Changeset 5559aa6 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Jun 10, 2016, 7:39:34 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
6b89353
Parents:
11e6205
Message:

Rely on cache for OCSP response expiration

With fixed DBM cache expiry, memcache support, and OCSP grace time we
should be able to rely on cache expiration instead of parsing the DER
response on every session start just to get the expiration time.

File:
1 edited

  • src/gnutls_ocsp.c

    r11e6205 r5559aa6  
    7676
    7777/**
    78  * Check if the time specified in the nextUpdate field (if any) of the
    79  * given OCSP response has passed. Returns GNUTLS_E_SUCCESS if it has
    80  * not (so the response is still valid), or there is no such field.
    81  *
    82  * Note that this function does not do a signature check, it is meant
    83  * to operate on cached responses that have been verified before.
    84  */
    85 static int check_ocsp_response_expiry(mgs_handle_t *ctxt,
    86                                       const gnutls_datum_t *ocsp_response)
    87 {
    88     gnutls_ocsp_resp_t resp;
    89     int ret = gnutls_ocsp_resp_init(&resp);
    90     if (ret != GNUTLS_E_SUCCESS)
    91     {
    92         ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
    93                       "Could not initialize OCSP response structure: "
    94                       "%s (%d)", gnutls_strerror(ret), ret);
    95         goto resp_cleanup;
    96     }
    97     ret = gnutls_ocsp_resp_import(resp, ocsp_response);
    98     if (ret != GNUTLS_E_SUCCESS)
    99     {
    100         ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
    101                       "Importing OCSP response failed: %s (%d)",
    102                       gnutls_strerror(ret), ret);
    103         goto resp_cleanup;
    104     }
    105     time_t next_update;
    106     ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, NULL,
    107                                       NULL, &next_update, NULL, NULL);
    108     if (ret != GNUTLS_E_SUCCESS)
    109     {
    110         ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
    111                       "Could not get OCSP response data: %s (%d)",
    112                       gnutls_strerror(ret), ret);
    113         goto resp_cleanup;
    114     }
    115 
    116     if (next_update == (time_t) -1)
    117     {
    118         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
    119                       "OSCP response does not contain nextUpdate info.");
    120     }
    121     else
    122     {
    123         apr_time_t now = apr_time_now();
    124         apr_time_t valid_to;
    125         apr_time_ansi_put(&valid_to, next_update);
    126         if (now > valid_to)
    127         {
    128             char date_str[APR_RFC822_DATE_LEN];
    129             apr_rfc822_date(date_str, valid_to);
    130             ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
    131                           "OCSP response has expired at %s.", date_str);
    132             ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
    133             goto resp_cleanup;
    134         }
    135     }
    136  resp_cleanup:
    137     gnutls_ocsp_resp_deinit(resp);
    138     return ret;
    139 }
    140 
    141 
    142 
    143 /**
    14478 * Check if the provided OCSP response is usable for stapling in
    14579 * connections to this server. Returns GNUTLS_E_SUCCESS if yes.
     
    14882 *
    14983 * If expiry is not NULL, it will be set to the nextUpdate time
    150  * contained in the response, or zero the response does not contain a
    151  * nextUpdate field.
     84 * contained in the response, or zero if the response does not contain
     85 * a nextUpdate field.
    15286 */
    15387int check_ocsp_response(server_rec *s, const gnutls_datum_t *ocsp_response,
     
    319253
    320254
    321 /* TODO: response should be fetched from sc->ocsp_uri */
     255/* TODO: fetch response from sc->ocsp_uri */
    322256apr_status_t mgs_cache_ocsp_response(server_rec *s)
    323257{
     
    439373    else
    440374    {
    441         if (check_ocsp_response_expiry(ctxt, ocsp_response)
    442             == GNUTLS_E_SUCCESS)
    443             return GNUTLS_E_SUCCESS;
     375        return GNUTLS_E_SUCCESS;
    444376    }
    445377    /* get rid of invalid response (if any) */
     
    461393         * Apache Mutex directive. */
    462394        *ocsp_response = ctxt->sc->cache->fetch(ctxt, fingerprint);
    463         if (ocsp_response->size > 0
    464             && check_ocsp_response_expiry(ctxt, ocsp_response)
    465             == GNUTLS_E_SUCCESS)
     395        if (ocsp_response->size > 0)
    466396        {
    467397            /* Got a valid response now, unlock mutex and return. */
     
    495425    else
    496426    {
    497         /* Succeed if response is present and valid. */
    498         if (check_ocsp_response_expiry(ctxt, ocsp_response)
    499             == GNUTLS_E_SUCCESS)
    500             return GNUTLS_E_SUCCESS;
     427        return GNUTLS_E_SUCCESS;
    501428    }
    502429
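Review bot: With check_ocsp_response_expiry dropped at new lines 373–376 and 425–428, a cached response is stapled on the strength of `ocsp_response->size > 0` alone, so the cache backend's expiry handling is now the only thing stopping a response past its nextUpdate from being stapled; a backend that ignores or coarsens entry TTLs, or a shared cache populated by a host with a skewed clock, would presumably hand out stale responses that strict clients reject. The commit message says the DBM expiry fix, memcache support and grace time make this safe, but nothing in the hunk records that dependency, and the `expiry` out-parameter of check_ocsp_response is only described here, not shown setting the entry lifetime. I would put above each remaining `return GNUTLS_E_SUCCESS;` a comment such as `/* No expiry check here: the cache entry's lifetime, set from the response's nextUpdate plus the grace period when it was stored, is the only bound on how long this response is stapled. */` so the next change to the cache code knows this invariant is load-bearing. The enclosing function starts and ends outside the hunk.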