Context Navigation

gnutls_ocsp.c @ 70a1e5a

Visit:

asynciodebian/masterdebian/stretch-backportsproxy-ticketupstream

Last change on this file since 70a1e5a was 70a1e5a, checked in by Thomas Klute <thomas2.klute@…>, 7 years ago

Introduce OCSP caching grace time

A cached OCSP response must be updated before it expires, or time skew
might cause a client to receive a response it considers expired. In
some corner cases even network transmission delay might have the same
effect. To prevent this problem let the response cache entry expire a
configurable grace time before the response does, so a fresh response
will be fetched.

Property mode set to 100644

File size: 19.2 KB

Line
1	/**
2	* Copyright 2016 Thomas Klute
3	*
4	* Licensed under the Apache License, Version 2.0 (the "License");
5	* you may not use this file except in compliance with the License.
6	* You may obtain a copy of the License at
7	*
8	* http://www.apache.org/licenses/LICENSE-2.0
9	*
10	* Unless required by applicable law or agreed to in writing, software
11	* distributed under the License is distributed on an "AS IS" BASIS,
12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	* See the License for the specific language governing permissions and
14	* limitations under the License.
15	*/
16
17	#include "gnutls_ocsp.h"
18	#include "mod_gnutls.h"
19	#include "gnutls_cache.h"
20
21	#include <apr_lib.h>
22	#include <apr_time.h>
23	#include <gnutls/ocsp.h>
24	#include <time.h>
25
26	#ifdef APLOG_USE_MODULE
27	APLOG_USE_MODULE(gnutls);
28	#endif
29
30
31
32	#define _log_one_ocsp_fail(str, srv) \
33	ap_log_error(APLOG_MARK, APLOG_INFO, APR_EGENERAL, (srv), \
34	"Reason for failed OCSP response verification: %s", (str))
35	/*
36	* Log all matching reasons for verification failure
37	*/
38	static void _log_verify_fail_reason(const unsigned int verify, server_rec *s)
39	{
40	if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
41	_log_one_ocsp_fail("Signer cert not found", s);
42
43	if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
44	_log_one_ocsp_fail("Signer cert keyusage error", s);
45
46	if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
47	_log_one_ocsp_fail("Signer cert is not trusted", s);
48
49	if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
50	_log_one_ocsp_fail("Insecure algorithm", s);
51
52	if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
53	_log_one_ocsp_fail("Signature failure", s);
54
55	if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
56	_log_one_ocsp_fail("Signer cert not yet activated", s);
57
58	if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
59	_log_one_ocsp_fail("Signer cert expired", s);
60	}
61
62
63
64	const char mgs_store_ocsp_response_path(cmd_parms parms,
65	void *dummy __attribute__((unused)),
66	const char *arg)
67	{
68	mgs_srvconf_rec sc = (mgs_srvconf_rec )
69	ap_get_module_config(parms->server->module_config, &gnutls_module);
70
71	sc->ocsp_response_file = ap_server_root_relative(parms->pool, arg);
72	return NULL;
73	}
74
75
76
77	/**
78	* Check if the time specified in the nextUpdate field (if any) of the
79	* given OCSP response has passed. Returns GNUTLS_E_SUCCESS if it has
80	* not (so the response is still valid), or there is no such field.
81	*
82	* Note that this function does not do a signature check, it is meant
83	* to operate on cached responses that have been verified before.
84	*/
85	static int check_ocsp_response_expiry(mgs_handle_t *ctxt,
86	const gnutls_datum_t *ocsp_response)
87	{
88	gnutls_ocsp_resp_t resp;
89	int ret = gnutls_ocsp_resp_init(&resp);
90	if (ret != GNUTLS_E_SUCCESS)
91	{
92	ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
93	"Could not initialize OCSP response structure: "
94	"%s (%d)", gnutls_strerror(ret), ret);
95	goto resp_cleanup;
96	}
97	ret = gnutls_ocsp_resp_import(resp, ocsp_response);
98	if (ret != GNUTLS_E_SUCCESS)
99	{
100	ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
101	"Importing OCSP response failed: %s (%d)",
102	gnutls_strerror(ret), ret);
103	goto resp_cleanup;
104	}
105	time_t next_update;
106	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, NULL,
107	NULL, &next_update, NULL, NULL);
108	if (ret != GNUTLS_E_SUCCESS)
109	{
110	ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
111	"Could not get OCSP response data: %s (%d)",
112	gnutls_strerror(ret), ret);
113	goto resp_cleanup;
114	}
115
116	if (next_update == (time_t) -1)
117	{
118	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
119	"OSCP response does not contain nextUpdate info.");
120	}
121	else
122	{
123	apr_time_t now = apr_time_now();
124	apr_time_t valid_to;
125	apr_time_ansi_put(&valid_to, next_update);
126	if (now > valid_to)
127	{
128	char date_str[APR_RFC822_DATE_LEN];
129	apr_rfc822_date(date_str, valid_to);
130	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
131	"OCSP response has expired at %s.", date_str);
132	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
133	goto resp_cleanup;
134	}
135	}
136	resp_cleanup:
137	gnutls_ocsp_resp_deinit(resp);
138	return ret;
139	}
140
141
142
143	/**
144	* Check if the provided OCSP response is usable for stapling in
145	* connections to this server. Returns GNUTLS_E_SUCCESS if yes.
146	*
147	* Supports only one certificate status per response.
148	*
149	* If expiry is not NULL, it will be set to the nextUpdate time
150	* contained in the response, or zero the response does not contain a
151	* nextUpdate field.
152	*/
153	int check_ocsp_response(server_rec s, const gnutls_datum_t ocsp_response,
154	apr_time_t* expiry)
155	{
156	mgs_srvconf_rec sc = (mgs_srvconf_rec )
157	ap_get_module_config(s->module_config, &gnutls_module);
158
159	if (sc->ocsp_trust == NULL)
160	{
161	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
162	"No OCSP trust list available for server \"%s\"!",
163	s->server_hostname);
164	return GNUTLS_E_NO_CERTIFICATE_FOUND;
165	}
166
167	gnutls_ocsp_resp_t resp;
168	int ret = gnutls_ocsp_resp_init(&resp);
169	if (ret != GNUTLS_E_SUCCESS)
170	{
171	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
172	"Could not initialize OCSP response structure: %s (%d)",
173	gnutls_strerror(ret), ret);
174	goto resp_cleanup;
175	}
176	ret = gnutls_ocsp_resp_import(resp, ocsp_response);
177	if (ret != GNUTLS_E_SUCCESS)
178	{
179	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
180	"Importing OCSP response failed: %s (%d)",
181	gnutls_strerror(ret), ret);
182	goto resp_cleanup;
183	}
184
185	ret = gnutls_ocsp_resp_check_crt(resp, 0, sc->certs_x509_crt_chain[0]);
186	if (ret != GNUTLS_E_SUCCESS)
187	{
188	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
189	"OCSP response is not for server certificate: %s (%d)",
190	gnutls_strerror(ret), ret);
191	goto resp_cleanup;
192	}
193
194	unsigned int verify;
195	ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp_trust), &verify, 0);
196	if (ret != GNUTLS_E_SUCCESS)
197	{
198	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
199	"OCSP response verification failed: %s (%d)",
200	gnutls_strerror(ret), ret);
201	goto resp_cleanup;
202	}
203	else
204	{
205	/* verification worked, check the result */
206	if (verify != 0)
207	{
208	_log_verify_fail_reason(verify, s);
209	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
210	goto resp_cleanup;
211	}
212	else
213	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
214	"OCSP response is valid.");
215	}
216
217	/* OK, response is for our certificate and valid, let's get the
218	* actual response data. */
219	unsigned int cert_status;
220	time_t this_update;
221	time_t next_update;
222	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
223	&cert_status, &this_update,
224	&next_update, NULL, NULL);
225	if (ret != GNUTLS_E_SUCCESS)
226	{
227	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
228	"Could not get OCSP response data: %s (%d)",
229	gnutls_strerror(ret), ret);
230	goto resp_cleanup;
231	}
232
233	apr_time_t now = apr_time_now();
234	apr_time_t valid_at;
235	apr_time_ansi_put(&valid_at, this_update);
236	/* Buffer for human-readable times produced by apr_rfc822_date,
237	* see apr_time.h */
238	char date_str[APR_RFC822_DATE_LEN];
239	apr_rfc822_date(date_str, valid_at);
240
241	if (now < valid_at)
242	{
243	/* We don't know if our clock or that of the OCSP responder is
244	* out of sync, so warn but continue. */
245	ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
246	"OSCP response claims to be from future (%s), check "
247	"time synchronization!", date_str);
248	}
249
250	if (next_update == (time_t) -1)
251	{
252	ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
253	"OSCP response does not contain nextUpdate info.");
254	if (expiry != NULL)
255	*expiry = 0;
256	}
257	else
258	{
259	apr_time_t valid_to;
260	apr_time_ansi_put(&valid_to, next_update);
261	if (expiry != NULL)
262	*expiry = valid_to;
263	if (now > valid_to)
264	{
265	apr_rfc822_date(date_str, valid_to);
266	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
267	"OCSP response has expired at %s!", date_str);
268	/* Do not send a stale response */
269	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
270	goto resp_cleanup;
271	}
272	}
273
274	/* What's the actual status? Will be one of
275	* gnutls_ocsp_cert_status_t as defined in gnutls/ocsp.h. */
276	if (cert_status == GNUTLS_OCSP_CERT_GOOD)
277	{
278	/* Yay, everything's good! */
279	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
280	"CA flagged certificate as valid at %s.", date_str);
281	}
282	else
283	{
284	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
285	"CA flagged certificate as %s at %s.",
286	cert_status == GNUTLS_OCSP_CERT_REVOKED ?
287	"revoked" : "unknown", date_str);
288	ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
289	}
290
291	resp_cleanup:
292	gnutls_ocsp_resp_deinit(resp);
293	return ret;
294	}
295
296
297
298	/*
299	* Returns the certificate fingerprint, memory is allocated from p.
300	*/
301	static gnutls_datum_t mgs_get_cert_fingerprint(apr_pool_t *p,
302	gnutls_x509_crt_t cert)
303	{
304	gnutls_datum_t fingerprint = {NULL, 0};
305	size_t fplen;
306	gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, NULL, &fplen);
307	unsigned char * fp = apr_palloc(p, fplen);
308	gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, fp, &fplen);
309	/* Safe integer type conversion: The types of fingerprint.size
310	* (unsigned int) and fplen (size_t) may have different
311	* lengths. */
312	if (__builtin_add_overflow(fplen, 0, &fingerprint.size))
313	fingerprint.size = 0;
314	else
315	fingerprint.data = fp;
316	return fingerprint;
317	}
318
319
320
321	/* TODO: response should be fetched from sc->ocsp_uri */
322	apr_status_t mgs_cache_ocsp_response(server_rec *s)
323	{
324	mgs_srvconf_rec sc = (mgs_srvconf_rec )
325	ap_get_module_config(s->module_config, &gnutls_module);
326
327	if (sc->cache_type != mgs_cache_dbm && sc->cache_type != mgs_cache_gdbm)
328	{
329	/* experimental OCSP cache requires DBM cache */
330	return APR_ENOTIMPL;
331	}
332
333	apr_pool_t *tmp;
334	apr_status_t rv = apr_pool_create(&tmp, NULL);
335	if (rv != APR_SUCCESS)
336	{
337	ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
338	"could not create temporary pool for %s",
339	__func__);
340	return rv;
341	}
342
343	/* the fingerprint will be used as cache key */
344	gnutls_datum_t fingerprint =
345	mgs_get_cert_fingerprint(tmp, sc->certs_x509_crt_chain[0]);
346	if (fingerprint.data == NULL)
347	return APR_EINVAL;
348
349	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
350	"Loading OCSP response from %s",
351	sc->ocsp_response_file);
352	apr_file_t *file;
353	apr_finfo_t finfo;
354	apr_size_t br = 0;
355	rv = apr_file_open(&file, sc->ocsp_response_file,
356	APR_READ \| APR_BINARY, APR_OS_DEFAULT, tmp);
357	if (rv != APR_SUCCESS)
358	{
359	apr_pool_destroy(tmp);
360	return rv;
361	}
362	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, file);
363	if (rv != APR_SUCCESS)
364	{
365	apr_pool_destroy(tmp);
366	return rv;
367	}
368
369	gnutls_datum_t resp;
370	resp.data = apr_palloc(tmp, finfo.size);
371	rv = apr_file_read_full(file, resp.data, finfo.size, &br);
372	if (rv != APR_SUCCESS)
373	{
374	apr_pool_destroy(tmp);
375	return rv;
376	}
377	apr_file_close(file);
378	/* safe integer type conversion */
379	if (__builtin_add_overflow(br, 0, &resp.size))
380	{
381	apr_pool_destroy(tmp);
382	return APR_EINVAL;
383	}
384
385	apr_time_t expiry;
386	if (check_ocsp_response(s, &resp, &expiry) != GNUTLS_E_SUCCESS)
387	{
388	ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,
389	"OCSP response validation failed, cannot "
390	"update cache.");
391	apr_pool_destroy(tmp);
392	return APR_EGENERAL;
393	}
394	/* If expiry is zero, the response does not contain a nextUpdate
395	* field. Use the default cache timeout. */
396	if (expiry == 0)
397	expiry = apr_time_now() + sc->cache_timeout;
398	/* Apply grace time otherwise. */
399	else
400	expiry -= sc->ocsp_grace_time;
401
402	int r = dbm_cache_store(s, fingerprint, resp, expiry);
403	/* destroy pool, and original copy of the OCSP response with it */
404	apr_pool_destroy(tmp);
405	if (r != 0)
406	{
407	ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
408	"Storing OCSP response in cache failed.");
409	return APR_EGENERAL;
410	}
411	return APR_SUCCESS;
412	}
413
414
415
416	int mgs_get_ocsp_response(gnutls_session_t session __attribute__((unused)),
417	void *ptr,
418	gnutls_datum_t *ocsp_response)
419	{
420	mgs_handle_t ctxt = (mgs_handle_t ) ptr;
421
422	gnutls_datum_t fingerprint =
423	mgs_get_cert_fingerprint(ctxt->c->pool,
424	ctxt->sc->certs_x509_crt_chain[0]);
425	if (fingerprint.data == NULL)
426	return GNUTLS_E_NO_CERTIFICATE_STATUS;
427
428	*ocsp_response = dbm_cache_fetch(ctxt, fingerprint);
429	if (ocsp_response->size == 0)
430	{
431	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
432	"Fetching OCSP response from cache failed.");
433	}
434	else
435	{
436	if (check_ocsp_response_expiry(ctxt, ocsp_response)
437	== GNUTLS_E_SUCCESS)
438	return GNUTLS_E_SUCCESS;
439	}
440	/* get rid of invalid response (if any) */
441	gnutls_free(ocsp_response->data);
442	ocsp_response->data = NULL;
443
444	/* If the cache had no response or an invalid one, try to update. */
445	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
446	"No valid OCSP response in cache, trying to update.");
447	apr_status_t rv = mgs_cache_ocsp_response(ctxt->c->base_server);
448	if (rv != APR_SUCCESS)
449	{
450	ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctxt->c,
451	"Updating OCSP response cache failed");
452	goto fail_cleanup;
453	}
454
455	/* retry reading from cache */
456	*ocsp_response = dbm_cache_fetch(ctxt, fingerprint);
457	if (ocsp_response->size == 0)
458	{
459	ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
460	"Fetching OCSP response from cache failed on retry.");
461	}
462	else
463	{
464	/* Succeed if response is present and valid. */
465	if (check_ocsp_response_expiry(ctxt, ocsp_response)
466	== GNUTLS_E_SUCCESS)
467	return GNUTLS_E_SUCCESS;
468	}
469
470	/* failure, clean up response data */
471	fail_cleanup:
472	gnutls_free(ocsp_response->data);
473	ocsp_response->size = 0;
474	ocsp_response->data = NULL;
475	return GNUTLS_E_NO_CERTIFICATE_STATUS;
476	}
477
478
479
480	int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
481	const gnutls_x509_crt_t *chain,
482	const int num)
483	{
484	int added = 0;
485	int ret = gnutls_x509_trust_list_init(tl, num);
486
487	if (ret == GNUTLS_E_SUCCESS)
488	added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
489
490	if (added != num)
491	ret = GNUTLS_E_CERTIFICATE_ERROR;
492
493	/* Clean up trust list in case of error */
494	if (ret != GNUTLS_E_SUCCESS)
495	gnutls_x509_trust_list_deinit(*tl, 0);
496
497	return ret;
498	}
499
500
501
502	apr_status_t mgs_cleanup_trust_list(void *data)
503	{
504	gnutls_x509_trust_list_t tl = (gnutls_x509_trust_list_t ) data;
505	gnutls_x509_trust_list_deinit(*tl, 0);
506	return APR_SUCCESS;
507	}
508
509
510
511	apr_uri_t * mgs_cert_get_ocsp_uri(apr_pool_t *p, gnutls_x509_crt_t cert)
512	{
513	apr_pool_t *tmp;
514	apr_status_t rv = apr_pool_create(&tmp, p);
515	if (rv != APR_SUCCESS)
516	return NULL;
517
518	apr_uri_t *ocsp_uri = NULL;
519
520	int ret = GNUTLS_E_SUCCESS;
521	/* search authority info access for OCSP URI */
522	for (int seq = 0; ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; seq++)
523	{
524	gnutls_datum_t ocsp_access_data;
525	ret = gnutls_x509_crt_get_authority_info_access(cert, seq,
526	GNUTLS_IA_OCSP_URI,
527	&ocsp_access_data,
528	NULL);
529	if (ret == GNUTLS_E_SUCCESS)
530	{
531	/* create NULL terminated string */
532	char *ocsp_str =
533	apr_pstrndup(tmp, (const char*) ocsp_access_data.data,
534	ocsp_access_data.size);
535	gnutls_free(ocsp_access_data.data);
536
537	ocsp_uri = apr_palloc(p, sizeof(apr_uri_t));
538	rv = apr_uri_parse(p, ocsp_str, ocsp_uri);
539	if (rv == APR_SUCCESS)
540	break;
541	else
542	ocsp_uri = NULL;
543	}
544	}
545
546	apr_pool_destroy(tmp);
547	return ocsp_uri;
548	}
549
550
551
552	/*
553	* Like in the general post_config hook the HTTP status codes for
554	* errors are just for fun. What matters is "neither OK nor DECLINED"
555	* to denote an error.
556	*/
557	int mgs_ocsp_post_config_server(apr_pool_t *pconf,
558	apr_pool_t *ptemp __attribute__((unused)),
559	server_rec *server)
560	{
561	mgs_srvconf_rec sc = (mgs_srvconf_rec )
562	ap_get_module_config(server->module_config, &gnutls_module);
563
564	if (sc->certs_x509_chain_num < 2)
565	{
566	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
567	"OCSP stapling is enabled but no CA certificate "
568	"available for %s:%d, make sure it is included in "
569	"GnuTLSCertificateFile!",
570	server->server_hostname, server->addrs->host_port);
571	return HTTP_NOT_FOUND;
572	}
573
574	sc->ocsp_uri = mgs_cert_get_ocsp_uri(pconf, sc->certs_x509_crt_chain[0]);
575
576	sc->ocsp_trust = apr_palloc(pconf,
577	sizeof(gnutls_x509_trust_list_t));
578	/* Only the direct issuer may sign the OCSP response or an OCSP
579	* signer. */
580	int ret = mgs_create_ocsp_trust_list(sc->ocsp_trust,
581	&(sc->certs_x509_crt_chain[1]),
582	1);
583	if (ret != GNUTLS_E_SUCCESS)
584	{
585	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
586	"Could not create OCSP trust list: %s (%d)",
587	gnutls_strerror(ret), ret);
588	return HTTP_INTERNAL_SERVER_ERROR;
589	}
590	/* deinit trust list when the config pool is destroyed */
591	apr_pool_cleanup_register(pconf, sc->ocsp_trust,
592	mgs_cleanup_trust_list,
593	apr_pool_cleanup_null);
594
595	return OK;
596	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_ocsp.c @ 70a1e5a

Download in other formats: