Changeset 366d1a1 in mod_gnutls
- Timestamp:
- Jun 5, 2016, 3:42:32 PM (6 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- eb63377
- Parents:
- 08817d0
- git-author:
- Thomas Klute <thomas2.klute@…> (06/05/16 14:29:29)
- git-committer:
- Thomas Klute <thomas2.klute@…> (06/05/16 15:42:32)
- File:
-
- 1 edited
src/gnutls_ocsp.c
r08817d0 r366d1a1 80 80 * 81 81 * Supports only one certificate status per response. 82 * 83 * If expiry is not NULL, it will be set to the nextUpdate time 84 * contained in the response, or zero the response does not contain a 85 * nextUpdate field. 82 86 */ 83 int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response) 87 int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response, 88 apr_time_t* expiry) 84 89 { 85 90 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) … … 178 183 179 184 if (next_update == (time_t) -1) 185 { 180 186 ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s, 181 187 "OSCP response does not contain nextUpdate info."); 188 if (expiry != NULL) 189 *expiry = 0; 190 } 182 191 else 183 192 { 184 193 apr_time_t valid_to; 185 194 apr_time_ansi_put(&valid_to, next_update); 195 if (expiry != NULL) 196 *expiry = valid_to; 186 197 if (now > valid_to) 187 198 { … … 256 267 apr_pool_t *tmp; 257 268 apr_status_t rv = apr_pool_create(&tmp, NULL); 269 if (rv != APR_SUCCESS) 270 { 271 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, 272 "could not create temporary pool for %s", 273 __func__); 274 return rv; 275 } 258 276 259 277 /* the fingerprint will be used as cache key */ … … 299 317 } 300 318 301 if (check_ocsp_response(s, &resp) != GNUTLS_E_SUCCESS) 319 apr_time_t expiry; 320 if (check_ocsp_response(s, &resp, &expiry) != GNUTLS_E_SUCCESS) 302 321 { 303 322 ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s, … … 307 326 return APR_EGENERAL; 308 327 } 309 310 /* TODO: make cache lifetime configurable, make sure expiration 311 * happens without storing new data */ 312 int r = dbm_cache_store(s, fingerprint, 313 resp, apr_time_now() + apr_time_from_sec(120)); 328 /* if expiry is zero, the response does not contain a nextUpdate 329 * field */ 330 /* TODO: If a refresh time is configured, use it as timeout. With 331 * the current code the response will expire at next cache 332 * expiration check. 
*/ 333 if (expiry == 0) 334 expiry = apr_time_now(); 335 336 /* TODO: configurable refresh independent of expiration */ 337 int r = dbm_cache_store(s, fingerprint, resp, expiry); 314 338 /* destroy pool, and original copy of the OCSP response with it */ 315 339 apr_pool_destroy(tmp); … … 346 370 { 347 371 /* Succeed if response is present and valid. */ 348 if (check_ocsp_response(ctxt->c->base_server, ocsp_response )372 if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL) 349 373 == GNUTLS_E_SUCCESS) 350 374 return GNUTLS_E_SUCCESS; … … 375 399 { 376 400 /* Succeed if response is present and valid. */ 377 if (check_ocsp_response(ctxt->c->base_server, ocsp_response )401 if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL) 378 402 == GNUTLS_E_SUCCESS) 379 403 return GNUTLS_E_SUCCESS;
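Review bot: `apr_time_t expiry;` at new line 319 is passed uninitialized into check_ocsp_response(), and the only assignments visible in this hunk are the two in the nextUpdate branches at new lines 188-189 and 195-196; if any GNUTLS_E_SUCCESS path in the part of check_ocsp_response() that lies outside the hunk (new lines 90-183) returns before that point, dbm_cache_store() at new line 337 would receive an arbitrary expiry, and an indeterminate value far in the future would keep a stale response in the cache. Initializing the local, `apr_time_t expiry = 0;`, makes the existing `if (expiry == 0)` fallback at new line 333 cover that case as well; the caller's enclosing function starts before the hunk. The added header comment at new line 84 reads "or zero the response does not contain a nextUpdate field" and is missing a word: `or zero if the response does not contain a nextUpdate field.` Finally, the new parameter is written `apr_time_t* expiry` at new line 88 while the neighbouring parameters bind the `*` to the name (`server_rec *s`); `apr_time_t *expiry` would match the file's style.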