#include "ap_mpm.h"
#include "apr_thread_mutex.h"
-#ifdef AP_NEED_SET_MUTEX_PERMS
-#include "unixd.h"
-#endif
-
#ifdef HAVE_OCSP_STAPLING
+static int stapling_cache_mutex_on(server_rec *s);
+static int stapling_cache_mutex_off(server_rec *s);
+
/**
* Maxiumum OCSP stapling response size. This should be the response for a
* single certificate and will typically include the responder certificate chain
#define MAX_STAPLING_DER 10240
-/* Cached info stored in certificate ex_info. */
+/* Cached info stored in the global stapling_certinfo hash. */
typedef struct {
- /* Index in session cache SHA1 hash of certificate */
- UCHAR idx[20];
- /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
+ /* Index in session cache (SHA-1 digest of DER encoded certificate) */
+ UCHAR idx[SHA_DIGEST_LENGTH];
+ /* Certificate ID for OCSP request */
OCSP_CERTID *cid;
- /* Responder details */
+ /* URI of the OCSP responder */
char *uri;
} certinfo;
-static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp)
+static apr_status_t ssl_stapling_certid_free(void *data)
{
- certinfo *cinf = ptr;
+ OCSP_CERTID *cid = data;
- if (!cinf)
- return;
- if (cinf->uri)
- OPENSSL_free(cinf->uri);
- OPENSSL_free(cinf);
+ if (cid) {
+ OCSP_CERTID_free(cid);
+ }
+
+ return APR_SUCCESS;
}
-static int stapling_ex_idx = -1;
+static apr_hash_t *stapling_certinfo;
-void ssl_stapling_ex_init(void)
+void ssl_stapling_certinfo_hash_init(apr_pool_t *p)
{
- if (stapling_ex_idx != -1)
- return;
- stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
- certinfo_free);
+ stapling_certinfo = apr_hash_make(p);
}
static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
X509 *issuer = NULL;
int i;
X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
- X509_STORE_CTX inctx;
+ X509_STORE_CTX *inctx;
+ STACK_OF(X509) *extra_certs = NULL;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
- for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
- issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
+ for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+#else
+ X509_up_ref(issuer);
+#endif
return issuer;
}
}
- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
+ inctx = X509_STORE_CTX_new();
+ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
return 0;
- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
issuer = NULL;
- X509_STORE_CTX_cleanup(&inctx);
+ X509_STORE_CTX_cleanup(inctx);
+ X509_STORE_CTX_free(inctx);
return issuer;
-
}
-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
+int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
+ modssl_ctx_t *mctx, X509 *x)
{
- certinfo *cinf;
+ UCHAR idx[SHA_DIGEST_LENGTH];
+ certinfo *cinf = NULL;
X509 *issuer = NULL;
- STACK_OF(STRING) *aia = NULL;
+ OCSP_CERTID *cid = NULL;
+ STACK_OF(OPENSSL_STRING) *aia = NULL;
- if (x == NULL)
+ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
return 0;
- cinf = X509_get_ex_data(x, stapling_ex_idx);
+
+ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
if (cinf) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "ssl_stapling_init_cert: certificate already initialized!");
- return 0;
- }
- cinf = OPENSSL_malloc(sizeof(certinfo));
- if (!cinf) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "ssl_stapling_init_cert: error allocating memory!");
- return 0;
+ /*
+ * We already parsed the certificate, and no OCSP URI was found.
+ * The certificate might be used for multiple vhosts, though,
+ * so we check for a ForceURL for this vhost.
+ */
+ if (!cinf->uri && !mctx->stapling_force_url) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
+ APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "
+ "in certificate and no SSLStaplingForceURL "
+ "configured for server %s", mctx->sc->vhost_id);
+ return 0;
+ }
+ return 1;
}
- cinf->cid = NULL;
- cinf->uri = NULL;
- X509_set_ex_data(x, stapling_ex_idx, cinf);
-
- issuer = stapling_get_issuer(mctx, x);
- if (issuer == NULL) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "ssl_stapling_init_cert: Can't retrieve issuer certificate!");
+ if (!(issuer = stapling_get_issuer(mctx, x))) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217)
+ "ssl_stapling_init_cert: can't retrieve issuer "
+ "certificate!");
return 0;
}
- cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
+ cid = OCSP_cert_to_id(NULL, x, issuer);
X509_free(issuer);
- if (!cinf->cid)
+ if (!cid) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)
+ "ssl_stapling_init_cert: can't create CertID "
+ "for OCSP request");
return 0;
- X509_digest(x, EVP_sha1(), cinf->idx, NULL);
+ }
aia = X509_get1_ocsp(x);
- if (aia)
- cinf->uri = sk_STRING_pop(aia);
- if (!cinf->uri && !mctx->stapling_force_url) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "ssl_stapling_init_cert: no responder URL");
- }
- if (aia)
- X509_email_free(aia);
+ if (!aia && !mctx->stapling_force_url) {
+ OCSP_CERTID_free(cid);
+ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
+ APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
+ "in certificate and no SSLStaplingForceURL set");
+ return 0;
+ }
+
+ /* At this point, we have determined that there's something to store */
+ cinf = apr_pcalloc(p, sizeof(certinfo));
+ memcpy (cinf->idx, idx, sizeof(idx));
+ cinf->cid = cid;
+ /* make sure cid is also freed at pool cleanup */
+ apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free,
+ apr_pool_cleanup_null);
+ if (aia) {
+ /* allocate uri from the pconf pool */
+ cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
+ X509_email_free(aia);
+ }
+
+ ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x,
+ "ssl_stapling_init_cert: storing certinfo for server %s",
+ mctx->sc->vhost_id);
+
+ apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
+
return 1;
}
-static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
+static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx,
SSL *ssl)
{
certinfo *cinf;
X509 *x;
+ UCHAR idx[SHA_DIGEST_LENGTH];
x = SSL_get_certificate(ssl);
- if (x == NULL)
+ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
return NULL;
- cinf = X509_get_ex_data(x, stapling_ex_idx);
+ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
if (cinf && cinf->cid)
return cinf;
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "stapling_get_cert_info: stapling not supported for certificate");
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
+ "stapling_get_certinfo: stapling not supported for certificate");
return NULL;
}
BOOL ok, apr_pool_t *pool)
{
SSLModConfigRec *mc = myModConfig(s);
- unsigned char resp_der[MAX_STAPLING_DER];
+ unsigned char resp_der[MAX_STAPLING_DER]; /* includes one-byte flag + response */
unsigned char *p;
- int resp_derlen;
+ int resp_derlen, stored_len;
BOOL rv;
- time_t timeout;
+ apr_time_t expiry;
- resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL) + 1;
+ resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL);
if (resp_derlen <= 0) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01927)
"OCSP stapling response encode error??");
return FALSE;
}
- if (resp_derlen > sizeof resp_der) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ stored_len = resp_derlen + 1; /* response + ok flag */
+ if (stored_len > sizeof resp_der) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01928)
"OCSP stapling response too big (%u bytes)", resp_derlen);
return FALSE;
}
-
p = resp_der;
+ /* TODO: potential optimization; _timeout members as apr_interval_time_t */
if (ok == TRUE) {
*p++ = 1;
- timeout = mctx->stapling_cache_timeout;
- }
+ expiry = apr_time_from_sec(mctx->stapling_cache_timeout);
+ }
else {
*p++ = 0;
- timeout = mctx->stapling_errcache_timeout;
+ expiry = apr_time_from_sec(mctx->stapling_errcache_timeout);
}
- timeout += apr_time_sec(apr_time_now());
+ expiry += apr_time_now();
i2d_OCSP_RESPONSE(rsp, &p);
+ if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+ stapling_cache_mutex_on(s);
rv = mc->stapling_cache->store(mc->stapling_cache_context, s,
cinf->idx, sizeof(cinf->idx),
- timeout, resp_der, resp_derlen, pool);
+ expiry, resp_der, stored_len, pool);
+ if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+ stapling_cache_mutex_off(s);
if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01929)
"stapling_cache_response: OCSP response session store error!");
return FALSE;
}
return TRUE;
}
-static BOOL stapling_get_cached_response(server_rec *s, OCSP_RESPONSE **prsp,
+static void stapling_get_cached_response(server_rec *s, OCSP_RESPONSE **prsp,
BOOL *pok, certinfo *cinf,
apr_pool_t *pool)
{
const unsigned char *p;
unsigned int resp_derlen = MAX_STAPLING_DER;
+ if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+ stapling_cache_mutex_on(s);
rv = mc->stapling_cache->retrieve(mc->stapling_cache_context, s,
cinf->idx, sizeof(cinf->idx),
resp_der, &resp_derlen, pool);
+ if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+ stapling_cache_mutex_off(s);
if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01930)
"stapling_get_cached_response: cache miss");
- return TRUE;
+ return;
}
if (resp_derlen <= 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ /* should-not-occur; must have at least valid-when-stored flag +
+ * OCSPResponseStatus
+ */
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01931)
"stapling_get_cached_response: response length invalid??");
- return TRUE;
+ return;
}
p = resp_der;
- if (pok) {
- if (*p)
- *pok = TRUE;
- else
- *pok = FALSE;
- }
+ if (*p) /* valid when stored */
+ *pok = TRUE;
+ else
+ *pok = FALSE;
p++;
resp_derlen--;
rsp = d2i_OCSP_RESPONSE(NULL, &p, resp_derlen);
if (!rsp) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01932)
"stapling_get_cached_response: response parse error??");
- return TRUE;
+ return;
}
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01933)
"stapling_get_cached_response: cache hit");
*prsp = rsp;
-
- return TRUE;
}
static int stapling_set_response(SSL *ssl, OCSP_RESPONSE *rsp)
certinfo *cinf, OCSP_RESPONSE *rsp,
BOOL *pok)
{
- int status, reason;
+ int status = V_OCSP_CERTSTATUS_UNKNOWN;
+ int reason = OCSP_REVOKED_STATUS_NOSTATUS;
OCSP_BASICRESP *bs = NULL;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
int response_status = OCSP_response_status(rsp);
+ int rv = SSL_TLSEXT_ERR_OK;
if (pok)
*pok = FALSE;
bs = OCSP_response_get1_basic(rsp);
if (bs == NULL) {
/* If we can't parse response just pass it to client */
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934)
"stapling_check_response: Error Parsing Response!");
return SSL_TLSEXT_ERR_OK;
}
if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
&thisupd, &nextupd)) {
- /* If ID not present just pass back to client */
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ /* If ID not present pass back to client (if configured so) */
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01935)
"stapling_check_response: certificate ID not present in response!");
- }
+ if (mctx->stapling_return_errors == FALSE)
+ rv = SSL_TLSEXT_ERR_NOACK;
+ }
else {
if (OCSP_check_validity(thisupd, nextupd,
mctx->stapling_resptime_skew,
* retrieved from cache and it is expected to subsequently expire
*/
if (pok) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01936)
"stapling_check_response: response times invalid");
- }
+ }
else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01937)
"stapling_check_response: cached response expired");
}
- OCSP_BASICRESP_free(bs);
- return SSL_TLSEXT_ERR_NOACK;
+ rv = SSL_TLSEXT_ERR_NOACK;
+ }
+
+ if (status != V_OCSP_CERTSTATUS_GOOD) {
+ char snum[MAX_STRING_LEN] = { '\0' };
+ BIO *bio = BIO_new(BIO_s_mem());
+
+ if (bio) {
+ int n;
+ ASN1_INTEGER *pserial;
+ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
+ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
+ ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
+ snum[n] = '\0';
+ BIO_free(bio);
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02969)
+ "stapling_check_response: response has certificate "
+ "status %s (reason: %s) for serial number %s",
+ OCSP_cert_status_str(status),
+ (reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
+ OCSP_crl_reason_str(reason) : "n/a",
+ snum[0] ? snum : "[n/a]");
+
+ if (mctx->stapling_return_errors == FALSE) {
+ if (pok)
+ *pok = FALSE;
+ rv = SSL_TLSEXT_ERR_NOACK;
+ }
}
}
OCSP_BASICRESP_free(bs);
- return SSL_TLSEXT_ERR_OK;
+ return rv;
}
static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
certinfo *cinf, OCSP_RESPONSE **prsp,
- apr_pool_t *pool)
+ BOOL *pok, apr_pool_t *pool)
{
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
apr_pool_t *vpool;
OCSP_CERTID *id = NULL;
STACK_OF(X509_EXTENSION) *exts;
int i;
- BOOL ok = FALSE;
BOOL rv = TRUE;
const char *ocspuri;
apr_uri_t uri;
*prsp = NULL;
/* Build up OCSP query from server certificate info */
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01938)
"stapling_renew_response: querying responder");
req = OCSP_REQUEST_new();
else
ocspuri = cinf->uri;
+ if (!ocspuri) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
+ "stapling_renew_response: no uri for responder");
+ rv = FALSE;
+ goto done;
+ }
+
/* Create a temporary pool to constrain memory use */
apr_pool_create(&vpool, conn->pool);
- ok = apr_uri_parse(vpool, ocspuri, &uri);
- if (ok != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ if (apr_uri_parse(vpool, ocspuri, &uri) != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01939)
"stapling_renew_response: Error parsing uri %s",
ocspuri);
rv = FALSE;
goto done;
- }
+ }
else if (strcmp(uri.scheme, "http")) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01940)
"stapling_renew_response: Unsupported uri %s", ocspuri);
rv = FALSE;
goto done;
}
+ if (!uri.port) {
+ uri.port = apr_uri_port_of_scheme(uri.scheme);
+ }
+
*prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout,
req, conn, vpool);
apr_pool_destroy(vpool);
if (!*prsp) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01941)
"stapling_renew_response: responder error");
if (mctx->stapling_fake_trylater) {
*prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
+ *pok = FALSE;
}
else {
goto done;
}
- }
+ }
else {
int response_status = OCSP_response_status(*prsp);
if (response_status == OCSP_RESPONSE_STATUS_SUCCESSFUL) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01942)
"stapling_renew_response: query response received");
- stapling_check_response(s, mctx, cinf, *prsp, &ok);
- if (ok == FALSE) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "stapling_renew_response: error in retreived response!");
+ stapling_check_response(s, mctx, cinf, *prsp, pok);
+ if (*pok == FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01943)
+ "stapling_renew_response: error in retrieved response!");
}
- }
+ }
else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01944)
"stapling_renew_response: responder error %s",
OCSP_response_status_str(response_status));
+ *pok = FALSE;
}
}
- if (stapling_cache_response(s, mctx, *prsp, cinf, ok, pool) == FALSE) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ if (stapling_cache_response(s, mctx, *prsp, cinf, *pok, pool) == FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01945)
"stapling_renew_response: error caching response!");
}
}
/*
- * SSLStaplingMutex operations. Similar to SSL mutex except a mutex is
+ * SSL stapling mutex operations. Similar to SSL mutex except mutexes are
* mandatory if stapling is enabled.
*/
-int ssl_stapling_mutex_init(server_rec *s, apr_pool_t *p)
+static int ssl_stapling_mutex_init(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc = mySrvConfig(s);
apr_status_t rv;
- if (mc->stapling_mutex || sc->server->stapling_enabled != TRUE) {
+ /* already init or stapling not enabled? */
+ if (mc->stapling_refresh_mutex || sc->server->stapling_enabled != TRUE) {
return TRUE;
}
- if (mc->stapling_mutex_mode == SSL_MUTEXMODE_NONE
- || mc->stapling_mutex_mode == SSL_MUTEXMODE_UNSET) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "An SSLStaplingMutex is required for OCSP Stapling");
- return FALSE;
+
+ /* need a cache mutex? */
+ if (mc->stapling_cache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
+ if ((rv = ap_global_mutex_create(&mc->stapling_cache_mutex, NULL,
+ SSL_STAPLING_CACHE_MUTEX_TYPE, NULL, s,
+ s->process->pool, 0)) != APR_SUCCESS) {
+ return FALSE;
+ }
}
- if ((rv = apr_global_mutex_create(&mc->stapling_mutex,
- mc->stapling_mutex_file,
- mc->stapling_mutex_mech, s->process->pool))
- != APR_SUCCESS) {
- if (mc->stapling_mutex_file)
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Cannot create SSLStaplingMutex with file `%s'",
- mc->stapling_mutex_file);
- else
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Cannot create SSLStaplingMutex");
+ /* always need stapling_refresh_mutex */
+ if ((rv = ap_global_mutex_create(&mc->stapling_refresh_mutex, NULL,
+ SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL, s,
+ s->process->pool, 0)) != APR_SUCCESS) {
return FALSE;
}
-#ifdef AP_NEED_SET_MUTEX_PERMS
- rv = ap_unixd_set_global_mutex_perms(mc->stapling_mutex);
- if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Could not set permissions on ssl_mutex; check User "
- "and Group directives");
+ return TRUE;
+}
+
+static int stapling_mutex_reinit_helper(server_rec *s, apr_pool_t *p,
+ apr_global_mutex_t **mutex,
+ const char *type)
+{
+ apr_status_t rv;
+ const char *lockfile;
+
+ lockfile = apr_global_mutex_lockfile(*mutex);
+ if ((rv = apr_global_mutex_child_init(mutex,
+ lockfile, p)) != APR_SUCCESS) {
+ if (lockfile) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(01946)
+ "Cannot reinit %s mutex with file `%s'",
+ type, lockfile);
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01947)
+ "Cannot reinit %s mutex", type);
+ }
return FALSE;
}
-#endif
return TRUE;
}
int ssl_stapling_mutex_reinit(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
- apr_status_t rv;
- if (mc->stapling_mutex == NULL) {
- return TRUE;
+ if (mc->stapling_cache_mutex != NULL
+ && stapling_mutex_reinit_helper(s, p, &mc->stapling_cache_mutex,
+ SSL_STAPLING_CACHE_MUTEX_TYPE) == FALSE) {
+ return FALSE;
}
- if ((rv = apr_global_mutex_child_init(&mc->stapling_mutex,
- mc->stapling_mutex_file, p)) != APR_SUCCESS) {
- if (mc->stapling_mutex_file) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Cannot reinit SSLMutex with file `%s'",
- mc->szMutexFile);
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
- "Cannot reinit SSLMutex");
- }
+ if (mc->stapling_refresh_mutex != NULL
+ && stapling_mutex_reinit_helper(s, p, &mc->stapling_refresh_mutex,
+ SSL_STAPLING_REFRESH_MUTEX_TYPE) == FALSE) {
return FALSE;
}
+
return TRUE;
}
-static int stapling_mutex_on(server_rec *s)
+static int stapling_mutex_on(server_rec *s, apr_global_mutex_t *mutex,
+ const char *name)
{
- SSLModConfigRec *mc = myModConfig(s);
apr_status_t rv;
- if ((rv = apr_global_mutex_lock(mc->stapling_mutex)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
- "Failed to acquire OCSP stapling lock");
+ if ((rv = apr_global_mutex_lock(mutex)) != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01948)
+ "Failed to acquire OCSP %s lock", name);
return FALSE;
}
return TRUE;
}
-static int stapling_mutex_off(server_rec *s)
+static int stapling_mutex_off(server_rec *s, apr_global_mutex_t *mutex,
+ const char *name)
{
- SSLModConfigRec *mc = myModConfig(s);
apr_status_t rv;
- if ((rv = apr_global_mutex_unlock(mc->stapling_mutex)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
- "Failed to release OCSP stapling lock");
+ if ((rv = apr_global_mutex_unlock(mutex)) != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(01949)
+ "Failed to release OCSP %s lock", name);
return FALSE;
}
return TRUE;
}
+static int stapling_cache_mutex_on(server_rec *s)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+
+ return stapling_mutex_on(s, mc->stapling_cache_mutex,
+ SSL_STAPLING_CACHE_MUTEX_TYPE);
+}
+
+static int stapling_cache_mutex_off(server_rec *s)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+
+ return stapling_mutex_off(s, mc->stapling_cache_mutex,
+ SSL_STAPLING_CACHE_MUTEX_TYPE);
+}
+
+static int stapling_refresh_mutex_on(server_rec *s)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+
+ return stapling_mutex_on(s, mc->stapling_refresh_mutex,
+ SSL_STAPLING_REFRESH_MUTEX_TYPE);
+}
+
+static int stapling_refresh_mutex_off(server_rec *s)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+
+ return stapling_mutex_off(s, mc->stapling_refresh_mutex,
+ SSL_STAPLING_REFRESH_MUTEX_TYPE);
+}
+
+static int get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx,
+ OCSP_RESPONSE **rsp, BOOL *pok,
+ certinfo *cinf, apr_pool_t *p)
+{
+ BOOL ok = FALSE;
+ int rv;
+
+ AP_DEBUG_ASSERT(*rsp == NULL);
+
+ /* Check to see if we already have a response for this certificate */
+ stapling_get_cached_response(s, rsp, &ok, cinf, p);
+
+ if (*rsp) {
+ /* see if response is acceptable */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953)
+ "stapling_cb: retrieved cached response");
+ rv = stapling_check_response(s, mctx, cinf, *rsp, NULL);
+ if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
+ OCSP_RESPONSE_free(*rsp);
+ *rsp = NULL;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ else if (rv == SSL_TLSEXT_ERR_NOACK) {
+ /* Error in response. If this error was not present when it was
+ * stored (i.e. response no longer valid) then it can be
+ * renewed straight away.
+ *
+ * If the error *was* present at the time it was stored then we
+ * don't renew the response straight away; we just wait for the
+ * cached response to expire.
+ */
+ if (ok) {
+ OCSP_RESPONSE_free(*rsp);
+ *rsp = NULL;
+ }
+ else if (!mctx->stapling_return_errors) {
+ OCSP_RESPONSE_free(*rsp);
+ *rsp = NULL;
+ *pok = FALSE;
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+ }
+ }
+ return 0;
+}
+
/* Certificate Status callback. This is called when a client includes a
* certificate status request extension.
*
* Check for cached responses in session cache. If valid send back to
- * client. If absent or no longer valid query responder and update
- * cache. */
+ * client. If absent or no longer valid, query responder and update
+ * cache.
+ */
static int stapling_cb(SSL *ssl, void *arg)
{
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
certinfo *cinf = NULL;
OCSP_RESPONSE *rsp = NULL;
int rv;
- BOOL ok;
+ BOOL ok = TRUE;
if (sc->server->stapling_enabled != TRUE) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01950)
"stapling_cb: OCSP Stapling disabled");
return SSL_TLSEXT_ERR_NOACK;
}
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)
"stapling_cb: OCSP Stapling callback called");
- cinf = stapling_get_cert_info(s, mctx, ssl);
+ cinf = stapling_get_certinfo(s, mctx, ssl);
if (cinf == NULL) {
return SSL_TLSEXT_ERR_NOACK;
}
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01952)
"stapling_cb: retrieved cached certificate data");
- /* Check to see if we already have a response for this certificate */
- stapling_mutex_on(s);
-
- rv = stapling_get_cached_response(s, &rsp, &ok, cinf, conn->pool);
- if (rv == FALSE) {
- stapling_mutex_off(s);
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+ rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf, conn->pool);
+ if (rv != 0) {
+ return rv;
}
- if (rsp) {
- /* see if response is acceptable */
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "stapling_cb: retrieved cached response");
- rv = stapling_check_response(s, mctx, cinf, rsp, NULL);
- if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
- OCSP_RESPONSE_free(rsp);
- stapling_mutex_off(s);
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+ if (rsp == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01954)
+ "stapling_cb: renewing cached response");
+ stapling_refresh_mutex_on(s);
+ /* Maybe another request refreshed the OCSP response while this
+ * thread waited for the mutex. Check again.
+ */
+ rv = get_and_check_cached_response(s, mctx, &rsp, &ok, cinf,
+ conn->pool);
+ if (rv != 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03236)
+ "stapling_cb: error checking for cached response "
+ "after obtaining refresh mutex");
+ stapling_refresh_mutex_off(s);
+ return rv;
}
- else if (rv == SSL_TLSEXT_ERR_NOACK) {
- /* Error in response. If this error was not present when it was
- * stored (i.e. response no longer valid) then it can be
- * renewed straight away.
- *
- * If the error *was* present at the time it was stored then we
- * don't renew the response straight away we just wait for the
- * cached response to expire.
- */
- if (ok) {
- OCSP_RESPONSE_free(rsp);
- rsp = NULL;
+ else if (rsp) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03237)
+ "stapling_cb: don't need to refresh cached response "
+ "after obtaining refresh mutex");
+ stapling_refresh_mutex_off(s);
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03238)
+ "stapling_cb: still must refresh cached response "
+ "after obtaining refresh mutex");
+ rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, &ok,
+ conn->pool);
+ stapling_refresh_mutex_off(s);
+
+ if ((rv == TRUE) && (ok == TRUE) && rsp) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03040)
+ "stapling_cb: success renewing response");
}
- else if (!mctx->stapling_return_errors) {
- OCSP_RESPONSE_free(rsp);
- stapling_mutex_off(s);
- return SSL_TLSEXT_ERR_NOACK;
+ else if (rv == FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01955)
+ "stapling_cb: fatal error renewing response");
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
}
}
- if (rsp == NULL) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "stapling_cb: renewing cached response");
- rv = stapling_renew_response(s, mctx, ssl, cinf, &rsp, conn->pool);
-
- if (rv == FALSE) {
- stapling_mutex_off(s);
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "stapling_cb: fatal error");
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- }
- stapling_mutex_off(s);
-
- if (rsp) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ if (rsp && ((ok == TRUE) || (mctx->stapling_return_errors == TRUE))) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01956)
"stapling_cb: setting response");
if (!stapling_set_response(ssl, rsp))
return SSL_TLSEXT_ERR_ALERT_FATAL;
return SSL_TLSEXT_ERR_OK;
}
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "stapling_cb: no response available");
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
+ "stapling_cb: no suitable response available");
return SSL_TLSEXT_ERR_NOACK;
}
-void modssl_init_stapling(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
- modssl_ctx_t *mctx)
+apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p,
+ apr_pool_t *ptemp, modssl_ctx_t *mctx)
{
SSL_CTX *ctx = mctx->ssl_ctx;
SSLModConfigRec *mc = myModConfig(s);
if (mc->stapling_cache == NULL) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
"SSLStapling: no stapling cache available");
- ssl_die();
+ return ssl_die(s);
+ }
+ if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
+ "SSLStapling: cannot initialise stapling mutex");
+ return ssl_die(s);
}
/* Set some default values for parameters if they are not set */
if (mctx->stapling_resptime_skew == UNSET) {
mctx->stapling_responder_timeout = 10 * APR_USEC_PER_SEC;
}
SSL_CTX_set_tlsext_status_cb(ctx, stapling_cb);
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "OCSP stapling initialized");
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01960) "OCSP stapling initialized");
+
+ return APR_SUCCESS;
}
#endif