Changeset 556783e in mod_gnutls

Timestamp:

Jul 24, 2019, 2:29:40 AM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, master, proxy-ticket

Children:

e376ed8

Parents:

81018a4

Message:

Provide OCSP response via gnutls_certificate_retrieve_function3 callback

This replaces the old OCSP callback function, which is still used
internally.

Location:

src

Files:

• gnutls_cache.c (modified) (6 diffs)
• gnutls_cache.h (modified) (1 diff)
• gnutls_hooks.c (modified) (1 diff)
• gnutls_ocsp.c (modified) (10 diffs)

src/gnutls_cache.c

@@ -175 +175 @@
 #define SOCACHE_FETCH_BUF_SIZE (8 * 1024)
 
-gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
-                               gnutls_datum_t key, apr_pool_t *pool)
-{
-    gnutls_datum_t data = {NULL, 0};
-    data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
-    if (data.data == NULL)
-        return data;
-    data.size = SOCACHE_FETCH_BUF_SIZE;
-
+apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
+                             gnutls_datum_t key, gnutls_datum_t *output,
+                             apr_pool_t *pool)
+{
     apr_pool_t *spool;
     apr_pool_create(&spool, pool);
@@ -191 +186 @@
     apr_status_t rv = cache->prov->retrieve(cache->socache, server,
                                             key.data, key.size,
-                                            data.data, &data.size,
+                                            output->data, &output->size,
                                             spool);
     if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
@@ -207 +202 @@
                          "error fetching from cache '%s:%s'",
                          cache->prov->name, cache->config);
+    }
+    else
+    {
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                     "fetched %u bytes from cache '%s:%s'",
+                     output->size, cache->prov->name, cache->config);
+    }
+    apr_pool_destroy(spool);
+
+    return rv;
+}
+
+
+
+/**
+ * Fetch function for the GnuTLS session cache, see
+ * gnutls_db_set_retrieve_function().
+ *
+ * *Warning*: The `data` element of the returned `gnutls_datum_t` is
+ * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
+ * session caching API, and must be released using `gnutls_free()`.
+ *
+ * @param baton mgs_handle_t for the connection, as set via
+ * gnutls_db_set_ptr()
+ *
+ * @param key object key to fetch
+ *
+ * @return the requested cache entry, or `{NULL, 0}`
+ */
+static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
+{
+    gnutls_datum_t data = {NULL, 0};
+    gnutls_datum_t dbmkey;
+    mgs_handle_t *ctxt = baton;
+
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return data;
+
+    data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
+    if (data.data == NULL)
+        return data;
+    data.size = SOCACHE_FETCH_BUF_SIZE;
+
+    apr_status_t rv = mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
+                                      dbmkey, &data, ctxt->c->pool);
+
+    if (rv != APR_SUCCESS)
+    {
         /* free unused buffer */
         gnutls_free(data.data);
@@ -214 +257 @@
     else
     {
-        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
-                     "fetched %u bytes from cache '%s:%s'",
-                     data.size, cache->prov->name, cache->config);
-
         /* Realloc buffer to data.size. Data size must be less than or
          * equal to the initial buffer size, so this REALLY should not
@@ -224 +263 @@
         if (__builtin_expect(data.data == NULL, 0))
         {
-            ap_log_error(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, server,
+            ap_log_cerror(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, ctxt->c,
                          "%s: Could not realloc fetch buffer to data size!",
                          __func__);
@@ -230 +269 @@
         }
     }
-    apr_pool_destroy(spool);
 
     return data;
-}
-
-
-
-/**
- * Fetch function for the GnuTLS session cache, see
- * gnutls_db_set_retrieve_function().
- *
- * *Warning*: The `data` element of the returned `gnutls_datum_t` is
- * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
- * session caching API, and must be released using `gnutls_free()`.
- *
- * @param baton mgs_handle_t for the connection, as set via
- * gnutls_db_set_ptr()
- *
- * @param key object key to fetch
- *
- * @return the requested cache entry, or `{NULL, 0}`
- */
-static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
-{
-    gnutls_datum_t data = {NULL, 0};
-    gnutls_datum_t dbmkey;
-    mgs_handle_t *ctxt = baton;
-
-    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
-        return data;
-
-    return mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
-                           dbmkey, ctxt->c->pool);
 }
 

src/gnutls_cache.h

@@ -139 +139 @@
  * @param key key for the cache entry to be fetched
  *
- * @param pool pool to allocate the response and other temporary
- * memory from
+ * @param output pre-allocated buffer to write to and its size
  *
- * @return the requested cache entry, or `{NULL, 0}`
+ * @param pool pool to allocate temporary memory from
+ *
+ * @return APR status or error value
  */
-gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
-                               gnutls_datum_t key, apr_pool_t *pool);
+apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
+                             gnutls_datum_t key, gnutls_datum_t *output,
+                             apr_pool_t *pool);
 
 /**

src/gnutls_hooks.c

@@ -409 +409 @@
         *privkey = ctxt->sc->privkey_x509;
         *flags = 0;
+
+        if (ctxt->sc->ocsp_staple == GNUTLS_ENABLED_TRUE)
+        {
+            gnutls_ocsp_data_st *resp =
+                apr_palloc(ctxt->c->pool, sizeof(gnutls_ocsp_data_st));
+            resp->version = 0;
+            resp->exptime = 0;
+
+            int ret = mgs_get_ocsp_response(session, NULL, &resp->response);
+            if (ret == GNUTLS_E_SUCCESS)
+            {
+                *ocsp = resp;
+                *ocsp_length = 1;
+            }
+        }
+
         return 0;
     } else {

src/gnutls_ocsp.c

@@ -41 +41 @@
 /** Dummy data for failure cache entries (one byte). */
 #define OCSP_FAILURE_CACHE_DATA 0x0f
+/** Macro to check if an OCSP reponse pointer contains a cached
+ * failure */
+#define IS_FAILURE_RESPONSE(resp) \
+    (((resp)->size == sizeof(unsigned char)) &&                     \
+     (*((unsigned char *) (resp)->data) == OCSP_FAILURE_CACHE_DATA))
 
 
@@ -786 +791 @@
     }
 
-    *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
-                                     ctxt->c->base_server,
-                                     ctxt->sc->ocsp->fingerprint,
-                                     ctxt->c->pool);
-    if (ocsp_response->size == 0)
+    // TODO: Large allocation, and the pool system doesn't offer realloc
+    ocsp_response->data = apr_palloc(ctxt->c->pool, OCSP_RESP_SIZE_MAX);
+    ocsp_response->size = OCSP_RESP_SIZE_MAX;
+
+    apr_status_t rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
+                                      ctxt->c->base_server,
+                                      ctxt->sc->ocsp->fingerprint,
+                                      ocsp_response,
+                                      ctxt->c->pool);
+    if (rv != APR_SUCCESS)
     {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
                       "Fetching OCSP response from cache failed.");
     }
-    else if ((ocsp_response->size == sizeof(unsigned char)) &&
-             (*((unsigned char *) ocsp_response->data) == OCSP_FAILURE_CACHE_DATA))
+    else if (IS_FAILURE_RESPONSE(ocsp_response))
     {
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
@@ -807 +816 @@
         return GNUTLS_E_SUCCESS;
     }
-    /* get rid of invalid response (if any) */
-    gnutls_free(ocsp_response->data);
-    ocsp_response->data = NULL;
+    /* keep response buffer, reset size for reuse */
+    ocsp_response->size = OCSP_RESP_SIZE_MAX;
 
     /* If the cache had no response or an invalid one, try to update. */
@@ -815 +823 @@
                   "No valid OCSP response in cache, trying to update.");
 
-    apr_status_t rv = apr_global_mutex_trylock(sc->ocsp_mutex);
+    rv = apr_global_mutex_trylock(sc->ocsp_mutex);
     if (APR_STATUS_IS_EBUSY(rv))
     {
@@ -824 +832 @@
          * moment there's no good way to integrate that with the
          * Apache Mutex directive. */
-        *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
-                                         ctxt->c->base_server,
-                                         ctxt->sc->ocsp->fingerprint,
-                                         ctxt->c->pool);
-        if (ocsp_response->size > 0)
-        {
-            /* Got a valid response now, unlock mutex and return. */
+        rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
+                             ctxt->c->base_server,
+                             ctxt->sc->ocsp->fingerprint,
+                             ocsp_response,
+                             ctxt->c->pool);
+        if (rv == APR_SUCCESS)
+        {
             apr_global_mutex_unlock(sc->ocsp_mutex);
-            return GNUTLS_E_SUCCESS;
+            /* Check if the response is valid. */
+            if (IS_FAILURE_RESPONSE(ocsp_response))
+            {
+                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
+                              "Cached OCSP failure found for %s.",
+                              ctxt->c->base_server->server_hostname);
+                goto fail_cleanup;
+            }
+            else
+                return GNUTLS_E_SUCCESS;
         }
         else
         {
-            gnutls_free(ocsp_response->data);
-            ocsp_response->data = NULL;
+            /* keep response buffer, reset size for reuse */
+            ocsp_response->size = OCSP_RESP_SIZE_MAX;
         }
     }
@@ -855 +872 @@
 
     /* retry reading from cache */
-    *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
-                                     ctxt->c->base_server,
-                                     ctxt->sc->ocsp->fingerprint,
-                                     ctxt->c->pool);
-    if (ocsp_response->size == 0)
+    rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
+                         ctxt->c->base_server,
+                         ctxt->sc->ocsp->fingerprint,
+                         ocsp_response,
+                         ctxt->c->pool);
+    if (rv != APR_SUCCESS)
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
@@ -869 +887 @@
     }
 
-    /* failure, clean up response data */
+    /* failure, reset struct, buffer will be released with the
+     * connection pool */
  fail_cleanup:
-    gnutls_free(ocsp_response->data);
     ocsp_response->size = 0;
     ocsp_response->data = NULL;
@@ -1061 +1079 @@
     if (rv != APR_SUCCESS)
     {
-        const gnutls_datum_t ocsp_response =
-            mgs_cache_fetch(sc->ocsp_cache, server,
-                            sc->ocsp->fingerprint, pool);
-
-        if (ocsp_response.size == 0 ||
-            ((ocsp_response.size == sizeof(unsigned char)) &&
-             (*((unsigned char *) ocsp_response.data) ==
-              OCSP_FAILURE_CACHE_DATA)))
+        gnutls_datum_t ocsp_response;
+        ocsp_response.data = apr_palloc(pool, OCSP_RESP_SIZE_MAX);
+        ocsp_response.size = OCSP_RESP_SIZE_MAX;
+
+        apr_status_t rv = mgs_cache_fetch(sc->ocsp_cache, server,
+                                          sc->ocsp->fingerprint,
+                                          &ocsp_response,
+                                          pool);
+
+        if (rv != APR_SUCCESS || (IS_FAILURE_RESPONSE(&ocsp_response)))
         {
             ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
@@ -1075 +1095 @@
             mgs_cache_ocsp_failure(server, sc->ocsp_failure_timeout * 2);
         }
-
-        /* Get rid of the response, if any */
-        if (ocsp_response.size != 0)
-            gnutls_free(ocsp_response.data);
     }
     apr_global_mutex_unlock(sc->ocsp_mutex);
@@ -1196 +1212 @@
                               apr_pool_cleanup_null);
 
-    /* enable status request callback */
-    gnutls_certificate_set_ocsp_status_request_function(sc->certs,
-                                                        mgs_get_ocsp_response,
-                                                        sc);
-
     /* The watchdog structure may be NULL if mod_watchdog is
      * unavailable. */