Changeset 366d1a1 in mod_gnutls


Timestamp:
Jun 5, 2016, 3:42:32 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
eb63377
Parents:
08817d0
git-author:
Thomas Klute <thomas2.klute@…> (06/05/16 14:29:29)
git-committer:
Thomas Klute <thomas2.klute@…> (06/05/16 15:42:32)
Message:

Use nextUpdate field of OCSP response to set cache lifetime

File:
1 edited

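--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -80,6 +80,11 @@
  *
  * Supports only one certificate status per response.
+ *
+ * If expiry is not NULL, it will be set to the nextUpdate time
+ * contained in the response, or zero the response does not contain a
+ * nextUpdate field.
  */
-int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response)
+int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response,
+                        apr_time_t* expiry)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
@@ -178,10 +183,16 @@
 
     if (next_update == (time_t) -1)
+    {
         ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
                      "OSCP response does not contain nextUpdate info.");
+        if (expiry != NULL)
+            *expiry = 0;
+    }
     else
     {
         apr_time_t valid_to;
         apr_time_ansi_put(&valid_to, next_update);
+        if (expiry != NULL)
+            *expiry = valid_to;
         if (now > valid_to)
         {
@@ -256,4 +267,11 @@
     apr_pool_t *tmp;
     apr_status_t rv = apr_pool_create(&tmp, NULL);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "could not create temporary pool for %s",
+                     __func__);
+        return rv;
+    }
 
     /* the fingerprint will be used as cache key */
@@ -299,5 +317,6 @@
     }
 
-    if (check_ocsp_response(s, &resp) != GNUTLS_E_SUCCESS)
+    apr_time_t expiry;
+    if (check_ocsp_response(s, &resp, &expiry) != GNUTLS_E_SUCCESS)
     {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,
@@ -307,9 +326,14 @@
         return APR_EGENERAL;
     }
-
-    /* TODO: make cache lifetime configurable, make sure expiration
-     * happens without storing new data */
-    int r = dbm_cache_store(s, fingerprint,
-                            resp, apr_time_now() + apr_time_from_sec(120));
+    /* if expiry is zero, the response does not contain a nextUpdate
+     * field */
+    /* TODO: If a refresh time is configured, use it as timeout. With
+     * the current code the response will expire at next cache
+     * expiration check. */
+    if (expiry == 0)
+        expiry = apr_time_now();
+
+    /* TODO: configurable refresh independent of expiration */
+    int r = dbm_cache_store(s, fingerprint, resp, expiry);
     /* destroy pool, and original copy of the OCSP response with it */
     apr_pool_destroy(tmp);
@@ -346,5 +370,5 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response)
+        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;
@@ -375,5 +399,5 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response)
+        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;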
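Review bot: The new `apr_time_t expiry;` before the check_ocsp_response call in the cache-update path is declared without an initialiser, while check_ocsp_response only writes `*expiry` in the two nextUpdate branches around new lines 185–196, roughly a hundred lines into a function whose beginning and end lie outside the shown hunks; if any path in that unseen stretch returns GNUTLS_E_SUCCESS without reaching those branches, dbm_cache_store would receive an indeterminate expiry and the `expiry == 0` fallback would not catch it. Writing `apr_time_t expiry = 0;` at the caller (or assigning `*expiry = 0` at the top of check_ocsp_response when the pointer is non-NULL) makes the existing zero-means-no-nextUpdate convention hold on every success path. The added header comment also drops a word: "or zero the response does not contain a nextUpdate field" should read "or zero if the response does not contain a nextUpdate field". Since the cache lifetime is now taken directly from the responder-supplied nextUpdate, it may be worth clamping it to a configured maximum so a far-future value cannot keep one response cached indefinitely; the TODO at new line 336 about a configurable refresh seems to point in that direction.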