Changeset 08817d0 in mod_gnutls

Timestamp:

Jun 5, 2016, 3:42:32 PM (7 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, main, master, proxy-ticket, upstream

Children:

366d1a1

Parents:

368e581

git-author:

Thomas Klute <thomas2.klute@…> (06/05/16 11:53:31)

git-committer:

Thomas Klute <thomas2.klute@…> (06/05/16 15:42:32)

Message:

Check OCSP response before caching

Only verified responses should be cached. This improves both security
and performance: The cache does not need to touch untrusted data, and
if only verified responses are cached there is no need to do full
verification every time a response is fetched from the cache.

File:

• src/gnutls_ocsp.c (modified) (12 diffs)

src/gnutls_ocsp.c

@@ -30 +30 @@
 
 
-#define _log_one_ocsp_fail(s, c)                                      \
-    ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_EGENERAL, (c),           \
-                  "Reason for failed OCSP response verification: %s", (s))
+#define _log_one_ocsp_fail(str, srv)                                    \
+    ap_log_error(APLOG_MARK, APLOG_INFO, APR_EGENERAL, (srv),           \
+                 "Reason for failed OCSP response verification: %s", (str))
 /*
  * Log all matching reasons for verification failure
  */
-static void _log_verify_fail_reason(const unsigned int verify, conn_rec *c)
+static void _log_verify_fail_reason(const unsigned int verify, server_rec *s)
 {
     if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
-        _log_one_ocsp_fail("Signer cert not found", c);
+        _log_one_ocsp_fail("Signer cert not found", s);
 
     if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
-        _log_one_ocsp_fail("Signer cert keyusage error", c);
+        _log_one_ocsp_fail("Signer cert keyusage error", s);
 
     if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
-        _log_one_ocsp_fail("Signer cert is not trusted", c);
+        _log_one_ocsp_fail("Signer cert is not trusted", s);
 
     if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
-        _log_one_ocsp_fail("Insecure algorithm", c);
+        _log_one_ocsp_fail("Insecure algorithm", s);
 
     if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
-        _log_one_ocsp_fail("Signature failure", c);
+        _log_one_ocsp_fail("Signature failure", s);
 
     if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
-        _log_one_ocsp_fail("Signer cert not yet activated", c);
+        _log_one_ocsp_fail("Signer cert not yet activated", s);
 
     if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
-        _log_one_ocsp_fail("Signer cert expired", c);
+        _log_one_ocsp_fail("Signer cert expired", s);
 }
 
@@ -76 +76 @@
 
 /**
- * Check if the provided OCSP response is usable for stapling in this
- * connection context. Returns GNUTLS_E_SUCCESS if yes.
+ * Check if the provided OCSP response is usable for stapling in
+ * connections to this server. Returns GNUTLS_E_SUCCESS if yes.
+ *
+ * Supports only one certificate status per response.
  */
-int check_ocsp_response(mgs_handle_t *ctxt, const gnutls_datum_t *ocsp_response)
-{
-    if (ctxt->sc->ocsp_trust == NULL)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "No OCSP trust list available for server \"%s\"!",
-                      ctxt->c->base_server->server_hostname);
+int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
+
+    if (sc->ocsp_trust == NULL)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "No OCSP trust list available for server \"%s\"!",
+                     s->server_hostname);
         return GNUTLS_E_NO_CERTIFICATE_FOUND;
     }
@@ -93 +98 @@
     if (ret != GNUTLS_E_SUCCESS)
     {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "Could not initialize OCSP response structure: %s (%d)",
-                      gnutls_strerror(ret), ret);
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "Could not initialize OCSP response structure: %s (%d)",
+                     gnutls_strerror(ret), ret);
         goto resp_cleanup;
     }
@@ -101 +106 @@
     if (ret != GNUTLS_E_SUCCESS)
     {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "Importing OCSP response failed: %s (%d)",
-                      gnutls_strerror(ret), ret);
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "Importing OCSP response failed: %s (%d)",
+                     gnutls_strerror(ret), ret);
         goto resp_cleanup;
     }
 
-    ret = gnutls_ocsp_resp_check_crt(resp, 0,
-                                     ctxt->sc->certs_x509_crt_chain[0]);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "OCSP response is not for server certificate: %s (%d)",
-                      gnutls_strerror(ret), ret);
+    ret = gnutls_ocsp_resp_check_crt(resp, 0, sc->certs_x509_crt_chain[0]);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "OCSP response is not for server certificate: %s (%d)",
+                     gnutls_strerror(ret), ret);
         goto resp_cleanup;
     }
 
     unsigned int verify;
-    ret = gnutls_ocsp_resp_verify(resp, *(ctxt->sc->ocsp_trust), &verify, 0);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "OCSP response verification failed: %s (%d)",
-                      gnutls_strerror(ret), ret);
+    ret = gnutls_ocsp_resp_verify(resp, *(sc->ocsp_trust), &verify, 0);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "OCSP response verification failed: %s (%d)",
+                     gnutls_strerror(ret), ret);
         goto resp_cleanup;
     }
@@ -131 +135 @@
         if (verify != 0)
         {
-            _log_verify_fail_reason(verify, ctxt->c);
+            _log_verify_fail_reason(verify, s);
             ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
             goto resp_cleanup;
         }
         else
-            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
-                          "OCSP response is valid.");
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                         "OCSP response is valid.");
     }
 
@@ -150 +154 @@
     if (ret != GNUTLS_E_SUCCESS)
     {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "Could not get OCSP response data: %s (%d)",
-                      gnutls_strerror(ret), ret);
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "Could not get OCSP response data: %s (%d)",
+                     gnutls_strerror(ret), ret);
         goto resp_cleanup;
     }
@@ -168 +172 @@
         /* We don't know if our clock or that of the OCSP responder is
          * out of sync, so warn but continue. */
-        ap_log_cerror(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, ctxt->c,
-                      "OSCP response claims to be from future (%s), check "
-                      "time synchronization!", date_str);
+        ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
+                     "OSCP response claims to be from future (%s), check "
+                     "time synchronization!", date_str);
     }
 
     if (next_update == (time_t) -1)
-        ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, ctxt->c,
-                      "OSCP response does not contain nextUpdate info.");
+        ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+                     "OSCP response does not contain nextUpdate info.");
     else
     {
@@ -183 +187 @@
         {
             apr_rfc822_date(date_str, valid_to);
-            ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                          "OCSP response has expired at %s!", date_str);
+            ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                         "OCSP response has expired at %s!", date_str);
             /* Do not send a stale response */
             ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
@@ -196 +200 @@
     {
         /* Yay, everything's good! */
-        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
-                      "CA flagged certificate as valid at %s.", date_str);
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "CA flagged certificate as valid at %s.", date_str);
     }
     else
     {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "CA flagged certificate as %s at %s.",
-                      cert_status == GNUTLS_OCSP_CERT_REVOKED ?
-                      "revoked" : "unknown", date_str);
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "CA flagged certificate as %s at %s.",
+                     cert_status == GNUTLS_OCSP_CERT_REVOKED ?
+                     "revoked" : "unknown", date_str);
         ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
     }
@@ -295 +299 @@
     }
 
+    if (check_ocsp_response(s, &resp) != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,
+                     "OCSP response validation failed, cannot "
+                     "update cache.");
+        apr_pool_destroy(tmp);
+        return APR_EGENERAL;
+    }
+
     /* TODO: make cache lifetime configurable, make sure expiration
      * happens without storing new data */
@@ -333 +346 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt, ocsp_response) == GNUTLS_E_SUCCESS)
+        if (check_ocsp_response(ctxt->c->base_server, ocsp_response)
+            == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;
     }
     /* get rid of invalid response (if any) */
     gnutls_free(ocsp_response->data);
+    ocsp_response->data = NULL;
 
     /* If the cache had no response or an invalid one, try to update. */
@@ -360 +375 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt, ocsp_response) == GNUTLS_E_SUCCESS)
+        if (check_ocsp_response(ctxt->c->base_server, ocsp_response)
+            == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;
     }