From 271de81e7cf874c743aa066bab129d18d14401bb Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Mon, 17 Jan 2011 13:27:03 +0000
Subject: [PATCH] * modules/ssl/ssl_engine_config.c, modules/ssl/ssl_private.h:
Add config hooks for OCSP response time skew, maximum age, timeout.
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Respect
config settings for above.
* docs/: Update accordingly.
Submitted by: Kaspar Brand
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1059917 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 4 +++
docs/manual/mod/mod_ssl.xml | 47 +++++++++++++++++++++++++++++++++
modules/ssl/mod_ssl.c | 6 +++++
modules/ssl/ssl_engine_config.c | 36 +++++++++++++++++++++++++
modules/ssl/ssl_engine_ocsp.c | 21 ++++++++-------
modules/ssl/ssl_private.h | 16 +++++++++++
6 files changed, 120 insertions(+), 10 deletions(-)
diff --git a/CHANGES b/CHANGES
index 5a92c69cb9..05563c8cca 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
Changes with Apache 2.3.11
+ *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
+ SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
+ [Kaspar Brand ]
+
*) mod_ssl: Revamp output buffering to reduce network overhead for
output fragmented into many buckets, such as chunked HTTP responses.
[Joe Orton]
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 4cbb1ba266..f4ebecaaab 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1855,6 +1855,53 @@ certificate being validated references an OCSP responder.
+
+SSLOCSPResponseTimeSkew
+Maximum allowable time skew for OCSP response validation
+SSLOCSPResponseTimeSkew seconds
+SSLOCSPResponseTimeSkew 300
+server config
+virtual host
+Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later
+
+
+This option sets the maximum allowable time skew for OCSP responses
+(when checking their thisUpdate
and nextUpdate
fields).
+
+
+
+
+SSLOCSPResponseMaxAge
+Maximum allowable age for OCSP responses
+SSLOCSPResponseMaxAge seconds
+SSLOCSPResponseMaxAge -1
+server config
+virtual host
+Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later
+
+
+This option sets the maximum allowable age ("freshness") for OCSP responses.
+The default value (-1
) does not enforce a maximum age,
+which means that OCSP responses are considered valid as long as their
+nextUpdate
field is in the future.
+
+
+
+
+SSLOCSPResponderTimeout
+Timeout for OCSP queries
+SSLOCSPResponderTimeout seconds
+SSLOCSPResponderTimeout 10
+server config
+virtual host
+Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later
+
+
+This option sets the timeout for queries to OCSP responders, when
+SSLOCSPEnable is turned on.
+
+
+
SSLInsecureRenegotiation
Option to enable support for insecure renegotiation
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 3d090cb15b..d908e61d44 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -197,6 +197,12 @@ static const command_rec ssl_config_cmds[] = {
"URL of the default OCSP Responder")
SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
"Force use of the default responder URL ('on', 'off')")
+ SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
+ "Maximum time difference in OCSP responses")
+ SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
+ "Maximum age of OCSP responses")
+ SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
+ "OCSP responder query timeout")
#ifdef HAVE_OCSP_STAPLING
/*
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 029d3d77c5..89270bf4ec 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -130,6 +130,9 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
mctx->ocsp_enabled = FALSE;
mctx->ocsp_force_default = FALSE;
mctx->ocsp_responder = NULL;
+ mctx->ocsp_resptime_skew = UNSET;
+ mctx->ocsp_resp_maxage = UNSET;
+ mctx->ocsp_responder_timeout = UNSET;
#ifdef HAVE_OCSP_STAPLING
mctx->stapling_enabled = UNSET;
@@ -243,6 +246,9 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
cfgMergeBool(ocsp_enabled);
cfgMergeBool(ocsp_force_default);
cfgMerge(ocsp_responder, NULL);
+ cfgMergeInt(ocsp_resptime_skew);
+ cfgMergeInt(ocsp_resp_maxage);
+ cfgMergeInt(ocsp_responder_timeout);
#ifdef HAVE_OCSP_STAPLING
cfgMergeBool(stapling_enabled);
cfgMergeInt(stapling_resptime_skew);
@@ -1445,6 +1451,36 @@ const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const ch
return NULL;
}
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_resptime_skew = atoi(arg);
+ if (sc->server->ocsp_resptime_skew < 0) {
+ return "SSLOCSPResponseTimeSkew: invalid argument";
+ }
+ return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_resp_maxage = atoi(arg);
+ if (sc->server->ocsp_resp_maxage < 0) {
+ return "SSLOCSPResponseMaxAge: invalid argument";
+ }
+ return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_responder_timeout = apr_time_from_sec(atoi(arg));
+ if (sc->server->ocsp_responder_timeout < 0) {
+ return "SSLOCSPResponderTimeout: invalid argument";
+ }
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
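Review bot: The three new handlers parse their argument with atoi(), so a non-numeric value such as `SSLOCSPResponderTimeout ten` silently becomes 0 and passes the `< 0` check, leaving a zero responder timeout (or zero skew / max-age) instead of producing a configuration error; atoi() also has undefined behaviour on overflow. Parsing with strtol() and rejecting an empty string, trailing characters, ERANGE or a negative result fixes both, and a small static helper keeps the three handlers identical (strtol/errno need <stdlib.h> and <errno.h>, which ssl_private.h may already pull in; worth checking). Separately, the max-age handler rejects every negative value, so the documented default `SSLOCSPResponseMaxAge -1` from the mod_ssl.xml hunk cannot be written explicitly in a configuration file; either accept -1 there as "no maximum" or document the default as unlimited rather than as a literal value.
```c
/* Parse a non-negative decimal directive argument into *out.
 * Returns 0 on success, -1 on empty input, trailing characters,
 * out-of-range or negative values. */
static int parse_nonneg_long(const char *arg, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (*arg == '\0' || *end != '\0' || errno == ERANGE || v < 0) {
        return -1;
    }
    *out = v;
    return 0;
}

const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    if (parse_nonneg_long(arg, &sc->server->ocsp_resptime_skew) != 0) {
        return "SSLOCSPResponseTimeSkew: invalid argument";
    }
    return NULL;
}
/* … SSLOCSPResponseMaxAge and SSLOCSPResponderTimeout follow the same
 * pattern; the timeout handler parses into a local long and stores
 * apr_time_from_sec() of it … */
```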
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index b0a16b4251..d52bc5e1a3 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -141,10 +141,10 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
request = create_request(ctx, cert, &certID, s, pool);
if (request) {
- /* Use default I/O timeout for the server. */
- response = modssl_dispatch_ocsp_request(ruri,
- mySrvFromConn(c)->timeout,
- request, c, pool);
+ apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
+ DEFAULT_OCSP_TIMEOUT :
+ sc->server->ocsp_responder_timeout;
+ response = modssl_dispatch_ocsp_request(ruri, to, request, c, pool);
}
if (!request || !response) {
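Review bot: The default branch of the new `to` assignment mixes units: `DEFAULT_OCSP_TIMEOUT` is the bare integer 10 (ssl_private.h hunk of this patch), but it is assigned to an `apr_interval_time_t`, which APR measures in microseconds, whereas the configured value stored by ssl_cmd_SSLOCSPResponderTimeout goes through apr_time_from_sec(). With SSLOCSPResponderTimeout unset every OCSP query would therefore run with a 10 microsecond timeout, which is very likely to fail and, via the `!response` check that follows, reject the connection — a silent availability regression relative to the removed per-server timeout, and a mismatch with the "10" (seconds) documented in mod_ssl.xml. Convert the default at the point of use, `apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ? apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) : sc->server->ocsp_responder_timeout;`, or define the macro already converted. verify_ocsp_status starts and ends outside this hunk.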
@@ -205,15 +205,16 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
rc = status;
}
- /* TODO: make these configurable. */
-#define MAX_SKEW (60)
-#define MAX_AGE (360)
-
/* Check whether the response is inside the defined validity
* period; otherwise fail. */
if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
- int vrc = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
-
+ long resptime_skew = sc->server->ocsp_resptime_skew == UNSET ?
+ DEFAULT_OCSP_MAX_SKEW : sc->server->ocsp_resptime_skew;
+ /* oscp_resp_maxage can be passed verbatim - UNSET (-1) means
+ * that responses can be of any age as long as nextup is in the
+ * future. */
+ int vrc = OCSP_check_validity(thisup, nextup, resptime_skew,
+ sc->server->ocsp_resp_maxage);
if (vrc != 1) {
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert,
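Review bot: The new comment above the OCSP_check_validity() call misspells the field as `oscp_resp_maxage`; suggest `/* ocsp_resp_maxage can be passed verbatim - UNSET (-1) means that responses can be of any age as long as nextup is in the future. */`. Since the neighbouring responder timeout field is an apr_interval_time_t (microseconds) while these two values are passed straight to OCSP_check_validity(), which takes seconds, it would also help to say so once, e.g. `/* skew and max-age are in seconds, as OCSP_check_validity() expects. */`. verify_ocsp_status continues outside this hunk.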
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index d8d0cd27b7..7c7cda84b4 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -179,6 +179,16 @@ ap_set_module_config(c->conn_config, &ssl_module, val)
#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
#endif
+/* Default for OCSP response validity */
+#ifndef DEFAULT_OCSP_MAX_SKEW
+#define DEFAULT_OCSP_MAX_SKEW (60 * 5)
+#endif
+
+/* Default timeout for OCSP queries */
+#ifndef DEFAULT_OCSP_TIMEOUT
+#define DEFAULT_OCSP_TIMEOUT 10
+#endif
+
/**
* Support for MM library
*/
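Review bot: Neither new macro comment says what unit the value is in, which matters here because DEFAULT_OCSP_MAX_SKEW is handed to OCSP_check_validity() (seconds) while DEFAULT_OCSP_TIMEOUT is assigned to an apr_interval_time_t (microseconds) in ssl_engine_ocsp.c. Suggest `/* Default max. clock skew, in seconds, allowed when checking OCSP response validity */` and `/* Default OCSP responder timeout, in seconds; convert with apr_time_from_sec() before use as an apr_interval_time_t */`. The same applies to the three fields added to modssl_ctx_t in the next hunk of this file, whose neighbours all carry a trailing comment; e.g. `long ocsp_resptime_skew;  /* max. clock skew in seconds, UNSET = default */`, `long ocsp_resp_maxage;  /* max. response age in seconds, UNSET = unlimited */` and `apr_interval_time_t ocsp_responder_timeout;  /* responder query timeout, UNSET = default */`.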
@@ -516,6 +526,9 @@ typedef struct {
BOOL ocsp_force_default; /* true if the default responder URL is
* used regardless of per-cert URL */
const char *ocsp_responder; /* default responder URL */
+ long ocsp_resptime_skew;
+ long ocsp_resp_maxage;
+ apr_interval_time_t ocsp_responder_timeout;
} modssl_ctx_t;
@@ -620,6 +633,9 @@ const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
--
2.50.1