Changeset c39ae1a in mod_gnutls


Timestamp:
Oct 30, 2016, 5:43:03 PM (14 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
3475e62
Parents:
0cd8f3d
Message:

Initialize OCSP timeouts with an "unset" value

The configuration merge function used the default timeout to check if
an OCSP related timeout has been set in a virtual host
configuration. This would work most of the time, but break in the
corner case of the global configuration setting a non-default timeout
and a virtual host configuration restoring the default. In this
situation the merge would handle the value from the virtual host
configuration as unset and copy the global timeout.

The problem is solved by initializing the timeouts using the new macro
MGS_TIMEOUT_UNSET. Timeouts as used in the mod_gnutls configuration
cannot be negative, so there is ample room for explicitly unset
values. MGS_TIMEOUT_UNSET is also used for the session cache timeout
instead of hard coded -1.

Location:
src
Files:
1 added
4 edited

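--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,5 +10,5 @@
 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
-noinst_HEADERS = gnutls_cache.h gnutls_ocsp.h gnutls_util.h
+noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h gnutls_util.h
 
 apmodpkglib_LTLIBRARIES = mod_gnutls.la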
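--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -45,4 +45,5 @@
 #include "gnutls_cache.h"
 #include "mod_gnutls.h"
+#include "gnutls_config.h"
 
 #if HAVE_APR_MEMCACHE
@@ -695,5 +696,5 @@
         sc->cache_type = mgs_cache_none;
     /* if GnuTLSCacheTimeout was never explicitly set: */
-    if (sc->cache_timeout == -1)
+    if (sc->cache_timeout == MGS_TIMEOUT_UNSET)
         sc->cache_timeout = apr_time_from_sec(MGS_DEFAULT_CACHE_TIMEOUT);
 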
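--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -19,4 +19,5 @@
  */
 
+#include "gnutls_config.h"
 #include "mod_gnutls.h"
 #include "gnutls_ocsp.h"
@@ -852,4 +853,5 @@
 {
     apr_int64_t argint = apr_atoi64(arg);
+    /* timeouts cannot be negative */
     if (argint < 0)
         return apr_psprintf(parms->pool, "%s: Invalid argument",
@@ -1101,5 +1103,5 @@
 
     sc->priorities_str = NULL;
-    sc->cache_timeout = -1;     /* -1 means "unset" */
+    sc->cache_timeout = MGS_TIMEOUT_UNSET;
     sc->cache_type = mgs_cache_unset;
     sc->cache_config = NULL;
@@ -1127,7 +1129,7 @@
     sc->ocsp_response_file = NULL;
     sc->ocsp_mutex = NULL;
-    sc->ocsp_grace_time = apr_time_from_sec(MGS_OCSP_GRACE_TIME);
-    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
-    sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
+    sc->ocsp_grace_time = MGS_TIMEOUT_UNSET;
+    sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
+    sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1189,10 +1191,7 @@
     gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
-    gnutls_srvconf_merge(ocsp_grace_time,
-                         apr_time_from_sec(MGS_OCSP_GRACE_TIME));
-    gnutls_srvconf_merge(ocsp_failure_timeout,
-                         apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT));
-    gnutls_srvconf_merge(ocsp_socket_timeout,
-                         apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT));
+    gnutls_srvconf_merge(ocsp_grace_time, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
 
     gnutls_srvconf_assign(ca_list);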
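Review bot: The new comment on line 855 documents the sign check, but the check right below it still accepts non-numeric directive arguments: as far as I recall apr_atoi64() returns 0 for input with no digits and stops silently at trailing junk, so a mistyped timeout value becomes a zero timeout instead of a configuration error, and what a zero timeout means for the OCSP fetch depends on code not shown here. Parsing with an end pointer would reject both cases: `char *end = NULL;`, `apr_int64_t argint = apr_strtoi64(arg, &end, 10);`, `if (end == arg || *end != '\0' || argint < 0)`. The enclosing function's signature is above the hunk and its remaining body continues below it, so I could not confirm whether a later check already covers this.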
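--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -18,4 +18,5 @@
 #include "mod_gnutls.h"
 #include "gnutls_cache.h"
+#include "gnutls_config.h"
 #include "gnutls_util.h"
 
@@ -904,4 +905,12 @@
     }
 
+    /* set default values for unset timeouts */
+    if (sc->ocsp_grace_time == MGS_TIMEOUT_UNSET)
+        sc->ocsp_grace_time = apr_time_from_sec(MGS_OCSP_GRACE_TIME);
+    if (sc->ocsp_failure_timeout == MGS_TIMEOUT_UNSET)
+        sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
+    if (sc->ocsp_socket_timeout == MGS_TIMEOUT_UNSET)
+        sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
+
     sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
 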
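Review bot: The defaults for the three OCSP timeouts are now applied only in the block at lines 907-913, inside a function whose name and entry conditions are outside the hunk; after this commit the config merge leaves the fields at MGS_TIMEOUT_UNSET, so any reader of sc->ocsp_grace_time, sc->ocsp_failure_timeout or sc->ocsp_socket_timeout that runs before this function, or in a server config for which it is never reached, would see the sentinel rather than the previous default. The commit message says the sentinel is a value timeouts can never legitimately hold, which presumably means a negative apr_time_t, and the new gnutls_config.h that defines it is listed as added but not shown on this page, so this is worth confirming rather than assuming. A comment stating the ordering contract would make the dependency explicit: `/* Must run before any user of the OCSP timeouts: the config merge leaves unset timeouts at MGS_TIMEOUT_UNSET. */`.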