From: Stefan Eissing Date: Tue, 2 Jan 2018 15:57:39 +0000 (+0000) Subject: On the trunk: X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=00edcb7d39c434a3a0629262bc9e67774330db25;p=apache On the trunk: mod_md v1.1.7 changes git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1819854 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 2ef6c1b26b..518f1f04f3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,18 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_md v1.1.7: + - MDMustStaple was unable to create the necessary OpenSSL OBJ identifier on some platforms, + possibly because this fails if the OID is already configured in ```openssl.cnf```, see + [here](https://github.com/openssl/openssl/issues/2795). + - Two memory leaks in cert issuer and alt-names lookup eliminated by Yann Ylavic. + - Changing MDMustStaple triggers certificate renewal. + - More verbosity when *not* handing out certificates, e.g. mod_ssl asks, but mod_md has no + idea what it is talking about. Some people report misbehaviour here. + - Re-enabled support for md_get_credentials() function that was used in older mod_ssl + patch, so that people with old patched servers get a chance to upgrade. + [Stefan Eissing, Yann Ylavic] + *) mod_susbtitute: Allow expressions in the subtitution, prefixed with expr= [Eric Covener] diff --git a/modules/md/md.h b/modules/md/md.h index 0c4aed5fb9..a35aaac0a4 100644 --- a/modules/md/md.h +++ b/modules/md/md.h @@ -119,6 +119,7 @@ struct md_t { #define MD_KEY_CONTACT "contact" #define MD_KEY_CONTACTS "contacts" #define MD_KEY_CSR "csr" +#define MD_KEY_DETAIL "detail" #define MD_KEY_DISABLED "disabled" #define MD_KEY_DIR "dir" #define MD_KEY_DOMAIN "domain" @@ -275,4 +276,14 @@ struct md_creds_t { int expired; }; +/* TODO: not sure this is a good idea, testing some readability and debuggabiltiy of + * cascaded apr_status_t checks. */ +#define MD_CHK_VARS const char *md_chk_ +#define MD_LAST_CHK md_chk_ +#define MD_CHK_STEP(c, status, s) (md_chk_ = s, status == (rv = (c))) +#define MD_CHK(c, status) MD_CHK_STEP(c, status, #c) +#define MD_IS_ERR(c, err) (md_chk_ = #c, APR_STATUS_IS_##err((rv = (c)))) +#define MD_CHK_SUCCESS(c) MD_CHK(c, APR_SUCCESS) +#define MD_OK(c) MD_CHK_SUCCESS(c) + #endif /* mod_md_md_h */ diff --git a/modules/md/md_acme.c b/modules/md/md_acme.c index e94cac34c8..f692e25dea 100644 --- a/modules/md/md_acme.c +++ b/modules/md/md_acme.c @@ -284,8 +284,8 @@ static apr_status_t inspect_problem(md_acme_req_t *req, const md_http_response_t const char *ptype, *pdetail; req->resp_json = problem; - ptype = md_json_gets(problem, "type", NULL); - pdetail = md_json_gets(problem, "detail", NULL); + ptype = md_json_gets(problem, MD_KEY_TYPE, NULL); + pdetail = md_json_gets(problem, MD_KEY_DETAIL, NULL); req->rv = problem_status_get(ptype); if (APR_STATUS_IS_EAGAIN(req->rv)) { diff --git a/modules/md/md_acme_authz.c b/modules/md/md_acme_authz.c index 68fdc36801..9cb1a09530 100644 --- a/modules/md/md_acme_authz.c +++ b/modules/md/md_acme_authz.c @@ -207,8 +207,10 @@ apr_status_t md_acme_authz_update(md_acme_authz_t *authz, md_acme_t *acme, md_store_t *store, apr_pool_t *p) { md_json_t *json; - const char *s; + const char *s, *err; + md_log_level_t log_level; apr_status_t rv; + MD_CHK_VARS; (void)store; assert(acme); @@ -216,46 +218,46 @@ apr_status_t md_acme_authz_update(md_acme_authz_t *authz, md_acme_t *acme, assert(authz); assert(authz->location); - if (APR_SUCCESS != (rv = md_acme_get_json(&json, acme, authz->location, p))) { - md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "update authz for %s at %s", - authz->domain, authz->location); - return rv; - } - - authz->resource = json; - s = md_json_gets(json, "identifier", "type", NULL); - if (!s || strcmp(s, "dns")) return APR_EINVAL; - s = md_json_gets(json, "identifier", "value", NULL); - if (!s || strcmp(s, authz->domain)) return APR_EINVAL; - authz->state = MD_ACME_AUTHZ_S_UNKNOWN; - s = md_json_gets(json, "status", NULL); - if (s && !strcmp(s, "pending")) { - authz->state = MD_ACME_AUTHZ_S_PENDING; - } - else if (s && !strcmp(s, "valid")) { - authz->state = MD_ACME_AUTHZ_S_VALID; - if (md_log_is_level(p, MD_LOG_DEBUG)) { - md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, "ACME server validated challenge " - "for %s in %s, ACME response is: %s", - authz->domain, authz->location, - md_json_writep(json, p, MD_JSON_FMT_COMPACT)); + json = NULL; + err = "unable to parse response"; + log_level = MD_LOG_ERR; + + if (MD_OK(md_acme_get_json(&json, acme, authz->location, p)) + && (s = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_TYPE, NULL)) + && !strcmp(s, "dns") + && (s = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_VALUE, NULL)) + && !strcmp(s, authz->domain) + && (s = md_json_gets(json, MD_KEY_STATUS, NULL))) { + + authz->resource = json; + if (!strcmp(s, "pending")) { + authz->state = MD_ACME_AUTHZ_S_PENDING; + err = "challenge 'pending'"; + log_level = MD_LOG_DEBUG; + } + else if (!strcmp(s, "valid")) { + authz->state = MD_ACME_AUTHZ_S_VALID; + err = "challenge 'valid'"; + log_level = MD_LOG_DEBUG; + } + else if (!strcmp(s, "invalid")) { + authz->state = MD_ACME_AUTHZ_S_INVALID; + err = "challenge 'invalid'"; } } - else if (s && !strcmp(s, "invalid")) { - authz->state = MD_ACME_AUTHZ_S_INVALID; - md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "ACME server reports challenge " - "for %s in %s as 'invalid', ACME response is: %s", - authz->domain, authz->location, - md_json_writep(json, p, MD_JSON_FMT_COMPACT)); + + if (json && authz->state == MD_ACME_AUTHZ_S_UNKNOWN) { + err = "unable to understand response"; + rv = APR_EINVAL; } - else if (s) { - md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "ACME server reports unrecognized " - "authz state '%s' for %s in %s, ACME response is: %s", - s, authz->domain, authz->location, - md_json_writep(json, p, MD_JSON_FMT_COMPACT)); - return APR_EINVAL; + + if (md_log_is_level(p, log_level)) { + md_log_perror(MD_LOG_MARK, log_level, rv, p, "ACME server authz: %s for %s at %s. " + "Exact repsonse was: %s", err? err : "", authz->domain, authz->location, + json? md_json_writep(json, p, MD_JSON_FMT_COMPACT) : "not available"); } + return rv; } @@ -306,13 +308,14 @@ static apr_status_t setup_key_authz(md_acme_authz_cha_t *cha, md_acme_authz_t *a { const char *thumb64, *key_authz; apr_status_t rv; + MD_CHK_VARS; (void)authz; assert(cha); assert(cha->token); *pchanged = 0; - if (APR_SUCCESS == (rv = md_jws_pkey_thumb(&thumb64, p, acme->acct_key))) { + if (MD_OK(md_jws_pkey_thumb(&thumb64, p, acme->acct_key))) { key_authz = apr_psprintf(p, "%s.%s", cha->token, thumb64); if (cha->key_authz) { if (strcmp(key_authz, cha->key_authz)) { @@ -335,9 +338,10 @@ static apr_status_t cha_http_01_setup(md_acme_authz_cha_t *cha, md_acme_authz_t const char *data; apr_status_t rv; int notify_server; + MD_CHK_VARS; (void)key_spec; - if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, ¬ify_server))) { + if (!MD_OK(setup_key_authz(cha, authz, acme, p, ¬ify_server))) { goto out; } @@ -395,9 +399,10 @@ static apr_status_t cha_tls_sni_01_setup(md_acme_authz_cha_t *cha, md_acme_authz apr_status_t rv; int notify_server; apr_array_header_t *domains; + MD_CHK_VARS; - if ( APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, ¬ify_server)) - || APR_SUCCESS != (rv = setup_cha_dns(&cha_dns, cha, p))) { + if ( !MD_OK(setup_key_authz(cha, authz, acme, p, ¬ify_server)) + || !MD_OK(setup_cha_dns(&cha_dns, cha, p))) { goto out; } @@ -415,18 +420,15 @@ static apr_status_t cha_tls_sni_01_setup(md_acme_authz_cha_t *cha, md_acme_authz /* setup a certificate containing the challenge dns */ domains = apr_array_make(p, 5, sizeof(const char*)); APR_ARRAY_PUSH(domains, const char*) = cha_dns; - rv = md_cert_self_sign(&cha_cert, authz->domain, domains, cha_key, - apr_time_from_sec(7 * MD_SECS_PER_DAY), p); - - if (APR_SUCCESS != rv) { + if (!MD_OK(md_cert_self_sign(&cha_cert, authz->domain, domains, cha_key, + apr_time_from_sec(7 * MD_SECS_PER_DAY), p))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: setup self signed cert for %s", authz->domain, cha_dns); goto out; } - rv = md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_PKEY, - MD_SV_PKEY, (void*)cha_key, 0); - if (APR_SUCCESS == rv) { + if (MD_OK(md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_PKEY, + MD_SV_PKEY, (void*)cha_key, 0))) { rv = md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_CERT, MD_SV_CERT, (void*)cha_cert, 0); } diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c index e540df50af..d1f8bd05ec 100644 --- a/modules/md/md_crypt.c +++ b/modules/md/md_crypt.c @@ -1103,6 +1103,30 @@ static apr_status_t sk_add_alt_names(STACK_OF(X509_EXTENSION) *exts, return APR_SUCCESS; } +#define MD_OID_MUST_STAPLE_NUM "1.3.6.1.5.5.7.1.24" +#define MD_OID_MUST_STAPLE_SNAME "tlsfeature" +#define MD_OID_MUST_STAPLE_LNAME "TLS Feature" + +static int get_must_staple_nid() +{ + /* Funny API, the OID for must staple might be configured or + * might be not. In the second case, we need to add it. But adding + * when it already is there is an error... */ + int nid = OBJ_txt2nid(MD_OID_MUST_STAPLE_NUM); + if (NID_undef == nid) { + nid = OBJ_create(MD_OID_MUST_STAPLE_NUM, + MD_OID_MUST_STAPLE_SNAME, MD_OID_MUST_STAPLE_LNAME); + } + return nid; +} + +int md_cert_must_staple(md_cert_t *cert) +{ + /* In case we do not get the NID for it, we treat this as not set. */ + int nid = get_must_staple_nid(); + return ((NID_undef != nid)) && X509_get_ext_by_NID(cert->x509, nid, -1) >= 0; +} + static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t *md, apr_pool_t *p) { @@ -1110,7 +1134,7 @@ static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t * X509_EXTENSION *x; int nid; - nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature"); + nid = get_must_staple_nid(); if (NID_undef == nid) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "%s: unable to get NID for v3 must-staple TLS feature", md->name); diff --git a/modules/md/md_crypt.h b/modules/md/md_crypt.h index fc7c2d1dd3..94bde5ca86 100644 --- a/modules/md/md_crypt.h +++ b/modules/md/md_crypt.h @@ -107,6 +107,7 @@ int md_cert_is_valid_now(const md_cert_t *cert); int md_cert_has_expired(const md_cert_t *cert); int md_cert_covers_domain(md_cert_t *cert, const char *domain_name); int md_cert_covers_md(md_cert_t *cert, const struct md_t *md); +int md_cert_must_staple(md_cert_t *cert); apr_time_t md_cert_get_not_after(md_cert_t *cert); apr_time_t md_cert_get_not_before(md_cert_t *cert); diff --git a/modules/md/md_reg.c b/modules/md/md_reg.c index f5e6dc2c07..556d9aace7 100644 --- a/modules/md/md_reg.c +++ b/modules/md/md_reg.c @@ -234,6 +234,15 @@ static apr_status_t state_init(md_reg_t *reg, apr_pool_t *p, md_t *md, int save_ "needs sign up for a new certificate", md->name); goto out; } + if (!md->must_staple != !md_cert_must_staple(creds->cert)) { + state = MD_S_INCOMPLETE; + md_log_perror(MD_LOG_MARK, MD_LOG_INFO, rv, p, + "md{%s}: OCSP Stapling is%s requested, but certificate " + "has it%s enabled. Need to get a new certificate.", md->name, + md->must_staple? "" : " not", + !md->must_staple? "" : " not"); + goto out; + } for (i = 1; i < creds->pubcert->nelts; ++i) { cert = APR_ARRAY_IDX(creds->pubcert, i, const md_cert_t *); diff --git a/modules/md/md_store_fs.c b/modules/md/md_store_fs.c index e6a988d28a..726aeb8631 100644 --- a/modules/md/md_store_fs.c +++ b/modules/md/md_store_fs.c @@ -137,11 +137,12 @@ static apr_status_t rename_pkey(void *baton, apr_pool_t *p, apr_pool_t *ptemp, { const char *from, *to; apr_status_t rv = APR_SUCCESS; - + MD_CHK_VARS; + (void)baton; (void)ftype; - if (APR_SUCCESS == (rv = md_util_path_merge(&from, ptemp, dir, name, NULL)) - && APR_SUCCESS == (rv = md_util_path_merge(&to, ptemp, dir, MD_FN_PRIVKEY, NULL))) { + if ( MD_OK(md_util_path_merge(&from, ptemp, dir, name, NULL)) + && MD_OK(md_util_path_merge(&to, ptemp, dir, MD_FN_PRIVKEY, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, "renaming %s/%s to %s", dir, name, MD_FN_PRIVKEY); return apr_file_rename(from, to, ptemp); @@ -157,15 +158,16 @@ static apr_status_t mk_pubcert(void *baton, apr_pool_t *p, apr_pool_t *ptemp, apr_array_header_t *chain, *pubcert; const char *fname, *fpubcert; apr_status_t rv = APR_SUCCESS; + MD_CHK_VARS; (void)baton; (void)ftype; (void)p; - if ( APR_SUCCESS == (rv = md_util_path_merge(&fpubcert, ptemp, dir, MD_FN_PUBCERT, NULL)) - && APR_STATUS_IS_ENOENT((rv = md_chain_fload(&pubcert, ptemp, fpubcert))) - && APR_SUCCESS == (rv = md_util_path_merge(&fname, ptemp, dir, name, NULL)) - && APR_SUCCESS == (rv = md_cert_fload(&cert, ptemp, fname)) - && APR_SUCCESS == (rv = md_util_path_merge(&fname, ptemp, dir, MD_FN_CHAIN, NULL))) { + if ( MD_OK(md_util_path_merge(&fpubcert, ptemp, dir, MD_FN_PUBCERT, NULL)) + && MD_IS_ERR(md_chain_fload(&pubcert, ptemp, fpubcert), ENOENT) + && MD_OK(md_util_path_merge(&fname, ptemp, dir, name, NULL)) + && MD_OK(md_cert_fload(&cert, ptemp, fname)) + && MD_OK(md_util_path_merge(&fname, ptemp, dir, MD_FN_CHAIN, NULL))) { rv = md_chain_fload(&chain, ptemp, fname); if (APR_STATUS_IS_ENOENT(rv)) { @@ -209,8 +211,9 @@ static apr_status_t read_store_file(md_store_fs_t *s_fs, const char *fname, const char *key64, *key; apr_status_t rv; double store_version; + MD_CHK_VARS; - if (APR_SUCCESS == (rv = md_json_readf(&json, p, fname))) { + if (MD_OK(md_json_readf(&json, p, fname))) { store_version = md_json_getn(json, MD_KEY_STORE, MD_KEY_VERSION, NULL); if (store_version <= 0.0) { /* ok, an old one, compatible to 1.0 */ @@ -261,25 +264,23 @@ static apr_status_t setup_store_file(void *baton, apr_pool_t *p, apr_pool_t *pte md_store_fs_t *s_fs = baton; const char *fname; apr_status_t rv; + MD_CHK_VARS; (void)ap; s_fs->plain_pkey[MD_SG_DOMAINS] = 1; s_fs->plain_pkey[MD_SG_TMP] = 1; - rv = md_util_path_merge(&fname, ptemp, s_fs->base, FS_STORE_JSON, NULL); - if (APR_SUCCESS != rv) { + if (!MD_OK(md_util_path_merge(&fname, ptemp, s_fs->base, FS_STORE_JSON, NULL))) { return rv; } read: - if (APR_SUCCESS == (rv = md_util_is_file(fname, ptemp))) { + if (MD_OK(md_util_is_file(fname, ptemp))) { rv = read_store_file(s_fs, fname, p, ptemp); } - else if (APR_STATUS_IS_ENOENT(rv)) { - rv = init_store_file(s_fs, fname, p, ptemp); - if (APR_STATUS_IS_EEXIST(rv)) { - goto read; - } + else if (APR_STATUS_IS_ENOENT(rv) + && MD_IS_ERR(init_store_file(s_fs, fname, p, ptemp), EEXIST)) { + goto read; } return rv; } @@ -288,6 +289,7 @@ apr_status_t md_store_fs_init(md_store_t **pstore, apr_pool_t *p, const char *pa { md_store_fs_t *s_fs; apr_status_t rv = APR_SUCCESS; + MD_CHK_VARS; s_fs = apr_pcalloc(p, sizeof(*s_fs)); @@ -316,20 +318,15 @@ apr_status_t md_store_fs_init(md_store_t **pstore, apr_pool_t *p, const char *pa s_fs->base = apr_pstrdup(p, path); - if (APR_SUCCESS != (rv = md_util_is_dir(s_fs->base, p))) { - if (APR_STATUS_IS_ENOENT(rv)) { - rv = apr_dir_make_recursive(s_fs->base, s_fs->def_perms.dir, p); - if (APR_SUCCESS == rv) { - rv = apr_file_perms_set(s_fs->base, MD_FPROT_D_UALL_WREAD); - if (APR_STATUS_IS_ENOTIMPL(rv)) { - rv = APR_SUCCESS; - } - } + if (MD_IS_ERR(md_util_is_dir(s_fs->base, p), ENOENT) + && MD_OK(apr_dir_make_recursive(s_fs->base, s_fs->def_perms.dir, p))) { + rv = apr_file_perms_set(s_fs->base, MD_FPROT_D_UALL_WREAD); + if (APR_STATUS_IS_ENOTIMPL(rv)) { + rv = APR_SUCCESS; } } - rv = md_util_pool_vdo(setup_store_file, s_fs, p, NULL); - if (APR_SUCCESS != rv) { + if ((APR_SUCCESS != rv) || !MD_OK(md_util_pool_vdo(setup_store_file, s_fs, p, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "init fs store at %s", path); } *pstore = (rv == APR_SUCCESS)? &(s_fs->s) : NULL; @@ -464,6 +461,7 @@ static apr_status_t pfs_load(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l md_store_group_t group; void **pvalue; apr_status_t rv; + MD_CHK_VARS; group = (md_store_group_t)va_arg(ap, int); name = va_arg(ap, const char *); @@ -471,8 +469,7 @@ static apr_status_t pfs_load(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l vtype = (md_store_vtype_t)va_arg(ap, int); pvalue= va_arg(ap, void **); - rv = fs_get_fname(&fpath, &s_fs->s, group, name, aspect, ptemp); - if (APR_SUCCESS == rv) { + if (MD_OK(fs_get_fname(&fpath, &s_fs->s, group, name, aspect, ptemp))) { rv = fs_fload(pvalue, s_fs, fpath, group, vtype, p, ptemp); } return rv; @@ -495,18 +492,14 @@ static apr_status_t mk_group_dir(const char **pdir, md_store_fs_t *s_fs, { const perms_t *perms; apr_status_t rv; + MD_CHK_VARS; perms = gperms(s_fs, group); - if (APR_SUCCESS == (rv = fs_get_dname(pdir, &s_fs->s, group, name, p)) - && (MD_SG_NONE != group)) { - if (APR_SUCCESS != md_util_is_dir(*pdir, p)) { - if (APR_SUCCESS == (rv = apr_dir_make_recursive(*pdir, perms->dir, p))) { - rv = dispatch(s_fs, MD_S_FS_EV_CREATED, group, *pdir, APR_DIR, p); - } - } - else { - /* already exists */ + if (MD_OK(fs_get_dname(pdir, &s_fs->s, group, name, p)) && (MD_SG_NONE != group)) { + if ( !MD_OK(md_util_is_dir(*pdir, p)) + && MD_OK(apr_dir_make_recursive(*pdir, perms->dir, p))) { + rv = dispatch(s_fs, MD_S_FS_EV_CREATED, group, *pdir, APR_DIR, p); } if (APR_SUCCESS == rv) { @@ -529,6 +522,7 @@ static apr_status_t pfs_is_newer(void *baton, apr_pool_t *p, apr_pool_t *ptemp, apr_finfo_t inf1, inf2; int *pnewer; apr_status_t rv; + MD_CHK_VARS; (void)p; group1 = (md_store_group_t)va_arg(ap, int); @@ -538,10 +532,10 @@ static apr_status_t pfs_is_newer(void *baton, apr_pool_t *p, apr_pool_t *ptemp, pnewer = va_arg(ap, int*); *pnewer = 0; - if ( APR_SUCCESS == (rv = fs_get_fname(&fname1, &s_fs->s, group1, name, aspect, ptemp)) - && APR_SUCCESS == (rv = fs_get_fname(&fname2, &s_fs->s, group2, name, aspect, ptemp)) - && APR_SUCCESS == (rv = apr_stat(&inf1, fname1, APR_FINFO_MTIME, ptemp)) - && APR_SUCCESS == (rv = apr_stat(&inf2, fname2, APR_FINFO_MTIME, ptemp))) { + if ( MD_OK(fs_get_fname(&fname1, &s_fs->s, group1, name, aspect, ptemp)) + && MD_OK(fs_get_fname(&fname2, &s_fs->s, group2, name, aspect, ptemp)) + && MD_OK(apr_stat(&inf1, fname1, APR_FINFO_MTIME, ptemp)) + && MD_OK(apr_stat(&inf2, fname2, APR_FINFO_MTIME, ptemp))) { *pnewer = inf1.mtime > inf2.mtime; } @@ -575,6 +569,7 @@ static apr_status_t pfs_save(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l const perms_t *perms; const char *pass; apr_size_t pass_len; + MD_CHK_VARS; group = (md_store_group_t)va_arg(ap, int); name = va_arg(ap, const char*); @@ -585,9 +580,9 @@ static apr_status_t pfs_save(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l perms = gperms(s_fs, group); - if (APR_SUCCESS == (rv = mk_group_dir(&gdir, s_fs, group, NULL, p)) - && APR_SUCCESS == (rv = mk_group_dir(&dir, s_fs, group, name, p)) - && APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { + if ( MD_OK(mk_group_dir(&gdir, s_fs, group, NULL, p)) + && MD_OK(mk_group_dir(&dir, s_fs, group, name, p)) + && MD_OK(md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, ptemp, "storing in %s", fpath); switch (vtype) { @@ -632,6 +627,7 @@ static apr_status_t pfs_remove(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va int force; apr_finfo_t info; md_store_group_t group; + MD_CHK_VARS; (void)p; group = (md_store_group_t)va_arg(ap, int); @@ -641,12 +637,12 @@ static apr_status_t pfs_remove(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va groupname = md_store_group_name(group); - if (APR_SUCCESS == (rv = md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL)) - && APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { + if ( MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL)) + && MD_OK(md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, ptemp, "start remove of md %s/%s/%s", groupname, name, aspect); - if (APR_SUCCESS != (rv = apr_stat(&info, dir, APR_FINFO_TYPE, ptemp))) { + if (!MD_OK(apr_stat(&info, dir, APR_FINFO_TYPE, ptemp))) { if (APR_ENOENT == rv && force) { return APR_SUCCESS; } @@ -692,6 +688,7 @@ static apr_status_t pfs_purge(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_ const char *dir, *name, *groupname; md_store_group_t group; apr_status_t rv; + MD_CHK_VARS; (void)p; group = (md_store_group_t)va_arg(ap, int); @@ -699,7 +696,7 @@ static apr_status_t pfs_purge(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_ groupname = md_store_group_name(group); - if (APR_SUCCESS == (rv = md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))) { + if (MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))) { /* Remove all files in dir, there should be no sub-dirs */ rv = md_util_rm_recursive(dir, ptemp, 1); } @@ -734,15 +731,14 @@ static apr_status_t insp(void *baton, apr_pool_t *p, apr_pool_t *ptemp, apr_status_t rv; void *value; const char *fpath; + MD_CHK_VARS; (void)ftype; md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, ptemp, "inspecting value at: %s/%s", dir, name); - if (APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, name, NULL))) { - rv = fs_fload(&value, ctx->s_fs, fpath, ctx->group, ctx->vtype, p, ptemp); - if (APR_SUCCESS == rv - && !ctx->inspect(ctx->baton, name, ctx->aspect, ctx->vtype, value, ptemp)) { - return APR_EOF; - } + if ( MD_OK(md_util_path_merge(&fpath, ptemp, dir, name, NULL)) + && MD_OK(fs_fload(&value, ctx->s_fs, fpath, ctx->group, ctx->vtype, p, ptemp)) + && !ctx->inspect(ctx->baton, name, ctx->aspect, ctx->vtype, value, ptemp)) { + return APR_EOF; } return rv; } @@ -779,6 +775,7 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l md_store_group_t from, to; int archive; apr_status_t rv; + MD_CHK_VARS; (void)p; from = (md_store_group_t)va_arg(ap, int); @@ -792,27 +789,26 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l return APR_EINVAL; } - rv = md_util_path_merge(&from_dir, ptemp, s_fs->base, from_group, name, NULL); - if (APR_SUCCESS != rv) goto out; - rv = md_util_path_merge(&to_dir, ptemp, s_fs->base, to_group, name, NULL); - if (APR_SUCCESS != rv) goto out; + if ( !MD_OK(md_util_path_merge(&from_dir, ptemp, s_fs->base, from_group, name, NULL)) + || !MD_OK(md_util_path_merge(&to_dir, ptemp, s_fs->base, to_group, name, NULL))) { + goto out; + } - if (APR_SUCCESS != (rv = md_util_is_dir(from_dir, ptemp))) { + if (!MD_OK(md_util_is_dir(from_dir, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, ptemp, "source is no dir: %s", from_dir); goto out; } - rv = archive? md_util_is_dir(to_dir, ptemp) : APR_ENOENT; - if (APR_SUCCESS == rv) { + if (MD_OK(archive? md_util_is_dir(to_dir, ptemp) : APR_ENOENT)) { int n = 1; const char *narch_dir; - rv = md_util_path_merge(&dir, ptemp, s_fs->base, md_store_group_name(MD_SG_ARCHIVE), NULL); - if (APR_SUCCESS != rv) goto out; - rv = apr_dir_make_recursive(dir, MD_FPROT_D_UONLY, ptemp); - if (APR_SUCCESS != rv) goto out; - rv = md_util_path_merge(&arch_dir, ptemp, dir, name, NULL); - if (APR_SUCCESS != rv) goto out; + if ( !MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, + md_store_group_name(MD_SG_ARCHIVE), NULL)) + || !MD_OK(apr_dir_make_recursive(dir, MD_FPROT_D_UONLY, ptemp)) + || !MD_OK(md_util_path_merge(&arch_dir, ptemp, dir, name, NULL))) { + goto out; + } #ifdef WIN32 /* WIN32 and handling of files/dirs. What can one say? */ @@ -835,8 +831,7 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l while (n < 1000) { narch_dir = apr_psprintf(ptemp, "%s.%d", arch_dir, n); - rv = apr_dir_make(narch_dir, MD_FPROT_D_UONLY, ptemp); - if (APR_SUCCESS == rv) { + if (MD_OK(apr_dir_make(narch_dir, MD_FPROT_D_UONLY, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, ptemp, "using archive dir: %s", narch_dir); break; @@ -863,19 +858,18 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l goto out; } - if (APR_SUCCESS != (rv = apr_file_rename(to_dir, narch_dir, ptemp))) { + if (!MD_OK(apr_file_rename(to_dir, narch_dir, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp, "rename from %s to %s", to_dir, narch_dir); goto out; } - if (APR_SUCCESS != (rv = apr_file_rename(from_dir, to_dir, ptemp))) { + if (!MD_OK(apr_file_rename(from_dir, to_dir, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp, "moving %s to %s: %s", from_dir, to_dir); apr_file_rename(narch_dir, to_dir, ptemp); goto out; } - rv = dispatch(s_fs, MD_S_FS_EV_MOVED, to, to_dir, APR_DIR, ptemp); - if (APR_SUCCESS == rv) { + if (MD_OK(dispatch(s_fs, MD_S_FS_EV_MOVED, to, to_dir, APR_DIR, ptemp))) { rv = dispatch(s_fs, MD_S_FS_EV_MOVED, MD_SG_ARCHIVE, narch_dir, APR_DIR, ptemp); } } diff --git a/modules/md/md_version.h b/modules/md/md_version.h index 7b0b428671..c6d7e59ad5 100644 --- a/modules/md/md_version.h +++ b/modules/md/md_version.h @@ -26,7 +26,7 @@ * @macro * Version number of the md module as c string */ -#define MOD_MD_VERSION "1.1.4" +#define MOD_MD_VERSION "1.1.7" /** * @macro @@ -34,7 +34,7 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define MOD_MD_VERSION_NUM 0x010104 +#define MOD_MD_VERSION_NUM 0x010107 #define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory" diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c index 718b41d32d..3649cfaa24 100644 --- a/modules/md/mod_md.c +++ b/modules/md/mod_md.c @@ -459,29 +459,21 @@ static apr_status_t setup_store(md_store_t **pstore, md_mod_conf_t *mc, { const char *base_dir; apr_status_t rv; + MD_CHK_VARS; base_dir = ap_server_root_relative(p, mc->base_dir); - if (APR_SUCCESS != (rv = md_store_fs_init(pstore, p, base_dir))) { + if (!MD_OK(md_store_fs_init(pstore, p, base_dir))) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10046)"setup store for %s", base_dir); goto out; } md_store_fs_set_event_cb(*pstore, store_file_ev, s); - if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_CHALLENGES, p, s))) { + if ( !MD_OK(check_group_dir(*pstore, MD_SG_CHALLENGES, p, s)) + || !MD_OK(check_group_dir(*pstore, MD_SG_STAGING, p, s)) + || !MD_OK(check_group_dir(*pstore, MD_SG_ACCOUNTS, p, s))) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10047) - "setup challenges directory"); - goto out; - } - if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_STAGING, p, s))) { - ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10048) - "setup staging directory"); - goto out; - } - if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_ACCOUNTS, p, s))) { - ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10049) - "setup accounts directory"); - goto out; + "setup challenges directory, call %s", MD_LAST_CHK); } out: @@ -495,12 +487,13 @@ static apr_status_t setup_reg(md_reg_t **preg, apr_pool_t *p, server_rec *s, md_mod_conf_t *mc; md_store_t *store; apr_status_t rv; + MD_CHK_VARS; sc = md_config_get(s); mc = sc->mc; - if (APR_SUCCESS == (rv = setup_store(&store, mc, p, s)) - && APR_SUCCESS == (rv = md_reg_init(preg, p, store, mc->proxy_url))) { + if ( MD_OK(setup_store(&store, mc, p, s)) + && MD_OK(md_reg_init(preg, p, store, mc->proxy_url))) { mc->reg = *preg; return md_reg_set_props(*preg, p, can_http, can_https); } @@ -801,10 +794,6 @@ static apr_status_t run_watchdog(int state, void *baton, apr_pool_t *ptemp) "next run in %s", md_print_duration(ptemp, next_run - now)); } wd_set_interval(wd->watchdog, next_run - now, wd, run_watchdog); - - for (i = 0; i < wd->jobs->nelts; ++i) { - job = APR_ARRAY_IDX(wd->jobs, i, md_job_t *); - } break; case AP_WATCHDOG_STATE_STOPPING: @@ -1133,26 +1122,28 @@ static int md_is_managed(server_rec *s) return 0; } -static apr_status_t setup_fallback_cert(md_store_t *store, const md_t *md, apr_pool_t *p) +static apr_status_t setup_fallback_cert(md_store_t *store, const md_t *md, + server_rec *s, apr_pool_t *p) { md_pkey_t *pkey; md_cert_t *cert; md_pkey_spec_t spec; apr_status_t rv; - + MD_CHK_VARS; + spec.type = MD_PKEY_TYPE_RSA; spec.params.rsa.bits = MD_PKEY_RSA_BITS_DEF; - - if ( APR_SUCCESS == (rv = md_pkey_gen(&pkey, p, &spec)) - && APR_SUCCESS == (rv = md_store_save(store, p, MD_SG_DOMAINS, md->name, - MD_FN_FALLBACK_PKEY, MD_SV_PKEY, (void*)pkey, 0)) - && APR_SUCCESS == (rv = md_cert_self_sign(&cert, "Apache Managed Domain Fallback", - md->domains, pkey, - apr_time_from_sec(14 * MD_SECS_PER_DAY), p))) { - rv = md_store_save(store, p, MD_SG_DOMAINS, md->name, - MD_FN_FALLBACK_CERT, MD_SV_CERT, (void*)cert, 0); + + if ( !MD_OK(md_pkey_gen(&pkey, p, &spec)) + || !MD_OK(md_store_save(store, p, MD_SG_DOMAINS, md->name, + MD_FN_FALLBACK_PKEY, MD_SV_PKEY, (void*)pkey, 0)) + || !MD_OK(md_cert_self_sign(&cert, "Apache Managed Domain Fallback", + md->domains, pkey, apr_time_from_sec(14 * MD_SECS_PER_DAY), p)) + || !MD_OK(md_store_save(store, p, MD_SG_DOMAINS, md->name, + MD_FN_FALLBACK_CERT, MD_SV_CERT, (void*)cert, 0))) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "%s: setup fallback certificate, call %s", md->name, MD_LAST_CHK); } - return rv; } @@ -1169,62 +1160,105 @@ static apr_status_t md_get_certificate(server_rec *s, apr_pool_t *p, md_reg_t *reg; md_store_t *store; const md_t *md; + MD_CHK_VARS; *pkeyfile = NULL; *pcertfile = NULL; - + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() + "md_get_certificate called for vhost %s.", s->server_hostname); + sc = md_config_get(s); + if (!sc) { + ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, + "asked for certificate of server %s which has no md config", + s->server_hostname); + return APR_ENOENT; + } + + if (!sc->assigned) { + /* Hmm, mod_ssl (or someone like it) asks for certificates for a server + * where we did not assign a MD to. Either the user forgot to configure + * that server with SSL certs, has misspelled a server name or we have + * a bug that prevented us from taking responsibility for this server. + * Either way, make some polite noise */ + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO() + "asked for certificate of server %s which has no MD assigned. This " + "could be ok, but most likely it is either a misconfiguration or " + "a bug. Please check server names and MD names carefully and if " + "everything checks open, please open an issue.", + s->server_hostname); + return APR_ENOENT; + } - if (sc && sc->assigned) { - assert(sc->mc); - reg = sc->mc->reg; - assert(reg); + assert(sc->mc); + reg = sc->mc->reg; + assert(reg); + + md = md_reg_get(reg, sc->assigned->name, p); + if (!md) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO() + "unable to hand out certificates, as registry can no longer " + "find MD '%s'.", sc->assigned->name); + return APR_ENOENT; + } + + if (!MD_OK(md_reg_get_cred_files(reg, md, p, pkeyfile, pcertfile))) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10110) + "retrieving credentials for MD %s", md->name); + return rv; + } + + if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) { + /* Provide temporary, self-signed certificate as fallback, so that + * clients do not get obscure TLS handshake errors or will see a fallback + * virtual host that is not intended to be served here. */ store = md_reg_store_get(reg); - assert(store); - - md = md_reg_get(reg, sc->assigned->name, p); - - if (APR_SUCCESS != (rv = md_reg_get_cred_files(reg, md, p, pkeyfile, pcertfile))) { - ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10110) - "retrieving credentials for MD %s", md->name); - return rv; - } - + assert(store); + + md_store_get_fname(pkeyfile, store, MD_SG_DOMAINS, + md->name, MD_FN_FALLBACK_PKEY, p); + md_store_get_fname(pcertfile, store, MD_SG_DOMAINS, + md->name, MD_FN_FALLBACK_CERT, p); if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) { - /* Provide temporary, self-signed certificate as fallback, so that - * clients do not get obscure TLS handshake errors or will see a fallback - * virtual host that is not intended to be served here. */ - - md_store_get_fname(pkeyfile, store, MD_SG_DOMAINS, - md->name, MD_FN_FALLBACK_PKEY, p); - md_store_get_fname(pcertfile, store, MD_SG_DOMAINS, - md->name, MD_FN_FALLBACK_CERT, p); - if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) { - if (APR_SUCCESS != (rv = setup_fallback_cert(store, md, p))) { - ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s, - "%s: setup fallback certificate", md->name); - return rv; - } + if (!MD_OK(setup_fallback_cert(store, md, s, p))) { + return rv; } - - ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, - "%s: providing fallback certificate for server %s", - md->name, s->server_hostname); - return APR_EAGAIN; } - - /* We have key and cert files, but they might no longer be valid or not - * match all domain names. Still use these files for now, but indicate that - * resources should no longer be served until we have a new certificate again. */ - if (md->state != MD_S_COMPLETE) { - return APR_EAGAIN; - } - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10077) - "%s: providing certificate for server %s", md->name, s->server_hostname); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() + "%s: providing fallback certificate for server %s", + md->name, s->server_hostname); + return APR_EAGAIN; } + + /* We have key and cert files, but they might no longer be valid or not + * match all domain names. Still use these files for now, but indicate that + * resources should no longer be served until we have a new certificate again. */ + if (md->state != MD_S_COMPLETE) { + rv = APR_EAGAIN; + } + ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s, APLOGNO(10077) + "%s: providing certificate for server %s", md->name, s->server_hostname); return rv; } +static int compat_warned; +static apr_status_t md_get_credentials(server_rec *s, apr_pool_t *p, + const char **pkeyfile, + const char **pcertfile, + const char **pchainfile) +{ + *pchainfile = NULL; + if (!compat_warned) { + compat_warned = 1; + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, /* no APLOGNO */ + "You are using mod_md with an old patch to mod_ssl. This will " + " work for now, but support will be dropped in a future release."); + } + return md_get_certificate(s, p, pkeyfile, pcertfile); +} + static int md_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey) { @@ -1414,5 +1448,6 @@ static void md_hooks(apr_pool_t *pool) APR_REGISTER_OPTIONAL_FN(md_is_managed); APR_REGISTER_OPTIONAL_FN(md_get_certificate); APR_REGISTER_OPTIONAL_FN(md_is_challenge); + APR_REGISTER_OPTIONAL_FN(md_get_credentials); } diff --git a/modules/md/mod_md.h b/modules/md/mod_md.h index 34edba8a1f..edfee72165 100644 --- a/modules/md/mod_md.h +++ b/modules/md/mod_md.h @@ -38,5 +38,12 @@ APR_DECLARE_OPTIONAL_FN(int, md_is_challenge, (struct conn_rec *, const char *, X509 **pcert, EVP_PKEY **pkey)); +/* Backward compatibility to older mod_ssl patches, will generate + * a WARNING in the logs, use 'md_get_certificate' instead */ +APR_DECLARE_OPTIONAL_FN(apr_status_t, + md_get_credentials, (struct server_rec *, apr_pool_t *, + const char **pkeyfile, + const char **pcertfile, + const char **pchainfile)); #endif /* mod_md_mod_md_h */