From: Matthew Newton Date: Mon, 23 Jan 2012 12:45:50 +0000 (+0100) Subject: Add OCSP timeout option X-Git-Tag: release_3_0_0_beta0~392 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=freeradius.git;a=commitdiff_plain;h=7ee1c2964f9cabfa59969348f0733d42ee2ffd78 Add OCSP timeout option Manual pull of commit 07a4b30f181 --- diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 26195d5..0e767d8 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -459,6 +459,12 @@ # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx # # use_nonce = yes + + # + # Number of seconds before giving up waiting + # for OCSP response. 0 uses system default. + # + # timeout = 0 } } diff --git a/src/include/tls.h b/src/include/tls.h index 2e88383..2b86902 100644 --- a/src/include/tls.h +++ b/src/include/tls.h @@ -376,6 +376,7 @@ struct fr_tls_server_conf_t { char *ocsp_url; int ocsp_use_nonce; X509_STORE *ocsp_store; + int ocsp_timeout; #endif #if OPENSSL_VERSION_NUMBER >= 0x0090800fL diff --git a/src/main/tls.c b/src/main/tls.c index c975758..de0c428 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -781,6 +781,8 @@ static CONF_PARSER ocsp_config[] = { offsetof(fr_tls_server_conf_t, ocsp_url), NULL, NULL }, { "use_nonce", PW_TYPE_BOOLEAN, offsetof(fr_tls_server_conf_t, ocsp_use_nonce), NULL, "yes"}, + { "timeout", PW_TYPE_INTEGER, + offsetof(fr_tls_server_conf_t, ocsp_timeout), NULL, "yes"}, { NULL, -1, 0, NULL, NULL } /* end the list */ }; #endif @@ -1057,7 +1059,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert, { OCSP_CERTID *certid; OCSP_REQUEST *req; - OCSP_RESPONSE *resp; + OCSP_RESPONSE *resp = NULL; OCSP_BASICRESP *bresp = NULL; char *host = NULL; char *port = NULL; @@ -1069,6 +1071,10 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert, int status ; ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; int reason; + OCSP_REQ_CTX *ctx; + int rc; + struct timeval now; + struct timeval when; /* * Create OCSP Request @@ -1100,11 +1106,42 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert, bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); BIO_set_conn_port(cbio, port); - BIO_do_connect(cbio); - /* Send OCSP request and wait for response */ - resp = OCSP_sendreq_bio(cbio, path, req); - if(resp==0) { + if (conf->ocsp_timeout) + BIO_set_nbio(cbio, 1); + + rc = BIO_do_connect(cbio); + if ((rc <= 0) && ((!conf->ocsp_timeout) || !BIO_should_retry(cbio))) { + radlog(L_ERR, "Error: Couldn't connect to OCSP responder"); + goto ocsp_end; + } + + ctx = OCSP_sendreq_new(cbio, path, req, -1); + if (!ctx) { + radlog(L_ERR, "Error: Couldn't send OCSP request"); + goto ocsp_end; + } + + gettimeofday(&when, NULL); + when.tv_sec += conf->ocsp_timeout; + + do { + rc = OCSP_sendreq_nbio(&resp, ctx); + if (conf->ocsp_timeout) { + gettimeofday(&now, NULL); + if (!timercmp(&now, &when, <)) + break; + } + } while ((rc == -1) && BIO_should_retry(cbio)); + + if (conf->ocsp_timeout && (rc == -1) && BIO_should_retry(cbio)) { + radlog(L_ERR, "Error: OCSP response timed out"); + goto ocsp_end; + } + + OCSP_REQ_CTX_free(ctx); + + if (rc == 0) { radlog(L_ERR, "Error: Couldn't get OCSP response"); goto ocsp_end; }