Apache HTTPD
ssl_util_stapling.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* _ _
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
22 * |_____|
23 * ssl_stapling.c
24 * OCSP Stapling Support
25 */
26 /* ``Where's the spoons?
27 Where's the spoons?
28 Where's the bloody spoons?''
29 -- Alexei Sayle */
30
31#include "ssl_private.h"
32
33#include "ap_mpm.h"
34#include "apr_thread_mutex.h"
35
36APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status,
37 (server_rec *s, apr_pool_t *p,
38 X509 *cert, X509 *issuer),
39 (s, p, cert, issuer),
40 DECLINED, DECLINED)
41
42APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, get_stapling_status,
43 (unsigned char **pder, int *pderlen,
44 conn_rec *c, server_rec *s, X509 *cert),
45 (pder, pderlen, c, s, cert),
46 DECLINED, DECLINED)
47
48
49#ifdef HAVE_OCSP_STAPLING
50
51static int stapling_cache_mutex_on(server_rec *s);
52static int stapling_cache_mutex_off(server_rec *s);
53
54static int stapling_cb(SSL *ssl, void *arg);
55
63#define MAX_STAPLING_DER 10240
64
65/* Cached info stored in the global stapling_certinfo hash. */
66typedef struct {
67 /* Index in session cache (SHA-1 digest of DER encoded certificate) */
68 UCHAR idx[SHA_DIGEST_LENGTH];
69 /* Certificate ID for OCSP request */
70 OCSP_CERTID *cid;
71 /* URI of the OCSP responder */
72 char *uri;
73} certinfo;
74
75static apr_status_t ssl_stapling_certid_free(void *data)
76{
77 OCSP_CERTID *cid = data;
78
79 if (cid) {
80 OCSP_CERTID_free(cid);
81 }
82
83 return APR_SUCCESS;
84}
85
86static apr_hash_t *stapling_certinfo;
87
88void ssl_stapling_certinfo_hash_init(apr_pool_t *p)
89{
90 stapling_certinfo = apr_hash_make(p);
91}
92
93static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
94{
95 X509 *issuer = NULL;
96 int i;
97 X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
98 X509_STORE_CTX *inctx;
99 STACK_OF(X509) *extra_certs = NULL;
100
101#ifdef OPENSSL_NO_SSL_INTERN
102 SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
103#else
104 extra_certs = mctx->ssl_ctx->extra_certs;
105#endif
106
107 for (i = 0; i < sk_X509_num(extra_certs); i++) {
108 issuer = sk_X509_value(extra_certs, i);
109 if (X509_check_issued(issuer, x) == X509_V_OK) {
110#if OPENSSL_VERSION_NUMBER < 0x10100000L
111 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
112#else
113 X509_up_ref(issuer);
114#endif
115 return issuer;
116 }
117 }
118
119 inctx = X509_STORE_CTX_new();
120 if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) {
121 X509_STORE_CTX_free(inctx);
122 return 0;
123 }
124 if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
125 issuer = NULL;
126 X509_STORE_CTX_cleanup(inctx);
127 X509_STORE_CTX_free(inctx);
128 return issuer;
129}
130
131int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
132 modssl_ctx_t *mctx, X509 *x)
133{
134 UCHAR idx[SHA_DIGEST_LENGTH];
135 certinfo *cinf = NULL;
136 X509 *issuer = NULL;
137 OCSP_CERTID *cid = NULL;
138 STACK_OF(OPENSSL_STRING) *aia = NULL;
139 const char *pem = NULL;
140 int rv = 1; /* until further notice */
141
142 if (x == NULL)
143 return 0;
144
145 if (!(issuer = stapling_get_issuer(mctx, x))) {
146 /* In Apache pre 2.4.40, we use to come here only when mod_ssl stapling
147 * was enabled. With the new hooks, we give other modules the chance
148 * to provide stapling status. However, we do not want to log ssl errors
149 * where we did not do so in the past. */
150 if (mctx->stapling_enabled == TRUE) {
151 ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217)
152 "ssl_stapling_init_cert: can't retrieve issuer "
153 "certificate!");
154 return 0;
155 }
156 return 1;
157 }
158
159 if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) {
160 rv = 0;
161 goto cleanup;
162 }
163
164 if (modssl_cert_get_pem(ptemp, x, issuer, &pem) != APR_SUCCESS) {
165 rv = 0;
166 goto cleanup;
167 }
168
169 if (ap_ssl_ocsp_prime(s, p, (const char*)idx, sizeof(idx), pem) == APR_SUCCESS
170 || ssl_run_init_stapling_status(s, p, x, issuer) == OK) {
171 /* Someone's taken over or mod_ssl's own implementation is not enabled */
172 if (mctx->stapling_enabled != TRUE) {
173 SSL_CTX_set_tlsext_status_cb(mctx->ssl_ctx, stapling_cb);
174 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10177) "OCSP stapling added via hook");
175 }
176 goto cleanup;
177 }
178
179 if (mctx->stapling_enabled != TRUE) {
180 /* mod_ssl's own implementation is not enabled */
181 goto cleanup;
182 }
183
184 cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
185 if (cinf) {
186 /*
187 * We already parsed the certificate, and no OCSP URI was found.
188 * The certificate might be used for multiple vhosts, though,
189 * so we check for a ForceURL for this vhost.
190 */
191 if (!cinf->uri && !mctx->stapling_force_url) {
192 ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
193 APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "
194 "in certificate and no SSLStaplingForceURL "
195 "configured for server %s", mctx->sc->vhost_id);
196 rv = 0;
197 }
198 goto cleanup;
199 }
200
201 cid = OCSP_cert_to_id(NULL, x, issuer);
202 if (!cid) {
203 ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)
204 "ssl_stapling_init_cert: can't create CertID "
205 "for OCSP request");
206 rv = 0;
207 goto cleanup;
208 }
209
210 aia = X509_get1_ocsp(x);
211 if (!aia && !mctx->stapling_force_url) {
212 OCSP_CERTID_free(cid);
213 ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
214 APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
215 "in certificate and no SSLStaplingForceURL set");
216 rv = 0;
217 goto cleanup;
218 }
219
220 /* At this point, we have determined that there's something to store */
221 cinf = apr_pcalloc(p, sizeof(certinfo));
222 memcpy (cinf->idx, idx, sizeof(idx));
223 cinf->cid = cid;
224 /* make sure cid is also freed at pool cleanup */
225 apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free,
226 apr_pool_cleanup_null);
227 if (aia) {
228 /* allocate uri from the pconf pool */
229 cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
230 X509_email_free(aia);
231 }
232
233 ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x,
234 "ssl_stapling_init_cert: storing certinfo for server %s",
235 mctx->sc->vhost_id);
236
237 apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
238
239cleanup:
240 X509_free(issuer);
241 return rv;
242}
243
244static certinfo *stapling_get_certinfo(server_rec *s, UCHAR *idx, apr_size_t idx_len,
245 modssl_ctx_t *mctx, SSL *ssl)
246{
247 certinfo *cinf;
248 cinf = apr_hash_get(stapling_certinfo, idx, idx_len);
249 if (cinf && cinf->cid)
250 return cinf;
251 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
252 "stapling_get_certinfo: stapling not supported for certificate");
253 return NULL;
254}
255
256/*
257 * OCSP response caching code. The response is preceded by a flag value
258 * which indicates whether the response was invalid when it was stored.
259 * the purpose of this flag is to avoid repeated queries to a server
260 * which has given an invalid response while allowing a response which
261 * has subsequently become invalid to be retried immediately.
262 *
263 * The key for the cache is the hash of the certificate the response
264 * is for.
265 */
266static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx,
267 OCSP_RESPONSE *rsp, certinfo *cinf,
268 BOOL ok, apr_pool_t *pool)
269{
270 SSLModConfigRec *mc = myModConfig(s);
271 unsigned char resp_der[MAX_STAPLING_DER]; /* includes one-byte flag + response */
272 unsigned char *p;
273 int resp_derlen, stored_len;
274 BOOL rv;
275 apr_time_t expiry;
276
277 resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL);
278
279 if (resp_derlen <= 0) {
280 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01927)
281 "OCSP stapling response encode error??");
282 return FALSE;
283 }
284
285 stored_len = resp_derlen + 1; /* response + ok flag */
286 if (stored_len > sizeof resp_der) {
287 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01928)
288 "OCSP stapling response too big (%u bytes)", resp_derlen);
289 return FALSE;
290 }
291
292 p = resp_der;
293
294 /* TODO: potential optimization; _timeout members as apr_interval_time_t */
295 if (ok == TRUE) {
296 *p++ = 1;
297 expiry = apr_time_from_sec(mctx->stapling_cache_timeout);
298 }
299 else {
300 *p++ = 0;
301 expiry = apr_time_from_sec(mctx->stapling_errcache_timeout);
302 }
303
304 expiry += apr_time_now();
305
306 i2d_OCSP_RESPONSE(rsp, &p);
307
308 if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
309 stapling_cache_mutex_on(s);
310 rv = mc->stapling_cache->store(mc->stapling_cache_context, s,
311 cinf->idx, sizeof(cinf->idx),
312 expiry, resp_der, stored_len, pool);
313 if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
314 stapling_cache_mutex_off(s);
315 if (rv != APR_SUCCESS) {
316 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01929)
317 "stapling_cache_response: OCSP response session store error!");
318 return FALSE;
319 }
320
321 return TRUE;
322}
323
324static void stapling_get_cached_response(server_rec *s, OCSP_RESPONSE **prsp,
325 BOOL *pok, certinfo *cinf,
326 apr_pool_t *pool)
327{
328 SSLModConfigRec *mc = myModConfig(s);
329 apr_status_t rv;
330 OCSP_RESPONSE *rsp;
331 unsigned char resp_der[MAX_STAPLING_DER];
332 const unsigned char *p;
333 unsigned int resp_derlen = MAX_STAPLING_DER;
334
335 if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
336 stapling_cache_mutex_on(s);
337 rv = mc->stapling_cache->retrieve(mc->stapling_cache_context, s,
338 cinf->idx, sizeof(cinf->idx),
339 resp_der, &resp_derlen, pool);
340 if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
341 stapling_cache_mutex_off(s);
342 if (rv != APR_SUCCESS) {
343 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01930)
344 "stapling_get_cached_response: cache miss");
345 return;
346 }
347 if (resp_derlen <= 1) {
348 /* should-not-occur; must have at least valid-when-stored flag +
349 * OCSPResponseStatus
350 */
351 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01931)
352 "stapling_get_cached_response: response length invalid??");
353 return;
354 }
355 p = resp_der;
356 if (*p) /* valid when stored */
357 *pok = TRUE;
358 else
359 *pok = FALSE;
360 p++;
361 resp_derlen--;
362 rsp = d2i_OCSP_RESPONSE(NULL, &p, resp_derlen);
363 if (!rsp) {
364 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01932)
365 "stapling_get_cached_response: response parse error??");
366 return;
367 }
368 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01933)
369 "stapling_get_cached_response: cache hit");
370
371 *prsp = rsp;
372}
373
374static int stapling_set_response(SSL *ssl, OCSP_RESPONSE *rsp)
375{
376 int rspderlen;
377 unsigned char *rspder = NULL;
378
379 rspderlen = i2d_OCSP_RESPONSE(rsp, &rspder);
380 if (rspderlen <= 0)
381 return 0;
382 SSL_set_tlsext_status_ocsp_resp(ssl, rspder, rspderlen);
383 return 1;
384}
385
386static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
387 certinfo *cinf, OCSP_RESPONSE *rsp,
388 BOOL *pok)
389{
390 int status = V_OCSP_CERTSTATUS_UNKNOWN;
391 int reason = OCSP_REVOKED_STATUS_NOSTATUS;
392 OCSP_BASICRESP *bs = NULL;
393 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
394 int response_status = OCSP_response_status(rsp);
395 int rv = SSL_TLSEXT_ERR_OK;
396
397 if (pok)
398 *pok = FALSE;
399 /* Check to see if response is an error. If so we automatically accept
400 * it because it would have expired from the cache if it was time to
401 * retry.
402 */
403 if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
404 if (mctx->stapling_return_errors)
405 return SSL_TLSEXT_ERR_OK;
406 else
407 return SSL_TLSEXT_ERR_NOACK;
408 }
409
410 bs = OCSP_response_get1_basic(rsp);
411 if (bs == NULL) {
412 /* If we can't parse response just pass it to client */
413 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934)
414 "stapling_check_response: Error Parsing Response!");
415 return SSL_TLSEXT_ERR_OK;
416 }
417
418 if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
419 &thisupd, &nextupd)) {
420 /* If ID not present pass back to client (if configured so) */
421 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01935)
422 "stapling_check_response: certificate ID not present in response!");
423 if (mctx->stapling_return_errors == FALSE)
424 rv = SSL_TLSEXT_ERR_NOACK;
425 }
426 else {
427 if (OCSP_check_validity(thisupd, nextupd,
428 mctx->stapling_resptime_skew,
429 mctx->stapling_resp_maxage)) {
430 if (pok)
431 *pok = TRUE;
432 }
433 else {
434 /* If pok is not NULL response was direct from a responder and
435 * the times should be valide. If pok is NULL the response was
436 * retrieved from cache and it is expected to subsequently expire
437 */
438 if (pok) {
439 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01936)
440 "stapling_check_response: response times invalid");
441 }
442 else {
443 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01937)
444 "stapling_check_response: cached response expired");
445 }
446
447 rv = SSL_TLSEXT_ERR_NOACK;
448 }
449
450 if (status != V_OCSP_CERTSTATUS_GOOD && pok) {
451 char snum[MAX_STRING_LEN] = { '\0' };
452 BIO *bio = BIO_new(BIO_s_mem());
453
454 if (bio) {
455 int n;
456 ASN1_INTEGER *pserial;
457 OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
458 if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
459 ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
460 snum[n] = '\0';
461 BIO_free(bio);
462 }
463
464 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02969)
465 "stapling_check_response: response has certificate "
466 "status %s (reason: %s) for serial number %s",
467 OCSP_cert_status_str(status),
468 (reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
469 OCSP_crl_reason_str(reason) : "n/a",
470 snum[0] ? snum : "[n/a]");
471 }
472 }
473
474 OCSP_BASICRESP_free(bs);
475
476 return rv;
477}
478
479static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
480 certinfo *cinf, OCSP_RESPONSE **prsp,
481 BOOL *pok, apr_pool_t *pool)
482{
483 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
484 apr_pool_t *vpool;
485 OCSP_REQUEST *req = NULL;
486 OCSP_CERTID *id = NULL;
487 STACK_OF(X509_EXTENSION) *exts;
488 int i;
489 BOOL rv = TRUE;
490 const char *ocspuri;
491 apr_uri_t uri;
492
493 *prsp = NULL;
494 /* Build up OCSP query from server certificate info */
495 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01938)
496 "stapling_renew_response: querying responder");
497
498 req = OCSP_REQUEST_new();
499 if (!req)
500 goto err;
501 id = OCSP_CERTID_dup(cinf->cid);
502 if (!id)
503 goto err;
504 if (!OCSP_request_add0_id(req, id))
505 goto err;
506 id = NULL;
507 /* Add any extensions to the request */
508 SSL_get_tlsext_status_exts(ssl, &exts);
509 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
510 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
511 if (!OCSP_REQUEST_add_ext(req, ext, -1))
512 goto err;
513 }
514
515 if (mctx->stapling_force_url)
516 ocspuri = mctx->stapling_force_url;
517 else
518 ocspuri = cinf->uri;
519
520 if (!ocspuri) {
521 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
522 "stapling_renew_response: no uri for responder");
523 rv = FALSE;
524 goto done;
525 }
526
527 /* Create a temporary pool to constrain memory use */
528 apr_pool_create(&vpool, conn->pool);
529 apr_pool_tag(vpool, "modssl_stapling_renew");
530
531 if (apr_uri_parse(vpool, ocspuri, &uri) != APR_SUCCESS) {
532 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01939)
533 "stapling_renew_response: Error parsing uri %s",
534 ocspuri);
535 rv = FALSE;
536 goto done;
537 }
538 else if (strcmp(uri.scheme, "http")) {
539 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01940)
540 "stapling_renew_response: Unsupported uri %s", ocspuri);
541 rv = FALSE;
542 goto done;
543 }
544
545 if (!uri.port) {
546 uri.port = apr_uri_port_of_scheme(uri.scheme);
547 }
548
549 *prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout,
550 req, conn, vpool);
551
552 apr_pool_destroy(vpool);
553
554 if (!*prsp) {
555 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01941)
556 "stapling_renew_response: responder error");
557 if (mctx->stapling_fake_trylater) {
558 *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
559 }
560 else {
561 goto done;
562 }
563 }
564 else {
565 int response_status = OCSP_response_status(*prsp);
566
567 if (response_status == OCSP_RESPONSE_STATUS_SUCCESSFUL) {
568 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01942)
569 "stapling_renew_response: query response received");
570 stapling_check_response(s, mctx, cinf, *prsp, pok);
571 if (*pok == FALSE) {
572 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01943)
573 "stapling_renew_response: error in retrieved response!");
574 }
575 }
576 else {
577 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01944)
578 "stapling_renew_response: responder error %s",
579 OCSP_response_status_str(response_status));
580 *pok = FALSE;
581 }
582 }
583 if (stapling_cache_response(s, mctx, *prsp, cinf, *pok, pool) == FALSE) {
584 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01945)
585 "stapling_renew_response: error caching response!");
586 }
587
588done:
589 if (id)
590 OCSP_CERTID_free(id);
591 if (req)
592 OCSP_REQUEST_free(req);
593 return rv;
594err:
595 rv = FALSE;
596 goto done;
597}
598
599/*
600 * SSL stapling mutex operations. Similar to SSL mutex except mutexes are
601 * mandatory if stapling is enabled.
602 */
603static int ssl_stapling_mutex_init(server_rec *s, apr_pool_t *p)
604{
605 SSLModConfigRec *mc = myModConfig(s);
606 SSLSrvConfigRec *sc = mySrvConfig(s);
607 apr_status_t rv;
608
609 /* already init or stapling not enabled? */
610 if (mc->stapling_refresh_mutex || sc->server->stapling_enabled != TRUE) {
611 return TRUE;
612 }
613
614 /* need a cache mutex? */
615 if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
616 if ((rv = ap_global_mutex_create(&mc->stapling_cache_mutex, NULL,
617 SSL_STAPLING_CACHE_MUTEX_TYPE, NULL, s,
618 s->process->pool, 0)) != APR_SUCCESS) {
619 return FALSE;
620 }
621 }
622
623 /* always need stapling_refresh_mutex */
624 if ((rv = ap_global_mutex_create(&mc->stapling_refresh_mutex, NULL,
625 SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL, s,
626 s->process->pool, 0)) != APR_SUCCESS) {
627 return FALSE;
628 }
629
630 return TRUE;
631}
632
633static int stapling_mutex_reinit_helper(server_rec *s, apr_pool_t *p,
634 apr_global_mutex_t **mutex,
635 const char *type)
636{
637 apr_status_t rv;
638 const char *lockfile;
639
640 lockfile = apr_global_mutex_lockfile(*mutex);
641 if ((rv = apr_global_mutex_child_init(mutex,
642 lockfile, p)) != APR_SUCCESS) {
643 if (lockfile) {
644 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(01946)
645 "Cannot reinit %s mutex with file `%s'",
646 type, lockfile);
647 }
648 else {
649 ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01947)
650 "Cannot reinit %s mutex", type);
651 }
652 return FALSE;
653 }
654 return TRUE;
655}
656
657int ssl_stapling_mutex_reinit(server_rec *s, apr_pool_t *p)
658{
659 SSLModConfigRec *mc = myModConfig(s);
660
661 if (mc->stapling_cache_mutex != NULL
662 && stapling_mutex_reinit_helper(s, p, &mc->stapling_cache_mutex,
663 SSL_STAPLING_CACHE_MUTEX_TYPE) == FALSE) {
664 return FALSE;
665 }
666
667 if (mc->stapling_refresh_mutex != NULL
668 && stapling_mutex_reinit_helper(s, p, &mc->stapling_refresh_mutex,
669 SSL_STAPLING_REFRESH_MUTEX_TYPE) == FALSE) {
670 return FALSE;
671 }
672
673 return TRUE;
674}
675
676static int stapling_mutex_on(server_rec *s, apr_global_mutex_t *mutex,
677 const char *name)
678{
679 apr_status_t rv;
680
681 if ((rv = apr_global_mutex_lock(mutex)) != APR_SUCCESS) {
682 ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01948)
683 "Failed to acquire OCSP %s lock", name);
684 return FALSE;
685 }
686 return TRUE;
687}
688
689static int stapling_mutex_off(server_rec *s, apr_global_mutex_t *mutex,
690 const char *name)
691{
692 apr_status_t rv;
693
694 if ((rv = apr_global_mutex_unlock(mutex)) != APR_SUCCESS) {
695 ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01949)
696 "Failed to release OCSP %s lock", name);
697 return FALSE;
698 }
699 return TRUE;
700}
701
702static int stapling_cache_mutex_on(server_rec *s)
703{
704 SSLModConfigRec *mc = myModConfig(s);
705
706 return stapling_mutex_on(s, mc->stapling_cache_mutex,
707 SSL_STAPLING_CACHE_MUTEX_TYPE);
708}
709
710static int stapling_cache_mutex_off(server_rec *s)
711{
712 SSLModConfigRec *mc = myModConfig(s);
713
714 return stapling_mutex_off(s, mc->stapling_cache_mutex,
715 SSL_STAPLING_CACHE_MUTEX_TYPE);
716}
717
718static int stapling_refresh_mutex_on(server_rec *s)
719{
720 SSLModConfigRec *mc = myModConfig(s);
721
722 return stapling_mutex_on(s, mc->stapling_refresh_mutex,
723 SSL_STAPLING_REFRESH_MUTEX_TYPE);
724}
725
726static int stapling_refresh_mutex_off(server_rec *s)
727{
728 SSLModConfigRec *mc = myModConfig(s);
729
730 return stapling_mutex_off(s, mc->stapling_refresh_mutex,
731 SSL_STAPLING_REFRESH_MUTEX_TYPE);
732}
733
734static int get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx,
735 OCSP_RESPONSE **rsp, BOOL *pok,
736 certinfo *cinf, apr_pool_t *p)
737{
738 BOOL ok = FALSE;
739 int rv;
740
741 AP_DEBUG_ASSERT(*rsp == NULL);
742
743 /* Check to see if we already have a response for this certificate */
744 stapling_get_cached_response(s, rsp, &ok, cinf, p);
745
746 if (*rsp) {
747 /* see if response is acceptable */
748 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953)
749 "stapling_cb: retrieved cached response");
750 rv = stapling_check_response(s, mctx, cinf, *rsp, NULL);
751 if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
752 OCSP_RESPONSE_free(*rsp);
753 *rsp = NULL;
754 return SSL_TLSEXT_ERR_ALERT_FATAL;
755 }
756 else if (rv == SSL_TLSEXT_ERR_NOACK) {
757 /* Error in response. If this error was not present when it was
758 * stored (i.e. response no longer valid) then it can be
759 * renewed straight away.
760 *
761 * If the error *was* present at the time it was stored then we
762 * don't renew the response straight away; we just wait for the
763 * cached response to expire.
764 */
765 if (ok) {
766 OCSP_RESPONSE_free(*rsp);
767 *rsp = NULL;
768 }
769 else if (!mctx->stapling_return_errors) {
770 OCSP_RESPONSE_free(*rsp);
771 *rsp = NULL;
772 *pok = FALSE;
773 return SSL_TLSEXT_ERR_NOACK;
774 }
775 }
776 }
777 return 0;
778}
779
780typedef struct {
781 unsigned char *data;
782 apr_size_t len;
783} ocsp_resp;
784
785static void copy_ocsp_resp(const unsigned char *der, apr_size_t der_len, void *userdata)
786{
787 ocsp_resp *resp = userdata;
788
789 resp->len = 0;
790 resp->data = der? OPENSSL_malloc(der_len) : NULL;
791 if (resp->data) {
792 memcpy(resp->data, der, der_len);
793 resp->len = der_len;
794 }
795}
796
797/* Certificate Status callback. This is called when a client includes a
798 * certificate status request extension.
799 *
800 * Check for cached responses in session cache. If valid send back to
801 * client. If absent or no longer valid, query responder and update
802 * cache.
803 */
804static int stapling_cb(SSL *ssl, void *arg)
805{
806 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
807 server_rec *s = mySrvFromConn(conn);
808 SSLSrvConfigRec *sc = mySrvConfig(s);
809 modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
810 UCHAR idx[SHA_DIGEST_LENGTH];
811 ocsp_resp resp;
812 certinfo *cinf = NULL;
813 OCSP_RESPONSE *rsp = NULL;
814 int rv;
815 BOOL ok = TRUE;
816 X509 *x;
817 int rspderlen, provided = 0;
818
819 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)
820 "stapling_cb: OCSP Stapling callback called");
821
822 x = SSL_get_certificate(ssl);
823 if (x == NULL) {
824 return SSL_TLSEXT_ERR_NOACK;
825 }
826
827 if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) {
828 return SSL_TLSEXT_ERR_NOACK;
829 }
830
831 if (ap_ssl_ocsp_get_resp(s, conn, (const char*)idx, sizeof(idx),
832 copy_ocsp_resp, &resp) == APR_SUCCESS) {
833 provided = 1;
834 }
835 else if (ssl_run_get_stapling_status(&resp.data, &rspderlen, conn, s, x) == APR_SUCCESS) {
836 resp.len = (apr_size_t)rspderlen;
837 provided = 1;
838 }
839
840 if (provided) {
841 /* a hook handles stapling for this certificate and determines the response */
842 if (resp.data == NULL || resp.len == 0) {
843 return SSL_TLSEXT_ERR_NOACK;
844 }
845 SSL_set_tlsext_status_ocsp_resp(ssl, resp.data, (int)resp.len);
846 return SSL_TLSEXT_ERR_OK;
847 }
848
849 if (sc->server->stapling_enabled != TRUE) {
850 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01950)
851 "stapling_cb: OCSP Stapling disabled");
852 return SSL_TLSEXT_ERR_NOACK;
853 }
854
855 if ((cinf = stapling_get_certinfo(s, idx, sizeof(idx), mctx, ssl)) == NULL) {
856 return SSL_TLSEXT_ERR_NOACK;
857 }
858
859 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01952)
860 "stapling_cb: retrieved cached certificate data");
861
862 rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf, conn->pool);
863 if (rv != 0) {
864 return rv;
865 }
866
867 if (rsp == NULL) {
868 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01954)
869 "stapling_cb: renewing cached response");
870 stapling_refresh_mutex_on(s);
871 /* Maybe another request refreshed the OCSP response while this
872 * thread waited for the mutex. Check again.
873 */
874 rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf,
875 conn->pool);
876 if (rv != 0) {
877 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03236)
878 "stapling_cb: error checking for cached response "
879 "after obtaining refresh mutex");
880 stapling_refresh_mutex_off(s);
881 return rv;
882 }
883 else if (rsp) {
884 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03237)
885 "stapling_cb: don't need to refresh cached response "
886 "after obtaining refresh mutex");
887 stapling_refresh_mutex_off(s);
888 }
889 else {
890 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03238)
891 "stapling_cb: still must refresh cached response "
892 "after obtaining refresh mutex");
893 rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, &ok,
894 conn->pool);
895 stapling_refresh_mutex_off(s);
896
897 if (rv == TRUE) {
898 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03040)
899 "stapling_cb: success renewing response");
900 }
901 else {
902 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01955)
903 "stapling_cb: fatal error renewing response");
904 return SSL_TLSEXT_ERR_ALERT_FATAL;
905 }
906 }
907 }
908
909 if (rsp && ((ok == TRUE) || (mctx->stapling_return_errors == TRUE))) {
910 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01956)
911 "stapling_cb: setting response");
912 if (!stapling_set_response(ssl, rsp)) {
913 rv = SSL_TLSEXT_ERR_ALERT_FATAL;
914 }
915 else {
916 rv = SSL_TLSEXT_ERR_OK;
917 }
918 }
919 else {
920 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
921 "stapling_cb: no suitable response available");
922 rv = SSL_TLSEXT_ERR_NOACK;
923 }
924 OCSP_RESPONSE_free(rsp); /* NULL safe */
925
926 return rv;
927}
928
929apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p,
930 apr_pool_t *ptemp, modssl_ctx_t *mctx)
931{
932 SSL_CTX *ctx = mctx->ssl_ctx;
933 SSLModConfigRec *mc = myModConfig(s);
934
935 if (mc->stapling_cache == NULL) {
936 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
937 "SSLStapling: no stapling cache available");
938 return ssl_die(s);
939 }
940 if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
941 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
942 "SSLStapling: cannot initialise stapling mutex");
943 return ssl_die(s);
944 }
945 /* Set some default values for parameters if they are not set */
946 if (mctx->stapling_resptime_skew == UNSET) {
947 mctx->stapling_resptime_skew = 60 * 5;
948 }
949 if (mctx->stapling_cache_timeout == UNSET) {
950 mctx->stapling_cache_timeout = 3600;
951 }
952 if (mctx->stapling_return_errors == UNSET) {
953 mctx->stapling_return_errors = TRUE;
954 }
955 if (mctx->stapling_fake_trylater == UNSET) {
956 mctx->stapling_fake_trylater = TRUE;
957 }
958 if (mctx->stapling_errcache_timeout == UNSET) {
959 mctx->stapling_errcache_timeout = 600;
960 }
961 if (mctx->stapling_responder_timeout == UNSET) {
962 mctx->stapling_responder_timeout = 10 * APR_USEC_PER_SEC;
963 }
964
965 SSL_CTX_set_tlsext_status_cb(ctx, stapling_cb);
966 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01960) "OCSP stapling initialized");
967
968 return APR_SUCCESS;
969}
970
971#endif
ap_mpm.h
Apache Multi-Processing Module library.
n
int n
Definition ap_regex.h:278
len
const char apr_size_t len
Definition ap_regex.h:187
TRUE
#define TRUE
Definition abts.h:38
FALSE
#define FALSE
Definition abts.h:35
apr_thread_mutex.h
APR Thread Mutex Routines.
MAX_STRING_LEN
#define MAX_STRING_LEN
Definition httpd.h:300
DECLINED
#define DECLINED
Definition httpd.h:457
OK
#define OK
Definition httpd.h:456
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
APLOG_INFO
#define APLOG_INFO
Definition http_log.h:70
APLOG_ERR
#define APLOG_ERR
Definition http_log.h:67
ap_log_error
#define ap_log_error
Definition http_log.h:370
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_WARNING
#define APLOG_WARNING
Definition http_log.h:68
APLOG_EMERG
#define APLOG_EMERG
Definition http_log.h:64
APLOG_TRACE1
#define APLOG_TRACE1
Definition http_log.h:72
APLOG_DEBUG
#define APLOG_DEBUG
Definition http_log.h:71
ap_global_mutex_create
apr_status_t ap_global_mutex_create(apr_global_mutex_t **mutex, const char **name, const char *type, const char *instance_id, server_rec *server, apr_pool_t *pool, apr_int32_t options)
Definition util_mutex.c:407
ap_ssl_ocsp_get_resp
apr_status_t ap_ssl_ocsp_get_resp(server_rec *s, conn_rec *c, const char *id, apr_size_t id_len, ap_ssl_ocsp_copy_resp *cb, void *userdata)
Definition ssl.c:253
ap_ssl_ocsp_prime
apr_status_t ap_ssl_ocsp_prime(server_rec *s, apr_pool_t *p, const char *id, apr_size_t id_len, const char *pem)
Definition ssl.c:245
arg
void const char * arg
Definition http_vhost.h:63
ctx
apr_brigade_flush void * ctx
Definition apr_buckets.h:802
mc
apr_memcache_t * mc
Definition apr_memcache.h:161
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL
#define APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ns, link, ret, name, args_decl, args_use, ok, decline)
Definition apr_optional_hooks.h:90
uri
const char * uri
Definition apr_uri.h:159
AP_SOCACHE_FLAG_NOTMPSAFE
#define AP_SOCACHE_FLAG_NOTMPSAFE
Definition ap_socache.h:46
ssl_die
apr_status_t ssl_die(server_rec *s)
Definition ssl_engine_log.c:66
SSLLOG_MARK
#define SSLLOG_MARK
Definition ssl_private.h:1156
mySrvFromConn
#define mySrvFromConn(c)
Definition ssl_private.h:365
mySrvConfig
#define mySrvConfig(srv)
Definition ssl_private.h:358
modssl_dispatch_ocsp_request
OCSP_RESPONSE * modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p)
Definition ssl_util_ocsp.c:306
SSL_STAPLING_REFRESH_MUTEX_TYPE
#define SSL_STAPLING_REFRESH_MUTEX_TYPE
Definition ssl_private.h:1129
myModConfig
#define myModConfig(srv)
Definition ssl_private.h:364
UCHAR
#define UCHAR
Definition ssl_private.h:336
ssl_stapling_mutex_reinit
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *)
myConnCtxConfig
#define myConnCtxConfig(c, sc)
Definition ssl_private.h:362
SSL_STAPLING_CACHE_MUTEX_TYPE
#define SSL_STAPLING_CACHE_MUTEX_TYPE
Definition ssl_private.h:1128
BOOL
#define BOOL
Definition ssl_private.h:81
modssl_cert_get_pem
apr_status_t modssl_cert_get_pem(apr_pool_t *p, X509 *cert1, X509 *cert2, const char **ppem)
Definition ssl_util_ssl.c:593
ssl_run_get_stapling_status
int ssl_run_get_stapling_status(unsigned char **pder, int *pderlen, conn_rec *c, server_rec *s, X509 *cert)
Definition ssl_util_stapling.c:46
ssl_run_init_stapling_status
int ssl_run_init_stapling_status(server_rec *s, apr_pool_t *p, X509 *cert, X509 *issuer)
Definition ssl_util_stapling.c:40
AP_DEBUG_ASSERT
#define AP_DEBUG_ASSERT(exp)
Definition httpd.h:2283
size
apr_size_t size
Definition apr_allocator.h:115
pool
const char int apr_pool_t * pool
Definition apr_cstr.h:84
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
data
void * data
Definition apr_file_io.h:832
cleanup
void const char apr_status_t(* cleanup)(void *))
Definition apr_file_io.h:834
type
int type
Definition apr_file_io.h:798
c
apr_vformatter_buff_t * c
Definition apr_lib.h:175
apr_pool_create
#define apr_pool_create(newpool, parent)
Definition apr_pools.h:322
apr_pcalloc
#define apr_pcalloc(p, size)
Definition apr_pools.h:465
s
const char * s
Definition apr_strings.h:95
err
apr_int32_t apr_int32_t apr_int32_t err
Definition apr_thread_proc.h:418
reason
int reason
Definition apr_thread_proc.h:759
status
int int status
Definition apr_thread_proc.h:760
APR_USEC_PER_SEC
#define APR_USEC_PER_SEC
Definition apr_time.h:60
apr_time_t
apr_int64_t apr_time_t
Definition apr_time.h:45
apr_time_from_sec
#define apr_time_from_sec(sec)
Definition apr_time.h:78
p
apr_pool_t * p
Definition md_event.c:32
UNSET
#define UNSET
Definition mod_authz_core.c:92
NULL
return NULL
Definition mod_so.c:359
i
int i
Definition mod_so.c:347
STACK_OF
STACK_OF(X509_NAME)
Definition ssl_engine_init.c:2304
ssl_log_xerror
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *ptemp, server_rec *s, X509 *cert, const char *fmt,...)
Definition ssl_engine_log.c:211
name
char * name
Definition ssl_engine_vars.c:563
ssl_private.h
Internal interfaces private to mod_ssl.
SSLSrvConfigRec::server
modssl_ctx_t * server
Definition ssl_private.h:836
apr_global_mutex_t
Definition apr_arch_global_mutex.h:23
apr_hash_t
Definition apr_hash.c:75
apr_memcache_t::flags
apr_uint32_t flags
Definition apr_memcache.h:100
apr_pool_t
Definition apr_pools.c:562
apr_uri_t
Definition apr_uri.h:85
conn_rec
Structure to store things which are per connection.
Definition httpd.h:1152
conn_rec::pool
apr_pool_t * pool
Definition httpd.h:1154
modssl_ctx_t
Definition ssl_private.h:755
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
Generated by doxygen 1.9.8