ssl_util_ocsp.c revision 12b2973ae4fdb19829e3ccd9d5d3938451c67f41
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* This file implements an OCSP client including a toy HTTP/1.0
* client. Once httpd depends on a real HTTP client library, most of
* this can be thrown away. */
#include "ssl_private.h"
#ifdef HAVE_OCSP
#include "apr_buckets.h"
#include "apr_uri.h"
/* Serialize an OCSP request which will be sent to the responder at
* given URI to a memory BIO object, which is returned. */
static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri)
{
BIO *bio;
int len;
len = i2d_OCSP_REQUEST(req, NULL);
bio = BIO_new(BIO_s_mem());
BIO_printf(bio, "POST %s%s%s HTTP/1.0\r\n"
"Host: %s:%d\r\n"
"Content-Length: %d\r\n"
"\r\n",
uri->path, uri->query ? "?" : "", uri->query ? uri->query : "",
uri->hostname, uri->port, len);
if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
BIO_free(bio);
return NULL;
}
return bio;
}
/* Send the OCSP request serialized into BIO 'request' to the
* responder at given server given by URI. Returns socket object or
* NULL on error. */
static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri,
conn_rec *c, apr_pool_t *p)
{
apr_status_t rv;
apr_sockaddr_t *sa;
apr_socket_t *sd;
char buf[HUGE_STRING_LEN];
int len;
rv = apr_sockaddr_info_get(&sa, uri->hostname, APR_UNSPEC, uri->port, 0, p);
if (rv) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"could not resolve address of OCSP responder %s",
uri->hostinfo);
return NULL;
}
/* establish a connection to the OCSP responder */
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
"connecting to OCSP responder '%s'", uri->hostinfo);
/* Cycle through address until a connect() succeeds. */
for (; sa; sa = sa->next) {
rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);
if (rv == APR_SUCCESS) {
/* Inherit the default I/O timeout. */
apr_socket_timeout_set(sd, c->base_server->timeout);
rv = apr_socket_connect(sd, sa);
if (rv == APR_SUCCESS) {
break;
}
apr_socket_close(sd);
}
}
if (sa == NULL) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"could not connect to OCSP responder '%s'",
uri->hostinfo);
apr_socket_close(sd);
return NULL;
}
/* send the request and get a response */
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
"sending request to OCSP responder");
while ((len = BIO_read(request, buf, sizeof buf)) > 0) {
char *wbuf = buf;
apr_size_t remain = len;
do {
apr_size_t wlen = remain;
rv = apr_socket_send(sd, wbuf, &wlen);
wbuf += remain;
remain -= wlen;
} while (rv == APR_SUCCESS && remain > 0);
if (rv) {
apr_socket_close(sd);
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"failed to send request to OCSP responder '%s'",
uri->hostinfo);
return NULL;
}
}
return sd;
}
/* Return a pool-alocated NUL-terminated line, with CRLF stripped,
* read from brigade 'bbin' using 'bbout' as temporary storage. */
static char *get_line(apr_bucket_brigade *bbout, apr_bucket_brigade *bbin,
conn_rec *c, apr_pool_t *p)
{
apr_status_t rv;
apr_size_t len;
char *line;
apr_brigade_cleanup(bbout);
rv = apr_brigade_split_line(bbout, bbin, APR_BLOCK_READ, 8192);
if (rv) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"failed reading line from OCSP server");
return NULL;
}
rv = apr_brigade_pflatten(bbout, &line, &len, p);
if (rv) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"failed reading line from OCSP server");
return NULL;
}
if (len && line[len-1] != APR_ASCII_LF) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"response header line too long from OCSP server");
return NULL;
}
line[len-1] = '\0';
if (len > 1 && line[len-2] == APR_ASCII_CR) {
line[len-2] = '\0';
}
return line;
}
/* Maximum values to prevent eating RAM forever. */
#define MAX_HEADERS (256)
#define MAX_CONTENT (2048 * 1024)
/* Read the OCSP response from the socket 'sd', using temporary memory
* BIO 'bio', and return the decoded OCSP response object, or NULL on
* error. */
static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
apr_pool_t *p)
{
apr_bucket_brigade *bb, *tmpbb;
OCSP_RESPONSE *response;
char *line;
apr_size_t count;
apr_int64_t code;
/* Using brigades for response parsing is much simpler than using
* apr_socket_* directly. */
bb = apr_brigade_create(p, c->bucket_alloc);
tmpbb = apr_brigade_create(p, c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_socket_create(sd, c->bucket_alloc));
line = get_line(tmpbb, bb, c, p);
if (!line || strncmp(line, "HTTP/", 5)
|| (line = ap_strchr(line, ' ')) == NULL
|| (code = apr_atoi64(++line)) < 200 || code > 299) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"bad response from OCSP server: %s",
line ? line : "(none)");
return NULL;
}
/* Read till end of headers; don't have to even bother parsing the
* Content-Length since the server is obliged to close the
* connection after the response anyway for HTTP/1.0. */
count = 0;
while ((line = get_line(tmpbb, bb, c, p)) != NULL && line[0]
&& ++count < MAX_HEADERS) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
"OCSP response header: %s", line);
}
if (!line) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
"could not read response header from OCSP server");
return NULL;
}
/* Read the response body into the memory BIO. */
count = 0;
while (!APR_BRIGADE_EMPTY(bb)) {
const char *data;
apr_size_t len;
apr_status_t rv;
apr_bucket *e = APR_BRIGADE_FIRST(bb);
rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
if (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
"OCSP response: got EOF");
break;
}
if (rv != APR_SUCCESS) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"error reading response from OCSP server");
return NULL;
}
count += len;
if (count > MAX_CONTENT) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
"OCSP response size exceeds %u byte limit",
MAX_CONTENT);
return NULL;
}
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
"OCSP response: got %" APR_SIZE_T_FMT
" bytes, %" APR_SIZE_T_FMT " total", len, count);
BIO_write(bio, data, (int)len);
apr_bucket_delete(e);
}
apr_brigade_destroy(bb);
apr_brigade_destroy(tmpbb);
/* Finally decode the OCSP response from what's stored in the
* bio. */
response = d2i_OCSP_RESPONSE_bio(bio, NULL);
if (response == NULL) {
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"failed to decode OCSP response data");
}
return response;
}
OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
OCSP_REQUEST *request,
conn_rec *c, apr_pool_t *p)
{
OCSP_RESPONSE *response = NULL;
apr_socket_t *sd;
BIO *bio;
bio = serialize_request(request, uri);
if (bio == NULL) {
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"could not serialize OCSP request");
return NULL;
}
sd = send_request(bio, uri, c, p);
if (sd == NULL) {
/* Errors already logged. */
BIO_free(bio);
return NULL;
}
/* Clear the BIO contents, ready for the response. */
(void)BIO_reset(bio);
response = read_response(sd, bio, c, p);
apr_socket_close(sd);
BIO_free(bio);
return response;
}
#endif /* HAVE_OCSP */