Changeset 2246a84 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Apr 21, 2018, 3:51:51 PM (3 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
7921dc7
Parents:
fa6d0bb
Message:

Make automatic OCSP cache updates and fuzz time configurable

File:
1 edited

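--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -86,4 +86,21 @@
     else
         sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+
+    return NULL;
+}
+
+
+
+const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
+                                      void *dummy __attribute__((unused)),
+                                      const int arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
+    else
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_FALSE;
 
     return NULL;
@@ -929,11 +946,11 @@
 
 
-/** The maximum random fuzz interval that will not overflow. The
- * permitted values are limited to whatever will not make an
- * `apr_interval_time_t` variable overflow when multiplied with
- * `APR_UINT16_MAX`. With apr_interval_time_t being a 64 bit signed
- * integer the maximum fuzz interval is about 4.5 years, which should
- * be more than plenty. */
-#define MAX_FUZZ_TIME (APR_INT64_MAX / APR_UINT16_MAX)
+/** The maximum random fuzz base (half the maximum fuzz) that will not
+ * overflow. The permitted values are limited to whatever will not
+ * make an `apr_interval_time_t` variable overflow when multiplied
+ * with `APR_UINT16_MAX`. With apr_interval_time_t being a 64 bit
+ * signed integer the maximum fuzz interval is about 4.5 years, which
+ * should be more than plenty. */
+#define MAX_FUZZ_BASE (APR_INT64_MAX / APR_UINT16_MAX)
 
 /**
@@ -972,11 +989,4 @@
     apr_status_t rv = mgs_cache_ocsp_response(server, &expiry);
 
-    /* TODO: Make maximum fuzz time configurable and compare to
-     * allowed maximum during config */
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
-                 "%s: Maximum fuzz time without overflow: %" APR_INT64_T_FMT
-                 " seconds",
-                 __func__, apr_time_sec(MAX_FUZZ_TIME));
-
     apr_interval_time_t next_interval;
     if (rv != APR_SUCCESS)
@@ -998,10 +1008,8 @@
         }
 
-        /* Base fuzz is half the maximum (sc->ocsp_cache_time / 8 at
-         * the moment). The actual fuzz is between the maximum and
-         * half that. */
-        apr_interval_time_t base_fuzz = sc->ocsp_cache_time / 16;
-        apr_interval_time_t fuzz =
-            base_fuzz + base_fuzz * random_bytes / APR_UINT16_MAX;
+        /* Choose the fuzz interval for the next update between
+         * `sc->ocsp_fuzz_time` and twice that. */
+        apr_interval_time_t fuzz = sc->ocsp_fuzz_time
+            + (sc->ocsp_fuzz_time * random_bytes / APR_UINT16_MAX);
 
         /* With an extremly short timeout or weird nextUpdate value
@@ -1096,4 +1104,6 @@
 
     /* set default values for unset parameters */
+    if (sc->ocsp_auto_refresh == GNUTLS_ENABLED_UNSET)
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
     if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
         sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
@@ -1104,4 +1114,28 @@
     if (sc->ocsp_socket_timeout == MGS_TIMEOUT_UNSET)
         sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
+    /* Base fuzz is half the configured maximum, the actual fuzz is
+     * between the maximum and half that. The default maximum is
+     * sc->ocsp_cache_time / 8, or twice the failure timeout,
+     * whichever is larger (so the default guarantees at least one
+     * retry before the cache entry expires).*/
+    if (sc->ocsp_fuzz_time == MGS_TIMEOUT_UNSET)
+    {
+        sc->ocsp_fuzz_time = sc->ocsp_cache_time / 16;
+        if (sc->ocsp_fuzz_time < sc->ocsp_failure_timeout)
+            sc->ocsp_fuzz_time = sc->ocsp_failure_timeout;
+    }
+    else
+        sc->ocsp_fuzz_time = sc->ocsp_fuzz_time / 2;
+
+    /* This really shouldn't happen considering MAX_FUZZ_BASE is about
+     * 4.5 years, but better safe than sorry. */
+    if (sc->ocsp_fuzz_time > MAX_FUZZ_BASE)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server,
+                     "%s: Maximum fuzz time is too large, maximum "
+                     "supported value is %" APR_INT64_T_FMT " seconds",
+                     __func__, apr_time_sec(MAX_FUZZ_BASE) * 2);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
@@ -1150,5 +1184,6 @@
     /* The watchdog structure may be NULL if mod_watchdog is
      * unavailable. */
-    if (sc->singleton_wd != NULL)
+    if (sc->singleton_wd != NULL
+        && sc->ocsp_auto_refresh == GNUTLS_ENABLED_TRUE)
     {
         apr_status_t rv =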
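Review bot: The range check on the fuzz base at new lines 1132-1139 only rejects values above `MAX_FUZZ_BASE`; nothing rejects a zero or negative `sc->ocsp_fuzz_time`, so if the directive's setter (not part of this changeset) admits such a value it keeps its sign through `sc->ocsp_fuzz_time / 2` and the interval computed at lines 1012-1013 becomes zero or negative, removing the jitter the refresh schedule relies on. I would widen the guard to `if (sc->ocsp_fuzz_time <= 0 || sc->ocsp_fuzz_time > MAX_FUZZ_BASE)` and word the startup log message to name both bounds. The default branch at 1121-1126 is only sound if `sc->ocsp_cache_time` and `sc->ocsp_failure_timeout` have already received their defaults earlier in the same function, which the two lines of context do not show, so that ordering is worth confirming. The enclosing post-config function starts and ends outside this hunk.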