Changeset 366d1a1 in mod_gnutls

Timestamp:

Jun 5, 2016, 3:42:32 PM (3 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, master, upstream

Children:

eb63377

Parents:

08817d0

git-author:

Thomas Klute <thomas2.klute@…> (06/05/16 14:29:29)

git-committer:

Thomas Klute <thomas2.klute@…> (06/05/16 15:42:32)

Message:

Use nextUpdate field of OCSP response to set cache lifetime

File:

• src/gnutls_ocsp.c (modified) (7 diffs)

src/gnutls_ocsp.c

@@ -80 +80 @@
  *
  * Supports only one certificate status per response.
+ *
+ * If expiry is not NULL, it will be set to the nextUpdate time
+ * contained in the response, or zero the response does not contain a
+ * nextUpdate field.
  */
-int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response)
+int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response,
+                        apr_time_t* expiry)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
@@ -178 +183 @@
 
     if (next_update == (time_t) -1)
+    {
         ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
                      "OSCP response does not contain nextUpdate info.");
+        if (expiry != NULL)
+            *expiry = 0;
+    }
     else
     {
         apr_time_t valid_to;
         apr_time_ansi_put(&valid_to, next_update);
+        if (expiry != NULL)
+            *expiry = valid_to;
         if (now > valid_to)
         {
@@ -256 +267 @@
     apr_pool_t *tmp;
     apr_status_t rv = apr_pool_create(&tmp, NULL);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "could not create temporary pool for %s",
+                     __func__);
+        return rv;
+    }
 
     /* the fingerprint will be used as cache key */
@@ -299 +317 @@
     }
 
-    if (check_ocsp_response(s, &resp) != GNUTLS_E_SUCCESS)
+    apr_time_t expiry;
+    if (check_ocsp_response(s, &resp, &expiry) != GNUTLS_E_SUCCESS)
     {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,
@@ -307 +326 @@
         return APR_EGENERAL;
     }
-
-    /* TODO: make cache lifetime configurable, make sure expiration
-     * happens without storing new data */
-    int r = dbm_cache_store(s, fingerprint,
-                            resp, apr_time_now() + apr_time_from_sec(120));
+    /* if expiry is zero, the response does not contain a nextUpdate
+     * field */
+    /* TODO: If a refresh time is configured, use it as timeout. With
+     * the current code the response will expire at next cache
+     * expiration check. */
+    if (expiry == 0)
+        expiry = apr_time_now();
+
+    /* TODO: configurable refresh independent of expiration */
+    int r = dbm_cache_store(s, fingerprint, resp, expiry);
     /* destroy pool, and original copy of the OCSP response with it */
     apr_pool_destroy(tmp);
@@ -346 +370 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response)
+        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;
@@ -375 +399 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response)
+        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;