Apache HTTPD
ssl_util_ocsp.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* This file implements an OCSP client including a toy HTTP/1.0
18 * client. Once httpd depends on a real HTTP client library, most of
19 * this can be thrown away. */
20
21#include "ssl_private.h"
22
23#ifndef OPENSSL_NO_OCSP
24
25#include "apr_buckets.h"
26#include "apr_uri.h"
27
28/* Serialize an OCSP request which will be sent to the responder at
29 * given URI to a memory BIO object, which is returned. */
30static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri,
31 const apr_uri_t *proxy_uri)
32{
33 BIO *bio;
34 int len;
35
36 len = i2d_OCSP_REQUEST(req, NULL);
37
38 bio = BIO_new(BIO_s_mem());
39
40 BIO_printf(bio, "POST ");
41 /* Use full URL instead of URI in case of a request through a proxy */
42 if (proxy_uri) {
43 BIO_printf(bio, "http://%s:%d",
44 uri->hostname, uri->port);
45 }
46 BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
47 "Host: %s:%d\r\n"
48 "Content-Type: application/ocsp-request\r\n"
49 "Connection: close\r\n"
50 "Content-Length: %d\r\n"
51 "\r\n",
52 uri->path ? uri->path : "/",
53 uri->query ? "?" : "", uri->query ? uri->query : "",
54 uri->hostname, uri->port, len);
55
56 if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
57 BIO_free(bio);
58 return NULL;
59 }
60
61 return bio;
62}
63
64/* Send the OCSP request serialized into BIO 'request' to the
65 * responder at given server given by URI. Returns socket object or
66 * NULL on error. */
67static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri,
68 apr_interval_time_t timeout,
69 conn_rec *c, apr_pool_t *p,
70 const apr_uri_t *proxy_uri)
71{
72 apr_status_t rv;
73 apr_sockaddr_t *sa;
74 apr_socket_t *sd;
75 char buf[HUGE_STRING_LEN];
76 int len;
77 const apr_uri_t *next_hop_uri;
78
79 if (proxy_uri) {
80 next_hop_uri = proxy_uri;
81 }
82 else {
83 next_hop_uri = uri;
84 }
85
86 rv = apr_sockaddr_info_get(&sa, next_hop_uri->hostname, APR_UNSPEC,
87 next_hop_uri->port, 0, p);
88 if (rv) {
89 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
90 "could not resolve address of %s %s",
91 proxy_uri ? "proxy" : "OCSP responder",
92 next_hop_uri->hostinfo);
93 return NULL;
94 }
95
96 /* establish a connection to the OCSP responder */
97 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
98 "connecting to %s '%s'",
99 proxy_uri ? "proxy" : "OCSP responder",
100 uri->hostinfo);
101
102 /* Cycle through address until a connect() succeeds. */
103 for (; sa; sa = sa->next) {
104 rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);
105 if (rv == APR_SUCCESS) {
106 apr_socket_timeout_set(sd, timeout);
107
108 rv = apr_socket_connect(sd, sa);
109 if (rv == APR_SUCCESS) {
110 break;
111 }
112 apr_socket_close(sd);
113 }
114 }
115
116 if (sa == NULL) {
117 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01974)
118 "could not connect to %s '%s'",
119 proxy_uri ? "proxy" : "OCSP responder",
120 next_hop_uri->hostinfo);
121 return NULL;
122 }
123
124 /* send the request and get a response */
125 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01975)
126 "sending request to OCSP responder");
127
128 while ((len = BIO_read(request, buf, sizeof buf)) > 0) {
129 char *wbuf = buf;
130 apr_size_t remain = len;
131
132 do {
133 apr_size_t wlen = remain;
134
135 rv = apr_socket_send(sd, wbuf, &wlen);
136 wbuf += remain;
137 remain -= wlen;
138 } while (rv == APR_SUCCESS && remain > 0);
139
140 if (rv) {
141 apr_socket_close(sd);
142 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01976)
143 "failed to send request to OCSP responder '%s'",
144 uri->hostinfo);
145 return NULL;
146 }
147 }
148
149 return sd;
150}
151
152/* Return a pool-allocated NUL-terminated line, with CRLF stripped,
153 * read from brigade 'bbin' using 'bbout' as temporary storage. */
154static char *get_line(apr_bucket_brigade *bbout, apr_bucket_brigade *bbin,
155 conn_rec *c, apr_pool_t *p)
156{
157 apr_status_t rv;
158 apr_size_t len;
159 char *line;
160
161 apr_brigade_cleanup(bbout);
162
163 rv = apr_brigade_split_line(bbout, bbin, APR_BLOCK_READ, 8192);
164 if (rv) {
165 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01977)
166 "failed reading line from OCSP server");
167 return NULL;
168 }
169
170 rv = apr_brigade_pflatten(bbout, &line, &len, p);
171 if (rv) {
172 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01978)
173 "failed reading line from OCSP server");
174 return NULL;
175 }
176
177 if (len == 0) {
178 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(02321)
179 "empty response from OCSP server");
180 return NULL;
181 }
182
183 if (line[len-1] != APR_ASCII_LF) {
184 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01979)
185 "response header line too long from OCSP server");
186 return NULL;
187 }
188
189 line[len-1] = '\0';
190 if (len > 1 && line[len-2] == APR_ASCII_CR) {
191 line[len-2] = '\0';
192 }
193
194 return line;
195}
196
197/* Maximum values to prevent eating RAM forever. */
198#define MAX_HEADERS (256)
199#define MAX_CONTENT (2048 * 1024)
200
201/* Read the OCSP response from the socket 'sd', using temporary memory
202 * BIO 'bio', and return the decoded OCSP response object, or NULL on
203 * error. */
204static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
205 apr_pool_t *p)
206{
207 apr_bucket_brigade *bb, *tmpbb;
208 OCSP_RESPONSE *response;
209 char *line;
210 apr_size_t count;
211 apr_int64_t code;
212
213 /* Using brigades for response parsing is much simpler than using
214 * apr_socket_* directly. */
215 bb = apr_brigade_create(p, c->bucket_alloc);
216 tmpbb = apr_brigade_create(p, c->bucket_alloc);
217 APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_socket_create(sd, c->bucket_alloc));
218
219 line = get_line(tmpbb, bb, c, p);
220 if (!line || strncmp(line, "HTTP/", 5)
221 || (line = ap_strchr(line, ' ')) == NULL
222 || (code = apr_atoi64(++line)) < 200 || code > 299) {
223 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01980)
224 "bad response from OCSP server: %s",
225 line ? line : "(none)");
226 return NULL;
227 }
228
229 /* Read till end of headers; don't have to even bother parsing the
230 * Content-Length since the server is obliged to close the
231 * connection after the response anyway for HTTP/1.0. */
232 count = 0;
233 while ((line = get_line(tmpbb, bb, c, p)) != NULL && line[0]
234 && ++count < MAX_HEADERS) {
235 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01981)
236 "OCSP response header: %s", line);
237 }
238
239 if (count == MAX_HEADERS) {
240 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01982)
241 "could not read response headers from OCSP server, "
242 "exceeded maximum count (%u)", MAX_HEADERS);
243 return NULL;
244 }
245 else if (!line) {
246 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01983)
247 "could not read response header from OCSP server");
248 return NULL;
249 }
250
251 /* Read the response body into the memory BIO. */
252 count = 0;
253 while (!APR_BRIGADE_EMPTY(bb)) {
254 const char *data;
255 apr_size_t len;
256 apr_status_t rv;
257 apr_bucket *e = APR_BRIGADE_FIRST(bb);
258
259 rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
260 if (rv == APR_EOF) {
261 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984)
262 "OCSP response: got EOF");
263 break;
264 }
265 if (rv != APR_SUCCESS) {
266 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01985)
267 "error reading response from OCSP server");
268 return NULL;
269 }
270 if (len == 0) {
271 /* Ignore zero-length buckets (possible side-effect of
272 * line splitting). */
273 apr_bucket_delete(e);
274 continue;
275 }
276 count += len;
277 if (count > MAX_CONTENT) {
278 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01986)
279 "OCSP response size exceeds %u byte limit",
280 MAX_CONTENT);
281 return NULL;
282 }
283 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01987)
284 "OCSP response: got %" APR_SIZE_T_FMT
285 " bytes, %" APR_SIZE_T_FMT " total", len, count);
286
287 BIO_write(bio, data, (int)len);
288 apr_bucket_delete(e);
289 }
290
291 apr_brigade_destroy(bb);
292 apr_brigade_destroy(tmpbb);
293
294 /* Finally decode the OCSP response from what's stored in the
295 * bio. */
296 response = d2i_OCSP_RESPONSE_bio(bio, NULL);
297 if (response == NULL) {
298 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01988)
299 "failed to decode OCSP response data");
300 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c));
301 }
302
303 return response;
304}
305
306OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
307 apr_interval_time_t timeout,
308 OCSP_REQUEST *request,
309 conn_rec *c, apr_pool_t *p)
310{
311 OCSP_RESPONSE *response = NULL;
312 apr_socket_t *sd;
313 BIO *bio;
314 const apr_uri_t *proxy_uri;
315
316 proxy_uri = (mySrvConfigFromConn(c))->server->proxy_uri;
317 bio = serialize_request(request, uri, proxy_uri);
318 if (bio == NULL) {
319 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01989)
320 "could not serialize OCSP request");
321 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c));
322 return NULL;
323 }
324
325 sd = send_request(bio, uri, timeout, c, p, proxy_uri);
326 if (sd == NULL) {
327 /* Errors already logged. */
328 BIO_free(bio);
329 return NULL;
330 }
331
332 /* Clear the BIO contents, ready for the response. */
333 (void)BIO_reset(bio);
334
335 response = read_response(sd, bio, c, p);
336
337 apr_socket_close(sd);
338 BIO_free(bio);
339
340 return response;
341}
342
343/* _________________________________________________________________
344**
345** OCSP other certificate support
346** _________________________________________________________________
347*/
348
349/*
350 * Read a file that contains certificates in PEM format and
351 * return as a STACK.
352 */
353
354static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
355{
356 BIO *bio;
357 X509 *x509;
358 unsigned long err;
359 STACK_OF(X509) *other_certs = NULL;
360
361 if ((bio = BIO_new(BIO_s_file())) == NULL)
362 return NULL;
363 if (BIO_read_filename(bio, file) <= 0) {
364 BIO_free(bio);
365 return NULL;
366 }
367
368 /* create new extra chain by loading the certs */
369 ERR_clear_error();
370 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
371 if (!other_certs) {
372 other_certs = sk_X509_new_null();
373 if (!other_certs) {
374 X509_free(x509);
375 BIO_free(bio);
376 return NULL;
377 }
378 }
379
380 if (!sk_X509_push(other_certs, x509)) {
381 X509_free(x509);
382 sk_X509_pop_free(other_certs, X509_free);
383 BIO_free(bio);
384 return NULL;
385 }
386 }
387 /* Make sure that only the error is just an EOF */
388 if ((err = ERR_peek_error()) > 0) {
389 if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
390 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
391 BIO_free(bio);
392 sk_X509_pop_free(other_certs, X509_free);
393 return NULL;
394 }
395 while (ERR_get_error() > 0) ;
396 }
397 BIO_free(bio);
398 return other_certs;
399}
400
401void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
402{
403 /*
404 * Configure Trusted OCSP certificates.
405 */
406
407 if (!mctx->ocsp_certs_file) {
408 return;
409 }
410
411 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
412 "Configuring Trusted OCSP certificates");
413
414 mctx->ocsp_certs = modssl_read_ocsp_certificates(mctx->ocsp_certs_file);
415
416 if (!mctx->ocsp_certs) {
417 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
418 "Unable to configure OCSP Trusted Certificates");
419 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
420 ssl_die(s);
421 }
422 mctx->ocsp_verify_flags |= OCSP_TRUSTOTHER;
423}
424
425#endif /* HAVE_OCSP */
len
const char apr_size_t len
Definition ap_regex.h:187
apr_buckets.h
APR-UTIL Buckets/Bucket Brigades.
apr_uri.h
APR-UTIL URI Routines.
HUGE_STRING_LEN
#define HUGE_STRING_LEN
Definition httpd.h:303
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
APLOG_ERR
#define APLOG_ERR
Definition http_log.h:67
ap_log_error
#define ap_log_error
Definition http_log.h:370
ap_log_cerror
#define ap_log_cerror
Definition http_log.h:498
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_DEBUG
#define APLOG_DEBUG
Definition http_log.h:71
buf
const unsigned char * buf
Definition util_md5.h:50
APR_EOF
#define APR_EOF
Definition apr_errno.h:461
count
unsigned int count
Definition apr_md5.h:152
APR_BRIGADE_INSERT_TAIL
#define APR_BRIGADE_INSERT_TAIL(b, e)
Definition apr_buckets.h:369
e
apr_bucket * e
Definition apr_buckets.h:699
APR_BRIGADE_EMPTY
#define APR_BRIGADE_EMPTY(b)
Definition apr_buckets.h:338
apr_bucket_delete
#define apr_bucket_delete(e)
Definition apr_buckets.h:1016
APR_BRIGADE_FIRST
#define APR_BRIGADE_FIRST(b)
Definition apr_buckets.h:345
apr_bucket_read
#define apr_bucket_read(e, str, len, block)
Definition apr_buckets.h:1089
APR_BLOCK_READ
@ APR_BLOCK_READ
Definition apr_buckets.h:58
server
apr_memcache_server_t * server
Definition apr_memcache.h:173
uri
const char * uri
Definition apr_uri.h:159
APR_PROTO_TCP
#define APR_PROTO_TCP
Definition apr_network_io.h:189
ssl_die
apr_status_t ssl_die(server_rec *s)
Definition ssl_engine_log.c:66
SSLLOG_MARK
#define SSLLOG_MARK
Definition ssl_private.h:1156
mySrvFromConn
#define mySrvFromConn(c)
Definition ssl_private.h:365
mySrvConfigFromConn
#define mySrvConfigFromConn(c)
Definition ssl_private.h:367
modssl_dispatch_ocsp_request
OCSP_RESPONSE * modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p)
Definition ssl_util_ocsp.c:306
ssl_log_ssl_error
void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
Definition ssl_engine_log.c:94
ssl_init_ocsp_certificates
void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
Definition ssl_util_ocsp.c:401
ap_strchr
#define ap_strchr(s, c)
Definition httpd.h:2351
size
apr_size_t size
Definition apr_allocator.h:115
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
data
void * data
Definition apr_file_io.h:832
file
const char apr_file_t * file
Definition apr_file_io.h:823
APR_ASCII_CR
#define APR_ASCII_CR
Definition apr_general.h:61
APR_ASCII_LF
#define APR_ASCII_LF
Definition apr_general.h:63
c
apr_vformatter_buff_t * c
Definition apr_lib.h:175
sa
apr_sockaddr_t * sa
Definition apr_network_io.h:352
APR_UNSPEC
#define APR_UNSPEC
Definition apr_network_io.h:156
s
const char * s
Definition apr_strings.h:95
err
apr_int32_t apr_int32_t apr_int32_t err
Definition apr_thread_proc.h:418
apr_interval_time_t
apr_int64_t apr_interval_time_t
Definition apr_time.h:55
p
apr_pool_t * p
Definition md_event.c:32
NULL
return NULL
Definition mod_so.c:359
ssl_private.h
Internal interfaces private to mod_ssl.
STACK_OF
static STACK_OF(X509)
Definition ssl_util_ocsp.c:354
serialize_request
static BIO * serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri, const apr_uri_t *proxy_uri)
Definition ssl_util_ocsp.c:30
MAX_CONTENT
#define MAX_CONTENT
Definition ssl_util_ocsp.c:199
get_line
static char * get_line(apr_bucket_brigade *bbout, apr_bucket_brigade *bbin, conn_rec *c, apr_pool_t *p)
Definition ssl_util_ocsp.c:154
MAX_HEADERS
#define MAX_HEADERS
Definition ssl_util_ocsp.c:198
read_response
static OCSP_RESPONSE * read_response(apr_socket_t *sd, BIO *bio, conn_rec *c, apr_pool_t *p)
Definition ssl_util_ocsp.c:204
send_request
static apr_socket_t * send_request(BIO *request, const apr_uri_t *uri, apr_interval_time_t timeout, conn_rec *c, apr_pool_t *p, const apr_uri_t *proxy_uri)
Definition ssl_util_ocsp.c:67
apr_bucket_brigade
Definition apr_buckets.h:258
apr_bucket
Definition apr_buckets.h:224
apr_pool_t
Definition apr_pools.c:562
apr_sockaddr_t
Definition apr_network_io.h:239
apr_sockaddr_t::next
apr_sockaddr_t * next
Definition apr_network_io.h:262
apr_sockaddr_t::hostname
char * hostname
Definition apr_network_io.h:243
apr_sockaddr_t::family
apr_int32_t family
Definition apr_network_io.h:249
apr_socket_t
Definition apr_arch_networkio.h:37
apr_uri_t
Definition apr_uri.h:85
conn_rec
Structure to store things which are per connection.
Definition httpd.h:1152
modssl_ctx_t
Definition ssl_private.h:755
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
apr_socket_send
apr_status_t apr_socket_send(apr_socket_t *sock, const char *buf, apr_size_t *len)
Definition sendrecv.c:30
apr_socket_close
apr_status_t apr_socket_close(apr_socket_t *thesocket)
Definition sockets.c:211
apr_socket_connect
apr_status_t apr_socket_connect(apr_socket_t *sock, apr_sockaddr_t *sa)
Definition sockets.c:388
apr_socket_create
apr_status_t apr_socket_create(apr_socket_t **new, int ofamily, int type, int protocol, apr_pool_t *cont)
Definition sockets.c:116
apr_socket_timeout_set
apr_status_t apr_socket_timeout_set(apr_socket_t *sock, apr_interval_time_t t)
Definition sockopt.c:75
timeout
IN ULONG IN INT timeout
Definition apr_arch_misc.h:482
Generated by doxygen 1.9.8