- Timestamp:
- Jun 10, 2016, 7:39:34 PM (6 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- 6b89353
- Parents:
- 11e6205
- File:
-
- 1 edited
src/gnutls_ocsp.c
r11e6205 r5559aa6 76 76 77 77 /** 78 * Check if the time specified in the nextUpdate field (if any) of the79 * given OCSP response has passed. Returns GNUTLS_E_SUCCESS if it has80 * not (so the response is still valid), or there is no such field.81 *82 * Note that this function does not do a signature check, it is meant83 * to operate on cached responses that have been verified before.84 */85 static int check_ocsp_response_expiry(mgs_handle_t *ctxt,86 const gnutls_datum_t *ocsp_response)87 {88 gnutls_ocsp_resp_t resp;89 int ret = gnutls_ocsp_resp_init(&resp);90 if (ret != GNUTLS_E_SUCCESS)91 {92 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,93 "Could not initialize OCSP response structure: "94 "%s (%d)", gnutls_strerror(ret), ret);95 goto resp_cleanup;96 }97 ret = gnutls_ocsp_resp_import(resp, ocsp_response);98 if (ret != GNUTLS_E_SUCCESS)99 {100 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,101 "Importing OCSP response failed: %s (%d)",102 gnutls_strerror(ret), ret);103 goto resp_cleanup;104 }105 time_t next_update;106 ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, NULL,107 NULL, &next_update, NULL, NULL);108 if (ret != GNUTLS_E_SUCCESS)109 {110 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,111 "Could not get OCSP response data: %s (%d)",112 gnutls_strerror(ret), ret);113 goto resp_cleanup;114 }115 116 if (next_update == (time_t) -1)117 {118 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,119 "OSCP response does not contain nextUpdate info.");120 }121 else122 {123 apr_time_t now = apr_time_now();124 apr_time_t valid_to;125 apr_time_ansi_put(&valid_to, next_update);126 if (now > valid_to)127 {128 char date_str[APR_RFC822_DATE_LEN];129 apr_rfc822_date(date_str, valid_to);130 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,131 "OCSP response has expired at %s.", date_str);132 ret = GNUTLS_E_OCSP_RESPONSE_ERROR;133 goto resp_cleanup;134 }135 }136 resp_cleanup:137 
gnutls_ocsp_resp_deinit(resp);138 return ret;139 }140 141 142 143 /**144 78 * Check if the provided OCSP response is usable for stapling in 145 79 * connections to this server. Returns GNUTLS_E_SUCCESS if yes. … … 148 82 * 149 83 * If expiry is not NULL, it will be set to the nextUpdate time 150 * contained in the response, or zero the response does not contain a151 * nextUpdate field.84 * contained in the response, or zero if the response does not contain 85 * a nextUpdate field. 152 86 */ 153 87 int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response, … … 319 253 320 254 321 /* TODO: response should be fetchedfrom sc->ocsp_uri */255 /* TODO: fetch response from sc->ocsp_uri */ 322 256 apr_status_t mgs_cache_ocsp_response(server_rec *s) 323 257 { … … 439 373 else 440 374 { 441 if (check_ocsp_response_expiry(ctxt, ocsp_response) 442 == GNUTLS_E_SUCCESS) 443 return GNUTLS_E_SUCCESS; 375 return GNUTLS_E_SUCCESS; 444 376 } 445 377 /* get rid of invalid response (if any) */ … … 461 393 * Apache Mutex directive. */ 462 394 *ocsp_response = ctxt->sc->cache->fetch(ctxt, fingerprint); 463 if (ocsp_response->size > 0 464 && check_ocsp_response_expiry(ctxt, ocsp_response) 465 == GNUTLS_E_SUCCESS) 395 if (ocsp_response->size > 0) 466 396 { 467 397 /* Got a valid response now, unlock mutex and return. */ … … 495 425 else 496 426 { 497 /* Succeed if response is present and valid. */ 498 if (check_ocsp_response_expiry(ctxt, ocsp_response) 499 == GNUTLS_E_SUCCESS) 500 return GNUTLS_E_SUCCESS; 427 return GNUTLS_E_SUCCESS; 501 428 } 502 429
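Review bot: Replacing the `check_ocsp_response_expiry` calls with an unconditional `return GNUTLS_E_SUCCESS;` (new lines 375 and 427) and the bare `if (ocsp_response->size > 0)` at 395 means a cached response is now stapled without any check that its nextUpdate time has passed, so validity rests entirely on the cache dropping the entry at the nextUpdate value that `check_ocsp_response` reports through `expiry`. That cache contract is not visible in this changeset, and the comment at 84-85 says `expiry` is zero when the response carries no nextUpdate, so how the cache treats a zero expiry decides whether such a response could be served indefinitely — worth confirming before relying on it. I would record the new assumption at each return site, e.g. `/* Cached entries are trusted as-is: the cache is expected to expire them at nextUpdate (see check_ocsp_response). */`. The enclosing functions start and end outside the hunks shown.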