OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p) { OCSP_RESPONSE *response = NULL; apr_socket_t *sd; BIO *bio; bio = serialize_request(request, uri); if (bio == NULL) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01989) "could not serialize OCSP request"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c)); return NULL; } sd = send_request(bio, uri, timeout, c, p); if (sd == NULL) { /* Errors already logged. */ BIO_free(bio); return NULL; } /* Clear the BIO contents, ready for the response. */ (void)BIO_reset(bio); response = read_response(sd, bio, c, p); apr_socket_close(sd); BIO_free(bio); return response; }
void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, conn_rec *c, X509 *cert, const char *fmt, ...) { if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) { va_list ap; va_start(ap, fmt); ssl_log_cert_error(file, line, level, rv, NULL, c, NULL, c->pool, cert, fmt, ap); va_end(ap); } }
/* Read the OCSP response from the socket 'sd', using temporary memory * BIO 'bio', and return the decoded OCSP response object, or NULL on * error. */ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c, apr_pool_t *p) { apr_bucket_brigade *bb, *tmpbb; OCSP_RESPONSE *response; char *line; apr_size_t count; apr_int64_t code; /* Using brigades for response parsing is much simpler than using * apr_socket_* directly. */ bb = apr_brigade_create(p, c->bucket_alloc); tmpbb = apr_brigade_create(p, c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_socket_create(sd, c->bucket_alloc)); line = get_line(tmpbb, bb, c, p); if (!line || strncmp(line, "HTTP/", 5) || (line = ap_strchr(line, ' ')) == NULL || (code = apr_atoi64(++line)) < 200 || code > 299) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01980) "bad response from OCSP server: %s", line ? line : "(none)"); return NULL; } /* Read till end of headers; don't have to even bother parsing the * Content-Length since the server is obliged to close the * connection after the response anyway for HTTP/1.0. */ count = 0; while ((line = get_line(tmpbb, bb, c, p)) != NULL && line[0] && ++count < MAX_HEADERS) { ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01981) "OCSP response header: %s", line); } if (count == MAX_HEADERS) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01982) "could not read response headers from OCSP server, " "exceeded maximum count (%u)", MAX_HEADERS); return NULL; } else if (!line) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01983) "could not read response header from OCSP server"); return NULL; } /* Read the response body into the memory BIO. */ count = 0; while (!APR_BRIGADE_EMPTY(bb)) { const char *data; apr_size_t len; apr_status_t rv; apr_bucket *e = APR_BRIGADE_FIRST(bb); rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ); if (rv == APR_EOF) { ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984) "OCSP response: got EOF"); break; } if (rv != APR_SUCCESS) { ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01985) "error reading response from OCSP server"); return NULL; } if (len == 0) { /* Ignore zero-length buckets (possible side-effect of * line splitting). */ apr_bucket_delete(e); continue; } count += len; if (count > MAX_CONTENT) { ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01986) "OCSP response size exceeds %u byte limit", MAX_CONTENT); return NULL; } ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01987) "OCSP response: got %" APR_SIZE_T_FMT " bytes, %" APR_SIZE_T_FMT " total", len, count); BIO_write(bio, data, (int)len); apr_bucket_delete(e); } apr_brigade_destroy(bb); apr_brigade_destroy(tmpbb); /* Finally decode the OCSP response from what's stored in the * bio. */ response = d2i_OCSP_RESPONSE_bio(bio, NULL); if (response == NULL) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01988) "failed to decode OCSP response data"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c)); } return response; }