www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

Add support for OCSP "stapling":

Browse Source 
* modules/ssl/ssl_util_stapling.c: New file.

* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.

* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
  OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
  extension support enabled).

* modules/ssl/mod_ssl.c: Add config directives.

* modules/ssl/ssl_private.h: Add prototypes for new functions.
  (SSLModConfigRec): Add fields for stapling socache instance and
  associated mutex.
  (modssl_ctx_t): Add config fields for stapling.

* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
  Call the stapling initialization functions.

* modules/ssl/ssl_engine_config.c: Add config hooks.

* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
  instance for OCSP responses.

Submitted by: Dr Stephen Henson <shenson oss-institute.org>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2009-10-25 17:21:10 +00:00
parent 299688e2b1
commit b2cb650f61
10 changed files with 1051 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -10,6 +10,9 @@ Changes with Apache 2.3.3
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) mod_ssl: Add support for OCSP Stapling. PR 43822.
[Dr Stephen Henson <shenson oss-institute.org>]
*) mod_socache_shmcb: Allow parens in file name if cache size is given.
Fixes SSLSessionCache directive mis-parsing parens in pathname.
PR 47945. [Stefan Fritsch]

1
modules/ssl/config.m4
View File

@@ -40,6 +40,7 @@ ssl_expr_eval.lo dnl
ssl_expr_parse.lo dnl
ssl_expr_scan.lo dnl
ssl_scache.lo dnl
ssl_util_stapling.lo dnl
ssl_util.lo dnl
ssl_util_ssl.lo dnl
ssl_engine_ocsp.lo dnl

30
modules/ssl/mod_ssl.c
View File

@@ -197,6 +197,36 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
"Force use of the default responder URL ('on', 'off')")
#ifdef HAVE_OCSP_STAPLING
/*
* OCSP Stapling options
*/
SSL_CMD_SRV(StaplingMutex, TAKE1, AP_ALL_AVAILABLE_MUTEXES_STRING)
SSL_CMD_SRV(StaplingCache, TAKE1,
"SSL Stapling Response Cache storage "
"(`dbm:/path/to/file')")
SSL_CMD_SRV(UseStapling, FLAG,
"SSL switch for the OCSP Stapling protocol " "(`on', `off')")
SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
"SSL stapling option for maximum time difference in OCSP responses")
SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
"SSL stapling option for OCSP responder timeout")
SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
"SSL stapling option for maximum age of OCSP responses")
SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
"SSL stapling option for normal OCSP Response Cache Lifetime")
SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
"SSL stapling switch to return Status Errors Back to Client"
"(`on', `off')")
SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
"SSL stapling switch to send tryLater response to client on error "
"(`on', `off')")
SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
"SSL stapling option for OCSP Response Error Cache Lifetime")
SSL_CMD_SRV(StaplingForceURL, TAKE1,
"SSL stapling option to Force the OCSP Stapling URL")
#endif
/* Deprecated directives. */
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
"SSLLog directive is no longer supported - use ErrorLog."),

4
modules/ssl/mod_ssl.dsp
View File

@@ -210,6 +210,10 @@ SOURCE=.\ssl_scache.c
# End Source File
# Begin Source File
SOURCE=.\ssl_util_stapling.c
# End Source File
# Begin Source File
SOURCE=.\ssl_util.c
# End Source File
# Begin Source File

212
modules/ssl/ssl_engine_config.c
View File

@@ -73,6 +73,13 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
mc->szCryptoDevice = NULL;
#endif
#ifdef HAVE_OCSP_STAPLING
mc->stapling_cache = NULL;
mc->stapling_mutex_mode = SSL_MUTEXMODE_UNSET;
mc->stapling_mutex_mech = APR_LOCK_DEFAULT;
mc->stapling_mutex_file = NULL;
mc->stapling_mutex = NULL;
#endif
memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
@@ -129,6 +136,18 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
mctx->ocsp_enabled = FALSE;
mctx->ocsp_force_default = FALSE;
mctx->ocsp_responder = NULL;
#ifdef HAVE_OCSP_STAPLING
mctx->stapling_enabled = UNSET;
mctx->stapling_resptime_skew = UNSET;
mctx->stapling_resp_maxage = UNSET;
mctx->stapling_cache_timeout = UNSET;
mctx->stapling_return_errors = UNSET;
mctx->stapling_fake_trylater = UNSET;
mctx->stapling_errcache_timeout = UNSET;
mctx->stapling_responder_timeout = UNSET;
mctx->stapling_force_url = NULL;
#endif
}
static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -227,6 +246,17 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
cfgMergeBool(ocsp_enabled);
cfgMergeBool(ocsp_force_default);
cfgMerge(ocsp_responder, NULL);
#ifdef HAVE_OCSP_STAPLING
cfgMergeBool(stapling_enabled);
cfgMergeInt(stapling_resptime_skew);
cfgMergeInt(stapling_resp_maxage);
cfgMergeInt(stapling_cache_timeout);
cfgMergeBool(stapling_return_errors);
cfgMergeBool(stapling_fake_trylater);
cfgMergeInt(stapling_errcache_timeout);
cfgMergeInt(stapling_responder_timeout);
cfgMerge(stapling_force_url, NULL);
#endif
}
static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
@@ -1461,6 +1491,188 @@ const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag
#endif
}
#ifdef HAVE_OCSP_STAPLING
const char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err, *sep, *name;
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
/* Argument is of form 'name:args' or just 'name'. */
sep = ap_strchr_c(arg, ':');
if (sep) {
name = apr_pstrmemdup(cmd->pool, arg, sep - arg);
sep++;
}
else {
name = arg;
}
/* Find the provider of given name. */
mc->stapling_cache = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP,
name,
AP_SOCACHE_PROVIDER_VERSION);
if (mc->stapling_cache) {
/* Cache found; create it, passing anything beyond the colon. */
err = mc->stapling_cache->create(&mc->stapling_cache_context,
sep, cmd->temp_pool,
cmd->pool);
}
else {
apr_array_header_t *name_list;
const char *all_names;
/* Build a comma-separated list of all registered provider
* names: */
name_list = ap_list_provider_names(cmd->pool,
AP_SOCACHE_PROVIDER_GROUP,
AP_SOCACHE_PROVIDER_VERSION);
all_names = apr_array_pstrcat(cmd->pool, name_list, ',');
err = apr_psprintf(cmd->pool, "'%s' stapling cache not supported "
"(known names: %s)", name, all_names);
}
if (err) {
return apr_psprintf(cmd->pool, "SSLStaplingCache: %s", err);
}
return NULL;
}
const char *ssl_cmd_SSLStaplingMutex(cmd_parms *cmd,
void *dcfg,
const char *arg_)
{
apr_status_t rv;
const char *err;
SSLModConfigRec *mc = myModConfig(cmd->server);
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
if (ssl_config_global_isfixed(mc)) {
return NULL;
}
rv = ap_parse_mutex(arg_, cmd->server->process->pool,
&mc->stapling_mutex_mech, &mc->stapling_mutex_file);
if (rv == APR_ENOLOCK) {
mc->stapling_mutex_mode = SSL_MUTEXMODE_NONE;
return NULL;
}
else if (rv == APR_ENOTIMPL) {
return apr_pstrcat(cmd->pool, "Invalid SSLStaplingMutex argument ",
arg_,
" (" AP_ALL_AVAILABLE_MUTEXES_STRING ")", NULL);
}
else if (rv == APR_BADARG) {
return apr_pstrcat(cmd->pool, "Invalid SSLStaplingMutex filepath ",
arg_, NULL);
}
mc->stapling_mutex_mode = SSL_MUTEXMODE_USED;
return NULL;
}
const char *ssl_cmd_SSLUseStapling(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_enabled = flag ? TRUE : FALSE;
return NULL;
}
const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_resptime_skew = atoi(arg);
if (sc->server->stapling_resptime_skew < 0) {
return "SSLstapling_resptime_skew: invalid argument";
}
return NULL;
}
const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_resp_maxage = atoi(arg);
if (sc->server->stapling_resp_maxage < 0) {
return "SSLstapling_resp_maxage: invalid argument";
}
return NULL;
}
const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_cache_timeout = atoi(arg);
if (sc->server->stapling_cache_timeout < 0) {
return "SSLstapling_cache_timeout: invalid argument";
}
return NULL;
}
const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_errcache_timeout = atoi(arg);
if (sc->server->stapling_errcache_timeout < 0) {
return "SSLstapling_errcache_timeout: invalid argument";
}
return NULL;
}
const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *cmd,
void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_return_errors = flag ? TRUE : FALSE;
return NULL;
}
const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *cmd,
void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_fake_trylater = flag ? TRUE : FALSE;
return NULL;
}
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_responder_timeout = atoi(arg);
sc->server->stapling_responder_timeout *= APR_USEC_PER_SEC;
if (sc->server->stapling_responder_timeout < 0) {
return "SSLstapling_responder_timeout: invalid argument";
}
return NULL;
}
const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->stapling_force_url = arg;
return NULL;
}
#endif /* HAVE_OCSP_STAPLING */
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
if (!ap_exists_config_define("DUMP_CERTS")) {

28
modules/ssl/ssl_engine_init.c
View File

@@ -249,6 +249,13 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
if (!ssl_mutex_init(base_server, p)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
#ifdef HAVE_OCSP_STAPLING
if (!ssl_stapling_mutex_init(base_server, p)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
ssl_stapling_ex_init();
#endif
/*
* initialize session caching
@@ -382,6 +389,15 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
#ifdef HAVE_OCSP_STAPLING
/*
* OCSP Stapling support, status_request extension
*/
if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {
modssl_init_stapling(s, p, ptemp, mctx);
}
#endif
}
#endif
@@ -773,6 +789,15 @@ static int ssl_server_import_cert(server_rec *s,
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
#ifdef HAVE_OCSP_STAPLING
if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {
if (!ssl_stapling_init_cert(s, mctx, cert)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to configure server certificate for stapling");
}
}
#endif
mctx->pks->certs[idx] = cert;
@@ -1246,6 +1271,9 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s)
/* open the mutex lockfile */
ssl_mutex_reinit(s, p);
#ifdef HAVE_OCSP_STAPLING
ssl_stapling_mutex_reinit(s, p);
#endif
}
#define MODSSL_CFG_ITEM_FREE(func, item) \

44
modules/ssl/ssl_private.h
View File

@@ -391,6 +391,16 @@ typedef struct {
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
const char *szCryptoDevice;
#endif
#ifdef HAVE_OCSP_STAPLING
const ap_socache_provider_t *stapling_cache;
ap_socache_instance_t *stapling_cache_context;
ssl_mutexmode_t stapling_mutex_mode;
apr_lockmech_e stapling_mutex_mech;
const char *stapling_mutex_file;
apr_global_mutex_t *stapling_mutex;
#endif
struct {
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
@@ -457,6 +467,19 @@ typedef struct {
const char *crl_file;
X509_STORE *crl;
#ifdef HAVE_OCSP_STAPLING
/** OCSP stapling options */
BOOL stapling_enabled;
long stapling_resptime_skew;
long stapling_resp_maxage;
int stapling_cache_timeout;
BOOL stapling_return_errors;
BOOL stapling_fake_trylater;
int stapling_errcache_timeout;
apr_interval_time_t stapling_responder_timeout;
const char *stapling_force_url;
#endif
modssl_auth_ctx_t auth;
BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -614,6 +637,24 @@ void ssl_scache_remove(server_rec *, UCHAR *, int,
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/** OCSP Stapling Support */
#ifdef HAVE_OCSP_STAPLING
const char *ssl_cmd_SSLStaplingMutex(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
void ssl_stapling_ex_init(void);
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
#endif
/** I/O */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void ssl_io_filter_register(apr_pool_t *);
@@ -670,6 +711,9 @@ int ssl_mutex_reinit(server_rec *, apr_pool_t *);
int ssl_mutex_on(server_rec *);
int ssl_mutex_off(server_rec *);
int ssl_stapling_mutex_init(server_rec *, apr_pool_t *);
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
/** Logfile Support */
void ssl_die(void);
void ssl_log_ssl_error(const char *, int, int, server_rec *);

25
modules/ssl/ssl_scache.c
View File

@@ -57,6 +57,22 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p)
return;
}
#ifdef HAVE_OCSP_STAPLING
if (mc->stapling_cache) {
memset(&hints, 0, sizeof hints);
hints.avg_obj_size = 1500;
hints.avg_id_len = 20;
hints.expiry_interval = 300;
rv = mc->stapling_cache->init(mc->stapling_cache_context,
"mod_ssl-stapling", &hints, s, p);
if (rv) {
/* ABORT ABORT etc. */
ssl_die();
}
}
#endif
/*
* Warn the user that he should use the session cache.
* But we can operate without it, of course.
@@ -73,7 +89,7 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p)
hints.avg_id_len = 30;
hints.expiry_interval = 30;
rv = mc->sesscache->init(mc->sesscache_context, "mod_ssl", &hints, s, p);
rv = mc->sesscache->init(mc->sesscache_context, "mod_ssl-session", &hints, s, p);
if (rv) {
/* ABORT ABORT etc. */
ssl_die();
@@ -87,6 +103,13 @@ void ssl_scache_kill(server_rec *s)
if (mc->sesscache) {
mc->sesscache->destroy(mc->sesscache_context, s);
}
#ifdef HAVE_OCSP_STAPLING
if (mc->stapling_cache) {
mc->stapling_cache->destroy(mc->stapling_cache_context, s);
}
#endif
}
BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,

6
modules/ssl/ssl_toolkit_compat.h
View File

@@ -147,6 +147,12 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
#define HAVE_SSL_X509V3_EXT_d2i
#if (OPENSSL_VERSION_NUMBER >= 0x00908080)
#ifndef OPENSSL_NO_TLSEXT
#define HAVE_OCSP_STAPLING
#endif
#endif
#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */

699
modules/ssl/ssl_util_stapling.c Normal file
View File

@@ -0,0 +1,699 @@
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* _ _
* _ __ ___ ___ __| | ___ ___| | mod_ssl
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
* | | | | | | (_) | (_| | \__ \__ \ |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
* |_____|
* ssl_stapling.c
* OCSP Stapling Support
*/
/* ``Where's the spoons?
Where's the spoons?
Where's the bloody spoons?''
-- Alexei Sayle */
#include "ssl_private.h"
#include "ap_mpm.h"
#include "apr_thread_mutex.h"
#ifdef AP_NEED_SET_MUTEX_PERMS
#include "unixd.h"
#endif
#ifdef HAVE_OCSP_STAPLING
/**
* Maxiumum OCSP stapling response size. This should be the response for a
* single certificate and will typically include the responder certificate chain
* so 10K should be more than enough.
*
*/
#define MAX_STAPLING_DER 10240
/* Cached info stored in certificate ex_info. */
typedef struct {
/* Index in session cache SHA1 hash of certificate */
UCHAR idx[20];
/* Certificate ID for OCSP requests or NULL if ID cannot be determined */
OCSP_CERTID *cid;
/* Responder details */
char *uri;
} certinfo;
static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int idx, long argl, void *argp)
{
certinfo *cinf = ptr;
if (!cinf)
return;
if (cinf->uri)
OPENSSL_free(cinf->uri);
OPENSSL_free(cinf);
}
static int stapling_ex_idx = -1;
void ssl_stapling_ex_init(void)
{
if (stapling_ex_idx != -1)
return;
stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
certinfo_free);
}
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
{
X509 *issuer = NULL;
int i;
X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
X509_STORE_CTX inctx;
for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
return issuer;
}
}
if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
return 0;
if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
issuer = NULL;
X509_STORE_CTX_cleanup(&inctx);
return issuer;
}
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
{
certinfo *cinf;
X509 *issuer = NULL;
STACK *aia = NULL;
if (x == NULL)
return 0;
cinf = X509_get_ex_data(x, stapling_ex_idx);
if (cinf) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"ssl_stapling_init_cert: certificate already initialized!");
return 0;
}
cinf = OPENSSL_malloc(sizeof(certinfo));
if (!cinf) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"ssl_stapling_init_cert: error allocating memory!");
return 0;
}
cinf->cid = NULL;
cinf->uri = NULL;
X509_set_ex_data(x, stapling_ex_idx, cinf);
issuer = stapling_get_issuer(mctx, x);
if (issuer == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"ssl_stapling_init_cert: Can't retrieve issuer certificate!");
return 0;
}
cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
X509_free(issuer);
if (!cinf->cid)
return 0;
X509_digest(x, EVP_sha1(), cinf->idx, NULL);
aia = X509_get1_ocsp(x);
if (aia)
cinf->uri = sk_pop(aia);
if (!cinf->uri && !mctx->stapling_force_url) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"ssl_stapling_init_cert: no responder URL");
}
if (aia)
X509_email_free(aia);
return 1;
}
static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
SSL *ssl)
{
certinfo *cinf;
X509 *x;
x = SSL_get_certificate(ssl);
if (x == NULL)
return NULL;
cinf = X509_get_ex_data(x, stapling_ex_idx);
if (cinf && cinf->cid)
return cinf;
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"stapling_get_cert_info: stapling not supported for certificate");
return NULL;
}
/*
* OCSP response caching code. The response is preceded by a flag value
* which indicates whether the response was invalid when it was stored.
* the purpose of this flag is to avoid repeated queries to a server
* which has given an invalid response while allowing a response which
* has subsequently become invalid to be retried immediately.
*
* The key for the cache is the hash of the certificate the response
* is for.
*/
static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx,
OCSP_RESPONSE *rsp, certinfo *cinf,
BOOL ok, apr_pool_t *pool)
{
SSLModConfigRec *mc = myModConfig(s);
unsigned char resp_der[MAX_STAPLING_DER];
unsigned char *p;
int resp_derlen;
BOOL rv;
time_t timeout;
resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL) + 1;
if (resp_derlen <= 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"OCSP stapling response encode error??");
return FALSE;
}
if (resp_derlen > sizeof resp_der) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"OCSP stapling response too big (%u bytes)", resp_derlen);
return FALSE;
}
p = resp_der;
if (ok == TRUE) {
*p++ = 1;
timeout = mctx->stapling_cache_timeout;
} else {
*p++ = 0;
timeout = mctx->stapling_errcache_timeout;
}
timeout += time(NULL);
i2d_OCSP_RESPONSE(rsp, &p);
rv = mc->stapling_cache->store(mc->stapling_cache_context, s,
cinf->idx, sizeof(cinf->idx),
timeout, resp_der, resp_derlen, pool);
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_cache_response: OCSP response session store error!");
return FALSE;
}
return TRUE;
}
static BOOL stapling_get_cached_response(server_rec *s, OCSP_RESPONSE **prsp,
BOOL *pok, certinfo *cinf,
apr_pool_t *pool)
{
SSLModConfigRec *mc = myModConfig(s);
apr_status_t rv;
OCSP_RESPONSE *rsp;
unsigned char resp_der[MAX_STAPLING_DER];
const unsigned char *p;
unsigned int resp_derlen = MAX_STAPLING_DER;
rv = mc->stapling_cache->retrieve(mc->stapling_cache_context, s,
cinf->idx, sizeof(cinf->idx),
resp_der, &resp_derlen, pool);
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_get_cached_response: cache miss");
return TRUE;
}
if (resp_derlen <= 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_get_cached_response: response length invalid??");
return TRUE;
}
p = resp_der;
if (pok) {
if (*p)
*pok = TRUE;
else
*pok = FALSE;
}
p++;
resp_derlen--;
rsp = d2i_OCSP_RESPONSE(NULL, &p, resp_derlen);
if (!rsp) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_get_cached_response: response parse error??");
return TRUE;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_get_cached_response: cache hit");
*prsp = rsp;
return TRUE;
}
static int stapling_set_response(SSL *ssl, OCSP_RESPONSE *rsp)
{
int rspderlen;
unsigned char *rspder = NULL;
rspderlen = i2d_OCSP_RESPONSE(rsp, &rspder);
if (rspderlen <= 0)
return 0;
SSL_set_tlsext_status_ocsp_resp(ssl, rspder, rspderlen);
return 1;
}
static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
certinfo *cinf, OCSP_RESPONSE *rsp,
BOOL *pok)
{
int status, reason;
OCSP_BASICRESP *bs = NULL;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
int response_status = OCSP_response_status(rsp);
if (pok)
*pok = FALSE;
/* Check to see if response is an error. If so we automatically accept
* it because it would have expired from the cache if it was time to
* retry.
*/
if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
if (mctx->stapling_return_errors)
return SSL_TLSEXT_ERR_OK;
else
return SSL_TLSEXT_ERR_NOACK;
}
bs = OCSP_response_get1_basic(rsp);
if (bs == NULL) {
/* If we can't parse response just pass it to client */
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_check_response: Error Parsing Response!");
return SSL_TLSEXT_ERR_OK;
}
if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
&thisupd, &nextupd)) {
/* If ID not present just pass back to client */
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_check_response: certificate ID not present in response!");
} else {
if (OCSP_check_validity(thisupd, nextupd,
mctx->stapling_resptime_skew,
mctx->stapling_resp_maxage)) {
if (pok)
*pok = TRUE;
}
else {
/* If pok is not NULL response was direct from a responder and
* the times should be valide. If pok is NULL the response was
* retrieved from cache and it is expected to subsequently expire
*/
if (pok) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_check_response: response times invalid");
} else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_check_response: cached response expired");
}
OCSP_BASICRESP_free(bs);
return SSL_TLSEXT_ERR_NOACK;
}
}
OCSP_BASICRESP_free(bs);
return SSL_TLSEXT_ERR_OK;
}
static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
certinfo *cinf, OCSP_RESPONSE **prsp,
apr_pool_t *pool)
{
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
apr_pool_t *vpool;
OCSP_REQUEST *req = NULL;
OCSP_CERTID *id = NULL;
STACK_OF(X509_EXTENSION) *exts;
int i;
BOOL ok = FALSE;
BOOL rv = TRUE;
const char *ocspuri;
apr_uri_t uri;
*prsp = NULL;
/* Build up OCSP query from server certificate info */
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_renew_response: querying responder");
req = OCSP_REQUEST_new();
if (!req)
goto err;
id = OCSP_CERTID_dup(cinf->cid);
if (!id)
goto err;
if (!OCSP_request_add0_id(req, id))
goto err;
id = NULL;
/* Add any extensions to the request */
SSL_get_tlsext_status_exts(ssl, &exts);
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
if (!OCSP_REQUEST_add_ext(req, ext, -1))
goto err;
}
if (mctx->stapling_force_url)
ocspuri = mctx->stapling_force_url;
else
ocspuri = cinf->uri;
/* Create a temporary pool to constrain memory use */
apr_pool_create(&vpool, conn->pool);
ok = apr_uri_parse(vpool, ocspuri, &uri);
if (ok != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_renew_response: Error parsing uri %s",
ocspuri);
rv = FALSE;
goto done;
} else if (strcmp(uri.scheme, "http")) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_renew_response: Unsupported uri %s", ocspuri);
rv = FALSE;
goto done;
}
*prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout,
req, conn, vpool);
apr_pool_destroy(vpool);
if (!*prsp) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_renew_response: responder error");
if (mctx->stapling_fake_trylater) {
*prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
}
else {
goto done;
}
} else {
int response_status = OCSP_response_status(*prsp);
if (response_status == OCSP_RESPONSE_STATUS_SUCCESSFUL) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_renew_response: query response received");
stapling_check_response(s, mctx, cinf, *prsp, &ok);
if (ok == FALSE) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_renew_response: error in retreived response!");
}
} else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_renew_response: responder error %s",
OCSP_response_status_str(response_status));
}
}
if (stapling_cache_response(s, mctx, *prsp, cinf, ok, pool) == FALSE) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_renew_response: error caching response!");
}
done:
if (id)
OCSP_CERTID_free(id);
if (req)
OCSP_REQUEST_free(req);
return rv;
err:
rv = FALSE;
goto done;
}
/*
* SSLStaplingMutex operations. Similar to SSL mutex except a mutex is
* mandatory if stapling is enabled.
*/
int ssl_stapling_mutex_init(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc = mySrvConfig(s);
apr_status_t rv;
if (mc->stapling_mutex || sc->server->stapling_enabled != TRUE) {
return TRUE;
}
if (mc->stapling_mutex_mode == SSL_MUTEXMODE_NONE
|| mc->stapling_mutex_mode == SSL_MUTEXMODE_UNSET) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"An SSLStaplingMutex is required for OCSP Stapling");
return FALSE;
}
if ((rv = apr_global_mutex_create(&mc->stapling_mutex,
mc->stapling_mutex_file,
mc->stapling_mutex_mech, s->process->pool))
!= APR_SUCCESS) {
if (mc->stapling_mutex_file)
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
"Cannot create SSLStaplingMutex with file `%s'",
mc->stapling_mutex_file);
else
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
"Cannot create SSLStaplingMutex");
return FALSE;
}
#ifdef AP_NEED_SET_MUTEX_PERMS
rv = ap_unixd_set_global_mutex_perms(mc->stapling_mutex);
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
"Could not set permissions on ssl_mutex; check User "
"and Group directives");
return FALSE;
}
#endif
return TRUE;
}
int ssl_stapling_mutex_reinit(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
apr_status_t rv;
if (mc->stapling_mutex == NULL) {
return TRUE;
}
if ((rv = apr_global_mutex_child_init(&mc->stapling_mutex,
mc->stapling_mutex_file, p)) != APR_SUCCESS) {
if (mc->stapling_mutex_file) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
"Cannot reinit SSLMutex with file `%s'",
mc->szMutexFile);
}
else {
ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
"Cannot reinit SSLMutex");
}
return FALSE;
}
return TRUE;
}
static int stapling_mutex_on(server_rec *s)
{
SSLModConfigRec *mc = myModConfig(s);
apr_status_t rv;
if ((rv = apr_global_mutex_lock(mc->stapling_mutex)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
"Failed to acquire OCSP stapling lock");
return FALSE;
}
return TRUE;
}
static int stapling_mutex_off(server_rec *s)
{
SSLModConfigRec *mc = myModConfig(s);
apr_status_t rv;
if ((rv = apr_global_mutex_unlock(mc->stapling_mutex)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
"Failed to release OCSP stapling lock");
return FALSE;
}
return TRUE;
}
/* Certificate Status callback. This is called when a client includes a
* certificate status request extension.
*
* Check for cached responses in session cache. If valid send back to
* client. If absent or no longer valid query responder and update
* cache. */
static int stapling_cb(SSL *ssl, void *arg)
{
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = conn->base_server;
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLConnRec *sslconn = myConnConfig(conn);
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
certinfo *cinf = NULL;
OCSP_RESPONSE *rsp = NULL;
int rv;
BOOL ok;
if (sc->server->stapling_enabled != TRUE) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_cb: OCSP Stapling disabled");
return SSL_TLSEXT_ERR_NOACK;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_cb: OCSP Stapling callback called");
cinf = stapling_get_cert_info(s, mctx, ssl);
if (cinf == NULL) {
return SSL_TLSEXT_ERR_NOACK;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_cb: retrieved cached certificate data");
/* Check to see if we already have a response for this certificate */
stapling_mutex_on(s);
rv = stapling_get_cached_response(s, &rsp, &ok, cinf, conn->pool);
if (rv == FALSE) {
stapling_mutex_off(s);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
if (rsp) {
/* see if response is acceptable */
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_cb: retrieved cached response");
rv = stapling_check_response(s, mctx, cinf, rsp, NULL);
if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
OCSP_RESPONSE_free(rsp);
stapling_mutex_off(s);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
else if (rv == SSL_TLSEXT_ERR_NOACK) {
/* Error in response. If this error was not present when it was
* stored (i.e. response no longer valid) then it can be
* renewed straight away.
*
* If the error *was* present at the time it was stored then we
* don't renew the response straight away we just wait for the
* cached response to expire.
*/
if (ok) {
OCSP_RESPONSE_free(rsp);
rsp = NULL;
}
else if (!mctx->stapling_return_errors) {
OCSP_RESPONSE_free(rsp);
stapling_mutex_off(s);
return SSL_TLSEXT_ERR_NOACK;
}
}
}
if (rsp == NULL) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_cb: renewing cached response");
rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, conn->pool);
if (rv == FALSE) {
stapling_mutex_off(s);
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"stapling_cb: fatal error");
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
}
stapling_mutex_off(s);
if (rsp) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_cb: setting response");
if (!stapling_set_response(ssl, rsp))
return SSL_TLSEXT_ERR_ALERT_FATAL;
return SSL_TLSEXT_ERR_OK;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"stapling_cb: no response available");
return SSL_TLSEXT_ERR_NOACK;
}
void modssl_init_stapling(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
modssl_ctx_t *mctx)
{
SSL_CTX *ctx = mctx->ssl_ctx;
SSLModConfigRec *mc = myModConfig(s);
if (mc->stapling_cache == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"SSLStapling: no stapling cache available");
ssl_die();
}
/* Set some default values for parameters if they are not set */
if (mctx->stapling_resptime_skew == UNSET) {
mctx->stapling_resptime_skew = 60 * 5;
}
if (mctx->stapling_cache_timeout == UNSET) {
mctx->stapling_cache_timeout = 3600;
}
if (mctx->stapling_return_errors == UNSET) {
mctx->stapling_return_errors = TRUE;
}
if (mctx->stapling_fake_trylater == UNSET) {
mctx->stapling_fake_trylater = TRUE;
}
if (mctx->stapling_errcache_timeout == UNSET) {
mctx->stapling_errcache_timeout = 600;
}
if (mctx->stapling_responder_timeout == UNSET) {
mctx->stapling_responder_timeout = 10 * APR_USEC_PER_SEC;
}
SSL_CTX_set_tlsext_status_cb(ctx, stapling_cb);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "OCSP stapling initialized");
}
#endif