Changeset eb63377 in mod_gnutls

Timestamp:

Jun 5, 2016, 3:42:32 PM (7 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, main, master, proxy-ticket, upstream

Children:

c005645

Parents:

366d1a1

git-author:

Thomas Klute <thomas2.klute@…> (06/05/16 15:37:33)

git-committer:

Thomas Klute <thomas2.klute@…> (06/05/16 15:42:32)

Message:

Check only expiration time for OCSP responses from cache

Responses are properly verified before storing, so verifying again is
a waste of time. This smaller check can be dropped once regular cache
expiration is implemented.

File:

• src/gnutls_ocsp.c (modified) (3 diffs)

src/gnutls_ocsp.c

@@ -76 +76 @@
 
 /**
+ * Check if the time specified in the nextUpdate field (if any) of the
+ * given OCSP response has passed. Returns GNUTLS_E_SUCCESS if it has
+ * not (so the response is still valid), or there is no such field.
+ *
+ * Note that this function does not do a signature check, it is meant
+ * to operate on cached responses that have been verified before.
+ */
+static int check_ocsp_response_expiry(mgs_handle_t *ctxt,
+                                      const gnutls_datum_t *ocsp_response)
+{
+    gnutls_ocsp_resp_t resp;
+    int ret = gnutls_ocsp_resp_init(&resp);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "Could not initialize OCSP response structure: "
+                      "%s (%d)", gnutls_strerror(ret), ret);
+        goto resp_cleanup;
+    }
+    ret = gnutls_ocsp_resp_import(resp, ocsp_response);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "Importing OCSP response failed: %s (%d)",
+                      gnutls_strerror(ret), ret);
+        goto resp_cleanup;
+    }
+    time_t next_update;
+    ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, NULL,
+                                      NULL, &next_update, NULL, NULL);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "Could not get OCSP response data: %s (%d)",
+                      gnutls_strerror(ret), ret);
+        goto resp_cleanup;
+    }
+
+    if (next_update == (time_t) -1)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "OSCP response does not contain nextUpdate info.");
+    }
+    else
+    {
+        apr_time_t now = apr_time_now();
+        apr_time_t valid_to;
+        apr_time_ansi_put(&valid_to, next_update);
+        if (now > valid_to)
+        {
+            char date_str[APR_RFC822_DATE_LEN];
+            apr_rfc822_date(date_str, valid_to);
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                          "OCSP response has expired at %s.", date_str);
+            ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
+            goto resp_cleanup;
+        }
+    }
+ resp_cleanup:
+    gnutls_ocsp_resp_deinit(resp);
+    return ret;
+}
+
+
+
+/**
  * Check if the provided OCSP response is usable for stapling in
  * connections to this server. Returns GNUTLS_E_SUCCESS if yes.
@@ -369 +435 @@
     else
     {
-        /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
+        if (check_ocsp_response_expiry(ctxt, ocsp_response)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;
@@ -399 +464 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
+        if (check_ocsp_response_expiry(ctxt, ocsp_response)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;