/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.
*/
/** * Maximum OCSP stapling response size. This should be the response for a * single certificate and will typically include the responder certificate chain * so 10K should be more than enough. *
*/
#define MAX_STAPLING_DER 10240
/* Cached info stored in the global stapling_certinfo hash. */ typedefstruct { /* Index in session cache (SHA-1 digest of DER encoded certificate) */
UCHAR idx[SHA_DIGEST_LENGTH]; /* Certificate ID for OCSP request */
OCSP_CERTID *cid; /* URI of the OCSP responder */ char *uri;
} certinfo;
if (!(issuer = stapling_get_issuer(mctx, x))) { /* In Apache pre 2.4.40, we use to come here only when mod_ssl stapling * was enabled. With the new hooks, we give other modules the chance * to provide stapling status. However, we do not want to log ssl errors
* where we did not do so in the past. */ if (mctx->stapling_enabled == TRUE) {
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217) "ssl_stapling_init_cert: can't retrieve issuer " "certificate!"); return 0;
} return 1;
}
if (ap_ssl_ocsp_prime(s, p, (constchar*)idx, sizeof(idx), pem) == APR_SUCCESS
|| ssl_run_init_stapling_status(s, p, x, issuer) == OK) { /* Someone's taken over or mod_ssl's own implementation is not enabled */ if (mctx->stapling_enabled != TRUE) {
SSL_CTX_set_tlsext_status_cb(mctx->ssl_ctx, stapling_cb);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10177) "OCSP stapling added via hook");
} goto cleanup;
}
if (mctx->stapling_enabled != TRUE) { /* mod_ssl's own implementation is not enabled */ goto cleanup;
}
cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); if (cinf) { /* * We already parsed the certificate, and no OCSP URI was found. * The certificate might be used for multiple vhosts, though, * so we check for a ForceURL for this vhost.
*/ if (!cinf->uri && !mctx->stapling_force_url) {
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI " "in certificate and no SSLStaplingForceURL " "configured for server %s", mctx->sc->vhost_id);
rv = 0;
} goto cleanup;
}
aia = X509_get1_ocsp(x); if (!aia && !mctx->stapling_force_url) {
OCSP_CERTID_free(cid);
ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI " "in certificate and no SSLStaplingForceURL set");
rv = 0; goto cleanup;
}
/* At this point, we have determined that there's something to store */
cinf = apr_pcalloc(p, sizeof(certinfo));
memcpy (cinf->idx, idx, sizeof(idx));
cinf->cid = cid; /* make sure cid is also freed at pool cleanup */
apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free,
apr_pool_cleanup_null); if (aia) { /* allocate uri from the pconf pool */
cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
X509_email_free(aia);
}
ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x, "ssl_stapling_init_cert: storing certinfo for server %s",
mctx->sc->vhost_id);
/* * OCSP response caching code. The response is preceded by a flag value * which indicates whether the response was invalid when it was stored. * the purpose of this flag is to avoid repeated queries to a server * which has given an invalid response while allowing a response which * has subsequently become invalid to be retried immediately. * * The key for the cache is the hash of the certificate the response * is for.
*/ staticBOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx,
OCSP_RESPONSE *rsp, certinfo *cinf, BOOL ok, apr_pool_t *pool)
{
SSLModConfigRec *mc = myModConfig(s); unsignedchar resp_der[MAX_STAPLING_DER]; /* includes one-byte flag + response */ unsignedchar *p; int resp_derlen, stored_len; BOOL rv;
apr_time_t expiry;
staticint stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
certinfo *cinf, OCSP_RESPONSE *rsp, BOOL *pok)
{ int status = V_OCSP_CERTSTATUS_UNKNOWN; int reason = OCSP_REVOKED_STATUS_NOSTATUS;
OCSP_BASICRESP *bs = NULL;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; int response_status = OCSP_response_status(rsp); int rv = SSL_TLSEXT_ERR_OK;
if (pok)
*pok = FALSE; /* Check to see if response is an error. If so we automatically accept * it because it would have expired from the cache if it was time to * retry.
*/ if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { if (mctx->stapling_return_errors) return SSL_TLSEXT_ERR_OK; else return SSL_TLSEXT_ERR_NOACK;
}
bs = OCSP_response_get1_basic(rsp); if (bs == NULL) { /* If we can't parse response just pass it to client */
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934) "stapling_check_response: Error Parsing Response!"); return SSL_TLSEXT_ERR_OK;
}
if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
&thisupd, &nextupd)) { /* If ID not present pass back to client (if configured so) */
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01935) "stapling_check_response: certificate ID not present in response!"); if (mctx->stapling_return_errors == FALSE)
rv = SSL_TLSEXT_ERR_NOACK;
} else { if (OCSP_check_validity(thisupd, nextupd,
mctx->stapling_resptime_skew,
mctx->stapling_resp_maxage)) { if (pok)
*pok = TRUE;
} else { /* If pok is not NULL response was direct from a responder and * the times should be valide. If pok is NULL the response was * retrieved from cache and it is expected to subsequently expire
*/ if (pok) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01936) "stapling_check_response: response times invalid");
} else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01937) "stapling_check_response: cached response expired");
}
rv = SSL_TLSEXT_ERR_NOACK;
}
if (status != V_OCSP_CERTSTATUS_GOOD && pok) { char snum[MAX_STRING_LEN] = { '\0' };
BIO *bio = BIO_new(BIO_s_mem());
*prsp = NULL; /* Build up OCSP query from server certificate info */
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01938) "stapling_renew_response: querying responder");
req = OCSP_REQUEST_new(); if (!req) goto err;
id = OCSP_CERTID_dup(cinf->cid); if (!id) goto err; if (!OCSP_request_add0_id(req, id)) goto err;
id = NULL; /* Add any extensions to the request */
SSL_get_tlsext_status_exts(ssl, &exts); for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); if (!OCSP_REQUEST_add_ext(req, ext, -1)) goto err;
}
if (mctx->stapling_force_url)
ocspuri = mctx->stapling_force_url; else
ocspuri = cinf->uri;
if (!ocspuri) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621) "stapling_renew_response: no uri for responder");
rv = FALSE; goto done;
}
/* Create a temporary pool to constrain memory use */
apr_pool_create(&vpool, conn->pool);
apr_pool_tag(vpool, "modssl_stapling_renew");
staticint get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx,
OCSP_RESPONSE **rsp, BOOL *pok,
certinfo *cinf, apr_pool_t *p)
{ BOOL ok = FALSE; int rv;
AP_DEBUG_ASSERT(*rsp == NULL);
/* Check to see if we already have a response for this certificate */
stapling_get_cached_response(s, rsp, &ok, cinf, p);
if (*rsp) { /* see if response is acceptable */
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953) "stapling_cb: retrieved cached response");
rv = stapling_check_response(s, mctx, cinf, *rsp, NULL); if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
OCSP_RESPONSE_free(*rsp);
*rsp = NULL; return SSL_TLSEXT_ERR_ALERT_FATAL;
} elseif (rv == SSL_TLSEXT_ERR_NOACK) { /* Error in response. If this error was not present when it was * stored (i.e. response no longer valid) then it can be * renewed straight away. * * If the error *was* present at the time it was stored then we * don't renew the response straight away; we just wait for the * cached response to expire.
*/ if (ok) {
OCSP_RESPONSE_free(*rsp);
*rsp = NULL;
} elseif (!mctx->stapling_return_errors) {
OCSP_RESPONSE_free(*rsp);
*rsp = NULL;
*pok = FALSE; return SSL_TLSEXT_ERR_NOACK;
}
}
} return 0;
}
/* Certificate Status callback. This is called when a client includes a * certificate status request extension. * * Check for cached responses in session cache. If valid send back to * client. If absent or no longer valid, query responder and update * cache.
*/ staticint stapling_cb(SSL *ssl, void *arg)
{
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(conn);
SSLSrvConfigRec *sc = mySrvConfig(s);
modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
UCHAR idx[SHA_DIGEST_LENGTH];
ocsp_resp resp;
certinfo *cinf = NULL;
OCSP_RESPONSE *rsp = NULL; int rv; BOOL ok = TRUE;
X509 *x; int rspderlen, provided = 0;
if (provided) { /* a hook handles stapling for this certificate and determines the response */ if (resp.data == NULL || resp.len == 0) { return SSL_TLSEXT_ERR_NOACK;
}
SSL_set_tlsext_status_ocsp_resp(ssl, resp.data, (int)resp.len); return SSL_TLSEXT_ERR_OK;
}
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
