Context Navigation

gnutls_ocsp.c @ 506e64a

Visit:

asynciodebian/masterproxy-ticket

Last change on this file since 506e64a was 506e64a, checked in by Fiona Klute <fiona.klute@…>, 3 years ago

Optionally return cache expiry time when caching an OCSP response

This will be needed to adjust intervals of OCSP watchdog callbacks.

Property mode set to 100644

File size: 33.3 KB

Rev	Line
[104e881]	1	/*
[3c123cd]	2	* Copyright 2016 Fiona Klute
[94cb972]	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*/
	16
	17	#include "gnutls_ocsp.h"
	18	#include "mod_gnutls.h"
[6b4136c]	19	#include "gnutls_cache.h"
[c39ae1a]	20	#include "gnutls_config.h"
[16ad0eb]	21	#include "gnutls_util.h"
[d35b98e]	22
[47a909e]	23	#include <apr_escape.h>
[d35b98e]	24	#include <apr_lib.h>
	25	#include <apr_time.h>
	26	#include <gnutls/ocsp.h>
	27	#include <time.h>
[94cb972]	28
	29	#ifdef APLOG_USE_MODULE
	30	APLOG_USE_MODULE(gnutls);
	31	#endif
	32
[104e881]	33	/** maximum supported OCSP response size, 8K should be plenty */
[16ad0eb]	34	#define OCSP_RESP_SIZE_MAX (8 * 1024)
	35	#define OCSP_REQ_TYPE "application/ocsp-request"
	36	#define OCSP_RESP_TYPE "application/ocsp-response"
	37
[104e881]	38	/** Dummy data for failure cache entries (one byte). */
[c6dda6d]	39	#define OCSP_FAILURE_CACHE_DATA 0x0f
	40
[d35b98e]	41
[08817d0]	42	#define _log_one_ocsp_fail(str, srv) \
	43	ap_log_error(APLOG_MARK, APLOG_INFO, APR_EGENERAL, (srv), \
	44	"Reason for failed OCSP response verification: %s", (str))
[104e881]	45	/**
[d35b98e]	46	* Log all matching reasons for verification failure
	47	*/
[08817d0]	48	static void _log_verify_fail_reason(const unsigned int verify, server_rec *s)
[d35b98e]	49	{
	50	if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
[08817d0]	51	_log_one_ocsp_fail("Signer cert not found", s);
[d35b98e]	52
	53	if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
[08817d0]	54	_log_one_ocsp_fail("Signer cert keyusage error", s);
[d35b98e]	55
	56	if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
[08817d0]	57	_log_one_ocsp_fail("Signer cert is not trusted", s);
[d35b98e]	58
	59	if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
[08817d0]	60	_log_one_ocsp_fail("Insecure algorithm", s);
[d35b98e]	61
	62	if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
[08817d0]	63	_log_one_ocsp_fail("Signature failure", s);
[d35b98e]	64
	65	if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
[08817d0]	66	_log_one_ocsp_fail("Signer cert not yet activated", s);
[d35b98e]	67
	68	if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
[08817d0]	69	_log_one_ocsp_fail("Signer cert expired", s);
[d35b98e]	70	}
	71
	72
	73
[4d4a406]	74	const char mgs_ocsp_stapling_enable(cmd_parms parms,
	75	void *dummy __attribute__((unused)),
	76	const int arg)
	77	{
	78	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	79	ap_get_module_config(parms->server->module_config, &gnutls_module);
	80
	81	if (arg)
	82	sc->ocsp_staple = GNUTLS_ENABLED_TRUE;
	83	else
	84	sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
	85
	86	return NULL;
	87	}
	88
	89
	90
[b888e8b]	91	const char mgs_set_ocsp_check_nonce(cmd_parms parms,
	92	void *dummy __attribute__((unused)),
	93	const int arg)
	94	{
	95	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	96	ap_get_module_config(parms->server->module_config, &gnutls_module);
	97
	98	if (arg)
	99	sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
	100	else
	101	sc->ocsp_check_nonce = GNUTLS_ENABLED_FALSE;
	102
	103	return NULL;
	104	}
	105
	106
	107
[94cb972]	108	const char mgs_store_ocsp_response_path(cmd_parms parms,
	109	void *dummy __attribute__((unused)),
	110	const char *arg)
	111	{
	112	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	113	ap_get_module_config(parms->server->module_config, &gnutls_module);
	114
	115	sc->ocsp_response_file = ap_server_root_relative(parms->pool, arg);
	116	return NULL;
	117	}
	118
[d35b98e]	119
	120
	121	/**
[47a909e]	122	* Create an OCSP request for the certificate of the given server. The
	123	* DER encoded request is stored in 'req' (must be released with
	124	* gnutls_free() when no longer needed), its nonce in 'nonce' (same,
	125	* if not NULL).
	126	*
	127	* Returns GNUTLS_E_SUCCESS, or a GnuTLS error code.
	128	*/
[16ad0eb]	129	static int mgs_create_ocsp_request(server_rec s, gnutls_datum_t req,
	130	gnutls_datum_t *nonce)
	131	__attribute__((nonnull(1, 2)));
	132	static int mgs_create_ocsp_request(server_rec s, gnutls_datum_t req,
[47a909e]	133	gnutls_datum_t *nonce)
	134	{
	135	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	136	ap_get_module_config(s->module_config, &gnutls_module);
	137
	138	gnutls_ocsp_req_t r;
	139	int ret = gnutls_ocsp_req_init(&r);
	140	if (ret != GNUTLS_E_SUCCESS)
	141	{
	142	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	143	"Could not initialize OCSP request structure: %s (%d)",
	144	gnutls_strerror(ret), ret);
	145	return ret;
	146	}
	147
	148	/* GnuTLS doc says that the digest is "normally"
	149	* GNUTLS_DIG_SHA1. */
	150	ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256,
	151	sc->certs_x509_crt_chain[1],
	152	sc->certs_x509_crt_chain[0]);
	153
	154	if (ret != GNUTLS_E_SUCCESS)
	155	{
	156	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	157	"Adding certificate to OCSP request for %s:%d "
	158	"failed: %s (%d)",
	159	s->server_hostname, s->addrs->host_port,
	160	gnutls_strerror(ret), ret);
	161	gnutls_ocsp_req_deinit(r);
	162	return ret;
	163	}
	164
	165	ret = gnutls_ocsp_req_randomize_nonce(r);
	166	if (ret != GNUTLS_E_SUCCESS)
	167	{
	168	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	169	"OCSP nonce creation failed: %s (%d)",
	170	gnutls_strerror(ret), ret);
	171	gnutls_ocsp_req_deinit(r);
	172	return ret;
	173	}
	174
	175	if (nonce != NULL)
	176	{
	177	ret = gnutls_ocsp_req_get_nonce(r, NULL, nonce);
	178	if (ret != GNUTLS_E_SUCCESS)
	179	{
	180	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	181	"Could not get nonce: %s (%d)",
	182	gnutls_strerror(ret), ret);
	183	gnutls_free(nonce->data);
	184	nonce->data = NULL;
	185	nonce->size = 0;
	186	gnutls_ocsp_req_deinit(r);
	187	return ret;
	188	}
	189	}
	190
	191	ret = gnutls_ocsp_req_export(r, req);
	192	if (ret != GNUTLS_E_SUCCESS)
	193	{
	194	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	195	"OCSP request export failed: %s (%d)",
	196	gnutls_strerror(ret), ret);
	197	gnutls_free(req->data);
	198	req->data = NULL;
	199	req->size = 0;
	200	if (nonce != NULL)
	201	{
	202	gnutls_free(nonce->data);
	203	nonce->data = NULL;
	204	nonce->size = 0;
	205	}
	206	gnutls_ocsp_req_deinit(r);
	207	return ret;
	208	}
	209
	210	gnutls_ocsp_req_deinit(r);
	211	return ret;
	212	}
	213
	214
[16ad0eb]	215
[47a909e]	216	/**
[08817d0]	217	* Check if the provided OCSP response is usable for stapling in
	218	* connections to this server. Returns GNUTLS_E_SUCCESS if yes.
	219	*
	220	* Supports only one certificate status per response.
[366d1a1]	221	*
	222	* If expiry is not NULL, it will be set to the nextUpdate time
[5559aa6]	223	* contained in the response, or zero if the response does not contain
	224	* a nextUpdate field.
[894efd0]	225	*
	226	* If nonce is not NULL, the response must contain a matching nonce.
[d35b98e]	227	*/
[366d1a1]	228	int check_ocsp_response(server_rec s, const gnutls_datum_t ocsp_response,
[894efd0]	229	apr_time_t* expiry, const gnutls_datum_t *nonce)
	230	__attribute__((nonnull(1, 2)));
	231	int check_ocsp_response(server_rec s, const gnutls_datum_t ocsp_response,
	232	apr_time_t* expiry, const gnutls_datum_t *nonce)
[d35b98e]	233	{
[08817d0]	234	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	235	ap_get_module_config(s->module_config, &gnutls_module);
	236
[cc74801e]	237	if (sc->ocsp->trust == NULL)
[d35b98e]	238	{
[08817d0]	239	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	240	"No OCSP trust list available for server \"%s\"!",
	241	s->server_hostname);
[d35b98e]	242	return GNUTLS_E_NO_CERTIFICATE_FOUND;
	243	}
[2a1ffd6]	244
[d35b98e]	245	gnutls_ocsp_resp_t resp;
[fad7695]	246	int ret = gnutls_ocsp_resp_init(&resp);
[d35b98e]	247	if (ret != GNUTLS_E_SUCCESS)
	248	{
[08817d0]	249	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	250	"Could not initialize OCSP response structure: %s (%d)",
	251	gnutls_strerror(ret), ret);
[d35b98e]	252	goto resp_cleanup;
	253	}
	254	ret = gnutls_ocsp_resp_import(resp, ocsp_response);
	255	if (ret != GNUTLS_E_SUCCESS)
	256	{
[08817d0]	257	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	258	"Importing OCSP response failed: %s (%d)",
	259	gnutls_strerror(ret), ret);
[d35b98e]	260	goto resp_cleanup;
	261	}
	262
[08817d0]	263	ret = gnutls_ocsp_resp_check_crt(resp, 0, sc->certs_x509_crt_chain[0]);
[d35b98e]	264	if (ret != GNUTLS_E_SUCCESS)
	265	{
[08817d0]	266	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	267	"OCSP response is not for server certificate: %s (%d)",
	268	gnutls_strerror(ret), ret);
[d35b98e]	269	goto resp_cleanup;
	270	}
	271
	272	unsigned int verify;
[cc74801e]	273	ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp->trust), &verify, 0);
[d35b98e]	274	if (ret != GNUTLS_E_SUCCESS)
	275	{
[08817d0]	276	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	277	"OCSP response verification failed: %s (%d)",
	278	gnutls_strerror(ret), ret);
[d35b98e]	279	goto resp_cleanup;
	280	}
	281	else
	282	{
	283	/* verification worked, check the result */
	284	if (verify != 0)
	285	{
[08817d0]	286	_log_verify_fail_reason(verify, s);
[d35b98e]	287	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	288	goto resp_cleanup;
	289	}
	290	else
[8a0da86]	291	ap_log_error(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, s,
[894efd0]	292	"OCSP response signature is valid.");
	293	}
	294
[b888e8b]	295	/* Even some large CAs do not support nonces, probably because
	296	* that way they can cache responses. :-/ */
	297	if (nonce != NULL && sc->ocsp_check_nonce)
[894efd0]	298	{
	299	gnutls_datum_t resp_nonce;
	300	ret = gnutls_ocsp_resp_get_nonce(resp, 0, &resp_nonce);
	301	if (ret != GNUTLS_E_SUCCESS)
	302	{
	303	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	304	"Could not get OCSP response nonce: %s (%d)",
	305	gnutls_strerror(ret), ret);
	306	goto resp_cleanup;
	307	}
	308	if (resp_nonce.size != nonce->size
	309	\|\| memcmp(resp_nonce.data, nonce->data, nonce->size))
	310	{
	311	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	312	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	313	"OCSP response invalid: nonce mismatch");
	314	gnutls_free(resp_nonce.data);
	315	goto resp_cleanup;
	316	}
	317	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
	318	"OCSP response: nonce match");
	319	gnutls_free(resp_nonce.data);
[d35b98e]	320	}
	321
	322	/* OK, response is for our certificate and valid, let's get the
	323	* actual response data. */
	324	unsigned int cert_status;
	325	time_t this_update;
	326	time_t next_update;
	327	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
	328	&cert_status, &this_update,
	329	&next_update, NULL, NULL);
	330	if (ret != GNUTLS_E_SUCCESS)
	331	{
[08817d0]	332	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	333	"Could not get OCSP response data: %s (%d)",
	334	gnutls_strerror(ret), ret);
[d35b98e]	335	goto resp_cleanup;
	336	}
	337
	338	apr_time_t now = apr_time_now();
	339	apr_time_t valid_at;
	340	apr_time_ansi_put(&valid_at, this_update);
	341	/* Buffer for human-readable times produced by apr_rfc822_date,
	342	* see apr_time.h */
	343	char date_str[APR_RFC822_DATE_LEN];
	344	apr_rfc822_date(date_str, valid_at);
	345
	346	if (now < valid_at)
	347	{
	348	/* We don't know if our clock or that of the OCSP responder is
	349	* out of sync, so warn but continue. */
[08817d0]	350	ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
	351	"OSCP response claims to be from future (%s), check "
	352	"time synchronization!", date_str);
[d35b98e]	353	}
	354
	355	if (next_update == (time_t) -1)
[366d1a1]	356	{
[08817d0]	357	ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
	358	"OSCP response does not contain nextUpdate info.");
[366d1a1]	359	if (expiry != NULL)
	360	*expiry = 0;
	361	}
[d35b98e]	362	else
	363	{
	364	apr_time_t valid_to;
	365	apr_time_ansi_put(&valid_to, next_update);
[366d1a1]	366	if (expiry != NULL)
	367	*expiry = valid_to;
[d35b98e]	368	if (now > valid_to)
	369	{
	370	apr_rfc822_date(date_str, valid_to);
[08817d0]	371	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	372	"OCSP response has expired at %s!", date_str);
[2a1ffd6]	373	/* Do not send a stale response */
[d35b98e]	374	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	375	goto resp_cleanup;
	376	}
	377	}
	378
	379	/* What's the actual status? Will be one of
	380	* gnutls_ocsp_cert_status_t as defined in gnutls/ocsp.h. */
	381	if (cert_status == GNUTLS_OCSP_CERT_GOOD)
	382	{
	383	/* Yay, everything's good! */
[08817d0]	384	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
	385	"CA flagged certificate as valid at %s.", date_str);
[d35b98e]	386	}
	387	else
	388	{
[08817d0]	389	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	390	"CA flagged certificate as %s at %s.",
	391	cert_status == GNUTLS_OCSP_CERT_REVOKED ?
	392	"revoked" : "unknown", date_str);
[d35b98e]	393	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	394	}
	395
	396	resp_cleanup:
	397	gnutls_ocsp_resp_deinit(resp);
	398	return ret;
	399	}
	400
	401
	402
[6b4136c]	403	/*
	404	* Returns the certificate fingerprint, memory is allocated from p.
	405	*/
	406	static gnutls_datum_t mgs_get_cert_fingerprint(apr_pool_t *p,
	407	gnutls_x509_crt_t cert)
	408	{
	409	gnutls_datum_t fingerprint = {NULL, 0};
[82745d1]	410	size_t fplen = 0;
[6b4136c]	411	gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, NULL, &fplen);
	412	unsigned char * fp = apr_palloc(p, fplen);
	413	gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, fp, &fplen);
[4bf4ce2]	414	/* Safe integer type conversion: The types of fingerprint.size
	415	* (unsigned int) and fplen (size_t) may have different
	416	* lengths. */
[ef06c74]	417	#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
	418	if (__builtin_expect(fplen <= UINT_MAX, 1))
	419	{
	420	fingerprint.size = (unsigned int) fplen;
	421	fingerprint.data = fp;
	422	}
	423	#else
[4bf4ce2]	424	if (__builtin_add_overflow(fplen, 0, &fingerprint.size))
	425	fingerprint.size = 0;
	426	else
	427	fingerprint.data = fp;
[ef06c74]	428	#endif
[6b4136c]	429	return fingerprint;
	430	}
	431
	432
	433
[16ad0eb]	434	static apr_status_t do_ocsp_request(apr_pool_t p, server_rec s,
	435	gnutls_datum_t *request,
	436	gnutls_datum_t *response)
	437	__attribute__((nonnull));
	438	static apr_status_t do_ocsp_request(apr_pool_t p, server_rec s,
	439	gnutls_datum_t *request,
	440	gnutls_datum_t *response)
	441	{
	442	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	443	ap_get_module_config(s->module_config, &gnutls_module);
	444
	445	if (apr_strnatcmp(sc->ocsp->uri->scheme, "http"))
	446	{
	447	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	448	"Scheme \"%s\" is not supported for OCSP requests!",
	449	sc->ocsp->uri->scheme);
	450	return APR_EINVAL;
	451	}
	452
	453	const char* header = http_post_header(p, sc->ocsp->uri,
	454	OCSP_REQ_TYPE, OCSP_RESP_TYPE,
	455	request->size);
[8a0da86]	456	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
[16ad0eb]	457	"OCSP POST header: %s", header);
	458
	459	/* Find correct port */
	460	apr_port_t port = sc->ocsp->uri->port ?
	461	sc->ocsp->uri->port : apr_uri_port_of_scheme(sc->ocsp->uri->scheme);
	462
	463	apr_sockaddr_t *sa;
	464	apr_status_t rv = apr_sockaddr_info_get(&sa, sc->ocsp->uri->hostname,
	465	APR_UNSPEC, port, 0, p);
	466	if (rv != APR_SUCCESS)
	467	{
	468	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	469	"Address resolution for OCSP responder %s failed.",
	470	sc->ocsp->uri->hostinfo);
	471	}
	472
	473	/* There may be multiple answers, try them in order until one
	474	* works. */
	475	apr_socket_t *sock;
	476	while (sa)
	477	{
	478	rv = apr_socket_create(&sock, sa->family, SOCK_STREAM,
	479	APR_PROTO_TCP, p);
	480	if (rv == APR_SUCCESS)
	481	{
[333bbc7]	482	apr_socket_timeout_set(sock, sc->ocsp_socket_timeout);
[16ad0eb]	483	rv = apr_socket_connect(sock, sa);
	484	if (rv == APR_SUCCESS)
	485	/* Connected! */
	486	break;
	487	apr_socket_close(sock);
	488	}
	489	sa = sa->next;
	490	}
	491	/* If the socket is connected, 'sa' points at the matching
	492	* address. */
	493	if (sa == NULL)
	494	{
	495	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	496	"Connecting to OCSP responder %s failed.",
	497	sc->ocsp->uri->hostinfo);
	498	return rv;
	499	}
	500
	501	/* Header is generated locally, so strlen() is safe. */
	502	rv = sock_send_buf(sock, header, strlen(header));
	503	if (rv == APR_SUCCESS)
	504	rv = sock_send_buf(sock, (char*) request->data, request->size);
	505	/* catches errors from both header and request */
	506	if (rv != APR_SUCCESS)
	507	{
	508	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	509	"Sending OCSP request failed.");
	510	goto exit;
	511	}
	512
	513	/* Prepare bucket brigades to read the response header. BBs make
	514	* it easy to split the header into lines. */
	515	apr_bucket_alloc_t *ba = apr_bucket_alloc_create(p);
	516	apr_bucket_brigade *bb = apr_brigade_create(p, ba);
	517	/* will carry split response headers */
	518	apr_bucket_brigade *rh = apr_brigade_create(p, ba);
	519
	520	APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_socket_create(sock, ba));
	521	/* The first line in the response header must be the status, check
	522	* for OK status code. Line looks similar to "HTTP/1.0 200 OK". */
	523	const char *h = read_line(p, bb, rh);
	524	const char *code = 0;
	525	if (h == NULL
	526	\|\| strncmp(h, "HTTP/", 5)
	527	\|\| (code = ap_strchr(h, ' ')) == NULL
	528	\|\| apr_atoi64(code + 1) != HTTP_OK)
	529	{
	530	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	531	"Invalid HTTP response status from %s: %s",
	532	sc->ocsp->uri->hostinfo, h);
	533	rv = APR_ECONNRESET;
	534	goto exit;
	535	}
	536	/* Read remaining header lines */
	537	for (h = read_line(p, bb, rh); h != NULL && apr_strnatcmp(h, "") != 0;
	538	h = read_line(p, bb, rh))
	539	{
	540	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
	541	"Received header: %s", h);
	542	}
	543	/* The last header line should be empty (""), NULL indicates an
	544	* error. */
	545	if (h == NULL)
	546	{
	547	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	548	"Error while reading HTTP response header from %s",
	549	sc->ocsp->uri->hostinfo);
	550	rv = APR_ECONNRESET;
	551	goto exit;
	552	}
	553
	554	/* Headers have been consumed, the rest of the available data
	555	* should be the actual response. */
	556	apr_size_t len = OCSP_RESP_SIZE_MAX;
	557	char buf[OCSP_RESP_SIZE_MAX];
	558	/* apr_brigade_pflatten() can allocate directly from the pool, but
	559	* the documentation does not describe a way to limit the size of
	560	* the buffer, which is necessary here to prevent DoS by endless
	561	* response. Use apr_brigade_flatten() to read to a stack pool,
	562	* then create a copy to return. */
	563	rv = apr_brigade_flatten(bb, buf, &len);
	564	if (rv != APR_SUCCESS)
	565	{
	566	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	567	"Failed to read OCSP response.");
	568	goto exit;
	569	}
	570
[ef06c74]	571	/* With the length restriction this really should not overflow. */
	572	#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
	573	if (__builtin_expect(len > UINT_MAX, 0))
	574	#else
[16ad0eb]	575	if (__builtin_add_overflow(len, 0, &response->size))
[ef06c74]	576	#endif
[16ad0eb]	577	{
	578	response->data = NULL;
	579	rv = APR_ENOMEM;
	580	}
	581	else
	582	{
[ef06c74]	583	#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
	584	response->size = (unsigned int) len;
	585	#endif
[16ad0eb]	586	response->data = apr_pmemdup(p, buf, len);
	587	}
	588
	589	exit:
	590	apr_socket_close(sock);
	591	return rv;
	592	}
	593
	594
	595
[506e64a]	596	/**
	597	* Get a fresh OCSP response and put it into the cache.
	598	*
	599	* @param s server that needs a new response
	600	*
	601	* @param cache_expiry If not `NULL`, this `apr_time_t` will be set to
	602	* the expiration time of the cache entry. Remains unchanged on
	603	* failure.
	604	*
	605	* @return APR_SUCCESS or an APR error code
	606	*/
	607	static apr_status_t mgs_cache_ocsp_response(server_rec *s,
	608	apr_time_t *cache_expiry)
[6b4136c]	609	{
	610	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	611	ap_get_module_config(s->module_config, &gnutls_module);
	612
[e809fb3]	613	if (sc->cache == NULL)
[6b4136c]	614	{
[e809fb3]	615	/* OCSP caching requires a cache. */
[6b4136c]	616	return APR_ENOTIMPL;
	617	}
	618
	619	apr_pool_t *tmp;
	620	apr_status_t rv = apr_pool_create(&tmp, NULL);
[366d1a1]	621	if (rv != APR_SUCCESS)
	622	{
	623	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	624	"could not create temporary pool for %s",
	625	__func__);
	626	return rv;
	627	}
[6b4136c]	628
[78b75b3]	629	gnutls_datum_t resp;
	630	gnutls_datum_t nonce = { NULL, 0 };
	631
	632	if (sc->ocsp_response_file != NULL)
[47a909e]	633	{
[78b75b3]	634	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
	635	"Loading OCSP response from %s",
	636	sc->ocsp_response_file);
	637	rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);
	638	if (rv != APR_SUCCESS)
	639	{
	640	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	641	"Loading OCSP response from %s failed!",
	642	sc->ocsp_response_file);
	643	apr_pool_destroy(tmp);
	644	return rv;
	645	}
[82745d1]	646	}
	647	else
	648	{
[78b75b3]	649	gnutls_datum_t req;
	650	int ret = mgs_create_ocsp_request(s, &req, &nonce);
	651	if (ret == GNUTLS_E_SUCCESS)
	652	{
	653	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
	654	"created OCSP request for %s:%d: %s",
	655	s->server_hostname, s->addrs->host_port,
	656	apr_pescape_hex(tmp, req.data, req.size, 0));
	657	}
	658	else
	659	{
	660	gnutls_free(req.data);
	661	gnutls_free(nonce.data);
	662	apr_pool_destroy(tmp);
	663	return APR_EGENERAL;
	664	}
[47a909e]	665
[78b75b3]	666	rv = do_ocsp_request(tmp, s, &req, &resp);
	667	gnutls_free(req.data);
	668	if (rv != APR_SUCCESS)
	669	{
	670	/* do_ocsp_request() does its own error logging. */
	671	gnutls_free(nonce.data);
	672	apr_pool_destroy(tmp);
	673	return rv;
	674	}
[6b4136c]	675	}
[16ad0eb]	676
[e1c094c]	677	apr_time_t next_update;
	678	if (check_ocsp_response(s, &resp, &next_update, nonce.size ? &nonce : NULL)
[78b75b3]	679	!= GNUTLS_E_SUCCESS)
[08817d0]	680	{
	681	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,
	682	"OCSP response validation failed, cannot "
	683	"update cache.");
	684	apr_pool_destroy(tmp);
[894efd0]	685	gnutls_free(nonce.data);
[08817d0]	686	return APR_EGENERAL;
	687	}
[894efd0]	688	gnutls_free(nonce.data);
	689
[e1c094c]	690	apr_time_t expiry = apr_time_now() + sc->ocsp_cache_time;
	691	/* Make sure that a response is not cached beyond its nextUpdate
	692	* time. If the variable next_update is zero, the response does
	693	* not contain a nextUpdate field. */
	694	if (next_update != 0 && next_update < expiry)
	695	{
	696	char date_str[APR_RFC822_DATE_LEN];
	697	apr_rfc822_date(date_str, next_update);
	698	ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
	699	"OCSP response timeout restricted to nextUpdate time %s. "
	700	"Check if GnuTLSOCSPCacheTimeout is appropriate.",
	701	date_str);
	702	expiry = next_update;
	703	}
[366d1a1]	704
[a372379]	705	int r = sc->cache->store(s, sc->ocsp->fingerprint, resp, expiry);
[6b4136c]	706	/* destroy pool, and original copy of the OCSP response with it */
	707	apr_pool_destroy(tmp);
	708	if (r != 0)
	709	{
	710	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	711	"Storing OCSP response in cache failed.");
	712	return APR_EGENERAL;
	713	}
[506e64a]	714
	715	if (cache_expiry != NULL)
	716	*cache_expiry = expiry;
[6b4136c]	717	return APR_SUCCESS;
	718	}
	719
	720
	721
[c6dda6d]	722	/*
	723	* Retries after failed OCSP requests must be rate limited. If the
	724	* responder is overloaded or buggy we don't want to add too much more
	725	* load, and if a MITM is messing with requests a repetition loop
	726	* might end up being a self-inflicted denial of service.
	727	*/
	728	void mgs_cache_ocsp_failure(server_rec *s)
	729	{
	730	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	731	ap_get_module_config(s->module_config, &gnutls_module);
	732
	733	unsigned char c = OCSP_FAILURE_CACHE_DATA;
	734	gnutls_datum_t dummy = {
	735	.data = &c,
	736	.size = sizeof(c)
	737	};
	738	apr_time_t expiry = apr_time_now() + sc->ocsp_failure_timeout;
	739
	740	char date_str[APR_RFC822_DATE_LEN];
	741	apr_rfc822_date(date_str, expiry);
	742	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	743	"OCSP request for %s failed, next try after %s.",
	744	s->server_hostname, date_str);
	745
	746	int r = sc->cache->store(s, sc->ocsp->fingerprint, dummy, expiry);
	747	if (r != 0)
	748	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	749	"Caching OCSP failure failed.");
	750	}
	751
	752
	753
[994a5fb]	754	int mgs_get_ocsp_response(gnutls_session_t session,
	755	void *ptr __attribute__((unused)),
[94cb972]	756	gnutls_datum_t *ocsp_response)
	757	{
[994a5fb]	758	mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
[1de1026]	759	mgs_srvconf_rec *sc = ctxt->sc;
	760
	761	if (!sc->ocsp_staple \|\| sc->cache == NULL)
[e809fb3]	762	{
[4d4a406]	763	/* OCSP must be enabled and caching requires a cache. */
[e809fb3]	764	return GNUTLS_E_NO_CERTIFICATE_STATUS;
	765	}
[94cb972]	766
[1de1026]	767	*ocsp_response = sc->cache->fetch(ctxt,
	768	sc->ocsp->fingerprint);
[6b4136c]	769	if (ocsp_response->size == 0)
[94cb972]	770	{
[8a0da86]	771	ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
[6b4136c]	772	"Fetching OCSP response from cache failed.");
[68ce93c]	773	}
[c6dda6d]	774	else if ((ocsp_response->size == sizeof(unsigned char)) &&
	775	(((unsigned char ) ocsp_response->data) == OCSP_FAILURE_CACHE_DATA))
	776	{
	777	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
	778	"Cached OCSP failure found for %s.",
	779	ctxt->c->base_server->server_hostname);
	780	goto fail_cleanup;
	781	}
[68ce93c]	782	else
	783	{
[5559aa6]	784	return GNUTLS_E_SUCCESS;
[94cb972]	785	}
[368e581]	786	/* get rid of invalid response (if any) */
	787	gnutls_free(ocsp_response->data);
[08817d0]	788	ocsp_response->data = NULL;
[368e581]	789
	790	/* If the cache had no response or an invalid one, try to update. */
	791	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
	792	"No valid OCSP response in cache, trying to update.");
[d6834e0]	793
[1de1026]	794	apr_status_t rv = apr_global_mutex_trylock(sc->ocsp_mutex);
[d6834e0]	795	if (APR_STATUS_IS_EBUSY(rv))
	796	{
	797	/* Another thread is currently holding the mutex, wait. */
[1de1026]	798	apr_global_mutex_lock(sc->ocsp_mutex);
[d6834e0]	799	/* Check if this other thread updated the response we need. It
	800	* would be better to have a vhost specific mutex, but at the
	801	* moment there's no good way to integrate that with the
	802	* Apache Mutex directive. */
[1de1026]	803	*ocsp_response = sc->cache->fetch(ctxt,
	804	sc->ocsp->fingerprint);
[5559aa6]	805	if (ocsp_response->size > 0)
[d6834e0]	806	{
	807	/* Got a valid response now, unlock mutex and return. */
[1de1026]	808	apr_global_mutex_unlock(sc->ocsp_mutex);
[d6834e0]	809	return GNUTLS_E_SUCCESS;
	810	}
	811	else
	812	{
	813	gnutls_free(ocsp_response->data);
	814	ocsp_response->data = NULL;
	815	}
	816	}
	817
[506e64a]	818	rv = mgs_cache_ocsp_response(ctxt->c->base_server, NULL);
[368e581]	819	if (rv != APR_SUCCESS)
	820	{
	821	ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctxt->c,
[c6dda6d]	822	"Caching a fresh OCSP response failed");
	823	/* cache failure to rate limit retries */
	824	mgs_cache_ocsp_failure(ctxt->c->base_server);
[1de1026]	825	apr_global_mutex_unlock(sc->ocsp_mutex);
[368e581]	826	goto fail_cleanup;
	827	}
[1de1026]	828	apr_global_mutex_unlock(sc->ocsp_mutex);
[368e581]	829
	830	/* retry reading from cache */
[1de1026]	831	*ocsp_response = sc->cache->fetch(ctxt,
	832	sc->ocsp->fingerprint);
[368e581]	833	if (ocsp_response->size == 0)
	834	{
	835	ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
	836	"Fetching OCSP response from cache failed on retry.");
	837	}
	838	else
	839	{
[5559aa6]	840	return GNUTLS_E_SUCCESS;
[368e581]	841	}
[94cb972]	842
[68ce93c]	843	/* failure, clean up response data */
[368e581]	844	fail_cleanup:
[d35b98e]	845	gnutls_free(ocsp_response->data);
	846	ocsp_response->size = 0;
	847	ocsp_response->data = NULL;
	848	return GNUTLS_E_NO_CERTIFICATE_STATUS;
[94cb972]	849	}
[2a1ffd6]	850
	851
	852
	853	int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
	854	const gnutls_x509_crt_t *chain,
	855	const int num)
	856	{
	857	int added = 0;
	858	int ret = gnutls_x509_trust_list_init(tl, num);
	859
	860	if (ret == GNUTLS_E_SUCCESS)
	861	added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
	862
	863	if (added != num)
	864	ret = GNUTLS_E_CERTIFICATE_ERROR;
	865
	866	/* Clean up trust list in case of error */
	867	if (ret != GNUTLS_E_SUCCESS)
	868	gnutls_x509_trust_list_deinit(*tl, 0);
	869
	870	return ret;
	871	}
[fad7695]	872
	873
	874
	875	apr_status_t mgs_cleanup_trust_list(void *data)
	876	{
	877	gnutls_x509_trust_list_t tl = (gnutls_x509_trust_list_t ) data;
	878	gnutls_x509_trust_list_deinit(*tl, 0);
	879	return APR_SUCCESS;
	880	}
	881
	882
	883
[fd6bb19]	884	apr_uri_t * mgs_cert_get_ocsp_uri(apr_pool_t *p, gnutls_x509_crt_t cert)
	885	{
	886	apr_pool_t *tmp;
	887	apr_status_t rv = apr_pool_create(&tmp, p);
	888	if (rv != APR_SUCCESS)
	889	return NULL;
	890
	891	apr_uri_t *ocsp_uri = NULL;
	892
	893	int ret = GNUTLS_E_SUCCESS;
	894	/* search authority info access for OCSP URI */
	895	for (int seq = 0; ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; seq++)
	896	{
	897	gnutls_datum_t ocsp_access_data;
	898	ret = gnutls_x509_crt_get_authority_info_access(cert, seq,
	899	GNUTLS_IA_OCSP_URI,
	900	&ocsp_access_data,
	901	NULL);
	902	if (ret == GNUTLS_E_SUCCESS)
	903	{
	904	/* create NULL terminated string */
	905	char *ocsp_str =
	906	apr_pstrndup(tmp, (const char*) ocsp_access_data.data,
	907	ocsp_access_data.size);
	908	gnutls_free(ocsp_access_data.data);
	909
	910	ocsp_uri = apr_palloc(p, sizeof(apr_uri_t));
	911	rv = apr_uri_parse(p, ocsp_str, ocsp_uri);
	912	if (rv == APR_SUCCESS)
	913	break;
	914	else
	915	ocsp_uri = NULL;
	916	}
	917	}
	918
	919	apr_pool_destroy(tmp);
	920	return ocsp_uri;
	921	}
	922
	923
	924
[fad7695]	925	/*
	926	* Like in the general post_config hook the HTTP status codes for
	927	* errors are just for fun. What matters is "neither OK nor DECLINED"
	928	* to denote an error.
	929	*/
[fd6bb19]	930	int mgs_ocsp_post_config_server(apr_pool_t *pconf,
	931	apr_pool_t *ptemp __attribute__((unused)),
	932	server_rec *server)
[fad7695]	933	{
[fd6bb19]	934	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	935	ap_get_module_config(server->module_config, &gnutls_module);
[fad7695]	936
	937	if (sc->certs_x509_chain_num < 2)
	938	{
	939	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
	940	"OCSP stapling is enabled but no CA certificate "
[4ae7810]	941	"available for %s:%d, make sure it is included in "
	942	"GnuTLSCertificateFile!",
	943	server->server_hostname, server->addrs->host_port);
[fad7695]	944	return HTTP_NOT_FOUND;
	945	}
[fd6bb19]	946
[b888e8b]	947	/* set default values for unset parameters */
	948	if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
	949	sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
[e1c094c]	950	if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
	951	sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);
[c39ae1a]	952	if (sc->ocsp_failure_timeout == MGS_TIMEOUT_UNSET)
	953	sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
	954	if (sc->ocsp_socket_timeout == MGS_TIMEOUT_UNSET)
	955	sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
	956
[cc74801e]	957	sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
[fd6bb19]	958
[a372379]	959	sc->ocsp->fingerprint =
	960	mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
	961	if (sc->ocsp->fingerprint.data == NULL)
	962	return HTTP_INTERNAL_SERVER_ERROR;
	963
[cc74801e]	964	sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
	965	sc->certs_x509_crt_chain[0]);
[f1147b6]	966	if (sc->ocsp->uri == NULL && sc->ocsp_response_file == NULL)
	967	{
	968	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
	969	"OCSP stapling is enabled for for %s:%d, but there is "
	970	"neither an OCSP URI in the certificate nor a "
	971	"GnuTLSOCSPResponseFile setting for this host!",
	972	server->server_hostname, server->addrs->host_port);
	973	return HTTP_NOT_FOUND;
	974	}
[cc74801e]	975
	976	sc->ocsp->trust = apr_palloc(pconf,
	977	sizeof(gnutls_x509_trust_list_t));
[fad7695]	978	/* Only the direct issuer may sign the OCSP response or an OCSP
	979	* signer. */
[cc74801e]	980	int ret = mgs_create_ocsp_trust_list(sc->ocsp->trust,
[fad7695]	981	&(sc->certs_x509_crt_chain[1]),
	982	1);
	983	if (ret != GNUTLS_E_SUCCESS)
	984	{
	985	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
	986	"Could not create OCSP trust list: %s (%d)",
	987	gnutls_strerror(ret), ret);
	988	return HTTP_INTERNAL_SERVER_ERROR;
	989	}
	990	/* deinit trust list when the config pool is destroyed */
[cc74801e]	991	apr_pool_cleanup_register(pconf, sc->ocsp->trust,
[fad7695]	992	mgs_cleanup_trust_list,
	993	apr_pool_cleanup_null);
	994
[994a5fb]	995	/* enable status request callback */
	996	gnutls_certificate_set_ocsp_status_request_function(sc->certs,
	997	mgs_get_ocsp_response,
	998	sc);
	999
[fad7695]	1000	return OK;
	1001	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_ocsp.c @ 506e64a

Download in other formats: