mutex except mutexes are
Packit 90a5c9 
 * mandatory if stapling is enabled.
Packit 90a5c9 
 */
Packit 90a5c9 
static int ssl_stapling_mutex_init(server_rec *s, apr_pool_t *p)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9 
    SSLSrvConfigRec *sc = mySrvConfig(s);
Packit 90a5c9 
    apr_status_t rv;
Packit 90a5c9
Packit 90a5c9 
    /* already init or stapling not enabled? */
Packit 90a5c9 
    if (mc->stapling_refresh_mutex || sc->server->stapling_enabled != TRUE) {
Packit 90a5c9 
        return TRUE;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    /* need a cache mutex? */
Packit 90a5c9 
    if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
Packit 90a5c9 
        if ((rv = ap_global_mutex_create(&mc->stapling_cache_mutex, NULL,
Packit 90a5c9 
                                         SSL_STAPLING_CACHE_MUTEX_TYPE, NULL, s,
Packit 90a5c9 
                                         s->process->pool, 0)) != APR_SUCCESS) {
Packit 90a5c9 
            return FALSE;
Packit 90a5c9 
        }
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    /* always need stapling_refresh_mutex */
Packit 90a5c9 
    if ((rv = ap_global_mutex_create(&mc->stapling_refresh_mutex, NULL,
Packit 90a5c9 
                                     SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL, s,
Packit 90a5c9 
                                     s->process->pool, 0)) != APR_SUCCESS) {
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    return TRUE;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_mutex_reinit_helper(server_rec *s, apr_pool_t *p,
Packit 90a5c9 
                                        apr_global_mutex_t **mutex,
Packit 90a5c9 
                                        const char *type)
Packit 90a5c9 
{
Packit 90a5c9 
    apr_status_t rv;
Packit 90a5c9 
    const char *lockfile;
Packit 90a5c9
Packit 90a5c9 
    lockfile = apr_global_mutex_lockfile(*mutex);
Packit 90a5c9 
    if ((rv = apr_global_mutex_child_init(mutex,
Packit 90a5c9 
                                          lockfile, p)) != APR_SUCCESS) {
Packit 90a5c9 
        if (lockfile) {
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(01946)
Packit 90a5c9 
                         "Cannot reinit %s mutex with file `%s'",
Packit 90a5c9 
                         type, lockfile);
Packit 90a5c9 
        }
Packit 90a5c9 
        else {
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01947)
Packit 90a5c9 
                         "Cannot reinit %s mutex", type);
Packit 90a5c9 
        }
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9 
    return TRUE;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
int ssl_stapling_mutex_reinit(server_rec *s, apr_pool_t *p)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9
Packit 90a5c9 
    if (mc->stapling_cache_mutex != NULL
Packit 90a5c9 
        && stapling_mutex_reinit_helper(s, p, &mc->stapling_cache_mutex,
Packit 90a5c9 
                                        SSL_STAPLING_CACHE_MUTEX_TYPE) == FALSE) {
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    if (mc->stapling_refresh_mutex != NULL
Packit 90a5c9 
        && stapling_mutex_reinit_helper(s, p, &mc->stapling_refresh_mutex,
Packit 90a5c9 
                                        SSL_STAPLING_REFRESH_MUTEX_TYPE) == FALSE) {
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    return TRUE;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_mutex_on(server_rec *s, apr_global_mutex_t *mutex,
Packit 90a5c9 
                             const char *name)
Packit 90a5c9 
{
Packit 90a5c9 
    apr_status_t rv;
Packit 90a5c9
Packit 90a5c9 
    if ((rv = apr_global_mutex_lock(mutex)) != APR_SUCCESS) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01948)
Packit 90a5c9 
                     "Failed to acquire OCSP %s lock", name);
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9 
    return TRUE;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_mutex_off(server_rec *s, apr_global_mutex_t *mutex,
Packit 90a5c9 
                              const char *name)
Packit 90a5c9 
{
Packit 90a5c9 
    apr_status_t rv;
Packit 90a5c9
Packit 90a5c9 
    if ((rv = apr_global_mutex_unlock(mutex)) != APR_SUCCESS) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01949)
Packit 90a5c9 
                     "Failed to release OCSP %s lock", name);
Packit 90a5c9 
        return FALSE;
Packit 90a5c9 
    }
Packit 90a5c9 
    return TRUE;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_cache_mutex_on(server_rec *s)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9
Packit 90a5c9 
    return stapling_mutex_on(s, mc->stapling_cache_mutex,
Packit 90a5c9 
                             SSL_STAPLING_CACHE_MUTEX_TYPE);
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_cache_mutex_off(server_rec *s)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9
Packit 90a5c9 
    return stapling_mutex_off(s, mc->stapling_cache_mutex,
Packit 90a5c9 
                              SSL_STAPLING_CACHE_MUTEX_TYPE);
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_refresh_mutex_on(server_rec *s)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9
Packit 90a5c9 
    return stapling_mutex_on(s, mc->stapling_refresh_mutex,
Packit 90a5c9 
                             SSL_STAPLING_REFRESH_MUTEX_TYPE);
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int stapling_refresh_mutex_off(server_rec *s)
Packit 90a5c9 
{
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9
Packit 90a5c9 
    return stapling_mutex_off(s, mc->stapling_refresh_mutex,
Packit 90a5c9 
                              SSL_STAPLING_REFRESH_MUTEX_TYPE);
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
static int get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx,
Packit 90a5c9 
                                         OCSP_RESPONSE **rsp, BOOL *pok,
Packit 90a5c9 
                                         certinfo *cinf, apr_pool_t *p)
Packit 90a5c9 
{
Packit 90a5c9 
    BOOL ok = FALSE;
Packit 90a5c9 
    int rv;
Packit 90a5c9
Packit 90a5c9 
    AP_DEBUG_ASSERT(*rsp == NULL);
Packit 90a5c9
Packit 90a5c9 
    /* Check to see if we already have a response for this certificate */
Packit 90a5c9 
    stapling_get_cached_response(s, rsp, &ok, cinf, p);
Packit 90a5c9
Packit 90a5c9 
    if (*rsp) {
Packit 90a5c9 
        /* see if response is acceptable */
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953)
Packit 90a5c9 
                     "stapling_cb: retrieved cached response");
Packit 90a5c9 
        rv = stapling_check_response(s, mctx, cinf, *rsp, NULL);
Packit 90a5c9 
        if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
Packit 90a5c9 
            OCSP_RESPONSE_free(*rsp);
Packit 90a5c9 
            *rsp = NULL;
Packit 90a5c9 
            return SSL_TLSEXT_ERR_ALERT_FATAL;
Packit 90a5c9 
        }
Packit 90a5c9 
        else if (rv == SSL_TLSEXT_ERR_NOACK) {
Packit 90a5c9 
            /* Error in response. If this error was not present when it was
Packit 90a5c9 
             * stored (i.e. response no longer valid) then it can be
Packit 90a5c9 
             * renewed straight away.
Packit 90a5c9 
             *
Packit 90a5c9 
             * If the error *was* present at the time it was stored then we
Packit 90a5c9 
             * don't renew the response straight away; we just wait for the
Packit 90a5c9 
             * cached response to expire.
Packit 90a5c9 
             */
Packit 90a5c9 
            if (ok) {
Packit 90a5c9 
                OCSP_RESPONSE_free(*rsp);
Packit 90a5c9 
                *rsp = NULL;
Packit 90a5c9 
            }
Packit 90a5c9 
            else if (!mctx->stapling_return_errors) {
Packit 90a5c9 
                OCSP_RESPONSE_free(*rsp);
Packit 90a5c9 
                *rsp = NULL;
Packit 90a5c9 
                *pok = FALSE;
Packit 90a5c9 
                return SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9 
            }
Packit 90a5c9 
        }
Packit 90a5c9 
    }
Packit 90a5c9 
    return 0;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
/* Certificate Status callback. This is called when a client includes a
Packit 90a5c9 
 * certificate status request extension.
Packit 90a5c9 
 *
Packit 90a5c9 
 * Check for cached responses in session cache. If valid send back to
Packit 90a5c9 
 * client.  If absent or no longer valid, query responder and update
Packit 90a5c9 
 * cache.
Packit 90a5c9 
 */
Packit 90a5c9 
static int stapling_cb(SSL *ssl, void *arg)
Packit 90a5c9 
{
Packit 90a5c9 
    conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
Packit 90a5c9 
    server_rec *s       = mySrvFromConn(conn);
Packit 90a5c9 
    SSLSrvConfigRec *sc = mySrvConfig(s);
Packit 90a5c9 
    SSLConnRec *sslconn = myConnConfig(conn);
Packit 90a5c9 
    modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
Packit 90a5c9 
    certinfo *cinf = NULL;
Packit 90a5c9 
    OCSP_RESPONSE *rsp = NULL;
Packit 90a5c9 
    int rv;
Packit 90a5c9 
    BOOL ok = TRUE;
Packit 20f7c8 
    X509 *x;
Packit 20f7c8 
    unsigned char *rspder = NULL;
Packit 20f7c8 
    int rspderlen;
Packit 90a5c9
Packit 20f7c8 
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)
Packit 20f7c8 
                 "stapling_cb: OCSP Stapling callback called");
Packit 20f7c8
Packit 20f7c8 
    x = SSL_get_certificate(ssl);
Packit 20f7c8 
    if (x == NULL) {
Packit 20f7c8 
        return SSL_TLSEXT_ERR_NOACK;
Packit 20f7c8 
    }
Packit 20f7c8
Packit 20f7c8 
    if (ssl_run_get_stapling_status(&rspder, &rspderlen, conn, s, x) == APR_SUCCESS) {
Packit 20f7c8 
        /* a hook handles stapling for this certicate and determines the response */
Packit 20f7c8 
        if (rspder == NULL || rspderlen <= 0) {
Packit 20f7c8 
            return SSL_TLSEXT_ERR_NOACK;
Packit 20f7c8 
        }
Packit 20f7c8 
        SSL_set_tlsext_status_ocsp_resp(ssl, rspder, rspderlen);
Packit 20f7c8 
        return SSL_TLSEXT_ERR_OK;
Packit 20f7c8 
    }
Packit 20f7c8
Packit 90a5c9 
    if (sc->server->stapling_enabled != TRUE) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01950)
Packit 90a5c9 
                     "stapling_cb: OCSP Stapling disabled");
Packit 90a5c9 
        return SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 20f7c8 
    if ((cinf = stapling_get_certinfo(s, x, mctx, ssl)) == NULL) {
Packit 90a5c9 
        return SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01952)
Packit 90a5c9 
                 "stapling_cb: retrieved cached certificate data");
Packit 90a5c9
Packit 90a5c9 
    rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf, conn->pool);
Packit 90a5c9 
    if (rv != 0) {
Packit 90a5c9 
        return rv;
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    if (rsp == NULL) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01954)
Packit 90a5c9 
                     "stapling_cb: renewing cached response");
Packit 90a5c9 
        stapling_refresh_mutex_on(s);
Packit 90a5c9 
        /* Maybe another request refreshed the OCSP response while this
Packit 90a5c9 
         * thread waited for the mutex.  Check again.
Packit 90a5c9 
         */
Packit 90a5c9 
        rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf,
Packit 90a5c9 
                                           conn->pool);
Packit 90a5c9 
        if (rv != 0) {
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03236)
Packit 90a5c9 
                         "stapling_cb: error checking for cached response "
Packit 90a5c9 
                         "after obtaining refresh mutex");
Packit 90a5c9 
            stapling_refresh_mutex_off(s);
Packit 90a5c9 
            return rv;
Packit 90a5c9 
        }
Packit 90a5c9 
        else if (rsp) {
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03237)
Packit 90a5c9 
                         "stapling_cb: don't need to refresh cached response "
Packit 90a5c9 
                         "after obtaining refresh mutex");
Packit 90a5c9 
            stapling_refresh_mutex_off(s);
Packit 90a5c9 
        }
Packit 90a5c9 
        else {
Packit 90a5c9 
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03238)
Packit 90a5c9 
                         "stapling_cb: still must refresh cached response "
Packit 90a5c9 
                         "after obtaining refresh mutex");
Packit 90a5c9 
            rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, &ok,
Packit 90a5c9 
                                         conn->pool);
Packit 90a5c9 
            stapling_refresh_mutex_off(s);
Packit 90a5c9
Packit 90a5c9 
            if (rv == TRUE) {
Packit 90a5c9 
                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03040)
Packit 90a5c9 
                             "stapling_cb: success renewing response");
Packit 90a5c9 
            }
Packit 90a5c9 
            else {
Packit 90a5c9 
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01955)
Packit 90a5c9 
                             "stapling_cb: fatal error renewing response");
Packit 90a5c9 
                return SSL_TLSEXT_ERR_ALERT_FATAL;
Packit 90a5c9 
            }
Packit 90a5c9 
        }
Packit 90a5c9 
    }
Packit 90a5c9
Packit 90a5c9 
    if (rsp && ((ok == TRUE) || (mctx->stapling_return_errors == TRUE))) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01956)
Packit 90a5c9 
                     "stapling_cb: setting response");
Packit 90a5c9 
        if (!stapling_set_response(ssl, rsp))
Packit 90a5c9 
            return SSL_TLSEXT_ERR_ALERT_FATAL;
Packit 90a5c9 
        return SSL_TLSEXT_ERR_OK;
Packit 90a5c9 
    }
Packit 90a5c9 
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
Packit 90a5c9 
                 "stapling_cb: no suitable response available");
Packit 90a5c9
Packit 90a5c9 
    return SSL_TLSEXT_ERR_NOACK;
Packit 90a5c9
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p,
Packit 90a5c9 
                                  apr_pool_t *ptemp, modssl_ctx_t *mctx)
Packit 90a5c9 
{
Packit 90a5c9 
    SSL_CTX *ctx = mctx->ssl_ctx;
Packit 90a5c9 
    SSLModConfigRec *mc = myModConfig(s);
Packit 90a5c9
Packit 90a5c9 
    if (mc->stapling_cache == NULL) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
Packit 90a5c9 
                     "SSLStapling: no stapling cache available");
Packit 90a5c9 
        return ssl_die(s);
Packit 90a5c9 
    }
Packit 90a5c9 
    if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
Packit 90a5c9 
        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
Packit 90a5c9 
                     "SSLStapling: cannot initialise stapling mutex");
Packit 90a5c9 
        return ssl_die(s);
Packit 90a5c9 
    }
Packit 90a5c9 
    /* Set some default values for parameters if they are not set */
Packit 90a5c9 
    if (mctx->stapling_resptime_skew == UNSET) {
Packit 90a5c9 
        mctx->stapling_resptime_skew = 60 * 5;
Packit 90a5c9 
    }
Packit 90a5c9 
    if (mctx->stapling_cache_timeout == UNSET) {
Packit 90a5c9 
        mctx->stapling_cache_timeout = 3600;
Packit 90a5c9 
    }
Packit 90a5c9 
    if (mctx->stapling_return_errors == UNSET) {
Packit 90a5c9 
        mctx->stapling_return_errors = TRUE;
Packit 90a5c9 
    }
Packit 90a5c9 
    if (mctx->stapling_fake_trylater == UNSET) {
Packit 90a5c9 
        mctx->stapling_fake_trylater = TRUE;
Packit 90a5c9 
    }
Packit 90a5c9 
    if (mctx->stapling_errcache_timeout == UNSET) {
Packit 90a5c9 
        mctx->stapling_errcache_timeout = 600;
Packit 90a5c9 
    }
Packit 90a5c9 
    if (mctx->stapling_responder_timeout == UNSET) {
Packit 90a5c9 
        mctx->stapling_responder_timeout = 10 * APR_USEC_PER_SEC;
Packit 90a5c9 
    }
Packit 20f7c8
Packit 90a5c9 
    SSL_CTX_set_tlsext_status_cb(ctx, stapling_cb);
Packit 90a5c9 
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01960) "OCSP stapling initialized");
Packit 20f7c8
Packit 90a5c9 
    return APR_SUCCESS;
Packit 90a5c9 
}
Packit 90a5c9
Packit 90a5c9 
#endif

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation