Changeset 368e581 in mod_gnutls


Ignore:
Timestamp:
Jun 5, 2016, 3:42:32 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
08817d0
Parents:
4bf4ce2
git-author:
Thomas Klute <thomas2.klute@…> (06/05/16 09:53:50)
git-committer:
Thomas Klute <thomas2.klute@…> (06/05/16 15:42:32)
Message:

Update OCSP response cache only if response is missing or invalid

"Invalid" includes expiration, so responses that contain a nextUpdate
field will be updated after that time has passed even if their cache
lifetime has not yet expired, or cache objects haven't been expired
since.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_ocsp.c

    r4bf4ce2 r368e581  
    295295    }
    296296
    297     /* TODO: make cache lifetime configurable */
     297    /* TODO: make cache lifetime configurable, make sure expiration
     298     * happens without storing new data */
    298299    int r = dbm_cache_store(s, fingerprint,
    299300                            resp, apr_time_now() + apr_time_from_sec(120));
     
    317318    mgs_handle_t *ctxt = (mgs_handle_t *) ptr;
    318319
    319     apr_status_t rv = mgs_cache_ocsp_response(ctxt->c->base_server);
    320     if (rv != APR_SUCCESS)
    321     {
    322         ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctxt->c,
    323                       "Updating OCSP response cache failed");
    324         return GNUTLS_E_NO_CERTIFICATE_STATUS;
    325     }
    326 
    327320    gnutls_datum_t fingerprint =
    328321        mgs_get_cert_fingerprint(ctxt->c->pool,
     
    343336            return GNUTLS_E_SUCCESS;
    344337    }
     338    /* get rid of invalid response (if any) */
     339    gnutls_free(ocsp_response->data);
     340
     341    /* If the cache had no response or an invalid one, try to update. */
     342    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
     343                  "No valid OCSP response in cache, trying to update.");
     344    apr_status_t rv = mgs_cache_ocsp_response(ctxt->c->base_server);
     345    if (rv != APR_SUCCESS)
     346    {
     347        ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctxt->c,
     348                      "Updating OCSP response cache failed");
     349        goto fail_cleanup;
     350    }
     351
     352    /* retry reading from cache */
     353    *ocsp_response = dbm_cache_fetch(ctxt, fingerprint);
     354    if (ocsp_response->size == 0)
     355    {
     356        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
     357                      "Fetching OCSP response from cache failed on retry.");
     358    }
     359    else
     360    {
     361        /* Succeed if response is present and valid. */
     362        if (check_ocsp_response(ctxt, ocsp_response) == GNUTLS_E_SUCCESS)
     363            return GNUTLS_E_SUCCESS;
     364    }
    345365
    346366    /* failure, clean up response data */
     367 fail_cleanup:
    347368    gnutls_free(ocsp_response->data);
    348369    ocsp_response->size = 0;
Note: See TracChangeset for help on using the changeset viewer.