Context Navigation

gnutls_ocsp.c @ a467635

Visit:

asynciodebian/masterproxy-ticket

Last change on this file since a467635 was a467635, checked in by Fiona Klute <fiona.klute@…>, 3 years ago

Enable asynchronous OCSP updates

Asynchronous updates are always enabled if mod_watchdog is
available. For now, the OCSP cache lifetime is used as the callback
interval.

Property mode set to 100644

File size: 36.2 KB

Rev	Line
[104e881]	1	/*
[3c123cd]	2	* Copyright 2016 Fiona Klute
[94cb972]	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*/
	16
	17	#include "gnutls_ocsp.h"
	18	#include "mod_gnutls.h"
[6b4136c]	19	#include "gnutls_cache.h"
[c39ae1a]	20	#include "gnutls_config.h"
[16ad0eb]	21	#include "gnutls_util.h"
[a467635]	22	#include "gnutls_watchdog.h"
[d35b98e]	23
[47a909e]	24	#include <apr_escape.h>
[d35b98e]	25	#include <apr_lib.h>
	26	#include <apr_time.h>
	27	#include <gnutls/ocsp.h>
[a467635]	28	#include <mod_watchdog.h>
[d35b98e]	29	#include <time.h>
[94cb972]	30
	31	#ifdef APLOG_USE_MODULE
	32	APLOG_USE_MODULE(gnutls);
	33	#endif
	34
[104e881]	35	/** maximum supported OCSP response size, 8K should be plenty */
[16ad0eb]	36	#define OCSP_RESP_SIZE_MAX (8 * 1024)
	37	#define OCSP_REQ_TYPE "application/ocsp-request"
	38	#define OCSP_RESP_TYPE "application/ocsp-response"
	39
[104e881]	40	/** Dummy data for failure cache entries (one byte). */
[c6dda6d]	41	#define OCSP_FAILURE_CACHE_DATA 0x0f
	42
[d35b98e]	43
[08817d0]	44	#define _log_one_ocsp_fail(str, srv) \
	45	ap_log_error(APLOG_MARK, APLOG_INFO, APR_EGENERAL, (srv), \
	46	"Reason for failed OCSP response verification: %s", (str))
[104e881]	47	/**
[d35b98e]	48	* Log all matching reasons for verification failure
	49	*/
[08817d0]	50	static void _log_verify_fail_reason(const unsigned int verify, server_rec *s)
[d35b98e]	51	{
	52	if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
[08817d0]	53	_log_one_ocsp_fail("Signer cert not found", s);
[d35b98e]	54
	55	if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
[08817d0]	56	_log_one_ocsp_fail("Signer cert keyusage error", s);
[d35b98e]	57
	58	if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
[08817d0]	59	_log_one_ocsp_fail("Signer cert is not trusted", s);
[d35b98e]	60
	61	if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
[08817d0]	62	_log_one_ocsp_fail("Insecure algorithm", s);
[d35b98e]	63
	64	if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
[08817d0]	65	_log_one_ocsp_fail("Signature failure", s);
[d35b98e]	66
	67	if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
[08817d0]	68	_log_one_ocsp_fail("Signer cert not yet activated", s);
[d35b98e]	69
	70	if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
[08817d0]	71	_log_one_ocsp_fail("Signer cert expired", s);
[d35b98e]	72	}
	73
	74
	75
[4d4a406]	76	const char mgs_ocsp_stapling_enable(cmd_parms parms,
	77	void *dummy __attribute__((unused)),
	78	const int arg)
	79	{
	80	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	81	ap_get_module_config(parms->server->module_config, &gnutls_module);
	82
	83	if (arg)
	84	sc->ocsp_staple = GNUTLS_ENABLED_TRUE;
	85	else
	86	sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
	87
	88	return NULL;
	89	}
	90
	91
	92
[b888e8b]	93	const char mgs_set_ocsp_check_nonce(cmd_parms parms,
	94	void *dummy __attribute__((unused)),
	95	const int arg)
	96	{
	97	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	98	ap_get_module_config(parms->server->module_config, &gnutls_module);
	99
	100	if (arg)
	101	sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
	102	else
	103	sc->ocsp_check_nonce = GNUTLS_ENABLED_FALSE;
	104
	105	return NULL;
	106	}
	107
	108
	109
[94cb972]	110	const char mgs_store_ocsp_response_path(cmd_parms parms,
	111	void *dummy __attribute__((unused)),
	112	const char *arg)
	113	{
	114	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	115	ap_get_module_config(parms->server->module_config, &gnutls_module);
	116
	117	sc->ocsp_response_file = ap_server_root_relative(parms->pool, arg);
	118	return NULL;
	119	}
	120
[d35b98e]	121
	122
	123	/**
[47a909e]	124	* Create an OCSP request for the certificate of the given server. The
	125	* DER encoded request is stored in 'req' (must be released with
	126	* gnutls_free() when no longer needed), its nonce in 'nonce' (same,
	127	* if not NULL).
	128	*
	129	* Returns GNUTLS_E_SUCCESS, or a GnuTLS error code.
	130	*/
[16ad0eb]	131	static int mgs_create_ocsp_request(server_rec s, gnutls_datum_t req,
	132	gnutls_datum_t *nonce)
	133	__attribute__((nonnull(1, 2)));
	134	static int mgs_create_ocsp_request(server_rec s, gnutls_datum_t req,
[47a909e]	135	gnutls_datum_t *nonce)
	136	{
	137	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	138	ap_get_module_config(s->module_config, &gnutls_module);
	139
	140	gnutls_ocsp_req_t r;
	141	int ret = gnutls_ocsp_req_init(&r);
	142	if (ret != GNUTLS_E_SUCCESS)
	143	{
	144	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	145	"Could not initialize OCSP request structure: %s (%d)",
	146	gnutls_strerror(ret), ret);
	147	return ret;
	148	}
	149
	150	/* GnuTLS doc says that the digest is "normally"
	151	* GNUTLS_DIG_SHA1. */
	152	ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256,
	153	sc->certs_x509_crt_chain[1],
	154	sc->certs_x509_crt_chain[0]);
	155
	156	if (ret != GNUTLS_E_SUCCESS)
	157	{
	158	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	159	"Adding certificate to OCSP request for %s:%d "
	160	"failed: %s (%d)",
	161	s->server_hostname, s->addrs->host_port,
	162	gnutls_strerror(ret), ret);
	163	gnutls_ocsp_req_deinit(r);
	164	return ret;
	165	}
	166
	167	ret = gnutls_ocsp_req_randomize_nonce(r);
	168	if (ret != GNUTLS_E_SUCCESS)
	169	{
	170	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	171	"OCSP nonce creation failed: %s (%d)",
	172	gnutls_strerror(ret), ret);
	173	gnutls_ocsp_req_deinit(r);
	174	return ret;
	175	}
	176
	177	if (nonce != NULL)
	178	{
	179	ret = gnutls_ocsp_req_get_nonce(r, NULL, nonce);
	180	if (ret != GNUTLS_E_SUCCESS)
	181	{
	182	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	183	"Could not get nonce: %s (%d)",
	184	gnutls_strerror(ret), ret);
	185	gnutls_free(nonce->data);
	186	nonce->data = NULL;
	187	nonce->size = 0;
	188	gnutls_ocsp_req_deinit(r);
	189	return ret;
	190	}
	191	}
	192
	193	ret = gnutls_ocsp_req_export(r, req);
	194	if (ret != GNUTLS_E_SUCCESS)
	195	{
	196	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	197	"OCSP request export failed: %s (%d)",
	198	gnutls_strerror(ret), ret);
	199	gnutls_free(req->data);
	200	req->data = NULL;
	201	req->size = 0;
	202	if (nonce != NULL)
	203	{
	204	gnutls_free(nonce->data);
	205	nonce->data = NULL;
	206	nonce->size = 0;
	207	}
	208	gnutls_ocsp_req_deinit(r);
	209	return ret;
	210	}
	211
	212	gnutls_ocsp_req_deinit(r);
	213	return ret;
	214	}
	215
	216
[16ad0eb]	217
[47a909e]	218	/**
[08817d0]	219	* Check if the provided OCSP response is usable for stapling in
	220	* connections to this server. Returns GNUTLS_E_SUCCESS if yes.
	221	*
	222	* Supports only one certificate status per response.
[366d1a1]	223	*
	224	* If expiry is not NULL, it will be set to the nextUpdate time
[5559aa6]	225	* contained in the response, or zero if the response does not contain
	226	* a nextUpdate field.
[894efd0]	227	*
	228	* If nonce is not NULL, the response must contain a matching nonce.
[d35b98e]	229	*/
[366d1a1]	230	int check_ocsp_response(server_rec s, const gnutls_datum_t ocsp_response,
[894efd0]	231	apr_time_t* expiry, const gnutls_datum_t *nonce)
	232	__attribute__((nonnull(1, 2)));
	233	int check_ocsp_response(server_rec s, const gnutls_datum_t ocsp_response,
	234	apr_time_t* expiry, const gnutls_datum_t *nonce)
[d35b98e]	235	{
[08817d0]	236	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	237	ap_get_module_config(s->module_config, &gnutls_module);
	238
[cc74801e]	239	if (sc->ocsp->trust == NULL)
[d35b98e]	240	{
[08817d0]	241	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	242	"No OCSP trust list available for server \"%s\"!",
	243	s->server_hostname);
[d35b98e]	244	return GNUTLS_E_NO_CERTIFICATE_FOUND;
	245	}
[2a1ffd6]	246
[d35b98e]	247	gnutls_ocsp_resp_t resp;
[fad7695]	248	int ret = gnutls_ocsp_resp_init(&resp);
[d35b98e]	249	if (ret != GNUTLS_E_SUCCESS)
	250	{
[08817d0]	251	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	252	"Could not initialize OCSP response structure: %s (%d)",
	253	gnutls_strerror(ret), ret);
[d35b98e]	254	goto resp_cleanup;
	255	}
	256	ret = gnutls_ocsp_resp_import(resp, ocsp_response);
	257	if (ret != GNUTLS_E_SUCCESS)
	258	{
[08817d0]	259	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	260	"Importing OCSP response failed: %s (%d)",
	261	gnutls_strerror(ret), ret);
[d35b98e]	262	goto resp_cleanup;
	263	}
	264
[08817d0]	265	ret = gnutls_ocsp_resp_check_crt(resp, 0, sc->certs_x509_crt_chain[0]);
[d35b98e]	266	if (ret != GNUTLS_E_SUCCESS)
	267	{
[08817d0]	268	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	269	"OCSP response is not for server certificate: %s (%d)",
	270	gnutls_strerror(ret), ret);
[d35b98e]	271	goto resp_cleanup;
	272	}
	273
	274	unsigned int verify;
[cc74801e]	275	ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp->trust), &verify, 0);
[d35b98e]	276	if (ret != GNUTLS_E_SUCCESS)
	277	{
[08817d0]	278	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	279	"OCSP response verification failed: %s (%d)",
	280	gnutls_strerror(ret), ret);
[d35b98e]	281	goto resp_cleanup;
	282	}
	283	else
	284	{
	285	/* verification worked, check the result */
	286	if (verify != 0)
	287	{
[08817d0]	288	_log_verify_fail_reason(verify, s);
[d35b98e]	289	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	290	goto resp_cleanup;
	291	}
	292	else
[8a0da86]	293	ap_log_error(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, s,
[894efd0]	294	"OCSP response signature is valid.");
	295	}
	296
[b888e8b]	297	/* Even some large CAs do not support nonces, probably because
	298	* that way they can cache responses. :-/ */
	299	if (nonce != NULL && sc->ocsp_check_nonce)
[894efd0]	300	{
	301	gnutls_datum_t resp_nonce;
	302	ret = gnutls_ocsp_resp_get_nonce(resp, 0, &resp_nonce);
	303	if (ret != GNUTLS_E_SUCCESS)
	304	{
	305	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	306	"Could not get OCSP response nonce: %s (%d)",
	307	gnutls_strerror(ret), ret);
	308	goto resp_cleanup;
	309	}
	310	if (resp_nonce.size != nonce->size
	311	\|\| memcmp(resp_nonce.data, nonce->data, nonce->size))
	312	{
	313	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	314	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	315	"OCSP response invalid: nonce mismatch");
	316	gnutls_free(resp_nonce.data);
	317	goto resp_cleanup;
	318	}
	319	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
	320	"OCSP response: nonce match");
	321	gnutls_free(resp_nonce.data);
[d35b98e]	322	}
	323
	324	/* OK, response is for our certificate and valid, let's get the
	325	* actual response data. */
	326	unsigned int cert_status;
	327	time_t this_update;
	328	time_t next_update;
	329	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
	330	&cert_status, &this_update,
	331	&next_update, NULL, NULL);
	332	if (ret != GNUTLS_E_SUCCESS)
	333	{
[08817d0]	334	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	335	"Could not get OCSP response data: %s (%d)",
	336	gnutls_strerror(ret), ret);
[d35b98e]	337	goto resp_cleanup;
	338	}
	339
	340	apr_time_t now = apr_time_now();
	341	apr_time_t valid_at;
	342	apr_time_ansi_put(&valid_at, this_update);
	343	/* Buffer for human-readable times produced by apr_rfc822_date,
	344	* see apr_time.h */
	345	char date_str[APR_RFC822_DATE_LEN];
	346	apr_rfc822_date(date_str, valid_at);
	347
	348	if (now < valid_at)
	349	{
	350	/* We don't know if our clock or that of the OCSP responder is
	351	* out of sync, so warn but continue. */
[08817d0]	352	ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
	353	"OSCP response claims to be from future (%s), check "
	354	"time synchronization!", date_str);
[d35b98e]	355	}
	356
	357	if (next_update == (time_t) -1)
[366d1a1]	358	{
[08817d0]	359	ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
	360	"OSCP response does not contain nextUpdate info.");
[366d1a1]	361	if (expiry != NULL)
	362	*expiry = 0;
	363	}
[d35b98e]	364	else
	365	{
	366	apr_time_t valid_to;
	367	apr_time_ansi_put(&valid_to, next_update);
[366d1a1]	368	if (expiry != NULL)
	369	*expiry = valid_to;
[d35b98e]	370	if (now > valid_to)
	371	{
	372	apr_rfc822_date(date_str, valid_to);
[08817d0]	373	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	374	"OCSP response has expired at %s!", date_str);
[2a1ffd6]	375	/* Do not send a stale response */
[d35b98e]	376	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	377	goto resp_cleanup;
	378	}
	379	}
	380
	381	/* What's the actual status? Will be one of
	382	* gnutls_ocsp_cert_status_t as defined in gnutls/ocsp.h. */
	383	if (cert_status == GNUTLS_OCSP_CERT_GOOD)
	384	{
	385	/* Yay, everything's good! */
[08817d0]	386	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
	387	"CA flagged certificate as valid at %s.", date_str);
[d35b98e]	388	}
	389	else
	390	{
[08817d0]	391	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	392	"CA flagged certificate as %s at %s.",
	393	cert_status == GNUTLS_OCSP_CERT_REVOKED ?
	394	"revoked" : "unknown", date_str);
[d35b98e]	395	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
	396	}
	397
	398	resp_cleanup:
	399	gnutls_ocsp_resp_deinit(resp);
	400	return ret;
	401	}
	402
	403
	404
[6b4136c]	405	/*
	406	* Returns the certificate fingerprint, memory is allocated from p.
	407	*/
	408	static gnutls_datum_t mgs_get_cert_fingerprint(apr_pool_t *p,
	409	gnutls_x509_crt_t cert)
	410	{
	411	gnutls_datum_t fingerprint = {NULL, 0};
[82745d1]	412	size_t fplen = 0;
[6b4136c]	413	gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, NULL, &fplen);
	414	unsigned char * fp = apr_palloc(p, fplen);
	415	gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, fp, &fplen);
[4bf4ce2]	416	/* Safe integer type conversion: The types of fingerprint.size
	417	* (unsigned int) and fplen (size_t) may have different
	418	* lengths. */
[ef06c74]	419	#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
	420	if (__builtin_expect(fplen <= UINT_MAX, 1))
	421	{
	422	fingerprint.size = (unsigned int) fplen;
	423	fingerprint.data = fp;
	424	}
	425	#else
[4bf4ce2]	426	if (__builtin_add_overflow(fplen, 0, &fingerprint.size))
	427	fingerprint.size = 0;
	428	else
	429	fingerprint.data = fp;
[ef06c74]	430	#endif
[6b4136c]	431	return fingerprint;
	432	}
	433
	434
	435
[16ad0eb]	436	static apr_status_t do_ocsp_request(apr_pool_t p, server_rec s,
	437	gnutls_datum_t *request,
	438	gnutls_datum_t *response)
	439	__attribute__((nonnull));
	440	static apr_status_t do_ocsp_request(apr_pool_t p, server_rec s,
	441	gnutls_datum_t *request,
	442	gnutls_datum_t *response)
	443	{
	444	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	445	ap_get_module_config(s->module_config, &gnutls_module);
	446
	447	if (apr_strnatcmp(sc->ocsp->uri->scheme, "http"))
	448	{
	449	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	450	"Scheme \"%s\" is not supported for OCSP requests!",
	451	sc->ocsp->uri->scheme);
	452	return APR_EINVAL;
	453	}
	454
	455	const char* header = http_post_header(p, sc->ocsp->uri,
	456	OCSP_REQ_TYPE, OCSP_RESP_TYPE,
	457	request->size);
[8a0da86]	458	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
[16ad0eb]	459	"OCSP POST header: %s", header);
	460
	461	/* Find correct port */
	462	apr_port_t port = sc->ocsp->uri->port ?
	463	sc->ocsp->uri->port : apr_uri_port_of_scheme(sc->ocsp->uri->scheme);
	464
	465	apr_sockaddr_t *sa;
	466	apr_status_t rv = apr_sockaddr_info_get(&sa, sc->ocsp->uri->hostname,
	467	APR_UNSPEC, port, 0, p);
	468	if (rv != APR_SUCCESS)
	469	{
	470	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	471	"Address resolution for OCSP responder %s failed.",
	472	sc->ocsp->uri->hostinfo);
	473	}
	474
	475	/* There may be multiple answers, try them in order until one
	476	* works. */
	477	apr_socket_t *sock;
	478	while (sa)
	479	{
	480	rv = apr_socket_create(&sock, sa->family, SOCK_STREAM,
	481	APR_PROTO_TCP, p);
	482	if (rv == APR_SUCCESS)
	483	{
[333bbc7]	484	apr_socket_timeout_set(sock, sc->ocsp_socket_timeout);
[16ad0eb]	485	rv = apr_socket_connect(sock, sa);
	486	if (rv == APR_SUCCESS)
	487	/* Connected! */
	488	break;
	489	apr_socket_close(sock);
	490	}
	491	sa = sa->next;
	492	}
	493	/* If the socket is connected, 'sa' points at the matching
	494	* address. */
	495	if (sa == NULL)
	496	{
	497	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	498	"Connecting to OCSP responder %s failed.",
	499	sc->ocsp->uri->hostinfo);
	500	return rv;
	501	}
	502
	503	/* Header is generated locally, so strlen() is safe. */
	504	rv = sock_send_buf(sock, header, strlen(header));
	505	if (rv == APR_SUCCESS)
	506	rv = sock_send_buf(sock, (char*) request->data, request->size);
	507	/* catches errors from both header and request */
	508	if (rv != APR_SUCCESS)
	509	{
	510	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	511	"Sending OCSP request failed.");
	512	goto exit;
	513	}
	514
	515	/* Prepare bucket brigades to read the response header. BBs make
	516	* it easy to split the header into lines. */
	517	apr_bucket_alloc_t *ba = apr_bucket_alloc_create(p);
	518	apr_bucket_brigade *bb = apr_brigade_create(p, ba);
	519	/* will carry split response headers */
	520	apr_bucket_brigade *rh = apr_brigade_create(p, ba);
	521
	522	APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_socket_create(sock, ba));
	523	/* The first line in the response header must be the status, check
	524	* for OK status code. Line looks similar to "HTTP/1.0 200 OK". */
	525	const char *h = read_line(p, bb, rh);
	526	const char *code = 0;
	527	if (h == NULL
	528	\|\| strncmp(h, "HTTP/", 5)
	529	\|\| (code = ap_strchr(h, ' ')) == NULL
	530	\|\| apr_atoi64(code + 1) != HTTP_OK)
	531	{
	532	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	533	"Invalid HTTP response status from %s: %s",
	534	sc->ocsp->uri->hostinfo, h);
	535	rv = APR_ECONNRESET;
	536	goto exit;
	537	}
	538	/* Read remaining header lines */
	539	for (h = read_line(p, bb, rh); h != NULL && apr_strnatcmp(h, "") != 0;
	540	h = read_line(p, bb, rh))
	541	{
	542	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
	543	"Received header: %s", h);
	544	}
	545	/* The last header line should be empty (""), NULL indicates an
	546	* error. */
	547	if (h == NULL)
	548	{
	549	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	550	"Error while reading HTTP response header from %s",
	551	sc->ocsp->uri->hostinfo);
	552	rv = APR_ECONNRESET;
	553	goto exit;
	554	}
	555
	556	/* Headers have been consumed, the rest of the available data
	557	* should be the actual response. */
	558	apr_size_t len = OCSP_RESP_SIZE_MAX;
	559	char buf[OCSP_RESP_SIZE_MAX];
	560	/* apr_brigade_pflatten() can allocate directly from the pool, but
	561	* the documentation does not describe a way to limit the size of
	562	* the buffer, which is necessary here to prevent DoS by endless
	563	* response. Use apr_brigade_flatten() to read to a stack pool,
	564	* then create a copy to return. */
	565	rv = apr_brigade_flatten(bb, buf, &len);
	566	if (rv != APR_SUCCESS)
	567	{
	568	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	569	"Failed to read OCSP response.");
	570	goto exit;
	571	}
	572
[ef06c74]	573	/* With the length restriction this really should not overflow. */
	574	#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
	575	if (__builtin_expect(len > UINT_MAX, 0))
	576	#else
[16ad0eb]	577	if (__builtin_add_overflow(len, 0, &response->size))
[ef06c74]	578	#endif
[16ad0eb]	579	{
	580	response->data = NULL;
	581	rv = APR_ENOMEM;
	582	}
	583	else
	584	{
[ef06c74]	585	#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
	586	response->size = (unsigned int) len;
	587	#endif
[16ad0eb]	588	response->data = apr_pmemdup(p, buf, len);
	589	}
	590
	591	exit:
	592	apr_socket_close(sock);
	593	return rv;
	594	}
	595
	596
	597
[506e64a]	598	/**
	599	* Get a fresh OCSP response and put it into the cache.
	600	*
	601	* @param s server that needs a new response
	602	*
	603	* @param cache_expiry If not `NULL`, this `apr_time_t` will be set to
	604	* the expiration time of the cache entry. Remains unchanged on
	605	* failure.
	606	*
	607	* @return APR_SUCCESS or an APR error code
	608	*/
	609	static apr_status_t mgs_cache_ocsp_response(server_rec *s,
	610	apr_time_t *cache_expiry)
[6b4136c]	611	{
	612	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	613	ap_get_module_config(s->module_config, &gnutls_module);
	614
[e809fb3]	615	if (sc->cache == NULL)
[6b4136c]	616	{
[e809fb3]	617	/* OCSP caching requires a cache. */
[6b4136c]	618	return APR_ENOTIMPL;
	619	}
	620
	621	apr_pool_t *tmp;
	622	apr_status_t rv = apr_pool_create(&tmp, NULL);
[366d1a1]	623	if (rv != APR_SUCCESS)
	624	{
	625	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	626	"could not create temporary pool for %s",
	627	__func__);
	628	return rv;
	629	}
[6b4136c]	630
[78b75b3]	631	gnutls_datum_t resp;
	632	gnutls_datum_t nonce = { NULL, 0 };
	633
	634	if (sc->ocsp_response_file != NULL)
[47a909e]	635	{
[78b75b3]	636	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
	637	"Loading OCSP response from %s",
	638	sc->ocsp_response_file);
	639	rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);
	640	if (rv != APR_SUCCESS)
	641	{
	642	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
	643	"Loading OCSP response from %s failed!",
	644	sc->ocsp_response_file);
	645	apr_pool_destroy(tmp);
	646	return rv;
	647	}
[82745d1]	648	}
	649	else
	650	{
[78b75b3]	651	gnutls_datum_t req;
	652	int ret = mgs_create_ocsp_request(s, &req, &nonce);
	653	if (ret == GNUTLS_E_SUCCESS)
	654	{
	655	ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
	656	"created OCSP request for %s:%d: %s",
	657	s->server_hostname, s->addrs->host_port,
	658	apr_pescape_hex(tmp, req.data, req.size, 0));
	659	}
	660	else
	661	{
	662	gnutls_free(req.data);
	663	gnutls_free(nonce.data);
	664	apr_pool_destroy(tmp);
	665	return APR_EGENERAL;
	666	}
[47a909e]	667
[78b75b3]	668	rv = do_ocsp_request(tmp, s, &req, &resp);
	669	gnutls_free(req.data);
	670	if (rv != APR_SUCCESS)
	671	{
	672	/* do_ocsp_request() does its own error logging. */
	673	gnutls_free(nonce.data);
	674	apr_pool_destroy(tmp);
	675	return rv;
	676	}
[6b4136c]	677	}
[16ad0eb]	678
[e1c094c]	679	apr_time_t next_update;
	680	if (check_ocsp_response(s, &resp, &next_update, nonce.size ? &nonce : NULL)
[78b75b3]	681	!= GNUTLS_E_SUCCESS)
[08817d0]	682	{
	683	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,
	684	"OCSP response validation failed, cannot "
	685	"update cache.");
	686	apr_pool_destroy(tmp);
[894efd0]	687	gnutls_free(nonce.data);
[08817d0]	688	return APR_EGENERAL;
	689	}
[894efd0]	690	gnutls_free(nonce.data);
	691
[e1c094c]	692	apr_time_t expiry = apr_time_now() + sc->ocsp_cache_time;
	693	/* Make sure that a response is not cached beyond its nextUpdate
	694	* time. If the variable next_update is zero, the response does
	695	* not contain a nextUpdate field. */
	696	if (next_update != 0 && next_update < expiry)
	697	{
	698	char date_str[APR_RFC822_DATE_LEN];
	699	apr_rfc822_date(date_str, next_update);
	700	ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
	701	"OCSP response timeout restricted to nextUpdate time %s. "
	702	"Check if GnuTLSOCSPCacheTimeout is appropriate.",
	703	date_str);
	704	expiry = next_update;
	705	}
[366d1a1]	706
[a372379]	707	int r = sc->cache->store(s, sc->ocsp->fingerprint, resp, expiry);
[6b4136c]	708	/* destroy pool, and original copy of the OCSP response with it */
	709	apr_pool_destroy(tmp);
	710	if (r != 0)
	711	{
	712	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	713	"Storing OCSP response in cache failed.");
	714	return APR_EGENERAL;
	715	}
[506e64a]	716
	717	if (cache_expiry != NULL)
	718	*cache_expiry = expiry;
[6b4136c]	719	return APR_SUCCESS;
	720	}
	721
	722
	723
[c6dda6d]	724	/*
	725	* Retries after failed OCSP requests must be rate limited. If the
	726	* responder is overloaded or buggy we don't want to add too much more
	727	* load, and if a MITM is messing with requests a repetition loop
	728	* might end up being a self-inflicted denial of service.
	729	*/
	730	void mgs_cache_ocsp_failure(server_rec *s)
	731	{
	732	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	733	ap_get_module_config(s->module_config, &gnutls_module);
	734
	735	unsigned char c = OCSP_FAILURE_CACHE_DATA;
	736	gnutls_datum_t dummy = {
	737	.data = &c,
	738	.size = sizeof(c)
	739	};
	740	apr_time_t expiry = apr_time_now() + sc->ocsp_failure_timeout;
	741
	742	char date_str[APR_RFC822_DATE_LEN];
	743	apr_rfc822_date(date_str, expiry);
	744	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	745	"OCSP request for %s failed, next try after %s.",
	746	s->server_hostname, date_str);
	747
	748	int r = sc->cache->store(s, sc->ocsp->fingerprint, dummy, expiry);
	749	if (r != 0)
	750	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
	751	"Caching OCSP failure failed.");
	752	}
	753
	754
	755
[994a5fb]	756	int mgs_get_ocsp_response(gnutls_session_t session,
	757	void *ptr __attribute__((unused)),
[94cb972]	758	gnutls_datum_t *ocsp_response)
	759	{
[994a5fb]	760	mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
[1de1026]	761	mgs_srvconf_rec *sc = ctxt->sc;
	762
	763	if (!sc->ocsp_staple \|\| sc->cache == NULL)
[e809fb3]	764	{
[4d4a406]	765	/* OCSP must be enabled and caching requires a cache. */
[e809fb3]	766	return GNUTLS_E_NO_CERTIFICATE_STATUS;
	767	}
[94cb972]	768
[1de1026]	769	*ocsp_response = sc->cache->fetch(ctxt,
	770	sc->ocsp->fingerprint);
[6b4136c]	771	if (ocsp_response->size == 0)
[94cb972]	772	{
[8a0da86]	773	ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
[6b4136c]	774	"Fetching OCSP response from cache failed.");
[68ce93c]	775	}
[c6dda6d]	776	else if ((ocsp_response->size == sizeof(unsigned char)) &&
	777	(((unsigned char ) ocsp_response->data) == OCSP_FAILURE_CACHE_DATA))
	778	{
	779	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
	780	"Cached OCSP failure found for %s.",
	781	ctxt->c->base_server->server_hostname);
	782	goto fail_cleanup;
	783	}
[68ce93c]	784	else
	785	{
[5559aa6]	786	return GNUTLS_E_SUCCESS;
[94cb972]	787	}
[368e581]	788	/* get rid of invalid response (if any) */
	789	gnutls_free(ocsp_response->data);
[08817d0]	790	ocsp_response->data = NULL;
[368e581]	791
	792	/* If the cache had no response or an invalid one, try to update. */
	793	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
	794	"No valid OCSP response in cache, trying to update.");
[d6834e0]	795
[1de1026]	796	apr_status_t rv = apr_global_mutex_trylock(sc->ocsp_mutex);
[d6834e0]	797	if (APR_STATUS_IS_EBUSY(rv))
	798	{
	799	/* Another thread is currently holding the mutex, wait. */
[1de1026]	800	apr_global_mutex_lock(sc->ocsp_mutex);
[d6834e0]	801	/* Check if this other thread updated the response we need. It
	802	* would be better to have a vhost specific mutex, but at the
	803	* moment there's no good way to integrate that with the
	804	* Apache Mutex directive. */
[1de1026]	805	*ocsp_response = sc->cache->fetch(ctxt,
	806	sc->ocsp->fingerprint);
[5559aa6]	807	if (ocsp_response->size > 0)
[d6834e0]	808	{
	809	/* Got a valid response now, unlock mutex and return. */
[1de1026]	810	apr_global_mutex_unlock(sc->ocsp_mutex);
[d6834e0]	811	return GNUTLS_E_SUCCESS;
	812	}
	813	else
	814	{
	815	gnutls_free(ocsp_response->data);
	816	ocsp_response->data = NULL;
	817	}
	818	}
	819
[506e64a]	820	rv = mgs_cache_ocsp_response(ctxt->c->base_server, NULL);
[368e581]	821	if (rv != APR_SUCCESS)
	822	{
	823	ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctxt->c,
[c6dda6d]	824	"Caching a fresh OCSP response failed");
	825	/* cache failure to rate limit retries */
	826	mgs_cache_ocsp_failure(ctxt->c->base_server);
[1de1026]	827	apr_global_mutex_unlock(sc->ocsp_mutex);
[368e581]	828	goto fail_cleanup;
	829	}
[1de1026]	830	apr_global_mutex_unlock(sc->ocsp_mutex);
[368e581]	831
	832	/* retry reading from cache */
[1de1026]	833	*ocsp_response = sc->cache->fetch(ctxt,
	834	sc->ocsp->fingerprint);
[368e581]	835	if (ocsp_response->size == 0)
	836	{
	837	ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
	838	"Fetching OCSP response from cache failed on retry.");
	839	}
	840	else
	841	{
[5559aa6]	842	return GNUTLS_E_SUCCESS;
[368e581]	843	}
[94cb972]	844
[68ce93c]	845	/* failure, clean up response data */
[368e581]	846	fail_cleanup:
[d35b98e]	847	gnutls_free(ocsp_response->data);
	848	ocsp_response->size = 0;
	849	ocsp_response->data = NULL;
	850	return GNUTLS_E_NO_CERTIFICATE_STATUS;
[94cb972]	851	}
[2a1ffd6]	852
	853
	854
	855	int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
	856	const gnutls_x509_crt_t *chain,
	857	const int num)
	858	{
	859	int added = 0;
	860	int ret = gnutls_x509_trust_list_init(tl, num);
	861
	862	if (ret == GNUTLS_E_SUCCESS)
	863	added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
	864
	865	if (added != num)
	866	ret = GNUTLS_E_CERTIFICATE_ERROR;
	867
	868	/* Clean up trust list in case of error */
	869	if (ret != GNUTLS_E_SUCCESS)
	870	gnutls_x509_trust_list_deinit(*tl, 0);
	871
	872	return ret;
	873	}
[fad7695]	874
	875
	876
	877	apr_status_t mgs_cleanup_trust_list(void *data)
	878	{
	879	gnutls_x509_trust_list_t tl = (gnutls_x509_trust_list_t ) data;
	880	gnutls_x509_trust_list_deinit(*tl, 0);
	881	return APR_SUCCESS;
	882	}
	883
	884
	885
[fd6bb19]	886	apr_uri_t * mgs_cert_get_ocsp_uri(apr_pool_t *p, gnutls_x509_crt_t cert)
	887	{
	888	apr_pool_t *tmp;
	889	apr_status_t rv = apr_pool_create(&tmp, p);
	890	if (rv != APR_SUCCESS)
	891	return NULL;
	892
	893	apr_uri_t *ocsp_uri = NULL;
	894
	895	int ret = GNUTLS_E_SUCCESS;
	896	/* search authority info access for OCSP URI */
	897	for (int seq = 0; ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; seq++)
	898	{
	899	gnutls_datum_t ocsp_access_data;
	900	ret = gnutls_x509_crt_get_authority_info_access(cert, seq,
	901	GNUTLS_IA_OCSP_URI,
	902	&ocsp_access_data,
	903	NULL);
	904	if (ret == GNUTLS_E_SUCCESS)
	905	{
	906	/* create NULL terminated string */
	907	char *ocsp_str =
	908	apr_pstrndup(tmp, (const char*) ocsp_access_data.data,
	909	ocsp_access_data.size);
	910	gnutls_free(ocsp_access_data.data);
	911
	912	ocsp_uri = apr_palloc(p, sizeof(apr_uri_t));
	913	rv = apr_uri_parse(p, ocsp_str, ocsp_uri);
	914	if (rv == APR_SUCCESS)
	915	break;
	916	else
	917	ocsp_uri = NULL;
	918	}
	919	}
	920
	921	apr_pool_destroy(tmp);
	922	return ocsp_uri;
	923	}
	924
	925
	926
[a467635]	927	/**
	928	* Perform an asynchronous OCSP cache update. This is a callback for
	929	* mod_watchdog, so the API is fixed.
	930	*
	931	* @param state watchdog state (starting/running/stopping)
	932	* @param data callback data, contains the server_rec
	933	* @param pool temporary callback pool destroyed after the call
	934	* @return always `APR_SUCCESS` as required by the mod_watchdog API to
	935	* indicate that the callback should be called again
	936	*/
	937	static apr_status_t mgs_async_ocsp_update(int state,
	938	void *data,
	939	apr_pool_t *pool __attribute__((unused)))
	940	{
	941	/* If the server is stopping there's no need to do an OCSP
	942	* update. */
	943	if (state == AP_WATCHDOG_STATE_STOPPING)
	944	return APR_SUCCESS;
	945
	946	server_rec s = (server_rec ) data;
	947	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	948	ap_get_module_config(s->module_config, &gnutls_module);
	949	apr_time_t expiry = 0;
	950
	951	/* Callbacks registered to one watchdog instance are run
	952	* sequentially. Child watchdog threads are created in a
	953	* child_init hook, but it doesn't guarantee when callbacks will
	954	* be called for the first time.
	955	*
	956	* Using the mutex should help avoiding duplicate OCSP requests
	957	* (async and during request handling) if requests arrive before
	958	* the startup run completes. However, an early request might
	959	* still get in between initial OCSP caching calls. */
	960	if (state == AP_WATCHDOG_STATE_STARTING)
	961	apr_global_mutex_lock(sc->ocsp_mutex);
	962	apr_status_t rv = mgs_cache_ocsp_response(s, &expiry);
	963	if (state == AP_WATCHDOG_STATE_STARTING)
	964	apr_global_mutex_unlock(sc->ocsp_mutex);
	965
	966	/* TODO: error handling, fuzzy interval */
	967
	968	ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
	969	"Async OCSP update done for %s:%d.",
	970	s->server_hostname, s->addrs->host_port);
	971
	972	return APR_SUCCESS;
	973	}
	974
	975
	976
[fad7695]	977	/*
	978	* Like in the general post_config hook the HTTP status codes for
	979	* errors are just for fun. What matters is "neither OK nor DECLINED"
	980	* to denote an error.
	981	*/
[fd6bb19]	982	int mgs_ocsp_post_config_server(apr_pool_t *pconf,
	983	apr_pool_t *ptemp __attribute__((unused)),
	984	server_rec *server)
[fad7695]	985	{
[fd6bb19]	986	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	987	ap_get_module_config(server->module_config, &gnutls_module);
[fad7695]	988
	989	if (sc->certs_x509_chain_num < 2)
	990	{
	991	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
	992	"OCSP stapling is enabled but no CA certificate "
[4ae7810]	993	"available for %s:%d, make sure it is included in "
	994	"GnuTLSCertificateFile!",
	995	server->server_hostname, server->addrs->host_port);
[fad7695]	996	return HTTP_NOT_FOUND;
	997	}
[fd6bb19]	998
[b888e8b]	999	/* set default values for unset parameters */
	1000	if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
	1001	sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
[e1c094c]	1002	if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
	1003	sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);
[c39ae1a]	1004	if (sc->ocsp_failure_timeout == MGS_TIMEOUT_UNSET)
	1005	sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
	1006	if (sc->ocsp_socket_timeout == MGS_TIMEOUT_UNSET)
	1007	sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
	1008
[cc74801e]	1009	sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
[fd6bb19]	1010
[a372379]	1011	sc->ocsp->fingerprint =
	1012	mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
	1013	if (sc->ocsp->fingerprint.data == NULL)
	1014	return HTTP_INTERNAL_SERVER_ERROR;
	1015
[cc74801e]	1016	sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
	1017	sc->certs_x509_crt_chain[0]);
[f1147b6]	1018	if (sc->ocsp->uri == NULL && sc->ocsp_response_file == NULL)
	1019	{
	1020	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
	1021	"OCSP stapling is enabled for for %s:%d, but there is "
	1022	"neither an OCSP URI in the certificate nor a "
	1023	"GnuTLSOCSPResponseFile setting for this host!",
	1024	server->server_hostname, server->addrs->host_port);
	1025	return HTTP_NOT_FOUND;
	1026	}
[cc74801e]	1027
	1028	sc->ocsp->trust = apr_palloc(pconf,
	1029	sizeof(gnutls_x509_trust_list_t));
[fad7695]	1030	/* Only the direct issuer may sign the OCSP response or an OCSP
	1031	* signer. */
[cc74801e]	1032	int ret = mgs_create_ocsp_trust_list(sc->ocsp->trust,
[fad7695]	1033	&(sc->certs_x509_crt_chain[1]),
	1034	1);
	1035	if (ret != GNUTLS_E_SUCCESS)
	1036	{
	1037	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
	1038	"Could not create OCSP trust list: %s (%d)",
	1039	gnutls_strerror(ret), ret);
	1040	return HTTP_INTERNAL_SERVER_ERROR;
	1041	}
	1042	/* deinit trust list when the config pool is destroyed */
[cc74801e]	1043	apr_pool_cleanup_register(pconf, sc->ocsp->trust,
[fad7695]	1044	mgs_cleanup_trust_list,
	1045	apr_pool_cleanup_null);
	1046
[994a5fb]	1047	/* enable status request callback */
	1048	gnutls_certificate_set_ocsp_status_request_function(sc->certs,
	1049	mgs_get_ocsp_response,
	1050	sc);
	1051
[a467635]	1052	/* The watchdog structure may be NULL if mod_watchdog is
	1053	* unavailable. */
	1054	if (sc->singleton_wd != NULL)
	1055	{
	1056	apr_status_t rv =
	1057	sc->singleton_wd->register_callback(sc->singleton_wd->wd,
	1058	sc->ocsp_cache_time,
	1059	server, mgs_async_ocsp_update);
	1060	if (rv == APR_SUCCESS)
	1061	ap_log_error(APLOG_MARK, APLOG_INFO, rv, server,
	1062	"Enabled async OCSP update via watchdog "
	1063	"for %s:%d",
	1064	server->server_hostname, server->addrs->host_port);
	1065	else
	1066	ap_log_error(APLOG_MARK, APLOG_WARNING, rv, server,
	1067	"Enabling async OCSP update via watchdog "
	1068	"for %s:%d failed!",
	1069	server->server_hostname, server->addrs->host_port);
	1070	}
	1071
[fad7695]	1072	return OK;
	1073	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_ocsp.c @ a467635

Download in other formats: