Changeset eb63377 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Jun 5, 2016, 3:42:32 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
c005645
Parents:
366d1a1
git-author:
Thomas Klute <thomas2.klute@…> (06/05/16 15:37:33)
git-committer:
Thomas Klute <thomas2.klute@…> (06/05/16 15:42:32)
Message:

Check only expiration time for OCSP responses from cache

Responses are properly verified before storing, so verifying again is
a waste of time. This smaller check can be dropped once regular cache
expiration is implemented.

File:
1 edited

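--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -76,4 +76,70 @@
 
 /**
+ * Check if the time specified in the nextUpdate field (if any) of the
+ * given OCSP response has passed. Returns GNUTLS_E_SUCCESS if it has
+ * not (so the response is still valid), or there is no such field.
+ *
+ * Note that this function does not do a signature check, it is meant
+ * to operate on cached responses that have been verified before.
+ */
+static int check_ocsp_response_expiry(mgs_handle_t *ctxt,
+                                      const gnutls_datum_t *ocsp_response)
+{
+    gnutls_ocsp_resp_t resp;
+    int ret = gnutls_ocsp_resp_init(&resp);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "Could not initialize OCSP response structure: "
+                      "%s (%d)", gnutls_strerror(ret), ret);
+        goto resp_cleanup;
+    }
+    ret = gnutls_ocsp_resp_import(resp, ocsp_response);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "Importing OCSP response failed: %s (%d)",
+                      gnutls_strerror(ret), ret);
+        goto resp_cleanup;
+    }
+    time_t next_update;
+    ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, NULL,
+                                      NULL, &next_update, NULL, NULL);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "Could not get OCSP response data: %s (%d)",
+                      gnutls_strerror(ret), ret);
+        goto resp_cleanup;
+    }
+
+    if (next_update == (time_t) -1)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "OSCP response does not contain nextUpdate info.");
+    }
+    else
+    {
+        apr_time_t now = apr_time_now();
+        apr_time_t valid_to;
+        apr_time_ansi_put(&valid_to, next_update);
+        if (now > valid_to)
+        {
+            char date_str[APR_RFC822_DATE_LEN];
+            apr_rfc822_date(date_str, valid_to);
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                          "OCSP response has expired at %s.", date_str);
+            ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
+            goto resp_cleanup;
+        }
+    }
+ resp_cleanup:
+    gnutls_ocsp_resp_deinit(resp);
+    return ret;
+}
+
+
+
+/**
  * Check if the provided OCSP response is usable for stapling in
  * connections to this server. Returns GNUTLS_E_SUCCESS if yes.
@@ -369,6 +435,5 @@
     else
     {
-        /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
+        if (check_ocsp_response_expiry(ctxt, ocsp_response)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;
@@ -399,5 +464,5 @@
     {
         /* Succeed if response is present and valid. */
-        if (check_ocsp_response(ctxt->c->base_server, ocsp_response, NULL)
+        if (check_ocsp_response_expiry(ctxt, ocsp_response)
             == GNUTLS_E_SUCCESS)
             return GNUTLS_E_SUCCESS;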
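Review bot: In check_ocsp_response_expiry the failure branch of gnutls_ocsp_resp_init jumps to resp_cleanup and calls gnutls_ocsp_resp_deinit(resp) on a handle that was never successfully initialized; unless gnutls_ocsp_resp_init is guaranteed to null out *resp on failure, that deinits an indeterminate pointer. Returning directly avoids depending on that: `return ret;` in place of the first `goto resp_cleanup;`. Two smaller points: the debug message reads `OSCP` where `OCSP` is meant, and a cached response with no nextUpdate is accepted for as long as it stays in the cache, which the commit message acknowledges is pending real cache expiration; a `/* TODO: no nextUpdate, bounded only by cache expiry once implemented */` on that branch would make the reliance explicit. The two call sites are inside functions whose bodies start outside the hunks.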