Changeset 2246a84 in mod_gnutls for src/gnutls_ocsp.c
- Timestamp:
- Apr 21, 2018, 3:51:51 PM (3 years ago)
- Branches:
- asyncio, debian/master, master, proxy-ticket
- Children:
- 7921dc7
- Parents:
- fa6d0bb
- File:
-
- 1 edited
src/gnutls_ocsp.c
rfa6d0bb r2246a84 86 86 else 87 87 sc->ocsp_staple = GNUTLS_ENABLED_FALSE; 88 89 return NULL; 90 } 91 92 93 94 const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms, 95 void *dummy __attribute__((unused)), 96 const int arg) 97 { 98 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 99 ap_get_module_config(parms->server->module_config, &gnutls_module); 100 101 if (arg) 102 sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE; 103 else 104 sc->ocsp_auto_refresh = GNUTLS_ENABLED_FALSE; 88 105 89 106 return NULL; … … 929 946 930 947 931 /** The maximum random fuzz interval that will not overflow. The932 * permitted values are limited to whatever will not make an933 * `apr_interval_time_t` variable overflow when multiplied with934 * `APR_UINT16_MAX`. With apr_interval_time_t being a 64 bit signed935 * integer the maximum fuzz interval is about 4.5 years, which should936 * be more than plenty. */937 #define MAX_FUZZ_ TIME (APR_INT64_MAX / APR_UINT16_MAX)948 /** The maximum random fuzz base (half the maximum fuzz) that will not 949 * overflow. The permitted values are limited to whatever will not 950 * make an `apr_interval_time_t` variable overflow when multiplied 951 * with `APR_UINT16_MAX`. With apr_interval_time_t being a 64 bit 952 * signed integer the maximum fuzz interval is about 4.5 years, which 953 * should be more than plenty. */ 954 #define MAX_FUZZ_BASE (APR_INT64_MAX / APR_UINT16_MAX) 938 955 939 956 /** … … 972 989 apr_status_t rv = mgs_cache_ocsp_response(server, &expiry); 973 990 974 /* TODO: Make maximum fuzz time configurable and compare to975 * allowed maximum during config */976 ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,977 "%s: Maximum fuzz time without overflow: %" APR_INT64_T_FMT978 " seconds",979 __func__, apr_time_sec(MAX_FUZZ_TIME));980 981 991 apr_interval_time_t next_interval; 982 992 if (rv != APR_SUCCESS) … … 998 1008 } 999 1009 1000 /* Base fuzz is half the maximum (sc->ocsp_cache_time / 8 at 1001 * the moment). 
The actual fuzz is between the maximum and 1002 * half that. */ 1003 apr_interval_time_t base_fuzz = sc->ocsp_cache_time / 16; 1004 apr_interval_time_t fuzz = 1005 base_fuzz + base_fuzz * random_bytes / APR_UINT16_MAX; 1010 /* Choose the fuzz interval for the next update between 1011 * `sc->ocsp_fuzz_time` and twice that. */ 1012 apr_interval_time_t fuzz = sc->ocsp_fuzz_time 1013 + (sc->ocsp_fuzz_time * random_bytes / APR_UINT16_MAX); 1006 1014 1007 1015 /* With an extremly short timeout or weird nextUpdate value … … 1096 1104 1097 1105 /* set default values for unset parameters */ 1106 if (sc->ocsp_auto_refresh == GNUTLS_ENABLED_UNSET) 1107 sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE; 1098 1108 if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET) 1099 1109 sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE; … … 1104 1114 if (sc->ocsp_socket_timeout == MGS_TIMEOUT_UNSET) 1105 1115 sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT); 1116 /* Base fuzz is half the configured maximum, the actual fuzz is 1117 * between the maximum and half that. The default maximum is 1118 * sc->ocsp_cache_time / 8, or twice the failure timeout, 1119 * whichever is larger (so the default guarantees at least one 1120 * retry before the cache entry expires).*/ 1121 if (sc->ocsp_fuzz_time == MGS_TIMEOUT_UNSET) 1122 { 1123 sc->ocsp_fuzz_time = sc->ocsp_cache_time / 16; 1124 if (sc->ocsp_fuzz_time < sc->ocsp_failure_timeout) 1125 sc->ocsp_fuzz_time = sc->ocsp_failure_timeout; 1126 } 1127 else 1128 sc->ocsp_fuzz_time = sc->ocsp_fuzz_time / 2; 1129 1130 /* This really shouldn't happen considering MAX_FUZZ_BASE is about 1131 * 4.5 years, but better safe than sorry. 
*/ 1132 if (sc->ocsp_fuzz_time > MAX_FUZZ_BASE) 1133 { 1134 ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server, 1135 "%s: Maximum fuzz time is too large, maximum " 1136 "supported value is %" APR_INT64_T_FMT " seconds", 1137 __func__, apr_time_sec(MAX_FUZZ_BASE) * 2); 1138 return HTTP_INTERNAL_SERVER_ERROR; 1139 } 1106 1140 1107 1141 sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data)); … … 1150 1184 /* The watchdog structure may be NULL if mod_watchdog is 1151 1185 * unavailable. */ 1152 if (sc->singleton_wd != NULL) 1186 if (sc->singleton_wd != NULL 1187 && sc->ocsp_auto_refresh == GNUTLS_ENABLED_TRUE) 1153 1188 { 1154 1189 apr_status_t rv =
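Review bot: In the default-values hunk, only the `MGS_TIMEOUT_UNSET` branch raises `sc->ocsp_fuzz_time` to at least `sc->ocsp_failure_timeout`; the `else` branch only halves the configured value. A configured fuzz time below twice the failure timeout therefore silently drops the "at least one retry before the cache entry expires" property that the new comment promises for the default. For stapling this presumably means one failed refresh can leave the server holding an expired OCSP response until the next attempt succeeds. I would warn at startup in the `else` branch, e.g. `if (sc->ocsp_fuzz_time < sc->ocsp_failure_timeout) ap_log_error(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, server, "%s: fuzz time is less than twice the failure timeout", __func__);`. The new `MAX_FUZZ_BASE` check is only an upper bound, so it is worth confirming that the directive parser rejects zero or negative values. The enclosing function starts and ends outside the hunk, so later handling of short intervals is not visible here.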